Author: kroosec Date: 2016-09-16 16:48:12 +0200 (Fri, 16 Sep 2016) New Revision: 26234
Modified: trunk/openvas-scanner/ChangeLog trunk/openvas-scanner/doc/openvassd.8.in trunk/openvas-scanner/src/comm.c trunk/openvas-scanner/src/hosts.c trunk/openvas-scanner/src/ntp.c trunk/openvas-scanner/src/openvassd.c Log: Remove support for OTP over TCP sockets. * src/comm.c (is_client_present), src/hosts.c (hosts_read_client), src/ntp.c (ntp_read_prefs): Remove handling of otp over tcp. * src/openvassd.c (loading_client_handle, loading_handler_start) (scanner_thread, main_loop): Remove handling of otp over tcp. (init_ssl_ctx, init_network): Remove function. (main): Remove --listen --port --gnutls-priorities and --dh-params cli parameters. * doc/openvassd.8.in: Update documentation. Modified: trunk/openvas-scanner/ChangeLog =================================================================== --- trunk/openvas-scanner/ChangeLog 2016-09-15 14:25:36 UTC (rev 26233) +++ trunk/openvas-scanner/ChangeLog 2016-09-16 14:48:12 UTC (rev 26234) @@ -1,3 +1,18 @@ +2016-09-16 Hani Benhabiles <hani.benhabi...@greenbone.net> + + Remove support for OTP over TCP sockets. + + * src/comm.c (is_client_present), src/hosts.c (hosts_read_client), + src/ntp.c (ntp_read_prefs): Remove handling of otp over tcp. + + * src/openvassd.c (loading_client_handle, loading_handler_start) + (scanner_thread, main_loop): Remove handling of otp over tcp. + (init_ssl_ctx, init_network): Remove function. + (main): Remove --listen --port --gnutls-priorities and --dh-params + cli parameters. + + * doc/openvassd.8.in: Update documentation. + 2016-09-09 Hani Benhabiles <hani.benhabi...@greenbone.net> * src/hosts.c (forward): Don't end sending loop when nsend() returns 0. Modified: trunk/openvas-scanner/doc/openvassd.8.in =================================================================== --- trunk/openvas-scanner/doc/openvassd.8.in 2016-09-15 14:25:36 UTC (rev 26233) +++ trunk/openvas-scanner/doc/openvassd.8.in 2016-09-16 14:48:12 UTC (rev 26234) @@ -2,8 +2,8 @@ .SH NAME openvassd \- The Scanner of the Open Vulnerability Assessment System (OpenVAS) .SH SYNOPSIS -.BI "openvassd [\|-v\|] [\|-h\|] [\|-c " config-file\| "] [\|-a " address\| -.BI "] [\|-p " port-number\| "] [\|-D\|] [\|-R\|] [\|-P\|] [\|-q\|] [\|-f\|]" +.BI "openvassd [\|-v\|] [\|-h\|] [\|-c " config-file\| "] +.BI " [\|-D\|] [\|-R\|] [\|-P\|] [\|-q\|] [\|-f\|]" .SH DESCRIPTION .B OpenVAS @@ -26,37 +26,6 @@ .I @OPENVASSD_CONF@ .TP -.BI "-a " <address> ", --listen=" <address> -Tell the scanner to only listen to connections on the address -.I <address> -which is an IP, not a machine name. For instance, -"openvassd \-a 192.168.1.1" -will make -.B openvassd -only listen to requests going to -.I 192.168.1.1 -This option is useful if you are running openvassd on a gateway and if you don't -want people on the outside to connect to your -.BR openvassd . - -.TP -.BI "-p " <port-number> ", --port=" <port-number> -Tell the scanner to listen on connection on the port <port-number> rather -than listening on port 9391 (default). - -.TP -.BI " --gnutls-priorities=" <priority-string> -Sets the GnuTLS priority string for the listening socket to adjust the supported -cipher suites. - -.TP -.BI " --dh-params=" <file> -Sets the path to a PEM file containing Diffie-Hellman parameters. Needed for key -DHE-based key exchange algorithms that provide Perfect Forward Secrecy. -This file could be generated using tools like "openssl dhparam" and -"certtool \-\-generate-dh-params". - -.TP .B "-f, --foreground" Make the scanner stay in foreground (non-daemon mode) Modified: trunk/openvas-scanner/src/comm.c =================================================================== --- trunk/openvas-scanner/src/comm.c 2016-09-15 14:25:36 UTC (rev 26233) +++ trunk/openvas-scanner/src/comm.c 2016-09-16 14:48:12 UTC (rev 26234) @@ -121,8 +121,6 @@ int e; FD_ZERO (&rd); - if (fd_is_stream (soc)) - soc = openvas_get_socket_from_connection (soc); FD_SET (soc, &rd); again: tv.tv_sec = 2; Modified: trunk/openvas-scanner/src/hosts.c =================================================================== --- trunk/openvas-scanner/src/hosts.c 2016-09-15 14:25:36 UTC (rev 26233) +++ trunk/openvas-scanner/src/hosts.c 2016-09-16 14:48:12 UTC (rev 26234) @@ -312,35 +312,28 @@ hosts_read_client (struct arglist *globals) { struct timeval tv; - int e = 0, rsoc; + int e = 0; fd_set rd; if (g_soc == -1) return 0; - if (fd_is_stream (g_soc)) - rsoc = openvas_get_socket_from_connection (g_soc); - else - rsoc = g_soc; - if (rsoc == -1) - return -1; - FD_ZERO (&rd); - FD_SET (rsoc, &rd); + FD_SET (g_soc, &rd); for (;;) { tv.tv_sec = 0; tv.tv_usec = 1000; - e = select (rsoc + 1, &rd, NULL, NULL, &tv); + e = select (g_soc, &rd, NULL, NULL, &tv); if (e < 0 && errno == EINTR) continue; else break; } - if (e > 0 && FD_ISSET (rsoc, &rd) != 0) + if (e > 0 && FD_ISSET (g_soc, &rd) != 0) { int result; char buf[4096]; Modified: trunk/openvas-scanner/src/ntp.c =================================================================== --- trunk/openvas-scanner/src/ntp.c 2016-09-15 14:25:36 UTC (rev 26233) +++ trunk/openvas-scanner/src/ntp.c 2016-09-16 14:48:12 UTC (rev 26234) @@ -171,9 +171,6 @@ { int n; input[0] = '\0'; -#if DEBUG_SSL > 2 - log_write ("ntp_read_prefs > soc=%d\n", soc); -#endif n = recv_line (soc, input, input_sz - 1); if (n < 0 || input[0] == '\0') Modified: trunk/openvas-scanner/src/openvassd.c =================================================================== --- trunk/openvas-scanner/src/openvassd.c 2016-09-15 14:25:36 UTC (rev 26233) +++ trunk/openvas-scanner/src/openvassd.c 2016-09-16 14:48:12 UTC (rev 26234) @@ -52,7 +52,6 @@ #include <pwd.h> #include <grp.h> -#include <openvas/misc/network.h> /* for ovas_scanner_context_t */ #include <openvas/misc/openvas_proctitle.h> /* for proctitle_set */ #include <openvas/misc/openvas_logging.h> /* for setup_legacy_log_handler */ #include <openvas/base/pidfile.h> /* for pidfile_create */ @@ -133,11 +132,6 @@ {NULL, NULL} }; -/** - * SSL context may be kept once it is inited. - */ -static ovas_scanner_context_t ovas_scanner_ctx; - gchar *unix_socket_path = NULL; static void @@ -241,28 +235,14 @@ static void loading_client_handle (int soc) { - int soc2, opt = 1; + int opt = 1; if (soc <= 0) return; - if (unix_socket_path) - soc2 = soc; - else - soc2 = ovas_scanner_context_attach (ovas_scanner_ctx, soc); - if (soc2 < 0) - { - close (soc); - return; - } setsockopt (soc, SOL_SOCKET, SO_KEEPALIVE, &opt, sizeof (opt)); - comm_loading (soc2); - if (!unix_socket_path) - close_stream_connection (soc2); - else - { - shutdown (soc, 2); - close (soc); - } + comm_loading (soc); + shutdown (soc, 2); + close (soc); } /* @@ -319,13 +299,13 @@ while (1) { unsigned int lg_address; - struct sockaddr_in6 address6; + struct sockaddr_un address; int soc; if (loading_stop_signal || kill (parent_pid, 0) < 0) break; - lg_address = sizeof (struct sockaddr_in6); - soc = accept (global_iana_socket, (struct sockaddr *) (&address6), + lg_address = sizeof (struct sockaddr_un); + soc = accept (global_iana_socket, (struct sockaddr *) (&address), &lg_address); loading_client_handle (soc); sleep (1); @@ -422,17 +402,11 @@ static void scanner_thread (struct arglist *globals) { - char asciiaddr[INET6_ADDRSTRLEN]; - int opt = 1, soc2 = -1, soc; - struct sockaddr_storage addr; - socklen_t len; + int opt = 1, soc; nvticache_reset (); soc = arg_get_value_int (globals, "global_socket"); - len = sizeof (addr); - getpeername (soc, (struct sockaddr *) &addr, &len); - sockaddr_as_str (&addr, asciiaddr); - proctitle_set ("openvassd: Serving %s", unix_socket_path ?: asciiaddr); + proctitle_set ("openvassd: Serving %s", unix_socket_path); /* Everyone runs with a nicelevel of 10 */ if (prefs_get_bool ("be_nice")) @@ -447,74 +421,27 @@ /* Close the scanner thread - it is useless for us now */ close (global_iana_socket); - if (unix_socket_path) - soc2 = soc; - else - soc2 = ovas_scanner_context_attach (ovas_scanner_ctx, soc); - if (soc2 < 0) + if (soc < 0) goto shutdown_and_exit; - /* FIXME: The pre-gnutls code optionally printed information about - * the peer's certificate at this point. - */ - setsockopt (soc, SOL_SOCKET, SO_KEEPALIVE, &opt, sizeof (opt)); /* arg_set_value *replaces* an existing value, but it shouldn't fail here */ arg_add_value (globals, "parent_socket", ARG_INT, GSIZE_TO_POINTER (soc)); - arg_set_value (globals, "global_socket", GSIZE_TO_POINTER (soc2)); + arg_set_value (globals, "global_socket", GSIZE_TO_POINTER (soc)); - if (comm_init (soc2) < 0) - { - if (!unix_socket_path) - close_stream_connection (soc); - exit (0); - } + if (comm_init (soc) < 0) + exit (0); handle_client (globals); shutdown_and_exit: - if (soc2 >= 0 && unix_socket_path) - close_stream_connection (soc2); - else - { - shutdown (soc, 2); - close (soc); - } + shutdown (soc, 2); + close (soc); /* Kill left overs */ end_daemon_mode (); exit (0); } -static void -init_ssl_ctx (const char *priority, const char *dhparams) -{ - if (openvas_SSL_init () < 0) - { - log_write ("Could not initialize openvas SSL!\n"); - exit (1); - } - - /* Only initialize ovas_scanner_ctx once */ - if (ovas_scanner_ctx == NULL && !unix_socket_path) - { - const char *cert, *key, *passwd, *ca_file; - - ca_file = prefs_get ("ca_file"); - cert = prefs_get ("cert_file"); - key = prefs_get ("key_file"); - - passwd = prefs_get ("pem_password"); - ovas_scanner_ctx = ovas_scanner_context_new - (OPENVAS_ENCAPS_TLScustom, cert, key, passwd, ca_file, - priority, dhparams); - if (!ovas_scanner_ctx) - { - log_write ("Could not create ovas_scanner_ctx"); - exit (1); - } - } -} - /* * @brief Terminates the scanner if a termination signal was received. */ @@ -560,21 +487,18 @@ { int soc; unsigned int lg_address; - struct sockaddr_in6 address6; + struct sockaddr_un address; struct arglist *globals; check_termination (); check_reload (); wait_for_children1 (); - lg_address = sizeof (struct sockaddr_in6); - soc = accept (global_iana_socket, (struct sockaddr *) (&address6), + lg_address = sizeof (struct sockaddr_un); + soc = accept (global_iana_socket, (struct sockaddr *) (&address), &lg_address); if (soc == -1) continue; - /* - * MA: you cannot share an open SSL connection through fork/multithread - * The SSL connection shall be open _after_ the fork */ globals = g_malloc0 (sizeof (struct arglist)); arg_add_value (globals, "global_socket", ARG_INT, GSIZE_TO_POINTER (soc)); @@ -684,65 +608,6 @@ } /** - * Initialization of the network : - * we setup the socket that will listen for incoming connections on port \<port\> - * on address \<addr\> - * - * @param port Port on which to listen. - * @param[out] sock Socket to be initialized. - * @param addr Adress. - * - * @return 0 on success. -1 on failure. - */ -static int -init_network (int port, int *sock, const char *addr_str) -{ - int option = 1; - struct sockaddr_storage address; - struct sockaddr_in *addr4 = (struct sockaddr_in *) &address; - struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *) &address; - - if (inet_pton (AF_INET6, addr_str, &addr6->sin6_addr) > 0) - { - address.ss_family = AF_INET6; - addr6->sin6_port = htons (port); - } - else if (inet_pton (AF_INET, addr_str, &addr4->sin_addr) > 0) - { - address.ss_family = AF_INET; - addr4->sin_port = htons (port); - } - else - { - printf ("Invalid IP address.\n"); - printf ("Please use --help for more information.\n"); - return -1; - } - - if ((*sock = socket (address.ss_family, SOCK_STREAM, 0)) == -1) - { - int ec = errno; - log_write ("socket(AF_INET): %s", strerror (ec)); - return -1; - } - setsockopt (*sock, SOL_SOCKET, SO_REUSEADDR, &option, sizeof (int)); - if (bind (*sock, (struct sockaddr *) &address, sizeof (address)) == -1) - { - log_write ("bind() failed : %s\n", strerror (errno)); - return -1; - } - if (listen (*sock, 512) == -1) - { - log_write ("listen() failed : %s\n", strerror (errno)); - shutdown (*sock, 2); - close (*sock); - return -1; - } - - return 0; -} - -/** * @brief Initialize everything. * * @param stop_early 0: do some initialization, 1: no initialization. @@ -820,7 +685,7 @@ int main (int argc, char *argv[]) { - int exit_early = 0, scanner_port = 9391, ret; + int exit_early = 0, ret; pid_t handler_pid; proctitle_init (argc, argv); @@ -828,11 +693,7 @@ static gboolean display_version = FALSE; static gboolean dont_fork = FALSE; - static gchar *address = NULL; - static gchar *port = NULL; static gchar *config_file = NULL; - static gchar *gnutls_priorities = "NORMAL"; - static gchar *dh_params = NULL; static gchar *listen_owner = NULL; static gchar *listen_group = NULL; static gchar *listen_mode = NULL; @@ -846,10 +707,6 @@ "Display version information", NULL}, {"foreground", 'f', 0, G_OPTION_ARG_NONE, &dont_fork, "Do not run in daemon mode but stay in foreground", NULL}, - {"listen", 'a', 0, G_OPTION_ARG_STRING, &address, - "Listen on <address>", "<address>"}, - {"port", 'p', 0, G_OPTION_ARG_STRING, &port, - "Use port number <number>", "<number>"}, {"config-file", 'c', 0, G_OPTION_ARG_FILENAME, &config_file, "Configuration file", "<filename>"}, {"cfg-specs", 's', 0, G_OPTION_ARG_NONE, &print_specs, @@ -858,10 +715,6 @@ "Print system configuration directory (set at compile time)", NULL}, {"only-cache", 'C', 0, G_OPTION_ARG_NONE, &only_cache, "Exit once the NVT cache has been initialized or updated", NULL}, - {"gnutls-priorities", '\0', 0, G_OPTION_ARG_STRING, &gnutls_priorities, - "GnuTLS priorities string", "<string>"}, - {"dh-params", '\0', 0, G_OPTION_ARG_STRING, &dh_params, - "Diffie-Hellman parameters file", "<string>"}, {"unix-socket", 'c', 0, G_OPTION_ARG_FILENAME, &unix_socket_path, "Path of unix socket to listen on", "<filename>"}, {"listen-owner", '\0', 0, G_OPTION_ARG_STRING, &listen_owner, @@ -900,25 +753,8 @@ if (print_specs) exit_early = 2; /* no cipher initialization */ - if (unix_socket_path && (port || address)) - { - printf ("Can't use --unix-socket with --port or --address.\n"); - exit (1); - } - - /* Default behaviour is to listen on unix file socket. */ - if (!address && !port && !unix_socket_path) + if (!unix_socket_path) unix_socket_path = g_build_filename (OPENVAS_RUN_DIR, "openvassd.sock", NULL); - if (port != NULL) - { - scanner_port = atoi (port); - if ((scanner_port <= 0) || (scanner_port >= 65536)) - { - printf ("Invalid port specification.\n"); - printf ("Please use --help for more information.\n"); - exit (1); - } - } if (display_version) { @@ -950,18 +786,12 @@ if (init_openvassd (dont_fork, config_file)) return 1; - if (!exit_early && unix_socket_path) + if (!exit_early) { if (init_unix_network (&global_iana_socket, listen_owner, listen_group, listen_mode)) return 1; } - else if (!exit_early) - { - if (init_network (scanner_port, &global_iana_socket, - address ?: ipv6_is_enabled () ? "::" : "0.0.0.0")) - return 1; - } flush_all_kbs (); /* special treatment */ @@ -970,7 +800,6 @@ if (exit_early) exit (0); - init_ssl_ctx (gnutls_priorities, dh_params); // Daemon mode: if (dont_fork == FALSE) set_daemon_mode (); _______________________________________________ Openvas-commits mailing list Openvas-commits@wald.intevation.org https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-commits