cipherscan: init at rev 18b0d1b (Dec 17, 2015)

CipherScan is a simple way to find out which SSL ciphersuites are
supported by a target.

It can take advantage of the extra features in Peter Mosmans' openssl
fork (which is also included in this commit).

pkgs/development/libraries/openssl/chacha.nix

@@ -0,0 +1,70 @@
+{ stdenv, fetchFromGitHub, perl, zlib
+, withCryptodev ? false, cryptodevHeaders
+}:
+
+with stdenv.lib;
+stdenv.mkDerivation rec {
+  name = "openssl-chacha-${version}";
+  version = "2016-01-27";
+
+  src = fetchFromGitHub {
+    owner = "PeterMosmans";
+    repo = "openssl";
+    rev = "4576ede5b08242bcd6749fc284c691ed177842b7";
+    sha256 = "1030rs4bdaysxbq0mmck1dn6g5adspzkwsrnhvv16b4ig0r4ncgj";
+  };
+
+  nativeBuildInputs = [ perl zlib ];
+  buildInputs = stdenv.lib.optional withCryptodev cryptodevHeaders;
+
+  configureScript = "./config";
+
+  configureFlags = [
+    "zlib"
+    "shared"
+    "experimental-jpake"
+    "enable-md2"
+    "enable-rc5"
+    "enable-rfc3779"
+    "enable-gost"
+    "--libdir=lib"
+    "--openssldir=etc/ssl"
+  ] ++ stdenv.lib.optionals withCryptodev [
+    "-DHAVE_CRYPTODEV"
+    "-DUSE_CRYPTODEV_DIGESTS"
+  ];
+
+  makeFlags = [
+    "MANDIR=$(out)/share/man"
+  ];
+
+  # Parallel building is broken in OpenSSL.
+  enableParallelBuilding = false;
+
+  postInstall = ''
+    # If we're building dynamic libraries, then don't install static
+    # libraries.
+    if [ -n "$(echo $out/lib/*.so $out/lib/*.dylib $out/lib/*.dll)" ]; then
+        rm "$out/lib/"*.a
+    fi
+
+    # remove dependency on Perl at runtime
+    rm -r $out/etc/ssl/misc $out/bin/c_rehash
+  '';
+
+  postFixup = ''
+    # Check to make sure we don't depend on perl
+    if grep -r '${perl}' $out; then
+      echo "Found an erroneous dependency on perl ^^^" >&2
+      exit 1
+    fi
+  '';
+
+  meta = {
+    homepage = http://www.openssl.org/;
+    description = "A cryptographic library that implements the SSL and TLS protocols";
+    platforms = [ "x86_64-linux" ];
+    maintainers = [ stdenv.lib.maintainers.cstrahan ];
+    priority = 10; # resolves collision with ‘man-pages’
+  };
+}

pkgs/tools/security/cipherscan/default.nix

@@ -0,0 +1,43 @@
+{ stdenv, lib, fetchFromGitHub, pkgconfig, openssl, makeWrapper, python, coreutils }:
+
+stdenv.mkDerivation rec {
+  name = "cipherscan-${version}";
+  version = "2015-12-17";
+  src = fetchFromGitHub {
+    owner = "jvehent";
+    repo = "cipherscan";
+    rev = "18b0d1b952d027d20e38f07329817873ec077d26";
+    sha256 = "0b6fkfm2y8w04am4krspmapcc5ngn603n5rlwyjly92z2dawc7h8";
+  };
+  buildInputs = [ makeWrapper python ];
+  patches = [ ./path.patch ];
+  buildPhase = ''
+    substituteInPlace cipherscan \
+      --replace "@OPENSSLBIN@" \
+                "${openssl}/bin/openssl" \
+      --replace "@TIMEOUTBIN@" \
+                "${coreutils}/bin/timeout" \
+      --replace "@READLINKBIN@" \
+                "${coreutils}/bin/readlink"
+
+    substituteInPlace analyze.py \
+      --replace "@OPENSSLBIN@" \
+                "${openssl}/bin/openssl"
+  '';
+  installPhase = ''
+    mkdir -p $out/bin
+
+    cp cipherscan $out/bin
+    cp openssl.cnf $out/bin
+    cp analyze.py $out/bin
+
+    wrapProgram $out/bin/analyze.py --set PYTHONPATH "$PYTHONPATH"
+  '';
+  meta = with lib; {
+    description = "Very simple way to find out which SSL ciphersuites are supported by a target";
+    homepage = "https://github.com/jvehent/cipherscan";
+    license = licenses.mpl;
+    platforms = platforms.all;
+    maintainers = with maintainers; [ cstrahan ];
+  };
+}

pkgs/tools/security/cipherscan/path.patch

@@ -0,0 +1,93 @@
+diff --git a/analyze.py b/analyze.py
+index bb62af8..e929253 100755
+--- a/analyze.py
++++ b/analyze.py
+@@ -418,13 +418,7 @@ def build_ciphers_lists(opensslbin):
+ 
+     # use system openssl if not on linux 64
+     if not opensslbin:
+-        if platform.system() == 'Linux' and platform.architecture()[0] == '64bit':
+-            opensslbin = mypath + '/openssl'
+-        elif platform.system() == 'Darwin' and platform.architecture()[0] == '64bit':
+-            opensslbin = mypath + '/openssl-darwin64'
+-        else:
+-            opensslbin='openssl'
+-            print("warning: analyze.py is using system's openssl, which may limit the tested ciphers and recommendations")
++        opensslbin = "@OPENSSLBIN@"
+ 
+     logging.debug('Loading all ciphers: ' + allC)
+     all_ciphers = subprocess.Popen([opensslbin, 'ciphers', allC],
+diff --git a/cipherscan b/cipherscan
+index 236b34f..a240d13 100755
+--- a/cipherscan
++++ b/cipherscan
+@@ -30,43 +30,12 @@ if [[ -n $NOAUTODETECT ]]; then
+ else
+     case "$(uname -s)" in
+         Darwin)
+-            opensslbin_name="openssl-darwin64"
+-
+-            READLINKBIN=$(which greadlink 2>/dev/null)
+-            if [[ -z $READLINKBIN ]]; then
+-                echo "greadlink not found. (try: brew install coreutils)" 1>&2
+-                exit 1
+-            fi
+-            TIMEOUTBIN=$(which gtimeout 2>/dev/null)
+-            if [[ -z $TIMEOUTBIN ]]; then
+-                echo "gtimeout not found. (try: brew install coreutils)" 1>&2
+-                exit 1
+-            fi
++            READLINKBIN="@READLINKBIN@"
++            TIMEOUTBIN="@TIMEOUTBIN@"
+             ;;
+         *)
+-            opensslbin_name="openssl"
+-
+-            # test that readlink or greadlink (darwin) are present
+-            READLINKBIN="$(which readlink)"
+-
+-            if [[ -z $READLINKBIN ]]; then
+-                READLINKBIN="$(which greadlink)"
+-                if [[ -z $READLINKBIN ]]; then
+-                    echo "neither readlink nor greadlink are present. install coreutils with {apt-get,yum,brew} install coreutils" 1>&2
+-                    exit 1
+-                fi
+-            fi
+-
+-            # test that timeout or gtimeout (darwin) are present
+-            TIMEOUTBIN="$(which timeout)"
+-
+-            if [[ -z $TIMEOUTBIN ]]; then
+-                TIMEOUTBIN="$(which gtimeout)"
+-                if [[ -z $TIMEOUTBIN ]]; then
+-                    echo "neither timeout nor gtimeout are present. install coreutils with {apt-get,yum,brew} install coreutils" 1>&2
+-                    exit 1
+-                fi
+-            fi
++            READLINKBIN="@READLINKBIN@"
++            TIMEOUTBIN="@TIMEOUTBIN@"
+ 
+             # Check for busybox, which has different arguments
+             TIMEOUTOUTPUT="$($TIMEOUTBIN --help 2>&1)"
+@@ -1944,20 +1913,7 @@ do
+ done
+ 
+ if [[ -z $OPENSSLBIN ]]; then
+-    readlink_result=$("$READLINKBIN" -f "$0")
+-    if [[ -z $readlink_result ]]; then
+-        echo "$READLINKBIN -f $0 failed, aborting." 1>&2
+-        exit 1
+-    fi
+-    REALPATH=$(dirname "$readlink_result")
+-    if [[ -z $REALPATH ]]; then
+-        echo "dirname $REALPATH failed, aborting." 1>&2
+-        exit 1
+-    fi
+-    OPENSSLBIN="${REALPATH}/${opensslbin_name}"
+-    if ! [[ -x "${OPENSSLBIN}" ]]; then
+-        OPENSSLBIN="$(which openssl)"  # fallback to generic openssl
+-    fi
++    OPENSSLBIN="@OPENSSLBIN@"
+ fi
+ # use custom config file to enable GOST ciphers
+ if [[ -e $DIRNAMEPATH/openssl.cnf ]]; then

pkgs/top-level/all-packages.nix

@@ -1079,6 +1079,12 @@ let
 
   chunksync = callPackage ../tools/backup/chunksync { };
 
+  cipherscan = callPackage ../tools/security/cipherscan {
+    openssl = if stdenv.system == "x86_64-linux"
+      then openssl-chacha
+      else openssl;
+  };
+
   cjdns = callPackage ../tools/networking/cjdns { };
 
   cksfv = callPackage ../tools/networking/cksfv { };
@@ -8130,6 +8136,13 @@ let
     };
   };
 
+  openssl-chacha = callPackage ../development/libraries/openssl/chacha.nix {
+    cryptodevHeaders = linuxPackages.cryptodev.override {
+      fetchurl = fetchurlBoot;
+      onlyHeaders = true;
+    };
+  };
+
   opensubdiv = callPackage ../development/libraries/opensubdiv { };
 
   openwsman = callPackage ../development/libraries/openwsman {};