import nmap-7.92-3.el9

5 months ago · 86c26177b3
parent 092f174021
commit 86c26177b3
2 changed files with 51 additions and 3 deletions
--- a/SOURCES/nmap-ems-ssl-enum-ciphers.patch
+++ b/SOURCES/nmap-ems-ssl-enum-ciphers.patch
@ -0,0 +1,40 @@
+commit fc5fc2a26877e241bf9f175832cc89f5ec1e6925
+Author: Clemens Lang <cllang@redhat.com>
+Date:   Mon Oct 16 13:44:40 2023 +0200
+
+    Support EMS in ssl-enum-ciphers
+    
+    The FIPS 140-3 Implementation Guidelines in section D.Q require
+    FIPS-certified cryptographic modules to use the RFC 7627 Extended Master
+    Secret for modules submitted after May 16th, 2023:
+    
+    > [a] new validation, […] submitted more than one year after [May 2022]
+    > shall use the extended master secret in the TLS 1.2 KDF.
+    
+    ssl-enum-ciphers was not sending this extension, causing some servers to
+    abort the handshake. This lead to no support for TLS 1.2 being reported,
+    even though support was available with the extended master secret. Add
+    the EMS extension to the set of base extensions that are always sent to
+    avoid this situation.
+    
+    Servers that do not support EMS should just ignore this extension
+    silently.
+    
+    Signed-off-by: Clemens Lang <cllang@redhat.com>
+
+diff --git a/scripts/ssl-enum-ciphers.nse b/scripts/ssl-enum-ciphers.nse
+index 881b6bdcb..bd441120c 100644
+--- a/scripts/ssl-enum-ciphers.nse
+++ b/scripts/ssl-enum-ciphers.nse
+@@ -528,6 +528,11 @@ local function base_extensions(host)
+     ["ec_point_formats"] = tls.EXTENSION_HELPERS["ec_point_formats"]({"uncompressed"}),
+     -- Enable SNI if a server name is available
+     ["server_name"] = tlsname and tls.EXTENSION_HELPERS["server_name"](tlsname),
+    -- Enable the Extended Master Secret extension, since FIPS 140-3 IG section
+    -- D.Q now requires it for servers in FIPS mode and some vendors may reject
+    -- handshakes without it. Not sending the extension would show those
+    -- servers as not supporting TLS 1.2 at all.
+    ["extended_master_secret"] = "",
+   }
+ end
+ 
--- a/SPECS/nmap.spec
+++ b/SPECS/nmap.spec
@ -7,7 +7,7 @@ Name: nmap
 Epoch: 3
 Version: 7.92
 #global prerelease TEST5
-Release: 1%{?dist}
+Release: 3%{?dist}
 Summary: Network exploration tool and security scanner
 URL: http://nmap.org/
 # Uses combination of licenses based on GPL license, but with extra modification
@ -30,6 +30,8 @@ Patch3: ncat_reg_stdin.diff
 Patch4: nmap-6.25-displayerror.patch
 # https://github.com/nmap/nmap/pull/2247
 Patch5: nmap_resolve_config.patch
+# https://github.com/nmap/nmap/pull/2724
+Patch6: nmap-ems-ssl-enum-ciphers.patch

 BuildRequires: automake make
 BuildRequires: autoconf
@ -47,8 +49,8 @@ BuildRequires: zlib-devel
 BuildRequires: gnupg2
 Requires: %{name}-ncat = %{epoch}:%{version}-%{release}

-Obsoletes: nmap-frontend
-Obsoletes: nmap-ndiff
+Obsoletes: nmap-frontend < 7.70-1
+Obsoletes: nmap-ndiff < 7.70-1

 %define pixmap_srcdir zenmap/share/pixmaps

@ -152,6 +154,12 @@ fi
 %{_mandir}/man1/ncat.1.gz

 %changelog
+* Wed Jul 10 2024 František Hrdina <fhrdina@redhat.com> - 3:7.92-3
+- Update fmf plans and gating
+
+* Tue Jul 09 2024 Martin Osvald <mosvald@redhat.com> - 3:7.92-2
+- Support EMS in ssl-enum-ciphers
+
 * Tue Mar 21 2023 Martin Osvald <mosvald@redhat.com> - 3:7.92-1
 - New version 7.92
 - Resolves: #2180330 - Rebase nmap for TLS v1.3 support