[Openvas-commits] r1685 - in trunk/openvas-server: . doc include openvasd
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Mon Nov 10 10:44:22 CET 2008
Author: mwiegand
Date: 2008-11-10 10:44:21 +0100 (Mon, 10 Nov 2008)
New Revision: 1685
Removed:
trunk/openvas-server/doc/openvas-check-signature.1
trunk/openvas-server/openvasd/openvas-check-signature.c
Modified:
trunk/openvas-server/ChangeLog
trunk/openvas-server/MANIFEST
trunk/openvas-server/Makefile
trunk/openvas-server/include/config.h.in
trunk/openvas-server/openvasd/Makefile
Log:
Removed openvas-check-signature since signature verification can now be
done with existing third-party tools like gnupg. Additionally,
openvas-check-signature was the last executable to depend on the local
copies of getopt, which are no longer provided by openvas-libraries.
* openvasd/openvas-check-signature.c: Removed.
* openvasd/Makefile: Removed handling of openvas-check-signature.
* include/config.h.in: Removed obsolete getopt defines.
* doc/openvas-check-signature.1: Removed documentation of
openvas-check-signature.
* MANIFEST: Updated.
* Makefile: Updated.
Modified: trunk/openvas-server/ChangeLog
===================================================================
--- trunk/openvas-server/ChangeLog 2008-11-10 09:43:26 UTC (rev 1684)
+++ trunk/openvas-server/ChangeLog 2008-11-10 09:44:21 UTC (rev 1685)
@@ -1,3 +1,23 @@
+2008-11-10 Michael Wiegand <michael.wiegand at intevation.de>
+
+ Removed openvas-check-signature since signature verification can now be
+ done with existing third-party tools like gnupg. Additionally,
+ openvas-check-signature was the last executable to depend on the local
+ copies of getopt which is no longer provided by openvas-libraries.
+
+ * openvasd/openvas-check-signature.c: Removed.
+
+ * openvasd/Makefile: Removed handling of openvas-check-signature.
+
+ * include/config.h.in: Removed obsolete getopt defines.
+
+ * doc/openvas-check-signature.1: Removed documentation of
+ openvas-check-signature.
+
+ * MANIFEST: Updated.
+
+ * Makefile: Updated.
+
2008-11-07 Felix Wolfsteller <felix.wolfstelller at intevation.de>
* openvasd/nasl_plugins: Removed printfs.
Modified: trunk/openvas-server/MANIFEST
===================================================================
--- trunk/openvas-server/MANIFEST 2008-11-10 09:43:26 UTC (rev 1684)
+++ trunk/openvas-server/MANIFEST 2008-11-10 09:44:21 UTC (rev 1685)
@@ -11,7 +11,6 @@
doc/nbe_file_format.txt
doc/nsr_file_format.txt
doc/openvas-adduser.8
-doc/openvas-check-signature.1
doc/openvasd.8.in
doc/openvas-mkcert.8
doc/openvas-mkcert-client.1
@@ -55,7 +54,6 @@
openvasd/nes_plugins.c
openvasd/ntp_11.c
openvasd/ntp_11.h
-openvasd/openvas-check-signature.c
openvasd/openvasd.c
openvasd/otp_1_0.c
openvasd/otp_1_0.h
Modified: trunk/openvas-server/Makefile
===================================================================
--- trunk/openvas-server/Makefile 2008-11-10 09:43:26 UTC (rev 1684)
+++ trunk/openvas-server/Makefile 2008-11-10 09:44:21 UTC (rev 1685)
@@ -72,7 +72,6 @@
$(INSTALL) -m 755 openvasd-config $(DESTDIR)${bindir}/openvasd-config
$(INSTALL) -m 755 ssl/openvas-mkrand $(DESTDIR)${bindir}/openvas-mkrand
$(INSTALL) -m $(SERVERMODE) openvasd/openvasd $(DESTDIR)${sbindir}/openvasd
- $(INSTALL) -m $(SERVERMODE) openvasd/openvas-check-signature $(DESTDIR)${sbindir}/openvas-check-signature
$(INSTALL) -m 755 openvas-adduser $(DESTDIR)${sbindir}/openvas-adduser
$(INSTALL) -m 755 openvas-rmuser $(DESTDIR)${sbindir}/openvas-rmuser
$(INSTALL) -m 755 openvas-mkcert $(DESTDIR)${sbindir}/openvas-mkcert
@@ -93,7 +92,6 @@
@test -d $(DESTDIR)${mandir}/man1 || $(INSTALL_DIR) -m 755 $(DESTDIR)${mandir}/man1
@test -d $(DESTDIR)${mandir}/man8 || $(INSTALL_DIR) -m 755 $(DESTDIR)${mandir}/man8
$(INSTALL) -c -m 0444 doc/openvasd-config.1 $(DESTDIR)${mandir}/man1/openvasd-config.1
- $(INSTALL) -c -m 0444 doc/openvas-check-signature.1 $(DESTDIR)${mandir}/man1/openvas-check-signature.1
$(INSTALL) -c -m 0444 doc/openvas-mkrand.1 $(DESTDIR)${mandir}/man1/openvas-mkrand.1
$(INSTALL) -c -m 0444 doc/openvasd.8 $(DESTDIR)${mandir}/man8/openvasd.8
$(INSTALL) -c -m 0444 doc/openvas-adduser.8 $(DESTDIR)${mandir}/man8/openvas-adduser.8
Deleted: trunk/openvas-server/doc/openvas-check-signature.1
===================================================================
--- trunk/openvas-server/doc/openvas-check-signature.1 2008-11-10 09:43:26 UTC (rev 1684)
+++ trunk/openvas-server/doc/openvas-check-signature.1 2008-11-10 09:44:21 UTC (rev 1685)
@@ -1,64 +0,0 @@
-.TH OpenVAS 1 "February 2005" "The OpenVAS Project" "Users Manuals"
-.SH NAME
-openvas-check-signature \- A simple utility to check (or generate) the signature of plugins retrieved from www.openvas.org
-.SH SYNOPSIS
-.B openvas-check-signature [-S] filename [signaturefile]
-.P
-
-.SH DESCRIPTION
-.B openvas-check-signature
-is a simple utility used by
-.B openvas-update-plugins
-to check the signatures of the OpenVAS plugins downloaded from
-www.openvas.org. When executed and provided both an archive and a
-signaturefile it will verify if the file matches the signature
-and if the signature matches the
-.B openvas_org.pem
-certificate.
-
-It can also generate the signatures for the plugins distributed by
-www.openvas.org but you will, obviously, need the private certificate
-file to do so. You can, however, customise the code to use an
-alternate certificate file and generate plugins distributions files for
-third party servers.
-
-
-.SH OPTIONS
-.TP
-.BI -S
-Sign the archive instead of checking the signature.
-.B openvas-check-signature
-will check for the private certificate key
-.B openvas_org.priv.pem
-and will generate a \fB.sig\fR file with the file signature.
-
-.SH EXAMPLE
-To check the signature for all the plugins downloaded from the OpenVAS
-servers use:
-
-.B openvas-check-signature all-2.0.tar.gz all-2.0.sig
-
-.SH EXIT VALUES
-.B openvas-check-signature
-will return with a 0 value if the signature matches and will return
-with an error value (1) if the signature does not match or if any
-other error is found.
-
-.SH "SEE ALSO"
-.BR openvas-update-plugins (1), openvas-fetch (1)
-
-.SH MORE INFORMATION ABOUT THE OpenVAS PROJECT
-The canonical place where you will find more information
-about the OpenVAS project is :
-
-.RS
-.UR
-http://www.openvas.org/
-.UE
-
-.SH AUTHORS
-openvas-check-signature is (C) 2004 Tenable Network Security
-.PP
-This manpage was written by Javier Fernandez-Sanguino for the Debian
-distribution, and is distributed under the GPL.
-
Modified: trunk/openvas-server/include/config.h.in
===================================================================
--- trunk/openvas-server/include/config.h.in 2008-11-10 09:43:26 UTC (rev 1684)
+++ trunk/openvas-server/include/config.h.in 2008-11-10 09:44:21 UTC (rev 1685)
@@ -192,7 +192,6 @@
#undef HAVE_GETHRTIME
#undef HAVE_GETRUSAGE
#undef HAVE_LONG_FILE_NAMES
-#undef HAVE_GETOPT_H
#undef HAVE_STRING_H
#undef HAVE_STRINGS_H
#undef HAVE_SYS_POLL_H
Modified: trunk/openvas-server/openvasd/Makefile
===================================================================
--- trunk/openvas-server/openvasd/Makefile 2008-11-10 09:43:26 UTC (rev 1684)
+++ trunk/openvas-server/openvasd/Makefile 2008-11-10 09:44:21 UTC (rev 1685)
@@ -36,17 +36,11 @@
pluginscheduler.o \
shared_socket.o
-all : openvasd openvas-check-signature
+all : openvasd
openvasd : $(OBJS)
$(CC) $(LDFLAGS) $(OPENVAS_INCLUDE) $(OBJS) -o openvasd $(LIBS)
-openvas-check-signature : openvas-check-signature.o
- $(CC) $(LDFLAGS) $(OPENVAS_INCLUDE) openvas-check-signature.o -o openvas-check-signature $(LIBS)
-
-openvas-check-signature.o: openvas-check-signature.c
- $(CC) $(OPENVAS_CFLAGS) $(OPENVAS_INCLUDE) -c openvas-check-signature.c
-
users.o : users.c users.h
$(CC) $(OPENVAS_CFLAGS) $(OPENVAS_INCLUDE) -c users.c
@@ -136,5 +130,5 @@
shared_socket.o : shared_socket.c
$(CC) $(OPENVAS_CFLAGS) $(OPENVAS_INCLUDE) -c shared_socket.c
clean :
- rm -f *.o openvasd openvas-check-signature *~
+ rm -f openvasd *.o *~
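Review bot: The `all : openvasd` target in the first hunk drops the only in-tree verifier for downloaded plugin archives, but nothing in the commit's file list updates the caller that the removed manpage names: doc/openvas-check-signature.1 (deleted in this same commit) states that openvas-update-plugins invokes openvas-check-signature to check plugin signatures. If that script still calls the binary, plugin updates will either fail or — depending on how the script treats a missing command — proceed without any signature check, which silently weakens the update path the log message says gnupg is meant to cover. The gnupg-based replacement should land in the same change, or the commit message should point to where the caller is adapted; I cannot see openvas-update-plugins from this page, so this may already be handled elsewhere. The `clean` rule rewrite in the second hunk, `rm -f openvasd *.o *~`, is consistent with the target removal.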
Deleted: trunk/openvas-server/openvasd/openvas-check-signature.c
===================================================================
--- trunk/openvas-server/openvasd/openvas-check-signature.c 2008-11-10 09:43:26 UTC (rev 1684)
+++ trunk/openvas-server/openvasd/openvas-check-signature.c 2008-11-10 09:44:21 UTC (rev 1685)
@@ -1,375 +0,0 @@
-/* OpenVAS
-* $Id$
-* Description: generates/checks a signature for a given file.
-*
-* Authors: - Renaud Deraison <deraison at nessus.org> (Original pre-fork develoment)
-* - Tim Brown <mailto:timb at openvas.org> (Initial fork)
-* - Laban Mwangi <mailto:labanm at openvas.org> (Renaming work)
-* - Tarik El-Yassem <mailto:tarik at openvas.org> (Headers section)
-*
-* Copyright:
-* Portions Copyright (C) 2006 Software in the Public Interest, Inc.
-* Based on work Copyright (C) 1998 - 2006 Tenable Network Security, Inc.
-*
-* This program is free software; you can redistribute it and/or modify
-* it under the terms of the GNU General Public License version 2,
-* as published by the Free Software Foundation
-*
-* This program is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License
-* along with this program; if not, write to the Free Software
-* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-*
-*
-*/
-
-/* FIXME: The code here is mostly a duplicate of code in
- * openvas-libnasl/nasl/nasl_crypto2.c. The main difference is that the
- * signatures dealt with here are detached, whereas the signatures
- * handled by nasl_crypto2.c are part of the signed file.
- *
- * Also, the original OpenSSL code in this file was probably better at
- * handling larger files. The new code read the file to sign or verify
- * completely into memory which may be inefficient for large files.
- *
- * Before something is done about it, OpenVAS needs to decide how to
- * deal with signed files in general.
- */
-
-#include <includes.h>
-#include <gnutls/gnutls.h>
-#include <gnutls/x509.h>
-
-
-void
-print_tls_error(char *txt, int err)
-{
- fprintf(stderr, "%s: %s (%d)\n", txt, gnutls_strerror(err), err);
-}
-
-gnutls_datum_t
-map_file(const char * filename)
-{
- FILE *f;
- gnutls_datum loaded_file = { NULL, 0 };
- long filelen;
- void *ptr;
-
- if (!(f = fopen(filename, "r"))
- || fseek(f, 0, SEEK_END) != 0
- || (filelen = ftell(f)) < 0
- || fseek(f, 0, SEEK_SET) != 0
- || !(ptr = emalloc((size_t) filelen))
- || fread(ptr, 1, (size_t) filelen, f) < (size_t) filelen)
- {
- return loaded_file;
- }
-
- loaded_file.data = ptr;
- loaded_file.size = (unsigned int) filelen;
- return loaded_file;
-}
-
-static ptrdiff_t
-hexdecode(unsigned char *binary, const unsigned char *hex, size_t fromlen)
-{
- char temp[3] = {0, 0, 0};
- unsigned char * to = binary;
- const unsigned char * from = hex;
-
- while ((from - hex) < fromlen - 1)
- {
- temp[0] = from[0];
- temp[1] = from[1];
- *to = strtoul(temp, NULL, 16);
- to += 1;
- from += 2;
- }
-
- return to - binary;
-}
-
-
-/*
- * Signs a given file
- */
-static int
-generate_signature(char * keyfilename, char * filename)
-{
- int result = -1;
- int i;
- int be_len;
- gnutls_datum_t pem = {NULL, 0};
- gnutls_datum_t script = {NULL, 0};
- gnutls_x509_privkey_t privkey = NULL;
- unsigned char* signature = NULL;
- size_t signature_size = 0;
- int err;
-
- err = gnutls_x509_privkey_init(&privkey);
- if (err)
- {
- print_tls_error("gnutls_x509_privkey_init", err);
- goto fail;
- }
-
- pem = map_file(keyfilename);
- if (!pem.data)
- goto fail;
-
- err = gnutls_x509_privkey_import(privkey, &pem, GNUTLS_X509_FMT_PEM);
- if (err)
- {
- print_tls_error("gnutls_x509_privkey_import", err);
- goto fail;
- }
-
- script = map_file(filename);
- if (!script.data)
- {
- goto fail;
- }
-
- /* append the size of the file at the end of the script */
- script.data = erealloc(script.data, script.size + sizeof(be_len));
- be_len = htonl(script.size);
- memcpy(script.data + script.size, &be_len, sizeof(be_len));
- script.size += sizeof(be_len);
-
- /* call gnutls_x509_privkey_sign_data twice: once to determine the
- * size of the signature and then again to actually create the
- * signature */
- err = gnutls_x509_privkey_sign_data(privkey, GNUTLS_DIG_SHA1, 0, &script,
- signature, &signature_size);
- if (err != GNUTLS_E_SHORT_MEMORY_BUFFER)
- {
- print_tls_error("gnutls_x509_privkey_sign_data", err);
- goto fail;
- }
-
- signature = emalloc(signature_size);
- err = gnutls_x509_privkey_sign_data(privkey, GNUTLS_DIG_SHA1, 0, &script,
- signature, &signature_size);
- if (err)
- {
- print_tls_error("gnutls_x509_privkey_sign_data", err);
- goto fail;
- }
-
- /* print the signature to stdout in hexadecimal */
- for (i = 0; i < signature_size; i++)
- {
- printf("%.2x", signature[i]);
- }
- printf("\n");
-
- result = 0;
-
- fail:
- efree(&pem.data);
- efree(&script.data);
- efree(&signature);
- gnutls_x509_privkey_deinit(privkey);
-
- return result;
-}
-
-
-/*
- * Verify an archive signature
- *
- * Returns :
- * -1 : if an error occured
- * 0 : if the signature matches
- * 1 : if the signature does NOT match
- */
-static int
-verify_signature(char * certfilename, char * filename, char * sigfilename)
-{
- int be_len;
- gnutls_x509_crt_t cert = NULL;
- gnutls_datum_t pem = {NULL, 0};
- gnutls_datum_t script = {NULL, 0};
- gnutls_datum_t signature = {NULL, 0};
- int result = -1;
- int err;
-
- pem = map_file(certfilename);
- if (!pem.data)
- goto fail;
-
- err = gnutls_x509_crt_init(&cert);
- if (err)
- {
- print_tls_error("gnutls_x509_crt_init", err);
- goto fail;
- }
-
- err = gnutls_x509_crt_import(cert, &pem, GNUTLS_X509_FMT_PEM);
- if (err)
- {
- print_tls_error("gnutls_x509_crt_import", err);
- goto fail;
- }
-
- script = map_file(filename);
- if (!script.data)
- {
- goto fail;
- }
-
- /* Make room for the size of the file at the end of the script and
- * append the size */
- script.data = erealloc(script.data, script.size + sizeof(be_len));
- be_len = htonl(script.size);
- memcpy(script.data + script.size, &be_len, sizeof(be_len));
- script.size += sizeof(be_len);
-
- /* read and decode the hex signature. Decoding can be done in place
- * because the binary signature is always shorter than its hexadecimal
- * representation. */
- signature = map_file(sigfilename);
- if (!signature.data)
- {
- goto fail;
- }
- signature.size = hexdecode(signature.data, signature.data, signature.size);
-
- err = gnutls_x509_crt_verify_data(cert, 0, &script, &signature);
- if (err < 0)
- {
- print_tls_error("gnutls_x509_crt_verify_data", err);
- goto fail;
- }
-
- result = err == 1 ? 0 : 1;
-
- fail:
- gnutls_x509_crt_deinit(cert);
- efree(&script.data);
- efree(&signature.data);
- efree(&pem);
-
- return result;
-
-}
-
-
-int
-main(int argc, char ** argv)
-{
- int do_sign = 0;
- int do_print_usage = 0;
- char * keyfile = NULL;
- char * certfile = NULL;
- int opt;
- int option_index = 0;
- struct option long_options[] =
- {
- {"help", no_argument, 0, 'h'},
- {"certificate", required_argument, 0, 'c'},
- {"key", required_argument, 0, 'k'},
- {"sign", no_argument, 0, 's'},
- {0, 0, 0, 0}
- };
-
- while ((opt = getopt_long(argc, argv, "c:hk:s", long_options, &option_index))
- != -1)
- {
- switch (opt)
- {
- case 'c':
- certfile = optarg;
- break;
-
- case 'h':
- do_print_usage = 1;
- break;
-
- case 'k':
- keyfile = optarg;
- break;
-
- case 's':
- do_sign = 1;
- break;
-
- case '?':
- fprintf(stderr, "unknown option or missing"
- " parameter for option '%c'\n", opt);
- return 1;
-
- default:
- fprintf(stderr, "option '%c' not implemented\n", opt);
- return 1;
- }
- }
-
- if (do_print_usage)
- {
- fprintf(stderr,
- "Usage: openvas-check-signature [options]"
- " filename [signaturefile]\n");
- fprintf(stderr, "Options:\n");
- fprintf(stderr, " -h Print this help message\n");
- fprintf(stderr, " -k keyfile File with private key for signature\n");
- fprintf(stderr, " -c certfile File with certificate for signature"
- " verificationi\n");
- return 0;
- }
-
- nessus_SSL_init(NULL);
-
- if (do_sign)
- {
- if (!keyfile)
- {
- fprintf(stderr, "Missing parameter -k required for"
- " signature generation\n");
- return 1;
- }
- if (optind >= argc)
- {
- fprintf(stderr, "missing filename parameter\n");
- return 1;
- }
-
- generate_signature(keyfile, argv[optind]);
- }
- else
- {
- if (!certfile)
- {
- fprintf(stderr, "Missing parameter -c required for"
- " signature verification\n");
- return 1;
- }
-
- if (optind + 1 >= argc)
- {
- fprintf(stderr, "for signature verification, a filename and the"
- " signature filename must be given\n");
- return 1;
- }
- else
- {
- char * filename = argv[optind];
- char * signaturefile = argv[optind + 1];
-
- if (verify_signature(certfile, filename, signaturefile) == 0)
- return 0;
- else
- {
- fprintf(stderr, "%s is not the valid signature for %s\n",
- signaturefile, filename);
- return 1;
- }
- }
- }
-
- return 0;
-}