
Tests for supported methods

new-scoring
aeris 2 years ago
parent
commit
ba1f0e7c34
2 changed files with 110 additions and 59 deletions
  1. 3
    2
      lib/cryptcheck/tls/server.rb
  2. 107
    57
      spec/cryptcheck/tls/server_spec.rb

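--- a/lib/cryptcheck/tls/server.rb
+++ b/lib/cryptcheck/tls/server.rb
@@ -28,7 +28,7 @@ module CryptCheck
 			class ConnectionError < ::StandardError
 			end
 
-			attr_reader :certs, :keys, :dh, :supported_curves, :curves_preference
+			attr_reader :certs, :keys, :dh, :supported_methods, :supported_curves, :curves_preference
 
 			def initialize(hostname, family, ip, port)
 				@hostname, @family, @ip, @port = hostname, family, ip, port
@@ -402,7 +402,8 @@ module CryptCheck
 						when /state=SSLv2 read server hello A: peer error no cipher$/,
 								/state=error: no ciphers available$/,
 								/state=SSLv3 read server hello A: sslv3 alert handshake failure$/,
-								/state=error: missing export tmp dh key$/
+								/state=error: missing export tmp dh key$/,
+								/state=error: wrong curve$/
 							raise CipherNotAvailable, e
 						when /state=SSLv3 read server hello A: tlsv1 alert inappropriate fallback$/
 							raise InappropriateFallback, e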
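Review bot: The new `/state=error: wrong curve$/` branch in the second hunk folds a curve-negotiation failure into `CipherNotAvailable`, the same class raised for genuine cipher rejections, and nothing in the hunk says why the two are interchangeable for the code that rescues it; a comment such as `# "wrong curve": the offered curve was rejected, not the cipher; mapped to CipherNotAvailable so the probe moves on` would keep a later reader from treating them as the same condition (the rescuing call sites are outside this hunk, so confirm that mapping is what they expect). Like its siblings, the pattern keys on OpenSSL's exact error text, which may differ between OpenSSL versions, so a test pinning the handled message would make a silent mismatch visible. The `when` chain's enclosing method starts and ends outside the hunk. The first hunk exposes `supported_methods` as a reader while the assignment to `@supported_methods` is not in view; until it is set the reader returns `nil`, which the spec's `.collect &:name` would not tolerate, so it is worth confirming the scan path populates it.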

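--- a/spec/cryptcheck/tls/server_spec.rb
+++ b/spec/cryptcheck/tls/server_spec.rb
@@ -17,22 +17,108 @@ describe CryptCheck::Tls::Server do
 		it 'must detect RSA certificate' do
 			tls_serv material: [[:rsa, 1024]] do
 				certs = server.certs.collect &:fingerprint
-				expect(certs).to contain_exactly 'a11802a4407aaeb93ccd0bd8c8a61be17eaba6b378433af5ad45ecbb1d633f71'
+				expect(certs).to match_array %w(a11802a4407aaeb93ccd0bd8c8a61be17eaba6b378433af5ad45ecbb1d633f71)
 			end
 		end
 
 		it 'must detect ECDSA certificate' do
 			tls_serv material: [[:ecdsa, :prime256v1]] do
 				certs = server.certs.collect &:fingerprint
-				expect(certs).to contain_exactly '531ab9545f052818ff0559f648a147b104223834cc8f780516b3aacf1fdc8c06'
+				expect(certs).to match_array %w(531ab9545f052818ff0559f648a147b104223834cc8f780516b3aacf1fdc8c06)
 			end
 		end
 
 		it 'must detect RSA and ECDSA certificates' do
 			tls_serv material: [[:ecdsa, :prime256v1], [:rsa, 1024]] do
 				certs = server.certs.collect &:fingerprint
-				expect(certs).to contain_exactly '531ab9545f052818ff0559f648a147b104223834cc8f780516b3aacf1fdc8c06',
-												 'a11802a4407aaeb93ccd0bd8c8a61be17eaba6b378433af5ad45ecbb1d633f71'
+				expect(certs).to match_array %w(531ab9545f052818ff0559f648a147b104223834cc8f780516b3aacf1fdc8c06
+												a11802a4407aaeb93ccd0bd8c8a61be17eaba6b378433af5ad45ecbb1d633f71)
+			end
+		end
+	end
+
+	describe '#md5_sign?' do
+		it 'must detect server using MD5 certificate' do
+			tls_serv do
+				expect(server.md5_sign?).to be false
+			end
+
+			tls_serv material: [:md5, [:rsa, 1024]] do
+				expect(server.md5_sign?).to be true
+			end
+		end
+	end
+
+	describe '#sha1_sign?' do
+		it 'must detect server using SHA1 certificate' do
+			tls_serv do
+				expect(server.sha1_sign?).to be false
+			end
+
+			tls_serv material: [:sha1, [:rsa, 1024]] do
+				expect(server.sha1_sign?).to be true
+			end
+		end
+	end
+
+	describe '#sha2_sign?' do
+		it 'must detect server using SHA2 certificate' do
+			tls_serv do
+				expect(server.sha2_sign?).to be true
+			end
+
+			tls_serv material: [:md5, :sha1] do
+				expect(server.sha2_sign?).to be false
+			end
+		end
+	end
+
+	describe '#supported_methods' do
+		it 'must detect SSLv2' do
+			tls_serv methods: :SSLv2, material: [[:rsa, 1024]], chain: [],
+					 ciphers: %w(RC4-MD5) do
+				methods = server.supported_methods.collect &:name
+				expect(methods).to match_array %i(SSLv2)
+			end
+		end
+
+		it 'must detect SSLv3' do
+			tls_serv methods: %i(SSLv3), material: [[:rsa, 1024]],
+					 ciphers: %w(ECDHE-RSA-AES128-SHA) do
+				methods = server.supported_methods.collect &:name
+				expect(methods).to match_array %i(SSLv3)
+			end
+		end
+
+		it 'must detect TLSv1.0' do
+			tls_serv methods: %i(TLSv1), material: [[:rsa, 1024]],
+					 ciphers: %w(ECDHE-RSA-AES128-SHA) do
+				methods = server.supported_methods.collect &:name
+				expect(methods).to match_array %i(TLSv1)
+			end
+		end
+
+		it 'must detect TLSv1.1' do
+			tls_serv methods: %i(TLSv1_1), material: [[:rsa, 1024]],
+					 ciphers: %w(ECDHE-RSA-AES128-SHA) do
+				methods = server.supported_methods.collect &:name
+				expect(methods).to match_array %i(TLSv1_1)
+			end
+		end
+
+		it 'must detect TLSv1.2' do
+			tls_serv methods: %i(TLSv1_2), material: [[:rsa, 1024]],
+					 ciphers: %w(ECDHE-RSA-AES128-SHA) do
+				methods = server.supported_methods.collect &:name
+				expect(methods).to match_array %i(TLSv1_2)
+			end
+		end
+
+		it 'must detect mixed methods' do
+			tls_serv methods: %i(SSLv3 TLSv1 TLSv1_1 TLSv1_2), material: [[:rsa, 1024]],
+					 ciphers: %w(ECDHE-RSA-AES128-SHA) do
+				methods = server.supported_methods.collect &:name
+				expect(methods).to match_array %i(SSLv3 TLSv1 TLSv1_1 TLSv1_2)
 			end
 		end
 	end
@@ -46,7 +132,7 @@ describe CryptCheck::Tls::Server do
 		end
 
 		it 'must detect supported curves for RSA' do
-			tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
+			tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
 					 curves:   %i(prime256v1 sect571r1) do
 				curves = server.supported_curves.collect &:name
 				expect(curves).to contain_exactly :prime256v1, :sect571r1
@@ -54,7 +140,7 @@ describe CryptCheck::Tls::Server do
 		end
 
 		it 'must detect supported curves from ECDSA' do
-			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
+			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
 					 curves:   %i(prime256v1), server_preference: false do
 				curves = server.supported_curves.collect &:name
 				expect(curves).to contain_exactly :prime256v1
@@ -62,7 +148,7 @@ describe CryptCheck::Tls::Server do
 		end
 
 		it 'must detect supported curves from ECDSA and ECDHE' do
-			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
+			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
 					 curves:   %i(prime256v1 sect571r1), server_preference: false do
 				curves = server.supported_curves.collect &:name
 				expect(curves).to contain_exactly :prime256v1, :sect571r1
@@ -71,13 +157,13 @@ describe CryptCheck::Tls::Server do
 
 		# No luck here :'(
 		it 'can\'t detect supported curves from ECDHE if server preference enforced' do
-			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
+			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
 					 curves:   %i(prime256v1 sect571r1), server_preference: true do
 				curves = server.supported_curves.collect &:name
 				expect(curves).to contain_exactly :prime256v1
 			end
 
-			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
+			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
 					 curves:   %i(sect571r1 prime256v1), server_preference: true do
 				curves = server.supported_curves.collect &:name
 				expect(curves).to contain_exactly :prime256v1, :sect571r1
@@ -101,13 +187,13 @@ describe CryptCheck::Tls::Server do
 		end
 
 		it 'must report N/A if a single curve on RSA' do
-			tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
+			tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
 					 curves:   %i(prime256v1), server_preference: true do
 				curves = server.curves_preference
 				expect(curves).to be_nil
 			end
 
-			tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
+			tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
 					 curves:   %i(prime256v1), server_preference: false do
 				curves = server.curves_preference
 				expect(curves).to be_nil
@@ -115,13 +201,13 @@ describe CryptCheck::Tls::Server do
 		end
 
 		it 'must report server preference if server preference enforced on RSA' do
-			tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
+			tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
 					 curves:   %i(prime256v1 sect571r1), server_preference: true do
 				curves = server.curves_preference.collect &:name
 				expect(curves).to eq %i(prime256v1 sect571r1)
 			end
 
-			tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
+			tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
 					 curves:   %i(sect571r1 prime256v1), server_preference: true do
 				curves = server.curves_preference.collect &:name
 				expect(curves).to eq %i(sect571r1 prime256v1)
@@ -129,13 +215,13 @@ describe CryptCheck::Tls::Server do
 		end
 
 		it 'must report client preference if server preference not enforced on RSA' do
-			tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
+			tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
 					 curves:   %i(prime256v1 sect571r1), server_preference: false do
 				curves = server.curves_preference
 				expect(curves).to be :client
 			end
 
-			tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
+			tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
 					 curves:   %i(sect571r1 prime256v1), server_preference: false do
 				curves = server.curves_preference
 				expect(curves).to be :client
@@ -143,13 +229,13 @@ describe CryptCheck::Tls::Server do
 		end
 
 		it 'must report N/A if a single curve on ECDSA' do
-			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
+			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
 					 curves:   %i(prime256v1), server_preference: true do
 				curves = server.curves_preference
 				expect(curves).to be_nil
 			end
 
-			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
+			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
 					 curves:   %i(prime256v1), server_preference: false do
 				curves = server.curves_preference
 				expect(curves).to be_nil
@@ -158,7 +244,7 @@ describe CryptCheck::Tls::Server do
 
 		# No luck here :'(
 		it 'can\'t detect server preference if server preference enforced on ECDSA with preference on ECDSA curve' do
-			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
+			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
 					 curves:   %i(prime256v1 sect571r1), server_preference: true do
 				curves = server.curves_preference
 				expect(curves).to be_nil
@@ -166,7 +252,7 @@ describe CryptCheck::Tls::Server do
 		end
 
 		it 'must report server preference if server preference enforced on ECDSA with preference not on ECDSA curve' do
-			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
+			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
 					 curves:   %i(sect571r1 prime256v1), server_preference: true do
 				curves = server.curves_preference.collect &:name
 				expect(curves).to eq %i(sect571r1 prime256v1)
@@ -174,53 +260,17 @@ describe CryptCheck::Tls::Server do
 		end
 
 		it 'must report client preference if server preference not enforced on ECDSA' do
-			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
+			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
 					 curves:   %i(prime256v1 sect571r1), server_preference: false do
 				curves = server.curves_preference
 				expect(curves).to be :client
 			end
 
-			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
+			tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
 					 curves:   %i(sect571r1 prime256v1), server_preference: false do
 				curves = server.curves_preference
 				expect(curves).to be :client
 			end
 		end
 	end
-
-	describe '#md5_sign?' do
-		it 'must detect server using MD5 certificate' do
-			tls_serv do
-				expect(server.md5_sign?).to be false
-			end
-
-			tls_serv material: [:md5, [:rsa, 1024]] do
-				expect(server.md5_sign?).to be true
-			end
-		end
-	end
-
-	describe '#sha1_sign?' do
-		it 'must detect server using SHA1 certificate' do
-			tls_serv do
-				expect(server.sha1_sign?).to be false
-			end
-
-			tls_serv material: [:sha1, [:rsa, 1024]] do
-				expect(server.sha1_sign?).to be true
-			end
-		end
-	end
-
-	describe '#sha2_sign?' do
-		it 'must detect server using SHA2 certificate' do
-			tls_serv do
-				expect(server.sha2_sign?).to be true
-			end
-
-			tls_serv material: [:md5, :sha1] do
-				expect(server.sha2_sign?).to be false
-			end
-		end
-	end
 end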
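Review bot: In the new `#supported_methods` examples of the first hunk, the SSLv2 case passes `methods: :SSLv2` as a bare symbol while every sibling passes an array (`methods: %i(SSLv3)`, `%i(TLSv1)`, …); unless `tls_serv` is documented to accept both shapes, the scalar form silently relies on a coercion inside the helper, and `tls_serv methods: %i(SSLv2), material: [[:rsa, 1024]], chain: [],` would read the same as the rest. The SSLv2 example is also the only one that passes `chain: []` and `ciphers: %w(RC4-MD5)`, and nothing says why those differ from the `ECDHE-RSA-AES128-SHA` setup used elsewhere; a one-line comment above it such as `# SSLv2 handshake needs a legacy cipher and no intermediate chain` would stop the next maintainer from "harmonising" it and breaking the example (the exact constraint is inferred from the setup, so phrase it from what `tls_serv` actually requires). The detection examples only cover single-method servers plus one mixed set without SSLv2, so a mixed set that includes SSLv2 would confirm the legacy path is not dropped when modern methods are present.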
