Send ECDHE quality to fileout()

This PR is also based on #1139, but it addresses ECDH keys rather than DH keys. When run_pfs() prints the list of elliptic curves offered, it colors each curve according to its quality (based on key length). However, the severity level used when the list is sent to fileout() is always "INFO". This PR changes the call to fileout() to make the severity level be based on the quality of the shortest curve that the server offers.
This commit is contained in:
David Cooper 2018-10-04 14:02:43 -04:00 committed by GitHub
parent d6f1064b9c
commit b5af8496fc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -8419,6 +8419,7 @@ run_pfs() {
local curves_hex=("00,01" "00,02" "00,03" "00,04" "00,05" "00,06" "00,07" "00,08" "00,09" "00,0a" "00,0b" "00,0c" "00,0d" "00,0e" "00,0f" "00,10" "00,11" "00,12" "00,13" "00,14" "00,15" "00,16" "00,17" "00,18" "00,19" "00,1a" "00,1b" "00,1c" "00,1d" "00,1e")
local -a curves_ossl=("sect163k1" "sect163r1" "sect163r2" "sect193r1" "sect193r2" "sect233k1" "sect233r1" "sect239k1" "sect283k1" "sect283r1" "sect409k1" "sect409r1" "sect571k1" "sect571r1" "secp160k1" "secp160r1" "secp160r2" "secp192k1" "prime192v1" "secp224k1" "secp224r1" "secp256k1" "prime256v1" "secp384r1" "secp521r1" "brainpoolP256r1" "brainpoolP384r1" "brainpoolP512r1" "X25519" "X448")
local -a curves_ossl_output=("K-163" "sect163r1" "B-163" "sect193r1" "sect193r2" "K-233" "B-233" "sect239k1" "K-283" "B-283" "K-409" "B-409" "K-571" "B-571" "secp160k1" "secp160r1" "secp160r2" "secp192k1" "P-192" "secp224k1" "P-224" "secp256k1" "P-256" "P-384" "P-521" "brainpoolP256r1" "brainpoolP384r1" "brainpoolP512r1" "X25519" "X448")
local -ai curves_bits=(163 162 163 193 193 232 233 238 281 282 407 409 570 570 161 161 161 192 192 225 224 256 256 384 521 256 384 512 253 448)
# Many curves have been deprecated, and RFC 8446, Appendix B.3.1.4, states
# that these curves MUST NOT be offered in a TLS 1.3 ClientHello.
local -a curves_deprecated=("true" "true" "true" "true" "true" "true" "true" "true" "true" "true" "true" "true" "true" "true" "true" "true" "true" "true" "true" "true" "true" "true" "false" "false" "false" "true" "true" "true" "false" "false")
@ -8753,15 +8754,29 @@ run_pfs() {
done
fi
if "$ecdhe_offered"; then
low=1000
for (( i=0; i < nr_curves; i++ )); do
"${supported_curve[i]}" && curves_offered+="${curves_ossl[i]} "
if "${supported_curve[i]}"; then
curves_offered+="${curves_ossl[i]} "
[[ ${curves_bits[i]} -lt $low ]] && low=${curves_bits[i]}
fi
done
if [[ -n "$curves_offered" ]]; then
"$WIDE" && outln
pr_bold " Elliptic curves offered: "
out_row_aligned_max_width_by_entry "$curves_offered" " " $TERM_WIDTH pr_ecdh_curve_quality
outln
# severity ratings based on quality specified by
# pr_ecdh_quality() for shortest curve offered.
if [[ "$low" -le 163 ]]; then
fileout "ECDHE_curves" "MEDIUM" "$curves_offered"
elif [[ "$low" -le 193 ]]; then
fileout "ECDHE_curves" "LOW" "$curves_offered"
elif [[ "$low" -le 224 ]]; then
fileout "ECDHE_curves" "INFO" "$curves_offered"
else
fileout "ECDHE_curves" "OK" "$curves_offered"
fi
fi
fi
if "$using_sockets" && ( "$pfs_tls13_offered" || ( "$ffdhe_offered" && "$EXPERIMENTAL" ) ); then