Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package sslscan for openSUSE:Factory checked 
in at 2023-11-13 22:18:33
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sslscan (Old)
 and      /work/SRC/openSUSE:Factory/.sslscan.new.17445 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "sslscan"

Mon Nov 13 22:18:33 2023 rev:15 rq:1125005 version:2.1.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/sslscan/sslscan.changes  2023-09-20 
13:27:10.250306004 +0200
+++ /work/SRC/openSUSE:Factory/.sslscan.new.17445/sslscan.changes       
2023-11-13 22:21:05.491990223 +0100
@@ -1,0 +2,6 @@
+Fri Nov 10 15:21:49 UTC 2023 - Dirk Müller <dmuel...@suse.com>
+
+- update to 2.1.1:
+  * Work around several dodgy TLS implementations
+
+-------------------------------------------------------------------

Old:
----
  sslscan-2.1.0.tar.gz

New:
----
  sslscan-2.1.1.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ sslscan.spec ++++++
--- /var/tmp/diff_new_pack.gQ0Ke5/_old  2023-11-13 22:21:06.240017765 +0100
+++ /var/tmp/diff_new_pack.gQ0Ke5/_new  2023-11-13 22:21:06.240017765 +0100
@@ -17,7 +17,7 @@
 
 
 Name:           sslscan
-Version:        2.1.0
+Version:        2.1.1
 Release:        0
 Summary:        SSL cipher scanning tool
 License:        SUSE-GPL-3.0+-with-openssl-exception

++++++ sslscan-2.1.0.tar.gz -> sslscan-2.1.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sslscan-2.1.0/Changelog new/sslscan-2.1.1/Changelog
--- old/sslscan-2.1.0/Changelog 2023-09-05 15:54:34.000000000 +0200
+++ new/sslscan-2.1.1/Changelog 2023-09-19 19:17:50.000000000 +0200
@@ -1,5 +1,11 @@
 Changelog
 =========
+Version: 2.1.1
+Date   : 19/09/2023
+Author : rbsec <ro...@rbsec.net>
+Changes: The following are a list of changes
+                > Work around several dodgy TLS implementations (credit jtesta)
+
 Version: 2.1.0
 Date   : 05/09/2023
 Author : rbsec <ro...@rbsec.net>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sslscan-2.1.0/Makefile new/sslscan-2.1.1/Makefile
--- old/sslscan-2.1.0/Makefile  2023-09-05 15:54:34.000000000 +0200
+++ new/sslscan-2.1.1/Makefile  2023-09-19 19:17:50.000000000 +0200
@@ -131,7 +131,7 @@
        if [ -d openssl -a -d openssl/.git ]; then \
                cd ./openssl && git checkout `git ls-remote 
https://github.com/openssl/openssl | grep -Eo '(openssl-3\.0\.[0-9]+)' | sort 
--version-sort | tail -n 1` && git pull | grep -q "Already up-to-date." && [ -e 
../.openssl.is.fresh ] || touch ../.openssl.is.fresh ; \
        else \
-       git clone --depth 1 -b `git ls-remote 
https://github.com/openssl/openssl | grep -Eo '(openssl-3\.0\.[0-9]+)' | sort 
--version-sort | tail -n 1` https://github.com/openssl/openssl ./openssl && cd 
./openssl && touch ../.openssl.is.fresh ; \
+       git clone --depth 1 -b `git ls-remote 
https://github.com/openssl/openssl | grep -Eo '(openssl-3\.0\.[0-9]+)' | sort 
-V | tail -n 1` https://github.com/openssl/openssl ./openssl && cd ./openssl && 
touch ../.openssl.is.fresh ; \
        fi
 
 # Need to build OpenSSL differently on OSX
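Review bot: The `git clone` line in the `else` branch now sorts tags with `sort -V`, while the `git checkout` line just above it in the same hunk still uses `sort --version-sort`, so the two branches can behave differently on a `sort` that accepts only one spelling; use `sort -V` in both. Separately, both branches build against whatever `openssl-3.0.N` tag `git ls-remote` reports at build time, with no pinned tag or commit and no verification step, so the static build is neither reproducible nor protected against a mistaken or tampered upstream tag. Consider a pinned version variable and, if the upstream release tags are signed, a `git verify-tag` check before building. The rule's target and the rest of the recipe lie outside the hunk.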
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sslscan-2.1.0/sslscan.c new/sslscan-2.1.1/sslscan.c
--- old/sslscan-2.1.0/sslscan.c 2023-09-05 15:54:34.000000000 +0200
+++ new/sslscan-2.1.1/sslscan.c 2023-09-19 19:17:50.000000000 +0200
@@ -1871,20 +1871,18 @@
 
                 // Connect SSL over socket
                 cipherStatus = SSL_connect(ssl);
+                printf_verbose("SSL_connect() returned: %d\n", cipherStatus);
 
                 sslCipherPointer = SSL_get_current_cipher(ssl);
-                cipherbits = SSL_CIPHER_get_bits(sslCipherPointer, NULL);
-
-                if (cipherStatus == 0)
-                {
-                    return false;
-                }
-                else if (cipherStatus != 1)
-                {
-                    printf_verbose("SSL_get_error(ssl, cipherStatus) said: 
%d\n", SSL_get_error(ssl, cipherStatus));
-                    return false;
+                if (sslCipherPointer == NULL) {
+                  printf_verbose("SSL_get_current_cipher() returned NULL; this 
indicates that the server did not choose a cipher from our list (%s)\n", 
options->cipherstring);
+                  SSL_shutdown(ssl);
+                  FREE_SSL(ssl);
+                  CLOSE(socketDescriptor);
+                  return false;
                 }
 
+                cipherbits = SSL_CIPHER_get_bits(sslCipherPointer, NULL);
                 cipherid = SSL_CIPHER_get_id(sslCipherPointer);
                 cipherid = cipherid & 0x00ffffff;  // remove first byte which 
is the version (0x03 for TLSv1/SSLv3)
 
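Review bot: The new NULL-cipher branch calls `SSL_shutdown(ssl)` on a connection whose handshake has almost certainly failed, and the second sslscan.c hunk (`@@ -1907,24 +1905,18 @@`) now calls it unconditionally where it used to sit inside `if (cipherStatus == 1)`. OpenSSL's documentation says SSL_shutdown() must not be called after a fatal error (SSL_get_error() returning SSL_ERROR_SSL or SSL_ERROR_SYSCALL); during an unfinished handshake it typically just fails and leaves an entry on the error queue. Guard both calls with `if (cipherStatus == 1) SSL_shutdown(ssl);`. The verbose output also lost the SSL_get_error() value the old code printed, so add `printf_verbose("SSL_get_error() said: %d\n", SSL_get_error(ssl, cipherStatus));` when `cipherStatus != 1` to keep failed handshakes diagnosable. The enclosing function starts and ends outside the hunk.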
@@ -1907,24 +1905,18 @@
                  milliseconds_elapsed = tval_elapsed.tv_sec * 1000 + 
(int)tval_elapsed.tv_usec / 1000;
                }
 
-                outputCipher(options, ssl, cleanSslMethod, cipherid, 
ciphername, cipherbits, (cipherStatus == 1), milliseconds_elapsed);
+                outputCipher(options, ssl, cleanSslMethod, cipherid, 
ciphername, cipherbits, 1, milliseconds_elapsed);
 
                 // Disconnect SSL over socket
-                if (cipherStatus == 1)
-                {
-                    const char *usedcipher = SSL_get_cipher_name(ssl);
-                    if(sslMethod==TLSv1_3_client_method())
-                    { // Remove cipher from TLSv1.3 list
-                      cipherRemove(options->cipherstring, usedcipher);
-                    }
-                    else
-                    {
-                      // Using strcat rather than strncat to avoid a warning 
from GCC
-                      strcat(options->cipherstring, ":!");
-                      strncat(options->cipherstring, usedcipher, 
strlen(usedcipher));
-                    }
-                    SSL_shutdown(ssl);
+                const char *usedcipher = SSL_get_cipher_name(ssl);
+                if(sslMethod == TLSv1_3_client_method())
+                  cipherRemove(options->cipherstring, usedcipher);  // Remove 
cipher from TLSv1.3 list
+                else {
+                  // Using strcat rather than strncat to avoid a warning from 
GCC
+                  strcat(options->cipherstring, ":!");
+                  strncat(options->cipherstring, usedcipher, 
strlen(usedcipher));
                 }
+                SSL_shutdown(ssl);
 
                 // Free SSL object
                 FREE_SSL(ssl);
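Review bot: The append to `options->cipherstring` is still unbounded: `strncat(options->cipherstring, usedcipher, strlen(usedcipher))` limits the copy by the source length rather than by the space left in the destination, so it is `strcat` under another name, and the preceding `strcat(options->cipherstring, ":!")` has no check either. The buffer's declaration is not part of this diff, so whether the accumulated exclusions can exceed it cannot be confirmed from here, but this path now also runs for handshakes that did not complete. Compare `strlen(options->cipherstring) + strlen(usedcipher) + 3` with the buffer's capacity before appending, and stop the scan with an error if it does not fit. Passing a constant `1` to outputCipher also means the output no longer distinguishes a completed handshake from a cipher the server merely selected; a verbose message when `cipherStatus != 1` would make that visible. The enclosing function starts and ends outside the hunk.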
@@ -5372,8 +5364,14 @@
     bs_append_uint32_t(client_hello, rand);
   }
 
-  /* Session ID Length: 0 */
-  bs_append_bytes(client_hello, (unsigned char []) { 0x00 }, 1);
+  /* Session ID Length: 32 */
+  bs_append_bytes(client_hello, (unsigned char []) { 32 }, 1);
+
+  /* A "random" 32-byte session ID. */
+  for (int i = 0; i < 8; i++) {
+    rand += (time_now ^ (uint32_t)((~(i + 0) << 24) | (~(i + 1) << 16) | (~(i 
+ 2) << 8) | (~(i + 3) << 0)));
+    bs_append_uint32_t(client_hello, rand);
+  }
 
   /* Add the length (in bytes) of the ciphersuites list to the Client Hello. */
   bs_append_ushort(client_hello, bs_get_len(ciphersuite_list));
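Review bot: In the session-ID loop, `~(i + 0) << 24` and its three sibling terms left-shift a negative `int` (`~i` is negative for every `i >= 0`), which is undefined behaviour in C; convert before shifting, e.g. `((uint32_t)~(i + 0) << 24) | ((uint32_t)~(i + 1) << 16) | ...`. The 32 bytes are also fully determined by `time_now` and the previous value of `rand`, so the comment should say that they are filler (presumably for servers that mishandle an empty session ID) and must not be treated as random: `/* Predictable filler, not random: only here so the session ID is non-empty. */`. `rand` and `time_now` are declared outside the hunk, and the local name `rand` shadows the standard `rand()` function.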
