rpms/nmap
5
0
Fork 0
Code Issues Pull Requests Releases Activity

import UBI nmap-7.92-3.el9

Browse Source
This commit is contained in:
eabdullin 2024-11-12 10:25:58 +00:00
parent 49bd60559d
commit d57f4c49e8
2 changed files with 51 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
SOURCES/nmap-ems-ssl-enum-ciphers.patch Normal file
View File

@ -0,0 +1,40 @@
commit fc5fc2a26877e241bf9f175832cc89f5ec1e6925
Author: Clemens Lang <cllang@redhat.com>
Date: Mon Oct 16 13:44:40 2023 +0200
Support EMS in ssl-enum-ciphers
The FIPS 140-3 Implementation Guidelines in section D.Q require
FIPS-certified cryptographic modules to use the RFC 7627 Extended Master
Secret for modules submitted after May 16th, 2023:
> [a] new validation, […] submitted more than one year after [May 2022]
> shall use the extended master secret in the TLS 1.2 KDF.
ssl-enum-ciphers was not sending this extension, causing some servers to
abort the handshake. This lead to no support for TLS 1.2 being reported,
even though support was available with the extended master secret. Add
the EMS extension to the set of base extensions that are always sent to
avoid this situation.
Servers that do not support EMS should just ignore this extension
silently.
Signed-off-by: Clemens Lang <cllang@redhat.com>
diff --git a/scripts/ssl-enum-ciphers.nse b/scripts/ssl-enum-ciphers.nse
index 881b6bdcb..bd441120c 100644
--- a/scripts/ssl-enum-ciphers.nse
+++ b/scripts/ssl-enum-ciphers.nse
@@ -528,6 +528,11 @@ local function base_extensions(host)
["ec_point_formats"] = tls.EXTENSION_HELPERS["ec_point_formats"]({"uncompressed"}),
-- Enable SNI if a server name is available
["server_name"] = tlsname and tls.EXTENSION_HELPERS["server_name"](tlsname),
+ -- Enable the Extended Master Secret extension, since FIPS 140-3 IG section
+ -- D.Q now requires it for servers in FIPS mode and some vendors may reject
+ -- handshakes without it. Not sending the extension would show those
+ -- servers as not supporting TLS 1.2 at all.
+ ["extended_master_secret"] = "",
}
end

14
SPECS/nmap.spec
View File

@ -7,7 +7,7 @@ Name: nmap
Epoch: 3 Epoch: 3
Version: 7.92 Version: 7.92
#global prerelease TEST5 #global prerelease TEST5
Release: 1%{?dist} Release: 3%{?dist}
Summary: Network exploration tool and security scanner Summary: Network exploration tool and security scanner
URL: http://nmap.org/ URL: http://nmap.org/
# Uses combination of licenses based on GPL license, but with extra modification # Uses combination of licenses based on GPL license, but with extra modification
@ -30,6 +30,8 @@ Patch3: ncat_reg_stdin.diff
Patch4: nmap-6.25-displayerror.patch Patch4: nmap-6.25-displayerror.patch
# https://github.com/nmap/nmap/pull/2247 # https://github.com/nmap/nmap/pull/2247
Patch5: nmap_resolve_config.patch Patch5: nmap_resolve_config.patch
# https://github.com/nmap/nmap/pull/2724
Patch6: nmap-ems-ssl-enum-ciphers.patch
BuildRequires: automake make BuildRequires: automake make
BuildRequires: autoconf BuildRequires: autoconf
@ -47,8 +49,8 @@ BuildRequires: zlib-devel
BuildRequires: gnupg2 BuildRequires: gnupg2
Requires: %{name}-ncat = %{epoch}:%{version}-%{release} Requires: %{name}-ncat = %{epoch}:%{version}-%{release}
Obsoletes: nmap-frontend Obsoletes: nmap-frontend < 7.70-1
Obsoletes: nmap-ndiff Obsoletes: nmap-ndiff < 7.70-1
%define pixmap_srcdir zenmap/share/pixmaps %define pixmap_srcdir zenmap/share/pixmaps
@ -152,6 +154,12 @@ fi
%{_mandir}/man1/ncat.1.gz %{_mandir}/man1/ncat.1.gz
%changelog %changelog
* Wed Jul 10 2024 František Hrdina <fhrdina@redhat.com> - 3:7.92-3
- Update fmf plans and gating
* Tue Jul 09 2024 Martin Osvald <mosvald@redhat.com> - 3:7.92-2
- Support EMS in ssl-enum-ciphers
* Tue Mar 21 2023 Martin Osvald <mosvald@redhat.com> - 3:7.92-1 * Tue Mar 21 2023 Martin Osvald <mosvald@redhat.com> - 3:7.92-1
- New version 7.92 - New version 7.92
- Resolves: #2180330 - Rebase nmap for TLS v1.3 support - Resolves: #2180330 - Rebase nmap for TLS v1.3 support