

Fix VTs hash check and add --dump-vt-verification
The collation of the VTs and preferences is now set explicitly in the
SQL used to get the string the VTs verification hash is calculated from
to ensure the VTs and preferences are sorted consistently.
The unhashed string is now also generated in a function and the command
line option --dump-vt-verification has been added.
timopollmeier committed Jul 5, 2021
1 parent f2572ba commit c6708fd
Showing 4 changed files with 102 additions and 29 deletions.
24 changes: 24 additions & 0 deletions src/gvmd.c
Expand Up @@ -1787,6 +1787,7 @@ gvmd (int argc, char** argv)
static gboolean decrypt_all_credentials = FALSE;
static gboolean disable_password_policy = FALSE;
static gboolean disable_scheduling = FALSE;
static gboolean dump_vt_verification = FALSE;
static gboolean get_roles = FALSE;
static gboolean get_users = FALSE;
static gboolean get_scanners = FALSE;
Expand Down Expand Up @@ -1915,6 +1916,10 @@ gvmd (int argc, char** argv)
&disable_scheduling,
"Disable task scheduling.",
NULL },
{ "dump-vt-verification", '\0', 0, G_OPTION_ARG_NONE,
&dump_vt_verification,
"Dump the string the VTs verification hash is calculated from.",
NULL },
{ "encrypt-all-credentials", '\0', 0, G_OPTION_ARG_NONE,
&encrypt_all_credentials,
"(Re-)Encrypt all credentials.",
Expand Down Expand Up @@ -2568,6 +2573,25 @@ gvmd (int argc, char** argv)
}
return EXIT_SUCCESS;
}

if (dump_vt_verification)
{
int ret;

proctitle_set ("gvmd: --dump-vt-verification");

if (option_lock (&lockfile_checking))
return EXIT_FAILURE;

ret = manage_dump_vt_verification (log_config, &database);
log_config_free ();
if (ret)
{
printf ("Failed to rebuild SCAP data.\n");
return EXIT_FAILURE;
}
return EXIT_SUCCESS;
}

if (create_scanner)
{
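Review bot: The failure message in the new dump-vt-verification branch, `printf ("Failed to rebuild SCAP data.\n");`, is carried over from another option and does not describe this command; it should read `printf ("Failed to dump VT verification string.\n");`. manage_dump_vt_verification already prints the specific reason for -1 and -5 itself, so this line only needs to be an accurate summary of which option failed. The enclosing gvmd() function starts and ends outside the hunk.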
3 changes: 3 additions & 0 deletions src/manage.h
Expand Up @@ -3671,6 +3671,9 @@ manage_update_nvts_osp (const gchar *);
int
manage_rebuild (GSList *, const db_conn_info_t *);

int
manage_dump_vt_verification (GSList *, const db_conn_info_t *);


/* Wizards. */

29 changes: 29 additions & 0 deletions src/manage_pg.c
Expand Up @@ -843,6 +843,35 @@ manage_create_sql_functions ()

/* Functions in SQL. */

sql ("CREATE OR REPLACE FUNCTION vts_verification_str () RETURNS text AS $$"
" WITH pref_str AS ("
" SELECT name,"
" substring(name, '^(.*?):') AS oid,"
" substring (name, '^.*?:([^:]+):') AS pref_id,"
" (substring (name, '^.*?:([^:]+):')"
" || substring (name,"
" '^[^:]*:[^:]*:[^:]*:(.*)')"
" || value) AS pref"
" FROM nvt_preferences"
" ),"
" nvt_str AS ("
" SELECT (SELECT nvts.oid"
" || max(modification_time)"
" || coalesce (string_agg(pref_str.pref, ''"
" ORDER BY (pref_id"
" COLLATE \"C.UTF-8\")),"
" ''))"
" AS vt_string"
" FROM nvts"
" LEFT JOIN pref_str ON nvts.oid = pref_str.oid"
" GROUP BY nvts.oid"
" ORDER BY (nvts.oid COLLATE \"C.UTF-8\") ASC"
" )"
" SELECT coalesce (string_agg (nvt_str.vt_string, ''), '')"
" FROM nvt_str"
"$$ LANGUAGE SQL"
" STABLE;");

sql ("CREATE OR REPLACE FUNCTION t () RETURNS boolean AS $$"
" SELECT true;"
"$$ LANGUAGE SQL"
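Review bot: The outer `string_agg (nvt_str.vt_string, '')` in the final SELECT of vts_verification_str has no ORDER BY of its own and relies on the ORDER BY inside the nvt_str CTE being preserved, which PostgreSQL does not guarantee once the planner inlines or re-scans the CTE; since the hash has to be byte-identical to the scanner's, the aggregate should state its order explicitly, e.g. expose `nvts.oid` as a column of nvt_str and aggregate with `string_agg (nvt_str.vt_string, '' ORDER BY (nvt_str.oid COLLATE \"C.UTF-8\"))`. The hard-coded `"C.UTF-8"` collation is also only present when the database server's OS provides that locale, and because this is a CREATE OR REPLACE FUNCTION with an SQL body the missing collation would surface as a failure while manage_create_sql_functions runs; `COLLATE "C"` sorts UTF-8 text in the same code-point order and exists on every installation, so it is the safer choice if the scanner side sorts by code point as it appears to. The enclosing manage_create_sql_functions () starts and ends outside the hunk.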
75 changes: 46 additions & 29 deletions src/manage_sql_nvts.c
Expand Up @@ -1594,35 +1594,10 @@ update_nvts_from_vts (entity_t *get_vts_response,
* All values are concatenated without a separator.
*/
db_vts_hash
= sql_string ("WITH pref_str AS ("
" SELECT name,"
" substring(name, '^(.*?):') AS oid,"
" substring (name, '^.*?:([^:]+):') AS pref_id,"
" (substring (name, '^.*?:([^:]+):')"
" || substring (name,"
" '^[^:]*:[^:]*:[^:]*:(.*)')"
" || value) AS pref"
" FROM nvt_preferences"
" ),"
" nvt_str AS ("
" SELECT (SELECT nvts.oid"
" || max(modification_time)"
" || coalesce (string_agg(pref_str.pref, ''"
" ORDER BY pref_id),"
" ''))"
" AS vt_string"
" FROM nvts"
" LEFT JOIN pref_str ON nvts.oid = pref_str.oid"
" GROUP BY nvts.oid"
" ORDER BY nvts.oid ASC"
" )"
" SELECT encode"
" (digest"
" (coalesce (string_agg (nvt_str.vt_string, ''),"
" ''),"
" 'sha256'),"
" 'hex')"
" FROM nvt_str;");
= sql_string ("SELECT encode ("
" digest (vts_verification_str (), 'SHA256'),"
" 'hex'"
" );");

if (strcmp (osp_vt_hash, db_vts_hash ? db_vts_hash : ""))
{
Expand Down Expand Up @@ -2224,3 +2199,45 @@ manage_rebuild (GSList *log_config, const db_conn_info_t *database)

return ret;
}

/**
* @brief Dump the string used to calculate the VTs verification hash
* to stdout.
*
* @return 0 success, 1 VT integrity check failed, -1 error,
* -2 database is wrong version,
* -3 database needs to be initialised from server, -5 sync active.
*/
int
manage_dump_vt_verification (GSList *log_config,
const db_conn_info_t *database)
{
int ret;
static lockfile_t lockfile;
char *verification_str;

switch (feed_lockfile_lock_timeout (&lockfile))
{
case 1:
printf ("A feed sync is already running.\n");
return -5;
case -1:
printf ("Error getting sync lock.\n");
return -1;
}

ret = manage_option_setup (log_config, database);
if (ret)
{
feed_lockfile_unlock (&lockfile);
return ret;
}

verification_str = sql_string ("SELECT vts_verification_str ();");
printf ("%s\n", verification_str);

feed_lockfile_unlock (&lockfile);
manage_option_cleanup ();

return 0;
}
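Review bot: `printf ("%s\n", verification_str);` in manage_dump_vt_verification prints the sql_string result without a NULL check and never frees it; if sql_string returns NULL on a failed query, the printf is undefined behaviour. Guard it, e.g. `printf ("%s\n", verification_str ? verification_str : "");`, and release the string afterwards with the same free routine the other sql_string callers in this file use (g_free, if sql_string allocates via GLib as elsewhere in gvmd — please confirm). The doc comment's @return list also includes `1 VT integrity check failed`, which this function never returns, and it has no @param entries; suggest dropping the 1 case and adding `@param[in] log_config Log configuration.` and `@param[in] database Connection info for manage database.`. The `switch` on feed_lockfile_lock_timeout would also benefit from a `default: break;` so the intended fall-through on 0 is explicit.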
