tlsmodel

package
v0.6.0 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Jun 15, 2019 License: BSD-3-Clause Imports: 16 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

var (
	// SupportedGroups maps IANA "TLS Supported Groups" code points to their
	// registered names. Besides named elliptic curves it also lists the
	// finite-field Diffie-Hellman groups (256-260, ffdhe*) and the two
	// arbitrary_explicit_* code points.
	// See https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8
	SupportedGroups = map[uint16]string{
		0:     "Reserved",
		1:     "sect163k1",
		2:     "sect163r1",
		3:     "sect163r2",
		4:     "sect193r1",
		5:     "sect193r2",
		6:     "sect233k1",
		7:     "sect233r1",
		8:     "sect239k1",
		9:     "sect283k1",
		10:    "sect283r1",
		11:    "sect409k1",
		12:    "sect409r1",
		13:    "sect571k1",
		14:    "sect571r1",
		15:    "secp160k1",
		16:    "secp160r1",
		17:    "secp160r2",
		18:    "secp192k1",
		19:    "secp192r1",
		20:    "secp224k1",
		21:    "secp224r1",
		22:    "secp256k1",
		23:    "secp256r1",
		24:    "secp384r1",
		25:    "secp521r1",
		26:    "brainpoolP256r1",
		27:    "brainpoolP384r1",
		28:    "brainpoolP512r1",
		29:    "x25519",
		30:    "x448",
		256:   "ffdhe2048",
		257:   "ffdhe3072",
		258:   "ffdhe4096",
		259:   "ffdhe6144",
		260:   "ffdhe8192",
		65281: "arbitrary_explicit_prime_curves",
		65282: "arbitrary_explicit_char2_curves",
	}

	// SupportedGroupStrength maps a supported-group code point (same keys as
	// SupportedGroups) to the RSA modulus length of comparable strength. For the
	// ffdhe groups the value equals the size in the group's name.
	//
	// -1 is used for code point 0, every sect* curve, secp160*, secp192k1 and
	// the two arbitrary_explicit_* code points.
	// NOTE(review): -1 looks like a "not rated" sentinel rather than a strength;
	// any caller that compares these values numerically must special-case it,
	// otherwise an unrated group simply sorts as weakest. Confirm against the
	// scoring code.
	// NOTE(review): x448 (30) shares the 7680 tier with the 384-bit curves even
	// though it targets roughly 224-bit security; the table has no intermediate
	// tier, so this reads as a conservative rounding down. Confirm intent.
	//
	// For comparable strengths of EC named curves see
	// 1. https://www.ietf.org/rfc/rfc5114.txt (see section 4, security considerations)
	// 2. https://www.ietf.org/rfc/rfc5480.txt and
	// 3. pp 133 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
	SupportedGroupStrength = map[uint16]int{
		0:     -1,
		1:     -1,
		2:     -1,
		3:     -1,
		4:     -1,
		5:     -1,
		6:     -1,
		7:     -1,
		8:     -1,
		9:     -1,
		10:    -1,
		11:    -1,
		12:    -1,
		13:    -1,
		14:    -1,
		15:    -1,
		16:    -1,
		17:    -1,
		18:    -1,
		19:    1024,
		20:    2048,
		21:    2048,
		22:    3072,
		23:    3072,
		24:    7680,
		25:    15360,
		26:    3072,
		27:    7680,
		28:    15360,
		29:    3072,
		30:    7680,
		256:   2048,
		257:   3072,
		258:   4096,
		259:   6144,
		260:   8192,
		65281: -1,
		65282: -1,
	}

	// AllSupportedGroups holds the IANA-defined supported-group code points.
	// It is declared without an initializer in this listing; presumably it is
	// filled from SupportedGroups elsewhere in the package — confirm.
	// See https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8
	AllSupportedGroups []uint16

	// CipherSuiteMap maps cipher suite code points to their names, based on
	// http://www.iana.org/assignments/tls-parameters/tls-parameters.xml
	// For CSV: https://www.iana.org/assignments/tls-parameters/tls-parameters-4.csv
	// Reserved/unknown/unassigned items are excluded.
	CipherSuiteMap = map[uint16]string{}/* 339 elements not displayed */

	// TLS13Ciphers are the cipher suite code points introduced for TLS v1.3:
	// 0x1301 TLS_AES_128_GCM_SHA256, 0x1302 TLS_AES_256_GCM_SHA384,
	// 0x1303 TLS_CHACHA20_POLY1305_SHA256, 0x1304 TLS_AES_128_CCM_SHA256 and
	// 0x1305 TLS_AES_128_CCM_8_SHA256.
	TLS13Ciphers = []uint16{
		0x1301, 0x1302, 0x1303, 0x1304, 0x1305,
	}
	// AllCipherSuites holds the numerical values of the cipher suites.
	// Declared without an initializer in this listing; presumably derived from
	// the keys of CipherSuiteMap elsewhere — confirm.
	AllCipherSuites []uint16

	// VersionSSL20 is the protocol code of SSL v2.0. It is declared locally
	// because the tls.Version* constants used below start at SSL v3.0.
	VersionSSL20 uint16 = 0x0002

	// VersionTLS13 is the protocol code of TLS v1.3, see https://datatracker.ietf.org/doc/rfc8446
	// NOTE(review): TLSVersions, TLSVersionMap and AEADProtocols below use
	// tls.VersionTLS13 rather than this variable; both carry the value 0x0304.
	VersionTLS13 uint16 = 0x0304
	// TLSVersions lists the protocol versions known to this package, ordered
	// from oldest (SSL v2.0) to newest (TLS v1.3).
	TLSVersions = []uint16{VersionSSL20, tls.VersionSSL30, tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13}
	// TLSVersionMap maps a protocol version code to its display string.
	// A version code missing from this map yields the empty string on lookup.
	TLSVersionMap = map[uint16]string{
		VersionSSL20:     "SSL v2.0",
		tls.VersionSSL30: "SSL v3.0",
		tls.VersionTLS10: "TLS v1.0",
		tls.VersionTLS11: "TLS v1.1",
		tls.VersionTLS12: "TLS v1.2",
		tls.VersionTLS13: "TLS v1.3",
	}

	// AllALPNProtos lists Application-Layer Protocol Negotiation identifiers.
	// See the defined list at https://tools.ietf.org/html/rfc7301#section-6
	// NOTE(review): the list holds three SPDY identifiers and "http/1.1" but not
	// "h2"; if this is the set offered during a scan, HTTP/2 support would not
	// show up in ALPN results — confirm against the scanner.
	AllALPNProtos = []string{"spdy/3", "spdy/2", "spdy/1", "http/1.1"}

	// AllSignatureSchemes lists the signature schemes known to this package:
	// RSA PKCS#1 v1.5, RSA-PSS and ECDSA with SHA-256/384/512, followed by the
	// two SHA-1 schemes. The SHA-1 entries are legacy algorithms; presumably
	// they are listed so that servers still accepting them can be detected —
	// confirm against the scanner.
	AllSignatureSchemes = []tls.SignatureScheme{

		tls.PKCS1WithSHA256,
		tls.PKCS1WithSHA384,
		tls.PKCS1WithSHA512,

		tls.PSSWithSHA256,
		tls.PSSWithSHA384,
		tls.PSSWithSHA512,

		tls.ECDSAWithP256AndSHA256,
		tls.ECDSAWithP384AndSHA384,
		tls.ECDSAWithP521AndSHA512,

		tls.PKCS1WithSHA1,
		tls.ECDSAWithSHA1,
	}

	// ECDSASignatureSchemes is the ECDSA subset of AllSignatureSchemes, ordered
	// from P-521/SHA-512 down to the SHA-1 scheme.
	ECDSASignatureSchemes = []tls.SignatureScheme{
		tls.ECDSAWithP521AndSHA512,
		tls.ECDSAWithP384AndSHA384,
		tls.ECDSAWithP256AndSHA256,
		tls.ECDSAWithSHA1,
	}

	// AEADProtocols are the TLS protocol versions capable of Authenticated
	// Encryption with Associated Data. TLS v1.2 also allows non-AEAD suites, so
	// membership here says the version can negotiate AEAD, not that a given
	// connection did.
	AEADProtocols = []uint16{tls.VersionTLS12, tls.VersionTLS13}
)
var (

	// NkxErrorMessage is the error text used when a message is not a key
	// exchange message.
	// NOTE(review): this is an exported, mutable variable; code that matches
	// errors by comparing against this string depends on no other package
	// reassigning it.
	NkxErrorMessage = "Not a key exchange message"
)

Functions

This section is empty.

Types

type AdvancedScanRequest added in v0.5.4

// AdvancedScanRequest is a model to describe a given TLS Audit scan.
type AdvancedScanRequest struct {
	Config ScanConfig
	// The next two fields are set automatically once the scan starts.
	Day        string // Date the scan was run, in the format yyyy-mm-dd
	ScanID     string // A non-empty ScanID means this is a request to resume an existing, possibly incomplete, scan
	ScanGroups []ScanGroup
}

AdvancedScanRequest is a model to describe a given TLS Audit scan

type CertificateMessage

// CertificateMessage is an exported form of the internal certificateMsg.
type CertificateMessage struct {
	// Raw          []byte

	// Certificates holds one byte slice per certificate in the message;
	// presumably the DER encoding as received — TODO confirm.
	Certificates [][]byte
	// Certs holds parsed certificates.
	// NOTE(review): how Certs relates to Certificates (and whether
	// GetCertificates fills it) is not visible in this listing.
	Certs        []*x509.Certificate
}

CertificateMessage is an exported form of the internal certificateMsg

func (*CertificateMessage) GetCertificates

func (cert *CertificateMessage) GetCertificates() (certs []*x509.Certificate, e error)

GetCertificates returns the list of certificates in a TLS certificate message

type CipherConfig added in v0.1.9

// CipherConfig holds the important elements of a cipher suite, extracted from
// its name (see GetCipherConfig).
type CipherConfig struct {
	CipherID               uint16
	Cipher                 string
	KeyExchange            string
	Authentication         string
	// IsExport presumably marks export-grade suites, which are deliberately
	// weakened — confirm how it is derived from the suite name.
	IsExport               bool
	SupportsForwardSecrecy bool
	Encryption             string
	MACPRF                 string // MAC (TLS <= 1.1) or pseudo-random function (TLS >= 1.2)
}

CipherConfig holds the important elements of a cipher suite, extracted from its name

func GetCipherConfig added in v0.1.9

func GetCipherConfig(cipher uint16) (config CipherConfig, err error)

GetCipherConfig extracts a `CipherConfig` using the cipher's IANA string name. Details here: https://www.iana.org/assignments/tls-parameters/tls-parameters.txt

func (*CipherConfig) ComputeContextFreeMetric added in v0.1.27

func (cc *CipherConfig) ComputeContextFreeMetric(config CipherConfigParameters) (metric CipherMetrics)

ComputeContextFreeMetric calculates interesting metrics about the cipher

func (*CipherConfig) GetEncryptionKeyLength added in v0.1.9

func (cc *CipherConfig) GetEncryptionKeyLength() int

GetEncryptionKeyLength returns the effective key lengths of encryption algorithms used in the cipher. See https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf for details

func (*CipherConfig) GetKeyExchangeKeyLength added in v0.1.9

func (cc *CipherConfig) GetKeyExchangeKeyLength(cipher, protocol uint16, scan ScanResult) int

GetKeyExchangeKeyLength returns the key length indicated by the cipher

func (*CipherConfig) GetMACPRFStrength added in v0.1.27

func (cc *CipherConfig) GetMACPRFStrength() int

GetMACPRFStrength returns the relative strength of the MAC/PRF algorithm

func (*CipherConfig) IsAuthenticated added in v0.1.9

func (cc *CipherConfig) IsAuthenticated() bool

IsAuthenticated returns whether the cipher supports authentication

type CipherConfigParameters added in v0.1.27

// CipherConfigParameters contains the parameters used to determine the key
// length of key exchange algorithms and other cipher parameters.
type CipherConfigParameters struct {
	RSABitLength           int // The RSA key from the certificate
	// SupportedGroupStrength presumably uses the same scale as the values of
	// the package-level SupportedGroupStrength map, including its -1 entries —
	// confirm.
	SupportedGroupStrength int
	SupportedGroups        []string // The supported groups that have the indicated strength
}

CipherConfigParameters contains information about Parameters for determining the key length of key exchange algorithms and other cipher parameters

type CipherMetrics added in v0.1.27

// CipherMetrics are various metrics of interest for comparing ciphers, used as
// the basis for orderings by desirable properties such as security and
// performance.
// NOTE(review): the scale and direction of the int scores (is higher better?)
// are not visible in this listing.
type CipherMetrics struct {
	Authentication        int
	KeyExchangeStrength   int
	ForwardSecrecy        int
	EncryptionKeyStrength int
	MacPRF                int
	Performance           int
	OverallScore          int
	// ConfigParams and CipherConfig record the inputs the metrics refer to.
	ConfigParams          CipherConfigParameters
	CipherConfig          CipherConfig
}

CipherMetrics are various metrics of interest for comparing ciphers, used as the basis for orderings by desirable properties such as security and performance

func EnumerateCipherMetrics added in v0.1.27

func EnumerateCipherMetrics() (metrics []CipherMetrics)

EnumerateCipherMetrics enumerates metrics for ciphers along multiple config axes

type CipherMetricsSorter added in v0.1.27

// CipherMetricsSorter is a slice of CipherMetrics with Len, Less and Swap
// methods. The ordering is whatever Less implements; its body is not part of
// this listing.
type CipherMetricsSorter []CipherMetrics

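CipherMetricsSorter is a sortable slice of CipherMetrics. (Its original comment, "sorts scan results by server IP and port", matches ScanResultSorter and appears to have been copied from it; the actual ordering is whatever Less implements.)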

func (CipherMetricsSorter) Len added in v0.1.27

func (k CipherMetricsSorter) Len() int

func (CipherMetricsSorter) Less added in v0.1.27

func (k CipherMetricsSorter) Less(i, j int) bool

func (CipherMetricsSorter) Swap added in v0.1.27

func (k CipherMetricsSorter) Swap(i, j int)

type CurveID added in v0.5.5

// CurveID is the type of a TLS identifier for an elliptic curve. See
// https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8.
//
// In TLS 1.3 this type is called NamedGroup, but at this time this library
// only supports elliptic-curve-based groups. See RFC 8446, Section 4.2.7.
type CurveID uint16

CurveID is the type of a TLS identifier for an elliptic curve. See https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8.

In TLS 1.3, this type is called NamedGroup, but at this time this library only supports Elliptic Curve based groups. See RFC 8446, Section 4.2.7.

type GroupedHost added in v0.5.4

// GroupedHost holds the hosts exploded from an associated ScanGroup.
type GroupedHost struct {
	ScanGroup ScanGroup
	// Hosts presumably are the individual addresses expanded from
	// ScanGroup.CIDRRanges — confirm.
	Hosts     []string
}

GroupedHost exploded hosts from an associated ScanGroup

type HelloAndKey

// HelloAndKey bundles the server hello and ServerKeyExchange messages.
type HelloAndKey struct {
	Hello  ServerHelloMessage
	Key    ServerKeyExchangeMsg
	// HasKey presumably reports whether Key was populated; check it before
	// reading Key — confirm against the producer of this struct.
	HasKey bool
}

HelloAndKey bundles server hello and ServerKeyExchange messages

type HostAndPort

// HostAndPort is a model representing a hostname and a given port.
// Port is carried as a string, not a number.
type HostAndPort struct {
	Hostname string
	Port     string
}

HostAndPort is a model representing a hostname and a given port

type HumanCertificate added in v0.1.22

// HumanCertificate is a "string" representation of various attributes of a
// certificate. Every field except OcspStapling is a string; the formatting of
// each (date layout, key and signature encoding) is not visible in this listing.
type HumanCertificate struct {
	Subject            string
	SubjectSerialNo    string
	SubjectCN          string
	SubjectAN          string
	SerialNumber       string
	Issuer             string
	PublicKeyAlgorithm string
	ValidFrom          string
	ValidUntil         string
	Key                string
	SignatureAlgorithm string
	Signature          string
	OcspStapling       bool
	RevocationDetail   string
}

HumanCertificate is a "string" representation of various attributes of a certificate

type HumanScanResult

// HumanScanResult is a stringified version of ScanResult: the maps that
// ScanResult keys by uint16 are keyed by string here, and certificates are
// carried as HumanCertificate values.
type HumanScanResult struct {
	Server                                 string
	HostName                               string
	Port                                   string
	SupportsTLS                            bool
	SupportedProtocols                     []string
	HasCipherPreferenceOrderByProtocol     map[string]bool
	CipherPreferenceOrderByProtocol        map[string][]string
	OcspStaplingByProtocol                 map[string]bool
	SelectedCipherByProtocol               map[string]string
	ALPNByProtocol                         map[string]string
	SecureRenegotiationSupportedByProtocol map[string]bool
	CipherSuiteByProtocol                  map[string][]string
	// ServerHelloMessageByProtocolByCipher   map[string]map[string]ServerHelloMessage
	CertificatesPerProtocol map[string][]HumanCertificate
	// KeyExchangeByProtocolByCipher          map[string]map[string]ServerKeyExchangeMsg

	// NOTE(review): IsSTARTLS reads as a misspelling of STARTTLS. The name is
	// part of the exported API, so renaming it would break callers.
	IsSTARTLS               bool
	IsSSH                   bool
	SupportsTLSFallbackSCSV bool
	Score                   SecurityScore
	GroupID                 int // ScanRequest host group index
}

HumanScanResult is a Stringified version of ScanResult

type KeyExchangeAlgorithm

// KeyExchangeAlgorithm identifies a key exchange algorithm as an int.
// NOTE(review): this version of the package exports no constants of this type
// (its Constants section is empty), so the meaning of individual values cannot
// be read from the public API.
type KeyExchangeAlgorithm int

KeyExchangeAlgorithm says what it is

type KeyShare added in v0.5.5

// KeyShare is a TLS 1.3 key share. See RFC 8446, Section 4.2.8.
type KeyShare struct {
	Group CurveID // the group the share belongs to
	Data  []byte  // the key exchange data for Group, as raw bytes
}

KeyShare TLS 1.3 Key Share. See RFC 8446, Section 4.2.8.

type PersistedScanRequest added in v0.1.18

// PersistedScanRequest is the persisted version of a scan request. It is
// serialized with Marshall and rebuilt with UnmasharlPersistedScanRequest.
type PersistedScanRequest struct {
	Request      AdvancedScanRequest
	GroupedHosts []GroupedHost
	ScanStart    time.Time
	ScanEnd      time.Time
	// NOTE(review): the unit of Progress (percentage or host count) is not
	// visible in this listing.
	Progress     int
	HostCount    int
}

PersistedScanRequest persisted version of ScanRequest

func UnmasharlPersistedScanRequest added in v0.1.18

func UnmasharlPersistedScanRequest(data []byte) (PersistedScanRequest, error)

UnmasharlPersistedScanRequest builds PersistedScanRequest from bytes

func (PersistedScanRequest) Marshall added in v0.1.18

func (psr PersistedScanRequest) Marshall() []byte

Marshall scan request

type ScanConfig

// ScanConfig describes details of how the TLS scan should be carried out.
type ScanConfig struct {
	ProtocolsOnly bool
	// NOTE(review): the unit of Timeout is not stated in this listing — confirm
	// before setting it.
	Timeout       int
	// Number of packets per second to send out during the underlying port scan
	PacketsPerSecond int
	// Suppress certificate output
	HideCerts bool
	// Suppress output of TLS status of closed ports or ports with no TLS
	HideNoTLS bool
	// Controls whether to produce a running commentary of scan progress or stay quiet till the end
	Quiet       bool
	ServicePort int
}

ScanConfig describes details of how the TLS scan should be carried out

type ScanData added in v0.5.4

// ScanData is the human-readable result of a given scan.
type ScanData struct {
	ScanRequest AdvancedScanRequest
	Results     map[int][]HumanScanResult // ScanGroup index (in the AdvancedScanRequest) -> human scan results
}

ScanData is the Human-readable result of a given scan

type ScanGroup added in v0.5.4

// ScanGroup is a grouping of CIDR ranges to be scanned, with a description
// that is useful for reporting. Both fields are read from YAML.
type ScanGroup struct {
	Description string   `yaml:"description"` // Freeform text used in reporting
	CIDRRanges  []string `yaml:"cidrRanges"`
}

ScanGroup is a grouping of CIDR ranges to be scanned with descriptions, useful for reporting

type ScanProgress added in v0.1.10

// ScanProgress contains partial scan results with an indication of progress.
type ScanProgress struct {
	ScanID      string
	Progress    float32
	ScanResults []HumanScanResult // the latest scan results delta; at the end of the scan all cumulative results are sent
	Narrative   string            // free-form text
}

ScanProgress contains partial scan results with an indication of progress

type ScanResult

// ScanResult is the scan result of a server's TLS settings.
// The uint16 map keys presumably are protocol version codes (as in
// TLSVersionMap) and, for the two-level maps, cipher suite code points —
// confirm against the scanner.
type ScanResult struct {
	Server                                 string
	Port                                   string
	SupportedProtocols                     []uint16
	HasCipherPreferenceOrderByProtocol     map[uint16]bool
	CipherPreferenceOrderByProtocol        map[uint16][]uint16
	OcspStaplingByProtocol                 map[uint16]bool
	SelectedCipherByProtocol               map[uint16]uint16
	ALPNByProtocol                         map[uint16]string
	SecureRenegotiationSupportedByProtocol map[uint16]bool
	CipherSuiteByProtocol                  map[uint16][]uint16
	ServerHelloMessageByProtocolByCipher   map[uint16]map[uint16]ServerHelloMessage
	CertificatesPerProtocol                map[uint16]CertificateMessage
	KeyExchangeByProtocolByCipher          map[uint16]map[uint16]ServerKeyExchangeMsg
	// NOTE(review): IsSTARTLS reads as a misspelling of STARTTLS. The name is
	// part of the exported API, so renaming it would break callers.
	IsSTARTLS                              bool
	IsSSH                                  bool
	SupportsTLSFallbackSCSV                bool
	GroupID                                int // ScanRequest host group index
}

ScanResult is the scan result of a server TLS settings

func UnmarsharlScanResult added in v0.1.18

func UnmarsharlScanResult(data []byte) ([]ScanResult, error)

UnmarsharlScanResult builds ScanResults from bytes

func (*ScanResult) CalculateScore added in v0.1.9

func (s *ScanResult) CalculateScore() (result SecurityScore)

CalculateScore computes an SSL Labs-esque score for the scan. See https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide and https://community.qualys.com/docs/DOC-6321-ssl-labs-grading-2018. The returned SecurityScore contains the overall grading of a TLS/SSL port

func (ScanResult) String

func (s ScanResult) String() string

func (ScanResult) SupportsTLS

func (s ScanResult) SupportsTLS() bool

SupportsTLS determines whether the port on the specified server supports TLS at all

func (ScanResult) ToJSON

func (s ScanResult) ToJSON() (js string)

ToJSON returns a JSON-formatted string representation of the ScanResult

func (ScanResult) ToString

func (s ScanResult) ToString(config ScanConfig) (result string)

ToString generates a string output

func (ScanResult) ToStringStruct

func (s ScanResult) ToStringStruct() (out HumanScanResult)

ToStringStruct returns a string-decoded form of ScanResult

type ScanResultSorter added in v0.1.18

// ScanResultSorter sorts scan results by server IP and port. It is a slice of
// ScanResult with Len, Less and Swap methods.
type ScanResultSorter []ScanResult

ScanResultSorter sorts scan results by server IP and port

func (ScanResultSorter) Len added in v0.1.18

func (k ScanResultSorter) Len() int

func (ScanResultSorter) Less added in v0.1.18

func (k ScanResultSorter) Less(i, j int) bool

func (ScanResultSorter) Swap added in v0.1.18

func (k ScanResultSorter) Swap(i, j int)

type ScanResultSummary added in v0.1.21

// ScanResultSummary is the summary of a scan result session.
type ScanResultSummary struct {
	Request          AdvancedScanRequest
	ScanStart        time.Time
	ScanEnd          time.Time
	Progress         int
	HostCount        int
	PortCount        int
	BestGrade        string
	WorstGrade       string
	// NOTE(review): the key format of the two maps below (host, host:port or
	// grade string) is only suggested by the field names — confirm.
	HostGrades       map[string]string
	GradeToHostPorts map[string][]string
}

ScanResultSummary is the summary of a scan result session

type SecurityScore added in v0.1.9

// SecurityScore contains the overall grading of a TLS/SSL port. It is the
// result type of ScanResult.CalculateScore.
type SecurityScore struct {
	ProtocolScore         int
	KeyExchangeScore      int
	CipherEncryptionScore int
	CertificateScore      int
	// Grade is a string; OrderGrade maps a grade string to an int so that
	// grades can be ordered.
	Grade                 string
	Warnings              []string
}

SecurityScore contains the overall grading of a TLS/SSL port

func (SecurityScore) OrderGrade added in v0.1.21

func (SecurityScore) OrderGrade(grade string) int

OrderGrade allows a simple numeric ordering of TLS grades. Actual values don't matter

type ServerHelloMessage

// ServerHelloMessage is the TLS server hello message.
// NOTE(review): the byte-slice fields carry data received from the scanned
// server; whether they are copies or views into Raw is not visible here.
type ServerHelloMessage struct {
	Raw                          []byte
	Vers                         uint16
	Random                       []byte
	SessionId                    []byte
	CipherSuite                  uint16
	CompressionMethod            uint8
	NextProtoNeg                 bool
	NextProtos                   []string
	OcspStapling                 bool
	Scts                         [][]byte
	TicketSupported              bool
	SecureRenegotiation          []byte
	SecureRenegotiationSupported bool
	AlpnProtocol                 string
	// The four fields below correspond to TLS 1.3 server hello extensions
	// (supported_versions, key_share, pre_shared_key) — presumably left at
	// their zero values for earlier protocol versions; confirm.
	SupportedVersion             uint16
	ServerShare                  KeyShare
	SelectedIdentityPresent      bool
	SelectedIdentity             uint16

	// RawHello is untyped; its concrete type is not visible in this listing.
	RawHello interface{}
	// contains filtered or unexported fields
}

ServerHelloMessage is the TLS server hello message

type ServerKeyExchangeMsg

// ServerKeyExchangeMsg is the key exchange message.
type ServerKeyExchangeMsg struct {
	// Raw []byte
	Key   []byte
	Group CurveID // for TLS v1.3
}

ServerKeyExchangeMsg is the key exchange message

type TLSAuditConfig added in v0.1.22

// TLSAuditConfig is the configuration of the nmap runner. All fields are read
// from YAML under the keys given in the struct tags.
type TLSAuditConfig struct {
	DailySchedules   []string    `yaml:"dailySchedules"` // in the format 13:45, 01:20 etc
	ServicePort      int         `yaml:"servicePort"`
	IsProduction     bool        `yaml:"isProduction"`
	PacketsPerSecond int         `yaml:"packetsPerSecond"`
	// NOTE(review): the unit of Timeout is not stated in this listing — confirm.
	Timeout          int         `yaml:"timeout"`
	ScanGroups       []ScanGroup `yaml:"scanGroups"`
}

TLSAuditConfig is the configuration of the nmap runner

type TLSAuditSnapshot added in v0.1.22

// TLSAuditSnapshot is a snapshot representing the results of a given scan
// session, in the uint16-keyed ScanResult form.
type TLSAuditSnapshot struct {
	Timestamp   time.Time
	ScanResults []ScanResult
}

TLSAuditSnapshot a snapshot representing the results of a given scan session

type TLSAuditSnapshotHuman added in v0.1.22

// TLSAuditSnapshotHuman is a snapshot representing the results of a given scan
// session, in the stringified HumanScanResult form.
type TLSAuditSnapshotHuman struct {
	Timestamp   time.Time
	ScanResults []HumanScanResult
}

TLSAuditSnapshotHuman a snapshot representing the results of a given scan session
