aboutsummaryrefslogtreecommitdiffstats
path: root/libmproxy/protocol
diff options
context:
space:
mode:
Diffstat (limited to 'libmproxy/protocol')
-rw-r--r--libmproxy/protocol/__init__.py31
-rw-r--r--libmproxy/protocol/base.py184
-rw-r--r--libmproxy/protocol/http.py229
-rw-r--r--libmproxy/protocol/http_replay.py5
-rw-r--r--libmproxy/protocol/rawtcp.py12
-rw-r--r--libmproxy/protocol/tls.py280
6 files changed, 526 insertions, 215 deletions
diff --git a/libmproxy/protocol/__init__.py b/libmproxy/protocol/__init__.py
index c582592b..35d59f28 100644
--- a/libmproxy/protocol/__init__.py
+++ b/libmproxy/protocol/__init__.py
@@ -1,11 +1,38 @@
+"""
+In mitmproxy, protocols are implemented as a set of layers, which are composed on top each other.
+The first layer is usually the proxy mode, e.g. transparent proxy or normal HTTP proxy. Next,
+various protocol layers are stacked on top of each other - imagine WebSockets on top of an HTTP
+Upgrade request. An actual mitmproxy connection may look as follows (outermost layer first):
+
+ Transparent HTTP proxy, no TLS:
+ - TransparentProxy
+ - Http1Layer
+ - HttpLayer
+
+ Regular proxy, CONNECT request with WebSockets over SSL:
+ - ReverseProxy
+ - Http1Layer
+ - HttpLayer
+ - TLSLayer
+ - WebsocketLayer (or TCPLayer)
+
+Every layer acts as a read-only context for its inner layers (see :py:class:`Layer`). To communicate
+with an outer layer, a layer can use functions provided in the context. The next layer is always
+determined by a call to :py:meth:`.next_layer() <libmproxy.proxy.RootContext.next_layer>`,
+which is provided by the root context.
+
+Another subtle design goal of this architecture is that upstream connections should be established
+as late as possible; this makes server replay without any outgoing connections possible.
+"""
+
from __future__ import (absolute_import, print_function, division)
-from .base import Layer, ServerConnectionMixin, Log, Kill
+from .base import Layer, ServerConnectionMixin, Kill
from .http import Http1Layer, Http2Layer
from .tls import TlsLayer, is_tls_record_magic
from .rawtcp import RawTCPLayer
__all__ = [
- "Layer", "ServerConnectionMixin", "Log", "Kill",
+ "Layer", "ServerConnectionMixin", "Kill",
"Http1Layer", "Http2Layer",
"TlsLayer", "is_tls_record_magic",
"RawTCPLayer"
diff --git a/libmproxy/protocol/base.py b/libmproxy/protocol/base.py
index 40ec0536..b92aeea1 100644
--- a/libmproxy/protocol/base.py
+++ b/libmproxy/protocol/base.py
@@ -1,38 +1,8 @@
-"""
-mitmproxy protocol architecture
-
-In mitmproxy, protocols are implemented as a set of layers, which are composed on top each other.
-For example, the following scenarios depict possible settings (lowest layer first):
-
-Transparent HTTP proxy, no SSL:
- TransparentProxy
- Http1Layer
- HttpLayer
-
-Regular proxy, CONNECT request with WebSockets over SSL:
- HttpProxy
- Http1Layer
- HttpLayer
- SslLayer
- WebsocketLayer (or TcpLayer)
-
-Automated protocol detection by peeking into the buffer:
- TransparentProxy
- TLSLayer
- Http2Layer
- HttpLayer
-
-Communication between layers is done as follows:
- - lower layers provide context information to higher layers
- - higher layers can call functions provided by lower layers,
- which are propagated until they reach a suitable layer.
-
-Further goals:
- - Connections should always be peekable to make automatic protocol detection work.
- - Upstream connections should be established as late as possible;
- inline scripts shall have a chance to handle everything locally.
-"""
from __future__ import (absolute_import, print_function, division)
+import sys
+
+import six
+
from netlib import tcp
from ..models import ServerConnection
from ..exceptions import ProtocolException
@@ -43,8 +13,8 @@ class _LayerCodeCompletion(object):
Dummy class that provides type hinting in PyCharm, which simplifies development a lot.
"""
- def __init__(self, *args, **kwargs): # pragma: nocover
- super(_LayerCodeCompletion, self).__init__(*args, **kwargs)
+ def __init__(self, **mixin_args): # pragma: nocover
+ super(_LayerCodeCompletion, self).__init__(**mixin_args)
if True:
return
self.config = None
@@ -55,43 +25,64 @@ class _LayerCodeCompletion(object):
"""@type: libmproxy.models.ServerConnection"""
self.channel = None
"""@type: libmproxy.controller.Channel"""
+ self.ctx = None
+ """@type: libmproxy.protocol.Layer"""
class Layer(_LayerCodeCompletion):
- def __init__(self, ctx, *args, **kwargs):
+ """
+ Base class for all layers. All other protocol layers should inherit from this class.
+ """
+
+ def __init__(self, ctx, **mixin_args):
"""
+ Each layer usually passes itself to its child layers as a context. Properties of the
+ context are transparently mapped to the layer, so that the following works:
+
+ .. code-block:: python
+
+ root_layer = Layer(None)
+ root_layer.client_conn = 42
+ sub_layer = Layer(root_layer)
+ print(sub_layer.client_conn) # 42
+
+ The root layer is passed a :py:class:`libmproxy.proxy.RootContext` object,
+ which provides access to :py:attr:`.client_conn <libmproxy.proxy.RootContext.client_conn>`,
+ :py:attr:`.next_layer <libmproxy.proxy.RootContext.next_layer>` and other basic attributes.
+
Args:
- ctx: The (read-only) higher layer.
+ ctx: The (read-only) parent layer / context.
"""
self.ctx = ctx
- """@type: libmproxy.protocol.Layer"""
- super(Layer, self).__init__(*args, **kwargs)
+ """
+ The parent layer.
- def __call__(self):
+ :type: :py:class:`Layer`
"""
- Logic of the layer.
+ super(Layer, self).__init__(**mixin_args)
+
+ def __call__(self):
+ """Logic of the layer.
+
+ Returns:
+ Once the protocol has finished without exceptions.
+
Raises:
- ProtocolException in case of protocol exceptions.
+ ~libmproxy.exceptions.ProtocolException: if an exception occurs. No other exceptions must be raised.
"""
raise NotImplementedError()
def __getattr__(self, name):
"""
- Attributes not present on the current layer may exist on a higher layer.
+ Attributes not present on the current layer are looked up on the context.
"""
return getattr(self.ctx, name)
- def log(self, msg, level, subs=()):
- full_msg = [
- "{}: {}".format(repr(self.client_conn.address), msg)
- ]
- for i in subs:
- full_msg.append(" -> " + i)
- full_msg = "\n".join(full_msg)
- self.channel.tell("log", Log(full_msg, level))
-
@property
def layers(self):
+ """
+ List of all layers, including the current layer (``[self, self.ctx, self.ctx.ctx, ...]``)
+ """
return [self] + self.ctx.layers
def __repr__(self):
@@ -101,20 +92,28 @@ class Layer(_LayerCodeCompletion):
class ServerConnectionMixin(object):
"""
Mixin that provides a layer with the capabilities to manage a server connection.
+ The server address can be passed in the constructor or set by calling :py:meth:`set_server`.
+ Subclasses are responsible for calling :py:meth:`disconnect` before returning.
+
+ Recommended Usage:
+
+ .. code-block:: python
+
+ class MyLayer(Layer, ServerConnectionMixin):
+ def __call__(self):
+ try:
+ # Do something.
+ finally:
+ if self.server_conn:
+ self.disconnect()
"""
def __init__(self, server_address=None):
super(ServerConnectionMixin, self).__init__()
self.server_conn = ServerConnection(server_address)
- self._check_self_connect()
-
- def reconnect(self):
- address = self.server_conn.address
- self._disconnect()
- self.server_conn.address = address
- self.connect()
+ self.__check_self_connect()
- def _check_self_connect(self):
+ def __check_self_connect(self):
"""
We try to protect the proxy from _accidentally_ connecting to itself,
e.g. because of a failed transparent lookup or an invalid configuration.
@@ -131,31 +130,45 @@ class ServerConnectionMixin(object):
"The proxy shall not connect to itself.".format(repr(address))
)
- def set_server(self, address, server_tls=None, sni=None, depth=1):
- if depth == 1:
- if self.server_conn:
- self._disconnect()
- self.log("Set new server address: " + repr(address), "debug")
- self.server_conn.address = address
- self._check_self_connect()
- if server_tls:
- raise ProtocolException(
- "Cannot upgrade to TLS, no TLS layer on the protocol stack."
- )
- else:
- self.ctx.set_server(address, server_tls, sni, depth - 1)
+ def set_server(self, address, server_tls=None, sni=None):
+ """
+ Sets a new server address. If there is an existing connection, it will be closed.
+
+ Raises:
+ ~libmproxy.exceptions.ProtocolException:
+ if ``server_tls`` is ``True``, but there was no TLS layer on the
+ protocol stack which could have processed this.
+ """
+ if self.server_conn:
+ self.disconnect()
+ self.log("Set new server address: " + repr(address), "debug")
+ self.server_conn.address = address
+ self.__check_self_connect()
+ if server_tls:
+ raise ProtocolException(
+ "Cannot upgrade to TLS, no TLS layer on the protocol stack."
+ )
- def _disconnect(self):
+ def disconnect(self):
"""
Deletes (and closes) an existing server connection.
+ Must not be called if there is no existing connection.
"""
self.log("serverdisconnect", "debug", [repr(self.server_conn.address)])
+ address = self.server_conn.address
self.server_conn.finish()
self.server_conn.close()
self.channel.tell("serverdisconnect", self.server_conn)
- self.server_conn = ServerConnection(None)
+ self.server_conn = ServerConnection(address)
def connect(self):
+ """
+ Establishes a server connection.
+ Must not be called if there is an existing connection.
+
+ Raises:
+ ~libmproxy.exceptions.ProtocolException: if the connection could not be established.
+ """
if not self.server_conn.address:
raise ProtocolException("Cannot connect to server, no server address given.")
self.log("serverconnect", "debug", [repr(self.server_conn.address)])
@@ -163,17 +176,18 @@ class ServerConnectionMixin(object):
try:
self.server_conn.connect()
except tcp.NetLibError as e:
- raise ProtocolException(
- "Server connection to %s failed: %s" % (repr(self.server_conn.address), e), e)
-
-
-class Log(object):
- def __init__(self, msg, level="info"):
- self.msg = msg
- self.level = level
+ six.reraise(
+ ProtocolException,
+ ProtocolException(
+ "Server connection to {} failed: {}".format(
+ repr(self.server_conn.address), str(e)
+ )
+ ),
+ sys.exc_info()[2]
+ )
class Kill(Exception):
"""
- Kill a connection.
+ Signal that both client and server connection(s) should be killed immediately.
"""
diff --git a/libmproxy/protocol/http.py b/libmproxy/protocol/http.py
index 7f57d17c..3a415320 100644
--- a/libmproxy/protocol/http.py
+++ b/libmproxy/protocol/http.py
@@ -1,14 +1,16 @@
from __future__ import (absolute_import, print_function, division)
+import itertools
+import sys
+
+import six
from netlib import tcp
-from netlib.http import http1, HttpErrorConnClosed, HttpError
+from netlib.http import http1, HttpErrorConnClosed, HttpError, Headers
from netlib.http.semantics import CONTENT_MISSING
-from netlib import odict
from netlib.tcp import NetLibError, Address
from netlib.http.http1 import HTTP1Protocol
from netlib.http.http2 import HTTP2Protocol
-from netlib.http.http2.frame import WindowUpdateFrame
-
+from netlib.http.http2.frame import GoAwayFrame, PriorityFrame, WindowUpdateFrame
from .. import utils
from ..exceptions import InvalidCredentials, HttpException, ProtocolException
from ..models import (
@@ -32,6 +34,9 @@ class _HttpLayer(Layer):
def send_response(self, response):
raise NotImplementedError()
+ def check_close_connection(self, flow):
+ raise NotImplementedError()
+
class _StreamingHttpLayer(_HttpLayer):
supports_streaming = True
@@ -43,12 +48,25 @@ class _StreamingHttpLayer(_HttpLayer):
raise NotImplementedError()
yield "this is a generator" # pragma: no cover
+ def read_response(self, request_method):
+ response = self.read_response_headers()
+ response.body = "".join(
+ self.read_response_body(response.headers, request_method, response.code)
+ )
+ return response
+
def send_response_headers(self, response):
raise NotImplementedError
def send_response_body(self, response, chunks):
raise NotImplementedError()
+ def send_response(self, response):
+ if response.body == CONTENT_MISSING:
+ raise HttpError(502, "Cannot assemble flow with CONTENT_MISSING")
+ self.send_response_headers(response)
+ self.send_response_body(response, [response.body])
+
class Http1Layer(_StreamingHttpLayer):
def __init__(self, ctx, mode):
@@ -66,17 +84,6 @@ class Http1Layer(_StreamingHttpLayer):
def send_request(self, request):
self.server_conn.send(self.server_protocol.assemble(request))
- def read_response(self, request_method):
- return HTTPResponse.from_protocol(
- self.server_protocol,
- request_method=request_method,
- body_size_limit=self.config.body_size_limit,
- include_body=True
- )
-
- def send_response(self, response):
- self.client_conn.send(self.client_protocol.assemble(response))
-
def read_response_headers(self):
return HTTPResponse.from_protocol(
self.server_protocol,
@@ -102,25 +109,49 @@ class Http1Layer(_StreamingHttpLayer):
response,
preserve_transfer_encoding=True
)
- self.client_conn.send(h + "\r\n")
+ self.client_conn.wfile.write(h + "\r\n")
+ self.client_conn.wfile.flush()
def send_response_body(self, response, chunks):
if self.client_protocol.has_chunked_encoding(response.headers):
- chunks = (
- "%d\r\n%s\r\n" % (len(chunk), chunk)
- for chunk in chunks
+ chunks = itertools.chain(
+ (
+ "{:x}\r\n{}\r\n".format(len(chunk), chunk)
+ for chunk in chunks if chunk
+ ),
+ ("0\r\n\r\n",)
)
for chunk in chunks:
- self.client_conn.send(chunk)
+ self.client_conn.wfile.write(chunk)
+ self.client_conn.wfile.flush()
+
+ def check_close_connection(self, flow):
+ close_connection = (
+ http1.HTTP1Protocol.connection_close(
+ flow.request.httpversion,
+ flow.request.headers
+ ) or http1.HTTP1Protocol.connection_close(
+ flow.response.httpversion,
+ flow.response.headers
+ ) or http1.HTTP1Protocol.expected_http_body_size(
+ flow.response.headers,
+ False,
+ flow.request.method,
+ flow.response.code) == -1
+ )
+ if flow.request.form_in == "authority" and flow.response.code == 200:
+ # Workaround for
+ # https://github.com/mitmproxy/mitmproxy/issues/313: Some
+ # proxies (e.g. Charles) send a CONNECT response with HTTP/1.0
+ # and no Content-Length header
+
+ return False
+ return close_connection
def connect(self):
self.ctx.connect()
self.server_protocol = HTTP1Protocol(self.server_conn)
- def reconnect(self):
- self.ctx.reconnect()
- self.server_protocol = HTTP1Protocol(self.server_conn)
-
def set_server(self, *args, **kwargs):
self.ctx.set_server(*args, **kwargs)
self.server_protocol = HTTP1Protocol(self.server_conn)
@@ -136,9 +167,9 @@ class Http2Layer(_HttpLayer):
super(Http2Layer, self).__init__(ctx)
self.mode = mode
self.client_protocol = HTTP2Protocol(self.client_conn, is_server=True,
- unhandled_frame_cb=self.handle_unexpected_frame)
+ unhandled_frame_cb=self.handle_unexpected_frame_from_client)
self.server_protocol = HTTP2Protocol(self.server_conn, is_server=False,
- unhandled_frame_cb=self.handle_unexpected_frame)
+ unhandled_frame_cb=self.handle_unexpected_frame_from_server)
def read_request(self):
request = HTTPRequest.from_protocol(
@@ -162,25 +193,24 @@ class Http2Layer(_HttpLayer):
)
def send_response(self, message):
- # TODO: implement flow control and WINDOW_UPDATE frames
+ # TODO: implement flow control to prevent client buffer filling up
+ # maintain a send buffer size, and read WindowUpdateFrames from client to increase the send buffer
self.client_conn.send(self.client_protocol.assemble(message))
+ def check_close_connection(self, flow):
+ # TODO: add a timer to disconnect after a 10 second timeout
+ return False
+
def connect(self):
self.ctx.connect()
self.server_protocol = HTTP2Protocol(self.server_conn, is_server=False,
- unhandled_frame_cb=self.handle_unexpected_frame)
- self.server_protocol.perform_connection_preface()
-
- def reconnect(self):
- self.ctx.reconnect()
- self.server_protocol = HTTP2Protocol(self.server_conn, is_server=False,
- unhandled_frame_cb=self.handle_unexpected_frame)
+ unhandled_frame_cb=self.handle_unexpected_frame_from_server)
self.server_protocol.perform_connection_preface()
def set_server(self, *args, **kwargs):
self.ctx.set_server(*args, **kwargs)
self.server_protocol = HTTP2Protocol(self.server_conn, is_server=False,
- unhandled_frame_cb=self.handle_unexpected_frame)
+ unhandled_frame_cb=self.handle_unexpected_frame_from_server)
self.server_protocol.perform_connection_preface()
def __call__(self):
@@ -188,7 +218,10 @@ class Http2Layer(_HttpLayer):
layer = HttpLayer(self, self.mode)
layer()
- def handle_unexpected_frame(self, frame):
+ # terminate the connection
+ self.client_conn.send(GoAwayFrame().to_bytes())
+
+ def handle_unexpected_frame_from_client(self, frame):
if isinstance(frame, WindowUpdateFrame):
# Clients are sending WindowUpdate frames depending on their flow control algorithm.
# Since we cannot predict these frames, and we do not need to respond to them,
@@ -196,7 +229,34 @@ class Http2Layer(_HttpLayer):
# Ideally we should keep track of our own flow control window and
# stall transmission if the outgoing flow control buffer is full.
return
- self.log("Unexpected HTTP2 Frame: %s" % frame.human_readable(), "info")
+ if isinstance(frame, PriorityFrame):
+ # Clients are sending Priority frames depending on their implementation.
+ # The RFC does not clearly state when or which priority preferences should be set.
+ # Since we cannot predict these frames, and we do not need to respond to them,
+ # simply accept them, and hide them from the log.
+ # Ideally we should forward them to the server.
+ return
+ if isinstance(frame, GoAwayFrame):
+ # Client wants to terminate the connection,
+ # relay it to the server.
+ self.server_conn.send(frame.to_bytes())
+ return
+ self.log("Unexpected HTTP2 frame from client: %s" % frame.human_readable(), "info")
+
+ def handle_unexpected_frame_from_server(self, frame):
+ if isinstance(frame, WindowUpdateFrame):
+ # Servers are sending WindowUpdate frames depending on their flow control algorithm.
+ # Since we cannot predict these frames, and we do not need to respond to them,
+ # simply accept them, and hide them from the log.
+ # Ideally we should keep track of our own flow control window and
+ # stall transmission if the outgoing flow control buffer is full.
+ return
+ if isinstance(frame, GoAwayFrame):
+ # Server wants to terminate the connection,
+ # relay it to the client.
+ self.client_conn.send(frame.to_bytes())
+ return
+ self.log("Unexpected HTTP2 frame from server: %s" % frame.human_readable(), "info")
class ConnectServerConnection(object):
@@ -245,20 +305,22 @@ class UpstreamConnectLayer(Layer):
else:
pass # swallow the message
- def reconnect(self):
- self.ctx.reconnect()
- self._send_connect_request()
-
- def set_server(self, address, server_tls=None, sni=None, depth=1):
- if depth == 1:
- if self.ctx.server_conn:
- self.ctx.reconnect()
- address = Address.wrap(address)
- self.connect_request.host = address.host
- self.connect_request.port = address.port
- self.server_conn.address = address
- else:
- self.ctx.set_server(address, server_tls, sni, depth - 1)
+ def change_upstream_proxy_server(self, address):
+ if address != self.server_conn.via.address:
+ self.ctx.set_server(address)
+
+ def set_server(self, address, server_tls=None, sni=None):
+ if self.ctx.server_conn:
+ self.ctx.disconnect()
+ address = Address.wrap(address)
+ self.connect_request.host = address.host
+ self.connect_request.port = address.port
+ self.server_conn.address = address
+
+ if server_tls:
+ raise ProtocolException(
+ "Cannot upgrade to TLS, no TLS layer on the protocol stack."
+ )
class HttpLayer(Layer):
@@ -308,7 +370,13 @@ class HttpLayer(Layer):
if self.check_close_connection(flow):
return
- # TODO: Implement HTTP Upgrade
+ # Handle 101 Switching Protocols
+ # It may be useful to pass additional args (such as the upgrade header)
+ # to next_layer in the future
+ if flow.response.status_code == 101:
+ layer = self.ctx.next_layer(self)
+ layer()
+ return
# Upstream Proxy Mode: Handle CONNECT
if flow.request.form_in == "authority" and flow.response.code == 200:
@@ -327,12 +395,18 @@ class HttpLayer(Layer):
except NetLibError:
pass
if isinstance(e, ProtocolException):
- raise e
+ six.reraise(ProtocolException, e, sys.exc_info()[2])
else:
- raise ProtocolException("Error in HTTP connection: %s" % repr(e), e)
+ six.reraise(ProtocolException, ProtocolException("Error in HTTP connection: %s" % repr(e)), sys.exc_info()[2])
finally:
flow.live = False
+ def change_upstream_proxy_server(self, address):
+ # Make set_upstream_proxy_server always available,
+ # even if there's no UpstreamConnectLayer
+ if address != self.server_conn.address:
+ return self.set_server(address)
+
def handle_regular_mode_connect(self, request):
self.set_server((request.host, request.port))
self.send_response(make_connect_response(request.httpversion))
@@ -343,36 +417,6 @@ class HttpLayer(Layer):
layer = UpstreamConnectLayer(self, connect_request)
layer()
- def check_close_connection(self, flow):
- """
- Checks if the connection should be closed depending on the HTTP
- semantics. Returns True, if so.
- """
-
- # TODO: add logic for HTTP/2
-
- close_connection = (
- http1.HTTP1Protocol.connection_close(
- flow.request.httpversion,
- flow.request.headers
- ) or http1.HTTP1Protocol.connection_close(
- flow.response.httpversion,
- flow.response.headers
- ) or http1.HTTP1Protocol.expected_http_body_size(
- flow.response.headers,
- False,
- flow.request.method,
- flow.response.code) == -1
- )
- if flow.request.form_in == "authority" and flow.response.code == 200:
- # Workaround for
- # https://github.com/mitmproxy/mitmproxy/issues/313: Some
- # proxies (e.g. Charles) send a CONNECT response with HTTP/1.0
- # and no Content-Length header
-
- return False
- return close_connection
-
def send_response_to_client(self, flow):
if not (self.supports_streaming and flow.response.stream):
# no streaming:
@@ -420,7 +464,8 @@ class HttpLayer(Layer):
# > server detects timeout, disconnects
# > read (100-n)% of large request
# > send large request upstream
- self.reconnect()
+ self.disconnect()
+ self.connect()
get_response()
# call the appropriate script hook - this is an opportunity for an
@@ -482,7 +527,7 @@ class HttpLayer(Layer):
if self.mode == "regular" or self.mode == "transparent":
# If there's an existing connection that doesn't match our expectations, kill it.
- if address != self.server_conn.address or tls != self.server_conn.ssl_established:
+ if address != self.server_conn.address or tls != self.server_conn.tls_established:
self.set_server(address, tls, address.host)
# Establish connection is neccessary.
if not self.server_conn:
@@ -495,10 +540,12 @@ class HttpLayer(Layer):
"""
# This is a very ugly (untested) workaround to solve a very ugly problem.
if self.server_conn and self.server_conn.tls_established and not ssl:
- self.reconnect()
+ self.disconnect()
+ self.connect()
elif ssl and not hasattr(self, "connected_to") or self.connected_to != address:
if self.server_conn.tls_established:
- self.reconnect()
+ self.disconnect()
+ self.connect()
self.send_request(make_connect_request(address))
tls_layer = TlsLayer(self, False, True)
@@ -536,10 +583,6 @@ class HttpLayer(Layer):
self.send_response(make_error_response(
407,
"Proxy Authentication Required",
- odict.ODictCaseless(
- [
- [k, v] for k, v in
- self.config.authenticator.auth_challenge_headers().items()
- ])
+ Headers(**self.config.authenticator.auth_challenge_headers())
))
raise InvalidCredentials("Proxy Authentication Required")
diff --git a/libmproxy/protocol/http_replay.py b/libmproxy/protocol/http_replay.py
index 2759a019..a9ee5506 100644
--- a/libmproxy/protocol/http_replay.py
+++ b/libmproxy/protocol/http_replay.py
@@ -6,7 +6,7 @@ from netlib.http.http1 import HTTP1Protocol
from netlib.tcp import NetLibError
from ..controller import Channel
from ..models import Error, HTTPResponse, ServerConnection, make_connect_request
-from .base import Log, Kill
+from .base import Kill
# TODO: Doesn't really belong into libmproxy.protocol...
@@ -89,8 +89,9 @@ class RequestReplayThread(threading.Thread):
if self.channel:
self.channel.ask("error", self.flow)
except Kill:
- # KillSignal should only be raised if there's a channel in the
+ # Kill should only be raised if there's a channel in the
# first place.
+ from ..proxy.root_context import Log
self.channel.tell("log", Log("Connection killed", "info"))
finally:
r.form_out = form_out_backup
diff --git a/libmproxy/protocol/rawtcp.py b/libmproxy/protocol/rawtcp.py
index 86468773..9b155412 100644
--- a/libmproxy/protocol/rawtcp.py
+++ b/libmproxy/protocol/rawtcp.py
@@ -1,10 +1,12 @@
from __future__ import (absolute_import, print_function, division)
import socket
import select
+import six
+import sys
from OpenSSL import SSL
-from netlib.tcp import NetLibError
+from netlib.tcp import NetLibError, ssl_read_select
from netlib.utils import cleanBin
from ..exceptions import ProtocolException
from .base import Layer
@@ -28,7 +30,7 @@ class RawTCPLayer(Layer):
try:
while True:
- r, _, _ = select.select(conns, [], [], 10)
+ r = ssl_read_select(conns, 10)
for conn in r:
dst = server if conn == client else client
@@ -63,4 +65,8 @@ class RawTCPLayer(Layer):
)
except (socket.error, NetLibError, SSL.Error) as e:
- raise ProtocolException("TCP connection closed unexpectedly: {}".format(repr(e)), e)
+ six.reraise(
+ ProtocolException,
+ ProtocolException("TCP connection closed unexpectedly: {}".format(repr(e))),
+ sys.exc_info()[2]
+ )
diff --git a/libmproxy/protocol/tls.py b/libmproxy/protocol/tls.py
index a8dc8bb2..4f7c9300 100644
--- a/libmproxy/protocol/tls.py
+++ b/libmproxy/protocol/tls.py
@@ -1,16 +1,210 @@
from __future__ import (absolute_import, print_function, division)
import struct
+import sys
from construct import ConstructError
+import six
from netlib.tcp import NetLibError, NetLibInvalidCertificateError
from netlib.http.http1 import HTTP1Protocol
from ..contrib.tls._constructs import ClientHello
-from ..exceptions import ProtocolException
+from ..exceptions import ProtocolException, TlsException, ClientHandshakeException
from .base import Layer
+
+# taken from https://testssl.sh/openssl-rfc.mappping.html
+CIPHER_ID_NAME_MAP = {
+ 0x00: 'NULL-MD5',
+ 0x01: 'NULL-MD5',
+ 0x02: 'NULL-SHA',
+ 0x03: 'EXP-RC4-MD5',
+ 0x04: 'RC4-MD5',
+ 0x05: 'RC4-SHA',
+ 0x06: 'EXP-RC2-CBC-MD5',
+ 0x07: 'IDEA-CBC-SHA',
+ 0x08: 'EXP-DES-CBC-SHA',
+ 0x09: 'DES-CBC-SHA',
+ 0x0a: 'DES-CBC3-SHA',
+ 0x0b: 'EXP-DH-DSS-DES-CBC-SHA',
+ 0x0c: 'DH-DSS-DES-CBC-SHA',
+ 0x0d: 'DH-DSS-DES-CBC3-SHA',
+ 0x0e: 'EXP-DH-RSA-DES-CBC-SHA',
+ 0x0f: 'DH-RSA-DES-CBC-SHA',
+ 0x10: 'DH-RSA-DES-CBC3-SHA',
+ 0x11: 'EXP-EDH-DSS-DES-CBC-SHA',
+ 0x12: 'EDH-DSS-DES-CBC-SHA',
+ 0x13: 'EDH-DSS-DES-CBC3-SHA',
+ 0x14: 'EXP-EDH-RSA-DES-CBC-SHA',
+ 0x15: 'EDH-RSA-DES-CBC-SHA',
+ 0x16: 'EDH-RSA-DES-CBC3-SHA',
+ 0x17: 'EXP-ADH-RC4-MD5',
+ 0x18: 'ADH-RC4-MD5',
+ 0x19: 'EXP-ADH-DES-CBC-SHA',
+ 0x1a: 'ADH-DES-CBC-SHA',
+ 0x1b: 'ADH-DES-CBC3-SHA',
+ # 0x1c: ,
+ # 0x1d: ,
+ 0x1e: 'KRB5-DES-CBC-SHA',
+ 0x1f: 'KRB5-DES-CBC3-SHA',
+ 0x20: 'KRB5-RC4-SHA',
+ 0x21: 'KRB5-IDEA-CBC-SHA',
+ 0x22: 'KRB5-DES-CBC-MD5',
+ 0x23: 'KRB5-DES-CBC3-MD5',
+ 0x24: 'KRB5-RC4-MD5',
+ 0x25: 'KRB5-IDEA-CBC-MD5',
+ 0x26: 'EXP-KRB5-DES-CBC-SHA',
+ 0x27: 'EXP-KRB5-RC2-CBC-SHA',
+ 0x28: 'EXP-KRB5-RC4-SHA',
+ 0x29: 'EXP-KRB5-DES-CBC-MD5',
+ 0x2a: 'EXP-KRB5-RC2-CBC-MD5',
+ 0x2b: 'EXP-KRB5-RC4-MD5',
+ 0x2f: 'AES128-SHA',
+ 0x30: 'DH-DSS-AES128-SHA',
+ 0x31: 'DH-RSA-AES128-SHA',
+ 0x32: 'DHE-DSS-AES128-SHA',
+ 0x33: 'DHE-RSA-AES128-SHA',
+ 0x34: 'ADH-AES128-SHA',
+ 0x35: 'AES256-SHA',
+ 0x36: 'DH-DSS-AES256-SHA',
+ 0x37: 'DH-RSA-AES256-SHA',
+ 0x38: 'DHE-DSS-AES256-SHA',
+ 0x39: 'DHE-RSA-AES256-SHA',
+ 0x3a: 'ADH-AES256-SHA',
+ 0x3b: 'NULL-SHA256',
+ 0x3c: 'AES128-SHA256',
+ 0x3d: 'AES256-SHA256',
+ 0x3e: 'DH-DSS-AES128-SHA256',
+ 0x3f: 'DH-RSA-AES128-SHA256',
+ 0x40: 'DHE-DSS-AES128-SHA256',
+ 0x41: 'CAMELLIA128-SHA',
+ 0x42: 'DH-DSS-CAMELLIA128-SHA',
+ 0x43: 'DH-RSA-CAMELLIA128-SHA',
+ 0x44: 'DHE-DSS-CAMELLIA128-SHA',
+ 0x45: 'DHE-RSA-CAMELLIA128-SHA',
+ 0x46: 'ADH-CAMELLIA128-SHA',
+ 0x62: 'EXP1024-DES-CBC-SHA',
+ 0x63: 'EXP1024-DHE-DSS-DES-CBC-SHA',
+ 0x64: 'EXP1024-RC4-SHA',
+ 0x65: 'EXP1024-DHE-DSS-RC4-SHA',
+ 0x66: 'DHE-DSS-RC4-SHA',
+ 0x67: 'DHE-RSA-AES128-SHA256',
+ 0x68: 'DH-DSS-AES256-SHA256',
+ 0x69: 'DH-RSA-AES256-SHA256',
+ 0x6a: 'DHE-DSS-AES256-SHA256',
+ 0x6b: 'DHE-RSA-AES256-SHA256',
+ 0x6c: 'ADH-AES128-SHA256',
+ 0x6d: 'ADH-AES256-SHA256',
+ 0x80: 'GOST94-GOST89-GOST89',
+ 0x81: 'GOST2001-GOST89-GOST89',
+ 0x82: 'GOST94-NULL-GOST94',
+ 0x83: 'GOST2001-GOST89-GOST89',
+ 0x84: 'CAMELLIA256-SHA',
+ 0x85: 'DH-DSS-CAMELLIA256-SHA',
+ 0x86: 'DH-RSA-CAMELLIA256-SHA',
+ 0x87: 'DHE-DSS-CAMELLIA256-SHA',
+ 0x88: 'DHE-RSA-CAMELLIA256-SHA',
+ 0x89: 'ADH-CAMELLIA256-SHA',
+ 0x8a: 'PSK-RC4-SHA',
+ 0x8b: 'PSK-3DES-EDE-CBC-SHA',
+ 0x8c: 'PSK-AES128-CBC-SHA',
+ 0x8d: 'PSK-AES256-CBC-SHA',
+ # 0x8e: ,
+ # 0x8f: ,
+ # 0x90: ,
+ # 0x91: ,
+ # 0x92: ,
+ # 0x93: ,
+ # 0x94: ,
+ # 0x95: ,
+ 0x96: 'SEED-SHA',
+ 0x97: 'DH-DSS-SEED-SHA',
+ 0x98: 'DH-RSA-SEED-SHA',
+ 0x99: 'DHE-DSS-SEED-SHA',
+ 0x9a: 'DHE-RSA-SEED-SHA',
+ 0x9b: 'ADH-SEED-SHA',
+ 0x9c: 'AES128-GCM-SHA256',
+ 0x9d: 'AES256-GCM-SHA384',
+ 0x9e: 'DHE-RSA-AES128-GCM-SHA256',
+ 0x9f: 'DHE-RSA-AES256-GCM-SHA384',
+ 0xa0: 'DH-RSA-AES128-GCM-SHA256',
+ 0xa1: 'DH-RSA-AES256-GCM-SHA384',
+ 0xa2: 'DHE-DSS-AES128-GCM-SHA256',
+ 0xa3: 'DHE-DSS-AES256-GCM-SHA384',
+ 0xa4: 'DH-DSS-AES128-GCM-SHA256',
+ 0xa5: 'DH-DSS-AES256-GCM-SHA384',
+ 0xa6: 'ADH-AES128-GCM-SHA256',
+ 0xa7: 'ADH-AES256-GCM-SHA384',
+ 0x5600: 'TLS_FALLBACK_SCSV',
+ 0xc001: 'ECDH-ECDSA-NULL-SHA',
+ 0xc002: 'ECDH-ECDSA-RC4-SHA',
+ 0xc003: 'ECDH-ECDSA-DES-CBC3-SHA',
+ 0xc004: 'ECDH-ECDSA-AES128-SHA',
+ 0xc005: 'ECDH-ECDSA-AES256-SHA',
+ 0xc006: 'ECDHE-ECDSA-NULL-SHA',
+ 0xc007: 'ECDHE-ECDSA-RC4-SHA',
+ 0xc008: 'ECDHE-ECDSA-DES-CBC3-SHA',
+ 0xc009: 'ECDHE-ECDSA-AES128-SHA',
+ 0xc00a: 'ECDHE-ECDSA-AES256-SHA',
+ 0xc00b: 'ECDH-RSA-NULL-SHA',
+ 0xc00c: 'ECDH-RSA-RC4-SHA',
+ 0xc00d: 'ECDH-RSA-DES-CBC3-SHA',
+ 0xc00e: 'ECDH-RSA-AES128-SHA',
+ 0xc00f: 'ECDH-RSA-AES256-SHA',
+ 0xc010: 'ECDHE-RSA-NULL-SHA',
+ 0xc011: 'ECDHE-RSA-RC4-SHA',
+ 0xc012: 'ECDHE-RSA-DES-CBC3-SHA',
+ 0xc013: 'ECDHE-RSA-AES128-SHA',
+ 0xc014: 'ECDHE-RSA-AES256-SHA',
+ 0xc015: 'AECDH-NULL-SHA',
+ 0xc016: 'AECDH-RC4-SHA',
+ 0xc017: 'AECDH-DES-CBC3-SHA',
+ 0xc018: 'AECDH-AES128-SHA',
+ 0xc019: 'AECDH-AES256-SHA',
+ 0xc01a: 'SRP-3DES-EDE-CBC-SHA',
+ 0xc01b: 'SRP-RSA-3DES-EDE-CBC-SHA',
+ 0xc01c: 'SRP-DSS-3DES-EDE-CBC-SHA',
+ 0xc01d: 'SRP-AES-128-CBC-SHA',
+ 0xc01e: 'SRP-RSA-AES-128-CBC-SHA',
+ 0xc01f: 'SRP-DSS-AES-128-CBC-SHA',
+ 0xc020: 'SRP-AES-256-CBC-SHA',
+ 0xc021: 'SRP-RSA-AES-256-CBC-SHA',
+ 0xc022: 'SRP-DSS-AES-256-CBC-SHA',
+ 0xc023: 'ECDHE-ECDSA-AES128-SHA256',
+ 0xc024: 'ECDHE-ECDSA-AES256-SHA384',
+ 0xc025: 'ECDH-ECDSA-AES128-SHA256',
+ 0xc026: 'ECDH-ECDSA-AES256-SHA384',
+ 0xc027: 'ECDHE-RSA-AES128-SHA256',
+ 0xc028: 'ECDHE-RSA-AES256-SHA384',
+ 0xc029: 'ECDH-RSA-AES128-SHA256',
+ 0xc02a: 'ECDH-RSA-AES256-SHA384',
+ 0xc02b: 'ECDHE-ECDSA-AES128-GCM-SHA256',
+ 0xc02c: 'ECDHE-ECDSA-AES256-GCM-SHA384',
+ 0xc02d: 'ECDH-ECDSA-AES128-GCM-SHA256',
+ 0xc02e: 'ECDH-ECDSA-AES256-GCM-SHA384',
+ 0xc02f: 'ECDHE-RSA-AES128-GCM-SHA256',
+ 0xc030: 'ECDHE-RSA-AES256-GCM-SHA384',
+ 0xc031: 'ECDH-RSA-AES128-GCM-SHA256',
+ 0xc032: 'ECDH-RSA-AES256-GCM-SHA384',
+ 0xcc13: 'ECDHE-RSA-CHACHA20-POLY1305',
+ 0xcc14: 'ECDHE-ECDSA-CHACHA20-POLY1305',
+ 0xcc15: 'DHE-RSA-CHACHA20-POLY1305',
+ 0xff00: 'GOST-MD5',
+ 0xff01: 'GOST-GOST94',
+ 0xff02: 'GOST-GOST89MAC',
+ 0xff03: 'GOST-GOST89STREAM',
+ 0x010080: 'RC4-MD5',
+ 0x020080: 'EXP-RC4-MD5',
+ 0x030080: 'RC2-CBC-MD5',
+ 0x040080: 'EXP-RC2-CBC-MD5',
+ 0x050080: 'IDEA-CBC-MD5',
+ 0x060040: 'DES-CBC-MD5',
+ 0x0700c0: 'DES-CBC3-MD5',
+ 0x080080: 'RC4-64-MD5',
+}
+
+
def is_tls_record_magic(d):
"""
Returns:
@@ -47,8 +241,8 @@ class TlsLayer(Layer):
If so, we first connect to the server and then to the client.
If not, we only connect to the client and do the server_ssl lazily on a Connect message.
- An additional complexity is that establish ssl with the server may require a SNI value from the client.
- In an ideal world, we'd do the following:
+ An additional complexity is that establish ssl with the server may require a SNI value from
+ the client. In an ideal world, we'd do the following:
1. Start the SSL handshake with the client
2. Check if the client sends a SNI.
3. Pause the client handshake, establish SSL with the server.
@@ -100,11 +294,11 @@ class TlsLayer(Layer):
while len(client_hello) < client_hello_size:
record_header = self.client_conn.rfile.peek(offset + 5)[offset:]
if not is_tls_record_magic(record_header) or len(record_header) != 5:
- raise ProtocolException('Expected TLS record, got "%s" instead.' % record_header)
+ raise TlsException('Expected TLS record, got "%s" instead.' % record_header)
record_size = struct.unpack("!H", record_header[3:])[0] + 5
record_body = self.client_conn.rfile.peek(offset + record_size)[offset + 5:]
if len(record_body) != record_size - 5:
- raise ProtocolException("Unexpected EOF in TLS handshake: %s" % record_body)
+ raise TlsException("Unexpected EOF in TLS handshake: %s" % record_body)
client_hello += record_body
offset += record_size
client_hello_size = struct.unpack("!I", '\x00' + client_hello[1:4])[0] + 4
@@ -127,6 +321,8 @@ class TlsLayer(Layer):
self.log("Raw Client Hello:\r\n:%s" % raw_client_hello.encode("hex"), "debug")
return
+ self.client_ciphers = client_hello.cipher_suites.cipher_suites
+
for extension in client_hello.extensions:
if extension.type == 0x00:
if len(extension.server_names) != 1 or extension.server_names[0].type != 0:
@@ -146,18 +342,11 @@ class TlsLayer(Layer):
if self._server_tls and not self.server_conn.tls_established:
self._establish_tls_with_server()
- def reconnect(self):
- self.ctx.reconnect()
- if self._server_tls and not self.server_conn.tls_established:
- self._establish_tls_with_server()
-
- def set_server(self, address, server_tls=None, sni=None, depth=1):
- if depth == 1 and server_tls is not None:
- self.ctx.set_server(address, None, None, 1)
+ def set_server(self, address, server_tls=None, sni=None):
+ if server_tls is not None:
self._sni_from_server_change = sni
self._server_tls = server_tls
- else:
- self.ctx.set_server(address, server_tls, sni, depth)
+ self.ctx.set_server(address, None, None)
@property
def sni_for_server_connection(self):
@@ -201,7 +390,7 @@ class TlsLayer(Layer):
self._establish_tls_with_client()
except:
pass
- raise e
+ six.reraise(*sys.exc_info())
self._establish_tls_with_client()
@@ -219,8 +408,22 @@ class TlsLayer(Layer):
chain_file=chain_file,
alpn_select_callback=self.__alpn_select_callback,
)
+ # Some TLS clients will not fail the handshake,
+ # but will immediately throw an "unexpected eof" error on the first read.
+ # The reason for this might be difficult to find, so we try to peek here to see if it
+ # raises ann error.
+ self.client_conn.rfile.peek(1)
except NetLibError as e:
- raise ProtocolException("Cannot establish TLS with client: %s" % repr(e), e)
+ six.reraise(
+ ClientHandshakeException,
+ ClientHandshakeException(
+ "Cannot establish TLS with client (sni: {sni}): {e}".format(
+ sni=self.client_sni, e=repr(e)
+ ),
+ self.client_sni or repr(self.server_conn.address)
+ ),
+ sys.exc_info()[2]
+ )
def _establish_tls_with_server(self):
self.log("Establish TLS with server", "debug")
@@ -230,9 +433,19 @@ class TlsLayer(Layer):
# and mitmproxy would enter TCP passthrough mode, which we want to avoid.
deprecated_http2_variant = lambda x: x.startswith("h2-") or x.startswith("spdy")
if self.client_alpn_protocols:
- alpn = filter(lambda x: not deprecated_http2_variant(x), self.client_alpn_protocols)
+ alpn = [x for x in self.client_alpn_protocols if not deprecated_http2_variant(x)]
else:
alpn = None
+ if alpn and "h2" in alpn and not self.config.http2 :
+ alpn.remove("h2")
+
+ ciphers_server = self.config.ciphers_server
+ if not ciphers_server:
+ ciphers_server = []
+ for id in self.client_ciphers:
+ if id in CIPHER_ID_NAME_MAP.keys():
+ ciphers_server.append(CIPHER_ID_NAME_MAP[id])
+ ciphers_server = ':'.join(ciphers_server)
self.server_conn.establish_ssl(
self.config.clientcerts,
@@ -242,7 +455,7 @@ class TlsLayer(Layer):
verify_options=self.config.openssl_verification_mode_server,
ca_path=self.config.openssl_trusted_cadir_server,
ca_pemfile=self.config.openssl_trusted_ca_server,
- cipher_list=self.config.ciphers_server,
+ cipher_list=ciphers_server,
alpn_protos=alpn,
)
tls_cert_err = self.server_conn.ssl_verification_error
@@ -259,17 +472,25 @@ class TlsLayer(Layer):
(tls_cert_err['depth'], tls_cert_err['errno']),
"error")
self.log("Aborting connection attempt", "error")
- raise ProtocolException("Cannot establish TLS with {address} (sni: {sni}): {e}".format(
- address=repr(self.server_conn.address),
- sni=self.sni_for_server_connection,
- e=repr(e),
- ), e)
+ six.reraise(
+ TlsException,
+ TlsException("Cannot establish TLS with {address} (sni: {sni}): {e}".format(
+ address=repr(self.server_conn.address),
+ sni=self.sni_for_server_connection,
+ e=repr(e),
+ )),
+ sys.exc_info()[2]
+ )
except NetLibError as e:
- raise ProtocolException("Cannot establish TLS with {address} (sni: {sni}): {e}".format(
- address=repr(self.server_conn.address),
- sni=self.sni_for_server_connection,
- e=repr(e),
- ), e)
+ six.reraise(
+ TlsException,
+ TlsException("Cannot establish TLS with {address} (sni: {sni}): {e}".format(
+ address=repr(self.server_conn.address),
+ sni=self.sni_for_server_connection,
+ e=repr(e),
+ )),
+ sys.exc_info()[2]
+ )
self.log("ALPN selected by server: %s" % self.alpn_for_client_connection, "debug")
@@ -294,5 +515,4 @@ class TlsLayer(Layer):
if self._sni_from_server_change:
sans.add(self._sni_from_server_change)
- sans.discard(host)
return self.config.certstore.get_cert(host, list(sans))
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-07 15:34:52 +0000