Nmap Development mailing list archives
Re: Patch for issue 172 and 173
From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 16 Sep 2015 00:00:07 -0500
Brandon, Thanks for taking the time to address these issues. I applied your first idea after ensuring that the newly calculated strengths would be properly processed by the rsa_equiv function. This required some tweaking of the KEX_ALGORITHMS data table, which you can see in r35244. The second patch looks generally good. I'll take a closer look and commit it tomorrow. Thanks! Dan On Mon, Aug 24, 2015 at 4:01 PM, Brandon Paulsen <pauls658 () d umn edu> wrote
For 172, the issue turned out to be an error in tls.lua. The functions unpack_dhparams and unpack_ecdhparams both use the length of the public key in bytes for calculating strength when they should use the length in bits. My first patch simply multiplies the length in bytes by 8 when calculating strength. Also, I checked for dependencies on these functions and ssl-enum-ciphers appears to be the only script that uses these functions, so this change shouldn't break anyone's scripts.
For 173, my patch does two things. First it adds a function called lua_push_ecdhparams in nse_ssl_cert.cc. This function extracts the name of the elliptic curve being used or the curve type if an unnamed curve is used, and it pushes it into the return value as described in my previous email [1]. I was originally going to extract the curve parameters if an explicit curve is being used, but I decided to leave it out because its such a rare case (RFC 5280 2.1.1 actually says explicit curves are not allowed in X.509) and it might also cause nmap to crash if it were to process a malformed certificate. I left a comment briefly stating why it was left out. Second, the patch modifies ssl-enum-ciphers so that it will print the name of the curve if a named curve is used, or it will print out the curve type and strength if an unnamed curve is used. I felt it was necessary to include some indication that an unnamed curve was being used because openssl recommends against it [2]. Feedback is greatly appreciated. Brandon [1] http://seclists.org/nmap-dev/2015/q3/133 [2] https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography#Defining_Curves _______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Patch for issue 172 and 173 Brandon Paulsen (Aug 24)
- Re: Patch for issue 172 and 173 Daniel Miller (Sep 15)
- Re: Patch for issue 172 and 173 Daniel Miller (Sep 17)
- Re: Patch for issue 172 and 173 Daniel Miller (Sep 15)