Merge pull request #121 from cosmincojocar/tls

Add a check for PreferServerCipherSuites flag of tls.Config

Author: gcmurphy

rules/tls.go

@@ -68,6 +68,16 @@ func (t *InsecureConfigTLS) processTlsConfVal(n *ast.KeyValueExpr, c *gas.Contex
 				return gas.NewIssue(c, n, "TLS InsecureSkipVerify may be true.", gas.High, gas.Low)
 			}
 
+		case "PreferServerCipherSuites":
+			if node, ok := n.Value.(*ast.Ident); ok {
+				if node.Name == "false" {
+					return gas.NewIssue(c, n, "TLS PreferServerCipherSuites set false.", gas.Medium, gas.High)
+				}
+			} else {
+				// TODO(tk): symbol tab look up to get the actual value
+				return gas.NewIssue(c, n, "TLS PreferServerCipherSuites may be false.", gas.Medium, gas.Low)
+			}
+
 		case "MinVersion":
 			if ival, ierr := gas.GetInt(n.Value); ierr == nil {
 				if (int16)(ival) < t.MinVersion {
@@ -90,7 +100,9 @@ func (t *InsecureConfigTLS) processTlsConfVal(n *ast.KeyValueExpr, c *gas.Contex
 			if ret := t.processTlsCipherSuites(n, c); ret != nil {
 				return ret
 			}
+
 		}
+
 	}
 	return nil
 }

rules/tls_test.go

@@ -138,3 +138,32 @@ func TestInsecureCipherSuite(t *testing.T) {
 
 	checkTestResults(t, issues, 1, "TLS Bad Cipher Suite: TLS_RSA_WITH_RC4_128_SHA")
 }
+
+func TestPreferServerCipherSuites(t *testing.T) {
+	config := map[string]interface{}{"ignoreNosec": false}
+	analyzer := gas.NewAnalyzer(config, nil)
+	analyzer.AddRule(NewModernTlsCheck(config))
+
+	issues := gasTestRunner(`
+        package main
+
+        import (
+        	"crypto/tls"
+        	"fmt"
+        	"net/http"
+        )
+
+        func main() {
+        	tr := &http.Transport{
+        		TLSClientConfig: &tls.Config{PreferServerCipherSuites: false},
+        	}
+        	client := &http.Client{Transport: tr}
+        	_, err := client.Get("https://golang.org/")
+        	if err != nil {
+        		fmt.Println(err)
+        	}
+        }
+        `, analyzer)
+
+	checkTestResults(t, issues, 1, "TLS PreferServerCipherSuites set false")
+}