Add: Encrypting and decrypting of the RADIUS server secret key
Merge pull request #1899 from jhelmold/T4-123_RADIUS_key_is_not_encrypted
timopollmeier authored Feb 23, 2023
2 parents 32a25b9 + 0ba9b8f commit a47802c
Showing 5 changed files with 99 additions and 12 deletions.
2 changes: 1 addition & 1 deletion CMakeLists.txt
Expand Up @@ -96,7 +96,7 @@ include (CPack)

## Variables

set (GVMD_DATABASE_VERSION 250)
set (GVMD_DATABASE_VERSION 251)

set (GVMD_SCAP_DATABASE_VERSION 19)

2 changes: 1 addition & 1 deletion cmake/FindPostgreSQL.cmake
Expand Up @@ -87,7 +87,7 @@ set(PostgreSQL_ROOT_DIR_MESSAGE "Set the PostgreSQL_ROOT system variable to wher


set(PostgreSQL_KNOWN_VERSIONS ${PostgreSQL_ADDITIONAL_VERSIONS}
"13" "12" "11" "10" "9.6" "9.5" "9.4" "9.3" "9.2" "9.1" "9.0" "8.4" "8.3" "8.2" "8.1" "8.0")
"14" "13" "12" "11" "10" "9.6" "9.5" "9.4" "9.3" "9.2" "9.1" "9.0" "8.4" "8.3" "8.2" "8.1" "8.0")

# Define additional search paths for root directories.
set( PostgreSQL_ROOT_DIRECTORIES
10 changes: 8 additions & 2 deletions src/gmp.c
Expand Up @@ -18658,10 +18658,15 @@ gmp_xml_handle_end_element (/* unused */ GMarkupParseContext* context,

if (gvm_auth_radius_enabled ())
{
char *radius_host, *radius_key;
char *radius_host = NULL;
char *radius_key = NULL;
char *key = "";
int radius_enabled;
manage_get_radius_info (&radius_enabled, &radius_host,
&radius_key);
if (radius_key && strlen(radius_key))
key = "********";

SENDF_TO_CLIENT_OR_FAIL
("<group name=\"method:radius_connect\">"
"<auth_conf_setting>"
Expand All @@ -18677,7 +18682,8 @@ gmp_xml_handle_end_element (/* unused */ GMarkupParseContext* context,
"<value>%s</value>"
"</auth_conf_setting>"
"</group>",
radius_enabled ? "true" : "false", radius_host, radius_key);
radius_enabled ? "true" : "false", radius_host,
key);
g_free (radius_host);
g_free (radius_key);
}
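Review bot: The decrypted RADIUS secret is materialised in `radius_key` only to decide whether the `********` mask is printed, and it is then released with `g_free` at the bottom of the hunk without being wiped, so the plaintext stays in the process heap longer than needed. Since the value itself is never sent, clear it before freeing: `if (radius_key) memset (radius_key, 0, strlen (radius_key));` ahead of `g_free (radius_key);` — a plain `memset` right before `free` can be elided by the compiler, so prefer `explicit_bzero` if the build already has it. Minor style: `strlen(radius_key)` on the new `if` line omits the space before the parenthesis that the surrounding calls (`g_free (radius_host)`, `manage_get_radius_info (...)`) use. The enclosing `gmp_xml_handle_end_element` begins and ends outside this hunk.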
55 changes: 55 additions & 0 deletions src/manage_migrators.c
Expand Up @@ -2942,6 +2942,60 @@ migrate_249_to_250 ()
return 0;
}

/**
* @brief Migrate the database from version 250 to version 251.
*
* @return 0 success, -1 error.
*/
int
migrate_250_to_251 ()
{
sql_begin_immediate ();

/* Ensure that the database is currently version 249. */

if (manage_db_version () != 250)
{
sql_rollback ();
return -1;
}

/* Update the database. */

char *secret_key = NULL;

secret_key = sql_string ("SELECT value FROM meta WHERE name = 'radius_key';");

if (secret_key)
{
char *secret;
char *quoted;
lsc_crypt_ctx_t crypt_ctx;
crypt_ctx = lsc_crypt_new ();

sql ("DELETE FROM meta WHERE name LIKE 'radius_key';");
secret = lsc_crypt_encrypt (crypt_ctx, "secret_key", secret_key, NULL);
if (secret)
{
quoted = sql_quote (secret);
sql ("INSERT INTO meta (name, value) VALUES ('radius_key', '%s');", quoted);
g_free (secret);
secret = NULL;
g_free (quoted);
}
lsc_crypt_release(crypt_ctx);
g_free (secret_key);
}

/* Set the database version to 251. */

set_db_version (251);

sql_commit ();

return 0;
}

#undef UPDATE_DASHBOARD_SETTINGS

/**
Expand Down Expand Up @@ -2998,6 +3052,7 @@ static migrator_t database_migrators[] = {
{248, migrate_247_to_248},
{249, migrate_248_to_249},
{250, migrate_249_to_250},
{251, migrate_250_to_251},
/* End marker. */
{-1, NULL}};
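Review bot: In `migrate_250_to_251` the plaintext `radius_key` row is deleted before `lsc_crypt_encrypt` is called, and when that call returns NULL nothing is re-inserted, yet the migration still sets the version to 251, commits and returns 0 — the configured RADIUS secret is lost silently. Encrypt first and, on failure, release the context, roll back and return -1 so the old row survives; whether `lsc_crypt_new` can itself return NULL is not visible here and may deserve the same treatment. The comment `/* Ensure that the database is currently version 249. */` is a copy-paste slip and should read `250`. The plaintext `secret_key` is also freed without being wiped.
```c
  secret_key = sql_string ("SELECT value FROM meta WHERE name = 'radius_key';");

  if (secret_key)
    {
      char *secret;
      char *quoted;
      lsc_crypt_ctx_t crypt_ctx;
      crypt_ctx = lsc_crypt_new ();

      /* Encrypt before touching the row so a failure leaves the old value. */
      secret = lsc_crypt_encrypt (crypt_ctx, "secret_key", secret_key, NULL);
      if (secret == NULL)
        {
          lsc_crypt_release (crypt_ctx);
          g_free (secret_key);
          sql_rollback ();
          return -1;
        }

      sql ("DELETE FROM meta WHERE name LIKE 'radius_key';");
      quoted = sql_quote (secret);
      sql ("INSERT INTO meta (name, value) VALUES ('radius_key', '%s');", quoted);
      g_free (quoted);
      g_free (secret);
      lsc_crypt_release (crypt_ctx);
      g_free (secret_key);
    }
  /* … unchanged: set_db_version (251), sql_commit, return 0 … */
```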

42 changes: 34 additions & 8 deletions src/manage_sql.c
Expand Up @@ -53348,16 +53348,31 @@ manage_set_ldap_info (int enabled, gchar *host, gchar *authdn,
void
manage_get_radius_info (int *enabled, char **host, char **key)
{
char *secret;

if (enabled)
*enabled = radius_auth_enabled ();

*host = sql_string ("SELECT value FROM meta WHERE name = 'radius_host';");
if (!*host)
*host = g_strdup ("127.0.0.1");

*key = sql_string ("SELECT value FROM meta WHERE name = 'radius_key';");
if (!*key)
*key = g_strdup ("testing123");
secret = sql_string ("SELECT value FROM meta WHERE name = 'radius_key';");
if (!secret)
*key = g_strdup ("");
else
{
const char *decrypted;
lsc_crypt_ctx_t crypt_ctx;
crypt_ctx = lsc_crypt_new ();
decrypted = lsc_crypt_decrypt (crypt_ctx, secret, "secret_key");
if (decrypted)
*key = g_strdup (decrypted);
else
*key = g_strdup ("");
lsc_crypt_release (crypt_ctx);
g_free (secret);
}
}

/**
Expand Down Expand Up @@ -53390,13 +53405,24 @@ manage_set_radius_info (int enabled, gchar *host, gchar *key)
g_free (quoted);
}

if (key)
if (key && strlen (key))
{
char *secret;
lsc_crypt_ctx_t crypt_ctx;
crypt_ctx = lsc_crypt_new ();

sql ("DELETE FROM meta WHERE name LIKE 'radius_key';");
quoted = sql_quote (key);
sql ("INSERT INTO meta (name, value) VALUES ('radius_key', '%s');",
quoted);
g_free (quoted);
secret = lsc_crypt_encrypt (crypt_ctx, "secret_key", key, NULL);
if (secret)
{
quoted = sql_quote (secret);
sql ("INSERT INTO meta (name, value) VALUES ('radius_key', '%s');",
quoted);
g_free (secret);
secret = NULL;
g_free (quoted);
}
lsc_crypt_release(crypt_ctx);
}

sql_commit ();
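Review bot: `manage_set_radius_info` now encrypts and stores whatever non-empty `key` it receives, while the gmp.c change in this same commit reports the key to clients as the literal `********`; a client that reads the auth settings and submits them back unchanged will therefore replace the real secret with the mask, unless the GMP modify handler (not in this hunk) filters it. Reject the sentinel here as well, e.g. `if (key && strlen (key) && strcmp (key, "********") != 0)`, ideally with the mask string defined once and shared with gmp.c rather than duplicated. The new guard also changes an empty key from "store an empty secret" to "leave the stored secret untouched", which is reasonable but deserves a comment on the `if` line: `/* An empty key keeps the currently stored secret. */`. The body of `manage_set_radius_info` starts before this hunk.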
