
Display DH parameter size

master
Nicolas Vinot 3 years ago
parent
commit
7753d023a2

+ 2
- 2
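--- a/bin/check_https.rb
+++ b/bin/check_https.rb
@@ -11,8 +11,8 @@ if ::File.exist? file
 	::CryptCheck::Logger.level = :none
 	::CryptCheck::Tls::Https.analyze_from_file "output/#{name}.yml", "output/#{name}.html"
 else
-	::CryptCheck::Logger.level = :info
-	server = ::CryptCheck::Tls::Https::Server.new(ARGV[0], ARGV[1] || 443)
+	::CryptCheck::Logger.level = (ARGV[1] || :info).to_sym
+	server = ::CryptCheck::Tls::Https::Server.new ARGV[0]
 	grade = ::CryptCheck::Tls::Https::Grade.new server
 	::CryptCheck::Logger.info { '' }
 	grade.display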
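Review bot: The log level now comes from `ARGV[1]` through `to_sym` with no validation, so a misspelt level is handed to `Logger.level=` as an arbitrary symbol; whether that setter rejects unknown values is not visible here, so a typo may silently leave logging in an unexpected state. A guard before the assignment, such as `abort "usage: check_https HOST [LEVEL]" unless ARGV[0]` followed by a check of the level against whatever names the logger accepts, would turn that into a usage error. The same positional argument used to be the port, so the meaning of the second CLI argument changes silently in this commit; a one-line usage comment at the top of the script would document the new contract. The identical change in bin/check_smtp.rb has the same issue.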

+ 2
- 2
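--- a/bin/check_smtp.rb
+++ b/bin/check_smtp.rb
@@ -7,8 +7,8 @@ require 'cryptcheck'
 
 name = ARGV[0]
 if name
-	::CryptCheck::Logger.level = :info
-	server = ::CryptCheck::Tls::Smtp::Server.new(ARGV[0], ARGV[1] || 25)
+	::CryptCheck::Logger.level = (ARGV[1] || :info).to_sym
+	server = ::CryptCheck::Tls::Smtp::Server.new ARGV[0]
 	grade = ::CryptCheck::Tls::Smtp::Grade.new server
 	::CryptCheck::Logger.info { '' }
 	grade.display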

+ 1
- 0
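--- a/lib/cryptcheck.rb
+++ b/lib/cryptcheck.rb
@@ -1,4 +1,5 @@
 require 'colorize'
+require 'cryptcheck/tls/fixture'
 
 module CryptCheck
 	autoload :Logger, 'cryptcheck/logger'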

+ 19
- 0
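--- a/lib/cryptcheck/tls.rb
+++ b/lib/cryptcheck/tls.rb
@@ -107,6 +107,25 @@ module CryptCheck
 			cipher.to_s.colorize colors
 		end
 
+		def self.key_to_s(key)
+			size       = key.rsa_equivalent_size
+			type_color = case key.type
+							 when :ecc
+								 { color: :green }
+							 when :dsa
+								 { color: :yellow }
+						 end
+			size_color = case size
+							 when 0...1024
+								 { color: :white, background: :red }
+							 when 1024...2048
+								 { color: :yellow }
+							 when 4096...::Float::INFINITY
+								 { color: :green }
+						 end
+			"#{key.type.to_s.upcase.colorize type_color} #{key.size.to_s.colorize size_color} bits"
+		end
+
 		private
 		SCORES = %w(A+ A A- B C D E F T M X)
 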
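Review bot: `key_to_s` leaves `type_color` nil for `:rsa` and `:dh`, and `size_color` nil for the 2048...4096 band and for a nil `rsa_equivalent_size`, then passes that nil straight to `String#colorize`; this relies on the colorize version in use treating nil as "no styling", which nothing here checks. An explicit `else {}` on both `case` expressions makes the intent visible to the reader and robust to gem upgrades. The thresholds are evaluated on `rsa_equivalent_size` while the printed number is `key.size`, so an EC key shows e.g. 256 but is coloured by its equivalent strength; that deserves a comment such as `# colour by RSA-equivalent strength, print the raw key size`. Any `OpenSSL::PKey` subclass not reopened in tls/fixture.rb will raise NoMethodError on `rsa_equivalent_size` here rather than being reported as an unknown key type.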

+ 77
- 0
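--- a/lib/cryptcheck/tls/fixture.rb
+++ b/lib/cryptcheck/tls/fixture.rb
@@ -0,0 +1,77 @@
+class ::OpenSSL::PKey::EC
+	def type
+		:ecc
+	end
+
+	def size
+		self.group.degree
+	end
+
+	def rsa_equivalent_size
+		case self.size
+			when 160 then 1024
+			when 224 then 2048
+			when 256 then 3072
+			when 384 then 7680
+			when 521 then 15360
+		end
+	end
+
+	def to_s
+		"ECC #{self.size} bits"
+	end
+end
+
+class ::OpenSSL::PKey::RSA
+	def type
+		:rsa
+	end
+
+	def size
+		self.n.num_bits
+	end
+
+	def rsa_equivalent_size
+		self.size
+	end
+
+	def to_s
+		"RSA #{self.size} bits"
+	end
+end
+
+class ::OpenSSL::PKey::DSA
+	def type
+		:dsa
+	end
+
+	def size
+		self.p.num_bits
+	end
+
+	def rsa_equivalent_size
+		self.size
+	end
+
+	def to_s
+		"DSA #{self.size} bits"
+	end
+end
+
+class ::OpenSSL::PKey::DH
+	def type
+		:dh
+	end
+
+	def size
+		self.p.num_bits
+	end
+
+	def rsa_equivalent_size
+		self.size
+	end
+
+	def to_s
+		"DH #{self.size} bits"
+	end
+end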
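Review bot: Reopening `::OpenSSL::PKey::EC` and the other PKey classes only works if `openssl` is already loaded; this file does not require it, and lib/cryptcheck.rb requires the fixture right after `colorize`, so load order decides whether the first line raises NameError. A `require 'openssl'` at the top of the file removes that dependency on load order. `EC#rsa_equivalent_size` returns nil for any curve degree outside its five-entry table, and that nil reaches `Grade#calculate_key_exchange_score`, where no `when` matches and the score silently becomes nil; an `else` branch — a conservative mapping or an explicit `else raise ArgumentError, "unsupported EC key size #{self.size}"` — would surface that instead of a nil that fails later. Overriding `to_s` on core OpenSSL classes also changes output for every other user of these objects in the process; a module with `refine`, or a helper on `Tls`, would keep the behaviour local to this library.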

+ 13
- 17
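--- a/lib/cryptcheck/tls/grade.rb
+++ b/lib/cryptcheck/tls/grade.rb
@@ -107,18 +107,20 @@ module CryptCheck
 				@success << :pfs if @server.pfs_only?
 			end
 
-			ALL_ERROR   = %i(md5_sig md5 anonymous dss null export des rc4)
-			ALL_WARNING = %i(sha1_sig des3)
-			ALL_SUCCESS = %i(pfs)
+			ALL_ERROR = %i(md5_sig md5 anonymous dss null export des rc4)
 
 			def all_error
 				ALL_ERROR
 			end
 
+			ALL_WARNING = %i(sha1_sig des3)
+
 			def all_warning
 				ALL_WARNING
 			end
 
+			ALL_SUCCESS = %i(pfs)
+
 			def all_success
 				ALL_SUCCESS
 			end
@@ -127,28 +129,22 @@ module CryptCheck
 				@grade = 'A+' if @grade == 'A' and @error.empty? and @warning.empty? and (ALL_SUCCESS & @success) == ALL_SUCCESS
 			end
 
-			METHODS_SCORES = { SSLv2: 0, SSLv3: 80, TLSv1: 90, TLSv1_1: 95, TLSv1_2: 100 }
+			METHODS_SCORES = { SSLv2: 0, SSLv3: 10, TLSv1: 50, TLSv1_1: 75, TLSv1_2: 100 }
 
 			def calculate_protocol_score
 				methods         = @server.supported_methods
-				worst, best     = methods[:worst], methods[:best]
+				worst, best     = methods.last, methods.first
 				@protocol_score = (METHODS_SCORES[worst] + METHODS_SCORES[best]) / 2
 			end
 
 			def calculate_key_exchange_score
 				@key_exchange_score = case @server.key_size
-										  when 0 then
-											  0
-										  when 0...512 then
-											  20
-										  when 512...1024 then
-											  40
-										  when 1024...2048 then
-											  80
-										  when 2048...4096 then
-											  90
-										  else
-											  100
+										  when 0 then 0
+										  when 0...512 then 20
+										  when 512...1024 then 40
+										  when 1024...2048 then 80
+										  when 2048...4096 then 90
+										  when 4096...::Float::INFINITY then 100
 									  end
 			end
 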
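Review bot: `worst, best = methods.last, methods.first` reverses the convention the old code used: `supported_methods` previously took `worst` from the first match in `EXISTING_METHODS` and `best` from the last, whereas the new `select` keeps that array's order and this line now reads worst from the end. Which version is right depends on whether `EXISTING_METHODS` is ordered weakest-first or strongest-first, and that constant is not touched in this commit, so one of the two computes the protocol score backwards; the assumption should be written down, e.g. `# assumes EXISTING_METHODS is ordered strongest first — verify against Server`. The same hunk replaces the `else 100` arm of `calculate_key_exchange_score` with `when 4096...::Float::INFINITY`, so a nil `key_size` (an EC curve missing from the fixture table) now produces a nil `@key_exchange_score` rather than 100; if that is intended, a loud guard such as `raise "unknown key size" if @server.key_size.nil?` beats a nil that fails later in arithmetic.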

+ 12
- 44
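--- a/lib/cryptcheck/tls/server.rb
+++ b/lib/cryptcheck/tls/server.rb
@@ -35,50 +35,18 @@ module CryptCheck
 			attr_reader :hostname, :port, :prefered_ciphers, :cert, :cert_valid, :cert_trusted
 
 			def initialize(hostname, port)
-				@hostname = hostname
-				@port     = port
+				@hostname, @port = hostname, port
+				@dh = []
 				Logger.info { "#{hostname}:#{port}".colorize :blue }
 				extract_cert
-				#@prefered_ciphers = @supported_ciphers = Hash[SUPPORTED_METHODS.collect { |m| [m, []]}]
+				Logger.info { '' }
+				Logger.info { "Key : #{Tls.key_to_s @cert.public_key}" }
 				fetch_prefered_ciphers
 				check_supported_cipher
 			end
 
 			def supported_methods
-				worst = EXISTING_METHODS.find { |method| !@prefered_ciphers[method].nil? }
-				best  = EXISTING_METHODS.reverse.find { |method| !@prefered_ciphers[method].nil? }
-				{ worst: worst, best: best }
-			end
-
-			def key
-				key = @cert.public_key
-				case key
-					when ::OpenSSL::PKey::RSA then
-						[:rsa, key.n.num_bits]
-					when ::OpenSSL::PKey::DSA then
-						[:dsa, key.p.num_bits]
-					when ::OpenSSL::PKey::EC then
-						[:ecc, key.group.degree]
-				end
-			end
-
-			def key_size
-				type, size = self.key
-				if type == :ecc
-					size = case size
-							   when 160 then
-								   1024
-							   when 224 then
-								   2048
-							   when 256 then
-								   3072
-							   when 384 then
-								   7680
-							   when 521 then
-								   15360
-						   end
-				end
-				size
+				EXISTING_METHODS.select { |m| !@prefered_ciphers[m].nil? }
 			end
 
 			def cipher_size
@@ -115,6 +83,10 @@ module CryptCheck
 				RUBY_EVAL
 			end
 
+			def key_size
+				@cert.public_key.rsa_equivalent_size
+			end
+
 			def ssl?
 				sslv2? or sslv3?
 			end
@@ -139,10 +111,6 @@ module CryptCheck
 				@supported_ciphers.values.flatten(1).uniq
 			end
 
-			def supported_ciphers_by_method
-				@supported_ciphers
-			end
-
 			private
 			def connect(family, host, port, &block)
 				socket   = ::Socket.new family, sock_type
@@ -262,7 +230,6 @@ module CryptCheck
 			end
 
 			def fetch_prefered_ciphers
-				Logger.info { '' }
 				@prefered_ciphers = {}
 				EXISTING_METHODS.each do |method|
 					next unless SUPPORTED_METHODS.include? method
@@ -278,8 +245,9 @@ module CryptCheck
 			end
 
 			def supported_cipher?(method, cipher)
-				ssl_client method, [cipher]
-				Logger.info { "#{Tls.colorize method} / #{Tls.colorize cipher[0]} : Supported" }
+				dh = ssl_client method, [cipher] { |s| s.tmp_key }
+				dh = dh ? " (#{'DH'.colorize :green} : #{Tls.key_to_s dh})" : ''
+				Logger.info { "#{Tls.colorize method} / #{Tls.colorize cipher[0]} : Supported#{dh}" }
 				true
 			rescue TLSException => e
 				Logger.debug { "#{Tls.colorize method} / #{Tls.colorize cipher[0]} : Not supported (#{e})" }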
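Review bot: In `supported_cipher?` the brace block on `dh = ssl_client method, [cipher] { |s| s.tmp_key }` binds to `ssl_client` across an unparenthesised multi-argument call, which parses but is easy to misread as a block on the array literal; `dh = ssl_client(method, [cipher]) { |s| s.tmp_key }` says the same thing unambiguously, and the line also relies on `ssl_client` returning the block's value, which is not visible here. `tmp_key` reports the server's ephemeral key for ECDHE handshakes as well as DHE, so the fixed `'DH'` label will prefix an ECC key for ECDHE suites; the method continues past the end of the hunk. `@dh = []` added in `initialize` is never written in the visible hunks, so the ephemeral key sizes now displayed are not retained for grading: a weak DH group is highlighted by `key_to_s` but `calculate_key_exchange_score` still looks only at the certificate key. If that is deliberate for this commit, `@dh = [] # TODO: record tmp keys so weak DH groups affect the grade` would record the intent.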
