Browse Source

Tests for supported methods

new-scoring
aeris 2 years ago
parent
commit
ba1f0e7c34
2 changed files with 110 additions and 59 deletions
  1. 3
    2
      lib/cryptcheck/tls/server.rb
  2. 107
    57
      spec/cryptcheck/tls/server_spec.rb

+ 3
- 2
lib/cryptcheck/tls/server.rb View File

@@ -28,7 +28,7 @@ module CryptCheck
class ConnectionError < ::StandardError
end

attr_reader :certs, :keys, :dh, :supported_curves, :curves_preference
attr_reader :certs, :keys, :dh, :supported_methods, :supported_curves, :curves_preference

def initialize(hostname, family, ip, port)
@hostname, @family, @ip, @port = hostname, family, ip, port
@@ -402,7 +402,8 @@ module CryptCheck
when /state=SSLv2 read server hello A: peer error no cipher$/,
/state=error: no ciphers available$/,
/state=SSLv3 read server hello A: sslv3 alert handshake failure$/,
/state=error: missing export tmp dh key$/
/state=error: missing export tmp dh key$/,
/state=error: wrong curve$/
raise CipherNotAvailable, e
when /state=SSLv3 read server hello A: tlsv1 alert inappropriate fallback$/
raise InappropriateFallback, e

+ 107
- 57
spec/cryptcheck/tls/server_spec.rb View File

@@ -17,22 +17,108 @@ describe CryptCheck::Tls::Server do
it 'must detect RSA certificate' do
tls_serv material: [[:rsa, 1024]] do
certs = server.certs.collect &:fingerprint
expect(certs).to contain_exactly 'a11802a4407aaeb93ccd0bd8c8a61be17eaba6b378433af5ad45ecbb1d633f71'
expect(certs).to match_array %w(a11802a4407aaeb93ccd0bd8c8a61be17eaba6b378433af5ad45ecbb1d633f71)
end
end

it 'must detect ECDSA certificate' do
tls_serv material: [[:ecdsa, :prime256v1]] do
certs = server.certs.collect &:fingerprint
expect(certs).to contain_exactly '531ab9545f052818ff0559f648a147b104223834cc8f780516b3aacf1fdc8c06'
expect(certs).to match_array %w(531ab9545f052818ff0559f648a147b104223834cc8f780516b3aacf1fdc8c06)
end
end

it 'must detect RSA and ECDSA certificates' do
tls_serv material: [[:ecdsa, :prime256v1], [:rsa, 1024]] do
certs = server.certs.collect &:fingerprint
expect(certs).to contain_exactly '531ab9545f052818ff0559f648a147b104223834cc8f780516b3aacf1fdc8c06',
'a11802a4407aaeb93ccd0bd8c8a61be17eaba6b378433af5ad45ecbb1d633f71'
expect(certs).to match_array %w(531ab9545f052818ff0559f648a147b104223834cc8f780516b3aacf1fdc8c06
a11802a4407aaeb93ccd0bd8c8a61be17eaba6b378433af5ad45ecbb1d633f71)
end
end
end

describe '#md5_sign?' do
it 'must detect server using MD5 certificate' do
tls_serv do
expect(server.md5_sign?).to be false
end

tls_serv material: [:md5, [:rsa, 1024]] do
expect(server.md5_sign?).to be true
end
end
end

describe '#sha1_sign?' do
it 'must detect server using SHA1 certificate' do
tls_serv do
expect(server.sha1_sign?).to be false
end

tls_serv material: [:sha1, [:rsa, 1024]] do
expect(server.sha1_sign?).to be true
end
end
end

describe '#sha2_sign?' do
it 'must detect server using SHA2 certificate' do
tls_serv do
expect(server.sha2_sign?).to be true
end

tls_serv material: [:md5, :sha1] do
expect(server.sha2_sign?).to be false
end
end
end

describe '#supported_methods' do
it 'must detect SSLv2' do
tls_serv methods: :SSLv2, material: [[:rsa, 1024]], chain: [],
ciphers: %w(RC4-MD5) do
methods = server.supported_methods.collect &:name
expect(methods).to match_array %i(SSLv2)
end
end

it 'must detect SSLv3' do
tls_serv methods: %i(SSLv3), material: [[:rsa, 1024]],
ciphers: %w(ECDHE-RSA-AES128-SHA) do
methods = server.supported_methods.collect &:name
expect(methods).to match_array %i(SSLv3)
end
end

it 'must detect TLSv1.0' do
tls_serv methods: %i(TLSv1), material: [[:rsa, 1024]],
ciphers: %w(ECDHE-RSA-AES128-SHA) do
methods = server.supported_methods.collect &:name
expect(methods).to match_array %i(TLSv1)
end
end

it 'must detect TLSv1.1' do
tls_serv methods: %i(TLSv1_1), material: [[:rsa, 1024]],
ciphers: %w(ECDHE-RSA-AES128-SHA) do
methods = server.supported_methods.collect &:name
expect(methods).to match_array %i(TLSv1_1)
end
end

it 'must detect TLSv1.2' do
tls_serv methods: %i(TLSv1_2), material: [[:rsa, 1024]],
ciphers: %w(ECDHE-RSA-AES128-SHA) do
methods = server.supported_methods.collect &:name
expect(methods).to match_array %i(TLSv1_2)
end
end

it 'must detect mixed methods' do
tls_serv methods: %i(SSLv3 TLSv1 TLSv1_1 TLSv1_2), material: [[:rsa, 1024]],
ciphers: %w(ECDHE-RSA-AES128-SHA) do
methods = server.supported_methods.collect &:name
expect(methods).to match_array %i(SSLv3 TLSv1 TLSv1_1 TLSv1_2)
end
end
end
@@ -46,7 +132,7 @@ describe CryptCheck::Tls::Server do
end

it 'must detect supported curves for RSA' do
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
curves: %i(prime256v1 sect571r1) do
curves = server.supported_curves.collect &:name
expect(curves).to contain_exactly :prime256v1, :sect571r1
@@ -54,7 +140,7 @@ describe CryptCheck::Tls::Server do
end

it 'must detect supported curves from ECDSA' do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
curves: %i(prime256v1), server_preference: false do
curves = server.supported_curves.collect &:name
expect(curves).to contain_exactly :prime256v1
@@ -62,7 +148,7 @@ describe CryptCheck::Tls::Server do
end

it 'must detect supported curves from ECDSA and ECDHE' do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
curves: %i(prime256v1 sect571r1), server_preference: false do
curves = server.supported_curves.collect &:name
expect(curves).to contain_exactly :prime256v1, :sect571r1
@@ -71,13 +157,13 @@ describe CryptCheck::Tls::Server do

# No luck here :'(
it 'can\'t detect supported curves from ECDHE if server preference enforced' do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
curves: %i(prime256v1 sect571r1), server_preference: true do
curves = server.supported_curves.collect &:name
expect(curves).to contain_exactly :prime256v1
end

tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
curves: %i(sect571r1 prime256v1), server_preference: true do
curves = server.supported_curves.collect &:name
expect(curves).to contain_exactly :prime256v1, :sect571r1
@@ -101,13 +187,13 @@ describe CryptCheck::Tls::Server do
end

it 'must report N/A if a single curve on RSA' do
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
curves: %i(prime256v1), server_preference: true do
curves = server.curves_preference
expect(curves).to be_nil
end

tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
curves: %i(prime256v1), server_preference: false do
curves = server.curves_preference
expect(curves).to be_nil
@@ -115,13 +201,13 @@ describe CryptCheck::Tls::Server do
end

it 'must report server preference if server preference enforced on RSA' do
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
curves: %i(prime256v1 sect571r1), server_preference: true do
curves = server.curves_preference.collect &:name
expect(curves).to eq %i(prime256v1 sect571r1)
end

tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
curves: %i(sect571r1 prime256v1), server_preference: true do
curves = server.curves_preference.collect &:name
expect(curves).to eq %i(sect571r1 prime256v1)
@@ -129,13 +215,13 @@ describe CryptCheck::Tls::Server do
end

it 'must report client preference if server preference not enforced on RSA' do
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
curves: %i(prime256v1 sect571r1), server_preference: false do
curves = server.curves_preference
expect(curves).to be :client
end

tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
curves: %i(sect571r1 prime256v1), server_preference: false do
curves = server.curves_preference
expect(curves).to be :client
@@ -143,13 +229,13 @@ describe CryptCheck::Tls::Server do
end

it 'must report N/A if a single curve on ECDSA' do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
curves: %i(prime256v1), server_preference: true do
curves = server.curves_preference
expect(curves).to be_nil
end

tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
curves: %i(prime256v1), server_preference: false do
curves = server.curves_preference
expect(curves).to be_nil
@@ -158,7 +244,7 @@ describe CryptCheck::Tls::Server do

# No luck here :'(
it 'can\'t detect server preference if server preference enforced on ECDSA with preference on ECDSA curve' do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
curves: %i(prime256v1 sect571r1), server_preference: true do
curves = server.curves_preference
expect(curves).to be_nil
@@ -166,7 +252,7 @@ describe CryptCheck::Tls::Server do
end

it 'must report server preference if server preference enforced on ECDSA with preference not on ECDSA curve' do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
curves: %i(sect571r1 prime256v1), server_preference: true do
curves = server.curves_preference.collect &:name
expect(curves).to eq %i(sect571r1 prime256v1)
@@ -174,53 +260,17 @@ describe CryptCheck::Tls::Server do
end

it 'must report client preference if server preference not enforced on ECDSA' do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
curves: %i(prime256v1 sect571r1), server_preference: false do
curves = server.curves_preference
expect(curves).to be :client
end

tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
curves: %i(sect571r1 prime256v1), server_preference: false do
curves = server.curves_preference
expect(curves).to be :client
end
end
end

describe '#md5_sign?' do
it 'must detect server using MD5 certificate' do
tls_serv do
expect(server.md5_sign?).to be false
end

tls_serv material: [:md5, [:rsa, 1024]] do
expect(server.md5_sign?).to be true
end
end
end

describe '#sha1_sign?' do
it 'must detect server using SHA1 certificate' do
tls_serv do
expect(server.sha1_sign?).to be false
end

tls_serv material: [:sha1, [:rsa, 1024]] do
expect(server.sha1_sign?).to be true
end
end
end

describe '#sha2_sign?' do
it 'must detect server using SHA2 certificate' do
tls_serv do
expect(server.sha2_sign?).to be true
end

tls_serv material: [:md5, :sha1] do
expect(server.sha2_sign?).to be false
end
end
end
end

Loading…
Cancel
Save