Kaynağa Gözat

TLS server for testing

new-scoring
aeris 2 yıl önce
ebeveyn
işleme
52a19f8c35
6 değiştirilmiş dosya ile 189 ekleme ve 31 silme
  1. 8
    7
      .gitignore
  2. 1
    0
      bin/tls_server
  3. 123
    0
      bin/tls_server.rb
  4. 53
    20
      lib/cryptcheck/tls/fixture.rb
  5. 2
    2
      lib/cryptcheck/tls/server.rb
  6. 2
    2
      spec/helpers.rb

+ 8
- 7
.gitignore Dosyayı Görüntüle

@@ -1,13 +1,14 @@
1 1
 *.iml
2 2
 *.gem
3
-Gemfile.lock
3
+*.pem
4 4
 .rakeTasks
5 5
 .idea/
6
-/html/
7
-/rakefile
8
-/output/*.html
6
+/build/
9 7
 /db/*.sqlite3
10 8
 /db/schema.rb
11
-/lib/**/*.so
12
-/lib/**/*.so.1.0.0
13
-/build/
9
+/output/*.html
10
+/lib/*.so
11
+/lib/*.so.*
12
+/.ruby-version
13
+/rakefile
14
+Gemfile.lock

+ 1
- 0
bin/tls_server Dosyayı Görüntüle

@@ -0,0 +1 @@
1
+runner

+ 123
- 0
bin/tls_server.rb Dosyayı Görüntüle

@@ -0,0 +1,123 @@
1
+#!/usr/bin/env ruby
2
+$:.unshift File.expand_path File.join File.dirname(__FILE__), '../lib'
3
+require 'rubygems'
4
+require 'bundler/setup'
5
+require 'openssl'
6
+require 'socket'
7
+require 'cryptcheck'
8
+
9
+::CryptCheck::Logger.level = ENV['LOG'] || :info
10
+
11
+OpenSSL::PKey::EC.send :alias_method, :private?, :private_key?
12
+
13
+# [512, 768, 1024, 2048, 3072, 4096].each do |s|
14
+# 	file = "config/rsa-#{s}.pem"
15
+# 	unless File.exists? file
16
+# 		puts :rsa, s
17
+# 		dh = OpenSSL::PKey::RSA.new s
18
+# 		File.write file, dh.to_pem
19
+# 	end
20
+#
21
+# 	file = "config/dh-#{s}.pem"
22
+# 	unless File.exists? file
23
+# 		puts :dh, s
24
+# 		dh = OpenSSL::PKey::DH.new s
25
+# 		File.write file, dh.to_pem
26
+# 	end
27
+# end
28
+# exit
29
+
30
+def certificate(key)
31
+	CryptCheck::Logger.info 'Generating certificate'
32
+	cert            = OpenSSL::X509::Certificate.new
33
+	cert.version    = 2
34
+	cert.serial     = rand 2**(20*8-1) .. 2**(20*8)
35
+	cert.not_before = Time.now
36
+	cert.not_after  = Time.now + 365*24*60*60
37
+
38
+	cert.public_key = case key
39
+						  when OpenSSL::PKey::EC
40
+							  curve             = key.group.curve_name
41
+							  public            = OpenSSL::PKey::EC.new curve
42
+							  public.public_key = key.public_key
43
+							  public
44
+						  else
45
+							  key.public_key
46
+					  end
47
+
48
+	name         = OpenSSL::X509::Name.parse 'CN=localhost'
49
+	cert.subject = name
50
+	cert.issuer  = name
51
+
52
+	extension_factory                     = OpenSSL::X509::ExtensionFactory.new nil, cert
53
+	extension_factory.subject_certificate = cert
54
+	extension_factory.issuer_certificate  = cert
55
+
56
+	cert.add_extension extension_factory.create_extension 'basicConstraints', 'CA:TRUE', true
57
+	cert.add_extension extension_factory.create_extension 'keyUsage', 'keyEncipherment, dataEncipherment, digitalSignature,nonRepudiation,keyCertSign'
58
+	cert.add_extension extension_factory.create_extension 'extendedKeyUsage', 'serverAuth, clientAuth'
59
+	cert.add_extension extension_factory.create_extension 'subjectKeyIdentifier', 'hash'
60
+	cert.add_extension extension_factory.create_extension 'authorityKeyIdentifier', 'keyid:always'
61
+	cert.add_extension extension_factory.create_extension 'subjectAltName', 'DNS:localhost'
62
+
63
+	cert.add_extension OpenSSL::X509::Extension.new '1.3.6.1.5.5.7.1.24', '0', true
64
+
65
+	cert.sign key, OpenSSL::Digest::SHA512.new
66
+	CryptCheck::Logger.info 'Certificate generated'
67
+	cert
68
+end
69
+
70
+key = OpenSSL::PKey::RSA.new File.read 'config/rsa-2048.pem'
71
+#key = OpenSSL::PKey::EC.new('secp521r1').generate_key
72
+cert = certificate key
73
+
74
+CryptCheck::Logger.info 'Starting server'
75
+
76
+context = OpenSSL::SSL::SSLContext.new
77
+#context = OpenSSL::SSL::SSLContext.new :SSLv3
78
+#context         = OpenSSL::SSL::SSLContext.new :TLSv1_1
79
+context.cert    = cert
80
+context.key     = key
81
+context.ciphers = ARGV[0] || 'ECDHE+AESGCM'
82
+
83
+dh                      = OpenSSL::PKey::DH.new File.read 'config/dh-4096.pem'
84
+context.tmp_dh_callback = proc { dh }
85
+#context.ecdh_curves = CryptCheck::Tls::Server::SUPPORTED_CURVES.join ':'
86
+#context.ecdh_curves = 'secp384r1:secp521r1:sect571r1'
87
+context.ecdh_curves     = 'secp384r1'
88
+#ecdh = OpenSSL::PKey::EC.new('secp384r1').generate_key
89
+#context.tmp_ecdh_callback = proc { ecdh }
90
+
91
+host, port = '::', 5000
92
+tcp_server              = TCPServer.new host, port
93
+tls_server              = OpenSSL::SSL::SSLServer.new tcp_server, context
94
+::CryptCheck::Logger.info "Server started on #{host}:#{port}"
95
+
96
+loop do
97
+	begin
98
+		connection = tls_server.accept
99
+
100
+		method = connection.ssl_version
101
+
102
+		dh = connection.tmp_key
103
+		cipher = connection.cipher
104
+		cipher = CryptCheck::Tls::Cipher.new method, cipher, dh
105
+		states = cipher.states
106
+		text   = %i(critical error warning good perfect best).collect do |s|
107
+			states[s].collect { |t| t.to_s.colorize s }.join ' '
108
+		end.reject &:empty?
109
+		text   = text.join ' '
110
+
111
+		dh     = dh ? " (#{'PFS'.colorize :good} : #{CryptCheck::Tls.key_to_s dh})" : ''
112
+		CryptCheck::Logger.info { "#{CryptCheck::Tls.colorize method} / #{cipher.colorize}#{dh} [#{text}]" }
113
+
114
+		data       = connection.gets
115
+		if data
116
+			CryptCheck::Logger.info data
117
+		end
118
+		connection.puts 'HTTP/1.1 200 OK'
119
+		connection.puts 'Strict-Transport-Security: max-age=31536000'
120
+		connection.close
121
+	rescue OpenSSL::SSL::SSLError, SystemCallError
122
+	end
123
+end

+ 53
- 20
lib/cryptcheck/tls/fixture.rb Dosyayı Görüntüle

@@ -5,29 +5,51 @@ class String
5 5
 
6 6
 	COLORS = {
7 7
 			critical: { color: :white, background: :red },
8
-			error: :red,
9
-			warning: :light_red,
10
-			good: :green,
11
-			perfect: :blue,
12
-			best: :magenta,
13
-			unknown: { background: :black }
8
+			error:    :red,
9
+			warning:  :light_red,
10
+			good:     :green,
11
+			perfect:  :blue,
12
+			best:     :magenta,
13
+			unknown:  { background: :black }
14 14
 	}
15 15
 
16 16
 	def colorize(state)
17
-		self.colorize_old COLORS[state]
17
+		color = COLORS[state] || state
18
+		self.colorize_old color
19
+	end
20
+end
21
+
22
+class Exception
23
+	BACKTRACE_REGEXP = /^(.*):(\d+):in `(.*)'$/
24
+
25
+	def colorize
26
+		$stderr.puts self.message.colorize(:red)
27
+		self.backtrace.each do |line|
28
+			line = BACKTRACE_REGEXP.match line
29
+			line = '%s:%s:in `%s\'' % [
30
+					line[1].colorize(:yellow),
31
+					line[2].colorize(:blue),
32
+					line[3].colorize(:magenta)
33
+			]
34
+			$stderr.puts line
35
+		end
18 36
 	end
19 37
 end
20 38
 
21 39
 class Integer
22 40
 	def humanize
23 41
 		secs = self
24
-		[[60, :second], [60, :minute], [24, :hour], [30, :day], [12, :month]].map { |count, name|
42
+		[[60, :second],
43
+		 [60, :minute],
44
+		 [24, :hour],
45
+		 [30, :day],
46
+		 [12, :month]].map do |count, name|
25 47
 			if secs > 0
26 48
 				secs, n = secs.divmod count
27
-				n = n.to_i
49
+				n       = n.to_i
28 50
 				n > 0 ? "#{n} #{name}#{n > 1 ? 's' : ''}" : nil
29 51
 			end
30
-		}.compact.reverse.join(' ')
52
+		end.compact.reverse.join ' '
31 53
 	end
32 54
 end
33 55
 
@@ -46,10 +68,14 @@ class ::OpenSSL::PKey::EC
46 68
 
47 69
 	def status
48 70
 		case self.size
49
-			when 0...160 then :critical
50
-			when 160...192 then :error
51
-			when 192...256 then :warning
52
-			when 384...::Float::INFINITY then :good
71
+			when 0...160
72
+				:critical
73
+			when 160...192
74
+				:error
75
+			when 192...256
76
+				:warning
77
+			when 384...::Float::INFINITY
78
+				:good
53 79
 		end
54 80
 	end
55 81
 end
@@ -69,9 +95,12 @@ class ::OpenSSL::PKey::RSA
69 95
 
70 96
 	def status
71 97
 		case self.size
72
-			when 0...1024 then :critical
73
-			when 1024...2048 then :error
74
-			when 4096...::Float::INFINITY then :good
98
+			when 0...1024
99
+				:critical
100
+			when 1024...2048
101
+				:error
102
+			when 4096...::Float::INFINITY
103
+				:good
75 104
 		end
76 105
 	end
77 106
 end
@@ -109,9 +138,13 @@ class ::OpenSSL::PKey::DH
109 138
 
110 139
 	def status
111 140
 		case self.size
112
-			when 0...1024 then :critical
113
-			when 1024...2048 then :error
114
-			when 4096...::Float::INFINITY then :good
141
+			when 0...1024
142
+				:critical
143
+			when 1024...2048
144
+				:error
145
+			when 2048...4096
146
+			else
147
+				:good
115 148
 		end
116 149
 	end
117 150
 end

+ 2
- 2
lib/cryptcheck/tls/server.rb Dosyayı Görüntüle

@@ -260,7 +260,8 @@ module CryptCheck
260 260
 				sect571r1 X25519)
261 261
 
262 262
 			def ssl_client(method, ciphers = %w(ALL COMPLEMENTOFALL), curves = nil, fallback: false, &block)
263
-				ssl_context = ::OpenSSL::SSL::SSLContext.new method, fallback_scsv: fallback
263
+				ssl_context = ::OpenSSL::SSL::SSLContext.new method #, fallback_scsv: fallback
264
+				ssl_context.enable_fallback_scsv if fallback
264 265
 				ssl_context.ciphers     = ciphers.join ':'
265 266
 
266 267
 				ssl_context.ecdh_curves = curves.join ':' if curves
@@ -285,7 +286,6 @@ module CryptCheck
285 286
 						break
286 287
 					rescue Timeout, TLSTimeout, ConnectionError, ::SystemCallError
287 288
 						raise
288
-					rescue
289 289
 					end
290 290
 				end
291 291
 				raise TLSNotAvailableException unless @cert

+ 2
- 2
spec/helpers.rb Dosyayı Görüntüle

@@ -184,9 +184,9 @@ module Helpers
184 184
 		expect(server.ip).to eq ip
185 185
 		expect(server.port).to eq port
186 186
 		expect(server.family).to eq case family
187
-										when :ipv4 then
187
+										when :ipv4
188 188
 											Socket::AF_INET
189
-										when :ipv6 then
189
+										when :ipv6
190 190
 											Socket::AF_INET6
191 191
 									end
192 192
 		[grade, server]

Loading…
İptal
Kaydet