mirror of
https://github.com/jtesta/ssh-audit.git
synced 2024-12-22 14:05:22 +01:00
RSA key size comments duplicated for all RSA sig algs (#182)
* RSA key size comments duplicated for all RSA sig algs * Save results on completion of testing a hostkey * Revised list names because they operates against all keys now not just rsa. * ensure all required fields added for non-rsa keys * Correction to the saving of comments against non-rsa keys
This commit is contained in:
parent
c33e7d9b72
commit
e172932977
@ -102,6 +102,9 @@ class HostKeyTest:
|
|||||||
|
|
||||||
# For each host key type...
|
# For each host key type...
|
||||||
for host_key_type in host_key_types:
|
for host_key_type in host_key_types:
|
||||||
|
key_fail_comments = []
|
||||||
|
key_warn_comments = []
|
||||||
|
|
||||||
# Skip those already handled (i.e.: those in the RSA family, as testing one tests them all).
|
# Skip those already handled (i.e.: those in the RSA family, as testing one tests them all).
|
||||||
if 'parsed' in host_key_types[host_key_type] and host_key_types[host_key_type]['parsed']:
|
if 'parsed' in host_key_types[host_key_type] and host_key_types[host_key_type]['parsed']:
|
||||||
continue
|
continue
|
||||||
@ -184,42 +187,46 @@ class HostKeyTest:
|
|||||||
|
|
||||||
# Keys smaller than 2048 result in a failure. Keys smaller 3072 result in a warning. Update the database accordingly.
|
# Keys smaller than 2048 result in a failure. Keys smaller 3072 result in a warning. Update the database accordingly.
|
||||||
if (cert is False) and (hostkey_modulus_size < hostkey_min_good):
|
if (cert is False) and (hostkey_modulus_size < hostkey_min_good):
|
||||||
alg_list = SSH2_KexDB.ALGORITHMS['key'][host_key_type]
|
|
||||||
|
|
||||||
# Ensure that failure & warning lists exist.
|
|
||||||
while len(alg_list) < 3:
|
|
||||||
alg_list.append([])
|
|
||||||
|
|
||||||
# If the key is under 2048, add to the failure list.
|
# If the key is under 2048, add to the failure list.
|
||||||
if hostkey_modulus_size < hostkey_min_warn:
|
if hostkey_modulus_size < hostkey_min_warn:
|
||||||
alg_list[1].append('using small %d-bit modulus' % hostkey_modulus_size)
|
key_fail_comments.append('using small %d-bit modulus' % hostkey_modulus_size)
|
||||||
elif hostkey_warn_str not in alg_list[2]: # Issue a warning about 2048-bit moduli.
|
elif hostkey_warn_str not in key_warn_comments: # Issue a warning about 2048-bit moduli.
|
||||||
alg_list[2].append(hostkey_warn_str)
|
key_warn_comments.append(hostkey_warn_str)
|
||||||
|
|
||||||
elif (cert is True) and ((hostkey_modulus_size < hostkey_min_good) or (0 < ca_modulus_size < cakey_min_good)):
|
elif (cert is True) and ((hostkey_modulus_size < hostkey_min_good) or (0 < ca_modulus_size < cakey_min_good)):
|
||||||
alg_list = SSH2_KexDB.ALGORITHMS['key'][host_key_type]
|
|
||||||
|
|
||||||
# Ensure that failure & warning lists exist.
|
|
||||||
while len(alg_list) < 3:
|
|
||||||
alg_list.append([])
|
|
||||||
|
|
||||||
# If the host key is smaller than 2048-bit/224-bit, flag this as a failure.
|
# If the host key is smaller than 2048-bit/224-bit, flag this as a failure.
|
||||||
if hostkey_modulus_size < hostkey_min_warn:
|
if hostkey_modulus_size < hostkey_min_warn:
|
||||||
alg_list[1].append('using small %d-bit hostkey modulus' % hostkey_modulus_size)
|
key_fail_comments.append('using small %d-bit hostkey modulus' % hostkey_modulus_size)
|
||||||
# Otherwise, this is just a warning.
|
# Otherwise, this is just a warning.
|
||||||
elif (hostkey_modulus_size < hostkey_min_good) and (hostkey_warn_str not in alg_list[2]):
|
elif (hostkey_modulus_size < hostkey_min_good) and (hostkey_warn_str not in key_warn_comments):
|
||||||
alg_list[2].append(hostkey_warn_str)
|
key_warn_comments.append(hostkey_warn_str)
|
||||||
|
|
||||||
# If the CA key is smaller than 2048-bit/224-bit, flag this as a failure.
|
# If the CA key is smaller than 2048-bit/224-bit, flag this as a failure.
|
||||||
if 0 < ca_modulus_size < cakey_min_warn:
|
if 0 < ca_modulus_size < cakey_min_warn:
|
||||||
alg_list[1].append('using small %d-bit CA key modulus' % ca_modulus_size)
|
key_fail_comments.append('using small %d-bit CA key modulus' % ca_modulus_size)
|
||||||
# Otherwise, this is just a warning.
|
# Otherwise, this is just a warning.
|
||||||
elif (0 < ca_modulus_size < cakey_min_good) and (cakey_warn_str not in alg_list[2]):
|
elif (0 < ca_modulus_size < cakey_min_good) and (cakey_warn_str not in key_warn_comments):
|
||||||
alg_list[2].append(cakey_warn_str)
|
key_warn_comments.append(cakey_warn_str)
|
||||||
|
|
||||||
# If this host key type is in the RSA family, then mark them all as parsed (since results in one are valid for them all).
|
# If this host key type is in the RSA family, then mark them all as parsed (since results in one are valid for them all).
|
||||||
if host_key_type in HostKeyTest.RSA_FAMILY:
|
if host_key_type in HostKeyTest.RSA_FAMILY:
|
||||||
for rsa_type in HostKeyTest.RSA_FAMILY:
|
for rsa_type in HostKeyTest.RSA_FAMILY:
|
||||||
host_key_types[rsa_type]['parsed'] = True
|
host_key_types[rsa_type]['parsed'] = True
|
||||||
|
# If the current key is a member of the RSA family, then populate all RSA family members with the same
|
||||||
|
# failure and/or warning comments.
|
||||||
|
while len(SSH2_KexDB.ALGORITHMS['key'][rsa_type]) < 3:
|
||||||
|
SSH2_KexDB.ALGORITHMS['key'][rsa_type].append([])
|
||||||
|
if key_fail_comments:
|
||||||
|
SSH2_KexDB.ALGORITHMS['key'][rsa_type][1].extend(key_fail_comments)
|
||||||
|
if key_warn_comments:
|
||||||
|
SSH2_KexDB.ALGORITHMS['key'][rsa_type][2].extend(key_warn_comments)
|
||||||
|
|
||||||
else:
|
else:
|
||||||
host_key_types[host_key_type]['parsed'] = True
|
host_key_types[host_key_type]['parsed'] = True
|
||||||
|
while len(SSH2_KexDB.ALGORITHMS['key'][host_key_type]) < 3:
|
||||||
|
SSH2_KexDB.ALGORITHMS['key'][host_key_type].append([])
|
||||||
|
if key_fail_comments:
|
||||||
|
SSH2_KexDB.ALGORITHMS['key'][host_key_type][1].extend(key_fail_comments)
|
||||||
|
if key_warn_comments:
|
||||||
|
SSH2_KexDB.ALGORITHMS['key'][host_key_type][2].extend(key_warn_comments)
|
||||||
|
Loading…
Reference in New Issue
Block a user