Documentation
¶
Index ¶
- Variables
- func GetAllCipherSuiteNumbers() []uint16
- type CertificateMessage
- type CipherConfig
- func (cc *CipherConfig) ComputeContextFreeMetric(config CipherConfigParameters) (metric CipherMetrics)
- func (cc *CipherConfig) GetEncryptionKeyLength() int
- func (cc *CipherConfig) GetKeyExchangeKeyLength(cipher, protocol uint16, scan ScanResult) int
- func (cc *CipherConfig) GetMACPRFStrength() int
- func (cc *CipherConfig) IsAuthenticated() bool
- type CipherConfigParameters
- type CipherMetrics
- type CipherMetricsSorter
- type HelloAndKey
- type HostAndPort
- type HumanCertificate
- type HumanScanResult
- type KeyExchangeAlgorithm
- type PersistedScanRequest
- type ScanConfig
- type ScanProgress
- type ScanRequest
- type ScanResult
- type ScanResultSorter
- type ScanResultSummary
- type SecurityScore
- type ServerHelloMessage
- type ServerKeyExchangeMsg
- type TLSAuditConfig
- type TLSAuditSnapshot
- type TLSAuditSnapshotHuman
Constants ¶
This section is empty.
Variables ¶
var ( //NamedCurves are named elliptic curve //see https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8 NamedCurves = map[uint16]string{ 0: "Reserved", 1: "sect163k1", 2: "sect163r1", 3: "sect163r2", 4: "sect193r1", 5: "sect193r2", 6: "sect233k1", 7: "sect233r1", 8: "sect239k1", 9: "sect283k1", 10: "sect283r1", 11: "sect409k1", 12: "sect409r1", 13: "sect571k1", 14: "sect571r1", 15: "secp160k1", 16: "secp160r1", 17: "secp160r2", 18: "secp192k1", 19: "secp192r1", 20: "secp224k1", 21: "secp224r1", 22: "secp256k1", 23: "secp256r1", 24: "secp384r1", 25: "secp521r1", 26: "brainpoolP256r1", 27: "brainpoolP384r1", 28: "brainpoolP512r1", 29: "x25519", 30: "x448", 256: "ffdhe2048", 257: "ffdhe3072", 258: "ffdhe4096", 259: "ffdhe6144", 260: "ffdhe8192", 65281: "arbitrary_explicit_prime_curves", 65282: "arbitrary_explicit_char2_curves", } //NamedCurveStrength maps named eliptic curve to comparable RSA length //For comparable strengths of EC named curves see //1. https://www.ietf.org/rfc/rfc5114.txt (see section 4, security considerations) //2. https://www.ietf.org/rfc/rfc5480.txt and //3. pp 133 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf NamedCurveStrength = map[uint16]int{ 0: -1, 1: -1, 2: -1, 3: -1, 4: -1, 5: -1, 6: -1, 7: -1, 8: -1, 9: -1, 10: -1, 11: -1, 12: -1, 13: -1, 14: -1, 15: -1, 16: -1, 17: -1, 18: -1, 19: 1024, 20: 2048, 21: 2048, 22: 3072, 23: 3072, 24: 7680, 25: 15360, 26: 3072, 27: 7680, 28: 15360, 29: 3072, 30: 7680, 256: 2048, 257: 3072, 258: 4096, 259: 6144, 260: 8192, 65281: -1, 65282: -1, } // CipherSuiteMap - list of ciphersuites based on: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml // For CSV: https://www.iana.org/assignments/tls-parameters/tls-parameters-4.csv // reserved/unknown items are excluded. CipherSuiteMap = map[uint16]string{}/* 334 elements not displayed */ // AllCipherSuites is the numerical values of the ciphersuites AllCipherSuites []uint16 //VersionSSL20 is the protocol code of SSL v2.0 VersionSSL20 uint16 = 0x0002 //VersionTLS13 is the protocol code of TLS v1.3 see https://datatracker.ietf.org/doc/rfc8446 VersionTLS13 uint16 = 0x0304 //TLSVersions an array of supported TLS versions TLSVersions = []uint16{VersionSSL20, tls.VersionSSL30, tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12} //TLSVersionMap a mapping from TLS version to a string representation TLSVersionMap = map[uint16]string{ VersionSSL20: "SSL v2.0", tls.VersionSSL30: "SSL v3.0", tls.VersionTLS10: "TLS v1.0", tls.VersionTLS11: "TLS v1.1", tls.VersionTLS12: "TLS v1.2", VersionTLS13: "TLS v1.3", } //AllALPNProtos Application Layer Protocol Negotiation. See defined list at https://tools.ietf.org/html/rfc7301#section-6 AllALPNProtos = []string{"spdy/3", "spdy/2", "spdy/1", "http/1.1"} //NkxErrorMessage error message NkxErrorMessage = "Not a key exchange message" )
Functions ¶
func GetAllCipherSuiteNumbers ¶
func GetAllCipherSuiteNumbers() []uint16
GetAllCipherSuiteNumbers returns all the cipher suit numerical values
Types ¶
type CertificateMessage ¶
CertificateMessage simply exporting the internal certificateMsg
func (CertificateMessage) GetCertificates ¶
func (cert CertificateMessage) GetCertificates() (certs []*x509.Certificate, e error)
GetCertificates returns the list of certificates in a TLS certificate message
type CipherConfig ¶ added in v0.1.9
type CipherConfig struct {
CipherID uint16
Cipher string
KeyExchange string
Authentication string
IsExport bool
SupportsForwardSecrecy bool
Encryption string
MACPRF string //MAC (TLS <=1.1) or PseudoRandomFunction (TLS >= 1.2)
}
CipherConfig extracts the important elements of a Ciphersuit based on its name
func GetCipherConfig ¶ added in v0.1.9
func GetCipherConfig(cipher uint16) (config CipherConfig, err error)
GetCipherConfig extracts a `CipherConfig` using the Cipher's IANA string name Details here https://www.iana.org/assignments/tls-parameters/tls-parameters.txt
func (*CipherConfig) ComputeContextFreeMetric ¶ added in v0.1.27
func (cc *CipherConfig) ComputeContextFreeMetric(config CipherConfigParameters) (metric CipherMetrics)
ComputeContextFreeMetric calculates interesting metrics about the cipher
func (*CipherConfig) GetEncryptionKeyLength ¶ added in v0.1.9
func (cc *CipherConfig) GetEncryptionKeyLength() int
GetEncryptionKeyLength returns the effective key lengths of encryption algorithms used in the cipher See https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf for details
func (*CipherConfig) GetKeyExchangeKeyLength ¶ added in v0.1.9
func (cc *CipherConfig) GetKeyExchangeKeyLength(cipher, protocol uint16, scan ScanResult) int
GetKeyExchangeKeyLength returns the key length indicated by the cipher
func (*CipherConfig) GetMACPRFStrength ¶ added in v0.1.27
func (cc *CipherConfig) GetMACPRFStrength() int
GetMACPRFStrength returns the relative strength of the MAC/PRF algorithm
func (*CipherConfig) IsAuthenticated ¶ added in v0.1.9
func (cc *CipherConfig) IsAuthenticated() bool
IsAuthenticated returns whether the cipher supports authentication
type CipherConfigParameters ¶ added in v0.1.27
type CipherConfigParameters struct {
RSABitLength int //The RSA key from the certificate
NamedCurveStrength int
NamedCurves []string //The named curves that have the indicated strength
}
CipherConfigParameters contains information about Parameters for determining the key length of key exchange algorithms and other cipher parameters
type CipherMetrics ¶ added in v0.1.27
type CipherMetrics struct {
Authentication int
KeyExchangeStrength int
ForwardSecrecy int
EncryptionKeyStrength int
MacPRF int
Performance int
OverallScore int
ConfigParams CipherConfigParameters
CipherConfig CipherConfig
}
CipherMetrics are various metrics of interest to compare ciphers as the bases for various desirable property ordering such as security and performance
func EnumerateCipherMetrics ¶ added in v0.1.27
func EnumerateCipherMetrics() (metrics []CipherMetrics)
EnumerateCipherMetrics enumerates metrics for ciphers along multiple config axes
type CipherMetricsSorter ¶ added in v0.1.27
type CipherMetricsSorter []CipherMetrics
CipherMetricsSorter sorts scan results by server IP and port
func (CipherMetricsSorter) Len ¶ added in v0.1.27
func (k CipherMetricsSorter) Len() int
func (CipherMetricsSorter) Less ¶ added in v0.1.27
func (k CipherMetricsSorter) Less(i, j int) bool
func (CipherMetricsSorter) Swap ¶ added in v0.1.27
func (k CipherMetricsSorter) Swap(i, j int)
type HelloAndKey ¶
type HelloAndKey struct {
Hello ServerHelloMessage
Key ServerKeyExchangeMsg
HasKey bool
}
HelloAndKey bundles server hello and ServerKeyExchange messages
type HostAndPort ¶
HostAndPort is a model representing a hostname and a given port
type HumanCertificate ¶ added in v0.1.22
type HumanCertificate struct {
Subject string
SubjectSerialNo string
SubjectCN string
SubjectAN string
SerialNumber string
Issuer string
PublicKeyAlgorithm string
ValidFrom string
ValidUntil string
Key string
SignatureAlgorithm string
Signature string
OcspStapling bool
RevocationDetail string
}
HumanCertificate is a "string" representation of various attributes of a certificate
type HumanScanResult ¶
type HumanScanResult struct {
Server string
HostName string
Port string
SupportsTLS bool
SupportedProtocols []string
HasCipherPreferenceOrderByProtocol map[string]bool
CipherPreferenceOrderByProtocol map[string][]string
OcspStaplingByProtocol map[string]bool
SelectedCipherByProtocol map[string]string
ALPNByProtocol map[string]string
SecureRenegotiationSupportedByProtocol map[string]bool
CipherSuiteByProtocol map[string][]string
// ServerHelloMessageByProtocolByCipher map[string]map[string]ServerHelloMessage
CertificatesPerProtocol map[string][]HumanCertificate
// KeyExchangeByProtocolByCipher map[string]map[string]ServerKeyExchangeMsg
IsSTARTLS bool
IsSSH bool
SupportsTLSFallbackSCSV bool
Score SecurityScore
}
HumanScanResult is a Stringified version of ScanResult
type PersistedScanRequest ¶ added in v0.1.18
type PersistedScanRequest struct {
Request ScanRequest
Hosts []string
ScanStart time.Time
ScanEnd time.Time
Progress int
}
PersistedScanRequest persisted version of ScanRequest
func UnmasharlPersistedScanRequest ¶ added in v0.1.18
func UnmasharlPersistedScanRequest(data []byte) (PersistedScanRequest, error)
UnmasharlPersistedScanRequest builds PersistedScanRequest from bytes
func (PersistedScanRequest) Marshall ¶ added in v0.1.18
func (psr PersistedScanRequest) Marshall() []byte
Marshall scan request
type ScanConfig ¶
type ScanConfig struct {
ProtocolsOnly bool
Timeout int
//Number of Packets per Second to send out during underlying port scan
PacketsPerSecond int
//Suppress certificate output
HideCerts bool
//control whether to produce a running commentary of scan progress or stay quiet till the end
Quiet bool
ServicePort int
}
ScanConfig describes details of how the TLS scan should be carried out
type ScanProgress ¶ added in v0.1.10
type ScanProgress struct {
ScanID string
Progress float32
ScanResults []HumanScanResult // this is the latest scan results delta, at the end of scan all cummulative scans are sent
Narrative string //freeflow text
}
ScanProgress contains partial scam results with an indication of progress
type ScanRequest ¶ added in v0.1.10
type ScanRequest struct {
CIDRs []string
Config ScanConfig
Day string //Date the scan was run in the format yyyy-mm-dd
ScanID string //Non-empty ScanID means this is a ScanRequest to resume an existing, possibly incomplete, scan
}
ScanRequest is a model to describe a given TLS Audit scan
type ScanResult ¶
type ScanResult struct {
Server string
Port string
SupportedProtocols []uint16
HasCipherPreferenceOrderByProtocol map[uint16]bool
CipherPreferenceOrderByProtocol map[uint16][]uint16
OcspStaplingByProtocol map[uint16]bool
SelectedCipherByProtocol map[uint16]uint16
ALPNByProtocol map[uint16]string
SecureRenegotiationSupportedByProtocol map[uint16]bool
CipherSuiteByProtocol map[uint16][]uint16
ServerHelloMessageByProtocolByCipher map[uint16]map[uint16]ServerHelloMessage
CertificatesPerProtocol map[uint16]CertificateMessage
KeyExchangeByProtocolByCipher map[uint16]map[uint16]ServerKeyExchangeMsg
IsSTARTLS bool
IsSSH bool
SupportsTLSFallbackSCSV bool
}
ScanResult is the scan result of a server TLS settings
func UnmarsharlScanResult ¶ added in v0.1.18
func UnmarsharlScanResult(data []byte) ([]ScanResult, error)
UnmarsharlScanResult builds ScanResults from bytes
func (*ScanResult) CalculateScore ¶ added in v0.1.9
func (s *ScanResult) CalculateScore() (result SecurityScore)
CalculateScore computes an SSLLab-esque score for the scan https://github.com/ssllabs/research/wiki/SS https://community.qualys.com/docs/DOC-6321-ssl-labs-grading-2018 SecurityScoreL-Server-Rating-Guide contains the overall grading of a TLS/SSL port
func (ScanResult) String ¶
func (s ScanResult) String() string
func (ScanResult) SupportsTLS ¶
func (s ScanResult) SupportsTLS() bool
SupportsTLS determines whether the port on the specified server supports TLS at all
func (ScanResult) ToJSON ¶
func (s ScanResult) ToJSON() (js string)
ToJSON returns a JSON-formatted string representation of the ScanResult
func (ScanResult) ToString ¶
func (s ScanResult) ToString(config ScanConfig) (result string)
ToString generates a string output
func (ScanResult) ToStringStruct ¶
func (s ScanResult) ToStringStruct() (out HumanScanResult)
ToStringStruct returns a string-decoded form of ScanResult
type ScanResultSorter ¶ added in v0.1.18
type ScanResultSorter []ScanResult
ScanResultSorter sorts scan results by server IP and port
func (ScanResultSorter) Len ¶ added in v0.1.18
func (k ScanResultSorter) Len() int
func (ScanResultSorter) Less ¶ added in v0.1.18
func (k ScanResultSorter) Less(i, j int) bool
func (ScanResultSorter) Swap ¶ added in v0.1.18
func (k ScanResultSorter) Swap(i, j int)
type ScanResultSummary ¶ added in v0.1.21
type ScanResultSummary struct {
Request ScanRequest
ScanStart time.Time
ScanEnd time.Time
Progress int
HostCount int
PortCount int
BestGrade string
WorstGrade string
HostGrades map[string]string
GradeToHostPorts map[string][]string
}
ScanResultSummary is the summary of a scan result session
type SecurityScore ¶ added in v0.1.9
type SecurityScore struct {
ProtocolScore int
KeyExchangeScore int
CipherEncryptionScore int
CertificateScore int
Grade string
Warnings []string
}
SecurityScore contains the overall grading of a TLS/SSL port
func (SecurityScore) OrderGrade ¶ added in v0.1.21
func (SecurityScore) OrderGrade(grade string) int
OrderGrade allows a simple numeric ordering of TLS grades. Actual values don't matter
type ServerHelloMessage ¶
type ServerHelloMessage struct {
Raw []byte
Vers uint16
Random []byte
SessionId []byte
CipherSuite uint16
CompressionMethod uint8
NextProtoNeg bool
NextProtos []string
OcspStapling bool
Scts [][]byte
TicketSupported bool
SecureRenegotiation []byte
SecureRenegotiationSupported bool
AlpnProtocol string
}
ServerHelloMessage is the TLS server hello message
type ServerKeyExchangeMsg ¶
ServerKeyExchangeMsg is the key exchange message
type TLSAuditConfig ¶ added in v0.1.22
type TLSAuditConfig struct {
DailySchedules []string `yaml:"dailySchedules"` // in the format 13:45, 01:20 etc
ServicePort int `yaml:"servicePort"`
IsProduction bool `yaml:"isProduction"`
PacketsPerSecond int `yaml:"packetsPerSecond"`
Timeout int `yaml:"timeout"`
CIDRRanges []string `yaml:"cidrRanges"`
}
TLSAuditConfig is the configuration of the nmap runner
type TLSAuditSnapshot ¶ added in v0.1.22
type TLSAuditSnapshot struct {
Timestamp time.Time
ScanResults []ScanResult
}
TLSAuditSnapshot a snapshot representing the results of a given scan session
type TLSAuditSnapshotHuman ¶ added in v0.1.22
type TLSAuditSnapshotHuman struct {
Timestamp time.Time
ScanResults []HumanScanResult
}
TLSAuditSnapshotHuman a snapshot representing the results of a given scan session
Source Files