From 99a06e0d5faf72767a01545528895d110ac14d94 Mon Sep 17 00:00:00 2001
From: Juan Jose Nicola
Date: Mon, 20 Jul 2020 14:31:52 +0200
Subject: [PATCH] Add scanner-only option to enable tls debugging.

---
 CHANGELOG.md | 3 +++
 doc/openvas.8.in | 11 +++++++++++
 src/openvas.c | 17 +++++++++++++++++
 src/utils.c | 3 ++-
 4 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 34dd837bb..a0af2a905 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ## [unreleased]
+### Added
+- Add scanner-only option to enable tls debugging. [#558](https://github.com/greenbone/openvas/pull/558)
+
 ### Changed -Store results in main_kb instead of host_kb. [#550](https://github.com/greenbone/openvas/pull/550)
diff --git a/doc/openvas.8.in b/doc/openvas.8.in
index ed8d43503..b696fd1c6 100644
--- a/doc/openvas.8.in
+++ b/doc/openvas.8.in
@@ -76,6 +76,17 @@ so you need to find a balance between these two options. Note that launching too
 .IP log_whole_attack
 If this option is set to 'yes', openvas will store the name, pid, date and target of each plugin launched. This is helpful for monitoring and debugging purpose, however this option might make openvas fill your disk rather quickly.
+.IP debug_tls
+This is an scanner-only option which allows you to set the TLS log level.
+The level is an integer between 0 and 9. Higher values mean more verbosity and
+might make openvas fill your disk rather quickly.
+The default value is 0 (disabled).
+
+Larger values should only be used with care, since they may reveal sensitive
+information in the scanner logs.
+
+Use a debug level over 10 to enable all debugging options.
+
 .IP log_plugins_name_at_load
 If this option is set to 'yes', openvas will log the name of each plugin being loaded at startup, or each time it receives the HUP signal.
diff --git a/src/openvas.c b/src/openvas.c
index 52a0a7121..1b7d59f10 100644
--- a/src/openvas.c
+++ b/src/openvas.c
@@ -45,6 +45,7 @@
 #include /* for open() */
 #include /* for gcry_control */
 #include
+#include /* for gnutls_global_set_log_* */
 #include
 #include /* for setup_log_handler, load_log_configuration, free_log_configuration*/
 #include /* for prefs_get() */
@@ -127,8 +128,15 @@ static openvas_option openvas_defaults[] = {
   {"db_address", KB_PATH_DEFAULT},
   {"vendor_version", "\0"},
   {"test_alive_hosts_only", "no"},
+  {"debug_tls", "0"},
   {NULL, NULL}};
 
+static void
+my_gnutls_log_func (int level, const char *text)
+{
+  g_message ("(%d) %s", level, text);
+}
+
 static void
 set_globals_from_preferences (void)
 {
@@ -363,6 +371,15 @@ start_single_task_scan (void)
   g_message ("Could not initialize openvas SSL!");
 #endif
 
+  if (prefs_get ("debug_tls") != NULL && atoi (prefs_get ("debug_tls")) > 0)
+    {
+      g_warning ("TLS debug is enabled and should only be used with care, "
+                 "since it may reveal sensitive information in the scanner "
+                 "logs and might make openvas fill your disk rather quickly.");
+      gnutls_global_set_log_function (my_gnutls_log_func);
+      gnutls_global_set_log_level (atoi (prefs_get ("debug_tls")));
+    }
+
 #ifdef OPENVAS_GIT_REVISION
   g_message ("openvas %s (GIT revision %s) started", OPENVAS_VERSION,
              OPENVAS_GIT_REVISION);
diff --git a/src/utils.c b/src/utils.c
index a20a4f027..622694674 100644
--- a/src/utils.c
+++ b/src/utils.c
@@ -255,7 +255,8 @@ is_scanner_only_pref (const char *pref)
       || !strcmp (pref, "log_whole_attack")
       || !strcmp (pref, "log_plugins_name_at_load")
       || !strcmp (pref, "nasl_no_signature_check")
-      || !strcmp (pref, "vendor_version")
+      || !strcmp (pref, "vendor_version") || !strcmp (pref, "drop_privileges")
+      || !strcmp (pref, "debug_tls")
       /* Preferences starting with sys_ are scanner-side only. */
       || !strncmp (pref, "sys_", 4))
     return 1;
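Review bot: `my_gnutls_log_func` has no comment saying that it is the gnutls logging callback and that `text` is forwarded verbatim into the scanner log at g_message level, which is exactly why the warning in the later hunk about sensitive information exists; a header such as `/* gnutls log callback, installed only when debug_tls > 0; forwards TLS-internal messages verbatim to the scanner log, so they may contain sensitive data. */` would make that visible at the definition. Separately, gnutls log messages conventionally end with a newline and g_message appends its own, so the output is likely double-spaced; if that shows up in practice, trim the trailing `'\n'` with a length check and `%.*s` before passing `text` on. The `"0"` default added to `openvas_defaults` keeps the feature off unless the scanner configuration sets it, which is the right default for a log that can leak handshake details.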
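Review bot: The `debug_tls` value is parsed with `atoi` and handed straight to `gnutls_global_set_log_level` with no range or syntax check, so a typo silently becomes "disabled" and an arbitrarily large number becomes an unbounded verbosity level, while the man page added in this same commit first says the level is "between 0 and 9" and then tells the user to go "over 10" for everything. Parse once with `strtol`, warn on non-numeric or negative input, and decide explicitly whether values above 9 are clamped or passed through so the code and the manual agree. The preference is also fetched twice and converted twice; a local removes the repetition and makes the condition readable. `start_single_task_scan` begins before this hunk, so the relative order to SSL initialisation is only visible via the `#endif` above; the sketch below assumes `<errno.h>` is already included in openvas.c (the include block in the first hunk lost its header names in extraction).
```c
  /* … unchanged: SSL initialisation and #endif above … */
  const char *debug_tls = prefs_get ("debug_tls");
  if (debug_tls != NULL)
    {
      char *end = NULL;
      errno = 0;
      long level = strtol (debug_tls, &end, 10);
      if (end == debug_tls || *end != '\0' || errno == ERANGE || level < 0)
        g_warning ("Ignoring invalid debug_tls value '%s'", debug_tls);
      else if (level > 0)
        {
          g_warning ("TLS debug is enabled and should only be used with care, "
                     "since it may reveal sensitive information in the scanner "
                     "logs and might make openvas fill your disk rather quickly.");
          gnutls_global_set_log_function (my_gnutls_log_func);
          gnutls_global_set_log_level ((int) level);
        }
    }
  /* … unchanged: startup g_message … */
```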
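Review bot: The rewritten `vendor_version` line also adds `"drop_privileges"` to the scanner-only list, which neither the commit title nor the CHANGELOG entry mentions; as far as the hunk shows that is a second behavioural change (a client-supplied `drop_privileges` preference would now be treated as scanner-side only) riding on a TLS-debugging commit, unless `drop_privileges` already appears elsewhere in the expression outside the hunk. Either split it out with its own CHANGELOG line or state it in the description, since it is the kind of hardening people later search the history for. Stylistically, every other entry in this chain sits on its own line, so `|| !strcmp (pref, "vendor_version")` / `|| !strcmp (pref, "drop_privileges")` / `|| !strcmp (pref, "debug_tls")` one per line keeps the list greppable and the diff honest. `is_scanner_only_pref` starts before this hunk.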