├── README.md
└── scripts
    └── ssl-dh-params.nse


/README.md:
--------------------------------------------------------------------------------
  1 | ### Weak ephemeral Diffie-Hellman parameter detection for SSL/TLS services.
  2 | 
  3 | This script simulates SSL/TLS handshakes using ciphersuites that have ephemeral
  4 | Diffie-Hellman as the key exchange algorithm.
  5 | 
  6 | Diffie-Hellman MODP group parameters are extracted and analyzed for vulnerability
  7 | to Logjam (CVE 2015-4000) and other weaknesses.
  8 | 
  9 | Opportunistic STARTTLS sessions are established on services that support them.
 10 | 
 11 | For more details, see: http://www2.esentire.com/TLSUnjammedWP
 12 | 
 13 | ### Usage:
 14 | 
 15 | `nmap --script ssl-dh-params <target>`
 16 | 
 17 | ### Sample output:
 18 | 
 19 | #### Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
 20 | ```
 21 | | ssl-dh-params: 
 22 | |   VULNERABLE:
 23 | |   Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
 24 | |     State: VULNERABLE
 25 | |       Transport Layer Security (TLS) services that use anonymous Diffie-Hellman
 26 | |       key exchange only provide protection against passive eavesdropping, and
 27 | |       are vulnerable to active man-in-the-middle attacks which could completely
 28 | |       compromise the confidentiality and integrity of any data exchanged over
 29 | |       the resulting session.
 30 | |     Check results:
 31 | |       ANONYMOUS DH GROUP 1
 32 | |         Cipher Suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
 33 | |         Modulus Type: Safe prime
 34 | |         Modulus Source: Unknown/Custom-generated
 35 | |         Modulus Length: 512 bits
 36 | |         Generator Length: 8 bits
 37 | |         Public Key Length: 512 bits
 38 | |     References:
 39 | |       https://www.ietf.org/rfc/rfc2246.txt
 40 | ```
 41 | 
 42 | #### Logjam MitM Vulnerability (CVE 2015-4000)
 43 | ```
 44 | | ssl-dh-params: 
 45 | |   VULNERABLE:
 46 | |   Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
 47 | |     State: VULNERABLE
 48 | |     IDs:  OSVDB:122331  CVE:CVE-2015-4000
 49 | |       The Transport Layer Security (TLS) protocol contains a flaw that is triggered
 50 | |       when handling Diffie-Hellman key exchanges defined with the DHE_EXPORT cipher.
 51 | |       This may allow a man-in-the-middle attacker to downgrade the security of a TLS
 52 | |       session to 512-bit export-grade cryptography, which is significantly weaker,
 53 | |       allowing the attacker to more easily break the encryption and monitor or tamper
 54 | |       with the encrypted stream.
 55 | |     Disclosure date: 2015-5-19
 56 | |     Check results:
 57 | |       EXPORT-GRADE DH GROUP 1
 58 | |         Ciphersuite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
 59 | |         Modulus Type: Non-safe prime
 60 | |         Modulus Source: sun.security.provider/512-bit DSA group with 160-bit prime order subgroup
 61 | |         Modulus Length: 512 bits
 62 | |         Generator Length: 512 bits
 63 | |         Public Key Length: 512 bits
 64 | |     References:
 65 | |       https://weakdh.org
 66 | |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
 67 | |       http://osvdb.org/122331
 68 | ```
 69 | 
 70 | #### Insufficient Diffie-Hellman Group Strength
 71 | ```
 72 | |   Diffie-Hellman Key Exchange Insufficient Group Strength
 73 | |     State: VULNERABLE
 74 | |       Transport Layer Security (TLS) services that use Diffie-Hellman groups of
 75 | |       insufficient strength, especially those using one of a few commonly shared
 76 | |       groups, may be susceptible to passive eavesdropping attacks.
 77 | |     Check results:
 78 | |       WEAK DH GROUP 1
 79 | |         Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
 80 | |         Modulus Type: Safe prime
 81 | |         Modulus Source: Unknown/Custom-generated
 82 | |         Modulus Length: 512 bits
 83 | |         Generator Length: 8 bits
 84 | |         Public Key Length: 512 bits
 85 | |     References:
 86 | |       https://weakdh.org
 87 | ```
 88 | 
 89 | #### Potentially Unsafe Diffie-Hellman Group Parameters
 90 | ```
 91 | |   Diffie-Hellman Key Exchange Potentially Unsafe Group Parameters
 92 | |     State: VULNERABLE
 93 | |       This TLS service appears to be using a modulus that is not a safe prime and does
 94 | |       not correspond to any well-known DSA group for Diffie-Hellman key exchange.
 95 | |       These parameters MAY be secure if:
 96 | |       - They were generated according to the procedure described in FIPS 186-4 for
 97 | |         DSA Domain Parameter Generation, or
 98 | |       - The generator g generates a subgroup of large prime order
 99 | |       Additional testing may be required to verify the security of these parameters.
100 | |     Check results:
101 | |       NON-SAFE DH GROUP 1
102 | |         Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
103 | |         Modulus Type: Non-safe prime
104 | |         Modulus Source: Unknown/Custom-generated
105 | |         Modulus Length: 1024 bits
106 | |         Generator Length: 1024 bits
107 | |         Public Key Length: 1024 bits
108 | |     References:
109 | |       https://weakdh.org
110 | ```
111 | 
112 | ### Installation Instructions
113 | 
114 | The script is part of the default script collection in Nmap 7.
115 | 
116 | 


--------------------------------------------------------------------------------
/scripts/ssl-dh-params.nse:
--------------------------------------------------------------------------------
  1 | local nmap = require "nmap"
  2 | local shortport = require "shortport"
  3 | local sslcert = require "sslcert"
  4 | local stdnse = require "stdnse"
  5 | local string = require "string"
  6 | local math = require "math"
  7 | local table = require "table"
  8 | local tls = require "tls"
  9 | local vulns = require "vulns"
 10 | local have_ssl, openssl = pcall(require, "openssl")
 11 | 
 12 | description = [[
 13 | Weak ephemeral Diffie-Hellman parameter detection for SSL/TLS services.
 14 | 
 15 | This script simulates SSL/TLS handshakes using ciphersuites that have ephemeral
 16 | Diffie-Hellman as the key exchange algorithm.
 17 | 
 18 | Diffie-Hellman MODP group parameters are extracted and analyzed for vulnerability
 19 | to Logjam (CVE 2015-4000) and other weaknesses.
 20 | 
 21 | Opportunistic STARTTLS sessions are established on services that support them.
 22 | ]]
 23 | 
 24 | --
 25 | -- @usage
 26 | -- nmap --script ssl-dh-params <target>
 27 | --
 28 | -- @output
 29 | -- Host script results:
 30 | -- | ssl-dh-params:
 31 | -- |   VULNERABLE:
 32 | -- |   Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
 33 | -- |     State: VULNERABLE
 34 | -- |     IDs:  OSVDB:122331  CVE:CVE-2015-4000
 35 | -- |       The Transport Layer Security (TLS) protocol contains a flaw that is triggered
 36 | -- |       when handling Diffie-Hellman key exchanges defined with the DHE_EXPORT cipher.
 37 | -- |       This may allow a man-in-the-middle attacker to downgrade the security of a TLS
 38 | -- |       session to 512-bit export-grade cryptography, which is significantly weaker,
 39 | -- |       allowing the attacker to more easily break the encryption and monitor or tamper
 40 | -- |       with the encrypted stream.
 41 | -- |     Disclosure date: 2015-5-19
 42 | -- |     Check results:
 43 | -- |       EXPORT-GRADE DH GROUP 1
 44 | -- |         Ciphersuite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
 45 | -- |         Modulus Type: Non-safe prime
 46 | -- |         Modulus Source: sun.security.provider/512-bit DSA group with 160-bit prime order subgroup
 47 | -- |         Modulus Length: 512 bits
 48 | -- |         Generator Length: 512 bits
 49 | -- |         Public Key Length: 512 bits
 50 | -- |     References:
 51 | -- |       https://weakdh.org
 52 | -- |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
 53 | -- |       http://osvdb.org/122331
 54 | -- |
 55 | -- |   Diffie-Hellman Key Exchange Insufficient Diffie-Hellman Group Strength
 56 | -- |     State: VULNERABLE
 57 | -- |       Transport Layer Security (TLS) services that use Diffie-Hellman groups of
 58 | -- |       insuffficient strength, especially those using one of a few commonly shared
 59 | -- |       groups, may be susceptible to passive eavesdropping attacks.
 60 | -- |     Check results:
 61 | -- |       WEAK DH GROUP 1
 62 | -- |         Ciphersuite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
 63 | -- |         Modulus Type: Safe prime
 64 | -- |         Modulus Source: Unknown/Custom-generated
 65 | -- |         Modulus Length: 512 bits
 66 | -- |         Generator Length: 8 bits
 67 | -- |         Public Key Length: 512 bits
 68 | -- |     References:
 69 | -- |       https://weakdh.org
 70 | -- |
 71 | -- |   Diffie-Hellman Key Exchange Potentially Unsafe Group Parameters
 72 | -- |     State: VULNERABLE
 73 | -- |       This TLS service appears to be using a modulus that is not a safe prime and does
 74 | -- |       not correspond to any well-known DSA group for Diffie-Hellman key exchange.
 75 | -- |       These parameters MAY be secure if:
 76 | -- |       - They were generated according to the procedure described in FIPS 186-4 for
 77 | -- |         DSA Domain Parameter Generation, or
 78 | -- |       - The generator g generates a subgroup of large prime order
 79 | -- |       Additional testing may be required to verify the security of these parameters.
 80 | -- |     Check results:
 81 | -- |       NON-SAFE DH GROUP 1
 82 | -- |         Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
 83 | -- |         Modulus Type: Non-safe prime
 84 | -- |         Modulus Source: Unknown/Custom-generated
 85 | -- |         Modulus Length: 1024 bits
 86 | -- |         Generator Length: 1024 bits
 87 | -- |         Public Key Length: 1024 bits
 88 | -- |     References:
 89 | -- |       https://weakdh.org
 90 | -- |_      http://www2.esentire.com/TLSUnjammedWP
 91 | 
 92 | author = "Jacob Gajek"
 93 | license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 94 | categories = {"vuln", "safe"}
 95 | 
 96 | 
 97 | -- Anonymous Diffie-Hellman key exchange variants
 98 | local DH_anon_ALGORITHMS = {
 99 |   ["DH_anon_EXPORT"] = 1,
100 |   ["DH_anon"] = 1
101 | }
102 | 
103 | -- Full-strength ephemeral Diffie-Hellman key exchange variants
104 | local DHE_ALGORITHMS = {
105 |   ["DHE_RSA"] = 1,
106 |   ["DHE_DSS"] = 1,
107 |   ["DHE_PSK"] = 1
108 | }
109 | 
110 | -- Export-grade ephemeral Diffie-Hellman key exchange variants
111 | local DHE_ALGORITHMS_EXPORT = {
112 |   ["DHE_RSA_EXPORT"] = 1,
113 |   ["DHE_DSS_EXPORT"] = 1,
114 |   ["DHE_DSS_EXPORT1024"] = 1
115 | }
116 | 
117 | -- Helper function to convert hex string to byte array
118 | local function fromhex(hexstr)
119 |   return string.gsub(hexstr, "%s*(%x%x)%s*",
120 |     function(c)
121 |       return string.char(tonumber(c, 16))
122 |     end
123 |   )
124 | end
125 | 
126 | -- Common Diffie-Hellman groups
127 | --
128 | -- The primes from weakdh.org were harvested by:
129 | --    1) Scanning the IPv4 space
130 | --    2) Scanning Alexa Top 1 million (seen >100 times)
131 | --
132 | -- The list from weakdh.org overlaps the original script source code, therefore those were removed.
133 | -- The primes were not searchable on Google (hope for source code match) - they may belong to closed
134 | -- source software. If someone happens to find/match it, send a pull request.
135 | local DHE_PRIMES = {
136 |   [fromhex([[
137 |     D4BCD524 06F69B35 994B88DE 5DB89682 C8157F62 D8F33633 EE5772F1 1F05AB22
138 |     D6B5145B 9F241E5A CC31FF09 0A4BC711 48976F76 795094E7 1E790352 9F5A824B
139 |   ]])] = "mod_ssl 2.0.x/512-bit MODP group with safe prime modulus",
140 | 
141 |   [fromhex([[
142 |     E6969D3D 495BE32C 7CF180C3 BDD4798E 91B78182 51BB055E 2A206490 4A79A770
143 |     FA15A259 CBD523A6 A6EF09C4 3048D5A2 2F971F3C 20129B48 000E6EDD 061CBC05
144 |     3E371D79 4E5327DF 611EBBBE 1BAC9B5C 6044CF02 3D76E05E EA9BAD99 1B13A63C
145 |     974E9EF1 839EB5DB 125136F7 262E56A8 871538DF D823C650 5085E21F 0DD5C86B
146 |   ]])] = "mod_ssl 2.0.x/1024-bit MODP group with safe prime modulus",
147 | 
148 |   [fromhex([[
149 |     9FDB8B8A 004544F0 045F1737 D0BA2E0B 274CDF1A 9F588218 FB435316 A16E3741
150 |     71FD19D8 D8F37C39 BF863FD6 0E3E3006 80A3030C 6E4C3757 D08F70E6 AA871033
151 |   ]])] = "mod_ssl 2.2.x/512-bit MODP group with safe prime modulus",
152 | 
153 |   [fromhex([[
154 |     D67DE440 CBBBDC19 36D693D3 4AFD0AD5 0C84D239 A45F520B B88174CB 98BCE951
155 |     849F912E 639C72FB 13B4B4D7 177E16D5 5AC179BA 420B2A29 FE324A46 7A635E81
156 |     FF590137 7BEDDCFD 33168A46 1AAD3B72 DAE88600 78045B07 A7DBCA78 74087D15
157 |     10EA9FCC 9DDD3305 07DD62DB 88AEAA74 7DE0F4D6 E2BD68B0 E7393E0F 24218EB3
158 |   ]])] = "mod_ssl 2.2.x/1024-bit MODP group with safe prime modulus",
159 | 
160 |   [fromhex([[
161 |     BBBC2DCA D8467490 7C43FCF5 80E9CFDB D958A3F5 68B42D4B 08EED4EB 0FB3504C
162 |     6C030276 E710800C 5CCBBAA8 922614C5 BEECA565 A5FDF1D2 87A2BC04 9BE67780
163 |     60E91A92 A757E304 8F68B076 F7D36CC8 F29BA5DF 81DC2CA7 25ECE662 70CC9A50
164 |     35D8CECE EF9EA027 4A63AB1E 58FAFD49 88D0F65D 146757DA 071DF045 CFE16B9B
165 |   ]])] = "nginx/1024-bit MODP group with safe prime modulus",
166 | 
167 |   [fromhex([[
168 |     FCA682CE 8E12CABA 26EFCCF7 110E526D B078B05E DECBCD1E B4A208F3 AE1617AE
169 |     01F35B91 A47E6DF6 3413C5E1 2ED0899B CD132ACD 50D99151 BDC43EE7 37592E17
170 |   ]])] = "sun.security.provider/512-bit DSA group with 160-bit prime order subgroup",
171 | 
172 |   [fromhex([[
173 |     E9E64259 9D355F37 C97FFD35 67120B8E 25C9CD43 E927B3A9 670FBEC5 D8901419
174 |     22D2C3B3 AD248009 3799869D 1E846AAB 49FAB0AD 26D2CE6A 22219D47 0BCE7D77
175 |     7D4A21FB E9C270B5 7F607002 F3CEF839 3694CF45 EE3688C1 1A8C56AB 127A3DAF
176 |   ]])] = "sun.security.provider/768-bit DSA group with 160-bit prime order subgroup",
177 | 
178 |   [fromhex([[
179 |     FD7F5381 1D751229 52DF4A9C 2EECE4E7 F611B752 3CEF4400 C31E3F80 B6512669
180 |     455D4022 51FB593D 8D58FABF C5F5BA30 F6CB9B55 6CD7813B 801D346F F26660B7
181 |     6B9950A5 A49F9FE8 047B1022 C24FBBA9 D7FEB7C6 1BF83B57 E7C6A8A6 150F04FB
182 |     83F6D3C5 1EC30235 54135A16 9132F675 F3AE2B61 D72AEFF2 2203199D D14801C7
183 |   ]])] = "sun.security.provider/1024-bit DSA group with 160-bit prime order subgroup",
184 | 
185 |   [fromhex([[
186 |     DA583C16 D9852289 D0E4AF75 6F4CCA92 DD4BE533 B804FB0F ED94EF9C 8A4403ED
187 |     574650D3 6999DB29 D776276B A2D3D412 E218F4DD 1E084CF6 D8003E7C 4774E833
188 |   ]])] = "openssl/512-bit MODP group with safe prime modulus",
189 | 
190 |   [fromhex([[
191 |     97F64261 CAB505DD 2828E13F 1D68B6D3 DBD0F313 047F40E8 56DA58CB 13B8A1BF
192 |     2B783A4C 6D59D5F9 2AFC6CFF 3D693F78 B23D4F31 60A9502E 3EFAF7AB 5E1AD5A6
193 |     5E554313 828DA83B 9FF2D941 DEE95689 FADAEA09 36ADDF19 71FE635B 20AF4703
194 |     64603C2D E059F54B 650AD8FA 0CF70121 C74799D7 587132BE 9B999BB9 B787E8AB
195 |   ]])] = "openssl/1024-bit MODP group with safe prime modulus",
196 | 
197 |   [fromhex([[
198 |     ED928935 824555CB 3BFBA276 5A690461 BF21F3AB 53D2CD21 DAFF7819 1152F10E
199 |     C1E255BD 686F6800 53B9226A 2FE49A34 1F65CC59 328ABDB1 DB49EDDF A71266C3
200 |     FD210470 18F07FD6 F7585119 72827B22 A934181D 2FCB21CF 6D92AE43 B6A829C7
201 |     27A3CB00 C5F2E5FB 0AA45985 A2BDAD45 F0B3ADF9 E08135EE D983B3CC AEEAEB66
202 |     E6A95766 B9F128A5 3F2280D7 0BA6F671 939B810E F85A90E6 CCCA6F66 5F7AC010
203 |     1A1EF0FC 2DB6080C 6228B0EC DB8928EE 0CA83D65 94691669 533C5360 13B02BA7
204 |     D48287AD 1C729E41 35FCC27C E951DE61 85FC199B 76600F33 F86BB3CA 520E29C3
205 |     07E89016 CCCC0019 B6ADC3A4 308B33A1 AFD88C8D 9D01DBA4 C4DD7F0B BD6F38C3
206 |   ]])] = "openssl/2048-bit MODP group with safe prime modulus",
207 | 
208 |   [fromhex([[
209 |     AED037C3 BDF33FA2 EEDC4390 B70A2089 7B770175 E9B92EB2 0F8061CC D4B5A591
210 |     723C7934 FDA9F9F3 274490F8 50647283 5BE05927 1C4F2C03 5A4EE756 A36613F1
211 |     382DBD47 4DE8A4A0 322122E8 C730A83C 3E4800EE BD6F8548 A5181711 BA545231
212 |     C843FAC4 175FFAF8 49C440DB 446D8462 C1C3451B 49EFA829 F5C48A4C 7BAC7F64
213 |     7EE00015 1AA9ED81 101B36AB 5C39AAFF EC54A3F8 F97C1B7B F406DCB4 2DC092A5
214 |     BAA06259 EFEB3FAB 12B42698 2E8F3EF4 B3F7B4C3 302A24C8 AA4213D8 45035CE4
215 |     A8ADD31F 816616F1 9E21A5C9 5080597F 8980AD6B 814E3585 5B79E684 4491527D
216 |     552B72B7 C78D8D6B 993A736F 8486B305 88B8F1B8 7E89668A 8BD3F13D DC517D4B
217 |   ]])] = "openssl/2048-bit MODP group with safe prime modulus",
218 | 
219 |   [fromhex([[
220 |     FEEAD19D BEAF90F6 1CFCA106 5D69DB08 839A2A2B 6AEF2488 ABD7531F BB3E462E
221 |     7DCECEFB CEDCBBBD F56549EE 95153056 8188C3D9 7294166B 6AABA0AA 5CC8555F
222 |     9125503A 180E9032 4C7F39C6 A3452F31 42EE72AB 7DFFC74C 528DB6DA 76D9C644
223 |     F55D083E 9CDE74F7 E742413B 69476617 D2670F2B F6D59FFC D7C3BDDE ED41E2BD
224 |     2CCDD9E6 12F1056C AB88C441 D7F9BA74 651ED1A8 4D407A27 D71895F7 77AB6C77
225 |     63CC00E6 F1C30B2F E7944692 7E74BC73 B8431B53 011AF5AD 1515E63D C1DE83CC
226 |     802ECE7D FC71FBDF 179F8E41 D7F1B43E BA75D5A9 C3B11D4F 1B0B5A09 88A9AACB
227 |     CCC10512 26DC8410 E41693EC 8591E31E E2F5AFDF AEDE122D 1277FC27 0BE4D25C
228 |     1137A58B E961EAC9 F27D4C71 E2391904 DD6AB27B ECE5BD6C 64C79B14 6C2D208C
229 |     D63A4B74 F8DAE638 DBE2C880 6BA10773 8A8DF5CF E214A4B7 3D03C912 75FBA572
230 |     8146CE5F EC01775B 74481ADF 86F4854D 65F5DA4B B67F882A 60CE0BCA 0ACD157A
231 |     A377F10B 091AD0B5 68893039 ECA33CDC B61BA8C9 E32A87A2 F5D8B7FD 26734D2F
232 |     09679235 2D70ADE9 F4A51D84 88BC57D3 2A638E0B 14D6693F 6776FFFB 355FEDF6
233 |     52201FA7 0CB8DB34 FB549490 951A701E 04AD49D6 71B74D08 9CAA8C0E 5E833A21
234 |     291D6978 F918F25D 5C769BDB E4BB72A8 4A1AFE6A 0BBAD18D 3EACC7B4 54AF408D
235 |     4F1CCB23 B9AE576F DAE2D1A6 8F43D275 741DB19E EDC3B81B 5E56964F 5F8C3363
236 |   ]])] = "openssl/4096-bit MODP group with safe prime modulus",
237 | 
238 |   [fromhex([[
239 |     FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
240 |     020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
241 |     4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF
242 |   ]])] = "RFC2409/Oakley Group 1",
243 | 
244 |   [fromhex([[
245 |     FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
246 |     020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
247 |     4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
248 |     EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
249 |   ]])] = "RFC2409/Oakley Group 2",
250 | 
251 |   [fromhex([[
252 |     FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
253 |     020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
254 |     4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
255 |     EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
256 |     98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
257 |     9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF
258 |   ]])] = "RFC3526/Oakley Group 5",
259 | 
260 |   [fromhex([[
261 |     FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
262 |     020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
263 |     4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
264 |     EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
265 |     98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
266 |     9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
267 |     E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
268 |     3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
269 |   ]])] = "RFC3526/Oakley Group 14",
270 | 
271 |   [fromhex([[
272 |     FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
273 |     020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
274 |     4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
275 |     EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
276 |     98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
277 |     9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
278 |     E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
279 |     3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AAAC42D AD33170D 04507A33
280 |     A85521AB DF1CBA64 ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7
281 |     ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B F12FFA06 D98A0864
282 |     D8760273 3EC86A64 521F2B18 177B200C BBE11757 7A615D6C 770988C0 BAD946E2
283 |     08E24FA0 74E5AB31 43DB5BFC E0FD108E 4B82D120 A93AD2CA FFFFFFFF FFFFFFFF
284 |   ]])] = "RFC3526/Oakley Group 15",
285 | 
286 |   [fromhex([[
287 |     FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
288 |     020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
289 |     4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
290 |     EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
291 |     98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
292 |     9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
293 |     E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
294 |     3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AAAC42D AD33170D 04507A33
295 |     A85521AB DF1CBA64 ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7
296 |     ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B F12FFA06 D98A0864
297 |     D8760273 3EC86A64 521F2B18 177B200C BBE11757 7A615D6C 770988C0 BAD946E2
298 |     08E24FA0 74E5AB31 43DB5BFC E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7
299 |     88719A10 BDBA5B26 99C32718 6AF4E23C 1A946834 B6150BDA 2583E9CA 2AD44CE8
300 |     DBBBC2DB 04DE8EF9 2E8EFC14 1FBECAA6 287C5947 4E6BC05D 99B2964F A090C3A2
301 |     233BA186 515BE7ED 1F612970 CEE2D7AF B81BDD76 2170481C D0069127 D5B05AA9
302 |     93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34063199 FFFFFFFF FFFFFFFF
303 |   ]])] = "RFC3526/Oakley Group 16",
304 | 
305 |   [fromhex([[
306 |     B10B8F96 A080E01D DE92DE5E AE5D54EC 52C99FBC FB06A3C6 9A6A9DCA 52D23B61
307 |     6073E286 75A23D18 9838EF1E 2EE652C0 13ECB4AE A9061123 24975C3C D49B83BF
308 |     ACCBDD7D 90C4BD70 98488E9C 219A7372 4EFFD6FA E5644738 FAA31A4F F55BCCC0
309 |     A151AF5F 0DC8B4BD 45BF37DF 365C1A65 E68CFDA7 6D4DA708 DF1FB2BC 2E4A4371
310 |   ]])] = "RFC5114/1024-bit DSA group with 160-bit prime order subgroup",
311 | 
312 |   [fromhex([[
313 |     AD107E1E 9123A9D0 D660FAA7 9559C51F A20D64E5 683B9FD1 B54B1597 B61D0A75
314 |     E6FA141D F95A56DB AF9A3C40 7BA1DF15 EB3D688A 309C180E 1DE6B85A 1274A0A6
315 |     6D3F8152 AD6AC212 9037C9ED EFDA4DF8 D91E8FEF 55B7394B 7AD5B7D0 B6C12207
316 |     C9F98D11 ED34DBF6 C6BA0B2C 8BBC27BE 6A00E0A0 B9C49708 B3BF8A31 70918836
317 |     81286130 BC8985DB 1602E714 415D9330 278273C7 DE31EFDC 7310F712 1FD5A074
318 |     15987D9A DC0A486D CDF93ACC 44328387 315D75E1 98C641A4 80CD86A1 B9E587E8
319 |     BE60E69C C928B2B9 C52172E4 13042E9B 23F10B0E 16E79763 C9B53DCF 4BA80A29
320 |     E3FB73C1 6B8E75B9 7EF363E2 FFA31F71 CF9DE538 4E71B81C 0AC4DFFE 0C10E64F
321 |   ]])] = "RFC5114/2048-bit DSA group with 224-bit prime order subgroup",
322 | 
323 |   [fromhex([[
324 |     87A8E61D B4B6663C FFBBD19C 65195999 8CEEF608 660DD0F2 5D2CEED4 435E3B00
325 |     E00DF8F1 D61957D4 FAF7DF45 61B2AA30 16C3D911 34096FAA 3BF4296D 830E9A7C
326 |     209E0C64 97517ABD 5A8A9D30 6BCF67ED 91F9E672 5B4758C0 22E0B1EF 4275BF7B
327 |     6C5BFC11 D45F9088 B941F54E B1E59BB8 BC39A0BF 12307F5C 4FDB70C5 81B23F76
328 |     B63ACAE1 CAA6B790 2D525267 35488A0E F13C6D9A 51BFA4AB 3AD83477 96524D8E
329 |     F6A167B5 A41825D9 67E144E5 14056425 1CCACB83 E6B486F6 B3CA3F79 71506026
330 |     C0B857F6 89962856 DED4010A BD0BE621 C3A3960A 54E710C3 75F26375 D7014103
331 |     A4B54330 C198AF12 6116D227 6E11715F 693877FA D7EF09CA DB094AE9 1E1A1597
332 |   ]])] = "RFC5114/2048-bit DSA group with 256-bit prime order subgroup",
333 | 
334 |   [fromhex([[
335 |     D6C094AD 57F5374F 68D58C7B 096872D9 45CEE1F8 2664E059 4421E1D5 E3C8E98B
336 |     C3F0A6AF 8F92F19E 3FEF9337 B99B9C93 A055D55A 96E42573 4005A68E D47040FD
337 |     F00A5593 6EBA4B93 F64CBA1A 004E4513 611C9B21 7438A703 A2060C20 38D0CFAA
338 |     FFBBA48F B9DAC4B2 450DC58C B0320A03 17E2A31B 44A02787 C657FB0C 0CBEC11D
339 |   ]])] = "weakdh.org/1024-bit MODP group with non-safe prime modulus",
340 | 
341 |   [fromhex([[
342 |     C9BBF5F7 74A8297B 0F97CDDA 3A3468C7 117B6BF7 99A13D9F 1F5DAC48 7B2241FE
343 |     95EFB13C 2855DFD2 F898B3F9 9188E24E DF326DD6 8C76CC85 53728351 2D46F195
344 |     3129C693 364D8C71 202EABB3 EBC85C1D F53907FB D0B7EB49 0AD0BC99 28968680
345 |     0C46AB04 BF7CDD9A D425E6FB 25592EB6 258A0655 D75E93B2 671746AE 349E721B
346 |   ]])] = "weakdh.org/1024-bit MODP group with safe prime modulus",
347 | 
348 |   [fromhex([[
349 |     829FEBFC E3EE0434 862D3364 A62BDE7B 65F0C74A 3A53B555 291414FC AE5E86D7
350 |     34B16DBD CC952B1C 5EB443B1 54B3B466 62E811E1 1D8BC731 34018A5E A7B5B6A9
351 |     720D84BC 28B74822 C5AF24C9 04E5BB5A DABF8FF2 A5ED7B45 6688D6CA B82F8AF0
352 |     188A456C 3ED62D2F EACF6BD3 FD47337D 884DFA09 F0A3D696 75E35806 E3AE9593
353 |   ]])] = "weakdh.org/1024-bit MODP group with safe prime modulus",
354 | 
355 |   [fromhex([[
356 |     92402435 C3A12E44 D3730D8E 78CADFA7 8E2F5B51 A956BFF4 DB8E5652 3E9695E6
357 |     3E32506C FEB912F2 A77D22E7 1BB54C86 80893B82 AD1BCF33 7F7F7796 D3FB9681
358 |     81D9BA1F 7034ABFB 1F97B310 4CF3203F 663E8199 0B7E090F 6C4C5EE1 A0E57EC1
359 |     74D3E84A D9E72E6A C7DA6AEA 12DF297C 131854FB F21AC4E8 79C23BBC 60B4F753
360 |   ]])] = "weakdh.org/1024-bit MODP group with safe prime modulus",
361 | 
362 |   [fromhex([[
363 |     A9A34811 446C7B69 A29FF999 7C2181EC FAAAD139 CCDE2455 755D42F4 2E700AFD
364 |     86779D54 8A7C07CA 5DE42332 61117D0A 5773F245 9C331AF1 A1B08EF8 360A14DE
365 |     4046F274 62DA36AA 47D9FDE2 92B8815D 598C3A9C 546E7ED3 95D22EC3 9119F5B9
366 |     22CC41B3 0AF220FF 47BDE1B8 8334AD29 81DDC5ED 923F11C3 DDD3B22C 949DC41B
367 |   ]])] = "weakdh.org/1024-bit MODP group with safe prime modulus",
368 | 
369 |   [fromhex([[
370 |     CA6B8564 6DC21765 7605DACF E801FAD7 59845383 4AF126C8 CC765E0F 81014F24
371 |     93546AB7 DDE5C677 C32D5B06 05B1BBFA 4C5DBFA3 253ADB33 205B7D8C 67DF98C4
372 |     BCE81C78 13F9FC26 15F1C332 F953AB39 CE8B7FE7 E3951FB7 3131407F 4D5489B6
373 |     B17C6875 9A2EAF8B 195A8DE8 0A165E4E B7520774 B167A00F A5629FDC 5A9A25F3
374 |   ]])] = "weakdh.org/1024-bit MODP group with safe prime modulus",
375 | 
376 |   [fromhex([[
377 |     EB373E94 AB618DF8 20D233ED 93E3EBCB 319BDAC2 0994C1DF 003986A7 9FAFFF76
378 |     54151CC9 E0641314 92698B47 496F5FDC FAF12892 679D8BC3 1580D7D4 1CD83F81
379 |     529C7951 3D58EC67 2E0E87FC D008C137 E3E5861A B2D3A02F 4D372CEE 4F220FEB
380 |     2C9039AC 997664A7 EBB75444 6AA69EB3 E0EF3C60 F91C2639 2B54EC35 A970A7BB
381 |   ]])] = "weakdh.org/1024-bit MODP group with safe prime modulus",
382 | 
383 |   [fromhex([[
384 |     80A68ADC 5327E05C AAD07C44 64B8ADEA 908432AF 9651B237 F47A7A8B F84D568F
385 |     DFDAFAB0 6621C0C4 28450F1C 55F7D4A8 ECE383F2 7D6055AD DF60C4B8 37DCC1E3
386 |     B8374E37 99517929 39FDC3BB B4285112 C8B4A9F6 FCE4DD53 AA23F99E 2647C394
387 |     CE4D8BB8 2E773F41 EB786CE8 4CD0C3DD 4C31D755 D1CF9E9B 70C45EE2 8ECDABAB
388 |   ]])] = "weakdh.org/1024-bit MODP group with safe prime modulus",
389 | 
390 |   [fromhex([[
391 |     C0EB5F3A 4CB30A9F FE3786E8 4C038141 69B52030 5AD49F54 EFD8CAAC 31A69B29
392 |     73CC9F57 B4B8F80D 2C5FB68B 3913B617 2042D2E5 BD53381A 5E597696 C9E97BD6
393 |     488DB339 5581320D DD4AF9CD E4A4EBE2 9118C688 28E5B392 89C26728 0B4FDC25
394 |     10C288B2 174D77EE 0AAD9C1E 17EA5ED3 7CF971B6 B19A8711 8E529826 591CA14B
395 |   ]])] = "weakdh.org/1024-bit MODP group with safe prime modulus",
396 | 
397 |   [fromhex([[
398 |     8FC0E1E2 0574D6AB 3C76DDEA 64524C20 76446B67 98E5B6BD 2614F966 9A5061D6
399 |     99034DB4 819780EC 8EE28A4E 66B5C4E0 A634E47B F9C981A5 EC4908EE 1B83A410
400 |     813165AC 0AB6BDCF D3257188 AC49399D 541C16F2 960F9D64 B9C51EC0 85AD0BB4
401 |     FE389013 18F0CD61 65D4B1B3 1C723953 B83217F8 B3EBF870 8160E82D 7911754B
402 |   ]])] = "weakdh.org/1024-bit MODP group with safe prime modulus"
403 | }
404 | 
405 | 
406 | -- DSA parameters
407 | local DSA_PARAMS = {
408 |   -- sun.security.provider/512-bit DSA group with 160-bit prime order subgroup
409 |   [fromhex([[
410 |     FCA682CE 8E12CABA 26EFCCF7 110E526D B078B05E DECBCD1E B4A208F3 AE1617AE
411 |     01F35B91 A47E6DF6 3413C5E1 2ED0899B CD132ACD 50D99151 BDC43EE7 37592E17
412 |   ]])] =
413 | 
414 |          fromhex([[
415 |            678471B2 7A9CF44E E91A49C5 147DB1A9 AAF244F0 5A434D64 86931D2D 14271B9E
416 |            35030B71 FD73DA17 9069B32E 2935630E 1C206235 4D0DA20A 6C416E50 BE794CA4
417 |          ]]),
418 | 
419 |   -- sun.security.provider/768-bit DSA group with 160-bit prime order subgroup
420 |   [fromhex([[
421 |     E9E64259 9D355F37 C97FFD35 67120B8E 25C9CD43 E927B3A9 670FBEC5 D8901419
422 |     22D2C3B3 AD248009 3799869D 1E846AAB 49FAB0AD 26D2CE6A 22219D47 0BCE7D77
423 |     7D4A21FB E9C270B5 7F607002 F3CEF839 3694CF45 EE3688C1 1A8C56AB 127A3DAF
424 |   ]])] =
425 | 
426 |          fromhex([[
427 |            30470AD5 A005FB14 CE2D9DCD 87E38BC7 D1B1C5FA CBAECBE9 5F190AA7 A31D23C4
428 |            DBBCBE06 17454440 1A5B2C02 0965D8C2 BD2171D3 66844577 1F74BA08 4D2029D8
429 |            3C1C1585 47F3A9F1 A2715BE2 3D51AE4D 3E5A1F6A 7064F316 933A346D 3F529252
430 |          ]]),
431 | 
432 |   -- sun.security.provider/1024-bit DSA group with 160-bit prime order subgroup
433 |   [fromhex([[
434 |     FD7F5381 1D751229 52DF4A9C 2EECE4E7 F611B752 3CEF4400 C31E3F80 B6512669
435 |     455D4022 51FB593D 8D58FABF C5F5BA30 F6CB9B55 6CD7813B 801D346F F26660B7
436 |     6B9950A5 A49F9FE8 047B1022 C24FBBA9 D7FEB7C6 1BF83B57 E7C6A8A6 150F04FB
437 |     83F6D3C5 1EC30235 54135A16 9132F675 F3AE2B61 D72AEFF2 2203199D D14801C7
438 |   ]])] =
439 | 
440 |          fromhex([[
441 |            F7E1A085 D69B3DDE CBBCAB5C 36B857B9 7994AFBB FA3AEA82 F9574C0B 3D078267
442 |            5159578E BAD4594F E6710710 8180B449 167123E8 4C281613 B7CF0932 8CC8A6E1
443 |            3C167A8B 547C8D28 E0A3AE1E 2BB3A675 916EA37F 0BFA2135 62F1FB62 7A01243B
444 |            CCA4F1BE A8519089 A883DFE1 5AE59F06 928B665E 807B5525 64014C3B FECF492A
445 |          ]]),
446 | 
447 |   -- RFC5114/1024-bit DSA group with 160-bit prime order subgroup
448 |   [fromhex([[
449 |     B10B8F96 A080E01D DE92DE5E AE5D54EC 52C99FBC FB06A3C6 9A6A9DCA 52D23B61
450 |     6073E286 75A23D18 9838EF1E 2EE652C0 13ECB4AE A9061123 24975C3C D49B83BF
451 |     ACCBDD7D 90C4BD70 98488E9C 219A7372 4EFFD6FA E5644738 FAA31A4F F55BCCC0
452 |     A151AF5F 0DC8B4BD 45BF37DF 365C1A65 E68CFDA7 6D4DA708 DF1FB2BC 2E4A4371
453 |   ]])] =
454 | 
455 |          fromhex([[
456 |            A4D1CBD5 C3FD3412 6765A442 EFB99905 F8104DD2 58AC507F D6406CFF 14266D31
457 |            266FEA1E 5C41564B 777E690F 5504F213 160217B4 B01B886A 5E91547F 9E2749F4
458 |            D7FBD7D3 B9A92EE1 909D0D22 63F80A76 A6A24C08 7A091F53 1DBF0A01 69B6A28A
459 |            D662A4D1 8E73AFA3 2D779D59 18D08BC8 858F4DCE F97C2A24 855E6EEB 22B3B2E5
460 |          ]]),
461 | 
462 |   -- RFC5114/2048-bit DSA group with 224-bit prime order subgroup
463 |   [fromhex([[
464 |     AD107E1E 9123A9D0 D660FAA7 9559C51F A20D64E5 683B9FD1 B54B1597 B61D0A75
465 |     E6FA141D F95A56DB AF9A3C40 7BA1DF15 EB3D688A 309C180E 1DE6B85A 1274A0A6
466 |     6D3F8152 AD6AC212 9037C9ED EFDA4DF8 D91E8FEF 55B7394B 7AD5B7D0 B6C12207
467 |     C9F98D11 ED34DBF6 C6BA0B2C 8BBC27BE 6A00E0A0 B9C49708 B3BF8A31 70918836
468 |     81286130 BC8985DB 1602E714 415D9330 278273C7 DE31EFDC 7310F712 1FD5A074
469 |     15987D9A DC0A486D CDF93ACC 44328387 315D75E1 98C641A4 80CD86A1 B9E587E8
470 |     BE60E69C C928B2B9 C52172E4 13042E9B 23F10B0E 16E79763 C9B53DCF 4BA80A29
471 |     E3FB73C1 6B8E75B9 7EF363E2 FFA31F71 CF9DE538 4E71B81C 0AC4DFFE 0C10E64F
472 |   ]])] =
473 | 
474 |          fromhex([[
475 |            AC4032EF 4F2D9AE3 9DF30B5C 8FFDAC50 6CDEBE7B 89998CAF 74866A08 CFE4FFE3
476 |            A6824A4E 10B9A6F0 DD921F01 A70C4AFA AB739D77 00C29F52 C57DB17C 620A8652
477 |            BE5E9001 A8D66AD7 C1766910 1999024A F4D02727 5AC1348B B8A762D0 521BC98A
478 |            E2471504 22EA1ED4 09939D54 DA7460CD B5F6C6B2 50717CBE F180EB34 118E98D1
479 |            19529A45 D6F83456 6E3025E3 16A330EF BB77A86F 0C1AB15B 051AE3D4 28C8F8AC
480 |            B70A8137 150B8EEB 10E183ED D19963DD D9E263E4 770589EF 6AA21E7F 5F2FF381
481 |            B539CCE3 409D13CD 566AFBB4 8D6C0191 81E1BCFE 94B30269 EDFE72FE 9B6AA4BD
482 |            7B5A0F1C 71CFFF4C 19C418E1 F6EC0179 81BC087F 2A7065B3 84B890D3 191F2BFA
483 |          ]]),
484 | 
485 |   -- RFC5114/2048-bit DSA group with 256-bit prime order subgroup
486 |   [fromhex([[
487 |     87A8E61D B4B6663C FFBBD19C 65195999 8CEEF608 660DD0F2 5D2CEED4 435E3B00
488 |     E00DF8F1 D61957D4 FAF7DF45 61B2AA30 16C3D911 34096FAA 3BF4296D 830E9A7C
489 |     209E0C64 97517ABD 5A8A9D30 6BCF67ED 91F9E672 5B4758C0 22E0B1EF 4275BF7B
490 |     6C5BFC11 D45F9088 B941F54E B1E59BB8 BC39A0BF 12307F5C 4FDB70C5 81B23F76
491 |     B63ACAE1 CAA6B790 2D525267 35488A0E F13C6D9A 51BFA4AB 3AD83477 96524D8E
492 |     F6A167B5 A41825D9 67E144E5 14056425 1CCACB83 E6B486F6 B3CA3F79 71506026
493 |     C0B857F6 89962856 DED4010A BD0BE621 C3A3960A 54E710C3 75F26375 D7014103
494 |     A4B54330 C198AF12 6116D227 6E11715F 693877FA D7EF09CA DB094AE9 1E1A1597
495 |   ]])] =
496 | 
497 |          fromhex([[
498 |            3FB32C9B 73134D0B 2E775066 60EDBD48 4CA7B18F 21EF2054 07F4793A 1A0BA125
499 |            10DBC150 77BE463F FF4FED4A AC0BB555 BE3A6C1B 0C6B47B1 BC3773BF 7E8C6F62
500 |            901228F8 C28CBB18 A55AE313 41000A65 0196F931 C77A57F2 DDF463E5 E9EC144B
501 |            777DE62A AAB8A862 8AC376D2 82D6ED38 64E67982 428EBC83 1D14348F 6F2F9193
502 |            B5045AF2 767164E1 DFC967C1 FB3F2E55 A4BD1BFF E83B9C80 D052B985 D182EA0A
503 |            DB2A3B73 13D3FE14 C8484B1E 052588B9 B7D2BBD2 DF016199 ECD06E15 57CD0915
504 |            B3353BBB 64E0EC37 7FD02837 0DF92B52 C7891428 CDC67EB6 184B523D 1DB246C3
505 |            2F630784 90F00EF8 D647D148 D4795451 5E2327CF EF98C582 664B4C0F 6CC41659
506 |          ]])
507 | }
508 | 
509 | 
510 | -- Add additional context (protocol) to debug output
511 | local function ctx_log(level, protocol, fmt, ...)
512 |   return stdnse.debug(level, "(%s) " .. fmt, protocol, ...)
513 | end
514 | 
515 | 
516 | -- returns a function that yields a new tls record each time it is called
517 | local function get_record_iter(sock)
518 |   local buffer = ""
519 |   local i = 1
520 |   local fragment
521 |   return function ()
522 |     local record
523 |     i, record = tls.record_read(buffer, i, fragment)
524 |     if record == nil then
525 |       local status, err
526 |       status, buffer, err = tls.record_buffer(sock, buffer, i)
527 |       if not status then
528 |         return nil, err
529 |       end
530 |       i, record = tls.record_read(buffer, i, fragment)
531 |       if record == nil then
532 |         return nil, "done"
533 |       end
534 |     end
535 |     fragment = record.fragment
536 |     return record
537 |   end
538 | end
539 | 
540 | 
541 | local function get_server_response(host, port, t)
542 |   local timeout = stdnse.get_timeout(host, 10000, 5000)
543 | 
544 |   -- Create socket.
545 |   local status, sock, err
546 |   local starttls = sslcert.getPrepareTLSWithoutReconnect(port)
547 |   if starttls then
548 |     status, sock = starttls(host, port)
549 |     if not status then
550 |       ctx_log(1, t.protocol, "Can't connect: %s", sock)
551 |       return nil
552 |     end
553 |   else
554 |     sock = nmap.new_socket()
555 |     sock:set_timeout(timeout)
556 |     status, err = sock:connect(host, port)
557 |     if not status then
558 |       ctx_log(1, t.protocol, "Can't connect: %s", err)
559 |       sock:close()
560 |       return nil
561 |     end
562 |   end
563 | 
564 |   sock:set_timeout(timeout)
565 | 
566 |   -- Send request.
567 |   local req = tls.client_hello(t)
568 |   status, err = sock:send(req)
569 |   if not status then
570 |     ctx_log(1, t.protocol, "Can't send: %s", err)
571 |     sock:close()
572 |     return nil
573 |   end
574 | 
575 |   -- Read response.
576 |   local get_next_record = get_record_iter(sock)
577 |   local records = {}
578 |   while true do
579 |     local record
580 |     record, err = get_next_record()
581 |     if not record then
582 |       ctx_log(1, t.protocol, "Couldn't read a TLS record: %s", err)
583 |       sock:close()
584 |       return records
585 |     end
586 |     -- Collect message bodies into one record per type
587 |     records[record.type] = records[record.type] or record
588 |     local done = false
589 |     for j = 1, #record.body do -- no ipairs because we append below
590 |       local b = record.body[j]
591 |       done = ((record.type == "alert" and b.level == "fatal") or
592 |         (record.type == "handshake" and b.type == "server_hello_done"))
593 |       table.insert(records[record.type].body, b)
594 |     end
595 |     if done then
596 |       sock:close()
597 |       return records
598 |     end
599 |   end
600 | end
601 | 
602 | -- If protocol fails (i.e. no ciphers will ever succeed) then returns false
603 | -- If no ciphers were supported, but the protocol is valid, then returns nil
604 | -- else returns the cipher and dh params
605 | local function get_dhe_params(host, port, protocol, ciphers)
606 |   local cipher, packed
607 |   local t = {}
608 |   local pos = 1
609 |   t.protocol = protocol
610 |   t.extensions = {}
611 | 
612 |   if host.targetname then
613 |     t.extensions.server_name = tls.EXTENSION_HELPERS.server_name(host.targetname)
614 |   end
615 | 
616 |   -- Keep ClientHello record size below 255 bytes and the number of ciphersuites
617 |   -- to 64 or less in order to avoid implementation issues with some TLS servers
618 | 
619 |   -- Get handshake record size with just one cipher
620 |   t.ciphers = { "TLS_NULL_WITH_NULL_NULL" }
621 |   local len = #tls.client_hello(t)
622 |   local room = math.floor(math.max(0, (255 - len) / 2))
623 | 
624 |   local function next_chunk(t, ciphers, pos)
625 | 
626 |     -- Compute number of ciphers to fit in next chunk
627 |     local last = math.min(#ciphers, pos + math.min(63, room))
628 |     t.ciphers = {}
629 | 
630 |     for i = pos, last do
631 |       table.insert(t.ciphers, ciphers[i])
632 |     end
633 | 
634 |     return last + 1
635 |   end
636 | 
637 |   while pos <= #ciphers do
638 |     pos = next_chunk(t, ciphers, pos)
639 |     local records = get_server_response(host, port, t)
640 |     if not records then
641 |       stdnse.debug1("Connection failed")
642 |       return false
643 |     end
644 | 
645 |     local alert = records.alert
646 |     if alert then
647 |       for j = 1, #alert.body do
648 |         ctx_log(2, protocol, "Received alert: %s", alert.body[j].description)
649 |         if alert["protocol"] ~= protocol then
650 |           ctx_log(1, protocol, "Protocol rejected.")
651 |           return false
652 |         end
653 |       end
654 |     end
655 | 
656 |     -- Extract negotiated cipher suite and key exchange data
657 |     local handshake = records.handshake
658 |     if handshake then
659 |       for j = 1, #handshake.body do
660 |         if handshake.body[j].type == "server_hello" then
661 |           if handshake.body[j].protocol ~= protocol then
662 |             ctx_log(1, protocol, "Protocol rejected in server hello")
663 |             return false
664 |           end
665 |           cipher = handshake.body[j].cipher
666 |         elseif handshake.body[j].type == "server_key_exchange" then
667 |           packed = handshake.body[j].data
668 |         end
669 |       end
670 |     end
671 | 
672 |     -- Only try next chunk if current chunk was rejected
673 |     if cipher and packed then
674 |       local info = tls.cipher_info(cipher)
675 |       local data = tls.KEX_ALGORITHMS[info.kex].server_key_exchange(packed)
676 |       return cipher, data.dhparams
677 |     end
678 |   end
679 | 
680 |   return nil
681 | end
682 | 
683 | 
684 | local function get_dhe_ciphers()
685 |   local dh_anons = {}
686 |   local dhe_ciphers = {}
687 |   local dhe_exports = {}
688 | 
689 |   for cipher, _ in pairs(tls.CIPHERS) do
690 |     local info = tls.cipher_info(cipher)
691 |     if DH_anon_ALGORITHMS[info.kex] then
692 |       dh_anons[#dh_anons + 1] = cipher
693 |     end
694 |     if DHE_ALGORITHMS[info.kex] then
695 |       dhe_ciphers[#dhe_ciphers + 1] = cipher
696 |     end
697 |     if DHE_ALGORITHMS_EXPORT[info.kex] then
698 |       dhe_exports[#dhe_exports + 1] = cipher
699 |     end
700 |   end
701 | 
702 |   return dh_anons, dhe_ciphers, dhe_exports
703 | end
704 | 
705 | local fields_order = {
706 |   "Cipher Suite",
707 |   "Modulus Type",
708 |   "Modulus Source",
709 |   "Modulus Length",
710 |   "Generator Length",
711 |   "Public Key Length",
712 | }
713 | local group_metatable = {
714 |   __tostring = function(g)
715 |     local out = {}
716 |     for i=1, #fields_order do
717 |       local k = fields_order[i]
718 |       if g[k] then
719 |         out[#out+1] = ("      %s: %s"):format(k, g[k])
720 |       end
721 |     end
722 |     return table.concat(out, "\n")
723 |   end
724 | }
725 | 
726 | local function check_dhgroup(anondh, logjam, weakdh, nosafe, cipher, dhparams)
727 |   local source = DHE_PRIMES[dhparams.p]
728 |   local length = #dhparams.p * 8
729 |   local genlen = #dhparams.g * 8
730 |   local pubkeylen = #dhparams.y * 8
731 |   local modulus = stdnse.tohex(dhparams.p)
732 |   local generator = stdnse.tohex(dhparams.g)
733 |   local pubkey = stdnse.tohex(dhparams.y)
734 |   local is_prime, is_safe
735 | 
736 |   local group = {
737 |     ["Cipher Suite"] = cipher,
738 |     ["Modulus Source"] = source or "Unknown/Custom-generated",
739 |     ["Modulus Length"] = length,
740 |     ["Modulus"] = modulus,
741 |     ["Generator Length"] = genlen,
742 |     ["Generator"] = generator,
743 |     ["Public Key Length"] = pubkeylen
744 |   }
745 |   setmetatable(group, group_metatable)
746 | 
747 |   if have_ssl then
748 |     local bn = openssl.bignum_bin2bn(dhparams.p)
749 |     is_safe, is_prime = openssl.bignum_is_safe_prime(bn)
750 |     group["Modulus Type"] = (is_safe and "Safe prime") or
751 |                      (is_prime and "Non-safe prime") or
752 |                      "Composite"
753 |   end
754 | 
755 |   if string.find(cipher, "DH_anon") then
756 |     anondh[#anondh + 1] = group
757 |   elseif string.find(cipher, "EXPORT") then
758 |     logjam[#logjam + 1] = group
759 |   elseif length <= 1024 then
760 |     weakdh[#weakdh + 1] = group
761 |   end
762 | 
763 |   -- The use of non-safe primes requires carefully generated parameters
764 |   -- in order to be secure. Do some rudimentary validation checks here.
765 |   if have_ssl and not is_safe and not DSA_PARAMS[dhparams.p] then
766 |     nosafe[#nosafe + 1] = group
767 |   elseif DSA_PARAMS[dhparams.p] and DSA_PARAMS[dhparams.p] ~= dhparams.g then
768 |     nosafe[#nosafe + 1] = group
769 |   end
770 | end
771 | 
772 | 
773 | portrule = function(host, port)
774 |   return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
775 | end
776 | 
777 | local function format_check(t, label)
778 |   local out = {}
779 |   for i, v in ipairs(t) do
780 |     out[i] = string.format("%s %d\n%s", label, i, v)
781 |   end
782 |   return out
783 | end
784 | 
785 | action = function(host, port)
786 |   local dh_anons, dhe_ciphers, dhe_exports = get_dhe_ciphers()
787 |   local cipher
788 |   local dhparams
789 |   local anondh = {}
790 |   local logjam = {}
791 |   local weakdh = {}
792 |   local nosafe = {}
793 |   local primes = {}
794 |   local anons = {}
795 | 
796 |   local vuln_table_anondh = {
797 |     title = "Anonymous Diffie-Hellman Key Exchange MitM Vulnerability",
798 |     description = [[
799 | Transport Layer Security (TLS) services that use anonymous Diffie-Hellman
800 | key exchange only provide protection against passive eavesdropping, and
801 | are vulnerable to active man-in-the-middle attacks which could completely
802 | compromise the confidentiality and integrity of any data exchanged over
803 | the resulting session.]],
804 |     state = vulns.STATE.NOT_VULN,
805 |     references = {
806 |       "https://www.ietf.org/rfc/rfc2246.txt"
807 |     }
808 |   }
809 | 
810 |   local vuln_table_logjam = {
811 |     title = "Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)",
812 |     description = [[
813 | The Transport Layer Security (TLS) protocol contains a flaw that is triggered
814 | when handling Diffie-Hellman key exchanges defined with the DHE_EXPORT cipher.
815 | This may allow a man-in-the-middle attacker to downgrade the security of a TLS
816 | session to 512-bit export-grade cryptography, which is significantly weaker,
817 | allowing the attacker to more easily break the encryption and monitor or tamper
818 | with the encrypted stream.]],
819 |     state = vulns.STATE.NOT_VULN,
820 |     IDS = {
821 |       CVE = 'CVE-2015-4000',
822 |       OSVDB = '122331'
823 |     },
824 |     SCORES = {
825 |       CVSSv2 = '4.3'
826 |     },
827 |     dates = {
828 |       disclosure = {
829 |         year = 2015, month = 5, day = 19
830 |       }
831 |     },
832 |     references = {
833 |       "https://weakdh.org"
834 |     }
835 |   }
836 | 
837 |   local vuln_table_weakdh = {
838 |     title = "Diffie-Hellman Key Exchange Insufficient Group Strength",
839 |     description = [[
840 | Transport Layer Security (TLS) services that use Diffie-Hellman groups of
841 | insufficient strength, especially those using one of a few commonly shared
842 | groups, may be susceptible to passive eavesdropping attacks.]],
843 |     state = vulns.STATE.NOT_VULN,
844 |     references = {
845 |       "https://weakdh.org"
846 |     }
847 |   }
848 | 
849 |   local vuln_table_nosafe = {
850 |     title = "Diffie-Hellman Key Exchange Incorrectly Generated Group Parameters",
851 |     description = [[
852 | This TLS service appears to be using a modulus that is not a safe prime and does
853 | not correspond to any well-known DSA group for Diffie-Hellman key exchange.
854 | These parameters MAY be secure if:
855 | - They were generated according to the procedure described in FIPS 186-4 for
856 |   DSA Domain Parameter Generation, or
857 | - The generator g generates a subgroup of large prime order
858 | Additional testing may be required to verify the security of these parameters.]],
859 |     state = vulns.STATE.NOT_VULN,
860 |     references = {
861 |       "https://weakdh.org",
862 |       "http://www2.esentire.com/TLSUnjammedWP"
863 |     }
864 |   }
865 | 
866 |   for protocol in pairs(tls.PROTOCOLS) do
867 |     -- Try anonymous DH ciphersuites
868 |     cipher, dhparams = get_dhe_params(host, port, protocol, dh_anons)
869 |     -- Explicit test for false needed because nil just means no ciphers supported.
870 |     if cipher == false then goto NEXT_PROTOCOL end
871 |     if dhparams and not anons[dhparams.p] then
872 |       vuln_table_anondh.state = vulns.STATE.VULN
873 |       check_dhgroup(anondh, logjam, weakdh, nosafe, cipher, dhparams)
874 |       anons[dhparams.p] = 1
875 |     end
876 | 
877 |     -- Try DHE_EXPORT ciphersuites
878 |     cipher, dhparams = get_dhe_params(host, port, protocol, dhe_exports)
879 |     if dhparams and not primes[dhparams.p] then
880 |       check_dhgroup(anondh, logjam, weakdh, nosafe, cipher, dhparams)
881 |       primes[dhparams.p] = 1
882 |     end
883 | 
884 |     -- Try non-export DHE ciphersuites
885 |     cipher, dhparams = get_dhe_params(host, port, protocol, dhe_ciphers)
886 |     if dhparams and not primes[dhparams.p] then
887 |       check_dhgroup(anondh, logjam, weakdh, nosafe, cipher, dhparams)
888 |       primes[dhparams.p] = 1
889 |     end
890 |     ::NEXT_PROTOCOL::
891 |   end
892 | 
893 |   local report = vulns.Report:new(SCRIPT_NAME, host, port)
894 | 
895 |   vuln_table_anondh.check_results = format_check(anondh, "ANONYMOUS DH GROUP")
896 |   vuln_table_logjam.check_results = format_check(logjam, "EXPORT-GRADE DH GROUP")
897 |   vuln_table_weakdh.check_results = format_check(weakdh, "WEAK DH GROUP")
898 |   vuln_table_nosafe.check_results = format_check(nosafe, "NON-SAFE GROUP")
899 | 
900 |   if #anondh > 0 then
901 |     vuln_table_anondh.state = vulns.STATE.VULN
902 |   end
903 | 
904 |   if #logjam > 0 then
905 |     vuln_table_logjam.state = vulns.STATE.VULN
906 |   end
907 | 
908 |   if #weakdh > 0 then
909 |     vuln_table_weakdh.state = vulns.STATE.VULN
910 |   end
911 | 
912 |   if #nosafe > 0 then
913 |     vuln_table_nosafe.state = vulns.STATE.LIKELY_VULN
914 |   end
915 | 
916 |   return report:make_output(vuln_table_anondh, vuln_table_logjam, vuln_table_weakdh, vuln_table_nosafe)
917 | end
918 | 


--------------------------------------------------------------------------------