Merge branch 'main' into GEA-254_Uploading_DER_file_as_TippingPoint_c…

…ertificate_corrupts_alert
greenbone · Jul 21, 2023 · 728ded2 · 728ded2
2 parents c3c836c + e12a123
commit 728ded2
Show file tree

Hide file tree

Showing 20 changed files with 884 additions and 136 deletions.
diff --git a/.docker/entrypoint.sh b/.docker/entrypoint.sh
@@ -18,4 +18,5 @@
 
 #!/bin/bash
 
+. setup-mta
 exec gosu gvmd "$@"
diff --git a/.docker/prod.Dockerfile b/.docker/prod.Dockerfile
@@ -84,6 +84,8 @@ RUN apt-get update && \
     libgpgme11 \
     libical3 \
     libpq5 \
+    msmtp \
+    msmtp-mta \
     openssh-client \
     postgresql-client-13 \
     postgresql-client-common \
@@ -107,6 +109,7 @@ COPY --from=builder /install/ /
 
 COPY .docker/start-gvmd.sh /usr/local/bin/start-gvmd
 COPY .docker/entrypoint.sh /usr/local/bin/entrypoint
+COPY .docker/setup-mta.sh /usr/local/bin/setup-mta
 
 RUN addgroup --gid 1001 --system gvmd && \
     adduser --no-create-home --shell /bin/false --disabled-password --uid 1001 --system --group gvmd

diff --git a/.docker/setup-mta.sh b/.docker/setup-mta.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Make any changes only when MTA_HOST has been set
+if [ -n MTA_HOST ]; then
+    echo "setting up configuration file for mail agent"
+    CONFIG="/etc/msmtprc"
+    echo "host $MTA_HOST" > $CONFIG
+    [ -n MTA_PORT ] && echo "port $MTA_PORT" >> $CONFIG
+    [ -n MTA_TLS ] && echo "tls $MTA_TLS" >> $CONFIG
+    [ -n MTA_STARTTLS ] && echo "tls_starttls $MTA_STARTTLS" >> $CONFIG
+    [ -n MTA_AUTH ] && echo "auth $MTA_AUTH" >> $CONFIG
+    [ -n MTA_USER ] && echo "user $MTA_USER" >> $CONFIG
+    [ -n MTA_FROM ] && echo "from $MTA_FROM" >> $CONFIG
+    [ -n MTA_PASSWORD ] && echo "password $MTA_PASSWORD" >> $CONFIG
+    [ -n MTA_LOGFILE ] && echo "logfile $MTA_LOGFILE" >> $CONFIG
+    chown gvmd:mail $CONFIG
+    chmod 750 $CONFIG
+fi
diff --git a/.github/workflows/build-container.yml b/.github/workflows/build-container.yml
@@ -27,7 +27,7 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v3
-      - uses: greenbone/actions/is-latest-tag@v2
+      - uses: greenbone/actions/is-latest-tag@v3
         id: latest
       - name: Setup container meta information
         id: meta

diff --git a/.github/workflows/build-docs.yml b/.github/workflows/build-docs.yml
@@ -11,7 +11,7 @@ jobs:
     container: greenbone/doxygen
     steps:
       - name: Run the c lang coverage action
-        uses: greenbone/actions/doc-coverage-clang@v2
+        uses: greenbone/actions/doc-coverage-clang@v3
 
   build-gmp-doc:
     name: Build GMP documentation

diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
@@ -17,7 +17,7 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3
-      - uses: greenbone/actions/is-latest-tag@v2
+      - uses: greenbone/actions/is-latest-tag@v3
         id: latest
       - name: Setup container meta information
         id: meta

diff --git a/.github/workflows/conventional-commits.yml b/.github/workflows/conventional-commits.yml
@@ -13,4 +13,4 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Report Conventional Commits
-        uses: greenbone/actions/conventional-commits@v2
+        uses: greenbone/actions/conventional-commits@v3
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -9,4 +9,4 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Dependency Review'
-        uses: greenbone/actions/dependency-review@v2
+        uses: greenbone/actions/dependency-review@v3
diff --git a/.github/workflows/release-pontos.yml b/.github/workflows/release-pontos.yml
@@ -36,11 +36,11 @@ jobs:
     steps:
       - name: Selecting the Release type
         id: release-type
-        uses: greenbone/actions/release-type@v2
+        uses: greenbone/actions/release-type@v3
         with:
           release-type-input: ${{ inputs.release-type }}
       - name: Release with release action
-        uses: greenbone/actions/release@v2
+        uses: greenbone/actions/release@v3
         with:
           github-user: ${{ secrets.GREENBONE_BOT }}
           github-user-mail: ${{ secrets.GREENBONE_BOT_MAIL }}

diff --git a/.github/workflows/sbom-upload.yml b/.github/workflows/sbom-upload.yml
@@ -11,4 +11,4 @@ jobs:
       contents: write
     steps:
       - name: 'SBOM upload'
-        uses: greenbone/actions/sbom-upload@v2
+        uses: greenbone/actions/sbom-upload@v3
diff --git a/doc/gvmd.8 b/doc/gvmd.8
@@ -22,6 +22,9 @@ Check SecInfo alerts.
 \fB--client-watch-interval=\fINUMBER\fB\f1
 Check if client connection was closed every NUMBER seconds. 0 to disable. Defaults to 1 second.
 .TP
+\fB--create-encryption-key\f1
+Create a new credential encryption key, set it as the new default and exit. With no other options given, a 4096 bit RSA key is created. 
+.TP
 \fB--create-scanner=\fISCANNER\fB\f1
 Create global scanner SCANNER and exit.
 .TP
@@ -58,6 +61,12 @@ Do not restrict passwords to the policy.
 \fB--disable-scheduling\f1
 Disable task scheduling.
 .TP
+\fB--encryption-key-length=\fILENGTH\fB\f1
+Set key length to LENGTH bits when creating a new RSA credential encryption key. Defaults to 4096. 
+.TP
+\fB--encryption-key-type=\fITYPE\fB\f1
+Use the key type TYPE when creating a new credential encryption key. Currently only RSA is supported. 
+.TP
 \fB--encrypt-all-credentials\f1
 (Re-)Encrypt all credentials.
 .TP

diff --git a/doc/gvmd.8.xml b/doc/gvmd.8.xml
@@ -74,6 +74,16 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
            0 to disable. Defaults to 1 second.</p>
       </optdesc>
     </option>
+    <option>
+      <p><opt>--create-encryption-key</opt></p>
+      <optdesc>
+        <p>
+          Create a new credential encryption key, set it as the new default
+           and exit.
+          With no other options given, a 4096 bit RSA key is created.
+        </p>
+      </optdesc>
+    </option>
     <option>
       <p><opt>--create-scanner=<arg>SCANNER</arg></opt></p>
       <optdesc>
@@ -146,6 +156,24 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
         <p>Disable task scheduling.</p>
       </optdesc>
     </option>
+    <option>
+      <p><opt>--encryption-key-length=<arg>LENGTH</arg></opt></p>
+      <optdesc>
+        <p>
+          Set key length to LENGTH bits when creating a new RSA
+          credential encryption key. Defaults to 4096.
+        </p>
+      </optdesc>
+    </option>
+    <option>
+      <p><opt>--encryption-key-type=<arg>TYPE</arg></opt></p>
+      <optdesc>
+        <p>
+          Use the key type TYPE when creating a new credential
+          encryption key. Currently only RSA is supported.
+        </p>
+      </optdesc>
+    </option>
     <option>
       <p><opt>--encrypt-all-credentials</opt></p>
       <optdesc>

diff --git a/doc/gvmd.html b/doc/gvmd.html
@@ -57,6 +57,14 @@ <h2>Options</h2>
 
 
 
+      <p><b>--create-encryption-key</b></p>
+
+        <p>Create a new credential encryption key, set it as the new default
+           and exit. With no other options given, a 4096 bit RSA key is
+           created.</p>
+
+
+
       <p><b>--create-scanner=<em>SCANNER</em></b></p>
 
         <p>Create global scanner SCANNER and exit.</p>
@@ -117,6 +125,20 @@ <h2>Options</h2>
 
 
 
+      <p><b>--encryption-key-length=<em>LENGTH</em></b></p>
+
+        <p>Set key length to LENGTH bits when creating a new RSA credential
+        encryption key. Defaults to 4096.</p>
+
+
+
+      <p><b>--encryption-key-type=<em>TYPE</em></b></p>
+
+        <p>Use the key type TYPE when creating a new credential encryption key.
+           Currently only RSA is supported.</p>
+
+
+
       <p><b>--encrypt-all-credentials</b></p>
 
         <p>(Re-)Encrypt all credentials.</p>

diff --git a/src/gvmd.c b/src/gvmd.c
@@ -1824,12 +1824,16 @@ gvmd (int argc, char** argv, char *env[])
 
   static int auth_timeout = 15;
   static gboolean check_alerts = FALSE;
+  static gboolean create_encryption_key = FALSE;
   static gboolean migrate_database = FALSE;
   static gboolean encrypt_all_credentials = FALSE;
   static gboolean decrypt_all_credentials = FALSE;
   static gboolean disable_password_policy = FALSE;
   static gboolean disable_scheduling = FALSE;
   static gboolean dump_vt_verification = FALSE;
+  static gchar *encryption_key_type = NULL;
+  static int encryption_key_length = 0;
+  static gchar *set_encryption_key = NULL;
   static gboolean get_roles = FALSE;
   static gboolean get_users = FALSE;
   static gboolean get_scanners = FALSE;
@@ -1918,6 +1922,12 @@ gvmd (int argc, char** argv, char *env[])
           " 0 to disable. Defaults to "
           G_STRINGIFY (DEFAULT_CLIENT_WATCH_INTERVAL) " seconds.",
           "<number>" },
+        { "create-encryption-key", '\0', 0, G_OPTION_ARG_NONE,
+          &create_encryption_key,
+          "Create a new credential encryption key, set it as the new default"
+          " and exit."
+          " With no other options given, a 4096 bit RSA key is created.",
+          NULL },
         { "create-scanner", '\0', 0, G_OPTION_ARG_STRING,
           &create_scanner,
           "Create global scanner <scanner> and exit.",
@@ -1979,6 +1989,17 @@ gvmd (int argc, char** argv, char *env[])
           &dump_vt_verification,
           "Dump the string the VTs verification hash is calculated from.",
           NULL },
+        { "encryption-key-length", '\0', 0, G_OPTION_ARG_INT,
+          &encryption_key_length,
+          "Set key length to <length> bits when creating a new RSA"
+          " credential encryption key. Defaults to "
+          G_STRINGIFY (DEFAULT_ENCRYPTION_KEY_LENGTH) ".",
+          "<length>" },
+        { "encryption-key-type", '\0', 0, G_OPTION_ARG_STRING,
+          &encryption_key_type,
+          "Use the key type <type> when creating a new credential"
+          " encryption key. Currently only RSA is supported.",
+          "<type>" },
         { "encrypt-all-credentials", '\0', 0, G_OPTION_ARG_NONE,
           &encrypt_all_credentials,
           "(Re-)Encrypt all credentials.",
@@ -2180,6 +2201,11 @@ gvmd (int argc, char** argv, char *env[])
           "During CERT and SCAP sync, commit updates to the database every"
           " <number> items, 0 for unlimited, default: "
           G_STRINGIFY (SECINFO_COMMIT_SIZE_DEFAULT), "<number>" },
+        { "set-encryption-key", '\0', 0, G_OPTION_ARG_STRING,
+          &set_encryption_key,
+          "Set the encryption key with the given UID as the new default"
+          " and exit.",
+          "<uid>" },
         { "unix-socket", 'c', 0, G_OPTION_ARG_STRING,
           &manager_address_string_unix,
           "Listen on UNIX socket at <filename>.",
@@ -2438,6 +2464,17 @@ gvmd (int argc, char** argv, char *env[])
         g_debug ("No default relay mapper found.");
     }
 
+  /*
+   * Parameters for new credential encryption keys
+   */
+  if (lsc_crypt_enckey_parms_init (encryption_key_type,
+                                   encryption_key_length))
+    {
+      g_critical ("%s: failed to set encryption key parameters", __func__);
+      gvm_close_sentry ();
+      exit (EXIT_FAILURE);
+    }
+
   /**
    * LDAP debugging
    */
@@ -2834,6 +2871,37 @@ gvmd (int argc, char** argv, char *env[])
       return EXIT_SUCCESS;
     }
 
+  if (create_encryption_key)
+    {
+      int ret;
+      setproctitle ("gvmd: Creating encryption key");
+
+      if (option_lock (&lockfile_checking))
+        return EXIT_FAILURE;
+
+      ret = manage_create_encryption_key (log_config, &database);
+      log_config_free ();
+      if (ret)
+        return EXIT_FAILURE;
+      return EXIT_SUCCESS;
+    }
+
+  if (set_encryption_key)
+    {
+      int ret;
+      setproctitle ("gvmd: Setting encryption key");
+
+      if (option_lock (&lockfile_checking))
+        return EXIT_FAILURE;
+
+      ret = manage_set_encryption_key (log_config, &database,
+                                       set_encryption_key);
+      log_config_free ();
+      if (ret)
+        return EXIT_FAILURE;
+      return EXIT_SUCCESS;
+    }
+
   if (create_user)
     {
       int ret;