package tlsmodel
// score2009p grades a scan under the 2009p revision of the rating guide.
// The basic score is computed first and then adjusted by adjustScore2009p;
// a host that does not support TLS at all receives the grade for -1 and no
// component scores.
func score2009p(s *ScanResult) (result SecurityScore) {
	if !s.SupportsTLS() {
		// No TLS: nothing to score, only the grade is set.
		result.Grade = toTLSGrade(-1)
		return result
	}
	result = computeBasicScore(s)
	adjustScore2009p(&result, *s)
	return result
}
// score2009q grades a scan under the 2009q revision of the rating guide.
// The basic score is computed first and then adjusted by adjustScore2009q;
// a host that does not support TLS at all receives the grade for -1 and no
// component scores.
func score2009q(s *ScanResult) (result SecurityScore) {
	if !s.SupportsTLS() {
		// No TLS: nothing to score, only the grade is set.
		result.Grade = toTLSGrade(-1)
		return result
	}
	result = computeBasicScore(s)
	adjustScore2009q(&result, *s)
	return result
}
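// computeBasicScore tries to mimic the SSL Labs scoring system (although the
// algorithm description is not really clear).
// See https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
// The following is the interpretation used here:
//
//	protocol score        = (max_protocol_score + min_protocol_score) / 2
//	key exchange score    = (max_keyExchange_score + min_keyExchange_score) / 2  <- not well specified in the guide
//	cipher strength score = (max_cipher_strength_score + min_cipher_strength_score) / 2
//	basic score           = 30% protocol + 30% key exchange + 40% cipher strength
//
// If any of the three component scores is zero the grade is the one for 0.
// A scan with no supported protocols yields zero component scores (and hence
// the zero grade) instead of panicking on an empty SupportedProtocols slice.
// The certificate assessment is applied by scoreCertificate in every case.
func computeBasicScore(s *ScanResult) (result SecurityScore) {
	if len(s.SupportedProtocols) > 0 {
		result.ProtocolScore = basicProtocolScore(s.SupportedProtocols)
		// Only the first listed protocol is scanned for cipher suites. The
		// intent is to use the strongest protocol — confirm that producers
		// of ScanResult order SupportedProtocols strongest-first.
		result.KeyExchangeScore, result.CipherEncryptionScore = basicCipherScores(s, s.SupportedProtocols[0])
	}
	if result.ProtocolScore*result.KeyExchangeScore*result.CipherEncryptionScore == 0 {
		// A zero in any component caps the grade at the bottom.
		result.Grade = toTLSGrade(0)
	} else {
		result.Grade = toTLSGrade((30*result.ProtocolScore + 30*result.KeyExchangeScore + 40*result.CipherEncryptionScore) / 100)
	}
	scoreCertificate(&result, s)
	return result
}

// basicProtocolScore averages the scores of the strongest (highest version
// value) and weakest (lowest version value) protocol in protocols.
// protocols must be non-empty; the caller guards for that.
func basicProtocolScore(protocols []uint16) int {
	strongest, weakest := protocols[0], protocols[0]
	for _, p := range protocols[1:] {
		if p > strongest {
			strongest = p
		}
		if p < weakest {
			weakest = p
		}
	}
	return (scoreProtocol(strongest) + scoreProtocol(weakest)) / 2
}

// basicCipherScores folds every cipher suite offered on protocol p through
// selectMinimalKeyExchangeScore and returns the averaged key-exchange score
// and cipher-strength score. The server's preference order is used when the
// scan recorded one, otherwise the plain suite list for p.
//
// NOTE(review): the min/max sentinels start at 1000/0, so a protocol with no
// recorded cipher suites averages to 500 for both scores rather than 0 —
// confirm this is the intended treatment of an empty suite list.
func basicCipherScores(s *ScanResult, p uint16) (keyExchange, cipherStrength int) {
	kexMin, kexMax := 1000, 0
	strMin, strMax := 1000, 0
	suites := s.CipherSuiteByProtocol[p]
	if s.HasCipherPreferenceOrderByProtocol[p] {
		suites = s.CipherPreferenceOrderByProtocol[p]
	}
	for _, c := range suites {
		selectMinimalKeyExchangeScore(c, p, &kexMin, &kexMax, &strMin, &strMax, *s)
	}
	return (kexMax + kexMin) / 2, (strMax + strMin) / 2
}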