Fix merge

.github/workflows/ci.yml

@@ -10,7 +10,7 @@ jobs:
       matrix:
         cc: [clang, gcc]
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: build with ${{ matrix.cc }}
         run: |
           make sslscan
@@ -20,7 +20,7 @@ jobs:
   build_mingw:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: install mingw-w64
         run: |
           sudo apt-get update -qq

Changelog

@@ -1,10 +1,19 @@
 Changelog
 =========
+Version: 2.1.6
+Date   : 02/12/2024
+Author : rbsec <[email protected]>
+Changes: The following are a list of changes
+		 > Flag CCM8 ciphers as weak and manually override their displayed
+		 bit strength to match newer versions of OpenSSL
+		 See https://github.com/openssl/openssl/pull/16652
+
 Version: 2.1.5
 Date   : 21/09/2024
 Author : rbsec <[email protected]>
 Changes: The following are a list of changes
 		 > Various build improvements
+		 > Makefile improvements
 
 Version: 2.1.4
 Date   : 16/06/2024
@@ -17,7 +26,7 @@ Date   : 21/01/2024
 Author : rbsec <[email protected]>
 Changes: The following are a list of changes
 		 > Enable quiet shutdown for scanning (credit jarnfast)
-		 > Fix Docked build on non-x64 architectures (credit jtesta)
+		 > Fix Docker build on non-x64 architectures (credit jtesta)
 
 Version: 2.1.2
 Date   : 14/11/2023

Makefile

@@ -138,12 +138,16 @@ uninstall:
 	rm -f $(DESTDIR)$(MAN1DIR)/sslscan.1
 
 .openssl.is.fresh: opensslpull
-	true
+	@true
+
 opensslpull:
+	upstream=`git ls-remote https://github.com/openssl/openssl | grep -Eo '(openssl-3\.0\.[0-9]+)' | sort -V | tail -n 1` ; \
 	if [ -d openssl -a -d openssl/.git ]; then \
-		cd ./openssl && git checkout `git ls-remote https://github.com/openssl/openssl | grep -Eo '(openssl-3\.0\.[0-9]+)' | sort --version-sort | tail -n 1` && git pull | grep -q "Already up to date." && [ -e ../.openssl.is.fresh ] || touch ../.openssl.is.fresh ; \
+		if [ "$$upstream" != "`cd ./openssl && git describe --exact-match --tags`" ]; then \
+			cd ./openssl && git fetch --depth 1 origin refs/tags/$$upstream:refs/tags/$$upstream && git checkout $$upstream && touch ../.openssl.is.fresh ; \
+		fi \
 	else \
-	git clone --depth 1 -b `git ls-remote https://github.com/openssl/openssl | grep -Eo '(openssl-3\.0\.[0-9]+)' | sort -V | tail -n 1` https://github.com/openssl/openssl ./openssl && cd ./openssl && touch ../.openssl.is.fresh ; \
+		git clone --depth 1 -b $$upstream https://github.com/openssl/openssl ./openssl && cd ./openssl && touch ../.openssl.is.fresh ; \
 	fi
 
 openssl/Makefile: .openssl.is.fresh

README.md

@@ -78,19 +78,23 @@ Key changes are as follows:
 
 It is possible to ignore the OpenSSL system installation and ship your own version. Although this results in a more resource-heavy `sslscan` binary (file size, memory consumption, etc.), this allows some additional checks such as TLS compression.
 
-To compile your own OpenSSL version, you'll probably need to install the OpenSSL build dependencies. The commands below can be used to do this on Debian.  If you don't have them already, you will need to enable the `deb-src` repos in your apt config. sslscan was primarily developed on Debian, so if you are
-compiling on other distributions your mileage may vary.
+To compile your own OpenSSL version, you'll probably need to install the OpenSSL build dependencies. The commands below can be used to do this on Debian.
 
-    apt-get install build-essential git zlib1g-dev
-    apt-get build-dep openssl
+    apt install git zlib1g-dev make gcc
 
 Then run
 
     make static
 
 This will clone the [OpenSSL repository](https://github.com/openssl/openssl), and configure/compile/test OpenSSL prior to compiling `sslscan`.
 
-**Please note:** Out of the box, OpenSSL cannot compiled with `clang` without further customization (which is not done by the provided `Makefile`). For more information on this, see [Modifying Build Settings](http://wiki.openssl.org/index.php/Compilation_and_Installation#Modifying_Build_Settings) in the OpenSSL wiki.
+**Please note:** By default, OpenSSL is compiled with `gcc` without further customization. To compile with `clang`, install build dependencies using the commands below.
+
+    apt install git zlib1g-dev make clang
+
+Then run
+
+    make static CC=clang
 
 You can verify whether you have a statically linked OpenSSL version, by checking whether the version listed by `sslscan --version` has the `-static` suffix.
 

missing_ciphersuites.h

@@ -20,7 +20,7 @@ struct missing_ciphersuite {
 };
 
 
-/* Auto-generated by ./iana_tls_ciphersuite_parser.py on December 10, 2019. */
+/* Auto-generated by iana_tls_ciphersuite_parser.py on November 10, 2024. */
 struct missing_ciphersuite missing_ciphersuites[] = {
   {0x0000, "TLS_NULL_WITH_NULL_NULL", -1, VALL, 0},
   {0x0001, "TLS_RSA_WITH_NULL_MD5", -1, VALL, 0},
@@ -171,6 +171,8 @@ struct missing_ciphersuite missing_ciphersuites[] = {
   {0x1303, "TLS_CHACHA20_POLY1305_SHA256", 256, VALL, 0},
   {0x1304, "TLS_AES_128_CCM_SHA256", 128, VALL, 0},
   {0x1305, "TLS_AES_128_CCM_8_SHA256", 128, VALL, 0},
+  {0x1306, "TLS_AEGIS_256_SHA512", 256, VALL, 0},
+  {0x1307, "TLS_AEGIS_128L_SHA256", 128, VALL, 0},
   {0xC001, "TLS_ECDH_ECDSA_WITH_NULL_SHA", -1, VALL, 0},
   {0xC002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", 128, VALL, 0},
   {0xC003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", 112, VALL, 0},
@@ -355,6 +357,10 @@ struct missing_ciphersuite missing_ciphersuites[] = {
   {0xC100, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC", 256, VALL, 0},
   {0xC101, "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC", 256, VALL, 0},
   {0xC102, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT", 256, VALL, 0},
+  {0xC103, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L", 256, VALL, 0},
+  {0xC104, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L", 256, VALL, 0},
+  {0xC105, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S", 256, VALL, 0},
+  {0xC106, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S", 256, VALL, 0},
   {0xCCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", 256, VALL, 0},
   {0xCCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", 256, VALL, 0},
   {0xCCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", 256, VALL, 0},

sslscan.c

@@ -1720,6 +1720,14 @@ void outputCipher(struct sslCheckOptions *options, SSL *ssl, const char *cleanSs
     } else
       printf("%s  ", cleanSslMethod);
 
+    // Short authentication tag length
+    // These are flagged as 64 bit strength in newer versions of OpenSSL
+    // But in older versions they'll still show as 256 bits, so override that here
+    // See https://github.com/openssl/openssl/pull/16652
+    if (strstr(ciphername, "CCM8")) {
+        cipherbits = 64;
+    }
+
     if (cipherbits < 10)
       tempInt = 2;
     else if (cipherbits < 100)
@@ -1778,6 +1786,18 @@ void outputCipher(struct sslCheckOptions *options, SSL *ssl, const char *cleanSs
             printf("%s%-29s%s", COL_YELLOW, ciphername, RESET);
         }
         strength = "medium";
+    } else if (strstr(ciphername, "CCM8")) {
+        // Short authentication tag length
+        // These are flagged as 64 bit strength in newer versions of OpenSSL
+        // But in older versions they'll still show as 256 bits, so manually flag them here
+        // See https://github.com/openssl/openssl/pull/16652
+        if (options->ianaNames) {
+            printf("%s%-45s%s", COL_YELLOW, ciphername, RESET);
+        }
+        else {
+            printf("%s%-29s%s", COL_YELLOW, ciphername, RESET);
+        }
+        strength = "medium";
     } else if (strstr(ciphername, "_SM4_")) { /* Developed by Chinese government */
         if (options->ianaNames) {
             printf("%s%-45s%s", COL_YELLOW, ciphername, RESET);

tools/iana_tls_ciphersuite_parser.py

@@ -16,7 +16,7 @@
 # <https://www.iana.org/assignments/tls-parameters/tls-parameters.xml>.
 if len(sys.argv) != 2:
     print("\nUsage: %s tls_ciphers.csv\n\nHint: copy the TLS table in CSV format from <https://www.iana.org/assignments/tls-parameters/tls-parameters.xml>.\n" % sys.argv[0])
-    exit(0)
+    exit()
 
 csv_file = sys.argv[1]
 
@@ -58,6 +58,12 @@
             bits = 128
         elif 'ARIA_256' in cipher_name:
             bits = 256
+        elif 'AEGIS_128' in cipher_name:
+            bits = 128
+        elif 'AEGIS_256' in cipher_name:
+            bits = 256
+        elif 'SEED' in cipher_name:
+            bits = 128
         elif '3DES' in cipher_name:
             bits = 112
         elif 'DES40' in cipher_name:
@@ -93,4 +99,3 @@
         print('  {%s, "%s", %d, VALL, 0},' % (parsed_id, cipher_name, bits))
 
 print("};")
-exit 0