sec-updater: Checks for security updates
authorAndreas Steffen <andreas.steffen@strongswan.org>
Fri, 25 Aug 2017 09:23:20 +0000 (11:23 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Fri, 1 Sep 2017 09:19:40 +0000 (11:19 +0200)
sec-updater checks for security updates and backports in Debian/
Ubuntu repositories and sets the security flags in the strongTNC
policy database accordingly.

configure.ac
src/Makefile.am
src/checksum/Makefile.am
src/libimcv/plugins/imv_os/Makefile.am
src/libimcv/plugins/imv_os/pacman.c [deleted file]
src/libimcv/plugins/imv_os/pacman.sh [deleted file]
src/sec-updater/.gitignore [new file with mode: 0644]
src/sec-updater/Makefile.am [new file with mode: 0644]
src/sec-updater/sec-updater.8.in [new file with mode: 0644]
src/sec-updater/sec-updater.c [new file with mode: 0644]
src/sec-updater/sec-updater.sh [new file with mode: 0755]

index ea09855..ce0c9a7 100644 (file)
@@ -1969,6 +1969,7 @@ AC_CONFIG_FILES([
        src/conftest/Makefile
        src/pt-tls-client/Makefile
        src/sw-collector/Makefile
+       src/sec-updater/Makefile
        src/swanctl/Makefile
        scripts/Makefile
        testing/Makefile
@@ -2003,6 +2004,7 @@ AC_CONFIG_FILES([
        src/swanctl/swanctl.conf.5.tail
        src/pt-tls-client/pt-tls-client.1
        src/sw-collector/sw-collector.8
+       src/sec-updater/sec-updater.8
 ])
 
 AC_OUTPUT
index 1bdb833..7bef1a5 100644 (file)
@@ -132,6 +132,10 @@ if USE_IMC_SWIMA
   SUBDIRS += sw-collector
 endif
 
+if USE_IMV_SWIMA
+  SUBDIRS += sec-updater
+endif
+
 if USE_INTEGRITY_TEST
   SUBDIRS += checksum
 endif
index 1856e2a..107b26c 100644 (file)
@@ -130,6 +130,10 @@ if USE_IMC_SWIMA
   exes += $(DESTDIR)$(sbindir)/sw-collector
 endif
 
+if USE_IMV_SWIMA
+  exes += $(DESTDIR)$(sbindir)/sec-updater
+endif
+
 checksum.c : checksum_builder $(deps) $(exes)
                ./checksum_builder $(libs) $(exes) > checksum.c
 
index f5bc901..50a87d8 100644 (file)
@@ -18,12 +18,3 @@ imv_os_la_SOURCES = \
        imv_os_database.c imv_os_database.h
 
 imv_os_la_LDFLAGS = -module -avoid-version -no-undefined
-
-if !USE_WINDOWS
-ipsec_PROGRAMS = pacman
-pacman_SOURCES = pacman.c
-pacman_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
-pacman.o :     $(top_builddir)/config.status
-
-EXTRA_DIST = pacman.sh
-endif
diff --git a/src/libimcv/plugins/imv_os/pacman.c b/src/libimcv/plugins/imv_os/pacman.c
deleted file mode 100644 (file)
index fbcab5e..0000000
+++ /dev/null
@@ -1,499 +0,0 @@
-/*
- * Copyright (C) 2012 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#define _GNU_SOURCE
-#include <getopt.h>
-#include <unistd.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-#include <syslog.h>
-#include <time.h>
-#include <sys/stat.h>
-
-#include "imv_os_state.h"
-
-#include <library.h>
-#include <utils/debug.h>
-
-typedef enum pacman_state_t pacman_state_t;
-
-enum pacman_state_t {
-       PACMAN_STATE_BEGIN_PACKAGE,
-       PACMAN_STATE_VERSION,
-       PACMAN_STATE_END_PACKAGE
-};
-
-typedef struct stats_t stats_t;
-
-struct stats_t {
-       time_t release;
-       int product;
-       int packages;
-       int new_packages;
-       int new_versions;
-       int updated_versions;
-       int deleted_versions;
-};
-
-/**
- * global debug output variables
- */
-static int debug_level = 1;
-static bool stderr_quiet = TRUE;
-
-/**
- * pacman dbg function
- */
-static void pacman_dbg(debug_t group, level_t level, char *fmt, ...)
-{
-       int priority = LOG_INFO;
-       char buffer[8192];
-       char *current = buffer, *next;
-       va_list args;
-
-       if (level <= debug_level)
-       {
-               if (!stderr_quiet)
-               {
-                       va_start(args, fmt);
-                       vfprintf(stderr, fmt, args);
-                       fprintf(stderr, "\n");
-                       va_end(args);
-               }
-
-               /* write in memory buffer first */
-               va_start(args, fmt);
-               vsnprintf(buffer, sizeof(buffer), fmt, args);
-               va_end(args);
-
-               /* do a syslog with every line */
-               while (current)
-               {
-                       next = strchr(current, '\n');
-                       if (next)
-                       {
-                               *(next++) = '\0';
-                       }
-                       syslog(priority, "%s\n", current);
-                       current = next;
-               }
-       }
-}
-
-/**
- * atexit handler to close everything on shutdown
- */
-static void cleanup(void)
-{
-       closelog();
-       library_deinit();
-}
-
-static void usage(void)
-{
-       printf("Parses package information files from Debian/Ubuntu repositories and\n");
-       printf("stores the extracted information in the database used by the OS IMV.\n\n");
-       printf("ipsec pacman --product <name> --file <filename> [--security]\n\n");
-       printf("  --help               print usage information\n");
-       printf("  --product <name>     name of the Debian/Ubuntu release, as stored in the DB\n");
-       printf("  --file <filename>    package information file to parse\n");
-       printf("  --security           set this when parsing a file with security updates\n");
-       printf("\n");
-}
-
-/**
- * Update the package database
- */
-static bool update_database(database_t *db, char *package, char *version,
-                                                       bool security, stats_t *stats)
-{
-       char *cur_version, *version_update = NULL, *version_delete = NULL;
-       int cur_security, security_update = 0, security_delete = 0;
-       int pac_id = 0, vid = 0, vid_update = 0, vid_delete = 0;
-       u_int cur_time;
-       bool add_version = TRUE;
-       enumerator_t *e;
-
-       /* increment package count */
-       stats->packages++;
-
-       /* check if package is already in database */
-       e = db->query(db, "SELECT id FROM packages WHERE name = ?",
-                                         DB_TEXT, package, DB_INT);
-       if (!e)
-       {
-               return FALSE;
-       }
-       if (!e->enumerate(e, &pac_id))
-       {
-               pac_id = 0;
-       }
-       e->destroy(e);
-
-       if (!pac_id && security)
-       {
-               if (db->execute(db, &pac_id, "INSERT INTO packages (name) VALUES (?)",
-                                               DB_TEXT, package) != 1)
-               {
-                       fprintf(stderr, "could not store package '%s' to database\n",
-                                                        package);
-                       return FALSE;
-               }
-               stats->new_packages++;
-       }
-
-       /* check for package versions already in database */
-       e = db->query(db,
-                       "SELECT id, release, security, time FROM versions "
-                       "WHERE package = ? AND product = ?", DB_INT, pac_id,
-                        DB_INT, stats->product, DB_INT, DB_TEXT, DB_INT, DB_UINT);
-       if (!e)
-       {
-               return FALSE;
-       }
-
-       while (e->enumerate(e, &vid, &cur_version, &cur_security, &cur_time))
-       {
-               if (streq(version, cur_version))
-               {
-                       /* already in data base */
-                       add_version = FALSE;
-                       break;
-               }
-               else if (stats->release >= cur_time)
-               {
-                       if (security)
-                       {
-                               if (cur_security)
-                               {
-                                       vid_update = vid;
-                                       version_update = strdup(cur_version);
-                                       security_update = cur_security;
-                               }
-                               else
-                               {
-                                       vid_delete = vid;
-                                       version_delete = strdup(cur_version);
-                                       security_delete = cur_security;
-                               }
-                       }
-                       else
-                       {
-                               if (!cur_security)
-                               {
-                                       vid_update = vid;
-                                       version_update = strdup(cur_version);
-                                       security_update = cur_security;
-                               }
-                       }
-               }
-               else
-               {
-                       if (security == cur_security)
-                       {
-                               add_version = FALSE;
-                       }
-               }
-       }
-       e->destroy(e);
-
-       if ((!vid && !security) || (vid && !add_version))
-       {
-               free(version_update);
-               free(version_delete);
-               return TRUE;
-       }
-
-       if ((!vid && security) || (vid && !vid_update))
-       {
-               printf("%s (%s) %s\n", package, version, security ? "[s]" : "");
-
-               if (db->execute(db, &vid,
-                       "INSERT INTO versions "
-                       "(package, product, release, security, time) "
-                       "VALUES (?, ?, ?, ?, ?)", DB_INT, pac_id, DB_INT, stats->product,
-                       DB_TEXT, version, DB_INT, security, DB_INT, stats->release) != 1)
-               {
-                       fprintf(stderr, "could not store version '%s' to database\n",
-                                                        version);
-                       free(version_update);
-                       free(version_delete);
-                       return FALSE;
-               }
-               stats->new_versions++;
-       }
-       else
-       {
-               printf("%s (%s) %s updated by\n",
-                          package, version_update, security_update ? "[s]" : "");
-               printf("%s (%s) %s\n", package, version, security ? "[s]" : "");
-
-               if (db->execute(db, NULL,
-                       "UPDATE versions SET release = ?, time = ? WHERE id = ?",
-                       DB_TEXT, version, DB_INT, stats->release, DB_INT, vid_update) <= 0)
-               {
-                       fprintf(stderr, "could not update version '%s' to database\n",
-                                                        version);
-                       free(version_update);
-                       free(version_delete);
-                       return FALSE;
-               }
-               stats->updated_versions++;
-       }
-
-       if (vid_delete)
-       {
-               printf("%s (%s) %s deleted\n",
-                          package, version_delete, security_delete ? "[s]" : "");
-                       if (db->execute(db, NULL,
-                       "DELETE FROM  versions WHERE id = ?",
-                       DB_INT, vid_delete) <= 0)
-               {
-                       fprintf(stderr, "could not delete version '%s' from database\n",
-                                                        version_delete);
-                       free(version_update);
-                       free(version_delete);
-                       return FALSE;
-               }
-               stats->deleted_versions++;
-       }
-       free(version_update);
-       free(version_delete);
-
-       return TRUE;
-}
-
-/**
- * Process a package file and store updates in the database
- */
-static void process_packages(char *filename, char *product, bool security)
-{
-       char *uri, line[BUF_LEN], *pos, *package = NULL, *version = NULL;
-       pacman_state_t pacman_state;
-       enumerator_t *e;
-       database_t *db;
-       int pid;
-       FILE *file;
-       stats_t stats;
-       bool success;
-
-       /* initialize statistics */
-       memset(&stats, 0x00, sizeof(stats_t));
-
-       /* Set release date to current time */
-       stats.release = time(NULL);
-
-       /* opening package file */
-       printf("loading\"%s\"\n", filename);
-       file = fopen(filename, "r");
-       if (!file)
-       {
-               fprintf(stderr, "could not open \"%s\"\n", filename);
-               exit(EXIT_FAILURE);
-       }
-
-       /* connect package database */
-       uri = lib->settings->get_str(lib->settings, "pacman.database", NULL);
-       if (!uri)
-       {
-               fprintf(stderr, "database URI pacman.database not set\n");
-               fclose(file);
-               exit(EXIT_FAILURE);
-       }
-       db = lib->db->create(lib->db, uri);
-       if (!db)
-       {
-               fprintf(stderr, "could not connect to database '%s'\n", uri);
-               fclose(file);
-               exit(EXIT_FAILURE);
-       }
-
-       /* check if product is already in database */
-       e = db->query(db, "SELECT id FROM products WHERE name = ?",
-                                 DB_TEXT, product, DB_INT);
-       if (e)
-       {
-               if (e->enumerate(e, &pid))
-               {
-                       stats.product = pid;
-               }
-               e->destroy(e);
-       }
-       if (!stats.product)
-       {
-               if (db->execute(db, &pid, "INSERT INTO products (name) VALUES (?)",
-                                               DB_TEXT, product) != 1)
-               {
-                       fprintf(stderr, "could not store product '%s' to database\n",
-                                                        product);
-                       fclose(file);
-                       db->destroy(db);
-                       exit(EXIT_FAILURE);
-               }
-               stats.product = pid;
-       }
-
-       pacman_state = PACMAN_STATE_BEGIN_PACKAGE;
-
-       while (fgets(line, sizeof(line), file))
-       {
-               /* set read pointer to beginning of line */
-               pos = line;
-
-               switch (pacman_state)
-               {
-                       case PACMAN_STATE_BEGIN_PACKAGE:
-                               pos = strstr(pos, "Package: ");
-                               if (!pos)
-                               {
-                                       continue;
-                               }
-                               pos += 9;
-                               package = pos;
-                               pos = strchr(pos, '\n');
-                               if (pos)
-                               {
-                                       package = strndup(package, pos - package);
-                                       pacman_state = PACMAN_STATE_VERSION;
-                               }
-                               break;
-                       case PACMAN_STATE_VERSION:
-                               pos = strstr(pos, "Version: ");
-                               if (!pos)
-                               {
-                                       continue;
-                               }
-                               pos += 9;
-                               version = pos;
-                               pos = strchr(pos, '\n');
-                               if (pos)
-                               {
-                                       version = strndup(version, pos - version);
-                                       pacman_state = PACMAN_STATE_END_PACKAGE;
-                               }
-                               break;
-                       case PACMAN_STATE_END_PACKAGE:
-                               if (*pos != '\n')
-                               {
-                                       continue;
-                               }
-                               success = update_database(db, package, version, security, &stats);
-                               free(package);
-                               free(version);
-                               if (!success)
-                               {
-                                       fclose(file);
-                                       db->destroy(db);
-                                       exit(EXIT_FAILURE);
-                               }
-                               pacman_state = PACMAN_STATE_BEGIN_PACKAGE;
-               }
-       }
-       switch (pacman_state)
-       {
-               case PACMAN_STATE_END_PACKAGE:
-                       free(version);
-                       /* fall-through */
-               case PACMAN_STATE_VERSION:
-                       free(package);
-                       break;
-               default:
-                       break;
-       }
-       fclose(file);
-       db->destroy(db);
-
-       printf("processed %d packages, %d new packages, %d new versions, "
-                  "%d updated versions, %d deleted versions\n",
-                       stats.packages, stats.new_packages, stats.new_versions,
-                       stats.updated_versions, stats.deleted_versions);
-}
-
-static void do_args(int argc, char *argv[])
-{
-       char *filename = NULL, *product = NULL;
-       bool security = FALSE;
-
-       /* reinit getopt state */
-       optind = 0;
-
-       while (TRUE)
-       {
-               int c;
-
-               struct option long_opts[] = {
-                       { "help", no_argument, NULL, 'h' },
-                       { "file", required_argument, NULL, 'f' },
-                       { "product", required_argument, NULL, 'p' },
-                       { "security", no_argument, NULL, 's' },
-                       { 0,0,0,0 }
-               };
-
-               c = getopt_long(argc, argv, "", long_opts, NULL);
-               switch (c)
-               {
-                       case EOF:
-                               break;
-                       case 'h':
-                               usage();
-                               exit(EXIT_SUCCESS);
-                       case 'f':
-                               filename = optarg;
-                               continue;
-                       case 'p':
-                               product = optarg;
-                               continue;
-                       case 's':
-                               security = TRUE;
-                               continue;
-               }
-               break;
-       }
-
-       if (filename && product)
-       {
-               process_packages(filename, product, security);
-       }
-       else
-       {
-               usage();
-               exit(EXIT_FAILURE);
-       }
-}
-
-int main(int argc, char *argv[])
-{
-       /* enable attest debugging hook */
-       dbg = pacman_dbg;
-       openlog("pacman", 0, LOG_DEBUG);
-
-       atexit(cleanup);
-
-       /* initialize library */
-       if (!library_init(NULL, "pacman"))
-       {
-               exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
-       }
-       if (!lib->plugins->load(lib->plugins,
-                       lib->settings->get_str(lib->settings, "pacman.load", "sqlite")))
-       {
-               exit(SS_RC_INITIALIZATION_FAILED);
-       }
-       do_args(argc, argv);
-
-       exit(EXIT_SUCCESS);
-}
-
diff --git a/src/libimcv/plugins/imv_os/pacman.sh b/src/libimcv/plugins/imv_os/pacman.sh
deleted file mode 100755 (executable)
index fcf35b6..0000000
+++ /dev/null
@@ -1,203 +0,0 @@
-#!/bin/sh
-
-DIR="/etc/pts"
-DATE=`date +%Y%m%d-%H%M`
-UBUNTU="http://security.ubuntu.com/ubuntu/dists"
-UBUNTU_VERSIONS="trusty saucy raring quantal precise lucid"
-UBUNTU_DIRS="main multiverse restricted universe"
-UBUNTU_ARCH="binary-amd64 binary-i386"
-DEBIAN="http://security.debian.org/dists"
-DEBIAN_VERSIONS="jessie wheezy squeeze"
-DEBIAN_DIRS="main contrib non-free"
-DEBIAN_ARCH="binary-amd64 binary-i386"
-PACMAN=/usr/libexec/ipsec/pacman
-PACMAN_LOG="$DIR/$DATE-pacman.log"
-
-mkdir -p $DIR/dists
-cd $DIR/dists
-
-for v in $UBUNTU_VERSIONS
-do
-  for a in $UBUNTU_ARCH
-  do
-    mkdir -p $v-security/$a $v-updates/$a
-    for d in $UBUNTU_DIRS
-    do
-         wget $UBUNTU/$v-security/$d/$a/Packages.bz2 -O $v-security/$a/Packages-$d.bz2
-      bunzip2 -f $v-security/$a/Packages-$d.bz2
-         wget $UBUNTU/$v-updates/$d/$a/Packages.bz2  -O $v-updates/$a/Packages-$d.bz2
-      bunzip2 -f $v-updates/$a/Packages-$d.bz2
-       done
-  done
-done
-
-for v in $DEBIAN_VERSIONS
-do
-  for a in $DEBIAN_ARCH
-  do
-    mkdir -p $v-updates/$a
-    for d in $DEBIAN_DIRS
-    do
-         wget $DEBIAN/$v/updates/$d/$a/Packages.bz2  -O $v-updates/$a/Packages-$d.bz2
-      bunzip2 -f $v-updates/$a/Packages-$d.bz2
-       done
-  done
-done
-
-for f in trusty-security/binary-amd64/*
-do
-  $PACMAN --product "Ubuntu 14.04 x86_64" --file $f --security >> $PACMAN_LOG
-done
-echo
-for f in trusty-updates/binary-amd64/*
-do
-  $PACMAN --product "Ubuntu 14.04 x86_64" --file $f >> $PACMAN_LOG
-done
-echo
-for f in trusty-security/binary-i386/*
-do
-  $PACMAN --product "Ubuntu 14.04 i686" --file $f --security >> $PACMAN_LOG
-done
-echo
-for f in trusty-updates/binary-i386/*
-do
-  $PACMAN --product "Ubuntu 14.04 i686" --file $f >> $PACMAN_LOG
-done
-echo
-
-for f in saucy-security/binary-amd64/*
-do
-  $PACMAN --product "Ubuntu 13.10 x86_64" --file $f --security >> $PACMAN_LOG
-done
-echo
-for f in saucy-updates/binary-amd64/*
-do
-  $PACMAN --product "Ubuntu 13.10 x86_64" --file $f >> $PACMAN_LOG
-done
-echo
-for f in saucy-security/binary-i386/*
-do
-  $PACMAN --product "Ubuntu 13.10 i686" --file $f --security >> $PACMAN_LOG
-done
-echo
-for f in saucy-updates/binary-i386/*
-do
-  $PACMAN --product "Ubuntu 13.10 i686" --file $f >> $PACMAN_LOG
-done
-echo
-
-for f in raring-security/binary-amd64/*
-do
-  $PACMAN --product "Ubuntu 13.04 x86_64" --file $f --security >> $PACMAN_LOG
-done
-echo
-for f in raring-updates/binary-amd64/*
-do
-  $PACMAN --product "Ubuntu 13.04 x86_64" --file $f >> $PACMAN_LOG
-done
-echo
-for f in raring-security/binary-i386/*
-do
-  $PACMAN --product "Ubuntu 13.04 i686" --file $f --security >> $PACMAN_LOG
-done
-echo
-for f in raring-updates/binary-i386/*
-do
-  $PACMAN --product "Ubuntu 13.04 i686" --file $f >> $PACMAN_LOG
-done
-echo
-
-for f in quantal-security/binary-amd64/*
-do
-  $PACMAN --product "Ubuntu 12.10 x86_64" --file $f --security >> $PACMAN_LOG
-done
-echo
-for f in quantal-updates/binary-amd64/*
-do
-  $PACMAN --product "Ubuntu 12.10 x86_64" --file $f >> $PACMAN_LOG
-done
-echo
-for f in quantal-security/binary-i386/*
-do
-  $PACMAN --product "Ubuntu 12.10 i686" --file $f --security >> $PACMAN_LOG
-done
-echo
-for f in quantal-updates/binary-i386/*
-do
-  $PACMAN --product "Ubuntu 12.10 i686" --file $f >> $PACMAN_LOG
-done
-echo
-
-for f in precise-security/binary-amd64/*
-do
-  $PACMAN --product "Ubuntu 12.04 x86_64" --file $f --security >> $PACMAN_LOG
-done
-echo
-for f in precise-updates/binary-amd64/*
-do
-  $PACMAN --product "Ubuntu 12.04 x86_64" --file $f >> $PACMAN_LOG
-done
-echo
-for f in precise-security/binary-i386/*
-do
-  $PACMAN --product "Ubuntu 12.04 i686" --file $f --security >> $PACMAN_LOG
-done
-echo
-for f in precise-updates/binary-i386/*
-do
-  $PACMAN --product "Ubuntu 12.04 i686" --file $f >> $PACMAN_LOG
-done
-echo
-
-for f in lucid-security/binary-amd64/*
-do
-  $PACMAN --product "Ubuntu 10.04 x86_64" --file $f --security >> $PACMAN_LOG
-done
-echo
-for f in lucid-updates/binary-amd64/*
-do
-  $PACMAN --product "Ubuntu 10.04 x86_64" --file $f >> $PACMAN_LOG
-done
-echo
-for f in lucid-security/binary-i386/*
-do
-  $PACMAN --product "Ubuntu 10.04 i686" --file $f --security >> $PACMAN_LOG
-done
-echo
-for f in lucid-updates/binary-i386/*
-do
-  $PACMAN --product "Ubuntu 10.04 i686" --file $f >> $PACMAN_LOG
-done
-echo
-
-for f in jessie-updates/binary-amd64/*
-do
-  $PACMAN --product "Debian 8.0 x86_64" --file $f --security >> $PACMAN_LOG
-done
-echo
-for f in jessie-updates/binary-i386/*
-do
-  $PACMAN --product "Debian 8.0 i686" --file $f --security >> $PACMAN_LOG
-done
-
-for f in wheezy-updates/binary-amd64/*
-do
-  $PACMAN --product "Debian 7.0 x86_64" --file $f --security >> $PACMAN_LOG
-done
-echo
-for f in wheezy-updates/binary-i386/*
-do
-  $PACMAN --product "Debian 7.0 i686" --file $f --security >> $PACMAN_LOG
-done
-
-for f in squeeze-updates/binary-amd64/*
-do
-  $PACMAN --product "Debian 6.0 x86_64" --file $f --security >> $PACMAN_LOG
-done
-echo
-for f in squeeze-updates/binary-i386/*
-do
-  $PACMAN --product "Debian 6.0 i686" --file $f --security >> $PACMAN_LOG
-done
-
-cp $DIR/config.db $DIR/config.db-$DATE
diff --git a/src/sec-updater/.gitignore b/src/sec-updater/.gitignore
new file mode 100644 (file)
index 0000000..4c0d4c4
--- /dev/null
@@ -0,0 +1,2 @@
+sec-updater
+sec-updater.8
diff --git a/src/sec-updater/Makefile.am b/src/sec-updater/Makefile.am
new file mode 100644 (file)
index 0000000..5546cb8
--- /dev/null
@@ -0,0 +1,18 @@
+if !USE_WINDOWS
+
+sbin_PROGRAMS = sec-updater 
+
+AM_CPPFLAGS = \
+       -I$(top_srcdir)/src/libstrongswan \
+       -DPLUGINS=\""sqlite"\"
+
+sec_updater_SOURCES = sec-updater.c
+sec_updater_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+sec-updater.o : $(top_builddir)/config.status
+
+EXTRA_DIST = sec-updater.sh
+
+man8_MANS = sec-updater.8
+CLEANFILES = $(man8_MANS)
+
+endif
diff --git a/src/sec-updater/sec-updater.8.in b/src/sec-updater/sec-updater.8.in
new file mode 100644 (file)
index 0000000..e58f3b9
--- /dev/null
@@ -0,0 +1,65 @@
+.TH SEC-UPDATER 8 "2017-08-25" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+sec-updater \- Extracts security update information of Linux distributions
+.
+.SH "SYNOPSIS"
+.
+.SY "sec-updater"
+.OP \-\-debug level
+.OP \-\-quiet
+.OP \-\-security
+.BI \-\-product " name"
+.BI \-\-file " filename"
+.YS
+.
+.SY "sec-updater"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+.B sec-updater
+extracts information about security updates and backports of Linux repositories
+(e.g. Debian or Ubuntu). This information is used to update the package version
+information stored in the strongTNC SQLite database. The "dbkg --compare-versions"
+command is used to determine which package versions are affected by a given
+security update.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Prints usage information and a short summary of the available commands.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.B "\-q, \-\-quiet"
+Disable debug output to stderr.
+.TP
+.B "\-s, \-\-security"
+Set when parsing a distributions file with security updates.
+.TP
+.BI "\-p, \-\-product " name
+Name of Linux version as stored in database. eg. "Ubuntu 16.04 x86_64".
+.TP
+.BI "\-f, \-\-file " filename
+Linux package information file to parse.
+.
+.SH "CONFIGURATION"
+.
+The following parameter must be configured in strongswan.conf:
+.P
+ sec-updater {
+    database = sqlite:///etc/pts/config.db
+ }
+.P
+.
+.SH "SEE ALSO"
+.
+.BR strongswan.conf (5)
+
diff --git a/src/sec-updater/sec-updater.c b/src/sec-updater/sec-updater.c
new file mode 100644 (file)
index 0000000..d8a9fbb
--- /dev/null
@@ -0,0 +1,454 @@
+/*
+ * Copyright (C) 2012-2017 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include <getopt.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include <syslog.h>
+#include <time.h>
+#include <sys/stat.h>
+#include <stdlib.h>
+
+#include <library.h>
+#include <utils/debug.h>
+
+typedef enum sec_update_state_t sec_update_state_t;
+
+enum sec_update_state_t {
+       SEC_UPDATE_STATE_BEGIN_PACKAGE,
+       SEC_UPDATE_STATE_VERSION,
+       SEC_UPDATE_STATE_END_PACKAGE
+};
+
+typedef struct stats_t stats_t;
+
+struct stats_t {
+       time_t release;
+       int product;
+       int packages;
+       int new_versions;
+       int updated_versions;
+};
+
+/**
+ * global debug output variables
+ */
+static int debug_level = 1;
+static bool stderr_quiet = FALSE;
+
+/**
+ * sec_updater dbg function
+ */
+static void sec_updater_dbg(debug_t group, level_t level, char *fmt, ...)
+{
+       int priority = LOG_INFO;
+       char buffer[8192];
+       char *current = buffer, *next;
+       va_list args;
+
+       if (level <= debug_level)
+       {
+               if (!stderr_quiet)
+               {
+                       va_start(args, fmt);
+                       vfprintf(stderr, fmt, args);
+                       fprintf(stderr, "\n");
+                       va_end(args);
+               }
+
+               /* write in memory buffer first */
+               va_start(args, fmt);
+               vsnprintf(buffer, sizeof(buffer), fmt, args);
+               va_end(args);
+
+               /* do a syslog with every line */
+               while (current)
+               {
+                       next = strchr(current, '\n');
+                       if (next)
+                       {
+                               *(next++) = '\0';
+                       }
+                       syslog(priority, "%s\n", current);
+                       current = next;
+               }
+       }
+}
+
+/**
+ * atexit handler to close everything on shutdown
+ */
+static void cleanup(void)
+{
+       closelog();
+       library_deinit();
+}
+
+static void usage(void)
+{
+       printf("\
+Usage:\n\
+  sec-updater --help\n\
+  sec-updater [--debug <level>] [--quiet]  [--security] --product <name> --file <filename>\n\n\
+  Options:\n\
+    --help             print usage information\n\
+    --debug            set debug level\n\
+    --quiet            suppress debug output to stderr\n\
+    --security         set when parsing a file with security updates\n\
+    --product <name>   name of the Linux version as stored in the database\n\
+    --file <filename>  package information file to parse");
+}
+
+/**
+ * Update the package database
+ */
+static bool update_database(database_t *db, char *package, char *version,
+                                                       bool security, stats_t *stats)
+{
+       int pid = 0, vid = 0, sec_flag;
+       bool first = TRUE, found = FALSE;
+       char *release;
+       enumerator_t *e;
+
+       /* increment package count */
+       stats->packages++;
+
+       /* check if package is already in database */
+       e = db->query(db, "SELECT id FROM packages WHERE name = ?",
+                                         DB_TEXT, package, DB_INT);
+       if (!e)
+       {
+               return FALSE;
+       }
+       if (!e->enumerate(e, &pid))
+       {
+               pid = 0;
+       }
+       e->destroy(e);
+
+       if (!pid)
+       {
+               return TRUE;
+       }
+
+       /* retrieve all package versions stored in database */
+       e = db->query(db,
+                       "SELECT id, release, security FROM versions "
+                       "WHERE product = ? AND package = ?",
+                        DB_INT, stats->product,  DB_INT, pid, DB_INT, DB_TEXT, DB_INT);
+       if (!e)
+       {
+               return FALSE;
+       }
+
+       while (e->enumerate(e, &vid, &release, &sec_flag))
+       {
+               char command[BUF_LEN];
+               char found_char = ' ';
+               bool update_version = FALSE;
+
+               if (streq(version, release))
+               {
+                       found = TRUE;
+                       found_char = '*';
+               }
+               else if (security)
+               {
+                        snprintf(command, BUF_LEN, "dpkg --compare-versions %s lt %s",
+                                                                                release, version);
+                       if (system(command) == 0)
+                       {
+                               found_char = '!';
+                               if (!sec_flag)
+                               {
+                                       if (db->execute(db, NULL, "UPDATE versions "
+                                               "SET security = 1 WHERE id = ?", DB_INT, vid) != 1)
+                                       {
+                                               DBG1(DBG_IMV, "  could not update version");
+                                               e->destroy(e);
+                                               return FALSE;
+                                       }
+                                       update_version = TRUE;
+                                       stats->updated_versions++;
+                               }
+                       }
+               }
+               if (debug_level < 2 && !update_version)
+               {
+                       continue;
+               }
+               if (first)
+               {
+                       DBG1(DBG_IMV, "%s", package);
+                       first = FALSE;
+               }
+               DBG1(DBG_IMV, "  %c%s %s", found_char , sec_flag ? "s" : " ", release);
+       }
+       e->destroy(e);
+
+       if (!found)
+       {
+               if (first)
+               {
+                       DBG1(DBG_IMV, "%s", package);
+               }
+               DBG1(DBG_IMV, "  +  %s", version);
+
+               if (db->execute(db, &vid,
+                       "INSERT INTO versions "
+                       "(package, product, release, security, time) "
+                       "VALUES (?, ?, ?, 0, ?)", DB_INT, pid, DB_INT, stats->product,
+                       DB_TEXT, version, DB_INT, stats->release) != 1)
+               {
+                       DBG1(DBG_IMV, "  could not store version to database");
+                       return FALSE;
+               }
+               stats->new_versions++;
+       }
+
+       return TRUE;
+}
+
+/**
+ * Process a package file and store updates in the database
+ */
+static void process_packages(char *filename, char *product, bool security)
+{
+       char *uri, line[BUF_LEN], *pos, *package = NULL, *version = NULL;
+       sec_update_state_t state;
+       enumerator_t *e;
+       database_t *db;
+       int pid;
+       FILE *file;
+       stats_t stats;
+       bool success;
+
+       /* initialize statistics */
+       memset(&stats, 0x00, sizeof(stats_t));
+
+       /* Set release date to current time */
+       stats.release = time(NULL);
+
+       /* opening package file */
+       DBG1(DBG_IMV, "loading \"%s\"", filename);
+       file = fopen(filename, "r");
+       if (!file)
+       {
+               DBG1(DBG_IMV, "  could not open \"%s\"", filename);
+               exit(EXIT_FAILURE);
+       }
+
+       /* connect package database */
+       uri = lib->settings->get_str(lib->settings, "sec-updater.database", NULL);
+       if (!uri)
+       {
+               DBG1(DBG_IMV, "database URI sec-updater.database not set");
+               fclose(file);
+               exit(EXIT_FAILURE);
+       }
+       db = lib->db->create(lib->db, uri);
+       if (!db)
+       {
+               DBG1(DBG_IMV, "could not connect to database '%s'", uri);
+               fclose(file);
+               exit(EXIT_FAILURE);
+       }
+
+       /* check if product is already in database */
+       e = db->query(db, "SELECT id FROM products WHERE name = ?",
+                                 DB_TEXT, product, DB_INT);
+       if (e)
+       {
+               if (e->enumerate(e, &pid))
+               {
+                       stats.product = pid;
+               }
+               e->destroy(e);
+       }
+       if (!stats.product)
+       {
+               if (db->execute(db, &pid, "INSERT INTO products (name) VALUES (?)",
+                                               DB_TEXT, product) != 1)
+               {
+                       DBG1(DBG_IMV, "could not store product '%s' to database",
+                                                        product);
+                       fclose(file);
+                       db->destroy(db);
+                       exit(EXIT_FAILURE);
+               }
+               stats.product = pid;
+       }
+
+       state = SEC_UPDATE_STATE_BEGIN_PACKAGE;
+
+       while (fgets(line, sizeof(line), file))
+       {
+               /* set read pointer to beginning of line */
+               pos = line;
+
+               switch (state)
+               {
+                       case SEC_UPDATE_STATE_BEGIN_PACKAGE:
+                               pos = strstr(pos, "Package: ");
+                               if (!pos)
+                               {
+                                       continue;
+                               }
+                               pos += 9;
+                               package = pos;
+                               pos = strchr(pos, '\n');
+                               if (pos)
+                               {
+                                       package = strndup(package, pos - package);
+                                       state = SEC_UPDATE_STATE_VERSION;
+                               }
+                               break;
+                       case SEC_UPDATE_STATE_VERSION:
+                               pos = strstr(pos, "Version: ");
+                               if (!pos)
+                               {
+                                       continue;
+                               }
+                               pos += 9;
+                               version = pos;
+                               pos = strchr(pos, '\n');
+                               if (pos)
+                               {
+                                       version = strndup(version, pos - version);
+                                       state = SEC_UPDATE_STATE_END_PACKAGE;
+                               }
+                               break;
+                       case SEC_UPDATE_STATE_END_PACKAGE:
+                               if (*pos != '\n')
+                               {
+                                       continue;
+                               }
+                               success = update_database(db, package, version, security, &stats);
+                               free(package);
+                               free(version);
+                               if (!success)
+                               {
+                                       fclose(file);
+                                       db->destroy(db);
+                                       exit(EXIT_FAILURE);
+                               }
+                               state = SEC_UPDATE_STATE_BEGIN_PACKAGE;
+               }
+       }
+       switch (state)
+       {
+               case SEC_UPDATE_STATE_END_PACKAGE:
+                       free(version);
+                       /* fall-through */
+               case SEC_UPDATE_STATE_VERSION:
+                       free(package);
+                       break;
+               default:
+                       break;
+       }
+       fclose(file);
+       db->destroy(db);
+
+       DBG1(DBG_IMV, "processed \"%s\": %d packages, %d new versions, "
+                                 "%d updated versions", filename, stats.packages,
+                                  stats.new_versions, stats.updated_versions);
+}
+
+static void do_args(int argc, char *argv[])
+{
+       char *filename = NULL, *product = NULL;
+       bool security = FALSE;
+
+       /* reinit getopt state */
+       optind = 0;
+
+       while (TRUE)
+       {
+               int c;
+
+               struct option long_opts[] = {
+                       { "help", no_argument, NULL, 'h' },
+                       { "debug", required_argument, NULL, 'd' },
+                       { "file", required_argument, NULL, 'f' },
+                       { "product", required_argument, NULL, 'p' },
+                       { "quiet", no_argument, NULL, 'q' },
+                       { "security", no_argument, NULL, 's' },
+                       { 0,0,0,0 }
+               };
+
+               c = getopt_long(argc, argv, "", long_opts, NULL);
+               switch (c)
+               {
+                       case EOF:
+                               break;
+                       case 'h':
+                               usage();
+                               exit(EXIT_SUCCESS);
+                       case 'd':
+                               debug_level = atoi(optarg);
+                               continue;
+                       case 'f':
+                               filename = optarg;
+                               continue;
+                       case 'p':
+                               product = optarg;
+                               continue;
+                       case 'q':
+                               stderr_quiet = TRUE;
+                               continue;
+                       case 's':
+                               security = TRUE;
+                               continue;
+               }
+               break;
+       }
+
+       if (filename && product)
+       {
+               process_packages(filename, product, security);
+       }
+       else
+       {
+               usage();
+               exit(EXIT_FAILURE);
+       }
+}
+
+int main(int argc, char *argv[])
+{
+       /* enable attest debugging hook */
+       dbg = sec_updater_dbg;
+       openlog("sec-updater", 0, LOG_DEBUG);
+
+       atexit(cleanup);
+
+       /* initialize library */
+       if (!library_init(NULL, "sec-updater"))
+       {
+               exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
+       }
+       if (!lib->plugins->load(lib->plugins,
+                       lib->settings->get_str(lib->settings, "sec-updater.load", "sqlite")))
+       {
+               exit(SS_RC_INITIALIZATION_FAILED);
+       }
+       do_args(argc, argv);
+
+       exit(EXIT_SUCCESS);
+}
+
diff --git a/src/sec-updater/sec-updater.sh b/src/sec-updater/sec-updater.sh
new file mode 100755 (executable)
index 0000000..1f4b694
--- /dev/null
@@ -0,0 +1,69 @@
+#!/bin/sh
+
+DIR="/etc/pts"
+DATE=`date +%Y%m%d-%H%M`
+UBUNTU="http://security.ubuntu.com/ubuntu/dists"
+UBUNTU_VERSIONS="xenial"
+UBUNTU_DIRS="main multiverse restricted universe"
+UBUNTU_ARCH="binary-amd64"
+DEBIAN="http://security.debian.org/dists"
+DEBIAN_VERSIONS="jessie"
+DEBIAN_DIRS="main contrib non-free"
+DEBIAN_ARCH="binary-amd64"
+CMD=/usr/sbin/sec-updater
+CMD_LOG="$DIR/$DATE-sec-update.log"
+
+mkdir -p $DIR/dists
+cd $DIR/dists
+
+# Download Ubuntu distribution information
+
+for v in $UBUNTU_VERSIONS
+do
+  for a in $UBUNTU_ARCH
+  do
+    mkdir -p $v-security/$a $v-updates/$a
+    for d in $UBUNTU_DIRS
+    do
+      wget $UBUNTU/$v-security/$d/$a/Packages.xz -O $v-security/$a/Packages-$d.xz
+      unxz -f $v-security/$a/Packages-$d.xz
+      wget $UBUNTU/$v-updates/$d/$a/Packages.xz  -O $v-updates/$a/Packages-$d.xz
+      unxz -f $v-updates/$a/Packages-$d.xz
+       done
+  done
+done
+
+# Download Debian distribution information
+
+for v in $DEBIAN_VERSIONS
+do
+  for a in $DEBIAN_ARCH
+  do
+    mkdir -p $v-updates/$a
+    for d in $DEBIAN_DIRS
+    do
+      wget $DEBIAN/$v/updates/$d/$a/Packages.bz2  -O $v-updates/$a/Packages-$d.bz2
+      bunzip2 -f $v-updates/$a/Packages-$d.bz2
+       done
+  done
+done
+
+# Run sec-updater in distribution information
+
+for f in xenial-security/binary-amd64/*
+do
+  echo "security: $f"
+  $CMD --product "Ubuntu 16.04 x86_64" --file $f --security >> $CMD_LOG 2>&1
+done
+echo
+for f in xenial-updates/binary-amd64/*
+do
+  echo "updates: $f"
+  $CMD --product "Ubuntu 16.04 x86_64" --file $f >> $CMD_LOG 2>&1
+done
+echo
+for f in jessie-updates/binary-amd64/*
+do
+  echo "security: $f"
+  $CMD --product "Debian 8.0 x86_64" --file $f --security >> $CMD_LOG 2>&1
+done