tlspretense 0.6.1

data/lib/ssl_test/ext_core/io_raw_input.rb

@@ -0,0 +1,31 @@
+require 'termios'
+
+# Extends IO to enable "raw" input on TTYs.
+class IO
+  # Enables raw character input for a TTY. It uses the ruby-termios gem to
+  # disable ICANON and ECHO functionality. This means that characters will
+  # become immediately available to IO#gets, IO#getchar, etc. after the user
+  # presses a button, and that the characters will not be implicitly echoed to
+  # the screen.
+  #
+  # If you call this on $stdin, you probably should ensure that you call
+  # #disable_raw_chars in order to restore the previous termios state after
+  # your program exits. Otherwise, you may screw up the user's terminal, and
+  # they will have to call `reset`.
+  def enable_raw_chars
+    raise IOError, "#{self} is not a TTY." unless self.tty?
+    @_oldtermios = Termios.tcgetattr(self)
+    newt = @_oldtermios.dup
+    newt.c_lflag &= ~Termios::ICANON
+    newt.c_lflag &= ~Termios::ECHO
+    Termios.tcsetattr(self, Termios::TCSANOW, newt)
+  end
+
+  # Reverts the termios state to what it was before calling #enable_raw_chars.
+  def disable_raw_chars
+    raise IOError, "#{self} is not a TTY." unless self.tty?
+    Termios.tcsetattr(self, Termios::TCSANOW, @_oldtermios)
+  end
+
+
+end

data/lib/ssl_test/input_handler.rb

@@ -0,0 +1,35 @@
+
+
+module SSLTest
+  # EM handler to handle keyboard input while a test is running.
+  module InputHandler
+
+    def initialize(stdin=$stdin)
+      @stdin = stdin
+      @actions = {}
+
+      # Set the term to accept keystrokes immediately.
+      @stdin.enable_raw_chars
+    end
+
+    def unbind
+      # Clean up by resotring the old termios
+      @stdin.disable_raw_chars
+    end
+
+    # Receives one character at a time.
+    def receive_data(data)
+      raise "data was longer than 1 char: #{data.inspect}" if data.length != 1
+      if @actions.has_key? data
+        @actions[data].call
+      end
+    end
+
+    def on(char, blk=nil, &block)
+      puts "Warning: setting a keyboard handler for a keystroke that is longer than one char: #{char.inspect}" if char.length != 1
+      raise ArgumentError, "No block passed in" if blk == nil and block == nil
+      @actions[char] = ( blk ? blk : block)
+    end
+
+  end
+end

data/lib/ssl_test/runner.rb

@@ -0,0 +1,110 @@
+module SSLTest
+  # Handles a list of arguments, and uses the arguments to run a sequence of tests.
+  class Runner
+    include PacketThief::Logging
+
+    attr_reader :results
+
+    def initialize(args, stdin, stdout)
+      options = RunnerOptions.parse(args)
+      @test_list = options.args
+      @stdin = stdin
+      @stdout = stdout
+
+      @config = Config.new options.options
+      cert_manager = CertificateManager.new(@config.certs)
+      @logger = Logger.new(@config.logfile)
+      @logger.level = @config.loglevel
+      @logger.datetime_format = "%Y-%m-%d %H:%M:%S %Z"
+      @logger.formatter = proc do |severity, datetime, progname, msg|
+          "#{datetime}:#{severity}: #{msg}\n"
+      end
+      @app_context = AppContext.new(@config, cert_manager, @logger)
+
+      @report = SSLTestReport.new
+      init_packetthief
+    end
+
+    def run
+      case @config.action
+      when :list
+        @stdout.puts "These are the test I will perform and their descriptions:"
+        @stdout.puts ''
+        SSLTestCase.factory(@app_context, @config.tests, @test_list).each do |test|
+          display_test test
+        end
+      when :runtests
+        @stdout.puts "Press spacebar to skip a test, or 'q' to stop testing."
+        loginfo "Hostname being tested (assuming certs are up to date): #{@config.hosttotest}"
+
+        @tests = SSLTestCase.factory(@app_context, @config.tests, @test_list)
+        loginfo "Running #{@tests.length} tests"
+
+        start_packetthief
+        run_tests(@tests)
+        stop_packetthief
+
+        @report.print_results(@stdout)
+      else
+        raise "Unknown action: #{opts[:action]}"
+      end
+    end
+
+    def run_tests(testlist)
+      test_manager = TestManager.new(@app_context, testlist, @report, @logger)
+      EM.run do
+        # @listener handles the initial server socket, not the accepted connections.
+        # h in the code block is for each accepted connection.
+        @listener = TestListener.start('', @config.listener_port, test_manager)
+        @listener.logger = @logger
+        @keyboard = EM.open_keyboard InputHandler do |h|
+          h.on(' ') { test_manager.test_completed(test_manager.current_test, :skipped) }
+          h.on('q') { test_manager.stop_testing }
+          h.on("\n") { test_manager.unpause }
+        end
+        EM.add_periodic_timer(5) { logdebug "EM connection count: #{EM.connection_count}" }
+      end
+    end
+
+    # Initialize custom PacketThief modes of operation. Eg, we use manual when PT
+    # does not manage the firewall rules and when it should just return a
+    # preconfigured destination, and external for when PT does not manage the
+    # firewall rules but still needs to know how to discover the destination.
+    def init_packetthief
+      PacketThief.logger = @logger
+      if @config.packetthief.has_key? 'implementation'
+        impl = @config.packetthief['implementation']
+        case impl
+        when /manual\(/i
+          PacketThief.implementation = :manual
+          host = /manual\((.*)\)/i.match(impl)[1]
+          PacketThief.set_dest(host, @config.packetthief.fetch('dest_port',443))
+        when /external\(/i
+          real_impl = /external\((.*)\)/i.match(impl)[1]
+          PacketThief.implementation = real_impl.strip.downcase.to_sym
+        else
+          PacketThief.implementation = impl
+        end
+      end
+    end
+
+    def start_packetthief
+      ptconf = @config.packetthief
+      unless ptconf.has_key? 'implementation' and ptconf['implementation'].match(/external/i)
+        PacketThief.redirect(:to_ports => @config.listener_port).where(ptconf).run
+      end
+      at_exit { PacketThief.revert }
+    end
+
+    def stop_packetthief
+      PacketThief.revert
+    end
+
+    def display_test(test)
+      @stdout.printf "%s: %s\n", test.id, test.description
+      @stdout.printf "  %s\n", test.certchainalias.inspect
+      @stdout.puts ''
+    end
+
+  end
+end

data/lib/ssl_test/runner_options.rb

@@ -0,0 +1,68 @@
+module SSLTest
+  class RunnerOptions
+
+    DEFAULT_OPTS = {
+      :pause => false,
+      :config => Config::DEFAULT,
+      :action => :runtests,
+      :loglevel => 'INFO',
+      :logfile => '-'
+    }
+
+    # Parsed command line options.
+    attr_reader :options
+
+    # Any command line arguments that are not options.
+    attr_reader :args
+
+    def self.parse(args)
+      opts = new(args)
+      opts.parse
+      opts
+    end
+
+    def initialize(args)
+      @orig_args = args
+    end
+
+    def parse
+      @options = DEFAULT_OPTS.dup
+
+      opts = OptionParser.new do |opts|
+        opts.banner = "Usage: #{$0} [options] [tests to run]"
+
+        opts.on("-p","--[no-]pause", "Pause between tests") do
+          @options[:pause] = true
+        end
+
+        opts.on("-c", "--config path/to/config.yml",
+                "Specify a custom config.yml file",
+                "  (Default: #{DEFAULT_OPTS[:config]})") do |confname|
+          @options[:config] = confname
+        end
+
+        opts.on("-l","--list", "List all tests (or those specified on the command line") do
+          @options[:action] = :list
+        end
+
+        opts.on("--log-level=loglevel", "Set the log level. It can be one of:",
+                "  DEBUG, INFO, WARN, ERROR, FATAL", "  (Default: INFO, or whatever config.yml sets)") do |level|
+          @options[:loglevel] = level
+        end
+
+        opts.on("--log-file=somefile.log", "Specify the file to write logs to.","  (Default: - (STDOUT))") do |file|
+          @options[:logfile] = file
+        end
+        opts.on_tail('-h', '--help', "Print this help message.") do
+          puts opts
+          exit
+        end
+
+      end
+
+      @args = @orig_args.dup
+      opts.parse!(@args)
+    end
+
+  end
+end

data/lib/ssl_test/ssl_test_case.rb

@@ -0,0 +1,46 @@
+module SSLTest
+  # Represents a single test case.
+  class SSLTestCase
+    include PacketThief::Logging
+
+    attr_reader :id
+    attr_reader :description
+    attr_reader :certchainalias
+    attr_reader :expected_result
+
+    attr_reader :certchain
+    attr_reader :keychain
+    attr_reader :hosttotest
+
+    def self.factory(appctx, test_data, tests_to_create)
+      if tests_to_create == [] or tests_to_create == nil
+        final_test_data = test_data
+      else
+        final_test_data = tests_to_create.map { |name| test_data.select { |test| test['alias'] == name }[0] }
+      end
+      final_test_data.map { |data| SSLTestCase.new(appctx, data) }
+    end
+
+    def initialize(appctx, testdesc)
+      @appctx = appctx
+      @raw = testdesc.dup
+      @id = @raw['alias']
+      @description = @raw['name']
+      @certchainalias = @raw['certchain']
+      @expected_result = @raw['expected_result']
+    end
+
+    def certchain
+      @certchain ||= @appctx.cert_manager.get_chain(@certchainalias)
+    end
+
+    def keychain
+      @keychain ||= @appctx.cert_manager.get_keychain(@certchainalias)
+    end
+
+    def hosttotest
+      @hosttotest ||= @appctx.config.hosttotest
+    end
+
+  end
+end

data/lib/ssl_test/ssl_test_report.rb

@@ -0,0 +1,24 @@
+module SSLTest
+  # Represents an entire report. SSLTestCases add results to it, which it can
+  # later format.
+  class SSLTestReport
+
+    def initialize
+      @results = []
+    end
+
+    def add_result(result)
+      @results << result
+    end
+
+    def print_results(out)
+        out.puts "Alias            Description      P/F  Expected Actual   Start Time Stop Time "
+        out.puts "---------------- ---------------- ---- -------- -------- ---------- ----------"
+      @results.each do |r|
+        out.printf "%-16.16<id>s %-16.16<description>s %-4.4<passed>s %-8.8<expected_result>s %-8.8<actual_result>s %<start_time>s %<stop_time>s\n", r.to_h
+      end
+
+    end
+
+  end
+end

data/lib/ssl_test/ssl_test_result.rb

@@ -0,0 +1,30 @@
+module SSLTest
+  # SSLTestResults are created by running SSLTestCases. They are then added to
+  # an SSLTestReport so that they can be included in that report.
+  class SSLTestResult
+
+    attr_reader   :id
+    attr_accessor :description
+    attr_accessor :expected_result, :actual_result
+    attr_accessor :start_time, :stop_time
+
+    def passed? ; @passed ; end
+
+    def initialize(testcase_id, passed=false)
+      @id = testcase_id
+      @passed = passed
+    end
+
+    def to_h
+      {
+        :id => id,
+        :passed => passed? ? "Pass" : "Fail",
+        :description => description,
+        :expected_result => expected_result,
+        :actual_result => actual_result,
+        :start_time => start_time,
+        :stop_time => stop_time,
+      }
+    end
+  end
+end

data/lib/ssl_test/test_listener.rb

@@ -0,0 +1,140 @@
+module SSLTest
+
+  # TestListener is the real workhorse used by SSLTestCases. It builds on the
+  # SSLSmartProxy from PacketThief in order to intercept and forward SSL
+  # connections. It uses SSLSmartProxy because SSLSmartProxy provides a default
+  # behavior where it grabs the remote certificate from the destination and
+  # re-signs it before presenting it to the client.
+  #
+  # TestListener expands on this by presenting the configured test chain
+  # instead of the re-signed remote certificate when the destination
+  # corresponds to the hostname the test suite is testing off of.
+  class TestListener < PacketThief::Handlers::SSLSmartProxy
+
+    # For all hosts that do not match _hosttotest_, we currently use the
+    # _cacert_ and re-sign the original cert provided by the actual host. This
+    # will cause issues with certificate revocation.
+    #
+    # * _cacert_  [OpenSSL::X509::Certificate] A CA that the client should
+    #   trust.
+    # * _cakey_   [OpenSSL::PKey::PKey] The CA's key, needed for resigning. It
+    #   will also be the key used by the resigned certificates.
+    # * _hosttotest_  [String] The hostname we want to apply the test chain to.
+    # * _chaintotest_ [Array<OpenSSL::X509Certificate>] A chain of certs to
+    #   present when the client attempts to connect to hostname.
+    # * _keytotest_   [OpenSSL::PKey::PKey] The key corresponding to the leaf
+    #   node in _chaintotest_.
+    def initialize(tcpsocket, test_manager, logger=nil)
+      @test_manager = test_manager
+
+      if @test_manager.paused?
+        @paused = true
+      else
+        @paused = false
+        @test = @test_manager.current_test
+        @hosttotest = @test.hosttotest
+        chain = @test.certchain.dup
+        @hostcert = chain.shift
+        @hostkey = @test.keychain[0]
+        @extrachain = chain
+      end
+      # Use the goodca for hosts we don't care to test against.
+      super(tcpsocket, @test_manager.goodcacert, @test_manager.goodcakey, logger)
+
+      @test_status = :running
+      @testing_host = false
+    end
+
+    # Checks whether the initial original destination certificate (without SNI
+    # hostname) matches the test hostname. We do this with post_init to have
+    # the check happen after the parent class already added a re-signed
+    # certificate to +@ctx+.
+    def post_init
+      check_for_hosttotest(@ctx)
+    end
+
+    # Checks whether the original destination certificate after we handle the
+    # SNI hostname matches the test hostname. Super already replaced the
+    # context with a certificate based on the remote host's certificate.
+    def servername_cb(sslsock, hostname)
+      check_for_hosttotest(super(sslsock, hostname))
+    end
+
+    # Replaces the certificates used in the SSLContext with the test
+    # certificates if the destination matches the hostname we wish to test
+    # against. Otherwise, it leaves the context alone.
+    #
+    # Additionally, if it matches, it sets @testing_host to true to check
+    # whether the test succeeds or not.
+    def check_for_hosttotest(actx)
+      if @paused
+        logdebug "Testing is paused, not checking whether this is the host to test", :certcubject => actx.cert.subject
+      elsif TestListener.cert_matches_host(actx.cert, @hosttotest)
+        logdebug "Destination matches host-to-test", :hosttotest => @hosttotest, :certsubject => actx.cert.subject, :testname => @test.id
+        actx.cert = @hostcert
+        actx.key = @hostkey
+        actx.extra_chain_cert = @extrachain
+        @testing_host = true
+      else
+        logdebug "Destination does not match host-to-test", :hosttotest => @hosttotest, :certsubject => actx.cert.subject
+      end
+      actx
+    end
+
+    # Return true if _cert_'s CNAME or subjectAltName matches hostname,
+    # otherwise return false.
+    def self.cert_matches_host(cert, hostname)
+      OpenSSL::SSL.verify_certificate_identity(cert, hostname)
+    end
+
+    # If the client completes connecting, we might consider that trusting our
+    # certificate chain. However, at least Java's SSL client classes don't
+    # reject until after completing the handshake.
+    def tls_successful_handshake
+      super
+      logdebug "successful handshake"
+      if @testing_host
+        @test_status = :connected
+        if @test_manager.testing_method == 'tlshandshake'
+          @test_manager.test_completed(@test, @test_status)
+          @testing_host = false
+        end
+      end
+    end
+
+    # If the handshake failed, then the client rejected our cert chain.
+    def tls_failed_handshake(e)
+      super
+      logdebug "failed handshake"
+      if @testing_host
+        @test_status = :rejected
+        @test_manager.test_completed(@test, @test_status)
+        @testing_host = false
+      end
+    end
+
+    # Report our result.
+    def unbind
+      super
+      logdebug "unbind"
+      if @testing_host
+        @test_manager.test_completed(@test, @test_status)
+        @testing_host = false
+      end
+    end
+
+    # client_recv means that the client sent data over the TLS connection,
+    # meaning they definately trusted our certificate chain.
+    def client_recv(data)
+      if @testing_host
+        @test_status = :sentdata
+        if @test_manager.testing_method == 'senddata'
+          @test_manager.test_completed(@test, @test_status)
+          @testing_host = false
+        end
+      end
+      super(data)
+    end
+
+  end
+end