tlspretense 0.6.2 → 0.7.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 4ed245d56d277c418ad64f001cfd058c143558fd
+  data.tar.gz: d32fe446d812f2a499df03ee9c955696486a88c2
+SHA512:
+  metadata.gz: 282430a23df7618eac0eb73b1078e03738268cec66a9b5031d42ce7bed18f0b814edfc3426a6bfd1f7527347b6e4fcc35aabcf0b9040644d75ac7a93f531fae8
+  data.tar.gz: 709560af229dcc7f6c122321af8d51053a10e31a78a100bb850f2a23758459f6c32dec94ed4bbbdc8a9f41f2b8c3eeab88c2c4c910b8ed9eeab3a7ab76c3710f

data/.gitignore

@@ -5,3 +5,4 @@ rdoc
 .bundle
 pkg
 tags
+Gemfile.lock

data/.travis.yml

@@ -0,0 +1,5 @@
+language: ruby
+rvm:
+  - 2.2
+  - 2.3
+  - 2.4

data/README.rdoc

@@ -126,11 +126,12 @@ Or just certain tests (in the order specified):
   though.
 
 * It currently uses the goodca to re-sign certificates from hostnames that do
-  not match the configured test hostname.
+  not match the configured test hostname, instead of silently forwarding the
+  connection.
 
-* The existing PFDivert rule implementation does not work on Mac OS X 10.7 (and
-  probably not on 10.8 either). OpenBSD 5.0(?) and FreeBSD 9 can make use of
-  this functionality though.
+* The existing PFDivert rule implementation does not work on Mac OS X 10.7 or
+  10.8 (use PFRdr instead). OpenBSD newer than 4.3 and FreeBSD 9 can make use
+  of the newer PF syntax and functionality though.
 
 == TODO
 
@@ -140,25 +141,33 @@ Or just certain tests (in the order specified):
   until the pre-flight finishes. (the SSLClient within SSLTransparentProxy
   probably also should do this until the client connects)
 
-* Fix the subjectAltName null byte test. It requires manual construction of the
-  ASN1 encoding due to the null byte causing a truncation somewhere in OpenSSL
-  or Ruby's OpenSSL.
-
-* Add wildcard tests
+* Add wildcard tests (need a hostname that has
+  domain.domain.domain.publicsuffix for all tests)
   * cert hostname: \*.%PARENTHOSTNAME%
-  * bad hostname: \*.other.com
+  * bad hostname: \*.other.com (reject)
   * tld hostname: \*.%TLDHOSTNAME% (reject)
   * do we want to test more complicated wildcards?
+  * http://www.ietf.org/rfc/rfc2818.txt requires wildcards to only match a
+    single subdomain component, not all subdomain components. Eg, *.a.com matches
+    foo.a.com but not bar.foo.a.com
 
 * Decide how to deal with a wildcard cert at the original destination. If we
   are testing foo.somehost.com, and the client connects to other hostnames like
   bar.somehost.com, and they all use a *.somehost.com certificate, then
   TLSPretense gets confused.
-
-* Add extension criticality tests (need an extension oid that nobody knows how to verify)
-  * If an extension is marked critical and the verifier doesn't know how to
-    verify, then it should fail. If it is not marked critical, then it is
-    allowed to skip the extension.
+  * If I allow *.somehost.com from the original server to match a test hostname
+    of foo.somehost.com, and the client then requests bar.somehost.com,
+    TLSPretense would present foo.somehost.com, making a well behaved client
+    reject the hostname mismatch.
+  * If I don't allow *.somehost.com from the original server match a test
+    hostname of foo.somehost.com, then TLSPretense will never successfully run
+    its tests.
+  * If I set the test hostname to *.somehost.com, then tests for wildcards and
+    subdomains wouldn't be valid, but the rest of the tests would work.
+  * Perhaps a better option would be to present a warning if the original
+    host has a wildcard in it, unless the target hostname also has a wildcard
+    in it. (which should present a warning about the sort of tests that won't
+    produce meaningful results)
 
 * Advanced: Add name constraints tests.
   * success: dnsName of leaf matches exactly the dnsName permitted constraint
@@ -226,6 +235,6 @@ Or just certain tests (in the order specified):
 
 == Copyright
 
-Copyright (c) 2012 iSEC Partners
+Copyright (c) 2012-2013 iSEC Partners
 
 See LICENSE.txt for further details.

data/Rakefile

@@ -18,6 +18,7 @@ task :default => :spec
 
 require 'rdoc/task'
 Rake::RDocTask.new do |rdoc|
+  $: << 'lib'
   require 'tlspretense/version'
   version = TLSPretense::VERSION
 
@@ -38,7 +39,3 @@ Rake::RDocTask.new do |rdoc|
   end
 end
 
-require 'certmaker/tasks'
-
-desc "Runs certs:clean"
-task :clean => ['certs:clean']

data/doc/general_setup.rdoc

@@ -49,10 +49,28 @@ This setup has the following network topography:
 
 == Installing TLSPretense
 
-Install with rubygems:
+=== General Case
+
+The following assumes that the +gem+ command refers to the Ruby 1.9.3 version
+of gem. If the Ruby 1.9.3 version on your system has a suffix, use that version
+of +gem+ instead. Install with rubygems:
 
     umask 0022 ; sudo gem install tlspretense
 
+=== Ubuntu 12.04 and Later
+
+If you are using Ubuntu, The ruby1.9.1 package on Ubuntu 12.04 is actually Ruby
+1.9.3 (1.9.1 in this case is the ABI version, not the software version).
+Assuming you haven't already installed Ruby 1.9.3:
+
+    sudo apt-get install ruby1.9.1-full
+
+then install with rubygems:
+
+    umask 0022 ; sudo gem1.9.1 install tlspretense
+
+=== Create a TLSPretense Project
+
 Create a new project:
 
     tlspretense init myproject
@@ -258,6 +276,9 @@ the firewall rule that redirects network traffic itself.
 For a sample Linux-specific configuration, see: {Linux
 Setup}[rdoc-ref:linux_setup].
 
+For information on configuring TLSPretense on a Mac OS X system, see: {Mac OS X
+Setup}[rdoc-ref:macosx_setup]
+
 
 == Running the tests
 

data/doc/macosx_setup.rdoc

@@ -0,0 +1,86 @@
+= Setting Up Mac OS X for Use With TLSPretense
+
+To run TLSPretense on Mac OS X, you need a Mac running Mac OS X 10.6 or later,
+and you need to have at least two network interfaces. If you are using a Mac
+laptop that only has wifi, you will need to use one or more ethernet adapters.
+
+The following sections cover how to setup both Mac OS X 10.6 and 10.7.
+
+== Configuring Internet Sharing
+
+This example assumes that you want to test software running on a device
+that uses wifi, such as an iOS or Android app. The sytem hosting TLSPretense
+will be a Mac running Mac OS X 10.6, 10.7, or 10.8. We
+will turn our wifi adapter into a wireless access point and then share our
+Internet connection from a physical ethernet adapter with it.
+
+First, open System Preferences and ensure that the ethernet connection has
+Internet access. You may need to authenticate as an admin in order to make
+changes.
+
+Then, if your wifi adapter is currently connected to a network, tell it to
+disconnect.
+
+Next, go to the Sharing preference pane, and click on "Internet Sharing" to
+configure it. Set "Share your connection from:" to your Ethernet connection
+(usually en0), and share it to your airport connection (usually en1). Click on
+"AirPort Options..." to configure the wireless access point it will create.
+Finally, click the checkbox next to "Internet Sharing" enable it.
+
+Internet Sharing will enable +natd+ in Mac OX X 10.6 (uses ipfw), ??? in
+Mac OS X 10.7 and +natpmpd+ in 10.8 (10.7 and later use Apple's version of PF,
+which is a much older version of PF than used by FreeBSD and OpenBSD). Both
+versions of the NAT
+will forward IPv4 traffic originating from devices connected to the Mac's
+Airport card, and forward it on to the designated outgoing network device
+(TODO: Does it handle IPv6 routing?).
+Internet Sharing will also enable a DHCP server to automatically configure any
+clients that connect to the internal side of the network.
+
+TLSPretense uses its PacketThief library to capture the traffic it is
+configured to intercept, and it will initiate new outgoing connections, usually
+bypassing the NAT daemon for such traffic. We still want the NAT service because it will
+forward traffic not intercepted by TLSPretense.
+
+Once you have Internet Sharing enabled, you should test to make sure it works
+with your test device.
+
+== Configure the Test Device
+
+Next, the system that will run the client code needs to be configured to use
+the TLSPretense host as its gateway. This usually involves connecting the
+client system to the new wireless access point or to the ethernet port that
+represents the internal network. DHCP should automatically configure the
+address, gateway, subnet mask, and DNS information for the client system, but
+you may need to manually modify these values if something does not work
+(wireshark on the system running TLSPretense can help you debug this).
+
+== Configuring the PF Firewall
+
+You need to add the following line to the bottom of your system's +/etc/pf.conf+:
+
+    rdr-anchor "packetthief"
+
+It should be inserted after any NAT rules, but before any other redirect rules
+(such as Apple's +rdr-anchor+ rule). Once you have added it, you should reload
+the core ruleset:
+
+    sudo pfctl -f /etc/pf.conf
+
+
+== Configure TLSPretense
+
+Mac laptops use en0, en1, etc. for their Unix network interface names. Mac
+laptops that have both ethernet and wifi built in usually have ethernet on en0
+and their wifi interface on en1. However, on newer Mac laptops that only have
+built-in wifi, the wifi is usually +en0+ and devices like Thunderbolt ethernet
+adaptors will be assigned a higher-numbered interface name.
+
+On Mac OS X 10.8, with Internet Sharing enabled, the internal LAN's gateway is
++bridge0+ rather than the +en*+ interface.
+
+You should set +in_interface+ in the +packetthief+ section of your config.yml
+to the network interface name of the correct internal network.
+
+Aside from that, configure TLSPretense normally, as discussed in the {General
+Setup}[rdoc-ref:general_setup].

data/lib/packetthief.rb

@@ -117,6 +117,14 @@ module PacketThief
     include Logging
   end
 
+  def self.logger=(log)
+    PacketThief::Logging.logger = log
+  end
+
+  def self.logger
+    PacketThief::Logging.logger
+  end
+
   def self.implementation; @implementation ; end
 
   def self.implementation=(newimpl)
@@ -155,7 +163,6 @@ module PacketThief
     if self.implementation == nil
       self.implementation = guess_implementation
     end
-    implementation.logger = @logger if implementation.respond_to? :logger=
     self.implementation.send(m, *args, &block)
   end
 

data/lib/packetthief/handlers/abstract_ssl_handler.rb

@@ -26,8 +26,7 @@ module PacketThief
       # is applied to the SSLSocket during #tls_begin.
       attr_accessor :sni_hostname
 
-      def initialize(tcpsocket, logger=nil)
-        @logger = logger
+      def initialize(tcpsocket)
         logdebug "initialize"
         # Set up initial values
         @tcpsocket = tcpsocket

data/lib/packetthief/handlers/ssl_server.rb

@@ -103,11 +103,10 @@ module PacketThief
           logdebug "(#{@ssl_class}): Received a new connection, spawning a #{@ssl_class}"
           sock = @servsocket.accept_nonblock
 
-          ::EM.watch sock, @ssl_class, sock, *@args, @logger do |h|
+          ::EM.watch sock, @ssl_class, sock, *@args do |h|
             logdebug "after initialize"
             h.server_handler = self
             h.notify_readable = true
-            h.logger = @logger
             # Now call the caller's block.
             @block.call(h) if @block
             # And finally finish initialization by applying the context to an
@@ -145,8 +144,8 @@ module PacketThief
       ####
 
       public
-      def initialize(tcpsocket,logger=nil)
-        super(tcpsocket, logger)
+      def initialize(tcpsocket)
+        super(tcpsocket)
         @ctx.servername_cb = proc {|sslsocket, hostname| self.servername_cb(sslsocket, hostname) }
       end
 

data/lib/packetthief/handlers/ssl_smart_proxy.rb

@@ -15,8 +15,8 @@ module PacketThief
       # seconds.
       attr_accessor :preflight_timeout
 
-      def initialize(tcpsocket, ca_chain, key, logger=nil)
-        super(tcpsocket, logger)
+      def initialize(tcpsocket, ca_chain, key)
+        super(tcpsocket)
 
         @preflight_timeout = 5
         if ca_chain.kind_of? Array
@@ -53,7 +53,7 @@ module PacketThief
 
       # Requests a certificate from the original destination.
       def preflight_for_cert(hostname=nil)
-        logdebug "prefilight for: #{hostname}"
+        logdebug "preflight for: #{hostname}"
         begin
           pfctx = OpenSSL::SSL::SSLContext.new
           pfctx.verify_mode = OpenSSL::SSL::VERIFY_NONE

data/lib/packetthief/handlers/ssl_transparent_proxy.rb

@@ -83,7 +83,7 @@ module PacketThief
       # Initially, its verify_mode is set to OpenSSL::SSL::VERIFY_NONE.
       attr_accessor :dest_ctx
 
-      def initialize(tcpsocket, logger=nil)
+      def initialize(tcpsocket)
         super
         @closed = false
 

data/lib/packetthief/handlers/transparent_proxy.rb

@@ -68,8 +68,7 @@ module PacketThief
       # When the proxy should connect to a destination.
       attr_accessor :when_to_connect_to_dest
 
-      def initialize(log=nil)
-        @logger = log
+      def initialize
       end
 
       def post_init

data/lib/packetthief/logging.rb

@@ -1,48 +1,56 @@
 module PacketThief
   # Mix-in that provides some private convenience logging functions. Uses the
-  # @logger instance variable.
+  # logger specified by this module. To set the current logger for all of
+  # PacketThief:
+  #
+  #     PacketThief::Logging.logger = Logger.new
   module Logging
-    # An optional Ruby Logger for debugging output. If it is unset, the log
-    # methods will be silent.
-    attr_accessor :logger
 
-    private
-
-    # Print a message at the specified log severity (prefixed with the component),
-    # and display any additional arguments. For example:
-    #
-    #     dlog(Logger::DEBUG, SomeClass, "hello", :somevalue => 'that value")
-    #
-    # Will print the message: "SomeClass: hello: somevalue=that value" at the
-    # debug log level.
-    def log(level, component, msg, args={})
-      if @logger
-        unless args.empty?
-          kvstr = args.map { |pair| pair[0].to_s + ': ' + pair[1].inspect }.sort.join(', ')
-          msg += ": " + kvstr
+    class << self
+
+      # An optional Ruby Logger for debugging output. If it is unset, the log
+      # methods will be silent.
+      attr_accessor :logger
+
+      # Print a message at the specified log severity (prefixed with the component),
+      # and display any additional arguments. For example:
+      #
+      #     log(Logger::DEBUG, SomeClass, "hello", :somevalue => 'that value")
+      #
+      # Will print the message: "SomeClass: hello: somevalue=that value" at the
+      # debug log level.
+      def log(level, component, msg, args={})
+        if @logger
+          unless args.empty?
+            kvstr = args.map { |pair| pair[0].to_s + ': ' + pair[1].inspect }.sort.join(', ')
+            msg += ": " + kvstr
+          end
+          @logger.log(level, component.to_s + ': ' + msg)
         end
-        @logger.log(level, component.to_s + ': ' + msg)
       end
+
     end
 
+    private
+
     def logdebug(msg, args={})
-      log(Logger::DEBUG, (([Module, Class].include? self.class) ? self.name : self.class), msg, args)
+      Logging.log(Logger::DEBUG, (([Module, Class].include? self.class) ? self.name : self.class), msg, args)
     end
 
     def loginfo(msg, args={})
-      log(Logger::INFO, self.class, msg, args)
+      Logging.log(Logger::INFO, self.class, msg, args)
     end
 
     def logwarn(msg, args={})
-      log(Logger::WARN, self.class, msg, args)
+      Logging.log(Logger::WARN, self.class, msg, args)
     end
 
     def logerror(msg, args={})
-      log(Logger::ERROR, self.class, msg, args)
+      Logging.log(Logger::ERROR, self.class, msg, args)
     end
 
     def logfatal(msg, args={})
-      log(Logger::FATAL, self.class, msg, args)
+      Logging.log(Logger::FATAL, self.class, msg, args)
     end
 
   end

data/lib/tlspretense/app.rb

@@ -30,7 +30,9 @@ QUOTE
         when 'init'
           InitRunner.new(@action_args, @stdin, @stdout).run
         when 'run'
-          TestHarness::Runner.new(@action_args, @stdin, @stdout).run
+          unless TestHarness::Runner.new(@action_args, @stdin, @stdout).run
+            return 1
+          end
         when 'list', 'ls'
           TestHarness::Runner.new(['--list'] + @action_args, @stdin, @stdout).run
         when 'ca'
@@ -45,8 +47,9 @@ QUOTE
       rescue CleanExitError => e
         @stdout.puts ""
         @stdout.puts "#{e.class}: #{e}"
-        exit 1
+        return 1
       end
+      0
     end
   end
 end

data/lib/tlspretense/cert_maker.rb

@@ -4,11 +4,16 @@ require 'yaml'
 
 require 'tlspretense/ext_core/hash_indifferent_fetch'
 
+# Provide a limited version of OpenSSL::PKey.read for older Ruby versions.
+require 'tlspretense/ext_compat/openssl_pkey_read'
+TLSPretense::ExtCompat::OpenSSLPKeyRead.check_and_apply_patch
+
 module TLSPretense
   module CertMaker
 
     autoload :CertificateFactory,         'tlspretense/cert_maker/certificate_factory'
     autoload :CertificateSuiteGenerator,  'tlspretense/cert_maker/certificate_suite_generator'
+    autoload :SubjectAltNameFactory,      'tlspretense/cert_maker/subject_alt_name_factory'
 
 
   # Generate certificates and keys using +config+.