]>
git.ipfire.org Git - thirdparty/openssl.git/blob - util/perl/TLSProxy/Proxy.pm
1 # Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
3 # Licensed under the Apache License 2.0 (the "License"). You may not use
4 # this file except in compliance with the License. You can obtain a copy
5 # in the file LICENSE in the source distribution or at
6 # https://www.openssl.org/source/license.html
9 use POSIX
":sys_wait_h";
11 package TLSProxy
::Proxy
;
17 use TLSProxy
::Message
;
18 use TLSProxy
::ClientHello
;
19 use TLSProxy
::ServerHello
;
20 use TLSProxy
::EncryptedExtensions
;
21 use TLSProxy
::Certificate
;
22 use TLSProxy
::CertificateVerify
;
23 use TLSProxy
::ServerKeyExchange
;
24 use TLSProxy
::NewSessionTicket
;
31 # IO::Socket::IP is on the core module list, IO::Socket::INET6 isn't.
32 # However, IO::Socket::INET6 is older and is said to be more widely
33 # deployed for the moment, and may have less bugs, so we try the latter
34 # first, then fall back on the core modules. Worst case scenario, we
35 # fall back to IO::Socket::INET, only supports IPv4.
37 require IO
::Socket
::INET6
;
38 my $s = IO
::Socket
::INET6
->new(
47 $IP_factory = sub { IO
::Socket
::INET6
->new(Domain
=> AF_INET6
, @_); };
51 require IO
::Socket
::IP
;
52 my $s = IO
::Socket
::IP
->new(
61 $IP_factory = sub { IO
::Socket
::IP
->new(@_); };
64 $IP_factory = sub { IO
::Socket
::INET
->new(@_); };
71 my $ciphersuite = undef;
83 proxy_addr
=> $have_IPv6 ?
"[::1]" : "127.0.0.1",
101 ciphers
=> "AES128-SHA",
102 ciphersuitess
=> "TLS_AES_128_GCM_SHA256",
110 # Create the Proxy socket
111 my $proxaddr = $self->{proxy_addr
};
112 $proxaddr =~ s/[\[\]]//g; # Remove [ and ]
114 LocalHost
=> $proxaddr,
120 if (my $sock = $IP_factory->(@proxyargs)) {
121 $self->{proxy_sock
} = $sock;
122 $self->{proxy_port
} = $sock->sockport();
123 $self->{proxy_addr
} = $sock->sockhost();
124 $self->{proxy_addr
} =~ s/(.*:.*)/[$1]/;
125 print "Proxy started on port ",
126 "$self->{proxy_addr}:$self->{proxy_port}\n";
127 # use same address for s_server
128 $self->{server_addr
} = $self->{proxy_addr
};
130 warn "Failed creating proxy socket (".$proxaddr.",0): $!\n";
133 return bless $self, $class;
140 $self->{proxy_sock
}->close() if $self->{proxy_sock
};
147 $self->{cipherc
} = "";
148 $self->{ciphersuitec
} = "";
149 $self->{flight
} = -1;
150 $self->{direction
} = -1;
151 $self->{partial
} = ["", ""];
152 $self->{record_list
} = [];
153 $self->{message_list
} = [];
154 $self->{clientflags
} = "";
155 $self->{sessionfile
} = undef;
156 $self->{clientpid
} = 0;
158 $ciphersuite = undef;
160 TLSProxy
::Message
->clear();
161 TLSProxy
::Record
->clear();
169 $self->{ciphers
} = "AES128-SHA";
170 $self->{ciphersuitess
} = "TLS_AES_128_GCM_SHA256";
171 $self->{serverflags
} = "";
172 $self->{serverconnects
} = 1;
173 $self->{serverpid
} = 0;
193 sub connect_to_server
196 my $servaddr = $self->{server_addr
};
198 $servaddr =~ s/[\[\]]//g; # Remove [ and ]
200 my $sock = $IP_factory->(PeerAddr
=> $servaddr,
201 PeerPort
=> $self->{server_port
},
203 if (!defined($sock)) {
205 kill(3, $self->{real_serverpid
});
206 die "unable to connect: $err\n";
209 $self->{server_sock
} = $sock;
217 if ($self->{proxy_sock
} == 0) {
221 my $execcmd = $self->execute
222 ." s_server -max_protocol TLSv1.3 -no_comp -rev -engine ossltest"
223 #In TLSv1.3 we issue two session tickets. The default session id
224 #callback gets confused because the ossltest engine causes the same
225 #session id to be created twice due to the changed random number
226 #generation. Using "-ext_cache" replaces the default callback with a
227 #different one that doesn't get confused.
229 ." -accept $self->{server_addr}:0"
230 ." -cert ".$self->cert." -cert2 ".$self->cert
231 ." -naccept ".$self->serverconnects;
232 if ($self->ciphers ne "") {
233 $execcmd .= " -cipher ".$self->ciphers;
235 if ($self->ciphersuitess ne "") {
236 $execcmd .= " -ciphersuites ".$self->ciphersuitess;
238 if ($self->serverflags ne "") {
239 $execcmd .= " ".$self->serverflags;
242 print STDERR
"Server command: $execcmd\n";
245 open(my $savedin, "<&STDIN");
247 # Temporarily replace STDIN so that sink process can inherit it...
248 $pid = open(STDIN
, "$execcmd 2>&1 |") or die "Failed to $execcmd: $!\n";
249 $self->{real_serverpid
} = $pid;
251 # Process the output from s_server until we find the ACCEPT line, which
252 # tells us what the accepting address and port are.
255 s/\R$//; # Better chomp
256 next unless (/^ACCEPT\s.*:(\d+)$/);
257 $self->{server_port
} = $1;
261 if ($self->{server_port
} == 0) {
262 # This actually means that s_server exited, because otherwise
263 # we would still searching for ACCEPT...
265 die "no ACCEPT detected in '$execcmd' output: $?\n";
268 # Just make sure everything else is simply printed [as separate lines].
269 # The sub process simply inherits our STD* and will keep consuming
270 # server's output and printing it as long as there is anything there,
274 if (eval { require Win32
::Process
; 1; }) {
275 if (Win32
::Process
::Create
(my $h, $^X
, "perl -ne print", 0, 0, ".")) {
276 $pid = $h->GetProcessID();
277 $self->{proc_handle
} = $h; # hold handle till next round [or exit]
279 $error = Win32
::FormatMessage
(Win32
::GetLastError
());
282 if (defined($pid = fork)) {
283 $pid or exec("$^X -ne print") or exit($!);
289 # Change back to original stdin
290 open(STDIN
, "<&", $savedin);
293 if (!defined($pid)) {
294 kill(3, $self->{real_serverpid
});
295 die "Failed to capture s_server's output: $error\n";
298 $self->{serverpid
} = $pid;
300 print STDERR
"Server responds on ",
301 "$self->{server_addr}:$self->{server_port}\n";
303 # Connect right away...
304 $self->connect_to_server();
306 return $self->clientstart;
313 if ($self->execute) {
315 my $execcmd = $self->execute
316 ." s_client -max_protocol TLSv1.3 -engine ossltest"
317 ." -connect $self->{proxy_addr}:$self->{proxy_port}";
318 if ($self->cipherc ne "") {
319 $execcmd .= " -cipher ".$self->cipherc;
321 if ($self->ciphersuitesc ne "") {
322 $execcmd .= " -ciphersuites ".$self->ciphersuitesc;
324 if ($self->clientflags ne "") {
325 $execcmd .= " ".$self->clientflags;
327 if ($self->clientflags !~ m/-(no)?servername/) {
328 $execcmd .= " -servername localhost";
330 if (defined $self->sessionfile) {
331 $execcmd .= " -ign_eof";
334 print STDERR
"Client command: $execcmd\n";
337 open(my $savedout, ">&STDOUT");
338 # If we open pipe with new descriptor, attempt to close it,
339 # explicitly or implicitly, would incur waitpid and effectively
341 if (!($pid = open(STDOUT
, "| $execcmd"))) {
343 kill(3, $self->{real_serverpid
});
344 die "Failed to $execcmd: $err\n";
346 $self->{clientpid
} = $pid;
348 # queue [magic] input
349 print $self->reneg ?
"R" : "test";
351 # this closes client's stdin without waiting for its pid
352 open(STDOUT
, ">&", $savedout);
356 # Wait for incoming connection from client
357 my $fdset = IO
::Select
->new($self->{proxy_sock
});
358 if (!$fdset->can_read(60)) {
359 kill(3, $self->{real_serverpid
});
360 die "s_client didn't try to connect\n";
364 if(!($client_sock = $self->{proxy_sock
}->accept())) {
365 warn "Failed accepting incoming connection: $!\n";
369 print "Connection opened\n";
371 my $server_sock = $self->{server_sock
};
374 #Wait for either the server socket or the client socket to become readable
375 $fdset = IO
::Select
->new($server_sock, $client_sock);
378 local $SIG{PIPE
} = "IGNORE";
379 $self->{saw_session_ticket
} = undef;
380 while($fdset->count && $ctr < 10) {
381 if (defined($self->{sessionfile
})) {
382 # s_client got -ign_eof and won't be exiting voluntarily, so we
383 # look for data *and* session ticket...
384 last if TLSProxy
::Message
->success()
385 && $self->{saw_session_ticket
};
387 if (!(@ready = $fdset->can_read(1))) {
391 foreach my $hand (@ready) {
392 if ($hand == $server_sock) {
393 if ($server_sock->sysread($indata, 16384)) {
394 if ($indata = $self->process_packet(1, $indata)) {
395 $client_sock->syswrite($indata) or goto END;
399 $fdset->remove($server_sock);
400 $client_sock->shutdown(SHUT_WR
);
402 } elsif ($hand == $client_sock) {
403 if ($client_sock->sysread($indata, 16384)) {
404 if ($indata = $self->process_packet(0, $indata)) {
405 $server_sock->syswrite($indata) or goto END;
409 $fdset->remove($client_sock);
410 $server_sock->shutdown(SHUT_WR
);
413 kill(3, $self->{real_serverpid
});
414 die "Unexpected handle";
420 kill(3, $self->{real_serverpid
});
421 die "No progress made";
425 print "Connection closed\n";
427 $server_sock->close();
428 $self->{server_sock
} = undef;
431 #Closing this also kills the child process
432 $client_sock->close();
436 if (--$self->{serverconnects
} == 0) {
437 $pid = $self->{serverpid
};
438 print "Waiting for 'perl -ne print' process to close: $pid...\n";
439 $pid = waitpid($pid, 0);
441 die "exit code $? from 'perl -ne print' process\n" if $?
!= 0;
442 } elsif ($pid == 0) {
443 kill(3, $self->{real_serverpid
});
444 die "lost control over $self->{serverpid}?";
446 $pid = $self->{real_serverpid
};
447 print "Waiting for s_server process to close: $pid...\n";
448 # it's done already, just collect the exit code [and reap]...
450 die "exit code $? from s_server process\n" if $?
!= 0;
452 # It's a bit counter-intuitive spot to make next connection to
453 # the s_server. Rationale is that established connection works
454 # as syncronization point, in sense that this way we know that
455 # s_server is actually done with current session...
456 $self->connect_to_server();
458 $pid = $self->{clientpid
};
459 print "Waiting for s_client process to close: $pid...\n";
467 my ($self, $server, $packet) = @_;
474 print "Received server packet\n";
476 print "Received client packet\n";
479 if ($self->{direction
} != $server) {
480 $self->{flight
} = $self->{flight
} + 1;
481 $self->{direction
} = $server;
484 print "Packet length = ".length($packet)."\n";
485 print "Processing flight ".$self->flight."\n";
487 #Return contains the list of record found in the packet followed by the
488 #list of messages in those records and any partial message
489 my @ret = TLSProxy
::Record
->get_records($server, $self->flight,
490 $self->{partial
}[$server].$packet);
491 $self->{partial
}[$server] = $ret[2];
492 push @
{$self->{record_list
}}, @
{$ret[0]};
493 push @
{$self->{message_list
}}, @
{$ret[1]};
497 if (scalar(@
{$ret[0]}) == 0 or length($ret[2]) != 0) {
501 #Finished parsing. Call user provided filter here
502 if (defined $self->filter) {
503 $self->filter->($self);
506 #Take a note on NewSessionTicket
507 foreach my $message (reverse @
{$self->{message_list
}}) {
508 if ($message->{mt
} == TLSProxy
::Message
::MT_NEW_SESSION_TICKET
) {
509 $self->{saw_session_ticket
} = 1;
514 #Reconstruct the packet
516 foreach my $record (@
{$self->record_list}) {
517 $packet .= $record->reconstruct_record($server);
520 print "Forwarded packet length = ".length($packet)."\n\n";
529 return $self->{execute
};
534 return $self->{cert
};
539 return $self->{debug
};
544 return $self->{flight
};
549 return $self->{record_list
};
554 return $self->{success
};
569 return $self->{proxy_addr
};
574 return $self->{proxy_port
};
579 return $self->{server_addr
};
584 return $self->{server_port
};
589 return $self->{serverpid
};
594 return $self->{clientpid
};
597 #Read/write accessors
602 $self->{filter
} = shift;
604 return $self->{filter
};
610 $self->{cipherc
} = shift;
612 return $self->{cipherc
};
618 $self->{ciphersuitesc
} = shift;
620 return $self->{ciphersuitesc
};
626 $self->{ciphers
} = shift;
628 return $self->{ciphers
};
634 $self->{ciphersuitess
} = shift;
636 return $self->{ciphersuitess
};
642 $self->{serverflags
} = shift;
644 return $self->{serverflags
};
650 $self->{clientflags
} = shift;
652 return $self->{clientflags
};
658 $self->{serverconnects
} = shift;
660 return $self->{serverconnects
};
662 # This is a bit ugly because the caller is responsible for keeping the records
663 # in sync with the updated message list; simply updating the message list isn't
664 # sufficient to get the proxy to forward the new message.
665 # But it does the trick for the one test (test_sslsessiontick) that needs it.
670 $self->{message_list
} = shift;
672 return $self->{message_list
};
679 for (my $i = 0; $i < $length; $i++) {
698 $self->{reneg
} = shift;
700 return $self->{reneg
};
703 #Setting a sessionfile means that the client will not close until the given
704 #file exists. This is useful in TLSv1.3 where otherwise s_client will close
705 #immediately at the end of the handshake, but before the session has been
706 #received from the server. A side effect of this is that s_client never sends
707 #a close_notify, so instead we consider success to be when it sends application
708 #data over the connection.
713 $self->{sessionfile
} = shift;
714 TLSProxy
::Message
->successondata(1);
716 return $self->{sessionfile
};
723 $ciphersuite = shift;