diff --git a/doc/gvmd.html b/doc/gvmd.html
index 5c3a9391f..6eda9e925 100644
--- a/doc/gvmd.html
+++ b/doc/gvmd.html
@@ -57,6 +57,14 @@ Options
+ --create-encryption-key
+
+ Create a new credential encryption key, set it as the new default
+ and exit. With no other options given, a 4096 bit RSA key is
+ created.
+
+
+
--create-scanner=SCANNER
Create global scanner SCANNER and exit.
@@ -117,6 +125,20 @@ Options
+ --encryption-key-length=LENGTH
+
+ Set key length to LENGTH bits when creating a new RSA credential
+ encryption key. Defaults to 4096.
+
+
+
+ --encryption-key-type=TYPE
+
+ Use the key type TYPE when creating a new credential encryption key.
+ Currently only RSA is supported.
+
+
+
--encrypt-all-credentials
(Re-)Encrypt all credentials.
diff --git a/src/gvmd.c b/src/gvmd.c
index a75b391da..eee28049b 100644
--- a/src/gvmd.c
+++ b/src/gvmd.c
@@ -1824,12 +1824,16 @@ gvmd (int argc, char** argv, char *env[])
static int auth_timeout = 15;
static gboolean check_alerts = FALSE;
+ static gboolean create_encryption_key = FALSE;
static gboolean migrate_database = FALSE;
static gboolean encrypt_all_credentials = FALSE;
static gboolean decrypt_all_credentials = FALSE;
static gboolean disable_password_policy = FALSE;
static gboolean disable_scheduling = FALSE;
static gboolean dump_vt_verification = FALSE;
+ static gchar *encryption_key_type = NULL;
+ static int encryption_key_length = 0;
+ static gchar *set_encryption_key = NULL;
static gboolean get_roles = FALSE;
static gboolean get_users = FALSE;
static gboolean get_scanners = FALSE;
@@ -1918,6 +1922,12 @@ gvmd (int argc, char** argv, char *env[])
" 0 to disable. Defaults to "
G_STRINGIFY (DEFAULT_CLIENT_WATCH_INTERVAL) " seconds.",
"" },
+ { "create-encryption-key", '\0', 0, G_OPTION_ARG_NONE,
+ &create_encryption_key,
+ "Create a new credential encryption key, set it as the new default"
+ " and exit."
+ " With no other options given, a 4096 bit RSA key is created.",
+ NULL },
{ "create-scanner", '\0', 0, G_OPTION_ARG_STRING,
&create_scanner,
"Create global scanner and exit.",
@@ -1979,6 +1989,17 @@ gvmd (int argc, char** argv, char *env[])
&dump_vt_verification,
"Dump the string the VTs verification hash is calculated from.",
NULL },
+ { "encryption-key-length", '\0', 0, G_OPTION_ARG_INT,
+ &encryption_key_length,
+ "Set key length to bits when creating a new RSA"
+ " credential encryption key. Defaults to "
+ G_STRINGIFY (DEFAULT_ENCRYPTION_KEY_LENGTH) ".",
+ "" },
+ { "encryption-key-type", '\0', 0, G_OPTION_ARG_STRING,
+ &encryption_key_type,
+ "Use the key type when creating a new credential"
+ " encryption key. Currently only RSA is supported.",
+ "" },
{ "encrypt-all-credentials", '\0', 0, G_OPTION_ARG_NONE,
&encrypt_all_credentials,
"(Re-)Encrypt all credentials.",
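Review bot: The help text for `--encryption-key-length` stringifies `DEFAULT_ENCRYPTION_KEY_LENGTH`, but the constant this commit defines in src/lsc_crypt.h is `DEFAULT_ENCRYPTION_RSA_KEY_LENGTH`; unless the former is defined somewhere outside this diff, `G_STRINGIFY` will emit the macro name verbatim and the help will read "Defaults to DEFAULT_ENCRYPTION_KEY_LENGTH." instead of the 4096 that doc/gvmd.html promises. Either use `G_STRINGIFY (DEFAULT_ENCRYPTION_RSA_KEY_LENGTH)` here or define the missing constant next to the other defaults. The option table belongs to gvmd(), which starts and ends outside this hunk.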
@@ -2180,6 +2201,11 @@ gvmd (int argc, char** argv, char *env[])
"During CERT and SCAP sync, commit updates to the database every"
" items, 0 for unlimited, default: "
G_STRINGIFY (SECINFO_COMMIT_SIZE_DEFAULT), "" },
+ { "set-encryption-key", '\0', 0, G_OPTION_ARG_STRING,
+ &set_encryption_key,
+ "Set the encryption key with the given UID as the new default"
+ " and exit.",
+ "" },
{ "unix-socket", 'c', 0, G_OPTION_ARG_STRING,
&manager_address_string_unix,
"Listen on UNIX socket at .",
@@ -2438,6 +2464,17 @@ gvmd (int argc, char** argv, char *env[])
g_debug ("No default relay mapper found.");
}
+ /*
+ * Parameters for new credential encryption keys
+ */
+ if (lsc_crypt_enckey_parms_init (encryption_key_type,
+ encryption_key_length))
+ {
+ g_critical ("%s: failed to set encryption key parameters", __func__);
+ gvm_close_sentry ();
+ exit (EXIT_FAILURE);
+ }
+
/**
* LDAP debugging
*/
@@ -2834,6 +2871,37 @@ gvmd (int argc, char** argv, char *env[])
return EXIT_SUCCESS;
}
+ if (create_encryption_key)
+ {
+ int ret;
+ setproctitle ("gvmd: Creating encryption key");
+
+ if (option_lock (&lockfile_checking))
+ return EXIT_FAILURE;
+
+ ret = manage_create_encryption_key (log_config, &database);
+ log_config_free ();
+ if (ret)
+ return EXIT_FAILURE;
+ return EXIT_SUCCESS;
+ }
+
+ if (set_encryption_key)
+ {
+ int ret;
+ setproctitle ("gvmd: Setting encryption key");
+
+ if (option_lock (&lockfile_checking))
+ return EXIT_FAILURE;
+
+ ret = manage_set_encryption_key (log_config, &database,
+ set_encryption_key);
+ log_config_free ();
+ if (ret)
+ return EXIT_FAILURE;
+ return EXIT_SUCCESS;
+ }
+
if (create_user)
{
int ret;
diff --git a/src/lsc_crypt.c b/src/lsc_crypt.c
index 2ced268e3..5602e0573 100644
--- a/src/lsc_crypt.c
+++ b/src/lsc_crypt.c
@@ -41,15 +41,6 @@
*/
#define G_LOG_DOMAIN "md crypt"
-/**
- * @brief The name of the encryption key.
- *
- * Note that the code will use the "=" prefix flag to indicate an
- * exact search. Thus when creating the key it should not have a
- * comment or email address part.
- */
-#define ENCRYPTION_KEY_UID "GVM Credential Encryption"
-
/**
* @brief The maximum size of an encrypted value
*
@@ -94,8 +85,15 @@ struct lsc_crypt_ctx_s
char *plaintext; ///< Text to be encrypted.
size_t plaintextlen; ///< Length of text.
struct namelist_s *namelist; ///< Info describing PLAINTEXT.
+ gchar *enckey_uid; ///< Encryption key UID to use.
};
+
+/* Key generation parameters */
+gchar *enckey_type = NULL;
+
+int enckey_length = 0;
+
/* Simple helper functions */
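Review bot: `enckey_type` and `enckey_length` are file-scope variables with external linkage, yet no header in this commit declares them and the only readers and writers are in this file (`generate_parms_string` and `lsc_crypt_enckey_parms_init`); declare them `static gchar *enckey_type = NULL;` and `static int enckey_length = 0;` so the key-generation parameters cannot be reached or clobbered from another translation unit. A one-line comment on each saying they are set once by `lsc_crypt_enckey_parms_init` before any context is used would also help, since `find_the_key` can trigger key generation lazily on any context.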
@@ -166,6 +164,31 @@ get32 (const void *buffer)
/* Local functions. */
+static gchar*
+generate_parms_string (const char *enckey_uid)
+{
+ gchar *parms_string = NULL;
+
+ if (enckey_type == NULL || strcasecmp (enckey_type, "RSA") == 0)
+ {
+ parms_string = g_strdup_printf (
+ "\n"
+ "Key-Type: RSA\n"
+ "Key-Length: %d\n"
+ "Key-Usage: encrypt\n"
+ "Name-Real: %s\n"
+ "Expire-Date: 0\n"
+ "%%no-protection\n"
+ "%%no-ask-passphrase\n"
+ "\n",
+ (enckey_length > 0) ? enckey_length
+ : DEFAULT_ENCRYPTION_RSA_KEY_LENGTH,
+ enckey_uid
+ );
+ }
+ return parms_string;
+}
+
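Review bot: `generate_parms_string` returns NULL for any type other than RSA without saying why, and its caller `create_the_key` (next hunk) passes that NULL on to gpgme; the unsupported-type case should at least be logged here, e.g. `else log_gpgme (G_LOG_LEVEL_WARNING, 0, "unsupported encryption key type '%s'", enckey_type);` before `return parms_string;`. The function also has no doc comment; a short one stating that it returns a newly allocated GnuPG key-parameter block the caller must g_free, or NULL when `enckey_type` is neither NULL nor "RSA", would match the file's Doxygen style. `strcasecmp` needs `<strings.h>`, which I cannot see included in this chunk — confirm it is.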
/**
* @brief Create the credential encryption key
@@ -179,16 +202,14 @@ get32 (const void *buffer)
static int
create_the_key (lsc_crypt_ctx_t ctx)
{
- const char parms[] =
- "\n"
- "Key-Type: RSA\n"
- "Key-Length: 2048\n"
- "Key-Usage: encrypt\n"
- "Name-Real: " ENCRYPTION_KEY_UID "\n"
- "Expire-Date: 0\n"
- "%no-protection\n"
- "%no-ask-passphrase\n"
- "\n";
+ if (ctx->enckey_uid == NULL || strcmp (ctx->enckey_uid, "") == 0)
+ {
+ log_gpgme (G_LOG_LEVEL_WARNING, 0,
+ "encryption context has no key UID set");
+ return -1;
+ }
+
+ gchar *parms = generate_parms_string (ctx->enckey_uid);
gpg_error_t err;
log_gpgme (G_LOG_LEVEL_INFO, 0, "starting key generation ...");
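Review bot: `parms` is heap-allocated by `generate_parms_string` but neither this hunk nor the next one frees it, and it is handed on without a NULL check, so an unsupported `--encryption-key-type` reaches the gpgme key-generation call with a NULL parameter block instead of producing a clear error. Add a NULL guard right after the assignment and `g_free (parms)` on both the error and the success return; the genkey call itself sits between this hunk and the next. create_the_key's body continues outside the hunk.
```c
  gchar *parms = generate_parms_string (ctx->enckey_uid);
  if (parms == NULL)
    {
      log_gpgme (G_LOG_LEVEL_WARNING, 0,
                 "unsupported encryption key type '%s'", enckey_type);
      return -1;
    }
  gpg_error_t err;
  log_gpgme (G_LOG_LEVEL_INFO, 0, "starting key generation ...");
  /* … unchanged: gpgme_op_genkey call, between this hunk and the next … */
  g_free (parms); /* before both the error return and the success return */
```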
@@ -196,11 +217,11 @@ create_the_key (lsc_crypt_ctx_t ctx)
if (err)
{
log_gpgme(G_LOG_LEVEL_WARNING, err, "error creating OpenPGP key '%s'",
- ENCRYPTION_KEY_UID);
+ ctx->enckey_uid);
return -1;
}
log_gpgme (G_LOG_LEVEL_INFO, 0,
- "OpenPGP key '%s' has been generated", ENCRYPTION_KEY_UID);
+ "OpenPGP key '%s' has been generated", ctx->enckey_uid);
return 0;
}
@@ -222,16 +243,25 @@ find_the_key (lsc_crypt_ctx_t ctx, gboolean no_create)
gpg_error_t err;
int nfound, any_skipped;
gpgme_key_t found, key;
+ gchar *enckey_filter;
+ if (ctx->enckey_uid == NULL || strcmp (ctx->enckey_uid, "") == 0)
+ {
+ log_gpgme (G_LOG_LEVEL_WARNING, 0,
+ "encryption context has no key UID set");
+ return NULL;
+ }
again:
/* Search for the public key. Note that the "=" prefix flag enables
an exact search. */
- err = gpgme_op_keylist_start (ctx->encctx, "="ENCRYPTION_KEY_UID, 0);
+ enckey_filter = g_strdup_printf("=%s", ctx->enckey_uid);
+ err = gpgme_op_keylist_start (ctx->encctx, enckey_filter, 0);
+ g_free (enckey_filter);
if (err)
{
log_gpgme (G_LOG_LEVEL_WARNING, err,
"error starting search for OpenPGP key '%s'",
- ENCRYPTION_KEY_UID);
+ ctx->enckey_uid);
return NULL;
}
@@ -276,13 +306,17 @@ find_the_key (lsc_crypt_ctx_t ctx, gboolean no_create)
}
else if (!found)
{
- static int genkey_tried;
+ static GHashTable *genkey_tried_uids = NULL;
+ if (genkey_tried_uids == NULL)
+ genkey_tried_uids = g_hash_table_new (g_str_hash, g_str_equal);
/* Try to create the key if we have not seen any matching key at
all and if this is the first time in this process' lifetime. */
- if (!any_skipped && !genkey_tried && !no_create)
+ if (!any_skipped
+ && !no_create
+ && !g_hash_table_contains (genkey_tried_uids, ctx->enckey_uid))
{
- genkey_tried = 1;
+ g_hash_table_add (genkey_tried_uids, g_strdup (ctx->enckey_uid));
if (!create_the_key (ctx))
goto again; /* Created - search again. */
}
@@ -296,7 +330,7 @@ find_the_key (lsc_crypt_ctx_t ctx, gboolean no_create)
{
log_gpgme (G_LOG_LEVEL_MESSAGE, err,
"error searching for OpenPGP key '%s'",
- ENCRYPTION_KEY_UID);
+ ctx->enckey_uid);
gpgme_key_unref (found);
found = NULL;
}
@@ -475,6 +509,21 @@ do_decrypt (lsc_crypt_ctx_t ctx, const char *cipherstring,
/* API */
+/**
+ * @brief Sets the parameters for creating a new encryption key
+ *
+ * @param[in] type Type of the
+ * @param[in] length
+ */
+int
+lsc_crypt_enckey_parms_init (const char *type, int length)
+{
+ g_free (enckey_type);
+ enckey_type = type ? g_strdup (type) : NULL;
+ enckey_length = length;
+ return 0;
+}
+
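Review bot: `lsc_crypt_enckey_parms_init` stores any type string and any length and always returns 0, so the failure branch gvmd.c wraps around it (`g_critical ("%s: failed to set encryption key parameters", ...)`) is unreachable, and a request such as `--encryption-key-length=512` is passed through to GnuPG unchecked — `generate_parms_string` only substitutes the default for values of 0 or less. Validate here and return -1: reject a type other than RSA, and reject a positive length below a documented floor (the previous hard-coded key used 2048 bits, so that is a defensible minimum). The doc comment is also unfinished (`@param[in] type Type of the`, `@param[in] length` with no text, no `@return`); complete it with `@param[in] type Key type, currently only "RSA" (case-insensitive) or NULL for the default.`, `@param[in] length Key length in bits, 0 for the default.` and `@return 0 on success, -1 if the type or length is not acceptable.`
```c
int
lsc_crypt_enckey_parms_init (const char *type, int length)
{
  /* MIN_ENCRYPTION_RSA_KEY_LENGTH is a placeholder name: define it next to
   * DEFAULT_ENCRYPTION_RSA_KEY_LENGTH in lsc_crypt.h. */
  if (type && strcasecmp (type, "RSA") != 0)
    {
      g_warning ("%s: unsupported encryption key type '%s'", __func__, type);
      return -1;
    }
  if (length < 0 || (length > 0 && length < MIN_ENCRYPTION_RSA_KEY_LENGTH))
    {
      g_warning ("%s: encryption key length %d bits is not acceptable",
                 __func__, length);
      return -1;
    }
  g_free (enckey_type);
  enckey_type = type ? g_strdup (type) : NULL;
  enckey_length = length;
  return 0;
}
```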
/**
* @brief Return a new context for LSC encryption
*
@@ -482,13 +531,14 @@ do_decrypt (lsc_crypt_ctx_t ctx, const char *cipherstring,
* lsc_crypt_release.
*/
lsc_crypt_ctx_t
-lsc_crypt_new ()
+lsc_crypt_new (const char *enckey_uid)
{
char * path = g_build_filename (GVMD_STATE_DIR, "gnupg", NULL);
lsc_crypt_ctx_t ctx;
ctx = g_malloc0 (sizeof *ctx);
ctx->encctx = gvm_init_gpgme_ctx_from_dir (path);
+ ctx->enckey_uid = enckey_uid ? g_strdup (enckey_uid) : NULL;
g_free (path);
if (!ctx->encctx)
{
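Review bot: `lsc_crypt_new` now g_strdup's `enckey_uid` into the context, but no hunk in this commit touches `lsc_crypt_release`, so unless release already frees that field every context leaks its UID string; the `!ctx->encctx` error path that begins on the last line of this hunk likewise needs to free it if it frees the context. Add `g_free (ctx->enckey_uid);` next to the existing teardown in `lsc_crypt_release`. The function's doc comment (above the hunk) should also state that the UID is copied and that NULL leaves the context unable to look up or create a key, since `find_the_key` and `create_the_key` both bail out with a warning on a missing UID. lsc_crypt_new's body continues outside the hunk.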
@@ -543,6 +593,38 @@ lsc_crypt_flush (lsc_crypt_ctx_t ctx)
ctx->plaintext = NULL;
}
+/**
+ * @brief Checks if the encryption key defined by the context already exists
+ *
+ * @param[in] ctx The context
+ *
+ * @return Whether the key exists
+ */
+gboolean
+lsc_crypt_enckey_exists (lsc_crypt_ctx_t ctx)
+{
+ gpgme_key_t key = find_the_key (ctx, TRUE);
+ return key != NULL;
+}
+
+/**
+ * @brief Creates the key for the given context if it does not already exists
+ *
+ * @param[in] ctx The context
+ *
+ * @return 0 on success, 1 key already exits, -1 on other error.
+ */
+int
+lsc_crypt_create_enckey (lsc_crypt_ctx_t ctx)
+{
+ if (lsc_crypt_enckey_exists (ctx))
+ return 1;
+ if (create_the_key (ctx))
+ return -1;
+ return 0;
+}
+
+
/**
* @brief Encrypt a list of name/value pairs
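Review bot: `lsc_crypt_enckey_exists` drops the `gpgme_key_t` returned by `find_the_key` without `gpgme_key_unref`; the error path in find_the_key (earlier hunks) unrefs `found` before discarding it, which suggests the returned key carries a reference the caller now owns, so every existence check would leak one key object. Change the body to `gboolean exists = key != NULL;`, `if (key) gpgme_key_unref (key);`, `return exists;` — confirm against find_the_key's ownership contract, which is partly outside this diff. The two new doc comments also have typos: "if it does not already exists" and "1 key already exits" should read "if it does not already exist" and "1 if the key already exists".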
diff --git a/src/lsc_crypt.h b/src/lsc_crypt.h
index bf46860c3..63b021e81 100644
--- a/src/lsc_crypt.h
+++ b/src/lsc_crypt.h
@@ -26,6 +26,30 @@
#include
+/// @brief Default length for RSA encryption keys
+#define DEFAULT_ENCRYPTION_RSA_KEY_LENGTH 4096
+
+/**
+ * @brief The name of the old encryption key.
+ *
+ * Note that the code will use the "=" prefix flag to indicate an
+ * exact search. Thus when creating the key it should not have a
+ * comment or email address part.
+ */
+#define OLD_ENCRYPTION_KEY_UID "GVM Credential Encryption"
+
+/**
+ * @brief Template for the name of the encryption key.
+ *
+ * It must contain a single %s that will be replaced with the current
+ * date and time.
+ *
+ * Note that the code will use the "=" prefix flag to indicate an
+ * exact search. Thus when creating the key it should not have a
+ * comment or email address part.
+ */
+#define ENCRYPTION_KEY_UID_TEMPLATE "GVM Credential Encryption - %s"
+
/* (Defined in gvmd.c) */
extern int disable_encrypted_credentials;
@@ -33,13 +57,19 @@ extern int disable_encrypted_credentials;
struct lsc_crypt_ctx_s;
typedef struct lsc_crypt_ctx_s *lsc_crypt_ctx_t;
-lsc_crypt_ctx_t lsc_crypt_new ();
+int lsc_crypt_enckey_parms_init (const char *, int);
+
+lsc_crypt_ctx_t lsc_crypt_new (const char*);
void lsc_crypt_release (lsc_crypt_ctx_t);
int lsc_crypt_create_key ();
void lsc_crypt_flush (lsc_crypt_ctx_t);
+gboolean lsc_crypt_enckey_exists (lsc_crypt_ctx_t);
+
+int lsc_crypt_create_enckey (lsc_crypt_ctx_t ctx);
+
char *lsc_crypt_encrypt (lsc_crypt_ctx_t,
const char *, ...) G_GNUC_NULL_TERMINATED;
diff --git a/src/manage.c b/src/manage.c
index aaf458ccc..a0fc04ccf 100644
--- a/src/manage.c
+++ b/src/manage.c
@@ -931,6 +931,108 @@ severity_to_type (double severity)
}
}
+
+
+/* Encryption key management. */
+
+/**
+ * @brief Creates a new encryption key and sets it as the new default.
+ *
+ * @return 0 on success, -1 on failure.
+ */
+int
+manage_create_encryption_key (GSList *log_config,
+ const db_conn_info_t *database)
+{
+ int ret = manage_option_setup (log_config, database);
+ if (ret)
+ {
+ printf ("Error setting up log config or database connection.");
+ g_warning ("Error setting up log config or database connection.");
+ return -1;
+ }
+
+ time_t now = time(NULL);
+ gchar *generated_uid
+ = g_strdup_printf (ENCRYPTION_KEY_UID_TEMPLATE, iso_time (&now));
+
+ lsc_crypt_ctx_t ctx = lsc_crypt_new (generated_uid);
+ switch (lsc_crypt_create_enckey (ctx))
+ {
+ case 0:
+ break;
+ case 1:
+ printf ("Credential encryption key '%s' already exists\n",
+ generated_uid);
+ g_warning ("%s: Credential encryption key '%s' already exists",
+ __func__, generated_uid);
+
+ lsc_crypt_flush(ctx);
+ g_free (generated_uid);
+ manage_option_cleanup ();
+ return -1;
+ default:
+ printf ("Could not create credential encryption key '%s'\n",
+ generated_uid);
+ g_warning ("%s: Could not create credential encryption key '%s'",
+ __func__, generated_uid);
+
+ lsc_crypt_flush(ctx);
+ g_free (generated_uid);
+ manage_option_cleanup ();
+ return -1;
+ }
+ set_current_encryption_key_uid (generated_uid);
+ printf ("Credential encryption key created: '%s'\n",
+ generated_uid);
+ g_message ("%s: Credential encryption key created: '%s'",
+ __func__, generated_uid);
+
+ lsc_crypt_flush(ctx);
+ g_free (generated_uid);
+ manage_option_cleanup ();
+ return 0;
+}
+
+/**
+ * @brief Sets the new default encryption key. The key must already exist.
+ *
+ * @param[in] uid UID of the encryption key.
+ *
+ * @return 0 on success, -1 on failure.
+ */
+int
+manage_set_encryption_key (GSList *log_config,
+ const db_conn_info_t *database,
+ const char *uid)
+{
+ int ret = manage_option_setup (log_config, database);
+ if (ret)
+ {
+ printf ("Error setting up log config or database connection.\n");
+ g_warning ("Error setting up log config or database connection.");
+ return -1;
+ }
+
+ lsc_crypt_ctx_t ctx = lsc_crypt_new (uid);
+ if (! lsc_crypt_enckey_exists (ctx))
+ {
+ printf ("Credential encryption key '%s' not found\n", uid);
+ g_warning ("%s: Credential encryption key '%s' not found", __func__, uid);
+ lsc_crypt_flush(ctx);
+ manage_option_cleanup ();
+ return -1;
+ }
+
+ set_current_encryption_key_uid (uid);
+ printf ("Credential encryption key set to '%s'\n", uid);
+ g_message ("%s: Credential encryption key set to '%s'", __func__, uid);
+ lsc_crypt_flush(ctx);
+ manage_option_cleanup ();
+ return 0;
+}
+
+
/* Credentials. */
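Review bot: Both new functions tear down their `lsc_crypt_ctx_t` with `lsc_crypt_flush`, whose visible tail in src/lsc_crypt.c only resets `ctx->plaintext`, so the context, its gpgme handle and the UID copy allocated by `lsc_crypt_new` are never released; every exit path here should call `lsc_crypt_release (ctx)` instead, and the same substitution is needed in `current_encryption_key_uid` in src/manage_sql.c, which sits on the path of every credential operation. The first setup-failure `printf` in `manage_create_encryption_key` lacks the trailing `\n` that its sibling in `manage_set_encryption_key` has. The timestamp-based UID generation (`g_strdup_printf (ENCRYPTION_KEY_UID_TEMPLATE, iso_time (&now))`) is duplicated verbatim in `current_encryption_key_uid`; a small shared helper would keep the two in step. Both doc comments also omit `@param[in] log_config` and `@param[in] database`.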
diff --git a/src/manage.h b/src/manage.h
index 76e1c9129..f5b0838d5 100644
--- a/src/manage.h
+++ b/src/manage.h
@@ -201,6 +201,7 @@ authenticate (credentials_t*);
void
logout_user ();
+
/* Database. */
@@ -234,6 +235,21 @@ manage_encrypt_all_credentials (GSList *, const db_conn_info_t *);
int
manage_decrypt_all_credentials (GSList *, const db_conn_info_t *);
+int
+manage_create_encryption_key (GSList *log_config,
+ const db_conn_info_t *database);
+
+int
+manage_set_encryption_key (GSList *log_config,
+ const db_conn_info_t *database,
+ const char*);
+
+char *
+current_encryption_key_uid (gboolean);
+
+void
+set_current_encryption_key_uid (const char *new_uid);
+
void
manage_session_set_timezone (const char *);
diff --git a/src/manage_migrators.c b/src/manage_migrators.c
index bcefa9a22..d5c95db0b 100644
--- a/src/manage_migrators.c
+++ b/src/manage_migrators.c
@@ -2971,7 +2971,7 @@ migrate_250_to_251 ()
char *secret;
char *quoted;
lsc_crypt_ctx_t crypt_ctx;
- crypt_ctx = lsc_crypt_new ();
+ crypt_ctx = lsc_crypt_new (OLD_ENCRYPTION_KEY_UID);
sql ("DELETE FROM meta WHERE name LIKE 'radius_key';");
secret = lsc_crypt_encrypt (crypt_ctx, "secret_key", secret_key, NULL);
diff --git a/src/manage_sql.c b/src/manage_sql.c
index 6c580d94d..c5bb72419 100644
--- a/src/manage_sql.c
+++ b/src/manage_sql.c
@@ -6043,7 +6043,10 @@ encrypt_all_credentials (gboolean decrypt_flag)
" WHERE credential = credentials.id"
" AND type = 'private_key')"
" FROM credentials");
- iterator.crypt_ctx = lsc_crypt_new ();
+
+ char *encryption_key_uid = current_encryption_key_uid (TRUE);
+ iterator.crypt_ctx = lsc_crypt_new (encryption_key_uid);
+ free (encryption_key_uid);
sql_begin_immediate ();
@@ -6209,6 +6212,69 @@ manage_decrypt_all_credentials (GSList *log_config,
return ret;
}
+/**
+ * @brief Gets the UID of the currently configured encryption key.
+ *
+ * @param[in] with_fallback If TRUE, set and return old key UID if
+ * the key UID is undefined.
+ *
+ * @return The encryption key UID.
+ */
+char *
+current_encryption_key_uid (gboolean with_fallback)
+{
+ char *key_uid = sql_string ("SELECT value FROM meta"
+ " WHERE name = 'encryption_key_uid';");
+
+ if (key_uid)
+ return key_uid;
+
+ if (!with_fallback)
+ return NULL;
+
+ // Check if an old, fixed UID key exists
+ lsc_crypt_ctx_t ctx = lsc_crypt_new (OLD_ENCRYPTION_KEY_UID);
+ if (lsc_crypt_enckey_exists (ctx))
+ {
+ lsc_crypt_flush(ctx);
+ set_current_encryption_key_uid (OLD_ENCRYPTION_KEY_UID);
+ return strdup (OLD_ENCRYPTION_KEY_UID);
+ }
+ lsc_crypt_flush(ctx);
+
+ // Generate a new key UID
+ time_t now = time(NULL);
+ gchar *generated_uid
+ = g_strdup_printf (ENCRYPTION_KEY_UID_TEMPLATE, iso_time (&now));
+ set_current_encryption_key_uid (generated_uid);
+ key_uid = strdup (generated_uid);
+ g_free (generated_uid);
+ return key_uid;
+}
+
+
+/**
+ * @brief Sets the database field defining the encryption key UID.
+ *
+ * Note: This does not have any effects on any already created
+ * encryption contexts that may be using the old UID.
+ *
+ * @param[in] new_uid The new UID to set.
+ */
+void
+set_current_encryption_key_uid (const char *new_uid)
+{
+ gchar *quoted_new_uid = sql_quote (new_uid);
+
+ sql ("INSERT INTO meta (name, value)"
+ " VALUES ('encryption_key_uid', '%s')"
+ " ON CONFLICT (name) DO UPDATE SET value = EXCLUDED.value;",
+ quoted_new_uid);
+
+ g_free (quoted_new_uid);
+}
+
+
/* Collation. */
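Review bot: `current_encryption_key_uid` hands back memory from three different sources — `sql_string` and two `strdup` calls — and every caller in this commit releases it with `free ()`, so the doc comment should state the contract explicitly: `@return The encryption key UID, newly allocated; the caller releases it with free().` Freeing it with `g_free` would be wrong if GLib and libc allocators ever differ, and nothing in the current comment warns about that. The fallback path also persists a freshly generated UID via `set_current_encryption_key_uid` before any key with that name exists, relying on the next `lsc_crypt_encrypt` to create it lazily; a one-line comment on that step, such as `// The key itself is created lazily by the encryption layer on first use.`, would keep a future reader from reordering it.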
@@ -33913,7 +33979,9 @@ check_db_encryption_key ()
lsc_crypt_ctx_t crypt_ctx;
gchar *secret;
- crypt_ctx = lsc_crypt_new ();
+ char *encryption_key_uid = current_encryption_key_uid (TRUE);
+ crypt_ctx = lsc_crypt_new (encryption_key_uid);
+ free (encryption_key_uid);
/* The encryption layer creates the key if it does not exist. */
secret = lsc_crypt_encrypt (crypt_ctx, "dummy", "dummy", NULL);
lsc_crypt_release (crypt_ctx);
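Review bot: The three-line sequence `current_encryption_key_uid (TRUE)` / `lsc_crypt_new (...)` / `free (...)` introduced here is repeated verbatim in every later hunk of this file (create_credential four times, credential_encrypted_value, set_credential_password, set_credential_private_key, set_credential_snmp_secret, credential_iterator_encrypted_data, manage_create_scanner, manage_modify_scanner, scanner_iterator_key_priv, scanner_key_priv, scanner_password, manage_get_radius_info and manage_set_radius_info); a small static helper such as `static lsc_crypt_ctx_t lsc_crypt_new_current (void)` wrapping those three lines would remove the duplication and give one place to handle a NULL UID. As written the call sites ignore that `current_encryption_key_uid` can return NULL when `strdup` fails, after which `lsc_crypt_new (NULL)` yields a context that `find_the_key` rejects with a warning on every use. check_db_encryption_key's body continues outside this hunk.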
@@ -34407,7 +34475,9 @@ create_credential (const char* name, const char* comment, const char* login,
if (!disable_encrypted_credentials)
{
gchar *secret;
- crypt_ctx = lsc_crypt_new ();
+ char *encryption_key_uid = current_encryption_key_uid (TRUE);
+ crypt_ctx = lsc_crypt_new (encryption_key_uid);
+ free (encryption_key_uid);
secret = lsc_crypt_encrypt (crypt_ctx,
"password", given_password,
"private_key", key_private, NULL);
@@ -34446,7 +34516,9 @@ create_credential (const char* name, const char* comment, const char* login,
if (!disable_encrypted_credentials)
{
gchar *secret;
- crypt_ctx = lsc_crypt_new ();
+ char *encryption_key_uid = current_encryption_key_uid (TRUE);
+ crypt_ctx = lsc_crypt_new (encryption_key_uid);
+ free (encryption_key_uid);
secret = lsc_crypt_encrypt (crypt_ctx,
"community", community,
"password", given_password,
@@ -34488,7 +34560,9 @@ create_credential (const char* name, const char* comment, const char* login,
if (!disable_encrypted_credentials)
{
- crypt_ctx = lsc_crypt_new ();
+ char *encryption_key_uid = current_encryption_key_uid (TRUE);
+ crypt_ctx = lsc_crypt_new (encryption_key_uid);
+ free (encryption_key_uid);
gchar *secret = lsc_crypt_encrypt (crypt_ctx,
"password", given_password,
NULL);
@@ -34549,7 +34623,9 @@ create_credential (const char* name, const char* comment, const char* login,
if (!disable_encrypted_credentials)
{
gchar *secret;
- crypt_ctx = lsc_crypt_new ();
+ char *encryption_key_uid = current_encryption_key_uid (TRUE);
+ crypt_ctx = lsc_crypt_new (encryption_key_uid);
+ free (encryption_key_uid);
if (generated_private_key)
secret = lsc_crypt_encrypt (crypt_ctx,
"password", generated_password,
@@ -35365,7 +35441,9 @@ credential_encrypted_value (credential_t credential, const char* value_name)
gchar *secret;
const char* decrypted;
lsc_crypt_ctx_t crypt_ctx;
- crypt_ctx = lsc_crypt_new ();
+ char *encryption_key_uid = current_encryption_key_uid (TRUE);
+ crypt_ctx = lsc_crypt_new (encryption_key_uid);
+ free (encryption_key_uid);
secret = sql_string ("SELECT value FROM credentials_data"
" WHERE credential = %llu"
@@ -35496,7 +35574,9 @@ set_credential_password (credential_t credential, const char *password)
if (!disable_encrypted_credentials)
{
gchar *encrypted_blob;
- crypt_ctx = lsc_crypt_new ();
+ char *encryption_key_uid = current_encryption_key_uid (TRUE);
+ crypt_ctx = lsc_crypt_new (encryption_key_uid);
+ free (encryption_key_uid);
encrypted_blob = lsc_crypt_encrypt (crypt_ctx,
"password", password, NULL);
if (!encrypted_blob)
@@ -35540,7 +35620,9 @@ set_credential_private_key (credential_t credential,
if (!disable_encrypted_credentials)
{
gchar *encrypted_blob;
- crypt_ctx = lsc_crypt_new ();
+ char *encryption_key_uid = current_encryption_key_uid (TRUE);
+ crypt_ctx = lsc_crypt_new (encryption_key_uid);
+ free (encryption_key_uid);
encrypted_blob = lsc_crypt_encrypt (crypt_ctx,
"private_key", private_key,
"password", passphrase,
@@ -35603,7 +35685,9 @@ set_credential_snmp_secret (credential_t credential, const char* community,
if (!disable_encrypted_credentials)
{
gchar *encrypted_blob;
- crypt_ctx = lsc_crypt_new ();
+ char *encryption_key_uid = current_encryption_key_uid (TRUE);
+ crypt_ctx = lsc_crypt_new (encryption_key_uid);
+ free (encryption_key_uid);
encrypted_blob = lsc_crypt_encrypt (crypt_ctx,
"community", community,
"password", password,
@@ -35728,7 +35812,11 @@ credential_iterator_encrypted_data (iterator_t* iterator, const char* type)
{
/* This is an encrypted credential. */
if (!iterator->crypt_ctx)
- iterator->crypt_ctx = lsc_crypt_new ();
+ {
+ char *encryption_key_uid = current_encryption_key_uid (TRUE);
+ iterator->crypt_ctx = lsc_crypt_new (encryption_key_uid);
+ free (encryption_key_uid);
+ }
return lsc_crypt_decrypt (iterator->crypt_ctx, secret, type);
}
@@ -38747,7 +38835,9 @@ manage_create_scanner (GSList *log_config, const db_conn_info_t *database,
lsc_crypt_ctx_t crypt_ctx;
char *secret;
- crypt_ctx = lsc_crypt_new ();
+ char *encryption_key_uid = current_encryption_key_uid (TRUE);
+ crypt_ctx = lsc_crypt_new (encryption_key_uid);
+ free (encryption_key_uid);
secret = lsc_crypt_encrypt (crypt_ctx,
"private_key", key_priv, NULL);
@@ -39051,7 +39141,9 @@ manage_modify_scanner (GSList *log_config, const db_conn_info_t *database,
lsc_crypt_ctx_t crypt_ctx;
char *secret;
- crypt_ctx = lsc_crypt_new ();
+ char *encryption_key_uid = current_encryption_key_uid (TRUE);
+ crypt_ctx = lsc_crypt_new (encryption_key_uid);
+ free (encryption_key_uid);
secret = lsc_crypt_encrypt (crypt_ctx,
"private_key", key_priv, NULL);
@@ -39881,8 +39973,11 @@ scanner_iterator_key_priv (iterator_t* iterator)
{
const char *secret;
if (!iterator->crypt_ctx)
- iterator->crypt_ctx = lsc_crypt_new ();
-
+ {
+ char *encryption_key_uid = current_encryption_key_uid (TRUE);
+ iterator->crypt_ctx = lsc_crypt_new (encryption_key_uid);
+ free (encryption_key_uid);
+ }
secret = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 9);
private_key = lsc_crypt_get_private_key (iterator->crypt_ctx, secret);
}
@@ -40209,7 +40304,9 @@ scanner_key_priv (scanner_t scanner)
{
gchar *secret;
lsc_crypt_ctx_t crypt_ctx;
- crypt_ctx = lsc_crypt_new ();
+ char *encryption_key_uid = current_encryption_key_uid (TRUE);
+ crypt_ctx = lsc_crypt_new (encryption_key_uid);
+ free (encryption_key_uid);
secret = sql_string ("SELECT value FROM credentials_data"
" WHERE credential"
@@ -40268,7 +40365,9 @@ scanner_password (scanner_t scanner)
{
gchar *secret;
lsc_crypt_ctx_t crypt_ctx;
- crypt_ctx = lsc_crypt_new ();
+ char *encryption_key_uid = current_encryption_key_uid (TRUE);
+ crypt_ctx = lsc_crypt_new (encryption_key_uid);
+ free (encryption_key_uid);
secret = sql_string ("SELECT credentials_data.value"
" FROM scanners, credentials_data"
@@ -53872,7 +53971,9 @@ manage_get_radius_info (int *enabled, char **host, char **key)
{
const char *decrypted;
lsc_crypt_ctx_t crypt_ctx;
- crypt_ctx = lsc_crypt_new ();
+ char *encryption_key_uid = current_encryption_key_uid (TRUE);
+ crypt_ctx = lsc_crypt_new (encryption_key_uid);
+ free (encryption_key_uid);
decrypted = lsc_crypt_decrypt (crypt_ctx, secret, "secret_key");
if (decrypted)
*key = g_strdup (decrypted);
@@ -53917,7 +54018,9 @@ manage_set_radius_info (int enabled, gchar *host, gchar *key)
{
char *secret;
lsc_crypt_ctx_t crypt_ctx;
- crypt_ctx = lsc_crypt_new ();
+ char *encryption_key_uid = current_encryption_key_uid (TRUE);
+ crypt_ctx = lsc_crypt_new (encryption_key_uid);
+ free (encryption_key_uid);
sql ("DELETE FROM meta WHERE name LIKE 'radius_key';");
secret = lsc_crypt_encrypt (crypt_ctx, "secret_key", key, NULL);
@@ -53927,7 +54030,7 @@ manage_set_radius_info (int enabled, gchar *host, gchar *key)
sql ("INSERT INTO meta (name, value) VALUES ('radius_key', '%s');",
quoted);
g_free (secret);
- secret = NULL;
+ secret = NULL;
g_free (quoted);
}
lsc_crypt_release(crypt_ctx);