Merge pull request #1548 from dcooper16/adjust_pr_cipher_quality

Adjust pr_cipher_quality ratings
Dirk Wetter 2020-03-31 14:09:47 +02:00 committed by GitHub
commit d32743b2eb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 30 additions and 21 deletions


@ -5948,7 +5948,7 @@ pr_cipher_quality() {
# We have an OpenSSL name and can't convert it to the RFC name which is rarely # We have an OpenSSL name and can't convert it to the RFC name which is rarely
# the case, see "prepare_arrays()" and "./etc/cipher-mapping.txt" # the case, see "prepare_arrays()" and "./etc/cipher-mapping.txt"
case "$cipher" in case "$cipher" in
*NULL*|EXP*|ADH*) *NULL*|EXP*|ADH*|AECDH*|*anon*)
pr_svrty_critical "$text" pr_svrty_critical "$text"
return 1 return 1
;; ;;
@ -5956,20 +5956,34 @@ pr_cipher_quality() {
pr_svrty_high "$text" pr_svrty_high "$text"
return 2 return 2
;; ;;
AES256-GCM-SHA384|AES128-GCM-SHA256|AES256-CCM|AES128-CCM|ARIA256-GCM-SHA384|ARIA128-GCM-SHA256) AES256-GCM-SHA384|AES128-GCM-SHA256|AES256-CCM*|AES128-CCM*|ARIA256-GCM-SHA384|ARIA128-GCM-SHA256)
# RSA kx and e.g. GCM isn't certainly the best # RSA kx and e.g. GCM isn't certainly the best
pr_svrty_good "$text" pr_svrty_good "$text"
return 6 return 6
;; ;;
*CBC3*|*3DES*|*IDEA*)
pr_svrty_medium "$text"
return 3
;;
*DES*)
pr_svrty_high "$text"
return 2
;;
PSK-*GCM*|PSK-*CCM*|RSA-PSK-*GCM*|RSA-PSK-CHACHA20-POLY1305|PSK-CHACHA20-POLY1305)
# PSK kx and e.g. GCM isn't certainly the best
pr_svrty_good "$text"
return 6
;;
DH-*GCM*|ECDH-*GCM*)
# static DH or ECDH kx and GCM isn't certainly the best
pr_svrty_good "$text"
return 6
;;
*GCM*|*CCM*|*CHACHA20*) *GCM*|*CCM*|*CHACHA20*)
pr_svrty_best "$text" pr_svrty_best "$text"
return 7 return 7
;; #best ones ;; #best ones
*CBC3*|*SEED*|*3DES*|*IDEA*) *AES*SHA*|*CAMELLIA*SHA*|*SEED*SHA*|*CBC*)
pr_svrty_medium "$text"
return 3
;;
ECDHE*AES*|DHE*AES*SHA*|*CAMELLIA*SHA)
pr_svrty_low "$text" pr_svrty_low "$text"
return 4 return 4
;; ;;
@ -6000,28 +6014,23 @@ pr_cipher_quality() {
pr_svrty_high "$text" pr_svrty_high "$text"
return 2 return 2
;; ;;
*CBC3*|*SEED*|*3DES*|*IDEA*) *CBC3*|*3DES*|*IDEA*)
pr_svrty_medium "$text" pr_svrty_medium "$text"
return 3 return 3
;; ;;
TLS_RSA_*) *CBC*)
if [[ "$cipher" =~ CBC ]]; then pr_svrty_low "$text"
pr_svrty_low "$text" return 4
return 4 ;;
else TLS_RSA_*|TLS_DH_*|TLS_ECDH_*|TLS_PSK_WITH_*)
pr_svrty_good "$text" pr_svrty_good "$text"
# RSA kx and e.g. GCM isn't certainly the best # RSA, or static DH, ECDH, or PSK kx and e.g. GCM isn't certainly the best
return 6 return 6
fi
;; ;;
*GCM*|*CCM*|*CHACHA20*) *GCM*|*CCM*|*CHACHA20*)
pr_svrty_best "$text" pr_svrty_best "$text"
return 7 return 7
;; ;;
*ECDHE*AES*CBC*|*DHE*AES*SHA*|*RSA*AES*SHA*|*CAMELLIA*SHA*)
pr_svrty_low "$text"
return 4
;;
*) *)
out "$text" out "$text"
return 5 return 5
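Review bot: The new RFC-name arm `TLS_RSA_*|TLS_DH_*|TLS_ECDH_*|TLS_PSK_WITH_*)` in the third hunk matches on the key-exchange prefix alone, so any such name that gets past the earlier arms is rated good (return 6) whatever its cipher or mode. The OpenSSL-name arms added in the second hunk (`PSK-*GCM*|PSK-*CCM*|...` and `DH-*GCM*|ECDH-*GCM*)`) require an AEAD marker in the name, and the RFC arm would be safer written the same way: `TLS_RSA_*GCM*|TLS_RSA_*CCM*|TLS_RSA_*CHACHA20*|TLS_DH_*GCM*|TLS_ECDH_*GCM*|TLS_PSK_WITH_*GCM*|TLS_PSK_WITH_*CCM*|TLS_PSK_WITH_*CHACHA20*)`. An unrecognised name would then fall through to the neutral `*)` arm (return 5) rather than being shown as good. The `case` arms above this hunk are not visible, so it is only presumed that NULL, export and anon names are caught earlier in this branch; if they are not, `TLS_DH_*` would also match `TLS_DH_anon_*`. If the broad pattern is kept, a comment above it such as `# must stay below the NULL/anon/EXPORT/RC4/DES and *CBC* arms: matches on kx only` would record the ordering dependency.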