Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-03 23:39:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Send DHE quality to fileout()

Browse Source 
In run_pfs(), when information about the finite field groups offered is printed, the color used is based on the length of the key. This information should also be conveyed to fileout() in the severity parameter.
This commit is contained in:
David Cooper 2018-10-04 13:19:28 -04:00
parent f3cfb53546
commit 93116f38e7
1 changed files with 25 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
testssl.sh
View File

@ -5419,20 +5419,28 @@ run_cipherlists() {
return $ret return $ret
} }
# The return value is an indicator of the quality of the DH key length in $1:
# 1 = pr_svrty_critical, 2 = pr_svrty_high, 3 = pr_svrty_medium, 4 = pr_svrty_low
# 5 = neither good nor bad, 6 = pr_svrty_good, 7 = pr_svrty_best
pr_dh_quality() { pr_dh_quality() {
local bits="$1" local bits="$1"
local string="$2" local string="$2"
if [[ "$bits" -le 600 ]]; then if [[ "$bits" -le 600 ]]; then
pr_svrty_critical "$string" pr_svrty_critical "$string"
return 1
elif [[ "$bits" -le 800 ]]; then elif [[ "$bits" -le 800 ]]; then
pr_svrty_high "$string" pr_svrty_high "$string"
return 2
elif [[ "$bits" -le 1280 ]]; then elif [[ "$bits" -le 1280 ]]; then
pr_svrty_medium "$string" pr_svrty_medium "$string"
return 3
elif [[ "$bits" -ge 2048 ]]; then elif [[ "$bits" -ge 2048 ]]; then
pr_svrty_good "$string" pr_svrty_good "$string"
return 6
else else
out "$string" out "$string"
return 5
fi fi
} }
@ -8435,8 +8443,8 @@ run_pfs() {
local -i nr_supported_ciphers=0 nr_curves=0 nr_ossl_curves=0 i j low high local -i nr_supported_ciphers=0 nr_curves=0 nr_ossl_curves=0 i j low high
local pfs_ciphers curves_offered="" curves_to_test temp local pfs_ciphers curves_offered="" curves_to_test temp
local len1 len2 curve_found local len1 len2 curve_found
local key_bitstring dh_p local key_bitstring dh_p quality_str
local -i lineno_matched len_dh_p local -i lineno_matched len_dh_p quality
local common_primes_file="$TESTSSL_INSTALL_DIR/etc/common-primes.txt" local common_primes_file="$TESTSSL_INSTALL_DIR/etc/common-primes.txt"
local has_dh_bits="$HAS_DH_BITS" local has_dh_bits="$HAS_DH_BITS"
local using_sockets=true local using_sockets=true
@ -8869,12 +8877,26 @@ run_pfs() {
fi fi
if [[ "$curves_offered" =~ ffdhe ]]; then if [[ "$curves_offered" =~ ffdhe ]]; then
pr_svrty_good "$curves_offered" pr_svrty_good "$curves_offered"
quality=6
else else
out "$curves_offered (" out "$curves_offered ("
pr_dh_quality "$len_dh_p" "$len_dh_p bits" pr_dh_quality "$len_dh_p" "$len_dh_p bits"
quality=$?
out ")" out ")"
fi fi
fileout "DHE_groups" "INFO" "$curves_offered" case "$quality" in
1) quality_str="CRITICAL" ;;
2) quality_str="HIGH" ;;
3) quality_str="MEDIUM" ;;
4) quality_str="LOW" ;;
5) quality_str="INFO" ;;
6|7) quality_str="OK" ;;
esac
if [[ "$curves_offered" == "unrecognized group" ]]; then
fileout "DHE_groups" "$quality_str" "$curves_offered ($len_dh_p bits)"
else
fileout "DHE_groups" "$quality_str" "$curves_offered"
fi
fi fi
fi fi
outln outln