Diffstat (limited to 'libmproxy/protocol')
-rw-r--r-- | libmproxy/protocol/base.py | 15 | ||||
-rw-r--r-- | libmproxy/protocol/http.py | 71 | ||||
-rw-r--r-- | libmproxy/protocol/rawtcp.py | 16 | ||||
-rw-r--r-- | libmproxy/protocol/tls.py | 56 |
4 files changed, 113 insertions, 45 deletions
diff --git a/libmproxy/protocol/base.py b/libmproxy/protocol/base.py index 9d8c8bfe..b92aeea1 100644 --- a/libmproxy/protocol/base.py +++ b/libmproxy/protocol/base.py @@ -1,4 +1,8 @@ from __future__ import (absolute_import, print_function, division) +import sys + +import six + from netlib import tcp from ..models import ServerConnection from ..exceptions import ProtocolException @@ -172,8 +176,15 @@ class ServerConnectionMixin(object): try: self.server_conn.connect() except tcp.NetLibError as e: - raise ProtocolException( - "Server connection to %s failed: %s" % (repr(self.server_conn.address), e), e) + six.reraise( + ProtocolException, + ProtocolException( + "Server connection to {} failed: {}".format( + repr(self.server_conn.address), str(e) + ) + ), + sys.exc_info()[2] + ) class Kill(Exception): diff --git a/libmproxy/protocol/http.py b/libmproxy/protocol/http.py index 93972111..230f2be9 100644 --- a/libmproxy/protocol/http.py +++ b/libmproxy/protocol/http.py @@ -1,4 +1,9 @@ from __future__ import (absolute_import, print_function, division) +import itertools +import sys +import traceback + +import six from netlib import tcp from netlib.http import http1, HttpErrorConnClosed, HttpError, Headers @@ -7,7 +12,6 @@ from netlib.tcp import NetLibError, Address from netlib.http.http1 import HTTP1Protocol from netlib.http.http2 import HTTP2Protocol from netlib.http.http2.frame import GoAwayFrame, PriorityFrame, WindowUpdateFrame - from .. import utils from ..exceptions import InvalidCredentials, HttpException, ProtocolException from ..models import ( 
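Review bot: The `six.reraise(ProtocolException, ProtocolException(...), sys.exc_info()[2])` pattern introduced in ServerConnectionMixin here is repeated almost verbatim in http.py (`Error in HTTP connection`), rawtcp.py (`TCP connection closed unexpectedly`) and twice in tls.py (`Cannot establish TLS with {address}`); a small helper in base.py that takes the exception class and message and performs the reraise would remove four copies and keep the traceback handling in one place. The new code also drops the second constructor argument that the removed line passed (`ProtocolException(msg, e)` became `ProtocolException(msg)`), so if ProtocolException still stores or exposes that cause object, callers reading it now get nothing; a one-line comment such as `# original traceback is preserved via six.reraise; the cause is folded into the message` would make the intent explicit. The enclosing method starts outside this hunk.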
@@ -45,12 +49,25 @@ class _StreamingHttpLayer(_HttpLayer): raise NotImplementedError() yield "this is a generator" # pragma: no cover + def read_response(self, request_method): + response = self.read_response_headers() + response.body = "".join( + self.read_response_body(response.headers, request_method, response.code) + ) + return response + def send_response_headers(self, response): raise NotImplementedError def send_response_body(self, response, chunks): raise NotImplementedError() + def send_response(self, response): + if response.body == CONTENT_MISSING: + raise HttpError(502, "Cannot assemble flow with CONTENT_MISSING") + self.send_response_headers(response) + self.send_response_body(response, [response.body]) + class Http1Layer(_StreamingHttpLayer): def __init__(self, ctx, mode): @@ -68,17 +85,6 @@ class Http1Layer(_StreamingHttpLayer): def send_request(self, request): self.server_conn.send(self.server_protocol.assemble(request)) - def read_response(self, request_method): - return HTTPResponse.from_protocol( - self.server_protocol, - request_method=request_method, - body_size_limit=self.config.body_size_limit, - include_body=True - ) - - def send_response(self, response): - self.client_conn.send(self.client_protocol.assemble(response)) - def read_response_headers(self): return HTTPResponse.from_protocol( self.server_protocol, 
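Review bot: The generic `read_response` added to _StreamingHttpLayer replaces the removed `Http1Layer.read_response`, which passed `body_size_limit=self.config.body_size_limit` explicitly; in the new path a body size limit is enforced only if `read_response_body` applies it internally, which is not visible in this hunk, so it is worth confirming that the limit still applies to non-streamed responses. Since `"".join(...)` materialises the whole body in memory, the method's contract should say so, e.g. a docstring `"""Read headers and full body from the server; the body is buffered in memory, subject to whatever limit read_response_body enforces."""`. The added `send_response` guard for `CONTENT_MISSING` is a good addition, but the resulting `HttpError(502, ...)` deserves a comment explaining that the flow cannot be replayed to the client without its body.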
@@ -104,16 +110,21 @@ class Http1Layer(_StreamingHttpLayer): response, preserve_transfer_encoding=True ) - self.client_conn.send(h + "\r\n") + self.client_conn.wfile.write(h + "\r\n") + self.client_conn.wfile.flush() def send_response_body(self, response, chunks): if self.client_protocol.has_chunked_encoding(response.headers): - chunks = ( - "%d\r\n%s\r\n" % (len(chunk), chunk) - for chunk in chunks + chunks = itertools.chain( + ( + "{:x}\r\n{}\r\n".format(len(chunk), chunk) + for chunk in chunks if chunk + ), + ("0\r\n\r\n",) ) for chunk in chunks: - self.client_conn.send(chunk) + self.client_conn.wfile.write(chunk) + self.client_conn.wfile.flush() def check_close_connection(self, flow): close_connection = ( @@ -360,7 +371,13 @@ class HttpLayer(Layer): if self.check_close_connection(flow): return - # TODO: Implement HTTP Upgrade + # Handle 101 Switching Protocols + # It may be useful to pass additional args (such as the upgrade header) + # to next_layer in the future + if flow.response.status_code == 101: + layer = self.ctx.next_layer(self) + layer() + return # Upstream Proxy Mode: Handle CONNECT if flow.request.form_in == "authority" and flow.response.code == 200: @@ -368,9 +385,13 @@ class HttpLayer(Layer): return except (HttpErrorConnClosed, NetLibError, HttpError, ProtocolException) as e: + error_propagated = False if flow.request and not flow.response: - flow.error = Error(repr(e)) + flow.error = Error(str(e)) self.channel.ask("error", flow) + self.log(traceback.format_exc(), "debug") + error_propagated = True + try: self.send_response(make_error_response( getattr(e, "code", 502), 
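Review bot: The change from `%d` to `{:x}` for the chunk-size line and the appended `"0\r\n\r\n"` terminator in `send_response_body` are protocol-correctness fixes with no comment explaining them, and the `if chunk` filter looks arbitrary without one. A comment above the `itertools.chain` call such as `# chunk-size is hexadecimal and a zero-length chunk terminates the body, so empty chunks are skipped and the terminator is appended once` would stop a future reader from "simplifying" it back. The per-chunk `wfile.flush()` is appropriate for streaming but is worth noting as intentional, since a buffered write would otherwise delay partial responses.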
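Review bot: The new 101 handling in HttpLayer hands the connection to `self.ctx.next_layer(self)` based solely on the server's status code, without checking that the client's request actually carried an `Upgrade` header or what protocol the server's `Upgrade` response header names, so any upstream 101 flips the connection into the next layer. The adjacent lines also read the status inconsistently: `flow.response.status_code == 101` here and `flow.response.code == 200` two lines below; if both attributes exist they should be used consistently, otherwise one of the comparisons is wrong. At minimum the existing comment should record the missing validation, e.g. `# TODO: verify the request asked for an upgrade and check the Upgrade header before switching`.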
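Review bot: Once `error_propagated` is set, the exception is no longer re-raised (the `if not error_propagated` guard is in the next hunk), so a `NetLibError` or `HttpErrorConnClosed` from a dead server connection now returns normally from the handler after the error response is sent. If the enclosing loop (outside this hunk) keeps serving requests on the same client connection, the next request would fail again on the same broken server connection rather than the layer terminating cleanly; consider limiting the non-raising path to `HttpError` and still re-raising connection-level errors, or add a comment stating that continuing is intended. The `self.log(traceback.format_exc(), "debug")` is useful, but a short comment like `# error was reported to the flow and the client, so do not kill the connection` would document why the raise is skipped.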
@@ -378,10 +399,12 @@ class HttpLayer(Layer): )) except NetLibError: pass - if isinstance(e, ProtocolException): - raise e - else: - raise ProtocolException("Error in HTTP connection: %s" % repr(e), e) + + if not error_propagated: + if isinstance(e, ProtocolException): + six.reraise(ProtocolException, e, sys.exc_info()[2]) + else: + six.reraise(ProtocolException, ProtocolException("Error in HTTP connection: %s" % repr(e)), sys.exc_info()[2]) finally: flow.live = False @@ -511,7 +534,7 @@ class HttpLayer(Layer): if self.mode == "regular" or self.mode == "transparent": # If there's an existing connection that doesn't match our expectations, kill it. - if address != self.server_conn.address or tls != self.server_conn.ssl_established: + if address != self.server_conn.address or tls != self.server_conn.tls_established: self.set_server(address, tls, address.host) # Establish connection is neccessary. if not self.server_conn: diff --git a/libmproxy/protocol/rawtcp.py b/libmproxy/protocol/rawtcp.py index 86468773..24c19523 100644 --- a/libmproxy/protocol/rawtcp.py +++ b/libmproxy/protocol/rawtcp.py @@ -1,11 +1,13 @@ from __future__ import (absolute_import, print_function, division) import socket import select +import six +import sys from OpenSSL import SSL -from netlib.tcp import NetLibError -from netlib.utils import cleanBin +from netlib.tcp import NetLibError, ssl_read_select +from netlib.utils import clean_bin from ..exceptions import ProtocolException from .base import Layer @@ -28,7 +30,7 @@ class RawTCPLayer(Layer): try: while True: - r, _, _ = select.select(conns, [], [], 10) + r = ssl_read_select(conns, 10) for conn in r: dst = server if conn == client else client 
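Review bot: Under Python 2 (which this code still targets, given the `six` and `__future__` imports), `sys.exc_info()` evaluated after the nested `try: ... except NetLibError: pass` refers to the swallowed NetLibError whenever `send_response` failed, not to `e`, so both `six.reraise(...)` calls in this hunk can attach the wrong traceback. Capture it once at the top of the outer except block in the preceding hunk, `exc_info = sys.exc_info()`, and pass `exc_info[2]` here. The same problem is more serious in tls.py at `@@ -387,7 +391,7 @@`, where `six.reraise(*sys.exc_info())` after a bare `except: pass` re-raises the inner exception entirely instead of `e`; the fix is the same capture before the inner `try`. The second reraise line here is also well over the file's line length and mixes `%` formatting with the `.format()` used elsewhere in this commit.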
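Review bot: Replacing `select.select(conns, [], [], 10)` with `ssl_read_select(conns, 10)` in RawTCPLayer is presumably needed because plain `select()` cannot see TLS records already decrypted and buffered by the SSL layer, but the hunk leaves no trace of that reasoning. A one-line comment such as `# ssl_read_select also reports data already buffered in the TLS layer, which select() alone would miss` would keep the next maintainer from reverting to `select.select`. The surrounding `try` starts outside this hunk.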
@@ -56,11 +58,15 @@ class RawTCPLayer(Layer): direction = "-> tcp -> {}".format(repr(self.server_conn.address)) else: direction = "<- tcp <- {}".format(repr(self.server_conn.address)) - data = cleanBin(buf[:size].tobytes()) + data = clean_bin(buf[:size].tobytes()) self.log( "{}\r\n{}".format(direction, data), "info" ) except (socket.error, NetLibError, SSL.Error) as e: - raise ProtocolException("TCP connection closed unexpectedly: {}".format(repr(e)), e) + six.reraise( + ProtocolException, + ProtocolException("TCP connection closed unexpectedly: {}".format(repr(e))), + sys.exc_info()[2] + ) diff --git a/libmproxy/protocol/tls.py b/libmproxy/protocol/tls.py index 6e8535ae..2935ca9f 100644 --- a/libmproxy/protocol/tls.py +++ b/libmproxy/protocol/tls.py @@ -1,16 +1,19 @@ from __future__ import (absolute_import, print_function, division) import struct +import sys from construct import ConstructError +import six from netlib.tcp import NetLibError, NetLibInvalidCertificateError from netlib.http.http1 import HTTP1Protocol from ..contrib.tls._constructs import ClientHello -from ..exceptions import ProtocolException, TlsException +from ..exceptions import ProtocolException, TlsException, ClientHandshakeException from .base import Layer + # taken from https://testssl.sh/openssl-rfc.mappping.html CIPHER_ID_NAME_MAP = { 0x00: 'NULL-MD5', @@ -224,6 +227,7 @@ class TlsLayer(Layer): def __init__(self, ctx, client_tls, server_tls): self.client_sni = None self.client_alpn_protocols = None + self.client_ciphers = [] super(TlsLayer, self).__init__(ctx) self._client_tls = client_tls @@ -387,7 +391,7 @@ class TlsLayer(Layer): self._establish_tls_with_client() except: pass - raise e + six.reraise(*sys.exc_info()) self._establish_tls_with_client() 
@@ -405,8 +409,22 @@ class TlsLayer(Layer): chain_file=chain_file, alpn_select_callback=self.__alpn_select_callback, ) + # Some TLS clients will not fail the handshake, + # but will immediately throw an "unexpected eof" error on the first read. + # The reason for this might be difficult to find, so we try to peek here to see if it + # raises ann error. + self.client_conn.rfile.peek(1) except NetLibError as e: - raise TlsException("Cannot establish TLS with client: %s" % repr(e), e) + six.reraise( + ClientHandshakeException, + ClientHandshakeException( + "Cannot establish TLS with client (sni: {sni}): {e}".format( + sni=self.client_sni, e=repr(e) + ), + self.client_sni or repr(self.server_conn.address) + ), + sys.exc_info()[2] + ) def _establish_tls_with_server(self): self.log("Establish TLS with server", "debug") @@ -416,9 +434,11 @@ class TlsLayer(Layer): # and mitmproxy would enter TCP passthrough mode, which we want to avoid. deprecated_http2_variant = lambda x: x.startswith("h2-") or x.startswith("spdy") if self.client_alpn_protocols: - alpn = filter(lambda x: not deprecated_http2_variant(x), self.client_alpn_protocols) + alpn = [x for x in self.client_alpn_protocols if not deprecated_http2_variant(x)] else: alpn = None + if alpn and "h2" in alpn and not self.config.http2 : + alpn.remove("h2") ciphers_server = self.config.ciphers_server if not ciphers_server: 
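Review bot: The added `self.client_conn.rfile.peek(1)` presumably blocks until the client sends its first byte, so for a client that waits for the server to speak first the connection would stall until the read timeout instead of surfacing a handshake problem; if that trade-off is deliberate the comment should say so, and if not the peek should be guarded by a short timeout. The comment above it also has a typo (`raises ann error`). The second argument to `ClientHandshakeException`, `self.client_sni or repr(self.server_conn.address)`, has no visible meaning here; a comment naming what the exception uses it for (e.g. the key under which the failure is recorded) would help.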
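Review bot: The new line `if alpn and "h2" in alpn and not self.config.http2 :` has a stray space before the colon; it should read `if alpn and "h2" in alpn and not self.config.http2:`. The switch from `filter(...)` to a list comprehension is required because `alpn.remove("h2")` needs a real list (under Python 3 `filter` returns an iterator), which is worth recording with `# must be a list: it is mutated below`. The enclosing method continues outside this hunk.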
@@ -453,17 +473,25 @@ class TlsLayer(Layer): (tls_cert_err['depth'], tls_cert_err['errno']), "error") self.log("Aborting connection attempt", "error") - raise TlsException("Cannot establish TLS with {address} (sni: {sni}): {e}".format( - address=repr(self.server_conn.address), - sni=self.sni_for_server_connection, - e=repr(e), - ), e) + six.reraise( + TlsException, + TlsException("Cannot establish TLS with {address} (sni: {sni}): {e}".format( + address=repr(self.server_conn.address), + sni=self.sni_for_server_connection, + e=repr(e), + )), + sys.exc_info()[2] + ) except NetLibError as e: - raise TlsException("Cannot establish TLS with {address} (sni: {sni}): {e}".format( - address=repr(self.server_conn.address), - sni=self.sni_for_server_connection, - e=repr(e), - ), e) + six.reraise( + TlsException, + TlsException("Cannot establish TLS with {address} (sni: {sni}): {e}".format( + address=repr(self.server_conn.address), + sni=self.sni_for_server_connection, + e=repr(e), + )), + sys.exc_info()[2] + ) self.log("ALPN selected by server: %s" % self.alpn_for_client_connection, "debug") |
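Review bot: The two `except` branches in `_establish_tls_with_server` now build byte-identical `TlsException` instances and reraise them the same way, so the message construction is duplicated across roughly twenty lines. Building the message once, e.g. `msg = "Cannot establish TLS with {address} (sni: {sni}): {e}".format(...)`, then calling `six.reraise(TlsException, TlsException(msg), sys.exc_info()[2])` in each branch, would halve the hunk; the first branch's `except` header is outside this hunk, so the certificate-specific logging it performs would stay where it is.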