# Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

# TLSProxy::Proxy sits between an s_client and an s_server process started
# from the same OpenSSL binary ($execute).  It forwards the raw bytes in both
# directions, parses them into TLSProxy::Record / TLSProxy::Message objects,
# and hands each complete flight to a caller-supplied filter so tests can
# inspect or modify the handshake before it is forwarded.
#
# Process model (see start() and clientstart()):
#   s_server  <-- server_sock -- proxy -- proxy_sock/client_sock -->  s_client
# plus a "perl -ne print" sink child that drains s_server's stdout so the
# server never blocks on a full pipe.

use strict;
use POSIX ":sys_wait_h";

package TLSProxy::Proxy;

use File::Spec;
use IO::Socket;
use IO::Select;
use TLSProxy::Record;
use TLSProxy::Message;
use TLSProxy::ClientHello;
use TLSProxy::ServerHello;
use TLSProxy::HelloVerifyRequest;
use TLSProxy::EncryptedExtensions;
use TLSProxy::Certificate;
use TLSProxy::CertificateRequest;
use TLSProxy::CertificateVerify;
use TLSProxy::ServerKeyExchange;
use TLSProxy::NewSessionTicket;
use TLSProxy::NextProto;

# Set once by the BEGIN block below and never changed afterwards:
#   $have_IPv6  - 1 if a listening socket on ::1 could be created at load time
#   $useINET6   - 1 if IO::Socket::INET6 is the implementation in use
#   $IP_factory - coderef that builds whichever IO::Socket flavour was chosen
my $have_IPv6;
my $useINET6;
my $IP_factory;

BEGIN
{
    # IO::Socket::IP is on the core module list, IO::Socket::INET6 isn't.
    # However, IO::Socket::INET6 is older and is said to be more widely
    # deployed for the moment, and may have less bugs, so we try the latter
    # first, then fall back on the core modules.  Worst case scenario, we
    # fall back to IO::Socket::INET, only supports IPv4.
    #
    # Each probe actually binds a listening socket on [::1]:0 rather than
    # only checking that the module loads, so "$have_IPv6" means the host
    # really has a usable loopback v6 address.  "die "\n"" keeps $@ non-empty
    # without attaching a file/line to the message; the "$@ eq """ test
    # below relies on eval clearing $@ on success.
    eval {
        require IO::Socket::INET6;
        my $s = IO::Socket::INET6->new(
            LocalAddr => "::1",
            LocalPort => 0,
            Listen=>1,
            );
        $s or die "\n";
        $s->close();
    };
    if ($@ eq "") {
        $IP_factory = sub { IO::Socket::INET6->new(Domain => AF_INET6, @_); };
        $have_IPv6 = 1;
        $useINET6 = 1;
    } else {
        eval {
            require IO::Socket::IP;
            my $s = IO::Socket::IP->new(
                LocalAddr => "::1",
                LocalPort => 0,
                Listen=>1,
                );
            $s or die "\n";
            $s->close();
        };
        if ($@ eq "") {
            $IP_factory = sub { IO::Socket::IP->new(@_); };
            $have_IPv6 = 1;
            $useINET6 = 0;
        } else {
            # IPv4 only; init() then uses 127.0.0.1 instead of [::1].
            $IP_factory = sub { IO::Socket::INET->new(@_); };
            $have_IPv6 = 0;
            $useINET6 = 0;
        }
    }
}

# Package-wide (not per-instance) state, exposed through the class accessors
# is_tls13() and ciphersuite() and reset by clearClient().  Only one proxy
# instance can therefore be meaningfully active at a time.
my $is_tls13 = 0;
my $ciphersuite = undef;

# Constructor for a TLS proxy.
#   $filter  - coderef called with $self after every complete flight (may be undef)
#   $execute - path to the openssl binary used to spawn s_server/s_client
#   $cert    - certificate file handed to s_server via -cert/-cert2
#   $debug   - when true, the spawned command lines are echoed to STDERR
sub new {
    my $class = shift;
    my ($filter,
        $execute,
        $cert,
        $debug) = @_;
    return init($class, $filter, $execute, $cert, $debug, 0);
}

# Constructor for a DTLS proxy; same arguments as new(), but the proxy and
# both child processes are started with UDP / -dtls.
sub new_dtls {
    my $class = shift;
    my ($filter,
        $execute,
        $cert,
        $debug) = @_;
    return init($class, $filter, $execute, $cert, $debug, 1);
}

# Shared body of new() / new_dtls().  Picks a free client port and builds
# the blessed hash that holds all per-proxy state.  Dies if no usable port
# is found after 11 attempts.
sub init
{
    # NOTE(review): this re-probes IO::Socket::IP although the BEGIN block
    # already did so; the result only decides which class is used for the
    # *test bind* below, not for $IP_factory.  Looks redundant - confirm.
    my $useSockInet = 0;
    eval {
        require IO::Socket::IP;
        my $s = IO::Socket::IP->new(
            LocalAddr => "::1",
            LocalPort => 0,
            Listen=>1,
            );
        $s or die "\n";
        $s->close();
    };
    if ($@ eq "") {
        require IO::Socket::IP;
    } else {
        $useSockInet = 1;
    }

    my $class = shift;
    my ($filter,
        $execute,
        $cert,
        $debug,
        $isdtls) = @_;

    my $test_client_port;

    # Sometimes, our random selection of client ports gets unlucky
    # And we randomly select a port that's already in use.  This causes
    # this test to fail, so lets harden ourselves against that by doing
    # a test bind to the randomly selected port, and only continue once we
    # find a port that's available.
    #
    # The probe socket is closed again before s_client is started, so there
    # is still a window in which another process can grab the port; this is
    # best-effort, not a guarantee.  The port is drawn from the IANA dynamic
    # range 49152-65534.  NOTE(review): client_port appears to be consumed
    # only on the DTLS path (PeerPort in start(), -bind in clientstart());
    # for TLS s_client picks its own ephemeral port - confirm.
    my $test_client_addr = $have_IPv6 ? "[::1]" : "127.0.0.1";
    my $found_port = 0;
    for (my $i = 0; $i <= 10; $i++) {
        $test_client_port = 49152 + int(rand(65535 - 49152));
        my $test_sock;
        if ($useINET6 == 0) {
            if ($useSockInet == 0) {
                $test_sock = IO::Socket::IP->new(LocalPort => $test_client_port,
                                                 LocalAddr => $test_client_addr);
            } else {
                $test_sock = IO::Socket::INET->new(LocalAddr => $test_client_addr,
                                                   LocalPort => $test_client_port);
            }
        } else {
            $test_sock = IO::Socket::INET6->new(LocalAddr => $test_client_addr,
                                                LocalPort => $test_client_port,
                                                Domain => AF_INET6);
        }
        if ($test_sock) {
            $found_port = 1;
            $test_sock->close();
            print "Found available client port ${test_client_port}\n";
            last;
        }
        # IO::Socket constructors leave the failure reason in $@.
        print "Port ${test_client_port} in use - $@\n";
    }

    if ($found_port == 0) {
        die "Unable to find usable port for TLSProxy";
    }

    my $self = {
        #Public read/write
        proxy_addr => $test_client_addr,
        client_addr => $test_client_addr,
        filter => $filter,
        serverflags => "",
        clientflags => "",
        serverconnects => 1,      # how many s_client runs one s_server serves (-naccept)
        reneg => 0,               # when true the client is fed "R" (renegotiate) instead of data
        sessionfile => undef,

        #Public read
        isdtls => $isdtls,
        proxy_port => 0,          # filled in by start()
        client_port => $test_client_port,
        server_port => 0,         # parsed from s_server's ACCEPT line in start()
        serverpid => 0,           # pid of the "perl -ne print" sink, not of s_server
        clientpid => 0,
        execute => $execute,
        cert => $cert,
        debug => $debug,
        cipherc => "",
        ciphersuitesc => "",
        ciphers => "AES128-SHA",
        ciphersuitess => "TLS_AES_128_GCM_SHA256",
        flight => -1,             # incremented by process_packet() on each direction change
        direction => -1,          # 1 = last packet came from server, 0 = from client
        partial => ["", ""],      # unparsed tail per direction, indexed by $server (0/1)
        record_list => [],
        message_list => [],
    };

    return bless $self, $class;
}

# Close the listening/proxy socket when the object goes away.  Other sockets
# and child processes are cleaned up in clientstart().
sub DESTROY
{
    my $self = shift;

    $self->{proxy_sock}->close() if $self->{proxy_sock};
}

# Reset all client-side state so that another s_client can be run against
# the same s_server.  Also resets the package-wide TLS1.3/ciphersuite flags
# and the parsing state kept in TLSProxy::Message / TLSProxy::Record.
sub clearClient
{
    my $self = shift;

    $self->{cipherc} = "";
    $self->{ciphersuitec} = "";
    $self->{flight} = -1;
    $self->{direction} = -1;
    $self->{partial} = ["", ""];
    $self->{record_list} = [];
    $self->{message_list} = [];
    $self->{clientflags} = "";
    $self->{sessionfile} = undef;
    $self->{clientpid} = 0;
    $is_tls13 = 0;
    $ciphersuite = undef;

    TLSProxy::Message->clear();
    TLSProxy::Record->clear();
}

# Reset client and server configuration to the defaults set in init().
# NOTE(review): server_port is left untouched, so after a restart the
# "server_port == 0" check in start() still sees the previous value - confirm
# whether that is intended.
sub clear
{
    my $self = shift;

    $self->clearClient;
    $self->{ciphers} = "AES128-SHA";
    $self->{ciphersuitess} = "TLS_AES_128_GCM_SHA256";
    $self->{serverflags} = "";
    $self->{serverconnects} = 1;
    $self->{serverpid} = 0;
    $self->{reneg} = 0;
}

# Reset everything and start a fresh s_server + s_client pair.
sub restart
{
    my $self = shift;

    $self->clear;
    $self->start;
}

# Reset everything and run another s_client against the existing s_server.
sub clientrestart
{
    my $self = shift;

    $self->clear;
    $self->clientstart;
}

# Open the proxy's connection towards s_server (TCP connect, or a UDP socket
# with the server as peer for DTLS).  On failure the s_server child is sent
# SIGQUIT before dying so it does not linger.
sub connect_to_server
{
    my $self = shift;
    my $servaddr = $self->{server_addr};

    $servaddr =~ s/[\[\]]//g; # Remove [ and ]

    my $sock = $IP_factory->(PeerAddr => $servaddr,
                             PeerPort => $self->{server_port},
                             Proto => $self->{isdtls} ? 'udp' : 'tcp');
    if (!defined($sock)) {
        my $err = $!;
        kill(3, $self->{real_serverpid});
        die "unable to connect: $err\n";
    }

    $self->{server_sock} = $sock;
}

# Start the proxy socket, spawn s_server, learn its port from the ACCEPT
# line, spawn the output sink, connect to the server and finally run one
# client via clientstart().  Returns clientstart()'s result, or 0 if the
# proxy socket could not be created.
sub start
{
    my ($self) = shift;
    my $pid;

    # Create the Proxy socket
    my $proxaddr = $self->{proxy_addr};
    $proxaddr =~ s/[\[\]]//g; # Remove [ and ]
    my $clientaddr = $self->{client_addr};
    $clientaddr =~ s/[\[\]]//g; # Remove [ and ]

    my @proxyargs;

    if ($self->{isdtls}) {
        # UDP has no accept(); the socket is pre-bound to the client's
        # address/port chosen in init() so replies have somewhere to go.
        @proxyargs = (
            LocalHost => $proxaddr,
            LocalPort => 0,
            PeerHost => $clientaddr,
            PeerPort => $self->{client_port},
            Proto => "udp",
        );
    } else {
        @proxyargs = (
            LocalHost => $proxaddr,
            LocalPort => 0,
            Proto => "tcp",
            Listen => SOMAXCONN,
        );
    }

    if (my $sock = $IP_factory->(@proxyargs)) {
        $self->{proxy_sock} = $sock;
        $self->{proxy_port} = $sock->sockport();
        $self->{proxy_addr} = $sock->sockhost();
        # An address containing ':' is IPv6 - re-add the brackets so the
        # "addr:port" strings built below stay unambiguous.
        $self->{proxy_addr} =~ s/(.*:.*)/[$1]/;
        print "Proxy started on port ",
              "$self->{proxy_addr}:$self->{proxy_port}\n";
        # use same address for s_server
        $self->{server_addr} = $self->{proxy_addr};
    } else {
        warn "Failed creating proxy socket (".$proxaddr.",0): $!\n";
    }

    # proxy_sock is undef on failure; "== 0" treats undef as 0 (this file
    # runs without "use warnings", so no diagnostic is emitted).
    if ($self->{proxy_sock} == 0) {
        return 0;
    }

    # Build the s_server command line.  "-engine ossltest" gives the server
    # deterministic "randomness" so tests are reproducible; it is a test
    # engine, never to be used outside this harness.
    my $execcmd = $self->execute
        ." s_server -no_comp -engine ossltest -state"
        #In TLSv1.3 we issue two session tickets.  The default session id
        #callback gets confused because the ossltest engine causes the same
        #session id to be created twice due to the changed random number
        #generation.  Using "-ext_cache" replaces the default callback with a
        #different one that doesn't get confused.
        ." -ext_cache"
        ." -accept $self->{server_addr}:0"
        ." -cert ".$self->cert." -cert2 ".$self->cert
        ." -naccept ".$self->serverconnects;
    if ($self->{isdtls}) {
        $execcmd .= " -dtls -max_protocol DTLSv1.2"
                    # TLSProxy does not support message fragmentation.  So
                    # set a high mtu and fingers crossed.
                    ." -mtu 1500";
    } else {
        $execcmd .= " -rev -max_protocol TLSv1.3";
    }
    if ($self->ciphers ne "") {
        $execcmd .= " -cipher ".$self->ciphers;
    }
    if ($self->ciphersuitess ne "") {
        $execcmd .= " -ciphersuites ".$self->ciphersuitess;
    }
    if ($self->serverflags ne "") {
        $execcmd .= " ".$self->serverflags;
    }
    if ($self->debug) {
        print STDERR "Server command: $execcmd\n";
    }

    # Keep a dup of our real STDIN; the pipe opens below replace STDIN so
    # that the sink child started later inherits the server's output.
    open(my $savedin, "<&STDIN");

    # Temporarily replace STDIN so that sink process can inherit it...
    open(STDIN, "$^X -e 'sleep(10)' |") if $self->{isdtls};
    # Two-argument pipe open: because of the "2>&1" redirection the whole
    # string is handed to the shell, which also does the word splitting of
    # $execcmd.  NOTE(review): execute, cert, ciphers and serverflags are
    # therefore interpreted by /bin/sh unquoted; this assumes all of them are
    # supplied by the test harness itself - confirm no external input can
    # reach them.  $pid is the pid of the shell/s_server process.
    $pid = open(STDIN, "$execcmd 2>&1 |") or die "Failed to $execcmd: $!\n";
    $self->{real_serverpid} = $pid;

    # Process the output from s_server until we find the ACCEPT line, which
    # tells us what the accepting address and port are.
    # NOTE(review): "<>" reads from the files named in @ARGV when it is
    # non-empty and from STDIN only otherwise; this assumes the harness runs
    # with an empty @ARGV - confirm.
    while (<>) {
        print;
        s/\R$//;                # Better chomp
        next unless (/^ACCEPT\s.*:(\d+)$/);
        $self->{server_port} = $1;
        last;
    }

    if ($self->{server_port} == 0) {
        # This actually means that s_server exited, because otherwise
        # we would still searching for ACCEPT...
        waitpid($pid, 0);
        die "no ACCEPT detected in '$execcmd' output: $?\n";
    }

    # Just make sure everything else is simply printed [as separate lines].
    # The sub process simply inherits our STD* and will keep consuming
    # server's output and printing it as long as there is anything there,
    # out of our way.
    my $error;
    $pid = undef;
    if (eval { require Win32::Process; 1; }) {
        if (Win32::Process::Create(my $h, $^X, "perl -ne print", 0, 0, ".")) {
            $pid = $h->GetProcessID();
            $self->{proc_handle} = $h;  # hold handle till next round [or exit]
        } else {
            $error = Win32::FormatMessage(Win32::GetLastError());
        }
    } else {
        if (defined($pid = fork)) {
            # Child: become "perl -ne print", copying the inherited STDIN
            # (s_server's pipe) to STDOUT.  exit($!) only runs if exec fails.
            $pid or exec("$^X -ne print") or exit($!);
        } else {
            $error = $!;
        }
    }

    # Change back to original stdin
    open(STDIN, "<&", $savedin);
    close($savedin);

    if (!defined($pid)) {
        kill(3, $self->{real_serverpid});
        die "Failed to capture s_server's output: $error\n";
    }

    # Note: serverpid is the sink process; the actual s_server pid is kept
    # in real_serverpid.
    $self->{serverpid} = $pid;

    print STDERR "Server responds on ",
                 "$self->{server_addr}:$self->{server_port}\n";

    # Connect right away...
    $self->connect_to_server();

    return $self->clientstart;
}

# Run one s_client through the proxy: spawn the client (unless execute is
# false, in which case an external client is expected to connect), accept
# its connection, shuttle data between client and server through
# process_packet(), then tear down and reap.  Returns 1 on success, 0 when
# accept failed or no progress was made for ~10 seconds.
sub clientstart
{
    my ($self) = shift;

    my $success = 1;

    if ($self->execute) {
        my $pid;
        my $execcmd = $self->execute
             ." s_client -engine ossltest"
             ." -connect $self->{proxy_addr}:$self->{proxy_port}";
        if ($self->{isdtls}) {
            $execcmd .= " -dtls -max_protocol DTLSv1.2"
                        # TLSProxy does not support message fragmentation.  So
                        # set a high mtu and fingers crossed.
                        ." -mtu 1500"
                        # UDP has no "accept" for sockets which means we need to
                        # know were to send data back to.
                        ." -bind $self->{client_addr}:$self->{client_port}";
        } else {
            $execcmd .= " -max_protocol TLSv1.3";
        }
        if ($self->cipherc ne "") {
            $execcmd .= " -cipher ".$self->cipherc;
        }
        if ($self->ciphersuitesc ne "") {
            $execcmd .= " -ciphersuites ".$self->ciphersuitesc;
        }
        if ($self->clientflags ne "") {
            $execcmd .= " ".$self->clientflags;
        }
        # Default SNI unless the test set -servername/-noservername itself.
        if ($self->clientflags !~ m/-(no)?servername/) {
            $execcmd .= " -servername localhost";
        }
        # With a sessionfile the client must stay up until the ticket
        # arrives; -ign_eof stops it exiting when its stdin is closed below.
        if (defined $self->sessionfile) {
            $execcmd .= " -ign_eof";
        }
        if ($self->debug) {
            print STDERR "Client command: $execcmd\n";
        }

        open(my $savedout, ">&STDOUT");
        # If we open pipe with new descriptor, attempt to close it,
        # explicitly or implicitly, would incur waitpid and effectively
        # dead-lock...
        # Two-argument "| cmd" open: $execcmd goes through the shell, same
        # caveat as for s_server in start() (cipherc/clientflags unquoted).
        if (!($pid = open(STDOUT, "| $execcmd"))) {
            my $err = $!;
            kill(3, $self->{real_serverpid});
            die "Failed to $execcmd: $err\n";
        }
        $self->{clientpid} = $pid;

        # queue [magic] input
        # "R" on s_client's stdin is its renegotiate command; otherwise a
        # short application-data payload is sent once the handshake is done.
        print $self->reneg ? "R" : "test";

        # this closes client's stdin without waiting for its pid
        open(STDOUT, ">&", $savedout);
        close($savedout);
    }

    # Wait for incoming connection from client
    my $fdset = IO::Select->new($self->{proxy_sock});
    if (!$fdset->can_read(60)) {
        kill(3, $self->{real_serverpid});
        die "s_client didn't try to connect\n";
    }

    my $client_sock;
    if($self->{isdtls}) {
        # UDP: the pre-bound proxy socket is the client socket.
        $client_sock = $self->{proxy_sock}
    } elsif (!($client_sock = $self->{proxy_sock}->accept())) {
        warn "Failed accepting incoming connection: $!\n";
        return 0;
    }

    print "Connection opened\n";

    my $server_sock = $self->{server_sock};
    my $indata;

    #Wait for either the server socket or the client socket to become readable
    $fdset = IO::Select->new($server_sock, $client_sock);
    my @ready;
    my $ctr = 0;
    # A peer that has gone away makes syswrite fail instead of killing us;
    # the failure is caught via "or goto END" below.
    local $SIG{PIPE} = "IGNORE";
    $self->{saw_session_ticket} = undef;
    # $ctr counts consecutive 1-second timeouts with no traffic; it is reset
    # on every forwarded packet, so the loop gives up after ~10 idle seconds.
    while($fdset->count && $ctr < 10) {
        if (defined($self->{sessionfile})) {
            # s_client got -ign_eof and won't be exiting voluntarily, so we
            # look for data *and* session ticket...
            last if TLSProxy::Message->success()
                    && $self->{saw_session_ticket};
        }
        if (!(@ready = $fdset->can_read(1))) {
            last if TLSProxy::Message->success()
                    && $self->{saw_session_ticket};

            $ctr++;
            next;
        }
        foreach my $hand (@ready) {
            if ($hand == $server_sock) {
                if ($server_sock->sysread($indata, 16384)) {
                    # process_packet returns "" while a record is still
                    # incomplete; nothing is forwarded until it is whole.
                    if ($indata = $self->process_packet(1, $indata)) {
                        $client_sock->syswrite($indata) or goto END;
                    }
                    $ctr = 0;
                } else {
                    # EOF from server: stop reading it and half-close the
                    # client side so the client sees EOF too.
                    $fdset->remove($server_sock);
                    $client_sock->shutdown(SHUT_WR);
                }
            } elsif ($hand == $client_sock) {
                if ($client_sock->sysread($indata, 16384)) {
                    if ($indata = $self->process_packet(0, $indata)) {
                        $server_sock->syswrite($indata) or goto END;
                    }
                    $ctr = 0;
                } else {
                    $fdset->remove($client_sock);
                    $server_sock->shutdown(SHUT_WR);
                }
            } else {
                kill(3, $self->{real_serverpid});
                die "Unexpected handle";
            }
        }
    }

    if ($ctr >= 10) {
        kill(3, $self->{real_serverpid});
        print "No progress made\n";
        $success = 0;
    }

    # Plain label used as the goto target above (not an END block).
    END:
    print "Connection closed\n";
    if($server_sock) {
        $server_sock->close();
        $self->{server_sock} = undef;
    }
    if($client_sock) {
        #Closing this also kills the child process
        $client_sock->close();
    }

    my $pid;
    if (--$self->{serverconnects} == 0) {
        # Last connection s_server was told to accept (-naccept): reap the
        # sink first, then s_server itself, and fail the test on a non-zero
        # exit status from either.
        $pid = $self->{serverpid};
        print "Waiting for 'perl -ne print' process to close: $pid...\n";
        $pid = waitpid($pid, 0);
        if ($pid > 0) {
            die "exit code $? from 'perl -ne print' process\n" if $? != 0;
        } elsif ($pid == 0) {
            kill(3, $self->{real_serverpid});
            die "lost control over $self->{serverpid}?";
        }
        $pid = $self->{real_serverpid};
        print "Waiting for s_server process to close: $pid...\n";
        # it's done already, just collect the exit code [and reap]...
        waitpid($pid, 0);
        die "exit code $? from s_server process\n" if $? != 0;
    } else {
        # It's a bit counter-intuitive spot to make next connection to
        # the s_server.  Rationale is that established connection works
        # as synchronization point, in sense that this way we know that
        # s_server is actually done with current session...
        $self->connect_to_server();
    }
    $pid = $self->{clientpid};
    print "Waiting for s_client process to close: $pid...\n";
    waitpid($pid, 0);

    return $success;
}

# Parse one chunk of bytes read from the server ($server == 1) or client
# ($server == 0), update flight/record/message state, run the filter and
# return the bytes to forward.  Returns "" when the chunk did not complete a
# record (the remainder is kept in partial[$server] for the next call).
sub process_packet
{
    my ($self, $server, $packet) = @_;
    # The four locals below are not used in this function.
    my $len_real;
    my $decrypt_len;
    my $data;
    my $recnum;

    if ($server) {
        print "Received server packet\n";
    } else {
        print "Received client packet\n";
    }

    # A flight is a run of packets in one direction; a direction change
    # starts the next one.
    if ($self->{direction} != $server) {
        $self->{flight} = $self->{flight} + 1;
        $self->{direction} = $server;
    }

    print "Packet length = ".length($packet)."\n";
    print "Processing flight ".$self->flight."\n";

    #Return contains the list of record found in the packet followed by the
    #list of messages in those records and any partial message
    my @ret = TLSProxy::Record->get_records($server, $self->flight,
                  $self->{partial}[$server].$packet,
                  $self->{isdtls});

    $self->{partial}[$server] = $ret[2];
    push @{$self->{record_list}}, @{$ret[0]};
    push @{$self->{message_list}}, @{$ret[1]};

    print "\n";

    # Nothing complete yet, or a record is still being assembled.
    if (scalar(@{$ret[0]}) == 0 or length($ret[2]) != 0) {
        return "";
    }

    #Finished parsing.  Call user provided filter here
    if (defined $self->filter) {
        $self->filter->($self);
    }

    #Take a note on NewSessionTicket
    foreach my $message (reverse @{$self->{message_list}}) {
        if ($message->{mt} == TLSProxy::Message::MT_NEW_SESSION_TICKET) {
            $self->{saw_session_ticket} = 1;
            last;
        }
    }

    #Reconstruct the packet
    # record_list accumulates for the whole connection, so this walks every
    # record seen so far.  NOTE(review): presumably reconstruct_record()
    # returns "" for records already forwarded - confirm in TLSProxy::Record.
    $packet = "";
    foreach my $record (@{$self->record_list}) {
        $packet .= $record->reconstruct_record($server);
    }

    print "Forwarded packet length = ".length($packet)."\n\n";

    return $packet;
}

#Read accessors
sub execute
{
    my $self = shift;
    return $self->{execute};
}
sub cert
{
    my $self = shift;
    return $self->{cert};
}
sub debug
{
    my $self = shift;
    return $self->{debug};
}
sub flight
{
    my $self = shift;
    return $self->{flight};
}
sub record_list
{
    my $self = shift;
    return $self->{record_list};
}
# Note: {success} and {end} are not set anywhere in this file.
sub success
{
    my $self = shift;
    return $self->{success};
}
sub end
{
    my $self = shift;
    return $self->{end};
}
# Class-wide result of the load-time IPv6 probe; $self is ignored.
sub supports_IPv6
{
    my $self = shift;
    return $have_IPv6;
}
sub proxy_addr
{
    my $self = shift;
    return $self->{proxy_addr};
}
sub proxy_port
{
    my $self = shift;
    return $self->{proxy_port};
}
sub server_addr
{
    my $self = shift;
    return $self->{server_addr};
}
sub server_port
{
    my $self = shift;
    return $self->{server_port};
}
# Pid of the output sink process (see start()), not of s_server.
sub serverpid
{
    my $self = shift;
    return $self->{serverpid};
}
sub clientpid
{
    my $self = shift;
    return $self->{clientpid};
}

#Read/write accessors
# Each takes an optional new value; with no argument it only reads.  The
# cipher/flag strings are spliced verbatim into the s_server / s_client
# command lines (see start() / clientstart()).
sub filter
{
    my $self = shift;
    if (@_) {
        $self->{filter} = shift;
    }
    return $self->{filter};
}
sub cipherc
{
    my $self = shift;
    if (@_) {
        $self->{cipherc} = shift;
    }
    return $self->{cipherc};
}
sub ciphersuitesc
{
    my $self = shift;
    if (@_) {
        $self->{ciphersuitesc} = shift;
    }
    return $self->{ciphersuitesc};
}
sub ciphers
{
    my $self = shift;
    if (@_) {
        $self->{ciphers} = shift;
    }
    return $self->{ciphers};
}
sub ciphersuitess
{
    my $self = shift;
    if (@_) {
        $self->{ciphersuitess} = shift;
    }
    return $self->{ciphersuitess};
}
sub serverflags
{
    my $self = shift;
    if (@_) {
        $self->{serverflags} = shift;
    }
    return $self->{serverflags};
}
sub clientflags
{
    my $self = shift;
    if (@_) {
        $self->{clientflags} = shift;
    }
    return $self->{clientflags};
}
sub serverconnects
{
    my $self = shift;
    if (@_) {
        $self->{serverconnects} = shift;
    }
    return $self->{serverconnects};
}
# This is a bit ugly because the caller is responsible for keeping the records
# in sync with the updated message list; simply updating the message list isn't
# sufficient to get the proxy to forward the new message.
# But it does the trick for the one test (test_sslsessiontick) that needs it.
# Read/write accessor for the accumulated TLSProxy::Message list.  An
# argument replaces the list wholesale; the (possibly new) list is returned.
sub message_list
{
    my ($self, @new_value) = @_;
    $self->{message_list} = $new_value[0] if @new_value;
    return $self->{message_list};
}

# Build a string of $length bytes whose i-th byte is chr(i), i.e. a
# recognisable, deterministic filler pattern for test payloads.
sub fill_known_data
{
    my ($length) = @_;
    my $buf = "";
    my $pos = 0;
    while ($pos < $length) {
        $buf .= chr($pos);
        $pos++;
    }
    return $buf;
}

# Class accessor for the package-wide "negotiated TLSv1.3" flag; optionally
# sets it.  Shared by every proxy instance.
sub is_tls13
{
    my ($class, @new_value) = @_;
    $is_tls13 = $new_value[0] if @new_value;
    return $is_tls13;
}

# Read/write accessor for the renegotiation switch consulted by clientstart().
sub reneg
{
    my ($self, @new_value) = @_;
    $self->{reneg} = $new_value[0] if @new_value;
    return $self->{reneg};
}

#Setting a sessionfile means that the client will not close until the given
#file exists.  This is useful in TLSv1.3 where otherwise s_client will close
#immediately at the end of the handshake, but before the session has been
#received from the server.  A side effect of this is that s_client never sends
#a close_notify, so instead we consider success to be when it sends application
#data over the connection.
# Read/write accessor for the session file path.  Setting it also switches
# TLSProxy::Message into "application data means success" mode, since with
# -ign_eof the client will not send a close_notify (see comment above).
sub sessionfile
{
    my ($self, @new_value) = @_;
    if (@new_value) {
        $self->{sessionfile} = $new_value[0];
        TLSProxy::Message->successondata(1);
    }
    return $self->{sessionfile};
}

# Class accessor for the package-wide negotiated ciphersuite; optionally
# sets it.  Shared by every proxy instance.
sub ciphersuite
{
    my ($class, @new_value) = @_;
    $ciphersuite = $new_value[0] if @new_value;
    return $ciphersuite;
}

# Read-only: 1 for a proxy created via new_dtls(), 0 otherwise.
sub isdtls
{
    my ($self) = @_;
    return $self->{isdtls}; #read-only
}

1;