From 46bf8c90acd59eaa75c1f7c9d905c00ae3968ecd Mon Sep 17 00:00:00 2001 From: David Cooper Date: Wed, 6 May 2020 14:30:44 -0400 Subject: [PATCH] Improve key exchange grading This commit makes a couple of improvements to set_key_str_score(). It rates (finite-field) DH keys the same as RSA and DSA keys. Second, in the case of a server that has more than one certificate, the current code sets $KEY_EXCH_SCORE based on the length of the public key in the last certificate that is parsed. This commit changes set_key_str_score() so that $KEY_EXCH_SCORE is set based on the weakest public key. Note that there is still the issue that the key exchange score does not take into account any ephemeral keys used. However, that needs to be addressed by callling set_key_str_score() from run_fs() and run_logjam(), as certificate_info() cannot provide information about ephemeral keys. --- testssl.sh | 30 ++++++++++-------------------- 1 file changed, 10 insertions(+), 20 deletions(-) diff --git a/testssl.sh b/testssl.sh index dfb976f..954a6c3 100755 --- a/testssl.sh +++ b/testssl.sh @@ -382,7 +382,7 @@ HEX_CIPHER="" # " GRADE_CAP="" # Keeps track of the current grading cap GRADE_CAP_REASONS=() # Keeps track of all the reasons why grades are capped GRADE_WARNINGS=() # Keeps track of all the grade warnings -KEY_EXCH_SCORE=0 # Keeps track of the score for category 2 "Key Exchange Strength" +KEY_EXCH_SCORE=100 # Keeps track of the score for category 2 "Key Exchange Strength" CIPH_STR_BEST=0 # Keeps track of the best bit size for category 3 "Cipher Strength" CIPH_STR_WORST=100000 # Keeps track of the worst bit size for category 3 "Cipher Strength" # Intentionally set very high, so it can be set to 0, if necessary @@ -1039,41 +1039,31 @@ set_key_str_score() { # TODO: We need to get the size of DH params (follows the same table as the "else" clause) # For now, verifying the key size will do... - if [[ $type == EC || $type == DH ]]; then - if [[ $size -lt 110 ]]; then + if [[ $type == EC ]]; then + if [[ $size -lt 110 ]] && [[ $KEY_EXCH_SCORE -gt 20 ]]; then let KEY_EXCH_SCORE=20 set_grade_cap "F" "Using an insecure key" - elif [[ $size -lt 123 ]]; then + elif [[ $size -lt 123 ]] && [[ $KEY_EXCH_SCORE -gt 40 ]]; then let KEY_EXCH_SCORE=40 set_grade_cap "F" "Using an insecure key" - elif [[ $size -lt 163 ]]; then + elif [[ $size -lt 163 ]] && [[ $KEY_EXCH_SCORE -gt 80 ]]; then let KEY_EXCH_SCORE=80 set_grade_cap "B" "Using a weak key" - elif [[ $size -lt 225 ]]; then + elif [[ $size -lt 225 ]] && [[ $KEY_EXCH_SCORE -gt 90 ]]; then let KEY_EXCH_SCORE=90 - elif [[ $size -ge 225 ]]; then - let KEY_EXCH_SCORE=100 - else - let KEY_EXCH_SCORE=0 - set_grade_cap "F" "Using an insecure key" fi else - if [[ $size -lt 512 ]]; then + if [[ $size -lt 512 ]] && [[ $KEY_EXCH_SCORE -gt 20 ]]; then let KEY_EXCH_SCORE=20 set_grade_cap "F" "Using an insecure key" - elif [[ $size -lt 1024 ]]; then + elif [[ $size -lt 1024 ]] && [[ $KEY_EXCH_SCORE -gt 40 ]]; then let KEY_EXCH_SCORE=40 set_grade_cap "F" "Using an insecure key" - elif [[ $size -lt 2048 ]]; then + elif [[ $size -lt 2048 ]] && [[ $KEY_EXCH_SCORE -gt 80 ]]; then let KEY_EXCH_SCORE=80 set_grade_cap "B" "Using a weak key" - elif [[ $size -lt 4096 ]]; then + elif [[ $size -lt 4096 ]] && [[ $KEY_EXCH_SCORE -gt 90 ]]; then let KEY_EXCH_SCORE=90 - elif [[ $size -ge 4096 ]]; then - let KEY_EXCH_SCORE=100 - else - let KEY_EXCH_SCORE=0 - set_grade_cap "F" "Using an insecure key" fi fi return 0