mitmproxy/libmproxy/protocol2/tls.py

from __future__ import (absolute_import, print_function, division)

import traceback
from netlib import tcp

from ..exceptions import ProtocolException
from .layer import Layer, yield_from_callback
from .messages import Connect, Reconnect, ChangeServer


class TlsLayer(Layer):
    def __init__(self, ctx, client_tls, server_tls):
        super(TlsLayer, self).__init__(ctx)
        self._client_tls = client_tls
        self._server_tls = server_tls
        self._connected = False
        self.client_sni = None
        self._sni_from_server_change = None

    def __call__(self):
        """
        The strategy for establishing SSL is as follows:
            First, we determine whether we need the server cert to establish ssl with the client.
            If so, we first connect to the server and then to the client.
            If not, we only connect to the client and do the server_ssl lazily on a Connect message.

        An additional complexity is that establish ssl with the server may require a SNI value from the client.
        In an ideal world, we'd do the following:
            1. Start the SSL handshake with the client
            2. Check if the client sends a SNI.
            3. Pause the client handshake, establish SSL with the server.
            4. Finish the client handshake with the certificate from the server.
        There's just one issue: We cannot get a callback from OpenSSL if the client doesn't send a SNI. :(
        Thus, we resort to the following workaround when establishing SSL with the server:
            1. Try to establish SSL with the server without SNI. If this fails, we ignore it.
            2. Establish SSL with client.
                - If there's a SNI callback, reconnect to the server with SNI.
                - If not and the server connect failed, raise the original exception.
        Further notes:
            - OpenSSL 1.0.2 introduces a callback that would help here:
              https://www.openssl.org/docs/ssl/SSL_CTX_set_cert_cb.html
            - The original mitmproxy issue is https://github.com/mitmproxy/mitmproxy/issues/427
        """
        client_tls_requires_server_cert = (
            self._client_tls and self._server_tls and not self.config.no_upstream_cert
        )
        lazy_server_tls = (
            self._server_tls and not client_tls_requires_server_cert
        )

        if client_tls_requires_server_cert:
            for m in self._establish_tls_with_client_and_server():
                yield m
        elif self._client_tls:
            for m in self._establish_tls_with_client():
                yield m

        layer = self.ctx.next_layer(self)
        for message in layer():
            if message != Connect or not self._connected:
                yield message
            if message == Connect:
                if lazy_server_tls:
                    self._establish_tls_with_server()
            if message == ChangeServer and message.depth == 1:
                self._server_tls = message.server_tls
                self._sni_from_server_change = message.sni
            if message == Reconnect or message == ChangeServer:
                if self._server_tls:
                    self._establish_tls_with_server()

    @property
    def sni_for_upstream_connection(self):
        if self._sni_from_server_change is False:
            return None
        else:
            return self._sni_from_server_change or self.client_sni

    def _establish_tls_with_client_and_server(self):
        """
        This function deals with the problem that the server may require a SNI value from the client.
        """

        # First, try to connect to the server.
        yield Connect()
        self._connected = True
        server_err = None
        try:
            self._establish_tls_with_server()
        except ProtocolException as e:
            server_err = e

        for message in self._establish_tls_with_client():
            if message == Reconnect:
                yield message
                self._establish_tls_with_server()
            else:
                raise RuntimeError("Unexpected Message: %s" % message)

        if server_err and not self.client_sni:
            raise server_err

    def __handle_sni(self, connection):
        """
        This callback gets called during the TLS handshake with the client.
        The client has just sent the Sever Name Indication (SNI).
        """
        try:
            old_upstream_sni = self.sni_for_upstream_connection

            sn = connection.get_servername()
            if not sn:
                return
            self.client_sni = sn.decode("utf8").encode("idna")

            if old_upstream_sni != self.sni_for_upstream_connection:
                # Perform reconnect
                if self._server_tls:
                    self.yield_from_callback(Reconnect())

            if self.client_sni:
                # Now, change client context to reflect possibly changed certificate:
                cert, key, chain_file = self._find_cert()
                new_context = self.client_conn.create_ssl_context(
                    cert, key,
                    method=self.config.openssl_method_client,
                    options=self.config.openssl_options_client,
                    cipher_list=self.config.ciphers_client,
                    dhparams=self.config.certstore.dhparams,
                    chain_file=chain_file
                )
                connection.set_context(new_context)
        # An unhandled exception in this method will core dump PyOpenSSL, so
        # make dang sure it doesn't happen.
        except:  # pragma: no cover
            self.log("Error in handle_sni:\r\n" + traceback.format_exc(), "error")

    @yield_from_callback
    def _establish_tls_with_client(self):
        self.log("Establish TLS with client", "debug")
        cert, key, chain_file = self._find_cert()
        try:
            self.client_conn.convert_to_ssl(
                cert, key,
                method=self.config.openssl_method_client,
                options=self.config.openssl_options_client,
                handle_sni=self.__handle_sni,
                cipher_list=self.config.ciphers_client,
                dhparams=self.config.certstore.dhparams,
                chain_file=chain_file
            )
        except tcp.NetLibError as e:
            raise ProtocolException(repr(e), e)

    def _establish_tls_with_server(self):
        self.log("Establish TLS with server", "debug")
        try:
            self.server_conn.establish_ssl(
                self.config.clientcerts,
                self.sni_for_upstream_connection,
                method=self.config.openssl_method_server,
                options=self.config.openssl_options_server,
                verify_options=self.config.openssl_verification_mode_server,
                ca_path=self.config.openssl_trusted_cadir_server,
                ca_pemfile=self.config.openssl_trusted_ca_server,
                cipher_list=self.config.ciphers_server,
            )
            tls_cert_err = self.server_conn.ssl_verification_error
            if tls_cert_err is not None:
                self.log(
                    "TLS verification failed for upstream server at depth %s with error: %s" %
                    (tls_cert_err['depth'], tls_cert_err['errno']),
                    "error")
                self.log("Ignoring server verification error, continuing with connection", "error")
        except tcp.NetLibInvalidCertificateError as e:
            tls_cert_err = self.server_conn.ssl_verification_error
            self.log(
                "TLS verification failed for upstream server at depth %s with error: %s" %
                (tls_cert_err['depth'], tls_cert_err['errno']),
                "error")
            self.log("Aborting connection attempt", "error")
            raise ProtocolException(repr(e), e)
        except tcp.NetLibError as e:
            raise ProtocolException(repr(e), e)

    def _find_cert(self):
        host = self.server_conn.address.host
        sans = set()
        # Incorporate upstream certificate
        if self.server_conn.tls_established and (not self.config.no_upstream_cert):
            upstream_cert = self.server_conn.cert
            sans.update(upstream_cert.altnames)
            if upstream_cert.cn:
                sans.add(host)
                host = upstream_cert.cn.decode("utf8").encode("idna")
        # Also add SNI values.
        if self.client_sni:
            sans.add(self.client_sni)
        if self._sni_from_server_change:
            sans.add(self._sni_from_server_change)

        return self.config.certstore.get_cert(host, list(sans))
apply fixes from proxy-refactor-cb branch 2015-08-06 09:09:01 +00:00			`from __future__ import (absolute_import, print_function, division)`
more work on http layer 2015-08-14 08:41:11 +00:00
add ssl layer 2015-07-24 15:48:27 +00:00			`import traceback`
first initial proof-of-concept 2015-07-24 11:31:55 +00:00			`from netlib import tcp`

cleaner Exceptions, ssl -> tls, upstream proxy mode 2015-08-08 14:08:57 +00:00			`from ..exceptions import ProtocolException`
simplify layer code, add yield_from_callback decorator 2015-08-06 10:13:23 +00:00			`from .layer import Layer, yield_from_callback`
move files around 2015-07-24 16:29:13 +00:00			`from .messages import Connect, Reconnect, ChangeServer`
add ssl layer 2015-07-24 15:48:27 +00:00

cleaner Exceptions, ssl -> tls, upstream proxy mode 2015-08-08 14:08:57 +00:00			`class TlsLayer(Layer):`
			`def __init__(self, ctx, client_tls, server_tls):`
			`super(TlsLayer, self).__init__(ctx)`
			`self._client_tls = client_tls`
			`self._server_tls = server_tls`
add ssl layer 2015-07-24 15:48:27 +00:00			`self._connected = False`
add reverseproxy mode, fix bugs 2015-08-06 10:32:33 +00:00			`self.client_sni = None`
add ssl layer 2015-07-24 15:48:27 +00:00			`self._sni_from_server_change = None`

			`def __call__(self):`
			`"""`
			`The strategy for establishing SSL is as follows:`
			`First, we determine whether we need the server cert to establish ssl with the client.`
			`If so, we first connect to the server and then to the client.`
			`If not, we only connect to the client and do the server_ssl lazily on a Connect message.`

			`An additional complexity is that establish ssl with the server may require a SNI value from the client.`
			`In an ideal world, we'd do the following:`
			`1. Start the SSL handshake with the client`
			`2. Check if the client sends a SNI.`
			`3. Pause the client handshake, establish SSL with the server.`
			`4. Finish the client handshake with the certificate from the server.`
			`There's just one issue: We cannot get a callback from OpenSSL if the client doesn't send a SNI. :(`
			`Thus, we resort to the following workaround when establishing SSL with the server:`
			`1. Try to establish SSL with the server without SNI. If this fails, we ignore it.`
			`2. Establish SSL with client.`
			`- If there's a SNI callback, reconnect to the server with SNI.`
			`- If not and the server connect failed, raise the original exception.`
			`Further notes:`
			`- OpenSSL 1.0.2 introduces a callback that would help here:`
			`https://www.openssl.org/docs/ssl/SSL_CTX_set_cert_cb.html`
			`- The original mitmproxy issue is https://github.com/mitmproxy/mitmproxy/issues/427`
			`"""`
cleaner Exceptions, ssl -> tls, upstream proxy mode 2015-08-08 14:08:57 +00:00			`client_tls_requires_server_cert = (`
			`self._client_tls and self._server_tls and not self.config.no_upstream_cert`
add ssl layer 2015-07-24 15:48:27 +00:00			`)`
cleaner Exceptions, ssl -> tls, upstream proxy mode 2015-08-08 14:08:57 +00:00			`lazy_server_tls = (`
			`self._server_tls and not client_tls_requires_server_cert`
add ssl layer 2015-07-24 15:48:27 +00:00			`)`

cleaner Exceptions, ssl -> tls, upstream proxy mode 2015-08-08 14:08:57 +00:00			`if client_tls_requires_server_cert:`
			`for m in self._establish_tls_with_client_and_server():`
add ssl layer 2015-07-24 15:48:27 +00:00			`yield m`
cleaner Exceptions, ssl -> tls, upstream proxy mode 2015-08-08 14:08:57 +00:00			`elif self._client_tls:`
			`for m in self._establish_tls_with_client():`
simplify layer code, add yield_from_callback decorator 2015-08-06 10:13:23 +00:00			`yield m`
add ssl layer 2015-07-24 15:48:27 +00:00
wip commit 2015-08-11 18:27:34 +00:00			`layer = self.ctx.next_layer(self)`
add ssl layer 2015-07-24 15:48:27 +00:00			`for message in layer():`
			`if message != Connect or not self._connected:`
			`yield message`
			`if message == Connect:`
cleaner Exceptions, ssl -> tls, upstream proxy mode 2015-08-08 14:08:57 +00:00			`if lazy_server_tls:`
			`self._establish_tls_with_server()`
add ssl layer 2015-07-24 15:48:27 +00:00			`if message == ChangeServer and message.depth == 1:`
cleaner Exceptions, ssl -> tls, upstream proxy mode 2015-08-08 14:08:57 +00:00			`self._server_tls = message.server_tls`
add ssl layer 2015-07-24 15:48:27 +00:00			`self._sni_from_server_change = message.sni`
			`if message == Reconnect or message == ChangeServer:`
cleaner Exceptions, ssl -> tls, upstream proxy mode 2015-08-08 14:08:57 +00:00			`if self._server_tls:`
			`self._establish_tls_with_server()`
add ssl layer 2015-07-24 15:48:27 +00:00
			`@property`
apply fixes from proxy-refactor-cb branch 2015-08-06 09:09:01 +00:00			`def sni_for_upstream_connection(self):`
add ssl layer 2015-07-24 15:48:27 +00:00			`if self._sni_from_server_change is False:`
			`return None`
			`else:`
add reverseproxy mode, fix bugs 2015-08-06 10:32:33 +00:00			`return self._sni_from_server_change or self.client_sni`
add ssl layer 2015-07-24 15:48:27 +00:00
cleaner Exceptions, ssl -> tls, upstream proxy mode 2015-08-08 14:08:57 +00:00			`def _establish_tls_with_client_and_server(self):`
add ssl layer 2015-07-24 15:48:27 +00:00			`"""`
			`This function deals with the problem that the server may require a SNI value from the client.`
			`"""`

			`# First, try to connect to the server.`
			`yield Connect()`
			`self._connected = True`
			`server_err = None`
			`try:`
cleaner Exceptions, ssl -> tls, upstream proxy mode 2015-08-08 14:08:57 +00:00			`self._establish_tls_with_server()`
			`except ProtocolException as e:`
add ssl layer 2015-07-24 15:48:27 +00:00			`server_err = e`

cleaner Exceptions, ssl -> tls, upstream proxy mode 2015-08-08 14:08:57 +00:00			`for message in self._establish_tls_with_client():`
simplify layer code, add yield_from_callback decorator 2015-08-06 10:13:23 +00:00			`if message == Reconnect:`
			`yield message`
cleaner Exceptions, ssl -> tls, upstream proxy mode 2015-08-08 14:08:57 +00:00			`self._establish_tls_with_server()`
simplify layer code, add yield_from_callback decorator 2015-08-06 10:13:23 +00:00			`else:`
			`raise RuntimeError("Unexpected Message: %s" % message)`
add ssl layer 2015-07-24 15:48:27 +00:00
add reverseproxy mode, fix bugs 2015-08-06 10:32:33 +00:00			`if server_err and not self.client_sni:`
add ssl layer 2015-07-24 15:48:27 +00:00			`raise server_err`

more work on http layer 2015-08-14 08:41:11 +00:00			`def __handle_sni(self, connection):`
add ssl layer 2015-07-24 15:48:27 +00:00			`"""`
cleaner Exceptions, ssl -> tls, upstream proxy mode 2015-08-08 14:08:57 +00:00			`This callback gets called during the TLS handshake with the client.`
add ssl layer 2015-07-24 15:48:27 +00:00			`The client has just sent the Sever Name Indication (SNI).`
			`"""`
			`try:`
apply fixes from proxy-refactor-cb branch 2015-08-06 09:09:01 +00:00			`old_upstream_sni = self.sni_for_upstream_connection`

add ssl layer 2015-07-24 15:48:27 +00:00			`sn = connection.get_servername()`
			`if not sn:`
			`return`
add reverseproxy mode, fix bugs 2015-08-06 10:32:33 +00:00			`self.client_sni = sn.decode("utf8").encode("idna")`
add ssl layer 2015-07-24 15:48:27 +00:00
apply fixes from proxy-refactor-cb branch 2015-08-06 09:09:01 +00:00			`if old_upstream_sni != self.sni_for_upstream_connection:`
add ssl layer 2015-07-24 15:48:27 +00:00			`# Perform reconnect`
cleaner Exceptions, ssl -> tls, upstream proxy mode 2015-08-08 14:08:57 +00:00			`if self._server_tls:`
simplify layer code, add yield_from_callback decorator 2015-08-06 10:13:23 +00:00			`self.yield_from_callback(Reconnect())`
add ssl layer 2015-07-24 15:48:27 +00:00
add reverseproxy mode, fix bugs 2015-08-06 10:32:33 +00:00			`if self.client_sni:`
apply fixes from proxy-refactor-cb branch 2015-08-06 09:09:01 +00:00			`# Now, change client context to reflect possibly changed certificate:`
more work on http layer 2015-08-14 08:41:11 +00:00			`cert, key, chain_file = self._find_cert()`
add ssl layer 2015-07-24 15:48:27 +00:00			`new_context = self.client_conn.create_ssl_context(`
			`cert, key,`
			`method=self.config.openssl_method_client,`
			`options=self.config.openssl_options_client,`
			`cipher_list=self.config.ciphers_client,`
			`dhparams=self.config.certstore.dhparams,`
			`chain_file=chain_file`
			`)`
			`connection.set_context(new_context)`
			`# An unhandled exception in this method will core dump PyOpenSSL, so`
			`# make dang sure it doesn't happen.`
			`except: # pragma: no cover`
			`self.log("Error in handle_sni:\r\n" + traceback.format_exc(), "error")`

simplify layer code, add yield_from_callback decorator 2015-08-06 10:13:23 +00:00			`@yield_from_callback`
cleaner Exceptions, ssl -> tls, upstream proxy mode 2015-08-08 14:08:57 +00:00			`def _establish_tls_with_client(self):`
			`self.log("Establish TLS with client", "debug")`
more work on http layer 2015-08-14 08:41:11 +00:00			`cert, key, chain_file = self._find_cert()`
add ssl layer 2015-07-24 15:48:27 +00:00			`try:`
			`self.client_conn.convert_to_ssl(`
			`cert, key,`
			`method=self.config.openssl_method_client,`
			`options=self.config.openssl_options_client,`
more work on http layer 2015-08-14 08:41:11 +00:00			`handle_sni=self.__handle_sni,`
add ssl layer 2015-07-24 15:48:27 +00:00			`cipher_list=self.config.ciphers_client,`
			`dhparams=self.config.certstore.dhparams,`
			`chain_file=chain_file`
			`)`
			`except tcp.NetLibError as e:`
cleaner Exceptions, ssl -> tls, upstream proxy mode 2015-08-08 14:08:57 +00:00			`raise ProtocolException(repr(e), e)`
add ssl layer 2015-07-24 15:48:27 +00:00
cleaner Exceptions, ssl -> tls, upstream proxy mode 2015-08-08 14:08:57 +00:00			`def _establish_tls_with_server(self):`
			`self.log("Establish TLS with server", "debug")`
add ssl layer 2015-07-24 15:48:27 +00:00			`try:`
			`self.server_conn.establish_ssl(`
			`self.config.clientcerts,`
apply fixes from proxy-refactor-cb branch 2015-08-06 09:09:01 +00:00			`self.sni_for_upstream_connection,`
add ssl layer 2015-07-24 15:48:27 +00:00			`method=self.config.openssl_method_server,`
			`options=self.config.openssl_options_server,`
			`verify_options=self.config.openssl_verification_mode_server,`
			`ca_path=self.config.openssl_trusted_cadir_server,`
			`ca_pemfile=self.config.openssl_trusted_ca_server,`
			`cipher_list=self.config.ciphers_server,`
			`)`
cleaner Exceptions, ssl -> tls, upstream proxy mode 2015-08-08 14:08:57 +00:00			`tls_cert_err = self.server_conn.ssl_verification_error`
			`if tls_cert_err is not None:`
add ssl layer 2015-07-24 15:48:27 +00:00			`self.log(`
cleaner Exceptions, ssl -> tls, upstream proxy mode 2015-08-08 14:08:57 +00:00			`"TLS verification failed for upstream server at depth %s with error: %s" %`
			`(tls_cert_err['depth'], tls_cert_err['errno']),`
add ssl layer 2015-07-24 15:48:27 +00:00			`"error")`
			`self.log("Ignoring server verification error, continuing with connection", "error")`
			`except tcp.NetLibInvalidCertificateError as e:`
cleaner Exceptions, ssl -> tls, upstream proxy mode 2015-08-08 14:08:57 +00:00			`tls_cert_err = self.server_conn.ssl_verification_error`
add ssl layer 2015-07-24 15:48:27 +00:00			`self.log(`
cleaner Exceptions, ssl -> tls, upstream proxy mode 2015-08-08 14:08:57 +00:00			`"TLS verification failed for upstream server at depth %s with error: %s" %`
			`(tls_cert_err['depth'], tls_cert_err['errno']),`
add ssl layer 2015-07-24 15:48:27 +00:00			`"error")`
			`self.log("Aborting connection attempt", "error")`
cleaner Exceptions, ssl -> tls, upstream proxy mode 2015-08-08 14:08:57 +00:00			`raise ProtocolException(repr(e), e)`
apply fixes from proxy-refactor-cb branch 2015-08-06 09:09:01 +00:00			`except tcp.NetLibError as e:`
cleaner Exceptions, ssl -> tls, upstream proxy mode 2015-08-08 14:08:57 +00:00			`raise ProtocolException(repr(e), e)`
add ssl layer 2015-07-24 15:48:27 +00:00
more work on http layer 2015-08-14 08:41:11 +00:00			`def _find_cert(self):`
add ssl layer 2015-07-24 15:48:27 +00:00			`host = self.server_conn.address.host`
apply fixes from proxy-refactor-cb branch 2015-08-06 09:09:01 +00:00			`sans = set()`
add ssl layer 2015-07-24 15:48:27 +00:00			`# Incorporate upstream certificate`
cleaner Exceptions, ssl -> tls, upstream proxy mode 2015-08-08 14:08:57 +00:00			`if self.server_conn.tls_established and (not self.config.no_upstream_cert):`
add ssl layer 2015-07-24 15:48:27 +00:00			`upstream_cert = self.server_conn.cert`
apply fixes from proxy-refactor-cb branch 2015-08-06 09:09:01 +00:00			`sans.update(upstream_cert.altnames)`
add ssl layer 2015-07-24 15:48:27 +00:00			`if upstream_cert.cn:`
apply fixes from proxy-refactor-cb branch 2015-08-06 09:09:01 +00:00			`sans.add(host)`
add ssl layer 2015-07-24 15:48:27 +00:00			`host = upstream_cert.cn.decode("utf8").encode("idna")`
			`# Also add SNI values.`
add reverseproxy mode, fix bugs 2015-08-06 10:32:33 +00:00			`if self.client_sni:`
			`sans.add(self.client_sni)`
add ssl layer 2015-07-24 15:48:27 +00:00			`if self._sni_from_server_change:`
apply fixes from proxy-refactor-cb branch 2015-08-06 09:09:01 +00:00			`sans.add(self._sni_from_server_change)`
add ssl layer 2015-07-24 15:48:27 +00:00
simplify layer code, add yield_from_callback decorator 2015-08-06 10:13:23 +00:00			`return self.config.certstore.get_cert(host, list(sans))`