Documentation ¶
Index ¶
- Variables
- func GetAllCipherSuiteNumbers() []uint16
- type AdvancedScanRequest
- type CertificateMessage
- type CipherConfig
- func (cc *CipherConfig) ComputeContextFreeMetric(config CipherConfigParameters) (metric CipherMetrics)
- func (cc *CipherConfig) GetEncryptionKeyLength() int
- func (cc *CipherConfig) GetKeyExchangeKeyLength(cipher, protocol uint16, scan ScanResult) int
- func (cc *CipherConfig) GetMACPRFStrength() int
- func (cc *CipherConfig) IsAuthenticated() bool
- type CipherConfigParameters
- type CipherMetrics
- type CipherMetricsSorter
- type CurveID
- type GroupedHost
- type HelloAndKey
- type HostAndPort
- type HumanCertificate
- type HumanScanResult
- type KeyExchangeAlgorithm
- type KeyShare
- type PersistedScanRequest
- type ScanConfig
- type ScanData
- type ScanGroup
- type ScanProgress
- type ScanResult
- type ScanResultSorter
- type ScanResultSummary
- type SecurityScore
- type ServerHelloMessage
- type ServerKeyExchangeMsg
- type TLSAuditConfig
- type TLSAuditSnapshot
- type TLSAuditSnapshotHuman
Constants ¶
This section is empty.
Variables ¶
var ( //NamedCurves are named elliptic curve //see https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8 NamedCurves = map[uint16]string{ 0: "Reserved", 1: "sect163k1", 2: "sect163r1", 3: "sect163r2", 4: "sect193r1", 5: "sect193r2", 6: "sect233k1", 7: "sect233r1", 8: "sect239k1", 9: "sect283k1", 10: "sect283r1", 11: "sect409k1", 12: "sect409r1", 13: "sect571k1", 14: "sect571r1", 15: "secp160k1", 16: "secp160r1", 17: "secp160r2", 18: "secp192k1", 19: "secp192r1", 20: "secp224k1", 21: "secp224r1", 22: "secp256k1", 23: "secp256r1", 24: "secp384r1", 25: "secp521r1", 26: "brainpoolP256r1", 27: "brainpoolP384r1", 28: "brainpoolP512r1", 29: "x25519", 30: "x448", 256: "ffdhe2048", 257: "ffdhe3072", 258: "ffdhe4096", 259: "ffdhe6144", 260: "ffdhe8192", 65281: "arbitrary_explicit_prime_curves", 65282: "arbitrary_explicit_char2_curves", } //NamedCurveStrength maps named eliptic curve to comparable RSA length //For comparable strengths of EC named curves see //1. https://www.ietf.org/rfc/rfc5114.txt (see section 4, security considerations) //2. https://www.ietf.org/rfc/rfc5480.txt and //3. pp 133 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf NamedCurveStrength = map[uint16]int{ 0: -1, 1: -1, 2: -1, 3: -1, 4: -1, 5: -1, 6: -1, 7: -1, 8: -1, 9: -1, 10: -1, 11: -1, 12: -1, 13: -1, 14: -1, 15: -1, 16: -1, 17: -1, 18: -1, 19: 1024, 20: 2048, 21: 2048, 22: 3072, 23: 3072, 24: 7680, 25: 15360, 26: 3072, 27: 7680, 28: 15360, 29: 3072, 30: 7680, 256: 2048, 257: 3072, 258: 4096, 259: 6144, 260: 8192, 65281: -1, 65282: -1, } // CipherSuiteMap - list of ciphersuites based on: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml // For CSV: https://www.iana.org/assignments/tls-parameters/tls-parameters-4.csv // reserved/unknown/unassigned items are excluded. CipherSuiteMap = map[uint16]string{}/* 339 elements not displayed */ //TLS13Ciphers are newly introduced IANA ciphers for TLS v1.3 TLS13Ciphers = []uint16{ 0x1301, 0x1302, 0x1303, 0x1304, 0x1305, } // AllCipherSuites is the numerical values of the ciphersuites AllCipherSuites []uint16 //VersionSSL20 is the protocol code of SSL v2.0 VersionSSL20 uint16 = 0x0002 //VersionTLS13 is the protocol code of TLS v1.3 see https://datatracker.ietf.org/doc/rfc8446 VersionTLS13 uint16 = 0x0304 //TLSVersions an array of supported TLS versions TLSVersions = []uint16{VersionSSL20, tls.VersionSSL30, tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13} //TLSVersionMap a mapping from TLS version to a string representation TLSVersionMap = map[uint16]string{ VersionSSL20: "SSL v2.0", tls.VersionSSL30: "SSL v3.0", tls.VersionTLS10: "TLS v1.0", tls.VersionTLS11: "TLS v1.1", tls.VersionTLS12: "TLS v1.2", tls.VersionTLS13: "TLS v1.3", } //AllALPNProtos Application Layer Protocol Negotiation. See defined list at https://tools.ietf.org/html/rfc7301#section-6 AllALPNProtos = []string{"spdy/3", "spdy/2", "spdy/1", "http/1.1"} //NkxErrorMessage error message NkxErrorMessage = "Not a key exchange message" //ECDSASignatureAlgorithms ECDSA algorithms ECDSASignatureAlgorithms = []tls.SignatureScheme{ tls.ECDSAWithP521AndSHA512, tls.ECDSAWithP384AndSHA384, tls.ECDSAWithP256AndSHA256, tls.ECDSAWithSHA1, } //TLS13KeyExchange is a constant to identify a key exchange or MAC/PRF in a TLS3 cipher TLS13KeyExchange = "TLS3" )
Functions ¶
func GetAllCipherSuiteNumbers ¶
func GetAllCipherSuiteNumbers() []uint16
GetAllCipherSuiteNumbers returns all the cipher suit numerical values
Types ¶
type AdvancedScanRequest ¶ added in v0.5.4
type AdvancedScanRequest struct { Config ScanConfig //Next two fields will be automatically set once scan starts Day string //Date the scan was run in the format yyyy-mm-dd ScanID string //Non-empty ScanID means this is a ScanRequest to resume an existing, possibly incomplete, scan ScanGroups []ScanGroup }
AdvancedScanRequest is a model to describe a given TLS Audit scan
type CertificateMessage ¶
type CertificateMessage struct { // Raw []byte Certificates [][]byte Certs []*x509.Certificate }
CertificateMessage simply exporting the internal certificateMsg
func (*CertificateMessage) GetCertificates ¶
func (cert *CertificateMessage) GetCertificates() (certs []*x509.Certificate, e error)
GetCertificates returns the list of certificates in a TLS certificate message
type CipherConfig ¶ added in v0.1.9
type CipherConfig struct { CipherID uint16 Cipher string KeyExchange string Authentication string IsExport bool SupportsForwardSecrecy bool Encryption string MACPRF string //MAC (TLS <=1.1) or PseudoRandomFunction (TLS >= 1.2) }
CipherConfig extracts the important elements of a Ciphersuit based on its name
func GetCipherConfig ¶ added in v0.1.9
func GetCipherConfig(cipher uint16) (config CipherConfig, err error)
GetCipherConfig extracts a `CipherConfig` using the Cipher's IANA string name Details here https://www.iana.org/assignments/tls-parameters/tls-parameters.txt
func (*CipherConfig) ComputeContextFreeMetric ¶ added in v0.1.27
func (cc *CipherConfig) ComputeContextFreeMetric(config CipherConfigParameters) (metric CipherMetrics)
ComputeContextFreeMetric calculates interesting metrics about the cipher
func (*CipherConfig) GetEncryptionKeyLength ¶ added in v0.1.9
func (cc *CipherConfig) GetEncryptionKeyLength() int
GetEncryptionKeyLength returns the effective key lengths of encryption algorithms used in the cipher See https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf for details
func (*CipherConfig) GetKeyExchangeKeyLength ¶ added in v0.1.9
func (cc *CipherConfig) GetKeyExchangeKeyLength(cipher, protocol uint16, scan ScanResult) int
GetKeyExchangeKeyLength returns the key length indicated by the cipher
func (*CipherConfig) GetMACPRFStrength ¶ added in v0.1.27
func (cc *CipherConfig) GetMACPRFStrength() int
GetMACPRFStrength returns the relative strength of the MAC/PRF algorithm
func (*CipherConfig) IsAuthenticated ¶ added in v0.1.9
func (cc *CipherConfig) IsAuthenticated() bool
IsAuthenticated returns whether the cipher supports authentication
type CipherConfigParameters ¶ added in v0.1.27
type CipherConfigParameters struct { RSABitLength int //The RSA key from the certificate NamedCurveStrength int NamedCurves []string //The named curves that have the indicated strength }
CipherConfigParameters contains information about Parameters for determining the key length of key exchange algorithms and other cipher parameters
type CipherMetrics ¶ added in v0.1.27
type CipherMetrics struct { Authentication int KeyExchangeStrength int ForwardSecrecy int EncryptionKeyStrength int MacPRF int Performance int OverallScore int ConfigParams CipherConfigParameters CipherConfig CipherConfig }
CipherMetrics are various metrics of interest to compare ciphers as the bases for various desirable property ordering such as security and performance
func EnumerateCipherMetrics ¶ added in v0.1.27
func EnumerateCipherMetrics() (metrics []CipherMetrics)
EnumerateCipherMetrics enumerates metrics for ciphers along multiple config axes
type CipherMetricsSorter ¶ added in v0.1.27
type CipherMetricsSorter []CipherMetrics
CipherMetricsSorter sorts scan results by server IP and port
func (CipherMetricsSorter) Len ¶ added in v0.1.27
func (k CipherMetricsSorter) Len() int
func (CipherMetricsSorter) Less ¶ added in v0.1.27
func (k CipherMetricsSorter) Less(i, j int) bool
func (CipherMetricsSorter) Swap ¶ added in v0.1.27
func (k CipherMetricsSorter) Swap(i, j int)
type CurveID ¶ added in v0.5.5
type CurveID uint16
CurveID is the type of a TLS identifier for an elliptic curve. See https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8.
In TLS 1.3, this type is called NamedGroup, but at this time this library only supports Elliptic Curve based groups. See RFC 8446, Section 4.2.7.
type GroupedHost ¶ added in v0.5.4
GroupedHost exploded hosts from an associated ScanGroup
type HelloAndKey ¶
type HelloAndKey struct { Hello ServerHelloMessage Key ServerKeyExchangeMsg HasKey bool }
HelloAndKey bundles server hello and ServerKeyExchange messages
type HostAndPort ¶
HostAndPort is a model representing a hostname and a given port
type HumanCertificate ¶ added in v0.1.22
type HumanCertificate struct { Subject string SubjectSerialNo string SubjectCN string SubjectAN string SerialNumber string Issuer string PublicKeyAlgorithm string ValidFrom string ValidUntil string Key string SignatureAlgorithm string Signature string OcspStapling bool RevocationDetail string }
HumanCertificate is a "string" representation of various attributes of a certificate
type HumanScanResult ¶
type HumanScanResult struct { Server string HostName string Port string SupportsTLS bool SupportedProtocols []string HasCipherPreferenceOrderByProtocol map[string]bool CipherPreferenceOrderByProtocol map[string][]string OcspStaplingByProtocol map[string]bool SelectedCipherByProtocol map[string]string ALPNByProtocol map[string]string SecureRenegotiationSupportedByProtocol map[string]bool CipherSuiteByProtocol map[string][]string // ServerHelloMessageByProtocolByCipher map[string]map[string]ServerHelloMessage CertificatesPerProtocol map[string][]HumanCertificate // KeyExchangeByProtocolByCipher map[string]map[string]ServerKeyExchangeMsg IsSTARTLS bool IsSSH bool SupportsTLSFallbackSCSV bool Score SecurityScore GroupID int //ScanRequest Host Group index }
HumanScanResult is a Stringified version of ScanResult
type KeyShare ¶ added in v0.5.5
type KeyShare struct {}
KeyShare TLS 1.3 Key Share. See RFC 8446, Section 4.2.8.
type PersistedScanRequest ¶ added in v0.1.18
type PersistedScanRequest struct { Request AdvancedScanRequest GroupedHosts []GroupedHost ScanStart time.Time ScanEnd time.Time Progress int HostCount int }
PersistedScanRequest persisted version of ScanRequest
func UnmasharlPersistedScanRequest ¶ added in v0.1.18
func UnmasharlPersistedScanRequest(data []byte) (PersistedScanRequest, error)
UnmasharlPersistedScanRequest builds PersistedScanRequest from bytes
func (PersistedScanRequest) Marshall ¶ added in v0.1.18
func (psr PersistedScanRequest) Marshall() []byte
Marshall scan request
type ScanConfig ¶
type ScanConfig struct { ProtocolsOnly bool Timeout int //Number of Packets per Second to send out during underlying port scan PacketsPerSecond int //Suppress certificate output HideCerts bool //control whether to produce a running commentary of scan progress or stay quiet till the end Quiet bool ServicePort int }
ScanConfig describes details of how the TLS scan should be carried out
type ScanData ¶ added in v0.5.4
type ScanData struct { ScanRequest AdvancedScanRequest Results map[int][]HumanScanResult //ScanGroup index (in the ASR) -> human scan results }
ScanData is the Human-readable result of a given scan
type ScanGroup ¶ added in v0.5.4
type ScanGroup struct { Description string `yaml:"description"` //Freeform text used in reporting CIDRRanges []string `yaml:"cidrRanges"` }
ScanGroup is a grouping of CIDR ranges to be scanned with descriptions, useful for reporting
type ScanProgress ¶ added in v0.1.10
type ScanProgress struct { ScanID string Progress float32 ScanResults []HumanScanResult // this is the latest scan results delta, at the end of scan all cummulative scans are sent Narrative string //freeflow text }
ScanProgress contains partial scam results with an indication of progress
type ScanResult ¶
type ScanResult struct { Server string Port string SupportedProtocols []uint16 HasCipherPreferenceOrderByProtocol map[uint16]bool CipherPreferenceOrderByProtocol map[uint16][]uint16 OcspStaplingByProtocol map[uint16]bool SelectedCipherByProtocol map[uint16]uint16 ALPNByProtocol map[uint16]string SecureRenegotiationSupportedByProtocol map[uint16]bool CipherSuiteByProtocol map[uint16][]uint16 ServerHelloMessageByProtocolByCipher map[uint16]map[uint16]ServerHelloMessage CertificatesPerProtocol map[uint16]CertificateMessage KeyExchangeByProtocolByCipher map[uint16]map[uint16]ServerKeyExchangeMsg IsSTARTLS bool IsSSH bool SupportsTLSFallbackSCSV bool GroupID int //ScanRequest Host Group index }
ScanResult is the scan result of a server TLS settings
func UnmarsharlScanResult ¶ added in v0.1.18
func UnmarsharlScanResult(data []byte) ([]ScanResult, error)
UnmarsharlScanResult builds ScanResults from bytes
func (*ScanResult) CalculateScore ¶ added in v0.1.9
func (s *ScanResult) CalculateScore() (result SecurityScore)
CalculateScore computes an SSLLab-esque score for the scan https://github.com/ssllabs/research/wiki/SS https://community.qualys.com/docs/DOC-6321-ssl-labs-grading-2018 SecurityScoreL-Server-Rating-Guide contains the overall grading of a TLS/SSL port
func (ScanResult) String ¶
func (s ScanResult) String() string
func (ScanResult) SupportsTLS ¶
func (s ScanResult) SupportsTLS() bool
SupportsTLS determines whether the port on the specified server supports TLS at all
func (ScanResult) ToJSON ¶
func (s ScanResult) ToJSON() (js string)
ToJSON returns a JSON-formatted string representation of the ScanResult
func (ScanResult) ToString ¶
func (s ScanResult) ToString(config ScanConfig) (result string)
ToString generates a string output
func (ScanResult) ToStringStruct ¶
func (s ScanResult) ToStringStruct() (out HumanScanResult)
ToStringStruct returns a string-decoded form of ScanResult
type ScanResultSorter ¶ added in v0.1.18
type ScanResultSorter []ScanResult
ScanResultSorter sorts scan results by server IP and port
func (ScanResultSorter) Len ¶ added in v0.1.18
func (k ScanResultSorter) Len() int
func (ScanResultSorter) Less ¶ added in v0.1.18
func (k ScanResultSorter) Less(i, j int) bool
func (ScanResultSorter) Swap ¶ added in v0.1.18
func (k ScanResultSorter) Swap(i, j int)
type ScanResultSummary ¶ added in v0.1.21
type ScanResultSummary struct { Request AdvancedScanRequest ScanStart time.Time ScanEnd time.Time Progress int HostCount int PortCount int BestGrade string WorstGrade string HostGrades map[string]string GradeToHostPorts map[string][]string }
ScanResultSummary is the summary of a scan result session
type SecurityScore ¶ added in v0.1.9
type SecurityScore struct { ProtocolScore int KeyExchangeScore int CipherEncryptionScore int CertificateScore int Grade string Warnings []string }
SecurityScore contains the overall grading of a TLS/SSL port
func (SecurityScore) OrderGrade ¶ added in v0.1.21
func (SecurityScore) OrderGrade(grade string) int
OrderGrade allows a simple numeric ordering of TLS grades. Actual values don't matter
type ServerHelloMessage ¶
type ServerHelloMessage struct { Raw []byte Vers uint16 Random []byte SessionId []byte CipherSuite uint16 CompressionMethod uint8 NextProtoNeg bool NextProtos []string OcspStapling bool Scts [][]byte TicketSupported bool SecureRenegotiation []byte SecureRenegotiationSupported bool AlpnProtocol string SupportedVersion uint16 SelectedIdentityPresent bool SelectedIdentity uint16 RawHello interface{} // contains filtered or unexported fields }
ServerHelloMessage is the TLS server hello message
type ServerKeyExchangeMsg ¶
ServerKeyExchangeMsg is the key exchange message
type TLSAuditConfig ¶ added in v0.1.22
type TLSAuditConfig struct { DailySchedules []string `yaml:"dailySchedules"` // in the format 13:45, 01:20 etc ServicePort int `yaml:"servicePort"` IsProduction bool `yaml:"isProduction"` PacketsPerSecond int `yaml:"packetsPerSecond"` Timeout int `yaml:"timeout"` ScanGroups []ScanGroup `yaml:"scanGroups"` }
TLSAuditConfig is the configuration of the nmap runner
type TLSAuditSnapshot ¶ added in v0.1.22
type TLSAuditSnapshot struct { Timestamp time.Time ScanResults []ScanResult }
TLSAuditSnapshot a snapshot representing the results of a given scan session
type TLSAuditSnapshotHuman ¶ added in v0.1.22
type TLSAuditSnapshotHuman struct { Timestamp time.Time ScanResults []HumanScanResult }
TLSAuditSnapshotHuman a snapshot representing the results of a given scan session