Let ssl-cert grab certs from DTLS services. Fix rules for TCP-only scripts

2025-12-06 04:31:29 +00:00 · 2024-06-03 19:00:33 +00:00
parent ff0b70f6dd
commit 74a88c0804
17 changed files with 39 additions and 32 deletions
--- a/nselib/sslcert.lua
+++ b/nselib/sslcert.lua
@@ -1004,18 +1004,26 @@ function getCertificate(host, port)
  local mutex = nmap.mutex("sslcert-cache-mutex")
  mutex "lock"

-  if ( host.registry["ssl-cert"] and
-    host.registry["ssl-cert"][port.number] ) then
+  local cache = host.registry["ssl-cert"]
+  if not cache then
+    cache = {}
+    host.registry["ssl-cert"] = cache
+  end
+  local key = ("%d%s"):format(port.number, port.protocol)
+  local cert = cache[key]
+
+  if cert then
    stdnse.debug2("sslcert: Returning cached SSL certificate")
    mutex "done"
-    return true, host.registry["ssl-cert"][port.number]
+    return true, cert
  end

-  local cert
-
-  local wrapper = SPECIALIZED_WRAPPED_TLS_WITHOUT_RECONNECT[port.service] or SPECIALIZED_WRAPPED_TLS_WITHOUT_RECONNECT[port.number]
+  local wrapper, specialized
+  if (port.protocol == "tcp") then
+    wrapper = SPECIALIZED_WRAPPED_TLS_WITHOUT_RECONNECT[port.service] or SPECIALIZED_WRAPPED_TLS_WITHOUT_RECONNECT[port.number]
    local special_table = have_openssl and SPECIALIZED_PREPARE_TLS or SPECIALIZED_PREPARE_TLS_WITHOUT_RECONNECT
-  local specialized = special_table[port.service] or special_table[port.number]
+    specialized = special_table[port.service] or special_table[port.number]
+  end

  local status = false

@@ -1051,10 +1059,8 @@ function getCertificate(host, port)

  -- Now try to connect with Nsock's SSL connection
  if not status and have_openssl then
-    local socket = nmap.new_socket()
-    local errmsg
-    status, errmsg = socket:connect(host, port, "ssl")
-    if not status then
+    local socket, errmsg = comm.opencon(host, port, nil, {proto="ssl"})
+    if not socket then
      stdnse.debug1("SSL connect error: %s", errmsg)
    else
      cert = socket:get_ssl_certificate()
@@ -1065,7 +1071,8 @@ function getCertificate(host, port)

  -- Finally, try to connect and manually handshake (maybe more tolerant of TLS
  -- insecurity than OpenSSL)
-  if not status then
+  -- TODO: DTLS handshaking
+  if not status and port.protocol == "tcp" then
    local socket = nmap.new_socket()
    local errmsg
    status, errmsg = socket:connect(host, port)
@@ -1082,9 +1089,7 @@ function getCertificate(host, port)
    return false, "No certificate found"
  end

-  host.registry["ssl-cert"] = host.registry["ssl-cert"] or {}
-  host.registry["ssl-cert"][port.number] = host.registry["ssl-cert"][port.number] or {}
-  host.registry["ssl-cert"][port.number] = cert
+  cache[key] = cert
  mutex "done"
  return true, cert
 end
--- a/scripts/http-vuln-cve2014-2126.nse
+++ b/scripts/http-vuln-cve2014-2126.nse
@@ -38,7 +38,7 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
 categories = {"vuln", "safe"}

 portrule = function(host, port)
-  return shortport.ssl(host, port) or sslcert.isPortSupported(port)
+  return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.isPortSupported(port))
 end

 action = function(host, port)
--- a/scripts/http-vuln-cve2014-2127.nse
+++ b/scripts/http-vuln-cve2014-2127.nse
@@ -37,7 +37,7 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
 categories = {"vuln", "safe"}

 portrule = function(host, port)
-  return shortport.ssl(host, port) or sslcert.isPortSupported(port)
+  return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.isPortSupported(port))
 end

 action = function(host, port)
--- a/scripts/http-vuln-cve2014-2128.nse
+++ b/scripts/http-vuln-cve2014-2128.nse
@@ -37,7 +37,7 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
 categories = {"vuln", "safe"}

 portrule = function(host, port)
-  return shortport.ssl(host, port) or sslcert.isPortSupported(port)
+  return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.isPortSupported(port))
 end

 action = function(host, port)
--- a/scripts/http-vuln-cve2014-2129.nse
+++ b/scripts/http-vuln-cve2014-2129.nse
@@ -37,7 +37,7 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
 categories = {"vuln", "safe"}

 portrule = function(host, port)
-  return shortport.ssl(host, port) or sslcert.isPortSupported(port)
+  return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.isPortSupported(port))
 end

 action = function(host, port)
--- a/scripts/ssl-ccs-injection.nse
+++ b/scripts/ssl-ccs-injection.nse
@@ -69,7 +69,7 @@ categories = { "vuln", "safe" }
 dependencies = {"https-redirect"}

 portrule = function(host, port)
- return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
+  return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port))
 end

 local Error = {
--- a/scripts/ssl-date.nse
+++ b/scripts/ssl-date.nse
@@ -40,7 +40,7 @@ categories = {"discovery", "safe", "default"}
 dependencies = {"https-redirect"}

 portrule = function(host, port)
-  return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
+  return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port))
 end

 -- Miscellaneous script-wide constants
--- a/scripts/ssl-dh-params.nse
+++ b/scripts/ssl-dh-params.nse
@@ -788,7 +788,7 @@ end


 portrule = function(host, port)
-  return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
+  return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port))
 end

 local function format_check(t, label)
--- a/scripts/ssl-enum-ciphers.nse
+++ b/scripts/ssl-enum-ciphers.nse
@@ -1095,7 +1095,7 @@ local function try_protocol(host, port, protocol, upresults)
 end

 portrule = function (host, port)
-  return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
+  return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port))
 end

 action = function(host, port)
--- a/scripts/ssl-heartbleed.nse
+++ b/scripts/ssl-heartbleed.nse
@@ -47,7 +47,7 @@ dependencies = {"https-redirect"}
 local arg_protocols = stdnse.get_script_args(SCRIPT_NAME .. ".protocols") or {'TLSv1.0', 'TLSv1.1', 'TLSv1.2'}

 portrule = function(host, port)
-  return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
+  return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port))
 end

 local function recvhdr(s)
--- a/scripts/ssl-known-key.nse
+++ b/scripts/ssl-known-key.nse
@@ -103,7 +103,9 @@ local get_fingerprints = function(path)
  return true, fingerprints
 end

-portrule = shortport.ssl
+portrule = function(host, port)
+  return shortport.ssl(host, port) or sslcert.isPortSupported(port) or sslcert.getPrepareTLSWithoutReconnect(port)
+end

 action = function(host, port)
  -- Get script arguments.
--- a/scripts/ssl-poodle.nse
+++ b/scripts/ssl-poodle.nse
@@ -308,7 +308,7 @@ local function check_fallback_scsv(host, port, protocol, ciphers)
 end

 portrule = function (host, port)
-  return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
+  return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port))
 end

 action = function(host, port)
--- a/scripts/sslv2-drown.nse
+++ b/scripts/sslv2-drown.nse
@@ -95,7 +95,7 @@ for k, v in pairs(sslv2.SSL_CIPHERS) do
 end

 portrule = function(host, port)
-  return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
+  return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port))
 end

 -- Return whether all values of "t1" are also values in "t2".
--- a/scripts/sslv2.nse
+++ b/scripts/sslv2.nse
@@ -40,7 +40,7 @@ categories = {"default", "safe"}


 portrule = function(host, port)
-  return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
+  return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port))
 end

 action = function(host, port)
--- a/scripts/tls-alpn.nse
+++ b/scripts/tls-alpn.nse
@@ -40,7 +40,7 @@ categories = {"discovery", "safe", "default"}
 dependencies = {"https-redirect"}

 portrule = function(host, port)
-  return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
+  return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port))
 end


--- a/scripts/tls-nextprotoneg.nse
+++ b/scripts/tls-nextprotoneg.nse
@@ -43,7 +43,7 @@ categories = {"discovery", "safe", "default"}
 dependencies = {"https-redirect"}

 portrule = function(host, port)
-  return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
+  return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port))
 end


--- a/scripts/tls-ticketbleed.nse
+++ b/scripts/tls-ticketbleed.nse
@@ -68,7 +68,7 @@ portrule = function(host, port)
    return false
  end

-  return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
+  return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port))
 end

 local function is_vuln(host, port, version)