From ce0a500885619444b7fd386419c5c556d5196e18 Mon Sep 17 00:00:00 2001 From: David Weinstein Date: Sat, 23 Jan 2016 21:29:14 -0500 Subject: Add ignore based on TLS ClientHello SNI - also add some documentation about ignoring based on SNI --- libmproxy/protocol/__init__.py | 4 +- libmproxy/protocol/tls.py | 126 +++++++++++++++++++++++++---------------- 2 files changed, 79 insertions(+), 51 deletions(-) (limited to 'libmproxy/protocol') diff --git a/libmproxy/protocol/__init__.py b/libmproxy/protocol/__init__.py index 0d624fd7..d8ebd4f0 100644 --- a/libmproxy/protocol/__init__.py +++ b/libmproxy/protocol/__init__.py @@ -28,12 +28,12 @@ as late as possible; this makes server replay without any outgoing connections p from __future__ import (absolute_import, print_function, division) from .base import Layer, ServerConnectionMixin, Kill from .http import Http1Layer, UpstreamConnectLayer, Http2Layer -from .tls import TlsLayer, is_tls_record_magic +from .tls import TlsLayer, is_tls_record_magic, TlsClientHello from .rawtcp import RawTCPLayer __all__ = [ "Layer", "ServerConnectionMixin", "Kill", "Http1Layer", "UpstreamConnectLayer", "Http2Layer", - "TlsLayer", "is_tls_record_magic", + "TlsLayer", "is_tls_record_magic", "TlsClientHello" "RawTCPLayer" ] diff --git a/libmproxy/protocol/tls.py b/libmproxy/protocol/tls.py index ed747643..0955166f 100644 --- a/libmproxy/protocol/tls.py +++ b/libmproxy/protocol/tls.py @@ -221,6 +221,75 @@ def is_tls_record_magic(d): d[2] in ('\x00', '\x01', '\x02', '\x03') ) +def get_client_hello(client_conn): + """ + Peek into the socket and read all records that contain the initial client hello message. + + client_conn: + The :py:class:`client connection `. + + Returns: + The raw handshake packet bytes, without TLS record header(s). + """ + client_hello = "" + client_hello_size = 1 + offset = 0 + while len(client_hello) < client_hello_size: + record_header = client_conn.rfile.peek(offset + 5)[offset:] + if not is_tls_record_magic(record_header) or len(record_header) != 5: + raise TlsProtocolException('Expected TLS record, got "%s" instead.' % record_header) + record_size = struct.unpack("!H", record_header[3:])[0] + 5 + record_body = client_conn.rfile.peek(offset + record_size)[offset + 5:] + if len(record_body) != record_size - 5: + raise TlsProtocolException("Unexpected EOF in TLS handshake: %s" % record_body) + client_hello += record_body + offset += record_size + client_hello_size = struct.unpack("!I", '\x00' + client_hello[1:4])[0] + 4 + return client_hello + +class TlsClientHello(object): + def __init__(self, raw_client_hello): + self._client_hello = ClientHello.parse(raw_client_hello) + + def raw(self): + return self._client_hello + + @property + def client_cipher_suites(self): + return self._client_hello.cipher_suites.cipher_suites + + @property + def client_sni(self): + for extension in self._client_hello.extensions: + if (extension.type == 0x00 and len(extension.server_names) == 1 + and extension.server_names[0].type == 0): + return extension.server_names[0].name + + @property + def client_alpn_protocols(self): + for extension in self._client_hello.extensions: + if extension.type == 0x10: + return list(extension.alpn_protocols) + + @classmethod + def from_client_conn(cls, client_conn): + """ + Peek into the connection, read the initial client hello and parse it to obtain ALPN values. + client_conn: + The :py:class:`client connection `. + Returns: + :py:class:`client hello `. + """ + try: + raw_client_hello = get_client_hello(client_conn)[4:] # exclude handshake header. + except ProtocolException as e: + raise TlsProtocolException('Cannot parse Client Hello: %s' % repr(e)) + + try: + return cls(raw_client_hello) + except ConstructError as e: + #self.log("Raw Client Hello: %s" % raw_client_hello.encode("hex"), "debug") + raise TlsProtocolException('Cannot parse Client Hello: %s' % repr(e)) class TlsLayer(Layer): def __init__(self, ctx, client_tls, server_tls): @@ -281,60 +350,15 @@ class TlsLayer(Layer): else: return "TlsLayer(inactive)" - def _get_client_hello(self): - """ - Peek into the socket and read all records that contain the initial client hello message. - - Returns: - The raw handshake packet bytes, without TLS record header(s). - """ - client_hello = "" - client_hello_size = 1 - offset = 0 - while len(client_hello) < client_hello_size: - record_header = self.client_conn.rfile.peek(offset + 5)[offset:] - if not is_tls_record_magic(record_header) or len(record_header) != 5: - raise TlsProtocolException('Expected TLS record, got "%s" instead.' % record_header) - record_size = struct.unpack("!H", record_header[3:])[0] + 5 - record_body = self.client_conn.rfile.peek(offset + record_size)[offset + 5:] - if len(record_body) != record_size - 5: - raise TlsProtocolException("Unexpected EOF in TLS handshake: %s" % record_body) - client_hello += record_body - offset += record_size - client_hello_size = struct.unpack("!I", '\x00' + client_hello[1:4])[0] + 4 - return client_hello def _parse_client_hello(self): """ Peek into the connection, read the initial client hello and parse it to obtain ALPN values. """ - try: - raw_client_hello = self._get_client_hello()[4:] # exclude handshake header. - except ProtocolException as e: - self.log("Cannot parse Client Hello: %s" % repr(e), "error") - return - - try: - client_hello = ClientHello.parse(raw_client_hello) - except ConstructError as e: - self.log("Cannot parse Client Hello: %s" % repr(e), "error") - self.log("Raw Client Hello: %s" % raw_client_hello.encode("hex"), "debug") - return - - self.client_ciphers = client_hello.cipher_suites.cipher_suites - - for extension in client_hello.extensions: - if extension.type == 0x00: - if len(extension.server_names) != 1 or extension.server_names[0].type != 0: - self.log("Unknown Server Name Indication: %s" % extension.server_names, "error") - self.client_sni = extension.server_names[0].name - elif extension.type == 0x10: - self.client_alpn_protocols = list(extension.alpn_protocols) - - self.log( - "Parsed Client Hello: sni=%s, alpn=%s" % (self.client_sni, self.client_alpn_protocols), - "debug" - ) + parsed = TlsClientHello.from_client_conn(self.client_conn) + self.client_sni = parsed.client_sni + self.client_alpn_protocols = parsed.client_alpn_protocols + self.client_ciphers = parsed.client_cipher_suites def connect(self): if not self.server_conn: @@ -359,6 +383,10 @@ class TlsLayer(Layer): def alpn_for_client_connection(self): return self.server_conn.get_alpn_proto_negotiated() + @property + def client_tls(self): + return self._client_tls + def __alpn_select_callback(self, conn_, options): """ Once the client signals the alternate protocols it supports, -- cgit v1.2.3 From 0a43cc88448e27b5e5fcf7f550d3618241820595 Mon Sep 17 00:00:00 2001 From: David Weinstein Date: Tue, 26 Jan 2016 09:33:03 -0500 Subject: add TlsClientHello repr --- libmproxy/protocol/tls.py | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'libmproxy/protocol') diff --git a/libmproxy/protocol/tls.py b/libmproxy/protocol/tls.py index 0955166f..07b9f353 100644 --- a/libmproxy/protocol/tls.py +++ b/libmproxy/protocol/tls.py @@ -291,6 +291,11 @@ class TlsClientHello(object): #self.log("Raw Client Hello: %s" % raw_client_hello.encode("hex"), "debug") raise TlsProtocolException('Cannot parse Client Hello: %s' % repr(e)) + def __repr__(self): + return "TlsClientHello( sni: %s alpn_protocols: %s, cipher_suites: %s)" % \ + (self.client_sni, self.client_alpn_protocols, self.client_cipher_suites) + + class TlsLayer(Layer): def __init__(self, ctx, client_tls, server_tls): self.client_sni = None -- cgit v1.2.3 From 11b289d3c7f8c0bae8ec2f570399fcc44675bdd8 Mon Sep 17 00:00:00 2001 From: David Weinstein Date: Tue, 26 Jan 2016 11:28:19 -0500 Subject: remove client_tls property from TlsLayer --- libmproxy/protocol/tls.py | 4 ---- 1 file changed, 4 deletions(-) (limited to 'libmproxy/protocol') diff --git a/libmproxy/protocol/tls.py b/libmproxy/protocol/tls.py index 07b9f353..f05648ac 100644 --- a/libmproxy/protocol/tls.py +++ b/libmproxy/protocol/tls.py @@ -388,10 +388,6 @@ class TlsLayer(Layer): def alpn_for_client_connection(self): return self.server_conn.get_alpn_proto_negotiated() - @property - def client_tls(self): - return self._client_tls - def __alpn_select_callback(self, conn_, options): """ Once the client signals the alternate protocols it supports, -- cgit v1.2.3 From 17a32d921cd2df98ad2f7861eb9165ec20dc7314 Mon Sep 17 00:00:00 2001 From: David Weinstein Date: Tue, 26 Jan 2016 11:38:14 -0500 Subject: Log exceptions parsing TlsClientHello in TlsLayer --- libmproxy/protocol/tls.py | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) (limited to 'libmproxy/protocol') diff --git a/libmproxy/protocol/tls.py b/libmproxy/protocol/tls.py index f05648ac..0b47af78 100644 --- a/libmproxy/protocol/tls.py +++ b/libmproxy/protocol/tls.py @@ -360,10 +360,13 @@ class TlsLayer(Layer): """ Peek into the connection, read the initial client hello and parse it to obtain ALPN values. """ - parsed = TlsClientHello.from_client_conn(self.client_conn) - self.client_sni = parsed.client_sni - self.client_alpn_protocols = parsed.client_alpn_protocols - self.client_ciphers = parsed.client_cipher_suites + try: + parsed = TlsClientHello.from_client_conn(self.client_conn) + self.client_sni = parsed.client_sni + self.client_alpn_protocols = parsed.client_alpn_protocols + self.client_ciphers = parsed.client_cipher_suites + except TlsProtocolException as e: + self.log("Cannot parse Client Hello: %s" % repr(e), "error") def connect(self): if not self.server_conn: -- cgit v1.2.3 From 8f8c2efccd52f9791cc5990f9863cdd02617bc0d Mon Sep 17 00:00:00 2001 From: David Weinstein Date: Tue, 26 Jan 2016 12:29:02 -0500 Subject: Include raw client hello in exception --- libmproxy/protocol/tls.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'libmproxy/protocol') diff --git a/libmproxy/protocol/tls.py b/libmproxy/protocol/tls.py index 0b47af78..6d4cac85 100644 --- a/libmproxy/protocol/tls.py +++ b/libmproxy/protocol/tls.py @@ -283,13 +283,13 @@ class TlsClientHello(object): try: raw_client_hello = get_client_hello(client_conn)[4:] # exclude handshake header. except ProtocolException as e: - raise TlsProtocolException('Cannot parse Client Hello: %s' % repr(e)) + raise TlsProtocolException('Cannot read raw Client Hello: %s' % repr(e)) try: return cls(raw_client_hello) except ConstructError as e: - #self.log("Raw Client Hello: %s" % raw_client_hello.encode("hex"), "debug") - raise TlsProtocolException('Cannot parse Client Hello: %s' % repr(e)) + raise TlsProtocolException('Cannot parse Client Hello: %s, Raw Client Hello: %s' % \ + (repr(e), raw_client_hello.encode("hex"))) def __repr__(self): return "TlsClientHello( sni: %s alpn_protocols: %s, cipher_suites: %s)" % \ -- cgit v1.2.3