ssl_scan 0.0.1

data/lib/ssl_scan/socket/ssl_tcp.rb

@@ -0,0 +1,345 @@
+# -*- coding: binary -*-
+require 'ssl_scan/socket'
+###
+#
+# This class provides methods for interacting with an SSL TCP client
+# connection.
+#
+###
+module SSLScan::Socket::SslTcp
+
+begin
+  @@loaded_openssl = false
+
+  begin
+    require 'openssl'
+    @@loaded_openssl = true
+    require 'openssl/nonblock'
+  rescue ::Exception
+  end
+
+
+  include SSLScan::Socket::Tcp
+
+  ##
+  #
+  # Factory
+  #
+  ##
+
+  #
+  # Creates an SSL TCP instance.
+  #
+  def self.create(hash = {})
+    raise RuntimeError, "No OpenSSL support" if not @@loaded_openssl
+    hash['SSL'] = true
+    self.create_param(SSLScan::Socket::Parameters.from_hash(hash))
+  end
+
+  #
+  # Set the SSL flag to true and call the base class's create_param routine.
+  #
+  def self.create_param(param)
+    param.ssl   = true
+    SSLScan::Socket::Tcp.create_param(param)
+  end
+
+  ##
+  #
+  # Class initialization
+  #
+  ##
+
+  #
+  # Initializes the SSL socket.
+  #
+  def initsock(params = nil)
+    super
+
+    version = :SSLv3
+    if(params)
+      case params.ssl_version
+      when 'SSL2', :SSLv2
+        version = :SSLv2
+      when 'SSL23', :SSLv23
+        version = :SSLv23
+      when 'TLS1', :TLSv1
+        version = :TLSv1
+      end
+    end
+
+    # Build the SSL connection
+    self.sslctx  = OpenSSL::SSL::SSLContext.new(version)
+
+    # Configure the SSL context
+    # TODO: Allow the user to specify the verify mode callback
+    # Valid modes:
+    #  VERIFY_CLIENT_ONCE
+    #  VERIFY_FAIL_IF_NO_PEER_CERT
+    #  VERIFY_NONE
+    #  VERIFY_PEER
+    if params.ssl_verify_mode
+      self.sslctx.verify_mode = OpenSSL::SSL.const_get("VERIFY_#{params.ssl_verify_mode}".intern)
+    else
+      # Could also do this as graceful faildown in case a passed verify_mode is not supported
+      self.sslctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    end
+    self.sslctx.options = OpenSSL::SSL::OP_ALL
+    if params.ssl_cipher
+      self.sslctx.ciphers = params.ssl_cipher
+    end
+
+    # Set the verification callback
+    self.sslctx.verify_callback = Proc.new do |valid, store|
+      self.peer_verified = valid
+      true
+    end
+
+    # Tie the context to a socket
+    self.sslsock = OpenSSL::SSL::SSLSocket.new(self, self.sslctx)
+
+    # XXX - enabling this causes infinite recursion, so disable for now
+    # self.sslsock.sync_close = true
+
+
+    # Force a negotiation timeout
+    begin
+    Timeout.timeout(params.timeout) do
+      if not allow_nonblock?
+        self.sslsock.connect
+      else
+        begin
+          self.sslsock.connect_nonblock
+        # Ruby 1.8.7 and 1.9.0/1.9.1 uses a standard Errno
+        rescue ::Errno::EAGAIN, ::Errno::EWOULDBLOCK
+            IO::select(nil, nil, nil, 0.10)
+            retry
+
+        # Ruby 1.9.2+ uses IO::WaitReadable/IO::WaitWritable
+        rescue ::Exception => e
+          if ::IO.const_defined?('WaitReadable') and e.kind_of?(::IO::WaitReadable)
+            IO::select( [ self.sslsock ], nil, nil, 0.10 )
+            retry
+          end
+
+          if ::IO.const_defined?('WaitWritable') and e.kind_of?(::IO::WaitWritable)
+            IO::select( nil, [ self.sslsock ], nil, 0.10 )
+            retry
+          end
+
+          raise e
+        end
+      end
+    end
+
+    rescue ::Timeout::Error
+      raise SSLScan::ConnectionTimeout.new(params.peerhost, params.peerport)
+    end
+  end
+
+  ##
+  #
+  # Stream mixin implementations
+  #
+  ##
+
+  #
+  # Writes data over the SSL socket.
+  #
+  def write(buf, opts = {})
+    return sslsock.write(buf) if not allow_nonblock?
+
+    total_sent   = 0
+    total_length = buf.length
+    block_size   = 16384
+    retry_time   = 0.5
+
+    begin
+      while( total_sent < total_length )
+        s = SSLScan::ThreadSafe.select( nil, [ self.sslsock ], nil, 0.25 )
+        if( s == nil || s[0] == nil )
+          next
+        end
+        data = buf[total_sent, block_size]
+        sent = sslsock.write_nonblock( data )
+        if sent > 0
+          total_sent += sent
+        end
+      end
+
+    rescue ::IOError, ::Errno::EPIPE
+      return nil
+
+    # Ruby 1.8.7 and 1.9.0/1.9.1 uses a standard Errno
+    rescue ::Errno::EAGAIN, ::Errno::EWOULDBLOCK
+      # Sleep for a half a second, or until we can write again
+      SSLScan::ThreadSafe.select( nil, [ self.sslsock ], nil, retry_time )
+      # Decrement the block size to handle full sendQs better
+      block_size = 1024
+      # Try to write the data again
+      retry
+
+    # Ruby 1.9.2+ uses IO::WaitReadable/IO::WaitWritable
+    rescue ::Exception => e
+      if ::IO.const_defined?('WaitReadable') and e.kind_of?(::IO::WaitReadable)
+        IO::select( [ self.sslsock ], nil, nil, retry_time )
+        retry
+      end
+
+      if ::IO.const_defined?('WaitWritable') and e.kind_of?(::IO::WaitWritable)
+        IO::select( nil, [ self.sslsock ], nil, retry_time )
+        retry
+      end
+
+      # Another form of SSL error, this is always fatal
+      if e.kind_of?(::OpenSSL::SSL::SSLError)
+        return nil
+      end
+
+      # Bubble the event up to the caller otherwise
+      raise e
+    end
+
+    total_sent
+  end
+
+  #
+  # Reads data from the SSL socket.
+  #
+  def read(length = nil, opts = {})
+    if not allow_nonblock?
+      length = 16384 unless length
+      begin
+        return sslsock.sysread(length)
+      rescue ::IOError, ::Errno::EPIPE, ::OpenSSL::SSL::SSLError
+        return nil
+      end
+      return
+    end
+
+
+    begin
+      while true
+        s = SSLScan::ThreadSafe.select( [ self.sslsock ], nil, nil, 0.10 )
+        if( s == nil || s[0] == nil )
+          next
+        end
+        return sslsock.read_nonblock( length )
+      end
+
+    rescue ::IOError, ::Errno::EPIPE
+      return nil
+
+    # Ruby 1.8.7 and 1.9.0/1.9.1 uses a standard Errno
+    rescue ::Errno::EAGAIN, ::Errno::EWOULDBLOCK
+      # Sleep for a tenth a second, or until we can read again
+      SSLScan::ThreadSafe.select( [ self.sslsock ], nil, nil, 0.10 )
+      # Decrement the block size to handle full sendQs better
+      block_size = 1024
+      # Try to write the data again
+      retry
+
+    # Ruby 1.9.2+ uses IO::WaitReadable/IO::WaitWritable
+    rescue ::Exception => e
+      if ::IO.const_defined?('WaitReadable') and e.kind_of?(::IO::WaitReadable)
+        IO::select( [ self.sslsock ], nil, nil, 0.5 )
+        retry
+      end
+
+      if ::IO.const_defined?('WaitWritable') and e.kind_of?(::IO::WaitWritable)
+        IO::select( nil, [ self.sslsock ], nil, 0.5 )
+        retry
+      end
+
+      # Another form of SSL error, this is always fatal
+      if e.kind_of?(::OpenSSL::SSL::SSLError)
+        return nil
+      end
+
+      raise e
+    end
+
+  end
+
+
+  #
+  # Closes the SSL socket.
+  #
+  def close
+    sslsock.close rescue nil
+    super
+  end
+
+  #
+  # Ignore shutdown requests
+  #
+  def shutdown(how=0)
+    # Calling shutdown() on an SSL socket can lead to bad things
+    # Cause of http://metasploit.com/dev/trac/ticket/102
+  end
+
+  #
+  # Access to peer cert
+  #
+  def peer_cert
+    sslsock.peer_cert if sslsock
+  end
+
+  #
+  # Access to peer cert chain
+  #
+  def peer_cert_chain
+    sslsock.peer_cert_chain if sslsock
+  end
+
+  #
+  # Access to the current cipher
+  #
+  def cipher
+    sslsock.cipher if sslsock
+  end
+
+  #
+  # Prevent a sysread from the bare socket
+  #
+  def sysread(*args)
+    raise RuntimeError, "Invalid sysread() call on SSL socket"
+  end
+
+  #
+  # Prevent a sysread from the bare socket
+  #
+  def syswrite(*args)
+    raise RuntimeError, "Invalid syswrite() call on SSL socket"
+  end
+
+  #
+  # This flag determines whether to use the non-blocking openssl
+  # API calls when they are available. This is still buggy on
+  # Linux/Mac OS X, but is required on Windows
+  #
+  def allow_nonblock?
+    avail = self.sslsock.respond_to?(:accept_nonblock)
+    if avail and SSLScan::Compat.is_windows
+      return true
+    end
+    false
+  end
+
+  attr_reader :peer_verified # :nodoc:
+  attr_accessor :sslsock, :sslctx # :nodoc:
+
+protected
+
+  attr_writer :peer_verified # :nodoc:
+
+
+rescue LoadError
+end
+
+  def type?
+    return 'tcp-ssl'
+  end
+
+end
+

data/lib/ssl_scan/socket/ssl_tcp_server.rb

@@ -0,0 +1,188 @@
+# -*- coding: binary -*-
+require 'ssl_scan/socket'
+require 'ssl_scan/socket/tcp_server'
+require 'ssl_scan/io/stream_server'
+
+###
+#
+# This class provides methods for interacting with an SSL wrapped TCP server.  It
+# implements the StreamServer IO interface.
+#
+###
+module SSLScan::Socket::SslTcpServer
+
+  @@loaded_openssl = false
+
+  begin
+    require 'openssl'
+    @@loaded_openssl = true
+    require 'openssl/nonblock'
+  rescue ::Exception
+  end
+
+  include SSLScan::Socket::TcpServer
+
+  ##
+  #
+  # Factory
+  #
+  ##
+
+  def self.create(hash = {})
+    hash['Proto']  = 'tcp'
+    hash['Server'] = true
+    hash['SSL']    = true
+    self.create_param(SSLScan::Socket::Parameters.from_hash(hash))
+  end
+
+  #
+  # Wrapper around the base class' creation method that automatically sets
+  # the parameter's protocol to TCP and sets the server flag to true.
+  #
+  def self.create_param(param)
+    param.proto  = 'tcp'
+    param.server = true
+    param.ssl    = true
+    SSLScan::Socket.create_param(param)
+  end
+
+  def initsock(params = nil)
+    raise RuntimeError, "No OpenSSL support" if not @@loaded_openssl
+    self.sslctx  = makessl(params)
+    super
+  end
+
+  # (see TcpServer#accept)
+  def accept(opts = {})
+    sock = super()
+    return if not sock
+
+    begin
+      ssl = OpenSSL::SSL::SSLSocket.new(sock, self.sslctx)
+
+      if not allow_nonblock?(ssl)
+        ssl.accept
+      else
+        begin
+          ssl.accept_nonblock
+
+        # Ruby 1.8.7 and 1.9.0/1.9.1 uses a standard Errno
+        rescue ::Errno::EAGAIN, ::Errno::EWOULDBLOCK
+            IO::select(nil, nil, nil, 0.10)
+            retry
+
+        # Ruby 1.9.2+ uses IO::WaitReadable/IO::WaitWritable
+        rescue ::Exception => e
+          if ::IO.const_defined?('WaitReadable') and e.kind_of?(::IO::WaitReadable)
+            IO::select( [ ssl ], nil, nil, 0.10 )
+            retry
+          end
+
+          if ::IO.const_defined?('WaitWritable') and e.kind_of?(::IO::WaitWritable)
+            IO::select( nil, [ ssl ], nil, 0.10 )
+            retry
+          end
+
+          raise e
+        end
+      end
+
+      sock.extend(SSLScan::Socket::SslTcp)
+      sock.sslsock = ssl
+      sock.sslctx  = self.sslctx
+
+      return sock
+
+    rescue ::OpenSSL::SSL::SSLError
+      sock.close
+      nil
+    end
+  end
+
+
+  #
+  # Create a new ssl context.  If +ssl_cert+ is not given, generates a new
+  # key and a leaf certificate with random values.
+  #
+  # @param [SSLScan::Socket::Parameters] params
+  # @return [::OpenSSL::SSL::SSLContext]
+  def makessl(params)
+    ssl_cert = params.ssl_cert
+    if ssl_cert
+      cert = OpenSSL::X509::Certificate.new(ssl_cert)
+      key = OpenSSL::PKey::RSA.new(ssl_cert)
+    else
+      key = OpenSSL::PKey::RSA.new(1024){ }
+      cert = OpenSSL::X509::Certificate.new
+      cert.version = 2
+      cert.serial = rand(0xFFFFFFFF)
+      # name = OpenSSL::X509::Name.new([["C","JP"],["O","TEST"],["CN","localhost"]])
+      subject = OpenSSL::X509::Name.new([
+          ["C","US"],
+          ['ST', SSLScan::Text.rand_state()],
+          ["L", SSLScan::Text.rand_text_alpha(rand(20) + 10)],
+          ["O", SSLScan::Text.rand_text_alpha(rand(20) + 10)],
+          ["CN", SSLScan::Text.rand_hostname],
+        ])
+      issuer = OpenSSL::X509::Name.new([
+          ["C","US"],
+          ['ST', SSLScan::Text.rand_state()],
+          ["L", SSLScan::Text.rand_text_alpha(rand(20) + 10)],
+          ["O", SSLScan::Text.rand_text_alpha(rand(20) + 10)],
+          ["CN", SSLScan::Text.rand_hostname],
+        ])
+
+      cert.subject = subject
+      cert.issuer = issuer
+      cert.not_before = Time.now - (3600 * 365)
+      cert.not_after = Time.now + (3600 * 365)
+      cert.public_key = key.public_key
+      ef = OpenSSL::X509::ExtensionFactory.new(nil,cert)
+      cert.extensions = [
+        ef.create_extension("basicConstraints","CA:FALSE"),
+        ef.create_extension("subjectKeyIdentifier","hash"),
+        ef.create_extension("extendedKeyUsage","serverAuth"),
+        ef.create_extension("keyUsage","keyEncipherment,dataEncipherment,digitalSignature")
+      ]
+      ef.issuer_certificate = cert
+      cert.add_extension ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
+      cert.sign(key, OpenSSL::Digest::SHA1.new)
+    end
+
+    ctx = OpenSSL::SSL::SSLContext.new()
+    ctx.key = key
+    ctx.cert = cert
+    ctx.options = 0
+
+
+    # Older versions of OpenSSL do not export the OP_NO_COMPRESSION symbol
+    if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
+      # enable/disable the SSL/TLS-level compression
+      if params.ssl_compression
+        ctx.options &= ~OpenSSL::SSL::OP_NO_COMPRESSION
+      else
+        ctx.options |= OpenSSL::SSL::OP_NO_COMPRESSION
+      end
+    end
+
+    ctx.session_id_context = SSLScan::Text.rand_text(16)
+
+    return ctx
+  end
+
+  #
+  # This flag determines whether to use the non-blocking openssl
+  # API calls when they are available. This is still buggy on
+  # Linux/Mac OS X, but is required on Windows
+  #
+  def allow_nonblock?(sock=self.sock)
+    avail = sock.respond_to?(:accept_nonblock)
+    if avail and SSLScan::Compat.is_windows
+      return true
+    end
+    false
+  end
+
+  attr_accessor :sslctx
+end
+

data/lib/ssl_scan/socket/subnet_walker.rb

@@ -0,0 +1,76 @@
+# -*- coding: binary -*-
+require 'ssl_scan/socket'
+
+module SSLScan
+module Socket
+
+###
+#
+# This class provides an interface to enumerating a subnet with a supplied
+# netmask.
+#
+###
+class SubnetWalker
+
+  #
+  # Initializes a subnet walker instance using the supplied subnet
+  # information.
+  #
+  def initialize(subnet, netmask)
+    self.subnet  = Socket.resolv_to_dotted(subnet)
+    self.netmask = Socket.resolv_to_dotted(netmask)
+
+    reset
+  end
+
+  #
+  # Resets the subnet walker back to its original state.
+  #
+  def reset
+    self.curr_ip     = self.subnet.split('.')
+    self.num_ips     = (1 << (32 - Socket.net2bitmask(self.netmask).to_i))
+    self.curr_ip_idx = 0
+  end
+
+  #
+  # Returns the next IP address.
+  #
+  def next_ip
+    if (curr_ip_idx >= num_ips)
+      return nil
+    end
+
+    if (curr_ip_idx > 0)
+      self.curr_ip[3] = (curr_ip[3].to_i + 1) % 256
+      self.curr_ip[2] = (curr_ip[2].to_i + 1) % 256 if (curr_ip[3] == 0)
+      self.curr_ip[1] = (curr_ip[1].to_i + 1) % 256 if (curr_ip[2] == 0)
+      self.curr_ip[0] = (curr_ip[0].to_i + 1) % 256 if (curr_ip[1] == 0)
+    end
+
+    self.curr_ip_idx += 1
+
+    self.curr_ip.join('.')
+  end
+
+  #
+  # The subnet that is being enumerated.
+  #
+  attr_reader :subnet
+  #
+  # The netmask of the subnet.
+  #
+  attr_reader :netmask
+  #
+  # The total number of IPs within the subnet.
+  #
+  attr_reader :num_ips
+
+protected
+
+  attr_writer   :subnet, :netmask, :num_ips # :nodoc:
+  attr_accessor :curr_ip, :curr_ip_idx # :nodoc:
+
+end
+
+end
+end