Add verification methods to HTTPS

This commit enables peer verification for SSL.
It also gives the user options to verify the server if the server uses a self-signed cert.
There is an override to skip verification as well.

Author: jbarnett-r7

lib/metasploit/framework/data_service/remote/http/core.rb

@@ -22,9 +22,10 @@ class RemoteHTTPDataService
   #
   # @param [String] endpoint A valid http or https URL. Cannot be nil
   #
-  def initialize(endpoint)
+  def initialize(endpoint, https_opts = {})
     validate_endpoint(endpoint)
     @endpoint = URI.parse(endpoint)
+    @https_opts = https_opts
     build_client_pool(5)
   end
 
@@ -244,12 +245,39 @@ def build_client_pool(size)
       http = Net::HTTP.new(@endpoint.host, @endpoint.port)
       if @endpoint.is_a?(URI::HTTPS)
         http.use_ssl = true
-        http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+        http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+        unless @https_opts.empty?
+          if @https_opts[:skip_verify]
+            http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+          else
+            # https://stackoverflow.com/questions/22093042/implementing-https-certificate-pubkey-pinning-with-ruby
+            user_passed_cert = OpenSSL::X509::Certificate.new(File.read(@https_opts[:cert]))
+
+            http.verify_callback = lambda do |preverify_ok, cert_store|
+              server_cert = cert_store.chain[0]
+              return true unless server_cert.to_der == cert_store.current_cert.to_der
+              same_public_key?(server_cert, user_passed_cert)
+            end
+          end
+        end
       end
       @client_pool << http
     }
   end
 
+  # Tells us whether the private keys on the passed certificates match
+  # and use the same algo
+  def same_public_key?(ref_cert, actual_cert)
+    pkr, pka = ref_cert.public_key, actual_cert.public_key
+
+    # First check if the public keys use the same crypto...
+    return false unless pkr.class == pka.class
+    # ...and then - that they have the same contents
+    return false unless pkr.to_pem == pka.to_pem
+
+    true
+  end
+
   def try_sound_effect()
     sound_file = ::File.join(Msf::Config.data_directory, "sounds", "Goliath_Online_Sound_Effect.wav")
     Rex::Compat.play_sound(sound_file)

lib/msf/ui/console/command_dispatcher/db.rb

@@ -101,6 +101,7 @@ def cmd_list_data_services()
           def cmd_add_data_service(*args)
             protocol = "http"
             port = 80
+            https_opts = {}
             while (arg = args.shift)
               case arg
                 when '-h', '--help'
@@ -110,6 +111,10 @@ def cmd_add_data_service(*args)
                   port = args.shift
                 when '-s', '--ssl'
                   protocol = "https"
+                when '-c'
+                  https_opts[:cert] = args.shift
+                when '--skip-verify'
+                  https_opts[:skip_verify] = true
                 else
                   host = arg
               end
@@ -121,7 +126,7 @@ def cmd_add_data_service(*args)
             end
 
             endpoint = "#{protocol}://#{host}:#{port}"
-            remote_data_service = Metasploit::Framework::DataService::RemoteHTTPDataService.new(endpoint)
+            remote_data_service = Metasploit::Framework::DataService::RemoteHTTPDataService.new(endpoint, https_opts)
             data_service_manager = Metasploit::Framework::DataService::DataProxy.instance
             data_service_manager.register_data_service(remote_data_service)
           end
@@ -131,8 +136,10 @@ def cmd_add_data_service_help
             print_line
             print_line "OPTIONS:"
             print_line "  -h, --help        Show this help information."
-            print_line "  -p <port>         The port the data service is listening on. Default is 80"
+            print_line "  -p <port>         The port the data service is listening on. Default is 80."
             print_line "  -s, --ssl         Enable SSL. Required for HTTPS data services."
+            print_line "  -c                Certificate file matching the server's certificate. Needed when using self-signed SSL cert."
+            print_line "  --skip-verify     Skip validating authenticity of server's certificate. NOT RECOMMENDED."
             print_line
           end