首页 发现 帮助
登录
OWEALs
/
openssl
镜像自地址 git://git.openssl.org/openssl.git
2
0
派生 0
文件 工单管理 1 Wiki
目录树: c8d1c9b067
分支列表 标签列表
openssl
/
util
/
TLSProxy
/
Proxy.pm

Proxy.pm 13 KB
文件历史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501 
  1. # Written by Matt Caswell for the OpenSSL project.
    2. 

  2. # ====================================================================
    3. 

  3. # Copyright (c) 1998-2015 The OpenSSL Project.  All rights reserved.
    4. 

  4. #
    5. 

  5. # Redistribution and use in source and binary forms, with or without
    6. 

  6. # modification, are permitted provided that the following conditions
    7. 

  7. # are met:
    8. 

  8. #
    9. 

  9. # 1. Redistributions of source code must retain the above copyright
    10. 

  10. #    notice, this list of conditions and the following disclaimer.
    11. 

  11. #
    12. 

  12. # 2. Redistributions in binary form must reproduce the above copyright
    13. 

  13. #    notice, this list of conditions and the following disclaimer in
    14. 

  14. #    the documentation and/or other materials provided with the
    15. 

  15. #    distribution.
    16. 

  16. #
    17. 

  17. # 3. All advertising materials mentioning features or use of this
    18. 

  18. #    software must display the following acknowledgment:
    19. 

  19. #    "This product includes software developed by the OpenSSL Project
    20. 

  20. #    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
    21. 

  21. #
    22. 

  22. # 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
    23. 

  23. #    endorse or promote products derived from this software without
    24. 

  24. #    prior written permission. For written permission, please contact
    25. 

  25. #    openssl-core@openssl.org.
    26. 

  26. #
    27. 

  27. # 5. Products derived from this software may not be called "OpenSSL"
    28. 

  28. #    nor may "OpenSSL" appear in their names without prior written
    29. 

  29. #    permission of the OpenSSL Project.
    30. 

  30. #
    31. 

  31. # 6. Redistributions of any form whatsoever must retain the following
    32. 

  32. #    acknowledgment:
    33. 

  33. #    "This product includes software developed by the OpenSSL Project
    34. 

  34. #    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
    35. 

  35. #
    36. 

  36. # THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
    37. 

  37. # EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
    38. 

  38. # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    39. 

  39. # PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
    40. 

  40. # ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
    41. 

  41. # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
    42. 

  42. # NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
    43. 

  43. # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    44. 

  44. # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
    45. 

  45. # STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
    46. 

  46. # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
    47. 

  47. # OF THE POSSIBILITY OF SUCH DAMAGE.
    48. 

  48. # ====================================================================
    49. 

  49. #
    50. 

  50. # This product includes cryptographic software written by Eric Young
    51. 

  51. # (eay@cryptsoft.com).  This product includes software written by Tim
    52. 

  52. # Hudson (tjh@cryptsoft.com).
    53. 

  53. 

  54. use strict;
    55. 

  55. 

  56. package TLSProxy::Proxy;
    57. 

  57. 

  58. use File::Spec;
    59. 

  59. use IO::Socket;
    60. 

  60. use IO::Select;
    61. 

  61. use TLSProxy::Record;
    62. 

  62. use TLSProxy::Message;
    63. 

  63. use TLSProxy::ClientHello;
    64. 

  64. use TLSProxy::ServerHello;
    65. 

  65. use TLSProxy::ServerKeyExchange;
    66. 

  66. use TLSProxy::NewSessionTicket;
    67. 

  67. 

  68. my $have_IPv6 = 0;
    69. 

  69. my $IP_factory;
    70. 

  70. 

  71. sub new
    72. 

  72. {
    73. 

  73.     my $class = shift;
    74. 

  74.     my ($filter,
    75. 

  75.         $execute,
    76. 

  76.         $cert,
    77. 

  77.         $debug) = @_;
    78. 

  78. 

  79.     my $self = {
    80. 

  80.         #Public read/write
    81. 

  81.         proxy_addr => "localhost",
    82. 

  82.         proxy_port => 4453,
    83. 

  83.         server_addr => "localhost",
    84. 

  84.         server_port => 4443,
    85. 

  85.         filter => $filter,
    86. 

  86.         serverflags => "",
    87. 

  87.         clientflags => "",
    88. 

  88.         serverconnects => 1,
    89. 

  89. 

  90.         #Public read
    91. 

  91.         execute => $execute,
    92. 

  92.         cert => $cert,
    93. 

  93.         debug => $debug,
    94. 

  94.         cipherc => "",
    95. 

  95.         ciphers => "AES128-SHA",
    96. 

  96.         flight => 0,
    97. 

  97.         record_list => [],
    98. 

  98.         message_list => [],
    99. 

  99.     };
    100. 

  100. 

  101.     eval {
    102. 

  102.         require IO::Socket::IP;
    103. 

  103.         my $s = IO::Socket::IP->new(
    104. 

  104.             LocalAddr => "::1",
    105. 

  105.             LocalPort => 0,
    106. 

  106.             Listen=>1,
    107. 

  107.             );
    108. 

  108.         $s or die "\n";
    109. 

  109.         $s->close();
    110. 

  110.     };
    111. 

  111.     if ($@ eq "") {
    112. 

  112.         # IO::Socket::IP supports IPv6 and is in the core modules list
    113. 

  113.         $IP_factory = sub { IO::Socket::IP->new(@_); };
    114. 

  114.         $have_IPv6 = 1;
    115. 

  115.     } else {
    116. 

  116.         eval {
    117. 

  117.             require IO::Socket::INET6;
    118. 

  118.             my $s = IO::Socket::INET6->new(
    119. 

  119.                 LocalAddr => "::1",
    120. 

  120.                 LocalPort => 0,
    121. 

  121.                 Listen=>1,
    122. 

  122.                 );
    123. 

  123.             $s or die "\n";
    124. 

  124.             $s->close();
    125. 

  125.         };
    126. 

  126.         if ($@ eq "") {
    127. 

  127.             # IO::Socket::INET6 supports IPv6 but isn't on the core modules list
    128. 

  128.             # However, it's a bit older and said to be more widely deployed
    129. 

  129.             # at the time of writing this comment.
    130. 

  130.             $IP_factory = sub { IO::Socket::INET6->new(@_); };
    131. 

  131.             $have_IPv6 = 1;
    132. 

  132.         } else {
    133. 

  133.             # IO::Socket::INET doesn't support IPv6 but is a fallback in case
    134. 

  134.             # we have no other.
    135. 

  135.             $IP_factory = sub { IO::Socket::INET->new(@_); };
    136. 

  136.         }
    137. 

  137.     }
    138. 

  138. 

  139.     return bless $self, $class;
    140. 

  140. }
    141. 

  141. 

  142. sub clear
    143. 

  143. {
    144. 

  144.     my $self = shift;
    145. 

  145. 

  146.     $self->{cipherc} = "";
    147. 

  147.     $self->{ciphers} = "AES128-SHA";
    148. 

  148.     $self->{flight} = 0;
    149. 

  149.     $self->{record_list} = [];
    150. 

  150.     $self->{message_list} = [];
    151. 

  151.     $self->{serverflags} = "";
    152. 

  152.     $self->{clientflags} = "";
    153. 

  153.     $self->{serverconnects} = 1;
    154. 

  154. 

  155.     TLSProxy::Message->clear();
    156. 

  156.     TLSProxy::Record->clear();
    157. 

  157. }
    158. 

  158. 

  159. sub restart
    160. 

  160. {
    161. 

  161.     my $self = shift;
    162. 

  162. 

  163.     $self->clear;
    164. 

  164.     $self->start;
    165. 

  165. }
    166. 

  166. 

  167. sub clientrestart
    168. 

  168. {
    169. 

  169.     my $self = shift;
    170. 

  170. 

  171.     $self->clear;
    172. 

  172.     $self->clientstart;
    173. 

  173. }
    174. 

  174. 

  175. sub start
    176. 

  176. {
    177. 

  177.     my ($self) = shift;
    178. 

  178.     my $pid;
    179. 

  179. 

  180.     $pid = fork();
    181. 

  181.     if ($pid == 0) {
    182. 

  182.         open(STDOUT, ">", File::Spec->devnull())
    183. 

  183.             or die "Failed to redirect stdout: $!";
    184. 

  184.         open(STDERR, ">&STDOUT");
    185. 

  185.         my $execcmd = $self->execute
    186. 

  186.             ." s_server -no_comp -rev -engine ossltest -accept "
    187. 

  187.             .($self->server_port)
    188. 

  188.             ." -cert ".$self->cert." -naccept ".$self->serverconnects;
    189. 

  189.         if ($self->ciphers ne "") {
    190. 

  190.             $execcmd .= " -cipher ".$self->ciphers;
    191. 

  191.         }
    192. 

  192.         if ($self->serverflags ne "") {
    193. 

  193.             $execcmd .= " ".$self->serverflags;
    194. 

  194.         }
    195. 

  195.         exec($execcmd);
    196. 

  196.     }
    197. 

  197. 

  198.     $self->clientstart;
    199. 

  199. }
    200. 

  200. 

  201. sub clientstart
    202. 

  202. {
    203. 

  203.     my ($self) = shift;
    204. 

  204.     my $oldstdout;
    205. 

  205. 

  206.     if(!$self->debug) {
    207. 

  207.         open DEVNULL, ">", File::Spec->devnull();
    208. 

  208.         $oldstdout = select(DEVNULL);
    209. 

  209.     }
    210. 

  210. 

  211.     # Create the Proxy socket
    212. 

  212.     my $proxaddr = $self->proxy_addr;
    213. 

  213.     $proxaddr =~ s/[\[\]]//g; # Remove [ and ]
    214. 

  214.     my $proxy_sock = $IP_factory->(
    215. 

  215.         LocalHost   => $proxaddr,
    216. 

  216.         LocalPort   => $self->proxy_port,
    217. 

  217.         Proto       => "tcp",
    218. 

  218.         Listen      => SOMAXCONN,
    219. 

  219.         ReuseAddr   => 1
    220. 

  220.     );
    221. 

  221. 

  222.     if ($proxy_sock) {
    223. 

  223.         print "Proxy started on port ".$self->proxy_port."\n";
    224. 

  224.     } else {
    225. 

  225.         die "Failed creating proxy socket (".$proxaddr.",".$self->proxy_port."): $!\n";
    226. 

  226.     }
    227. 

  227. 

  228.     if ($self->execute) {
    229. 

  229.         my $pid = fork();
    230. 

  230.         if ($pid == 0) {
    231. 

  231.             open(STDOUT, ">", File::Spec->devnull())
    232. 

  232.                 or die "Failed to redirect stdout: $!";
    233. 

  233.             open(STDERR, ">&STDOUT");
    234. 

  234.             my $execcmd = "echo test | ".$self->execute
    235. 

  235.                  ." s_client -engine ossltest -connect "
    236. 

  236.                  .($self->proxy_addr).":".($self->proxy_port);
    237. 

  237.             if ($self->cipherc ne "") {
    238. 

  238.                 $execcmd .= " -cipher ".$self->cipherc;
    239. 

  239.             }
    240. 

  240.             if ($self->clientflags ne "") {
    241. 

  241.                 $execcmd .= " ".$self->clientflags;
    242. 

  242.             }
    243. 

  243.             exec($execcmd);
    244. 

  244.         }
    245. 

  245.     }
    246. 

  246. 

  247.     # Wait for incoming connection from client
    248. 

  248.     my $client_sock = $proxy_sock->accept()
    249. 

  249.         or die "Failed accepting incoming connection: $!\n";
    250. 

  250. 

  251.     print "Connection opened\n";
    252. 

  252. 

  253.     # Now connect to the server
    254. 

  254.     my $retry = 3;
    255. 

  255.     my $server_sock;
    256. 

  256.     #We loop over this a few times because sometimes s_server can take a while
    257. 

  257.     #to start up
    258. 

  258.     do {
    259. 

  259.         my $servaddr = $self->server_addr;
    260. 

  260.         $servaddr =~ s/[\[\]]//g; # Remove [ and ]
    261. 

  261.         $server_sock = $IP_factory->(
    262. 

  262.             PeerAddr => $servaddr,
    263. 

  263.             PeerPort => $self->server_port,
    264. 

  264.             MultiHomed => 1,
    265. 

  265.             Proto => 'tcp'
    266. 

  266.         );
    267. 

  267. 

  268.         $retry--;
    269. 

  269.         if (!$server_sock) {
    270. 

  270.             if ($retry) {
    271. 

  271.                 #Sleep for a short while
    272. 

  272.                 select(undef, undef, undef, 0.1);
    273. 

  273.             } else {
    274. 

  274.                 die "Failed to start up server (".$servaddr.",".$self->server_port."): $!\n";
    275. 

  275.             }
    276. 

  276.         }
    277. 

  277.     } while (!$server_sock);
    278. 

  278. 

  279.     my $sel = IO::Select->new($server_sock, $client_sock);
    280. 

  280.     my $indata;
    281. 

  281.     my @handles = ($server_sock, $client_sock);
    282. 

  282. 

  283.     #Wait for either the server socket or the client socket to become readable
    284. 

  284.     my @ready;
    285. 

  285.     while(!(TLSProxy::Message->end) && (@ready = $sel->can_read)) {
    286. 

  286.         foreach my $hand (@ready) {
    287. 

  287.             if ($hand == $server_sock) {
    288. 

  288.                 $server_sock->sysread($indata, 16384) or goto END;
    289. 

  289.                 $indata = $self->process_packet(1, $indata);
    290. 

  290.                 $client_sock->syswrite($indata);
    291. 

  291.             } elsif ($hand == $client_sock) {
    292. 

  292.                 $client_sock->sysread($indata, 16384) or goto END;
    293. 

  293.                 $indata = $self->process_packet(0, $indata);
    294. 

  294.                 $server_sock->syswrite($indata);
    295. 

  295.             } else {
    296. 

  296.                 print "Err\n";
    297. 

  297.                 goto END;
    298. 

  298.             }
    299. 

  299.         }
    300. 

  300.     }
    301. 

  301. 

  302.     END:
    303. 

  303.     print "Connection closed\n";
    304. 

  304.     if($server_sock) {
    305. 

  305.         $server_sock->close();
    306. 

  306.     }
    307. 

  307.     if($client_sock) {
    308. 

  308.         #Closing this also kills the child process
    309. 

  309.         $client_sock->close();
    310. 

  310.     }
    311. 

  311.     if($proxy_sock) {
    312. 

  312.         $proxy_sock->close();
    313. 

  313.     }
    314. 

  314.     if(!$self->debug) {
    315. 

  315.         select($oldstdout);
    316. 

  316.     }
    317. 

  317. }
    318. 

  318. 

  319. sub process_packet
    320. 

  320. {
    321. 

  321.     my ($self, $server, $packet) = @_;
    322. 

  322.     my $len_real;
    323. 

  323.     my $decrypt_len;
    324. 

  324.     my $data;
    325. 

  325.     my $recnum;
    326. 

  326. 

  327.     if ($server) {
    328. 

  328.         print "Received server packet\n";
    329. 

  329.     } else {
    330. 

  330.         print "Received client packet\n";
    331. 

  331.     }
    332. 

  332. 

  333.     print "Packet length = ".length($packet)."\n";
    334. 

  334.     print "Processing flight ".$self->flight."\n";
    335. 

  335. 

  336.     #Return contains the list of record found in the packet followed by the
    337. 

  337.     #list of messages in those records
    338. 

  338.     my @ret = TLSProxy::Record->get_records($server, $self->flight, $packet);
    339. 

  339.     push @{$self->record_list}, @{$ret[0]};
    340. 

  340.     push @{$self->{message_list}}, @{$ret[1]};
    341. 

  341. 

  342.     print "\n";
    343. 

  343. 

  344.     #Finished parsing. Call user provided filter here
    345. 

  345.     if(defined $self->filter) {
    346. 

  346.         $self->filter->($self);
    347. 

  347.     }
    348. 

  348. 

  349.     #Reconstruct the packet
    350. 

  350.     $packet = "";
    351. 

  351.     foreach my $record (@{$self->record_list}) {
    352. 

  352.         #We only replay the records for the current flight
    353. 

  353.         if ($record->flight != $self->flight) {
    354. 

  354.             next;
    355. 

  355.         }
    356. 

  356.         $packet .= $record->reconstruct_record();
    357. 

  357.     }
    358. 

  358. 

  359.     $self->{flight} = $self->{flight} + 1;
    360. 

  360. 

  361.     print "Forwarded packet length = ".length($packet)."\n\n";
    362. 

  362. 

  363.     return $packet;
    364. 

  364. }
    365. 

  365. 

  366. #Read accessors
    367. 

  367. sub execute
    368. 

  368. {
    369. 

  369.     my $self = shift;
    370. 

  370.     return $self->{execute};
    371. 

  371. }
    372. 

  372. sub cert
    373. 

  373. {
    374. 

  374.     my $self = shift;
    375. 

  375.     return $self->{cert};
    376. 

  376. }
    377. 

  377. sub debug
    378. 

  378. {
    379. 

  379.     my $self = shift;
    380. 

  380.     return $self->{debug};
    381. 

  381. }
    382. 

  382. sub flight
    383. 

  383. {
    384. 

  384.     my $self = shift;
    385. 

  385.     return $self->{flight};
    386. 

  386. }
    387. 

  387. sub record_list
    388. 

  388. {
    389. 

  389.     my $self = shift;
    390. 

  390.     return $self->{record_list};
    391. 

  391. }
    392. 

  392. sub success
    393. 

  393. {
    394. 

  394.     my $self = shift;
    395. 

  395.     return $self->{success};
    396. 

  396. }
    397. 

  397. sub end
    398. 

  398. {
    399. 

  399.     my $self = shift;
    400. 

  400.     return $self->{end};
    401. 

  401. }
    402. 

  402. sub supports_IPv6
    403. 

  403. {
    404. 

  404.     my $self = shift;
    405. 

  405.     return $have_IPv6;
    406. 

  406. }
    407. 

  407. 

  408. #Read/write accessors
    409. 

  409. sub proxy_addr
    410. 

  410. {
    411. 

  411.     my $self = shift;
    412. 

  412.     if (@_) {
    413. 

  413.       $self->{proxy_addr} = shift;
    414. 

  414.     }
    415. 

  415.     return $self->{proxy_addr};
    416. 

  416. }
    417. 

  417. sub proxy_port
    418. 

  418. {
    419. 

  419.     my $self = shift;
    420. 

  420.     if (@_) {
    421. 

  421.       $self->{proxy_port} = shift;
    422. 

  422.     }
    423. 

  423.     return $self->{proxy_port};
    424. 

  424. }
    425. 

  425. sub server_addr
    426. 

  426. {
    427. 

  427.     my $self = shift;
    428. 

  428.     if (@_) {
    429. 

  429.       $self->{server_addr} = shift;
    430. 

  430.     }
    431. 

  431.     return $self->{server_addr};
    432. 

  432. }
    433. 

  433. sub server_port
    434. 

  434. {
    435. 

  435.     my $self = shift;
    436. 

  436.     if (@_) {
    437. 

  437.       $self->{server_port} = shift;
    438. 

  438.     }
    439. 

  439.     return $self->{server_port};
    440. 

  440. }
    441. 

  441. sub filter
    442. 

  442. {
    443. 

  443.     my $self = shift;
    444. 

  444.     if (@_) {
    445. 

  445.       $self->{filter} = shift;
    446. 

  446.     }
    447. 

  447.     return $self->{filter};
    448. 

  448. }
    449. 

  449. sub cipherc
    450. 

  450. {
    451. 

  451.     my $self = shift;
    452. 

  452.     if (@_) {
    453. 

  453.       $self->{cipherc} = shift;
    454. 

  454.     }
    455. 

  455.     return $self->{cipherc};
    456. 

  456. }
    457. 

  457. sub ciphers
    458. 

  458. {
    459. 

  459.     my $self = shift;
    460. 

  460.     if (@_) {
    461. 

  461.       $self->{ciphers} = shift;
    462. 

  462.     }
    463. 

  463.     return $self->{ciphers};
    464. 

  464. }
    465. 

  465. sub serverflags
    466. 

  466. {
    467. 

  467.     my $self = shift;
    468. 

  468.     if (@_) {
    469. 

  469.       $self->{serverflags} = shift;
    470. 

  470.     }
    471. 

  471.     return $self->{serverflags};
    472. 

  472. }
    473. 

  473. sub clientflags
    474. 

  474. {
    475. 

  475.     my $self = shift;
    476. 

  476.     if (@_) {
    477. 

  477.       $self->{clientflags} = shift;
    478. 

  478.     }
    479. 

  479.     return $self->{clientflags};
    480. 

  480. }
    481. 

  481. sub serverconnects
    482. 

  482. {
    483. 

  483.     my $self = shift;
    484. 

  484.     if (@_) {
    485. 

  485.       $self->{serverconnects} = shift;
    486. 

  486.     }
    487. 

  487.     return $self->{serverconnects};
    488. 

  488. }
    489. 

  489. # This is a bit ugly because the caller is responsible for keeping the records
    490. 

  490. # in sync with the updated message list; simply updating the message list isn't
    491. 

  491. # sufficient to get the proxy to forward the new message.
    492. 

  492. # But it does the trick for the one test (test_sslsessiontick) that needs it.
    493. 

  493. sub message_list
    494. 

  494. {
    495. 

  495.     my $self = shift;
    496. 

  496.     if (@_) {
    497. 

  497.         $self->{message_list} = shift;
    498. 

  498.     }
    499. 

  499.     return $self->{message_list};
    500. 

  500. }
    501. 

  501. 1;
    502.