aeris
/
cryptcheck
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

Better curve detection, detecting new corner case when server preference enforced

aeris 2 years ago
parent
395d78bc64
commit
4d90d2e643
3 changed files with 25 additions and 8 deletions
Split View Show Diff Stats
  1. 1
    0
      lib/cryptcheck.rb
  2. 13
    2
      lib/cryptcheck/tls/curve.rb
  3. 11
    6
      lib/cryptcheck/tls/server.rb

+ 1
- 0
lib/cryptcheck.rb View File 

@@ -95,6 +95,7 @@ module CryptCheck
95 95 
 						else
96 96 
 							server.new *a, **kargs
97 97 
 						end
98 
+					exit
98 99 
 					if grade
99 100 
 						g = grade.new s
100 101 
 						Logger.info { '' }

+ 13
- 2
lib/cryptcheck/tls/curve.rb View File 

@@ -7,14 +7,14 @@ module CryptCheck
7 7 
 				@name = name
8 8 
 			end
9 9
10 
-			# SUPPORTED = %w(sect163k1 sect163r1 sect163r2 sect193r1
10 
+			# SUPPORTED = %i(sect163k1 sect163r1 sect163r2 sect193r1
11 11 
 			# 	sect193r2 sect233k1 sect233r1 sect239k1 sect283k1 sect283r1
12 12 
 			# 	sect409k1 sect409r1 sect571k1 sect571r1 secp160k1 secp160r1
13 13 
 			# 	secp160r2 secp192k1 secp192r1 secp224k1 secp224r1 secp256k1
14 14 
 			# 	secp256r1 secp384r1 secp521r1
15 15 
 			# 	prime256v1
16 16 
 			# 	brainpoolP256r1 brainpoolP384r1 brainpoolP512r1)
17 
-			SUPPORTED = %w(secp256k1 sect283k1 sect283r1 secp384r1
17 
+			SUPPORTED = %i(secp256k1 sect283k1 sect283r1 secp384r1
18 18 
 				sect409k1 sect409r1 secp521r1 sect571k1 sect571r1
19 19 
 				prime192v1 prime256v1
20 20 
 				brainpoolP256r1 brainpoolP384r1 brainpoolP512r1).collect { |c| self.new c }.freeze
 
@@ -28,6 +28,17 @@ module CryptCheck
28 28 
 			def to_s
29 29 
 				@name
30 30 
 			end
31 
+
32 
+			def ==(other)
33 
+				case other
34 
+					when String
35 
+						@name == other.to_sym
36 
+					when Symbol
37 
+						@name == other
38 
+					else
39 
+						@name == other.name
40 
+				end
41 
+			end
31 42 
 		end
32 43 
 	end
33 44 
 end

+ 11
- 6
lib/cryptcheck/tls/server.rb View File 

@@ -28,7 +28,7 @@ module CryptCheck
28 28 
 			class ConnectionError < ::StandardError
29 29 
 			end
30 30
31 
-			attr_reader :certs, :keys, :dh
31 
+			attr_reader :certs, :keys, :dh, :supported_curves
32 32
33 33 
 			def initialize(hostname, family, ip, port)
34 34 
 				@hostname, @family, @ip, @port = hostname, family, ip, port
 
@@ -168,15 +168,20 @@ module CryptCheck
168 168 
 							begin
169 169 
 								connection       = ssl_client method, ecdsa, curves: [curve, ecdsa_curve]
170 170 
 								# Not too fast !!!
171 
-								# Handshake will **always** succeed, because ECDSA curve is always supported
172 
-								# So, need to test for the real curve
171 
+								# Handshake will **always** succeed, because ECDSA
172 
+								# curve is always supported.
173 
+								# So, we need to test for the real curve!
174 
+								# Treaky case : if server preference is enforced,
175 
+								# ECDSA curve can be prefered over ECDHE one and so
176 
+								# really supported curve can be detected as not supported :(
177 
+
173 178 
 								dh               = connection.tmp_key
174 179 
 								negociated_curve = dh.curve
175 
-								supported        = negociated_curve != ecdsa_curve
180 
+								supported        = ecdsa_curve != negociated_curve
176 181 
 								if supported
177 
-									Logger.info { "  ECC curve #{curve}" }
182 
+									Logger.info { "  ECC curve #{curve.name}" }
178 183 
 								else
179 
-									Logger.debug { "  ECC curve #{curve} : not supported" }
184 
+									Logger.debug { "  ECC curve #{curve.name} : not supported" }
180 185 
 								end
181 186 
 								supported
182 187 
 							rescue TLSException

Write Preview
Loading…
Cancel
Save