Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-10-31 22:05:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1669 from dcooper16/separate_pr_cipher_quality

Browse Source 
Separate pr_cipher_quality() into two functions
This commit is contained in:
Dirk Wetter
2020-07-07 08:36:31 +02:00
committed by GitHub
parent 9122ffec1d 919064095f
commit d881140cac
1 changed files with 30 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
testssl.sh
View File

@@ -6108,8 +6108,7 @@ pr_ecdh_curve_quality() {
pr_ecdh_quality "$bits" "$curve" pr_ecdh_quality "$bits" "$curve"
} }
# Print $2 based on the quality of the cipher in $1. If $2 is empty, just print $1. # Return a value that is an indicator of the quality of the cipher in $1:
# The return value is an indicator of the quality of the cipher in $1:
# 0 = $1 is empty # 0 = $1 is empty
# 1 = pr_svrty_critical, 2 = pr_svrty_high, 3 = pr_svrty_medium, 4 = pr_svrty_low # 1 = pr_svrty_critical, 2 = pr_svrty_high, 3 = pr_svrty_medium, 4 = pr_svrty_low
# 5 = neither good nor bad, 6 = pr_svrty_good, 7 = pr_svrty_best # 5 = neither good nor bad, 6 = pr_svrty_good, 7 = pr_svrty_best
@@ -6119,13 +6118,11 @@ pr_ecdh_curve_quality() {
# Hint: find out by "grep <pattern> etc/cipher-mapping.txt" but it' might be be easier # Hint: find out by "grep <pattern> etc/cipher-mapping.txt" but it' might be be easier
# to look out Enc= and Au= or Mac= # to look out Enc= and Au= or Mac=
# #
pr_cipher_quality() { get_cipher_quality() {
local cipher="$1" local cipher="$1"
local text="$2"
local ossl_cipher local ossl_cipher
[[ -z "$1" ]] && return 0 [[ -z "$1" ]] && return 0
[[ -z "$text" ]] && text="$cipher"
if [[ "$cipher" != TLS_* ]] && [[ "$cipher" != SSL_* ]]; then if [[ "$cipher" != TLS_* ]] && [[ "$cipher" != SSL_* ]]; then
# This must be the OpenSSL name for a cipher or for TLS 1.3 ($TLS13_OSSL_CIPHERS) # This must be the OpenSSL name for a cipher or for TLS 1.3 ($TLS13_OSSL_CIPHERS)
@@ -6135,46 +6132,36 @@ pr_cipher_quality() {
# the case, see "prepare_arrays()" and "./etc/cipher-mapping.txt" # the case, see "prepare_arrays()" and "./etc/cipher-mapping.txt"
case "$cipher" in case "$cipher" in
*NULL*|EXP*|ADH*|AECDH*|*anon*) *NULL*|EXP*|ADH*|AECDH*|*anon*)
pr_svrty_critical "$text"
return 1 return 1
;; ;;
*RC4*|*RC2*|*MD5|*M1) *RC4*|*RC2*|*MD5|*M1)
pr_svrty_high "$text"
return 2 return 2
;; ;;
AES256-GCM-SHA384|AES128-GCM-SHA256|AES256-CCM*|AES128-CCM*|ARIA256-GCM-SHA384|ARIA128-GCM-SHA256) AES256-GCM-SHA384|AES128-GCM-SHA256|AES256-CCM*|AES128-CCM*|ARIA256-GCM-SHA384|ARIA128-GCM-SHA256)
# RSA kx and e.g. GCM isn't certainly the best # RSA kx and e.g. GCM isn't certainly the best
pr_svrty_good "$text"
return 6 return 6
;; ;;
*CBC3*|*3DES*|*IDEA*) *CBC3*|*3DES*|*IDEA*)
pr_svrty_medium "$text"
return 3 return 3
;; ;;
*DES*) *DES*)
pr_svrty_high "$text"
return 2 return 2
;; ;;
PSK-*GCM*|PSK-*CCM*|RSA-PSK-*GCM*|RSA-PSK-CHACHA20-POLY1305|PSK-CHACHA20-POLY1305) PSK-*GCM*|PSK-*CCM*|RSA-PSK-*GCM*|RSA-PSK-CHACHA20-POLY1305|PSK-CHACHA20-POLY1305)
# PSK kx and e.g. GCM isn't certainly the best # PSK kx and e.g. GCM isn't certainly the best
pr_svrty_good "$text"
return 6 return 6
;; ;;
DH-*GCM*|ECDH-*GCM*) DH-*GCM*|ECDH-*GCM*)
# static DH or ECDH kx and GCM isn't certainly the best # static DH or ECDH kx and GCM isn't certainly the best
pr_svrty_good "$text"
return 6 return 6
;; ;;
*GCM*|*CCM*|*CHACHA20*) *GCM*|*CCM*|*CHACHA20*)
pr_svrty_best "$text"
return 7 return 7
;; #best ones ;; #best ones
*AES*SHA*|*CAMELLIA*SHA*|*SEED*SHA*|*CBC*|*GOST*) *AES*SHA*|*CAMELLIA*SHA*|*SEED*SHA*|*CBC*|*GOST*)
pr_svrty_low "$text"
return 4 return 4
;; ;;
*) *)
out "$text"
return 5 return 5
;; ;;
esac esac
@@ -6187,45 +6174,64 @@ pr_cipher_quality() {
# Now we look at the RFC cipher names. The sequence matters - as above. # Now we look at the RFC cipher names. The sequence matters - as above.
case "$cipher" in case "$cipher" in
*NULL*|*EXP*|*_DES40_*|*anon*) *NULL*|*EXP*|*_DES40_*|*anon*)
pr_svrty_critical "$text"
return 1 return 1
;; ;;
*RC4*|*RC2*|*MD5|*MD5_1) *RC4*|*RC2*|*MD5|*MD5_1)
pr_svrty_high "$text"
return 2 return 2
;; ;;
*_DES_*) *_DES_*)
if [[ "$cipher" =~ EDE3 ]]; then if [[ "$cipher" =~ EDE3 ]]; then
pr_svrty_medium "$text" # 3DES
return 3 return 3
fi fi
pr_svrty_high "$text"
return 2 return 2
;; ;;
*CBC3*|*3DES*|*IDEA*) *CBC3*|*3DES*|*IDEA*)
pr_svrty_medium "$text"
return 3 return 3
;; ;;
*CBC*|*GOST*) *CBC*|*GOST*)
pr_svrty_low "$text"
return 4 return 4
;; ;;
TLS_RSA_*|TLS_DH_*|TLS_ECDH_*|TLS_PSK_WITH_*) TLS_RSA_*|TLS_DH_*|TLS_ECDH_*|TLS_PSK_WITH_*)
pr_svrty_good "$text"
# RSA, or static DH, ECDH, or PSK kx and e.g. GCM isn't certainly the best # RSA, or static DH, ECDH, or PSK kx and e.g. GCM isn't certainly the best
return 6 return 6
;; ;;
*GCM*|*CCM*|*CHACHA20*) *GCM*|*CCM*|*CHACHA20*)
pr_svrty_best "$text"
return 7 return 7
;; ;;
*) *)
out "$text"
return 5 return 5
;; ;;
esac esac
} }
# Print $2 based on the quality of the cipher in $1. If $2 is empty, just print $1.
# The return value is an indicator of the quality of the cipher in $1:
# 0 = $1 is empty
# 1 = pr_svrty_critical, 2 = pr_svrty_high, 3 = pr_svrty_medium, 4 = pr_svrty_low
# 5 = neither good nor bad, 6 = pr_svrty_good, 7 = pr_svrty_best
#
pr_cipher_quality() {
local cipher="$1"
local text="$2"
local -i quality
[[ -z "$1" ]] && return 0
[[ -z "$text" ]] && text="$cipher"
get_cipher_quality "$cipher"
quality=$?
case $quality in
1) pr_svrty_critical "$text" ;;
2) pr_svrty_high "$text" ;;
3) pr_svrty_medium "$text" ;;
4) pr_svrty_low "$text" ;;
5) out "$text" ;;
6) pr_svrty_good "$text" ;;
7) pr_svrty_best "$text" ;;
esac
return $quality
}
# arg1: file with input for grepping the type of ephemeral DH key (DH ECDH) # arg1: file with input for grepping the type of ephemeral DH key (DH ECDH)
read_dhtype_from_file() { read_dhtype_from_file() {
local temp kx local temp kx