Mark CCM8 ciphers as weak and manually override their display bit str…

…ength
rbsec · Dec 2, 2024 · 4f2f9fa · 4f2f9fa
1 parent f8f9867
commit 4f2f9fa
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 1 deletion.
diff --git a/Changelog b/Changelog
@@ -1,5 +1,19 @@
 Changelog
 =========
+Version: 2.1.6
+Date   : 02/12/2024
+Author : rbsec <[email protected]>
+Changes: The following are a list of changes
+		 > Flag CCM8 ciphers as weak and manually override their displayed
+		 bit strength to match newer versions of OpenSSL
+		 See https://github.com/openssl/openssl/pull/16652
+
+Version: 2.1.5
+Date   : 21/09/2024
+Author : rbsec <[email protected]>
+Changes: The following are a list of changes
+		 > Makefile improvements
+
 Version: 2.1.4
 Date   : 16/06/2024
 Author : rbsec <[email protected]>
@@ -11,7 +25,7 @@ Date   : 21/01/2024
 Author : rbsec <[email protected]>
 Changes: The following are a list of changes
 		 > Enable quiet shutdown for scanning (credit jarnfast)
-		 > Fix Docked build on non-x64 architectures (credit jtesta)
+		 > Fix Docker build on non-x64 architectures (credit jtesta)
 
 Version: 2.1.2
 Date   : 14/11/2023

diff --git a/sslscan.c b/sslscan.c
@@ -1720,6 +1720,14 @@ void outputCipher(struct sslCheckOptions *options, SSL *ssl, const char *cleanSs
     } else
       printf("%s  ", cleanSslMethod);
 
+    // Short authentication tag length
+    // These are flagged as 64 bit strength in newer versions of OpenSSL
+    // But in older versions they'll still show as 256 bits, so override that here
+    // See https://github.com/openssl/openssl/pull/16652
+    if (strstr(ciphername, "CCM8")) {
+        cipherbits = 64;
+    }
+
     if (cipherbits < 10)
       tempInt = 2;
     else if (cipherbits < 100)
@@ -1778,6 +1786,18 @@ void outputCipher(struct sslCheckOptions *options, SSL *ssl, const char *cleanSs
             printf("%s%-29s%s", COL_YELLOW, ciphername, RESET);
         }
         strength = "medium";
+    } else if (strstr(ciphername, "CCM8")) {
+        // Short authentication tag length
+        // These are flagged as 64 bit strength in newer versions of OpenSSL
+        // But in older versions they'll still show as 256 bits, so manually flag them here
+        // See https://github.com/openssl/openssl/pull/16652
+        if (options->ianaNames) {
+            printf("%s%-45s%s", COL_YELLOW, ciphername, RESET);
+        }
+        else {
+            printf("%s%-29s%s", COL_YELLOW, ciphername, RESET);
+        }
+        strength = "medium";
     } else if (strstr(ciphername, "_SM4_")) { /* Developed by Chinese government */
         if (options->ianaNames) {
             printf("%s%-45s%s", COL_YELLOW, ciphername, RESET);