Add: Add nasl functions for checking ssl/tls secure renegotiation and performing re-handshake. (#889)
(cherry picked from commit 641ab33)

# Conflicts:
#	CHANGELOG.md
jjnicola authored and mergify-bot committed Oct 25, 2021
1 parent ba4a149 commit df77d02
Showing 6 changed files with 213 additions and 2 deletions.
35 changes: 35 additions & 0 deletions CHANGELOG.md
Expand Up @@ -7,12 +7,47 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
## [21.4.3] - Unreleased - 2021-10-11
### Added
- Add nasl function sftp_enabled_check() to check if sftp subsystem is enabled in the target.
<<<<<<< HEAD
- Backport [#853](https://github.com/greenbone/openvas/pull/853)
- Backport [#862](https://github.com/greenbone/openvas/pull/862)
- Add `find_all` to eregmatch() nasl function [#875](https://github.com/greenbone/openvas/pull/875)
- Fix Segmentation fault when freeing hosts and alive hosts [#888](https://github.com/greenbone/openvas/pull/888)

### Changed
=======
- [#853](https://github.com/greenbone/openvas/pull/853)
- [#862](https://github.com/greenbone/openvas/pull/862)
- Add `find_all` to eregmatch() nasl function. Backport PR #875. [#876](https://github.com/greenbone/openvas/pull/876)
- Add nasl functions for checking ssl/tls secure renegotiation and performing re-handshake. [#889](https://github.com/greenbone/openvas/pull/889)

### Changed
- function script_bugtraq_id getting skipped, linter warns. [#724](https://github.com/greenbone/openvas/pull/724)
- Refactor dead host status sending. [#807](https://github.com/greenbone/openvas/pull/807)
- Refactor openvas.c.
[#810](https://github.com/greenbone/openvas/pull/810)
[#811](https://github.com/greenbone/openvas/pull/811)
- Handle script timeout as script preference with ID 0 [#844](https://github.com/greenbone/gvm-libs/pull/844)

### Fixed
- Use fchmod to change file permission instead of on open to prevent race conditions [854](https://github.com/greenbone/openvas-scanner/pull/854)
- Several minor potential security risks in different files, spotted by Code QL [854](https://github.com/greenbone/openvas-scanner/pull/854)
- Fix plugins upload. Backport #878 [#880](https://github.com/greenbone/openvas/pull/880)
- Fix Error Message when NVTI chache init failed. Backport #885 [#887](https://github.com/greenbone/openvas/pull/887)
- Fix Segmentation fault when freeing hosts and alive hosts [#888](https://github.com/greenbone/openvas/pull/888)

### Removed
- Remove handling of source_iface related preferences. [#730](https://github.com/greenbone/openvas/pull/730)

[21.10]: https://github.com/greenbone/openvas-scanner/compare/stable...main

## [21.4.3] (unreleased)
### Added
- Add nasl function sftp_enabled_check() to check if sftp subsystem is enabled in the target.
- [#853](https://github.com/greenbone/openvas/pull/853)
- [#862](https://github.com/greenbone/openvas/pull/862)

### Changed
>>>>>>> 641ab331 (Add: Add nasl functions for checking ssl/tls secure renegotiation and performing re-handshake. (#889))
- Changed defaults for installation locations [#826](https://github.com/greenbone/openvas-scanner/pull/826)
- SYSCONFDIR is /etc by default now
- LOCALSTATEDIR is /var by default now
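Review bot: The cherry-pick conflict in CHANGELOG.md was committed unresolved: the `<<<<<<< HEAD`, `=======` and `>>>>>>> 641ab331` markers are now part of the file, and the text between them carries both sides, including a second `## [21.4.3] (unreleased)` heading, the `[21.10]` compare link and the #888 entry listed twice. Resolve it by keeping one 21.4.3 section, adding the #889 line under its `### Added`, and deleting the markers together with the duplicated entries from the other side.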
105 changes: 103 additions & 2 deletions misc/network.c
Expand Up @@ -643,7 +643,107 @@ open_SSL_connection (openvas_connection *fp, const char *cert, const char *key,
gnutls_strerror (err));
return -1;
}
FD_ZERO (&fdr);
FD_SET (fp->fd, &fdr);
FD_ZERO (&fdw);
FD_SET (fp->fd, &fdw);

do
{
d = tictac + fp->timeout - time (NULL);
if (d <= 0)
{
fp->last_err = ETIMEDOUT;
return -1;
}
to.tv_sec = d;
to.tv_usec = 0;
errno = 0;
if ((ret = select (fp->fd + 1, &fdr, &fdw, NULL, &to)) <= 0)
pid_perror ("select");
}
while (ret < 0 && errno == EINTR);

if (ret <= 0)
{
fp->last_err = ETIMEDOUT;
return -1;
}
}
}

/**
* @brief Check if Secure Renegotiation is supported in the server side.
*
* @param[in] fd Socket file descriptor.
*
* @return 1 if supported, 0 if not supported and less than 0 on error.
**/
int
socket_ssl_safe_renegotiation_status (int fd)
{
openvas_connection *fp;

if (!fd_is_stream (fd))
{
g_message ("%s: Socket %d is not stream", __func__, fd);
return -1;
}
fp = OVAS_CONNECTION_FROM_FD (fd);

return gnutls_safe_renegotiation_status (fp->tls_session);
}

/** @brief Do a re-handshake of the TLS/SSL protocol.
*
* @param[in] fd Socket file descriptor.
*
* @return 1 on success, less than 0 on failure or error.
*/
int
socket_ssl_do_handshake (int fd)
{
int err, d, ret;
openvas_connection *fp;
time_t tictac;
fd_set fdw, fdr;
struct timeval to;

if (!fd_is_stream (fd))
{
g_message ("%s: Socket %d is not stream", __func__, fd);
return -1;
}
fp = OVAS_CONNECTION_FROM_FD (fd);

tictac = time (NULL);

for (;;)
{
err = gnutls_handshake (fp->tls_session);

if (err == 0)
{
g_debug ("no error during handshake");
return 1;
}
if (err != GNUTLS_E_INTERRUPTED && err != GNUTLS_E_AGAIN
&& err != GNUTLS_E_WARNING_ALERT_RECEIVED)
{
g_debug ("[%d] %s: %s", getpid (), __func__, gnutls_strerror (err));
return -1;
}
else if (err == GNUTLS_E_WARNING_ALERT_RECEIVED)
{
int last_alert;

last_alert = gnutls_alert_get (fp->tls_session);
g_debug ("[%d] %s: %s", getpid (), __func__, gnutls_strerror (err));

g_debug ("* Received alert '%d': %s.\n", last_alert,
gnutls_alert_get_name (last_alert));
return err;
}
FD_ZERO (&fdr);
FD_SET (fp->fd, &fdr);
FD_ZERO (&fdw);
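Review bot: Both new functions check only `fd_is_stream (fd)` before using `fp->tls_session`, so in `socket_ssl_safe_renegotiation_status` and `socket_ssl_do_handshake` a stream socket that was never upgraded to SSL/TLS has its `tls_session` passed straight to `gnutls_safe_renegotiation_status` and `gnutls_handshake`. Add a check that the connection actually holds a TLS session and return -1 with a message when it does not. The return contracts also need tightening: the status function documents "less than 0 on error" but passes the GnuTLS value through unchanged after the stream check, and the handshake function returns the raw GnuTLS code for a warning alert but -1 for every other failure, which the `@return` line should spell out. The wait loop that follows repeats the one in `open_SSL_connection` and would be better shared through a helper.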
Expand All @@ -655,6 +755,7 @@ open_SSL_connection (openvas_connection *fp, const char *cert, const char *key,
if (d <= 0)
{
fp->last_err = ETIMEDOUT;
g_debug ("%s: time out", __func__);
return -1;
}
to.tv_sec = d;
Expand All @@ -668,13 +769,13 @@ open_SSL_connection (openvas_connection *fp, const char *cert, const char *key,
if (ret <= 0)
{
fp->last_err = ETIMEDOUT;
g_debug ("%s: time out", __func__);
return -1;
}
}
}

/*
* @brief Upgrade an ENCAPS_IP socket to an SSL/TLS encapsulated one.
/** @brief Upgrade an ENCAPS_IP socket to an SSL/TLS encapsulated one.
*
* @param[in] fd Socket file descriptor.
* @param[in] transport Encapsulation type.
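Review bot: The `g_debug ("%s: time out", __func__)` added under `if (ret <= 0)` is worded the same as the one added in the `d <= 0` branch, so the log cannot tell which path returned, and `ret <= 0` is also reached when `select` failed rather than timed out. Use distinct messages for the two branches, and in the `ret <= 0` case log the errno when `ret` is negative instead of calling it a timeout.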
5 changes: 5 additions & 0 deletions misc/network.h
Expand Up @@ -159,6 +159,11 @@ fd_is_stream (int);
int
stream_set_timeout (int, int);

int
socket_ssl_safe_renegotiation_status (int);
int
socket_ssl_do_handshake (int);

int
socket_negotiate_ssl (int, openvas_encaps_t, struct script_infos *);

3 changes: 3 additions & 0 deletions nasl/nasl_init.c
Expand Up @@ -107,6 +107,9 @@ static init_func libfuncs[] = {
{"recv_line", nasl_recv_line},
{"send", nasl_send},
{"socket_negotiate_ssl", nasl_socket_negotiate_ssl},
{"socket_check_ssl_safe_renegotiation",
nasl_socket_check_ssl_safe_renegotiation},
{"socket_ssl_do_handshake", nasl_socket_ssl_do_handshake},
{"socket_get_cert", nasl_socket_get_cert},
{"socket_get_ssl_version", nasl_socket_get_ssl_version},
{"socket_get_ssl_ciphersuite", nasl_socket_get_ssl_ciphersuite},
61 changes: 61 additions & 0 deletions nasl/nasl_socket.c
Expand Up @@ -619,6 +619,67 @@ nasl_socket_negotiate_ssl (lex_ctxt *lexic)
return retc;
}

/**
* @brief Check if Secure Renegotiation is supported in the server side.
* @naslfn{socket_check_ssl_safe_renegotiation}
*
* @naslnparam
*
* - @a socket An already stablished ssl/tls session.
*
* @naslret An 1 if supported, 0 otherwise. Null or -1 on error.
*
**/
tree_cell *
nasl_socket_check_ssl_safe_renegotiation (lex_ctxt *lexic)
{
int soc, ret;
tree_cell *retc;
soc = get_int_var_by_name (lexic, "socket", -1);
if (soc < 0)
{
nasl_perror (lexic, "socket_get_cert: Erroneous socket value %d\n", soc);
return NULL;
}
ret = socket_ssl_safe_renegotiation_status (soc);

retc = alloc_typed_cell (CONST_INT);
retc->x.i_val = ret;
return retc;
}

/**
* @brief Do a re-handshake of the TLS/SSL protocol.
*
* @naslfn{socket_ssl_do_handshake}
*
* @naslnparam
*
* - @a socket An already stablished TLS/SSL session.
*
* @naslret An 1 on success, less than 0 on handshake error.
* Null on nasl error.
*
* @param[in] lexic Lexical context of NASL interpreter.
**/
tree_cell *
nasl_socket_ssl_do_handshake (lex_ctxt *lexic)
{
int soc, ret;
tree_cell *retc;
soc = get_int_var_by_name (lexic, "socket", -1);
if (soc < 0)
{
nasl_perror (lexic, "socket_get_cert: Erroneous socket value %d\n", soc);
return NULL;
}
ret = socket_ssl_do_handshake (soc);

retc = alloc_typed_cell (CONST_INT);
retc->x.i_val = ret;
return retc;
}

tree_cell *
nasl_socket_get_cert (lex_ctxt *lexic)
{
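Review bot: Both new wrappers report a bad socket as `socket_get_cert: Erroneous socket value %d`, a message copied from another function; in `nasl_socket_check_ssl_safe_renegotiation` and `nasl_socket_ssl_do_handshake` the `nasl_perror` text should name the NASL function the script actually called, otherwise the error points a plugin author at the wrong call. The doc comments need a pass as well: "stablished" should be "established", "An 1" should be "1", and the first block is missing the `@param[in] lexic` line that the second one has.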
6 changes: 6 additions & 0 deletions nasl/nasl_socket.h
Expand Up @@ -46,6 +46,12 @@ tree_cell *
nasl_send (lex_ctxt *);
tree_cell *
nasl_socket_negotiate_ssl (lex_ctxt *);

tree_cell *
nasl_socket_check_ssl_safe_renegotiation (lex_ctxt *);
tree_cell *
nasl_socket_ssl_do_handshake (lex_ctxt *);

tree_cell *
nasl_recv (lex_ctxt *);
tree_cell *