2
0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-04 23:13:41 +01:00

Merge pull request #124 from firesock/master

Allow EC keys to have a smaller bitsize
This commit is contained in:
Julien Vehent [:ulfr] 2017-01-13 16:14:33 -05:00 committed by GitHub
commit 6d66214fd1

View File

@ -7,7 +7,7 @@
from __future__ import print_function
import sys, os, json, subprocess, logging, argparse, platform, urllib2
import sys, os, json, subprocess, logging, argparse, platform, urllib2, re
from collections import namedtuple
from datetime import datetime
from copy import deepcopy
@ -43,14 +43,20 @@ def has_good_pfs(pfs, target_dh, target_ecc, must_match=False):
def is_fubar(results):
logging.debug('entering fubar evaluation')
lvl = 'fubar'
fubar = False
has_ssl2 = False
has_wrong_pubkey = False
has_wrong_ec_pubkey = False
has_bad_sig = False
has_untrust_cert = False
has_wrong_pfs = False
for conn in results['ciphersuite']:
logging.debug('testing connection %s' % conn)
pubkey_bits = int(conn['pubkey'][0])
ec_kex = re.match(r"(ECDHE|EECDH|ECDH)-", conn['cipher'])
if conn['cipher'] not in (set(old["ciphersuites"]) | set(inter["ciphersuites"]) | set(modern["ciphersuites"])):
failures[lvl].append("remove cipher " + conn['cipher'])
logging.debug(conn['cipher'] + ' is in the list of fubar ciphers')
@ -59,10 +65,14 @@ def is_fubar(results):
has_ssl2 = True
logging.debug('SSLv2 is in the list of fubar protocols')
fubar = True
if int(conn['pubkey'][0]) < 2048:
if not ec_kex and pubkey_bits < 2048:
has_wrong_pubkey = True
logging.debug(conn['pubkey'][0] + ' is a fubar pubkey size')
fubar = True
if ec_kex and pubkey_bits < 256:
has_wrong_ec_pubkey = True
logging.debug(conn['pubkey'][0] + ' is a fubar EC pubkey size')
fubar = True
if conn['pfs'] != 'None':
if not has_good_pfs(conn['pfs'], 1024, 160):
logging.debug(conn['pfs']+ ' is a fubar PFS parameters')
@ -82,6 +92,8 @@ def is_fubar(results):
failures[lvl].append("don't use a cert with a bad signature algorithm")
if has_wrong_pubkey:
failures[lvl].append("don't use a public key smaller than 2048 bits")
if has_wrong_ec_pubkey:
failures[lvl].append("don't use an EC key smaller than 256 bits")
if has_untrust_cert:
failures[lvl].append("don't use an untrusted or self-signed certificate")
if has_wrong_pfs: