Skip to content

Commit

Permalink
Mark CCM8 ciphers as weak and manually override their display bit str…
Browse files Browse the repository at this point in the history
…ength
  • Loading branch information
rbsec committed Dec 2, 2024
1 parent f8f9867 commit 4f2f9fa
Show file tree
Hide file tree
Showing 2 changed files with 35 additions and 1 deletion.
16 changes: 15 additions & 1 deletion Changelog
Original file line number Diff line number Diff line change
@@ -1,5 +1,19 @@
Changelog
=========
Version: 2.1.6
Date : 02/12/2024
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Flag CCM8 ciphers as weak and manually override their displayed
bit strength to match newer versions of OpenSSL
See https://github.com/openssl/openssl/pull/16652

Version: 2.1.5
Date : 21/09/2024
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Makefile improvements

Version: 2.1.4
Date : 16/06/2024
Author : rbsec <[email protected]>
Expand All @@ -11,7 +25,7 @@ Date : 21/01/2024
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Enable quiet shutdown for scanning (credit jarnfast)
> Fix Docked build on non-x64 architectures (credit jtesta)
> Fix Docker build on non-x64 architectures (credit jtesta)

Version: 2.1.2
Date : 14/11/2023
Expand Down
20 changes: 20 additions & 0 deletions sslscan.c
Original file line number Diff line number Diff line change
Expand Up @@ -1720,6 +1720,14 @@ void outputCipher(struct sslCheckOptions *options, SSL *ssl, const char *cleanSs
} else
printf("%s ", cleanSslMethod);

// Short authentication tag length
// These are flagged as 64 bit strength in newer versions of OpenSSL
// But in older versions they'll still show as 256 bits, so override that here
// See https://github.com/openssl/openssl/pull/16652
if (strstr(ciphername, "CCM8")) {
cipherbits = 64;
}

if (cipherbits < 10)
tempInt = 2;
else if (cipherbits < 100)
Expand Down Expand Up @@ -1778,6 +1786,18 @@ void outputCipher(struct sslCheckOptions *options, SSL *ssl, const char *cleanSs
printf("%s%-29s%s", COL_YELLOW, ciphername, RESET);
}
strength = "medium";
} else if (strstr(ciphername, "CCM8")) {
// Short authentication tag length
// These are flagged as 64 bit strength in newer versions of OpenSSL
// But in older versions they'll still show as 256 bits, so manually flag them here
// See https://github.com/openssl/openssl/pull/16652
if (options->ianaNames) {
printf("%s%-45s%s", COL_YELLOW, ciphername, RESET);
}
else {
printf("%s%-29s%s", COL_YELLOW, ciphername, RESET);
}
strength = "medium";
} else if (strstr(ciphername, "_SM4_")) { /* Developed by Chinese government */
if (options->ianaNames) {
printf("%s%-45s%s", COL_YELLOW, ciphername, RESET);
Expand Down

0 comments on commit 4f2f9fa

Please sign in to comment.