2
0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-22 14:23:41 +01:00

Merge pull request #124 from firesock/master

Allow EC keys to have a smaller bitsize
This commit is contained in:
Julien Vehent [:ulfr] 2017-01-13 16:14:33 -05:00 committed by GitHub
commit 6d66214fd1

View File

@ -7,7 +7,7 @@
from __future__ import print_function from __future__ import print_function
import sys, os, json, subprocess, logging, argparse, platform, urllib2 import sys, os, json, subprocess, logging, argparse, platform, urllib2, re
from collections import namedtuple from collections import namedtuple
from datetime import datetime from datetime import datetime
from copy import deepcopy from copy import deepcopy
@ -43,14 +43,20 @@ def has_good_pfs(pfs, target_dh, target_ecc, must_match=False):
def is_fubar(results): def is_fubar(results):
logging.debug('entering fubar evaluation') logging.debug('entering fubar evaluation')
lvl = 'fubar' lvl = 'fubar'
fubar = False fubar = False
has_ssl2 = False has_ssl2 = False
has_wrong_pubkey = False has_wrong_pubkey = False
has_wrong_ec_pubkey = False
has_bad_sig = False has_bad_sig = False
has_untrust_cert = False has_untrust_cert = False
has_wrong_pfs = False has_wrong_pfs = False
for conn in results['ciphersuite']: for conn in results['ciphersuite']:
logging.debug('testing connection %s' % conn) logging.debug('testing connection %s' % conn)
pubkey_bits = int(conn['pubkey'][0])
ec_kex = re.match(r"(ECDHE|EECDH|ECDH)-", conn['cipher'])
if conn['cipher'] not in (set(old["ciphersuites"]) | set(inter["ciphersuites"]) | set(modern["ciphersuites"])): if conn['cipher'] not in (set(old["ciphersuites"]) | set(inter["ciphersuites"]) | set(modern["ciphersuites"])):
failures[lvl].append("remove cipher " + conn['cipher']) failures[lvl].append("remove cipher " + conn['cipher'])
logging.debug(conn['cipher'] + ' is in the list of fubar ciphers') logging.debug(conn['cipher'] + ' is in the list of fubar ciphers')
@ -59,10 +65,14 @@ def is_fubar(results):
has_ssl2 = True has_ssl2 = True
logging.debug('SSLv2 is in the list of fubar protocols') logging.debug('SSLv2 is in the list of fubar protocols')
fubar = True fubar = True
if int(conn['pubkey'][0]) < 2048: if not ec_kex and pubkey_bits < 2048:
has_wrong_pubkey = True has_wrong_pubkey = True
logging.debug(conn['pubkey'][0] + ' is a fubar pubkey size') logging.debug(conn['pubkey'][0] + ' is a fubar pubkey size')
fubar = True fubar = True
if ec_kex and pubkey_bits < 256:
has_wrong_ec_pubkey = True
logging.debug(conn['pubkey'][0] + ' is a fubar EC pubkey size')
fubar = True
if conn['pfs'] != 'None': if conn['pfs'] != 'None':
if not has_good_pfs(conn['pfs'], 1024, 160): if not has_good_pfs(conn['pfs'], 1024, 160):
logging.debug(conn['pfs']+ ' is a fubar PFS parameters') logging.debug(conn['pfs']+ ' is a fubar PFS parameters')
@ -82,6 +92,8 @@ def is_fubar(results):
failures[lvl].append("don't use a cert with a bad signature algorithm") failures[lvl].append("don't use a cert with a bad signature algorithm")
if has_wrong_pubkey: if has_wrong_pubkey:
failures[lvl].append("don't use a public key smaller than 2048 bits") failures[lvl].append("don't use a public key smaller than 2048 bits")
if has_wrong_ec_pubkey:
failures[lvl].append("don't use an EC key smaller than 256 bits")
if has_untrust_cert: if has_untrust_cert:
failures[lvl].append("don't use an untrusted or self-signed certificate") failures[lvl].append("don't use an untrusted or self-signed certificate")
if has_wrong_pfs: if has_wrong_pfs: