mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-03 23:39:45 +01:00
Improve key exchange grading
This commit makes a couple of improvements to set_key_str_score(). It rates (finite-field) DH keys the same as RSA and DSA keys. Second, in the case of a server that has more than one certificate, the current code sets $KEY_EXCH_SCORE based on the length of the public key in the last certificate that is parsed. This commit changes set_key_str_score() so that $KEY_EXCH_SCORE is set based on the weakest public key. Note that there is still the issue that the key exchange score does not take into account any ephemeral keys used. However, that needs to be addressed by callling set_key_str_score() from run_fs() and run_logjam(), as certificate_info() cannot provide information about ephemeral keys.
This commit is contained in:
parent
f492cf0336
commit
46bf8c90ac
30
testssl.sh
30
testssl.sh
@ -382,7 +382,7 @@ HEX_CIPHER="" # "
|
||||
GRADE_CAP="" # Keeps track of the current grading cap
|
||||
GRADE_CAP_REASONS=() # Keeps track of all the reasons why grades are capped
|
||||
GRADE_WARNINGS=() # Keeps track of all the grade warnings
|
||||
KEY_EXCH_SCORE=0 # Keeps track of the score for category 2 "Key Exchange Strength"
|
||||
KEY_EXCH_SCORE=100 # Keeps track of the score for category 2 "Key Exchange Strength"
|
||||
CIPH_STR_BEST=0 # Keeps track of the best bit size for category 3 "Cipher Strength"
|
||||
CIPH_STR_WORST=100000 # Keeps track of the worst bit size for category 3 "Cipher Strength"
|
||||
# Intentionally set very high, so it can be set to 0, if necessary
|
||||
@ -1039,41 +1039,31 @@ set_key_str_score() {
|
||||
|
||||
# TODO: We need to get the size of DH params (follows the same table as the "else" clause)
|
||||
# For now, verifying the key size will do...
|
||||
if [[ $type == EC || $type == DH ]]; then
|
||||
if [[ $size -lt 110 ]]; then
|
||||
if [[ $type == EC ]]; then
|
||||
if [[ $size -lt 110 ]] && [[ $KEY_EXCH_SCORE -gt 20 ]]; then
|
||||
let KEY_EXCH_SCORE=20
|
||||
set_grade_cap "F" "Using an insecure key"
|
||||
elif [[ $size -lt 123 ]]; then
|
||||
elif [[ $size -lt 123 ]] && [[ $KEY_EXCH_SCORE -gt 40 ]]; then
|
||||
let KEY_EXCH_SCORE=40
|
||||
set_grade_cap "F" "Using an insecure key"
|
||||
elif [[ $size -lt 163 ]]; then
|
||||
elif [[ $size -lt 163 ]] && [[ $KEY_EXCH_SCORE -gt 80 ]]; then
|
||||
let KEY_EXCH_SCORE=80
|
||||
set_grade_cap "B" "Using a weak key"
|
||||
elif [[ $size -lt 225 ]]; then
|
||||
elif [[ $size -lt 225 ]] && [[ $KEY_EXCH_SCORE -gt 90 ]]; then
|
||||
let KEY_EXCH_SCORE=90
|
||||
elif [[ $size -ge 225 ]]; then
|
||||
let KEY_EXCH_SCORE=100
|
||||
else
|
||||
let KEY_EXCH_SCORE=0
|
||||
set_grade_cap "F" "Using an insecure key"
|
||||
fi
|
||||
else
|
||||
if [[ $size -lt 512 ]]; then
|
||||
if [[ $size -lt 512 ]] && [[ $KEY_EXCH_SCORE -gt 20 ]]; then
|
||||
let KEY_EXCH_SCORE=20
|
||||
set_grade_cap "F" "Using an insecure key"
|
||||
elif [[ $size -lt 1024 ]]; then
|
||||
elif [[ $size -lt 1024 ]] && [[ $KEY_EXCH_SCORE -gt 40 ]]; then
|
||||
let KEY_EXCH_SCORE=40
|
||||
set_grade_cap "F" "Using an insecure key"
|
||||
elif [[ $size -lt 2048 ]]; then
|
||||
elif [[ $size -lt 2048 ]] && [[ $KEY_EXCH_SCORE -gt 80 ]]; then
|
||||
let KEY_EXCH_SCORE=80
|
||||
set_grade_cap "B" "Using a weak key"
|
||||
elif [[ $size -lt 4096 ]]; then
|
||||
elif [[ $size -lt 4096 ]] && [[ $KEY_EXCH_SCORE -gt 90 ]]; then
|
||||
let KEY_EXCH_SCORE=90
|
||||
elif [[ $size -ge 4096 ]]; then
|
||||
let KEY_EXCH_SCORE=100
|
||||
else
|
||||
let KEY_EXCH_SCORE=0
|
||||
set_grade_cap "F" "Using an insecure key"
|
||||
fi
|
||||
fi
|
||||
return 0
|
||||
|
Loading…
Reference in New Issue
Block a user