mirror of https://github.com/jtesta/ssh-audit.git
RSA key size comments duplicated for all RSA sig algs (#182)
* RSA key size comments duplicated for all RSA sig algs * Save results on completion of testing a hostkey * Revised list names because they operates against all keys now not just rsa. * ensure all required fields added for non-rsa keys * Correction to the saving of comments against non-rsa keys
This commit is contained in:
parent
c33e7d9b72
commit
e172932977
|
@ -102,6 +102,9 @@ class HostKeyTest:
|
|||
|
||||
# For each host key type...
|
||||
for host_key_type in host_key_types:
|
||||
key_fail_comments = []
|
||||
key_warn_comments = []
|
||||
|
||||
# Skip those already handled (i.e.: those in the RSA family, as testing one tests them all).
|
||||
if 'parsed' in host_key_types[host_key_type] and host_key_types[host_key_type]['parsed']:
|
||||
continue
|
||||
|
@ -184,42 +187,46 @@ class HostKeyTest:
|
|||
|
||||
# Keys smaller than 2048 result in a failure. Keys smaller 3072 result in a warning. Update the database accordingly.
|
||||
if (cert is False) and (hostkey_modulus_size < hostkey_min_good):
|
||||
alg_list = SSH2_KexDB.ALGORITHMS['key'][host_key_type]
|
||||
|
||||
# Ensure that failure & warning lists exist.
|
||||
while len(alg_list) < 3:
|
||||
alg_list.append([])
|
||||
|
||||
# If the key is under 2048, add to the failure list.
|
||||
if hostkey_modulus_size < hostkey_min_warn:
|
||||
alg_list[1].append('using small %d-bit modulus' % hostkey_modulus_size)
|
||||
elif hostkey_warn_str not in alg_list[2]: # Issue a warning about 2048-bit moduli.
|
||||
alg_list[2].append(hostkey_warn_str)
|
||||
key_fail_comments.append('using small %d-bit modulus' % hostkey_modulus_size)
|
||||
elif hostkey_warn_str not in key_warn_comments: # Issue a warning about 2048-bit moduli.
|
||||
key_warn_comments.append(hostkey_warn_str)
|
||||
|
||||
elif (cert is True) and ((hostkey_modulus_size < hostkey_min_good) or (0 < ca_modulus_size < cakey_min_good)):
|
||||
alg_list = SSH2_KexDB.ALGORITHMS['key'][host_key_type]
|
||||
|
||||
# Ensure that failure & warning lists exist.
|
||||
while len(alg_list) < 3:
|
||||
alg_list.append([])
|
||||
|
||||
# If the host key is smaller than 2048-bit/224-bit, flag this as a failure.
|
||||
if hostkey_modulus_size < hostkey_min_warn:
|
||||
alg_list[1].append('using small %d-bit hostkey modulus' % hostkey_modulus_size)
|
||||
key_fail_comments.append('using small %d-bit hostkey modulus' % hostkey_modulus_size)
|
||||
# Otherwise, this is just a warning.
|
||||
elif (hostkey_modulus_size < hostkey_min_good) and (hostkey_warn_str not in alg_list[2]):
|
||||
alg_list[2].append(hostkey_warn_str)
|
||||
elif (hostkey_modulus_size < hostkey_min_good) and (hostkey_warn_str not in key_warn_comments):
|
||||
key_warn_comments.append(hostkey_warn_str)
|
||||
|
||||
# If the CA key is smaller than 2048-bit/224-bit, flag this as a failure.
|
||||
if 0 < ca_modulus_size < cakey_min_warn:
|
||||
alg_list[1].append('using small %d-bit CA key modulus' % ca_modulus_size)
|
||||
key_fail_comments.append('using small %d-bit CA key modulus' % ca_modulus_size)
|
||||
# Otherwise, this is just a warning.
|
||||
elif (0 < ca_modulus_size < cakey_min_good) and (cakey_warn_str not in alg_list[2]):
|
||||
alg_list[2].append(cakey_warn_str)
|
||||
elif (0 < ca_modulus_size < cakey_min_good) and (cakey_warn_str not in key_warn_comments):
|
||||
key_warn_comments.append(cakey_warn_str)
|
||||
|
||||
# If this host key type is in the RSA family, then mark them all as parsed (since results in one are valid for them all).
|
||||
if host_key_type in HostKeyTest.RSA_FAMILY:
|
||||
for rsa_type in HostKeyTest.RSA_FAMILY:
|
||||
host_key_types[rsa_type]['parsed'] = True
|
||||
# If the current key is a member of the RSA family, then populate all RSA family members with the same
|
||||
# failure and/or warning comments.
|
||||
while len(SSH2_KexDB.ALGORITHMS['key'][rsa_type]) < 3:
|
||||
SSH2_KexDB.ALGORITHMS['key'][rsa_type].append([])
|
||||
if key_fail_comments:
|
||||
SSH2_KexDB.ALGORITHMS['key'][rsa_type][1].extend(key_fail_comments)
|
||||
if key_warn_comments:
|
||||
SSH2_KexDB.ALGORITHMS['key'][rsa_type][2].extend(key_warn_comments)
|
||||
|
||||
else:
|
||||
host_key_types[host_key_type]['parsed'] = True
|
||||
while len(SSH2_KexDB.ALGORITHMS['key'][host_key_type]) < 3:
|
||||
SSH2_KexDB.ALGORITHMS['key'][host_key_type].append([])
|
||||
if key_fail_comments:
|
||||
SSH2_KexDB.ALGORITHMS['key'][host_key_type][1].extend(key_fail_comments)
|
||||
if key_warn_comments:
|
||||
SSH2_KexDB.ALGORITHMS['key'][host_key_type][2].extend(key_warn_comments)
|
||||
|
|
Loading…
Reference in New Issue