
Simplify Nsock SSL init API

Replaced nsock_pool_ssl_init_max_speed() with an NSOCK_SSL_MAX_SPEED
flag passed to nsock_pool_ssl_init(). The default (flags=0) means
secure.
henri
2015-06-27 08:21:22 +00:00
parent 0348359f60
commit fd40b8df08
6 changed files with 38 additions and 59 deletions


@@ -889,7 +889,7 @@ int ncat_connect(void)
nsock_pool_set_broadcast(mypool, 1); nsock_pool_set_broadcast(mypool, 1);
#ifdef HAVE_OPENSSL #ifdef HAVE_OPENSSL
set_ssl_ctx_options((SSL_CTX *) nsock_pool_ssl_init(mypool)); set_ssl_ctx_options((SSL_CTX *) nsock_pool_ssl_init(mypool, 0));
#endif #endif
if (!o.proxytype) { if (!o.proxytype) {


@@ -1110,7 +1110,7 @@ LUALIB_API int luaopen_nsock (lua_State *L)
#if HAVE_OPENSSL #if HAVE_OPENSSL
/* Value speed over security in SSL connections. */ /* Value speed over security in SSL connections. */
nsock_pool_ssl_init_max_speed(nsp); nsock_pool_ssl_init(nsp, NSOCK_SSL_MAX_SPEED);
#endif #endif
luaL_newlibtable(L, l_nsock); luaL_newlibtable(L, l_nsock);


@@ -230,13 +230,24 @@ void nsock_pool_set_device(nsock_pool nsp, const char *device);
/* Initializes an Nsock pool to create SSL connections. This sets an internal /* Initializes an Nsock pool to create SSL connections. This sets an internal
* SSL_CTX, which is like a template that sets options for all connections that * SSL_CTX, which is like a template that sets options for all connections that
* are made from it. Returns the SSL_CTX so you can set your own options. */ * are made from it. Returns the SSL_CTX so you can set your own options.
nsock_ssl_ctx nsock_pool_ssl_init(nsock_pool ms_pool); *
* Use the NSOCK_SSL_MAX_SPEED to emphasize speed over security.
/* Initializes an Nsock pool to create SSL connections that emphasize speed over * Insecure ciphers are used when they are faster and no certificate
* security. Insecure ciphers are used when they are faster and no certificate * verification is done.
* verification is done. Returns the SSL_CTX so you can set your own options. */ *
nsock_ssl_ctx nsock_pool_ssl_init_max_speed(nsock_pool ms_pool); * Returns the SSL_CTX so you can set your own options.
* By default, do no server certificate verification. To enable it, do
* something like:
* SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
*
* on the SSL_CTX returned. If you do, it is then up to the application to
* load trusted certificates with SSL_CTX_load_verify_locations or
* SSL_CTX_set_default_verify_paths, or else every connection will fail. It
* is also up to the application to do any further checks such as domain name
* validation. */
#define NSOCK_SSL_MAX_SPEED (1 << 0)
nsock_ssl_ctx nsock_pool_ssl_init(nsock_pool ms_pool, int flags);
/* Enforce use of a given IO engine. /* Enforce use of a given IO engine.
* The engine parameter is a zero-terminated string that will be * The engine parameter is a zero-terminated string that will be
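Review bot: The new header comment describes NSOCK_SSL_MAX_SPEED as using insecure ciphers and skipping certificate verification, but the nsock_ssl.c hunk on this page sets SSL_VERIFY_NONE unconditionally, so the no-verification part is true of both modes, while two things the flag actually changes are not mentioned: SSLv2 is not disabled (SSL_OP_NO_SSLv2 is dropped) and the RAND_status seeding check is skipped. The sentence `* Use the NSOCK_SSL_MAX_SPEED to emphasize speed over security.` is also missing a noun. I would reword the flag paragraph as `* Use the NSOCK_SSL_MAX_SPEED flag to emphasize speed over security: insecure ciphers are used when they are faster, SSLv2 is not disabled, and the PRNG seeding check is skipped.` and let the "By default, do no server certificate verification" paragraph that follows stand as the statement for both modes.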


@@ -397,7 +397,7 @@ nsock_event_id nsock_connect_ssl(nsock_pool nsp, nsock_iod nsiod, nsock_ev_handl
struct nevent *nse; struct nevent *nse;
if (!ms->sslctx) if (!ms->sslctx)
nsock_pool_ssl_init(ms); nsock_pool_ssl_init(ms, 0);
assert(nsi->state == NSIOD_STATE_INITIAL || nsi->state == NSIOD_STATE_UNKNOWN); assert(nsi->state == NSIOD_STATE_INITIAL || nsi->state == NSIOD_STATE_UNKNOWN);
@@ -435,7 +435,7 @@ nsock_event_id nsock_reconnect_ssl(nsock_pool nsp, nsock_iod nsiod, nsock_ev_han
struct nevent *nse; struct nevent *nse;
if (!ms->sslctx) if (!ms->sslctx)
nsock_pool_ssl_init(ms); nsock_pool_ssl_init(ms, 0);
nse = event_new(ms, NSE_TYPE_CONNECT_SSL, nsi, timeout_msecs, handler, userdata); nse = event_new(ms, NSE_TYPE_CONNECT_SSL, nsi, timeout_msecs, handler, userdata);
assert(nse); assert(nse);


@@ -80,8 +80,7 @@
extern struct timeval nsock_tod; extern struct timeval nsock_tod;
/* Create an SSL_CTX and do initialization that is common to nsock_pool_ssl_init and /* Create an SSL_CTX and do initialization that is common to all init modes. */
* nsock_pool_ssl_init_max_speed. */
static SSL_CTX *ssl_init_common() { static SSL_CTX *ssl_init_common() {
SSL_CTX *ctx; SSL_CTX *ctx;
@@ -109,65 +108,38 @@ static SSL_CTX *ssl_init_common() {
* are made from it. The connections made from this context will use only secure * are made from it. The connections made from this context will use only secure
* ciphers but no server certificate verification is done. Returns the SSL_CTX * ciphers but no server certificate verification is done. Returns the SSL_CTX
* so you can set your own options. */ * so you can set your own options. */
nsock_ssl_ctx nsock_pool_ssl_init(nsock_pool ms_pool) { nsock_ssl_ctx nsock_pool_ssl_init(nsock_pool ms_pool, int flags) {
struct npool *ms = (struct npool *)ms_pool; struct npool *ms = (struct npool *)ms_pool;
char rndbuf[128]; char rndbuf[128];
if (ms->sslctx == NULL) if (ms->sslctx == NULL)
ms->sslctx = ssl_init_common(); ms->sslctx = ssl_init_common();
/* get_random_bytes may or may not provide high-quality randomness. Add it to /* Get_random_bytes may or may not provide high-quality randomness. Add it to
* the entropy pool without increasing the entropy estimate (third argument of * the entropy pool without increasing the entropy estimate (third argument of
* RAND_add is 0). We rely on OpenSSL's entropy gathering, called implicitly * RAND_add is 0). We rely on OpenSSL's entropy gathering, called implicitly
* by RAND_status, to give us what we need, or else bail out if it fails. */ * by RAND_status, to give us what we need, or else bail out if it fails. */
get_random_bytes(rndbuf, sizeof(rndbuf)); get_random_bytes(rndbuf, sizeof(rndbuf));
RAND_add(rndbuf, sizeof(rndbuf), 0); RAND_add(rndbuf, sizeof(rndbuf), 0);
if (!RAND_status())
fatal("nsock_pool_ssl_init: Failed to seed OpenSSL PRNG (RAND_status returned false).");
/* By default, do no server certificate verification. To enable it, do if (!(flags & NSOCK_SSL_MAX_SPEED)) {
* something like: if (!RAND_status())
* SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); fatal("%s: Failed to seed OpenSSL PRNG"
* " (RAND_status returned false).", __func__);
* on the SSL_CTX returned. If you do, it is then up to the application to }
* load trusted certificates with SSL_CTX_load_verify_locations or
* SSL_CTX_set_default_verify_paths, or else every connection will fail. It
* is also up to the application to do any further checks such as domain name
* validation. */
SSL_CTX_set_verify(ms->sslctx, SSL_VERIFY_NONE, NULL);
/* SSL_OP_ALL sets bug-compatibility for pretty much everything. /* SSL_OP_ALL sets bug-compatibility for pretty much everything.
* SSL_OP_NO_SSLv2 disables the less-secure SSLv2 while allowing us to use the * SSL_OP_NO_SSLv2 disables the less-secure SSLv2 while allowing us to use the
* SSLv2-compatible SSLv23_client_method. */ * SSLv2-compatible SSLv23_client_method. */
SSL_CTX_set_options(ms->sslctx, SSL_OP_ALL|SSL_OP_NO_SSLv2);
if (!SSL_CTX_set_cipher_list(ms->sslctx, CIPHERS_SECURE)) {
fatal("Unable to set OpenSSL cipher list: %s",
ERR_error_string(ERR_get_error(), NULL));
}
return ms->sslctx;
}
/* Initializes an Nsock pool to create SSL connections that emphasize speed over
* security. Insecure ciphers are used when they are faster and no certificate
* verification is done. Returns the SSL_CTX so you can set your own options. */
nsock_ssl_ctx nsock_pool_ssl_init_max_speed(nsock_pool ms_pool) {
struct npool *ms = (struct npool *)ms_pool;
char rndbuf[128];
if (ms->sslctx == NULL)
ms->sslctx = ssl_init_common();
/* get_random_bytes may or may not provide high-quality randomness. */
get_random_bytes(rndbuf, sizeof(rndbuf));
RAND_seed(rndbuf, sizeof(rndbuf));
SSL_CTX_set_verify(ms->sslctx, SSL_VERIFY_NONE, NULL); SSL_CTX_set_verify(ms->sslctx, SSL_VERIFY_NONE, NULL);
SSL_CTX_set_options(ms->sslctx, SSL_OP_ALL); SSL_CTX_set_options(ms->sslctx, flags & NSOCK_SSL_MAX_SPEED ?
if (!SSL_CTX_set_cipher_list(ms->sslctx, CIPHERS_FAST)) { SSL_OP_ALL : SSL_OP_ALL|SSL_OP_NO_SSLv2);
if (!SSL_CTX_set_cipher_list(ms->sslctx, flags & NSOCK_SSL_MAX_SPEED ?
CIPHERS_FAST : CIPHERS_SECURE))
fatal("Unable to set OpenSSL cipher list: %s", fatal("Unable to set OpenSSL cipher list: %s",
ERR_error_string(ERR_get_error(), NULL)); ERR_error_string(ERR_get_error(), NULL));
}
return ms->sslctx; return ms->sslctx;
} }
@@ -201,11 +173,7 @@ int nsi_ssl_post_connect_verify(const nsock_iod nsockiod) {
#else /* NOT HAVE_OPENSSL */ #else /* NOT HAVE_OPENSSL */
nsock_ssl_ctx nsock_pool_ssl_init(nsock_pool ms_pool) { nsock_ssl_ctx nsock_pool_ssl_init(nsock_pool ms_pool, int flags) {
fatal("%s called with no OpenSSL support", __func__);
}
nsock_ssl_ctx nsock_pool_ssl_init_max_speed(nsock_pool ms_pool) {
fatal("%s called with no OpenSSL support", __func__); fatal("%s called with no OpenSSL support", __func__);
} }
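Review bot: In the rewritten nsock_pool_ssl_init the RAND_status() check is now skipped when NSOCK_SSL_MAX_SPEED is set, while both modes feed rndbuf through RAND_add(..., 0) with no entropy credit; the removed max-speed path used RAND_seed(), which OpenSSL documents as crediting the full buffer, so the fast path is the only one that can now continue with a PRNG OpenSSL considers unseeded (OpenSSL may seed itself lazily on first use, but nothing here checks that). Handshake nonce quality is not a trade-off a caller opts into by asking for faster ciphers, so I would drop the `if (!(flags & NSOCK_SSL_MAX_SPEED)) {` guard and call `if (!RAND_status()) fatal("%s: Failed to seed OpenSSL PRNG (RAND_status returned false).", __func__);` unconditionally, which also makes the preceding comment about relying on RAND_status true for both paths. Separately, the unchanged header comment above the function still says the context "will use only secure ciphers", which the flags parameter now contradicts; I would change that line to `* are made from it. Connections use CIPHERS_SECURE, or CIPHERS_FAST when flags` followed by `* contains NSOCK_SSL_MAX_SPEED, but no server certificate verification is done.`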


@@ -2766,7 +2766,7 @@ int service_scan(std::vector<Target *> &Targets) {
#if HAVE_OPENSSL #if HAVE_OPENSSL
/* We don't care about connection security in version detection. */ /* We don't care about connection security in version detection. */
nsock_pool_ssl_init_max_speed(nsp); nsock_pool_ssl_init(nsp, NSOCK_SSL_MAX_SPEED);
#endif #endif
launchSomeServiceProbes(nsp, SG); launchSomeServiceProbes(nsp, SG);