tlspretense 0.6.1

data/lib/packetthief/handlers.rb

@@ -0,0 +1,14 @@
+require 'eventmachine'
+
+module PacketThief
+  module Handlers
+    autoload :AbstractSSLHandler, 'packetthief/handlers/abstract_ssl_handler'
+    autoload :SSLClient,   'packetthief/handlers/ssl_client'
+    autoload :SSLServer,   'packetthief/handlers/ssl_server'
+    autoload :SSLSmartProxy,        'packetthief/handlers/ssl_smart_proxy'
+    autoload :SSLTransparentProxy,  'packetthief/handlers/ssl_transparent_proxy'
+    autoload :TransparentProxy, 'packetthief/handlers/transparent_proxy'
+    autoload :ProxyRedirector,  'packetthief/handlers/proxy_redirector'
+  end
+end
+

data/lib/packetthief/handlers/abstract_ssl_handler.rb

@@ -0,0 +1,249 @@
+require 'openssl'
+
+module PacketThief
+  module Handlers
+
+    # Parent class for both SSLServer and SSLClient.
+    #
+    # TODO: get_peer_cert, get_peername, etc.
+    class AbstractSSLHandler < ::EM::Connection
+      include Logging
+
+      # The OpenSSL::SSL::SSLContext. Modify this in post_init or in the
+      # initializing code block to add certificates, etc.
+      attr_accessor :ctx
+
+      # The TCPSocket that the SSLSocket will be created from. It is added by
+      # #initialize.
+      attr_accessor :tcpsocket
+
+      # The SSLSocket. It is not available until #tls_begin creates it, after
+      # post_init and the initializing code block.
+      attr_accessor :sslsocket
+
+      # (Used by SSLClient only) The hostname that the SNI TLS extension should
+      # request. Set it in post_init or in the initializing code block --- it
+      # is applied to the SSLSocket during #tls_begin.
+      attr_accessor :sni_hostname
+
+      def initialize(tcpsocket, logger=nil)
+        @logger = logger
+        logdebug "initialize"
+        # Set up initial values
+        @tcpsocket = tcpsocket
+        @ctx = OpenSSL::SSL::SSLContext.new
+
+        @close_after_writing = false
+        @state = :new
+      end
+
+      # Creates _sslsocket_ from _tcpsocket_ and _ctx_, and initializes the
+      # handler's internal state. Called from the class method that creates the
+      # object, after post_init and the optional code block.
+      #
+      # @note (SSLClient only) If @sni_hostname exists on the handler at this
+      # point, it will be added to the SSLSocket in order to enable sending a
+      # hostname in the SNI TLS extension.
+      def tls_begin
+        logdebug "tls begin", :sni_hostname => @sni_hostname
+        @sslsocket = OpenSSL::SSL::SSLSocket.new(@tcpsocket, @ctx)
+        if @sni_hostname
+          if @sslsocket.respond_to? :hostname
+            @sslsocket.hostname = @sni_hostname
+          else
+            logwarn "#{@sslsocket.class} does not support setting an SNI hostname! This requires Ruby 1.9.x built against OpenSSL with SNI support.",
+              :ruby_version => RUBY_VERSION
+          end
+        end
+        @state = :initialized
+      end
+
+      # Calls accept_nonblock/connect_nonblock, read_nonblock, or
+      # write_nonblock based on the current state of the connection.
+      def notify_readable
+        logdebug "notify_readable", :state => @state
+        case @state
+        when :initialized
+          attempt_connection
+        when :ready_to_read
+          attempt_read
+        when :write_needs_to_read
+          attempt_write
+        end
+      end
+
+      # We only care about notify_writable if we are waiting to write for some
+      # reason.
+      def notify_writable
+        logdebug "notify_writable", :state => @state
+        notify_writable = false # disable it now. if we still need it, we'll renabled it.
+        case @state
+        when :initialized
+          attempt_connection
+        when :read_needs_to_write
+          attempt_read
+        when :write_needs_to_write
+          attempt_write
+        end
+
+        # if we waiting to close and are not longer waiting to write, we can flush and close the connection.
+        if @close_after_writing and not notify_writable?
+          @sslsock.flush
+          close_connection
+        end
+      end
+
+      private
+      def attempt_connection
+        begin
+          # Client usess connect_nonblock, while server uses accept_nonblock.
+          connection_action
+          @state = :ready_to_read
+          tls_successful_handshake
+          attempt_write if write_buffer.length > 0
+        rescue IO::WaitReadable
+          # accept_nonblock needs to wait until it can read again.
+          notify_readable = true
+        rescue IO::WaitWritable
+          # accept_nonblock needs to wait until it can write again.
+          notify_writable = true
+        rescue OpenSSL::SSL::SSLError, Errno::ECONNREFUSED => e
+          # ssl handshake failed. Likely due to client rejecting our certificate!
+          tls_failed_handshake(e)
+          close_connection
+        end
+      end
+
+      private
+      def attempt_read
+        begin
+          data = @sslsocket.read_nonblock 4096 # much more than a network packet...
+          receive_data(data)
+          notify_writable = false
+        rescue EOFError, Errno::ECONNRESET
+          # remote closed. time to wrap up
+          close_connection
+        rescue IO::WaitReadable
+          # we had no data to read.
+          notify_readable = true
+        rescue IO::WaitWritable
+          # we ran out of buffer to send (yes, SSLSocket#read_nonblock can
+          # trigger this)
+          @state = :read_needs_to_write
+          notify_writable = true
+        rescue OpenSSL::SSL::SSLError => e
+          logerror "attempt_read: #{e} (#{e.class})"
+          close_connection
+        else
+          @state = :ready_to_read
+        end
+      end
+
+      public
+      def write_buffer
+        @write_buffer ||= ""
+      end
+
+      public
+      def write_buffer=(rhs)
+        @write_buffer = rhs
+      end
+
+      private
+      def attempt_write(data=nil)
+        logdebug "attempt_write"
+        write_buffer << data if data
+        # do not attempt to write until we are ready!
+        return if @state == :initialized or @state == :new
+        begin
+          count_written = @sslsocket.write_nonblock write_buffer
+        rescue IO::WaitWritable
+          notify_writable = true
+        rescue IO::WaitReadable
+          @state = :write_needs_to_read
+        rescue OpenSSL::SSL::SSLError, IOError => e
+          logerror "attempt_write: #{e} (#{e.class})"
+          close_connection
+        else
+          # shrink the buf
+          #
+          # byteslice was added in ruby 1.9.x. in ruby 1.8.7, bytesize is
+          # aliased to length, implying that a character coresponds to a
+          # byte.
+          @write_buffer = if write_buffer.respond_to?(:byteslice)
+                            write_buffer.byteslice(count_written..-1)
+                          else
+                            write_buffer.slice(count_written..-1)
+                          end
+          # if we didn't write everything, wait for writable.
+          notify_writable = true if write_buffer.bytesize > 0
+        end
+      end
+
+      ####
+
+      public
+
+      # Call this to send data to the other end of the connection.
+      def send_data(data)
+        logdebug "send_data:", :data => data
+        attempt_write(data)
+      end
+
+      def close_connection
+        detach
+        @sslsocket.close if @sslsocket and not @sslsocket.closed?
+        @tcpsocket.close if not @tcpsocket.closed?
+#        unbind
+      end
+
+      def close_connection_after_writing
+        @close_after_writing = true
+        # if we aren't waiting to write, then we can flush and close.
+        if not notify_writable?
+          @sslsocket.flush
+          close_connection
+        end
+
+      end
+
+
+      # Note that post_init dos not have access to the _sslsocket_. The
+      # _sslsocket_ is not added until tls_begin is called, after the code
+      # block.
+      #
+      # #post_init gives you a chance to manipulate the SSLContext.
+      def post_init
+      end
+
+
+      # Called right after the SSL handshake succeeds. This is your "new"
+      # #post_init.
+      def tls_successful_handshake
+        logdebug "Succesful handshake!"
+      end
+
+      # Called right after accept_nonblock fails for some unknown reason. The
+      # only parameter contains the OpenSSL::SSL::SSLError object that was
+      # thrown.
+      #
+      # The connection will be closed after this.
+      def tls_failed_handshake(e)
+        logerror "tls_failed_handshake: Failed to accept: #{e} (#{e.class})"
+      end
+
+      # Override this to do something with the unecrypted data.
+      def receive_data(data)
+        logdebug "receive_data:", :data => data
+      end
+
+      # Override this to do something when the socket is finished.
+      def unbind
+        logdebug "unbind"
+      end
+
+    end
+  end
+end
+
+

data/lib/packetthief/handlers/proxy_redirector.rb

@@ -0,0 +1,26 @@
+module PacketThief
+  module Handlers
+
+    # Instead of forwarding the connection to the original host, forwards it to
+    # a configured host instead.
+    class ProxyRedirector < TransparentProxy
+
+      def initialize(proxy_host, proxy_port, log=nil)
+        super(log)
+
+        @proxy_host = proxy_host
+        @proxy_port = proxy_port
+      end
+
+      # Instead of using the original destination, use the configured destination.
+      def client_connected
+        @dest_host = @proxy_host
+        @dest_port = @proxy_port
+        connect_to_dest
+      end
+
+    end
+
+  end
+end
+

data/lib/packetthief/handlers/ssl_client.rb

@@ -0,0 +1,87 @@
+module PacketThief
+  module Handlers
+
+    # Basic SSL/TLS Client built on Ruby's OpenSSL objects instead of on
+    # EventMachine's start_tls. This allows you to manipulate the SSLContext
+    # and other details of the connection that EM normally doesn't let you
+    # touch.
+    #
+    # Subclass it and override any of the methods in the following example to
+    # use the the functionality.
+    #
+    # You can #send_data to send encrypted data to the other side, and
+    # #receive_data will be called when there is data for the handler.
+    #
+    #   EM.run {
+    #     SSLClient.connect "www.isecpartners.com", 443 do |p|
+    #
+    #       # Note: this code block is actually too late to set up a new
+    #       # #post_init since it runs just after post_init. You can use
+    #       # #post_init on a subclass though.
+    #       def p.post_init
+    #         # modify p.ctx to configure your certificates, key, etc.
+    #       end
+    #
+    #       # The following makes more sense for the initialization block.
+    #       h.ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
+    #
+    #       def p.tls_successful_handshake
+    #         # the handshake succeeded
+    #       end
+    #
+    #       def p.tls_failed_handshake(e)
+    #         # the ssl handshake failed, probably due to the client rejecting
+    #         # your certificate. =)
+    #       end
+    #
+    #       def p.unbind
+    #         # unbind handler, called regardless of handshake success
+    #       end
+    #
+    #       def p.receive_data(data)
+    #         # do something with the unencrypted stream
+    #         p.send_data("some message") # data to be encrypted then sent to the client
+    #       end
+    #
+    #     end
+    #   }
+    #
+    # Note: During #initialize and #post_init, this class
+    # does not have access to its socket yet. Instead, use #tls_pre_start or
+    # the code block you pass to .start to initialize the SSLContext, and use
+    # #tls_successful_handshake to do anything once the SSL handshake has
+    # completed.
+    class SSLClient < AbstractSSLHandler
+
+      def self.connect(host, port, *args, &block)
+        ssl_class = self
+
+        sock = TCPSocket.new host, port
+
+        ::EM.watch sock, ssl_class, sock, *args do |h|
+          h.notify_readable = true
+#          h.notify_writable = true
+          block.call(h) if block
+          h.tls_begin
+        end
+      end
+
+      ####
+
+      private
+      # SSLClient uses connect_nonblock instead of accept_nonblock.
+      def connection_action
+        @sslsocket.connect_nonblock
+      end
+
+      ####
+
+      public
+      def tls_begin
+        super
+        attempt_connection
+      end
+
+    end
+  end
+end

data/lib/packetthief/handlers/ssl_server.rb

@@ -0,0 +1,174 @@
+module PacketThief
+  module Handlers
+
+    # Basic SSL/TLS Server built on Ruby's OpenSSL objects instead of on
+    # EventMachine's start_tls. This allows you to manipulate the SSLContext
+    # and other details of the connection that EM normally doesn't let you
+    # touch.
+    #
+    # Subclass it and override any of the methods in the following example to
+    # use the the functionality.
+    #
+    # You can #send_data to send encrypted data to the other side, and
+    # #receive_data will be called when there is data for the handler.
+    #
+    #   EM.run {
+    #     # Leave the hostname blank for Linux's netfilter.
+    #     SSLServer.start '', 54321 do |p|
+    #
+    #       # Note: this code block is actually too late to set up a new
+    #       # #post_init since it runs just after post_init. Instead, you would
+    #       # use post_init in a subclass.
+    #       def p.post_init
+    #         # modify p.ctx to configure your certificates, key, etc.
+    #       end
+    #
+    #       # In this example, the following would work in this initialization
+    #       # block:
+    #       h.ctx.cert = cert
+    #       h.ctx.extra_chain_cert = chain
+    #       h.ctx.key = key
+    #
+    #       def servername_cb(sock, hostname)
+    #         # implement your own SNI handling callback. The default will
+    #         # return the originally configured context.
+    #       end
+    #
+    #       def p.tls_successful_handshake
+    #         # the handshake succeeded
+    #       end
+    #
+    #       def p.tls_failed_handshake(e)
+    #         # the ssl handshake failed, probably due to the client rejecting
+    #         # your certificate. =)
+    #       end
+    #
+    #       def p.unbind
+    #         # unbind handler, called regardless of handshake success
+    #       end
+    #
+    #       def p.receive_data(data)
+    #         # do something with the unencrypted stream
+    #         p.send_data("some message") # data to be encrypted then sent to the client
+    #       end
+    #
+    #     end
+    #   }
+    #
+    # Note: During #initialize and #post_init, this class
+    # does not have access to its socket yet. Instead, use #tls_pre_start or
+    # the code block you pass to .start to initialize the SSLContext, and use
+    # #tls_post_accept to do anything once the SSL handshake has completed. You
+    # can also override #servername_cb to perform the SNI callback.
+    class SSLServer < AbstractSSLHandler
+
+      # reference to the InitialServer that created the current handler. exists
+      # so you can call #stop_server or do something else to it directly.
+      attr_accessor :server_handler
+
+      def self.start(host, port, *args, &block)
+        ssl_class = self
+
+        serv = TCPServer.new host, port
+
+        # We use InitialServer to listen for incoming connections. It will then
+        # create the actual SSLServer.
+        initialserver = ::EM.watch serv, InitialServer, serv, ssl_class, args, block do |h|
+          h.notify_readable = true
+        end
+
+        initialserver
+      end
+
+      ####
+
+      # Handles the initial listening socket. We can't seem to use
+      # EM.start_server -> EM.detach -> em.watch without triggering
+      # (in EventMachine 1.0.0):
+      #
+      #   Assertion failed: (sd != INVALID_SOCKET), function _RunSelectOnce, file em.cpp, line 893.
+      #
+      # So we handle the server muckery ourselves.
+      module InitialServer
+        include Logging
+
+        def initialize(servsocket, ssl_class, args, block)
+          @servsocket = servsocket
+          @ssl_class = ssl_class
+          @args = args
+          @block = block
+        end
+
+        def notify_readable
+          logdebug "(#{@ssl_class}): Received a new connection, spawning a #{@ssl_class}"
+          sock = @servsocket.accept_nonblock
+
+          ::EM.watch sock, @ssl_class, sock, *@args, @logger do |h|
+            logdebug "after initialize"
+            h.server_handler = self
+            h.notify_readable = true
+            h.logger = @logger
+            # Now call the caller's block.
+            @block.call(h) if @block
+            # And finally finish initialization by applying the context to an
+            # SSLSocket, and setting the internal state.
+            h.tls_begin unless h.tcpsocket.closed?
+          end
+
+        end
+
+        def notify_writable
+          logdebug "(#{@ssl_class}): Server socket notify writable"
+        end
+
+        # This must be called explicitly. EM doesn't seem to have a callback for when the EM::run call ends.
+        def stop_server
+          unless @servsocket.closed?
+            detach
+            @servsocket.close
+          end
+        end
+
+        def unbind
+          logdebug "(#{@ssl_class}): Stopping server socket"
+        end
+      end
+
+      ####
+
+      private
+      # SSLServer uses accept_nonblock instead of connect_nonblock.
+      def connection_action
+        @sslsocket.accept_nonblock
+      end
+
+      ####
+
+      public
+      def initialize(tcpsocket,logger=nil)
+        super(tcpsocket, logger)
+        @ctx.servername_cb = proc {|sslsocket, hostname| self.servername_cb(sslsocket, hostname) }
+      end
+
+
+      # Called when the client sends a hostname using the SNI TLS extension.
+      #
+      # This method should return an OpenSSL::SSL::SSLContext. It gives you an
+      # opportunity to pick or generate a different server certificate or
+      # certificate chain based on the hostname requested by the client.
+      #
+      # The default implementation does nothing by just returning the original
+      # SSLContext.
+      def servername_cb(sslsock, hostname)
+        sslsock.context
+      end
+
+      # Stops the InitialListener sever handler that spawned this handler. Due
+      # to our use of EM.watch, we can't rely on EM to close the socket.
+      def stop_server
+        @server_handler.stop_server
+      end
+
+    end
+  end
+end