[packages/nmap] - rel 3; switch to patch since tls lib also needed
arekm
arekm at pld-linux.org
Thu Apr 10 13:28:35 CEST 2014
commit a1de3686abcb60f17601c2786a97586e9a2124a8
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date: Thu Apr 10 13:28:32 2014 +0200
- rel 3; switch to patch since tls lib also needed
nmap-heartbleed.patch | 1139 +++++++++++++++++++++++++++++++++++++++++++++++++
nmap.spec | 10 +-
2 files changed, 1142 insertions(+), 7 deletions(-)
---
diff --git a/nmap.spec b/nmap.spec
index d0a9dc4..1d362e4 100644
--- a/nmap.spec
+++ b/nmap.spec
@@ -14,17 +14,16 @@ Summary(ru.UTF-8): Утилита сканирования сети и ауди
Summary(uk.UTF-8): Утиліта сканування мережі та аудиту безпеки
Name: nmap
Version: 6.40
-Release: 2
+Release: 3
License: GPL v2 clarified, with OpenSSL exception
Group: Networking/Utilities
Source0: http://nmap.org/dist/%{name}-%{version}.tar.bz2
# Source0-md5: c0e2f3370e1fb97fb53185b15aa22aff
-Source1: https://svn.nmap.org/nmap/scripts/ssl-heartbleed.nse
-# Source1-md5: f727de80f9a9ee307394e5b29b991c04
Patch0: %{name}-am18.patch
Patch1: %{name}-system-lua.patch
Patch2: %{name}-system-dnet.patch
Patch3: %{name}-desktop.patch
+Patch4: %{name}-heartbleed.patch
URL: http://nmap.org/
BuildRequires: autoconf >= 2.50
BuildRequires: automake
@@ -125,6 +124,7 @@ Ten pakiet zawiera zenmap, czyli graficzny frontend dla nmapa.
%patch1 -p1
%patch2 -p1
%patch3 -p1
+%patch4 -p1
%build
ln -s config/acinclude.m4 libdnet-stripped
@@ -161,10 +161,6 @@ install docs/zenmap.1 $RPM_BUILD_ROOT%{_mandir}/man1
%py_comp $RPM_BUILD_ROOT%{py_sitescriptdir}
%py_postclean
-# drop after upgrade to version that provides ssl-heartbleed.nse
-[ -f $RPM_BUILD_ROOT%{_datadir}/nmap/scripts/ssl-heartbleed.nse ] && exit 1
-install %{SOURCE1} $RPM_BUILD_ROOT%{_datadir}/nmap/scripts
-
ln -sf /etc/certs/ca-certificates.crt $RPM_BUILD_ROOT/%{_datadir}/ncat/ca-bundle.crt
# remove unneeded files
diff --git a/nmap-heartbleed.patch b/nmap-heartbleed.patch
new file mode 100644
index 0000000..7b073b6
--- /dev/null
+++ b/nmap-heartbleed.patch
@@ -0,0 +1,1139 @@
+diff -urN nmap-6.40.org/nselib/tls.lua nmap-6.40/nselib/tls.lua
+--- nmap-6.40.org/nselib/tls.lua 1970-01-01 01:00:00.000000000 +0100
++++ nmap-6.40/nselib/tls.lua 2014-04-08 22:12:22.000000000 +0200
+@@ -0,0 +1,874 @@
++---
++-- A library providing functions for doing TLS/SSL communications
++--
++-- These functions will build strings and process buffers. Socket communication
++-- is left to the script to implement.
++--
++-- @author "Daniel Miller <bonsaiviking at gmail.com>"
++
++local stdnse = require "stdnse"
++local bin = require "bin"
++local os = require "os"
++local table = require "table"
++_ENV = stdnse.module("tls", stdnse.seeall)
++
++-- Most of the values in the tables below are from:
++-- http://www.iana.org/assignments/tls-parameters/
++PROTOCOLS = {
++ ["SSLv3"] = 0x0300,
++ ["TLSv1.0"] = 0x0301,
++ ["TLSv1.1"] = 0x0302,
++ ["TLSv1.2"] = 0x0303
++}
++
++--
++-- TLS Record Types
++--
++TLS_RECORD_HEADER_LENGTH = 5
++
++TLS_CONTENTTYPE_REGISTRY = {
++ ["change_cipher_spec"] = 20,
++ ["alert"] = 21,
++ ["handshake"] = 22,
++ ["application_data"] = 23,
++ ["heartbeat"] = 24
++}
++
++--
++-- TLS Alert Levels
++--
++TLS_ALERT_LEVELS = {
++ ["warning"] = 1,
++ ["fatal"] = 2,
++}
++
++--
++-- TLS Alert Record Types
++--
++TLS_ALERT_REGISTRY = {
++ ["close_notify"] = 0,
++ ["unexpected_message"] = 10,
++ ["bad_record_mac"] = 20,
++ ["decryption_failed"] = 21,
++ ["record_overflow"] = 22,
++ ["decompression_failure"] = 30,
++ ["handshake_failure"] = 40,
++ ["no_certificate"] = 41,
++ ["bad_certificate"] = 42,
++ ["unsupported_certificate"] = 43,
++ ["certificate_revoked"] = 44,
++ ["certificate_expired"] = 45,
++ ["certificate_unknown"] = 46,
++ ["illegal_parameter"] = 47,
++ ["unknown_ca"] = 48,
++ ["access_denied"] = 49,
++ ["decode_error"] = 50,
++ ["decrypt_error"] = 51,
++ ["export_restriction"] = 60,
++ ["protocol_version"] = 70,
++ ["insufficient_security"] = 71,
++ ["internal_error"] = 80,
++ ["user_canceled"] = 90,
++ ["no_renegotiation"] = 100,
++ ["unsupported_extension"] = 110,
++ ["certificate_unobtainable"] = 111,
++ ["unrecognized_name"] = 112,
++ ["bad_certificate_status_response"] = 113,
++ ["bad_certificate_hash_value"] = 114,
++ ["unknown_psk_identity"] = 115
++}
++
++--
++-- TLS Handshake Record Types
++--
++TLS_HANDSHAKETYPE_REGISTRY = {
++ ["hello_request"] = 0,
++ ["client_hello"] = 1,
++ ["server_hello"] = 2,
++ ["hello_verify_request"] = 3,
++ ["NewSessionTicket"] = 4,
++ ["certificate"] = 11,
++ ["server_key_exchange"] = 12,
++ ["certificate_request"] = 13,
++ ["server_hello_done"] = 14,
++ ["certificate_verify"] = 15,
++ ["client_key_exchange"] = 16,
++ ["finished"] = 20,
++ ["certificate_url"] = 21,
++ ["certificate_status"] = 22,
++ ["supplemental_data"] = 23,
++ ["next_protocol"] = 67,
++}
++
++--
++-- Compression Algorithms
++-- http://www.iana.org/assignments/comp-meth-ids
++--
++COMPRESSORS = {
++ ["NULL"] = 0,
++ ["DEFLATE"] = 1,
++ ["LZS"] = 64
++}
++
++---
++-- RFC 4492 section 5.1.1 "Supported Elliptic Curves Extension".
++ELLIPTIC_CURVES = {
++ sect163k1 = 1,
++ sect163r1 = 2,
++ sect163r2 = 3,
++ sect193r1 = 4,
++ sect193r2 = 5,
++ sect233k1 = 6,
++ sect233r1 = 7,
++ sect239k1 = 8,
++ sect283k1 = 9,
++ sect283r1 = 10,
++ sect409k1 = 11,
++ sect409r1 = 12,
++ sect571k1 = 13,
++ sect571r1 = 14,
++ secp160k1 = 15,
++ secp160r1 = 16,
++ secp160r2 = 17,
++ secp192k1 = 18,
++ secp192r1 = 19,
++ secp224k1 = 20,
++ secp224r1 = 21,
++ secp256k1 = 22,
++ secp256r1 = 23,
++ secp384r1 = 24,
++ secp521r1 = 25,
++ arbitrary_explicit_prime_curves = 0xFF01,
++ arbitrary_explicit_char2_curves = 0xFF02,
++}
++
++---
++-- RFC 4492 section 5.1.2 "Supported Point Formats Extension".
++EC_POINT_FORMATS = {
++ uncompressed = 0,
++ ansiX962_compressed_prime = 1,
++ ansiX962_compressed_char2 = 2,
++}
++
++---
++-- Extensions
++-- RFC 6066, draft-agl-tls-nextprotoneg-03
++-- https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
++--
++EXTENSIONS = {
++ ["server_name"] = 0,
++ ["max_fragment_length"] = 1,
++ ["client_certificate_url"] = 2,
++ ["trusted_ca_keys"] = 3,
++ ["truncated_hmac"] = 4,
++ ["status_request"] = 5,
++ ["user_mapping"] = 6,
++ ["client_authz"] = 7,
++ ["server_authz"] = 8,
++ ["cert_type"] = 9,
++ ["elliptic_curves"] = 10,
++ ["ec_point_formats"] = 11,
++ ["srp"] = 12,
++ ["signature_algorithms"] = 13,
++ ["use_srtp"] = 14,
++ ["heartbeat"] = 15,
++ ["application_layer_protocol_negotiation"] = 16,
++ ["status_request_v2"] = 17,
++ ["signed_certificate_timestamp"] = 18,
++ ["client_certificate_type"] = 19,
++ ["server_certificate_type"] = 20,
++ ["padding"] = 21, -- Temporary, expires 2015-03-12
++ ["SessionTicket TLS"] = 35,
++ ["next_protocol_negotiation"] = 13172,
++ ["renegotiation_info"] = 65281,
++}
++
++---
++-- Builds data for each extension
++-- Defaults to tostring (i.e. pass in the packed data you want directly)
++EXTENSION_HELPERS = {
++ ["server_name"] = function (server_name)
++ -- Only supports host_name type (0), as per RFC
++ -- Support for other types could be added later
++ return bin.pack(">P", bin.pack(">CP", 0, server_name))
++ end,
++ ["max_fragment_length"] = tostring,
++ ["client_certificate_url"] = tostring,
++ ["trusted_ca_keys"] = tostring,
++ ["truncated_hmac"] = tostring,
++ ["status_request"] = tostring,
++ ["elliptic_curves"] = function (elliptic_curves)
++ local list = {}
++ for _, name in ipairs(elliptic_curves) do
++ list[#list+1] = bin.pack(">S", ELLIPTIC_CURVES[name])
++ end
++ return bin.pack(">P", table.concat(list))
++ end,
++ ["ec_point_formats"] = function (ec_point_formats)
++ local list = {}
++ for _, format in ipairs(ec_point_formats) do
++ list[#list+1] = bin.pack(">C", EC_POINT_FORMATS[format])
++ end
++ return bin.pack(">p", table.concat(list))
++ end,
++ ["next_protocol_negotiation"] = tostring,
++}
++
++--
++-- Encryption Algorithms
++--
++CIPHERS = {
++["TLS_NULL_WITH_NULL_NULL"] = 0x0000,
++["TLS_RSA_WITH_NULL_MD5"] = 0x0001,
++["TLS_RSA_WITH_NULL_SHA"] = 0x0002,
++["TLS_RSA_EXPORT_WITH_RC4_40_MD5"] = 0x0003,
++["TLS_RSA_WITH_RC4_128_MD5"] = 0x0004,
++["TLS_RSA_WITH_RC4_128_SHA"] = 0x0005,
++["TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5"] = 0x0006,
++["TLS_RSA_WITH_IDEA_CBC_SHA"] = 0x0007,
++["TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"] = 0x0008,
++["TLS_RSA_WITH_DES_CBC_SHA"] = 0x0009,
++["TLS_RSA_WITH_3DES_EDE_CBC_SHA"] = 0x000A,
++["TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA"] = 0x000B,
++["TLS_DH_DSS_WITH_DES_CBC_SHA"] = 0x000C,
++["TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA"] = 0x000D,
++["TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA"] = 0x000E,
++["TLS_DH_RSA_WITH_DES_CBC_SHA"] = 0x000F,
++["TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA"] = 0x0010,
++["TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"] = 0x0011,
++["TLS_DHE_DSS_WITH_DES_CBC_SHA"] = 0x0012,
++["TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA"] = 0x0013,
++["TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"] = 0x0014,
++["TLS_DHE_RSA_WITH_DES_CBC_SHA"] = 0x0015,
++["TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"] = 0x0016,
++["TLS_DH_anon_EXPORT_WITH_RC4_40_MD5"] = 0x0017,
++["TLS_DH_anon_WITH_RC4_128_MD5"] = 0x0018,
++["TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA"] = 0x0019,
++["TLS_DH_anon_WITH_DES_CBC_SHA"] = 0x001A,
++["TLS_DH_anon_WITH_3DES_EDE_CBC_SHA"] = 0x001B,
++["SSL_FORTEZZA_KEA_WITH_NULL_SHA"] = 0x001C,
++["SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA"] = 0x001D,
++["TLS_KRB5_WITH_DES_CBC_SHA-or-SSL_FORTEZZA_KEA_WITH_RC4_128_SHA"] = 0x001E, --TLS vs SSLv3
++["TLS_KRB5_WITH_3DES_EDE_CBC_SHA"] = 0x001F,
++["TLS_KRB5_WITH_RC4_128_SHA"] = 0x0020,
++["TLS_KRB5_WITH_IDEA_CBC_SHA"] = 0x0021,
++["TLS_KRB5_WITH_DES_CBC_MD5"] = 0x0022,
++["TLS_KRB5_WITH_3DES_EDE_CBC_MD5"] = 0x0023,
++["TLS_KRB5_WITH_RC4_128_MD5"] = 0x0024,
++["TLS_KRB5_WITH_IDEA_CBC_MD5"] = 0x0025,
++["TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA"] = 0x0026,
++["TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA"] = 0x0027,
++["TLS_KRB5_EXPORT_WITH_RC4_40_SHA"] = 0x0028,
++["TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5"] = 0x0029,
++["TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5"] = 0x002A,
++["TLS_KRB5_EXPORT_WITH_RC4_40_MD5"] = 0x002B,
++["TLS_PSK_WITH_NULL_SHA"] = 0x002C,
++["TLS_DHE_PSK_WITH_NULL_SHA"] = 0x002D,
++["TLS_RSA_PSK_WITH_NULL_SHA"] = 0x002E,
++["TLS_RSA_WITH_AES_128_CBC_SHA"] = 0x002F,
++["TLS_DH_DSS_WITH_AES_128_CBC_SHA"] = 0x0030,
++["TLS_DH_RSA_WITH_AES_128_CBC_SHA"] = 0x0031,
++["TLS_DHE_DSS_WITH_AES_128_CBC_SHA"] = 0x0032,
++["TLS_DHE_RSA_WITH_AES_128_CBC_SHA"] = 0x0033,
++["TLS_DH_anon_WITH_AES_128_CBC_SHA"] = 0x0034,
++["TLS_RSA_WITH_AES_256_CBC_SHA"] = 0x0035,
++["TLS_DH_DSS_WITH_AES_256_CBC_SHA"] = 0x0036,
++["TLS_DH_RSA_WITH_AES_256_CBC_SHA"] = 0x0037,
++["TLS_DHE_DSS_WITH_AES_256_CBC_SHA"] = 0x0038,
++["TLS_DHE_RSA_WITH_AES_256_CBC_SHA"] = 0x0039,
++["TLS_DH_anon_WITH_AES_256_CBC_SHA"] = 0x003A,
++["TLS_RSA_WITH_NULL_SHA256"] = 0x003B,
++["TLS_RSA_WITH_AES_128_CBC_SHA256"] = 0x003C,
++["TLS_RSA_WITH_AES_256_CBC_SHA256"] = 0x003D,
++["TLS_DH_DSS_WITH_AES_128_CBC_SHA256"] = 0x003E,
++["TLS_DH_RSA_WITH_AES_128_CBC_SHA256"] = 0x003F,
++["TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"] = 0x0040,
++["TLS_RSA_WITH_CAMELLIA_128_CBC_SHA"] = 0x0041,
++["TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA"] = 0x0042,
++["TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA"] = 0x0043,
++["TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA"] = 0x0044,
++["TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA"] = 0x0045,
++["TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA"] = 0x0046,
++["TLS_ECDH_ECDSA_WITH_NULL_SHA-draft"] = 0x0047, --draft-ietf-tls-ecc-00
++["TLS_ECDH_ECDSA_WITH_RC4_128_SHA-draft"] = 0x0048, --draft-ietf-tls-ecc-00
++["TLS_ECDH_ECDSA_WITH_DES_CBC_SHA-draft"] = 0x0049, --draft-ietf-tls-ecc-00
++["TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA-draft"] = 0x004A, --draft-ietf-tls-ecc-00
++["TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA-draft"] = 0x004B, --draft-ietf-tls-ecc-00
++["TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA-draft"] = 0x004C, --draft-ietf-tls-ecc-00
++["TLS_ECDH_ECNRA_WITH_DES_CBC_SHA-draft"] = 0x004D, --draft-ietf-tls-ecc-00
++["TLS_ECDH_ECNRA_WITH_3DES_EDE_CBC_SHA-draft"] = 0x004E, --draft-ietf-tls-ecc-00
++["TLS_ECMQV_ECDSA_NULL_SHA-draft"] = 0x004F, --draft-ietf-tls-ecc-00
++["TLS_ECMQV_ECDSA_WITH_RC4_128_SHA-draft"] = 0x0050, --draft-ietf-tls-ecc-00
++["TLS_ECMQV_ECDSA_WITH_DES_CBC_SHA-draft"] = 0x0051, --draft-ietf-tls-ecc-00
++["TLS_ECMQV_ECDSA_WITH_3DES_EDE_CBC_SHA-draft"] = 0x0052, --draft-ietf-tls-ecc-00
++["TLS_ECMQV_ECNRA_NULL_SHA-draft"] = 0x0053, --draft-ietf-tls-ecc-00
++["TLS_ECMQV_ECNRA_WITH_RC4_128_SHA-draft"] = 0x0054, --draft-ietf-tls-ecc-00
++["TLS_ECMQV_ECNRA_WITH_DES_CBC_SHA-draft"] = 0x0055, --draft-ietf-tls-ecc-00
++["TLS_ECMQV_ECNRA_WITH_3DES_EDE_CBC_SHA-draft"] = 0x0056, --draft-ietf-tls-ecc-00
++["TLS_ECDH_anon_NULL_WITH_SHA-draft"] = 0x0057, --draft-ietf-tls-ecc-00
++["TLS_ECDH_anon_WITH_RC4_128_SHA-draft"] = 0x0058, --draft-ietf-tls-ecc-00
++["TLS_ECDH_anon_WITH_DES_CBC_SHA-draft"] = 0x0059, --draft-ietf-tls-ecc-00
++["TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA-draft"] = 0x005A, --draft-ietf-tls-ecc-00
++["TLS_ECDH_anon_EXPORT_WITH_DES40_CBC_SHA-draft"] = 0x005B, --draft-ietf-tls-ecc-00
++["TLS_ECDH_anon_EXPORT_WITH_RC4_40_SHA-draft"] = 0x005C, --draft-ietf-tls-ecc-00
++["TLS_RSA_EXPORT1024_WITH_RC4_56_MD5"] = 0x0060,
++["TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5"] = 0x0061,
++["TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA"] = 0x0062,
++["TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA"] = 0x0063,
++["TLS_RSA_EXPORT1024_WITH_RC4_56_SHA"] = 0x0064,
++["TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA"] = 0x0065,
++["TLS_DHE_DSS_WITH_RC4_128_SHA"] = 0x0066,
++["TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"] = 0x0067,
++["TLS_DH_DSS_WITH_AES_256_CBC_SHA256"] = 0x0068,
++["TLS_DH_RSA_WITH_AES_256_CBC_SHA256"] = 0x0069,
++["TLS_DHE_DSS_WITH_AES_256_CBC_SHA256"] = 0x006A,
++["TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"] = 0x006B,
++["TLS_DH_anon_WITH_AES_128_CBC_SHA256"] = 0x006C,
++["TLS_DH_anon_WITH_AES_256_CBC_SHA256"] = 0x006D,
++["TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD"] = 0x0072, --draft-ietf-tls-openpgp-keys-05
++["TLS_DHE_DSS_WITH_AES_128_CBC_RMD"] = 0x0073, --draft-ietf-tls-openpgp-keys-05
++["TLS_DHE_DSS_WITH_AES_256_CBC_RMD"] = 0x0074, --draft-ietf-tls-openpgp-keys-05
++["TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD"] = 0x0077, --draft-ietf-tls-openpgp-keys-05
++["TLS_DHE_RSA_WITH_AES_128_CBC_RMD"] = 0x0078, --draft-ietf-tls-openpgp-keys-05
++["TLS_DHE_RSA_WITH_AES_256_CBC_RMD"] = 0x0079, --draft-ietf-tls-openpgp-keys-05
++["TLS_RSA_WITH_3DES_EDE_CBC_RMD"] = 0x007C, --draft-ietf-tls-openpgp-keys-05
++["TLS_RSA_WITH_AES_128_CBC_RMD"] = 0x007D, --draft-ietf-tls-openpgp-keys-05
++["TLS_RSA_WITH_AES_256_CBC_RMD"] = 0x007E, --draft-ietf-tls-openpgp-keys-05
++["TLS_GOSTR341094_WITH_28147_CNT_IMIT"] = 0x0080, --draft-chudov-cryptopro-cptls-04
++["TLS_GOSTR341001_WITH_28147_CNT_IMIT"] = 0x0081, --draft-chudov-cryptopro-cptls-04
++["TLS_GOSTR341094_WITH_NULL_GOSTR3411"] = 0x0082, --draft-chudov-cryptopro-cptls-04
++["TLS_GOSTR341001_WITH_NULL_GOSTR3411"] = 0x0083, --draft-chudov-cryptopro-cptls-04
++["TLS_RSA_WITH_CAMELLIA_256_CBC_SHA"] = 0x0084,
++["TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA"] = 0x0085,
++["TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA"] = 0x0086,
++["TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA"] = 0x0087,
++["TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA"] = 0x0088,
++["TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA"] = 0x0089,
++["TLS_PSK_WITH_RC4_128_SHA"] = 0x008A,
++["TLS_PSK_WITH_3DES_EDE_CBC_SHA"] = 0x008B,
++["TLS_PSK_WITH_AES_128_CBC_SHA"] = 0x008C,
++["TLS_PSK_WITH_AES_256_CBC_SHA"] = 0x008D,
++["TLS_DHE_PSK_WITH_RC4_128_SHA"] = 0x008E,
++["TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA"] = 0x008F,
++["TLS_DHE_PSK_WITH_AES_128_CBC_SHA"] = 0x0090,
++["TLS_DHE_PSK_WITH_AES_256_CBC_SHA"] = 0x0091,
++["TLS_RSA_PSK_WITH_RC4_128_SHA"] = 0x0092,
++["TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA"] = 0x0093,
++["TLS_RSA_PSK_WITH_AES_128_CBC_SHA"] = 0x0094,
++["TLS_RSA_PSK_WITH_AES_256_CBC_SHA"] = 0x0095,
++["TLS_RSA_WITH_SEED_CBC_SHA"] = 0x0096,
++["TLS_DH_DSS_WITH_SEED_CBC_SHA"] = 0x0097,
++["TLS_DH_RSA_WITH_SEED_CBC_SHA"] = 0x0098,
++["TLS_DHE_DSS_WITH_SEED_CBC_SHA"] = 0x0099,
++["TLS_DHE_RSA_WITH_SEED_CBC_SHA"] = 0x009A,
++["TLS_DH_anon_WITH_SEED_CBC_SHA"] = 0x009B,
++["TLS_RSA_WITH_AES_128_GCM_SHA256"] = 0x009C,
++["TLS_RSA_WITH_AES_256_GCM_SHA384"] = 0x009D,
++["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"] = 0x009E,
++["TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"] = 0x009F,
++["TLS_DH_RSA_WITH_AES_128_GCM_SHA256"] = 0x00A0,
++["TLS_DH_RSA_WITH_AES_256_GCM_SHA384"] = 0x00A1,
++["TLS_DHE_DSS_WITH_AES_128_GCM_SHA256"] = 0x00A2,
++["TLS_DHE_DSS_WITH_AES_256_GCM_SHA384"] = 0x00A3,
++["TLS_DH_DSS_WITH_AES_128_GCM_SHA256"] = 0x00A4,
++["TLS_DH_DSS_WITH_AES_256_GCM_SHA384"] = 0x00A5,
++["TLS_DH_anon_WITH_AES_128_GCM_SHA256"] = 0x00A6,
++["TLS_DH_anon_WITH_AES_256_GCM_SHA384"] = 0x00A7,
++["TLS_PSK_WITH_AES_128_GCM_SHA256"] = 0x00A8,
++["TLS_PSK_WITH_AES_256_GCM_SHA384"] = 0x00A9,
++["TLS_DHE_PSK_WITH_AES_128_GCM_SHA256"] = 0x00AA,
++["TLS_DHE_PSK_WITH_AES_256_GCM_SHA384"] = 0x00AB,
++["TLS_RSA_PSK_WITH_AES_128_GCM_SHA256"] = 0x00AC,
++["TLS_RSA_PSK_WITH_AES_256_GCM_SHA384"] = 0x00AD,
++["TLS_PSK_WITH_AES_128_CBC_SHA256"] = 0x00AE,
++["TLS_PSK_WITH_AES_256_CBC_SHA384"] = 0x00AF,
++["TLS_PSK_WITH_NULL_SHA256"] = 0x00B0,
++["TLS_PSK_WITH_NULL_SHA384"] = 0x00B1,
++["TLS_DHE_PSK_WITH_AES_128_CBC_SHA256"] = 0x00B2,
++["TLS_DHE_PSK_WITH_AES_256_CBC_SHA384"] = 0x00B3,
++["TLS_DHE_PSK_WITH_NULL_SHA256"] = 0x00B4,
++["TLS_DHE_PSK_WITH_NULL_SHA384"] = 0x00B5,
++["TLS_RSA_PSK_WITH_AES_128_CBC_SHA256"] = 0x00B6,
++["TLS_RSA_PSK_WITH_AES_256_CBC_SHA384"] = 0x00B7,
++["TLS_RSA_PSK_WITH_NULL_SHA256"] = 0x00B8,
++["TLS_RSA_PSK_WITH_NULL_SHA384"] = 0x00B9,
++["TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256"] = 0x00BA,
++["TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256"] = 0x00BB,
++["TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256"] = 0x00BC,
++["TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256"] = 0x00BD,
++["TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256"] = 0x00BE,
++["TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256"] = 0x00BF,
++["TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256"] = 0x00C0,
++["TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256"] = 0x00C1,
++["TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256"] = 0x00C2,
++["TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256"] = 0x00C3,
++["TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256"] = 0x00C4,
++["TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256"] = 0x00C5,
++["TLS_ECDH_ECDSA_WITH_NULL_SHA"] = 0xC001,
++["TLS_ECDH_ECDSA_WITH_RC4_128_SHA"] = 0xC002,
++["TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA"] = 0xC003,
++["TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"] = 0xC004,
++["TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"] = 0xC005,
++["TLS_ECDHE_ECDSA_WITH_NULL_SHA"] = 0xC006,
++["TLS_ECDHE_ECDSA_WITH_RC4_128_SHA"] = 0xC007,
++["TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA"] = 0xC008,
++["TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"] = 0xC009,
++["TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"] = 0xC00A,
++["TLS_ECDH_RSA_WITH_NULL_SHA"] = 0xC00B,
++["TLS_ECDH_RSA_WITH_RC4_128_SHA"] = 0xC00C,
++["TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA"] = 0xC00D,
++["TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"] = 0xC00E,
++["TLS_ECDH_RSA_WITH_AES_256_CBC_SHA"] = 0xC00F,
++["TLS_ECDHE_RSA_WITH_NULL_SHA"] = 0xC010,
++["TLS_ECDHE_RSA_WITH_RC4_128_SHA"] = 0xC011,
++["TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"] = 0xC012,
++["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"] = 0xC013,
++["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"] = 0xC014,
++["TLS_ECDH_anon_WITH_NULL_SHA"] = 0xC015,
++["TLS_ECDH_anon_WITH_RC4_128_SHA"] = 0xC016,
++["TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA"] = 0xC017,
++["TLS_ECDH_anon_WITH_AES_128_CBC_SHA"] = 0xC018,
++["TLS_ECDH_anon_WITH_AES_256_CBC_SHA"] = 0xC019,
++["TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA"] = 0xC01A,
++["TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA"] = 0xC01B,
++["TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA"] = 0xC01C,
++["TLS_SRP_SHA_WITH_AES_128_CBC_SHA"] = 0xC01D,
++["TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA"] = 0xC01E,
++["TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA"] = 0xC01F,
++["TLS_SRP_SHA_WITH_AES_256_CBC_SHA"] = 0xC020,
++["TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA"] = 0xC021,
++["TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA"] = 0xC022,
++["TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"] = 0xC023,
++["TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"] = 0xC024,
++["TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256"] = 0xC025,
++["TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384"] = 0xC026,
++["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"] = 0xC027,
++["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"] = 0xC028,
++["TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256"] = 0xC029,
++["TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384"] = 0xC02A,
++["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"] = 0xC02B,
++["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"] = 0xC02C,
++["TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256"] = 0xC02D,
++["TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384"] = 0xC02E,
++["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"] = 0xC02F,
++["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"] = 0xC030,
++["TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"] = 0xC031,
++["TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384"] = 0xC032,
++["TLS_ECDHE_PSK_WITH_RC4_128_SHA"] = 0xC033,
++["TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA"] = 0xC034,
++["TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA"] = 0xC035,
++["TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA"] = 0xC036,
++["TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256"] = 0xC037,
++["TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384"] = 0xC038,
++["TLS_ECDHE_PSK_WITH_NULL_SHA"] = 0xC039,
++["TLS_ECDHE_PSK_WITH_NULL_SHA256"] = 0xC03A,
++["TLS_ECDHE_PSK_WITH_NULL_SHA384"] = 0xC03B,
++["TLS_RSA_WITH_ARIA_128_CBC_SHA256"] = 0xC03C,
++["TLS_RSA_WITH_ARIA_256_CBC_SHA384"] = 0xC03D,
++["TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256"] = 0xC03E,
++["TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384"] = 0xC03F,
++["TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256"] = 0xC040,
++["TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384"] = 0xC041,
++["TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256"] = 0xC042,
++["TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384"] = 0xC043,
++["TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256"] = 0xC044,
++["TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384"] = 0xC045,
++["TLS_DH_anon_WITH_ARIA_128_CBC_SHA256"] = 0xC046,
++["TLS_DH_anon_WITH_ARIA_256_CBC_SHA384"] = 0xC047,
++["TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256"] = 0xC048,
++["TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384"] = 0xC049,
++["TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256"] = 0xC04A,
++["TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384"] = 0xC04B,
++["TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256"] = 0xC04C,
++["TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384"] = 0xC04D,
++["TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256"] = 0xC04E,
++["TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384"] = 0xC04F,
++["TLS_RSA_WITH_ARIA_128_GCM_SHA256"] = 0xC050,
++["TLS_RSA_WITH_ARIA_256_GCM_SHA384"] = 0xC051,
++["TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256"] = 0xC052,
++["TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384"] = 0xC053,
++["TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256"] = 0xC054,
++["TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384"] = 0xC055,
++["TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256"] = 0xC056,
++["TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384"] = 0xC057,
++["TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256"] = 0xC058,
++["TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384"] = 0xC059,
++["TLS_DH_anon_WITH_ARIA_128_GCM_SHA256"] = 0xC05A,
++["TLS_DH_anon_WITH_ARIA_256_GCM_SHA384"] = 0xC05B,
++["TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256"] = 0xC05C,
++["TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384"] = 0xC05D,
++["TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256"] = 0xC05E,
++["TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384"] = 0xC05F,
++["TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256"] = 0xC060,
++["TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384"] = 0xC061,
++["TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256"] = 0xC062,
++["TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384"] = 0xC063,
++["TLS_PSK_WITH_ARIA_128_CBC_SHA256"] = 0xC064,
++["TLS_PSK_WITH_ARIA_256_CBC_SHA384"] = 0xC065,
++["TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256"] = 0xC066,
++["TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384"] = 0xC067,
++["TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256"] = 0xC068,
++["TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384"] = 0xC069,
++["TLS_PSK_WITH_ARIA_128_GCM_SHA256"] = 0xC06A,
++["TLS_PSK_WITH_ARIA_256_GCM_SHA384"] = 0xC06B,
++["TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256"] = 0xC06C,
++["TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384"] = 0xC06D,
++["TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256"] = 0xC06E,
++["TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384"] = 0xC06F,
++["TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256"] = 0xC070,
++["TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384"] = 0xC071,
++["TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256"] = 0xC072,
++["TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384"] = 0xC073,
++["TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256"] = 0xC074,
++["TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384"] = 0xC075,
++["TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256"] = 0xC076,
++["TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384"] = 0xC077,
++["TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256"] = 0xC078,
++["TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384"] = 0xC079,
++["TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC07A,
++["TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC07B,
++["TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC07C,
++["TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC07D,
++["TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC07E,
++["TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC07F,
++["TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC080,
++["TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC081,
++["TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC082,
++["TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC083,
++["TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC084,
++["TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC085,
++["TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC086,
++["TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC087,
++["TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC088,
++["TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC089,
++["TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC08A,
++["TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC08B,
++["TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC08C,
++["TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC08D,
++["TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC08E,
++["TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC08F,
++["TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC090,
++["TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC091,
++["TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC092,
++["TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC093,
++["TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256"] = 0xC094,
++["TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384"] = 0xC095,
++["TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256"] = 0xC096,
++["TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384"] = 0xC097,
++["TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256"] = 0xC098,
++["TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384"] = 0xC099,
++["TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256"] = 0xC09A,
++["TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384"] = 0xC09B,
++["TLS_RSA_WITH_AES_128_CCM"] = 0xC09C,
++["TLS_RSA_WITH_AES_256_CCM"] = 0xC09D,
++["TLS_DHE_RSA_WITH_AES_128_CCM"] = 0xC09E,
++["TLS_DHE_RSA_WITH_AES_256_CCM"] = 0xC09F,
++["TLS_RSA_WITH_AES_128_CCM_8"] = 0xC0A0,
++["TLS_RSA_WITH_AES_256_CCM_8"] = 0xC0A1,
++["TLS_DHE_RSA_WITH_AES_128_CCM_8"] = 0xC0A2,
++["TLS_DHE_RSA_WITH_AES_256_CCM_8"] = 0xC0A3,
++["TLS_PSK_WITH_AES_128_CCM"] = 0xC0A4,
++["TLS_PSK_WITH_AES_256_CCM"] = 0xC0A5,
++["TLS_DHE_PSK_WITH_AES_128_CCM"] = 0xC0A6,
++["TLS_DHE_PSK_WITH_AES_256_CCM"] = 0xC0A7,
++["TLS_PSK_WITH_AES_128_CCM_8"] = 0xC0A8,
++["TLS_PSK_WITH_AES_256_CCM_8"] = 0xC0A9,
++["TLS_PSK_DHE_WITH_AES_128_CCM_8"] = 0xC0AA,
++["TLS_PSK_DHE_WITH_AES_256_CCM_8"] = 0xC0AB,
++["TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"] = 0xCC13,
++["TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"] = 0xCC14,
++["TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"] = 0xCC15,
++["SSL_RSA_FIPS_WITH_DES_CBC_SHA"] = 0xFEFE,
++["SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"] = 0xFEFF,
++}
++
++local function find_key(t, value)
++ local k, v
++
++ for k, v in pairs(t) do
++ if v == value then
++ return k
++ end
++ end
++
++ return nil
++end
++
++---
++-- Read a SSL/TLS record
++-- @param buffer The read buffer
++-- @param i The position in the buffer to start reading
++-- @return The current position in the buffer
++-- @return The record that was read, as a table
++function record_read(buffer, i)
++ local b, h, j, len
++
++ ------------
++ -- Header --
++ ------------
++
++ -- Ensure we have enough data for the header.
++ if #buffer - i < TLS_RECORD_HEADER_LENGTH then
++ return i, nil
++ end
++
++ -- Parse header.
++ h = {}
++ j, h["type"] = bin.unpack("C", buffer, i)
++ j, h["protocol"] = bin.unpack(">S", buffer, j)
++ j, h["length"] = bin.unpack(">S", buffer, j)
++
++ -- Ensure we have enough data for the body.
++ len = j + h["length"] - 1
++ if #buffer < len then
++ return i, nil
++ end
++
++ -- Convert to human-readable form.
++ h["type"] = find_key(TLS_CONTENTTYPE_REGISTRY, h["type"])
++ h["protocol"] = find_key(PROTOCOLS, h["protocol"])
++
++ ----------
++ -- Body --
++ ----------
++
++ h["body"] = {}
++ while j < len do
++ -- RFC 2246, 6.2.1 "multiple client messages of the same ContentType may
++ -- be coalesced into a single TLSPlaintext record"
++ -- TODO: implement reading of fragmented records
++ b = {}
++ table.insert(h["body"], b)
++ if h["type"] == "alert" then
++ -- Parse body.
++ j, b["level"] = bin.unpack("C", buffer, j)
++ j, b["description"] = bin.unpack("C", buffer, j)
++
++ -- Convert to human-readable form.
++ b["level"] = find_key(TLS_ALERT_LEVELS, b["level"])
++ b["description"] = find_key(TLS_ALERT_REGISTRY, b["description"])
++ elseif h["type"] == "handshake" then
++ -- Parse body.
++ j, b["type"] = bin.unpack("C", buffer, j)
++ local blen, blen_upper
++ j, blen_upper, blen = bin.unpack("C>S", buffer, j)
++ blen = blen + blen_upper * 0x10000
++ local msg_end = j + blen
++
++ -- Convert to human-readable form.
++ b["type"] = find_key(TLS_HANDSHAKETYPE_REGISTRY, b["type"])
++
++ if b["type"] == "server_hello" then
++ -- Parse body.
++ j, b["protocol"] = bin.unpack(">S", buffer, j)
++ j, b["time"] = bin.unpack(">I", buffer, j)
++ j, b["random"] = bin.unpack("A28", buffer, j)
++ j, b["session_id_length"] = bin.unpack("C", buffer, j)
++ j, b["session_id"] = bin.unpack("A" .. b["session_id_length"], buffer, j)
++ j, b["cipher"] = bin.unpack(">S", buffer, j)
++ j, b["compressor"] = bin.unpack("C", buffer, j)
++ -- Optional extensions for TLS only
++ if j < msg_end and h["protocol"] ~= "SSLv3" then
++ local num_exts
++ b["extensions"] = {}
++ j, num_exts = bin.unpack(">S", buffer, j)
++ for e = 0, num_exts do
++ if j >= msg_end then break end
++ local extcode, datalen
++ j, extcode = bin.unpack(">S", buffer, j)
++ extcode = find_key(EXTENSIONS, extcode) or extcode
++ j, b["extensions"][extcode] = bin.unpack(">P", buffer, j)
++ end
++ end
++
++ -- Convert to human-readable form.
++ b["protocol"] = find_key(PROTOCOLS, b["protocol"])
++ b["cipher"] = find_key(CIPHERS, b["cipher"])
++ b["compressor"] = find_key(COMPRESSORS, b["compressor"])
++ else
++ -- TODO: implement other handshake message types
++ stdnse.print_debug(2, "Unknown handshake message type: %s", b["type"])
++ j = msg_end
++ end
++ elseif h["type"] == "heartbeat" then
++ j, b["type"], b["payload_length"] = bin.unpack("C>S", buffer, j)
++ j, b["payload"], b["padding"] = bin.unpack("PP", buffer, j)
++ else
++ stdnse.print_debug("Unknown message type: %s", h["type"])
++ end
++ end
++
++ -- Ignore unparsed bytes.
++ j = len+1
++
++ return j, h
++end
++
++---
++-- Build a SSL/TLS record
++-- @param type The type of record ("handshake", "change_cipher_spec", etc.)
++-- @param protocol The protocol and version ("SSLv3", "TLSv1.0", etc.)
++-- @param b The record body
++-- @return The SSL/TLS record as a string
++function record_write(type, protocol, b)
++ return table.concat({
++ -- Set the header as a handshake.
++ bin.pack("C", TLS_CONTENTTYPE_REGISTRY[type]),
++ -- Set the protocol.
++ bin.pack(">S", PROTOCOLS[protocol]),
++ -- Set the length of the header body.
++ bin.pack(">S", #b),
++ b
++ })
++end
++
++---
++-- Build a client_hello message
++--
++-- The options table has the following keys:
++-- * <code>"protocol"</code> - The TLS protocol version string
++-- * <code>"ciphers"</code> - a table containing the cipher suite names. Defaults to the NULL cipher
++-- * <code>"compressors"</code> - a table containing the compressor names. Default: NULL
++-- * <code>"extensions"</code> - a table containing the extension names. Default: no extensions
++-- @param t Table of options
++-- @return The client_hello record as a string
++function client_hello(t)
++ local b, ciphers, compressor, compressors, h, len
++
++ ----------
++ -- Body --
++ ----------
++
++ b = {}
++ -- Set the protocol.
++ table.insert(b, bin.pack(">S", PROTOCOLS[t["protocol"]]))
++
++ -- Set the random data.
++ table.insert(b, bin.pack(">I", os.time()))
++
++ -- Set the random data.
++ table.insert(b, stdnse.generate_random_string(28))
++
++ -- Set the session ID.
++ table.insert(b, bin.pack("C", 0))
++
++ -- Cipher suites.
++ ciphers = {}
++ if t["ciphers"] ~= nil then
++ -- Add specified ciphers.
++ for _, cipher in pairs(t["ciphers"]) do
++ table.insert(ciphers, bin.pack(">S", CIPHERS[cipher]))
++ end
++ else
++ -- Use NULL cipher
++ table.insert(ciphers, bin.pack(">S", CIPHERS["TLS_NULL_WITH_NULL_NULL"]))
++ end
++ table.insert(b, bin.pack(">P", table.concat(ciphers)))
++
++ -- Compression methods.
++ compressors = {}
++ if t["compressors"] ~= nil then
++ -- Add specified compressors.
++ for _, compressor in pairs(t["compressors"]) do
++ if compressor ~= "NULL" then
++ table.insert(compressors, bin.pack("C", COMPRESSORS[compressor]))
++ end
++ end
++ end
++ -- Always include NULL as last choice
++ table.insert(compressors, bin.pack("C", COMPRESSORS["NULL"]))
++ table.insert(b, bin.pack(">p", table.concat(compressors)))
++
++ -- TLS extensions
++ if PROTOCOLS[t["protocol"]] and
++ PROTOCOLS[t["protocol"]] ~= PROTOCOLS["SSLv3"] then
++ local extensions = {}
++ if t["extensions"] ~= nil then
++ -- Add specified extensions.
++ for extension, data in pairs(t["extensions"]) do
++ if type(extension) == "number" then
++ table.insert(extensions, bin.pack(">S", extension))
++ else
++ table.insert(extensions, bin.pack(">S", EXTENSIONS[extension]))
++ end
++ table.insert(extensions, bin.pack(">P", data))
++ end
++ end
++ -- Extensions are optional
++ if #extensions ~= 0 then
++ table.insert(b, bin.pack(">P", table.concat(extensions)))
++ end
++ end
++
++ ------------
++ -- Header --
++ ------------
++
++ b = table.concat(b)
++
++ h = {}
++
++ -- Set type to ClientHello.
++ table.insert(h, bin.pack("C", TLS_HANDSHAKETYPE_REGISTRY["client_hello"]))
++
++ -- Set the length of the body.
++ len = bin.pack(">I", #b)
++ -- body length is 24 bits big-endian, so the 3 LSB of len
++ table.insert(h, len:sub(2,4))
++
++ table.insert(h, b)
++
++ return record_write("handshake", t["protocol"], table.concat(h))
++end
++
++local function read_atleast(s, n)
++ local buf = {}
++ local count = 0
++ while count < n do
++ local status, data = s:receive_bytes(n - count)
++ if not status then
++ return status, data, table.concat(buf)
++ end
++ buf[#buf+1] = data
++ count = count + #data
++ end
++ return true, table.concat(buf)
++end
++
++--- Get an entire record into a buffer
++--
++-- Caller is responsible for closing the socket if necessary.
++-- @param sock The socket to read additional data from
++-- @param buffer The string buffer holding any previously-read data
++-- (default: "")
++-- @param i The position in the buffer where the record should start
++-- (default: 1)
++-- @return status Socket status
++-- @return Buffer containing at least 1 record if status is true
++-- @return Error text if there was an error
++function record_buffer(sock, buffer, i)
++ buffer = buffer or ""
++ i = i or 1
++ local count = #buffer:sub(i)
++ local status, resp, rem
++ if count < TLS_RECORD_HEADER_LENGTH then
++ status, resp, rem = read_atleast(sock, TLS_RECORD_HEADER_LENGTH - count)
++ if not status then
++ return false, buffer .. rem, resp
++ end
++ buffer = buffer .. resp
++ count = count + #resp
++ end
++ -- ContentType, ProtocolVersion, length
++ local _, _, _, len = bin.unpack(">CSS", buffer, i)
++ if count < TLS_RECORD_HEADER_LENGTH + len then
++ status, resp = read_atleast(sock, TLS_RECORD_HEADER_LENGTH + len - count)
++ if not status then
++ return false, buffer, resp
++ end
++ buffer = buffer .. resp
++ end
++ return true, buffer
++end
++
++return _ENV;
+diff -urN nmap-6.40.org/scripts/ssl-heartbleed.nse nmap-6.40/scripts/ssl-heartbleed.nse
+--- nmap-6.40.org/scripts/ssl-heartbleed.nse 1970-01-01 01:00:00.000000000 +0100
++++ nmap-6.40/scripts/ssl-heartbleed.nse 2014-04-09 23:54:27.000000000 +0200
+@@ -0,0 +1,257 @@
++description = [[
++Detects whether a server is vulnerable to the OpenSSL Heartbleed bug (CVE-2014-0160).
++The code is based on the Python script ssltest.py authored by Jared Stafford (jspenguin at jspenguin.org)
++]]
++
++---
++-- @usage
++-- nmap -p 443 --script ssl-heartbleed <target>
++--
++-- @output
++-- PORT STATE SERVICE
++-- 443/tcp open https
++-- | ssl-heartbleed:
++-- | VULNERABLE:
++-- | The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
++-- | State: VULNERABLE
++-- | Risk factor: High
++-- | Description:
++-- | OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
++-- |
++-- | References:
++-- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
++-- | http://www.openssl.org/news/secadv_20140407.txt
++-- |_ http://cvedetails.com/cve/2014-0160/
++--
++--
++-- @args ssl-heartbleed.protocols (default tries all) TLS 1.0, TLS 1.1, or TLS 1.2
++--
++
++local bin = require('bin')
++local match = require('match')
++local nmap = require('nmap')
++local shortport = require('shortport')
++local sslcert = require('sslcert')
++local stdnse = require('stdnse')
++local string = require('string')
++local table = require('table')
++local tls = require('tls')
++local vulns = require('vulns')
++
++author = "Patrik Karlsson <patrik at cqure.net>"
++license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
++categories = { "vuln", "safe" }
++
++local arg_protocols = stdnse.get_script_args(SCRIPT_NAME .. ".protocols") or {'TLSv1.0', 'TLSv1.1', 'TLSv1.2'}
++
++portrule = function(host, port)
++ return shortport.ssl(host, port) or sslcert.isPortSupported(port)
++end
++
++local function recvhdr(s)
++ local status, hdr = s:receive_buf(match.numbytes(5), true)
++ if not status then
++ stdnse.print_debug(3, 'Unexpected EOF receiving record header - server closed connection')
++ return
++ end
++ local pos, typ, ver, ln = bin.unpack('>CSS', hdr)
++ return status, typ, ver, ln
++end
++
++local function recvmsg(s, len)
++ local status, pay = s:receive_buf(match.numbytes(len), true)
++ if not status then
++ stdnse.print_debug(3, 'Unexpected EOF receiving record payload - server closed connection')
++ return
++ end
++ return true, pay
++end
++
++local function testversion(host, port, version)
++
++ local hello = bin.pack('H>SH', "16", version, table.concat(
++ {
++ "00 dc", -- record length
++ "01", -- handshake type ClientHello
++ "00 00 d8", -- body length
++ "03 02", -- TLSv1.1
++ "53 43 5b 90", -- date/time (Tue Apr 8 02:14:40 2014)
++ "9d9b720bbc0cbc2b92a84897cfbd3904cc160a8503909f770433d4de", -- random
++ "00", -- session ID
++ "00 66", -- cipher suites length (102 = 51 suites)
++ "c0 14", -- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
++ "c0 0a", -- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
++ "c0 22", -- TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA
++ "c0 21", -- TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA
++ "00 39", -- TLS_DHE_RSA_WITH_AES_256_CBC_SHA
++ "00 38", -- TLS_DHE_DSS_WITH_AES_256_CBC_SHA
++ "00 88", -- TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
++ "00 87", -- TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
++ "c0 0f", -- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
++ "c0 05", -- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
++ "00 35", -- TLS_RSA_WITH_AES_256_CBC_SHA
++ "00 84", -- TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
++ "c0 12", -- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
++ "c0 08", -- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
++ "c0 1c", -- TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA
++ "c0 1b", -- TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA
++ "00 16", -- TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
++ "00 13", -- TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
++ "c0 0d", -- TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
++ "c0 03", -- TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
++ "00 0a", -- TLS_RSA_WITH_3DES_EDE_CBC_SHA
++ "c0 13", -- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
++ "c0 09", -- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
++ "c0 1f", -- TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA
++ "c0 1e", -- TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA
++ "00 33", -- TLS_DHE_RSA_WITH_AES_128_CBC_SHA
++ "00 32", -- TLS_DHE_DSS_WITH_AES_128_CBC_SHA
++ "00 9a", -- TLS_DHE_RSA_WITH_SEED_CBC_SHA
++ "00 99", -- TLS_DHE_DSS_WITH_SEED_CBC_SHA
++ "00 45", -- TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
++ "00 44", -- TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
++ "c0 0e", -- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
++ "c0 04", -- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
++ "00 2f", -- TLS_RSA_WITH_AES_128_CBC_SHA
++ "00 96", -- TLS_RSA_WITH_SEED_CBC_SHA
++ "00 41", -- TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
++ "c0 11", -- TLS_ECDHE_RSA_WITH_RC4_128_SHA
++ "c0 07", -- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
++ "c0 0c", -- TLS_ECDH_RSA_WITH_RC4_128_SHA
++ "c0 02", -- TLS_ECDH_ECDSA_WITH_RC4_128_SHA
++ "00 05", -- TLS_RSA_WITH_RC4_128_SHA
++ "00 04", -- TLS_RSA_WITH_RC4_128_MD5
++ "00 15", -- TLS_DHE_RSA_WITH_DES_CBC_SHA
++ "00 12", -- TLS_DHE_DSS_WITH_DES_CBC_SHA
++ "00 09", -- TLS_RSA_WITH_DES_CBC_SHA
++ "00 14", -- TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
++ "00 11", -- TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
++ "00 08", -- TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
++ "00 06", -- TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
++ "00 03", -- TLS_RSA_EXPORT_WITH_RC4_40_MD5
++ "00 ff", -- TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746)
++ "01", -- compressors length
++ "00", -- NULL compressor
++ "00 49", -- extensions length
++ "00 0b", -- ec_point_formats
++ "00 04", -- ec_point_formats length
++ "03", -- point formats length
++ "00", -- ec_point_formats uncompressed
++ "01", -- ec_point_formats ansiX962_compressed_prime
++ "02", -- ec_point_formats ansiX962_compressed_char2
++ "00 0a", -- elliptic_curves
++ "00 34", -- elliptic_curves length
++ "00 32", -- elliptic curves length
++ "00 0e 00 0d 00 19 00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0f 00 10 00 11", -- elliptic_curves data (all curves)
++ "00 23", -- SessionTicket TLS
++ "00 00", -- SessionTicket length
++ "00 0f", -- heartbeat
++ "00 01", -- heartbeat length
++ "01", -- heartbeat data: peer_allowed_to_send
++ })
++ )
++
++ local hb = bin.pack('H>SH', '18', version, table.concat({
++ "00 03", -- record length
++ "01", -- HeartbeatType HeartbeatRequest
++ "0f e9", -- payload length (falsified)
++ -- payload length is based on 4096 - 16 bytes padding - 8 bytes packet header + 1 to overflow
++ })
++ )
++
++ local s
++ local specialized = sslcert.getPrepareTLSWithoutReconnect(port)
++ if specialized then
++ local status
++ status, s = specialized(host, port)
++ if not status then
++ stdnse.print_debug(3, "Connection to server failed")
++ return
++ end
++ else
++ s = nmap.new_socket()
++ local status = s:connect(host, port)
++ if not status then
++ stdnse.print_debug(3, "Connection to server failed")
++ return
++ end
++ end
++
++ s:set_timeout(5000)
++
++ if not s:send(hello) then
++ stdnse.print_debug(3, "Failed to send packet to server")
++ return
++ end
++
++ while(true) do
++ local status, typ, ver, pay, len
++ status, typ, ver, len = recvhdr(s)
++ if not status or ver ~= version then
++ return
++ end
++ status, pay = recvmsg(s, len)
++ if ( typ == 22 and string.byte(pay,1) == 14 ) then break end
++ end
++
++ s:send(hb)
++ while(true) do
++ local status, typ, ver, len = recvhdr(s)
++ if not status then
++ stdnse.print_debug(3, 'No heartbeat response received, server likely not vulnerable')
++ break
++ end
++ if typ == 24 then
++ local pay
++ status, pay = recvmsg(s, len)
++ s:close()
++ if #pay > 3 then
++ return true
++ else
++ stdnse.print_debug(3, 'Server processed malformed heartbeat, but did not return any extra data.')
++ break
++ end
++ elseif typ == 21 then
++ stdnse.print_debug(3, 'Server returned error, likely not vulnerable')
++ break
++ end
++ end
++
++end
++
++action = function(host, port)
++ local vuln_table = {
++ title = "The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.",
++ state = vulns.STATE.NOT_VULN,
++ risk_factor = "High",
++ description = [[
++OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
++ ]],
++
++ references = {
++ 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160',
++ 'http://www.openssl.org/news/secadv_20140407.txt ',
++ 'http://cvedetails.com/cve/2014-0160/'
++ }
++ }
++
++ local report = vulns.Report:new(SCRIPT_NAME, host, port)
++ local test_vers = arg_protocols
++
++ if type(test_vers) == 'string' then
++ test_vers = { test_vers }
++ end
++
++ for _, ver in ipairs(test_vers) do
++ if nil == tls.PROTOCOLS[ver] then
++ return "\n Unsupported protocol version: " .. ver
++ end
++ local status = testversion(host, port, tls.PROTOCOLS[ver])
++ if ( status ) then
++ vuln_table.state = vulns.STATE.VULN
++ break
++ end
++ end
++
++ return report:make_output(vuln_table)
++end
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/nmap.git/commitdiff/a1de3686abcb60f17601c2786a97586e9a2124a8
More information about the pld-cvs-commit
mailing list