Send ECDHE quality to fileout()

This PR is also based on #1139, but it addresses ECDH keys rather than DH keys. When run_pfs() prints the list of elliptic curves offered, it colors each curve according to its quality (based on key length). However, the severity level used when the list is sent to fileout() is always "INFO". This PR changes the call to fileout() to make the severity level be based on the quality of the shortest curve that the server offers.
2025-01-03 23:39:45 +01:00 · 2018-10-04 14:02:43 -04:00 · 2018-10-04 14:02:43 -04:00 · b5af8496fc
commit b5af8496fc
parent d6f1064b9c
1 changed files with 17 additions and 2 deletions
--- a/testssl.sh
+++ b/testssl.sh
@ -8419,6 +8419,7 @@ run_pfs() {
     local curves_hex=("00,01" "00,02" "00,03" "00,04" "00,05" "00,06" "00,07" "00,08" "00,09" "00,0a" "00,0b" "00,0c" "00,0d" "00,0e" "00,0f" "00,10" "00,11" "00,12" "00,13" "00,14" "00,15" "00,16" "00,17" "00,18" "00,19" "00,1a" "00,1b" "00,1c" "00,1d" "00,1e")
     local -a curves_ossl=("sect163k1" "sect163r1" "sect163r2" "sect193r1" "sect193r2" "sect233k1" "sect233r1" "sect239k1" "sect283k1" "sect283r1" "sect409k1" "sect409r1" "sect571k1" "sect571r1" "secp160k1" "secp160r1" "secp160r2" "secp192k1" "prime192v1" "secp224k1" "secp224r1" "secp256k1" "prime256v1" "secp384r1" "secp521r1" "brainpoolP256r1" "brainpoolP384r1" "brainpoolP512r1" "X25519" "X448")
     local -a curves_ossl_output=("K-163" "sect163r1" "B-163" "sect193r1" "sect193r2" "K-233" "B-233" "sect239k1" "K-283" "B-283" "K-409" "B-409" "K-571" "B-571" "secp160k1" "secp160r1" "secp160r2" "secp192k1" "P-192" "secp224k1" "P-224" "secp256k1" "P-256" "P-384" "P-521" "brainpoolP256r1" "brainpoolP384r1" "brainpoolP512r1" "X25519" "X448")
     local -ai curves_bits=(163 162 163 193 193 232 233 238 281 282 407 409 570 570 161 161 161 192 192 225 224 256 256 384 521 256 384 512 253 448)
     # Many curves have been deprecated, and RFC 8446, Appendix B.3.1.4, states
     # that these curves MUST NOT be offered in a TLS 1.3 ClientHello.
     local -a curves_deprecated=("true" "true" "true" "true" "true" "true" "true" "true" "true" "true" "true" "true" "true" "true" "true" "true" "true" "true" "true" "true" "true" "true" "false" "false" "false" "true" "true" "true" "false" "false")
@ -8753,15 +8754,29 @@ run_pfs() {
          done
     fi
     if "$ecdhe_offered"; then
          low=1000
          for (( i=0; i < nr_curves; i++ )); do
-               "${supported_curve[i]}" && curves_offered+="${curves_ossl[i]} "
+               if "${supported_curve[i]}"; then
                    curves_offered+="${curves_ossl[i]} "
                    [[ ${curves_bits[i]} -lt $low ]] && low=${curves_bits[i]}
               fi
          done
          if [[ -n "$curves_offered" ]]; then
               "$WIDE" && outln
               pr_bold " Elliptic curves offered:     "
               out_row_aligned_max_width_by_entry "$curves_offered" "                              " $TERM_WIDTH pr_ecdh_curve_quality
               outln
-               fileout "ECDHE_curves" "INFO" "$curves_offered"
+               # severity ratings based on quality specified by
               # pr_ecdh_quality() for shortest curve offered.
               if [[ "$low" -le 163 ]]; then
                    fileout "ECDHE_curves" "MEDIUM" "$curves_offered"
               elif [[ "$low" -le 193 ]]; then
                    fileout "ECDHE_curves" "LOW" "$curves_offered"
               elif [[ "$low" -le 224 ]]; then
                    fileout "ECDHE_curves" "INFO" "$curves_offered"
               else
                    fileout "ECDHE_curves" "OK" "$curves_offered"
               fi
          fi
     fi
     if "$using_sockets" && ( "$pfs_tls13_offered" || ( "$ffdhe_offered" && "$EXPERIMENTAL" ) ); then