tlspretense 0.6.1

data/lib/packetthief/handlers/ssl_smart_proxy.rb

@@ -0,0 +1,143 @@
+module PacketThief
+  module Handlers
+
+    # This SSL proxy needs a CA certificate (or chain) and private key. It then
+    # uses that information to automatically generate host certificates. It
+    # creates a host certificate by performing a pre-flight request to the
+    # original destination to get its certificate. It then doctors that
+    # certificate so that it's keypair is the supplied keypair, and so that it
+    # appears to be issued by the CA or last CA in the chain. Note that the
+    # supplied key must correspond to the last signing certificate, and that
+    # the key will be used as the doctored certificate's new key.
+    class SSLSmartProxy < SSLTransparentProxy
+
+      # How long to wait before giving up on a preflight request. Defaults to 5
+      # seconds.
+      attr_accessor :preflight_timeout
+
+      def initialize(tcpsocket, ca_chain, key, logger=nil)
+        super(tcpsocket, logger)
+
+        @preflight_timeout = 5
+        if ca_chain.kind_of? Array
+          @ca_chain = ca_chain
+        else
+          @ca_chain = [ca_chain]
+        end
+        @key = key
+
+        begin
+          # preflight the original destination.
+          @ctx.cert = lookup_cert
+          @ctx.extra_chain_cert = @ca_chain
+          @ctx.key = @key
+        rescue OpenSSL::SSL::SSLError, Errno::ECONNREFUSED, Errno::ETIMEDOUT => e
+          logerror "initialize: Failed to look up cert", :error => e
+          close_connection
+        end
+      end
+
+#      def client_connected
+#        # don't try to connect to dest here.
+#      end
+#
+
+      def servername_cb(sslsock, hostname)
+        super
+        newctx = sslsock.context.dup
+        newctx.cert = lookup_cert(hostname)
+        newctx.extra_chain_cert = @ca_chain
+        newctx.key = @key
+        newctx
+      end
+
+      # Requests a certificate from the original destination.
+      def preflight_for_cert(hostname=nil)
+        logdebug "prefilight for: #{hostname}"
+        begin
+          pfctx = OpenSSL::SSL::SSLContext.new
+          pfctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
+          # Try to use a non-blocking Socket to create a short timeout.
+          pfs = Socket.new(:AF_INET, :SOCK_STREAM)
+          begin
+            pfs.connect_nonblock(Socket.sockaddr_in(dest_port, dest_host))
+          rescue Errno::EINPROGRESS
+            IO.select(nil, [pfs], nil, preflight_timeout) or raise Errno::ETIMEDOUT, "Connection to #{dest_host}:#{dest_port} timed out after #{preflight_timeout} seconds"
+          end
+          logdebug "preflight tcp socket connected"
+          pfssl = OpenSSL::SSL::SSLSocket.new(pfs, pfctx)
+          pfssl.hostname = hostname if hostname and pfssl.respond_to? :hostname
+          begin
+            pfssl.connect_nonblock
+          rescue IO::WaitReadable, IO::WaitWritable
+            IO.select([pfssl],[pfssl],nil,preflight_timeout) or raise Errno::ETIMEDOUT, "SSL handshake to #{dest_host}:#{dest_port} timed out #{preflight_timeout} seconds"
+            retry
+          end
+          logdebug "preflight complete"
+          return pfssl.peer_cert
+        rescue OpenSSL::SSL::SSLError, Errno::ECONNREFUSED, Errno::ETIMEDOUT => e
+          logerror "Error during preflight SSL connection: #{e} (#{e.class})"
+          raise
+        ensure
+          pfssl.close if pfssl
+        end
+      end
+
+
+      # Replace the issuer, the public key, and the signature.
+      def doctor_cert(oldcert, cacert, key)
+        newcert = oldcert.dup
+        newcert.issuer = cacert.subject
+        newcert.public_key = key.public_key
+
+        exts = newcert.extensions.dup
+        exts.each_index do |i|
+          if exts[i].oid == "authorityKeyIdentifier"
+            ef = OpenSSL::X509::ExtensionFactory.new
+            ef.subject_certificate = newcert
+            ef.issuer_certificate = cacert
+            newe = ef.create_ext_from_string("authorityKeyIdentifier=keyid:always")
+            exts[i] = newe
+          end
+        end
+        newcert.extensions = exts
+
+        sigalg = case newcert.signature_algorithm
+        when /MD5/i
+          OpenSSL::Digest::MD5.new
+        when /SHA1/i
+          OpenSSL::Digest::SHA1.new
+        when /SHA256/i
+          OpenSSL::Digest::SHA256.new
+        else
+          raise "Unsupported signing algorithm: #{@ctx.cert.signing_algorithm}"
+        end
+        newcert.sign(key, sigalg)
+        return newcert
+      end
+
+      # Check a class-level cache for an existing doctored certificate that
+      # corresponds to the requested hostname (IP address for non-SNI or
+      # pre-SNI lookup, and hostnames from SNI lookup).
+      def lookup_cert(hostname=nil)
+        @@certcache ||= {}
+
+        if hostname
+          cachekey = "#{hostname}:#{dest_port}"
+        else
+          cachekey = "#{dest_host}:#{dest_port}"
+        end
+
+        unless @@certcache.has_key? cachekey
+          logdebug "lookup_cert: cache miss, looking up and doctoring actual cert", :dest => cachekey
+          @@certcache[cachekey] = doctor_cert(preflight_for_cert(hostname), @ca_chain[0], @key)
+        else
+          logdebug "lookup_cert: cache hit", :dest => cachekey
+        end
+        logdebug "lookup_cert: returning", :subject => @@certcache[cachekey].subject
+        @@certcache[cachekey]
+      end
+
+    end
+  end
+end

data/lib/packetthief/handlers/ssl_transparent_proxy.rb

@@ -0,0 +1,225 @@
+module PacketThief
+  module Handlers
+
+    # Provides a transparent proxy for any TCP connection.
+    class SSLTransparentProxy < SSLServer
+
+      # Represents a connection out to the original destination.
+      class SSLProxyConnection < SSLClient
+        # Boolean that represents whether this handler has started to
+        # close/unbind. Used to ensure there is no unbind-loop between the two
+        # connections that make up the proxy.
+        attr_accessor :closed
+
+        # Boolean that represents whether the connection has connected yet.
+        attr_accessor :connected
+
+        # Sets up references to the client proxy connection handler that created
+        # this handler.
+        def initialize(tcpsocket, client_conn, ctx)
+          super(tcpsocket)
+          @client = client_conn
+          @ctx = ctx
+
+          @connected = false
+          @closed = false
+          sni_hostname = @client.dest_hostname if @client.dest_hostname
+        end
+
+        # send on successful handshake instead of on post_init.
+        def tls_successful_handshake
+          @client.dest_connected
+          @client._send_buffer
+        end
+
+        def tls_failed_handshake(e)
+          @client.dest_handshake_failed(e)
+        end
+
+        # Transmit data sent by the destinaton to the client.
+        def receive_data(data)
+          @client.dest_recv(data)
+        end
+
+        # Start the closing process and close the other connection if it is not
+        # already closing.
+        def unbind
+          @client.dest_closed
+          self.closed = true
+          @client.dest = nil
+          @client.close_connection_after_writing if @client and not @client.closed
+        end
+
+      end
+
+      # This holds a reference to the connection to the destination. If it is
+      # null, it hasn't been created yet.
+      attr_accessor :dest
+
+      # This holds a reference to the connection to the client. It is actually
+      # self.
+      attr_accessor :client
+
+      attr_reader :client_host, :client_port
+
+      # Override these before connecting to dest to change the dest connection.
+      attr_accessor :dest_host, :dest_port
+
+      # An internal buffer of packet data received from the client. It will grow until
+      # the destination connection connects.
+      attr_accessor :buffer
+
+      # Boolean that represents whether this handler has started to
+      # close/unbind. Used to ensure there is no unbind-loop between the two
+      # connections that make up the proxy.
+      attr_accessor :closed
+
+      # If a client specifies a TLS hostname extension (SNI) as the hostname,
+      # then we can forward that fact on to the real server. We can also use it
+      # to choose a certificate to present.
+      attr_accessor :dest_hostname
+
+      # The SSLContext that will be used on the connection to the destination.
+      # Initially, its verify_mode is set to OpenSSL::SSL::VERIFY_NONE.
+      attr_accessor :dest_ctx
+
+      def initialize(tcpsocket, logger=nil)
+        super
+        @closed = false
+
+        @client = self
+        @dest = nil
+
+        @buffer = []
+        @@activeconns ||= {}
+
+        @client_port, @client_host = Socket.unpack_sockaddr_in(get_peername)
+        @dest_port, @dest_host = PacketThief.original_dest(self)
+
+        if @@activeconns.has_key? "#{client_host}:#{client_port}"
+          logwarn "loop detected! Stopping the loop."
+          close_connection
+          return
+        end
+
+        @dest_ctx = OpenSSL::SSL::SSLContext.new
+        @dest_ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
+
+      end
+
+      # Just calls client_connected to keep things straightforward.
+      def tls_successful_handshake
+        client_connected
+      end
+
+      def receive_data(data)
+        client_recv data
+      end
+
+      # Start the closing process and close the other connection if it is not
+      # already closing.
+      def unbind
+        client_closed
+        @@activeconns.delete "#{client_host}:#{client_port}"
+        self.closed = true
+#        @dest.client = nil if @dest
+        @dest.close_connection_after_writing if @dest and not @dest.closed
+      end
+
+      # Initiate the connection to @dest_host:@dest_port.
+      def connect_to_dest
+        return if @dest
+        @dest = SSLProxyConnection.connect(@dest_host, @dest_port, self, @dest_ctx)
+        newport, newhost = Socket::unpack_sockaddr_in(@dest.get_sockname)
+        # Add the new connection to the list to prevent loops.
+        @@activeconns["#{newhost}:#{newport}"] = "#{dest_host}:#{dest_port}"
+      end
+
+      def _send_buffer
+        @buffer.each do |pkt|
+          @dest.send_data pkt
+        end
+        @buffer = []
+      end
+
+
+      # Queues up data to send to the remote host, only sending it if the
+      # connection to the remote host exists.
+      def send_to_dest(data)
+        @buffer << data
+        _send_buffer if @dest
+      end
+
+      # Sends data back to the client
+      def send_to_client(data)
+        send_data data
+      end
+
+      # Returns the certificate chain for the destination, or nil if the
+      # destination connection does not exist yet.
+      def dest_cert_chain
+        return @dest.sslsocket.peer_cert_chain if @dest
+        nil
+      end
+
+      #### Callbacks
+
+      # Set _dest_hostname_ in addition to the default behavior.
+      def servername_cb(sslsock, hostname)
+        @dest_hostname = hostname
+
+        super(sslsock, hostname)
+      end
+
+      # This method is called when a client connects, and the TLS handhsake has
+      # completed. The default behavior is to begin initating the connection to
+      # the original destination. Override this method to change its behavior.
+      def client_connected
+        connect_to_dest
+      end
+
+      # This method is called when the TLS handshake between the client and the
+      # proxy fails. It does nothing by default.
+      def client_handshake_failed
+      end
+
+      # This method is called when the proxy receives data from the client
+      # connection. The default behavior is to call send_to_dest(data) in order
+      # to foward the data on to the original destination. Override this method
+      # to analyze the data, or modify it before sending it on.
+      def client_recv(data)
+        send_to_dest data
+      end
+
+      # Called when the client connection closes. At present, it only provides
+      # informational utility.
+      def client_closed
+      end
+
+      # Called when the connection to and the TLS handshake between the proxy
+      # and the destination succeeds. The default behavior does nothing.
+      def dest_connected
+      end
+
+      # Called when the TLS handshake between the proxy and the destination
+      # fails.
+      def dest_handshake_failed(e)
+      end
+
+      # Called when the proxy receives data from the destination connection.
+      # The default behavior calls #dest_recv() to send the data to the client.
+      #
+      # Override it to analyze or modify the data.
+      def dest_recv(data)
+        send_to_client data
+      end
+
+      # Called when the original destination connection closes. At present, it only provides
+      # informational utility.
+      def dest_closed
+      end
+
+    end
+
+  end
+end

data/lib/packetthief/handlers/transparent_proxy.rb

@@ -0,0 +1,183 @@
+module PacketThief
+  module Handlers
+
+    # Provides a transparent proxy for any TCP connection.
+    class TransparentProxy < ::EM::Connection
+      include Logging
+
+      # Represents a connection out to the original destination.
+      module ProxyConnection
+        # Boolean that represents whether this handler has started to
+        # close/unbind. Used to ensure there is no unbind-loop between the two
+        # connections that make up the proxy.
+        attr_accessor :closing
+
+        # Boolean that represents whether the connection has connected yet.
+        attr_accessor :connected
+
+        # Sets up references to the client proxy connection handler that created
+        # this handler.
+        def initialize(client_conn)
+          @client = client_conn
+
+          @connected = false
+          @closing = false
+        end
+
+        def post_init
+          @client._send_buffer
+        end
+
+        # Transmit data sent by the destinaton to the client.
+        def receive_data(data)
+          @client.dest_recv(data)
+        end
+
+        # Start the closing process and close the other connection if it is not
+        # already closing.
+        def unbind
+          @client.dest_closed
+          self.closing = true
+          @client.close_connection_after_writing if @client and not @client.closing
+        end
+
+      end
+
+      # This holds a reference to the connection to the destination. If it is
+      # null, it hasn't been created yet.
+      attr_accessor :dest
+
+      # This holds a reference to the connection to the client. It is actually
+      # self.
+      attr_accessor :client
+
+      attr_reader :client_host, :client_port
+
+      # Override these before connecting to dest to change the dest connection.
+      attr_accessor :dest_host, :dest_port
+
+      # An internal buffer of packet data received from the client. It will grow until
+      # the destination connection connects.
+      attr_accessor :buffer
+
+      # Boolean that represents whether this handler has started to
+      # close/unbind. Used to ensure there is no unbind-loop between the two
+      # connections that make up the proxy.
+      attr_accessor :closing
+
+      # When the proxy should connect to a destination.
+      attr_accessor :when_to_connect_to_dest
+
+      def initialize(log=nil)
+        @logger = log
+      end
+
+      def post_init
+        @closing = false
+
+        @client = self
+        @dest = nil
+
+        @buffer = []
+        @@activeconns ||= {}
+
+        @client_port, @client_host = Socket.unpack_sockaddr_in(get_peername)
+        @dest_port, @dest_host = PacketThief.original_dest(self)
+
+        logdebug "Client connected", :client_host => client_host, :client => "#{@client_host}:#{@client_port}", :orig_dest => "#{@dest_host}:#{@dest_port}"
+
+        if @@activeconns.has_key? "#{client_host}:#{client_port}"
+          puts "Warning: loop detected! Stopping the loop."
+          close_connection
+          return
+        end
+
+        client_connected
+      end
+
+      def receive_data(data)
+        client_recv data
+      end
+
+      # Start the closing process and close the other connection if it is not
+      # already closing.
+      def unbind
+        client_closed
+        @@activeconns.delete "#{client_host}:#{client_port}"
+        self.closing = true
+        @dest.close_connection_after_writing if @dest and not @dest.closing
+      end
+
+
+      # Initiate the connection to @dest_host:@dest_port.
+      def connect_to_dest
+        logdebug "Connecting to #{@dest_host}:#{@dest_port}"
+        @dest = ::EM.connect(@dest_host, @dest_port, ProxyConnection, self)
+        newport, newhost = Socket::unpack_sockaddr_in(@dest.get_sockname)
+        # Add the new connection to the list to prevent loops.
+        @@activeconns["#{newhost}:#{newport}"] = "#{dest_host}:#{dest_port}"
+      end
+
+      def _send_buffer
+        @buffer.each do |pkt|
+          @dest.send_data pkt
+        end
+        @buffer = []
+      end
+
+
+      # Queues up data to send to the remote host, only sending it if the
+      # connection to the remote host exists.
+      def send_to_dest(data)
+        logdebug "sending to dest", :data => data
+        @buffer << data
+        _send_buffer if @dest
+      end
+
+      # Sends data back to the client
+      def send_to_client(data)
+        send_data data
+      end
+
+
+      # This method is called when a client connects. The default behavior is
+      # to begin initating the connection to the original destination. Override
+      # this method to change its behavior.
+      def client_connected
+        connect_to_dest
+      end
+
+      # This method is called when the proxy receives data from the client
+      # connection. The default behavior is to call send_to_dest(data) in order
+      # to foward the data on to the original destination. Override this method
+      # to analyze the data, or modify it before sending it on.
+      def client_recv(data)
+        logdebug("received from client", :data => data)
+        send_to_dest data
+      end
+
+      # Called when the proxy receives data from the destination connection.
+      # The default behavior calls #dest_recv() to send the data to the client.
+      #
+      # Override it to analyze or modify the data.
+      def dest_recv(data)
+        logdebug("received from dest", :data => data)
+        send_to_client data
+      end
+
+      # Called when the client connection closes. At present, it only provides
+      # informational utility.
+      def client_closed
+        logdebug("client closed connection")
+      end
+
+      # Called when the original destination connection closes. At present, it only provides
+      # informational utility.
+      def dest_closed
+        logdebug("dest closed connection")
+      end
+
+    end
+
+  end
+end