proper rating of dh group length

This commit is contained in:
Magnus Larsen 2020-05-11 15:20:16 +02:00
parent 78612c86a0
commit 6119d8538e
2 changed files with 8 additions and 17 deletions


@ -404,7 +404,6 @@ As of writing, these checks are missing:
* Zombie POODLE - should be graded **F** if vulnerable * Zombie POODLE - should be graded **F** if vulnerable
* All remaining old Symantec PKI certificates are distrusted - should be graded **T** * All remaining old Symantec PKI certificates are distrusted - should be graded **T**
* Symantec certificates issued before June 2016 are distrusted - should be graded **T** * Symantec certificates issued before June 2016 are distrusted - should be graded **T**
* ! A reading of DH params - should give correct points in `set_key_str_score()`
* Anonymous key exchange - should give **0** points in `set_key_str_score()` * Anonymous key exchange - should give **0** points in `set_key_str_score()`
* Exportable key exchange - should give **40** points in `set_key_str_score()` * Exportable key exchange - should give **40** points in `set_key_str_score()`
* Weak key (Debian OpenSSL Flaw) - should give **0** points in `set_key_str_score()` * Weak key (Debian OpenSSL Flaw) - should give **0** points in `set_key_str_score()`


@ -1030,7 +1030,7 @@ set_grade_warning() {
} }
# Sets the score for Category 2 (Key Exchange Strength) # Sets the score for Category 2 (Key Exchange Strength)
# arg1: Short key algorithm ("EC", "DH", "RSA", ...) # Can die, when we get DH_PARAMs # arg1: Short key algorithm ("EC", "DH", "RSA", ...), or "DHE" for ephemeral key size
# arg2: key size (number of bits) # arg2: key size (number of bits)
set_key_str_score() { set_key_str_score() {
local type=$1 local type=$1
@ -1038,13 +1038,8 @@ set_key_str_score() {
"$do_rating" || return 0 "$do_rating" || return 0
# TODO: We need to get the size of DH params (follows the same table as the "else" clause)
# For now, verifying the key size will do...
if [[ $type == EC ]]; then if [[ $type == EC ]]; then
if [[ $size -lt 110 ]] && [[ $KEY_EXCH_SCORE -gt 20 ]]; then if [[ $size -lt 123 ]] && [[ $KEY_EXCH_SCORE -gt 40 ]]; then
let KEY_EXCH_SCORE=20
set_grade_cap "F" "Using an insecure key"
elif [[ $size -lt 123 ]] && [[ $KEY_EXCH_SCORE -gt 40 ]]; then
let KEY_EXCH_SCORE=40 let KEY_EXCH_SCORE=40
set_grade_cap "F" "Using an insecure key" set_grade_cap "F" "Using an insecure key"
elif [[ $size -lt 163 ]] && [[ $KEY_EXCH_SCORE -gt 80 ]]; then elif [[ $size -lt 163 ]] && [[ $KEY_EXCH_SCORE -gt 80 ]]; then
@ -1054,15 +1049,12 @@ set_key_str_score() {
let KEY_EXCH_SCORE=90 let KEY_EXCH_SCORE=90
fi fi
else else
if [[ $size -lt 512 ]] && [[ $KEY_EXCH_SCORE -gt 20 ]]; then if [[ $size -lt 1024 ]] && [[ $KEY_EXCH_SCORE -gt 40 ]]; then
let KEY_EXCH_SCORE=20
set_grade_cap "F" "Using an insecure key"
elif [[ $size -lt 1024 ]] && [[ $KEY_EXCH_SCORE -gt 40 ]]; then
let KEY_EXCH_SCORE=40 let KEY_EXCH_SCORE=40
set_grade_cap "F" "Using an insecure key" set_grade_cap "F" "Using an insecure key / DH key exchange parameters"
elif [[ $size -lt 2048 ]] && [[ $KEY_EXCH_SCORE -gt 80 ]]; then elif [[ $size -lt 2048 ]] && [[ $KEY_EXCH_SCORE -gt 80 ]]; then
let KEY_EXCH_SCORE=80 let KEY_EXCH_SCORE=80
set_grade_cap "B" "Using a weak key" set_grade_cap "B" "Using a weak key / DH key exchange parameters"
elif [[ $size -lt 4096 ]] && [[ $KEY_EXCH_SCORE -gt 90 ]]; then elif [[ $size -lt 4096 ]] && [[ $KEY_EXCH_SCORE -gt 90 ]]; then
let KEY_EXCH_SCORE=90 let KEY_EXCH_SCORE=90
fi fi
@ -16677,7 +16669,6 @@ run_logjam() {
if "$vuln_exportdh_ciphers"; then if "$vuln_exportdh_ciphers"; then
pr_svrty_high "VULNERABLE (NOT ok):"; out " uses DH EXPORT ciphers" pr_svrty_high "VULNERABLE (NOT ok):"; out " uses DH EXPORT ciphers"
fileout "$jsonID" "HIGH" "VULNERABLE, uses DH EXPORT ciphers" "$cve" "$cwe" "$hint" fileout "$jsonID" "HIGH" "VULNERABLE, uses DH EXPORT ciphers" "$cve" "$cwe" "$hint"
set_grade_cap "B" "Uses weak DH key exchange parameters (vulnerable to LOGJAM)"
if [[ $subret -eq 3 ]]; then if [[ $subret -eq 3 ]]; then
out ", no DH key detected with <= TLS 1.2" out ", no DH key detected with <= TLS 1.2"
fileout "$jsonID2" "OK" "no DH key detected with <= TLS 1.2" fileout "$jsonID2" "OK" "no DH key detected with <= TLS 1.2"
@ -16693,7 +16684,6 @@ run_logjam() {
else else
if [[ $subret -eq 1 ]]; then if [[ $subret -eq 1 ]]; then
out_common_prime "$jsonID2" "$cve" "$cwe" out_common_prime "$jsonID2" "$cve" "$cwe"
set_grade_cap "A" "Uses known DH key exchange parameters"
if ! "$openssl_no_expdhciphers"; then if ! "$openssl_no_expdhciphers"; then
outln "," outln ","
out "${spaces}but no DH EXPORT ciphers${addtl_warning}" out "${spaces}but no DH EXPORT ciphers${addtl_warning}"
@ -16726,6 +16716,8 @@ run_logjam() {
fi fi
fi fi
[[ $DH_GROUP_LEN_P -gt 0 ]] && set_key_str_score "DHE" $DH_GROUP_LEN_P
outln outln
tmpfile_handle ${FUNCNAME[0]}.txt tmpfile_handle ${FUNCNAME[0]}.txt
return $ret return $ret
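Review bot: The new `set_key_str_score "DHE" $DH_GROUP_LEN_P` call rates the group by its bit length alone, and with the `set_grade_cap "A" "Uses known DH key exchange parameters"` line removed from the `out_common_prime` branch earlier in this section, a server negotiating a well-known 2048-bit or larger group no longer influences the grade at all; if that is the intent, a comment at the call site such as `# Common (non-export) primes are no longer capped; the group is rated by length only` would record the decision, otherwise the cap should be reinstated in that branch. The size argument should be quoted, `[[ $DH_GROUP_LEN_P -gt 0 ]] && set_key_str_score "DHE" "$DH_GROUP_LEN_P"`, to match the quoting used for the other arguments in this function. Since "DHE" is not `EC`, it takes the `else` thresholds of set_key_str_score (1024/2048/4096), which is right for finite-field groups but relies on DH_GROUP_LEN_P holding the length of p in bits rather than the exponent size — worth confirming against where that variable is set. run_logjam starts and ends outside this hunk.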