Nmap Development mailing list archives

Patch for issue 172 and 173


From: Brandon Paulsen <pauls658 () d umn edu>
Date: Mon, 24 Aug 2015 16:01:39 -0500

Hi list,

I've written two patches for issues 172 (https://github.com/nmap/nmap/issues/172)
and 173 (https://github.com/nmap/nmap/issues/173).

For 172, the issue turned out to be an error in tls.lua. The functions
unpack_dhparams and unpack_ecdhparams both use the length of the public key
in bytes for calculating strength when they should use the length in bits.
My first patch simply multiplies the length in bytes by 8 when calculating
strength. Also, I checked for dependencies on these functions and
ssl-enum-ciphers appears to be the only script that uses these functions,
so this change shouldn't break anyone's scripts.

For 173, my patch does two things. First it adds a function called
lua_push_ecdhparams in nse_ssl_cert.cc. This function extracts the name of
the elliptic curve being used or the curve type if an unnamed curve is
used, and it pushes it into the return value as described in my previous
email [1]. I was originally going to extract the curve parameters if an
explicit curve is being used, but I decided to leave it out because it's
such a rare case (RFC 5280 2.1.1 actually says explicit curves are not
allowed in X.509) and it might also cause Nmap to crash if it were to
process a malformed certificate. I left a comment briefly stating why it
was left out.
Second, the patch modifies ssl-enum-ciphers so that it will print the name
of the curve if a named curve is used, or it will print out the curve type
and strength if an unnamed curve is used. I felt it was necessary to
include some indication that an unnamed curve was being used because
OpenSSL recommends against it [2].

Feedback is greatly appreciated.

Brandon

[1] http://seclists.org/nmap-dev/2015/q3/133
[2] https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography#Defining_Curves

Attachment: 172.patch

Attachment: 173.patch
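
The units problem described for issue 172, shown as an added Python example that is not code from the patches or from tls.lua. It parses a TLS ServerDHParams structure (RFC 5246, section 7.4.3) and compares the byte count, the byte count times 8, and the exact bit length; the function names and the sample message are constructed for illustration, and only the DH case is covered.

```python
import struct

def read_vec16(buf, off):
    """Read a TLS opaque<1..2^16-1> vector: 2-byte big-endian length, then body."""
    if off + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from(">H", buf, off)
    end = off + 2 + n
    if n == 0 or end > len(buf):
        raise ValueError("vector length does not fit the message")
    return buf[off + 2:end], end

def parse_server_dh_params(buf):
    """Parse ServerDHParams (RFC 5246 7.4.3): dh_p, dh_g, dh_Ys."""
    fields, off = {}, 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        fields[name], off = read_vec16(buf, off)
    return fields, off

def strength_bytes(value):
    """Behaviour the email reports for issue 172: byte count used as strength."""
    return len(value)

def strength_bits(value):
    """Behaviour the email describes for the fix: byte count times 8."""
    return len(value) * 8

def exact_bits(value):
    """Bit length of the integer itself; leading zero bits are not counted."""
    return int.from_bytes(value, "big").bit_length()

def vec16(body):
    """Encode a body as a 2-byte length-prefixed vector (helper for the sample)."""
    return struct.pack(">H", len(body)) + body

# Constructed sample, not a real DH group: 256-byte modulus and public value.
SAMPLE_P = b"\xff" * 256
SAMPLE_YS = b"\x01" + b"\x00" * 255
SAMPLE = vec16(SAMPLE_P) + vec16(b"\x02") + vec16(SAMPLE_YS)

if __name__ == "__main__":
    params, used = parse_server_dh_params(SAMPLE)
    for name in ("dh_p", "dh_Ys"):
        v = params[name]
        print(name, strength_bytes(v), strength_bits(v), exact_bits(v))
```

The byte count understates the strength by a factor of 8, while bytes times 8 is an upper bound on the exact bit length of the value.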
