ssl_scan 0.0.1

data/lib/ssl_scan/io/stream_abstraction.rb

@@ -0,0 +1,209 @@
+# -*- coding: binary -*-
+
+require 'socket'
+require 'fcntl'
+
+module Rex
+module IO
+
+###
+#
+# This class provides an abstraction to a stream based
+# connection through the use of a streaming socketpair.
+#
+###
+module StreamAbstraction
+
+  ###
+  #
+  # Extension information for required Stream interface.
+  #
+  ###
+  module Ext
+
+    #
+    # Initializes peer information.
+    #
+    def initinfo(peer,local)
+      @peer = peer
+      @local = local
+    end
+
+    #
+    # Symbolic peer information.
+    #
+    def peerinfo
+      (@peer || "Remote Pipe")
+    end
+
+    #
+    # Symbolic local information.
+    #
+    def localinfo
+      (@local || "Local Pipe")
+    end
+  end
+
+  #
+  # This method creates a streaming socket pair and initializes it.
+  #
+  def initialize_abstraction
+    self.lsock, self.rsock = Rex::Socket.tcp_socket_pair()
+    self.lsock.extend(Rex::IO::Stream)
+    self.lsock.extend(Ext)
+    self.rsock.extend(Rex::IO::Stream)
+
+    self.monitor_rsock
+  end
+
+  #
+  # This method cleans up the abstraction layer.
+  #
+  def cleanup_abstraction
+    self.lsock.close if (self.lsock)
+    self.rsock.close if (self.rsock)
+
+    self.lsock = nil
+    self.rsock = nil
+  end
+
+  #
+  # Low-level write to the local side.
+  #
+  def syswrite(buffer)
+    lsock.syswrite(buffer)
+  end
+
+  #
+  # Low-level read from the local side.
+  #
+  def sysread(length)
+    lsock.sysread(length)
+  end
+
+  #
+  # Shuts down the local side of the stream abstraction.
+  #
+  def shutdown(how)
+    lsock.shutdown(how)
+  end
+
+  #
+  # Closes both sides of the stream abstraction.
+  #
+  def close
+    cleanup_abstraction
+  end
+
+  #
+  # Symbolic peer information.
+  #
+  def peerinfo
+    "Remote-side of Pipe"
+  end
+
+  #
+  # Symbolic local information.
+  #
+  def localinfo
+    "Local-side of Pipe"
+  end
+
+  #
+  # The left side of the stream.
+  #
+  attr_reader :lsock
+  #
+  # The right side of the stream.
+  #
+  attr_reader :rsock
+
+protected
+
+  def monitor_rsock
+    self.monitor_thread = Rex::ThreadFactory.spawn("StreamMonitorRemote", false) {
+      loop do
+        closed = false
+        buf    = nil
+
+        if not self.rsock
+          wlog("monitor_rsock: the remote socket is nil, exiting loop")
+          break
+        end
+
+        begin
+          s = Rex::ThreadSafe.select( [ self.rsock ], nil, nil, 0.2 )
+          if( s == nil || s[0] == nil )
+            next
+          end
+        rescue Exception => e
+          wlog("monitor_rsock: exception during select: #{e.class} #{e}")
+          closed = true
+        end
+
+        if( closed == false )
+          begin
+            buf = self.rsock.sysread( 32768 )
+            if buf == nil
+              closed = true
+              wlog("monitor_rsock: closed remote socket due to nil read")
+            end
+          rescue EOFError => e
+            closed = true
+            dlog("monitor_rsock: EOF in rsock")
+          rescue ::Exception => e
+            closed = true
+            wlog("monitor_rsock: exception during read: #{e.class} #{e}")
+          end
+        end
+
+        if( closed == false )
+          total_sent   = 0
+          total_length = buf.length
+          while( total_sent < total_length )
+            begin
+              data = buf[total_sent, buf.length]
+
+              # Note that this must be write() NOT syswrite() or put() or anything like it.
+              # Using syswrite() breaks SSL streams.
+              sent = self.write( data )
+
+              # sf: Only remove the data off the queue is write was successfull.
+              #     This way we naturally perform a resend if a failure occured.
+              #     Catches an edge case with meterpreter TCP channels where remote send
+              #     failes gracefully and a resend is required.
+              if (sent.nil?)
+                closed = true
+                wlog("monitor_rsock: failed writing, socket must be dead")
+                break
+              elsif (sent > 0)
+                total_sent += sent
+              end
+            rescue ::IOError, ::EOFError => e
+              closed = true
+              wlog("monitor_rsock: exception during write: #{e.class} #{e}")
+              break
+            end
+          end
+        end
+
+        if( closed )
+          begin
+            self.close_write if self.respond_to?('close_write')
+          rescue IOError
+          end
+          break
+        end
+      end
+    }
+  end
+
+protected
+  attr_accessor :monitor_thread
+  attr_writer :lsock
+  attr_writer :rsock
+
+end
+
+end; end
+

data/lib/ssl_scan/io/stream_server.rb

@@ -0,0 +1,221 @@
+# -*- coding: binary -*-
+require 'thread'
+
+module SSLScan
+module IO
+
+###
+#
+# This mixin provides the framework and interface for implementing a streaming
+# server that can listen for and accept stream client connections.  Stream
+# servers extend this class and are required to implement the following
+# methods:
+#
+#   accept
+#   fd
+#
+###
+module StreamServer
+
+  ##
+  #
+  # Abstract methods
+  #
+  ##
+
+  ##
+  #
+  # Default server monitoring and client management implementation follows
+  # below.
+  #
+  ##
+
+  #
+  # This callback is notified when a client connects.
+  #
+  def on_client_connect(client)
+    if (on_client_connect_proc)
+      on_client_connect_proc.call(client)
+    end
+  end
+
+  #
+  # This callback is notified when a client connection has data that needs to
+  # be processed.
+  #
+  def on_client_data(client)
+    if (on_client_data_proc)
+      on_client_data_proc.call(client)
+    end
+  end
+
+  #
+  # This callback is notified when a client connection has closed.
+  #
+  def on_client_close(client)
+    if (on_client_close_proc)
+      on_client_close_proc.call(client)
+    end
+  end
+
+  #
+  # Start monitoring the listener socket for connections and keep track of
+  # all client connections.
+  #
+  def start
+    self.clients = []
+    self.client_waiter = ::Queue.new
+
+    self.listener_thread = SSLScan::ThreadFactory.spawn("StreamServerListener", false) {
+      monitor_listener
+    }
+    self.clients_thread = SSLScan::ThreadFactory.spawn("StreamServerClientMonitor", false) {
+      monitor_clients
+    }
+  end
+
+  #
+  # Terminates the listener monitoring threads and closes all active clients.
+  #
+  def stop
+    self.listener_thread.kill
+    self.clients_thread.kill
+
+    self.clients.each { |cli|
+      close_client(cli)
+    }
+  end
+
+  #
+  # This method closes a client connection and cleans up the resources
+  # associated with it.
+  #
+  def close_client(client)
+    if (client)
+      clients.delete(client)
+
+      begin
+        client.close
+      rescue IOError
+      end
+    end
+  end
+
+  #
+  # This method waits on the server listener thread
+  #
+  def wait
+    self.listener_thread.join if self.listener_thread
+  end
+
+  ##
+  #
+  # Callback procedures.
+  #
+  ##
+
+  #
+  # This callback procedure can be set and will be called when new clients
+  # connect.
+  #
+  attr_accessor :on_client_connect_proc
+  #
+  # This callback procedure can be set and will be called when clients
+  # have data to be processed.
+  #
+  attr_accessor :on_client_data_proc
+  #
+  # This callback procedure can be set and will be called when a client
+  # disconnects from the server.
+  #
+  attr_accessor :on_client_close_proc
+
+  attr_accessor :clients # :nodoc:
+  attr_accessor :listener_thread, :clients_thread # :nodoc:
+  attr_accessor :client_waiter
+
+protected
+
+  #
+  # This method monitors the listener socket for new connections and calls
+  # the +on_client_connect+ callback routine.
+  #
+  def monitor_listener
+
+    while true
+      begin
+        cli = accept
+        if not cli
+          elog("The accept() returned nil in stream server listener monitor:  #{fd.inspect}")
+          ::IO.select(nil, nil, nil, 0.10)
+          next
+        end
+
+        # Append to the list of clients
+        self.clients << cli
+
+        # Initialize the connection processing
+        on_client_connect(cli)
+
+        # Notify the client monitor
+        self.client_waiter.push(cli)
+
+      # Skip exceptions caused by accept() [ SSL ]
+      rescue ::EOFError, ::Errno::ECONNRESET, ::Errno::ENOTCONN, ::Errno::ECONNABORTED
+      rescue ::Interrupt
+        raise $!
+      rescue ::Exception
+        elog("Error in stream server server monitor: #{$!}")
+        rlog(ExceptionCallStack)
+        break
+      end
+    end
+  end
+
+  #
+  # This method monitors client connections for data and calls the
+  # +on_client_data+ routine when new data arrives.
+  #
+  def monitor_clients
+    begin
+
+      # Wait for a notify if our client list is empty
+      if (clients.length == 0)
+        self.client_waiter.pop
+        next
+      end
+
+      sd = SSLScan::ThreadSafe.select(clients, nil, nil, nil)
+
+      sd[0].each { |cfd|
+        begin
+          on_client_data(cfd)
+        rescue ::EOFError, ::Errno::ECONNRESET, ::Errno::ENOTCONN, ::Errno::ECONNABORTED
+          on_client_close(cfd)
+          close_client(cfd)
+        rescue ::Interrupt
+          raise $!
+        rescue ::Exception
+          close_client(cfd)
+          elog("Error in stream server client monitor: #{$!}")
+          rlog(ExceptionCallStack)
+
+        end
+      }
+
+    rescue ::SSLScan::StreamClosedError => e
+      # Remove the closed stream from the list
+      clients.delete(e.stream)
+    rescue ::Interrupt
+      raise $!
+    rescue ::Exception
+      elog("Error in stream server client monitor: #{$!}")
+      rlog(ExceptionCallStack)
+    end while true
+  end
+
+end
+
+end
+end
+

data/lib/ssl_scan/result.rb

@@ -0,0 +1,165 @@
+module SSLScan
+  class Result
+
+    attr_accessor :openssl_sslv2
+
+    attr_reader :ciphers
+    attr_reader :supported_versions
+
+    def initialize()
+      @cert = nil
+      @ciphers = Set.new
+      @supported_versions = [:SSLv2, :SSLv3, :TLSv1]
+    end
+
+    def cert
+      @cert
+    end
+
+    def cert=(input)
+      unless input.kind_of? OpenSSL::X509::Certificate or input.nil?
+        raise ArgumentError, "Must be an X509 Cert!"
+      end
+      @cert = input
+    end
+
+    def sslv2
+      @ciphers.reject{|cipher| cipher[:version] != :SSLv2 }
+    end
+
+    def sslv3
+      @ciphers.reject{|cipher| cipher[:version] != :SSLv3 }
+    end
+
+    def tlsv1
+      @ciphers.reject{|cipher| cipher[:version] != :TLSv1 }
+    end
+
+    def weak_ciphers
+      accepted.reject{|cipher| cipher[:weak] == false }
+    end
+
+    def strong_ciphers
+      accepted.reject{|cipher| cipher[:weak] }
+    end
+
+    # Returns all accepted ciphers matching the supplied version
+    # @param version [Symbol, Array] The SSL Version to filter on
+    # @raise [ArgumentError] if the version supplied is invalid
+    # @return [Array] An array of accepted cipher details matching the supplied versions
+    def accepted(version = :all)
+      enum_ciphers(:accepted, version)
+    end
+
+    # Returns all rejected ciphers matching the supplied version
+    # @param version [Symbol, Array] The SSL Version to filter on
+    # @raise [ArgumentError] if the version supplied is invalid
+    # @return [Array] An array of rejected cipher details matching the supplied versions
+    def rejected(version = :all)
+      enum_ciphers(:rejected, version)
+    end
+
+    def each_accepted(version = :all)
+      accepted(version).each do |cipher_result|
+        yield cipher_result
+      end
+    end
+
+    def each_rejected(version = :all)
+      rejected(version).each do |cipher_result|
+        yield cipher_result
+      end
+    end
+
+    def supports_sslv2?
+      !(accepted(:SSLv2).empty?)
+    end
+
+    def supports_sslv3?
+      !(accepted(:SSLv3).empty?)
+    end
+
+    def supports_tlsv1?
+      !(accepted(:TLSv1).empty?)
+    end
+
+    def supports_ssl?
+      supports_sslv2? or supports_sslv3? or supports_tlsv1?
+    end
+
+    def supports_weak_ciphers?
+      !(weak_ciphers.empty?)
+    end
+
+    def standards_compliant?
+      if supports_ssl?
+        return false if supports_sslv2?
+        return false if supports_weak_ciphers?
+      end
+      true
+    end
+
+    # Adds the details of a cipher test to the Result object.
+    # @param version [Symbol] the SSL Version
+    # @param cipher [String] the SSL cipher
+    # @param key_length [Fixnum] the length of encryption key
+    # @param status [Symbol] :accepted or :rejected
+    def add_cipher(version, cipher, key_length, status)
+      unless @supported_versions.include? version
+        raise ArgumentError, "Must be a supported SSL Version"
+      end
+      unless OpenSSL::SSL::SSLContext.new(version).ciphers.flatten.include? cipher
+        raise ArgumentError, "Must be a valid SSL Cipher for #{version}!"
+      end
+      unless key_length.kind_of? Fixnum
+        raise ArgumentError, "Must supply a valid key length"
+      end
+      unless [:accepted, :rejected].include? status
+        raise ArgumentError, "Status must be either :accepted or :rejected"
+      end
+
+      strong_cipher_ctx = OpenSSL::SSL::SSLContext.new(version)
+      # OpenSSL Directive For Strong Ciphers
+      # See: http://www.rapid7.com/vulndb/lookup/ssl-weak-ciphers
+      strong_cipher_ctx.ciphers = "ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
+
+      if strong_cipher_ctx.ciphers.flatten.include? cipher
+        weak = false
+      else
+        weak = true
+      end
+
+      cipher_details = {:version => version, :cipher => cipher, :key_length => key_length, :weak => weak, :status => status}
+      @ciphers << cipher_details
+    end
+
+    protected
+
+    # @param state [Symbol] Either :accepted or :rejected
+    # @param version [Symbol, Array] The SSL Version to filter on (:SSLv2, :SSLv3, :TLSv1, :all)
+    # @return [Set] The Set of cipher results matching the filter criteria
+    def enum_ciphers(state, version = :all)
+      case version
+      when Symbol
+        case version
+        when :all
+          return @ciphers.select { |cipher| cipher[:status] == state }
+        when :SSLv2, :SSLv3, :TLSv1
+          return @ciphers.select { |cipher| cipher[:status] == state and cipher[:version] == version }
+        else
+          raise ArgumentError, "Invalid SSL Version Supplied: #{version}"
+        end
+      when Array
+        version = version.reject{|v| !(@supported_versions.include? v)}
+        if version.empty?
+          return @ciphers.select{|cipher| cipher[:status] == state}
+        else
+          return @ciphers.select{|cipher| cipher[:status] == state and version.include? cipher[:version]}
+        end
+      else
+        raise ArgumentError, "Was expecting Symbol or Array and got #{version.class}"
+      end
+    end
+
+  end
+end