aeris
/
cryptcheck
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

Display DH parameter size

master
Nicolas Vinot 3 years ago
parent
1994fdc87f
commit
7753d023a2
7 changed files with 126 additions and 65 deletions
Split View Show Diff Stats
  1. 2
    2
      bin/check_https.rb
  2. 2
    2
      bin/check_smtp.rb
  3. 1
    0
      lib/cryptcheck.rb
  4. 19
    0
      lib/cryptcheck/tls.rb
  5. 77
    0
      lib/cryptcheck/tls/fixture.rb
  6. 13
    17
      lib/cryptcheck/tls/grade.rb
  7. 12
    44
      lib/cryptcheck/tls/server.rb

+ 2
- 2
bin/check_https.rb View File 

@@ -11,8 +11,8 @@ if ::File.exist? file
11 11 
 	::CryptCheck::Logger.level = :none
12 12 
 	::CryptCheck::Tls::Https.analyze_from_file "output/#{name}.yml", "output/#{name}.html"
13 13 
 else
14 
-	::CryptCheck::Logger.level = :info
15 
-	server = ::CryptCheck::Tls::Https::Server.new(ARGV[0], ARGV[1] || 443)
14 
+	::CryptCheck::Logger.level = (ARGV[1] || :info).to_sym
15 
+	server = ::CryptCheck::Tls::Https::Server.new ARGV[0]
16 16 
 	grade = ::CryptCheck::Tls::Https::Grade.new server
17 17 
 	::CryptCheck::Logger.info { '' }
18 18 
 	grade.display

+ 2
- 2
bin/check_smtp.rb View File 

@@ -7,8 +7,8 @@ require 'cryptcheck'
7 7
8 8 
 name = ARGV[0]
9 9 
 if name
10 
-	::CryptCheck::Logger.level = :info
11 
-	server = ::CryptCheck::Tls::Smtp::Server.new(ARGV[0], ARGV[1] || 25)
10 
+	::CryptCheck::Logger.level = (ARGV[1] || :info).to_sym
11 
+	server = ::CryptCheck::Tls::Smtp::Server.new ARGV[0]
12 12 
 	grade = ::CryptCheck::Tls::Smtp::Grade.new server
13 13 
 	::CryptCheck::Logger.info { '' }
14 14 
 	grade.display

+ 1
- 0
lib/cryptcheck.rb View File 

@@ -1,4 +1,5 @@
1 1 
 require 'colorize'
2 
+require 'cryptcheck/tls/fixture'
2 3
3 4 
 module CryptCheck
4 5 
 	autoload :Logger, 'cryptcheck/logger'

+ 19
- 0
lib/cryptcheck/tls.rb View File 

@@ -107,6 +107,25 @@ module CryptCheck
107 107 
 			cipher.to_s.colorize colors
108 108 
 		end
109 109
110 
+		def self.key_to_s(key)
111 
+			size       = key.rsa_equivalent_size
112 
+			type_color = case key.type
113 
+							 when :ecc
114 
+								 { color: :green }
115 
+							 when :dsa
116 
+								 { color: :yellow }
117 
+						 end
118 
+			size_color = case size
119 
+							 when 0...1024
120 
+								 { color: :white, background: :red }
121 
+							 when 1024...2048
122 
+								 { color: :yellow }
123 
+							 when 4096...::Float::INFINITY
124 
+								 { color: :green }
125 
+						 end
126 
+			"#{key.type.to_s.upcase.colorize type_color} #{key.size.to_s.colorize size_color} bits"
127 
+		end
128 
+
110 129 
 		private
111 130 
 		SCORES = %w(A+ A A- B C D E F T M X)
112 131

+ 77
- 0
lib/cryptcheck/tls/fixture.rb View File 

@@ -0,0 +1,77 @@
1 
+class ::OpenSSL::PKey::EC
2 
+	def type
3 
+		:ecc
4 
+	end
5 
+
6 
+	def size
7 
+		self.group.degree
8 
+	end
9 
+
10 
+	def rsa_equivalent_size
11 
+		case self.size
12 
+			when 160 then 1024
13 
+			when 224 then 2048
14 
+			when 256 then 3072
15 
+			when 384 then 7680
16 
+			when 521 then 15360
17 
+		end
18 
+	end
19 
+
20 
+	def to_s
21 
+		"ECC #{self.size} bits"
22 
+	end
23 
+end
24 
+
25 
+class ::OpenSSL::PKey::RSA
26 
+	def type
27 
+		:rsa
28 
+	end
29 
+
30 
+	def size
31 
+		self.n.num_bits
32 
+	end
33 
+
34 
+	def rsa_equivalent_size
35 
+		self.size
36 
+	end
37 
+
38 
+	def to_s
39 
+		"RSA #{self.size} bits"
40 
+	end
41 
+end
42 
+
43 
+class ::OpenSSL::PKey::DSA
44 
+	def type
45 
+		:dsa
46 
+	end
47 
+
48 
+	def size
49 
+		self.p.num_bits
50 
+	end
51 
+
52 
+	def rsa_equivalent_size
53 
+		self.size
54 
+	end
55 
+
56 
+	def to_s
57 
+		"DSA #{self.size} bits"
58 
+	end
59 
+end
60 
+
61 
+class ::OpenSSL::PKey::DH
62 
+	def type
63 
+		:dh
64 
+	end
65 
+
66 
+	def size
67 
+		self.p.num_bits
68 
+	end
69 
+
70 
+	def rsa_equivalent_size
71 
+		self.size
72 
+	end
73 
+
74 
+	def to_s
75 
+		"DH #{self.size} bits"
76 
+	end
77 
+end

+ 13
- 17
lib/cryptcheck/tls/grade.rb View File 

@@ -107,18 +107,20 @@ module CryptCheck
107 107 
 				@success << :pfs if @server.pfs_only?
108 108 
 			end
109 109
110 
-			ALL_ERROR   = %i(md5_sig md5 anonymous dss null export des rc4)
111 
-			ALL_WARNING = %i(sha1_sig des3)
112 
-			ALL_SUCCESS = %i(pfs)
110 
+			ALL_ERROR = %i(md5_sig md5 anonymous dss null export des rc4)
113 111
114 112 
 			def all_error
115 113 
 				ALL_ERROR
116 114 
 			end
117 115
116 
+			ALL_WARNING = %i(sha1_sig des3)
117 
+
118 118 
 			def all_warning
119 119 
 				ALL_WARNING
120 120 
 			end
121 121
122 
+			ALL_SUCCESS = %i(pfs)
123 
+
122 124 
 			def all_success
123 125 
 				ALL_SUCCESS
124 126 
 			end
 
@@ -127,28 +129,22 @@ module CryptCheck
127 129 
 				@grade = 'A+' if @grade == 'A' and @error.empty? and @warning.empty? and (ALL_SUCCESS & @success) == ALL_SUCCESS
128 130 
 			end
129 131
130 
-			METHODS_SCORES = { SSLv2: 0, SSLv3: 80, TLSv1: 90, TLSv1_1: 95, TLSv1_2: 100 }
132 
+			METHODS_SCORES = { SSLv2: 0, SSLv3: 10, TLSv1: 50, TLSv1_1: 75, TLSv1_2: 100 }
131 133
132 134 
 			def calculate_protocol_score
133 135 
 				methods         = @server.supported_methods
134 
-				worst, best     = methods[:worst], methods[:best]
136 
+				worst, best     = methods.last, methods.first
135 137 
 				@protocol_score = (METHODS_SCORES[worst] + METHODS_SCORES[best]) / 2
136 138 
 			end
137 139
138 140 
 			def calculate_key_exchange_score
139 141 
 				@key_exchange_score = case @server.key_size
140 
-										  when 0 then
141 
-											  0
142 
-										  when 0...512 then
143 
-											  20
144 
-										  when 512...1024 then
145 
-											  40
146 
-										  when 1024...2048 then
147 
-											  80
148 
-										  when 2048...4096 then
149 
-											  90
150 
-										  else
151 
-											  100
142 
+										  when 0 then 0
143 
+										  when 0...512 then 20
144 
+										  when 512...1024 then 40
145 
+										  when 1024...2048 then 80
146 
+										  when 2048...4096 then 90
147 
+										  when 4096...::Float::INFINITY then 100
152 148 
 									  end
153 149 
 			end
154 150

+ 12
- 44
lib/cryptcheck/tls/server.rb View File 

@@ -35,50 +35,18 @@ module CryptCheck
35 35 
 			attr_reader :hostname, :port, :prefered_ciphers, :cert, :cert_valid, :cert_trusted
36 36
37 37 
 			def initialize(hostname, port)
38 
-				@hostname = hostname
39 
-				@port     = port
38 
+				@hostname, @port = hostname, port
39 
+				@dh = []
40 40 
 				Logger.info { "#{hostname}:#{port}".colorize :blue }
41 41 
 				extract_cert
42 
-				#@prefered_ciphers = @supported_ciphers = Hash[SUPPORTED_METHODS.collect { |m| [m, []]}]
42 
+				Logger.info { '' }
43 
+				Logger.info { "Key : #{Tls.key_to_s @cert.public_key}" }
43 44 
 				fetch_prefered_ciphers
44 45 
 				check_supported_cipher
45 46 
 			end
46 47
47 48 
 			def supported_methods
48 
-				worst = EXISTING_METHODS.find { |method| !@prefered_ciphers[method].nil? }
49 
-				best  = EXISTING_METHODS.reverse.find { |method| !@prefered_ciphers[method].nil? }
50 
-				{ worst: worst, best: best }
51 
-			end
52 
-
53 
-			def key
54 
-				key = @cert.public_key
55 
-				case key
56 
-					when ::OpenSSL::PKey::RSA then
57 
-						[:rsa, key.n.num_bits]
58 
-					when ::OpenSSL::PKey::DSA then
59 
-						[:dsa, key.p.num_bits]
60 
-					when ::OpenSSL::PKey::EC then
61 
-						[:ecc, key.group.degree]
62 
-				end
63 
-			end
64 
-
65 
-			def key_size
66 
-				type, size = self.key
67 
-				if type == :ecc
68 
-					size = case size
69 
-							   when 160 then
70 
-								   1024
71 
-							   when 224 then
72 
-								   2048
73 
-							   when 256 then
74 
-								   3072
75 
-							   when 384 then
76 
-								   7680
77 
-							   when 521 then
78 
-								   15360
79 
-						   end
80 
-				end
81 
-				size
49 
+				EXISTING_METHODS.select { |m| !@prefered_ciphers[m].nil? }
82 50 
 			end
83 51
84 52 
 			def cipher_size
 
@@ -115,6 +83,10 @@ module CryptCheck
115 83 
 				RUBY_EVAL
116 84 
 			end
117 85
86 
+			def key_size
87 
+				@cert.public_key.rsa_equivalent_size
88 
+			end
89 
+
118 90 
 			def ssl?
119 91 
 				sslv2? or sslv3?
120 92 
 			end
 
@@ -139,10 +111,6 @@ module CryptCheck
139 111 
 				@supported_ciphers.values.flatten(1).uniq
140 112 
 			end
141 113
142 
-			def supported_ciphers_by_method
143 
-				@supported_ciphers
144 
-			end
145 
-
146 114 
 			private
147 115 
 			def connect(family, host, port, &block)
148 116 
 				socket   = ::Socket.new family, sock_type
 
@@ -262,7 +230,6 @@ module CryptCheck
262 230 
 			end
263 231
264 232 
 			def fetch_prefered_ciphers
265 
-				Logger.info { '' }
266 233 
 				@prefered_ciphers = {}
267 234 
 				EXISTING_METHODS.each do |method|
268 235 
 					next unless SUPPORTED_METHODS.include? method
 
@@ -278,8 +245,9 @@ module CryptCheck
278 245 
 			end
279 246
280 247 
 			def supported_cipher?(method, cipher)
281 
-				ssl_client method, [cipher]
282 
-				Logger.info { "#{Tls.colorize method} / #{Tls.colorize cipher[0]} : Supported" }
248 
+				dh = ssl_client method, [cipher] { |s| s.tmp_key }
249 
+				dh = dh ? " (#{'DH'.colorize :green} : #{Tls.key_to_s dh})" : ''
250 
+				Logger.info { "#{Tls.colorize method} / #{Tls.colorize cipher[0]} : Supported#{dh}" }
283 251 
 				true
284 252 
 			rescue TLSException => e
285 253 
 				Logger.debug { "#{Tls.colorize method} / #{Tls.colorize cipher[0]} : Not supported (#{e})" }

Write Preview
Loading…
Cancel
Save