From 4f2f9fa3d3d2e520cd8f1ffda6aab3b7bc0bbcaa Mon Sep 17 00:00:00 2001
From: rbsec
Date: Mon, 2 Dec 2024 17:12:26 +0000
Subject: [PATCH] Mark CCM8 ciphers as weak and manually override their display bit strength
---
 Changelog | 16 +++++++++++++++-
 sslscan.c | 20 ++++++++++++++++++++
 2 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/Changelog b/Changelog
index 9cea395..eb24a54 100644
--- a/Changelog
+++ b/Changelog
@@ -1,5 +1,19 @@
 Changelog
 =========
+Version: 2.1.6
+Date : 02/12/2024
+Author : rbsec
+Changes: The following are a list of changes
+ > Flag CCM8 ciphers as weak and manually override their displayed
+ bit strength to match newer versions of OpenSSL
+ See https://github.com/openssl/openssl/pull/16652
+
+Version: 2.1.5
+Date : 21/09/2024
+Author : rbsec
+Changes: The following are a list of changes
+ > Makefile improvements
+
 Version: 2.1.4
 Date : 16/06/2024
 Author : rbsec
@@ -11,7 +25,7 @@ Date : 21/01/2024
 Author : rbsec
 Changes: The following are a list of changes
 > Enable quiet shutdown for scanning (credit jarnfast)
- > Fix Docked build on non-x64 architectures (credit jtesta)
+ > Fix Docker build on non-x64 architectures (credit jtesta)
 Version: 2.1.2
 Date : 14/11/2023
diff --git a/sslscan.c b/sslscan.c
index 952ab60..f22991e 100644
--- a/sslscan.c
+++ b/sslscan.c
@@ -1720,6 +1720,14 @@ void outputCipher(struct sslCheckOptions *options, SSL *ssl, const char *cleanSs
 } else printf("%s ", cleanSslMethod);
+ // Short authentication tag length
+ // These are flagged as 64 bit strength in newer versions of OpenSSL
+ // But in older versions they'll still show as 256 bits, so override that here
+ // See https://github.com/openssl/openssl/pull/16652
+ if (strstr(ciphername, "CCM8")) {
+ cipherbits = 64;
+ }
+
 if (cipherbits < 10)
 tempInt = 2;
 else if (cipherbits < 100)
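Review bot: The added `strstr(ciphername, "CCM8")` test matches only names spelled without an underscore, so a suite named in the IANA style, for example the TLS 1.3 suite `TLS_AES_128_CCM_8_SHA256`, would not get the 64-bit override. The `options->ianaNames` branches in the later hunk suggest `ciphername` can hold such names, but its assignment is outside this hunk, as is the rest of outputCipher, so that should be confirmed. If it can, the guard could read `if (strstr(ciphername, "CCM8") || strstr(ciphername, "CCM_8")) {`, and the `else if` added at `@@ -1778` needs the same condition. The comment could also state that 64 refers to the authentication tag length rather than the key size, since the value is shown as the cipher's bit strength.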
@@ -1778,6 +1786,18 @@ void outputCipher(struct sslCheckOptions *options, SSL *ssl, const char *cleanSs
 printf("%s%-29s%s", COL_YELLOW, ciphername, RESET);
 }
 strength = "medium";
+ } else if (strstr(ciphername, "CCM8")) {
+ // Short authentication tag length
+ // These are flagged as 64 bit strength in newer versions of OpenSSL
+ // But in older versions they'll still show as 256 bits, so manually flag them here
+ // See https://github.com/openssl/openssl/pull/16652
+ if (options->ianaNames) {
+ printf("%s%-45s%s", COL_YELLOW, ciphername, RESET);
+ }
+ else {
+ printf("%s%-29s%s", COL_YELLOW, ciphername, RESET);
+ }
+ strength = "medium";
 } else if (strstr(ciphername, "_SM4_")) { /* Developed by Chinese government */
 if (options->ianaNames) {
 printf("%s%-45s%s", COL_YELLOW, ciphername, RESET);
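Review bot: The new branch sets `strength = "medium"` and prints in `COL_YELLOW`, while the commit subject and the Changelog entry both say CCM8 ciphers are marked as weak, so the code and its description disagree on the tier. If medium is the intended rating, a comment in the branch should say so, for example `// Rated "medium" (yellow) on purpose: the short tag weakens integrity, not the key`; otherwise the string and colour need changing. Anything that reads `strength` later in outputCipher, which continues outside the hunk, would presumably report these suites as medium. The branch body also repeats the two printf calls of the branch above it verbatim.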