Merge pull request #124 from firesock/master

Allow EC keys to have a smaller bitsize
2024-11-04 23:13:41 +01:00 · 2017-01-13 16:14:33 -05:00 · 2017-01-13 16:14:33 -05:00 · 6d66214fd1
commit 6d66214fd1
parent b1d37bf26d bb3e89ec09
1 changed files with 14 additions and 2 deletions
--- a/analyze.py
+++ b/analyze.py
@ -7,7 +7,7 @@

 from __future__ import print_function

-import sys, os, json, subprocess, logging, argparse, platform, urllib2
+import sys, os, json, subprocess, logging, argparse, platform, urllib2, re
 from collections import namedtuple
 from datetime import datetime
 from copy import deepcopy
@ -43,14 +43,20 @@ def has_good_pfs(pfs, target_dh, target_ecc, must_match=False):
 def is_fubar(results):
    logging.debug('entering fubar evaluation')
    lvl = 'fubar'
+
    fubar = False
    has_ssl2 = False
    has_wrong_pubkey = False
+    has_wrong_ec_pubkey = False
    has_bad_sig = False
    has_untrust_cert = False
    has_wrong_pfs = False
+
    for conn in results['ciphersuite']:
        logging.debug('testing connection %s' % conn)
+        pubkey_bits = int(conn['pubkey'][0])
+        ec_kex = re.match(r"(ECDHE|EECDH|ECDH)-", conn['cipher'])
+
        if conn['cipher'] not in (set(old["ciphersuites"]) | set(inter["ciphersuites"]) | set(modern["ciphersuites"])):
            failures[lvl].append("remove cipher " + conn['cipher'])
            logging.debug(conn['cipher'] + ' is in the list of fubar ciphers')
@ -59,10 +65,14 @@ def is_fubar(results):
            has_ssl2 = True
            logging.debug('SSLv2 is in the list of fubar protocols')
            fubar = True
-        if int(conn['pubkey'][0]) < 2048:
+        if not ec_kex and pubkey_bits < 2048:
            has_wrong_pubkey = True
            logging.debug(conn['pubkey'][0] + ' is a fubar pubkey size')
            fubar = True
+        if ec_kex and pubkey_bits < 256:
+            has_wrong_ec_pubkey = True
+            logging.debug(conn['pubkey'][0] + ' is a fubar EC pubkey size')
+            fubar = True
        if conn['pfs'] != 'None':
            if not has_good_pfs(conn['pfs'], 1024, 160):
                logging.debug(conn['pfs']+ ' is a fubar PFS parameters')
@ -82,6 +92,8 @@ def is_fubar(results):
        failures[lvl].append("don't use a cert with a bad signature algorithm")
    if has_wrong_pubkey:
        failures[lvl].append("don't use a public key smaller than 2048 bits")
+    if has_wrong_ec_pubkey:
+        failures[lvl].append("don't use an EC key smaller than 256 bits")
    if has_untrust_cert:
        failures[lvl].append("don't use an untrusted or self-signed certificate")
    if has_wrong_pfs: