Browse Source

Fix curves preference detection

new-scoring
aeris 2 years ago
parent
commit
15f8574213
2 changed files with 126 additions and 15 deletions
  1. 5
    5
      lib/cryptcheck/tls/server.rb
  2. 121
    10
      spec/cryptcheck/tls/server_spec.rb

+ 5
- 5
lib/cryptcheck/tls/server.rb View File

@@ -28,7 +28,7 @@ module CryptCheck
class ConnectionError < ::StandardError
end

attr_reader :certs, :keys, :dh, :supported_curves
attr_reader :certs, :keys, :dh, :supported_curves, :curves_preference

def initialize(hostname, family, ip, port)
@hostname, @family, @ip, @port = hostname, family, ip, port
@@ -199,10 +199,10 @@ module CryptCheck
@supported_curves = Curve.select do |curve|
begin
ssl_client method, ecdh, curves: curve
Logger.info { " ECC curve #{curve}" }
Logger.info { " ECC curve #{curve.name}" }
true
rescue TLSException
Logger.debug { " ECC curve #{curve} : not supported" }
Logger.debug { " ECC curve #{curve.name} : not supported" }
false
end
end
@@ -245,10 +245,10 @@ module CryptCheck
end
connection = ssl_client method, cipher, curves: curves
curve = connection.tmp_key.curve
curve == a.name ? -1 : 1
a == curve ? -1 : 1
end
preferences = @supported_curves.sort &sort
Logger.info { 'Curves preference : ' + preferences.collect { |c| c.to_s }.join(', ') }
Logger.info { 'Curves preference : ' + preferences.collect { |c| c.name }.join(', ') }
preferences
end
end

+ 121
- 10
spec/cryptcheck/tls/server_spec.rb View File

@@ -38,45 +38,156 @@ describe CryptCheck::Tls::Server do
end

describe '#supported_curves' do
it 'must detect no supported curves' do
tls_serv material: [[:rsa, 1024]], ciphers: %w(AES128-GCM-SHA256) do
curves = server.supported_curves.collect &:name
expect(curves).to be_empty
end
end

it 'must detect supported curves for RSA' do
tls_serv material: [[:rsa, 1024]], curves: %i(prime256v1 sect571r1) do
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
curves: %i(prime256v1 sect571r1) do
curves = server.supported_curves.collect &:name
expect(curves).to contain_exactly :prime256v1, :sect571r1
end
end

it 'must detect supported curves from ECDSA' do
tls_serv material: [[:ecdsa, :prime256v1]],
curves: %i(prime256v1), server_preference: false do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
curves: %i(prime256v1), server_preference: false do
curves = server.supported_curves.collect &:name
expect(curves).to contain_exactly :prime256v1
end
end

it 'must detect supported curves from ECDSA and ECDHE' do
tls_serv material: [[:ecdsa, :prime256v1]],
curves: %i(prime256v1 sect571r1), server_preference: false do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
curves: %i(prime256v1 sect571r1), server_preference: false do
curves = server.supported_curves.collect &:name
expect(curves).to contain_exactly :prime256v1, :sect571r1
end
end

# No chance here :'(
# No luck here :'(
it 'can\'t detect supported curves from ECDHE if server preference enforced' do
tls_serv material: [[:ecdsa, :prime256v1]],
curves: %i(prime256v1 sect571r1), server_preference: true do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
curves: %i(prime256v1 sect571r1), server_preference: true do
curves = server.supported_curves.collect &:name
expect(curves).to contain_exactly :prime256v1
end

tls_serv material: [[:ecdsa, :prime256v1]],
curves: %i(sect571r1 prime256v1), server_preference: true do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
curves: %i(sect571r1 prime256v1), server_preference: true do
curves = server.supported_curves.collect &:name
expect(curves).to contain_exactly :prime256v1, :sect571r1
end
end
end

describe '#curves_preference' do
it 'must report N/A if no curve on RSA' do
tls_serv material: [[:rsa, 1024]], ciphers: %w(AES128-GCM-SHA256),
server_preference: true do
curves = server.curves_preference
expect(curves).to be_nil
end

tls_serv material: [[:rsa, 1024]], ciphers: %w(AES128-GCM-SHA256),
server_preference: false do
curves = server.curves_preference
expect(curves).to be_nil
end
end

it 'must report N/A if a single curve on RSA' do
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
curves: %i(prime256v1), server_preference: true do
curves = server.curves_preference
expect(curves).to be_nil
end

tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
curves: %i(prime256v1), server_preference: false do
curves = server.curves_preference
expect(curves).to be_nil
end
end

it 'must report server preference if server preference enforced on RSA' do
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
curves: %i(prime256v1 sect571r1), server_preference: true do
curves = server.curves_preference.collect &:name
expect(curves).to eq %i(prime256v1 sect571r1)
end

tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
curves: %i(sect571r1 prime256v1), server_preference: true do
curves = server.curves_preference.collect &:name
expect(curves).to eq %i(sect571r1 prime256v1)
end
end

it 'must report client preference if server preference not enforced on RSA' do
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
curves: %i(prime256v1 sect571r1), server_preference: false do
curves = server.curves_preference
expect(curves).to be :client
end

tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
curves: %i(sect571r1 prime256v1), server_preference: false do
curves = server.curves_preference
expect(curves).to be :client
end
end

it 'must report N/A if a single curve on ECDSA' do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
curves: %i(prime256v1), server_preference: true do
curves = server.curves_preference
expect(curves).to be_nil
end

tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
curves: %i(prime256v1), server_preference: false do
curves = server.curves_preference
expect(curves).to be_nil
end
end

# No luck here :'(
it 'can\'t detect server preference if server preference enforced on ECDSA with preference on ECDSA curve' do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
curves: %i(prime256v1 sect571r1), server_preference: true do
curves = server.curves_preference
expect(curves).to be_nil
end
end

it 'must report server preference if server preference enforced on ECDSA with preference not on ECDSA curve' do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
curves: %i(sect571r1 prime256v1), server_preference: true do
curves = server.curves_preference.collect &:name
expect(curves).to eq %i(sect571r1 prime256v1)
end
end

it 'must report client preference if server preference not enforced on ECDSA' do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
curves: %i(prime256v1 sect571r1), server_preference: false do
curves = server.curves_preference
expect(curves).to be :client
end

tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
curves: %i(sect571r1 prime256v1), server_preference: false do
curves = server.curves_preference
expect(curves).to be :client
end
end
end

describe '#md5_sign?' do
it 'must detect server using MD5 certificate' do
tls_serv do

Loading…
Cancel
Save