2012-06-29 05:18:28 +00:00
|
|
|
# -*- coding: binary -*-
|
2006-04-24 18:49:00 +00:00
|
|
|
require 'rex/socket'
|
|
|
|
require 'rex/socket/tcp_server'
|
|
|
|
require 'rex/io/stream_server'
|
|
|
|
|
|
|
|
###
|
|
|
|
#
|
|
|
|
# This class provides methods for interacting with an SSL wrapped TCP server. It
|
|
|
|
# implements the StreamServer IO interface.
|
|
|
|
#
|
|
|
|
###
|
2008-11-12 22:47:21 +00:00
|
|
|
module Rex::Socket::SslTcpServer
|
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
@@loaded_openssl = false
|
|
|
|
|
|
|
|
begin
|
|
|
|
require 'openssl'
|
|
|
|
@@loaded_openssl = true
|
|
|
|
require 'openssl/nonblock'
|
|
|
|
rescue ::Exception
|
|
|
|
end
|
|
|
|
|
|
|
|
include Rex::Socket::TcpServer
|
|
|
|
|
|
|
|
##
|
|
|
|
#
|
|
|
|
# Factory
|
|
|
|
#
|
|
|
|
##
|
|
|
|
|
|
|
|
def self.create(hash = {})
|
|
|
|
hash['Proto'] = 'tcp'
|
|
|
|
hash['Server'] = true
|
|
|
|
hash['SSL'] = true
|
|
|
|
self.create_param(Rex::Socket::Parameters.from_hash(hash))
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Wrapper around the base class' creation method that automatically sets
|
|
|
|
# the parameter's protocol to TCP and sets the server flag to true.
|
|
|
|
#
|
|
|
|
def self.create_param(param)
|
|
|
|
param.proto = 'tcp'
|
|
|
|
param.server = true
|
|
|
|
param.ssl = true
|
|
|
|
Rex::Socket.create_param(param)
|
|
|
|
end
|
|
|
|
|
|
|
|
def initsock(params = nil)
|
|
|
|
raise RuntimeError, "No OpenSSL support" if not @@loaded_openssl
|
2013-11-20 04:34:31 +00:00
|
|
|
self.sslctx = makessl(params)
|
2013-08-30 21:28:33 +00:00
|
|
|
super
|
|
|
|
end
|
|
|
|
|
|
|
|
# (see TcpServer#accept)
|
|
|
|
def accept(opts = {})
|
|
|
|
sock = super()
|
|
|
|
return if not sock
|
|
|
|
|
|
|
|
begin
|
|
|
|
ssl = OpenSSL::SSL::SSLSocket.new(sock, self.sslctx)
|
|
|
|
|
|
|
|
if not allow_nonblock?(ssl)
|
|
|
|
ssl.accept
|
|
|
|
else
|
|
|
|
begin
|
|
|
|
ssl.accept_nonblock
|
2013-11-20 04:34:31 +00:00
|
|
|
rescue ::IO::WaitReadable, ::IO::WaitWritable
|
|
|
|
::IO::select( [ ssl ], nil, nil, 0.10 )
|
|
|
|
retry
|
2013-08-30 21:28:33 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
sock.extend(Rex::Socket::SslTcp)
|
|
|
|
sock.sslsock = ssl
|
|
|
|
sock.sslctx = self.sslctx
|
|
|
|
|
|
|
|
return sock
|
|
|
|
|
|
|
|
rescue ::OpenSSL::SSL::SSLError
|
|
|
|
sock.close
|
|
|
|
nil
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
# Create a new ssl context. If +ssl_cert+ is not given, generates a new
|
|
|
|
# key and a leaf certificate with random values.
|
|
|
|
#
|
2013-11-20 04:34:31 +00:00
|
|
|
# @param [Rex::Socket::Parameters] params
|
2013-08-30 21:28:33 +00:00
|
|
|
# @return [::OpenSSL::SSL::SSLContext]
|
2013-11-20 04:34:31 +00:00
|
|
|
def makessl(params)
|
|
|
|
ssl_cert = params.ssl_cert
|
2013-08-30 21:28:33 +00:00
|
|
|
if ssl_cert
|
|
|
|
cert = OpenSSL::X509::Certificate.new(ssl_cert)
|
|
|
|
key = OpenSSL::PKey::RSA.new(ssl_cert)
|
|
|
|
else
|
|
|
|
key = OpenSSL::PKey::RSA.new(1024){ }
|
|
|
|
cert = OpenSSL::X509::Certificate.new
|
|
|
|
cert.version = 2
|
|
|
|
cert.serial = rand(0xFFFFFFFF)
|
|
|
|
# name = OpenSSL::X509::Name.new([["C","JP"],["O","TEST"],["CN","localhost"]])
|
|
|
|
subject = OpenSSL::X509::Name.new([
|
|
|
|
["C","US"],
|
|
|
|
['ST', Rex::Text.rand_state()],
|
|
|
|
["L", Rex::Text.rand_text_alpha(rand(20) + 10)],
|
|
|
|
["O", Rex::Text.rand_text_alpha(rand(20) + 10)],
|
|
|
|
["CN", Rex::Text.rand_hostname],
|
|
|
|
])
|
|
|
|
issuer = OpenSSL::X509::Name.new([
|
|
|
|
["C","US"],
|
|
|
|
['ST', Rex::Text.rand_state()],
|
|
|
|
["L", Rex::Text.rand_text_alpha(rand(20) + 10)],
|
|
|
|
["O", Rex::Text.rand_text_alpha(rand(20) + 10)],
|
|
|
|
["CN", Rex::Text.rand_hostname],
|
|
|
|
])
|
|
|
|
|
|
|
|
cert.subject = subject
|
|
|
|
cert.issuer = issuer
|
|
|
|
cert.not_before = Time.now - (3600 * 365)
|
|
|
|
cert.not_after = Time.now + (3600 * 365)
|
|
|
|
cert.public_key = key.public_key
|
|
|
|
ef = OpenSSL::X509::ExtensionFactory.new(nil,cert)
|
|
|
|
cert.extensions = [
|
|
|
|
ef.create_extension("basicConstraints","CA:FALSE"),
|
|
|
|
ef.create_extension("subjectKeyIdentifier","hash"),
|
|
|
|
ef.create_extension("extendedKeyUsage","serverAuth"),
|
|
|
|
ef.create_extension("keyUsage","keyEncipherment,dataEncipherment,digitalSignature")
|
|
|
|
]
|
|
|
|
ef.issuer_certificate = cert
|
|
|
|
cert.add_extension ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
|
|
|
|
cert.sign(key, OpenSSL::Digest::SHA1.new)
|
|
|
|
end
|
|
|
|
|
|
|
|
ctx = OpenSSL::SSL::SSLContext.new()
|
|
|
|
ctx.key = key
|
|
|
|
ctx.cert = cert
|
2013-11-20 05:42:58 +00:00
|
|
|
ctx.options = 0
|
2013-11-20 04:34:31 +00:00
|
|
|
|
|
|
|
# enable/disable the SSL/TLS-level compression
|
2013-11-20 06:01:48 +00:00
|
|
|
if params.ssl_compression
|
|
|
|
ctx.options &= ~OpenSSL::SSL::OP_NO_COMPRESSION
|
|
|
|
else
|
2013-11-20 04:34:31 +00:00
|
|
|
ctx.options |= OpenSSL::SSL::OP_NO_COMPRESSION
|
|
|
|
end
|
2013-08-30 21:28:33 +00:00
|
|
|
|
|
|
|
ctx.session_id_context = Rex::Text.rand_text(16)
|
|
|
|
|
|
|
|
return ctx
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# This flag determines whether to use the non-blocking openssl
|
|
|
|
# API calls when they are available. This is still buggy on
|
|
|
|
# Linux/Mac OS X, but is required on Windows
|
|
|
|
#
|
|
|
|
def allow_nonblock?(sock=self.sock)
|
|
|
|
avail = sock.respond_to?(:accept_nonblock)
|
|
|
|
if avail and Rex::Compat.is_windows
|
|
|
|
return true
|
|
|
|
end
|
|
|
|
false
|
|
|
|
end
|
|
|
|
|
|
|
|
attr_accessor :sslctx
|
2008-11-12 22:47:21 +00:00
|
|
|
end
|
2009-11-09 00:13:25 +00:00
|
|
|
|