Separate pr_cipher_quality() into two functions

This commit separates pr_cipher_quality() into two functions, one that returns the quality of a cipher as a numeric rating (get_cipher_quality()) and one that prints a cipher based on its quality (pr_cipher_quality()). This separation allows get_cipher_quality() to be used to determine how good a cipher is without having to print anything. Having this ability would be helpful in implementing the changes suggested in #1311.
This commit is contained in:
David Cooper 2020-07-06 15:45:36 -04:00
parent 9122ffec1d
commit 919064095f
1 changed files with 30 additions and 24 deletions

View File

@ -6108,8 +6108,7 @@ pr_ecdh_curve_quality() {
pr_ecdh_quality "$bits" "$curve" pr_ecdh_quality "$bits" "$curve"
} }
# Print $2 based on the quality of the cipher in $1. If $2 is empty, just print $1. # Return a value that is an indicator of the quality of the cipher in $1:
# The return value is an indicator of the quality of the cipher in $1:
# 0 = $1 is empty # 0 = $1 is empty
# 1 = pr_svrty_critical, 2 = pr_svrty_high, 3 = pr_svrty_medium, 4 = pr_svrty_low # 1 = pr_svrty_critical, 2 = pr_svrty_high, 3 = pr_svrty_medium, 4 = pr_svrty_low
# 5 = neither good nor bad, 6 = pr_svrty_good, 7 = pr_svrty_best # 5 = neither good nor bad, 6 = pr_svrty_good, 7 = pr_svrty_best
@ -6119,13 +6118,11 @@ pr_ecdh_curve_quality() {
# Hint: find out by "grep <pattern> etc/cipher-mapping.txt" but it' might be be easier # Hint: find out by "grep <pattern> etc/cipher-mapping.txt" but it' might be be easier
# to look out Enc= and Au= or Mac= # to look out Enc= and Au= or Mac=
# #
pr_cipher_quality() { get_cipher_quality() {
local cipher="$1" local cipher="$1"
local text="$2"
local ossl_cipher local ossl_cipher
[[ -z "$1" ]] && return 0 [[ -z "$1" ]] && return 0
[[ -z "$text" ]] && text="$cipher"
if [[ "$cipher" != TLS_* ]] && [[ "$cipher" != SSL_* ]]; then if [[ "$cipher" != TLS_* ]] && [[ "$cipher" != SSL_* ]]; then
# This must be the OpenSSL name for a cipher or for TLS 1.3 ($TLS13_OSSL_CIPHERS) # This must be the OpenSSL name for a cipher or for TLS 1.3 ($TLS13_OSSL_CIPHERS)
@ -6135,46 +6132,36 @@ pr_cipher_quality() {
# the case, see "prepare_arrays()" and "./etc/cipher-mapping.txt" # the case, see "prepare_arrays()" and "./etc/cipher-mapping.txt"
case "$cipher" in case "$cipher" in
*NULL*|EXP*|ADH*|AECDH*|*anon*) *NULL*|EXP*|ADH*|AECDH*|*anon*)
pr_svrty_critical "$text"
return 1 return 1
;; ;;
*RC4*|*RC2*|*MD5|*M1) *RC4*|*RC2*|*MD5|*M1)
pr_svrty_high "$text"
return 2 return 2
;; ;;
AES256-GCM-SHA384|AES128-GCM-SHA256|AES256-CCM*|AES128-CCM*|ARIA256-GCM-SHA384|ARIA128-GCM-SHA256) AES256-GCM-SHA384|AES128-GCM-SHA256|AES256-CCM*|AES128-CCM*|ARIA256-GCM-SHA384|ARIA128-GCM-SHA256)
# RSA kx and e.g. GCM isn't certainly the best # RSA kx and e.g. GCM isn't certainly the best
pr_svrty_good "$text"
return 6 return 6
;; ;;
*CBC3*|*3DES*|*IDEA*) *CBC3*|*3DES*|*IDEA*)
pr_svrty_medium "$text"
return 3 return 3
;; ;;
*DES*) *DES*)
pr_svrty_high "$text"
return 2 return 2
;; ;;
PSK-*GCM*|PSK-*CCM*|RSA-PSK-*GCM*|RSA-PSK-CHACHA20-POLY1305|PSK-CHACHA20-POLY1305) PSK-*GCM*|PSK-*CCM*|RSA-PSK-*GCM*|RSA-PSK-CHACHA20-POLY1305|PSK-CHACHA20-POLY1305)
# PSK kx and e.g. GCM isn't certainly the best # PSK kx and e.g. GCM isn't certainly the best
pr_svrty_good "$text"
return 6 return 6
;; ;;
DH-*GCM*|ECDH-*GCM*) DH-*GCM*|ECDH-*GCM*)
# static DH or ECDH kx and GCM isn't certainly the best # static DH or ECDH kx and GCM isn't certainly the best
pr_svrty_good "$text"
return 6 return 6
;; ;;
*GCM*|*CCM*|*CHACHA20*) *GCM*|*CCM*|*CHACHA20*)
pr_svrty_best "$text"
return 7 return 7
;; #best ones ;; #best ones
*AES*SHA*|*CAMELLIA*SHA*|*SEED*SHA*|*CBC*|*GOST*) *AES*SHA*|*CAMELLIA*SHA*|*SEED*SHA*|*CBC*|*GOST*)
pr_svrty_low "$text"
return 4 return 4
;; ;;
*) *)
out "$text"
return 5 return 5
;; ;;
esac esac
@ -6187,45 +6174,64 @@ pr_cipher_quality() {
# Now we look at the RFC cipher names. The sequence matters - as above. # Now we look at the RFC cipher names. The sequence matters - as above.
case "$cipher" in case "$cipher" in
*NULL*|*EXP*|*_DES40_*|*anon*) *NULL*|*EXP*|*_DES40_*|*anon*)
pr_svrty_critical "$text"
return 1 return 1
;; ;;
*RC4*|*RC2*|*MD5|*MD5_1) *RC4*|*RC2*|*MD5|*MD5_1)
pr_svrty_high "$text"
return 2 return 2
;; ;;
*_DES_*) *_DES_*)
if [[ "$cipher" =~ EDE3 ]]; then if [[ "$cipher" =~ EDE3 ]]; then
pr_svrty_medium "$text" # 3DES
return 3 return 3
fi fi
pr_svrty_high "$text"
return 2 return 2
;; ;;
*CBC3*|*3DES*|*IDEA*) *CBC3*|*3DES*|*IDEA*)
pr_svrty_medium "$text"
return 3 return 3
;; ;;
*CBC*|*GOST*) *CBC*|*GOST*)
pr_svrty_low "$text"
return 4 return 4
;; ;;
TLS_RSA_*|TLS_DH_*|TLS_ECDH_*|TLS_PSK_WITH_*) TLS_RSA_*|TLS_DH_*|TLS_ECDH_*|TLS_PSK_WITH_*)
pr_svrty_good "$text"
# RSA, or static DH, ECDH, or PSK kx and e.g. GCM isn't certainly the best # RSA, or static DH, ECDH, or PSK kx and e.g. GCM isn't certainly the best
return 6 return 6
;; ;;
*GCM*|*CCM*|*CHACHA20*) *GCM*|*CCM*|*CHACHA20*)
pr_svrty_best "$text"
return 7 return 7
;; ;;
*) *)
out "$text"
return 5 return 5
;; ;;
esac esac
} }
# Print $2 based on the quality of the cipher in $1. If $2 is empty, just print $1.
# The return value is an indicator of the quality of the cipher in $1:
# 0 = $1 is empty
# 1 = pr_svrty_critical, 2 = pr_svrty_high, 3 = pr_svrty_medium, 4 = pr_svrty_low
# 5 = neither good nor bad, 6 = pr_svrty_good, 7 = pr_svrty_best
#
pr_cipher_quality() {
local cipher="$1"
local text="$2"
local -i quality
[[ -z "$1" ]] && return 0
[[ -z "$text" ]] && text="$cipher"
get_cipher_quality "$cipher"
quality=$?
case $quality in
1) pr_svrty_critical "$text" ;;
2) pr_svrty_high "$text" ;;
3) pr_svrty_medium "$text" ;;
4) pr_svrty_low "$text" ;;
5) out "$text" ;;
6) pr_svrty_good "$text" ;;
7) pr_svrty_best "$text" ;;
esac
return $quality
}
# arg1: file with input for grepping the type of ephemeral DH key (DH ECDH) # arg1: file with input for grepping the type of ephemeral DH key (DH ECDH)
read_dhtype_from_file() { read_dhtype_from_file() {
local temp kx local temp kx