
Nmap Development mailing list archives
Re: [NSE] SSL support
From: Patrik Karlsson <patrik () cqure net>
Date: Sun, 5 Aug 2012 13:07:46 +0200
On Sun, Aug 5, 2012 at 11:20 AM, Patrick Donnelly <batrick () batbytes com>wrote:
Hi Patrik, On Sun, Aug 5, 2012 at 4:43 AM, Patrik Karlsson <patrik () cqure net> wrote:I noticed/fixed a few things; * A few libraries have "require openssl" before the silent_require call.Imay have contributed to this by doing my fix-up runs based on the resultofnse_check_globals. Patrick, would it be possible to getnse_check_globals tounderstand the silent_require calls and even thepcall(require("openssl"))? It already does. What probably happened is (a) the script writer didn't save the returned library from silent_require to a local or (b) the library was never required and nse_check_globals patched the script to require the library. There's little magic to nse_check_globals. If it finds an indexed global variable and that variable name exists in nselib/*.lua or nselib/*.luadoc, then it detects this as an unrequired library. For example, in http-title.nse: -- local http = require "http" ... function action (host, port) http.get(host, port, ...) end Will give us an unrequired library error because the http variable is global and corresponds to a library in nselib: Checking: scripts/http-title.nse Found unrequired NSE library "http" on line 38:39. In contrast: local http = require "http" ... function action (host, port) httP.get(host, port, "/foo") end will just give us a bad indexed global error: Checking: scripts/http-title.nse Found bad indexed global "httP" on line 38:38. So the return value of stdnse.silent_require is stored in a local, nse_check_globals will be happy. There's no difference between require or stdnse.silent_require. So, for nselib/afp.lua, it looks like this should have been: $ svn diff nselib/afp.lua Index: nselib/afp.lua =================================================================== --- nselib/afp.lua (revision 29493) +++ nselib/afp.lua (working copy) @@ -114,19 +114,14 @@ local bin = require "bin" local bit = require "bit" local nmap = require "nmap" -local openssl = require "openssl" local os = require "os" local stdnse = require "stdnse" local string = require "string" local table = require "table" _ENV = stdnse.module("afp", stdnse.seeall); -local HAVE_SSL = false +local openssl = stdnse.silent_require "openssl" -if pcall(require,'openssl') then - HAVE_SSL = true -end - -- Table of valid REQUESTs local REQUEST = { CloseSession = 0x01, @@ -890,10 +885,6 @@ local data_offset = 0 local status, response - if not HAVE_SSL then - return false, "OpenSSL not available, aborting ..." - end - -- currently we only support AFP3.3 if afp_version == nil or ( afp_version ~= "AFP3.3" and afp_version ~= "AFP3.2" and afp_version ~= "AFP3.1" ) then return false, "Incorrect AFP version" Note that the pcall(require, "openssl") doesn't save the return value of require to a local named "openssl". This would have also worked: local status, openssl = pcall(require, "openssl") if not status then HAVE_SSL = false end* Some scripts requiring a library, which in turn had a silent_requires, returned "attempt to yield across metamethod/C-call boundary" during the --script-updatedb. I solved this by adding a silent_require for that library in thosescripts.Not sure whether this is the best way, but I some some traces of that inafew scripts and it works.This is my fault. silent_require should be throwing an error, not yielding. Please run through these again with the updated nse_main.lua.* nse_main.lua didn't seem to handle scripts having a silent_require very well, as the scripts would fail to load, returning nil which wasn'tcaughtwhen attempting to sort the categories and write it to the scripts.db. I think the attached patch may solve this appropriately as well.That looks good. -- - Patrick Donnelly
Thanks. In regards to afp.lua, if we wan't some functionality in the library to work, which is the case for afp.lua, but catch the missing openssl requirement in login, wouldn't we need to take the pcall approach in this case? //Patrik -- Patrik Karlsson http://www.cqure.net http://twitter.com/nevdull77 _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] SSL support Patrik Karlsson (Aug 05)
- Re: [NSE] SSL support Patrick Donnelly (Aug 05)
- Re: [NSE] SSL support Patrik Karlsson (Aug 05)
- Re: [NSE] SSL support Patrik Karlsson (Aug 05)
- Re: [NSE] SSL support Patrick Donnelly (Aug 05)
- Re: [NSE] SSL support Patrik Karlsson (Aug 05)
- Re: [NSE] SSL support Patrik Karlsson (Aug 05)
- Re: [NSE] SSL support Patrick Donnelly (Aug 05)
- Re: [NSE] SSL support Patrick Donnelly (Aug 05)