import CS nmap-7.92-3.el9

eabdullin 2024-09-30 16:11:30 +00:00
parent 9b6e6fc513
commit a43039a6d3
2 changed files with 51 additions and 3 deletions


@ -0,0 +1,40 @@
commit fc5fc2a26877e241bf9f175832cc89f5ec1e6925
Author: Clemens Lang <cllang@redhat.com>
Date: Mon Oct 16 13:44:40 2023 +0200
Support EMS in ssl-enum-ciphers
The FIPS 140-3 Implementation Guidelines in section D.Q require
FIPS-certified cryptographic modules to use the RFC 7627 Extended Master
Secret for modules submitted after May 16th, 2023:
> [a] new validation, […] submitted more than one year after [May 2022]
> shall use the extended master secret in the TLS 1.2 KDF.
ssl-enum-ciphers was not sending this extension, causing some servers to
abort the handshake. This lead to no support for TLS 1.2 being reported,
even though support was available with the extended master secret. Add
the EMS extension to the set of base extensions that are always sent to
avoid this situation.
Servers that do not support EMS should just ignore this extension
silently.
Signed-off-by: Clemens Lang <cllang@redhat.com>
diff --git a/scripts/ssl-enum-ciphers.nse b/scripts/ssl-enum-ciphers.nse
index 881b6bdcb..bd441120c 100644
--- a/scripts/ssl-enum-ciphers.nse
+++ b/scripts/ssl-enum-ciphers.nse
@@ -528,6 +528,11 @@ local function base_extensions(host)
["ec_point_formats"] = tls.EXTENSION_HELPERS["ec_point_formats"]({"uncompressed"}),
-- Enable SNI if a server name is available
["server_name"] = tlsname and tls.EXTENSION_HELPERS["server_name"](tlsname),
+ -- Enable the Extended Master Secret extension, since FIPS 140-3 IG section
+ -- D.Q now requires it for servers in FIPS mode and some vendors may reject
+ -- handshakes without it. Not sending the extension would show those
+ -- servers as not supporting TLS 1.2 at all.
+ ["extended_master_secret"] = "",
}
end
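Review bot: Sending `extended_master_secret` unconditionally from base_extensions means the script can no longer tell a server that merely tolerates EMS from one that requires it, and nothing in the hunk records whether the server echoed the extension in its ServerHello — so a plain TLS 1.2 server with no EMS (the configuration RFC 7627 exists to fix) and a FIPS-mode server that mandates it now produce identical output. A follow-up could capture the ServerHello extension and surface it per protocol; failing that, the limitation deserves a comment next to the new entry, e.g. `-- NOTE: the script does not report whether the server negotiated EMS.` The empty-string value also relies on tls.EXTENSIONS in nselib/tls.lua already mapping the `extended_master_secret` code point (23); the upstream PR reference suggests it does, but that should be confirmed against the 7.92 tree this patch is applied to. base_extensions starts before the hunk.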


@ -7,7 +7,7 @@ Name: nmap
Epoch: 3
Version: 7.92
#global prerelease TEST5
Release: 1%{?dist}
Release: 3%{?dist}
Summary: Network exploration tool and security scanner
URL: http://nmap.org/
# Uses combination of licenses based on GPL license, but with extra modification
@ -30,6 +30,8 @@ Patch3: ncat_reg_stdin.diff
Patch4: nmap-6.25-displayerror.patch
# https://github.com/nmap/nmap/pull/2247
Patch5: nmap_resolve_config.patch
# https://github.com/nmap/nmap/pull/2724
Patch6: nmap-ems-ssl-enum-ciphers.patch
BuildRequires: automake make
BuildRequires: autoconf
@ -47,8 +49,8 @@ BuildRequires: zlib-devel
BuildRequires: gnupg2
Requires: %{name}-ncat = %{epoch}:%{version}-%{release}
Obsoletes: nmap-frontend
Obsoletes: nmap-ndiff
Obsoletes: nmap-frontend < 7.70-1
Obsoletes: nmap-ndiff < 7.70-1
%define pixmap_srcdir zenmap/share/pixmaps
@ -152,6 +154,12 @@ fi
%{_mandir}/man1/ncat.1.gz
%changelog
* Wed Jul 10 2024 František Hrdina <fhrdina@redhat.com> - 3:7.92-3
- Update fmf plans and gating
* Tue Jul 09 2024 Martin Osvald <mosvald@redhat.com> - 3:7.92-2
- Support EMS in ssl-enum-ciphers
* Tue Mar 21 2023 Martin Osvald <mosvald@redhat.com> - 3:7.92-1
- New version 7.92
- Resolves: #2180330 - Rebase nmap for TLS v1.3 support
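Review bot: `Patch6:` is declared in the Patch6 hunk, but the `%prep` section is outside this diff, so if the spec applies patches with individual `%patchN` lines rather than `%autosetup -p1`/`%autopatch`, a matching `%patch6 -p1 -b .ems` is also needed or the patch is silently never applied and the package ships without the fix. A quick check that the installed scripts/ssl-enum-ciphers.nse in the built rpm contains the `extended_master_secret` entry would settle it. Separately, the 3:7.92-3 changelog entry says "Update fmf plans and gating" while the diffstat lists only two changed files, so those fmf changes presumably live in another commit; if they are not part of this import the entry is misleading.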