From 149ee5960eead764bf1defc5b3a36c821b771062 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 17 Jul 2023 05:14:25 +0000
Subject: [PATCH 1/7] Bump greenbone/actions from 2 to 3

Bumps [greenbone/actions](https://github.com/greenbone/actions) from 2 to 3.
- [Release notes](https://github.com/greenbone/actions/releases)
- [Commits](https://github.com/greenbone/actions/compare/v2...v3)

---
updated-dependencies:
- dependency-name: greenbone/actions
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/build-container.yml      | 2 +-
 .github/workflows/build-docs.yml           | 2 +-
 .github/workflows/container.yml            | 2 +-
 .github/workflows/conventional-commits.yml | 2 +-
 .github/workflows/dependency-review.yml    | 2 +-
 .github/workflows/release-pontos.yml       | 4 ++--
 .github/workflows/sbom-upload.yml          | 2 +-
 7 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/build-container.yml b/.github/workflows/build-container.yml
index ebdd9e29d..60e034a0a 100644
--- a/.github/workflows/build-container.yml
+++ b/.github/workflows/build-container.yml
@@ -27,7 +27,7 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v3
-      - uses: greenbone/actions/is-latest-tag@v2
+      - uses: greenbone/actions/is-latest-tag@v3
         id: latest
       - name: Setup container meta information
         id: meta
diff --git a/.github/workflows/build-docs.yml b/.github/workflows/build-docs.yml
index 606e4ed44..c92599d83 100644
--- a/.github/workflows/build-docs.yml
+++ b/.github/workflows/build-docs.yml
@@ -11,7 +11,7 @@ jobs:
     container: greenbone/doxygen
     steps:
       - name: Run the c lang coverage action
-        uses: greenbone/actions/doc-coverage-clang@v2
+        uses: greenbone/actions/doc-coverage-clang@v3
 
   build-gmp-doc:
     name: Build GMP documentation
diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
index 3c0ab749a..861c91665 100644
--- a/.github/workflows/container.yml
+++ b/.github/workflows/container.yml
@@ -17,7 +17,7 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3
-      - uses: greenbone/actions/is-latest-tag@v2
+      - uses: greenbone/actions/is-latest-tag@v3
         id: latest
       - name: Setup container meta information
         id: meta
diff --git a/.github/workflows/conventional-commits.yml b/.github/workflows/conventional-commits.yml
index a929906e4..5d0bb41e4 100644
--- a/.github/workflows/conventional-commits.yml
+++ b/.github/workflows/conventional-commits.yml
@@ -13,4 +13,4 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Report Conventional Commits
-        uses: greenbone/actions/conventional-commits@v2
+        uses: greenbone/actions/conventional-commits@v3
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index bbc5a50d9..36afcc325 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -9,4 +9,4 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Dependency Review'
-        uses: greenbone/actions/dependency-review@v2
+        uses: greenbone/actions/dependency-review@v3
diff --git a/.github/workflows/release-pontos.yml b/.github/workflows/release-pontos.yml
index 00a2ca726..18aab9fd4 100644
--- a/.github/workflows/release-pontos.yml
+++ b/.github/workflows/release-pontos.yml
@@ -36,11 +36,11 @@ jobs:
     steps:
       - name: Selecting the Release type
         id: release-type
-        uses: greenbone/actions/release-type@v2
+        uses: greenbone/actions/release-type@v3
         with:
           release-type-input: ${{ inputs.release-type }}
       - name: Release with release action
-        uses: greenbone/actions/release@v2
+        uses: greenbone/actions/release@v3
         with:
           github-user: ${{ secrets.GREENBONE_BOT }}
           github-user-mail: ${{ secrets.GREENBONE_BOT_MAIL }}
diff --git a/.github/workflows/sbom-upload.yml b/.github/workflows/sbom-upload.yml
index 28289bdfe..fefdfeafe 100644
--- a/.github/workflows/sbom-upload.yml
+++ b/.github/workflows/sbom-upload.yml
@@ -11,4 +11,4 @@ jobs:
       contents: write
     steps:
       - name: 'SBOM upload'
-        uses: greenbone/actions/sbom-upload@v2
+        uses: greenbone/actions/sbom-upload@v3

From e0b092d36fca11ab98a427582e195982e7ec7421 Mon Sep 17 00:00:00 2001
From: Castor Sky <csky57@gmail.com>
Date: Sun, 16 Jul 2023 17:21:41 +0300
Subject: [PATCH 2/7] Add: Mail transport agent to enable email notifications
 in docker

This adds the `msmtp` and `msmtp-mta` packages to achieve ability
of sending email notifications from docker container. Default
`gvmd` image has no MTA but tries to send emails via local mailer
(and always fails for sure).

With msmtp user can send emails to a single preferred SMTP server.
---
 .docker/entrypoint.sh   |  1 +
 .docker/prod.Dockerfile |  3 +++
 .docker/setup-mta.sh    | 18 ++++++++++++++++++
 3 files changed, 22 insertions(+)
 create mode 100644 .docker/setup-mta.sh

diff --git a/.docker/entrypoint.sh b/.docker/entrypoint.sh
index 4063de001..d3506c405 100644
--- a/.docker/entrypoint.sh
+++ b/.docker/entrypoint.sh
@@ -18,4 +18,5 @@
 
 #!/bin/bash
 
+. setup-mta
 exec gosu gvmd "$@"
diff --git a/.docker/prod.Dockerfile b/.docker/prod.Dockerfile
index 375062b76..212ecde50 100644
--- a/.docker/prod.Dockerfile
+++ b/.docker/prod.Dockerfile
@@ -84,6 +84,8 @@ RUN apt-get update && \
     libgpgme11 \
     libical3 \
     libpq5 \
+    msmtp \
+    msmtp-mta \
     openssh-client \
     postgresql-client-13 \
     postgresql-client-common \
@@ -107,6 +109,7 @@ COPY --from=builder /install/ /
 
 COPY .docker/start-gvmd.sh /usr/local/bin/start-gvmd
 COPY .docker/entrypoint.sh /usr/local/bin/entrypoint
+COPY .docker/setup-mta.sh /usr/local/bin/setup-mta
 
 RUN addgroup --gid 1001 --system gvmd && \
     adduser --no-create-home --shell /bin/false --disabled-password --uid 1001 --system --group gvmd
diff --git a/.docker/setup-mta.sh b/.docker/setup-mta.sh
new file mode 100644
index 000000000..9b4c4da43
--- /dev/null
+++ b/.docker/setup-mta.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Make any changes only when MTA_HOST has been set
+if [ -n MTA_HOST ]; then
+    echo "setting up configuration file for mail agent"
+    CONFIG="/etc/msmtprc"
+    echo "host $MTA_HOST" > $CONFIG
+    [ -n MTA_PORT ] && echo "port $MTA_PORT" >> $CONFIG
+    [ -n MTA_TLS ] && echo "tls $MTA_TLS" >> $CONFIG
+    [ -n MTA_STARTTLS ] && echo "tls_starttls $MTA_STARTTLS" >> $CONFIG
+    [ -n MTA_AUTH ] && echo "auth $MTA_AUTH" >> $CONFIG
+    [ -n MTA_USER ] && echo "user $MTA_USER" >> $CONFIG
+    [ -n MTA_FROM ] && echo "from $MTA_FROM" >> $CONFIG
+    [ -n MTA_PASSWORD ] && echo "password $MTA_PASSWORD" >> $CONFIG
+    [ -n MTA_LOGFILE ] && echo "logfile $MTA_LOGFILE" >> $CONFIG
+    chown gvmd:mail $CONFIG
+    chmod 750 $CONFIG
+fi

From c9bca00f3e15458a8dc001148ae9d9c544d20514 Mon Sep 17 00:00:00 2001
From: Timo Pollmeier <timo.pollmeier@greenbone.net>
Date: Thu, 13 Jul 2023 11:52:12 +0200
Subject: [PATCH 3/7] Add: New options to set a new credential encryption key

This adds new command line options to create a new credential encryption
key, select an existing ones by UID and change parameters for new keys
(currently only the RSA key length).

This makes it simpler to implement new recommendation regarding the
secure key length and adds interfaces for supporting other key types
like elliptic curve based ones.
---
 doc/gvmd.8             |   9 +++
 doc/gvmd.8.xml         |  28 ++++++++
 doc/gvmd.html          |  22 +++++++
 src/gvmd.c             |  68 ++++++++++++++++++++
 src/lsc_crypt.c        | 138 +++++++++++++++++++++++++++++++--------
 src/lsc_crypt.h        |  32 ++++++++-
 src/manage.c           | 102 +++++++++++++++++++++++++++++
 src/manage.h           |  16 +++++
 src/manage_migrators.c |   2 +-
 src/manage_sql.c       | 143 +++++++++++++++++++++++++++++++++++------
 10 files changed, 510 insertions(+), 50 deletions(-)

diff --git a/doc/gvmd.8 b/doc/gvmd.8
index b64e38bfc..a9c0794bc 100644
--- a/doc/gvmd.8
+++ b/doc/gvmd.8
@@ -22,6 +22,9 @@ Check SecInfo alerts.
 \fB--client-watch-interval=\fINUMBER\fB\f1
 Check if client connection was closed every NUMBER seconds. 0 to disable. Defaults to 1 second.
 .TP
+\fB--create-encryption-key\f1
+Create a new credential encryption key, set it as the new default and exit. With no other options given, a 4096 bit RSA key is created. 
+.TP
 \fB--create-scanner=\fISCANNER\fB\f1
 Create global scanner SCANNER and exit.
 .TP
@@ -58,6 +61,12 @@ Do not restrict passwords to the policy.
 \fB--disable-scheduling\f1
 Disable task scheduling.
 .TP
+\fB--encryption-key-length=\fILENGTH\fB\f1
+Set key length to LENGTH bits when creating a new RSA credential encryption key. Defaults to 4096. 
+.TP
+\fB--encryption-key-type=\fITYPE\fB\f1
+Use the key type TYPE when creating a new credential encryption key. Currently only RSA is supported. 
+.TP
 \fB--encrypt-all-credentials\f1
 (Re-)Encrypt all credentials.
 .TP
diff --git a/doc/gvmd.8.xml b/doc/gvmd.8.xml
index 7498442b2..ab873160d 100644
--- a/doc/gvmd.8.xml
+++ b/doc/gvmd.8.xml
@@ -74,6 +74,16 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
            0 to disable. Defaults to 1 second.</p>
       </optdesc>
     </option>
+    <option>
+      <p><opt>--create-encryption-key</opt></p>
+      <optdesc>
+        <p>
+          Create a new credential encryption key, set it as the new default
+           and exit.
+          With no other options given, a 4096 bit RSA key is created.
+        </p>
+      </optdesc>
+    </option>
     <option>
       <p><opt>--create-scanner=<arg>SCANNER</arg></opt></p>
       <optdesc>
@@ -146,6 +156,24 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
         <p>Disable task scheduling.</p>
       </optdesc>
     </option>
+    <option>
+      <p><opt>--encryption-key-length=<arg>LENGTH</arg></opt></p>
+      <optdesc>
+        <p>
+          Set key length to LENGTH bits when creating a new RSA
+          credential encryption key. Defaults to 4096.
+        </p>
+      </optdesc>
+    </option>
+    <option>
+      <p><opt>--encryption-key-type=<arg>TYPE</arg></opt></p>
+      <optdesc>
+        <p>
+          Use the key type TYPE when creating a new credential
+          encryption key. Currently only RSA is supported.
+        </p>
+      </optdesc>
+    </option>
     <option>
       <p><opt>--encrypt-all-credentials</opt></p>
       <optdesc>
diff --git a/doc/gvmd.html b/doc/gvmd.html
index 5c3a9391f..6eda9e925 100644
--- a/doc/gvmd.html
+++ b/doc/gvmd.html
@@ -57,6 +57,14 @@ <h2>Options</h2>
       
     
     
+      <p><b>--create-encryption-key</b></p>
+      
+        <p>Create a new credential encryption key, set it as the new default
+           and exit. With no other options given, a 4096 bit RSA key is
+           created.</p>
+      
+    
+    
       <p><b>--create-scanner=<em>SCANNER</em></b></p>
       
         <p>Create global scanner SCANNER and exit.</p>
@@ -117,6 +125,20 @@ <h2>Options</h2>
       
     
     
+      <p><b>--encryption-key-length=<em>LENGTH</em></b></p>
+      
+        <p>Set key length to LENGTH bits when creating a new RSA credential
+        encryption key. Defaults to 4096.</p>
+      
+    
+    
+      <p><b>--encryption-key-type=<em>TYPE</em></b></p>
+      
+        <p>Use the key type TYPE when creating a new credential encryption key.
+           Currently only RSA is supported.</p>
+      
+    
+    
       <p><b>--encrypt-all-credentials</b></p>
       
         <p>(Re-)Encrypt all credentials.</p>
diff --git a/src/gvmd.c b/src/gvmd.c
index a75b391da..eee28049b 100644
--- a/src/gvmd.c
+++ b/src/gvmd.c
@@ -1824,12 +1824,16 @@ gvmd (int argc, char** argv, char *env[])
 
   static int auth_timeout = 15;
   static gboolean check_alerts = FALSE;
+  static gboolean create_encryption_key = FALSE;
   static gboolean migrate_database = FALSE;
   static gboolean encrypt_all_credentials = FALSE;
   static gboolean decrypt_all_credentials = FALSE;
   static gboolean disable_password_policy = FALSE;
   static gboolean disable_scheduling = FALSE;
   static gboolean dump_vt_verification = FALSE;
+  static gchar *encryption_key_type = NULL;
+  static int encryption_key_length = 0;
+  static gchar *set_encryption_key = NULL;
   static gboolean get_roles = FALSE;
   static gboolean get_users = FALSE;
   static gboolean get_scanners = FALSE;
@@ -1918,6 +1922,12 @@ gvmd (int argc, char** argv, char *env[])
           " 0 to disable. Defaults to "
           G_STRINGIFY (DEFAULT_CLIENT_WATCH_INTERVAL) " seconds.",
           "<number>" },
+        { "create-encryption-key", '\0', 0, G_OPTION_ARG_NONE,
+          &create_encryption_key,
+          "Create a new credential encryption key, set it as the new default"
+          " and exit."
+          " With no other options given, a 4096 bit RSA key is created.",
+          NULL },
         { "create-scanner", '\0', 0, G_OPTION_ARG_STRING,
           &create_scanner,
           "Create global scanner <scanner> and exit.",
@@ -1979,6 +1989,17 @@ gvmd (int argc, char** argv, char *env[])
           &dump_vt_verification,
           "Dump the string the VTs verification hash is calculated from.",
           NULL },
+        { "encryption-key-length", '\0', 0, G_OPTION_ARG_INT,
+          &encryption_key_length,
+          "Set key length to <length> bits when creating a new RSA"
+          " credential encryption key. Defaults to "
+          G_STRINGIFY (DEFAULT_ENCRYPTION_KEY_LENGTH) ".",
+          "<length>" },
+        { "encryption-key-type", '\0', 0, G_OPTION_ARG_STRING,
+          &encryption_key_type,
+          "Use the key type <type> when creating a new credential"
+          " encryption key. Currently only RSA is supported.",
+          "<type>" },
         { "encrypt-all-credentials", '\0', 0, G_OPTION_ARG_NONE,
           &encrypt_all_credentials,
           "(Re-)Encrypt all credentials.",
@@ -2180,6 +2201,11 @@ gvmd (int argc, char** argv, char *env[])
           "During CERT and SCAP sync, commit updates to the database every"
           " <number> items, 0 for unlimited, default: "
           G_STRINGIFY (SECINFO_COMMIT_SIZE_DEFAULT), "<number>" },
+        { "set-encryption-key", '\0', 0, G_OPTION_ARG_STRING,
+          &set_encryption_key,
+          "Set the encryption key with the given UID as the new default"
+          " and exit.",
+          "<uid>" },
         { "unix-socket", 'c', 0, G_OPTION_ARG_STRING,
           &manager_address_string_unix,
           "Listen on UNIX socket at <filename>.",
@@ -2438,6 +2464,17 @@ gvmd (int argc, char** argv, char *env[])
         g_debug ("No default relay mapper found.");
     }
 
+  /*
+   * Parameters for new credential encryption keys
+   */
+  if (lsc_crypt_enckey_parms_init (encryption_key_type,
+                                   encryption_key_length))
+    {
+      g_critical ("%s: failed to set encryption key parameters", __func__);
+      gvm_close_sentry ();
+      exit (EXIT_FAILURE);
+    }
+
   /**
    * LDAP debugging
    */
@@ -2834,6 +2871,37 @@ gvmd (int argc, char** argv, char *env[])
       return EXIT_SUCCESS;
     }
 
+  if (create_encryption_key)
+    {
+      int ret;
+      setproctitle ("gvmd: Creating encryption key");
+      
+      if (option_lock (&lockfile_checking))
+        return EXIT_FAILURE;
+
+      ret = manage_create_encryption_key (log_config, &database);
+      log_config_free ();
+      if (ret)
+        return EXIT_FAILURE;
+      return EXIT_SUCCESS;
+    }
+
+  if (set_encryption_key)
+    {
+      int ret;
+      setproctitle ("gvmd: Setting encryption key");
+      
+      if (option_lock (&lockfile_checking))
+        return EXIT_FAILURE;
+
+      ret = manage_set_encryption_key (log_config, &database,
+                                       set_encryption_key);
+      log_config_free ();
+      if (ret)
+        return EXIT_FAILURE;
+      return EXIT_SUCCESS;
+    }
+
   if (create_user)
     {
       int ret;
diff --git a/src/lsc_crypt.c b/src/lsc_crypt.c
index 2ced268e3..5602e0573 100644
--- a/src/lsc_crypt.c
+++ b/src/lsc_crypt.c
@@ -41,15 +41,6 @@
  */
 #define G_LOG_DOMAIN "md  crypt"
 
-/**
- * @brief The name of the encryption key.
- *
- * Note that the code will use the "=" prefix flag to indicate an
- * exact search.  Thus when creating the key it should not have a
- * comment or email address part.
- */
-#define ENCRYPTION_KEY_UID "GVM Credential Encryption"
-
 /**
  * @brief The maximum size of an encrypted value
  *
@@ -94,8 +85,15 @@ struct lsc_crypt_ctx_s
   char *plaintext;             ///< Text to be encrypted.
   size_t plaintextlen;         ///< Length of text.
   struct namelist_s *namelist; ///< Info describing PLAINTEXT.
+  gchar *enckey_uid;           ///< Encryption key UID to use.
 };
 
+
+/* Key generation parameters  */
+gchar *enckey_type = NULL;
+
+int enckey_length = 0;
+
 
 /* Simple helper functions  */
 
@@ -166,6 +164,31 @@ get32 (const void *buffer)
 
 /* Local functions. */
 
+static gchar*
+generate_parms_string (const char *enckey_uid)
+{
+  gchar *parms_string = NULL;
+
+  if (enckey_type == NULL || strcasecmp (enckey_type, "RSA") == 0)
+    {
+      parms_string = g_strdup_printf (
+          "<GnupgKeyParms format=\"internal\">\n"
+          "Key-Type: RSA\n"
+          "Key-Length: %d\n"
+          "Key-Usage: encrypt\n"
+          "Name-Real: %s\n"
+          "Expire-Date: 0\n"
+          "%%no-protection\n"
+          "%%no-ask-passphrase\n"
+          "</GnupgKeyParms>\n",
+          (enckey_length > 0) ? enckey_length 
+                              : DEFAULT_ENCRYPTION_RSA_KEY_LENGTH,
+          enckey_uid
+        );
+    }
+  return parms_string;
+}
+
 
 /**
  * @brief Create the credential encryption key
@@ -179,16 +202,14 @@ get32 (const void *buffer)
 static int
 create_the_key (lsc_crypt_ctx_t ctx)
 {
-  const char parms[] =
-    "<GnupgKeyParms format=\"internal\">\n"
-    "Key-Type: RSA\n"
-    "Key-Length: 2048\n"
-    "Key-Usage: encrypt\n"
-    "Name-Real: " ENCRYPTION_KEY_UID "\n"
-    "Expire-Date: 0\n"
-    "%no-protection\n"
-    "%no-ask-passphrase\n"
-    "</GnupgKeyParms>\n";
+  if (ctx->enckey_uid == NULL || strcmp (ctx->enckey_uid, "") == 0)
+    {
+      log_gpgme (G_LOG_LEVEL_WARNING, 0,
+                 "encryption context has no key UID set");
+      return -1;
+    }
+
+  gchar *parms = generate_parms_string (ctx->enckey_uid);
   gpg_error_t err;
 
   log_gpgme (G_LOG_LEVEL_INFO, 0, "starting key generation ...");
@@ -196,11 +217,11 @@ create_the_key (lsc_crypt_ctx_t ctx)
   if (err)
     {
       log_gpgme(G_LOG_LEVEL_WARNING, err, "error creating OpenPGP key '%s'",
-                ENCRYPTION_KEY_UID);
+                ctx->enckey_uid);
       return -1;
     }
   log_gpgme (G_LOG_LEVEL_INFO, 0,
-             "OpenPGP key '%s' has been generated", ENCRYPTION_KEY_UID);
+             "OpenPGP key '%s' has been generated", ctx->enckey_uid);
   return 0;
 }
 
@@ -222,16 +243,25 @@ find_the_key (lsc_crypt_ctx_t ctx, gboolean no_create)
   gpg_error_t err;
   int nfound, any_skipped;
   gpgme_key_t found, key;
+  gchar *enckey_filter;
 
+  if (ctx->enckey_uid == NULL || strcmp (ctx->enckey_uid, "") == 0)
+    {
+      log_gpgme (G_LOG_LEVEL_WARNING, 0,
+                 "encryption context has no key UID set");
+      return NULL;
+    }
  again:
   /* Search for the public key.  Note that the "=" prefix flag enables
      an exact search.  */
-  err = gpgme_op_keylist_start (ctx->encctx, "="ENCRYPTION_KEY_UID, 0);
+  enckey_filter = g_strdup_printf("=%s", ctx->enckey_uid);
+  err = gpgme_op_keylist_start (ctx->encctx, enckey_filter, 0);
+  g_free (enckey_filter);
   if (err)
     {
       log_gpgme (G_LOG_LEVEL_WARNING, err,
                  "error starting search for OpenPGP key '%s'",
-                 ENCRYPTION_KEY_UID);
+                 ctx->enckey_uid);
       return NULL;
     }
 
@@ -276,13 +306,17 @@ find_the_key (lsc_crypt_ctx_t ctx, gboolean no_create)
     }
   else if (!found)
     {
-      static int genkey_tried;
+      static GHashTable *genkey_tried_uids = NULL;
+      if (genkey_tried_uids == NULL)
+        genkey_tried_uids = g_hash_table_new (g_str_hash, g_str_equal);
 
       /* Try to create the key if we have not seen any matching key at
          all and if this is the first time in this process' lifetime.  */
-      if (!any_skipped && !genkey_tried && !no_create)
+      if (!any_skipped
+          && !no_create
+          && !g_hash_table_contains (genkey_tried_uids, ctx->enckey_uid))
         {
-          genkey_tried = 1;
+          g_hash_table_add (genkey_tried_uids, g_strdup (ctx->enckey_uid));
           if (!create_the_key (ctx))
             goto again; /* Created - search again.  */
         }
@@ -296,7 +330,7 @@ find_the_key (lsc_crypt_ctx_t ctx, gboolean no_create)
     {
       log_gpgme (G_LOG_LEVEL_MESSAGE, err,
                  "error searching for OpenPGP key '%s'",
-                 ENCRYPTION_KEY_UID);
+                 ctx->enckey_uid);
       gpgme_key_unref (found);
       found = NULL;
     }
@@ -475,6 +509,21 @@ do_decrypt (lsc_crypt_ctx_t ctx, const char *cipherstring,
 
 /* API */
 
+/**
+ * @brief Sets the parameters for creating a new encryption key
+ *
+ * @param[in]  type   Type of the 
+ * @param[in]  length 
+ */
+int
+lsc_crypt_enckey_parms_init (const char *type, int length)
+{
+  g_free (enckey_type);
+  enckey_type = type ? g_strdup (type) : NULL;
+  enckey_length = length;
+  return 0;
+}
+
 /**
  * @brief Return a new context for LSC encryption
  *
@@ -482,13 +531,14 @@ do_decrypt (lsc_crypt_ctx_t ctx, const char *cipherstring,
  *         lsc_crypt_release.
  */
 lsc_crypt_ctx_t
-lsc_crypt_new ()
+lsc_crypt_new (const char *enckey_uid)
 {
   char * path = g_build_filename (GVMD_STATE_DIR, "gnupg", NULL);
   lsc_crypt_ctx_t ctx;
 
   ctx = g_malloc0 (sizeof *ctx);
   ctx->encctx = gvm_init_gpgme_ctx_from_dir (path);
+  ctx->enckey_uid = enckey_uid ? g_strdup (enckey_uid) : NULL;
   g_free (path);
   if (!ctx->encctx)
     {
@@ -543,6 +593,38 @@ lsc_crypt_flush (lsc_crypt_ctx_t ctx)
   ctx->plaintext = NULL;
 }
 
+/**
+ * @brief Checks if the encryption key defined by the context already exists
+ *
+ * @param[in] ctx        The context
+ * 
+ * @return Whether the key exists
+ */
+gboolean
+lsc_crypt_enckey_exists (lsc_crypt_ctx_t ctx)
+{
+  gpgme_key_t key = find_the_key (ctx, TRUE);
+  return key != NULL;
+}
+
+/**
+ * @brief Creates the key for the given context if it does not already exists
+ *
+ * @param[in] ctx        The context
+ *
+ * @return 0 on success, 1 key already exits, -1 on other error.
+ */
+int
+lsc_crypt_create_enckey (lsc_crypt_ctx_t ctx)
+{
+  if (lsc_crypt_enckey_exists (ctx))
+    return 1;
+  if (create_the_key (ctx))
+    return -1;
+  return 0;
+}
+
+
 
 /**
  * @brief Encrypt a list of name/value pairs
diff --git a/src/lsc_crypt.h b/src/lsc_crypt.h
index bf46860c3..63b021e81 100644
--- a/src/lsc_crypt.h
+++ b/src/lsc_crypt.h
@@ -26,6 +26,30 @@
 
 #include <glib.h>
 
+/// @brief Default length for RSA encryption keys
+#define DEFAULT_ENCRYPTION_RSA_KEY_LENGTH 4096
+
+/**
+ * @brief The name of the old encryption key.
+ *
+ * Note that the code will use the "=" prefix flag to indicate an
+ * exact search.  Thus when creating the key it should not have a
+ * comment or email address part.
+ */
+#define OLD_ENCRYPTION_KEY_UID "GVM Credential Encryption"
+
+/**
+ * @brief Template for the name of the encryption key.
+ *
+ * It must contain a single %s that will be replaced with the current 
+ * date and time.
+ *
+ * Note that the code will use the "=" prefix flag to indicate an
+ * exact search.  Thus when creating the key it should not have a
+ * comment or email address part.
+ */
+#define ENCRYPTION_KEY_UID_TEMPLATE "GVM Credential Encryption - %s"
+
 /* (Defined in gvmd.c) */
 extern int disable_encrypted_credentials;
 
@@ -33,13 +57,19 @@ extern int disable_encrypted_credentials;
 struct lsc_crypt_ctx_s;
 typedef struct lsc_crypt_ctx_s *lsc_crypt_ctx_t;
 
-lsc_crypt_ctx_t lsc_crypt_new ();
+int lsc_crypt_enckey_parms_init (const char *, int);
+
+lsc_crypt_ctx_t lsc_crypt_new (const char*);
 void lsc_crypt_release (lsc_crypt_ctx_t);
 
 int lsc_crypt_create_key ();
 
 void lsc_crypt_flush (lsc_crypt_ctx_t);
 
+gboolean lsc_crypt_enckey_exists (lsc_crypt_ctx_t);
+
+int lsc_crypt_create_enckey (lsc_crypt_ctx_t ctx);
+
 char *lsc_crypt_encrypt (lsc_crypt_ctx_t,
                          const char *, ...) G_GNUC_NULL_TERMINATED;
 
diff --git a/src/manage.c b/src/manage.c
index aaf458ccc..a0fc04ccf 100644
--- a/src/manage.c
+++ b/src/manage.c
@@ -931,6 +931,108 @@ severity_to_type (double severity)
     }
 }
 
+
+
+/* Encryption key management. */
+
+/**
+ * @brief Creates a new encryption key and sets it as the new default.
+ * 
+ * @return 0 on success, -1 on failure.
+ */
+int
+manage_create_encryption_key (GSList *log_config,
+                              const db_conn_info_t *database)
+{
+  int ret = manage_option_setup (log_config, database);
+  if (ret)
+    {
+      printf ("Error setting up log config or database connection.");
+      g_warning ("Error setting up log config or database connection.");
+      return -1;
+    }
+
+  time_t now = time(NULL);
+  gchar *generated_uid
+    = g_strdup_printf (ENCRYPTION_KEY_UID_TEMPLATE, iso_time (&now));
+
+  lsc_crypt_ctx_t ctx = lsc_crypt_new (generated_uid);
+  switch (lsc_crypt_create_enckey (ctx))
+    {
+      case 0:
+        break;
+      case 1:
+        printf ("Credential encryption key '%s' already exists\n",
+                generated_uid);
+        g_warning ("%s: Credential encryption key '%s' already exists", 
+                 __func__, generated_uid);
+
+        lsc_crypt_flush(ctx);
+        g_free (generated_uid);
+        manage_option_cleanup ();
+        return -1;
+      default:
+        printf ("Could not create credential encryption key '%s'\n",
+                generated_uid);
+        g_warning ("%s: Could not create credential encryption key '%s'", 
+                 __func__, generated_uid);
+
+        lsc_crypt_flush(ctx);
+        g_free (generated_uid);
+        manage_option_cleanup ();
+        return -1;
+    }
+  set_current_encryption_key_uid (generated_uid);
+  printf ("Credential encryption key created: '%s'\n",
+          generated_uid);
+  g_message ("%s: Credential encryption key created: '%s'",
+             __func__, generated_uid);
+
+  lsc_crypt_flush(ctx);
+  g_free (generated_uid);
+  manage_option_cleanup ();
+  return 0;
+}
+
+/**
+ * @brief Sets the new default encryption key. The key must already exist.
+ *
+ * @param[in]  uid  UID of the encryption key.
+ *
+ * @return 0 on success, -1 on failure.
+ */
+int
+manage_set_encryption_key (GSList *log_config,
+                           const db_conn_info_t *database,
+                           const char *uid)
+{
+  int ret = manage_option_setup (log_config, database);
+  if (ret)
+    {
+      printf ("Error setting up log config or database connection.\n");
+      g_warning ("Error setting up log config or database connection.");
+      return -1;
+    }
+  
+  lsc_crypt_ctx_t ctx = lsc_crypt_new (uid);
+  if (! lsc_crypt_enckey_exists (ctx))
+    {
+      printf ("Credential encryption key '%s' not found\n", uid);
+      g_warning ("%s: Credential encryption key '%s' not found", __func__, uid);
+      lsc_crypt_flush(ctx);
+      manage_option_cleanup ();
+      return -1;
+    }
+
+  set_current_encryption_key_uid (uid);
+  printf ("Credential encryption key set to '%s'\n", uid);
+  g_message ("%s: Credential encryption key set to '%s'", __func__, uid);
+  lsc_crypt_flush(ctx);
+  manage_option_cleanup ();
+  return 0;
+}
+
+
 
 /* Credentials. */
 
diff --git a/src/manage.h b/src/manage.h
index 76e1c9129..f5b0838d5 100644
--- a/src/manage.h
+++ b/src/manage.h
@@ -201,6 +201,7 @@ authenticate (credentials_t*);
 
 void
 logout_user ();
+
 
 /* Database. */
 
@@ -234,6 +235,21 @@ manage_encrypt_all_credentials (GSList *, const db_conn_info_t *);
 int
 manage_decrypt_all_credentials (GSList *, const db_conn_info_t *);
 
+int
+manage_create_encryption_key (GSList *log_config,
+                              const db_conn_info_t *database);
+
+int
+manage_set_encryption_key (GSList *log_config,
+                           const db_conn_info_t *database,
+                           const char*);
+
+char *
+current_encryption_key_uid (gboolean);
+
+void
+set_current_encryption_key_uid (const char *new_uid);
+
 void
 manage_session_set_timezone (const char *);
 
diff --git a/src/manage_migrators.c b/src/manage_migrators.c
index bcefa9a22..d5c95db0b 100644
--- a/src/manage_migrators.c
+++ b/src/manage_migrators.c
@@ -2971,7 +2971,7 @@ migrate_250_to_251 ()
       char *secret;
       char *quoted;
       lsc_crypt_ctx_t crypt_ctx;
-      crypt_ctx = lsc_crypt_new ();
+      crypt_ctx = lsc_crypt_new (OLD_ENCRYPTION_KEY_UID);
 
       sql ("DELETE FROM meta WHERE name LIKE 'radius_key';");
       secret = lsc_crypt_encrypt (crypt_ctx, "secret_key", secret_key, NULL);
diff --git a/src/manage_sql.c b/src/manage_sql.c
index 6c580d94d..c5bb72419 100644
--- a/src/manage_sql.c
+++ b/src/manage_sql.c
@@ -6043,7 +6043,10 @@ encrypt_all_credentials (gboolean decrypt_flag)
                  "  WHERE credential = credentials.id"
                  "  AND type = 'private_key')"
                  " FROM credentials");
-  iterator.crypt_ctx = lsc_crypt_new ();
+
+  char *encryption_key_uid = current_encryption_key_uid (TRUE);
+  iterator.crypt_ctx = lsc_crypt_new (encryption_key_uid);
+  free (encryption_key_uid);
 
   sql_begin_immediate ();
 
@@ -6209,6 +6212,69 @@ manage_decrypt_all_credentials (GSList *log_config,
   return ret;
 }
 
+/**
+ * @brief Gets the UID of the currently configured encryption key.
+ *
+ * @param[in]  with_fallback  If TRUE, set and return old key UID if
+ *                            the key UID is undefined.
+ *
+ * @return The encryption key UID.
+ */
+char *
+current_encryption_key_uid (gboolean with_fallback)
+{
+  char *key_uid = sql_string ("SELECT value FROM meta"
+                              " WHERE name = 'encryption_key_uid';");
+
+  if (key_uid)
+    return key_uid;
+  
+  if (!with_fallback)
+    return NULL;
+
+  // Check if an old, fixed UID key exists
+  lsc_crypt_ctx_t ctx = lsc_crypt_new (OLD_ENCRYPTION_KEY_UID);
+  if (lsc_crypt_enckey_exists (ctx))
+    {
+      lsc_crypt_flush(ctx);
+      set_current_encryption_key_uid (OLD_ENCRYPTION_KEY_UID);
+      return strdup (OLD_ENCRYPTION_KEY_UID);
+    }
+  lsc_crypt_flush(ctx);
+
+  // Generate a new key UID
+  time_t now = time(NULL);
+  gchar *generated_uid
+    = g_strdup_printf (ENCRYPTION_KEY_UID_TEMPLATE, iso_time (&now));
+  set_current_encryption_key_uid (generated_uid);
+  key_uid = strdup (generated_uid);
+  g_free (generated_uid);
+  return key_uid;
+}
+
+
+/**
+ * @brief Sets the database field defining the encryption key UID.
+ *
+ * Note: This does not have any effects on any already created 
+ *       encryption contexts that may be using the old UID.
+ *
+ * @param[in]  new_uid  The new UID to set.
+ */
+void
+set_current_encryption_key_uid (const char *new_uid)
+{
+  gchar *quoted_new_uid = sql_quote (new_uid);
+  
+  sql ("INSERT INTO meta (name, value)"
+       " VALUES ('encryption_key_uid', '%s')"
+       " ON CONFLICT (name) DO UPDATE SET value = EXCLUDED.value;",
+       quoted_new_uid);
+
+  g_free (quoted_new_uid);
+}
+
+
 
 /* Collation. */
 
@@ -33913,7 +33979,9 @@ check_db_encryption_key ()
   lsc_crypt_ctx_t crypt_ctx;
   gchar *secret;
 
-  crypt_ctx = lsc_crypt_new ();
+  char *encryption_key_uid = current_encryption_key_uid (TRUE);
+  crypt_ctx = lsc_crypt_new (encryption_key_uid);
+  free (encryption_key_uid);
   /* The encryption layer creates the key if it does not exist. */
   secret = lsc_crypt_encrypt (crypt_ctx, "dummy", "dummy", NULL);
   lsc_crypt_release (crypt_ctx);
@@ -34407,7 +34475,9 @@ create_credential (const char* name, const char* comment, const char* login,
       if (!disable_encrypted_credentials)
         {
           gchar *secret;
-          crypt_ctx = lsc_crypt_new ();
+          char *encryption_key_uid = current_encryption_key_uid (TRUE);
+          crypt_ctx = lsc_crypt_new (encryption_key_uid);
+          free (encryption_key_uid);
           secret = lsc_crypt_encrypt (crypt_ctx,
                                       "password", given_password,
                                       "private_key", key_private, NULL);
@@ -34446,7 +34516,9 @@ create_credential (const char* name, const char* comment, const char* login,
       if (!disable_encrypted_credentials)
         {
           gchar *secret;
-          crypt_ctx = lsc_crypt_new ();
+          char *encryption_key_uid = current_encryption_key_uid (TRUE);
+          crypt_ctx = lsc_crypt_new (encryption_key_uid);
+          free (encryption_key_uid);
           secret = lsc_crypt_encrypt (crypt_ctx,
                                       "community", community,
                                       "password", given_password,
@@ -34488,7 +34560,9 @@ create_credential (const char* name, const char* comment, const char* login,
 
       if (!disable_encrypted_credentials)
         {
-          crypt_ctx = lsc_crypt_new ();
+          char *encryption_key_uid = current_encryption_key_uid (TRUE);
+          crypt_ctx = lsc_crypt_new (encryption_key_uid);
+          free (encryption_key_uid);
           gchar *secret = lsc_crypt_encrypt (crypt_ctx,
                                              "password", given_password,
                                              NULL);
@@ -34549,7 +34623,9 @@ create_credential (const char* name, const char* comment, const char* login,
     if (!disable_encrypted_credentials)
       {
         gchar *secret;
-        crypt_ctx = lsc_crypt_new ();
+        char *encryption_key_uid = current_encryption_key_uid (TRUE);
+        crypt_ctx = lsc_crypt_new (encryption_key_uid);
+        free (encryption_key_uid);
         if (generated_private_key)
           secret = lsc_crypt_encrypt (crypt_ctx,
                                       "password", generated_password,
@@ -35365,7 +35441,9 @@ credential_encrypted_value (credential_t credential, const char* value_name)
       gchar *secret;
       const char* decrypted;
       lsc_crypt_ctx_t crypt_ctx;
-      crypt_ctx = lsc_crypt_new ();
+      char *encryption_key_uid = current_encryption_key_uid (TRUE);
+      crypt_ctx = lsc_crypt_new (encryption_key_uid);
+      free (encryption_key_uid);
 
       secret = sql_string ("SELECT value FROM credentials_data"
                            " WHERE credential = %llu"
@@ -35496,7 +35574,9 @@ set_credential_password (credential_t credential, const char *password)
   if (!disable_encrypted_credentials)
     {
       gchar *encrypted_blob;
-      crypt_ctx = lsc_crypt_new ();
+      char *encryption_key_uid = current_encryption_key_uid (TRUE);
+      crypt_ctx = lsc_crypt_new (encryption_key_uid);
+      free (encryption_key_uid);
       encrypted_blob = lsc_crypt_encrypt (crypt_ctx,
                                           "password", password, NULL);
       if (!encrypted_blob)
@@ -35540,7 +35620,9 @@ set_credential_private_key (credential_t credential,
   if (!disable_encrypted_credentials)
     {
       gchar *encrypted_blob;
-      crypt_ctx = lsc_crypt_new ();
+      char *encryption_key_uid = current_encryption_key_uid (TRUE);
+      crypt_ctx = lsc_crypt_new (encryption_key_uid);
+      free (encryption_key_uid);
       encrypted_blob = lsc_crypt_encrypt (crypt_ctx,
                                           "private_key", private_key,
                                           "password", passphrase,
@@ -35603,7 +35685,9 @@ set_credential_snmp_secret (credential_t credential, const char* community,
   if (!disable_encrypted_credentials)
     {
       gchar *encrypted_blob;
-      crypt_ctx = lsc_crypt_new ();
+      char *encryption_key_uid = current_encryption_key_uid (TRUE);
+      crypt_ctx = lsc_crypt_new (encryption_key_uid);
+      free (encryption_key_uid);
       encrypted_blob = lsc_crypt_encrypt (crypt_ctx,
                                           "community", community,
                                           "password", password,
@@ -35728,7 +35812,11 @@ credential_iterator_encrypted_data (iterator_t* iterator, const char* type)
     {
       /* This is an encrypted credential.  */
       if (!iterator->crypt_ctx)
-        iterator->crypt_ctx = lsc_crypt_new ();
+        {
+          char *encryption_key_uid = current_encryption_key_uid (TRUE);
+          iterator->crypt_ctx = lsc_crypt_new (encryption_key_uid);
+          free (encryption_key_uid);
+        }
 
       return lsc_crypt_decrypt (iterator->crypt_ctx, secret, type);
     }
@@ -38747,7 +38835,9 @@ manage_create_scanner (GSList *log_config, const db_conn_info_t *database,
           lsc_crypt_ctx_t crypt_ctx;
           char *secret;
 
-          crypt_ctx = lsc_crypt_new ();
+          char *encryption_key_uid = current_encryption_key_uid (TRUE);
+          crypt_ctx = lsc_crypt_new (encryption_key_uid);
+          free (encryption_key_uid);
 
           secret = lsc_crypt_encrypt (crypt_ctx,
                                       "private_key", key_priv, NULL);
@@ -39051,7 +39141,9 @@ manage_modify_scanner (GSList *log_config, const db_conn_info_t *database,
               lsc_crypt_ctx_t crypt_ctx;
               char *secret;
 
-              crypt_ctx = lsc_crypt_new ();
+              char *encryption_key_uid = current_encryption_key_uid (TRUE);
+              crypt_ctx = lsc_crypt_new (encryption_key_uid);
+              free (encryption_key_uid);
 
               secret = lsc_crypt_encrypt (crypt_ctx,
                                           "private_key", key_priv, NULL);
@@ -39881,8 +39973,11 @@ scanner_iterator_key_priv (iterator_t* iterator)
     {
       const char *secret;
       if (!iterator->crypt_ctx)
-        iterator->crypt_ctx = lsc_crypt_new ();
-
+        {
+          char *encryption_key_uid = current_encryption_key_uid (TRUE);
+          iterator->crypt_ctx = lsc_crypt_new (encryption_key_uid);
+          free (encryption_key_uid);
+        }
       secret = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 9);
       private_key = lsc_crypt_get_private_key (iterator->crypt_ctx, secret);
     }
@@ -40209,7 +40304,9 @@ scanner_key_priv (scanner_t scanner)
     {
       gchar *secret;
       lsc_crypt_ctx_t crypt_ctx;
-      crypt_ctx = lsc_crypt_new ();
+      char *encryption_key_uid = current_encryption_key_uid (TRUE);
+      crypt_ctx = lsc_crypt_new (encryption_key_uid);
+      free (encryption_key_uid);
 
       secret = sql_string ("SELECT value FROM credentials_data"
                            " WHERE credential"
@@ -40268,7 +40365,9 @@ scanner_password (scanner_t scanner)
     {
       gchar *secret;
       lsc_crypt_ctx_t crypt_ctx;
-      crypt_ctx = lsc_crypt_new ();
+      char *encryption_key_uid = current_encryption_key_uid (TRUE);
+      crypt_ctx = lsc_crypt_new (encryption_key_uid);
+      free (encryption_key_uid);
 
       secret = sql_string ("SELECT credentials_data.value"
                            " FROM scanners, credentials_data"
@@ -53872,7 +53971,9 @@ manage_get_radius_info (int *enabled, char **host, char **key)
     {
       const char *decrypted;
       lsc_crypt_ctx_t crypt_ctx;
-      crypt_ctx = lsc_crypt_new ();
+      char *encryption_key_uid = current_encryption_key_uid (TRUE);
+      crypt_ctx = lsc_crypt_new (encryption_key_uid);
+      free (encryption_key_uid);
       decrypted = lsc_crypt_decrypt (crypt_ctx, secret, "secret_key");
       if (decrypted)
         *key = g_strdup (decrypted);
@@ -53917,7 +54018,9 @@ manage_set_radius_info (int enabled, gchar *host, gchar *key)
     {
       char *secret;
       lsc_crypt_ctx_t crypt_ctx;
-      crypt_ctx = lsc_crypt_new ();
+      char *encryption_key_uid = current_encryption_key_uid (TRUE);
+      crypt_ctx = lsc_crypt_new (encryption_key_uid);
+      free (encryption_key_uid);
 
       sql ("DELETE FROM meta WHERE name LIKE 'radius_key';");
       secret = lsc_crypt_encrypt (crypt_ctx, "secret_key", key, NULL);
@@ -53927,7 +54030,7 @@ manage_set_radius_info (int enabled, gchar *host, gchar *key)
           sql ("INSERT INTO meta (name, value) VALUES ('radius_key', '%s');",
                quoted);
           g_free (secret);
-	  secret = NULL;
+          secret = NULL;
           g_free (quoted);
         }
       lsc_crypt_release(crypt_ctx);

From 8b7e6d1ef4639590d01f14c00cd1a951adccd76a Mon Sep 17 00:00:00 2001
From: Timo Pollmeier <timo.pollmeier@greenbone.net>
Date: Thu, 13 Jul 2023 16:24:28 +0200
Subject: [PATCH 4/7] Fix: Handle more fields in encrypt_all_credentials

The function for encrypting or decrypting all credentials now also
handles the fields "community" and "privacy_password".
---
 src/lsc_crypt.c  | 66 ++++++++++++++++++++++++++++++++++++++++++++++++
 src/lsc_crypt.h  |  2 ++
 src/manage_sql.c | 60 ++++++++++++++++++++++++++++++++-----------
 3 files changed, 113 insertions(+), 15 deletions(-)

diff --git a/src/lsc_crypt.c b/src/lsc_crypt.c
index 5602e0573..e6dd20222 100644
--- a/src/lsc_crypt.c
+++ b/src/lsc_crypt.c
@@ -626,6 +626,72 @@ lsc_crypt_create_enckey (lsc_crypt_ctx_t ctx)
 
 
 
+/**
+ * @brief Encrypt a list of name/value pairs
+ *
+ * @param[in] ctx   The context
+ * @param[in] data  The GHashTable containing the plain text data
+ *                  using the name as key, value as value.
+ *
+ * @return A pointer to a freshly allocated string in base64 encoding.
+ *         Caller must free.  On error NULL is returned.
+ */
+char *
+lsc_crypt_encrypt_hashtable (lsc_crypt_ctx_t ctx, GHashTable *data)
+{
+  GString *stringbuf;
+  char *plaintext;
+  size_t plaintextlen;
+  char *ciphertext;
+  char *name, *value;
+  size_t len;
+
+  if (!ctx || !data)
+    return NULL;
+
+  /* Assuming a 2048 bit RSA ssh private key in PEM encoding, a buffer
+     with an initial size of 2k should be large enough.  */
+  stringbuf = g_string_sized_new (2048);
+  GHashTableIter iter;
+  g_hash_table_iter_init (&iter, data);
+
+  while (g_hash_table_iter_next (&iter,
+                                 (gpointer*)(&name),
+                                 (gpointer*)(&value)))
+    {
+      if (!value)
+        value = "";
+      len = strlen (name);
+      if (len)  /* We skip pairs with an empty name. */
+        {
+          put32 (stringbuf, len);
+          g_string_append (stringbuf, name);
+          len = strlen (value);
+          if (len > MAX_VALUE_LENGTH)
+            {
+              g_warning ("%s: value for '%s' larger than our limit (%d)",
+                         G_STRFUNC, name, MAX_VALUE_LENGTH);
+              g_string_free (stringbuf, TRUE);
+              return NULL;
+            }
+          put32 (stringbuf, len);
+          g_string_append (stringbuf, value);
+        }
+    }
+
+  plaintext = stringbuf->str;
+  plaintextlen = stringbuf->len;
+  g_string_free (stringbuf, FALSE);
+  g_assert (plaintextlen);
+
+  ciphertext = do_encrypt (ctx, plaintext, plaintextlen);
+  g_free (plaintext);
+
+  return ciphertext;
+}
+
+
+
 /**
  * @brief Encrypt a list of name/value pairs
  *
diff --git a/src/lsc_crypt.h b/src/lsc_crypt.h
index 63b021e81..fda8c74c1 100644
--- a/src/lsc_crypt.h
+++ b/src/lsc_crypt.h
@@ -70,6 +70,8 @@ gboolean lsc_crypt_enckey_exists (lsc_crypt_ctx_t);
 
 int lsc_crypt_create_enckey (lsc_crypt_ctx_t ctx);
 
+char *lsc_crypt_encrypt_hashtable (lsc_crypt_ctx_t, GHashTable*);
+
 char *lsc_crypt_encrypt (lsc_crypt_ctx_t,
                          const char *, ...) G_GNUC_NULL_TERMINATED;
 
diff --git a/src/manage_sql.c b/src/manage_sql.c
index c5bb72419..e8e498fab 100644
--- a/src/manage_sql.c
+++ b/src/manage_sql.c
@@ -6041,7 +6041,13 @@ encrypt_all_credentials (gboolean decrypt_flag)
                  "  AND type = 'password'),"
                  " (SELECT value FROM credentials_data"
                  "  WHERE credential = credentials.id"
-                 "  AND type = 'private_key')"
+                 "  AND type = 'private_key'),"
+                 " (SELECT value FROM credentials_data"
+                 "  WHERE credential = credentials.id"
+                 "  AND type = 'community'),"
+                 " (SELECT value FROM credentials_data"
+                 "  WHERE credential = credentials.id"
+                 "  AND type = 'privacy_password')"
                  " FROM credentials");
 
   char *encryption_key_uid = current_encryption_key_uid (TRUE);
@@ -6054,7 +6060,7 @@ encrypt_all_credentials (gboolean decrypt_flag)
   while (next (&iterator))
     {
       long long int rowid;
-      const char *secret, *password, *privkey;
+      const char *secret, *password, *privkey, *community, *privacy_password;
 
       ntotal++;
       if (!(ntotal % 10))
@@ -6064,9 +6070,11 @@ encrypt_all_credentials (gboolean decrypt_flag)
       secret   = iterator_string (&iterator, 1);
       password = iterator_string (&iterator, 2);
       privkey  = iterator_string (&iterator, 3);
+      community        = iterator_string (&iterator, 4);
+      privacy_password = iterator_string (&iterator, 5);
 
       /* If there is no secret, password or private key, skip the row.  */
-      if (!secret && !password && !privkey)
+      if (!secret && !password && !privkey && !privacy_password)
         continue;
 
       if (secret)
@@ -6074,9 +6082,13 @@ encrypt_all_credentials (gboolean decrypt_flag)
           lsc_crypt_flush (iterator.crypt_ctx);
           password = lsc_crypt_get_password (iterator.crypt_ctx, secret);
           privkey  = lsc_crypt_get_private_key (iterator.crypt_ctx, secret);
+          community        = lsc_crypt_decrypt (iterator.crypt_ctx,
+                                                secret, "community");
+          privacy_password = lsc_crypt_decrypt (iterator.crypt_ctx,
+                                                secret, "privacy_password");
 
-          /* If there is no password or private key, skip the row.  */
-          if (!password && !privkey)
+          /* If there is none of the expected secrets, skip the row.  */
+          if (!password && !privkey && !community && !privacy_password)
             continue;
 
           nreencrypted++;
@@ -6093,6 +6105,8 @@ encrypt_all_credentials (gboolean decrypt_flag)
         {
           set_credential_data (rowid, "password", password);
           set_credential_data (rowid, "private_key", privkey);
+          set_credential_data (rowid, "community", community);
+          set_credential_data (rowid, "privacy_password", privacy_password);
           set_credential_data (rowid, "secret", NULL);
           sql ("UPDATE credentials SET"
                " modification_time = m_now ()"
@@ -6101,18 +6115,32 @@ encrypt_all_credentials (gboolean decrypt_flag)
         }
       else
         {
+          GHashTable *plaintext_hashtable;
           char *encblob;
+          
+          plaintext_hashtable 
+            = g_hash_table_new_full (g_str_hash, g_str_equal, NULL, g_free);
 
-          if (password && privkey)
-            encblob = lsc_crypt_encrypt (iterator.crypt_ctx,
-                                         "password", password,
-                                         "private_key", privkey, NULL);
-          else if (password)
-            encblob = lsc_crypt_encrypt (iterator.crypt_ctx,
-                                         "password", password, NULL);
-          else
-            encblob = lsc_crypt_encrypt (iterator.crypt_ctx,
-                                         "private_key", privkey, NULL);
+          if (password)
+            g_hash_table_insert (plaintext_hashtable,
+                                 "password",
+                                 g_strdup (password));
+          if (privkey)
+            g_hash_table_insert (plaintext_hashtable,
+                                 "private_key",
+                                 g_strdup (privkey));
+          if (community)
+            g_hash_table_insert (plaintext_hashtable,
+                                 "community",
+                                 g_strdup (community));
+          if (privacy_password)
+            g_hash_table_insert (plaintext_hashtable,
+                                 "privacy_password",
+                                 g_strdup (privacy_password));
+
+          encblob = lsc_crypt_encrypt_hashtable (iterator.crypt_ctx,
+                                                 plaintext_hashtable);
+          g_hash_table_destroy (plaintext_hashtable);
 
           if (!encblob)
             {
@@ -6122,6 +6150,8 @@ encrypt_all_credentials (gboolean decrypt_flag)
             }
           set_credential_data (rowid, "password", NULL);
           set_credential_data (rowid, "private_key", NULL);
+          set_credential_data (rowid, "community", NULL);
+          set_credential_data (rowid, "privacy_password", NULL);
           set_credential_data (rowid, "secret", encblob);
           sql ("UPDATE credentials SET"
                " modification_time = m_now ()"

From e58d2210077af0f6b8a577993f1c0336ec5db229 Mon Sep 17 00:00:00 2001
From: Timo Pollmeier <timo.pollmeier@greenbone.net>
Date: Mon, 17 Jul 2023 15:48:14 +0200
Subject: [PATCH 5/7] Add: Add decryption/re-encryption of RADIUS key

The command line options for disabling credential encryption,
decrypting and (re-)encrypting credentials now also cover
the RADIUS secret key.
---
 src/manage.h     |   6 ++
 src/manage_sql.c | 226 +++++++++++++++++++++++++++++++++++++----------
 2 files changed, 187 insertions(+), 45 deletions(-)

diff --git a/src/manage.h b/src/manage.h
index f5b0838d5..fc5819434 100644
--- a/src/manage.h
+++ b/src/manage.h
@@ -3486,6 +3486,12 @@ manage_get_ldap_info (int *, gchar **, gchar **, int *, gchar **, int *);
 void
 manage_set_ldap_info (int, gchar *, gchar *, int, gchar *, int);
 
+char *
+get_radius_key (gboolean *);
+
+void
+set_radius_key (const char*, gboolean);
+
 void
 manage_get_radius_info (int *, char **, char **);
 
diff --git a/src/manage_sql.c b/src/manage_sql.c
index e8e498fab..23319e4b3 100644
--- a/src/manage_sql.c
+++ b/src/manage_sql.c
@@ -6173,12 +6173,72 @@ encrypt_all_credentials (gboolean decrypt_flag)
 }
 
 /**
- * @brief Encrypt or re-encrypt all credentials
+ * @brief Encrypt, re-encrypt or decrypt all auth settings.
  *
- * All plaintext credentials in the credentials table are
- * encrypted, all already encrypted credentials are encrypted again
+ * All plaintext settings in the meta table are
+ * encrypted, all already encrypted settings are encrypted again
  * using the latest key.
  *
+ * @param[in] decrypt_flag  If true decrypt all settings.
+ *
+ * @return 0 success, -1 error.
+ */
+static int
+encrypt_all_auth_settings (gboolean decrypt_flag)
+{
+  unsigned long ntotal, nencrypted, nreencrypted, ndecrypted;
+  char *radius_key = NULL;
+  gboolean radius_key_encrypted;
+  ntotal = ndecrypted = nencrypted = nreencrypted = 0;
+  
+  sql_begin_immediate ();
+
+  radius_key = get_radius_key (&radius_key_encrypted);
+  if (radius_key && strcmp (radius_key, ""))
+    {
+      ntotal ++;
+
+      if (decrypt_flag)
+        {
+          if (radius_key_encrypted)
+            ndecrypted ++;
+        }
+      else
+        {
+          if (radius_key_encrypted)
+            nreencrypted ++;
+          else
+            nencrypted ++;
+        }
+
+      set_radius_key (radius_key, decrypt_flag == FALSE);
+    }
+  free (radius_key);
+
+  sql_commit ();
+
+  if (ntotal)
+    {
+      if (decrypt_flag)
+        g_message ("%lu out of %lu auth settings decrypted",
+                  ndecrypted, ntotal);
+      else
+        g_message ("%lu out of %lu auth settings encrypted and %lu re-encrypted",
+                  nencrypted, ntotal, nreencrypted);
+    }
+  else
+    g_message ("No auth settings to encrypt or decrypt");
+
+  return 0;
+}
+
+/**
+ * @brief Encrypt or re-encrypt all credentials and auth settings
+ *
+ * All plaintext credentials and auth settings are
+ * encrypted, all already encrypted credentials and auth settings
+ * are encrypted again using the latest key.
+ *
  * @param[in] log_config    Log configuration.
  * @param[in] database      Location of manage database.
  *
@@ -6199,6 +6259,14 @@ manage_encrypt_all_credentials (GSList *log_config,
     return ret;
 
   ret = encrypt_all_credentials (FALSE);
+  if (ret)
+    {
+      printf ("Encryption failed.\n");
+      manage_option_cleanup ();
+      return ret;
+    }
+
+  ret = encrypt_all_auth_settings (FALSE);
   if (ret)
     printf ("Encryption failed.\n");
   else
@@ -6210,7 +6278,7 @@ manage_encrypt_all_credentials (GSList *log_config,
 }
 
 /**
- * @brief Decrypt all credentials
+ * @brief Decrypt all credentials and auth settings
  *
  * @param[in] log_config    Log configuration.
  * @param[in] database      Location of manage database.
@@ -6232,6 +6300,14 @@ manage_decrypt_all_credentials (GSList *log_config,
     return ret;
 
   ret = encrypt_all_credentials (TRUE);
+  if (ret)
+    {
+      printf ("Decryption failed.\n");
+      manage_option_cleanup ();
+      return ret;
+    }
+
+  ret = encrypt_all_auth_settings (TRUE);
   if (ret)
     printf ("Decryption failed.\n");
   else
@@ -53975,6 +54051,102 @@ manage_set_ldap_info (int enabled, gchar *host, gchar *authdn,
   sql_commit ();
 }
 
+/**
+ * @brief Gets the current RADIUS secret key.
+ *
+ * @param[out] is_encrypted_ret  Whether the key is encrypted. NULL to ignore.
+ * 
+ * @return Freshly allocated RADIUS secret key.
+ */
+char *
+get_radius_key (gboolean *is_encrypted)
+{
+  gchar *key = NULL, *secret;
+
+  if (sql_int64_0 ("SELECT value FROM meta"
+                   " WHERE name = 'radius_key_is_unencrypted'"))
+    {
+      if (is_encrypted)
+        *is_encrypted = FALSE;
+      key = sql_string ("SELECT value FROM meta"
+                        " WHERE name = 'radius_key';");
+    }
+  else
+    {
+      if (is_encrypted)
+        *is_encrypted = TRUE;
+      secret = sql_string ("SELECT value FROM meta"
+                           " WHERE name = 'radius_key';");
+      if (!secret)
+        key = strdup ("");
+      else
+        {
+          const char *decrypted;
+          lsc_crypt_ctx_t crypt_ctx;
+          char *encryption_key_uid = current_encryption_key_uid (TRUE);
+          crypt_ctx = lsc_crypt_new (encryption_key_uid);
+          free (encryption_key_uid);
+          decrypted = lsc_crypt_decrypt (crypt_ctx, secret, "secret_key");
+          if (decrypted)
+            key = strdup (decrypted);
+          else
+            key = strdup ("");
+          lsc_crypt_release (crypt_ctx);
+          g_free (secret);
+        }
+    }
+    
+  return key;
+}
+
+/**
+ * @brief Set RADIUS key.
+ *
+ * @param[in]  key        Secret key.
+ * @param[in]  encrypt    Whether to encrypt the key.
+ */
+void
+set_radius_key (const char *key, gboolean encrypt)
+{
+  char *quoted;
+  char *secret;
+  lsc_crypt_ctx_t crypt_ctx;
+  char *encryption_key_uid = current_encryption_key_uid (TRUE);
+  crypt_ctx = lsc_crypt_new (encryption_key_uid);
+  free (encryption_key_uid);
+
+  if (encrypt == FALSE)
+    {
+      quoted = sql_quote (key);
+      sql ("INSERT INTO meta (name, value)"
+            " VALUES ('radius_key', '%s')"
+            " ON CONFLICT (name) DO UPDATE SET value = EXCLUDED.value;",
+            quoted);
+      sql ("INSERT INTO meta (name, value)"
+            " VALUES ('radius_key_is_unencrypted', '1')"
+            " ON CONFLICT (name) DO UPDATE SET value = EXCLUDED.value;");
+    }
+  else
+    {
+      secret = lsc_crypt_encrypt (crypt_ctx, "secret_key", key, NULL);
+      if (secret)
+        {
+          quoted = sql_quote (secret);
+          sql ("INSERT INTO meta (name, value)"
+                " VALUES ('radius_key', '%s')"
+                " ON CONFLICT (name) DO UPDATE SET value = EXCLUDED.value;",
+                quoted);
+          g_free (secret);
+          secret = NULL;
+          g_free (quoted);
+        }
+      lsc_crypt_release(crypt_ctx);
+      sql ("INSERT INTO meta (name, value)"
+            " VALUES ('radius_key_is_unencrypted', '0')"
+            " ON CONFLICT (name) DO UPDATE SET value = EXCLUDED.value;");
+    }
+}
+
 /**
  * @brief Get RADIUS info.
  *
@@ -53985,8 +54157,6 @@ manage_set_ldap_info (int enabled, gchar *host, gchar *authdn,
 void
 manage_get_radius_info (int *enabled, char **host, char **key)
 {
-  char *secret;
-
   if (enabled)
     *enabled = radius_auth_enabled ();
 
@@ -53994,32 +54164,15 @@ manage_get_radius_info (int *enabled, char **host, char **key)
   if (!*host)
     *host = g_strdup ("127.0.0.1");
 
-  secret = sql_string ("SELECT value FROM meta WHERE name = 'radius_key';");
-  if (!secret)
-    *key = g_strdup ("");
-  else
-    {
-      const char *decrypted;
-      lsc_crypt_ctx_t crypt_ctx;
-      char *encryption_key_uid = current_encryption_key_uid (TRUE);
-      crypt_ctx = lsc_crypt_new (encryption_key_uid);
-      free (encryption_key_uid);
-      decrypted = lsc_crypt_decrypt (crypt_ctx, secret, "secret_key");
-      if (decrypted)
-        *key = g_strdup (decrypted);
-      else
-        *key = g_strdup ("");
-      lsc_crypt_release (crypt_ctx);
-      g_free (secret);
-    }
+  *key = get_radius_key (NULL);
 }
 
 /**
  * @brief Set RADIUS info.
  *
- * @param[out]  enabled    Whether RADIUS is enabled. -1 to keep current value.
- * @param[out]  host       RADIUS host. NULL to keep current value.
- * @param[out]  key        Secret key.  NULL to keep current value.
+ * @param[in]  enabled    Whether RADIUS is enabled. -1 to keep current value.
+ * @param[in]  host       RADIUS host. NULL to keep current value.
+ * @param[in]  key        Secret key.  NULL to keep current value.
  */
 void
 manage_set_radius_info (int enabled, gchar *host, gchar *key)
@@ -54046,24 +54199,7 @@ manage_set_radius_info (int enabled, gchar *host, gchar *key)
 
   if (key && strlen (key))
     {
-      char *secret;
-      lsc_crypt_ctx_t crypt_ctx;
-      char *encryption_key_uid = current_encryption_key_uid (TRUE);
-      crypt_ctx = lsc_crypt_new (encryption_key_uid);
-      free (encryption_key_uid);
-
-      sql ("DELETE FROM meta WHERE name LIKE 'radius_key';");
-      secret = lsc_crypt_encrypt (crypt_ctx, "secret_key", key, NULL);
-      if (secret)
-        {
-          quoted = sql_quote (secret);
-          sql ("INSERT INTO meta (name, value) VALUES ('radius_key', '%s');",
-               quoted);
-          g_free (secret);
-          secret = NULL;
-          g_free (quoted);
-        }
-      lsc_crypt_release(crypt_ctx);
+      set_radius_key (key, disable_encrypted_credentials == FALSE);
     }
 
   sql_commit ();

From 1f9359a8226c98b14101fd56cfa8a2393fe224f2 Mon Sep 17 00:00:00 2001
From: Timo Pollmeier <timo.pollmeier@greenbone.net>
Date: Tue, 18 Jul 2023 14:38:24 +0200
Subject: [PATCH 6/7] Change: Lock table for each auto-deleted report
 individually

The auto_delete_reports function no longer keeps the access exclusive
lock on the reports table for the entire loop over the reports, but
instead acquires and releases the lock for each report to delete.

This gives other processes, like ones deleting reports manually, a
better chance to acquire the lock on the reports table.
---
 src/manage_sql.c | 75 ++++++++++++++++++++++++++++++++----------------
 1 file changed, 50 insertions(+), 25 deletions(-)

diff --git a/src/manage_sql.c b/src/manage_sql.c
index 6c580d94d..d8ba2e72d 100644
--- a/src/manage_sql.c
+++ b/src/manage_sql.c
@@ -18917,15 +18917,7 @@ auto_delete_reports ()
 
   g_debug ("%s", __func__);
 
-  sql_begin_immediate ();
-
-  /* As in delete_report, this prevents other processes from getting the
-   * report ID. */
-  if (sql_int ("SELECT try_exclusive_lock('reports');") == 0)
-    {
-      sql_rollback ();
-      return;
-    }
+  GArray *reports_to_delete = g_array_new (TRUE, TRUE, sizeof(report_t));
 
   init_iterator (&tasks,
                  "SELECT id, name,"
@@ -18970,31 +18962,64 @@ auto_delete_reports ()
                      keep);
       while (next (&reports))
         {
-          int ret;
           report_t report;
 
           report = iterator_int64 (&reports, 0);
           assert (report);
 
-          g_debug ("%s: delete %llu", __func__, report);
-          ret = delete_report_internal (report);
-          if (ret == 2)
-            {
-              /* Report is in use. */
-              g_debug ("%s: %llu is in use", __func__, report);
-              continue;
-            }
-          if (ret)
-            {
-              g_warning ("%s: failed to delete %llu (%i)",
-                         __func__, report, ret);
-              sql_rollback ();
-            }
+          g_debug ("%s: %llu to be deleted", __func__, report);
+
+          g_array_append_val (reports_to_delete, report);
         }
       cleanup_iterator (&reports);
     }
   cleanup_iterator (&tasks);
-  sql_commit ();
+
+  for (int i = 0; i < reports_to_delete->len; i++)
+    {
+      int ret;
+      report_t report = g_array_index (reports_to_delete, report_t, i);
+      
+      sql_begin_immediate ();
+
+      /* As in delete_report, this prevents other processes from getting the
+       * report ID. */
+      if (sql_int ("SELECT try_exclusive_lock('reports');") == 0)
+        {
+          g_debug ("%s: could not acquire lock on reports table", __func__);
+          sql_rollback ();
+          g_array_free (reports_to_delete, TRUE);
+          return;
+        }
+
+      /* Check if report still exists in case another process has deleted it
+       *  in the meantime. */
+      if (sql_int ("SELECT count(*) FROM reports WHERE id = %llu",
+                    report) == 0)
+        {
+          g_debug ("%s: %llu no longer exists", __func__, report);
+          sql_rollback ();
+          continue;
+        }
+
+      g_debug ("%s: deleting report %llu", __func__, report);
+      ret = delete_report_internal (report);
+      if (ret == 2)
+        {
+          /* Report is in use. */
+          g_debug ("%s: %llu is in use", __func__, report);
+          continue;
+        }
+      if (ret)
+        {
+          g_warning ("%s: failed to delete %llu (%i)",
+                      __func__, report, ret);
+          sql_rollback ();
+          continue;
+        }
+      sql_commit ();
+    }
+  g_array_free (reports_to_delete, TRUE);
 }
 
 

From bbebfae4ab270c5682b9cc6333a08075217ecd84 Mon Sep 17 00:00:00 2001
From: Timo Pollmeier <timo.pollmeier@greenbone.net>
Date: Fri, 21 Jul 2023 10:08:54 +0200
Subject: [PATCH 7/7] Add missing sql_rollback in auto_delete_reports

---
 src/manage_sql.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/manage_sql.c b/src/manage_sql.c
index d8ba2e72d..5f76b0d90 100644
--- a/src/manage_sql.c
+++ b/src/manage_sql.c
@@ -19008,6 +19008,7 @@ auto_delete_reports ()
         {
           /* Report is in use. */
           g_debug ("%s: %llu is in use", __func__, report);
+          sql_rollback ();
           continue;
         }
       if (ret)