Browse Source

Fix curves preference detection

new-scoring
aeris 2 years ago
parent
commit
15f8574213
2 changed files with 126 additions and 15 deletions
  1. 5
    5
      lib/cryptcheck/tls/server.rb
  2. 121
    10
      spec/cryptcheck/tls/server_spec.rb

+ 5
- 5
lib/cryptcheck/tls/server.rb View File

@@ -28,7 +28,7 @@ module CryptCheck
28 28
 			class ConnectionError < ::StandardError
29 29
 			end
30 30
 
31
-			attr_reader :certs, :keys, :dh, :supported_curves
31
+			attr_reader :certs, :keys, :dh, :supported_curves, :curves_preference
32 32
 
33 33
 			def initialize(hostname, family, ip, port)
34 34
 				@hostname, @family, @ip, @port = hostname, family, ip, port
@@ -199,10 +199,10 @@ module CryptCheck
199 199
 						@supported_curves = Curve.select do |curve|
200 200
 							begin
201 201
 								ssl_client method, ecdh, curves: curve
202
-								Logger.info { "  ECC curve #{curve}" }
202
+								Logger.info { "  ECC curve #{curve.name}" }
203 203
 								true
204 204
 							rescue TLSException
205
-								Logger.debug { "  ECC curve #{curve} : not supported" }
205
+								Logger.debug { "  ECC curve #{curve.name} : not supported" }
206 206
 								false
207 207
 							end
208 208
 						end
@@ -245,10 +245,10 @@ module CryptCheck
245 245
 												 end
246 246
 												 connection = ssl_client method, cipher, curves: curves
247 247
 												 curve      = connection.tmp_key.curve
248
-												 curve == a.name ? -1 : 1
248
+												 a == curve ? -1 : 1
249 249
 											 end
250 250
 											 preferences = @supported_curves.sort &sort
251
-											 Logger.info { 'Curves preference : ' + preferences.collect { |c| c.to_s }.join(', ') }
251
+											 Logger.info { 'Curves preference : ' + preferences.collect { |c| c.name }.join(', ') }
252 252
 											 preferences
253 253
 										 end
254 254
 									 end

+ 121
- 10
spec/cryptcheck/tls/server_spec.rb View File

@@ -38,45 +38,156 @@ describe CryptCheck::Tls::Server do
38 38
 	end
39 39
 
40 40
 	describe '#supported_curves' do
41
+		it 'must detect no supported curves' do
42
+			tls_serv material: [[:rsa, 1024]], ciphers: %w(AES128-GCM-SHA256) do
43
+				curves = server.supported_curves.collect &:name
44
+				expect(curves).to be_empty
45
+			end
46
+		end
47
+
41 48
 		it 'must detect supported curves for RSA' do
42
-			tls_serv material: [[:rsa, 1024]], curves: %i(prime256v1 sect571r1) do
49
+			tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
50
+					 curves:   %i(prime256v1 sect571r1) do
43 51
 				curves = server.supported_curves.collect &:name
44 52
 				expect(curves).to contain_exactly :prime256v1, :sect571r1
45 53
 			end
46 54
 		end
47 55
 
48 56
 		it 'must detect supported curves from ECDSA' do
49
-			tls_serv material: [[:ecdsa, :prime256v1]],
50
-					 curves: %i(prime256v1), server_preference: false do
57
+			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
58
+					 curves:   %i(prime256v1), server_preference: false do
51 59
 				curves = server.supported_curves.collect &:name
52 60
 				expect(curves).to contain_exactly :prime256v1
53 61
 			end
54 62
 		end
55 63
 
56 64
 		it 'must detect supported curves from ECDSA and ECDHE' do
57
-			tls_serv material: [[:ecdsa, :prime256v1]],
58
-					 curves: %i(prime256v1 sect571r1), server_preference: false do
65
+			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
66
+					 curves:   %i(prime256v1 sect571r1), server_preference: false do
59 67
 				curves = server.supported_curves.collect &:name
60 68
 				expect(curves).to contain_exactly :prime256v1, :sect571r1
61 69
 			end
62 70
 		end
63 71
 
64
-		# No chance here :'(
72
+		# No luck here :'(
65 73
 		it 'can\'t detect supported curves from ECDHE if server preference enforced' do
66
-			tls_serv material: [[:ecdsa, :prime256v1]],
67
-					 curves: %i(prime256v1 sect571r1), server_preference: true do
74
+			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
75
+					 curves:   %i(prime256v1 sect571r1), server_preference: true do
68 76
 				curves = server.supported_curves.collect &:name
69 77
 				expect(curves).to contain_exactly :prime256v1
70 78
 			end
71 79
 
72
-			tls_serv material: [[:ecdsa, :prime256v1]],
73
-					 curves: %i(sect571r1 prime256v1), server_preference: true do
80
+			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
81
+					 curves:   %i(sect571r1 prime256v1), server_preference: true do
74 82
 				curves = server.supported_curves.collect &:name
75 83
 				expect(curves).to contain_exactly :prime256v1, :sect571r1
76 84
 			end
77 85
 		end
78 86
 	end
79 87
 
88
+	describe '#curves_preference' do
89
+		it 'must report N/A if no curve on RSA' do
90
+			tls_serv material:          [[:rsa, 1024]], ciphers: %w(AES128-GCM-SHA256),
91
+					 server_preference: true do
92
+				curves = server.curves_preference
93
+				expect(curves).to be_nil
94
+			end
95
+
96
+			tls_serv material:          [[:rsa, 1024]], ciphers: %w(AES128-GCM-SHA256),
97
+					 server_preference: false do
98
+				curves = server.curves_preference
99
+				expect(curves).to be_nil
100
+			end
101
+		end
102
+
103
+		it 'must report N/A if a single curve on RSA' do
104
+			tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
105
+					 curves:   %i(prime256v1), server_preference: true do
106
+				curves = server.curves_preference
107
+				expect(curves).to be_nil
108
+			end
109
+
110
+			tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
111
+					 curves:   %i(prime256v1), server_preference: false do
112
+				curves = server.curves_preference
113
+				expect(curves).to be_nil
114
+			end
115
+		end
116
+
117
+		it 'must report server preference if server preference enforced on RSA' do
118
+			tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
119
+					 curves:   %i(prime256v1 sect571r1), server_preference: true do
120
+				curves = server.curves_preference.collect &:name
121
+				expect(curves).to eq %i(prime256v1 sect571r1)
122
+			end
123
+
124
+			tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
125
+					 curves:   %i(sect571r1 prime256v1), server_preference: true do
126
+				curves = server.curves_preference.collect &:name
127
+				expect(curves).to eq %i(sect571r1 prime256v1)
128
+			end
129
+		end
130
+
131
+		it 'must report client preference if server preference not enforced on RSA' do
132
+			tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
133
+					 curves:   %i(prime256v1 sect571r1), server_preference: false do
134
+				curves = server.curves_preference
135
+				expect(curves).to be :client
136
+			end
137
+
138
+			tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
139
+					 curves:   %i(sect571r1 prime256v1), server_preference: false do
140
+				curves = server.curves_preference
141
+				expect(curves).to be :client
142
+			end
143
+		end
144
+
145
+		it 'must report N/A if a single curve on ECDSA' do
146
+			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
147
+					 curves:   %i(prime256v1), server_preference: true do
148
+				curves = server.curves_preference
149
+				expect(curves).to be_nil
150
+			end
151
+
152
+			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
153
+					 curves:   %i(prime256v1), server_preference: false do
154
+				curves = server.curves_preference
155
+				expect(curves).to be_nil
156
+			end
157
+		end
158
+
159
+		# No luck here :'(
160
+		it 'can\'t detect server preference if server preference enforced on ECDSA with preference on ECDSA curve' do
161
+			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
162
+					 curves:   %i(prime256v1 sect571r1), server_preference: true do
163
+				curves = server.curves_preference
164
+				expect(curves).to be_nil
165
+			end
166
+		end
167
+
168
+		it 'must report server preference if server preference enforced on ECDSA with preference not on ECDSA curve' do
169
+			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
170
+					 curves:   %i(sect571r1 prime256v1), server_preference: true do
171
+				curves = server.curves_preference.collect &:name
172
+				expect(curves).to eq %i(sect571r1 prime256v1)
173
+			end
174
+		end
175
+
176
+		it 'must report client preference if server preference not enforced on ECDSA' do
177
+			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
178
+					 curves:   %i(prime256v1 sect571r1), server_preference: false do
179
+				curves = server.curves_preference
180
+				expect(curves).to be :client
181
+			end
182
+
183
+			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
184
+					 curves:   %i(sect571r1 prime256v1), server_preference: false do
185
+				curves = server.curves_preference
186
+				expect(curves).to be :client
187
+			end
188
+		end
189
+	end
190
+
80 191
 	describe '#md5_sign?' do
81 192
 		it 'must detect server using MD5 certificate' do
82 193
 			tls_serv do

Loading…
Cancel
Save