LittleNellie
/
cipherscan
mirror of https://github.com/mozilla/cipherscan.git
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #124 from firesock/master 

Allow EC keys to have a smaller bitsize
This commit is contained in:
Julien Vehent [:ulfr] 2017-01-13 16:14:33 -05:00 committed by GitHub
parent b1d37bf26d bb3e89ec09
commit 6d66214fd1
1 changed files with 14 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
analyze.py
View File

@ -7,7 +7,7 @@
from __future__ import print_function from __future__ import print_function
import sys, os, json, subprocess, logging, argparse, platform, urllib2 import sys, os, json, subprocess, logging, argparse, platform, urllib2, re
from collections import namedtuple from collections import namedtuple
from datetime import datetime from datetime import datetime
from copy import deepcopy from copy import deepcopy
@ -43,14 +43,20 @@ def has_good_pfs(pfs, target_dh, target_ecc, must_match=False):
def is_fubar(results): def is_fubar(results):
logging.debug('entering fubar evaluation') logging.debug('entering fubar evaluation')
lvl = 'fubar' lvl = 'fubar'
fubar = False fubar = False
has_ssl2 = False has_ssl2 = False
has_wrong_pubkey = False has_wrong_pubkey = False
has_wrong_ec_pubkey = False
has_bad_sig = False has_bad_sig = False
has_untrust_cert = False has_untrust_cert = False
has_wrong_pfs = False has_wrong_pfs = False
for conn in results['ciphersuite']: for conn in results['ciphersuite']:
logging.debug('testing connection %s' % conn) logging.debug('testing connection %s' % conn)
pubkey_bits = int(conn['pubkey'][0])
ec_kex = re.match(r"(ECDHE|EECDH|ECDH)-", conn['cipher'])
if conn['cipher'] not in (set(old["ciphersuites"]) | set(inter["ciphersuites"]) | set(modern["ciphersuites"])): if conn['cipher'] not in (set(old["ciphersuites"]) | set(inter["ciphersuites"]) | set(modern["ciphersuites"])):
failures[lvl].append("remove cipher " + conn['cipher']) failures[lvl].append("remove cipher " + conn['cipher'])
logging.debug(conn['cipher'] + ' is in the list of fubar ciphers') logging.debug(conn['cipher'] + ' is in the list of fubar ciphers')
@ -59,10 +65,14 @@ def is_fubar(results):
has_ssl2 = True has_ssl2 = True
logging.debug('SSLv2 is in the list of fubar protocols') logging.debug('SSLv2 is in the list of fubar protocols')
fubar = True fubar = True
if int(conn['pubkey'][0]) < 2048: if not ec_kex and pubkey_bits < 2048:
has_wrong_pubkey = True has_wrong_pubkey = True
logging.debug(conn['pubkey'][0] + ' is a fubar pubkey size') logging.debug(conn['pubkey'][0] + ' is a fubar pubkey size')
fubar = True fubar = True
if ec_kex and pubkey_bits < 256:
has_wrong_ec_pubkey = True
logging.debug(conn['pubkey'][0] + ' is a fubar EC pubkey size')
fubar = True
if conn['pfs'] != 'None': if conn['pfs'] != 'None':
if not has_good_pfs(conn['pfs'], 1024, 160): if not has_good_pfs(conn['pfs'], 1024, 160):
logging.debug(conn['pfs']+ ' is a fubar PFS parameters') logging.debug(conn['pfs']+ ' is a fubar PFS parameters')
@ -82,6 +92,8 @@ def is_fubar(results):
failures[lvl].append("don't use a cert with a bad signature algorithm") failures[lvl].append("don't use a cert with a bad signature algorithm")
if has_wrong_pubkey: if has_wrong_pubkey:
failures[lvl].append("don't use a public key smaller than 2048 bits") failures[lvl].append("don't use a public key smaller than 2048 bits")
if has_wrong_ec_pubkey:
failures[lvl].append("don't use an EC key smaller than 256 bits")
if has_untrust_cert: if has_untrust_cert:
failures[lvl].append("don't use an untrusted or self-signed certificate") failures[lvl].append("don't use an untrusted or self-signed certificate")
if has_wrong_pfs: if has_wrong_pfs: