Fix curves preference detection

6 years ago · 15f8574213
parent 4d90d2e643
commit 15f8574213
2 changed files with 126 additions and 15 deletions
--- a/lib/cryptcheck/tls/server.rb
+++ b/lib/cryptcheck/tls/server.rb
@ -28,7 +28,7 @@ module CryptCheck
 			class ConnectionError < ::StandardError
 			end

-			attr_reader :certs, :keys, :dh, :supported_curves
+			attr_reader :certs, :keys, :dh, :supported_curves, :curves_preference

 			def initialize(hostname, family, ip, port)
 				@hostname, @family, @ip, @port = hostname, family, ip, port
@ -199,10 +199,10 @@ module CryptCheck
 						@supported_curves = Curve.select do |curve|
 							begin
 								ssl_client method, ecdh, curves: curve
-								Logger.info { "  ECC curve #{curve}" }
+								Logger.info { "  ECC curve #{curve.name}" }
 								true
 							rescue TLSException
-								Logger.debug { "  ECC curve #{curve} : not supported" }
+								Logger.debug { "  ECC curve #{curve.name} : not supported" }
 								false
 							end
 						end
@ -245,10 +245,10 @@ module CryptCheck
 												 end
 												 connection = ssl_client method, cipher, curves: curves
 												 curve      = connection.tmp_key.curve
-												 curve == a.name ? -1 : 1
+												 a == curve ? -1 : 1
 											 end
 											 preferences = @supported_curves.sort &sort
-											 Logger.info { 'Curves preference : ' + preferences.collect { |c| c.to_s }.join(', ') }
+											 Logger.info { 'Curves preference : ' + preferences.collect { |c| c.name }.join(', ') }
 											 preferences
 										 end
 									 end
--- a/spec/cryptcheck/tls/server_spec.rb
+++ b/spec/cryptcheck/tls/server_spec.rb
@ -38,45 +38,156 @@ describe CryptCheck::Tls::Server do
 	end

 	describe '#supported_curves' do
+		it 'must detect no supported curves' do
+			tls_serv material: [[:rsa, 1024]], ciphers: %w(AES128-GCM-SHA256) do
+				curves = server.supported_curves.collect &:name
+				expect(curves).to be_empty
+			end
+		end
+
 		it 'must detect supported curves for RSA' do
-			tls_serv material: [[:rsa, 1024]], curves: %i(prime256v1 sect571r1) do
+			tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
+					 curves:   %i(prime256v1 sect571r1) do
 				curves = server.supported_curves.collect &:name
 				expect(curves).to contain_exactly :prime256v1, :sect571r1
 			end
 		end

 		it 'must detect supported curves from ECDSA' do
-			tls_serv material: [[:ecdsa, :prime256v1]],
-					 curves: %i(prime256v1), server_preference: false do
+			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
+					 curves:   %i(prime256v1), server_preference: false do
 				curves = server.supported_curves.collect &:name
 				expect(curves).to contain_exactly :prime256v1
 			end
 		end

 		it 'must detect supported curves from ECDSA and ECDHE' do
-			tls_serv material: [[:ecdsa, :prime256v1]],
-					 curves: %i(prime256v1 sect571r1), server_preference: false do
+			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
+					 curves:   %i(prime256v1 sect571r1), server_preference: false do
 				curves = server.supported_curves.collect &:name
 				expect(curves).to contain_exactly :prime256v1, :sect571r1
 			end
 		end

-		# No chance here :'(
+		# No luck here :'(
 		it 'can\'t detect supported curves from ECDHE if server preference enforced' do
-			tls_serv material: [[:ecdsa, :prime256v1]],
-					 curves: %i(prime256v1 sect571r1), server_preference: true do
+			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
+					 curves:   %i(prime256v1 sect571r1), server_preference: true do
 				curves = server.supported_curves.collect &:name
 				expect(curves).to contain_exactly :prime256v1
 			end

-			tls_serv material: [[:ecdsa, :prime256v1]],
-					 curves: %i(sect571r1 prime256v1), server_preference: true do
+			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
+					 curves:   %i(sect571r1 prime256v1), server_preference: true do
 				curves = server.supported_curves.collect &:name
 				expect(curves).to contain_exactly :prime256v1, :sect571r1
 			end
 		end
 	end

+	describe '#curves_preference' do
+		it 'must report N/A if no curve on RSA' do
+			tls_serv material:          [[:rsa, 1024]], ciphers: %w(AES128-GCM-SHA256),
+					 server_preference: true do
+				curves = server.curves_preference
+				expect(curves).to be_nil
+			end
+
+			tls_serv material:          [[:rsa, 1024]], ciphers: %w(AES128-GCM-SHA256),
+					 server_preference: false do
+				curves = server.curves_preference
+				expect(curves).to be_nil
+			end
+		end
+
+		it 'must report N/A if a single curve on RSA' do
+			tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
+					 curves:   %i(prime256v1), server_preference: true do
+				curves = server.curves_preference
+				expect(curves).to be_nil
+			end
+
+			tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
+					 curves:   %i(prime256v1), server_preference: false do
+				curves = server.curves_preference
+				expect(curves).to be_nil
+			end
+		end
+
+		it 'must report server preference if server preference enforced on RSA' do
+			tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
+					 curves:   %i(prime256v1 sect571r1), server_preference: true do
+				curves = server.curves_preference.collect &:name
+				expect(curves).to eq %i(prime256v1 sect571r1)
+			end
+
+			tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
+					 curves:   %i(sect571r1 prime256v1), server_preference: true do
+				curves = server.curves_preference.collect &:name
+				expect(curves).to eq %i(sect571r1 prime256v1)
+			end
+		end
+
+		it 'must report client preference if server preference not enforced on RSA' do
+			tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
+					 curves:   %i(prime256v1 sect571r1), server_preference: false do
+				curves = server.curves_preference
+				expect(curves).to be :client
+			end
+
+			tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
+					 curves:   %i(sect571r1 prime256v1), server_preference: false do
+				curves = server.curves_preference
+				expect(curves).to be :client
+			end
+		end
+
+		it 'must report N/A if a single curve on ECDSA' do
+			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
+					 curves:   %i(prime256v1), server_preference: true do
+				curves = server.curves_preference
+				expect(curves).to be_nil
+			end
+
+			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
+					 curves:   %i(prime256v1), server_preference: false do
+				curves = server.curves_preference
+				expect(curves).to be_nil
+			end
+		end
+
+		# No luck here :'(
+		it 'can\'t detect server preference if server preference enforced on ECDSA with preference on ECDSA curve' do
+			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
+					 curves:   %i(prime256v1 sect571r1), server_preference: true do
+				curves = server.curves_preference
+				expect(curves).to be_nil
+			end
+		end
+
+		it 'must report server preference if server preference enforced on ECDSA with preference not on ECDSA curve' do
+			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
+					 curves:   %i(sect571r1 prime256v1), server_preference: true do
+				curves = server.curves_preference.collect &:name
+				expect(curves).to eq %i(sect571r1 prime256v1)
+			end
+		end
+
+		it 'must report client preference if server preference not enforced on ECDSA' do
+			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
+					 curves:   %i(prime256v1 sect571r1), server_preference: false do
+				curves = server.curves_preference
+				expect(curves).to be :client
+			end
+
+			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
+					 curves:   %i(sect571r1 prime256v1), server_preference: false do
+				curves = server.curves_preference
+				expect(curves).to be :client
+			end
+		end
+	end
+
 	describe '#md5_sign?' do
 		it 'must detect server using MD5 certificate' do
 			tls_serv do