Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Patch for issue 172 and 173

From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 16 Sep 2015 00:00:07 -0500
Brandon,

Thanks for taking the time to address these issues. I applied your first
idea after ensuring that the newly calculated strengths would be properly
processed by the rsa_equiv function. This required some tweaking of the
KEX_ALGORITHMS data table, which you can see in r35244.

The second patch looks generally good. I'll take a closer look and commit
it tomorrow. Thanks!

Dan

On Mon, Aug 24, 2015 at 4:01 PM, Brandon Paulsen <pauls658 () d umn edu> wrote



For 172, the issue turned out to be an error in tls.lua. The functions
unpack_dhparams and unpack_ecdhparams both use the length of the public key
in bytes for calculating strength when they should use the length in bits.
My first patch simply multiplies the length in bytes by 8 when calculating
strength. Also, I checked for dependencies on these functions and
ssl-enum-ciphers appears to be the only script that uses these functions,
so this change shouldn't break anyone's scripts.







For 173, my patch does two things. First it adds a function called
lua_push_ecdhparams in nse_ssl_cert.cc. This function extracts the name of
the elliptic curve being used or the curve type if an unnamed curve is
used, and it pushes it into the return value as described in my previous
email [1]. I was originally going to extract the curve parameters if an
explicit curve is being used, but I decided to leave it out because its
such a rare case (RFC 5280 2.1.1 actually says explicit curves are not
allowed in X.509) and it might also cause nmap to crash if it were to
process a malformed certificate. I left a comment briefly stating why it
was left out.
Second, the patch modifies ssl-enum-ciphers so that it will print the name
of the curve if a named curve is used, or it will print out the curve type
and strength if an unnamed curve is used. I felt it was necessary to
include some indication that an unnamed curve was being used because
openssl recommends against it [2].

Feedback is greatly appreciated.

Brandon

[1] http://seclists.org/nmap-dev/2015/q3/133
[2]
https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography#Defining_Curves

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/


_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
Previous By Date Next
Previous By Thread Next

Current thread: