From df77d0241c7276a588fa3f3f45d5200a15c444b7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Juan=20Jos=C3=A9=20Nicola?= Date: Mon, 25 Oct 2021 04:05:03 -0300 Subject: [PATCH 1/2] Add: Add nasl functions for checking ssl/tls secure renegotiation and performing re-handshake. (#889) Add: Add nasl functions for checking ssl/tls secure renegotiation and performing re-handshake. (#889) (cherry picked from commit 641ab331b7e22b11e24c9fef0d2c3311af87b1af) # Conflicts: # CHANGELOG.md --- CHANGELOG.md | 35 +++++++++++++++ misc/network.c | 105 ++++++++++++++++++++++++++++++++++++++++++++- misc/network.h | 5 +++ nasl/nasl_init.c | 3 ++ nasl/nasl_socket.c | 61 ++++++++++++++++++++++++++ nasl/nasl_socket.h | 6 +++ 6 files changed, 213 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2e54304b7..6fafe89ed 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,12 +7,47 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ## [21.4.3] - Unreleased - 2021-10-11 ### Added - Add nasl function sftp_enabled_check() to check if sftp subsystem is enabled in the target. +<<<<<<< HEAD - Backport [#853](https://github.com/greenbone/openvas/pull/853) - Backport [#862](https://github.com/greenbone/openvas/pull/862) - Add `find_all` to eregmatch() nasl function [#875](https://github.com/greenbone/openvas/pull/875) - Fix Segmentation fault when freeing hosts and alive hosts [#888](https://github.com/greenbone/openvas/pull/888) ### Changed +======= + - [#853](https://github.com/greenbone/openvas/pull/853) + - [#862](https://github.com/greenbone/openvas/pull/862) +- Add `find_all` to eregmatch() nasl function. Backport PR #875. [#876](https://github.com/greenbone/openvas/pull/876) +- Add nasl functions for checking ssl/tls secure renegotiation and performing re-handshake. [#889](https://github.com/greenbone/openvas/pull/889) + +### Changed +- function script_bugtraq_id getting skipped, linter warns. [#724](https://github.com/greenbone/openvas/pull/724) +- Refactor dead host status sending. [#807](https://github.com/greenbone/openvas/pull/807) +- Refactor openvas.c. + [#810](https://github.com/greenbone/openvas/pull/810) + [#811](https://github.com/greenbone/openvas/pull/811) +- Handle script timeout as script preference with ID 0 [#844](https://github.com/greenbone/gvm-libs/pull/844) + +### Fixed +- Use fchmod to change file permission instead of on open to prevent race conditions [854](https://github.com/greenbone/openvas-scanner/pull/854) +- Several minor potential security risks in different files, spotted by Code QL [854](https://github.com/greenbone/openvas-scanner/pull/854) +- Fix plugins upload. Backport #878 [#880](https://github.com/greenbone/openvas/pull/880) +- Fix Error Message when NVTI chache init failed. 
Backport #885 [#887](https://github.com/greenbone/openvas/pull/887) +- Fix Segmentation fault when freeing hosts and alive hosts [#888](https://github.com/greenbone/openvas/pull/888) + +### Removed +- Remove handling of source_iface related preferences. [#730](https://github.com/greenbone/openvas/pull/730) + +[21.10]: https://github.com/greenbone/openvas-scanner/compare/stable...main + +## [21.4.3] (unreleased) +### Added +- Add nasl function sftp_enabled_check() to check if sftp subsystem is enabled in the target. + - [#853](https://github.com/greenbone/openvas/pull/853) + - [#862](https://github.com/greenbone/openvas/pull/862) + +### Changed +>>>>>>> 641ab331 (Add: Add nasl functions for checking ssl/tls secure renegotiation and performing re-handshake. (#889)) - Changed defaults for installation locations [#826](https://github.com/greenbone/openvas-scanner/pull/826) - SYSCONFDIR is /etc by default now - LOCALSTATEDIR is /var by default now diff --git a/misc/network.c b/misc/network.c index e4227dc94..da2d90a8c 100644 --- a/misc/network.c +++ b/misc/network.c 
@@ -643,7 +643,107 @@ open_SSL_connection (openvas_connection *fp, const char *cert, const char *key, gnutls_strerror (err)); return -1; } + FD_ZERO (&fdr); + FD_SET (fp->fd, &fdr); + FD_ZERO (&fdw); + FD_SET (fp->fd, &fdw); + + do + { + d = tictac + fp->timeout - time (NULL); + if (d <= 0) + { + fp->last_err = ETIMEDOUT; + return -1; + } + to.tv_sec = d; + to.tv_usec = 0; + errno = 0; + if ((ret = select (fp->fd + 1, &fdr, &fdw, NULL, &to)) <= 0) + pid_perror ("select"); + } + while (ret < 0 && errno == EINTR); + + if (ret <= 0) + { + fp->last_err = ETIMEDOUT; + return -1; + } + } +} + +/** + * @brief Check if Secure Renegotiation is supported in the server side. + * + * @param[in] fd Socket file descriptor. + * + * @return 1 if supported, 0 if not supported and less than 0 on error. + **/ +int +socket_ssl_safe_renegotiation_status (int fd) +{ + openvas_connection *fp; + + if (!fd_is_stream (fd)) + { + g_message ("%s: Socket %d is not stream", __func__, fd); + return -1; + } + fp = OVAS_CONNECTION_FROM_FD (fd); + + return gnutls_safe_renegotiation_status (fp->tls_session); +} + +/** @brief Do a re-handshake of the TLS/SSL protocol. + * + * @param[in] fd Socket file descriptor. + * + * @return 1 on success, less than 0 on failure or error. 
+ */ +int +socket_ssl_do_handshake (int fd) +{ + int err, d, ret; + openvas_connection *fp; + time_t tictac; + fd_set fdw, fdr; + struct timeval to; + + if (!fd_is_stream (fd)) + { + g_message ("%s: Socket %d is not stream", __func__, fd); + return -1; + } + fp = OVAS_CONNECTION_FROM_FD (fd); + + tictac = time (NULL); + + for (;;) + { + err = gnutls_handshake (fp->tls_session); + + if (err == 0) + { + g_debug ("no error during handshake"); + return 1; + } + if (err != GNUTLS_E_INTERRUPTED && err != GNUTLS_E_AGAIN + && err != GNUTLS_E_WARNING_ALERT_RECEIVED) + { + g_debug ("[%d] %s: %s", getpid (), __func__, gnutls_strerror (err)); + return -1; + } + else if (err == GNUTLS_E_WARNING_ALERT_RECEIVED) + { + int last_alert; + + last_alert = gnutls_alert_get (fp->tls_session); + g_debug ("[%d] %s: %s", getpid (), __func__, gnutls_strerror (err)); + g_debug ("* Received alert '%d': %s.\n", last_alert, + gnutls_alert_get_name (last_alert)); + return err; + } FD_ZERO (&fdr); FD_SET (fp->fd, &fdr); FD_ZERO (&fdw); @@ -655,6 +755,7 @@ open_SSL_connection (openvas_connection *fp, const char *cert, const char *key, if (d <= 0) { fp->last_err = ETIMEDOUT; + g_debug ("%s: time out", __func__); return -1; } to.tv_sec = d; @@ -668,13 +769,13 @@ open_SSL_connection (openvas_connection *fp, const char *cert, const char *key, if (ret <= 0) { fp->last_err = ETIMEDOUT; + g_debug ("%s: time out", __func__); return -1; } } } -/* - * @brief Upgrade an ENCAPS_IP socket to an SSL/TLS encapsulated one. +/** @brief Upgrade an ENCAPS_IP socket to an SSL/TLS encapsulated one. * * @param[in] fd Socket file descriptor. * @param[in] transport Encapsulation type. diff --git a/misc/network.h b/misc/network.h index 3751522b3..361fcf711 100644 --- a/misc/network.h +++ b/misc/network.h 
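Review bot: Both new functions, `socket_ssl_safe_renegotiation_status` and `socket_ssl_do_handshake`, hand `fp->tls_session` to GnuTLS after checking only `fd_is_stream (fd)`, so a stream socket that was never upgraded with `socket_negotiate_ssl` (or whose upgrade failed) presumably still carries a NULL session and would crash the scanner process inside `gnutls_safe_renegotiation_status` / `gnutls_handshake` instead of returning an error to the script. I would add after each `fp = OVAS_CONNECTION_FROM_FD (fd);` line: `if (fp->tls_session == NULL) { g_message ("%s: Socket %d has no TLS session", __func__, fd); return -1; }`. The handshake loop returns the raw negative GnuTLS code on `GNUTLS_E_WARNING_ALERT_RECEIVED` (for instance a `no_renegotiation` alert from a server refusing the request) without setting `fp->last_err`, which is reasonable but should be spelled out in the `@return` text so NASL authors can tell a refused renegotiation from a transport error. Callers should also be told that renegotiation does not exist in TLS 1.3, so the result is only meaningful for sessions negotiated at TLS 1.2 or lower. `open_SSL_connection` begins before this hunk, and the select/timeout tail of `socket_ssl_do_handshake` continues in the two following hunks.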
@@ -159,6 +159,11 @@ fd_is_stream (int); int stream_set_timeout (int, int); +int +socket_ssl_safe_renegotiation_status (int); +int +socket_ssl_do_handshake (int); + int socket_negotiate_ssl (int, openvas_encaps_t, struct script_infos *); diff --git a/nasl/nasl_init.c b/nasl/nasl_init.c index 010b9404f..31f0c4321 100644 --- a/nasl/nasl_init.c +++ b/nasl/nasl_init.c @@ -107,6 +107,9 @@ static init_func libfuncs[] = { {"recv_line", nasl_recv_line}, {"send", nasl_send}, {"socket_negotiate_ssl", nasl_socket_negotiate_ssl}, + {"socket_check_ssl_safe_renegotiation", + nasl_socket_check_ssl_safe_renegotiation}, + {"socket_ssl_do_handshake", nasl_socket_ssl_do_handshake}, {"socket_get_cert", nasl_socket_get_cert}, {"socket_get_ssl_version", nasl_socket_get_ssl_version}, {"socket_get_ssl_ciphersuite", nasl_socket_get_ssl_ciphersuite}, diff --git a/nasl/nasl_socket.c b/nasl/nasl_socket.c index 84f14da19..36929d80d 100644 --- a/nasl/nasl_socket.c +++ b/nasl/nasl_socket.c 
@@ -619,6 +619,67 @@ nasl_socket_negotiate_ssl (lex_ctxt *lexic) return retc; } +/** + * @brief Check if Secure Renegotiation is supported in the server side. + * @naslfn{socket_check_ssl_safe_renegotiation} + * + * @naslnparam + * + * - @a socket An already stablished ssl/tls session. + * + * @naslret An 1 if supported, 0 otherwise. Null or -1 on error. + * + **/ +tree_cell * +nasl_socket_check_ssl_safe_renegotiation (lex_ctxt *lexic) +{ + int soc, ret; + tree_cell *retc; + soc = get_int_var_by_name (lexic, "socket", -1); + if (soc < 0) + { + nasl_perror (lexic, "socket_get_cert: Erroneous socket value %d\n", soc); + return NULL; + } + ret = socket_ssl_safe_renegotiation_status (soc); + + retc = alloc_typed_cell (CONST_INT); + retc->x.i_val = ret; + return retc; +} + +/** + * @brief Do a re-handshake of the TLS/SSL protocol. + * + * @naslfn{socket_ssl_do_handshake} + * + * @naslnparam + * + * - @a socket An already stablished TLS/SSL session. + * + * @naslret An 1 on success, less than 0 on handshake error. + * Null on nasl error. + * + * @param[in] lexic Lexical context of NASL interpreter. + **/ +tree_cell * +nasl_socket_ssl_do_handshake (lex_ctxt *lexic) +{ + int soc, ret; + tree_cell *retc; + soc = get_int_var_by_name (lexic, "socket", -1); + if (soc < 0) + { + nasl_perror (lexic, "socket_get_cert: Erroneous socket value %d\n", soc); + return NULL; + } + ret = socket_ssl_do_handshake (soc); + + retc = alloc_typed_cell (CONST_INT); + retc->x.i_val = ret; + return retc; +} + tree_cell * nasl_socket_get_cert (lex_ctxt *lexic) { diff --git a/nasl/nasl_socket.h b/nasl/nasl_socket.h index a2618cf25..0eb261ad2 100644 --- a/nasl/nasl_socket.h +++ b/nasl/nasl_socket.h @@ -46,6 +46,12 @@ tree_cell * nasl_send (lex_ctxt *); tree_cell * nasl_socket_negotiate_ssl (lex_ctxt *); + +tree_cell * +nasl_socket_check_ssl_safe_renegotiation (lex_ctxt *); +tree_cell * +nasl_socket_ssl_do_handshake (lex_ctxt *); + tree_cell * nasl_recv (lex_ctxt *); tree_cell * 
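Review bot: Both new NASL wrappers report a bad `socket` argument under the wrong name — they copy the `socket_get_cert: Erroneous socket value %d\n` string from `nasl_socket_get_cert`, so a script author debugging `socket_check_ssl_safe_renegotiation` or `socket_ssl_do_handshake` is pointed at an unrelated function. Use each function's own name: `nasl_perror (lexic, "socket_check_ssl_safe_renegotiation: Erroneous socket value %d\n", soc);` and `nasl_perror (lexic, "socket_ssl_do_handshake: Erroneous socket value %d\n", soc);`. The doc comments also misspell `stablished` (established), and the first `@naslret` says `-1 on error` while the C helper only yields -1 for a non-stream fd and otherwise passes through GnuTLS's 0/1, so that case is worth naming explicitly so scripts do not treat -1 as "not supported".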
From 6fe4d485d1dff608562f16d6516d511198923702 Mon Sep 17 00:00:00 2001 From: Juan Jose Nicola Date: Mon, 25 Oct 2021 04:48:38 -0500 Subject: [PATCH 2/2] Remove changelog entries to solved conflicts. It uses now squash commits --- CHANGELOG.md | 35 ----------------------------------- 1 file changed, 35 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6fafe89ed..2e54304b7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,47 +7,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ## [21.4.3] - Unreleased - 2021-10-11 ### Added - Add nasl function sftp_enabled_check() to check if sftp subsystem is enabled in the target. -<<<<<<< HEAD - Backport [#853](https://github.com/greenbone/openvas/pull/853) - Backport [#862](https://github.com/greenbone/openvas/pull/862) - Add `find_all` to eregmatch() nasl function [#875](https://github.com/greenbone/openvas/pull/875) - Fix Segmentation fault when freeing hosts and alive hosts [#888](https://github.com/greenbone/openvas/pull/888) ### Changed -======= - - [#853](https://github.com/greenbone/openvas/pull/853) - - [#862](https://github.com/greenbone/openvas/pull/862) -- Add `find_all` to eregmatch() nasl function. Backport PR #875. [#876](https://github.com/greenbone/openvas/pull/876) -- Add nasl functions for checking ssl/tls secure renegotiation and performing re-handshake. [#889](https://github.com/greenbone/openvas/pull/889) - -### Changed -- function script_bugtraq_id getting skipped, linter warns. [#724](https://github.com/greenbone/openvas/pull/724) -- Refactor dead host status sending. [#807](https://github.com/greenbone/openvas/pull/807) -- Refactor openvas.c. - [#810](https://github.com/greenbone/openvas/pull/810) - [#811](https://github.com/greenbone/openvas/pull/811) -- Handle script timeout as script preference with ID 0 [#844](https://github.com/greenbone/gvm-libs/pull/844) - -### Fixed -- Use fchmod to change file permission instead of on open to prevent race conditions [854](https://github.com/greenbone/openvas-scanner/pull/854) -- Several minor potential security risks in different files, spotted by Code QL [854](https://github.com/greenbone/openvas-scanner/pull/854) -- Fix plugins upload. Backport #878 [#880](https://github.com/greenbone/openvas/pull/880) -- Fix Error Message when NVTI chache init failed. 
Backport #885 [#887](https://github.com/greenbone/openvas/pull/887) -- Fix Segmentation fault when freeing hosts and alive hosts [#888](https://github.com/greenbone/openvas/pull/888) - -### Removed -- Remove handling of source_iface related preferences. [#730](https://github.com/greenbone/openvas/pull/730) - -[21.10]: https://github.com/greenbone/openvas-scanner/compare/stable...main - -## [21.4.3] (unreleased) -### Added -- Add nasl function sftp_enabled_check() to check if sftp subsystem is enabled in the target. - - [#853](https://github.com/greenbone/openvas/pull/853) - - [#862](https://github.com/greenbone/openvas/pull/862) - -### Changed ->>>>>>> 641ab331 (Add: Add nasl functions for checking ssl/tls secure renegotiation and performing re-handshake. (#889)) - Changed defaults for installation locations [#826](https://github.com/greenbone/openvas-scanner/pull/826) - SYSCONFDIR is /etc by default now - LOCALSTATEDIR is /var by default now