PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-23 16:09:02 +00:00
Code Issues Projects Releases Wiki Activity

Gracefully handles case of openssl being missing. Cipherscores

Browse Source 
of those ciphers that require openssl are marked unkown.
Closes #115.
This commit is contained in:
gyani
2015-07-04 07:34:14 +00:00
parent a5bb16df1d
commit 29f57ea556
1 changed files with 7 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
scripts/ssl-enum-ciphers.nse
View File

@@ -138,6 +138,7 @@ categories = {"discovery", "intrusive"}
-- http://seclists.org/nmap-dev/2012/q3/156 -- http://seclists.org/nmap-dev/2012/q3/156
-- http://seclists.org/nmap-dev/2010/q1/859 -- http://seclists.org/nmap-dev/2010/q1/859
local CHUNK_SIZE = 64 local CHUNK_SIZE = 64
local have_ssl, _ = pcall(require,'openssl')
-- Add additional context (protocol) to debug output -- Add additional context (protocol) to debug output
local function ctx_log(level, protocol, fmt, ...) local function ctx_log(level, protocol, fmt, ...)
@@ -503,15 +504,13 @@ local function find_ciphers_group(host, port, protocol, group, scores)
kex_strength = 512 kex_strength = 512
end end
else else
if kex.pubkey then if have_ssl and kex.pubkey then
local certs = get_body(handshake, "type", "certificate") local certs = get_body(handshake, "type", "certificate")
-- Assume RFC compliance: -- Assume RFC compliance:
-- "The sender's certificate MUST come first in the list." -- "The sender's certificate MUST come first in the list."
-- This may not always be the case, so -- This may not always be the case, so
-- TODO: reorder certificates and validate entire chain -- TODO: reorder certificates and validate entire chain
-- TODO: certificate validation (date, self-signed, etc) -- TODO: certificate validation (date, self-signed, etc)
-- TODO: Handle this gracefully when OpenSSL is not compiled in
-- (throws error otherwise)
local c = sslcert.parse_ssl_certificate(certs.certificates[1]) local c = sslcert.parse_ssl_certificate(certs.certificates[1])
if c.pubkey.type == kex.pubkey then if c.pubkey.type == kex.pubkey then
local sigalg = c.sig_algorithm:match("([mM][dD][245])") local sigalg = c.sig_algorithm:match("([mM][dD][245])")
@@ -587,7 +586,6 @@ local function find_ciphers(host, port, protocol)
local results = {} local results = {}
local scores = {warnings={}} local scores = {warnings={}}
-- Try every cipher. -- Try every cipher.
for _, group in ipairs(ciphers) do for _, group in ipairs(ciphers) do
local chunk, protocol_worked = find_ciphers_group(host, port, protocol, group, scores) local chunk, protocol_worked = find_ciphers_group(host, port, protocol, group, scores)
@@ -819,7 +817,6 @@ local function try_protocol(host, port, protocol, upresults)
end end
-- Add rankings to ciphers -- Add rankings to ciphers
local cipherstr
for i, name in ipairs(ciphers) do for i, name in ipairs(ciphers) do
local outcipher = {name=name, kex_info=scores[name].extra, strength=scores[name].letter_grade} local outcipher = {name=name, kex_info=scores[name].extra, strength=scores[name].letter_grade}
setmetatable(outcipher,{ setmetatable(outcipher,{
@@ -908,6 +905,11 @@ function sorted_by_key(t)
end end
action = function(host, port) action = function(host, port)
if not have_ssl then
stdnse.verbose("OpenSSL not available; some cipher scores will be unkown.")
end
local results = {} local results = {}
local condvar = nmap.condvar(results) local condvar = nmap.condvar(results)