tlspretense 0.6.1

data/lib/packetthief/impl/pf_rdr.rb

@@ -0,0 +1,192 @@
+
+
+module PacketThief
+  module Impl
+    # Implementation that uses PF's +rdr+ (old style rules) and parses pfctl's
+    # output to interoperate with Mac OS X 10.7 Lion.
+    #
+    # It assumes that the system running PacketThief is already set up to
+    # reroute traffic like a NAT (On Mac OS X, you can do this by enabling
+    # Internet Sharing).
+    #
+    # To use it, you need to add the following rule to your /etc/pf.conf file
+    # in the "Translation" section.
+    #
+    #     rdr-anchor "packetthief"
+    #
+    # This rule probably should be inserted after any NAT rules, but before any
+    # other redirect rules (such as Apple's +rdr-anchor+ rule). Once you have
+    # added it, you can reload the core ruleset:
+    #
+    #     pfctl -f /etc/pf.conf
+    #
+    # == Design
+    #
+    # Lion (and Mountain Lion) provide an older implementation of PF (circa
+    # OpenBSD 4.3 and earlier) that does not contain the +divert-to+ action.
+    # Furthermore, Apple has decided to not make pfvars.h a public header file,
+    # making it marginally difficult to compile C code that can look up the
+    # original destination. Instead, we use pfctl to look up the state table,
+    # and we parse its output to find the current connection and acquire its
+    # original destination.
+    #
+    # Redirect rules look like the following:
+    #
+    #     rdr on en1 proto tcp from any to any port 443 -> 127.0.0.1 port 54321
+    #
+    # The pfctl state table output looks something like:
+    #
+    #     $ sudo pfctl -s states
+    #     No ALTQ support in kernel
+    #     ALTQ related functions disabled
+    #     ALL tcp 74.125.224.68:80 <- 192.168.2.2:52995       ESTABLISHED:ESTABLISHED
+    #     ALL tcp 192.168.2.2:52995 -> 10.0.1.2:33596 -> 74.125.224.68:80       ESTABLISHED:ESTABLISHED
+    #     ALL tcp 127.0.0.1:54321 <- 173.194.79.147:443 <- 192.168.2.2:52998       CLOSED:SYN_SENT
+    #     ALL tcp 127.0.0.1:54321 <- 173.194.79.147:443 <- 192.168.2.2:52999       CLOSED:SYN_SENT
+    #     ALL tcp 127.0.0.1:54321 <- 173.194.79.147:443 <- 192.168.2.2:53000       CLOSED:SYN_SENT
+    #     ALL tcp 127.0.0.1:54321 <- 173.194.79.147:443 <- 192.168.2.2:53001       CLOSED:SYN_SENT
+    #     ALL udp 192.168.2.1:53 <- 192.168.2.2:53690       SINGLE:MULTIPLE
+    #     ALL tcp 74.125.224.105:80 <- 192.168.2.2:53002       ESTABLISHED:ESTABLISHED
+    #     ALL tcp 192.168.2.2:53002 -> 10.0.1.2:38466 -> 74.125.224.105:80       ESTABLISHED:ESTABLISHED
+    #     ALL udp 224.0.0.251:5353 <- 10.0.1.4:5353       NO_TRAFFIC:SINGLE
+    #     ALL udp ff02::fb[5353] <- fe80::72de:e2ff:fe41:5ddd[5353]       NO_TRAFFIC:SINGLE
+    #
+    #  /^(?<iface>\S+)\s+(?<proto>\S+)\s+(?<dest>\S+)\s+<-\s+(?<origdest>\S+)\s+<-\s+(?<src>\S+)\s+(?<status>\S+)$/
+    #
+    class PFRdr
+      module PFRdrRuleHandler
+        include Logging
+        attr_accessor :active_rules
+
+        # Executes a rule and holds onto it for later removal.
+        def run(rule)
+          @active_rules ||= []
+
+          @active_rules << rule
+          rulestrs = @active_rules.map { |r| r.to_pf_command.join(" ") }
+
+          rulestrs.each { |rule| logdebug rule }
+          args = %W{pfctl -q -a packetthief -f -}
+          IO.popen(args, "w+") do |pfctlio|
+            rulestrs.each { |rule| pfctlio.puts rule }
+          end
+          unless $?.exitstatus == 0
+            raise "Command #{args.inspect} exited with error code #{$?.inspect}"
+          end
+
+        end
+
+        # Reverts all executed rules that this handler knows about.
+        def revert
+          return if @active_rules == nil or @active_rules.empty?
+
+          args = %W{pfctl -q -a packetthief -F all}
+          unless system(*args)
+            raise "Command #{args.inspect} exited with error code #{$?.inspect}"
+          end
+          #        end
+
+          @active_rules = []
+        end
+      end
+      extend PFRdrRuleHandler
+
+      class PFRdrRule < RedirectRule
+
+        attr_accessor :rule_number
+
+        def initialize(handler, rule_number=nil)
+          super(handler)
+          @rule_number = rule_number
+        end
+
+        def to_pf_command
+          args = []
+
+          args << "rdr"
+
+          if self.rulespec
+            args << 'on' << self.rulespec[:in_interface].to_s if self.rulespec.has_key? :in_interface
+
+            args << "proto" << self.rulespec.fetch(:protocol,'ip').to_s
+
+            args << 'from'
+            args << self.rulespec.fetch(:source_address, 'any').to_s
+            args << 'port' << self.rulespec[:source_port].to_s if self.rulespec.has_key? :source_port
+
+            args << 'to'
+            args << self.rulespec.fetch(:dest_address, 'any').to_s
+            args << 'port' << self.rulespec[:dest_port].to_s if self.rulespec.has_key? :dest_port
+          end
+
+          if self.redirectspec
+            if self.redirectspec.has_key? :to_ports
+              args << '->'
+              args << "127.0.0.1"
+              args << 'port' << self.redirectspec[:to_ports].to_s if self.redirectspec.has_key? :to_ports
+            else
+              raise "Rule lacks a valid redirect: #{self.inspect}"
+            end
+          end
+
+
+          args
+        end
+      end
+
+      def self.redirect(args={})
+        rule = PFRdrRule.new(self)
+        rule.redirect(args)
+      end
+
+      RDR_PAT = /^(?<iface>\S+)\s+(?<proto>\S+)\s+(?<dest>\S+)\s+<-\s+(?<origdest>\S+)\s+<-\s+(?<src>\S+)\s+(?<status>\S+)$/
+
+      # Returns the [port, host] for the original destination of +sock+.
+      #
+      # +Sock+ can be a Ruby socket or an EventMachine::Connection (including
+      # handler modules, which are mixed in to an anonymous descendent of
+      # EM::Connection).
+      #
+      # When PF uses a nat/rdr rule, it stores the original destination in a
+      # table that can be queried using an ioctl() call on the /dev/pf device.
+      # Unfortunately for Mac OS X 10.7 and 10.8, Apple does not provide the
+      # necessary pfvars.h header for querying pf, although it exists in the XNU
+      # kernel source, which marks it as a "private" header. Apple's version is
+      # also "different" from the version supported by most BSDs these days,
+      # creating additional headaches.
+      #
+      # To work around this, we instead use +pfctl -s states+ to get the nat
+      # state information.
+      def self.original_dest(sock)
+        if sock.respond_to? :getsockname
+          sockname = sock.getsockname
+        elsif sock.respond_to? :get_sockname
+          sockname = sock.get_sockname
+        else
+          raise ArgumentError, "#{sock.inspect} supports neither :getsockname nor :get_sockname!"
+        end
+        if sock.respond_to? :getpeername
+          peername = sock.getpeername
+        elsif sock.respond_to? :get_peername
+          peername = sock.get_peername
+        else
+          raise ArgumentError, "#{sock.inspect} supports neither :getpeername nor :get_peername!"
+        end
+        dest = Socket.unpack_sockaddr_in(sockname)
+        src = Socket.unpack_sockaddr_in(peername)
+
+        state_table = `pfctl -q -s state`
+        rdr_lines = state_table.split("\n").map { |l| l.match(RDR_PAT) }.compact
+        matched_conns = rdr_lines.select { |l| l[:dest] == "#{dest[1]}:#{dest[0]}" and l[:src] == "#{src[1]}:#{src[0]}" }
+        raise "multiple conns matched: #{matched_conns.inspect}" unless matched_conns.length == 1
+        host, port = matched_conns[0][:origdest].split(':', 2)
+        port = port.to_i
+
+        logdebug "original_dest:", :port => port, :host => host
+        [port, host]
+      end
+
+    end
+
+  end
+end

data/lib/packetthief/logging.rb

@@ -0,0 +1,49 @@
+module PacketThief
+  # Mix-in that provides some private convenience logging functions. Uses the
+  # @logger instance variable.
+  module Logging
+    # An optional Ruby Logger for debugging output. If it is unset, the log
+    # methods will be silent.
+    attr_accessor :logger
+
+    private
+
+    # Print a message at the specified log severity (prefixed with the component),
+    # and display any additional arguments. For example:
+    #
+    #     dlog(Logger::DEBUG, SomeClass, "hello", :somevalue => 'that value")
+    #
+    # Will print the message: "SomeClass: hello: somevalue=that value" at the
+    # debug log level.
+    def log(level, component, msg, args={})
+      if @logger
+        unless args.empty?
+          kvstr = args.map { |pair| pair[0].to_s + ': ' + pair[1].inspect }.sort.join(', ')
+          msg += ": " + kvstr
+        end
+        @logger.log(level, component.to_s + ': ' + msg)
+      end
+    end
+
+    def logdebug(msg, args={})
+      log(Logger::DEBUG, (([Module, Class].include? self.class) ? self.name : self.class), msg, args)
+    end
+
+    def loginfo(msg, args={})
+      log(Logger::INFO, self.class, msg, args)
+    end
+
+    def logwarn(msg, args={})
+      log(Logger::WARN, self.class, msg, args)
+    end
+
+    def logerror(msg, args={})
+      log(Logger::ERROR, self.class, msg, args)
+    end
+
+    def logfatal(msg, args={})
+      log(Logger::FATAL, self.class, msg, args)
+    end
+
+  end
+end

data/lib/packetthief/redirect_rule.rb

@@ -0,0 +1,29 @@
+
+module PacketThief
+  class RedirectRule
+    attr_accessor :handler
+    attr_accessor :rulespec
+    attr_accessor :redirectspec
+
+    def initialize(handler)
+      @handler = handler
+    end
+
+    # specify an original destination
+    def where(args)
+      rule = clone
+      rule.rulespec = args
+      rule
+    end
+
+    def redirect(args)
+      rule = clone
+      rule.redirectspec = args
+      rule
+    end
+
+    def run
+      @handler.run(self)
+    end
+  end
+end

data/lib/packetthief/util.rb

@@ -0,0 +1,36 @@
+module PacketThief
+  # Some utility methods, currently just used by the examples.
+  module Util
+    class << self
+      # Extracts all PEM encoded certificates out of a raw string and returns
+      # each raw PEM encoded certificate in an array.
+      def split_chain(raw)
+        chain = []
+        remaining = raw
+        certpat = /-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----/m
+        while m = certpat.match(remaining)
+          remaining = m.post_match
+          chain << m[0].strip
+        end
+        chain
+      end
+
+      # Extracts all PEM encoded certs from a raw string and returns a list of
+      # X509 certificate objects in the order they appear in the file.
+      #
+      # This can be helpful for loading a chain of certificates, eg for a
+      # server.
+      #
+      # Usage:
+      #
+      #   chain = cert_chain(File.read("chain.pem"))
+      #   p chain # => [#<OpenSSL::X509::Certificate subject=/C=US/CN=my.hostname.com, issuer=/C=US/CN=Trusted CA...>,
+      #                   #<OpenSSL::X509::Certificate subject=/C=US/CN=Trusted CA ... >]
+      def cert_chain(raw)
+        rawchain = split_chain(raw)
+        rawchain.map { |rawcert| OpenSSL::X509::Certificate.new(rawcert) }
+      end
+
+    end
+  end
+end

data/lib/ssl_test.rb

@@ -0,0 +1,21 @@
+require 'packetthief'
+require 'eventmachine'
+require 'optparse'
+require 'termios'
+require 'logger'
+
+require 'ssl_test/ext_core/io_raw_input'
+
+module SSLTest
+  autoload :AppContext,         'ssl_test/app_context'
+  autoload :CertificateManager, 'ssl_test/certificate_manager'
+  autoload :Config,       'ssl_test/config'
+  autoload :InputHandler, 'ssl_test/input_handler'
+  autoload :RunnerOptions,      'ssl_test/runner_options'
+  autoload :Runner,       'ssl_test/runner'
+  autoload :SSLTestCase,  'ssl_test/ssl_test_case'
+  autoload :SSLTestReport,  'ssl_test/ssl_test_report'
+  autoload :SSLTestResult,  'ssl_test/ssl_test_result'
+  autoload :TestListener, 'ssl_test/test_listener'
+  autoload :TestManager, 'ssl_test/test_manager'
+end

data/lib/ssl_test/app_context.rb

@@ -0,0 +1,17 @@
+module SSLTest
+
+  # Class to hold onto application-wide values in a single place and to track
+  # application state.
+  class AppContext
+
+    attr_accessor :config
+    attr_accessor :cert_manager
+    attr_accessor :logger
+
+    def initialize(config, cert_manager, logger)
+      @config = config
+      @cert_manager = cert_manager
+      @logger = logger
+    end
+  end
+end

data/lib/ssl_test/certificate_manager.rb

@@ -0,0 +1,33 @@
+module SSLTest
+  # Handles the loading and caching of certificates and private keys.
+  class CertificateManager
+
+    def initialize(certinfo)
+      @certinfo = certinfo
+    end
+
+    def get_raw_cert(name)
+      File.read(File.join('certs',name+"cert.pem"))
+    end
+
+    def get_cert(name)
+      OpenSSL::X509::Certificate.new(get_raw_cert(name))
+    end
+
+    def get_raw_key(name)
+      File.read(File.join('certs',name+"key.pem"))
+    end
+
+    def get_key(name)
+      OpenSSL::PKey.read(get_raw_key(name))
+    end
+
+    def get_chain(list)
+      list.map { |name| get_cert(name) }
+    end
+
+    def get_keychain(list)
+      list.map { |name| get_key(name) }
+    end
+  end
+end

data/lib/ssl_test/config.rb

@@ -0,0 +1,79 @@
+module SSLTest
+  # Loads and interprets the configuration file.
+  class Config
+
+    DEFAULT = "config.yml"
+
+    attr_reader :raw
+    attr_reader :certs
+
+    def self.load_conf(opts)
+      Config.new(opts)
+    end
+
+    # TODO: do some basic type validation on the config file.
+    def initialize(opts)
+      @opts = opts
+
+      @raw = YAML.load_file(@opts[:config])
+      @certs = @raw['certs']
+    end
+
+    def tests
+      @raw['tests']
+    end
+
+    def hosttotest
+      @raw['hostname']
+    end
+
+    def listener_port
+      @raw['listener_port']
+    end
+
+    def testing_method
+      @raw['testing_method']
+    end
+
+    def packetthief
+      pt = @raw['packetthief'].dup
+      newvals = {}
+      pt.each_pair do |k,v|
+        if k.kind_of? String
+          newvals[k.to_sym] = v
+        end
+      end
+      pt.merge! newvals
+      pt
+    end
+
+    def pause?
+      @opts[:pause]
+    end
+
+    def action
+      @opts[:action]
+    end
+
+    def loglevel
+      levelstr = if @opts.has_key? :loglevel
+        @opts[:loglevel].upcase
+      elsif @raw.has_key? 'log' and @raw['log'].has_key? 'level'
+        @raw['log']['level'].upcase
+      else
+        'INFO'
+      end
+      Logger.const_get(levelstr)
+    end
+
+    def logfile
+      if @opts[:logfile] == '-'
+        STDOUT
+      else
+        @opts[:logfile]
+      end
+    end
+
+
+  end
+end