Nmap Development mailing list archives

Re: [NSE][PATCH] OpenSSL bindings for NSE


From: David Fifield <david () bamsoftware com>
Date: Mon, 22 Sep 2008 17:47:21 -0600

On Fri, Sep 19, 2008 at 09:12:24AM +0200, Sven Klemm wrote:
> Hi everyone,
>
> here is the latest OpenSSL bindings patch for nmap including support for
> multiprecision integer arithmetics, message digests, hmac, symmetric
> encryption, symmetric decryption.
> Documentation for the new functions is also included.

Hi Sven. This is looking great. The documentation is especially
appreciated. This module will open a lot of doors for script developers
and I'd like to see it integrated.

Before that can be done, it must be made to degrade gracefully when
OpenSSL isn't available. I see that you have altered the makefile not to
build the module in that case. Patrick's recent change to allow script
scanning in the face of "require" errors also helps.

The way I see it, the remaining challenges are, when OpenSSL isn't
available, 1) to make sure the script engine skips over scripts that use
the openssl module without an error message, except at higher verbosity
levels, and 2) to make sure --script-updatedb works. A minor issue is
the removal of the current hash module, but that's small enough that it
can be handled as part of the merge.

Is it possible to modify SSH-hostkey.nse to keep it from throwing an
error if openssl isn't available? If so, please do it. If it's not hard
to do, it can become the standard technique for using OpenSSL in
scripts. A solution that didn't require any script modifications would
be better, but one that only requires one or two lines in each
openssl-using script would be fine.

By the way, I just did "./configure --without-openssl" to test. That's
how I found that --script-updatedb didn't work.

Merging the openssl module will remove a bit of existing functionality
in the no-OpenSSL case. Any scripts that now use the hash module would
now require OpenSSL, even though now they do not. That's because nbase
currently has copied some OpenSSL files to do hashing, and these would
be removed in preference of using the OpenSSL functions. I think that
loss is acceptable, particularly because OpenSSL is usually available,
but I want to be clear to everyone about what merging the openssl module
would mean.

David

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

