module SSLScan::Socket::SslTcp
This class provides methods for interacting with an SSL TCP client connection.
Public Class Methods
create(hash = {})
click to toggle source
Creates an SSL TCP instance.
# File lib/ssl_scan/socket/ssl_tcp.rb, line 32 def self.create(hash = {}) raise RuntimeError, "No OpenSSL support" if not @@loaded_openssl hash['SSL'] = true self.create_param(SSLScan::Socket::Parameters.from_hash(hash)) end
create_param(param)
click to toggle source
Set the SSL flag to true and call the base class's create_param
routine.
# File lib/ssl_scan/socket/ssl_tcp.rb, line 41 def self.create_param(param) param.ssl = true SSLScan::Socket::Tcp.create_param(param) end
Public Instance Methods
allow_nonblock?()
click to toggle source
This flag determines whether to use the non-blocking openssl API calls when they are available. This is still buggy on Linux/Mac OS X, but is required on Windows
# File lib/ssl_scan/socket/ssl_tcp.rb, line 320 def allow_nonblock? avail = self.sslsock.respond_to?(:accept_nonblock) if avail and SSLScan::Compat.is_windows return true end false end
cipher()
click to toggle source
Access to the current cipher
# File lib/ssl_scan/socket/ssl_tcp.rb, line 297 def cipher sslsock.cipher if sslsock end
close()
click to toggle source
Closes the SSL socket.
Calls superclass method
# File lib/ssl_scan/socket/ssl_tcp.rb, line 267 def close sslsock.close rescue nil super end
initsock(params = nil)
click to toggle source
Initializes the SSL socket.
Calls superclass method
# File lib/ssl_scan/socket/ssl_tcp.rb, line 55 def initsock(params = nil) super version = :SSLv3 if(params) case params.ssl_version when 'SSL2', :SSLv2 version = :SSLv2 when 'SSL23', :SSLv23 version = :SSLv23 when 'TLS1', :TLSv1 version = :TLSv1 end end # Build the SSL connection self.sslctx = OpenSSL::SSL::SSLContext.new(version) # Configure the SSL context # TODO: Allow the user to specify the verify mode callback # Valid modes: # VERIFY_CLIENT_ONCE # VERIFY_FAIL_IF_NO_PEER_CERT # VERIFY_NONE # VERIFY_PEER if params.ssl_verify_mode self.sslctx.verify_mode = OpenSSL::SSL.const_get("VERIFY_#{params.ssl_verify_mode}".intern) else # Could also do this as graceful faildown in case a passed verify_mode is not supported self.sslctx.verify_mode = OpenSSL::SSL::VERIFY_PEER end self.sslctx.options = OpenSSL::SSL::OP_ALL if params.ssl_cipher self.sslctx.ciphers = params.ssl_cipher end # Set the verification callback self.sslctx.verify_callback = Proc.new do |valid, store| self.peer_verified = valid true end # Tie the context to a socket self.sslsock = OpenSSL::SSL::SSLSocket.new(self, self.sslctx) # XXX - enabling this causes infinite recursion, so disable for now # self.sslsock.sync_close = true # Force a negotiation timeout begin Timeout.timeout(params.timeout) do if not allow_nonblock? self.sslsock.connect else begin self.sslsock.connect_nonblock # Ruby 1.8.7 and 1.9.0/1.9.1 uses a standard Errno rescue ::Errno::EAGAIN, ::Errno::EWOULDBLOCK IO::select(nil, nil, nil, 0.10) retry # Ruby 1.9.2+ uses IO::WaitReadable/IO::WaitWritable rescue ::Exception => e if ::IO.const_defined?('WaitReadable') and e.kind_of?(::IO::WaitReadable) IO::select( [ self.sslsock ], nil, nil, 0.10 ) retry end if ::IO.const_defined?('WaitWritable') and e.kind_of?(::IO::WaitWritable) IO::select( nil, [ self.sslsock ], nil, 0.10 ) retry end raise e end end end rescue ::Timeout::Error raise SSLScan::ConnectionTimeout.new(params.peerhost, params.peerport) end end
peer_cert()
click to toggle source
Access to peer cert
# File lib/ssl_scan/socket/ssl_tcp.rb, line 283 def peer_cert sslsock.peer_cert if sslsock end
peer_cert_chain()
click to toggle source
Access to peer cert chain
# File lib/ssl_scan/socket/ssl_tcp.rb, line 290 def peer_cert_chain sslsock.peer_cert_chain if sslsock end
read(length = nil, opts = {})
click to toggle source
Reads data from the SSL socket.
# File lib/ssl_scan/socket/ssl_tcp.rb, line 208 def read(length = nil, opts = {}) if not allow_nonblock? length = 16384 unless length begin return sslsock.sysread(length) rescue ::IOError, ::Errno::EPIPE, ::OpenSSL::SSL::SSLError return nil end return end begin while true s = SSLScan::ThreadSafe.select( [ self.sslsock ], nil, nil, 0.10 ) if( s == nil || s[0] == nil ) next end return sslsock.read_nonblock( length ) end rescue ::IOError, ::Errno::EPIPE return nil # Ruby 1.8.7 and 1.9.0/1.9.1 uses a standard Errno rescue ::Errno::EAGAIN, ::Errno::EWOULDBLOCK # Sleep for a tenth a second, or until we can read again SSLScan::ThreadSafe.select( [ self.sslsock ], nil, nil, 0.10 ) # Decrement the block size to handle full sendQs better block_size = 1024 # Try to write the data again retry # Ruby 1.9.2+ uses IO::WaitReadable/IO::WaitWritable rescue ::Exception => e if ::IO.const_defined?('WaitReadable') and e.kind_of?(::IO::WaitReadable) IO::select( [ self.sslsock ], nil, nil, 0.5 ) retry end if ::IO.const_defined?('WaitWritable') and e.kind_of?(::IO::WaitWritable) IO::select( nil, [ self.sslsock ], nil, 0.5 ) retry end # Another form of SSL error, this is always fatal if e.kind_of?(::OpenSSL::SSL::SSLError) return nil end raise e end end
shutdown(how=0)
click to toggle source
Ignore shutdown requests
# File lib/ssl_scan/socket/ssl_tcp.rb, line 275 def shutdown(how=0) # Calling shutdown() on an SSL socket can lead to bad things # Cause of http://metasploit.com/dev/trac/ticket/102 end
sysread(*args)
click to toggle source
Prevent a sysread from the bare socket
# File lib/ssl_scan/socket/ssl_tcp.rb, line 304 def sysread(*args) raise RuntimeError, "Invalid sysread() call on SSL socket" end
syswrite(*args)
click to toggle source
Prevent a sysread from the bare socket
# File lib/ssl_scan/socket/ssl_tcp.rb, line 311 def syswrite(*args) raise RuntimeError, "Invalid syswrite() call on SSL socket" end
type?()
click to toggle source
# File lib/ssl_scan/socket/ssl_tcp.rb, line 339 def type? return 'tcp-ssl' end
write(buf, opts = {})
click to toggle source
Writes data over the SSL socket.
# File lib/ssl_scan/socket/ssl_tcp.rb, line 148 def write(buf, opts = {}) return sslsock.write(buf) if not allow_nonblock? total_sent = 0 total_length = buf.length block_size = 16384 retry_time = 0.5 begin while( total_sent < total_length ) s = SSLScan::ThreadSafe.select( nil, [ self.sslsock ], nil, 0.25 ) if( s == nil || s[0] == nil ) next end data = buf[total_sent, block_size] sent = sslsock.write_nonblock( data ) if sent > 0 total_sent += sent end end rescue ::IOError, ::Errno::EPIPE return nil # Ruby 1.8.7 and 1.9.0/1.9.1 uses a standard Errno rescue ::Errno::EAGAIN, ::Errno::EWOULDBLOCK # Sleep for a half a second, or until we can write again SSLScan::ThreadSafe.select( nil, [ self.sslsock ], nil, retry_time ) # Decrement the block size to handle full sendQs better block_size = 1024 # Try to write the data again retry # Ruby 1.9.2+ uses IO::WaitReadable/IO::WaitWritable rescue ::Exception => e if ::IO.const_defined?('WaitReadable') and e.kind_of?(::IO::WaitReadable) IO::select( [ self.sslsock ], nil, nil, retry_time ) retry end if ::IO.const_defined?('WaitWritable') and e.kind_of?(::IO::WaitWritable) IO::select( nil, [ self.sslsock ], nil, retry_time ) retry end # Another form of SSL error, this is always fatal if e.kind_of?(::OpenSSL::SSL::SSLError) return nil end # Bubble the event up to the caller otherwise raise e end total_sent end