Downgraded Cipher scores one step below if the cipher scores A or B a…

…nd is not Forward Secret or is tagged Weak
adedayo · Feb 25, 2021 · 0ee81a0 · 0ee81a0
1 parent 19a32f4
commit 0ee81a0
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 9 deletions.
diff --git a/pkg/model/models.go b/pkg/model/models.go
@@ -1656,12 +1656,20 @@ func supportsAEAD(scan ScanResult) bool {
 }
 
 //see https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
-func toTLSGrade(score int) (grade string) {
+func toTLSGrade(score int, meta strengthMetadata) (grade string) {
 	switch {
 	case score >= 80:
-		grade = "A"
+		if meta.forwardSecret == "" || meta.weak != "" {
+			grade = "B"
+		} else {
+			grade = "A"
+		}
 	case score >= 65:
-		grade = "B"
+		if meta.forwardSecret == "" || meta.weak != "" {
+			grade = "C"
+		} else {
+			grade = "B"
+		}
 	case score >= 50:
 		grade = "C"
 	case score >= 35:
@@ -1751,11 +1759,23 @@ func scoreCipher(cipher, protocol uint16, scan ScanResult) (score string) {
 		}
 		s := (30*mapEncKeyLengthToScore(cc.GetEncryptionKeyLength()) + 30*fsScore +
 			40*mapKeyExchangeKeylengthToScore(cc.GetKeyExchangeKeyLength(cipher, protocol, scan))) / 100
-		return fmt.Sprintf("%d bits, %s%sGrade %s", cc.GetEncryptionKeyLength(), fs, annotateWeak(cc), toTLSGrade(s))
+
+		meta := strengthMetadata{
+			keyLength:     s,
+			weak:          annotateWeak(cc),
+			forwardSecret: fs,
+		}
+		return fmt.Sprintf("%d bits, %s%sGrade %s", cc.GetEncryptionKeyLength(), fs, meta.weak, toTLSGrade(s, meta))
 	}
 	return
 }
 
+type strengthMetadata struct {
+	keyLength     int
+	weak          string
+	forwardSecret string
+}
+
 func annotateWeak(cc CipherConfig) string {
 	weak := "Weak, "
 	switch {

diff --git a/pkg/model/tls_score.go b/pkg/model/tls_score.go
@@ -6,7 +6,7 @@ func score2009p(s *ScanResult) (result SecurityScore) {
 		adjustScore2009p(&result, *s)
 	} else {
 		//No TLS
-		result.Grade = toTLSGrade(-1)
+		result.Grade = toTLSGrade(-1, strengthMetadata{})
 	}
 	return
 }
@@ -17,7 +17,7 @@ func score2009q(s *ScanResult) (result SecurityScore) {
 		adjustScore2009q(&result, *s)
 	} else {
 		//No TLS
-		result.Grade = toTLSGrade(-1)
+		result.Grade = toTLSGrade(-1, strengthMetadata{})
 	}
 	return
 }
@@ -66,12 +66,12 @@ func computeBasicScore(s *ScanResult) (result SecurityScore) {
 	result.KeyExchangeScore = (keyExchangeMaxScore + keyExchangeMinScore) / 2
 
 	result.CipherEncryptionScore = (cipherStrengthMaxScore + cipherStrengthMinScore) / 2
-
+	var meta strengthMetadata
 	if result.ProtocolScore*result.KeyExchangeScore*result.CipherEncryptionScore == 0 {
 		//if any of the three protocol, key exchange or cipher encryption score is zero, then zero the result
-		result.Grade = toTLSGrade(0)
+		result.Grade = toTLSGrade(0, meta)
 	} else {
-		result.Grade = toTLSGrade((30*result.ProtocolScore + 30*result.KeyExchangeScore + 40*result.CipherEncryptionScore) / 100)
+		result.Grade = toTLSGrade((30*result.ProtocolScore+30*result.KeyExchangeScore+40*result.CipherEncryptionScore)/100, meta)
 	}
 
 	scoreCertificate(&result, s)