dca97e9bfd
Reviewed-by: Richard Levitte <levitte@openssl.org>
506 lines
13 KiB
Perl
506 lines
13 KiB
Perl
# Written by Matt Caswell for the OpenSSL project.
|
|
# ====================================================================
|
|
# Copyright (c) 1998-2015 The OpenSSL Project. All rights reserved.
|
|
#
|
|
# Redistribution and use in source and binary forms, with or without
|
|
# modification, are permitted provided that the following conditions
|
|
# are met:
|
|
#
|
|
# 1. Redistributions of source code must retain the above copyright
|
|
# notice, this list of conditions and the following disclaimer.
|
|
#
|
|
# 2. Redistributions in binary form must reproduce the above copyright
|
|
# notice, this list of conditions and the following disclaimer in
|
|
# the documentation and/or other materials provided with the
|
|
# distribution.
|
|
#
|
|
# 3. All advertising materials mentioning features or use of this
|
|
# software must display the following acknowledgment:
|
|
# "This product includes software developed by the OpenSSL Project
|
|
# for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
|
|
#
|
|
# 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
|
|
# endorse or promote products derived from this software without
|
|
# prior written permission. For written permission, please contact
|
|
# openssl-core@openssl.org.
|
|
#
|
|
# 5. Products derived from this software may not be called "OpenSSL"
|
|
# nor may "OpenSSL" appear in their names without prior written
|
|
# permission of the OpenSSL Project.
|
|
#
|
|
# 6. Redistributions of any form whatsoever must retain the following
|
|
# acknowledgment:
|
|
# "This product includes software developed by the OpenSSL Project
|
|
# for use in the OpenSSL Toolkit (http://www.openssl.org/)"
|
|
#
|
|
# THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
|
|
# EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
|
|
# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
|
# OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
# ====================================================================
|
|
#
|
|
# This product includes cryptographic software written by Eric Young
|
|
# (eay@cryptsoft.com). This product includes software written by Tim
|
|
# Hudson (tjh@cryptsoft.com).
|
|
|
|
use strict;
|
|
|
|
package TLSProxy::Proxy;
|
|
|
|
use File::Spec;
|
|
use IO::Socket;
|
|
use IO::Select;
|
|
use TLSProxy::Record;
|
|
use TLSProxy::Message;
|
|
use TLSProxy::ClientHello;
|
|
use TLSProxy::ServerHello;
|
|
use TLSProxy::ServerKeyExchange;
|
|
use TLSProxy::NewSessionTicket;
|
|
|
|
my $have_IPv6 = 0;
|
|
my $IP_factory;
|
|
|
|
sub new
|
|
{
|
|
my $class = shift;
|
|
my ($filter,
|
|
$execute,
|
|
$cert,
|
|
$debug) = @_;
|
|
|
|
my $self = {
|
|
#Public read/write
|
|
proxy_addr => "localhost",
|
|
proxy_port => 4453,
|
|
server_addr => "localhost",
|
|
server_port => 4443,
|
|
filter => $filter,
|
|
serverflags => "",
|
|
clientflags => "",
|
|
serverconnects => 1,
|
|
|
|
#Public read
|
|
execute => $execute,
|
|
cert => $cert,
|
|
debug => $debug,
|
|
cipherc => "",
|
|
ciphers => "AES128-SHA",
|
|
flight => 0,
|
|
record_list => [],
|
|
message_list => [],
|
|
};
|
|
|
|
# IO::Socket::IP is on the core module list, IO::Socket::INET6 isn't.
|
|
# However, IO::Socket::INET6 is older and is said to be more widely
|
|
# deployed for the moment, and may have less bugs, so we try the latter
|
|
# first, then fall back on the code modules. Worst case scenario, we
|
|
# fall back to IO::Socket::INET, only supports IPv4.
|
|
eval {
|
|
require IO::Socket::INET6;
|
|
my $s = IO::Socket::INET6->new(
|
|
LocalAddr => "::1",
|
|
LocalPort => 0,
|
|
Listen=>1,
|
|
);
|
|
$s or die "\n";
|
|
$s->close();
|
|
};
|
|
if ($@ eq "") {
|
|
$IP_factory = sub { IO::Socket::INET6->new(@_); };
|
|
$have_IPv6 = 1;
|
|
} else {
|
|
eval {
|
|
require IO::Socket::IP;
|
|
my $s = IO::Socket::IP->new(
|
|
LocalAddr => "::1",
|
|
LocalPort => 0,
|
|
Listen=>1,
|
|
);
|
|
$s or die "\n";
|
|
$s->close();
|
|
};
|
|
if ($@ eq "") {
|
|
$IP_factory = sub { IO::Socket::IP->new(@_); };
|
|
$have_IPv6 = 1;
|
|
} else {
|
|
$IP_factory = sub { IO::Socket::INET->new(@_); };
|
|
}
|
|
}
|
|
|
|
return bless $self, $class;
|
|
}
|
|
|
|
sub clear
|
|
{
|
|
my $self = shift;
|
|
|
|
$self->{cipherc} = "";
|
|
$self->{ciphers} = "AES128-SHA";
|
|
$self->{flight} = 0;
|
|
$self->{record_list} = [];
|
|
$self->{message_list} = [];
|
|
$self->{serverflags} = "";
|
|
$self->{clientflags} = "";
|
|
$self->{serverconnects} = 1;
|
|
|
|
TLSProxy::Message->clear();
|
|
TLSProxy::Record->clear();
|
|
}
|
|
|
|
sub restart
|
|
{
|
|
my $self = shift;
|
|
|
|
$self->clear;
|
|
$self->start;
|
|
}
|
|
|
|
sub clientrestart
|
|
{
|
|
my $self = shift;
|
|
|
|
$self->clear;
|
|
$self->clientstart;
|
|
}
|
|
|
|
sub start
|
|
{
|
|
my ($self) = shift;
|
|
my $pid;
|
|
|
|
$pid = fork();
|
|
if ($pid == 0) {
|
|
if (!$self->debug) {
|
|
open(STDOUT, ">", File::Spec->devnull())
|
|
or die "Failed to redirect stdout: $!";
|
|
open(STDERR, ">&STDOUT");
|
|
}
|
|
my $execcmd = $self->execute
|
|
." s_server -no_comp -rev -engine ossltest -accept "
|
|
.($self->server_port)
|
|
." -cert ".$self->cert." -naccept ".$self->serverconnects;
|
|
if ($self->ciphers ne "") {
|
|
$execcmd .= " -cipher ".$self->ciphers;
|
|
}
|
|
if ($self->serverflags ne "") {
|
|
$execcmd .= " ".$self->serverflags;
|
|
}
|
|
exec($execcmd);
|
|
}
|
|
|
|
$self->clientstart;
|
|
}
|
|
|
|
sub clientstart
|
|
{
|
|
my ($self) = shift;
|
|
my $oldstdout;
|
|
|
|
if(!$self->debug) {
|
|
open DEVNULL, ">", File::Spec->devnull();
|
|
$oldstdout = select(DEVNULL);
|
|
}
|
|
|
|
# Create the Proxy socket
|
|
my $proxaddr = $self->proxy_addr;
|
|
$proxaddr =~ s/[\[\]]//g; # Remove [ and ]
|
|
my $proxy_sock = $IP_factory->(
|
|
LocalHost => $proxaddr,
|
|
LocalPort => $self->proxy_port,
|
|
Proto => "tcp",
|
|
Listen => SOMAXCONN,
|
|
ReuseAddr => 1
|
|
);
|
|
|
|
if ($proxy_sock) {
|
|
print "Proxy started on port ".$self->proxy_port."\n";
|
|
} else {
|
|
die "Failed creating proxy socket (".$proxaddr.",".$self->proxy_port."): $!\n";
|
|
}
|
|
|
|
if ($self->execute) {
|
|
my $pid = fork();
|
|
if ($pid == 0) {
|
|
if (!$self->debug) {
|
|
open(STDOUT, ">", File::Spec->devnull())
|
|
or die "Failed to redirect stdout: $!";
|
|
open(STDERR, ">&STDOUT");
|
|
}
|
|
my $execcmd = "echo test | ".$self->execute
|
|
." s_client -engine ossltest -connect "
|
|
.($self->proxy_addr).":".($self->proxy_port);
|
|
if ($self->cipherc ne "") {
|
|
$execcmd .= " -cipher ".$self->cipherc;
|
|
}
|
|
if ($self->clientflags ne "") {
|
|
$execcmd .= " ".$self->clientflags;
|
|
}
|
|
exec($execcmd);
|
|
}
|
|
}
|
|
|
|
# Wait for incoming connection from client
|
|
my $client_sock = $proxy_sock->accept()
|
|
or die "Failed accepting incoming connection: $!\n";
|
|
|
|
print "Connection opened\n";
|
|
|
|
# Now connect to the server
|
|
my $retry = 3;
|
|
my $server_sock;
|
|
#We loop over this a few times because sometimes s_server can take a while
|
|
#to start up
|
|
do {
|
|
my $servaddr = $self->server_addr;
|
|
$servaddr =~ s/[\[\]]//g; # Remove [ and ]
|
|
$server_sock = $IP_factory->(
|
|
PeerAddr => $servaddr,
|
|
PeerPort => $self->server_port,
|
|
MultiHomed => 1,
|
|
Proto => 'tcp'
|
|
);
|
|
|
|
$retry--;
|
|
if ($@ || !defined($server_sock)) {
|
|
$server_sock->close() if defined($server_sock);
|
|
undef $server_sock;
|
|
if ($retry) {
|
|
#Sleep for a short while
|
|
select(undef, undef, undef, 0.1);
|
|
} else {
|
|
die "Failed to start up server (".$servaddr.",".$self->server_port."): $!\n";
|
|
}
|
|
}
|
|
} while (!$server_sock);
|
|
|
|
my $sel = IO::Select->new($server_sock, $client_sock);
|
|
my $indata;
|
|
my @handles = ($server_sock, $client_sock);
|
|
|
|
#Wait for either the server socket or the client socket to become readable
|
|
my @ready;
|
|
while(!(TLSProxy::Message->end) && (@ready = $sel->can_read)) {
|
|
foreach my $hand (@ready) {
|
|
if ($hand == $server_sock) {
|
|
$server_sock->sysread($indata, 16384) or goto END;
|
|
$indata = $self->process_packet(1, $indata);
|
|
$client_sock->syswrite($indata);
|
|
} elsif ($hand == $client_sock) {
|
|
$client_sock->sysread($indata, 16384) or goto END;
|
|
$indata = $self->process_packet(0, $indata);
|
|
$server_sock->syswrite($indata);
|
|
} else {
|
|
print "Err\n";
|
|
goto END;
|
|
}
|
|
}
|
|
}
|
|
|
|
END:
|
|
print "Connection closed\n";
|
|
if($server_sock) {
|
|
$server_sock->close();
|
|
}
|
|
if($client_sock) {
|
|
#Closing this also kills the child process
|
|
$client_sock->close();
|
|
}
|
|
if($proxy_sock) {
|
|
$proxy_sock->close();
|
|
}
|
|
if(!$self->debug) {
|
|
select($oldstdout);
|
|
}
|
|
}
|
|
|
|
sub process_packet
|
|
{
|
|
my ($self, $server, $packet) = @_;
|
|
my $len_real;
|
|
my $decrypt_len;
|
|
my $data;
|
|
my $recnum;
|
|
|
|
if ($server) {
|
|
print "Received server packet\n";
|
|
} else {
|
|
print "Received client packet\n";
|
|
}
|
|
|
|
print "Packet length = ".length($packet)."\n";
|
|
print "Processing flight ".$self->flight."\n";
|
|
|
|
#Return contains the list of record found in the packet followed by the
|
|
#list of messages in those records
|
|
my @ret = TLSProxy::Record->get_records($server, $self->flight, $packet);
|
|
push @{$self->record_list}, @{$ret[0]};
|
|
push @{$self->{message_list}}, @{$ret[1]};
|
|
|
|
print "\n";
|
|
|
|
#Finished parsing. Call user provided filter here
|
|
if(defined $self->filter) {
|
|
$self->filter->($self);
|
|
}
|
|
|
|
#Reconstruct the packet
|
|
$packet = "";
|
|
foreach my $record (@{$self->record_list}) {
|
|
#We only replay the records for the current flight
|
|
if ($record->flight != $self->flight) {
|
|
next;
|
|
}
|
|
$packet .= $record->reconstruct_record();
|
|
}
|
|
|
|
$self->{flight} = $self->{flight} + 1;
|
|
|
|
print "Forwarded packet length = ".length($packet)."\n\n";
|
|
|
|
return $packet;
|
|
}
|
|
|
|
#Read accessors
|
|
sub execute
|
|
{
|
|
my $self = shift;
|
|
return $self->{execute};
|
|
}
|
|
sub cert
|
|
{
|
|
my $self = shift;
|
|
return $self->{cert};
|
|
}
|
|
sub debug
|
|
{
|
|
my $self = shift;
|
|
return $self->{debug};
|
|
}
|
|
sub flight
|
|
{
|
|
my $self = shift;
|
|
return $self->{flight};
|
|
}
|
|
sub record_list
|
|
{
|
|
my $self = shift;
|
|
return $self->{record_list};
|
|
}
|
|
sub success
|
|
{
|
|
my $self = shift;
|
|
return $self->{success};
|
|
}
|
|
sub end
|
|
{
|
|
my $self = shift;
|
|
return $self->{end};
|
|
}
|
|
sub supports_IPv6
|
|
{
|
|
my $self = shift;
|
|
return $have_IPv6;
|
|
}
|
|
|
|
#Read/write accessors
|
|
sub proxy_addr
|
|
{
|
|
my $self = shift;
|
|
if (@_) {
|
|
$self->{proxy_addr} = shift;
|
|
}
|
|
return $self->{proxy_addr};
|
|
}
|
|
sub proxy_port
|
|
{
|
|
my $self = shift;
|
|
if (@_) {
|
|
$self->{proxy_port} = shift;
|
|
}
|
|
return $self->{proxy_port};
|
|
}
|
|
sub server_addr
|
|
{
|
|
my $self = shift;
|
|
if (@_) {
|
|
$self->{server_addr} = shift;
|
|
}
|
|
return $self->{server_addr};
|
|
}
|
|
sub server_port
|
|
{
|
|
my $self = shift;
|
|
if (@_) {
|
|
$self->{server_port} = shift;
|
|
}
|
|
return $self->{server_port};
|
|
}
|
|
sub filter
|
|
{
|
|
my $self = shift;
|
|
if (@_) {
|
|
$self->{filter} = shift;
|
|
}
|
|
return $self->{filter};
|
|
}
|
|
sub cipherc
|
|
{
|
|
my $self = shift;
|
|
if (@_) {
|
|
$self->{cipherc} = shift;
|
|
}
|
|
return $self->{cipherc};
|
|
}
|
|
sub ciphers
|
|
{
|
|
my $self = shift;
|
|
if (@_) {
|
|
$self->{ciphers} = shift;
|
|
}
|
|
return $self->{ciphers};
|
|
}
|
|
sub serverflags
|
|
{
|
|
my $self = shift;
|
|
if (@_) {
|
|
$self->{serverflags} = shift;
|
|
}
|
|
return $self->{serverflags};
|
|
}
|
|
sub clientflags
|
|
{
|
|
my $self = shift;
|
|
if (@_) {
|
|
$self->{clientflags} = shift;
|
|
}
|
|
return $self->{clientflags};
|
|
}
|
|
sub serverconnects
|
|
{
|
|
my $self = shift;
|
|
if (@_) {
|
|
$self->{serverconnects} = shift;
|
|
}
|
|
return $self->{serverconnects};
|
|
}
|
|
# This is a bit ugly because the caller is responsible for keeping the records
|
|
# in sync with the updated message list; simply updating the message list isn't
|
|
# sufficient to get the proxy to forward the new message.
|
|
# But it does the trick for the one test (test_sslsessiontick) that needs it.
|
|
sub message_list
|
|
{
|
|
my $self = shift;
|
|
if (@_) {
|
|
$self->{message_list} = shift;
|
|
}
|
|
return $self->{message_list};
|
|
}
|
|
1;
|