Diffstat (limited to 'libmproxy/protocol')
-rw-r--r-- | libmproxy/protocol/__init__.py | 8 | ||||
-rw-r--r-- | libmproxy/protocol/base.py | 5 | ||||
-rw-r--r-- | libmproxy/protocol/http.py | 11 | ||||
-rw-r--r-- | libmproxy/protocol/rawtcp.py | 2 | ||||
-rw-r--r-- | libmproxy/protocol/tls.py | 137 |
5 files changed, 105 insertions, 58 deletions
diff --git a/libmproxy/protocol/__init__.py b/libmproxy/protocol/__init__.py
index 0d624fd7..d46f16f5 100644
--- a/libmproxy/protocol/__init__.py
+++ b/libmproxy/protocol/__init__.py
@@ -28,12 +28,14 @@ as late as possible; this makes server replay without any outgoing connections p
 from __future__ import (absolute_import, print_function, division)
 from .base import Layer, ServerConnectionMixin, Kill
 from .http import Http1Layer, UpstreamConnectLayer, Http2Layer
-from .tls import TlsLayer, is_tls_record_magic
+from .tls import TlsLayer
+from .tls import is_tls_record_magic
+from .tls import TlsClientHello
 from .rawtcp import RawTCPLayer
 __all__ = [
 "Layer", "ServerConnectionMixin", "Kill",
 "Http1Layer", "UpstreamConnectLayer", "Http2Layer",
-"TlsLayer", "is_tls_record_magic",
-"RawTCPLayer"
+"TlsLayer", "is_tls_record_magic", "TlsClientHello",
+"RawTCPLayer",
 ]
diff --git a/libmproxy/protocol/base.py b/libmproxy/protocol/base.py
index d984cadb..4eb034c0 100644
--- a/libmproxy/protocol/base.py
+++ b/libmproxy/protocol/base.py
@@ -3,13 +3,13 @@ import sys
 import six
-from netlib import tcp
 from ..models import ServerConnection
 from ..exceptions import ProtocolException
 from netlib.exceptions import TcpException
 class _LayerCodeCompletion(object):
+
 """
 Dummy class that provides type hinting in PyCharm, which simplifies development a lot.
 """
@@ -31,6 +31,7 @@ class _LayerCodeCompletion(object):
 class Layer(_LayerCodeCompletion):
+
 """
 Base class for all layers. All other protocol layers should inherit from this class.
 """
@@ -91,6 +92,7 @@ class Layer(_LayerCodeCompletion):
 class ServerConnectionMixin(object):
+
 """
 Mixin that provides a layer with the capabilities to manage a server connection.
 The server address can be passed in the constructor or set by calling :py:meth:`set_server`.
@@ -190,6 +192,7 @@ class ServerConnectionMixin(object):
 class Kill(Exception):
+
 """
 Signal that both client and server connection(s) should be killed immediately.
 """
diff --git a/libmproxy/protocol/http.py b/libmproxy/protocol/http.py
index d72adc37..12d09e71 100644
--- a/libmproxy/protocol/http.py
+++ b/libmproxy/protocol/http.py
@@ -72,6 +72,7 @@ class _StreamingHttpLayer(_HttpLayer):
 class Http1Layer(_StreamingHttpLayer):
+
 def __init__(self, ctx, mode):
 super(Http1Layer, self).__init__(ctx)
 self.mode = mode
@@ -132,6 +133,7 @@ class Http1Layer(_StreamingHttpLayer):
 # TODO: The HTTP2 layer is missing multiplexing, which requires a major rewrite.
 class Http2Layer(_HttpLayer):
+
 def __init__(self, ctx, mode):
 super(Http2Layer, self).__init__(ctx)
 self.mode = mode
@@ -229,6 +231,7 @@ class Http2Layer(_HttpLayer):
 class ConnectServerConnection(object):
+
 """
 "Fake" ServerConnection to represent state after a CONNECT request to an upstream proxy.
 """
@@ -249,6 +252,7 @@ class ConnectServerConnection(object):
 class UpstreamConnectLayer(Layer):
+
 def __init__(self, ctx, connect_request):
 super(UpstreamConnectLayer, self).__init__(ctx)
 self.connect_request = connect_request
@@ -293,6 +297,7 @@ class UpstreamConnectLayer(Layer):
 class HttpLayer(Layer):
+
 def __init__(self, ctx, mode):
 super(HttpLayer, self).__init__(ctx)
 self.mode = mode
@@ -328,7 +333,8 @@ class HttpLayer(Layer):
 return
 except NetlibException as e:
 self.send_error_response(400, repr(e))
-six.reraise(ProtocolException, ProtocolException("Error in HTTP connection: %s" % repr(e)), sys.exc_info()[2])
+six.reraise(ProtocolException, ProtocolException(
+"Error in HTTP connection: %s" % repr(e)), sys.exc_info()[2])
 try:
 flow = HTTPFlow(self.client_conn, self.server_conn, live=self)
@@ -376,7 +382,8 @@ class HttpLayer(Layer):
 self.log(traceback.format_exc(), "debug")
 return
 else:
-six.reraise(ProtocolException, ProtocolException("Error in HTTP connection: %s" % repr(e)), sys.exc_info()[2])
+six.reraise(ProtocolException, ProtocolException(
+"Error in HTTP connection: %s" % repr(e)), sys.exc_info()[2])
 finally:
 flow.live = False
diff --git a/libmproxy/protocol/rawtcp.py b/libmproxy/protocol/rawtcp.py
index ccd3c7ec..b87899e4 100644
--- a/libmproxy/protocol/rawtcp.py
+++ b/libmproxy/protocol/rawtcp.py
@@ -1,6 +1,5 @@
 from __future__ import (absolute_import, print_function, division)
 import socket
-import select
 import six
 import sys
@@ -14,6 +13,7 @@ from .base import Layer
 class TcpMessage(object):
+
 def __init__(self, client_conn, server_conn, sender, receiver, message):
 self.client_conn = client_conn
 self.server_conn = server_conn
diff --git a/libmproxy/protocol/tls.py b/libmproxy/protocol/tls.py
index ed747643..28f8c177 100644
--- a/libmproxy/protocol/tls.py
+++ b/libmproxy/protocol/tls.py
@@ -5,14 +5,14 @@ import sys
 from construct import ConstructError
 import six
-from netlib.exceptions import InvalidCertificateException, TcpException, TlsException
+from netlib.exceptions import InvalidCertificateException
+from netlib.exceptions import TlsException
 from ..contrib.tls._constructs import ClientHello
 from ..exceptions import ProtocolException, TlsProtocolException, ClientHandshakeException
 from .base import Layer
-
 # taken from https://testssl.sh/openssl-rfc.mappping.html
 CIPHER_ID_NAME_MAP = {
 0x00: 'NULL-MD5',
@@ -222,7 +222,85 @@ def is_tls_record_magic(d):
 )
+def get_client_hello(client_conn):
+ """
+ Peek into the socket and read all records that contain the initial client hello message.
+
+ client_conn:
+ The :py:class:`client connection <libmproxy.models.ClientConnection>`.
+
+ Returns:
+ The raw handshake packet bytes, without TLS record header(s).
+ """
+ client_hello = ""
+ client_hello_size = 1
+ offset = 0
+ while len(client_hello) < client_hello_size:
+ record_header = client_conn.rfile.peek(offset + 5)[offset:]
+ if not is_tls_record_magic(record_header) or len(record_header) != 5:
+ raise TlsProtocolException('Expected TLS record, got "%s" instead.' % record_header)
+ record_size = struct.unpack("!H", record_header[3:])[0] + 5
+ record_body = client_conn.rfile.peek(offset + record_size)[offset + 5:]
+ if len(record_body) != record_size - 5:
+ raise TlsProtocolException("Unexpected EOF in TLS handshake: %s" % record_body)
+ client_hello += record_body
+ offset += record_size
+ client_hello_size = struct.unpack("!I", '\x00' + client_hello[1:4])[0] + 4
+ return client_hello
+
+
+ class TlsClientHello(object):
+
+ def __init__(self, raw_client_hello):
+ self._client_hello = ClientHello.parse(raw_client_hello)
+
+ def raw(self):
+ return self._client_hello
+
+ @property
+ def client_cipher_suites(self):
+ return self._client_hello.cipher_suites.cipher_suites
+
+ @property
+ def client_sni(self):
+ for extension in self._client_hello.extensions:
+ if (extension.type == 0x00 and len(extension.server_names) == 1
+ and extension.server_names[0].type == 0):
+ return extension.server_names[0].name
+
+ @property
+ def client_alpn_protocols(self):
+ for extension in self._client_hello.extensions:
+ if extension.type == 0x10:
+ return list(extension.alpn_protocols)
+
+ @classmethod
+ def from_client_conn(cls, client_conn):
+ """
+ Peek into the connection, read the initial client hello and parse it to obtain ALPN values.
+ client_conn:
+ The :py:class:`client connection <libmproxy.models.ClientConnection>`.
+ Returns:
+ :py:class:`client hello <libmproxy.protocol.tls.TlsClientHello>`.
+ """
+ try:
+ raw_client_hello = get_client_hello(client_conn)[4:] # exclude handshake header.
+ except ProtocolException as e:
+ raise TlsProtocolException('Cannot read raw Client Hello: %s' % repr(e))
+
+ try:
+ return cls(raw_client_hello)
+ except ConstructError as e:
+ raise TlsProtocolException('Cannot parse Client Hello: %s, Raw Client Hello: %s' %
+ (repr(e), raw_client_hello.encode("hex")))
+
+ def __repr__(self):
+ return "TlsClientHello( sni: %s alpn_protocols: %s, cipher_suites: %s)" % \
+ (self.client_sni, self.client_alpn_protocols, self.client_cipher_suites)
+
+
+
 class TlsLayer(Layer):
+
 def __init__(self, ctx, client_tls, server_tls):
 self.client_sni = None
 self.client_alpn_protocols = None
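Review bot: In `get_client_hello`, `struct.unpack("!I", '\x00' + client_hello[1:4])` runs after every record, so a first record whose body is shorter than 4 bytes (a zero-length fragment passes the `len(record_body) != record_size - 5` check) hands `unpack` fewer than 4 bytes and raises `struct.error`, which neither `from_client_conn` (catches `ProtocolException`) nor `_parse_client_hello` (catches `TlsProtocolException`) handles. The handshake type byte is also never checked, so any handshake message is accepted as a ClientHello; after `client_hello += record_body` add `if len(client_hello) < 4 or client_hello[0] != "\x01":` / `raise TlsProtocolException("Expected ClientHello handshake, got %r" % client_hello[:4])`. The 24-bit length taken from the client then sizes the next `peek` unbounded; if `rfile.peek` buffers whatever it is asked for, a sane upper bound on `client_hello_size` before that peek would keep a misbehaving client from forcing a multi-megabyte buffer per connection. Separately, `client_sni` now returns `None` for an SNI extension with several names or a non-hostname type where the removed code logged an error, and the `from_client_conn` docstring still says "to obtain ALPN values" although it returns the whole parsed hello.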
@@ -281,60 +359,17 @@ class TlsLayer(Layer):
 else:
 return "TlsLayer(inactive)"
- def _get_client_hello(self):
- """
- Peek into the socket and read all records that contain the initial client hello message.
-
- Returns:
- The raw handshake packet bytes, without TLS record header(s).
- """
- client_hello = ""
- client_hello_size = 1
- offset = 0
- while len(client_hello) < client_hello_size:
- record_header = self.client_conn.rfile.peek(offset + 5)[offset:]
- if not is_tls_record_magic(record_header) or len(record_header) != 5:
- raise TlsProtocolException('Expected TLS record, got "%s" instead.' % record_header)
- record_size = struct.unpack("!H", record_header[3:])[0] + 5
- record_body = self.client_conn.rfile.peek(offset + record_size)[offset + 5:]
- if len(record_body) != record_size - 5:
- raise TlsProtocolException("Unexpected EOF in TLS handshake: %s" % record_body)
- client_hello += record_body
- offset += record_size
- client_hello_size = struct.unpack("!I", '\x00' + client_hello[1:4])[0] + 4
- return client_hello
-
 def _parse_client_hello(self):
 """
 Peek into the connection, read the initial client hello and parse it to obtain ALPN values.
 """
 try:
- raw_client_hello = self._get_client_hello()[4:] # exclude handshake header.
- except ProtocolException as e:
+ parsed = TlsClientHello.from_client_conn(self.client_conn)
+ self.client_sni = parsed.client_sni
+ self.client_alpn_protocols = parsed.client_alpn_protocols
+ self.client_ciphers = parsed.client_cipher_suites
+ except TlsProtocolException as e:
 self.log("Cannot parse Client Hello: %s" % repr(e), "error")
- return
-
- try:
- client_hello = ClientHello.parse(raw_client_hello)
- except ConstructError as e:
- self.log("Cannot parse Client Hello: %s" % repr(e), "error")
- self.log("Raw Client Hello: %s" % raw_client_hello.encode("hex"), "debug")
- return
-
- self.client_ciphers = client_hello.cipher_suites.cipher_suites
-
- for extension in client_hello.extensions:
- if extension.type == 0x00:
- if len(extension.server_names) != 1 or extension.server_names[0].type != 0:
- self.log("Unknown Server Name Indication: %s" % extension.server_names, "error")
- self.client_sni = extension.server_names[0].name
- elif extension.type == 0x10:
- self.client_alpn_protocols = list(extension.alpn_protocols)
-
- self.log(
- "Parsed Client Hello: sni=%s, alpn=%s" % (self.client_sni, self.client_alpn_protocols),
- "debug"
- )
 def connect(self):
 if not self.server_conn:
@@ -435,7 +470,7 @@ class TlsLayer(Layer):
 alpn = [x for x in self.client_alpn_protocols if not deprecated_http2_variant(x)]
 else:
 alpn = None
- if alpn and "h2" in alpn and not self.config.http2 :
+ if alpn and "h2" in alpn and not self.config.http2:
 alpn.remove("h2")
 ciphers_server = self.config.ciphers_server |
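Review bot: `_parse_client_hello` no longer records what it parsed: the removed `self.log("Parsed Client Hello: sni=%s, alpn=%s" ...)` debug line has no replacement, so a successful parse leaves nothing in the log while failures still do. Since `TlsClientHello.__repr__` now renders sni, alpn and cipher suites, add `self.log("Parsed Client Hello: %s" % parsed, "debug")` after `self.client_ciphers = parsed.client_cipher_suites`. The narrower `except TlsProtocolException` is fine as long as `from_client_conn` keeps converting every read or parse failure to that type; anything else it lets through (a `struct.error` raised inside `get_client_hello`, for instance) now aborts the layer instead of being logged, which may be intended but deserves a one-line comment on the `except`. The enclosing `_parse_client_hello` and the `TlsLayer` class start before and continue after this hunk.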