7 changed files with 126 additions and 65 deletions
+ 2
- 2
bin/check_https.rb
View File
| @@ -11,8 +11,8 @@ if ::File.exist? file | |||
| ::CryptCheck::Logger.level = :none | |||
| ::CryptCheck::Tls::Https.analyze_from_file "output/#{name}.yml", "output/#{name}.html" | |||
| else | |||
| ::CryptCheck::Logger.level = :info | |||
| server = ::CryptCheck::Tls::Https::Server.new(ARGV[0], ARGV[1] || 443) | |||
| ::CryptCheck::Logger.level = (ARGV[1] || :info).to_sym | |||
| server = ::CryptCheck::Tls::Https::Server.new ARGV[0] | |||
| grade = ::CryptCheck::Tls::Https::Grade.new server | |||
| ::CryptCheck::Logger.info { '' } | |||
| grade.display | |||
+ 2
- 2
bin/check_smtp.rb
View File
| @@ -7,8 +7,8 @@ require 'cryptcheck' | |||
| name = ARGV[0] | |||
| if name | |||
| ::CryptCheck::Logger.level = :info | |||
| server = ::CryptCheck::Tls::Smtp::Server.new(ARGV[0], ARGV[1] || 25) | |||
| ::CryptCheck::Logger.level = (ARGV[1] || :info).to_sym | |||
| server = ::CryptCheck::Tls::Smtp::Server.new ARGV[0] | |||
| grade = ::CryptCheck::Tls::Smtp::Grade.new server | |||
| ::CryptCheck::Logger.info { '' } | |||
| grade.display | |||
+ 1
- 0
lib/cryptcheck.rb
View File
| @@ -1,4 +1,5 @@ | |||
| require 'colorize' | |||
| require 'cryptcheck/tls/fixture' | |||
| module CryptCheck | |||
| autoload :Logger, 'cryptcheck/logger' | |||
+ 19
- 0
lib/cryptcheck/tls.rb
View File
| @@ -107,6 +107,25 @@ module CryptCheck | |||
| cipher.to_s.colorize colors | |||
| end | |||
| def self.key_to_s(key) | |||
| size = key.rsa_equivalent_size | |||
| type_color = case key.type | |||
| when :ecc | |||
| { color: :green } | |||
| when :dsa | |||
| { color: :yellow } | |||
| end | |||
| size_color = case size | |||
| when 0...1024 | |||
| { color: :white, background: :red } | |||
| when 1024...2048 | |||
| { color: :yellow } | |||
| when 4096...::Float::INFINITY | |||
| { color: :green } | |||
| end | |||
| "#{key.type.to_s.upcase.colorize type_color} #{key.size.to_s.colorize size_color} bits" | |||
| end | |||
| private | |||
| SCORES = %w(A+ A A- B C D E F T M X) | |||
+ 77
- 0
lib/cryptcheck/tls/fixture.rb
View File
| @@ -0,0 +1,77 @@ | |||
| class ::OpenSSL::PKey::EC | |||
| def type | |||
| :ecc | |||
| end | |||
| def size | |||
| self.group.degree | |||
| end | |||
| def rsa_equivalent_size | |||
| case self.size | |||
| when 160 then 1024 | |||
| when 224 then 2048 | |||
| when 256 then 3072 | |||
| when 384 then 7680 | |||
| when 521 then 15360 | |||
| end | |||
| end | |||
| def to_s | |||
| "ECC #{self.size} bits" | |||
| end | |||
| end | |||
| class ::OpenSSL::PKey::RSA | |||
| def type | |||
| :rsa | |||
| end | |||
| def size | |||
| self.n.num_bits | |||
| end | |||
| def rsa_equivalent_size | |||
| self.size | |||
| end | |||
| def to_s | |||
| "RSA #{self.size} bits" | |||
| end | |||
| end | |||
| class ::OpenSSL::PKey::DSA | |||
| def type | |||
| :dsa | |||
| end | |||
| def size | |||
| self.p.num_bits | |||
| end | |||
| def rsa_equivalent_size | |||
| self.size | |||
| end | |||
| def to_s | |||
| "DSA #{self.size} bits" | |||
| end | |||
| end | |||
| class ::OpenSSL::PKey::DH | |||
| def type | |||
| :dh | |||
| end | |||
| def size | |||
| self.p.num_bits | |||
| end | |||
| def rsa_equivalent_size | |||
| self.size | |||
| end | |||
| def to_s | |||
| "DH #{self.size} bits" | |||
| end | |||
| end | |||
+ 13
- 17
lib/cryptcheck/tls/grade.rb
View File
| @@ -107,18 +107,20 @@ module CryptCheck | |||
| @success << :pfs if @server.pfs_only? | |||
| end | |||
| ALL_ERROR = %i(md5_sig md5 anonymous dss null export des rc4) | |||
| ALL_WARNING = %i(sha1_sig des3) | |||
| ALL_SUCCESS = %i(pfs) | |||
| ALL_ERROR = %i(md5_sig md5 anonymous dss null export des rc4) | |||
| def all_error | |||
| ALL_ERROR | |||
| end | |||
| ALL_WARNING = %i(sha1_sig des3) | |||
| def all_warning | |||
| ALL_WARNING | |||
| end | |||
| ALL_SUCCESS = %i(pfs) | |||
| def all_success | |||
| ALL_SUCCESS | |||
| end | |||
| @@ -127,28 +129,22 @@ module CryptCheck | |||
| @grade = 'A+' if @grade == 'A' and @error.empty? and @warning.empty? and (ALL_SUCCESS & @success) == ALL_SUCCESS | |||
| end | |||
| METHODS_SCORES = { SSLv2: 0, SSLv3: 80, TLSv1: 90, TLSv1_1: 95, TLSv1_2: 100 } | |||
| METHODS_SCORES = { SSLv2: 0, SSLv3: 10, TLSv1: 50, TLSv1_1: 75, TLSv1_2: 100 } | |||
| def calculate_protocol_score | |||
| methods = @server.supported_methods | |||
| worst, best = methods[:worst], methods[:best] | |||
| worst, best = methods.last, methods.first | |||
| @protocol_score = (METHODS_SCORES[worst] + METHODS_SCORES[best]) / 2 | |||
| end | |||
| def calculate_key_exchange_score | |||
| @key_exchange_score = case @server.key_size | |||
| when 0 then | |||
| 0 | |||
| when 0...512 then | |||
| 20 | |||
| when 512...1024 then | |||
| 40 | |||
| when 1024...2048 then | |||
| 80 | |||
| when 2048...4096 then | |||
| 90 | |||
| else | |||
| 100 | |||
| when 0 then 0 | |||
| when 0...512 then 20 | |||
| when 512...1024 then 40 | |||
| when 1024...2048 then 80 | |||
| when 2048...4096 then 90 | |||
| when 4096...::Float::INFINITY then 100 | |||
| end | |||
| end | |||
+ 12
- 44
lib/cryptcheck/tls/server.rb
View File
| @@ -35,50 +35,18 @@ module CryptCheck | |||
| attr_reader :hostname, :port, :prefered_ciphers, :cert, :cert_valid, :cert_trusted | |||
| def initialize(hostname, port) | |||
| @hostname = hostname | |||
| @port = port | |||
| @hostname, @port = hostname, port | |||
| @dh = [] | |||
| Logger.info { "#{hostname}:#{port}".colorize :blue } | |||
| extract_cert | |||
| #@prefered_ciphers = @supported_ciphers = Hash[SUPPORTED_METHODS.collect { |m| [m, []]}] | |||
| Logger.info { '' } | |||
| Logger.info { "Key : #{Tls.key_to_s @cert.public_key}" } | |||
| fetch_prefered_ciphers | |||
| check_supported_cipher | |||
| end | |||
| def supported_methods | |||
| worst = EXISTING_METHODS.find { |method| !@prefered_ciphers[method].nil? } | |||
| best = EXISTING_METHODS.reverse.find { |method| !@prefered_ciphers[method].nil? } | |||
| { worst: worst, best: best } | |||
| end | |||
| def key | |||
| key = @cert.public_key | |||
| case key | |||
| when ::OpenSSL::PKey::RSA then | |||
| [:rsa, key.n.num_bits] | |||
| when ::OpenSSL::PKey::DSA then | |||
| [:dsa, key.p.num_bits] | |||
| when ::OpenSSL::PKey::EC then | |||
| [:ecc, key.group.degree] | |||
| end | |||
| end | |||
| def key_size | |||
| type, size = self.key | |||
| if type == :ecc | |||
| size = case size | |||
| when 160 then | |||
| 1024 | |||
| when 224 then | |||
| 2048 | |||
| when 256 then | |||
| 3072 | |||
| when 384 then | |||
| 7680 | |||
| when 521 then | |||
| 15360 | |||
| end | |||
| end | |||
| size | |||
| EXISTING_METHODS.select { |m| !@prefered_ciphers[m].nil? } | |||
| end | |||
| def cipher_size | |||
| @@ -115,6 +83,10 @@ module CryptCheck | |||
| RUBY_EVAL | |||
| end | |||
| def key_size | |||
| @cert.public_key.rsa_equivalent_size | |||
| end | |||
| def ssl? | |||
| sslv2? or sslv3? | |||
| end | |||
| @@ -139,10 +111,6 @@ module CryptCheck | |||
| @supported_ciphers.values.flatten(1).uniq | |||
| end | |||
| def supported_ciphers_by_method | |||
| @supported_ciphers | |||
| end | |||
| private | |||
| def connect(family, host, port, &block) | |||
| socket = ::Socket.new family, sock_type | |||
| @@ -262,7 +230,6 @@ module CryptCheck | |||
| end | |||
| def fetch_prefered_ciphers | |||
| Logger.info { '' } | |||
| @prefered_ciphers = {} | |||
| EXISTING_METHODS.each do |method| | |||
| next unless SUPPORTED_METHODS.include? method | |||
| @@ -278,8 +245,9 @@ module CryptCheck | |||
| end | |||
| def supported_cipher?(method, cipher) | |||
| ssl_client method, [cipher] | |||
| Logger.info { "#{Tls.colorize method} / #{Tls.colorize cipher[0]} : Supported" } | |||
| dh = ssl_client method, [cipher] { |s| s.tmp_key } | |||
| dh = dh ? " (#{'DH'.colorize :green} : #{Tls.key_to_s dh})" : '' | |||
| Logger.info { "#{Tls.colorize method} / #{Tls.colorize cipher[0]} : Supported#{dh}" } | |||
| true | |||
| rescue TLSException => e | |||
| Logger.debug { "#{Tls.colorize method} / #{Tls.colorize cipher[0]} : Not supported (#{e})" } | |||
Loading…