diff --git a/nselib/tls.lua b/nselib/tls.lua
index 9d64ca7c6..ccbc16935 100644
--- a/nselib/tls.lua
+++ b/nselib/tls.lua
@@ -654,7 +654,7 @@ local cipher_info_cache = {
 local function unpack_dhparams (blob, pos)
 local p, g, y
 pos, p, g, y = bin.unpack(">PPP", blob)
- return pos, {p=p, g=g, y=y}, rsa_equiv("dh", #p)
+ return pos, {p=p, g=g, y=y}, #p
 end
 local function unpack_ecdhparams (blob, pos)
@@ -665,7 +665,7 @@ local function unpack_ecdhparams (blob, pos)
 if eccurvetype == 1 then
 local p, a, b, base, order, cofactor
 pos, p, a, b, base, order, cofactor = bin.unpack("pppppp", blob, pos)
- strength = rsa_equiv("ec", #p)
+ strength = #p
 ret.curve_params = { ec_curve_type = "explicit_prime", prime_p=p, curve={a=a, b=b}, base=base, order=order, cofactor=cofactor
@@ -674,7 +674,7 @@ local function unpack_ecdhparams (blob, pos)
 local p = {}
 local m, basis
 pos, m, basis = bin.unpack(">SC", blob, pos)
- strength = rsa_equiv("ec", m)
+ strength = m
 if basis == 1 then -- ec_trinomial
 pos, p.k = bin.unpack("p", blob, pos)
 elseif basis == 2 then -- ec_pentanomial
@@ -695,7 +695,7 @@ local function unpack_ecdhparams (blob, pos)
 }
 local size = ret.curve_params.curve:match("(%d+)[rk]%d$")
 if size then
- strength = rsa_equiv("ec", tonumber(size))
+ strength = tonumber(size)
 end
 end
 pos, ret.public = bin.unpack("p", blob, pos)
@@ -723,9 +723,9 @@ end
 -- @param bits Size of key in bits
 -- @return Size in bits of RSA key with equivalent strength
 function rsa_equiv (ktype, bits)
- if ktype == "rsa" or ktype == "dsa" or ktype == "dh" then
+ if ktype == "rsa" or ktype == "dsa" then
 return bits
- elseif ktype == "ec" then
+ elseif ktype == "ec" or ktype == "dh" then
 if bits < 160 then
 return 512 -- Possibly down to 0, but details not published
 elseif bits < 224 then
@@ -765,7 +765,7 @@ KEX_ALGORITHMS.DH_anon_EXPORT = {
 }
 KEX_ALGORITHMS.ECDH_anon = {
 anon=true,
- type = "ecdh",
+ type = "ec",
 server_key_exchange = function (blob, protocol)
 local pos
 local ret = {}
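Review bot: `#p` in `unpack_dhparams` is the length of the string that `bin.unpack(">PPP", blob)` yields for the prime, which looks like a byte count, whereas `rsa_equiv` documents its `bits` argument as a size in bits. Now that the raw value is returned as the strength and converted later by the caller, a 1024-bit group would be reported and scored as 128. `return pos, {p=p, g=g, y=y}, #p * 8` would keep the units consistent. The same applies to `strength = #p` in the explicit-prime branch of `unpack_ecdhparams` (hunk at -665), while `m` and the named-curve size in the following hunks already appear to be bit counts.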
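Review bot: Moving `"dh"` into the `"ec"` branch of `rsa_equiv` sends finite-field Diffie-Hellman sizes through the curve-size table, so a DH prime would be rated as if it were an elliptic-curve field of the same length and a weak group could be scored well above its real strength. The later hunks relabel ECDHE_RSA, ECDHE_ECDSA and ECDHE_PSK as `type = "dh"` but ECDH_anon and ECDH_anon_EXPORT as `"ec"`, so one key-exchange family ends up under two names, and ssl-enum-ciphers prints `kex.type` next to the size. The finite-field entries (DH_anon_EXPORT, DH_RSA_EXPORT) are defined outside these hunks; if they also use `"dh"`, the two cases can no longer be told apart. Keeping `"dh"` with `"rsa"`/`"dsa"` and handling the curve-based exchanges under their own name, `elseif ktype == "ec" or ktype == "ecdh" then`, would avoid that. The body of `rsa_equiv` continues past the hunk.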
@@ -776,7 +776,7 @@ KEX_ALGORITHMS.ECDH_anon = {
 KEX_ALGORITHMS.ECDH_anon_EXPORT = {
 anon=true, export=true,
- type = "ecdh",
+ type = "ec",
 server_key_exchange = KEX_ALGORITHMS.ECDH_anon.server_key_exchange
 }
@@ -846,7 +846,7 @@ KEX_ALGORITHMS.DH_RSA_EXPORT={
 KEX_ALGORITHMS.ECDHE_RSA={
 pubkey="rsa",
- type = "ecdh",
+ type = "dh",
 server_key_exchange = function (blob, protocol)
 local pos
 local ret = {}
@@ -857,7 +857,7 @@ KEX_ALGORITHMS.ECDHE_RSA={
 }
 KEX_ALGORITHMS.ECDHE_ECDSA={
 pubkey="ec",
- type = "ecdh",
+ type = "dh",
 server_key_exchange = KEX_ALGORITHMS.ECDHE_RSA.server_key_exchange
 }
 KEX_ALGORITHMS.ECDH_ECDSA={
@@ -913,7 +913,7 @@ KEX_ALGORITHMS.PSK_DHE = KEX_ALGORITHMS.DHE_PSK --rfc5489
 KEX_ALGORITHMS.ECDHE_PSK={
- type = "ecdh",
+ type = "dh",
 server_key_exchange = function (blob, protocol)
 local pos
 local ret = {}
diff --git a/scripts/ssl-enum-ciphers.nse b/scripts/ssl-enum-ciphers.nse
index cec1d56ad..91f1e57ca 100644
--- a/scripts/ssl-enum-ciphers.nse
+++ b/scripts/ssl-enum-ciphers.nse
@@ -518,11 +518,12 @@ local function find_ciphers_group(host, port, protocol, group, scores)
 if kex.server_key_exchange and ske then
 local kex_info = kex.server_key_exchange(ske.data)
 if kex_info.strength then
- if kex_strength and kex_strength > kex_info.strength then
- kex_strength = kex_info.strength
+ local rsa_bits = tls.rsa_equiv(kex.type, kex_info.strength)
+ if kex_strength and kex_strength > rsa_bits then
+ kex_strength = rsa_bits
 scores.warnings["Key exchange parameters of lower strength than certificate key"] = true
 end
- kex_strength = kex_strength or kex_info.strength
+ kex_strength = kex_strength or rsa_bits
 extra = string.format("%s %d", kex.type, kex_info.strength)
 end
 end
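Review bot: `rsa_bits` is compared with `kex_strength` without a nil check, and the lines of `tls.rsa_equiv` visible in this commit return a value only for `"rsa"`, `"dsa"`, `"ec"` and `"dh"`; the function's tail is outside the diff, so whether it has a fallback cannot be confirmed here. If any `KEX_ALGORITHMS` entry carries another `type` (ECDH_ECDSA, for instance, is not touched by this commit), `kex_strength > rsa_bits` would raise a compare-with-nil error and abort enumeration for that cipher group. Wrapping the comparison and the assignment in `if rsa_bits then ... end`, or falling back with `local rsa_bits = tls.rsa_equiv(kex.type, kex_info.strength) or kex_info.strength`, keeps the script running. A one-line comment that `extra` deliberately shows the raw parameter size while the score uses the RSA-equivalent value would also help readers of the output. The enclosing `find_ciphers_group` starts and ends outside the hunk.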