tlsmodel

package
Published: Feb 25, 2021 License: BSD-3-Clause Imports: 21 Imported by: 0

Constants

This section is empty.

Variables

var (

	// NkxErrorMessage is the message used when a handshake message turns out
	// not to be a key exchange message. It is a plain string rather than an
	// error value, so callers presumably wrap it in an error themselves —
	// confirm at the call sites.
	NkxErrorMessage = "Not a key exchange message"
)

Functions

func InterpretGrade added in v0.7.0

func InterpretGrade(grade string) string

InterpretGrade is a mapping from grade to explanatory text

Types

type AdvancedScanRequest added in v0.5.4

// AdvancedScanRequest is a model describing a given TLS Audit scan: how the
// scan is carried out (Config) and which groups of CIDR ranges are in scope
// (ScanGroups).
type AdvancedScanRequest struct {
	// Config controls how the scan runs (timeout, packet rate, output options).
	Config ScanConfig
	// Next two fields will be automatically set once scan starts
	Day        string //Date the scan was run in the format yyyy-mm-dd
	ScanID     string //Non-empty ScanID means this is a ScanRequest to resume an existing, possibly incomplete, scan
	// ScanGroups are the CIDR ranges to scan, grouped with a description for reporting.
	ScanGroups []ScanGroup
}

AdvancedScanRequest is a model to describe a given TLS Audit scan

type BasicScanSummary added in v0.7.0

// BasicScanSummary is a subset of ScanResultSummary: host and port counts,
// the best and worst grade observed (each with an example host), and per-host
// and per-grade lookups.
//
// Grade strings are meant to be ordered with SecurityScore.OrderGrade, not
// compared lexically (e.g. "A+" vs "B" does not sort the way a plain string
// comparison would).
type BasicScanSummary struct {
	HostCount         int
	PortCount         int
	BestGrade         string
	BestGradeExample  GradeExample
	WorstGrade        string
	WorstGradeExample GradeExample
	HostGrades        map[string]GradePair //mapping of "host IP" -> "BestGrade x WorstGrade"
	GradeToHostPorts  map[string][]string  //mapping of "grade" -> []{"hostIP:Port" ...}, e.g. "A+" -> []{"10.10.10.10:443"}
}

BasicScanSummary is a subset of ScanResultSummary.

func GetBasicScanSummary added in v0.7.0

func GetBasicScanSummary(results []HumanScanResult) BasicScanSummary

GetBasicScanSummary builds a BasicScanSummary from a slice of HumanScanResult.

type CertificateMessage

// CertificateMessage simply exports the internal certificateMsg: the
// certificate chain presented by the server, in both raw and parsed form.
//
// Nothing on this type records whether the chain verified; chain problems
// are reported separately (see ScanResult.CertificatesWithChainIssue and
// HumanCertificate.HasChainIssue).
type CertificateMessage struct {
	// Raw          []byte
	// Certificates holds each certificate of the chain as raw bytes, in the
	// order sent by the server (presumably DER — confirm in GetCertificates).
	Certificates [][]byte
	// Certs is the parsed form of Certificates.
	Certs        []*x509.Certificate
}

CertificateMessage simply exports the internal certificateMsg.

func (*CertificateMessage) GetCertificates

func (cert *CertificateMessage) GetCertificates() (certs []*x509.Certificate, e error)

GetCertificates returns the list of certificates in a TLS certificate message

type CipherConfig added in v0.1.9

// CipherConfig holds the important elements of a cipher suite, extracted
// from its name (see GetCipherConfig, which derives it from the IANA name).
type CipherConfig struct {
	CipherID               uint16 // cipher suite identifier (the value passed to GetCipherConfig)
	Cipher                 string // cipher suite name, presumably the IANA string — confirm in GetCipherConfig
	KeyExchange            string
	Authentication         string
	IsExport               bool   // presumably true for export-grade suites, which are deliberately key-length limited — confirm in GetCipherConfig
	SupportsForwardSecrecy bool
	Encryption             string
	MACPRF                 string //MAC (TLS <=1.1) or PseudoRandomFunction (TLS >= 1.2)
}

CipherConfig holds the important elements of a cipher suite, extracted from its name.

func GetCipherConfig added in v0.1.9

func GetCipherConfig(cipher uint16) (config CipherConfig, err error)

GetCipherConfig extracts a `CipherConfig` using the cipher's IANA string name. Details here: https://www.iana.org/assignments/tls-parameters/tls-parameters.txt

func (*CipherConfig) ComputeContextFreeMetric added in v0.1.27

func (cc *CipherConfig) ComputeContextFreeMetric(config CipherConfigParameters) (metric CipherMetrics)

ComputeContextFreeMetric calculates interesting metrics about the cipher

func (*CipherConfig) GetEncryptionKeyLength added in v0.1.9

func (cc *CipherConfig) GetEncryptionKeyLength() int

GetEncryptionKeyLength returns the effective key length of the encryption algorithm used in the cipher. See https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf for details.

func (*CipherConfig) GetKeyExchangeKeyLength added in v0.1.9

func (cc *CipherConfig) GetKeyExchangeKeyLength(cipher, protocol uint16, scan ScanResult) int

GetKeyExchangeKeyLength returns the key length indicated by the cipher

func (*CipherConfig) GetMACPRFStrength added in v0.1.27

func (cc *CipherConfig) GetMACPRFStrength() int

GetMACPRFStrength returns the relative strength of the MAC/PRF algorithm

func (*CipherConfig) IsAuthenticated added in v0.1.9

func (cc *CipherConfig) IsAuthenticated() bool

IsAuthenticated returns whether the cipher supports authentication

type CipherConfigParameters added in v0.1.27

// CipherConfigParameters carries the server-side inputs needed to determine
// the key length of key exchange algorithms and other cipher parameters that
// cannot be derived from the cipher suite name alone.
type CipherConfigParameters struct {
	RSABitLength           int //The RSA key from the certificate
	// SupportedGroupStrength is the strength attributed to SupportedGroups;
	// the unit (bits of security vs. key size) is not shown here — confirm.
	SupportedGroupStrength int
	SupportedGroups        []string //The Supported Groups that have the indicated strength
}

CipherConfigParameters contains the parameters used to determine the key length of key exchange algorithms and other cipher parameters.

type CipherMetrics added in v0.1.27

// CipherMetrics holds the metrics used to compare ciphers and to order them by
// desirable properties such as security and performance. It also keeps the
// inputs (ConfigParams, CipherConfig) the metrics were computed from, so a
// result can be traced back to its parameters.
type CipherMetrics struct {
	// The integer metrics below are relative scores; their scale is not shown
	// on this page (see ComputeContextFreeMetric).
	Authentication        int
	KeyExchangeStrength   int
	ForwardSecrecy        int
	EncryptionKeyStrength int
	MacPRF                int
	Performance           int
	OverallScore          int
	ConfigParams          CipherConfigParameters // parameters the metrics were computed under
	CipherConfig          CipherConfig           // the cipher suite the metrics describe
}

CipherMetrics holds the metrics used to compare ciphers, serving as the basis for ordering them by desirable properties such as security and performance.

func EnumerateCipherMetrics added in v0.1.27

func EnumerateCipherMetrics() (metrics []CipherMetrics)

EnumerateCipherMetrics enumerates metrics for ciphers along multiple config axes

type CipherMetricsSorter added in v0.1.27

type CipherMetricsSorter []CipherMetrics

CipherMetricsSorter is a sortable slice of CipherMetrics (Len/Less/Swap below). The ordering used by Less is not shown here; the original description ("sorts scan results by server IP and port") appears to have been copied from ScanResultSorter.

func (CipherMetricsSorter) Len added in v0.1.27

func (k CipherMetricsSorter) Len() int

func (CipherMetricsSorter) Less added in v0.1.27

func (k CipherMetricsSorter) Less(i, j int) bool

func (CipherMetricsSorter) Swap added in v0.1.27

func (k CipherMetricsSorter) Swap(i, j int)

type CurveID added in v0.5.5

type CurveID uint16

CurveID is the type of a TLS identifier for an elliptic curve. See https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8.

In TLS 1.3, this type is called NamedGroup, but at this time this library only supports Elliptic Curve based groups. See RFC 8446, Section 4.2.7.

type GradeExample added in v0.7.0

// GradeExample is an instance (server, port, host name) that received a given
// grade; used by BasicScanSummary to illustrate the best and worst grades.
type GradeExample struct {
	Grade, Server, Port, HostName string // all kept as strings; Port is not parsed
}

GradeExample is an instance with a given grade

type GradePair added in v0.7.0

// GradePair collects the best and worst grade of a server scan (a server may
// expose several ports, each graded separately).
type GradePair struct {
	Best, Worst string
}

GradePair collects the best and worst grade of a server scan

type GroupedHost added in v0.5.4

// GroupedHost holds the hosts expanded from an associated ScanGroup, both as
// plain host strings and as IP/domain pairs.
type GroupedHost struct {
	ScanGroup    ScanGroup     // the group (CIDR ranges + description) the hosts came from
	Hosts        []string      // expanded hosts; format (IP vs. host name) not shown here — confirm
	IPAndDomains []IPAndDomain // expanded hosts as IP plus possibly empty domain
}

GroupedHost holds the hosts expanded from an associated ScanGroup.

type HelloAndKey

// HelloAndKey bundles a server hello with the ServerKeyExchange message that
// followed it, if any.
type HelloAndKey struct {
	Hello  ServerHelloMessage
	Key    ServerKeyExchangeMsg
	HasKey bool // false means Key is not meaningful (no key exchange message was captured)
}

HelloAndKey bundles server hello and ServerKeyExchange messages

type HostAndPort

// HostAndPort is a model representing a hostname and a given port. Port is
// kept as a string rather than parsed to an int.
type HostAndPort struct {
	Hostname string
	Port     string
}

HostAndPort is a model representing a hostname and a given port

type HumanCertificate added in v0.1.22

// HumanCertificate is a "string" representation of various attributes of a
// certificate, suitable for reports and JSON output. The string formats
// (dates, key, signature) are not shown on this page.
type HumanCertificate struct {
	Subject            string
	SubjectSerialNo    string
	SubjectCN          string
	SubjectAN          string // subject alternative names
	SerialNumber       string // used as the identity of a certificate by GetUniqueCertificates
	Issuer             string
	PublicKeyAlgorithm string
	ValidFrom          string
	ValidUntil         string
	Key                string
	SignatureAlgorithm string
	Signature          string
	OcspStapling       bool // whether the server stapled an OCSP response for this certificate
	RevocationDetail   string
	Version            int
	IsCA               bool
	HasChainIssue      bool // true when the chain this certificate belongs to had a problem (see ScanResult.CertificatesWithChainIssue)
}

HumanCertificate is a "string" representation of various attributes of a certificate

func GetUniqueCertificates added in v0.7.0

func GetUniqueCertificates(scan HumanScanResult) (certs []HumanCertificate)

GetUniqueCertificates returns all the unique certificates (using the certificate serial number) from a scan result

type HumanScanResult

// HumanScanResult is a stringified version of ScanResult: the uint16 protocol
// and cipher identifiers are replaced by their names, and certificates by
// HumanCertificate. Map keys are presumably the protocol names produced by
// ScanResult.ToHumanScanResult — confirm there.
type HumanScanResult struct {
	Server                                 string //IP address
	HostName                               string
	Port                                   string
	SupportsTLS                            bool
	SupportedProtocols                     []string
	HasCipherPreferenceOrderByProtocol     map[string]bool
	CipherPreferenceOrderByProtocol        map[string][]string
	OcspStaplingByProtocol                 map[string]bool
	SelectedCipherByProtocol               map[string]string
	ALPNByProtocol                         map[string]string
	SecureRenegotiationSupportedByProtocol map[string]bool
	CipherSuiteByProtocol                  map[string][]string
	// ServerHelloMessageByProtocolByCipher   map[string]map[string]ServerHelloMessage
	CertificatesPerProtocol    map[string][]HumanCertificate
	CertificatesWithChainIssue map[string]bool // presumably certificate serial number -> true, as in ScanResult
	// KeyExchangeByProtocolByCipher          map[string]map[string]ServerKeyExchangeMsg
	IsSTARTTLS              bool
	IsSSH                   bool
	SupportsTLSFallbackSCSV bool // TLS_FALLBACK_SCSV (RFC 7507) downgrade protection
	Score                   SecurityScore
	GroupID                 int //ScanRequest Host Group index
}

HumanScanResult is a Stringified version of ScanResult

func UnmarsharlScanResult added in v0.1.18

func UnmarsharlScanResult(data []byte) ([]HumanScanResult, error)

UnmarsharlScanResult builds a slice of HumanScanResult from bytes.

type IPAndDomain added in v0.6.6

// IPAndDomain is a representation of an IP and a possibly empty domain name.
type IPAndDomain struct {
	IP, Domain string
}

IPAndDomain is a representation of an IP and a possibly empty domain name.

type KeyExchangeAlgorithm

type KeyExchangeAlgorithm int

KeyExchangeAlgorithm identifies a key exchange algorithm; its values are not listed on this page.

type KeyShare added in v0.5.5

// KeyShare is a TLS 1.3 key share. See RFC 8446, Section 4.2.8.
type KeyShare struct {
	Group CurveID // the named group the share belongs to
	Data  []byte  // the key exchange data, raw as received
}

KeyShare is a TLS 1.3 key share. See RFC 8446, Section 4.2.8.

type PersistedScanRequest added in v0.1.18

// PersistedScanRequest is the persisted version of a scan request: the
// request itself, the hosts it expanded to, and timing/progress bookkeeping.
// It is serialised with Marshall and restored with UnmasharlPersistedScanRequest.
type PersistedScanRequest struct {
	Request      AdvancedScanRequest
	GroupedHosts []GroupedHost
	ScanStart    time.Time
	ScanEnd      time.Time
	Progress     int // progress indicator; scale not shown here (ScanProgress uses a float32)
	HostCount    int
}

PersistedScanRequest is the persisted version of a ScanRequest.

func UnmasharlPersistedScanRequest added in v0.1.18

func UnmasharlPersistedScanRequest(data []byte) (PersistedScanRequest, error)

UnmasharlPersistedScanRequest builds a PersistedScanRequest from bytes.

func (PersistedScanRequest) Marshall added in v0.1.18

func (psr PersistedScanRequest) Marshall() []byte

Marshall serialises the scan request to bytes.

type ScanConfig

// ScanConfig describes details of how the TLS scan should be carried out.
type ScanConfig struct {
	// ProtocolsOnly limits the scan to protocol support (no cipher/certificate detail)
	// — inferred from the name, confirm in the scanner.
	ProtocolsOnly bool
	// Timeout for the scan; the unit is not shown on this page.
	Timeout       int
	//Number of Packets per Second to send out during underlying port scan
	PacketsPerSecond int
	//Suppress certificate output
	HideCerts bool
	//Suppress output of TLS status of closed ports or ports with no TLS
	HideNoTLS bool
	//control whether to produce a running commentary of scan progress or stay quiet till the end
	Quiet       bool
	ServicePort int // presumably the same setting as TLSAuditConfig.ServicePort
}

ScanConfig describes details of how the TLS scan should be carried out

type ScanData added in v0.5.4

// ScanData is the human-readable result of a given scan: the request plus the
// results keyed by the index of the ScanGroup they belong to.
type ScanData struct {
	ScanRequest AdvancedScanRequest
	Results     map[int][]HumanScanResult //ScanGroup index (in the ASR) -> human scan results
}

ScanData is the Human-readable result of a given scan

type ScanGroup added in v0.5.4

// ScanGroup is a grouping of CIDR ranges to be scanned with a description,
// useful for reporting. The yaml tags indicate it is loaded from the YAML
// configuration (see TLSAuditConfig.ScanGroups); CIDRRanges therefore
// defines the scan scope and is worth validating before a scan is launched
// (not shown on this page).
type ScanGroup struct {
	Description string   `yaml:"description"` //Freeform text used in reporting
	CIDRRanges  []string `yaml:"cidrRanges"`
}

ScanGroup is a grouping of CIDR ranges to be scanned with descriptions, useful for reporting

type ScanProgress added in v0.1.10

// ScanProgress contains partial scan results with an indication of progress.
type ScanProgress struct {
	ScanID      string
	Progress    float32           // progress indicator; scale (fraction vs. percent) not shown here
	ScanResults []HumanScanResult // this is the latest scan results delta, at the end of scan all cumulative scans are sent
	Narrative   string            //freeflow text
}

ScanProgress contains partial scan results with an indication of progress.

type ScanResult

// ScanResult is the scan result of a server's TLS settings for a single
// server/port. The "ByProtocol" maps are keyed by protocol version (uint16)
// and the "ByCipher" inner maps by cipher suite identifier (uint16); the
// exact values are presumably the TLS wire identifiers — confirm in the
// scanner. ToHumanScanResult produces the string-decoded form.
type ScanResult struct {
	Server                                 string //IP address
	HostName                               string
	Port                                   string
	SupportedProtocols                     []uint16
	HasCipherPreferenceOrderByProtocol     map[uint16]bool
	CipherPreferenceOrderByProtocol        map[uint16][]uint16
	OcspStaplingByProtocol                 map[uint16]bool
	SelectedCipherByProtocol               map[uint16]uint16
	ALPNByProtocol                         map[uint16]string
	SecureRenegotiationSupportedByProtocol map[uint16]bool
	CipherSuiteByProtocol                  map[uint16][]uint16
	// Captured handshake messages, kept per protocol and cipher so the
	// certificate chain and key exchange parameters can be inspected later.
	ServerHelloMessageByProtocolByCipher   map[uint16]map[uint16]ServerHelloMessage
	CertificatesPerProtocol                map[uint16]CertificateMessage
	KeyExchangeByProtocolByCipher          map[uint16]map[uint16]ServerKeyExchangeMsg
	IsSTARTTLS                             bool
	IsSSH                                  bool
	SupportsTLSFallbackSCSV                bool // TLS_FALLBACK_SCSV (RFC 7507) downgrade protection
	Score                                  SecurityScore // filled by CalculateScore
	CertificatesWithChainIssue             map[string]bool //Cert Serial Number -> true
	GroupID                                int             //ScanRequest Host Group index
}

ScanResult is the scan result of a server TLS settings

func (*ScanResult) CalculateScore added in v0.1.9

func (s *ScanResult) CalculateScore() SecurityScore

CalculateScore computes an SSLLabs-esque score for the scan. See https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide and https://community.qualys.com/docs/DOC-6321-ssl-labs-grading-2018. SecurityScore contains the overall grading of a TLS/SSL port.

func (ScanResult) String

func (s ScanResult) String() string

func (ScanResult) SupportsTLS

func (s ScanResult) SupportsTLS() bool

SupportsTLS determines whether the port on the specified server supports TLS at all

func (ScanResult) ToHumanScanResult added in v0.7.0

func (s ScanResult) ToHumanScanResult() (out HumanScanResult)

ToHumanScanResult returns a string-decoded form of ScanResult

func (ScanResult) ToJSON

func (s ScanResult) ToJSON() (js string)

ToJSON returns a JSON-formatted string representation of the ScanResult

func (ScanResult) ToString

func (s ScanResult) ToString(config ScanConfig) (result string)

ToString generates a string output

type ScanResultSorter added in v0.1.18

type ScanResultSorter []ScanResult

ScanResultSorter sorts scan results by server IP and port

func (ScanResultSorter) Len added in v0.1.18

func (k ScanResultSorter) Len() int

func (ScanResultSorter) Less added in v0.1.18

func (k ScanResultSorter) Less(i, j int) bool

func (ScanResultSorter) Swap added in v0.1.18

func (k ScanResultSorter) Swap(i, j int)

type ScanResultSummary added in v0.1.21

// ScanResultSummary is the summary of a scan result session: the request,
// its timing and progress, plus the embedded BasicScanSummary (whose fields
// are promoted onto this type).
type ScanResultSummary struct {
	Request   AdvancedScanRequest
	ScanStart time.Time
	ScanEnd   time.Time
	Progress  int
	BasicScanSummary
}

ScanResultSummary is the summary of a scan result session

type SecurityScore added in v0.1.9

// SecurityScore contains the overall grading of a TLS/SSL port: the component
// scores, the resulting letter grade, and any warnings raised while grading.
// Grades are compared through OrderGrade, not as plain strings.
type SecurityScore struct {
	ProtocolScore         int
	KeyExchangeScore      int
	CipherEncryptionScore int
	CertificateScore      int
	Grade                 string   // letter grade (e.g. "A+" per BasicScanSummary's example)
	Warnings              []string // human-readable issues noted during grading
}

SecurityScore contains the overall grading of a TLS/SSL port

func (SecurityScore) OrderGrade added in v0.1.21

func (SecurityScore) OrderGrade(grade string) int

OrderGrade allows a simple numeric ordering of TLS grades; the actual values don't matter, only their relative order.

type ServerHelloMessage

// ServerHelloMessage is the TLS server hello message as captured from the
// server, with the extensions the scanner is interested in decoded into
// fields. Most byte fields are kept raw; nothing here indicates they have
// been validated.
type ServerHelloMessage struct {
	Raw                          []byte // the raw handshake message bytes
	Vers                         uint16 // protocol version announced in the hello
	Random                       []byte
	SessionID                    []byte
	CipherSuite                  uint16 // cipher suite selected by the server
	CompressionMethod            uint8
	NextProtoNeg                 bool
	NextProtos                   []string
	OcspStapling                 bool
	Scts                         [][]byte // presumably signed certificate timestamps, raw — confirm
	TicketSupported              bool
	SecureRenegotiation          []byte
	SecureRenegotiationSupported bool // presumably the renegotiation_info extension (RFC 5746) — confirm
	AlpnProtocol                 string
	SupportedVersion             uint16 // TLS 1.3 supported_versions selection, if present
	ServerShare                  KeyShare
	SelectedIdentityPresent      bool
	SelectedIdentity             uint16
	SupportedPoints              []uint8
	// contains filtered or unexported fields
}

ServerHelloMessage is the TLS server hello message

type ServerKeyExchangeMsg

// ServerKeyExchangeMsg is the key exchange message captured from the server:
// the raw key material plus, for TLS 1.3, the named group it belongs to.
type ServerKeyExchangeMsg struct {
	// Raw []byte
	Key   []byte  // key exchange data, raw as received
	Group CurveID // for TLS v1.3
}

ServerKeyExchangeMsg is the key exchange message

type TLSAuditConfig added in v0.1.22

// TLSAuditConfig is the configuration of the nmap runner, loaded from YAML
// (per the yaml tags). ScanGroups defines the CIDR ranges in scope and
// PacketsPerSecond the rate of the underlying port scan, so both are worth
// validating at load time (not shown on this page).
type TLSAuditConfig struct {
	DailySchedules   []string    `yaml:"dailySchedules"` // in the format 13:45, 01:20 etc
	ServicePort      int         `yaml:"servicePort"`
	IsProduction     bool        `yaml:"isProduction"`
	PacketsPerSecond int         `yaml:"packetsPerSecond"` // see ScanConfig.PacketsPerSecond
	Timeout          int         `yaml:"timeout"`          // unit not shown here; see ScanConfig.Timeout
	ScanGroups       []ScanGroup `yaml:"scanGroups"`
}

TLSAuditConfig is the configuration of the nmap runner

type TLSAuditSnapshot added in v0.1.22

// TLSAuditSnapshot is a snapshot representing the results of a given scan
// session, in raw (ScanResult) form.
type TLSAuditSnapshot struct {
	Timestamp   time.Time
	ScanResults []ScanResult
}

TLSAuditSnapshot is a snapshot representing the results of a given scan session.

type TLSAuditSnapshotHuman added in v0.1.22

// TLSAuditSnapshotHuman is a snapshot representing the results of a given
// scan session, in human-readable (HumanScanResult) form.
type TLSAuditSnapshotHuman struct {
	Timestamp   time.Time
	ScanResults []HumanScanResult
}

TLSAuditSnapshotHuman is a snapshot representing the results of a given scan session.
