1 # Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
3 # Licensed under the OpenSSL license (the "License"). You may not use
4 # this file except in compliance with the License. You can obtain a copy
5 # in the file LICENSE in the source distribution or at
6 # https://www.openssl.org/source/license.html
9 use POSIX ":sys_wait_h";
11 package TLSProxy::Proxy;
17 use TLSProxy::Message;
18 use TLSProxy::ClientHello;
19 use TLSProxy::ServerHello;
20 use TLSProxy::ServerKeyExchange;
21 use TLSProxy::NewSessionTicket;
22 use Time::HiRes qw/usleep/;
37 proxy_addr => "localhost",
39 server_addr => "localhost",
54 ciphers => "AES128-SHA",
62 # IO::Socket::IP is on the core module list, IO::Socket::INET6 isn't.
63 # However, IO::Socket::INET6 is older and is said to be more widely
64 # deployed for the moment, and may have less bugs, so we try the latter
65 # first, then fall back on the code modules. Worst case scenario, we
66 # fall back to IO::Socket::INET, only supports IPv4.
68 require IO::Socket::INET6;
69 my $s = IO::Socket::INET6->new(
78 $IP_factory = sub { IO::Socket::INET6->new(@_); };
82 require IO::Socket::IP;
83 my $s = IO::Socket::IP->new(
92 $IP_factory = sub { IO::Socket::IP->new(@_); };
95 $IP_factory = sub { IO::Socket::INET->new(@_); };
99 # Create the Proxy socket
100 my $proxaddr = $self->{proxy_addr};
101 $proxaddr =~ s/[\[\]]//g; # Remove [ and ]
103 LocalHost => $proxaddr,
104 LocalPort => $self->{proxy_port},
108 push @proxyargs, ReuseAddr => 1
109 unless $^O eq "MSWin32";
110 $self->{proxy_sock} = $IP_factory->(@proxyargs);
112 if ($self->{proxy_sock}) {
113 print "Proxy started on port ".$self->{proxy_port}."\n";
115 warn "Failed creating proxy socket (".$proxaddr.",".$self->{proxy_port}."): $!\n";
118 return bless $self, $class;
125 $self->{proxy_sock}->close() if $self->{proxy_sock};
132 $self->{cipherc} = "";
133 $self->{flight} = -1;
134 $self->{direction} = -1;
135 $self->{partial} = ["", ""];
136 $self->{record_list} = [];
137 $self->{message_list} = [];
138 $self->{clientflags} = "";
139 $self->{clientpid} = 0;
141 TLSProxy::Message->clear();
142 TLSProxy::Record->clear();
150 $self->{ciphers} = "AES128-SHA";
151 $self->{serverflags} = "";
152 $self->{serverconnects} = 1;
153 $self->{serverpid} = 0;
178 if ($self->{proxy_sock} == 0) {
184 my $execcmd = $self->execute
185 ." s_server -max_protocol TLSv1.2 -no_comp -rev -engine ossltest -accept "
186 .($self->server_port)
187 ." -cert ".$self->cert." -naccept ".$self->serverconnects;
188 unless ($self->supports_IPv6) {
191 if ($self->ciphers ne "") {
192 $execcmd .= " -cipher ".$self->ciphers;
194 if ($self->serverflags ne "") {
195 $execcmd .= " ".$self->serverflags;
198 print STDERR "Server command: $execcmd\n";
202 $self->serverpid($pid);
204 return $self->clientstart;
212 if ($self->execute) {
216 if ($self->reneg()) {
221 my $execcmd = "echo ".$echostr." | ".$self->execute
222 ." s_client -max_protocol TLSv1.2 -engine ossltest -connect "
223 .($self->proxy_addr).":".($self->proxy_port);
224 unless ($self->supports_IPv6) {
227 if ($self->cipherc ne "") {
228 $execcmd .= " -cipher ".$self->cipherc;
230 if ($self->clientflags ne "") {
231 $execcmd .= " ".$self->clientflags;
234 print STDERR "Client command: $execcmd\n";
238 $self->clientpid($pid);
241 # Wait for incoming connection from client
243 if(!($client_sock = $self->{proxy_sock}->accept())) {
244 warn "Failed accepting incoming connection: $!\n";
248 print "Connection opened\n";
250 # Now connect to the server
253 #We loop over this a few times because sometimes s_server can take a while
256 my $servaddr = $self->server_addr;
257 $servaddr =~ s/[\[\]]//g; # Remove [ and ]
259 $server_sock = $IP_factory->(
260 PeerAddr => $servaddr,
261 PeerPort => $self->server_port,
268 #Some buggy IP factories can return a defined server_sock that hasn't
269 #actually connected, so we check peerport too
270 if ($@ || !defined($server_sock) || !defined($server_sock->peerport)) {
271 $server_sock->close() if defined($server_sock);
274 #Sleep for a short while
275 select(undef, undef, undef, 0.1);
277 warn "Failed to start up server (".$servaddr.",".$self->server_port."): $!\n";
281 } while (!$server_sock);
283 my $sel = IO::Select->new($server_sock, $client_sock);
285 my @handles = ($server_sock, $client_sock);
287 #Wait for either the server socket or the client socket to become readable
289 local $SIG{PIPE} = "IGNORE";
290 while(!(TLSProxy::Message->end) && (@ready = $sel->can_read)) {
291 foreach my $hand (@ready) {
292 if ($hand == $server_sock) {
293 $server_sock->sysread($indata, 16384) or goto END;
294 $indata = $self->process_packet(1, $indata);
295 $client_sock->syswrite($indata);
296 } elsif ($hand == $client_sock) {
297 $client_sock->sysread($indata, 16384) or goto END;
298 $indata = $self->process_packet(0, $indata);
299 $server_sock->syswrite($indata);
308 print "Connection closed\n";
310 $server_sock->close();
313 #Closing this also kills the child process
314 $client_sock->close();
319 $self->serverconnects($self->serverconnects - 1);
320 if ($self->serverconnects == 0) {
321 die "serverpid is zero\n" if $self->serverpid == 0;
322 print "Waiting for server process to close: "
323 .$self->serverpid."\n";
324 waitpid( $self->serverpid, 0);
325 die "exit code $? from server process\n" if $? != 0;
327 # Give s_server sufficient time to finish what it was doing
330 die "clientpid is zero\n" if $self->clientpid == 0;
331 print "Waiting for client process to close: ".$self->clientpid."\n";
332 waitpid($self->clientpid, 0);
339 my ($self, $server, $packet) = @_;
346 print "Received server packet\n";
348 print "Received client packet\n";
351 if ($self->{direction} != $server) {
352 $self->{flight} = $self->{flight} + 1;
353 $self->{direction} = $server;
356 print "Packet length = ".length($packet)."\n";
357 print "Processing flight ".$self->flight."\n";
359 #Return contains the list of record found in the packet followed by the
360 #list of messages in those records and any partial message
361 my @ret = TLSProxy::Record->get_records($server, $self->flight, $self->{partial}[$server].$packet);
362 $self->{partial}[$server] = $ret[2];
363 push @{$self->record_list}, @{$ret[0]};
364 push @{$self->{message_list}}, @{$ret[1]};
368 if (scalar(@{$ret[0]}) == 0 or length($ret[2]) != 0) {
372 #Finished parsing. Call user provided filter here
373 if (defined $self->filter) {
374 $self->filter->($self);
377 #Reconstruct the packet
379 foreach my $record (@{$self->record_list}) {
380 $packet .= $record->reconstruct_record();
383 print "Forwarded packet length = ".length($packet)."\n\n";
392 return $self->{execute};
397 return $self->{cert};
402 return $self->{debug};
407 return $self->{flight};
412 return $self->{record_list};
417 return $self->{success};
432 return $self->{proxy_addr};
437 return $self->{proxy_port};
440 #Read/write accessors
445 $self->{server_addr} = shift;
447 return $self->{server_addr};
453 $self->{server_port} = shift;
455 return $self->{server_port};
461 $self->{filter} = shift;
463 return $self->{filter};
469 $self->{cipherc} = shift;
471 return $self->{cipherc};
477 $self->{ciphers} = shift;
479 return $self->{ciphers};
485 $self->{serverflags} = shift;
487 return $self->{serverflags};
493 $self->{clientflags} = shift;
495 return $self->{clientflags};
501 $self->{serverconnects} = shift;
503 return $self->{serverconnects};
505 # This is a bit ugly because the caller is responsible for keeping the records
506 # in sync with the updated message list; simply updating the message list isn't
507 # sufficient to get the proxy to forward the new message.
508 # But it does the trick for the one test (test_sslsessiontick) that needs it.
513 $self->{message_list} = shift;
515 return $self->{message_list};
521 $self->{serverpid} = shift;
523 return $self->{serverpid};
529 $self->{clientpid} = shift;
531 return $self->{clientpid};
538 for (my $i = 0; $i < $length; $i++) {
548 $self->{reneg} = shift;
550 return $self->{reneg};