You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

server_spec.rb 8.2KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249
  1. require 'faketime'
  2. describe CryptCheck::Tls::Server do
  3. before :all do
  4. FakeTime.freeze Time.utc(2000, 1, 1)
  5. end
  6. after :all do
  7. FakeTime.unfreeze
  8. end
  9. default_parameters = {
  10. methods: %i(TLSv1_2),
  11. chain: %w(intermediate ca),
  12. curves: %i(prime256v1),
  13. server_preference: true
  14. }.freeze
  15. default_ecdsa_parameters = default_parameters.merge({
  16. material: [[:ecdsa, :prime256v1]],
  17. ciphers: %i(ECDHE-ECDSA-AES128-SHA),
  18. curves: %i(prime256v1)
  19. }).freeze
  20. default_rsa_parameters = default_parameters.merge({
  21. material: [[:rsa, 1024]],
  22. ciphers: %i(ECDHE-RSA-AES128-SHA),
  23. curves: %i(prime256v1),
  24. dh: 1024
  25. }).freeze
  26. default_mixed_parameters = default_parameters.merge({
  27. material: [[:ecdsa, :prime256v1], [:rsa, 1024]],
  28. ciphers: %i(ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA),
  29. curves: %i(prime256v1),
  30. dh: 1024
  31. }).freeze
  32. default_sslv2_parameters = default_parameters.merge({
  33. methods: :SSLv2,
  34. material: [[:rsa, 1024]],
  35. ciphers: %i(RC4-MD5),
  36. chain: []
  37. }).freeze
  38. DEFAULT_PARAMETERS = { ecdsa: default_ecdsa_parameters.freeze,
  39. rsa: default_rsa_parameters.freeze,
  40. mixed: default_mixed_parameters.freeze,
  41. sslv2: default_sslv2_parameters.freeze }.freeze
  42. def server(type=:ecdsa, **kargs)
  43. params = DEFAULT_PARAMETERS[type].dup
  44. params.merge!(kargs) if kargs
  45. host, port = '127.0.0.1', 5000
  46. params.merge!({ host: host, port: port })
  47. tls_serv **params do
  48. CryptCheck::Tls::TcpServer.new 'localhost', ::Socket::PF_INET, host, port
  49. end
  50. end
  51. describe '#certs' do
  52. it 'must detect RSA certificate' do
  53. certs = server(:rsa).certs.collect &:fingerprint
  54. expect(certs).to match_array %w(a11802a4407aaeb93ccd0bd8c8a61be17eaba6b378433af5ad45ecbb1d633f71)
  55. end
  56. it 'must detect ECDSA certificate' do
  57. certs = server.certs.collect &:fingerprint
  58. expect(certs).to match_array %w(531ab9545f052818ff0559f648a147b104223834cc8f780516b3aacf1fdc8c06)
  59. end
  60. it 'must detect RSA and ECDSA certificates' do
  61. certs = server(:mixed).certs.collect &:fingerprint
  62. expect(certs).to match_array %w(531ab9545f052818ff0559f648a147b104223834cc8f780516b3aacf1fdc8c06
  63. a11802a4407aaeb93ccd0bd8c8a61be17eaba6b378433af5ad45ecbb1d633f71)
  64. end
  65. end
  66. describe '#md5_sign?' do
  67. it 'must detect server using MD5 certificate' do
  68. expect(server.md5_sign?).to be false
  69. expect(server(material: [:md5, [:rsa, 1024]]).md5_sign?).to be true
  70. end
  71. end
  72. describe '#sha1_sign?' do
  73. it 'must detect server using SHA1 certificate' do
  74. expect(server.sha1_sign?).to be false
  75. expect(server(material: [:sha1, [:rsa, 1024]]).sha1_sign?).to be true
  76. end
  77. end
  78. describe '#sha2_sign?' do
  79. it 'must detect server using SHA2 certificate' do
  80. expect(server.sha2_sign?).to be true
  81. expect(server(material: [:md5]).sha2_sign?).to be false
  82. expect(server(material: [:sha1]).sha2_sign?).to be false
  83. end
  84. end
  85. describe '#supported_methods' do
  86. it 'must detect SSLv2' do
  87. s = server :sslv2
  88. methods = s.supported_methods.collect &:to_sym
  89. expect(methods).to match_array %i(SSLv2)
  90. end
  91. it 'must detect SSLv3' do
  92. server = server methods: %i(SSLv3)
  93. methods = server.supported_methods.collect &:to_sym
  94. expect(methods).to match_array %i(SSLv3)
  95. end
  96. it 'must detect TLSv1.0' do
  97. server = server methods: %i(TLSv1)
  98. methods = server.supported_methods.collect &:to_sym
  99. expect(methods).to match_array %i(TLSv1)
  100. end
  101. it 'must detect TLSv1.1' do
  102. server = server methods: %i(TLSv1_1)
  103. methods = server.supported_methods.collect &:to_sym
  104. expect(methods).to match_array %i(TLSv1_1)
  105. end
  106. it 'must detect TLSv1.2' do
  107. server = server methods: %i(TLSv1_2)
  108. methods = server.supported_methods.collect &:to_sym
  109. expect(methods).to match_array %i(TLSv1_2)
  110. end
  111. it 'must detect mixed methods' do
  112. server = server methods: %i(SSLv3 TLSv1 TLSv1_1 TLSv1_2)
  113. methods = server.supported_methods.collect &:to_sym
  114. expect(methods).to match_array %i(SSLv3 TLSv1 TLSv1_1 TLSv1_2)
  115. end
  116. end
  117. describe '#supported_ciphers' do
  118. it 'must detect supported cipher' do
  119. ciphers = server.supported_ciphers
  120. .map { |k, v| [k.to_sym, v.keys.collect(&:name)] }
  121. .to_h[:TLSv1_2]
  122. expect(ciphers).to match_array %w(ECDHE-ECDSA-AES128-SHA)
  123. end
  124. end
  125. describe '#supported_curves' do
  126. it 'must detect no supported curves' do
  127. s = server :rsa, ciphers: %w(AES128-SHA)
  128. curves = s.supported_curves.collect &:name
  129. expect(curves).to be_empty
  130. end
  131. it 'must detect supported curves for RSA' do
  132. s = server :rsa, curves: %i(prime256v1 sect571r1)
  133. curves = s.supported_curves.collect &:name
  134. expect(curves).to contain_exactly :prime256v1, :sect571r1
  135. end
  136. it 'must detect supported curves from ECDSA' do
  137. server = server server_preference: false
  138. curves = server.supported_curves.collect &:name
  139. expect(curves).to contain_exactly :prime256v1
  140. end
  141. it 'must detect supported curves from ECDSA and ECDHE' do
  142. server = server curves: %i(prime256v1 sect571r1), server_preference: false
  143. curves = server.supported_curves.collect &:name
  144. expect(curves).to contain_exactly :prime256v1, :sect571r1
  145. end
  146. # No luck here :'(
  147. it 'can\'t detect supported curves from ECDHE if server preference enforced' do
  148. server = server curves: %i(prime256v1 sect571r1)
  149. curves = server.supported_curves.collect &:name
  150. expect(curves).to contain_exactly :prime256v1
  151. server = server curves: %i(sect571r1 prime256v1)
  152. curves = server.supported_curves.collect &:name
  153. expect(curves).to contain_exactly :prime256v1, :sect571r1
  154. end
  155. end
  156. describe '#curves_preference' do
  157. it 'must report N/A if no curve on RSA' do
  158. s = server :rsa, ciphers: %w(AES128-GCM-SHA256)
  159. curves = s.curves_preference
  160. expect(curves).to be_nil
  161. s = server :rsa, ciphers: %w(AES128-GCM-SHA256), server_preference: false
  162. curves = s.curves_preference
  163. expect(curves).to be_nil
  164. end
  165. it 'must report N/A if a single curve on RSA' do
  166. curves = server(:rsa).curves_preference
  167. expect(curves).to be_nil
  168. curves = server(:rsa, server_preference: false).curves_preference
  169. expect(curves).to be_nil
  170. end
  171. it 'must report server preference if server preference enforced on RSA' do
  172. s = server :rsa, curves: %i(prime256v1 sect571r1)
  173. curves = s.curves_preference.collect &:name
  174. expect(curves).to eq %i(prime256v1 sect571r1)
  175. s = server :rsa, curves: %i(sect571r1 prime256v1)
  176. curves = s.curves_preference.collect &:name
  177. expect(curves).to eq %i(sect571r1 prime256v1)
  178. end
  179. it 'must report client preference if server preference not enforced on RSA' do
  180. s = server :rsa, curves: %i(prime256v1 sect571r1), server_preference: false
  181. curves = s.curves_preference
  182. expect(curves).to be :client
  183. s = server :rsa, curves: %i(sect571r1 prime256v1), server_preference: false
  184. curves = s.curves_preference
  185. expect(curves).to be :client
  186. end
  187. it 'must report N/A if a single curve on ECDSA' do
  188. curves = server.curves_preference
  189. expect(curves).to be_nil
  190. curves = server(server_preference: false).curves_preference
  191. expect(curves).to be_nil
  192. end
  193. # No luck here :'(
  194. it 'can\'t detect server preference if server preference enforced on ECDSA with preference on ECDSA curve' do
  195. curves = server(curves: %i(prime256v1 sect571r1)).curves_preference
  196. expect(curves).to be_nil
  197. end
  198. it 'must report server preference if server preference enforced on ECDSA with preference not on ECDSA curve' do
  199. s = server curves: %i(sect571r1 prime256v1)
  200. curves = s.curves_preference.collect &:name
  201. expect(curves).to eq %i(sect571r1 prime256v1)
  202. end
  203. it 'must report client preference if server preference not enforced on ECDSA' do
  204. s = server curves: %i(prime256v1 sect571r1), server_preference: false
  205. curves = s.curves_preference
  206. expect(curves).to be :client
  207. s = server curves: %i(sect571r1 prime256v1), server_preference: false
  208. curves = s.curves_preference
  209. expect(curves).to be :client
  210. end
  211. end
  212. end