aeris
/
cryptcheck
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Tests for supported methods

new-scoring
aeris 2017-02-01 01:23:34 +01:00
parent 5976e801d8
commit ba1f0e7c34
2 changed files with 208 additions and 157 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
lib/cryptcheck/tls/server.rb
View File

@ -28,7 +28,7 @@ module CryptCheck
class ConnectionError < ::StandardError
end
attr_reader :certs, :keys, :dh, :supported_curves, :curves_preference
attr_reader :certs, :keys, :dh, :supported_methods, :supported_curves, :curves_preference
def initialize(hostname, family, ip, port)
@hostname, @family, @ip, @port = hostname, family, ip, port
@ -402,7 +402,8 @@ module CryptCheck
when /state=SSLv2 read server hello A: peer error no cipher$/,
/state=error: no ciphers available$/,
/state=SSLv3 read server hello A: sslv3 alert handshake failure$/,
/state=error: missing export tmp dh key$/
/state=error: missing export tmp dh key$/,
/state=error: wrong curve$/
raise CipherNotAvailable, e
when /state=SSLv3 read server hello A: tlsv1 alert inappropriate fallback$/
raise InappropriateFallback, e

360
spec/cryptcheck/tls/server_spec.rb
View File

@ -17,173 +17,22 @@ describe CryptCheck::Tls::Server do
it 'must detect RSA certificate' do
tls_serv material: [[:rsa, 1024]] do
certs = server.certs.collect &:fingerprint
expect(certs).to contain_exactly 'a11802a4407aaeb93ccd0bd8c8a61be17eaba6b378433af5ad45ecbb1d633f71'
expect(certs).to match_array %w(a11802a4407aaeb93ccd0bd8c8a61be17eaba6b378433af5ad45ecbb1d633f71)
end
end
it 'must detect ECDSA certificate' do
tls_serv material: [[:ecdsa, :prime256v1]] do
certs = server.certs.collect &:fingerprint
expect(certs).to contain_exactly '531ab9545f052818ff0559f648a147b104223834cc8f780516b3aacf1fdc8c06'
expect(certs).to match_array %w(531ab9545f052818ff0559f648a147b104223834cc8f780516b3aacf1fdc8c06)
end
end
it 'must detect RSA and ECDSA certificates' do
tls_serv material: [[:ecdsa, :prime256v1], [:rsa, 1024]] do
certs = server.certs.collect &:fingerprint
expect(certs).to contain_exactly '531ab9545f052818ff0559f648a147b104223834cc8f780516b3aacf1fdc8c06',
'a11802a4407aaeb93ccd0bd8c8a61be17eaba6b378433af5ad45ecbb1d633f71'
end
end
end
describe '#supported_curves' do
it 'must detect no supported curves' do
tls_serv material: [[:rsa, 1024]], ciphers: %w(AES128-GCM-SHA256) do
curves = server.supported_curves.collect &:name
expect(curves).to be_empty
end
end
it 'must detect supported curves for RSA' do
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
curves: %i(prime256v1 sect571r1) do
curves = server.supported_curves.collect &:name
expect(curves).to contain_exactly :prime256v1, :sect571r1
end
end
it 'must detect supported curves from ECDSA' do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
curves: %i(prime256v1), server_preference: false do
curves = server.supported_curves.collect &:name
expect(curves).to contain_exactly :prime256v1
end
end
it 'must detect supported curves from ECDSA and ECDHE' do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
curves: %i(prime256v1 sect571r1), server_preference: false do
curves = server.supported_curves.collect &:name
expect(curves).to contain_exactly :prime256v1, :sect571r1
end
end
# No luck here :'(
it 'can\'t detect supported curves from ECDHE if server preference enforced' do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
curves: %i(prime256v1 sect571r1), server_preference: true do
curves = server.supported_curves.collect &:name
expect(curves).to contain_exactly :prime256v1
end
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
curves: %i(sect571r1 prime256v1), server_preference: true do
curves = server.supported_curves.collect &:name
expect(curves).to contain_exactly :prime256v1, :sect571r1
end
end
end
describe '#curves_preference' do
it 'must report N/A if no curve on RSA' do
tls_serv material: [[:rsa, 1024]], ciphers: %w(AES128-GCM-SHA256),
server_preference: true do
curves = server.curves_preference
expect(curves).to be_nil
end
tls_serv material: [[:rsa, 1024]], ciphers: %w(AES128-GCM-SHA256),
server_preference: false do
curves = server.curves_preference
expect(curves).to be_nil
end
end
it 'must report N/A if a single curve on RSA' do
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
curves: %i(prime256v1), server_preference: true do
curves = server.curves_preference
expect(curves).to be_nil
end
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
curves: %i(prime256v1), server_preference: false do
curves = server.curves_preference
expect(curves).to be_nil
end
end
it 'must report server preference if server preference enforced on RSA' do
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
curves: %i(prime256v1 sect571r1), server_preference: true do
curves = server.curves_preference.collect &:name
expect(curves).to eq %i(prime256v1 sect571r1)
end
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
curves: %i(sect571r1 prime256v1), server_preference: true do
curves = server.curves_preference.collect &:name
expect(curves).to eq %i(sect571r1 prime256v1)
end
end
it 'must report client preference if server preference not enforced on RSA' do
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
curves: %i(prime256v1 sect571r1), server_preference: false do
curves = server.curves_preference
expect(curves).to be :client
end
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
curves: %i(sect571r1 prime256v1), server_preference: false do
curves = server.curves_preference
expect(curves).to be :client
end
end
it 'must report N/A if a single curve on ECDSA' do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
curves: %i(prime256v1), server_preference: true do
curves = server.curves_preference
expect(curves).to be_nil
end
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
curves: %i(prime256v1), server_preference: false do
curves = server.curves_preference
expect(curves).to be_nil
end
end
# No luck here :'(
it 'can\'t detect server preference if server preference enforced on ECDSA with preference on ECDSA curve' do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
curves: %i(prime256v1 sect571r1), server_preference: true do
curves = server.curves_preference
expect(curves).to be_nil
end
end
it 'must report server preference if server preference enforced on ECDSA with preference not on ECDSA curve' do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
curves: %i(sect571r1 prime256v1), server_preference: true do
curves = server.curves_preference.collect &:name
expect(curves).to eq %i(sect571r1 prime256v1)
end
end
it 'must report client preference if server preference not enforced on ECDSA' do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
curves: %i(prime256v1 sect571r1), server_preference: false do
curves = server.curves_preference
expect(curves).to be :client
end
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
curves: %i(sect571r1 prime256v1), server_preference: false do
curves = server.curves_preference
expect(curves).to be :client
expect(certs).to match_array %w(531ab9545f052818ff0559f648a147b104223834cc8f780516b3aacf1fdc8c06
a11802a4407aaeb93ccd0bd8c8a61be17eaba6b378433af5ad45ecbb1d633f71)
end
end
end
@ -223,4 +72,205 @@ describe CryptCheck::Tls::Server do
end
end
end
describe '#supported_methods' do
it 'must detect SSLv2' do
tls_serv methods: :SSLv2, material: [[:rsa, 1024]], chain: [],
ciphers: %w(RC4-MD5) do
methods = server.supported_methods.collect &:name
expect(methods).to match_array %i(SSLv2)
end
end
it 'must detect SSLv3' do
tls_serv methods: %i(SSLv3), material: [[:rsa, 1024]],
ciphers: %w(ECDHE-RSA-AES128-SHA) do
methods = server.supported_methods.collect &:name
expect(methods).to match_array %i(SSLv3)
end
end
it 'must detect TLSv1.0' do
tls_serv methods: %i(TLSv1), material: [[:rsa, 1024]],
ciphers: %w(ECDHE-RSA-AES128-SHA) do
methods = server.supported_methods.collect &:name
expect(methods).to match_array %i(TLSv1)
end
end
it 'must detect TLSv1.1' do
tls_serv methods: %i(TLSv1_1), material: [[:rsa, 1024]],
ciphers: %w(ECDHE-RSA-AES128-SHA) do
methods = server.supported_methods.collect &:name
expect(methods).to match_array %i(TLSv1_1)
end
end
it 'must detect TLSv1.2' do
tls_serv methods: %i(TLSv1_2), material: [[:rsa, 1024]],
ciphers: %w(ECDHE-RSA-AES128-SHA) do
methods = server.supported_methods.collect &:name
expect(methods).to match_array %i(TLSv1_2)
end
end
it 'must detect mixed methods' do
tls_serv methods: %i(SSLv3 TLSv1 TLSv1_1 TLSv1_2), material: [[:rsa, 1024]],
ciphers: %w(ECDHE-RSA-AES128-SHA) do
methods = server.supported_methods.collect &:name
expect(methods).to match_array %i(SSLv3 TLSv1 TLSv1_1 TLSv1_2)
end
end
end
describe '#supported_curves' do
it 'must detect no supported curves' do
tls_serv material: [[:rsa, 1024]], ciphers: %w(AES128-GCM-SHA256) do
curves = server.supported_curves.collect &:name
expect(curves).to be_empty
end
end
it 'must detect supported curves for RSA' do
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
curves: %i(prime256v1 sect571r1) do
curves = server.supported_curves.collect &:name
expect(curves).to contain_exactly :prime256v1, :sect571r1
end
end
it 'must detect supported curves from ECDSA' do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
curves: %i(prime256v1), server_preference: false do
curves = server.supported_curves.collect &:name
expect(curves).to contain_exactly :prime256v1
end
end
it 'must detect supported curves from ECDSA and ECDHE' do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
curves: %i(prime256v1 sect571r1), server_preference: false do
curves = server.supported_curves.collect &:name
expect(curves).to contain_exactly :prime256v1, :sect571r1
end
end
# No luck here :'(
it 'can\'t detect supported curves from ECDHE if server preference enforced' do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
curves: %i(prime256v1 sect571r1), server_preference: true do
curves = server.supported_curves.collect &:name
expect(curves).to contain_exactly :prime256v1
end
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
curves: %i(sect571r1 prime256v1), server_preference: true do
curves = server.supported_curves.collect &:name
expect(curves).to contain_exactly :prime256v1, :sect571r1
end
end
end
describe '#curves_preference' do
it 'must report N/A if no curve on RSA' do
tls_serv material: [[:rsa, 1024]], ciphers: %w(AES128-GCM-SHA256),
server_preference: true do
curves = server.curves_preference
expect(curves).to be_nil
end
tls_serv material: [[:rsa, 1024]], ciphers: %w(AES128-GCM-SHA256),
server_preference: false do
curves = server.curves_preference
expect(curves).to be_nil
end
end
it 'must report N/A if a single curve on RSA' do
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
curves: %i(prime256v1), server_preference: true do
curves = server.curves_preference
expect(curves).to be_nil
end
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
curves: %i(prime256v1), server_preference: false do
curves = server.curves_preference
expect(curves).to be_nil
end
end
it 'must report server preference if server preference enforced on RSA' do
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
curves: %i(prime256v1 sect571r1), server_preference: true do
curves = server.curves_preference.collect &:name
expect(curves).to eq %i(prime256v1 sect571r1)
end
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
curves: %i(sect571r1 prime256v1), server_preference: true do
curves = server.curves_preference.collect &:name
expect(curves).to eq %i(sect571r1 prime256v1)
end
end
it 'must report client preference if server preference not enforced on RSA' do
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
curves: %i(prime256v1 sect571r1), server_preference: false do
curves = server.curves_preference
expect(curves).to be :client
end
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
curves: %i(sect571r1 prime256v1), server_preference: false do
curves = server.curves_preference
expect(curves).to be :client
end
end
it 'must report N/A if a single curve on ECDSA' do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
curves: %i(prime256v1), server_preference: true do
curves = server.curves_preference
expect(curves).to be_nil
end
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
curves: %i(prime256v1), server_preference: false do
curves = server.curves_preference
expect(curves).to be_nil
end
end
# No luck here :'(
it 'can\'t detect server preference if server preference enforced on ECDSA with preference on ECDSA curve' do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
curves: %i(prime256v1 sect571r1), server_preference: true do
curves = server.curves_preference
expect(curves).to be_nil
end
end
it 'must report server preference if server preference enforced on ECDSA with preference not on ECDSA curve' do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
curves: %i(sect571r1 prime256v1), server_preference: true do
curves = server.curves_preference.collect &:name
expect(curves).to eq %i(sect571r1 prime256v1)
end
end
it 'must report client preference if server preference not enforced on ECDSA' do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
curves: %i(prime256v1 sect571r1), server_preference: false do
curves = server.curves_preference
expect(curves).to be :client
end
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
curves: %i(sect571r1 prime256v1), server_preference: false do
curves = server.curves_preference
expect(curves).to be :client
end
end
end
end