aboutsummaryrefslogtreecommitdiffstats
path: root/libmproxy/protocol
diff options
context:
space:
mode:
Diffstat (limited to 'libmproxy/protocol')
-rw-r--r--libmproxy/protocol/__init__.py13
-rw-r--r--libmproxy/protocol/base.py152
-rw-r--r--libmproxy/protocol/http.py602
-rw-r--r--libmproxy/protocol/http_replay.py95
-rw-r--r--libmproxy/protocol/http_wrappers.py413
-rw-r--r--libmproxy/protocol/primitives.py166
-rw-r--r--libmproxy/protocol/rawtcp.py66
-rw-r--r--libmproxy/protocol/tls.py288
8 files changed, 1137 insertions, 658 deletions
diff --git a/libmproxy/protocol/__init__.py b/libmproxy/protocol/__init__.py
index bbc20dba..c582592b 100644
--- a/libmproxy/protocol/__init__.py
+++ b/libmproxy/protocol/__init__.py
@@ -1 +1,12 @@
-from .primitives import *
+from __future__ import (absolute_import, print_function, division)
+from .base import Layer, ServerConnectionMixin, Log, Kill
+from .http import Http1Layer, Http2Layer
+from .tls import TlsLayer, is_tls_record_magic
+from .rawtcp import RawTCPLayer
+
+__all__ = [
+ "Layer", "ServerConnectionMixin", "Log", "Kill",
+ "Http1Layer", "Http2Layer",
+ "TlsLayer", "is_tls_record_magic",
+ "RawTCPLayer"
+]
diff --git a/libmproxy/protocol/base.py b/libmproxy/protocol/base.py
new file mode 100644
index 00000000..d22a71c6
--- /dev/null
+++ b/libmproxy/protocol/base.py
@@ -0,0 +1,152 @@
+"""
+mitmproxy protocol architecture
+
+In mitmproxy, protocols are implemented as a set of layers, which are composed on top each other.
+For example, the following scenarios depict possible settings (lowest layer first):
+
+Transparent HTTP proxy, no SSL:
+ TransparentProxy
+ Http1Layer
+ HttpLayer
+
+Regular proxy, CONNECT request with WebSockets over SSL:
+ HttpProxy
+ Http1Layer
+ HttpLayer
+ SslLayer
+ WebsocketLayer (or TcpLayer)
+
+Automated protocol detection by peeking into the buffer:
+ TransparentProxy
+ TLSLayer
+ Http2Layer
+ HttpLayer
+
+Communication between layers is done as follows:
+ - lower layers provide context information to higher layers
+ - higher layers can call functions provided by lower layers,
+ which are propagated until they reach a suitable layer.
+
+Further goals:
+ - Connections should always be peekable to make automatic protocol detection work.
+ - Upstream connections should be established as late as possible;
+ inline scripts shall have a chance to handle everything locally.
+"""
+from __future__ import (absolute_import, print_function, division)
+from netlib import tcp
+from ..models import ServerConnection
+from ..exceptions import ProtocolException
+
+
+class _LayerCodeCompletion(object):
+ """
+ Dummy class that provides type hinting in PyCharm, which simplifies development a lot.
+ """
+
+ def __init__(self, *args, **kwargs):
+ super(_LayerCodeCompletion, self).__init__(*args, **kwargs)
+ if True:
+ return
+ self.config = None
+ """@type: libmproxy.proxy.config.ProxyConfig"""
+ self.client_conn = None
+ """@type: libmproxy.proxy.connection.ClientConnection"""
+ self.channel = None
+ """@type: libmproxy.controller.Channel"""
+
+
+class Layer(_LayerCodeCompletion):
+ def __init__(self, ctx, *args, **kwargs):
+ """
+ Args:
+ ctx: The (read-only) higher layer.
+ """
+ super(Layer, self).__init__(*args, **kwargs)
+ self.ctx = ctx
+
+ def __call__(self):
+ """
+ Logic of the layer.
+ Raises:
+ ProtocolException in case of protocol exceptions.
+ """
+ raise NotImplementedError
+
+ def __getattr__(self, name):
+ """
+ Attributes not present on the current layer may exist on a higher layer.
+ """
+ return getattr(self.ctx, name)
+
+ def log(self, msg, level, subs=()):
+ full_msg = [
+ "{}: {}".format(repr(self.client_conn.address), msg)
+ ]
+ for i in subs:
+ full_msg.append(" -> " + i)
+ full_msg = "\n".join(full_msg)
+ self.channel.tell("log", Log(full_msg, level))
+
+ @property
+ def layers(self):
+ return [self] + self.ctx.layers
+
+ def __repr__(self):
+ return type(self).__name__
+
+
+class ServerConnectionMixin(object):
+ """
+ Mixin that provides a layer with the capabilities to manage a server connection.
+ """
+
+ def __init__(self, server_address=None):
+ super(ServerConnectionMixin, self).__init__()
+ self.server_conn = ServerConnection(server_address)
+
+ def reconnect(self):
+ address = self.server_conn.address
+ self._disconnect()
+ self.server_conn.address = address
+ self.connect()
+
+ def set_server(self, address, server_tls=None, sni=None, depth=1):
+ if depth == 1:
+ if self.server_conn:
+ self._disconnect()
+ self.log("Set new server address: " + repr(address), "debug")
+ self.server_conn.address = address
+ else:
+ self.ctx.set_server(address, server_tls, sni, depth - 1)
+
+ def _disconnect(self):
+ """
+ Deletes (and closes) an existing server connection.
+ """
+ self.log("serverdisconnect", "debug", [repr(self.server_conn.address)])
+ self.server_conn.finish()
+ self.server_conn.close()
+ # self.channel.tell("serverdisconnect", self)
+ self.server_conn = ServerConnection(None)
+
+ def connect(self):
+ if not self.server_conn.address:
+ raise ProtocolException("Cannot connect to server, no server address given.")
+ self.log("serverconnect", "debug", [repr(self.server_conn.address)])
+ try:
+ self.server_conn.connect()
+ except tcp.NetLibError as e:
+ raise ProtocolException(
+ "Server connection to '%s' failed: %s" % (self.server_conn.address, e), e)
+
+
+class Log(object):
+ def __init__(self, msg, level="info"):
+ self.msg = msg
+ self.level = level
+
+
+class Kill(Exception):
+ """
+ Kill a connection.
+ """
diff --git a/libmproxy/protocol/http.py b/libmproxy/protocol/http.py
index bde7b088..fc57f6df 100644
--- a/libmproxy/protocol/http.py
+++ b/libmproxy/protocol/http.py
@@ -1,92 +1,538 @@
-from __future__ import absolute_import
+from __future__ import (absolute_import, print_function, division)
-from .primitives import Flow
+from netlib import tcp
+from netlib.http import http1, HttpErrorConnClosed, HttpError
+from netlib.http.semantics import CONTENT_MISSING
+from netlib import odict
+from netlib.tcp import NetLibError, Address
+from netlib.http.http1 import HTTP1Protocol
+from netlib.http.http2 import HTTP2Protocol
-from .http_wrappers import decoded, HTTPRequest, HTTPResponse
+from .. import utils
+from ..exceptions import InvalidCredentials, HttpException, ProtocolException
+from ..models import (
+ HTTPFlow, HTTPRequest, HTTPResponse, make_error_response, make_connect_response, Error
+)
+from .base import Layer, Kill
-class HTTPFlow(Flow):
- """
- A HTTPFlow is a collection of objects representing a single HTTP
- transaction. The main attributes are:
- request: HTTPRequest object
- response: HTTPResponse object
- error: Error object
- server_conn: ServerConnection object
- client_conn: ClientConnection object
+class _HttpLayer(Layer):
+ supports_streaming = False
+
+ def read_request(self):
+ raise NotImplementedError()
+
+ def send_request(self, request):
+ raise NotImplementedError()
+
+ def read_response(self, request_method):
+ raise NotImplementedError()
+
+ def send_response(self, response):
+ raise NotImplementedError()
+
+
+class _StreamingHttpLayer(_HttpLayer):
+ supports_streaming = True
+
+ def read_response_headers(self):
+ raise NotImplementedError
+
+ def read_response_body(self, headers, request_method, response_code, max_chunk_size=None):
+ raise NotImplementedError()
+ yield "this is a generator"
+
+ def send_response_headers(self, response):
+ raise NotImplementedError
+
+ def send_response_body(self, response, chunks):
+ raise NotImplementedError()
+
+
+class Http1Layer(_StreamingHttpLayer):
+ def __init__(self, ctx, mode):
+ super(Http1Layer, self).__init__(ctx)
+ self.mode = mode
+ self.client_protocol = HTTP1Protocol(self.client_conn)
+ self.server_protocol = HTTP1Protocol(self.server_conn)
+
+ def read_request(self):
+ return HTTPRequest.from_protocol(
+ self.client_protocol,
+ body_size_limit=self.config.body_size_limit
+ )
+
+ def send_request(self, request):
+ self.server_conn.send(self.server_protocol.assemble(request))
+
+ def read_response(self, request_method):
+ return HTTPResponse.from_protocol(
+ self.server_protocol,
+ request_method=request_method,
+ body_size_limit=self.config.body_size_limit,
+ include_body=True
+ )
+
+ def send_response(self, response):
+ self.client_conn.send(self.client_protocol.assemble(response))
+
+ def read_response_headers(self):
+ return HTTPResponse.from_protocol(
+ self.server_protocol,
+ request_method=None, # does not matter if we don't read the body.
+ body_size_limit=self.config.body_size_limit,
+ include_body=False
+ )
+
+ def read_response_body(self, headers, request_method, response_code, max_chunk_size=None):
+ return self.server_protocol.read_http_body_chunked(
+ headers,
+ self.config.body_size_limit,
+ request_method,
+ response_code,
+ False,
+ max_chunk_size
+ )
+
+ def send_response_headers(self, response):
+ h = self.client_protocol._assemble_response_first_line(response)
+ self.client_conn.wfile.write(h + "\r\n")
+ h = self.client_protocol._assemble_response_headers(
+ response,
+ preserve_transfer_encoding=True
+ )
+ self.client_conn.send(h + "\r\n")
+
+ def send_response_body(self, response, chunks):
+ if self.client_protocol.has_chunked_encoding(response.headers):
+ chunks = (
+ "%d\r\n%s\r\n" % (len(chunk), chunk)
+ for chunk in chunks
+ )
+ for chunk in chunks:
+ self.client_conn.send(chunk)
- Note that it's possible for a Flow to have both a response and an error
- object. This might happen, for instance, when a response was received
- from the server, but there was an error sending it back to the client.
+ def connect(self):
+ self.ctx.connect()
+ self.server_protocol = HTTP1Protocol(self.server_conn)
- The following additional attributes are exposed:
+ def reconnect(self):
+ self.ctx.reconnect()
+ self.server_protocol = HTTP1Protocol(self.server_conn)
- intercepted: Is this flow currently being intercepted?
- live: Does this flow have a live client connection?
+ def set_server(self, *args, **kwargs):
+ self.ctx.set_server(*args, **kwargs)
+ self.server_protocol = HTTP1Protocol(self.server_conn)
+
+ def __call__(self):
+ layer = HttpLayer(self, self.mode)
+ layer()
+
+
+# TODO: The HTTP2 layer is missing multiplexing, which requires a major rewrite.
+class Http2Layer(_HttpLayer):
+ def __init__(self, ctx, mode):
+ super(Http2Layer, self).__init__(ctx)
+ self.mode = mode
+ self.client_protocol = HTTP2Protocol(self.client_conn, is_server=True,
+ unhandled_frame_cb=self.handle_unexpected_frame)
+ self.server_protocol = HTTP2Protocol(self.server_conn, is_server=False,
+ unhandled_frame_cb=self.handle_unexpected_frame)
+
+ def read_request(self):
+ request = HTTPRequest.from_protocol(
+ self.client_protocol,
+ body_size_limit=self.config.body_size_limit
+ )
+ self._stream_id = request.stream_id
+ return request
+
+ def send_request(self, message):
+ # TODO: implement flow control and WINDOW_UPDATE frames
+ self.server_conn.send(self.server_protocol.assemble(message))
+
+ def read_response(self, request_method):
+ return HTTPResponse.from_protocol(
+ self.server_protocol,
+ request_method=request_method,
+ body_size_limit=self.config.body_size_limit,
+ include_body=True,
+ stream_id=self._stream_id
+ )
+
+ def send_response(self, message):
+ # TODO: implement flow control and WINDOW_UPDATE frames
+ self.client_conn.send(self.client_protocol.assemble(message))
+
+ def connect(self):
+ self.ctx.connect()
+ self.server_protocol = HTTP2Protocol(self.server_conn, is_server=False,
+ unhandled_frame_cb=self.handle_unexpected_frame)
+ self.server_protocol.perform_connection_preface()
+
+ def reconnect(self):
+ self.ctx.reconnect()
+ self.server_protocol = HTTP2Protocol(self.server_conn, is_server=False,
+ unhandled_frame_cb=self.handle_unexpected_frame)
+ self.server_protocol.perform_connection_preface()
+
+ def set_server(self, *args, **kwargs):
+ self.ctx.set_server(*args, **kwargs)
+ self.server_protocol = HTTP2Protocol(self.server_conn, is_server=False,
+ unhandled_frame_cb=self.handle_unexpected_frame)
+ self.server_protocol.perform_connection_preface()
+
+ def __call__(self):
+ self.server_protocol.perform_connection_preface()
+ layer = HttpLayer(self, self.mode)
+ layer()
+
+ def handle_unexpected_frame(self, frm):
+ self.log("Unexpected HTTP2 Frame: %s" % frm.human_readable(), "info")
+
+
+class ConnectServerConnection(object):
+ """
+ "Fake" ServerConnection to represent state after a CONNECT request to an upstream proxy.
"""
- def __init__(self, client_conn, server_conn, live=None):
- super(HTTPFlow, self).__init__("http", client_conn, server_conn, live)
- self.request = None
- """@type: HTTPRequest"""
- self.response = None
- """@type: HTTPResponse"""
-
- _stateobject_attributes = Flow._stateobject_attributes.copy()
- _stateobject_attributes.update(
- request=HTTPRequest,
- response=HTTPResponse
- )
-
- @classmethod
- def from_state(cls, state):
- f = cls(None, None)
- f.load_state(state)
- return f
-
- def __repr__(self):
- s = "<HTTPFlow"
- for a in ("request", "response", "error", "client_conn", "server_conn"):
- if getattr(self, a, False):
- s += "\r\n %s = {flow.%s}" % (a, a)
- s += ">"
- return s.format(flow=self)
-
- def copy(self):
- f = super(HTTPFlow, self).copy()
- if self.request:
- f.request = self.request.copy()
- if self.response:
- f.response = self.response.copy()
- return f
-
- def match(self, f):
- """
- Match this flow against a compiled filter expression. Returns True
- if matched, False if not.
+ def __init__(self, address, ctx):
+ self.address = tcp.Address.wrap(address)
+ self._ctx = ctx
- If f is a string, it will be compiled as a filter expression. If
- the expression is invalid, ValueError is raised.
- """
- if isinstance(f, basestring):
- from .. import filt
+ @property
+ def via(self):
+ return self._ctx.server_conn
- f = filt.parse(f)
- if not f:
- raise ValueError("Invalid filter expression.")
- if f:
- return f(self)
- return True
+ def __getattr__(self, item):
+ return getattr(self.via, item)
- def replace(self, pattern, repl, *args, **kwargs):
- """
- Replaces a regular expression pattern with repl in both request and
- response of the flow. Encoded content will be decoded before
- replacement, and re-encoded afterwards.
- Returns the number of replacements made.
+class UpstreamConnectLayer(Layer):
+ def __init__(self, ctx, connect_request):
+ super(UpstreamConnectLayer, self).__init__(ctx)
+ self.connect_request = connect_request
+ self.server_conn = ConnectServerConnection(
+ (connect_request.host, connect_request.port),
+ self.ctx
+ )
+
+ def __call__(self):
+ layer = self.ctx.next_layer(self)
+ layer()
+
+ def connect(self):
+ if not self.server_conn:
+ self.ctx.connect()
+ self.send_request(self.connect_request)
+ else:
+ pass # swallow the message
+
+ def reconnect(self):
+ self.ctx.reconnect()
+ self.send_request(self.connect_request)
+ resp = self.read_response("CONNECT")
+ if resp.code != 200:
+ raise ProtocolException("Reconnect: Upstream server refuses CONNECT request")
+
+ def set_server(self, address, server_tls=None, sni=None, depth=1):
+ if depth == 1:
+ if self.ctx.server_conn:
+ self.ctx.reconnect()
+ address = Address.wrap(address)
+ self.connect_request.host = address.host
+ self.connect_request.port = address.port
+ self.server_conn.address = address
+ else:
+ self.ctx.set_server(address, server_tls, sni, depth - 1)
+
+
+class HttpLayer(Layer):
+ def __init__(self, ctx, mode):
+ super(HttpLayer, self).__init__(ctx)
+ self.mode = mode
+ self.__original_server_conn = None
+ "Contains the original destination in transparent mode, which needs to be restored"
+ "if an inline script modified the target server for a single http request"
+
+ def __call__(self):
+ if self.mode == "transparent":
+ self.__original_server_conn = self.server_conn
+ while True:
+ try:
+ flow = HTTPFlow(self.client_conn, self.server_conn, live=self)
+
+ try:
+ request = self.read_request()
+ except tcp.NetLibError:
+ # don't throw an error for disconnects that happen
+ # before/between requests.
+ return
+
+ self.log("request", "debug", [repr(request)])
+
+ # Handle Proxy Authentication
+ self.authenticate(request)
+
+ # Regular Proxy Mode: Handle CONNECT
+ if self.mode == "regular" and request.form_in == "authority":
+ self.handle_regular_mode_connect(request)
+ return
+
+ # Make sure that the incoming request matches our expectations
+ self.validate_request(request)
+
+ flow.request = request
+ self.process_request_hook(flow)
+
+ if not flow.response:
+ self.establish_server_connection(flow)
+ self.get_response_from_server(flow)
+
+ self.send_response_to_client(flow)
+
+ if self.check_close_connection(flow):
+ return
+
+ # TODO: Implement HTTP Upgrade
+
+ # Upstream Proxy Mode: Handle CONNECT
+ if flow.request.form_in == "authority" and flow.response.code == 200:
+ self.handle_upstream_mode_connect(flow.request.copy())
+ return
+
+ except (HttpErrorConnClosed, NetLibError, HttpError, ProtocolException) as e:
+ if flow.request and not flow.response:
+ flow.error = Error(repr(e))
+ self.channel.ask("error", flow)
+ try:
+ self.send_response(make_error_response(
+ getattr(e, "code", 502),
+ repr(e)
+ ))
+ except NetLibError:
+ pass
+ if isinstance(e, ProtocolException):
+ raise e
+ else:
+ raise ProtocolException("Error in HTTP connection: %s" % repr(e), e)
+ finally:
+ flow.live = False
+
+ def handle_regular_mode_connect(self, request):
+ self.set_server((request.host, request.port))
+ self.send_response(make_connect_response(request.httpversion))
+ layer = self.ctx.next_layer(self)
+ layer()
+
+ def handle_upstream_mode_connect(self, connect_request):
+ layer = UpstreamConnectLayer(self, connect_request)
+ layer()
+
+ def check_close_connection(self, flow):
"""
- c = self.request.replace(pattern, repl, *args, **kwargs)
- if self.response:
- c += self.response.replace(pattern, repl, *args, **kwargs)
- return c
+ Checks if the connection should be closed depending on the HTTP
+ semantics. Returns True, if so.
+ """
+
+ # TODO: add logic for HTTP/2
+
+ close_connection = (
+ http1.HTTP1Protocol.connection_close(
+ flow.request.httpversion,
+ flow.request.headers
+ ) or http1.HTTP1Protocol.connection_close(
+ flow.response.httpversion,
+ flow.response.headers
+ ) or http1.HTTP1Protocol.expected_http_body_size(
+ flow.response.headers,
+ False,
+ flow.request.method,
+ flow.response.code) == -1
+ )
+ if flow.request.form_in == "authority" and flow.response.code == 200:
+ # Workaround for
+ # https://github.com/mitmproxy/mitmproxy/issues/313: Some
+ # proxies (e.g. Charles) send a CONNECT response with HTTP/1.0
+ # and no Content-Length header
+
+ return False
+ return close_connection
+
+ def send_response_to_client(self, flow):
+ if not (self.supports_streaming and flow.response.stream):
+ # no streaming:
+ # we already received the full response from the server and can
+ # send it to the client straight away.
+ self.send_response(flow.response)
+ else:
+ # streaming:
+ # First send the headers and then transfer the response incrementally
+ self.send_response_headers(flow.response)
+ chunks = self.read_response_body(
+ flow.response.headers,
+ flow.request.method,
+ flow.response.code,
+ max_chunk_size=4096
+ )
+ if callable(flow.response.stream):
+ chunks = flow.response.stream(chunks)
+ self.send_response_body(flow.response, chunks)
+ flow.response.timestamp_end = utils.timestamp()
+
+ def get_response_from_server(self, flow):
+ def get_response():
+ self.send_request(flow.request)
+ if self.supports_streaming:
+ flow.response = self.read_response_headers()
+ else:
+ flow.response = self.read_response()
+
+ try:
+ get_response()
+ except (tcp.NetLibError, HttpErrorConnClosed) as v:
+ self.log(
+ "server communication error: %s" % repr(v),
+ level="debug"
+ )
+ # In any case, we try to reconnect at least once. This is
+ # necessary because it might be possible that we already
+ # initiated an upstream connection after clientconnect that
+ # has already been expired, e.g consider the following event
+ # log:
+ # > clientconnect (transparent mode destination known)
+ # > serverconnect (required for client tls handshake)
+ # > read n% of large request
+ # > server detects timeout, disconnects
+ # > read (100-n)% of large request
+ # > send large request upstream
+ self.reconnect()
+ get_response()
+
+ # call the appropriate script hook - this is an opportunity for an
+ # inline script to set flow.stream = True
+ flow = self.channel.ask("responseheaders", flow)
+ if flow is None or flow == Kill:
+ raise Kill()
+
+ if self.supports_streaming:
+ if flow.response.stream:
+ flow.response.content = CONTENT_MISSING
+ else:
+ flow.response.content = "".join(self.read_response_body(
+ flow.response.headers,
+ flow.request.method,
+ flow.response.code
+ ))
+ flow.response.timestamp_end = utils.timestamp()
+
+ # no further manipulation of self.server_conn beyond this point
+ # we can safely set it as the final attribute value here.
+ flow.server_conn = self.server_conn
+
+ self.log(
+ "response",
+ "debug",
+ [repr(flow.response)]
+ )
+ response_reply = self.channel.ask("response", flow)
+ if response_reply is None or response_reply == Kill:
+ raise Kill()
+
+ def process_request_hook(self, flow):
+ # Determine .scheme, .host and .port attributes for inline scripts.
+ # For absolute-form requests, they are directly given in the request.
+ # For authority-form requests, we only need to determine the request scheme.
+ # For relative-form requests, we need to determine host and port as
+ # well.
+ if self.mode == "regular":
+ pass # only absolute-form at this point, nothing to do here.
+ elif self.mode == "upstream":
+ if flow.request.form_in == "authority":
+ flow.request.scheme = "http" # pseudo value
+ else:
+ flow.request.host = self.__original_server_conn.address.host
+ flow.request.port = self.__original_server_conn.address.port
+ flow.request.scheme = "https" if self.__original_server_conn.tls_established else "http"
+
+ request_reply = self.channel.ask("request", flow)
+ if request_reply is None or request_reply == Kill:
+ raise Kill()
+ if isinstance(request_reply, HTTPResponse):
+ flow.response = request_reply
+ return
+
+ def establish_server_connection(self, flow):
+ address = tcp.Address((flow.request.host, flow.request.port))
+ tls = (flow.request.scheme == "https")
+
+ if self.mode == "regular" or self.mode == "transparent":
+ # If there's an existing connection that doesn't match our expectations, kill it.
+ if address != self.server_conn.address or tls != self.server_conn.ssl_established:
+ self.set_server(address, tls, address.host)
+ # Establish connection is neccessary.
+ if not self.server_conn:
+ self.connect()
+
+ # SetServer is not guaranteed to work with TLS:
+ # If there's not TlsLayer below which could catch the exception,
+ # TLS will not be established.
+ if tls and not self.server_conn.tls_established:
+ raise ProtocolException(
+ "Cannot upgrade to SSL, no TLS layer on the protocol stack.")
+ else:
+ if not self.server_conn:
+ self.connect()
+ if tls:
+ raise HttpException("Cannot change scheme in upstream proxy mode.")
+ """
+ # This is a very ugly (untested) workaround to solve a very ugly problem.
+ if self.server_conn and self.server_conn.tls_established and not ssl:
+ self.reconnect()
+ elif ssl and not hasattr(self, "connected_to") or self.connected_to != address:
+ if self.server_conn.tls_established:
+ self.reconnect()
+
+ self.send_request(make_connect_request(address))
+ tls_layer = TlsLayer(self, False, True)
+ tls_layer._establish_tls_with_server()
+ """
+
+ def validate_request(self, request):
+ if request.form_in == "absolute" and request.scheme != "http":
+ self.send_response(
+ make_error_response(400, "Invalid request scheme: %s" % request.scheme))
+ raise HttpException("Invalid request scheme: %s" % request.scheme)
+
+ expected_request_forms = {
+ "regular": ("absolute",), # an authority request would already be handled.
+ "upstream": ("authority", "absolute"),
+ "transparent": ("relative",)
+ }
+
+ allowed_request_forms = expected_request_forms[self.mode]
+ if request.form_in not in allowed_request_forms:
+ err_message = "Invalid HTTP request form (expected: %s, got: %s)" % (
+ " or ".join(allowed_request_forms), request.form_in
+ )
+ self.send_response(make_error_response(400, err_message))
+ raise HttpException(err_message)
+
+ if self.mode == "regular":
+ request.form_out = "relative"
+
+ def authenticate(self, request):
+ if self.config.authenticator:
+ if self.config.authenticator.authenticate(request.headers):
+ self.config.authenticator.clean(request.headers)
+ else:
+ self.send_response(make_error_response(
+ 407,
+ "Proxy Authentication Required",
+ odict.ODictCaseless(
+ [
+ [k, v] for k, v in
+ self.config.authenticator.auth_challenge_headers().items()
+ ])
+ ))
+ raise InvalidCredentials("Proxy Authentication Required")
diff --git a/libmproxy/protocol/http_replay.py b/libmproxy/protocol/http_replay.py
new file mode 100644
index 00000000..e0144c93
--- /dev/null
+++ b/libmproxy/protocol/http_replay.py
@@ -0,0 +1,95 @@
+import threading
+
+from netlib.http import HttpError
+from netlib.http.http1 import HTTP1Protocol
+from netlib.tcp import NetLibError
+from ..controller import Channel
+from ..models import Error, HTTPResponse, ServerConnection, make_connect_request
+from .base import Log, Kill
+
+
+# TODO: Doesn't really belong into libmproxy.protocol...
+
+
+class RequestReplayThread(threading.Thread):
+ name = "RequestReplayThread"
+
+ def __init__(self, config, flow, masterq, should_exit):
+ """
+ masterqueue can be a queue or None, if no scripthooks should be
+ processed.
+ """
+ self.config, self.flow = config, flow
+ if masterq:
+ self.channel = Channel(masterq, should_exit)
+ else:
+ self.channel = None
+ super(RequestReplayThread, self).__init__()
+
+ def run(self):
+ r = self.flow.request
+ form_out_backup = r.form_out
+ try:
+ self.flow.response = None
+
+ # If we have a channel, run script hooks.
+ if self.channel:
+ request_reply = self.channel.ask("request", self.flow)
+ if request_reply is None or request_reply == Kill:
+ raise Kill()
+ elif isinstance(request_reply, HTTPResponse):
+ self.flow.response = request_reply
+
+ if not self.flow.response:
+ # In all modes, we directly connect to the server displayed
+ if self.config.mode == "upstream":
+ server_address = self.config.upstream_server.address
+ server = ServerConnection(server_address)
+ server.connect()
+ protocol = HTTP1Protocol(server)
+ if r.scheme == "https":
+ connect_request = make_connect_request((r.host, r.port))
+ server.send(protocol.assemble(connect_request))
+ resp = protocol.read_response("CONNECT")
+ if resp.code != 200:
+ raise HttpError(502, "Upstream server refuses CONNECT request")
+ server.establish_ssl(
+ self.config.clientcerts,
+ sni=self.flow.server_conn.sni
+ )
+ r.form_out = "relative"
+ else:
+ r.form_out = "absolute"
+ else:
+ server_address = (r.host, r.port)
+ server = ServerConnection(server_address)
+ server.connect()
+ protocol = HTTP1Protocol(server)
+ if r.scheme == "https":
+ server.establish_ssl(
+ self.config.clientcerts,
+ sni=self.flow.server_conn.sni
+ )
+ r.form_out = "relative"
+
+ server.send(protocol.assemble(r))
+ self.flow.server_conn = server
+ self.flow.response = HTTPResponse.from_protocol(
+ protocol,
+ r.method,
+ body_size_limit=self.config.body_size_limit,
+ )
+ if self.channel:
+ response_reply = self.channel.ask("response", self.flow)
+ if response_reply is None or response_reply == Kill:
+ raise Kill()
+ except (HttpError, NetLibError) as v:
+ self.flow.error = Error(repr(v))
+ if self.channel:
+ self.channel.ask("error", self.flow)
+ except Kill:
+ # KillSignal should only be raised if there's a channel in the
+ # first place.
+ self.channel.tell("log", Log("Connection killed", "info"))
+ finally:
+ r.form_out = form_out_backup
diff --git a/libmproxy/protocol/http_wrappers.py b/libmproxy/protocol/http_wrappers.py
deleted file mode 100644
index a26ddbb4..00000000
--- a/libmproxy/protocol/http_wrappers.py
+++ /dev/null
@@ -1,413 +0,0 @@
-from __future__ import absolute_import
-import Cookie
-import copy
-import time
-from email.utils import parsedate_tz, formatdate, mktime_tz
-
-from netlib import odict, encoding
-from netlib.http import semantics, CONTENT_MISSING
-from .. import utils, stateobject
-
-
-class decoded(object):
- """
- A context manager that decodes a request or response, and then
- re-encodes it with the same encoding after execution of the block.
-
- Example:
- with decoded(request):
- request.content = request.content.replace("foo", "bar")
- """
-
- def __init__(self, o):
- self.o = o
- ce = o.headers.get_first("content-encoding")
- if ce in encoding.ENCODINGS:
- self.ce = ce
- else:
- self.ce = None
-
- def __enter__(self):
- if self.ce:
- self.o.decode()
-
- def __exit__(self, type, value, tb):
- if self.ce:
- self.o.encode(self.ce)
-
-
-class MessageMixin(stateobject.StateObject):
- _stateobject_attributes = dict(
- httpversion=tuple,
- headers=odict.ODictCaseless,
- body=str,
- timestamp_start=float,
- timestamp_end=float
- )
- _stateobject_long_attributes = {"body"}
-
- def get_state(self, short=False):
- ret = super(MessageMixin, self).get_state(short)
- if short:
- if self.body:
- ret["contentLength"] = len(self.body)
- elif self.body == CONTENT_MISSING:
- ret["contentLength"] = None
- else:
- ret["contentLength"] = 0
- return ret
-
- def get_decoded_content(self):
- """
- Returns the decoded content based on the current Content-Encoding
- header.
- Doesn't change the message iteself or its headers.
- """
- ce = self.headers.get_first("content-encoding")
- if not self.body or ce not in encoding.ENCODINGS:
- return self.body
- return encoding.decode(ce, self.body)
-
- def decode(self):
- """
- Decodes body based on the current Content-Encoding header, then
- removes the header. If there is no Content-Encoding header, no
- action is taken.
-
- Returns True if decoding succeeded, False otherwise.
- """
- ce = self.headers.get_first("content-encoding")
- if not self.body or ce not in encoding.ENCODINGS:
- return False
- data = encoding.decode(ce, self.body)
- if data is None:
- return False
- self.body = data
- del self.headers["content-encoding"]
- return True
-
- def encode(self, e):
- """
- Encodes body with the encoding e, where e is "gzip", "deflate"
- or "identity".
- """
- # FIXME: Error if there's an existing encoding header?
- self.body = encoding.encode(e, self.body)
- self.headers["content-encoding"] = [e]
-
- def copy(self):
- c = copy.copy(self)
- c.headers = self.headers.copy()
- return c
-
- def replace(self, pattern, repl, *args, **kwargs):
- """
- Replaces a regular expression pattern with repl in both the headers
- and the body of the message. Encoded body will be decoded
- before replacement, and re-encoded afterwards.
-
- Returns the number of replacements made.
- """
- with decoded(self):
- self.body, c = utils.safe_subn(
- pattern, repl, self.body, *args, **kwargs
- )
- c += self.headers.replace(pattern, repl, *args, **kwargs)
- return c
-
-
-class HTTPRequest(MessageMixin, semantics.Request):
- """
- An HTTP request.
-
- Exposes the following attributes:
-
- method: HTTP method
-
- scheme: URL scheme (http/https)
-
- host: Target hostname of the request. This is not neccessarily the
- directy upstream server (which could be another proxy), but it's always
- the target server we want to reach at the end. This attribute is either
- inferred from the request itself (absolute-form, authority-form) or from
- the connection metadata (e.g. the host in reverse proxy mode).
-
- port: Destination port
-
- path: Path portion of the URL (not present in authority-form)
-
- httpversion: HTTP version tuple, e.g. (1,1)
-
- headers: odict.ODictCaseless object
-
- content: Content of the request, None, or CONTENT_MISSING if there
- is content associated, but not present. CONTENT_MISSING evaluates
- to False to make checking for the presence of content natural.
-
- form_in: The request form which mitmproxy has received. The following
- values are possible:
-
- - relative (GET /index.html, OPTIONS *) (covers origin form and
- asterisk form)
- - absolute (GET http://example.com:80/index.html)
- - authority-form (CONNECT example.com:443)
- Details: http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-25#section-5.3
-
- form_out: The request form which mitmproxy will send out to the
- destination
-
- timestamp_start: Timestamp indicating when request transmission started
-
- timestamp_end: Timestamp indicating when request transmission ended
- """
-
- def __init__(
- self,
- form_in,
- method,
- scheme,
- host,
- port,
- path,
- httpversion,
- headers,
- body,
- timestamp_start=None,
- timestamp_end=None,
- form_out=None,
- ):
- semantics.Request.__init__(
- self,
- form_in,
- method,
- scheme,
- host,
- port,
- path,
- httpversion,
- headers,
- body,
- timestamp_start,
- timestamp_end,
- )
- self.form_out = form_out or form_in
-
- # Have this request's cookies been modified by sticky cookies or auth?
- self.stickycookie = False
- self.stickyauth = False
-
- # Is this request replayed?
- self.is_replay = False
-
- _stateobject_attributes = MessageMixin._stateobject_attributes.copy()
- _stateobject_attributes.update(
- form_in=str,
- method=str,
- scheme=str,
- host=str,
- port=int,
- path=str,
- form_out=str,
- is_replay=bool
- )
-
- @classmethod
- def from_state(cls, state):
- f = cls(
- None,
- None,
- None,
- None,
- None,
- None,
- None,
- None,
- None,
- None,
- None)
- f.load_state(state)
- return f
-
- @classmethod
- def from_protocol(
- self,
- protocol,
- *args,
- **kwargs
- ):
- req = protocol.read_request(*args, **kwargs)
- return self.wrap(req)
-
- @classmethod
- def wrap(self, request):
- req = HTTPRequest(
- form_in=request.form_in,
- method=request.method,
- scheme=request.scheme,
- host=request.host,
- port=request.port,
- path=request.path,
- httpversion=request.httpversion,
- headers=request.headers,
- body=request.body,
- timestamp_start=request.timestamp_start,
- timestamp_end=request.timestamp_end,
- form_out=(request.form_out if hasattr(request, 'form_out') else None),
- )
- if hasattr(request, 'stream_id'):
- req.stream_id = request.stream_id
- return req
-
- def __hash__(self):
- return id(self)
-
- def replace(self, pattern, repl, *args, **kwargs):
- """
- Replaces a regular expression pattern with repl in the headers, the
- request path and the body of the request. Encoded content will be
- decoded before replacement, and re-encoded afterwards.
-
- Returns the number of replacements made.
- """
- c = MessageMixin.replace(self, pattern, repl, *args, **kwargs)
- self.path, pc = utils.safe_subn(
- pattern, repl, self.path, *args, **kwargs
- )
- c += pc
- return c
-
-
-class HTTPResponse(MessageMixin, semantics.Response):
- """
- An HTTP response.
-
- Exposes the following attributes:
-
- httpversion: HTTP version tuple, e.g. (1, 0), (1, 1), or (2, 0)
-
- status_code: HTTP response status code
-
- msg: HTTP response message
-
- headers: ODict Caseless object
-
- content: Content of the request, None, or CONTENT_MISSING if there
- is content associated, but not present. CONTENT_MISSING evaluates
- to False to make checking for the presence of content natural.
-
- timestamp_start: Timestamp indicating when request transmission started
-
- timestamp_end: Timestamp indicating when request transmission ended
- """
-
- def __init__(
- self,
- httpversion,
- status_code,
- msg,
- headers,
- body,
- timestamp_start=None,
- timestamp_end=None,
- ):
- semantics.Response.__init__(
- self,
- httpversion,
- status_code,
- msg,
- headers,
- body,
- timestamp_start=timestamp_start,
- timestamp_end=timestamp_end,
- )
-
- # Is this request replayed?
- self.is_replay = False
- self.stream = False
-
- _stateobject_attributes = MessageMixin._stateobject_attributes.copy()
- _stateobject_attributes.update(
- status_code=int,
- msg=str
- )
-
- @classmethod
- def from_state(cls, state):
- f = cls(None, None, None, None, None)
- f.load_state(state)
- return f
-
- @classmethod
- def from_protocol(
- self,
- protocol,
- *args,
- **kwargs
- ):
- resp = protocol.read_response(*args, **kwargs)
- return self.wrap(resp)
-
- @classmethod
- def wrap(self, response):
- resp = HTTPResponse(
- httpversion=response.httpversion,
- status_code=response.status_code,
- msg=response.msg,
- headers=response.headers,
- body=response.body,
- timestamp_start=response.timestamp_start,
- timestamp_end=response.timestamp_end,
- )
- if hasattr(response, 'stream_id'):
- resp.stream_id = response.stream_id
- return resp
-
- def _refresh_cookie(self, c, delta):
- """
- Takes a cookie string c and a time delta in seconds, and returns
- a refreshed cookie string.
- """
- c = Cookie.SimpleCookie(str(c))
- for i in c.values():
- if "expires" in i:
- d = parsedate_tz(i["expires"])
- if d:
- d = mktime_tz(d) + delta
- i["expires"] = formatdate(d)
- else:
- # This can happen when the expires tag is invalid.
- # reddit.com sends a an expires tag like this: "Thu, 31 Dec
- # 2037 23:59:59 GMT", which is valid RFC 1123, but not
- # strictly correct according to the cookie spec. Browsers
- # appear to parse this tolerantly - maybe we should too.
- # For now, we just ignore this.
- del i["expires"]
- return c.output(header="").strip()
-
- def refresh(self, now=None):
- """
- This fairly complex and heuristic function refreshes a server
- response for replay.
-
- - It adjusts date, expires and last-modified headers.
- - It adjusts cookie expiration.
- """
- if not now:
- now = time.time()
- delta = now - self.timestamp_start
- refresh_headers = [
- "date",
- "expires",
- "last-modified",
- ]
- for i in refresh_headers:
- if i in self.headers:
- d = parsedate_tz(self.headers[i][0])
- if d:
- new = mktime_tz(d) + delta
- self.headers[i] = [formatdate(new)]
- c = []
- for i in self.headers["set-cookie"]:
- c.append(self._refresh_cookie(i, delta))
- if c:
- self.headers["set-cookie"] = c
diff --git a/libmproxy/protocol/primitives.py b/libmproxy/protocol/primitives.py
deleted file mode 100644
index c663f0c5..00000000
--- a/libmproxy/protocol/primitives.py
+++ /dev/null
@@ -1,166 +0,0 @@
-from __future__ import absolute_import
-import copy
-import uuid
-
-from .. import stateobject, utils, version
-from ..proxy.connection import ClientConnection, ServerConnection
-
-KILL = 0 # const for killed requests
-
-
-class Error(stateobject.StateObject):
- """
- An Error.
-
- This is distinct from an protocol error response (say, a HTTP code 500),
- which is represented by a normal HTTPResponse object. This class is
- responsible for indicating errors that fall outside of normal protocol
- communications, like interrupted connections, timeouts, protocol errors.
-
- Exposes the following attributes:
-
- flow: Flow object
- msg: Message describing the error
- timestamp: Seconds since the epoch
- """
-
- def __init__(self, msg, timestamp=None):
- """
- @type msg: str
- @type timestamp: float
- """
- self.flow = None # will usually be set by the flow backref mixin
- self.msg = msg
- self.timestamp = timestamp or utils.timestamp()
-
- _stateobject_attributes = dict(
- msg=str,
- timestamp=float
- )
-
- def __str__(self):
- return self.msg
-
- @classmethod
- def from_state(cls, state):
- # the default implementation assumes an empty constructor. Override
- # accordingly.
- f = cls(None)
- f.load_state(state)
- return f
-
- def copy(self):
- c = copy.copy(self)
- return c
-
-
-class Flow(stateobject.StateObject):
- """
- A Flow is a collection of objects representing a single transaction.
- This class is usually subclassed for each protocol, e.g. HTTPFlow.
- """
-
- def __init__(self, type, client_conn, server_conn, live=None):
- self.type = type
- self.id = str(uuid.uuid4())
- self.client_conn = client_conn
- """@type: ClientConnection"""
- self.server_conn = server_conn
- """@type: ServerConnection"""
- self.live = live
- """@type: LiveConnection"""
-
- self.error = None
- """@type: Error"""
- self.intercepted = False
- """@type: bool"""
- self._backup = None
- self.reply = None
-
- _stateobject_attributes = dict(
- id=str,
- error=Error,
- client_conn=ClientConnection,
- server_conn=ServerConnection,
- type=str,
- intercepted=bool
- )
-
- def get_state(self, short=False):
- d = super(Flow, self).get_state(short)
- d.update(version=version.IVERSION)
- if self._backup and self._backup != d:
- if short:
- d.update(modified=True)
- else:
- d.update(backup=self._backup)
- return d
-
- def __eq__(self, other):
- return self is other
-
- def copy(self):
- f = copy.copy(self)
-
- f.id = str(uuid.uuid4())
- f.live = False
- f.client_conn = self.client_conn.copy()
- f.server_conn = self.server_conn.copy()
-
- if self.error:
- f.error = self.error.copy()
- return f
-
- def modified(self):
- """
- Has this Flow been modified?
- """
- if self._backup:
- return self._backup != self.get_state()
- else:
- return False
-
- def backup(self, force=False):
- """
- Save a backup of this Flow, which can be reverted to using a
- call to .revert().
- """
- if not self._backup:
- self._backup = self.get_state()
-
- def revert(self):
- """
- Revert to the last backed up state.
- """
- if self._backup:
- self.load_state(self._backup)
- self._backup = None
-
- def kill(self, master):
- """
- Kill this request.
- """
- self.error = Error("Connection killed")
- self.intercepted = False
- self.reply(KILL)
- master.handle_error(self)
-
- def intercept(self, master):
- """
- Intercept this Flow. Processing will stop until accept_intercept is
- called.
- """
- if self.intercepted:
- return
- self.intercepted = True
- master.handle_intercept(self)
-
- def accept_intercept(self, master):
- """
- Continue with the flow - called after an intercept().
- """
- if not self.intercepted:
- return
- self.intercepted = False
- self.reply()
- master.handle_accept_intercept(self)
diff --git a/libmproxy/protocol/rawtcp.py b/libmproxy/protocol/rawtcp.py
new file mode 100644
index 00000000..86468773
--- /dev/null
+++ b/libmproxy/protocol/rawtcp.py
@@ -0,0 +1,66 @@
+from __future__ import (absolute_import, print_function, division)
+import socket
+import select
+
+from OpenSSL import SSL
+
+from netlib.tcp import NetLibError
+from netlib.utils import cleanBin
+from ..exceptions import ProtocolException
+from .base import Layer
+
+
+class RawTCPLayer(Layer):
+ chunk_size = 4096
+
+ def __init__(self, ctx, logging=True):
+ self.logging = logging
+ super(RawTCPLayer, self).__init__(ctx)
+
+ def __call__(self):
+ self.connect()
+
+ buf = memoryview(bytearray(self.chunk_size))
+
+ client = self.client_conn.connection
+ server = self.server_conn.connection
+ conns = [client, server]
+
+ try:
+ while True:
+ r, _, _ = select.select(conns, [], [], 10)
+ for conn in r:
+ dst = server if conn == client else client
+
+ size = conn.recv_into(buf, self.chunk_size)
+ if not size:
+ conns.remove(conn)
+ # Shutdown connection to the other peer
+ if isinstance(conn, SSL.Connection):
+ # We can't half-close a connection, so we just close everything here.
+ # Sockets will be cleaned up on a higher level.
+ return
+ else:
+ dst.shutdown(socket.SHUT_WR)
+
+ if len(conns) == 0:
+ return
+ continue
+
+ dst.sendall(buf[:size])
+
+ if self.logging:
+ # log messages are prepended with the client address,
+ # hence the "weird" direction string.
+ if dst == server:
+ direction = "-> tcp -> {}".format(repr(self.server_conn.address))
+ else:
+ direction = "<- tcp <- {}".format(repr(self.server_conn.address))
+ data = cleanBin(buf[:size].tobytes())
+ self.log(
+ "{}\r\n{}".format(direction, data),
+ "info"
+ )
+
+ except (socket.error, NetLibError, SSL.Error) as e:
+ raise ProtocolException("TCP connection closed unexpectedly: {}".format(repr(e)), e)
diff --git a/libmproxy/protocol/tls.py b/libmproxy/protocol/tls.py
new file mode 100644
index 00000000..b85a6595
--- /dev/null
+++ b/libmproxy/protocol/tls.py
@@ -0,0 +1,288 @@
+from __future__ import (absolute_import, print_function, division)
+
+import struct
+
+from construct import ConstructError
+
+from netlib.tcp import NetLibError, NetLibInvalidCertificateError
+from netlib.http.http1 import HTTP1Protocol
+from ..contrib.tls._constructs import ClientHello
+from ..exceptions import ProtocolException
+from .base import Layer
+
+
+def is_tls_record_magic(d):
+ """
+ Returns:
+ True, if the passed bytes start with the TLS record magic bytes.
+ False, otherwise.
+ """
+ d = d[:3]
+
+ # TLS ClientHello magic, works for SSLv3, TLSv1.0, TLSv1.1, TLSv1.2
+ # http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html#client-hello
+ return (
+ len(d) == 3 and
+ d[0] == '\x16' and
+ d[1] == '\x03' and
+ d[2] in ('\x00', '\x01', '\x02', '\x03')
+ )
+
+
+class TlsLayer(Layer):
+ def __init__(self, ctx, client_tls, server_tls):
+ self.client_sni = None
+ self.client_alpn_protocols = None
+
+ super(TlsLayer, self).__init__(ctx)
+ self._client_tls = client_tls
+ self._server_tls = server_tls
+
+ self._sni_from_server_change = None
+
+ def __call__(self):
+ """
+ The strategy for establishing SSL is as follows:
+ First, we determine whether we need the server cert to establish ssl with the client.
+ If so, we first connect to the server and then to the client.
+ If not, we only connect to the client and do the server_ssl lazily on a Connect message.
+
+ An additional complexity is that establish ssl with the server may require a SNI value from the client.
+ In an ideal world, we'd do the following:
+ 1. Start the SSL handshake with the client
+ 2. Check if the client sends a SNI.
+ 3. Pause the client handshake, establish SSL with the server.
+ 4. Finish the client handshake with the certificate from the server.
+ There's just one issue: We cannot get a callback from OpenSSL if the client doesn't send a SNI. :(
+ Thus, we manually peek into the connection and parse the ClientHello message to obtain both SNI and ALPN values.
+
+ Further notes:
+ - OpenSSL 1.0.2 introduces a callback that would help here:
+ https://www.openssl.org/docs/ssl/SSL_CTX_set_cert_cb.html
+ - The original mitmproxy issue is https://github.com/mitmproxy/mitmproxy/issues/427
+ """
+
+ client_tls_requires_server_cert = (
+ self._client_tls and self._server_tls and not self.config.no_upstream_cert
+ )
+
+ if self._client_tls:
+ self._parse_client_hello()
+
+ if client_tls_requires_server_cert:
+ self._establish_tls_with_client_and_server()
+ elif self._client_tls:
+ self._establish_tls_with_client()
+
+ layer = self.ctx.next_layer(self)
+ layer()
+
+ def __repr__(self):
+ if self._client_tls and self._server_tls:
+ return "TlsLayer(client and server)"
+ elif self._client_tls:
+ return "TlsLayer(client)"
+ elif self._server_tls:
+ return "TlsLayer(server)"
+ else:
+ return "TlsLayer(inactive)"
+
+ def _get_client_hello(self):
+ """
+ Peek into the socket and read all records that contain the initial client hello message.
+
+ Returns:
+ The raw handshake packet bytes, without TLS record header(s).
+ """
+ client_hello = ""
+ client_hello_size = 1
+ offset = 0
+ while len(client_hello) < client_hello_size:
+ record_header = self.client_conn.rfile.peek(offset + 5)[offset:]
+ if not is_tls_record_magic(record_header) or len(record_header) != 5:
+ raise ProtocolException('Expected TLS record, got "%s" instead.' % record_header)
+ record_size = struct.unpack("!H", record_header[3:])[0] + 5
+ record_body = self.client_conn.rfile.peek(offset + record_size)[offset + 5:]
+ if len(record_body) != record_size - 5:
+ raise ProtocolException("Unexpected EOF in TLS handshake: %s" % record_body)
+ client_hello += record_body
+ offset += record_size
+ client_hello_size = struct.unpack("!I", '\x00' + client_hello[1:4])[0] + 4
+ return client_hello
+
+ def _parse_client_hello(self):
+ """
+ Peek into the connection, read the initial client hello and parse it to obtain ALPN values.
+ """
+ try:
+ raw_client_hello = self._get_client_hello()[4:] # exclude handshake header.
+ except ProtocolException as e:
+ self.log("Cannot parse Client Hello: %s" % repr(e), "error")
+ return
+
+ try:
+ client_hello = ClientHello.parse(raw_client_hello)
+ except ConstructError as e:
+ self.log("Cannot parse Client Hello: %s" % repr(e), "error")
+ self.log("Raw Client Hello:\r\n:%s" % raw_client_hello.encode("hex"), "debug")
+ return
+
+ for extension in client_hello.extensions:
+ if extension.type == 0x00:
+ if len(extension.server_names) != 1 or extension.server_names[0].type != 0:
+ self.log("Unknown Server Name Indication: %s" % extension.server_names, "error")
+ self.client_sni = extension.server_names[0].name
+ elif extension.type == 0x10:
+ self.client_alpn_protocols = list(extension.alpn_protocols)
+
+ self.log(
+ "Parsed Client Hello: sni=%s, alpn=%s" % (self.client_sni, self.client_alpn_protocols),
+ "debug"
+ )
+
+ def connect(self):
+ if not self.server_conn:
+ self.ctx.connect()
+ if self._server_tls and not self.server_conn.tls_established:
+ self._establish_tls_with_server()
+
+ def reconnect(self):
+ self.ctx.reconnect()
+ if self._server_tls and not self.server_conn.tls_established:
+ self._establish_tls_with_server()
+
+ def set_server(self, address, server_tls=None, sni=None, depth=1):
+ self.ctx.set_server(address, server_tls, sni, depth)
+ if depth == 1 and server_tls is not None:
+ self._sni_from_server_change = sni
+ self._server_tls = server_tls
+
+ @property
+ def sni_for_server_connection(self):
+ if self._sni_from_server_change is False:
+ return None
+ else:
+ return self._sni_from_server_change or self.client_sni
+
+ @property
+ def alpn_for_client_connection(self):
+ return self.server_conn.get_alpn_proto_negotiated()
+
+ def __alpn_select_callback(self, conn_, options):
+ """
+ Once the client signals the alternate protocols it supports,
+ we reconnect upstream with the same list and pass the server's choice down to the client.
+ """
+
+ # This gets triggered if we haven't established an upstream connection yet.
+ default_alpn = HTTP1Protocol.ALPN_PROTO_HTTP1
+ # alpn_preference = netlib.http.http2.HTTP2Protocol.ALPN_PROTO_H2
+
+ if self.alpn_for_client_connection in options:
+ choice = bytes(self.alpn_for_client_connection)
+ elif default_alpn in options:
+ choice = bytes(default_alpn)
+ else:
+ choice = options[0]
+ self.log("ALPN for client: %s" % choice, "debug")
+ return choice
+
+ def _establish_tls_with_client_and_server(self):
+ self.ctx.connect()
+
+ # If establishing TLS with the server fails, we try to establish TLS with the client nonetheless
+ # to send an error message over TLS.
+ try:
+ self._establish_tls_with_server()
+ except Exception as e:
+ try:
+ self._establish_tls_with_client()
+ except:
+ pass
+ raise e
+
+ self._establish_tls_with_client()
+
+ def _establish_tls_with_client(self):
+ self.log("Establish TLS with client", "debug")
+ cert, key, chain_file = self._find_cert()
+
+ try:
+ self.client_conn.convert_to_ssl(
+ cert, key,
+ method=self.config.openssl_method_client,
+ options=self.config.openssl_options_client,
+ cipher_list=self.config.ciphers_client,
+ dhparams=self.config.certstore.dhparams,
+ chain_file=chain_file,
+ alpn_select_callback=self.__alpn_select_callback,
+ )
+ except NetLibError as e:
+ raise ProtocolException("Cannot establish TLS with client: %s" % repr(e), e)
+
+ def _establish_tls_with_server(self):
+ self.log("Establish TLS with server", "debug")
+ try:
+ # We only support http/1.1 and h2.
+ # If the server only supports spdy (next to http/1.1), it may select that
+ # and mitmproxy would enter TCP passthrough mode, which we want to avoid.
+ deprecated_http2_variant = lambda x: x.startswith("h2-") or x.startswith("spdy")
+ if self.client_alpn_protocols:
+ alpn = filter(lambda x: not deprecated_http2_variant(x), self.client_alpn_protocols)
+ else:
+ alpn = None
+
+ self.server_conn.establish_ssl(
+ self.config.clientcerts,
+ self.sni_for_server_connection,
+ method=self.config.openssl_method_server,
+ options=self.config.openssl_options_server,
+ verify_options=self.config.openssl_verification_mode_server,
+ ca_path=self.config.openssl_trusted_cadir_server,
+ ca_pemfile=self.config.openssl_trusted_ca_server,
+ cipher_list=self.config.ciphers_server,
+ alpn_protos=alpn,
+ )
+ tls_cert_err = self.server_conn.ssl_verification_error
+ if tls_cert_err is not None:
+ self.log(
+ "TLS verification failed for upstream server at depth %s with error: %s" %
+ (tls_cert_err['depth'], tls_cert_err['errno']),
+ "error")
+ self.log("Ignoring server verification error, continuing with connection", "error")
+ except NetLibInvalidCertificateError as e:
+ tls_cert_err = self.server_conn.ssl_verification_error
+ self.log(
+ "TLS verification failed for upstream server at depth %s with error: %s" %
+ (tls_cert_err['depth'], tls_cert_err['errno']),
+ "error")
+ self.log("Aborting connection attempt", "error")
+ raise ProtocolException("Cannot establish TLS with server: %s" % repr(e), e)
+ except NetLibError as e:
+ raise ProtocolException("Cannot establish TLS with server: %s" % repr(e), e)
+
+ self.log("ALPN selected by server: %s" % self.alpn_for_client_connection, "debug")
+
+ def _find_cert(self):
+ host = self.server_conn.address.host
+ sans = set()
+ # Incorporate upstream certificate
+ use_upstream_cert = (
+ self.server_conn and
+ self.server_conn.tls_established and
+ (not self.config.no_upstream_cert)
+ )
+ if use_upstream_cert:
+ upstream_cert = self.server_conn.cert
+ sans.update(upstream_cert.altnames)
+ if upstream_cert.cn:
+ sans.add(host)
+ host = upstream_cert.cn.decode("utf8").encode("idna")
+ # Also add SNI values.
+ if self.client_sni:
+ sans.add(self.client_sni)
+ if self._sni_from_server_change:
+ sans.add(self._sni_from_server_change)
+
+ sans.discard(host)
+ return self.config.certstore.get_cert(host, list(sans))
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-25 10:35:30 +0000