From 705c6c2569b88970bcdc2af08c2f3ca25c87c39b Mon Sep 17 00:00:00 2001 From: Timo Pollmeier Date: Tue, 26 Nov 2024 10:12:32 +0100 Subject: [PATCH 1/4] Fix: Avoid DB check inserts in cleanup-sequences When running gvmd with the --optimize=cleanup-sequences option, the database checks during initialization will avoid most inserts. Setting database_version and max_hosts in the meta table now uses INSERT ... ON CONFLICT instead of deleting the previous entry. Skipping the inserts prevents the cleanup failing if one of the sequence has already run out of ids. The change to the meta table update reduces the risk of the meta table id sequence running out. --- src/manage.c | 9 +- src/manage.h | 2 +- src/manage_sql.c | 142 ++++++++++++++++++++++---------- src/manage_sql.h | 2 +- src/manage_sql_configs.c | 7 +- src/manage_sql_configs.h | 2 +- src/manage_sql_nvts.c | 6 +- src/manage_sql_port_lists.c | 7 +- src/manage_sql_report_formats.c | 11 ++- src/manage_sql_report_formats.h | 2 +- src/manage_sql_secinfo.c | 3 +- 11 files changed, 135 insertions(+), 58 deletions(-) diff --git a/src/manage.c b/src/manage.c index c194bae68..f9e0899c4 100644 --- a/src/manage.c +++ b/src/manage.c @@ -978,7 +978,8 @@ int manage_create_encryption_key (GSList *log_config, const db_conn_info_t *database) { - int ret = manage_option_setup (log_config, database); + int ret = manage_option_setup (log_config, database, + 0 /* avoid_db_check_inserts */); if (ret) { printf ("Error setting up log config or database connection."); @@ -1042,7 +1043,8 @@ manage_set_encryption_key (GSList *log_config, const db_conn_info_t *database, const char *uid) { - int ret = manage_option_setup (log_config, database); + int ret = manage_option_setup (log_config, database, + 0 /* avoid_db_check_inserts */); if (ret) { printf ("Error setting up log config or database connection.\n"); @@ -5707,7 +5709,8 @@ manage_rebuild_gvmd_data_from_feed (const char *types, return -1; } - ret = manage_option_setup (log_config, database); + ret = manage_option_setup (log_config, database, + 0 /* avoid_db_check_inserts */); if (ret) { if (error_msg) diff --git a/src/manage.h b/src/manage.h index 0285d708d..8882d7a52 100644 --- a/src/manage.h +++ b/src/manage.h @@ -127,7 +127,7 @@ init_manage (GSList*, const db_conn_info_t *, int, int, int, int, manage_connection_forker_t, int); int -init_manage_helper (GSList *, const db_conn_info_t *, int); +init_manage_helper (GSList *, const db_conn_info_t *, int, int); void init_manage_process (const db_conn_info_t*); diff --git a/src/manage_sql.c b/src/manage_sql.c index 945ae9aa0..6e653b13d 100644 --- a/src/manage_sql.c +++ b/src/manage_sql.c @@ -930,13 +930,15 @@ cert_check_time () * * @param[in] log_config Log configuration. * @param[in] database Database. + * @param[in] avoid_db_check_inserts Whether to avoid inserts in DB check. * * @return 0 success, -1 error, -2 database is too old, * -3 database needs to be initialised from server, * -5 database is too new. */ int -manage_option_setup (GSList *log_config, const db_conn_info_t *database) +manage_option_setup (GSList *log_config, const db_conn_info_t *database, + int avoid_db_check_inserts) { int ret; @@ -947,7 +949,8 @@ manage_option_setup (GSList *log_config, const db_conn_info_t *database) } ret = init_manage_helper (log_config, database, - MANAGE_ABSOLUTE_MAX_IPS_PER_TARGET); + MANAGE_ABSOLUTE_MAX_IPS_PER_TARGET, + avoid_db_check_inserts); assert (ret != -4); switch (ret) { @@ -6159,10 +6162,9 @@ manage_cert_db_version () void set_db_version (int version) { - sql ("DELETE FROM %s.meta WHERE name = 'database_version';", - sql_schema ()); sql ("INSERT INTO %s.meta (name, value)" - " VALUES ('database_version', '%i');", + " VALUES ('database_version', '%i')" + " ON CONFLICT (name) DO UPDATE SET value = EXCLUDED.value;", sql_schema (), version); } @@ -6408,7 +6410,8 @@ manage_encrypt_all_credentials (GSList *log_config, g_info (" (Re-)encrypting all credentials."); - ret = manage_option_setup (log_config, database); + ret = manage_option_setup (log_config, database, + 0 /* avoid_db_check_inserts */); if (ret) return ret; @@ -6449,7 +6452,8 @@ manage_decrypt_all_credentials (GSList *log_config, g_info (" Decrypting all credentials."); - ret = manage_option_setup (log_config, database); + ret = manage_option_setup (log_config, database, + 0 /* avoid_db_check_inserts */); if (ret) return ret; @@ -6712,7 +6716,8 @@ manage_check_alerts (GSList *log_config, const db_conn_info_t *database) g_info (" Checking alerts."); - ret = manage_option_setup (log_config, database); + ret = manage_option_setup (log_config, database, + 0 /* avoid_db_check_inserts */); if (ret) return ret; @@ -15835,11 +15840,16 @@ manage_update_nvti_cache () /** * @brief Ensure the predefined scanner exists. * + * @param[in] avoid_db_check_inserts Whether to avoid inserts. + * * @return 0 if success, -1 if error. */ static int -check_db_scanners () +check_db_scanners (int avoid_db_check_inserts) { + if (avoid_db_check_inserts) + return 0; + if (sql_int ("SELECT count(*) FROM scanners WHERE uuid = '%s';", SCANNER_UUID_DEFAULT) == 0) { @@ -15868,11 +15878,16 @@ check_db_scanners () /** * @brief Initialize the default settings. * + * @param[in] avoid_db_check_inserts Whether to avoid inserts. + * * Ensure all the default manager settings exist. */ static void -check_db_settings () +check_db_settings (int avoid_db_check_inserts) { + if (avoid_db_check_inserts) + return; + if (sql_int ("SELECT count(*) FROM settings" " WHERE uuid = '6765549a-934e-11e3-b358-406186ea4fc5'" " AND " ACL_IS_GLOBAL () ";") @@ -16219,10 +16234,15 @@ check_db_versions () /** * @brief Ensures the sanity of nvts cache in DB. + * + * @param[in] avoid_db_check_inserts Whether to avoid inserts. */ static void -check_db_nvt_selectors () +check_db_nvt_selectors (int avoid_db_check_inserts) { + if (avoid_db_check_inserts) + return; + /* Ensure every part of the predefined selector exists. * This restores entries lost due to the error solved 2010-08-13 by r8805. */ if (sql_int ("SELECT count(*) FROM nvt_selectors WHERE name =" @@ -16359,10 +16379,15 @@ add_permissions_on_globals (const gchar *role_uuid) /** * @brief Ensure the predefined permissions exists. + * + * @param[in] avoid_db_check_inserts Whether to avoid inserts. */ static void -check_db_permissions () +check_db_permissions (int avoid_db_check_inserts) { + if (avoid_db_check_inserts) + return; + command_t *command; if (sql_int ("SELECT count(*) FROM permissions" @@ -16521,10 +16546,15 @@ check_db_permissions () /** * @brief Ensure the predefined roles exists. + * + * @param[in] avoid_db_check_inserts Whether to avoid inserts. */ static void -check_db_roles () +check_db_roles (int avoid_db_check_inserts) { + if (avoid_db_check_inserts) + return; + if (sql_int ("SELECT count(*) FROM roles WHERE uuid = '" ROLE_UUID_ADMIN "';") == 0) sql ("INSERT INTO roles" @@ -16680,11 +16710,11 @@ manage_migrate_relay_sensors () * Only called by init_manage_internal, and ultimately only by the main process. * * @param[in] check_encryption_key Whether to check encryption key. - * + * @param[in] avoid_db_check_inserts Whether to avoid inserts in DB check. * @return 0 success, -1 error. */ static int -check_db (int check_encryption_key) +check_db (int check_encryption_key, int avoid_db_check_inserts) { /* The file locks managed at startup ensure that this is the only Manager * process accessing the db. Nothing else should be accessing the db, access @@ -16695,19 +16725,19 @@ check_db (int check_encryption_key) create_tables (); check_db_sequences (); set_db_version (GVMD_DATABASE_VERSION); - check_db_roles (); - check_db_nvt_selectors (); + check_db_roles (avoid_db_check_inserts); + check_db_nvt_selectors (avoid_db_check_inserts); check_db_nvts (); - check_db_port_lists (); + check_db_port_lists (avoid_db_check_inserts); clean_auth_cache (); - if (check_db_scanners ()) + if (check_db_scanners (avoid_db_check_inserts)) goto fail; - if (check_db_report_formats ()) + if (check_db_report_formats (avoid_db_check_inserts)) goto fail; if (check_db_report_formats_trash ()) goto fail; - check_db_permissions (); - check_db_settings (); + check_db_permissions (avoid_db_check_inserts); + check_db_settings (avoid_db_check_inserts); cleanup_schedule_times (); if (check_encryption_key && check_db_encryption_key ()) goto fail; @@ -16874,6 +16904,7 @@ cleanup_tables () * with GMP when an alert occurs. * @param[in] skip_db_check Skip DB check. * @param[in] check_encryption_key Check encryption key if doing DB check. + * @param[in] avoid_db_check_inserts Whether to avoid inserts in DB check. * * @return 0 success, -1 error, -2 database is too old, * -4 max_ips_per_target out of range, -5 database is too new. @@ -16888,7 +16919,8 @@ init_manage_internal (GSList *log_config, int stop_tasks, manage_connection_forker_t fork_connection, int skip_db_check, - int check_encryption_key) + int check_encryption_key, + int avoid_db_check_inserts) { int ret; @@ -16974,7 +17006,7 @@ init_manage_internal (GSList *log_config, * 2 a helper processes (--create-user, --get-users, etc) when the * main process is not running. */ - ret = check_db (check_encryption_key); + ret = check_db (check_encryption_key, avoid_db_check_inserts); if (ret) return ret; @@ -16982,8 +17014,10 @@ init_manage_internal (GSList *log_config, /* Set max_hosts in db, so database server side can access it. */ - sql ("DELETE FROM meta WHERE name = 'max_hosts';"); - sql ("INSERT INTO meta (name, value) VALUES ('max_hosts', %i);", max_hosts); + sql ("INSERT INTO meta (name, value)" + " VALUES ('max_hosts', %i)" + " ON CONFLICT (name) DO UPDATE SET value = EXCLUDED.value;", + max_hosts); } if (stop_tasks) @@ -16997,7 +17031,7 @@ init_manage_internal (GSList *log_config, if (skip_db_check == 0) /* Requires NVT cache. */ - check_db_configs (); + check_db_configs (avoid_db_check_inserts); sql_close (); gvmd_db_conn_info.name = database->name ? g_strdup (database->name) : NULL; @@ -17051,7 +17085,8 @@ init_manage (GSList *log_config, const db_conn_info_t *database, 1, /* Stop active tasks. */ fork_connection, skip_db_check, - 1); /* Check encryption key if checking db. */ + 1, /* Check encryption key if checking db. */ + 0 /* Do not avoid inserts if checking db. */); } /** @@ -17063,7 +17098,8 @@ init_manage (GSList *log_config, const db_conn_info_t *database, * * @param[in] log_config Log configuration. * @param[in] database Location of database. - * @param[in] max_ips_per_target Max number of IPs per target. + * @param[in] max_ips_per_target Max number of IPs per target. + * @param[in] avoid_db_check_inserts Whether to avoid inserts in DB check. * * @return 0 success, -1 error, -2 database is too old, -3 database needs * to be initialised from server, -4 max_ips_per_target out of range, @@ -17071,7 +17107,7 @@ init_manage (GSList *log_config, const db_conn_info_t *database, */ int init_manage_helper (GSList *log_config, const db_conn_info_t *database, - int max_ips_per_target) + int max_ips_per_target, int avoid_db_check_inserts) { return init_manage_internal (log_config, database, @@ -17088,7 +17124,8 @@ init_manage_helper (GSList *log_config, const db_conn_info_t *database, lockfile_locked ("gvm-serving") ? 1 /* Skip DB check. */ : 0, /* Do DB check. */ - 0); /* Dummy. */ + 0, /* Dummy. */ + avoid_db_check_inserts); } /** @@ -40245,7 +40282,8 @@ manage_create_scanner (GSList *log_config, const db_conn_info_t *database, g_info (" Creating scanner."); - ret = manage_option_setup (log_config, database); + ret = manage_option_setup (log_config, database, + 0 /* avoid_db_check_inserts */); if (ret) return ret; @@ -40434,7 +40472,8 @@ manage_delete_scanner (GSList *log_config, const db_conn_info_t *database, return 3; } - ret = manage_option_setup (log_config, database); + ret = manage_option_setup (log_config, database, + 0 /* avoid_db_check_inserts */); if (ret) return ret; @@ -40502,7 +40541,8 @@ manage_modify_scanner (GSList *log_config, const db_conn_info_t *database, g_info (" Modifying scanner."); - ret = manage_option_setup (log_config, database); + ret = manage_option_setup (log_config, database, + 0 /* avoid_db_check_inserts */); if (ret) return ret; @@ -40721,7 +40761,8 @@ manage_verify_scanner (GSList *log_config, const db_conn_info_t *database, g_info (" Verifying scanner."); - ret = manage_option_setup (log_config, database); + ret = manage_option_setup (log_config, database, + 0 /* avoid_db_check_inserts */); if (ret) return ret; @@ -42206,7 +42247,8 @@ manage_get_scanners (GSList *log_config, const db_conn_info_t *database) g_info (" Getting scanners."); - ret = manage_option_setup (log_config, database); + ret = manage_option_setup (log_config, database, + 0 /* avoid_db_check_inserts */); if (ret) return ret; @@ -46145,7 +46187,8 @@ manage_get_roles (GSList *log_config, const db_conn_info_t *database, g_info (" Getting roles."); - ret = manage_option_setup (log_config, database); + ret = manage_option_setup (log_config, database, + 0 /* avoid_db_check_inserts */); if (ret) return ret; @@ -52790,7 +52833,8 @@ manage_modify_setting (GSList *log_config, const db_conn_info_t *database, return 3; } - ret = manage_option_setup (log_config, database); + ret = manage_option_setup (log_config, database, + 0 /* avoid_db_check_inserts */); if (ret) return ret; @@ -52944,7 +52988,8 @@ manage_create_user (GSList *log_config, const db_conn_info_t *database, g_info (" Creating user."); - ret = manage_option_setup (log_config, database); + ret = manage_option_setup (log_config, database, + 0 /* avoid_db_check_inserts */); if (ret) return ret; @@ -53034,7 +53079,8 @@ manage_delete_user (GSList *log_config, const db_conn_info_t *database, g_info (" Deleting user."); - ret = manage_option_setup (log_config, database); + ret = manage_option_setup (log_config, database, + 0 /* avoid_db_check_inserts */); if (ret) return ret; @@ -53099,7 +53145,8 @@ manage_get_users (GSList *log_config, const db_conn_info_t *database, g_info (" Getting users."); - ret = manage_option_setup (log_config, database); + ret = manage_option_setup (log_config, database, + 0 /* avoid_db_check_inserts */); if (ret) return ret; @@ -53203,7 +53250,8 @@ manage_set_password (GSList *log_config, const db_conn_info_t *database, return -1; } - ret = manage_option_setup (log_config, database); + ret = manage_option_setup (log_config, database, + 0 /* avoid_db_check_inserts */); if (ret) return ret; @@ -58214,7 +58262,15 @@ manage_optimize (GSList *log_config, const db_conn_info_t *database, return 1; } - ret = manage_option_setup (log_config, database); + int avoid_db_check_inserts = 0; + /* The optimize=cleanup-sequences option may be used if a sequence has + * already reached its maximum value, so avoid any inserts that may cause + * a sequence maximum error. * + */ + if (strcasecmp (name, "cleanup-sequences") == 0) + avoid_db_check_inserts = 1; + + ret = manage_option_setup (log_config, database, avoid_db_check_inserts); if (ret) return ret; diff --git a/src/manage_sql.h b/src/manage_sql.h index c98e15adc..d24868e61 100644 --- a/src/manage_sql.h +++ b/src/manage_sql.h @@ -448,7 +448,7 @@ void check_alerts (); int -manage_option_setup (GSList *, const db_conn_info_t *); +manage_option_setup (GSList *, const db_conn_info_t *, int); void manage_option_cleanup (); diff --git a/src/manage_sql_configs.c b/src/manage_sql_configs.c index 28e2bb10e..07e25734e 100644 --- a/src/manage_sql_configs.c +++ b/src/manage_sql_configs.c @@ -4532,12 +4532,17 @@ update_config (config_t config, const gchar *name, /** * @brief Check configs, for startup. + * + * @param[in] avoid_db_check_inserts Whether to avoid inserts. */ void -check_db_configs () +check_db_configs (int avoid_db_check_inserts) { migrate_predefined_configs (); + if (avoid_db_check_inserts) + return; + if (sync_configs_with_feed (FALSE) <= -1) g_warning ("%s: Failed to sync configs with feed", __func__); diff --git a/src/manage_sql_configs.h b/src/manage_sql_configs.h index 888d4e4fb..901878423 100644 --- a/src/manage_sql_configs.h +++ b/src/manage_sql_configs.h @@ -97,7 +97,7 @@ update_config (config_t, const gchar *, const gchar *, const gchar *, int, const array_t*, const array_t*, const gchar *); void -check_db_configs (); +check_db_configs (int); void check_whole_only_in_configs (); diff --git a/src/manage_sql_nvts.c b/src/manage_sql_nvts.c index 04e9cf3c8..73aab286c 100644 --- a/src/manage_sql_nvts.c +++ b/src/manage_sql_nvts.c @@ -2654,7 +2654,8 @@ manage_rebuild (GSList *log_config, const db_conn_info_t *database) return -1; } - ret = manage_option_setup (log_config, database); + ret = manage_option_setup (log_config, database, + 0 /* avoid_db_check_inserts */); if (ret) { feed_lockfile_unlock (&lockfile); @@ -2727,7 +2728,8 @@ manage_dump_vt_verification (GSList *log_config, return -1; } - ret = manage_option_setup (log_config, database); + ret = manage_option_setup (log_config, database, + 0 /* avoid_db_check_inserts */); if (ret) { feed_lockfile_unlock (&lockfile); diff --git a/src/manage_sql_port_lists.c b/src/manage_sql_port_lists.c index c24abaea6..b56b9fcc2 100644 --- a/src/manage_sql_port_lists.c +++ b/src/manage_sql_port_lists.c @@ -2652,12 +2652,17 @@ update_port_list (port_list_t port_list, const gchar *name, /** * @brief Check port lists, for startup. + * + * @param[in] avoid_db_check_inserts Whether to avoid inserts. */ void -check_db_port_lists () +check_db_port_lists (int avoid_db_check_inserts) { migrate_predefined_port_lists (); + if (avoid_db_check_inserts) + return; + if (sync_port_lists_with_feed (FALSE) <= -1) g_warning ("%s: Failed to sync port lists with feed", __func__); diff --git a/src/manage_sql_report_formats.c b/src/manage_sql_report_formats.c index becfcb4c5..0a1b49b39 100644 --- a/src/manage_sql_report_formats.c +++ b/src/manage_sql_report_formats.c @@ -4895,16 +4895,21 @@ check_db_trash_report_formats () /** * @brief Ensure the predefined report formats exist. * + * @param[in] avoid_db_check_inserts Whether to avoid inserts. + * * @return 0 success, -1 error. */ int -check_db_report_formats () +check_db_report_formats (int avoid_db_check_inserts) { if (migrate_predefined_report_formats ()) return -1; - if (sync_report_formats_with_feed (FALSE) <= -1) - g_warning ("%s: Failed to sync report formats with feed", __func__); + if (avoid_db_check_inserts == 0) + { + if (sync_report_formats_with_feed (FALSE) <= -1) + g_warning ("%s: Failed to sync report formats with feed", __func__); + } if (check_db_trash_report_formats ()) return -1; diff --git a/src/manage_sql_report_formats.h b/src/manage_sql_report_formats.h index 1ea556752..de7a04be2 100644 --- a/src/manage_sql_report_formats.h +++ b/src/manage_sql_report_formats.h @@ -83,7 +83,7 @@ int migrate_predefined_report_formats (); int -check_db_report_formats (); +check_db_report_formats (int); int check_db_report_formats_trash (); diff --git a/src/manage_sql_secinfo.c b/src/manage_sql_secinfo.c index 48cf21772..c80247780 100644 --- a/src/manage_sql_secinfo.c +++ b/src/manage_sql_secinfo.c @@ -5754,7 +5754,8 @@ manage_rebuild_scap (GSList *log_config, const db_conn_info_t *database) g_info (" Rebuilding SCAP data"); - ret = manage_option_setup (log_config, database); + ret = manage_option_setup (log_config, database, + 0 /* avoid_db_check_inserts */); if (ret) return -1; From 16ef4c47e64a39de8cbd7c245d827b68a8fc50f1 Mon Sep 17 00:00:00 2001 From: Timo Pollmeier Date: Thu, 28 Nov 2024 10:09:42 +0100 Subject: [PATCH 2/4] Add: New Kerberos credential type The new type "krb5" is added to the create_credential, modify_credential and get_credentials commands. This will later be usable in scan targets for Kerberos 5 authentication. --- src/gmp.c | 67 +++++++++++++++++++++++++++ src/manage.c | 2 + src/manage.h | 10 +++- src/manage_sql.c | 77 +++++++++++++++++++++++++++---- src/schema_formats/XML/GMP.xml.in | 40 ++++++++++++++++ 5 files changed, 185 insertions(+), 11 deletions(-) diff --git a/src/gmp.c b/src/gmp.c index 2084b8a6a..231e40eaa 100644 --- a/src/gmp.c +++ b/src/gmp.c @@ -449,6 +449,7 @@ typedef struct char *certificate; ///< Certificate for client certificate auth. char *comment; ///< Comment. char *copy; ///< UUID of resource to copy. + char *kdc; ///< Kerberos KDC (key distribution centers). int key; ///< Whether the command included a key element. char *key_phrase; ///< Passphrase for key. char *key_private; ///< Private key from key. @@ -460,6 +461,7 @@ typedef struct char *auth_algorithm; ///< SNMP Authentication algorithm. char *privacy_password; ///< SNMP Privacy password. char *privacy_algorithm; ///< SNMP Privacy algorithm. + char *realm; ///< Kerberos realm. char *type; ///< Type of credential. } create_credential_data_t; @@ -475,6 +477,7 @@ create_credential_data_reset (create_credential_data_t *data) free (data->certificate); free (data->comment); free (data->copy); + free (data->kdc); free (data->key_phrase); free (data->key_private); free (data->key_public); @@ -485,6 +488,7 @@ create_credential_data_reset (create_credential_data_t *data) free (data->auth_algorithm); free (data->privacy_password); free (data->privacy_algorithm); + free (data->realm); free (data->type); memset (data, 0, sizeof (create_credential_data_t)); @@ -2515,6 +2519,7 @@ typedef struct char *comment; ///< Comment. char *community; ///< SNMP Community string. char *credential_id; ///< ID of credential to modify. + char *kdc; ///< Kerberos KDC (key distribution centers). int key; ///< Whether the command included a key element. char *key_phrase; ///< Passphrase for key. char *key_private; ///< Private key from key. @@ -2524,6 +2529,7 @@ typedef struct char *password; ///< Password associated with login name. char *privacy_algorithm; ///< SNMP Privacy algorithm. char *privacy_password; ///< SNMP Privacy password. + char *realm; ///< Kerberos realm. } modify_credential_data_t; /** @@ -2540,6 +2546,7 @@ modify_credential_data_reset (modify_credential_data_t *data) free (data->comment); free (data->community); free (data->credential_id); + free (data->kdc); free (data->key_phrase); free (data->key_private); free (data->key_public); @@ -2548,6 +2555,7 @@ modify_credential_data_reset (modify_credential_data_t *data) free (data->password); free (data->privacy_algorithm); free (data->privacy_password); + free (data->realm); memset (data, 0, sizeof (modify_credential_data_t)); } @@ -4088,6 +4096,7 @@ typedef enum CLIENT_CREATE_CREDENTIAL_COMMENT, CLIENT_CREATE_CREDENTIAL_COMMUNITY, CLIENT_CREATE_CREDENTIAL_COPY, + CLIENT_CREATE_CREDENTIAL_KDC, CLIENT_CREATE_CREDENTIAL_KEY, CLIENT_CREATE_CREDENTIAL_KEY_PHRASE, CLIENT_CREATE_CREDENTIAL_KEY_PRIVATE, @@ -4098,6 +4107,7 @@ typedef enum CLIENT_CREATE_CREDENTIAL_PRIVACY, CLIENT_CREATE_CREDENTIAL_PRIVACY_ALGORITHM, CLIENT_CREATE_CREDENTIAL_PRIVACY_PASSWORD, + CLIENT_CREATE_CREDENTIAL_REALM, CLIENT_CREATE_CREDENTIAL_TYPE, CLIENT_CREATE_FILTER, CLIENT_CREATE_FILTER_COMMENT, @@ -4420,6 +4430,7 @@ typedef enum CLIENT_MODIFY_CREDENTIAL_CERTIFICATE, CLIENT_MODIFY_CREDENTIAL_COMMENT, CLIENT_MODIFY_CREDENTIAL_COMMUNITY, + CLIENT_MODIFY_CREDENTIAL_KDC, CLIENT_MODIFY_CREDENTIAL_KEY, CLIENT_MODIFY_CREDENTIAL_KEY_PHRASE, CLIENT_MODIFY_CREDENTIAL_KEY_PRIVATE, @@ -4430,6 +4441,7 @@ typedef enum CLIENT_MODIFY_CREDENTIAL_PRIVACY, CLIENT_MODIFY_CREDENTIAL_PRIVACY_ALGORITHM, CLIENT_MODIFY_CREDENTIAL_PRIVACY_PASSWORD, + CLIENT_MODIFY_CREDENTIAL_REALM, CLIENT_MODIFY_FILTER, CLIENT_MODIFY_FILTER_COMMENT, CLIENT_MODIFY_FILTER_NAME, @@ -6283,6 +6295,10 @@ gmp_xml_handle_start_element (/* unused */ GMarkupParseContext* context, gvm_append_string (&modify_credential_data->community, ""); set_client_state (CLIENT_MODIFY_CREDENTIAL_COMMUNITY); } + else if (strcasecmp ("KDC", element_name) == 0) + { + set_client_state (CLIENT_MODIFY_CREDENTIAL_KDC); + } else if (strcasecmp ("KEY", element_name) == 0) { modify_credential_data->key = 1; @@ -6302,6 +6318,10 @@ gmp_xml_handle_start_element (/* unused */ GMarkupParseContext* context, gvm_append_string (&modify_credential_data->privacy_algorithm, ""); } + else if (strcasecmp ("REALM", element_name) == 0) + { + set_client_state (CLIENT_MODIFY_CREDENTIAL_REALM); + } ELSE_READ_OVER; case CLIENT_MODIFY_CREDENTIAL_KEY: @@ -6962,6 +6982,8 @@ gmp_xml_handle_start_element (/* unused */ GMarkupParseContext* context, set_client_state (CLIENT_CREATE_CREDENTIAL_COMMENT); else if (strcasecmp ("COMMUNITY", element_name) == 0) set_client_state (CLIENT_CREATE_CREDENTIAL_COMMUNITY); + else if (strcasecmp ("KDC", element_name) == 0) + set_client_state (CLIENT_CREATE_CREDENTIAL_KDC); else if (strcasecmp ("KEY", element_name) == 0) { create_credential_data->key = 1; @@ -6980,6 +7002,8 @@ gmp_xml_handle_start_element (/* unused */ GMarkupParseContext* context, } else if (strcasecmp ("PRIVACY", element_name) == 0) set_client_state (CLIENT_CREATE_CREDENTIAL_PRIVACY); + else if (strcasecmp ("REALM", element_name) == 0) + set_client_state (CLIENT_CREATE_CREDENTIAL_REALM); else if (strcasecmp ("TYPE", element_name) == 0) set_client_state (CLIENT_CREATE_CREDENTIAL_TYPE); ELSE_READ_OVER; @@ -12338,6 +12362,19 @@ handle_get_credentials (gmp_parser_t *gmp_parser, GError **error) SEND_TO_CLIENT_OR_FAIL (formats_xml); g_free (formats_xml); + if (type && (strcmp (type, "krb5") == 0)) + { + const char *kdc, *realm; + kdc = credential_iterator_kdc (&credentials); + realm = credential_iterator_realm (&credentials); + + SENDF_TO_CLIENT_OR_FAIL + ("%s" + "%s", + kdc ? kdc : "", + realm ? realm : ""); + } + if (type && (strcmp (type, "snmp") == 0)) { const char *auth_algorithm, *privacy_algorithm; @@ -21333,6 +21370,8 @@ gmp_xml_handle_end_element (/* unused */ GMarkupParseContext* context, create_credential_data->auth_algorithm, create_credential_data->privacy_password, create_credential_data->privacy_algorithm, + create_credential_data->kdc, + create_credential_data->realm, create_credential_data->type, create_credential_data->allow_insecure, &new_credential)) @@ -21440,6 +21479,16 @@ gmp_xml_handle_end_element (/* unused */ GMarkupParseContext* context, (XML_ERROR_SYNTAX ("create_credential", "Cannot determine type for new credential")); break; + case 19: + SEND_TO_CLIENT_OR_FAIL + (XML_ERROR_SYNTAX ("create_credential", + "Selected type requires a kdc")); + break; + case 20: + SEND_TO_CLIENT_OR_FAIL + (XML_ERROR_SYNTAX ("create_credential", + "Selected type requires a realm")); + break; case 99: SEND_TO_CLIENT_OR_FAIL (XML_ERROR_SYNTAX ("create_credential", @@ -21462,6 +21511,7 @@ gmp_xml_handle_end_element (/* unused */ GMarkupParseContext* context, CLOSE (CLIENT_CREATE_CREDENTIAL, COMMENT); CLOSE (CLIENT_CREATE_CREDENTIAL, COMMUNITY); CLOSE (CLIENT_CREATE_CREDENTIAL, COPY); + CLOSE (CLIENT_CREATE_CREDENTIAL, KDC); CLOSE (CLIENT_CREATE_CREDENTIAL, KEY); CLOSE (CLIENT_CREATE_CREDENTIAL_KEY, PHRASE); CLOSE (CLIENT_CREATE_CREDENTIAL_KEY, PRIVATE); @@ -21472,6 +21522,7 @@ gmp_xml_handle_end_element (/* unused */ GMarkupParseContext* context, CLOSE (CLIENT_CREATE_CREDENTIAL, PRIVACY); CLOSE (CLIENT_CREATE_CREDENTIAL_PRIVACY, ALGORITHM); CLOSE (CLIENT_CREATE_CREDENTIAL_PRIVACY, PASSWORD); + CLOSE (CLIENT_CREATE_CREDENTIAL, REALM); CLOSE (CLIENT_CREATE_CREDENTIAL, TYPE); case CLIENT_CREATE_FILTER: @@ -24527,6 +24578,8 @@ gmp_xml_handle_end_element (/* unused */ GMarkupParseContext* context, modify_credential_data->auth_algorithm, modify_credential_data->privacy_password, modify_credential_data->privacy_algorithm, + modify_credential_data->kdc, + modify_credential_data->realm, modify_credential_data->allow_insecure)) { case 0: @@ -24649,6 +24702,7 @@ gmp_xml_handle_end_element (/* unused */ GMarkupParseContext* context, CLOSE (CLIENT_MODIFY_CREDENTIAL, CERTIFICATE); CLOSE (CLIENT_MODIFY_CREDENTIAL, COMMENT); CLOSE (CLIENT_MODIFY_CREDENTIAL, COMMUNITY); + CLOSE (CLIENT_MODIFY_CREDENTIAL, KDC); CLOSE (CLIENT_MODIFY_CREDENTIAL, KEY); CLOSE (CLIENT_MODIFY_CREDENTIAL_KEY, PHRASE); CLOSE (CLIENT_MODIFY_CREDENTIAL_KEY, PRIVATE); @@ -24659,6 +24713,7 @@ gmp_xml_handle_end_element (/* unused */ GMarkupParseContext* context, CLOSE (CLIENT_MODIFY_CREDENTIAL, PRIVACY); CLOSE (CLIENT_MODIFY_CREDENTIAL_PRIVACY, ALGORITHM); CLOSE (CLIENT_MODIFY_CREDENTIAL_PRIVACY, PASSWORD); + CLOSE (CLIENT_MODIFY_CREDENTIAL, REALM); case CLIENT_MODIFY_FILTER: { @@ -27309,6 +27364,9 @@ gmp_xml_handle_text (/* unused */ GMarkupParseContext* context, APPEND (CLIENT_MODIFY_CREDENTIAL_COMMUNITY, &modify_credential_data->community); + APPEND (CLIENT_MODIFY_CREDENTIAL_KDC, + &modify_credential_data->kdc); + APPEND (CLIENT_MODIFY_CREDENTIAL_KEY_PHRASE, &modify_credential_data->key_phrase); @@ -27333,6 +27391,9 @@ gmp_xml_handle_text (/* unused */ GMarkupParseContext* context, APPEND (CLIENT_MODIFY_CREDENTIAL_PRIVACY_PASSWORD, &modify_credential_data->privacy_password); + APPEND (CLIENT_MODIFY_CREDENTIAL_REALM, + &modify_credential_data->realm); + case CLIENT_MODIFY_REPORT_CONFIG: modify_report_config_element_text (text, text_len); @@ -27440,6 +27501,9 @@ gmp_xml_handle_text (/* unused */ GMarkupParseContext* context, APPEND (CLIENT_CREATE_CREDENTIAL_COPY, &create_credential_data->copy); + APPEND (CLIENT_CREATE_CREDENTIAL_KDC, + &create_credential_data->kdc); + APPEND (CLIENT_CREATE_CREDENTIAL_KEY_PHRASE, &create_credential_data->key_phrase); @@ -27464,6 +27528,9 @@ gmp_xml_handle_text (/* unused */ GMarkupParseContext* context, APPEND (CLIENT_CREATE_CREDENTIAL_PRIVACY_PASSWORD, &create_credential_data->privacy_password); + APPEND (CLIENT_CREATE_CREDENTIAL_REALM, + &create_credential_data->realm); + APPEND (CLIENT_CREATE_CREDENTIAL_TYPE, &create_credential_data->type); diff --git a/src/manage.c b/src/manage.c index c194bae68..682124c79 100644 --- a/src/manage.c +++ b/src/manage.c @@ -4416,6 +4416,8 @@ credential_full_type (const char* abbreviation) return NULL; else if (strcasecmp (abbreviation, "cc") == 0) return "client certificate"; + else if (strcasecmp (abbreviation, "krb5") == 0) + return "Kerberos 5"; else if (strcasecmp (abbreviation, "pw") == 0) return "password only"; else if (strcasecmp (abbreviation, "snmp") == 0) diff --git a/src/manage.h b/src/manage.h index 0285d708d..ea42e6154 100644 --- a/src/manage.h +++ b/src/manage.h @@ -2293,7 +2293,7 @@ int create_credential (const char*, const char*, const char*, const char*, const char*, const char*, const char*, const char*, const char*, const char*, const char*, const char*, - const char*, credential_t*); + const char*, const char*, const char*, credential_t*); int copy_credential (const char*, const char*, const char*, @@ -2303,7 +2303,7 @@ int modify_credential (const char*, const char*, const char*, const char*, const char*, const char*, const char*, const char*, const char*, const char*, const char*, const char*, - const char*); + const char*, const char*, const char*); int delete_credential (const char *, int); @@ -2344,6 +2344,12 @@ credential_iterator_privacy_password (iterator_t*); const char* credential_iterator_public_key (iterator_t*); +const char* +credential_iterator_kdc (iterator_t*); + +const char* +credential_iterator_realm (iterator_t*); + const char* credential_iterator_private_key (iterator_t*); diff --git a/src/manage_sql.c b/src/manage_sql.c index 945ae9aa0..af10ceb59 100644 --- a/src/manage_sql.c +++ b/src/manage_sql.c @@ -35670,6 +35670,8 @@ validate_credential_username_for_format (const gchar *username, * @param[in] auth_algorithm SNMP authentication algorithm, or NULL. * @param[in] privacy_password SNMP privacy password. * @param[in] privacy_algorithm SNMP privacy algorithm. + * @param[in] kdc Kerberos KDC (key distribution centers). + * @param[in] realm Kerberos realm. * @param[in] given_type Credential type or NULL. * @param[in] allow_insecure Whether to allow insecure uses. * @param[out] credential Created Credential. @@ -35683,6 +35685,7 @@ validate_credential_username_for_format (const gchar *username, * 14 privacy algorithm missing, * 15 invalid auth algorithm, 16 invalid privacy algorithm, * 17 invalid certificate, 18 cannot determine type, + * 19 key distribution center missing, 20 realm missing, * 99 permission denied, -1 error. */ int @@ -35692,6 +35695,7 @@ create_credential (const char* name, const char* comment, const char* login, const char* certificate, const char* community, const char* auth_algorithm, const char* privacy_password, const char* privacy_algorithm, + const char* kdc, const char *realm, const char* given_type, const char* allow_insecure, credential_t *credential) { @@ -35738,7 +35742,8 @@ create_credential (const char* name, const char* comment, const char* login, && strcmp (given_type, "snmp") && strcmp (given_type, "smime") && strcmp (given_type, "up") - && strcmp (given_type, "usk")) + && strcmp (given_type, "usk") + && strcmp (given_type, "krb5")) { sql_rollback (); return 4; @@ -35753,6 +35758,8 @@ create_credential (const char* name, const char* comment, const char* login, quoted_type = g_strdup ("cc"); else if (login && key_private) quoted_type = g_strdup ("usk"); + else if (login && given_password && (realm || kdc)) + quoted_type = g_strdup ("krb5"); else if (login && given_password) quoted_type = g_strdup ("up"); else if (login && key_private == NULL && given_password == NULL) @@ -35773,7 +35780,8 @@ create_credential (const char* name, const char* comment, const char* login, && (strcmp (quoted_type, "cc") == 0 || strcmp (quoted_type, "pgp") == 0 || strcmp (quoted_type, "smime") == 0 - || strcmp (quoted_type, "snmp") == 0)) + || strcmp (quoted_type, "snmp") == 0 + || strcmp (quoted_type, "krb5") == 0)) ret = 10; // Type does not support autogenerate using_snmp_v3 = 0; @@ -35787,7 +35795,8 @@ create_credential (const char* name, const char* comment, const char* login, ret = 5; else if (given_password == NULL && auto_generate == 0 && (strcmp (quoted_type, "up") == 0 - || strcmp (quoted_type, "pw") == 0)) + || strcmp (quoted_type, "pw") == 0 + || strcmp (quoted_type, "krb5") == 0)) // (username) password requires a password ret = 6; else if (key_private == NULL && auto_generate == 0 @@ -35801,6 +35810,12 @@ create_credential (const char* name, const char* comment, const char* login, else if (key_public == NULL && auto_generate == 0 && strcmp (quoted_type, "pgp") == 0) ret = 9; + else if (kdc == NULL && auto_generate == 0 + && strcmp (quoted_type, "krb5") == 0) + ret = 19; + else if (realm == NULL && auto_generate == 0 + && strcmp (quoted_type, "krb5") == 0) + ret = 20; else if (strcmp (quoted_type, "snmp") == 0) { if (login || given_password || auth_algorithm @@ -35876,9 +35891,10 @@ create_credential (const char* name, const char* comment, const char* login, "username", login); } + if (kdc) + set_credential_data (new_credential, "kdc", kdc); if (key_public) set_credential_data (new_credential, "public_key", key_public); - if (certificate) { gchar *certificate_truncated; @@ -35899,6 +35915,8 @@ create_credential (const char* name, const char* comment, const char* login, if (privacy_algorithm) set_credential_data (new_credential, "privacy_algorithm", privacy_algorithm); + if (realm) + set_credential_data (new_credential, "realm", realm); g_free (quoted_type); @@ -36177,6 +36195,8 @@ copy_credential (const char* name, const char* comment, * @param[in] auth_algorithm Authentication algorithm of Credential. * @param[in] privacy_password Privacy password of Credential. * @param[in] privacy_algorithm Privacy algorithm of Credential. + * @param[in] kdc Kerberos KDC (key distribution centers). + * @param[in] realm Kerberos realm. * @param[in] allow_insecure Whether to allow insecure use. * * @return 0 success, 1 failed to find credential, 2 credential with new name @@ -36196,6 +36216,7 @@ modify_credential (const char *credential_id, const char* certificate, const char* community, const char* auth_algorithm, const char* privacy_password, const char* privacy_algorithm, + const char* kdc, const char* realm, const char* allow_insecure) { credential_t credential; @@ -36471,6 +36492,15 @@ modify_credential (const char *credential_id, { set_credential_data (credential, "secret", ""); } + else if (strcmp (type, "krb5") == 0) + { + if (password) + set_credential_password (credential, password); + if (kdc) + set_credential_data (credential, "kdc", kdc); + if (realm) + set_credential_data (credential, "realm", realm); + } else { g_warning ("%s: Unknown credential type: %s", __func__, type); @@ -36666,6 +36696,14 @@ delete_credential (const char *credential_id, int ultimate) " WHERE credential = credentials.id AND type = 'public_key')", \ NULL, \ KEYWORD_TYPE_STRING }, \ + { "(SELECT value FROM credentials_data" \ + " WHERE credential = credentials.id AND type = 'kdc')" , \ + "kdc", \ + KEYWORD_TYPE_STRING }, \ + { "(SELECT value FROM credentials_data" \ + " WHERE credential = credentials.id AND type = 'realm')", \ + "realm", \ + KEYWORD_TYPE_STRING }, \ /* private data */ \ { "(SELECT value FROM credentials_data" \ " WHERE credential = credentials.id AND type = 'secret')", \ @@ -37248,20 +37286,20 @@ credential_iterator_encrypted_data (iterator_t* iterator, const char* type) if (iterator->done) return NULL; - secret = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 7); + secret = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 9); if (type == NULL) { g_warning ("%s: NULL data type given", __func__); return NULL; } else if (strcmp (type, "password") == 0) - unencrypted = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 8); + unencrypted = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 10); else if (strcmp (type, "private_key") == 0) - unencrypted = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 9); + unencrypted = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 11); else if (strcmp (type, "community") == 0) - unencrypted = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 10); + unencrypted = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 12); else if (strcmp (type, "privacy_password") == 0) - unencrypted = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 11); + unencrypted = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 13); else { g_warning ("%s: unknown data type \"%s\"", __func__, type); @@ -37362,6 +37400,27 @@ DEF_ACCESS (credential_iterator_privacy_algorithm, DEF_ACCESS (credential_iterator_public_key, GET_ITERATOR_COLUMN_COUNT + 6); +/** + * @brief Get the key distribution center from an LSC credential iterator. + * + * @param[in] iterator Iterator. + * + * @return Key distribution center, or NULL if iteration is complete. Freed by + * cleanup_iterator. + */ +DEF_ACCESS (credential_iterator_kdc, + GET_ITERATOR_COLUMN_COUNT + 7); + +/** + * @brief Get the realm from an LSC credential iterator. + * + * @param[in] iterator Iterator. + * + * @return Realm, or NULL if iteration is complete. Freed by cleanup_iterator. + */ +DEF_ACCESS (credential_iterator_realm, + GET_ITERATOR_COLUMN_COUNT + 8); + /** * @brief Get the password from a Credential iterator. * diff --git a/src/schema_formats/XML/GMP.xml.in b/src/schema_formats/XML/GMP.xml.in index 986a61a21..5225f9350 100644 --- a/src/schema_formats/XML/GMP.xml.in +++ b/src/schema_formats/XML/GMP.xml.in @@ -3987,12 +3987,14 @@ along with this program. If not, see . copy allow_insecure certificate + kdc key login password auth_algorithm community privacy + realm type @@ -4028,6 +4030,11 @@ along with this program. If not, see . text + + kdc + text + The Kerberos KDC (key distribution center(s)) + key @@ -4114,11 +4121,17 @@ along with this program. If not, see . + + realm + text + The Kerberos realm + type The type of credential to create

cc: Client certificate

+

krb5: Kerberos 5

pgp: PGP encryption key

pw: Password only

smime: S/MIME certificate

@@ -4129,6 +4142,7 @@ along with this program. If not, see . cc + krb5 pgp pw smime @@ -10911,6 +10925,8 @@ END:VCALENDAR certificate + kdc + realm owner @@ -11037,6 +11053,7 @@ END:VCALENDAR The type of the credential

cc: Client certificate

+

krb5: Kerberos 5

pgp: PGP encryption key

pw: Password only

smime: S/MIME certificate

@@ -11047,6 +11064,7 @@ END:VCALENDAR cc + krb5 pgp pw smime @@ -11199,6 +11217,16 @@ END:VCALENDAR certificate text + + kdc + text + The Kerberos KDC (key distribution center(s)) + + + realm + text + The Kerberos realm + filters @@ -26744,12 +26772,14 @@ END:VCALENDAR name allow_insecure certificate + kdc key login password community auth_algorithm privacy + realm name @@ -26777,6 +26807,11 @@ END:VCALENDAR text + + kdc + text + The Kerberos KDC (key distribution center(s)) + key @@ -26863,6 +26898,11 @@ END:VCALENDAR + + realm + text + The Kerberos realm + From 5bcc39e0b4f73a85665553a3301d0aeeea2a9cb6 Mon Sep 17 00:00:00 2001 From: Timo Pollmeier Date: Thu, 28 Nov 2024 10:09:42 +0100 Subject: [PATCH 3/4] Add: New Kerberos credential type The new type "krb5" is added to the create_credential, modify_credential and get_credentials commands. This will later be usable in scan targets for Kerberos 5 authentication. --- src/gmp.c | 67 +++++++++++++++++++++++++++ src/manage.c | 2 + src/manage.h | 10 +++- src/manage_sql.c | 77 +++++++++++++++++++++++++++---- src/schema_formats/XML/GMP.xml.in | 40 ++++++++++++++++ 5 files changed, 185 insertions(+), 11 deletions(-) diff --git a/src/gmp.c b/src/gmp.c index 2084b8a6a..231e40eaa 100644 --- a/src/gmp.c +++ b/src/gmp.c @@ -449,6 +449,7 @@ typedef struct char *certificate; ///< Certificate for client certificate auth. char *comment; ///< Comment. char *copy; ///< UUID of resource to copy. + char *kdc; ///< Kerberos KDC (key distribution centers). int key; ///< Whether the command included a key element. char *key_phrase; ///< Passphrase for key. char *key_private; ///< Private key from key. @@ -460,6 +461,7 @@ typedef struct char *auth_algorithm; ///< SNMP Authentication algorithm. char *privacy_password; ///< SNMP Privacy password. char *privacy_algorithm; ///< SNMP Privacy algorithm. + char *realm; ///< Kerberos realm. char *type; ///< Type of credential. } create_credential_data_t; @@ -475,6 +477,7 @@ create_credential_data_reset (create_credential_data_t *data) free (data->certificate); free (data->comment); free (data->copy); + free (data->kdc); free (data->key_phrase); free (data->key_private); free (data->key_public); @@ -485,6 +488,7 @@ create_credential_data_reset (create_credential_data_t *data) free (data->auth_algorithm); free (data->privacy_password); free (data->privacy_algorithm); + free (data->realm); free (data->type); memset (data, 0, sizeof (create_credential_data_t)); @@ -2515,6 +2519,7 @@ typedef struct char *comment; ///< Comment. char *community; ///< SNMP Community string. char *credential_id; ///< ID of credential to modify. + char *kdc; ///< Kerberos KDC (key distribution centers). int key; ///< Whether the command included a key element. char *key_phrase; ///< Passphrase for key. char *key_private; ///< Private key from key. @@ -2524,6 +2529,7 @@ typedef struct char *password; ///< Password associated with login name. char *privacy_algorithm; ///< SNMP Privacy algorithm. char *privacy_password; ///< SNMP Privacy password. + char *realm; ///< Kerberos realm. } modify_credential_data_t; /** @@ -2540,6 +2546,7 @@ modify_credential_data_reset (modify_credential_data_t *data) free (data->comment); free (data->community); free (data->credential_id); + free (data->kdc); free (data->key_phrase); free (data->key_private); free (data->key_public); @@ -2548,6 +2555,7 @@ modify_credential_data_reset (modify_credential_data_t *data) free (data->password); free (data->privacy_algorithm); free (data->privacy_password); + free (data->realm); memset (data, 0, sizeof (modify_credential_data_t)); } @@ -4088,6 +4096,7 @@ typedef enum CLIENT_CREATE_CREDENTIAL_COMMENT, CLIENT_CREATE_CREDENTIAL_COMMUNITY, CLIENT_CREATE_CREDENTIAL_COPY, + CLIENT_CREATE_CREDENTIAL_KDC, CLIENT_CREATE_CREDENTIAL_KEY, CLIENT_CREATE_CREDENTIAL_KEY_PHRASE, CLIENT_CREATE_CREDENTIAL_KEY_PRIVATE, @@ -4098,6 +4107,7 @@ typedef enum CLIENT_CREATE_CREDENTIAL_PRIVACY, CLIENT_CREATE_CREDENTIAL_PRIVACY_ALGORITHM, CLIENT_CREATE_CREDENTIAL_PRIVACY_PASSWORD, + CLIENT_CREATE_CREDENTIAL_REALM, CLIENT_CREATE_CREDENTIAL_TYPE, CLIENT_CREATE_FILTER, CLIENT_CREATE_FILTER_COMMENT, @@ -4420,6 +4430,7 @@ typedef enum CLIENT_MODIFY_CREDENTIAL_CERTIFICATE, CLIENT_MODIFY_CREDENTIAL_COMMENT, CLIENT_MODIFY_CREDENTIAL_COMMUNITY, + CLIENT_MODIFY_CREDENTIAL_KDC, CLIENT_MODIFY_CREDENTIAL_KEY, CLIENT_MODIFY_CREDENTIAL_KEY_PHRASE, CLIENT_MODIFY_CREDENTIAL_KEY_PRIVATE, @@ -4430,6 +4441,7 @@ typedef enum CLIENT_MODIFY_CREDENTIAL_PRIVACY, CLIENT_MODIFY_CREDENTIAL_PRIVACY_ALGORITHM, CLIENT_MODIFY_CREDENTIAL_PRIVACY_PASSWORD, + CLIENT_MODIFY_CREDENTIAL_REALM, CLIENT_MODIFY_FILTER, CLIENT_MODIFY_FILTER_COMMENT, CLIENT_MODIFY_FILTER_NAME, @@ -6283,6 +6295,10 @@ gmp_xml_handle_start_element (/* unused */ GMarkupParseContext* context, gvm_append_string (&modify_credential_data->community, ""); set_client_state (CLIENT_MODIFY_CREDENTIAL_COMMUNITY); } + else if (strcasecmp ("KDC", element_name) == 0) + { + set_client_state (CLIENT_MODIFY_CREDENTIAL_KDC); + } else if (strcasecmp ("KEY", element_name) == 0) { modify_credential_data->key = 1; @@ -6302,6 +6318,10 @@ gmp_xml_handle_start_element (/* unused */ GMarkupParseContext* context, gvm_append_string (&modify_credential_data->privacy_algorithm, ""); } + else if (strcasecmp ("REALM", element_name) == 0) + { + set_client_state (CLIENT_MODIFY_CREDENTIAL_REALM); + } ELSE_READ_OVER; case CLIENT_MODIFY_CREDENTIAL_KEY: @@ -6962,6 +6982,8 @@ gmp_xml_handle_start_element (/* unused */ GMarkupParseContext* context, set_client_state (CLIENT_CREATE_CREDENTIAL_COMMENT); else if (strcasecmp ("COMMUNITY", element_name) == 0) set_client_state (CLIENT_CREATE_CREDENTIAL_COMMUNITY); + else if (strcasecmp ("KDC", element_name) == 0) + set_client_state (CLIENT_CREATE_CREDENTIAL_KDC); else if (strcasecmp ("KEY", element_name) == 0) { create_credential_data->key = 1; @@ -6980,6 +7002,8 @@ gmp_xml_handle_start_element (/* unused */ GMarkupParseContext* context, } else if (strcasecmp ("PRIVACY", element_name) == 0) set_client_state (CLIENT_CREATE_CREDENTIAL_PRIVACY); + else if (strcasecmp ("REALM", element_name) == 0) + set_client_state (CLIENT_CREATE_CREDENTIAL_REALM); else if (strcasecmp ("TYPE", element_name) == 0) set_client_state (CLIENT_CREATE_CREDENTIAL_TYPE); ELSE_READ_OVER; @@ -12338,6 +12362,19 @@ handle_get_credentials (gmp_parser_t *gmp_parser, GError **error) SEND_TO_CLIENT_OR_FAIL (formats_xml); g_free (formats_xml); + if (type && (strcmp (type, "krb5") == 0)) + { + const char *kdc, *realm; + kdc = credential_iterator_kdc (&credentials); + realm = credential_iterator_realm (&credentials); + + SENDF_TO_CLIENT_OR_FAIL + ("%s" + "%s", + kdc ? kdc : "", + realm ? realm : ""); + } + if (type && (strcmp (type, "snmp") == 0)) { const char *auth_algorithm, *privacy_algorithm; @@ -21333,6 +21370,8 @@ gmp_xml_handle_end_element (/* unused */ GMarkupParseContext* context, create_credential_data->auth_algorithm, create_credential_data->privacy_password, create_credential_data->privacy_algorithm, + create_credential_data->kdc, + create_credential_data->realm, create_credential_data->type, create_credential_data->allow_insecure, &new_credential)) @@ -21440,6 +21479,16 @@ gmp_xml_handle_end_element (/* unused */ GMarkupParseContext* context, (XML_ERROR_SYNTAX ("create_credential", "Cannot determine type for new credential")); break; + case 19: + SEND_TO_CLIENT_OR_FAIL + (XML_ERROR_SYNTAX ("create_credential", + "Selected type requires a kdc")); + break; + case 20: + SEND_TO_CLIENT_OR_FAIL + (XML_ERROR_SYNTAX ("create_credential", + "Selected type requires a realm")); + break; case 99: SEND_TO_CLIENT_OR_FAIL (XML_ERROR_SYNTAX ("create_credential", @@ -21462,6 +21511,7 @@ gmp_xml_handle_end_element (/* unused */ GMarkupParseContext* context, CLOSE (CLIENT_CREATE_CREDENTIAL, COMMENT); CLOSE (CLIENT_CREATE_CREDENTIAL, COMMUNITY); CLOSE (CLIENT_CREATE_CREDENTIAL, COPY); + CLOSE (CLIENT_CREATE_CREDENTIAL, KDC); CLOSE (CLIENT_CREATE_CREDENTIAL, KEY); CLOSE (CLIENT_CREATE_CREDENTIAL_KEY, PHRASE); CLOSE (CLIENT_CREATE_CREDENTIAL_KEY, PRIVATE); @@ -21472,6 +21522,7 @@ gmp_xml_handle_end_element (/* unused */ GMarkupParseContext* context, CLOSE (CLIENT_CREATE_CREDENTIAL, PRIVACY); CLOSE (CLIENT_CREATE_CREDENTIAL_PRIVACY, ALGORITHM); CLOSE (CLIENT_CREATE_CREDENTIAL_PRIVACY, PASSWORD); + CLOSE (CLIENT_CREATE_CREDENTIAL, REALM); CLOSE (CLIENT_CREATE_CREDENTIAL, TYPE); case CLIENT_CREATE_FILTER: @@ -24527,6 +24578,8 @@ gmp_xml_handle_end_element (/* unused */ GMarkupParseContext* context, modify_credential_data->auth_algorithm, modify_credential_data->privacy_password, modify_credential_data->privacy_algorithm, + modify_credential_data->kdc, + modify_credential_data->realm, modify_credential_data->allow_insecure)) { case 0: @@ -24649,6 +24702,7 @@ gmp_xml_handle_end_element (/* unused */ GMarkupParseContext* context, CLOSE (CLIENT_MODIFY_CREDENTIAL, CERTIFICATE); CLOSE (CLIENT_MODIFY_CREDENTIAL, COMMENT); CLOSE (CLIENT_MODIFY_CREDENTIAL, COMMUNITY); + CLOSE (CLIENT_MODIFY_CREDENTIAL, KDC); CLOSE (CLIENT_MODIFY_CREDENTIAL, KEY); CLOSE (CLIENT_MODIFY_CREDENTIAL_KEY, PHRASE); CLOSE (CLIENT_MODIFY_CREDENTIAL_KEY, PRIVATE); @@ -24659,6 +24713,7 @@ gmp_xml_handle_end_element (/* unused */ GMarkupParseContext* context, CLOSE (CLIENT_MODIFY_CREDENTIAL, PRIVACY); CLOSE (CLIENT_MODIFY_CREDENTIAL_PRIVACY, ALGORITHM); CLOSE (CLIENT_MODIFY_CREDENTIAL_PRIVACY, PASSWORD); + CLOSE (CLIENT_MODIFY_CREDENTIAL, REALM); case CLIENT_MODIFY_FILTER: { @@ -27309,6 +27364,9 @@ gmp_xml_handle_text (/* unused */ GMarkupParseContext* context, APPEND (CLIENT_MODIFY_CREDENTIAL_COMMUNITY, &modify_credential_data->community); + APPEND (CLIENT_MODIFY_CREDENTIAL_KDC, + &modify_credential_data->kdc); + APPEND (CLIENT_MODIFY_CREDENTIAL_KEY_PHRASE, &modify_credential_data->key_phrase); @@ -27333,6 +27391,9 @@ gmp_xml_handle_text (/* unused */ GMarkupParseContext* context, APPEND (CLIENT_MODIFY_CREDENTIAL_PRIVACY_PASSWORD, &modify_credential_data->privacy_password); + APPEND (CLIENT_MODIFY_CREDENTIAL_REALM, + &modify_credential_data->realm); + case CLIENT_MODIFY_REPORT_CONFIG: modify_report_config_element_text (text, text_len); @@ -27440,6 +27501,9 @@ gmp_xml_handle_text (/* unused */ GMarkupParseContext* context, APPEND (CLIENT_CREATE_CREDENTIAL_COPY, &create_credential_data->copy); + APPEND (CLIENT_CREATE_CREDENTIAL_KDC, + &create_credential_data->kdc); + APPEND (CLIENT_CREATE_CREDENTIAL_KEY_PHRASE, &create_credential_data->key_phrase); @@ -27464,6 +27528,9 @@ gmp_xml_handle_text (/* unused */ GMarkupParseContext* context, APPEND (CLIENT_CREATE_CREDENTIAL_PRIVACY_PASSWORD, &create_credential_data->privacy_password); + APPEND (CLIENT_CREATE_CREDENTIAL_REALM, + &create_credential_data->realm); + APPEND (CLIENT_CREATE_CREDENTIAL_TYPE, &create_credential_data->type); diff --git a/src/manage.c b/src/manage.c index f9e0899c4..1878928ba 100644 --- a/src/manage.c +++ b/src/manage.c @@ -4418,6 +4418,8 @@ credential_full_type (const char* abbreviation) return NULL; else if (strcasecmp (abbreviation, "cc") == 0) return "client certificate"; + else if (strcasecmp (abbreviation, "krb5") == 0) + return "Kerberos 5"; else if (strcasecmp (abbreviation, "pw") == 0) return "password only"; else if (strcasecmp (abbreviation, "snmp") == 0) diff --git a/src/manage.h b/src/manage.h index 8882d7a52..b5e1711cc 100644 --- a/src/manage.h +++ b/src/manage.h @@ -2293,7 +2293,7 @@ int create_credential (const char*, const char*, const char*, const char*, const char*, const char*, const char*, const char*, const char*, const char*, const char*, const char*, - const char*, credential_t*); + const char*, const char*, const char*, credential_t*); int copy_credential (const char*, const char*, const char*, @@ -2303,7 +2303,7 @@ int modify_credential (const char*, const char*, const char*, const char*, const char*, const char*, const char*, const char*, const char*, const char*, const char*, const char*, - const char*); + const char*, const char*, const char*); int delete_credential (const char *, int); @@ -2344,6 +2344,12 @@ credential_iterator_privacy_password (iterator_t*); const char* credential_iterator_public_key (iterator_t*); +const char* +credential_iterator_kdc (iterator_t*); + +const char* +credential_iterator_realm (iterator_t*); + const char* credential_iterator_private_key (iterator_t*); diff --git a/src/manage_sql.c b/src/manage_sql.c index 6e653b13d..6f2daa2b1 100644 --- a/src/manage_sql.c +++ b/src/manage_sql.c @@ -35707,6 +35707,8 @@ validate_credential_username_for_format (const gchar *username, * @param[in] auth_algorithm SNMP authentication algorithm, or NULL. * @param[in] privacy_password SNMP privacy password. * @param[in] privacy_algorithm SNMP privacy algorithm. + * @param[in] kdc Kerberos KDC (key distribution centers). + * @param[in] realm Kerberos realm. * @param[in] given_type Credential type or NULL. * @param[in] allow_insecure Whether to allow insecure uses. * @param[out] credential Created Credential. @@ -35720,6 +35722,7 @@ validate_credential_username_for_format (const gchar *username, * 14 privacy algorithm missing, * 15 invalid auth algorithm, 16 invalid privacy algorithm, * 17 invalid certificate, 18 cannot determine type, + * 19 key distribution center missing, 20 realm missing, * 99 permission denied, -1 error. */ int @@ -35729,6 +35732,7 @@ create_credential (const char* name, const char* comment, const char* login, const char* certificate, const char* community, const char* auth_algorithm, const char* privacy_password, const char* privacy_algorithm, + const char* kdc, const char *realm, const char* given_type, const char* allow_insecure, credential_t *credential) { @@ -35775,7 +35779,8 @@ create_credential (const char* name, const char* comment, const char* login, && strcmp (given_type, "snmp") && strcmp (given_type, "smime") && strcmp (given_type, "up") - && strcmp (given_type, "usk")) + && strcmp (given_type, "usk") + && strcmp (given_type, "krb5")) { sql_rollback (); return 4; @@ -35790,6 +35795,8 @@ create_credential (const char* name, const char* comment, const char* login, quoted_type = g_strdup ("cc"); else if (login && key_private) quoted_type = g_strdup ("usk"); + else if (login && given_password && (realm || kdc)) + quoted_type = g_strdup ("krb5"); else if (login && given_password) quoted_type = g_strdup ("up"); else if (login && key_private == NULL && given_password == NULL) @@ -35810,7 +35817,8 @@ create_credential (const char* name, const char* comment, const char* login, && (strcmp (quoted_type, "cc") == 0 || strcmp (quoted_type, "pgp") == 0 || strcmp (quoted_type, "smime") == 0 - || strcmp (quoted_type, "snmp") == 0)) + || strcmp (quoted_type, "snmp") == 0 + || strcmp (quoted_type, "krb5") == 0)) ret = 10; // Type does not support autogenerate using_snmp_v3 = 0; @@ -35824,7 +35832,8 @@ create_credential (const char* name, const char* comment, const char* login, ret = 5; else if (given_password == NULL && auto_generate == 0 && (strcmp (quoted_type, "up") == 0 - || strcmp (quoted_type, "pw") == 0)) + || strcmp (quoted_type, "pw") == 0 + || strcmp (quoted_type, "krb5") == 0)) // (username) password requires a password ret = 6; else if (key_private == NULL && auto_generate == 0 @@ -35838,6 +35847,12 @@ create_credential (const char* name, const char* comment, const char* login, else if (key_public == NULL && auto_generate == 0 && strcmp (quoted_type, "pgp") == 0) ret = 9; + else if (kdc == NULL && auto_generate == 0 + && strcmp (quoted_type, "krb5") == 0) + ret = 19; + else if (realm == NULL && auto_generate == 0 + && strcmp (quoted_type, "krb5") == 0) + ret = 20; else if (strcmp (quoted_type, "snmp") == 0) { if (login || given_password || auth_algorithm @@ -35913,9 +35928,10 @@ create_credential (const char* name, const char* comment, const char* login, "username", login); } + if (kdc) + set_credential_data (new_credential, "kdc", kdc); if (key_public) set_credential_data (new_credential, "public_key", key_public); - if (certificate) { gchar *certificate_truncated; @@ -35936,6 +35952,8 @@ create_credential (const char* name, const char* comment, const char* login, if (privacy_algorithm) set_credential_data (new_credential, "privacy_algorithm", privacy_algorithm); + if (realm) + set_credential_data (new_credential, "realm", realm); g_free (quoted_type); @@ -36214,6 +36232,8 @@ copy_credential (const char* name, const char* comment, * @param[in] auth_algorithm Authentication algorithm of Credential. * @param[in] privacy_password Privacy password of Credential. * @param[in] privacy_algorithm Privacy algorithm of Credential. + * @param[in] kdc Kerberos KDC (key distribution centers). + * @param[in] realm Kerberos realm. * @param[in] allow_insecure Whether to allow insecure use. * * @return 0 success, 1 failed to find credential, 2 credential with new name @@ -36233,6 +36253,7 @@ modify_credential (const char *credential_id, const char* certificate, const char* community, const char* auth_algorithm, const char* privacy_password, const char* privacy_algorithm, + const char* kdc, const char* realm, const char* allow_insecure) { credential_t credential; @@ -36508,6 +36529,15 @@ modify_credential (const char *credential_id, { set_credential_data (credential, "secret", ""); } + else if (strcmp (type, "krb5") == 0) + { + if (password) + set_credential_password (credential, password); + if (kdc) + set_credential_data (credential, "kdc", kdc); + if (realm) + set_credential_data (credential, "realm", realm); + } else { g_warning ("%s: Unknown credential type: %s", __func__, type); @@ -36703,6 +36733,14 @@ delete_credential (const char *credential_id, int ultimate) " WHERE credential = credentials.id AND type = 'public_key')", \ NULL, \ KEYWORD_TYPE_STRING }, \ + { "(SELECT value FROM credentials_data" \ + " WHERE credential = credentials.id AND type = 'kdc')" , \ + "kdc", \ + KEYWORD_TYPE_STRING }, \ + { "(SELECT value FROM credentials_data" \ + " WHERE credential = credentials.id AND type = 'realm')", \ + "realm", \ + KEYWORD_TYPE_STRING }, \ /* private data */ \ { "(SELECT value FROM credentials_data" \ " WHERE credential = credentials.id AND type = 'secret')", \ @@ -37285,20 +37323,20 @@ credential_iterator_encrypted_data (iterator_t* iterator, const char* type) if (iterator->done) return NULL; - secret = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 7); + secret = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 9); if (type == NULL) { g_warning ("%s: NULL data type given", __func__); return NULL; } else if (strcmp (type, "password") == 0) - unencrypted = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 8); + unencrypted = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 10); else if (strcmp (type, "private_key") == 0) - unencrypted = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 9); + unencrypted = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 11); else if (strcmp (type, "community") == 0) - unencrypted = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 10); + unencrypted = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 12); else if (strcmp (type, "privacy_password") == 0) - unencrypted = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 11); + unencrypted = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 13); else { g_warning ("%s: unknown data type \"%s\"", __func__, type); @@ -37399,6 +37437,27 @@ DEF_ACCESS (credential_iterator_privacy_algorithm, DEF_ACCESS (credential_iterator_public_key, GET_ITERATOR_COLUMN_COUNT + 6); +/** + * @brief Get the key distribution center from an LSC credential iterator. + * + * @param[in] iterator Iterator. + * + * @return Key distribution center, or NULL if iteration is complete. Freed by + * cleanup_iterator. + */ +DEF_ACCESS (credential_iterator_kdc, + GET_ITERATOR_COLUMN_COUNT + 7); + +/** + * @brief Get the realm from an LSC credential iterator. + * + * @param[in] iterator Iterator. + * + * @return Realm, or NULL if iteration is complete. Freed by cleanup_iterator. + */ +DEF_ACCESS (credential_iterator_realm, + GET_ITERATOR_COLUMN_COUNT + 8); + /** * @brief Get the password from a Credential iterator. * diff --git a/src/schema_formats/XML/GMP.xml.in b/src/schema_formats/XML/GMP.xml.in index 986a61a21..5225f9350 100644 --- a/src/schema_formats/XML/GMP.xml.in +++ b/src/schema_formats/XML/GMP.xml.in @@ -3987,12 +3987,14 @@ along with this program. If not, see . copy allow_insecure certificate + kdc key login password auth_algorithm community privacy + realm type @@ -4028,6 +4030,11 @@ along with this program. If not, see . text + + kdc + text + The Kerberos KDC (key distribution center(s)) + key @@ -4114,11 +4121,17 @@ along with this program. If not, see . + + realm + text + The Kerberos realm + type The type of credential to create

cc: Client certificate

+

krb5: Kerberos 5

pgp: PGP encryption key

pw: Password only

smime: S/MIME certificate

@@ -4129,6 +4142,7 @@ along with this program. If not, see . cc + krb5 pgp pw smime @@ -10911,6 +10925,8 @@ END:VCALENDAR certificate + kdc + realm owner @@ -11037,6 +11053,7 @@ END:VCALENDAR The type of the credential

cc: Client certificate

+

krb5: Kerberos 5

pgp: PGP encryption key

pw: Password only

smime: S/MIME certificate

@@ -11047,6 +11064,7 @@ END:VCALENDAR cc + krb5 pgp pw smime @@ -11199,6 +11217,16 @@ END:VCALENDAR certificate text + + kdc + text + The Kerberos KDC (key distribution center(s)) + + + realm + text + The Kerberos realm + filters @@ -26744,12 +26772,14 @@ END:VCALENDAR name allow_insecure certificate + kdc key login password community auth_algorithm privacy + realm name @@ -26777,6 +26807,11 @@ END:VCALENDAR text + + kdc + text + The Kerberos KDC (key distribution center(s)) + key @@ -26863,6 +26898,11 @@ END:VCALENDAR + + realm + text + The Kerberos realm + From 5c0d5fa8887acea08473cb623de322991ad12b1e Mon Sep 17 00:00:00 2001 From: Timo Pollmeier Date: Fri, 29 Nov 2024 09:38:41 +0100 Subject: [PATCH 4/4] Fix prototype and simplify check_db_... functions The new parameter has been added to the check_db_port_lists prototype and various check_db_... functions that would only return if the avoid_db_check_inserts parameter is true have the parameter removed and are instead wrapped in if conditions. --- src/manage_sql.c | 57 +++++++++++++------------------------ src/manage_sql_port_lists.h | 2 +- 2 files changed, 20 insertions(+), 39 deletions(-) diff --git a/src/manage_sql.c b/src/manage_sql.c index 6f2daa2b1..d79371261 100644 --- a/src/manage_sql.c +++ b/src/manage_sql.c @@ -15840,16 +15840,11 @@ manage_update_nvti_cache () /** * @brief Ensure the predefined scanner exists. * - * @param[in] avoid_db_check_inserts Whether to avoid inserts. - * * @return 0 if success, -1 if error. */ static int -check_db_scanners (int avoid_db_check_inserts) +check_db_scanners () { - if (avoid_db_check_inserts) - return 0; - if (sql_int ("SELECT count(*) FROM scanners WHERE uuid = '%s';", SCANNER_UUID_DEFAULT) == 0) { @@ -15878,16 +15873,11 @@ check_db_scanners (int avoid_db_check_inserts) /** * @brief Initialize the default settings. * - * @param[in] avoid_db_check_inserts Whether to avoid inserts. - * * Ensure all the default manager settings exist. */ static void -check_db_settings (int avoid_db_check_inserts) +check_db_settings () { - if (avoid_db_check_inserts) - return; - if (sql_int ("SELECT count(*) FROM settings" " WHERE uuid = '6765549a-934e-11e3-b358-406186ea4fc5'" " AND " ACL_IS_GLOBAL () ";") @@ -16234,15 +16224,10 @@ check_db_versions () /** * @brief Ensures the sanity of nvts cache in DB. - * - * @param[in] avoid_db_check_inserts Whether to avoid inserts. */ static void -check_db_nvt_selectors (int avoid_db_check_inserts) +check_db_nvt_selectors () { - if (avoid_db_check_inserts) - return; - /* Ensure every part of the predefined selector exists. * This restores entries lost due to the error solved 2010-08-13 by r8805. */ if (sql_int ("SELECT count(*) FROM nvt_selectors WHERE name =" @@ -16379,15 +16364,10 @@ add_permissions_on_globals (const gchar *role_uuid) /** * @brief Ensure the predefined permissions exists. - * - * @param[in] avoid_db_check_inserts Whether to avoid inserts. */ static void -check_db_permissions (int avoid_db_check_inserts) +check_db_permissions () { - if (avoid_db_check_inserts) - return; - command_t *command; if (sql_int ("SELECT count(*) FROM permissions" @@ -16546,15 +16526,10 @@ check_db_permissions (int avoid_db_check_inserts) /** * @brief Ensure the predefined roles exists. - * - * @param[in] avoid_db_check_inserts Whether to avoid inserts. */ static void -check_db_roles (int avoid_db_check_inserts) +check_db_roles () { - if (avoid_db_check_inserts) - return; - if (sql_int ("SELECT count(*) FROM roles WHERE uuid = '" ROLE_UUID_ADMIN "';") == 0) sql ("INSERT INTO roles" @@ -16725,19 +16700,25 @@ check_db (int check_encryption_key, int avoid_db_check_inserts) create_tables (); check_db_sequences (); set_db_version (GVMD_DATABASE_VERSION); - check_db_roles (avoid_db_check_inserts); - check_db_nvt_selectors (avoid_db_check_inserts); + if (avoid_db_check_inserts == 0) + { + check_db_roles (); + check_db_nvt_selectors (); + } check_db_nvts (); check_db_port_lists (avoid_db_check_inserts); clean_auth_cache (); - if (check_db_scanners (avoid_db_check_inserts)) + if (avoid_db_check_inserts == 0 && check_db_scanners ()) goto fail; if (check_db_report_formats (avoid_db_check_inserts)) goto fail; if (check_db_report_formats_trash ()) goto fail; - check_db_permissions (avoid_db_check_inserts); - check_db_settings (avoid_db_check_inserts); + if (avoid_db_check_inserts == 0) + { + check_db_permissions (); + check_db_settings (); + } cleanup_schedule_times (); if (check_encryption_key && check_db_encryption_key ()) goto fail; @@ -17086,7 +17067,7 @@ init_manage (GSList *log_config, const db_conn_info_t *database, fork_connection, skip_db_check, 1, /* Check encryption key if checking db. */ - 0 /* Do not avoid inserts if checking db. */); + 0 /* Do not avoid inserts if checking db. */); } /** @@ -17125,7 +17106,7 @@ init_manage_helper (GSList *log_config, const db_conn_info_t *database, ? 1 /* Skip DB check. */ : 0, /* Do DB check. */ 0, /* Dummy. */ - avoid_db_check_inserts); + avoid_db_check_inserts); } /** @@ -58328,7 +58309,7 @@ manage_optimize (GSList *log_config, const db_conn_info_t *database, */ if (strcasecmp (name, "cleanup-sequences") == 0) avoid_db_check_inserts = 1; - + ret = manage_option_setup (log_config, database, avoid_db_check_inserts); if (ret) return ret; diff --git a/src/manage_sql_port_lists.h b/src/manage_sql_port_lists.h index 9d20c199c..0539cf253 100644 --- a/src/manage_sql_port_lists.h +++ b/src/manage_sql_port_lists.h @@ -74,6 +74,6 @@ update_port_list (port_list_t, const gchar *, const gchar *, array_t *, const gchar *); void -check_db_port_lists (); +check_db_port_lists (int); #endif /* not _GVMD_MANAGE_SQL_PORT_LISTS_H */