* Grading --> Rating. But we still hand out grades

This commit is contained in:
Dirk Wetter 2020-04-20 22:45:58 +02:00
parent c3f09f56f7
commit e9e11e213a
1 changed files with 47 additions and 35 deletions

View File

@ -998,7 +998,7 @@ f5_port_decode() {
# arg1: A grade to set ("A", "B", "C", "D", "E", "F", "M", or "T") # arg1: A grade to set ("A", "B", "C", "D", "E", "F", "M", or "T")
# arg2: A reason why (e.g. "Vulnerable to CRIME") # arg2: A reason why (e.g. "Vulnerable to CRIME")
set_grade_cap() { set_grade_cap() {
"$do_grading" || return 0 "$do_rating" || return 0
GRADE_CAP_REASONS+=("Grade capped to $1. $2") GRADE_CAP_REASONS+=("Grade capped to $1. $2")
# Always set special attributes. These are hard caps, due to name mismatch or cert being invalid # Always set special attributes. These are hard caps, due to name mismatch or cert being invalid
@ -1014,7 +1014,7 @@ set_grade_cap() {
# Sets a grade warning, as specified by the grade specification # Sets a grade warning, as specified by the grade specification
# arg1: A warning message # arg1: A warning message
set_grade_warning() { set_grade_warning() {
"$do_grading" || return 0 "$do_rating" || return 0
GRADE_WARNINGS+=("$1") GRADE_WARNINGS+=("$1")
return 0 return 0
} }
@ -1026,7 +1026,7 @@ set_key_str_score() {
local type=$1 local type=$1
local size=$2 local size=$2
"$do_grading" || return 0 "$do_rating" || return 0
# TODO: We need to get the size of DH params (follows the same table as the "else" clause) # TODO: We need to get the size of DH params (follows the same table as the "else" clause)
# For now, verifying the key size will do... # For now, verifying the key size will do...
@ -1076,7 +1076,7 @@ set_key_str_score() {
set_ciph_str_score() { set_ciph_str_score() {
local size=$1 local size=$1
"$do_grading" || return 0 "$do_rating" || return 0
[[ $size -gt $CIPH_STR_BEST ]] && let CIPH_STR_BEST=$size [[ $size -gt $CIPH_STR_BEST ]] && let CIPH_STR_BEST=$size
[[ $size -lt $CIPH_STR_WORST ]] && let CIPH_STR_WORST=$size [[ $size -lt $CIPH_STR_WORST ]] && let CIPH_STR_WORST=$size
@ -1121,7 +1121,7 @@ fileout_json_section() {
9) echo -e ",\n \"vulnerabilities\" : [" ;; 9) echo -e ",\n \"vulnerabilities\" : [" ;;
10) echo -e ",\n \"cipherTests\" : [" ;; 10) echo -e ",\n \"cipherTests\" : [" ;;
11) echo -e ",\n \"browserSimulations\": [" ;; 11) echo -e ",\n \"browserSimulations\": [" ;;
12) echo -e ",\n \"grading\" : [" ;; 12) echo -e ",\n \"rating\" : [" ;;
*) echo "invalid section" ;; *) echo "invalid section" ;;
esac esac
} }
@ -3438,7 +3438,7 @@ neat_list(){
enc="${enc//POLY1305/}" # remove POLY1305 enc="${enc//POLY1305/}" # remove POLY1305
enc="${enc//\//}" # remove "/" enc="${enc//\//}" # remove "/"
# For grading, set bits size # For rating set bit size
set_ciph_str_score $strength set_ciph_str_score $strength
[[ "$export" =~ export ]] && strength="$strength,exp" [[ "$export" =~ export ]] && strength="$strength,exp"
@ -18560,7 +18560,7 @@ output options (can also be preset via environment variables):
--color <0|1|2|3> 0: no escape or other codes, 1: b/w escape codes, 2: color (default), 3: extra color (color all ciphers) --color <0|1|2|3> 0: no escape or other codes, 1: b/w escape codes, 2: color (default), 3: extra color (color all ciphers)
--colorblind swap green and blue in the output --colorblind swap green and blue in the output
--debug <0-6> 1: screen output normal but keeps debug output in /tmp/. 2-6: see "grep -A 5 '^DEBUG=' testssl.sh" --debug <0-6> 1: screen output normal but keeps debug output in /tmp/. 2-6: see "grep -A 5 '^DEBUG=' testssl.sh"
--disable-grading Explicitly disables the grading output --disable-rating Explicitly disables the rating output
file output options (can also be preset via environment variables) file output options (can also be preset via environment variables)
--log, --logging logs stdout to '\${NODE}-p\${port}\${YYYYMMDD-HHMM}.log' in current working directory (cwd) --log, --logging logs stdout to '\${NODE}-p\${port}\${YYYYMMDD-HHMM}.log' in current working directory (cwd)
@ -20535,7 +20535,7 @@ run_mass_testing_parallel() {
return $? return $?
} }
run_grading() { run_rating() {
local final_score pre_cap_grade final_grade local final_score pre_cap_grade final_grade
local c1_score c2_score c3_score c1_wscore c2_wscore c3_wscore local c1_score c2_score c3_score c1_wscore c2_wscore c3_wscore
local c1_worst c1_best local c1_worst c1_best
@ -20543,14 +20543,15 @@ run_grading() {
local old_ifs=$IFS sorted_reasons sorted_warnings reason_loop=0 warning_loop=0 local old_ifs=$IFS sorted_reasons sorted_warnings reason_loop=0 warning_loop=0
outln "\n"; outln "\n";
pr_headlineln " Calculating grades (experimental)" pr_headlineln " Rating (experimental) "
outln outln
if [[ -n "$STARTTLS_PROTOCOL" ]]; then if [[ -n "$STARTTLS_PROTOCOL" ]]; then
pr_bold " Grade "; pr_svrty_critical "T" pr_bold " Grade "; pr_svrty_critical "T"
outln " - STARTTLS encryption is opportunistic" outln " - STARTTLS encryption is opportunistic"
outln " (Further details would lead to a false sense of security)" outln " (Further details would lead to a false sense of security)"
fileout "grade" "CRITICAL" "T, No more details shown as it would lead to a false sense of security" fileout "grade" "CRITICAL" "T"
fileout "grade_cap_reasons" "INFO" "No more details shown as it would lead to a false sense of security"
return 0 return 0
fi fi
@ -20558,10 +20559,10 @@ run_grading() {
IFS=$'\n' sorted_reasons=($(sort -ru <<<"${GRADE_CAP_REASONS[*]}")) IFS=$'\n' sorted_reasons=($(sort -ru <<<"${GRADE_CAP_REASONS[*]}"))
IFS=$'\n' sorted_warnings=($(sort -u <<<"${GRADE_WARNINGS[*]}")) IFS=$'\n' sorted_warnings=($(sort -u <<<"${GRADE_WARNINGS[*]}"))
IFS=$old_ifs IFS=$old_ifs
pr_bold " Grading specs"; out ", not complete "; outln "SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)" pr_bold " Rating specs"; out " (not complete) "; outln "SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)"
pr_bold " Specification documentation "; pr_url "https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide" pr_bold " Specification documentation "; pr_url "https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide"
outln outln
fileout "grading_spec" "INFO" "SSLLabs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)" fileout "rating_spec" "INFO" "SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)"
# No point in calculating a score, if a cap of "F", "T", or "M" has been set # No point in calculating a score, if a cap of "F", "T", or "M" has been set
if [[ $GRADE_CAP == F || $GRADE_CAP == T || $GRADE_CAP == M ]]; then if [[ $GRADE_CAP == F || $GRADE_CAP == T || $GRADE_CAP == M ]]; then
@ -20569,7 +20570,7 @@ run_grading() {
pr_bold " Key Exchange"; out " (weighted) "; outln "0 (0)" pr_bold " Key Exchange"; out " (weighted) "; outln "0 (0)"
pr_bold " Cipher Strength"; out " (weighted) "; outln "0 (0)" pr_bold " Cipher Strength"; out " (weighted) "; outln "0 (0)"
pr_bold " Final Score "; outln "0" pr_bold " Final Score "; outln "0"
pr_bold " Grade "; prln_svrty_critical "$GRADE_CAP" pr_bold " Overall Grade "; prln_svrty_critical "$GRADE_CAP"
fileout "grade" "CRITICAL" "$GRADE_CAP" fileout "grade" "CRITICAL" "$GRADE_CAP"
else else
## Category 1 ## Category 1
@ -20640,7 +20641,7 @@ run_grading() {
c3_worst=0 c3_worst=0
fi fi
let c3_score="($c3_best+$c3_worst)/2" # Gets the category score let c3_score="($c3_best+$c3_worst)/2" # Gets the category score
let c3_wscore=$c3_score*40/100 # Gets the weighted score for category (40%) let c3_wscore=$c3_score*40/100 # Gets the weighted score for category (40%)
pr_bold " Cipher Strength "; out " (weighted) "; outln "$c3_score ($c3_wscore)" pr_bold " Cipher Strength "; out " (weighted) "; outln "$c3_score ($c3_wscore)"
@ -20678,7 +20679,7 @@ run_grading() {
final_grade=$pre_cap_grade final_grade=$pre_cap_grade
fi fi
pr_bold " Grade " pr_bold " Overall Grade "
case "$final_grade" in case "$final_grade" in
A*) prln_svrty_best $final_grade A*) prln_svrty_best $final_grade
fileout "grade" "OK" "$final_grade" fileout "grade" "OK" "$final_grade"
@ -20720,14 +20721,26 @@ run_grading() {
fi fi
done done
case $GRADE_CAP in
# A-E: WIP
A) fileout "grade_cap_reasons" "INFO" "" ;;
B) fileout "grade_cap_reasons" "INFO" "" ;;
C) fileout "grade_cap_reasons" "INFO" "" ;;
D) fileout "grade_cap_reasons" "INFO" "" ;;
E) fileout "grade_cap_reasons" "INFO" "" ;;
M) fileout "grade_cap_reasons" "INFO" "SAN / CN mismatch" ;;
F) fileout "grade_cap_reasons" "INFO" "Severe vulnerability or cryptographic problem" ;;
T) fileout "grade_cap_reasons" "INFO" "Issue with certificate" ;;
esac
return 0 return 0
} }
# Checks whether grading can be done or not. # Checks whether rating can be done or not.
# Grading needs a mix of certificate and vulnerabilities checks, in order to give out a proper grade. # Rating needs a mix of certificate and vulnerabilities checks, in order to give out proper grades.
# This function disables grading, if not all required checks are enabled # This function disables rating, if not all required checks are enabled
# Returns "0" if grading is enabled, and "1" if grading is disabled # Returns "0" if rating is enabled, and "1" if rating is disabled
set_grading_state() { set_rating_state() {
local gbl local gbl
local nr_enabled=0 local nr_enabled=0
@ -20742,9 +20755,9 @@ set_grading_state() {
# ... atleast one of these has to be set # ... atleast one of these has to be set
[[ "$do_allciphers" || "$do_cipher_per_proto" ]] && let nr_enabled++ [[ "$do_allciphers" || "$do_cipher_per_proto" ]] && let nr_enabled++
# ... else we can't grade # ... else we can't do rating
if [[ $nr_enabled -lt 18 ]]; then if [[ $nr_enabled -lt 18 ]]; then
do_grading=false do_rating=false
return 1 return 1
fi fi
@ -20793,7 +20806,7 @@ initialize_globals() {
do_client_simulation=false do_client_simulation=false
do_display_only=false do_display_only=false
do_starttls=false do_starttls=false
do_grading=false do_rating=false
} }
@ -20829,7 +20842,7 @@ set_scanning_defaults() {
else else
VULN_COUNT=12 VULN_COUNT=12
fi fi
do_grading=true do_rating=true
} }
# returns number of $do variables set = number of run_funcs() to perform # returns number of $do variables set = number of run_funcs() to perform
@ -20840,8 +20853,8 @@ count_do_variables() {
for gbl in do_allciphers do_vulnerabilities do_beast do_lucky13 do_breach do_ccs_injection do_ticketbleed do_cipher_per_proto do_crime \ for gbl in do_allciphers do_vulnerabilities do_beast do_lucky13 do_breach do_ccs_injection do_ticketbleed do_cipher_per_proto do_crime \
do_freak do_logjam do_drown do_header do_heartbleed do_mx_all_ips do_fs do_protocols do_rc4 do_grease do_robot do_renego \ do_freak do_logjam do_drown do_header do_heartbleed do_mx_all_ips do_fs do_protocols do_rc4 do_grease do_robot do_renego \
do_cipherlists do_server_defaults do_server_preference do_ssl_poodle do_tls_fallback_scsv \ do_cipherlists do_server_defaults do_server_preference do_ssl_poodle do_tls_fallback_scsv \
do_sweet32 do_client_simulation do_cipher_match do_tls_sockets do_mass_testing do_display_only do_grading; do do_sweet32 do_client_simulation do_cipher_match do_tls_sockets do_mass_testing do_display_only do_rating; do
[[ "${!gbl}" == true ]] && let true_nr++ "${!gbl}" && let true_nr++
done done
return $true_nr return $true_nr
} }
@ -20853,7 +20866,7 @@ debug_globals() {
for gbl in do_allciphers do_vulnerabilities do_beast do_lucky13 do_breach do_ccs_injection do_ticketbleed do_cipher_per_proto do_crime \ for gbl in do_allciphers do_vulnerabilities do_beast do_lucky13 do_breach do_ccs_injection do_ticketbleed do_cipher_per_proto do_crime \
do_freak do_logjam do_drown do_header do_heartbleed do_mx_all_ips do_fs do_protocols do_rc4 do_grease do_robot do_renego \ do_freak do_logjam do_drown do_header do_heartbleed do_mx_all_ips do_fs do_protocols do_rc4 do_grease do_robot do_renego \
do_cipherlists do_server_defaults do_server_preference do_ssl_poodle do_tls_fallback_scsv \ do_cipherlists do_server_defaults do_server_preference do_ssl_poodle do_tls_fallback_scsv \
do_sweet32 do_client_simulation do_cipher_match do_tls_sockets do_mass_testing do_display_only do_grading; do do_sweet32 do_client_simulation do_cipher_match do_tls_sockets do_mass_testing do_display_only do_rating; do
printf "%-22s = %s\n" $gbl "${!gbl}" printf "%-22s = %s\n" $gbl "${!gbl}"
done done
printf "%-22s : %s\n" URI: "$URI" printf "%-22s : %s\n" URI: "$URI"
@ -20931,7 +20944,7 @@ parse_cmd_line() {
;; ;;
esac esac
# initializing # set all globals to false
initialize_globals initialize_globals
while [[ $# -gt 0 ]]; do while [[ $# -gt 0 ]]; do
@ -21117,8 +21130,8 @@ parse_cmd_line() {
-g|--grease) -g|--grease)
do_grease=true do_grease=true
;; ;;
--disable-grading) --disable-rating)
do_grading=false do_rating=false
;; ;;
-9|--full) -9|--full)
set_scanning_defaults set_scanning_defaults
@ -21439,14 +21452,13 @@ parse_cmd_line() {
grep -q "BEGIN CERTIFICATE" "$fname" || fatal "\"$fname\" is not CA file in PEM format" $ERR_RESOURCE grep -q "BEGIN CERTIFICATE" "$fname" || fatal "\"$fname\" is not CA file in PEM format" $ERR_RESOURCE
done done
[[ "$DEBUG" -ge 5 ]] && debug_globals
count_do_variables count_do_variables
[[ $? -eq 0 ]] && set_scanning_defaults [[ $? -eq 0 ]] && set_scanning_defaults
[[ "$DEBUG" -ge 5 ]] && debug_globals
# Unless explicit disabled, check if grading can be enabled # Unless explicit disabled, check if rating can be enabled
# Should be called after set_scanning_defaults # Should be called after set_scanning_defaults
"$do_grading" || set_grading_state ! "$do_rating" && set_rating_state
CMDLINE_PARSED=true CMDLINE_PARSED=true
} }
@ -21618,7 +21630,7 @@ lets_roll() {
"$do_client_simulation" && { run_client_simulation; ret=$(($? + ret)); stopwatch run_client_simulation; } "$do_client_simulation" && { run_client_simulation; ret=$(($? + ret)); stopwatch run_client_simulation; }
fileout_section_header $section_number true && ((section_number++)) fileout_section_header $section_number true && ((section_number++))
"$do_grading" && { run_grading; ret=$(($? + ret)); stopwatch run_grading; } "$do_rating" && { run_rating; ret=$(($? + ret)); stopwatch run_rating; }
fi fi
fileout_section_footer true fileout_section_footer true