Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package sslscan for openSUSE:Factory checked
in at 2023-04-17 17:41:25
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sslscan (Old)
and /work/SRC/openSUSE:Factory/.sslscan.new.2023 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sslscan"
Mon Apr 17 17:41:25 2023 rev:13 rq:1079852 version:2.0.16
Changes:
--------
--- /work/SRC/openSUSE:Factory/sslscan/sslscan.changes 2022-08-02
22:10:28.353993995 +0200
+++ /work/SRC/openSUSE:Factory/.sslscan.new.2023/sslscan.changes
2023-04-17 17:41:30.990297708 +0200
@@ -1,0 +2,7 @@
+Sun Apr 16 17:56:03 UTC 2023 - Dirk Müller <dmuel...@suse.com>
+
+- update to 2.0.16:
+ * Fix incorret detection of TLSv1.3 on Server 2019
+ * Fix incorrect XML certificate output
+
+-------------------------------------------------------------------
Old:
----
sslscan-2.0.15.tar.gz
New:
----
sslscan-2.0.16.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ sslscan.spec ++++++
--- /var/tmp/diff_new_pack.gJ9vxI/_old 2023-04-17 17:41:33.126310191 +0200
+++ /var/tmp/diff_new_pack.gJ9vxI/_new 2023-04-17 17:41:33.130310214 +0200
@@ -1,7 +1,7 @@
#
# spec file for package sslscan
#
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
Name: sslscan
-Version: 2.0.15
+Version: 2.0.16
Release: 0
Summary: SSL cipher scanning tool
License: SUSE-GPL-3.0+-with-openssl-exception
++++++ sslscan-2.0.15.tar.gz -> sslscan-2.0.16.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/sslscan-2.0.15/.dockerignore
new/sslscan-2.0.16/.dockerignore
--- old/sslscan-2.0.15/.dockerignore 1970-01-01 01:00:00.000000000 +0100
+++ new/sslscan-2.0.16/.dockerignore 2023-04-08 23:36:58.000000000 +0200
@@ -0,0 +1 @@
+openssl
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/sslscan-2.0.15/Changelog new/sslscan-2.0.16/Changelog
--- old/sslscan-2.0.15/Changelog 2022-07-03 17:42:37.000000000 +0200
+++ new/sslscan-2.0.16/Changelog 2023-04-08 23:36:58.000000000 +0200
@@ -1,5 +1,12 @@
Changelog
=========
+Version: 2.0.16
+Date : 08/04/2023
+Author : rbsec <ro...@rbsec.net>
+Changes: The following are a list of changes
+ > Fix incorret detection of TLSv1.3 on Server 2019 (credit
jtesta)
+ > Fix incorrect XML certificate output
+
Version: 2.0.15
Date : 03/07/2022
Author : rbsec <ro...@rbsec.net>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/sslscan-2.0.15/Dockerfile
new/sslscan-2.0.16/Dockerfile
--- old/sslscan-2.0.15/Dockerfile 1970-01-01 01:00:00.000000000 +0100
+++ new/sslscan-2.0.16/Dockerfile 2023-04-08 23:36:58.000000000 +0200
@@ -0,0 +1,31 @@
+FROM alpine:latest as builder
+
+# Ensure no packages are cached before we try to do an update.
+RUN apk cache clean 2> /dev/null || exit 0
+
+RUN apk update && apk add gcc make ca-certificates git libc-dev linux-headers
openssl perl zlib-dev
+RUN update-ca-certificates
+
+ADD . builddir
+
+# Make a static build of sslscan, then strip it of debugging symbols.
+RUN cd builddir && make static
+RUN strip --strip-all /builddir/sslscan
+
+# Print the output of ldd so we can see what dynamic libraries that sslscan is
still dependent upon.
+RUN echo "ldd output:" && ldd /builddir/sslscan
+RUN echo "ls -al output:" && ls -al /builddir/sslscan
+
+
+# Start with an empty container for our final build.
+FROM scratch
+
+# Copy over the sslscan executable from the intermediate build container,
along with the dynamic libraries it is dependent upon (see output of ldd,
above).
+COPY --from=builder /builddir/sslscan /sslscan
+COPY --from=builder /lib/libz.so.1 /lib/libz.so.1
+COPY --from=builder /lib/ld-musl-x86_64.so.1 /lib/ld-musl-x86_64.so.1
+
+# Drop root privileges.
+USER 65535:65535
+
+ENTRYPOINT ["/sslscan"]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/sslscan-2.0.15/Makefile new/sslscan-2.0.16/Makefile
--- old/sslscan-2.0.15/Makefile 2022-07-03 17:42:37.000000000 +0200
+++ new/sslscan-2.0.16/Makefile 2023-04-08 23:36:58.000000000 +0200
@@ -155,6 +155,9 @@
static: openssl/libcrypto.a
$(MAKE) -j $(NUM_PROCS) sslscan STATIC_BUILD=TRUE
+docker:
+ docker build -t sslscan:sslscan .
+
test: static
./docker_test.sh
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/sslscan-2.0.15/README.md new/sslscan-2.0.16/README.md
--- old/sslscan-2.0.15/README.md 2022-07-03 17:42:37.000000000 +0200
+++ new/sslscan-2.0.16/README.md 2023-04-08 23:36:58.000000000 +0200
@@ -92,6 +92,20 @@
You can verify whether you have a statically linked OpenSSL version, by
checking whether the version listed by `sslscan --version` has the `-static`
suffix.
+### Building with Docker
+
+Ensure that you local Docker installation is functional, and the build the
container with:
+
+ make docker
+
+Or manually with:
+
+ docker build -t sslscan:sslscan .
+
+You can then run sslscan with:
+
+ docker run --rm -ti sslscan:sslscan --help
+
### Building on Windows
Thanks to a patch by jtesta, sslscan can now be compiled on Windows. This can
either be done natively or by cross-compiling from Linux. See INSTALL for
instructions.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/sslscan-2.0.15/sslscan.c new/sslscan-2.0.16/sslscan.c
--- old/sslscan-2.0.15/sslscan.c 2022-07-03 17:42:37.000000000 +0200
+++ new/sslscan-2.0.16/sslscan.c 2023-04-08 23:36:58.000000000 +0200
@@ -2362,14 +2362,14 @@
X509_free(x509Cert);
// This is abusing status a bit, but means that
we'll only get the cert once
status = false;
+
+ printf_xml(" </certificate>\n");
}
else {
printf(" Unable to parse certificate\n");
}
- printf_xml(" </certificate>\n");
-
// Free BIO
BIO_free(stdoutBIO);
if (options->xmlOutput)
@@ -4901,6 +4901,70 @@
}
+/* Returns true if the ServerHello response contains TLSv1.3 in its
supported_versions extension. */
+unsigned int checkSupportedVersionsExtensionForTLS13(bs *server_hello) {
+
+ unsigned int handshake_record_len = bs_get_byte(server_hello, 3) << 8 |
bs_get_byte(server_hello, 4);
+
+ /* The Server Hello *record* passed into this function can have multiple
handshake protocols inside. We need to find the Server Hello *handshake
protocol*, specifically, since that contains the extensions we need to parse. */
+ unsigned int handshake_record_ptr = 5;
+ while (handshake_record_ptr < handshake_record_len) {
+ unsigned int handshake_protocol_type = bs_get_byte(server_hello,
handshake_record_ptr);
+ unsigned int handshake_protocol_len = bs_get_byte(server_hello,
handshake_record_ptr + 1) << 16 | bs_get_byte(server_hello,
handshake_record_ptr + 2) << 8 | bs_get_byte(server_hello, handshake_record_ptr
+ 3);
+
+ /* We found the Server Hello handshake protocol entry... */
+ if (handshake_protocol_type == 2) {
+
+ /* The session ID field is variable, so we need to find its length first
so we can skip over it and get to the extensions section. */
+ unsigned int session_id_len = (unsigned int)bs_get_byte(server_hello,
handshake_record_ptr + 5 + 32 + 1);
+
+ /* Get the length of all the extensions. */
+ unsigned int extensions_len_offset = handshake_record_ptr + 5 + 32 + 1 +
session_id_len + 4;
+ unsigned int extensions_len = bs_get_byte(server_hello,
extensions_len_offset) << 8 | bs_get_byte(server_hello, extensions_len_offset +
1);
+
+ /* Loop through each extension. */
+ unsigned int extensions_base_offset = extensions_len_offset + 2;
+ unsigned int extensions_offset = 0;
+ while (extensions_offset < extensions_len) {
+
+ /* Get the extension type and length. */
+ unsigned int extension_type = bs_get_byte(server_hello,
extensions_base_offset + extensions_offset) << 8 | bs_get_byte(server_hello,
extensions_base_offset + extensions_offset + 1);
+ unsigned int extension_len = bs_get_byte(server_hello,
extensions_base_offset + extensions_offset + 2) << 8 |
bs_get_byte(server_hello, extensions_base_offset + extensions_offset + 3);
+
+ /* The supported_version extension is type 43. */
+ if (extension_type == 43) {
+
+ /* The length of this extension should be divisible by 2, since the
TLS versions are each 2 bytes. */
+ if ((extension_len % 2) != 0) {
+ fprintf(stderr, "Error in %s: extension length for
supported_versions is not even!: %u\n", __func__, extension_len);
+ return 0;
+ }
+
+ /* Loop through all the TLS versions in the supported_versions
extension. Each version uses two bytes. */
+ for (int i = 0; i < extension_len; i += 2) {
+ unsigned int tls_high_byte = (unsigned
int)bs_get_byte(server_hello, extensions_base_offset + extensions_offset + 4 +
i);
+ unsigned int tls_low_byte = (unsigned int)bs_get_byte(server_hello,
extensions_base_offset + extensions_offset + 5 + i);
+
+ /* If we find TLS version 0x0304 in the supported_versions
extension, then the server supports TLSv1.3! */
+ if ((tls_high_byte == 3) && (tls_low_byte == 4))
+ return 1;
+ }
+ }
+
+ extensions_offset += (4 + extension_len);
+ }
+
+ /* We already found the Server Hello protocol handshake and looked
through all the extensions. If we reached here, then there's no point in
continuing. */
+ return 0;
+ }
+
+ handshake_record_ptr += (4 + handshake_protocol_len);
+ }
+
+ return 0;
+}
+
+
/* Returns true if a specific TLS version is supported by the server. */
unsigned int checkIfTLSVersionIsSupported(struct sslCheckOptions *options,
unsigned int tls_version) {
bs *tls_extensions = NULL, *ciphersuite_list = NULL, *client_hello = NULL,
*server_hello = NULL;
@@ -4992,6 +5056,10 @@
if ((server_tls_version_high != 3) || (server_tls_version_low !=
expected_tls_version_low))
goto done;
+ /* TLSv1.3's ServerHello will be tagged as TLSv1.2 in the header, but will
include v1.3 in the supported_versions extension. Some servers (like Windows
Server 2019), when only supporting v1.2, will still respond with a ServerHello
to our v1.3 Client Hello. So to eliminate false positives, we need to check
the supported_versions extension and ensure v1.3 is listed there. */
+ if ((tls_version == TLSv1_3) &&
(!checkSupportedVersionsExtensionForTLS13(server_hello)))
+ goto done;
+
/* A valid Server Hello was returned, so this TLS version is supported. */
ret = true;
@@ -5052,6 +5120,9 @@
bs_append_ushort(ciphersuite_list, missing_ciphersuites[i].id);
}
+ /* Append TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff), otherwise some servers
will reject the connection outright. */
+ bs_append_ushort(ciphersuite_list, 255);
+
return ciphersuite_list;
}
