From 870ad92214da0c75a9a0362c8a41a2c84918ef63 Mon Sep 17 00:00:00 2001 From: tinyboxvk <13696594+tinyboxvk@users.noreply.github.com> Date: Sat, 9 Nov 2024 14:54:25 +0000 Subject: [PATCH 1/9] Update ci.yml --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bf434e7..46d1ec9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -10,7 +10,7 @@ jobs: matrix: cc: [clang, gcc] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - name: build with ${{ matrix.cc }} run: | make sslscan @@ -20,7 +20,7 @@ jobs: build_mingw: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - name: install mingw-w64 run: | sudo apt-get update -qq From 2615db4a34ea58627748487e4e1e7413a9bc2744 Mon Sep 17 00:00:00 2001 From: tinyboxvk <13696594+tinyboxvk@users.noreply.github.com> Date: Sun, 10 Nov 2024 15:52:51 +0000 Subject: [PATCH 2/9] Update iana_tls_ciphersuite_parser.py --- tools/iana_tls_ciphersuite_parser.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tools/iana_tls_ciphersuite_parser.py b/tools/iana_tls_ciphersuite_parser.py index be06258..bc016fa 100755 --- a/tools/iana_tls_ciphersuite_parser.py +++ b/tools/iana_tls_ciphersuite_parser.py @@ -58,6 +58,12 @@ bits = 128 elif 'ARIA_256' in cipher_name: bits = 256 + elif 'AEGIS_128' in cipher_name: + bits = 128 + elif 'AEGIS_256' in cipher_name: + bits = 256 + elif 'SEED' in cipher_name: + bits = 128 elif '3DES' in cipher_name: bits = 112 elif 'DES40' in cipher_name: From 51ede1ad1f3959586f1fe883df8adcbd3a6dd7b4 Mon Sep 17 00:00:00 2001 From: tinyboxvk <13696594+tinyboxvk@users.noreply.github.com> Date: Sun, 10 Nov 2024 15:54:34 +0000 Subject: [PATCH 3/9] Update iana_tls_ciphersuite_parser.py --- tools/iana_tls_ciphersuite_parser.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tools/iana_tls_ciphersuite_parser.py b/tools/iana_tls_ciphersuite_parser.py index bc016fa..5ff0d5f 100755 --- a/tools/iana_tls_ciphersuite_parser.py +++ b/tools/iana_tls_ciphersuite_parser.py @@ -16,7 +16,7 @@ # . if len(sys.argv) != 2: print("\nUsage: %s tls_ciphers.csv\n\nHint: copy the TLS table in CSV format from .\n" % sys.argv[0]) - exit(0) + exit() csv_file = sys.argv[1] @@ -99,4 +99,3 @@ print(' {%s, "%s", %d, VALL, 0},' % (parsed_id, cipher_name, bits)) print("};") -exit 0 From fd0fb145fbbb409d3aeda9c5fef0003354fc933f Mon Sep 17 00:00:00 2001 From: tinyboxvk <13696594+tinyboxvk@users.noreply.github.com> Date: Sun, 10 Nov 2024 15:56:20 +0000 Subject: [PATCH 4/9] Update missing_ciphersuites.h --- missing_ciphersuites.h | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/missing_ciphersuites.h b/missing_ciphersuites.h index 9914fa7..9dfdea7 100644 --- a/missing_ciphersuites.h +++ b/missing_ciphersuites.h @@ -20,7 +20,7 @@ struct missing_ciphersuite { }; -/* Auto-generated by ./iana_tls_ciphersuite_parser.py on December 10, 2019. */ +/* Auto-generated by iana_tls_ciphersuite_parser.py on November 10, 2024. */ struct missing_ciphersuite missing_ciphersuites[] = { {0x0000, "TLS_NULL_WITH_NULL_NULL", -1, VALL, 0}, {0x0001, "TLS_RSA_WITH_NULL_MD5", -1, VALL, 0}, @@ -171,6 +171,8 @@ struct missing_ciphersuite missing_ciphersuites[] = { {0x1303, "TLS_CHACHA20_POLY1305_SHA256", 256, VALL, 0}, {0x1304, "TLS_AES_128_CCM_SHA256", 128, VALL, 0}, {0x1305, "TLS_AES_128_CCM_8_SHA256", 128, VALL, 0}, + {0x1306, "TLS_AEGIS_256_SHA512", 256, VALL, 0}, + {0x1307, "TLS_AEGIS_128L_SHA256", 128, VALL, 0}, {0xC001, "TLS_ECDH_ECDSA_WITH_NULL_SHA", -1, VALL, 0}, {0xC002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", 128, VALL, 0}, {0xC003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", 112, VALL, 0}, @@ -355,6 +357,10 @@ struct missing_ciphersuite missing_ciphersuites[] = { {0xC100, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC", 256, VALL, 0}, {0xC101, "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC", 256, VALL, 0}, {0xC102, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT", 256, VALL, 0}, + {0xC103, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L", 256, VALL, 0}, + {0xC104, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L", 256, VALL, 0}, + {0xC105, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S", 256, VALL, 0}, + {0xC106, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S", 256, VALL, 0}, {0xCCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", 256, VALL, 0}, {0xCCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", 256, VALL, 0}, {0xCCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", 256, VALL, 0}, From bcedfbbbe8bc6b69a14fbaec45bde7b063ae1795 Mon Sep 17 00:00:00 2001 From: tinyboxvk <13696594+tinyboxvk@users.noreply.github.com> Date: Sun, 10 Nov 2024 18:44:36 +0000 Subject: [PATCH 5/9] Update README.md --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 2e2ec5b..a9071e8 100644 --- a/README.md +++ b/README.md @@ -78,11 +78,9 @@ Key changes are as follows: It is possible to ignore the OpenSSL system installation and ship your own version. Although this results in a more resource-heavy `sslscan` binary (file size, memory consumption, etc.), this allows some additional checks such as TLS compression. -To compile your own OpenSSL version, you'll probably need to install the OpenSSL build dependencies. The commands below can be used to do this on Debian. If you don't have them already, you will need to enable the `deb-src` repos in your apt config. sslscan was primarily developed on Debian, so if you are -compiling on other distributions your mileage may vary. +To compile your own OpenSSL version, you'll probably need to install the OpenSSL build dependencies. The commands below can be used to do this on Debian. - apt-get install build-essential git zlib1g-dev - apt-get build-dep openssl + apt install git zlib1g-dev make Then run @@ -90,7 +88,9 @@ Then run This will clone the [OpenSSL repository](https://github.com/openssl/openssl), and configure/compile/test OpenSSL prior to compiling `sslscan`. -**Please note:** Out of the box, OpenSSL cannot compiled with `clang` without further customization (which is not done by the provided `Makefile`). For more information on this, see [Modifying Build Settings](http://wiki.openssl.org/index.php/Compilation_and_Installation#Modifying_Build_Settings) in the OpenSSL wiki. +**Please note:** By default, OpenSSL is compiled with `gcc` without further customization. To compile with `clang`, run + + make static CC=clang You can verify whether you have a statically linked OpenSSL version, by checking whether the version listed by `sslscan --version` has the `-static` suffix. From 34b5a3f485f8e674a7ca882b13151703021d2672 Mon Sep 17 00:00:00 2001 From: tinyboxvk <13696594+tinyboxvk@users.noreply.github.com> Date: Sun, 10 Nov 2024 18:55:49 +0000 Subject: [PATCH 6/9] Update README.md --- README.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a9071e8..c04abf8 100644 --- a/README.md +++ b/README.md @@ -80,7 +80,7 @@ It is possible to ignore the OpenSSL system installation and ship your own versi To compile your own OpenSSL version, you'll probably need to install the OpenSSL build dependencies. The commands below can be used to do this on Debian. - apt install git zlib1g-dev make + apt install git zlib1g-dev make gcc Then run @@ -88,7 +88,11 @@ Then run This will clone the [OpenSSL repository](https://github.com/openssl/openssl), and configure/compile/test OpenSSL prior to compiling `sslscan`. -**Please note:** By default, OpenSSL is compiled with `gcc` without further customization. To compile with `clang`, run +**Please note:** By default, OpenSSL is compiled with `gcc` without further customization. To compile with `clang`, install build dependencies using the commands below. + + apt install git zlib1g-dev make clang + +Then run make static CC=clang From 4f2f9fa3d3d2e520cd8f1ffda6aab3b7bc0bbcaa Mon Sep 17 00:00:00 2001 From: rbsec Date: Mon, 2 Dec 2024 17:12:26 +0000 Subject: [PATCH 7/9] Mark CCM8 ciphers as weak and manually override their display bit strength --- Changelog | 16 +++++++++++++++- sslscan.c | 20 ++++++++++++++++++++ 2 files changed, 35 insertions(+), 1 deletion(-) diff --git a/Changelog b/Changelog index 9cea395..eb24a54 100644 --- a/Changelog +++ b/Changelog @@ -1,5 +1,19 @@ Changelog ========= +Version: 2.1.6 +Date : 02/12/2024 +Author : rbsec +Changes: The following are a list of changes + > Flag CCM8 ciphers as weak and manually override their displayed + bit strength to match newer versions of OpenSSL + See https://github.com/openssl/openssl/pull/16652 + +Version: 2.1.5 +Date : 21/09/2024 +Author : rbsec +Changes: The following are a list of changes + > Makefile improvements + Version: 2.1.4 Date : 16/06/2024 Author : rbsec @@ -11,7 +25,7 @@ Date : 21/01/2024 Author : rbsec Changes: The following are a list of changes > Enable quiet shutdown for scanning (credit jarnfast) - > Fix Docked build on non-x64 architectures (credit jtesta) + > Fix Docker build on non-x64 architectures (credit jtesta) Version: 2.1.2 Date : 14/11/2023 diff --git a/sslscan.c b/sslscan.c index 952ab60..f22991e 100644 --- a/sslscan.c +++ b/sslscan.c @@ -1720,6 +1720,14 @@ void outputCipher(struct sslCheckOptions *options, SSL *ssl, const char *cleanSs } else printf("%s ", cleanSslMethod); + // Short authentication tag length + // These are flagged as 64 bit strength in newer versions of OpenSSL + // But in older versions they'll still show as 256 bits, so override that here + // See https://github.com/openssl/openssl/pull/16652 + if (strstr(ciphername, "CCM8")) { + cipherbits = 64; + } + if (cipherbits < 10) tempInt = 2; else if (cipherbits < 100) @@ -1778,6 +1786,18 @@ void outputCipher(struct sslCheckOptions *options, SSL *ssl, const char *cleanSs printf("%s%-29s%s", COL_YELLOW, ciphername, RESET); } strength = "medium"; + } else if (strstr(ciphername, "CCM8")) { + // Short authentication tag length + // These are flagged as 64 bit strength in newer versions of OpenSSL + // But in older versions they'll still show as 256 bits, so manually flag them here + // See https://github.com/openssl/openssl/pull/16652 + if (options->ianaNames) { + printf("%s%-45s%s", COL_YELLOW, ciphername, RESET); + } + else { + printf("%s%-29s%s", COL_YELLOW, ciphername, RESET); + } + strength = "medium"; } else if (strstr(ciphername, "_SM4_")) { /* Developed by Chinese government */ if (options->ianaNames) { printf("%s%-45s%s", COL_YELLOW, ciphername, RESET); From ef96008c0c4c83c9bb1f377b24b436a3763cf26a Mon Sep 17 00:00:00 2001 From: Gordon Tetlow Date: Fri, 6 Dec 2024 17:25:42 -0800 Subject: [PATCH 8/9] Cleanup update logic for embedded openssl git tree. Due to the shallow clone, the existing openssl tree never updates as the tag we are attempting to move to does not exist in our tree causing the "git checkout" command to fail the pipeline. Instead, if the latest blessed version of the upstream (as defined by the regex we used to decide which openssl version we support) is different than our local tree, use "git fetch" to grab the new tag and then use "git checkout" to move our local tree to it. Tested on: Way too many trees of openssl in different states --- Makefile | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index faed6e2..e4b25ad 100644 --- a/Makefile +++ b/Makefile @@ -140,10 +140,13 @@ uninstall: .openssl.is.fresh: opensslpull true opensslpull: + upstream=`git ls-remote https://github.com/openssl/openssl | grep -Eo '(openssl-3\.0\.[0-9]+)' | sort -V | tail -n 1` ; \ if [ -d openssl -a -d openssl/.git ]; then \ - cd ./openssl && git checkout `git ls-remote https://github.com/openssl/openssl | grep -Eo '(openssl-3\.0\.[0-9]+)' | sort --version-sort | tail -n 1` && git pull | grep -q "Already up to date." && [ -e ../.openssl.is.fresh ] || touch ../.openssl.is.fresh ; \ + if [ "$$upstream" != "`cd ./openssl && git describe --exact-match --tags`" ]; then \ + cd ./openssl && git fetch --depth 1 origin refs/tags/$$upstream:refs/tags/$$upstream && git checkout $$upstream && touch ../.openssl.is.fresh ; \ + fi \ else \ - git clone --depth 1 -b `git ls-remote https://github.com/openssl/openssl | grep -Eo '(openssl-3\.0\.[0-9]+)' | sort -V | tail -n 1` https://github.com/openssl/openssl ./openssl && cd ./openssl && touch ../.openssl.is.fresh ; \ + git clone --depth 1 -b $$upstream https://github.com/openssl/openssl ./openssl && cd ./openssl && touch ../.openssl.is.fresh ; \ fi openssl/Makefile: .openssl.is.fresh From bcf271c4874781f21d4a0744dcc6866a1cd6fa00 Mon Sep 17 00:00:00 2001 From: Gordon Tetlow Date: Fri, 6 Dec 2024 17:31:47 -0800 Subject: [PATCH 9/9] Fix small whitespace nit and supress the empty target echo. --- Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index e4b25ad..47c73ad 100644 --- a/Makefile +++ b/Makefile @@ -138,7 +138,8 @@ uninstall: rm -f $(DESTDIR)$(MAN1DIR)/sslscan.1 .openssl.is.fresh: opensslpull - true + @true + opensslpull: upstream=`git ls-remote https://github.com/openssl/openssl | grep -Eo '(openssl-3\.0\.[0-9]+)' | sort -V | tail -n 1` ; \ if [ -d openssl -a -d openssl/.git ]; then \