]>
git.ipfire.org Git - thirdparty/openssl.git/blob - util/TLSProxy/Proxy.pm
95599e50ebecd99bbbab69117f9d9efc7b89848e
1 # Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
3 # Licensed under the OpenSSL license (the "License"). You may not use
4 # this file except in compliance with the License. You can obtain a copy
5 # in the file LICENSE in the source distribution or at
6 # https://www.openssl.org/source/license.html
9 use POSIX
":sys_wait_h";
11 package TLSProxy
::Proxy
;
17 use TLSProxy
::Message
;
18 use TLSProxy
::ClientHello
;
19 use TLSProxy
::ServerHello
;
20 use TLSProxy
::EncryptedExtensions
;
21 use TLSProxy
::ServerKeyExchange
;
22 use TLSProxy
::NewSessionTicket
;
39 proxy_addr
=> "localhost",
41 server_addr
=> "localhost",
54 ciphers
=> "AES128-SHA:TLS13-AES-128-GCM-SHA256",
60 # IO::Socket::IP is on the core module list, IO::Socket::INET6 isn't.
61 # However, IO::Socket::INET6 is older and is said to be more widely
62 # deployed for the moment, and may have less bugs, so we try the latter
63 # first, then fall back on the code modules. Worst case scenario, we
64 # fall back to IO::Socket::INET, only supports IPv4.
66 require IO
::Socket
::INET6
;
67 my $s = IO
::Socket
::INET6
->new(
76 $IP_factory = sub { IO
::Socket
::INET6
->new(@_); };
80 require IO
::Socket
::IP
;
81 my $s = IO
::Socket
::IP
->new(
90 $IP_factory = sub { IO
::Socket
::IP
->new(@_); };
93 $IP_factory = sub { IO
::Socket
::INET
->new(@_); };
97 return bless $self, $class;
104 $self->{cipherc
} = "";
106 $self->{record_list
} = [];
107 $self->{message_list
} = [];
108 $self->{clientflags
} = "";
111 TLSProxy
::Message
->clear();
112 TLSProxy
::Record
->clear();
120 $self->{ciphers
} = "AES128-SHA:TLS13-AES-128-GCM-SHA256";
121 $self->{serverflags
} = "";
122 $self->{serverconnects
} = 1;
123 $self->{serverpid
} = 0;
150 open(STDOUT
, ">", File
::Spec
->devnull())
151 or die "Failed to redirect stdout: $!";
152 open(STDERR
, ">&STDOUT");
154 my $execcmd = $self->execute
155 ." s_server -no_comp -rev -engine ossltest -accept "
156 .($self->server_port)
157 ." -cert ".$self->cert." -cert2 ".$self->cert
158 ." -naccept ".$self->serverconnects;
159 if ($self->ciphers ne "") {
160 $execcmd .= " -cipher ".$self->ciphers;
162 if ($self->serverflags ne "") {
163 $execcmd .= " ".$self->serverflags;
167 $self->serverpid($pid);
169 return $self->clientstart;
178 open DEVNULL
, ">", File
::Spec
->devnull();
179 $oldstdout = select(DEVNULL
);
182 # Create the Proxy socket
183 my $proxaddr = $self->proxy_addr;
184 $proxaddr =~ s/[\[\]]//g; # Remove [ and ]
185 my $proxy_sock = $IP_factory->(
186 LocalHost
=> $proxaddr,
187 LocalPort
=> $self->proxy_port,
194 print "Proxy started on port ".$self->proxy_port."\n";
196 warn "Failed creating proxy socket (".$proxaddr.",".$self->proxy_port."): $!\n";
200 if ($self->execute) {
204 open(STDOUT
, ">", File
::Spec
->devnull())
205 or die "Failed to redirect stdout: $!";
206 open(STDERR
, ">&STDOUT");
208 my $execcmd = "echo test | ".$self->execute
209 ." s_client -engine ossltest -connect "
210 .($self->proxy_addr).":".($self->proxy_port);
211 if ($self->cipherc ne "") {
212 $execcmd .= " -cipher ".$self->cipherc;
214 if ($self->clientflags ne "") {
215 $execcmd .= " ".$self->clientflags;
221 # Wait for incoming connection from client
223 if(!($client_sock = $proxy_sock->accept())) {
224 warn "Failed accepting incoming connection: $!\n";
228 print "Connection opened\n";
230 # Now connect to the server
233 #We loop over this a few times because sometimes s_server can take a while
236 my $servaddr = $self->server_addr;
237 $servaddr =~ s/[\[\]]//g; # Remove [ and ]
239 $server_sock = $IP_factory->(
240 PeerAddr
=> $servaddr,
241 PeerPort
=> $self->server_port,
248 #Some buggy IP factories can return a defined server_sock that hasn't
249 #actually connected, so we check peerport too
250 if ($@
|| !defined($server_sock) || !defined($server_sock->peerport)) {
251 $server_sock->close() if defined($server_sock);
254 #Sleep for a short while
255 select(undef, undef, undef, 0.1);
257 warn "Failed to start up server (".$servaddr.",".$self->server_port."): $!\n";
261 } while (!$server_sock);
263 my $sel = IO
::Select
->new($server_sock, $client_sock);
265 my @handles = ($server_sock, $client_sock);
267 #Wait for either the server socket or the client socket to become readable
269 while(!(TLSProxy
::Message
->end) && (@ready = $sel->can_read)) {
270 foreach my $hand (@ready) {
271 if ($hand == $server_sock) {
272 $server_sock->sysread($indata, 16384) or goto END;
273 $indata = $self->process_packet(1, $indata);
274 $client_sock->syswrite($indata);
275 } elsif ($hand == $client_sock) {
276 $client_sock->sysread($indata, 16384) or goto END;
277 $indata = $self->process_packet(0, $indata);
278 $server_sock->syswrite($indata);
287 print "Connection closed\n";
289 $server_sock->close();
292 #Closing this also kills the child process
293 $client_sock->close();
296 $proxy_sock->close();
301 $self->serverconnects($self->serverconnects - 1);
302 if ($self->serverconnects == 0) {
303 die "serverpid is zero\n" if $self->serverpid == 0;
304 print "Waiting for server process to close: "
305 .$self->serverpid."\n";
306 waitpid( $self->serverpid, 0);
313 my ($self, $server, $packet) = @_;
320 print "Received server packet\n";
322 print "Received client packet\n";
325 print "Packet length = ".length($packet)."\n";
326 print "Processing flight ".$self->flight."\n";
328 #Return contains the list of record found in the packet followed by the
329 #list of messages in those records
330 my @ret = TLSProxy
::Record
->get_records($server, $self->flight, $packet);
331 push @
{$self->record_list}, @
{$ret[0]};
332 push @
{$self->{message_list
}}, @
{$ret[1]};
336 #Finished parsing. Call user provided filter here
337 if(defined $self->filter) {
338 $self->filter->($self);
341 #Reconstruct the packet
343 foreach my $record (@
{$self->record_list}) {
344 #We only replay the records for the current flight
345 if ($record->flight != $self->flight) {
348 $packet .= $record->reconstruct_record($server);
351 $self->{flight
} = $self->{flight
} + 1;
353 print "Forwarded packet length = ".length($packet)."\n\n";
362 return $self->{execute
};
367 return $self->{cert
};
372 return $self->{debug
};
377 return $self->{flight
};
382 return $self->{record_list
};
387 return $self->{success
};
400 #Read/write accessors
405 $self->{proxy_addr
} = shift;
407 return $self->{proxy_addr
};
413 $self->{proxy_port
} = shift;
415 return $self->{proxy_port
};
421 $self->{server_addr
} = shift;
423 return $self->{server_addr
};
429 $self->{server_port
} = shift;
431 return $self->{server_port
};
437 $self->{filter
} = shift;
439 return $self->{filter
};
445 $self->{cipherc
} = shift;
447 return $self->{cipherc
};
453 $self->{ciphers
} = shift;
455 return $self->{ciphers
};
461 $self->{serverflags
} = shift;
463 return $self->{serverflags
};
469 $self->{clientflags
} = shift;
471 return $self->{clientflags
};
477 $self->{serverconnects
} = shift;
479 return $self->{serverconnects
};
481 # This is a bit ugly because the caller is responsible for keeping the records
482 # in sync with the updated message list; simply updating the message list isn't
483 # sufficient to get the proxy to forward the new message.
484 # But it does the trick for the one test (test_sslsessiontick) that needs it.
489 $self->{message_list
} = shift;
491 return $self->{message_list
};
497 $self->{serverpid
} = shift;
499 return $self->{serverpid
};
506 for (my $i = 0; $i < $length; $i++) {