Give a more accurate effective key size for 3DES
diff --git
a/tls-check
b/tls-check
index 5e8e19e5e18de4bf467cc0e586aa89d57c9d2e63..5de58e4f03c8925b110f5014dca8c48bcb81b9c5 100755
(executable)
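--- a/tls-check
+++ b/tls-check
@@ -124,10 +124,14 @@ class CipherPropsProvider:
 assert '\n' not in cipherInfo
 cipherInfoFields = cipherInfo.split()
 # get # of bits
-bitMatch = re.match(r'^Enc=[0-9A-Za-z]+\(([0-9]+)\)$', cipherInfoFields[4])
-if bitMatch is None:
+encMatch = re.match(r'^Enc=([0-9A-Za-z]+)\(([0-9]+)\)$', cipherInfoFields[4])
+if encMatch is None:
 raise Exception("Unexpected OpenSSL output: Cannot determine encryption strength from {1}\nComplete output: {0}".format(cipherInfo, cipherInfoFields[4]))
-bits = int(bitMatch.group(1))
+encCipher = encMatch.group(1)
+bits = int(encMatch.group(2))
+if encCipher == '3DES':
+# OpenSSL gives the key size, which however for 3DES is a totally bad estimate
+bits = int(bits*2/3)
 # figure out whether the cipher is pfs
 kxMatch = re.match(r'^Kx=([0-9A-Z/()]+)$', cipherInfoFields[2])
 if kxMatch is None:
@@ -198,6 +202,6 @@ if __name__ == "__main__":
 if supported:
 cipherProps = propsProvider.getProps(cipher)
 fsText = ConsoleFormat.color("FS", ConsoleFormat.GREEN) if cipherProps.isPfs else ConsoleFormat.color("no FS", ConsoleFormat.RED)
-bitColor = ConsoleFormat.GREEN if cipherProps.bits > 128 else (ConsoleFormat.YELLOW if cipherProps.bits >= 100 else ConsoleFormat.RED)
+bitColor = ConsoleFormat.GREEN if cipherProps.bits >= 128 else (ConsoleFormat.YELLOW if cipherProps.bits >= 100 else ConsoleFormat.RED)
 print(" {0} ({1}, {2}, {3})".format(cipher.ljust(STATE_WIDTH), cipherProps.strength.colorName(), ConsoleFormat.color(str(cipherProps.bits)+" bits", bitColor), fsText))
 print()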
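Review bot: The 3DES adjustment in the first hunk goes through a float, `bits = int(bits*2/3)`, where integer arithmetic `bits = bits * 2 // 3` yields the same 112 for a reported 168 without depending on float rounding. Its comment should state the reason rather than "totally bad estimate", for example `# OpenSSL reports the 168-bit key length; meet-in-the-middle limits 3DES to about 112 bits of effective strength`. With the second hunk's `>= 128` threshold, 3DES now lands in the yellow band on key size alone, and the bit count does not reflect its 64-bit block size (the Sweet32 class of birthday-bound weaknesses). If `cipherProps.strength`, which is computed outside this diff, does not already rate 3DES as weak, it probably should. Both hunks sit inside bodies that continue outside the visible lines.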