1 # Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
3 # Licensed under the OpenSSL license (the "License"). You may not use
4 # this file except in compliance with the License. You can obtain a copy
5 # in the file LICENSE in the source distribution or at
6 # https://www.openssl.org/source/license.html
9 use POSIX ":sys_wait_h";
11 package TLSProxy::Proxy;
17 use TLSProxy::Message;
18 use TLSProxy::ClientHello;
19 use TLSProxy::ServerHello;
20 use TLSProxy::EncryptedExtensions;
21 use TLSProxy::Certificate;
22 use TLSProxy::CertificateVerify;
23 use TLSProxy::ServerKeyExchange;
24 use TLSProxy::NewSessionTicket;
25 use Time::HiRes qw/usleep/;
31 my $ciphersuite = undef;
43 proxy_addr => "localhost",
45 server_addr => "localhost",
62 ciphers => "AES128-SHA",
63 ciphersuitess => "TLS_AES_128_GCM_SHA256",
71 # IO::Socket::IP is on the core module list, IO::Socket::INET6 isn't.
72 # However, IO::Socket::INET6 is older and is said to be more widely
73 # deployed for the moment, and may have less bugs, so we try the latter
74 # first, then fall back on the code modules. Worst case scenario, we
75 # fall back to IO::Socket::INET, only supports IPv4.
77 require IO::Socket::INET6;
78 my $s = IO::Socket::INET6->new(
87 $IP_factory = sub { IO::Socket::INET6->new(@_); };
91 require IO::Socket::IP;
92 my $s = IO::Socket::IP->new(
101 $IP_factory = sub { IO::Socket::IP->new(@_); };
104 $IP_factory = sub { IO::Socket::INET->new(@_); };
108 # Create the Proxy socket
109 my $proxaddr = $self->{proxy_addr};
110 $proxaddr =~ s/[\[\]]//g; # Remove [ and ]
112 LocalHost => $proxaddr,
113 LocalPort => $self->{proxy_port},
117 push @proxyargs, ReuseAddr => 1
118 unless $^O eq "MSWin32";
119 $self->{proxy_sock} = $IP_factory->(@proxyargs);
121 if ($self->{proxy_sock}) {
122 print "Proxy started on port ".$self->{proxy_port}."\n";
124 warn "Failed creating proxy socket (".$proxaddr.",".$self->{proxy_port}."): $!\n";
127 return bless $self, $class;
134 $self->{proxy_sock}->close() if $self->{proxy_sock};
141 $self->{cipherc} = "";
142 $self->{ciphersuitec} = "";
143 $self->{flight} = -1;
144 $self->{direction} = -1;
145 $self->{partial} = ["", ""];
146 $self->{record_list} = [];
147 $self->{message_list} = [];
148 $self->{clientflags} = "";
149 $self->{sessionfile} = undef;
150 $self->{clientpid} = 0;
152 $ciphersuite = undef;
154 TLSProxy::Message->clear();
155 TLSProxy::Record->clear();
163 $self->{ciphers} = "AES128-SHA";
164 $self->{ciphersuitess} = "TLS_AES_128_GCM_SHA256";
165 $self->{serverflags} = "";
166 $self->{serverconnects} = 1;
167 $self->{serverpid} = 0;
192 if ($self->{proxy_sock} == 0) {
198 my $execcmd = $self->execute
199 ." s_server -max_protocol TLSv1.3 -no_comp -rev -engine ossltest -accept "
200 .($self->server_port)
201 ." -cert ".$self->cert." -cert2 ".$self->cert
202 ." -naccept ".$self->serverconnects;
203 unless ($self->supports_IPv6) {
206 if ($self->ciphers ne "") {
207 $execcmd .= " -cipher ".$self->ciphers;
209 if ($self->ciphersuitess ne "") {
210 $execcmd .= " -ciphersuites ".$self->ciphersuitess;
212 if ($self->serverflags ne "") {
213 $execcmd .= " ".$self->serverflags;
216 print STDERR "Server command: $execcmd\n";
220 $self->serverpid($pid);
222 return $self->clientstart;
230 if ($self->execute) {
234 if ($self->reneg()) {
239 my $execcmd = "echo ".$echostr." | ".$self->execute
240 ." s_client -max_protocol TLSv1.3 -engine ossltest -connect "
241 .($self->proxy_addr).":".($self->proxy_port);
242 unless ($self->supports_IPv6) {
245 if ($self->cipherc ne "") {
246 $execcmd .= " -cipher ".$self->cipherc;
248 if ($self->ciphersuitesc ne "") {
249 $execcmd .= " -ciphersuites ".$self->ciphersuitesc;
251 if ($self->clientflags ne "") {
252 $execcmd .= " ".$self->clientflags;
254 if (defined $self->sessionfile) {
255 $execcmd .= " -ign_eof";
258 print STDERR "Client command: $execcmd\n";
262 $self->clientpid($pid);
265 # Wait for incoming connection from client
267 if(!($client_sock = $self->{proxy_sock}->accept())) {
268 warn "Failed accepting incoming connection: $!\n";
272 print "Connection opened\n";
274 # Now connect to the server
277 #We loop over this a few times because sometimes s_server can take a while
280 my $servaddr = $self->server_addr;
281 $servaddr =~ s/[\[\]]//g; # Remove [ and ]
283 $server_sock = $IP_factory->(
284 PeerAddr => $servaddr,
285 PeerPort => $self->server_port,
292 #Some buggy IP factories can return a defined server_sock that hasn't
293 #actually connected, so we check peerport too
294 if ($@ || !defined($server_sock) || !defined($server_sock->peerport)) {
295 $server_sock->close() if defined($server_sock);
298 #Sleep for a short while
299 select(undef, undef, undef, 0.1);
301 warn "Failed to start up server (".$servaddr.",".$self->server_port."): $!\n";
305 } while (!$server_sock);
307 my $sel = IO::Select->new($server_sock, $client_sock);
309 my @handles = ($server_sock, $client_sock);
311 #Wait for either the server socket or the client socket to become readable
314 local $SIG{PIPE} = "IGNORE";
315 while( (!(TLSProxy::Message->end)
316 || (defined $self->sessionfile()
317 && (-s $self->sessionfile()) == 0))
319 if (!(@ready = $sel->can_read(1))) {
323 foreach my $hand (@ready) {
324 if ($hand == $server_sock) {
325 $server_sock->sysread($indata, 16384) or goto END;
326 $indata = $self->process_packet(1, $indata);
327 $client_sock->syswrite($indata);
329 } elsif ($hand == $client_sock) {
330 $client_sock->sysread($indata, 16384) or goto END;
331 $indata = $self->process_packet(0, $indata);
332 $server_sock->syswrite($indata);
335 die "Unexpected handle";
340 die "No progress made" if $ctr >= 10;
343 print "Connection closed\n";
345 $server_sock->close();
348 #Closing this also kills the child process
349 $client_sock->close();
354 $self->serverconnects($self->serverconnects - 1);
355 if ($self->serverconnects == 0) {
356 die "serverpid is zero\n" if $self->serverpid == 0;
357 print "Waiting for server process to close: "
358 .$self->serverpid."\n";
359 waitpid( $self->serverpid, 0);
360 die "exit code $? from server process\n" if $? != 0;
362 # Give s_server sufficient time to finish what it was doing
365 die "clientpid is zero\n" if $self->clientpid == 0;
366 print "Waiting for client process to close: ".$self->clientpid."\n";
367 waitpid($self->clientpid, 0);
374 my ($self, $server, $packet) = @_;
381 print "Received server packet\n";
383 print "Received client packet\n";
386 if ($self->{direction} != $server) {
387 $self->{flight} = $self->{flight} + 1;
388 $self->{direction} = $server;
391 print "Packet length = ".length($packet)."\n";
392 print "Processing flight ".$self->flight."\n";
394 #Return contains the list of record found in the packet followed by the
395 #list of messages in those records and any partial message
396 my @ret = TLSProxy::Record->get_records($server, $self->flight, $self->{partial}[$server].$packet);
397 $self->{partial}[$server] = $ret[2];
398 push @{$self->record_list}, @{$ret[0]};
399 push @{$self->{message_list}}, @{$ret[1]};
403 if (scalar(@{$ret[0]}) == 0 or length($ret[2]) != 0) {
407 #Finished parsing. Call user provided filter here
408 if (defined $self->filter) {
409 $self->filter->($self);
412 #Reconstruct the packet
414 foreach my $record (@{$self->record_list}) {
415 $packet .= $record->reconstruct_record($server);
418 print "Forwarded packet length = ".length($packet)."\n\n";
427 return $self->{execute};
432 return $self->{cert};
437 return $self->{debug};
442 return $self->{flight};
447 return $self->{record_list};
452 return $self->{success};
467 return $self->{proxy_addr};
472 return $self->{proxy_port};
475 #Read/write accessors
480 $self->{server_addr} = shift;
482 return $self->{server_addr};
488 $self->{server_port} = shift;
490 return $self->{server_port};
496 $self->{filter} = shift;
498 return $self->{filter};
504 $self->{cipherc} = shift;
506 return $self->{cipherc};
512 $self->{ciphersuitesc} = shift;
514 return $self->{ciphersuitesc};
520 $self->{ciphers} = shift;
522 return $self->{ciphers};
528 $self->{ciphersuitess} = shift;
530 return $self->{ciphersuitess};
536 $self->{serverflags} = shift;
538 return $self->{serverflags};
544 $self->{clientflags} = shift;
546 return $self->{clientflags};
552 $self->{serverconnects} = shift;
554 return $self->{serverconnects};
556 # This is a bit ugly because the caller is responsible for keeping the records
557 # in sync with the updated message list; simply updating the message list isn't
558 # sufficient to get the proxy to forward the new message.
559 # But it does the trick for the one test (test_sslsessiontick) that needs it.
564 $self->{message_list} = shift;
566 return $self->{message_list};
572 $self->{serverpid} = shift;
574 return $self->{serverpid};
580 $self->{clientpid} = shift;
582 return $self->{clientpid};
589 for (my $i = 0; $i < $length; $i++) {
608 $self->{reneg} = shift;
610 return $self->{reneg};
613 #Setting a sessionfile means that the client will not close until the given
614 #file exists. This is useful in TLSv1.3 where otherwise s_client will close
615 #immediately at the end of the handshake, but before the session has been
616 #received from the server. A side effect of this is that s_client never sends
617 #a close_notify, so instead we consider success to be when it sends application
618 #data over the connection.
623 $self->{sessionfile} = shift;
624 TLSProxy::Message->successondata(1);
626 return $self->{sessionfile};
633 $ciphersuite = shift;