mirror of
https://github.com/mozilla/cipherscan.git
synced 2024-12-25 20:23:41 +01:00
Merge pull request #124 from firesock/master
Allow EC keys to have a smaller bitsize
This commit is contained in:
commit
6d66214fd1
16
analyze.py
16
analyze.py
@ -7,7 +7,7 @@
|
||||
|
||||
from __future__ import print_function
|
||||
|
||||
import sys, os, json, subprocess, logging, argparse, platform, urllib2
|
||||
import sys, os, json, subprocess, logging, argparse, platform, urllib2, re
|
||||
from collections import namedtuple
|
||||
from datetime import datetime
|
||||
from copy import deepcopy
|
||||
@ -43,14 +43,20 @@ def has_good_pfs(pfs, target_dh, target_ecc, must_match=False):
|
||||
def is_fubar(results):
|
||||
logging.debug('entering fubar evaluation')
|
||||
lvl = 'fubar'
|
||||
|
||||
fubar = False
|
||||
has_ssl2 = False
|
||||
has_wrong_pubkey = False
|
||||
has_wrong_ec_pubkey = False
|
||||
has_bad_sig = False
|
||||
has_untrust_cert = False
|
||||
has_wrong_pfs = False
|
||||
|
||||
for conn in results['ciphersuite']:
|
||||
logging.debug('testing connection %s' % conn)
|
||||
pubkey_bits = int(conn['pubkey'][0])
|
||||
ec_kex = re.match(r"(ECDHE|EECDH|ECDH)-", conn['cipher'])
|
||||
|
||||
if conn['cipher'] not in (set(old["ciphersuites"]) | set(inter["ciphersuites"]) | set(modern["ciphersuites"])):
|
||||
failures[lvl].append("remove cipher " + conn['cipher'])
|
||||
logging.debug(conn['cipher'] + ' is in the list of fubar ciphers')
|
||||
@ -59,10 +65,14 @@ def is_fubar(results):
|
||||
has_ssl2 = True
|
||||
logging.debug('SSLv2 is in the list of fubar protocols')
|
||||
fubar = True
|
||||
if int(conn['pubkey'][0]) < 2048:
|
||||
if not ec_kex and pubkey_bits < 2048:
|
||||
has_wrong_pubkey = True
|
||||
logging.debug(conn['pubkey'][0] + ' is a fubar pubkey size')
|
||||
fubar = True
|
||||
if ec_kex and pubkey_bits < 256:
|
||||
has_wrong_ec_pubkey = True
|
||||
logging.debug(conn['pubkey'][0] + ' is a fubar EC pubkey size')
|
||||
fubar = True
|
||||
if conn['pfs'] != 'None':
|
||||
if not has_good_pfs(conn['pfs'], 1024, 160):
|
||||
logging.debug(conn['pfs']+ ' is a fubar PFS parameters')
|
||||
@ -82,6 +92,8 @@ def is_fubar(results):
|
||||
failures[lvl].append("don't use a cert with a bad signature algorithm")
|
||||
if has_wrong_pubkey:
|
||||
failures[lvl].append("don't use a public key smaller than 2048 bits")
|
||||
if has_wrong_ec_pubkey:
|
||||
failures[lvl].append("don't use an EC key smaller than 256 bits")
|
||||
if has_untrust_cert:
|
||||
failures[lvl].append("don't use an untrusted or self-signed certificate")
|
||||
if has_wrong_pfs:
|
||||
|
Loading…
Reference in New Issue
Block a user