Better curve detection, detecting new corner case when server preference enforced

6 years ago · 4d90d2e643
parent 395d78bc64
commit 4d90d2e643
3 changed files with 25 additions and 8 deletions
--- a/lib/cryptcheck.rb
+++ b/lib/cryptcheck.rb
@ -95,6 +95,7 @@ module CryptCheck
 						else
 							server.new *a, **kargs
 						end
+					exit
 					if grade
 						g = grade.new s
 						Logger.info { '' }
--- a/lib/cryptcheck/tls/curve.rb
+++ b/lib/cryptcheck/tls/curve.rb
@ -7,14 +7,14 @@ module CryptCheck
 				@name = name
 			end

-			# SUPPORTED = %w(sect163k1 sect163r1 sect163r2 sect193r1
+			# SUPPORTED = %i(sect163k1 sect163r1 sect163r2 sect193r1
 			# 	sect193r2 sect233k1 sect233r1 sect239k1 sect283k1 sect283r1
 			# 	sect409k1 sect409r1 sect571k1 sect571r1 secp160k1 secp160r1
 			# 	secp160r2 secp192k1 secp192r1 secp224k1 secp224r1 secp256k1
 			# 	secp256r1 secp384r1 secp521r1
 			# 	prime256v1
 			# 	brainpoolP256r1 brainpoolP384r1 brainpoolP512r1)
-			SUPPORTED = %w(secp256k1 sect283k1 sect283r1 secp384r1
+			SUPPORTED = %i(secp256k1 sect283k1 sect283r1 secp384r1
 				sect409k1 sect409r1 secp521r1 sect571k1 sect571r1
 				prime192v1 prime256v1
 				brainpoolP256r1 brainpoolP384r1 brainpoolP512r1).collect { |c| self.new c }.freeze
@ -28,6 +28,17 @@ module CryptCheck
 			def to_s
 				@name
 			end
+
+			def ==(other)
+				case other
+					when String
+						@name == other.to_sym
+					when Symbol
+						@name == other
+					else
+						@name == other.name
+				end
+			end
 		end
 	end
 end
--- a/lib/cryptcheck/tls/server.rb
+++ b/lib/cryptcheck/tls/server.rb
@ -28,7 +28,7 @@ module CryptCheck
 			class ConnectionError < ::StandardError
 			end

-			attr_reader :certs, :keys, :dh
+			attr_reader :certs, :keys, :dh, :supported_curves

 			def initialize(hostname, family, ip, port)
 				@hostname, @family, @ip, @port = hostname, family, ip, port
@ -168,15 +168,20 @@ module CryptCheck
 							begin
 								connection       = ssl_client method, ecdsa, curves: [curve, ecdsa_curve]
 								# Not too fast !!!
-								# Handshake will **always** succeed, because ECDSA curve is always supported
-								# So, need to test for the real curve
+								# Handshake will **always** succeed, because ECDSA
+								# curve is always supported.
+								# So, we need to test for the real curve!
+								# Treaky case : if server preference is enforced,
+								# ECDSA curve can be prefered over ECDHE one and so
+								# really supported curve can be detected as not supported :(
+
 								dh               = connection.tmp_key
 								negociated_curve = dh.curve
-								supported        = negociated_curve != ecdsa_curve
+								supported        = ecdsa_curve != negociated_curve
 								if supported
-									Logger.info { "  ECC curve #{curve}" }
+									Logger.info { "  ECC curve #{curve.name}" }
 								else
-									Logger.debug { "  ECC curve #{curve} : not supported" }
+									Logger.debug { "  ECC curve #{curve.name} : not supported" }
 								end
 								supported
 							rescue TLSException