@@ -3,24 +3,34 @@ module CryptCheck | |||
LEVELS = %i(critical error warning good perfect best).freeze | |||
PROBLEMS = %i(critical error warning).freeze | |||
extend Enumerable | |||
def self.each(&block) | |||
LEVELS.each &block | |||
end | |||
def self.status(statuses) | |||
statuses = self.collect statuses | |||
self.select LEVELS, statuses | |||
statuses = self.convert statuses | |||
self.min LEVELS, statuses | |||
end | |||
class << self | |||
alias_method :'[]', :status | |||
end | |||
def self.problem(statuses) | |||
statuses = self.collect statuses | |||
self.select PROBLEMS, statuses | |||
statuses = self.convert statuses | |||
self.min PROBLEMS, statuses | |||
end | |||
private | |||
def self.collect(statuses) | |||
def self.convert(statuses) | |||
statuses = [ statuses ] unless statuses.respond_to? :first | |||
first = statuses.first | |||
statuses = statuses.collect &:status if first.respond_to? :status | |||
statuses | |||
end | |||
def self.select(levels, statuses) | |||
def self.min(levels, statuses) | |||
return nil if statuses.empty? | |||
(levels & statuses).first | |||
end | |||
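Review bot: The new `self.min` (like the `self.select` it replaces) shadows `Enumerable#min` on a module that has just done `extend Enumerable`, which is exactly the name clash that renaming `collect` to `convert` works around elsewhere in this commit; `Status.min` now has arity 2 and no longer behaves as an enumerable method. The bare `private` on the preceding line does not apply to `def self.` definitions, so both helpers remain public. I would rename the helper to something without an Enumerable meaning and hide both explicitly, e.g. `def self.worst(levels, statuses)`, `self.worst LEVELS, statuses` in `status`/`problem`, and `private_class_method :convert, :worst`. The `return nil if statuses.empty?` guard is redundant, since `(levels & []).first` is already nil, but it does document the intent.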
@@ -19,13 +19,15 @@ module CryptCheck | |||
def self.key_to_s(key) | |||
size, color = case key.type | |||
when :ecc | |||
["#{key.group.curve_name} #{key.size}", :good] | |||
when :dh | |||
[key.size, :warning] | |||
when :dsa | |||
[key.size, :critical] | |||
end | |||
when :ecc | |||
["#{key.group.curve_name} #{key.size}", :good] | |||
when :rsa | |||
[key.size, nil] | |||
when :dsa | |||
[key.size, :critical] | |||
when :dh | |||
[key.size, :warning] | |||
end | |||
"#{key.type.to_s.upcase.colorize color} #{size.to_s.colorize key.status} bits" | |||
end | |||
end | |||
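Review bot: The `case key.type` still has no `else` branch after the reordering, so a key type other than ECC, RSA, DSA or DH leaves `size` and `color` nil and the method prints `" bits"` with an empty size instead of failing loudly; `else raise ArgumentError, "unsupported key type #{key.type}"` would surface that. The new RSA branch passes `nil` as the type colour, which presumably relies on `colorize` treating nil as "no colour" — worth confirming, since `key.status` used for the size colour can also be nil after this commit. The method is complete within the hunk.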
@@ -74,7 +74,8 @@ class ::OpenSSL::PKey::EC | |||
:error | |||
when 192...256 | |||
:warning | |||
when 384...::Float::INFINITY | |||
when 256...364 | |||
else | |||
:good | |||
end | |||
end | |||
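Review bot: The new range `when 256...364` looks like a typo for `384`: the line it replaces used `384...::Float::INFINITY`, and with the exclusive range ending at 364 an EC key of 364–383 bits falls through to `else` and is rated `:good`, while no standard curve has a size in that gap. I would also make the empty `when` body explicit, since it evaluates to nil only by Ruby's case semantics: `when 256...384 then nil # default strength, neutral`. The surrounding `case` and its lower bounds start before this hunk.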
@@ -99,7 +100,8 @@ class ::OpenSSL::PKey::RSA | |||
:critical | |||
when 1024...2048 | |||
:error | |||
when 4096...::Float::INFINITY | |||
when 2048...4096 | |||
else | |||
:good | |||
end | |||
end | |||
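Review bot: The bare `when 2048...4096` has no body, so it yields nil by Ruby's case semantics and relies on the reader knowing that nil is the "neutral" status; as this is the branch a common 2048-bit RSA key hits, it deserves to be explicit, e.g. `when 2048...4096 then nil # common default, neither flagged nor praised`. The `else` now rates everything at 4096 bits and above as `:good`, which is fine given the smaller ranges are handled above (those lines start before the hunk).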
@@ -17,7 +17,7 @@ module CryptCheck | |||
when 'B', 'B+' | |||
:perfect | |||
when 'C', 'C+' | |||
nil | |||
:good | |||
when 'E' | |||
:warning | |||
when 'F' | |||
@@ -30,16 +30,9 @@ module CryptCheck | |||
Logger.info { "Grade : #{self.grade.colorize color }" } | |||
Logger.info { '' } | |||
[ | |||
['Critical', :critical], | |||
['Error', :error], | |||
['Warning', :warning], | |||
['Good', :good], | |||
['Perfect', :perfect], | |||
['Best', :best], | |||
].each do |text, color| | |||
Status.each do |color| | |||
states = @states[color] | |||
Logger.info { "#{text} : #{states.collect { |s| s.to_s.colorize color }.join ' '}" } unless states.empty? | |||
Logger.info { "#{color.to_s.capitalize} : #{states.collect { |s| s.to_s.colorize color }.join ' '}" } unless states.empty? | |||
end | |||
end | |||
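Review bot: `@states[color]` at the top of the rewritten loop raises NoMethodError on `empty?` if any level is absent from `@states`; `calculate_states` appears to seed every level from `Status`, but this display code should not depend on that, so `states = @states.fetch color, []` keeps it safe if the hash is ever built differently. A short comment such as `# one line per level, worst first, skipping levels with no findings` would also document why `Status.each` order matters here. The enclosing method starts before this hunk.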
@@ -78,10 +71,10 @@ module CryptCheck | |||
CHECKS = [ | |||
# Keys | |||
[:dss_sign, Proc.new { |s| s.dss_sig? }, :critical], | |||
[:weak_key, Proc.new { |s| %i(critical error warning) & [s.key.status] } ], | |||
[:weak_key, Proc.new { |s| Status.problem s.key_status } ], | |||
# DH | |||
[:weak_dh, Proc.new { |s| (%i(critical error warning) & s.dh.collect(&:status).uniq).first } ], | |||
[:weak_dh, Proc.new { |s| Status.problem s.dh_status } ], | |||
# Certificates | |||
[:md2_sign, Proc.new { |s| s.md2_sig? }, :critical], | |||
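Review bot: The two rewritten checks carry no third tuple element, so unlike their neighbours their status comes entirely from the Proc's return value, and it is `Status.problem` returning nil for `:good`/`:perfect`/`:best`/nil that keeps them from firing; a comment above them, e.g. `# status comes from the proc result; nil means "not a problem"`, would make that contract visible. Worth noting in the commit message: the old `weak_key` proc returned an Array, which is truthy in Ruby even when empty, so the previous check fired on every server. `s.key_status` and `s.dh_status` are not defined in any visible hunk; presumably they are added elsewhere in this commit. The `CHECKS` table continues past the hunk.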
@@ -111,6 +104,8 @@ module CryptCheck | |||
[:no_pfs, Proc.new { |s| not s.pfs_only? }, :warning], | |||
[:pfs, Proc.new { |s| s.pfs? }, :good], | |||
[:pfs_only, Proc.new { |s| s.pfs_only? }, :perfect], | |||
[:no_ecdhe, Proc.new { |s| not s.ecdhe? }, :warning], | |||
[:ecdhe, Proc.new { |s| s.ecdhe? }, :good], | |||
[:ecdhe_only, Proc.new { |s| s.ecdhe_only? }, :perfect], | |||
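Review bot: The new `no_ecdhe` check is rated `:warning` and fires whenever `ecdhe?` is false, so a server with no forward secrecy at all now collects both the `no_pfs` and the `no_ecdhe` warning for the same root cause, while a DHE-only server gets `no_ecdhe` even though `pfs` is true for it. If the intent is "has PFS but only via DHE", `Proc.new { |s| s.pfs? and not s.ecdhe? }` expresses it; otherwise a comment that the double count is intentional would help. `ecdhe?` and `ecdhe_only?` are not defined in the visible hunks. The table continues past the hunk.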
@@ -130,7 +125,7 @@ module CryptCheck | |||
end | |||
def calculate_states | |||
states = { critical: [], error: [], warning: [], good: [], perfect: [], best: [] } | |||
states = Status.collect { |s| [s, []] }.to_h | |||
@checks.each do |name, check, status| | |||
result = check.call @server | |||
if result | |||
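Review bot: `Status.collect { |s| [s, []] }.to_h` only works because this commit renamed the module's own `collect` helper to `convert`; any helper later added to `Status` under an `Enumerable` name (as `min` already is) would silently break this line. Reading the levels directly, `states = Status::LEVELS.collect { |s| [s, []] }.to_h`, does not depend on the module's `Enumerable` surface. The body of `calculate_states` continues past the hunk.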
@@ -9,6 +9,7 @@ module CryptCheck | |||
SSL_TIMEOUT = 2*TCP_TIMEOUT | |||
EXISTING_METHODS = %i(TLSv1_2 TLSv1_1 TLSv1 SSLv3 SSLv2) | |||
SUPPORTED_METHODS = ::OpenSSL::SSL::SSLContext::METHODS | |||
class TLSException < ::StandardError | |||
end | |||
class TLSNotAvailableException < TLSException | |||
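Review bot: `SUPPORTED_METHODS = ::OpenSSL::SSL::SSLContext::METHODS` reflects the protocols the linked OpenSSL build offers, and on current builds that list omits `:SSLv2` (often `:SSLv3` too) while also containing `_client`/`_server` variants; if it is iterated directly rather than intersected with `EXISTING_METHODS`, the scanner will probe the variants and can never report SSLv2/SSLv3 support a server still has, which a user of a TLS checker would want to know. A comment stating that, e.g. `# methods this OpenSSL build can speak; protocols missing here cannot be tested and are never reported`, plus `EXISTING_METHODS & SUPPORTED_METHODS` at the use site, would make the limitation explicit. `EXISTING_METHODS` is also a mutable constant array and should get `.freeze`. The use site is not in this hunk.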
@@ -360,13 +361,12 @@ module CryptCheck | |||
end | |||
end | |||
end | |||
Logger.info { '' } unless supported_ciphers.empty? | |||
@supported_ciphers[method] = supported_ciphers | |||
end | |||
end | |||
def check_fallback_scsv | |||
Logger.info { '' } | |||
@fallback_scsv = false | |||
methods = @prefered_ciphers.reject { |_, v| v.nil? }.keys | |||
@@ -11,6 +11,7 @@ describe CryptCheck::Status do | |||
[:critical, :critical] => :critical, | |||
[:critical, :error] => :critical, | |||
[:critical, :warning] => :critical, | |||
[:critical, nil] => :critical, | |||
[:critical, :good] => :critical, | |||
[:critical, :perfect] => :critical, | |||
[:critical, :best] => :critical, | |||
@@ -18,6 +19,7 @@ describe CryptCheck::Status do | |||
[:error, :critical] => :critical, | |||
[:error, :error] => :error, | |||
[:error, :warning] => :error, | |||
[:error, nil] => :error, | |||
[:error, :good] => :error, | |||
[:error, :perfect] => :error, | |||
[:error, :best] => :error, | |||
@@ -25,6 +27,7 @@ describe CryptCheck::Status do | |||
[:warning, :critical] => :critical, | |||
[:warning, :error] => :error, | |||
[:warning, :warning] => :warning, | |||
[:warning, nil] => :warning, | |||
[:warning, :good] => :warning, | |||
[:warning, :perfect] => :warning, | |||
[:warning, :best] => :warning, | |||
@@ -32,6 +35,7 @@ describe CryptCheck::Status do | |||
[:good, :critical] => :critical, | |||
[:good, :error] => :error, | |||
[:good, :warning] => :warning, | |||
[:good, nil] => :good, | |||
[:good, :good] => :good, | |||
[:good, :perfect] => :good, | |||
[:good, :best] => :good, | |||
@@ -39,6 +43,7 @@ describe CryptCheck::Status do | |||
[:perfect, :critical] => :critical, | |||
[:perfect, :error] => :error, | |||
[:perfect, :warning] => :warning, | |||
[:perfect, nil] => :perfect, | |||
[:perfect, :good] => :good, | |||
[:perfect, :perfect] => :perfect, | |||
[:perfect, :best] => :perfect, | |||
@@ -46,6 +51,7 @@ describe CryptCheck::Status do | |||
[:best, :critical] => :critical, | |||
[:best, :error] => :error, | |||
[:best, :warning] => :warning, | |||
[:best, nil] => :best, | |||
[:best, :good] => :good, | |||
[:best, :perfect] => :perfect, | |||
[:best, :best] => :best | |||
@@ -68,6 +74,7 @@ describe CryptCheck::Status do | |||
[:critical, :critical] => :critical, | |||
[:critical, :error] => :critical, | |||
[:critical, :warning] => :critical, | |||
[:critical, nil] => :critical, | |||
[:critical, :good] => :critical, | |||
[:critical, :perfect] => :critical, | |||
[:critical, :best] => :critical, | |||
@@ -75,6 +82,7 @@ describe CryptCheck::Status do | |||
[:error, :critical] => :critical, | |||
[:error, :error] => :error, | |||
[:error, :warning] => :error, | |||
[:error, nil] => :error, | |||
[:error, :good] => :error, | |||
[:error, :perfect] => :error, | |||
[:error, :best] => :error, | |||
@@ -82,6 +90,7 @@ describe CryptCheck::Status do | |||
[:warning, :critical] => :critical, | |||
[:warning, :error] => :error, | |||
[:warning, :warning] => :warning, | |||
[:warning, nil] => :warning, | |||
[:warning, :good] => :warning, | |||
[:warning, :perfect] => :warning, | |||
[:warning, :best] => :warning, | |||
@@ -89,6 +98,7 @@ describe CryptCheck::Status do | |||
[:good, :critical] => :critical, | |||
[:good, :error] => :error, | |||
[:good, :warning] => :warning, | |||
[:good, nil] => nil, | |||
[:good, :good] => nil, | |||
[:good, :perfect] => nil, | |||
[:good, :best] => nil, | |||
@@ -96,6 +106,7 @@ describe CryptCheck::Status do | |||
[:perfect, :critical] => :critical, | |||
[:perfect, :error] => :error, | |||
[:perfect, :warning] => :warning, | |||
[:perfect, nil] => nil, | |||
[:perfect, :good] => nil, | |||
[:perfect, :perfect] => nil, | |||
[:perfect, :best] => nil, | |||
@@ -103,6 +114,7 @@ describe CryptCheck::Status do | |||
[:best, :critical] => :critical, | |||
[:best, :error] => :error, | |||
[:best, :warning] => :warning, | |||
[:best, nil] => nil, | |||
[:best, :good] => nil, | |||
[:best, :perfect] => nil, | |||
[:best, :best] => nil | |||
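Review bot: Every new nil case pairs nil with a real level, so neither table pins what `status` or `problem` return for an input made only of nils (`[nil]`, `[nil, nil]`) or for an empty array, which is the `return nil if statuses.empty?` path in the new `Status.min`; adding `[nil] => nil`, `[] => nil` and a scalar `nil => nil` (the non-array path through `convert`) to both tables would cover the code this commit touches. The table opens before this hunk.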