Rather than set nasl_no_signature_check = yes, and since I could not get the key files to hold more than one key,
I built this patch, which allows a second, local keypair to be
used for plugin signatures.
Assuming install location /usr/local/nessus:
--- 1 KEY GENERATION and INSTALLATION ---
anon$ cat generate_and_install_local_cert.sh
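#!/bin/bash
# Generate a local RSA keypair for signing NASL plugins and install it under
# the Nessus state directory (assumes --prefix=/usr/local/nessus).
#
# Files produced in the current directory, then copied to $STATE_DIR:
#   local_signing_key.priv.pem  passphrase-protected private key (keep secret)
#   local_signing_key.pem       public key; the patched nasl_crypto2.c reads it
#                               from $STATE_DIR as a second trusted signing key
set -eu
umask 077   # never let the private key be created readable by others

STATE_DIR=/usr/local/nessus/var/nessus

openssl genrsa -aes256 -f4 -out ./local_signing_key.priv.pem 4096
openssl rsa -pubout -in ./local_signing_key.priv.pem -out ./local_signing_key.pem

cp local_signing_key.priv.pem local_signing_key.pem "$STATE_DIR"

# The original script copied a file named local_plugin_signing.key, which it
# never creates; the only private key generated here is
# local_signing_key.priv.pem, so that is what becomes nessus_org.priv.pem.
# NOTE(review): confirm nessus_org.priv.pem is the key `nasl -S` reads.
cp "$STATE_DIR/local_signing_key.priv.pem" "$STATE_DIR/nessus_org.priv.pem"

# Private material stays owner-only; the public key may be world-readable but
# must not be writable by anyone else, since it is a trust root for plugins.
chmod 600 "$STATE_DIR/local_signing_key.priv.pem" "$STATE_DIR/nessus_org.priv.pem"
chmod 644 "$STATE_DIR/local_signing_key.pem"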
--- 2 PATCH FOR libnasl/nasl/nasl_crypto2.c ---
anon$ cat add_local_signing_key.patch
--- nasl_crypto2.c 2005-06-12 19:09:54.000000000 +0000
+++ nasl_crypto2.c 2005-06-13 00:30:41.137971416 +0000
@@ -873,7 +873,9 @@
char * t;
unsigned char md[SHA_DIGEST_LENGTH+1];
RSA * rsa = NULL;
+ RSA * rsa_local = NULL;
FILE * fp = fopen(NESSUS_STATE_DIR "/nessus/nessus_org.pem", "r");
+ FILE * fp_local = fopen(NESSUS_STATE_DIR
"/nessus/local_signing_key.pem", "r");
char sig[16384];
unsigned char bin_sig[8192];
int binsz = 0;
@@ -891,7 +893,11 @@
rsa = PEM_read_RSA_PUBKEY(fp, NULL, NULL, NULL);
+ rsa_local = PEM_read_RSA_PUBKEY(fp_local, NULL, NULL, NULL);
+
fclose(fp);
+ fclose(fp_local);
+
if ( rsa == NULL ) return -1;
msg = map_file(filename, &msg_len);
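Review bot: `fp_local` is never checked for NULL before `PEM_read_RSA_PUBKEY(fp_local, …)` and `fclose(fp_local)` in this hunk, so a host where local_signing_key.pem is absent — which the unchanged `if ( rsa == NULL ) return -1;` suggests must remain a legal configuration — will crash in fclose instead of falling back to the vendor key alone. The fopen is in the previous hunk; whatever guards `fp` presumably sits in the lines between the two hunks, and `fp_local` needs the same treatment. Minimal change: `rsa_local = fp_local ? PEM_read_RSA_PUBKEY(fp_local, NULL, NULL, NULL) : NULL;` and `if (fp_local) fclose(fp_local);`. The enclosing function starts before the first hunk.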
@@ -924,11 +930,17 @@
if ( binsz >= sizeof(bin_sig) ) goto err; /* Too long signature */
}
-
-
res = RSA_verify(NID_sha1, md, SHA_DIGEST_LENGTH, bin_sig, binsz, rsa);
RSA_free(rsa);
efree(&msg);
+
+ /* if fail, attempt comparision with local key */
+ if ( res == 0 ) {
+ res = RSA_verify(NID_sha1, md, SHA_DIGEST_LENGTH, bin_sig,
binsz, rsa_local);
+ }
+
+ RSA_free(rsa_local);
+
return res == 1 ? 0 : 1;
err:
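Review bot: The fallback `RSA_verify(..., rsa_local)` runs whenever the vendor key rejects the signature, including when `rsa_local` is NULL because the local key file was missing or unparsable, and OpenSSL will dereference that pointer; guard it as `if ( res == 0 && rsa_local != NULL ) {`. `rsa_local` is also not released on the `goto err` path taken at the over-long-signature check at the top of this hunk (the `err:` cleanup continues outside the hunk), so an oversized signature leaks it — add `RSA_free(rsa_local);` under `err:` as well. The added block deserves a comment that the local key is a second, equally trusted root — any script it signs will run — e.g. `/* local key is a second trust root: protect local_signing_key.pem like nessus_org.pem */`. Note too that only `res == 0` triggers the fallback, so a -1 (error) from the first verify skips the local key; fine if intended, but say so in the comment.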
--- 3 UNINSTALL NESSUS AND NASL LIBS ---
/usr/local/nessus/sbin/uninstall-nessus
(make sure old versions of libnasl aren't lying around)
(check /usr/local/lib/ for libnasl* files)
--- 4 BUILD SEQUENCE W/ PATCH ---
anon$ cat buildnessus.sh
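# Extract, patch and build Nessus 2.2.4 in dependency order (libraries,
# libnasl, core, plugins), installing under /usr/local/nessus.
# Run from the directory holding archives/ and add_local_signing_key.patch.
# Every cd and build step is checked so that a failure in one component stops
# the run instead of installing a mismatched set of libraries.
set -u

PREFIX=/usr/local/nessus
PATCH="$(pwd)/add_local_signing_key.patch"   # absolute: we cd into each tree

# NOTE(review): nothing here verifies the tarballs' integrity; check the
# vendor-published checksums/signatures before extracting.
for x in libnasl-2.2.4 nessus-core-2.2.4 nessus-libraries-2.2.4 nessus-plugins-2.2.4
do
    echo "extracting $x"
    tar zxf "archives/$x.tar.gz" || { echo "failed to extract $x" >&2; exit 1; }
done
echo "extraction complete"

# configure/make/install one source tree, then return to the top directory.
# `make distclean` is best-effort: a freshly extracted tree has no Makefile.
build_tree() {
    cd "$1" || exit 1
    make distclean
    ./configure --prefix="$PREFIX" && make && make install || {
        echo "build of $1 failed" >&2
        exit 1
    }
    cd .. || exit 1
}

build_tree nessus-libraries

# libnasl must be patched before it is built; the patch is -p0 relative to
# libnasl/nasl, matching the `--- nasl_crypto2.c` header in the patch file.
echo "patching libnasl"
( cd libnasl/nasl && patch -p0 -u < "$PATCH" ) || { echo "patch did not apply" >&2; exit 1; }
build_tree libnasl

build_tree nessus-core
build_tree nessus-plugins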
--- 5 TEST LIBNASL ---
anon$ echo "exit(); " > test.nasl && nasl -p test.nasl
anon$ nasl -S test.nasl > test.signed.nasl
Enter PEM pass phrase:
anon$ nasl -p test.signed.nasl
anon$ echo "#foo" >> test.signed.nasl
anon$ nasl -p test.signed.nasl
test.signed.nasl: bad signature. Will not execute this script
--------------------------
HTH
anon