Merge branch 'sslscan2'

Author: rbsec

.travis.yml

@@ -1,5 +1,5 @@
 sudo: required
-dist: trusty
+dist: bionic
 language: c
 
 before_install:
@@ -9,8 +9,6 @@ before_install:
 script:
   - make sslscan CC=clang
   - make sslscan CC=gcc
-  # OpenSSL can't be compiled out-of-the box with clang, see
-  # http://wiki.openssl.org/index.php/Compilation_and_Installation#Modifying_Build_Settings
-  #- make static CC=clang
+  - make static CC=clang
   - make static CC=gcc
   - make -f Makefile.mingw

Changelog

@@ -1,6 +1,18 @@
 Changelog
 =========
 
+Version: 2.0.0-alpha1
+Date   : 22/02/2020
+Author : rbsec <robin@rbsec.net>
+Changes: The following are a list of changes
+         > Major rewrite of backend scanning code.
+         > Support for additional cipher suites.
+         > Support for TLSv1.3
+         > Support for SSLv2 and SSLv3 protocol detection regardless of
+		 OpenSSL.
+         > Checks for server key exchange groups.
+         > Checks for server signature algorithms.
+
 Version: 1.11.13
 Date   : 24/03/2019
 Author : rbsec <robin@rbsec.net>

Makefile

@@ -28,7 +28,7 @@ BINDIR    = $(PREFIX)/bin
 MANDIR    = $(PREFIX)/share/man
 MAN1DIR   = $(MANDIR)/man1
 
-WARNINGS  = -Wall -Wformat=2 -Wformat-security
+WARNINGS  = -Wall -Wformat=2 -Wformat-security -Wno-deprecated-declarations
 DEFINES   = -DVERSION=\"$(GIT_VERSION)\"
 
 # for dynamic linking
@@ -49,10 +49,7 @@ CFLAGS  += -D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIE
 # Don't enable some hardening flags on OS X because it uses an old version of Clang
 ifneq ($(OS), Darwin)
 ifneq ($(OS), SunOS)
-# Cygwin's linker does not support -z option.
-ifneq ($(findstring CYGWIN,$(OS)),CYGWIN)
-	LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
-endif
+	LDFLAGS += -pie -z relro -z now
 endif
 endif
 
@@ -61,7 +58,7 @@ ifeq ($(STATIC_BUILD), TRUE)
 PWD          = $(shell pwd)/openssl
 LDFLAGS      += -L${PWD}/
 CFLAGS       += -I${PWD}/include/ -I${PWD}/
-LIBS         = -lssl -lcrypto -lz
+LIBS         = -lssl -lcrypto -lz -lpthread
 ifneq ($(OS), FreeBSD)
 	LIBS += -ldl
 endif
@@ -75,6 +72,14 @@ LDFLAGS   += -L/usr/local/lib -L/usr/local/ssl/lib -L/usr/local/opt/openssl/lib
 CFLAGS    += -I/usr/local/include -I/usr/local/ssl/include -I/usr/local/ssl/include/openssl -I/usr/local/opt/openssl/include -I/opt/local/include -I/opt/local/include/openssl
 endif
 
+# Find the number of processors on the system (used in -j option in building OpenSSL).
+# Uses /usr/bin/nproc if available, otherwise defaults to 1.
+NUM_PROCS = 1
+ifneq (,$(wildcard /usr/bin/nproc))
+	NUM_PROCS = `/usr/bin/nproc --all`
+endif
+
+
 .PHONY: all sslscan clean install uninstall static opensslpull
 
 all: sslscan
@@ -114,28 +119,31 @@ uninstall:
 	true
 opensslpull:
 	if [ -d openssl -a -d openssl/.git ]; then \
-		cd ./openssl && git checkout OpenSSL_1_0_2-stable && git pull | grep -q "Already up-to-date." && [ -e ../.openssl.is.fresh ] || touch ../.openssl.is.fresh ; \
+		cd ./openssl && git checkout OpenSSL_1_1_1-stable && git pull | grep -q "Already up-to-date." && [ -e ../.openssl.is.fresh ] || touch ../.openssl.is.fresh ; \
 	else \
-		git clone --depth 1 -b OpenSSL_1_0_2-stable https://github.com/PeterMosmans/openssl ./openssl && cd ./openssl && touch ../.openssl.is.fresh ; \
+		git clone --depth 1 -b OpenSSL_1_1_1-stable https://github.com/openssl/openssl ./openssl && cd ./openssl && touch ../.openssl.is.fresh ; \
 	fi
 
 # Need to build OpenSSL differently on OSX
 ifeq ($(OS), Darwin)
 openssl/Makefile: .openssl.is.fresh
-	cd ./openssl; ./Configure -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC enable-ssl2 enable-weak-ssl-ciphers zlib darwin64-x86_64-cc
+	cd ./openssl; ./Configure -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC enable-weak-ssl-ciphers zlib darwin64-x86_64-cc
 # Any other *NIX platform
 else
 openssl/Makefile: .openssl.is.fresh
-	cd ./openssl; ./config -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC no-shares enable-weak-ssl-ciphers enable-ssl2 zlib
+	cd ./openssl; ./config -v -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC no-shared enable-weak-ssl-ciphers zlib
 endif
 
 openssl/libcrypto.a: openssl/Makefile
-	$(MAKE) -C openssl depend
-	$(MAKE) -C openssl all
-	$(MAKE) -C openssl test
+	$(MAKE) -j $(NUM_PROCS) -C openssl depend
+	$(MAKE) -j $(NUM_PROCS) -C openssl all
+#	$(MAKE) -j $(NUM_PROCS) -C openssl test # Disabled because this takes 45+ minutes for OpenSSL v1.1.1.
 
 static: openssl/libcrypto.a
-	$(MAKE) sslscan STATIC_BUILD=TRUE
+	$(MAKE) -j $(NUM_PROCS) sslscan STATIC_BUILD=TRUE
+
+test:	static
+	./docker_test.sh
 
 clean:
 	if [ -d openssl ]; then ( rm -rf openssl ); fi;

Makefile.mingw

@@ -49,8 +49,8 @@ SECURITY_OPTIONS=-fstack-protector-all -D_FORTIFY_SOURCE=2 -Wformat -Wformat-sec
 # Turn on linker optimizations, and DEP support (--nxcompat)
 LINK_OPTIONS=-Wl,-O1 -Wl,--discard-all -Wl,--no-undefined -Wl,--dynamicbase -Wl,--nxcompat -static
 
-CFLAGS += -Iopenssl_mingw/include -D__USE_GNU
-LDFLAGS += -lws2_32 -lgdi32
+CFLAGS += -Iopenssl_mingw/include -D__USE_GNU -DOPENSSL_NO_SSL2 -Wno-deprecated-declarations
+LDFLAGS += -lws2_32 -lgdi32 -lcrypt32
 
 # Set the version string for the program.
 VERSION = "$(shell grep -E -o -m 1 "[0-9]+\.[0-9]+\.[0-9]+" Changelog) Windows $(ARCHITECTURE) (Mingw)"
@@ -71,9 +71,9 @@ zlibpull:
 
 opensslpull:
 	if [ -d openssl_mingw -a -d openssl_mingw/.git ]; then \
-		cd ./openssl_mingw && git checkout OpenSSL_1_0_2-stable && git pull | grep -q "Already up-to-date." && [ -e ../.openssl_mingw.is.fresh ] || touch ../.openssl_mingw.is.fresh ; \
+		cd ./openssl_mingw && git checkout OpenSSL_1_1_1-stable && git pull | grep -q "Already up-to-date." && [ -e ../.openssl_mingw.is.fresh ] || touch ../.openssl_mingw.is.fresh ; \
 	else \
-		git clone --depth 1 -b OpenSSL_1_0_2-stable https://github.com/PeterMosmans/openssl ./openssl_mingw && cd ./openssl_mingw && touch ../.openssl_mingw.is.fresh ; \
+		git clone --depth 1 -b OpenSSL_1_1_1-stable https://github.com/openssl/openssl ./openssl_mingw && cd ./openssl_mingw && touch ../.openssl_mingw.is.fresh ; \
 	fi
 
 zlib_mingw/libz.a: zlibpull

README.md

@@ -1,3 +1,25 @@
+# sslscan2
+
+An alpha build of sslscan 2 has been merged into master. If you want the old code,
+the tag [1.11.11-rbsec](https://github.com/rbsec/sslscan/tree/1.11.11-rbsec) was the last release in that branch.
+
+The main changes in sslscan2 is a major rewrite of the backend scanning code,
+which means that it is no longer reliant on the version of OpenSSL for many checks.
+This means that it is possible to support legacy protocols (SSLv2 and SSLv3), as well
+as supporting TLSv1.3 - regardless of the version of OpenSSL that it has been compiled against.
+
+This has been made possible largely by the work of [jtesta](https://github.com/jtesta), who has been
+responsible for most of the backend rewrite.
+
+Other key changes include:
+
+* Enumeration of server key exchange groups.
+* Enumeration of server signature algorithms.
+* SSLv2 and SSLv3 protocol support it scanned, but individual ciphers are not.
+* A test suite is included using Docker, to verify that sslscan is functionality correctly.
+
+There are likely to be bugs in this version, so please report any that you encounter.
+
 # README
 
 [![Build Status](https://travis-ci.org/rbsec/sslscan.svg?branch=master)](https://travis-ci.org/rbsec/sslscan)