Add: Add nasl functions for checking ssl/tls secure renegotiation and…

… performing re-handshake. (#889)

Add: Add nasl functions for checking ssl/tls secure renegotiation and performing re-handshake. (#889)

CHANGELOG.md

@@ -19,7 +19,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
   - [#853](https://github.com/greenbone/openvas/pull/853)
   - [#862](https://github.com/greenbone/openvas/pull/862)
 - Add `find_all` to eregmatch() nasl function. Backport PR #875. [#876](https://github.com/greenbone/openvas/pull/876)
-- Fix Segmentation fault when freeing hosts and alive hosts [#888](https://github.com/greenbone/openvas/pull/888)
+- Add nasl functions for checking ssl/tls secure renegotiation and performing re-handshake. [#889](https://github.com/greenbone/openvas/pull/889)
 
 ### Changed
 - function script_bugtraq_id getting skipped, linter warns. [#724](https://github.com/greenbone/openvas/pull/724)
@@ -34,6 +34,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Several minor potential security risks in different files, spotted by Code QL [854](https://github.com/greenbone/openvas-scanner/pull/854)
 - Fix plugins upload. Backport #878 [#880](https://github.com/greenbone/openvas/pull/880)
 - Fix Error Message when NVTI chache init failed. Backport #885 [#887](https://github.com/greenbone/openvas/pull/887)
+- Fix Segmentation fault when freeing hosts and alive hosts [#888](https://github.com/greenbone/openvas/pull/888)
 
 ### Removed
 - Remove handling of source_iface related preferences. [#730](https://github.com/greenbone/openvas/pull/730)

misc/network.c

@@ -643,7 +643,107 @@ open_SSL_connection (openvas_connection *fp, const char *cert, const char *key,
                    gnutls_strerror (err));
           return -1;
         }
+      FD_ZERO (&fdr);
+      FD_SET (fp->fd, &fdr);
+      FD_ZERO (&fdw);
+      FD_SET (fp->fd, &fdw);
+
+      do
+        {
+          d = tictac + fp->timeout - time (NULL);
+          if (d <= 0)
+            {
+              fp->last_err = ETIMEDOUT;
+              return -1;
+            }
+          to.tv_sec = d;
+          to.tv_usec = 0;
+          errno = 0;
+          if ((ret = select (fp->fd + 1, &fdr, &fdw, NULL, &to)) <= 0)
+            pid_perror ("select");
+        }
+      while (ret < 0 && errno == EINTR);
+
+      if (ret <= 0)
+        {
+          fp->last_err = ETIMEDOUT;
+          return -1;
+        }
+    }
+}
+
+/**
+ * @brief Check if Secure Renegotiation is supported in the server side.
+ *
+ * @param[in]   fd          Socket file descriptor.
+ *
+ * @return 1 if supported, 0 if not supported and less than 0 on error.
+ **/
+int
+socket_ssl_safe_renegotiation_status (int fd)
+{
+  openvas_connection *fp;
+
+  if (!fd_is_stream (fd))
+    {
+      g_message ("%s: Socket %d is not stream", __func__, fd);
+      return -1;
+    }
+  fp = OVAS_CONNECTION_FROM_FD (fd);
+
+  return gnutls_safe_renegotiation_status (fp->tls_session);
+}
+
+/** @brief Do a re-handshake of the TLS/SSL protocol.
+ *
+ * @param[in]   fd          Socket file descriptor.
+ *
+ * @return 1 on success, less than 0 on failure or error.
+ */
+int
+socket_ssl_do_handshake (int fd)
+{
+  int err, d, ret;
+  openvas_connection *fp;
+  time_t tictac;
+  fd_set fdw, fdr;
+  struct timeval to;
+
+  if (!fd_is_stream (fd))
+    {
+      g_message ("%s: Socket %d is not stream", __func__, fd);
+      return -1;
+    }
+  fp = OVAS_CONNECTION_FROM_FD (fd);
+
+  tictac = time (NULL);
+
+  for (;;)
+    {
+      err = gnutls_handshake (fp->tls_session);
+
+      if (err == 0)
+        {
+          g_debug ("no error during handshake");
+          return 1;
+        }
+      if (err != GNUTLS_E_INTERRUPTED && err != GNUTLS_E_AGAIN
+          && err != GNUTLS_E_WARNING_ALERT_RECEIVED)
+        {
+          g_debug ("[%d] %s: %s", getpid (), __func__, gnutls_strerror (err));
+          return -1;
+        }
+      else if (err == GNUTLS_E_WARNING_ALERT_RECEIVED)
+        {
+          int last_alert;
+
+          last_alert = gnutls_alert_get (fp->tls_session);
+          g_debug ("[%d] %s: %s", getpid (), __func__, gnutls_strerror (err));
 
+          g_debug ("* Received alert '%d': %s.\n", last_alert,
+                   gnutls_alert_get_name (last_alert));
+          return err;
+        }
       FD_ZERO (&fdr);
       FD_SET (fp->fd, &fdr);
       FD_ZERO (&fdw);
@@ -655,6 +755,7 @@ open_SSL_connection (openvas_connection *fp, const char *cert, const char *key,
           if (d <= 0)
             {
               fp->last_err = ETIMEDOUT;
+              g_debug ("%s: time out", __func__);
               return -1;
             }
           to.tv_sec = d;
@@ -668,13 +769,13 @@ open_SSL_connection (openvas_connection *fp, const char *cert, const char *key,
       if (ret <= 0)
         {
           fp->last_err = ETIMEDOUT;
+          g_debug ("%s: time out", __func__);
           return -1;
         }
     }
 }
 
-/*
- * @brief Upgrade an ENCAPS_IP socket to an SSL/TLS encapsulated one.
+/** @brief Upgrade an ENCAPS_IP socket to an SSL/TLS encapsulated one.
  *
  * @param[in]   fd          Socket file descriptor.
  * @param[in]   transport   Encapsulation type.

misc/network.h

@@ -159,6 +159,11 @@ fd_is_stream (int);
 int
 stream_set_timeout (int, int);
 
+int
+socket_ssl_safe_renegotiation_status (int);
+int
+socket_ssl_do_handshake (int);
+
 int
 socket_negotiate_ssl (int, openvas_encaps_t, struct script_infos *);
 

nasl/nasl_init.c

@@ -109,6 +109,9 @@ static init_func libfuncs[] = {
   {"recv_line", nasl_recv_line},
   {"send", nasl_send},
   {"socket_negotiate_ssl", nasl_socket_negotiate_ssl},
+  {"socket_check_ssl_safe_renegotiation",
+   nasl_socket_check_ssl_safe_renegotiation},
+  {"socket_ssl_do_handshake", nasl_socket_ssl_do_handshake},
   {"socket_get_cert", nasl_socket_get_cert},
   {"socket_get_ssl_version", nasl_socket_get_ssl_version},
   {"socket_get_ssl_ciphersuite", nasl_socket_get_ssl_ciphersuite},

nasl/nasl_socket.c

@@ -625,6 +625,67 @@ nasl_socket_negotiate_ssl (lex_ctxt *lexic)
   return retc;
 }
 
+/**
+ * @brief Check if Secure Renegotiation is supported in the server side.
+ * @naslfn{socket_check_ssl_safe_renegotiation}
+ *
+ * @naslnparam
+ *
+ * - @a socket An already stablished ssl/tls session.
+ *
+ * @naslret An 1 if supported, 0 otherwise. Null or -1 on error.
+ *
+ **/
+tree_cell *
+nasl_socket_check_ssl_safe_renegotiation (lex_ctxt *lexic)
+{
+  int soc, ret;
+  tree_cell *retc;
+  soc = get_int_var_by_name (lexic, "socket", -1);
+  if (soc < 0)
+    {
+      nasl_perror (lexic, "socket_get_cert: Erroneous socket value %d\n", soc);
+      return NULL;
+    }
+  ret = socket_ssl_safe_renegotiation_status (soc);
+
+  retc = alloc_typed_cell (CONST_INT);
+  retc->x.i_val = ret;
+  return retc;
+}
+
+/**
+ * @brief Do a re-handshake of the TLS/SSL protocol.
+ *
+ * @naslfn{socket_ssl_do_handshake}
+ *
+ * @naslnparam
+ *
+ * - @a socket An already stablished TLS/SSL session.
+ *
+ * @naslret An 1 on success, less than 0 on handshake error.
+ *          Null on nasl error.
+ *
+ * @param[in] lexic Lexical context of NASL interpreter.
+ **/
+tree_cell *
+nasl_socket_ssl_do_handshake (lex_ctxt *lexic)
+{
+  int soc, ret;
+  tree_cell *retc;
+  soc = get_int_var_by_name (lexic, "socket", -1);
+  if (soc < 0)
+    {
+      nasl_perror (lexic, "socket_get_cert: Erroneous socket value %d\n", soc);
+      return NULL;
+    }
+  ret = socket_ssl_do_handshake (soc);
+
+  retc = alloc_typed_cell (CONST_INT);
+  retc->x.i_val = ret;
+  return retc;
+}
+
 tree_cell *
 nasl_socket_get_cert (lex_ctxt *lexic)
 {

nasl/nasl_socket.h

@@ -46,6 +46,12 @@ tree_cell *
 nasl_send (lex_ctxt *);
 tree_cell *
 nasl_socket_negotiate_ssl (lex_ctxt *);
+
+tree_cell *
+nasl_socket_check_ssl_safe_renegotiation (lex_ctxt *);
+tree_cell *
+nasl_socket_ssl_do_handshake (lex_ctxt *);
+
 tree_cell *
 nasl_recv (lex_ctxt *);
 tree_cell *