1 # Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
3 # Licensed under the OpenSSL license (the "License"). You may not use
4 # this file except in compliance with the License. You can obtain a copy
5 # in the file LICENSE in the source distribution or at
6 # https://www.openssl.org/source/license.html
9 use POSIX ":sys_wait_h";
11 package TLSProxy::Proxy;
17 use TLSProxy::Message;
18 use TLSProxy::ClientHello;
19 use TLSProxy::ServerHello;
20 use TLSProxy::ServerKeyExchange;
21 use TLSProxy::NewSessionTicket;
38 proxy_addr => "localhost",
40 server_addr => "localhost",
53 ciphers => "AES128-SHA:TLS13-AES-128-GCM-SHA256",
59 # IO::Socket::IP is on the core module list, IO::Socket::INET6 isn't.
60 # However, IO::Socket::INET6 is older and is said to be more widely
61 # deployed for the moment, and may have less bugs, so we try the latter
62 # first, then fall back on the code modules. Worst case scenario, we
63 # fall back to IO::Socket::INET, only supports IPv4.
65 require IO::Socket::INET6;
66 my $s = IO::Socket::INET6->new(
75 $IP_factory = sub { IO::Socket::INET6->new(@_); };
79 require IO::Socket::IP;
80 my $s = IO::Socket::IP->new(
89 $IP_factory = sub { IO::Socket::IP->new(@_); };
92 $IP_factory = sub { IO::Socket::INET->new(@_); };
96 return bless $self, $class;
103 $self->{cipherc} = "";
105 $self->{record_list} = [];
106 $self->{message_list} = [];
107 $self->{clientflags} = "";
110 TLSProxy::Message->clear();
111 TLSProxy::Record->clear();
119 $self->{ciphers} = "AES128-SHA:TLS13-AES-128-GCM-SHA256";
120 $self->{serverflags} = "";
121 $self->{serverconnects} = 1;
122 $self->{serverpid} = 0;
149 open(STDOUT, ">", File::Spec->devnull())
150 or die "Failed to redirect stdout: $!";
151 open(STDERR, ">&STDOUT");
153 my $execcmd = $self->execute
154 ." s_server -no_comp -rev -engine ossltest -accept "
155 .($self->server_port)
156 ." -cert ".$self->cert." -naccept ".$self->serverconnects;
157 if ($self->ciphers ne "") {
158 $execcmd .= " -cipher ".$self->ciphers;
160 if ($self->serverflags ne "") {
161 $execcmd .= " ".$self->serverflags;
165 $self->serverpid($pid);
167 return $self->clientstart;
176 open DEVNULL, ">", File::Spec->devnull();
177 $oldstdout = select(DEVNULL);
180 # Create the Proxy socket
181 my $proxaddr = $self->proxy_addr;
182 $proxaddr =~ s/[\[\]]//g; # Remove [ and ]
183 my $proxy_sock = $IP_factory->(
184 LocalHost => $proxaddr,
185 LocalPort => $self->proxy_port,
192 print "Proxy started on port ".$self->proxy_port."\n";
194 warn "Failed creating proxy socket (".$proxaddr.",".$self->proxy_port."): $!\n";
198 if ($self->execute) {
202 open(STDOUT, ">", File::Spec->devnull())
203 or die "Failed to redirect stdout: $!";
204 open(STDERR, ">&STDOUT");
206 my $execcmd = "echo test | ".$self->execute
207 ." s_client -engine ossltest -connect "
208 .($self->proxy_addr).":".($self->proxy_port);
209 if ($self->cipherc ne "") {
210 $execcmd .= " -cipher ".$self->cipherc;
212 if ($self->clientflags ne "") {
213 $execcmd .= " ".$self->clientflags;
219 # Wait for incoming connection from client
221 if(!($client_sock = $proxy_sock->accept())) {
222 warn "Failed accepting incoming connection: $!\n";
226 print "Connection opened\n";
228 # Now connect to the server
231 #We loop over this a few times because sometimes s_server can take a while
234 my $servaddr = $self->server_addr;
235 $servaddr =~ s/[\[\]]//g; # Remove [ and ]
237 $server_sock = $IP_factory->(
238 PeerAddr => $servaddr,
239 PeerPort => $self->server_port,
246 #Some buggy IP factories can return a defined server_sock that hasn't
247 #actually connected, so we check peerport too
248 if ($@ || !defined($server_sock) || !defined($server_sock->peerport)) {
249 $server_sock->close() if defined($server_sock);
252 #Sleep for a short while
253 select(undef, undef, undef, 0.1);
255 warn "Failed to start up server (".$servaddr.",".$self->server_port."): $!\n";
259 } while (!$server_sock);
261 my $sel = IO::Select->new($server_sock, $client_sock);
263 my @handles = ($server_sock, $client_sock);
265 #Wait for either the server socket or the client socket to become readable
267 while(!(TLSProxy::Message->end) && (@ready = $sel->can_read)) {
268 foreach my $hand (@ready) {
269 if ($hand == $server_sock) {
270 $server_sock->sysread($indata, 16384) or goto END;
271 $indata = $self->process_packet(1, $indata);
272 $client_sock->syswrite($indata);
273 } elsif ($hand == $client_sock) {
274 $client_sock->sysread($indata, 16384) or goto END;
275 $indata = $self->process_packet(0, $indata);
276 $server_sock->syswrite($indata);
285 print "Connection closed\n";
287 $server_sock->close();
290 #Closing this also kills the child process
291 $client_sock->close();
294 $proxy_sock->close();
299 $self->serverconnects($self->serverconnects - 1);
300 if ($self->serverconnects == 0) {
301 die "serverpid is zero\n" if $self->serverpid == 0;
302 print "Waiting for server process to close: "
303 .$self->serverpid."\n";
304 waitpid( $self->serverpid, 0);
311 my ($self, $server, $packet) = @_;
318 print "Received server packet\n";
320 print "Received client packet\n";
323 print "Packet length = ".length($packet)."\n";
324 print "Processing flight ".$self->flight."\n";
326 #Return contains the list of record found in the packet followed by the
327 #list of messages in those records
328 my @ret = TLSProxy::Record->get_records($server, $self->flight, $packet);
329 push @{$self->record_list}, @{$ret[0]};
330 push @{$self->{message_list}}, @{$ret[1]};
334 #Finished parsing. Call user provided filter here
335 if(defined $self->filter) {
336 $self->filter->($self);
339 #Reconstruct the packet
341 foreach my $record (@{$self->record_list}) {
342 #We only replay the records for the current flight
343 if ($record->flight != $self->flight) {
346 $packet .= $record->reconstruct_record($server);
349 $self->{flight} = $self->{flight} + 1;
351 print "Forwarded packet length = ".length($packet)."\n\n";
360 return $self->{execute};
365 return $self->{cert};
370 return $self->{debug};
375 return $self->{flight};
380 return $self->{record_list};
385 return $self->{success};
398 #Read/write accessors
403 $self->{proxy_addr} = shift;
405 return $self->{proxy_addr};
411 $self->{proxy_port} = shift;
413 return $self->{proxy_port};
419 $self->{server_addr} = shift;
421 return $self->{server_addr};
427 $self->{server_port} = shift;
429 return $self->{server_port};
435 $self->{filter} = shift;
437 return $self->{filter};
443 $self->{cipherc} = shift;
445 return $self->{cipherc};
451 $self->{ciphers} = shift;
453 return $self->{ciphers};
459 $self->{serverflags} = shift;
461 return $self->{serverflags};
467 $self->{clientflags} = shift;
469 return $self->{clientflags};
475 $self->{serverconnects} = shift;
477 return $self->{serverconnects};
479 # This is a bit ugly because the caller is responsible for keeping the records
480 # in sync with the updated message list; simply updating the message list isn't
481 # sufficient to get the proxy to forward the new message.
482 # But it does the trick for the one test (test_sslsessiontick) that needs it.
487 $self->{message_list} = shift;
489 return $self->{message_list};
495 $self->{serverpid} = shift;
497 return $self->{serverpid};
504 for (my $i = 0; $i < $length; $i++) {