Accepting request 554947 from home:weberho:branches:security

It would be great if someone could review that version which includes a statically linked openssl version to test for old features. Strangely the tests occasionally fails on OBS. OBS-URL: https://build.opensuse.org/request/show/554947 OBS-URL: https://build.opensuse.org/package/show/security/sslscan?expand=0&rev=10
2017-12-17 08:08:18 +00:00 · 2017-12-17 08:08:18 +00:00 · e3ad59bcf9
commit e3ad59bcf9
parent 469cc62911
6 changed files with 60 additions and 14 deletions
--- a/disable-git.patch
+++ b/disable-git.patch
@ -0,0 +1,17 @@
+diff -ur sslscan-1.11.10-rbsec-orig/Makefile sslscan-1.11.10-rbsec/Makefile
+--- sslscan-1.11.10-rbsec-orig/Makefile	2017-05-04 18:02:41.000000000 +0200
+++ sslscan-1.11.10-rbsec/Makefile	2017-12-04 09:26:13.579151107 +0100
+@@ -82,11 +82,7 @@
+ .openssl.is.fresh: opensslpull
+ 	true
+ opensslpull:
+-	if [ -d openssl -a -d openssl/.git ]; then \
+-		cd ./openssl && git checkout OpenSSL_1_0_2-stable && git pull | grep -q "Already up-to-date." && [ -e ../.openssl.is.fresh ] || touch ../.openssl.is.fresh ; \
+-	else \
+-		git clone --depth 1 -b OpenSSL_1_0_2-stable https://github.com/PeterMosmans/openssl ./openssl && cd ./openssl && touch ../.openssl.is.fresh ; \
+-	fi
+	true
+ 
+ # Need to build OpenSSL differently on OSX
+ ifeq ($(OS), Darwin)
+Only in sslscan-1.11.10-rbsec/: Makefile.orig
--- a/openssl-1.0.2-chacha.tar.gz
+++ b/openssl-1.0.2-chacha.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ad3d99ec091e403a3a7a678ddda38b392e3204515425827c53dc5baa92d61d67
+size 5521202
--- a/sslscan-1.11.10-rbsec.tar.gz
+++ b/sslscan-1.11.10-rbsec.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fbb26fdbf2cf5b2f3f8c88782721b7875f206552cf83201981411e0af9521204
+size 52108
--- a/sslscan-1.11.8-rbsec.tar.gz
+++ b/sslscan-1.11.8-rbsec.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1449f8bb45d323b322cb070a74d8dcc57b43ca2dba0560e7a16151efc8b3d911
-size 51583
--- a/sslscan.changes
+++ b/sslscan.changes
@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Mon Dec  4 09:11:21 UTC 2017 - jweberhofer@weberhofer.at
+
+- Build against Peter Mosmans' branch of OpenSSL
+  Newer openSSL version do no longer include old ciphers which are
+  required by the scanner to test for those.
+
+- Upgrade to version 1.11.10
+  * Support for ChaCha ciphers
+  * Add support for STARTTLS on mysql (--starttls-mysql)
+  * Display SNI information in XML output
+  * Fix some compiler warnings
+  * Mark SHA-1 certificates as weak
+
 -------------------------------------------------------------------
 Mon Nov 28 23:49:30 UTC 2016 - jweberhofer@weberhofer.at

--- a/sslscan.spec
+++ b/sslscan.spec
@ -1,7 +1,7 @@
 #
 # spec file for package sslscan
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -16,18 +16,25 @@
 #


+%define		OSSL_VERSION 1.0.2
 Name:           sslscan
-Version:        1.11.8
+Version:        1.11.10
 Release:        0
 Summary:        SSL cipher scanning tool
-License:        SUSE-GPL-3.0+-with-openssl-exception
+License:        SUSE-GPL-3.0+-with-openssl-exception AND OpenSSL
 Group:          Productivity/Networking/Diagnostic
-Url:            https://www.titania-security.com/labs/sslscan
+URL:            https://www.titania-security.com/labs/sslscan
 Source:         https://github.com/rbsec/sslscan/archive/%{version}-rbsec.tar.gz#/%{name}-%{version}-rbsec.tar.gz
+Source1:        https://github.com/PeterMosmans/openssl/archive/%{OSSL_VERSION}-chacha.tar.gz#/openssl-%{OSSL_VERSION}-chacha.tar.gz
+#Disable fetching openssl from git
+Patch1:         disable-git.patch
 #Patches copied from Debian package
-Patch1:         fedora-sslscan-patents.patch
-BuildRequires:  openssl-devel
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+Patch10:        fedora-sslscan-patents.patch
+BuildRequires:  bc
+BuildRequires:  ed
+BuildRequires:  makedepend
+BuildRequires:  pkgconfig
+BuildRequires:  zlib-devel

 %description
 SSLScan determines what ciphers are supported on SSL-based services,
@ -36,12 +43,18 @@ ciphers of the SSL service.

 %prep
 %setup -q -n %{name}-%{version}-rbsec
-%if %{defined fedora}
+tar -xzf %{SOURCE1}
+mv openssl-%{OSSL_VERSION}-chacha openssl
 %patch1 -p1
+%if %{defined fedora}
+%patch10 -p1
 %endif

 %build
-make CFLAGS="%{optflags}" %{?_smp_mflags}
+pushd openssl
+./config
+popd
+make %{?_smp_mflags} static

 %install
 install -d "%{buildroot}%{_bindir}"
@ -49,8 +62,7 @@ install -d "%{buildroot}%{_mandir}/man1"
 make install PREFIX="%{buildroot}%{_prefix}"

 %files
-%defattr(0644,root,root,0755)
-%doc LICENSE README.md
+%doc LICENSE README.md openssl/LICENSE
 %attr(0755,root,root) %{_bindir}/sslscan
 %{_mandir}/man1/sslscan.1%{ext_man}