diff options
Diffstat (limited to 'src/libimcv')
44 files changed, 360 insertions, 932 deletions
diff --git a/src/libimcv/Android.mk b/src/libimcv/Android.mk index 4df3dcb64..9f3172074 100644 --- a/src/libimcv/Android.mk +++ b/src/libimcv/Android.mk @@ -79,6 +79,8 @@ libimcv_la_SOURCES := \ swid/swid_inventory.h swid/swid_inventory.c \ swid/swid_tag.h swid/swid_tag.c \ swid/swid_tag_id.h swid/swid_tag_id.c \ + swid_gen/swid_gen.h swid_gen/swid_gen.c \ + swid_gen/swid_gen_info.h swid_gen/swid_gen_info.c \ swima/swima_data_model.h swima/swima_data_model.c \ swima/swima_record.h swima/swima_record.c \ swima/swima_event.h swima/swima_event.c \ diff --git a/src/libimcv/Makefile.in b/src/libimcv/Makefile.in index 246ffe29d..ef2c9c35b 100644 --- a/src/libimcv/Makefile.in +++ b/src/libimcv/Makefile.in @@ -440,9 +440,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/ietf/ietf_attr.c b/src/libimcv/ietf/ietf_attr.c index 9e3e83d4d..44e0ef24f 100644 --- a/src/libimcv/ietf/ietf_attr.c +++ b/src/libimcv/ietf/ietf_attr.c @@ -47,10 +47,10 @@ ENUM_BEGIN(ietf_attr_names, IETF_ATTR_TESTING, "Forwarding Enabled", "Factory Default Password Enabled", ); -ENUM_NEXT(ietf_attr_names, IETF_ATTR_SW_REQUEST, +ENUM_NEXT(ietf_attr_names, IETF_ATTR_SWIMA_REQUEST, IETF_ATTR_SRC_METADATA_RESP, IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED, - "SW Request", + "SWIMA Request", "SW Identifier Inventory", "SW Identifier Events", "SW Inventory", @@ -97,7 +97,7 @@ pa_tnc_attr_t* ietf_attr_create_from_data(uint32_t type, size_t length, case IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED: return generic_attr_bool_create_from_data(length, value, pen_type_create(PEN_IETF, type)); - case IETF_ATTR_SW_REQUEST: + case IETF_ATTR_SWIMA_REQUEST: return ietf_swima_attr_req_create_from_data(length, value); case IETF_ATTR_SW_ID_INVENTORY: return ietf_swima_attr_sw_inv_create_from_data(length, value, TRUE); diff --git a/src/libimcv/ietf/ietf_attr.h b/src/libimcv/ietf/ietf_attr.h index d2ea98201..cbf4a49a2 100644 --- a/src/libimcv/ietf/ietf_attr.h +++ b/src/libimcv/ietf/ietf_attr.h @@ -48,7 +48,7 @@ enum ietf_attr_t { IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED = 12, /* draft-ietf-sacm-nea-swid-patnc */ - IETF_ATTR_SW_REQUEST = 17, + IETF_ATTR_SWIMA_REQUEST = 17, IETF_ATTR_SW_ID_INVENTORY = 18, IETF_ATTR_SW_ID_EVENTS = 19, IETF_ATTR_SW_INVENTORY = 20, diff --git a/src/libimcv/ietf/ietf_attr_pa_tnc_error.c b/src/libimcv/ietf/ietf_attr_pa_tnc_error.c index 966c095e2..75f279298 100644 --- a/src/libimcv/ietf/ietf_attr_pa_tnc_error.c +++ b/src/libimcv/ietf/ietf_attr_pa_tnc_error.c @@ -27,16 +27,16 @@ ENUM_BEGIN(pa_tnc_error_code_names, PA_ERROR_RESERVED, "Version Not Supported", "Attribute Type Not Supported" ); -ENUM_NEXT(pa_tnc_error_code_names, PA_ERROR_SW, - PA_ERROR_SW_SUBSCRIPTION_ID_REUSE, +ENUM_NEXT(pa_tnc_error_code_names, PA_ERROR_SWIMA, + PA_ERROR_SWIMA_SUBSCRIPTION_ID_REUSE, PA_ERROR_ATTR_TYPE_NOT_SUPPORTED, - "SW Error", - "SW Subscription Denied", - "SW Response Too Large", - "SW Subscription Fulfillment Error", - "SW Subscription ID Reuse" + "SWIMA Error", + "SWIMA Subscription Denied", + "SWIMA Response Too Large", + "SWIMA Subscription Fulfillment Error", + "SWIMA Subscription ID Reuse" ); -ENUM_END(pa_tnc_error_code_names, PA_ERROR_SW_SUBSCRIPTION_ID_REUSE); +ENUM_END(pa_tnc_error_code_names, PA_ERROR_SWIMA_SUBSCRIPTION_ID_REUSE); typedef struct private_ietf_attr_pa_tnc_error_t private_ietf_attr_pa_tnc_error_t; diff --git a/src/libimcv/ietf/ietf_attr_pa_tnc_error.h b/src/libimcv/ietf/ietf_attr_pa_tnc_error.h index 7dbc33828..dd0be72ff 100644 --- a/src/libimcv/ietf/ietf_attr_pa_tnc_error.h +++ b/src/libimcv/ietf/ietf_attr_pa_tnc_error.h @@ -33,18 +33,18 @@ typedef enum pa_tnc_error_code_t pa_tnc_error_code_t; enum pa_tnc_error_code_t { /* RFC 5792 PA-TNC */ - PA_ERROR_RESERVED = 0, - PA_ERROR_INVALID_PARAMETER = 1, - PA_ERROR_VERSION_NOT_SUPPORTED = 2, - PA_ERROR_ATTR_TYPE_NOT_SUPPORTED = 3, - PA_ERROR_PA_TNC_MSG_ROOF = 3, + PA_ERROR_RESERVED = 0, + PA_ERROR_INVALID_PARAMETER = 1, + PA_ERROR_VERSION_NOT_SUPPORTED = 2, + PA_ERROR_ATTR_TYPE_NOT_SUPPORTED = 3, + PA_ERROR_PA_TNC_MSG_ROOF = 3, /* draft-ietf-sacm-nea-swid-patnc (SWIMA) */ - PA_ERROR_SW = 32, - PA_ERROR_SW_SUBSCRIPTION_DENIED = 33, - PA_ERROR_SW_RESPONSE_TOO_LARGE = 34, - PA_ERROR_SW_SUBSCRIPTION_FULFILLMENT = 35, - PA_ERROR_SW_SUBSCRIPTION_ID_REUSE = 36 + PA_ERROR_SWIMA = 32, + PA_ERROR_SWIMA_SUBSCRIPTION_DENIED = 33, + PA_ERROR_SWIMA_RESPONSE_TOO_LARGE = 34, + PA_ERROR_SWIMA_SUBSCRIPTION_FULFILLMENT = 35, + PA_ERROR_SWIMA_SUBSCRIPTION_ID_REUSE = 36 }; /** diff --git a/src/libimcv/ietf/swima/ietf_swima_attr_req.c b/src/libimcv/ietf/swima/ietf_swima_attr_req.c index 07d0b0c5f..d67497373 100644 --- a/src/libimcv/ietf/swima/ietf_swima_attr_req.c +++ b/src/libimcv/ietf/swima/ietf_swima_attr_req.c @@ -274,7 +274,7 @@ pa_tnc_attr_t *ietf_swima_attr_req_create(uint8_t flags, uint32_t request_id) .set_targets = _set_targets, .get_targets = _get_targets, }, - .type = { PEN_IETF, IETF_ATTR_SW_REQUEST }, + .type = { PEN_IETF, IETF_ATTR_SWIMA_REQUEST }, .flags = flags & SW_REQ_RESERVED_MASK, .request_id = request_id, .targets = swima_inventory_create(), @@ -309,7 +309,7 @@ pa_tnc_attr_t *ietf_swima_attr_req_create_from_data(size_t length, chunk_t data) .set_targets = _set_targets, .get_targets = _get_targets, }, - .type = { PEN_IETF, IETF_ATTR_SW_REQUEST }, + .type = { PEN_IETF, IETF_ATTR_SWIMA_REQUEST }, .length = length, .value = chunk_clone(data), .targets = swima_inventory_create(), diff --git a/src/libimcv/imv/data.sql b/src/libimcv/imv/data.sql index a872499d2..40a0f5eeb 100644 --- a/src/libimcv/imv/data.sql +++ b/src/libimcv/imv/data.sql @@ -484,30 +484,66 @@ INSERT INTO products ( /* 81 */ 'Android 6.0.1' ); -INSERT INTO products ( /* 82 */ +INSERT INTO products ( /* 82 */ name ) VALUES ( 'Debian 8.5 i686' ); -INSERT INTO products ( /* 83 */ +INSERT INTO products ( /* 83 */ name ) VALUES ( 'Debian 8.5 x86_64' ); -INSERT INTO products ( /* 84 */ +INSERT INTO products ( /* 84 */ name ) VALUES ( 'Debian 8.6 i686' ); -INSERT INTO products ( /* 85 */ +INSERT INTO products ( /* 85 */ name ) VALUES ( 'Debian 8.6 x86_64' ); +INSERT INTO products ( /* 86 */ + name +) VALUES ( + 'Debian 8.7 i686' +); + +INSERT INTO products ( /* 87 */ + name +) VALUES ( + 'Debian 8.7 x86_64' +); + +INSERT INTO products ( /* 88 */ + name +) VALUES ( + 'Debian 8.8 i686' +); + +INSERT INTO products ( /* 89 */ + name +) VALUES ( + 'Debian 8.8 x86_64' +); + +INSERT INTO products ( /* 90 */ + name +) VALUES ( + 'Debian 8.9 i686' +); + +INSERT INTO products ( /* 91 */ + name +) VALUES ( + 'Debian 8.9 x86_64' +); + /* Directories */ INSERT INTO directories ( /* 1 */ @@ -1039,6 +1075,36 @@ INSERT INTO groups_product_defaults ( INSERT INTO groups_product_defaults ( group_id, product_id ) VALUES ( + 4, 82 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 4, 84 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 4, 86 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 4, 88 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 4, 90 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( 5, 2 ); @@ -1129,6 +1195,24 @@ INSERT INTO groups_product_defaults ( INSERT INTO groups_product_defaults ( group_id, product_id ) VALUES ( + 5, 87 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 5, 89 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 5, 91 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( 6, 9 ); diff --git a/src/libimcv/imv/imv_agent.c b/src/libimcv/imv/imv_agent.c index e96faa77e..bb0b3b75b 100644 --- a/src/libimcv/imv/imv_agent.c +++ b/src/libimcv/imv/imv_agent.c @@ -685,9 +685,9 @@ METHOD(imv_agent_t, create_language_enumerator, enumerator_t*, ); if (!this->get_attribute || - !this->get_attribute(this->id, state->get_connection_id(state), + this->get_attribute(this->id, state->get_connection_id(state), TNC_ATTRIBUTEID_PREFERRED_LANGUAGE, BUF_LEN, - e->lang_buf, &e->lang_len) == TNC_RESULT_SUCCESS || + e->lang_buf, &e->lang_len) != TNC_RESULT_SUCCESS || e->lang_len >= BUF_LEN) { e->lang_len = 0; diff --git a/src/libimcv/imv/tables.sql b/src/libimcv/imv/tables.sql index 8bde8898f..b50c6ed12 100644 --- a/src/libimcv/imv/tables.sql +++ b/src/libimcv/imv/tables.sql @@ -253,24 +253,30 @@ CREATE INDEX "swid_entityroles_entity_id" ON "swid_entityroles" ( DROP TABLE IF EXISTS "swid_tags"; CREATE TABLE "swid_tags" ( "id" INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + "version_id" INTEGER REFERENCES "versions" ("id"), "package_name" VARCHAR(255) NOT NULL, - "version" VARCHAR(255) NOT NULL, + "version_str" VARCHAR(255) NOT NULL, "unique_id" VARCHAR(255) NOT NULL, "swid_xml" TEXT NOT NULL, "software_id" VARCHAR(255) NOT NULL ); +DROP INDEX IF EXISTS "swid_tags_software_id"; DROP INDEX if EXISTS "swid_tags_unique_id"; +DROP INDEX IF EXISTS "swid_tags_version"; DROP INDEX IF EXISTS "swid_tags_package_name"; -DROP INDEX IF EXISTS "swid_tags_software_id"; + +CREATE INDEX "swid_tags_software_id" ON "swid_tags" ( + "software_id" +); CREATE INDEX "swid_tags_unique_id" ON "swid_tags" ( "unique_id" ); +CREATE INDEX "swid_tags_version_id" ON "swid_tags" ( + "version_id" +); CREATE INDEX "swid_tags_package_name" ON "swid_tags" ( "package_name" ); -CREATE INDEX "swid_tags_software_id" ON "swid_tags" ( - "software_id" -); DROP TABLE IF EXISTS "swid_tags_files"; CREATE TABLE "swid_tags_files" ( diff --git a/src/libimcv/plugins/imc_attestation/Makefile.in b/src/libimcv/plugins/imc_attestation/Makefile.in index 1600d4d2f..bc079ff12 100644 --- a/src/libimcv/plugins/imc_attestation/Makefile.in +++ b/src/libimcv/plugins/imc_attestation/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imc_hcd/Makefile.in b/src/libimcv/plugins/imc_hcd/Makefile.in index b12499d82..1b71b26d0 100644 --- a/src/libimcv/plugins/imc_hcd/Makefile.in +++ b/src/libimcv/plugins/imc_hcd/Makefile.in @@ -242,9 +242,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imc_os/Makefile.in b/src/libimcv/plugins/imc_os/Makefile.in index 14c6e02a0..e62c04bea 100644 --- a/src/libimcv/plugins/imc_os/Makefile.in +++ b/src/libimcv/plugins/imc_os/Makefile.in @@ -242,9 +242,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imc_scanner/Makefile.in b/src/libimcv/plugins/imc_scanner/Makefile.in index 664ffdff6..a054a475b 100644 --- a/src/libimcv/plugins/imc_scanner/Makefile.in +++ b/src/libimcv/plugins/imc_scanner/Makefile.in @@ -243,9 +243,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imc_swid/Makefile.in b/src/libimcv/plugins/imc_swid/Makefile.in index b6a77dda4..f58935f2e 100644 --- a/src/libimcv/plugins/imc_swid/Makefile.in +++ b/src/libimcv/plugins/imc_swid/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imc_swid/strongswan.org__strongSwan-5-6-0.swidtag b/src/libimcv/plugins/imc_swid/strongswan.org__strongSwan-5-6-1.swidtag index 644c0989c..f10740d60 100644 --- a/src/libimcv/plugins/imc_swid/strongswan.org__strongSwan-5-6-0.swidtag +++ b/src/libimcv/plugins/imc_swid/strongswan.org__strongSwan-5-6-1.swidtag @@ -1,8 +1,8 @@ <?xml version="1.0" encoding="utf-8"?> <SoftwareIdentity name="strongSwan" - tagId="strongSwan-5-6-0" - version="5.6.0" versionScheme="alphanumeric" + tagId="strongSwan-5-6-1" + version="5.6.1" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"> <Entity name="strongSwan Project" diff --git a/src/libimcv/plugins/imc_swima/Makefile.in b/src/libimcv/plugins/imc_swima/Makefile.in index ae1d024af..ed2191921 100644 --- a/src/libimcv/plugins/imc_swima/Makefile.in +++ b/src/libimcv/plugins/imc_swima/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imc_swima/imc_swima.c b/src/libimcv/plugins/imc_swima/imc_swima.c index e120cf7fc..67080e050 100644 --- a/src/libimcv/plugins/imc_swima/imc_swima.c +++ b/src/libimcv/plugins/imc_swima/imc_swima.c @@ -35,7 +35,7 @@ static const char imc_name[] = "SWIMA"; static pen_type_t msg_types[] = { - { PEN_IETF, PA_SUBTYPE_IETF_SW } + { PEN_IETF, PA_SUBTYPE_IETF_SWIMA } }; static imc_agent_t *imc_swima; @@ -180,7 +180,7 @@ static void fulfill_request(imc_state_t *state, imc_msg_t *msg, { snprintf(error_msg, msg_len, "failed to collect SW%s events, " "fallback to SW%s inventory", id_str, id_str); - attr = swima_error_create(PA_ERROR_SW, request_id, 0, error_msg); + attr = swima_error_create(PA_ERROR_SWIMA, request_id, 0, error_msg); msg->add_attribute(msg, attr); } else { @@ -207,7 +207,7 @@ static void fulfill_request(imc_state_t *state, imc_msg_t *msg, { snprintf(error_msg, msg_len, "failed to collect SW%s inventory", id_str); - attr = swima_error_create(PA_ERROR_SW, request_id, 0, error_msg); + attr = swima_error_create(PA_ERROR_SWIMA, request_id, 0, error_msg); } else { @@ -258,7 +258,7 @@ static TNC_Result receive_message(imc_state_t *state, imc_msg_t *in_msg) type = attr->get_type(attr); - if (type.vendor_id != PEN_IETF || type.type != IETF_ATTR_SW_REQUEST) + if (type.vendor_id != PEN_IETF || type.type != IETF_ATTR_SWIMA_REQUEST) { continue; } @@ -270,7 +270,7 @@ static TNC_Result receive_message(imc_state_t *state, imc_msg_t *in_msg) if (flags & (IETF_SWIMA_ATTR_REQ_FLAG_S | IETF_SWIMA_ATTR_REQ_FLAG_C)) { - attr = swima_error_create(PA_ERROR_SW_SUBSCRIPTION_DENIED, + attr = swima_error_create(PA_ERROR_SWIMA_SUBSCRIPTION_DENIED, request_id, 0, "no subscription available yet"); out_msg->add_attribute(out_msg, attr); break; diff --git a/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-6-0.swidtag b/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-6-1.swidtag index 644c0989c..f10740d60 100644 --- a/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-6-0.swidtag +++ b/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-6-1.swidtag @@ -1,8 +1,8 @@ <?xml version="1.0" encoding="utf-8"?> <SoftwareIdentity name="strongSwan" - tagId="strongSwan-5-6-0" - version="5.6.0" versionScheme="alphanumeric" + tagId="strongSwan-5-6-1" + version="5.6.1" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"> <Entity name="strongSwan Project" diff --git a/src/libimcv/plugins/imc_test/Makefile.in b/src/libimcv/plugins/imc_test/Makefile.in index a002f0baf..fc6d2f6fb 100644 --- a/src/libimcv/plugins/imc_test/Makefile.in +++ b/src/libimcv/plugins/imc_test/Makefile.in @@ -242,9 +242,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imv_attestation/Makefile.in b/src/libimcv/plugins/imv_attestation/Makefile.in index 3872b9a57..f9eb9d6ed 100644 --- a/src/libimcv/plugins/imv_attestation/Makefile.in +++ b/src/libimcv/plugins/imv_attestation/Makefile.in @@ -256,9 +256,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_process.c b/src/libimcv/plugins/imv_attestation/imv_attestation_process.c index b1ee16bf8..60a9edc0f 100644 --- a/src/libimcv/plugins/imv_attestation/imv_attestation_process.c +++ b/src/libimcv/plugins/imv_attestation/imv_attestation_process.c @@ -318,15 +318,24 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg, enumerator_t *e; char *filename; chunk_t measurement; + int vid; + + if (!pts_db->get_product_version(pts_db, + pts->get_platform_id(pts), &vid)) + { + eval = TNC_IMV_EVALUATION_RESULT_ERROR; + break; + } e = measurements->create_enumerator(measurements); while (e->enumerate(e, &filename, &measurement)) { - if (pts_db->add_file_measurement(pts_db, - pts->get_platform_id(pts), algo, measurement, - filename, is_dir, arg_int) != SUCCESS) + if (!pts_db->add_file_measurement(pts_db, vid, algo, + measurement, filename, is_dir, arg_int)) { eval = TNC_IMV_EVALUATION_RESULT_ERROR; + e->destroy(e); + break; } } e->destroy(e); diff --git a/src/libimcv/plugins/imv_hcd/Makefile.in b/src/libimcv/plugins/imv_hcd/Makefile.in index fda666b06..99bf6d916 100644 --- a/src/libimcv/plugins/imv_hcd/Makefile.in +++ b/src/libimcv/plugins/imv_hcd/Makefile.in @@ -242,9 +242,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imv_os/Makefile.am b/src/libimcv/plugins/imv_os/Makefile.am index f5bc9010c..50a87d877 100644 --- a/src/libimcv/plugins/imv_os/Makefile.am +++ b/src/libimcv/plugins/imv_os/Makefile.am @@ -18,12 +18,3 @@ imv_os_la_SOURCES = \ imv_os_database.c imv_os_database.h imv_os_la_LDFLAGS = -module -avoid-version -no-undefined - -if !USE_WINDOWS -ipsec_PROGRAMS = pacman -pacman_SOURCES = pacman.c -pacman_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -pacman.o : $(top_builddir)/config.status - -EXTRA_DIST = pacman.sh -endif diff --git a/src/libimcv/plugins/imv_os/Makefile.in b/src/libimcv/plugins/imv_os/Makefile.in index a8d80b3f8..d5a6f07f1 100644 --- a/src/libimcv/plugins/imv_os/Makefile.in +++ b/src/libimcv/plugins/imv_os/Makefile.in @@ -14,7 +14,6 @@ @SET_MAKE@ - VPATH = @srcdir@ am__is_gnu_make = { \ if test -z '$(MAKELEVEL)'; then \ @@ -89,7 +88,6 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -@USE_WINDOWS_FALSE@ipsec_PROGRAMS = pacman$(EXEEXT) subdir = src/libimcv/plugins/imv_os ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ @@ -136,7 +134,7 @@ am__uninstall_files_from_dir = { \ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ $(am__cd) "$$dir" && rm -f $$files; }; \ } -am__installdirs = "$(DESTDIR)$(imcvdir)" "$(DESTDIR)$(ipsecdir)" +am__installdirs = "$(DESTDIR)$(imcvdir)" LTLIBRARIES = $(imcv_LTLIBRARIES) imv_os_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \ $(top_builddir)/src/libstrongswan/libstrongswan.la @@ -150,11 +148,6 @@ am__v_lt_1 = imv_os_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(imv_os_la_LDFLAGS) $(LDFLAGS) -o $@ -PROGRAMS = $(ipsec_PROGRAMS) -am__pacman_SOURCES_DIST = pacman.c -@USE_WINDOWS_FALSE@am_pacman_OBJECTS = pacman.$(OBJEXT) -pacman_OBJECTS = $(am_pacman_OBJECTS) -@USE_WINDOWS_FALSE@pacman_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -189,8 +182,8 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = $(imv_os_la_SOURCES) $(pacman_SOURCES) -DIST_SOURCES = $(imv_os_la_SOURCES) $(am__pacman_SOURCES_DIST) +SOURCES = $(imv_os_la_SOURCES) +DIST_SOURCES = $(imv_os_la_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -250,9 +243,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ @@ -472,9 +467,6 @@ imv_os_la_SOURCES = \ imv_os_database.c imv_os_database.h imv_os_la_LDFLAGS = -module -avoid-version -no-undefined -@USE_WINDOWS_FALSE@pacman_SOURCES = pacman.c -@USE_WINDOWS_FALSE@pacman_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -@USE_WINDOWS_FALSE@EXTRA_DIST = pacman.sh all: all-am .SUFFIXES: @@ -546,59 +538,6 @@ clean-imcvLTLIBRARIES: imv-os.la: $(imv_os_la_OBJECTS) $(imv_os_la_DEPENDENCIES) $(EXTRA_imv_os_la_DEPENDENCIES) $(AM_V_CCLD)$(imv_os_la_LINK) -rpath $(imcvdir) $(imv_os_la_OBJECTS) $(imv_os_la_LIBADD) $(LIBS) -install-ipsecPROGRAMS: $(ipsec_PROGRAMS) - @$(NORMAL_INSTALL) - @list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \ - if test -n "$$list"; then \ - echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \ - $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \ - fi; \ - for p in $$list; do echo "$$p $$p"; done | \ - sed 's/$(EXEEXT)$$//' | \ - while read p p1; do if test -f $$p \ - || test -f $$p1 \ - ; then echo "$$p"; echo "$$p"; else :; fi; \ - done | \ - sed -e 'p;s,.*/,,;n;h' \ - -e 's|.*|.|' \ - -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ - sed 'N;N;N;s,\n, ,g' | \ - $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ - { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ - if ($$2 == $$4) files[d] = files[d] " " $$1; \ - else { print "f", $$3 "/" $$4, $$1; } } \ - END { for (d in files) print "f", d, files[d] }' | \ - while read type dir files; do \ - if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ - test -z "$$files" || { \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \ - } \ - ; done - -uninstall-ipsecPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \ - files=`for p in $$list; do echo "$$p"; done | \ - sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ - -e 's/$$/$(EXEEXT)/' \ - `; \ - test -n "$$list" || exit 0; \ - echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \ - cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files - -clean-ipsecPROGRAMS: - @list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \ - echo " rm -f" $$list; \ - rm -f $$list || exit $$?; \ - test -n "$(EXEEXT)" || exit 0; \ - list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f" $$list; \ - rm -f $$list - -pacman$(EXEEXT): $(pacman_OBJECTS) $(pacman_DEPENDENCIES) $(EXTRA_pacman_DEPENDENCIES) - @rm -f pacman$(EXEEXT) - $(AM_V_CCLD)$(LINK) $(pacman_OBJECTS) $(pacman_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -610,7 +549,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_os_agent.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_os_database.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_os_state.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pacman.Po@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ @@ -726,9 +664,9 @@ distdir: $(DISTFILES) done check-am: all-am check: check-am -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) +all-am: Makefile $(LTLIBRARIES) installdirs: - for dir in "$(DESTDIR)$(imcvdir)" "$(DESTDIR)$(ipsecdir)"; do \ + for dir in "$(DESTDIR)$(imcvdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am @@ -763,8 +701,8 @@ maintainer-clean-generic: @echo "it deletes files that may require special tools to rebuild." clean: clean-am -clean-am: clean-generic clean-imcvLTLIBRARIES clean-ipsecPROGRAMS \ - clean-libtool mostlyclean-am +clean-am: clean-generic clean-imcvLTLIBRARIES clean-libtool \ + mostlyclean-am distclean: distclean-am -rm -rf ./$(DEPDIR) @@ -784,7 +722,7 @@ info: info-am info-am: -install-data-am: install-imcvLTLIBRARIES install-ipsecPROGRAMS +install-data-am: install-imcvLTLIBRARIES install-dvi: install-dvi-am @@ -830,29 +768,27 @@ ps: ps-am ps-am: -uninstall-am: uninstall-imcvLTLIBRARIES uninstall-ipsecPROGRAMS +uninstall-am: uninstall-imcvLTLIBRARIES .MAKE: install-am install-strip .PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ - clean-imcvLTLIBRARIES clean-ipsecPROGRAMS clean-libtool \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ + clean-imcvLTLIBRARIES clean-libtool cscopelist-am ctags \ + ctags-am distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am \ install-imcvLTLIBRARIES install-info install-info-am \ - install-ipsecPROGRAMS install-man install-pdf install-pdf-am \ - install-ps install-ps-am install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags tags-am uninstall uninstall-am uninstall-imcvLTLIBRARIES \ - uninstall-ipsecPROGRAMS + install-man install-pdf install-pdf-am install-ps \ + install-ps-am install-strip installcheck installcheck-am \ + installdirs maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ + uninstall-am uninstall-imcvLTLIBRARIES .PRECIOUS: Makefile -@USE_WINDOWS_FALSE@pacman.o : $(top_builddir)/config.status # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libimcv/plugins/imv_os/imv_os_agent.c b/src/libimcv/plugins/imv_os/imv_os_agent.c index 4bf6c7e21..3fa3d0965 100644 --- a/src/libimcv/plugins/imv_os/imv_os_agent.c +++ b/src/libimcv/plugins/imv_os/imv_os_agent.c @@ -705,8 +705,7 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result, eval = fail ? TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR : TNC_IMV_EVALUATION_RESULT_COMPLIANT; snprintf(result_str, BUF_LEN, "processed %d packages: " - "%d not updated, %d blacklisted, %d ok, " - "%d unknown", + "%d vulnerable, %d blacklisted, %d ok, %d unknown", count, count_update, count_blacklist, count_ok, count - count_update - count_blacklist - count_ok); break; diff --git a/src/libimcv/plugins/imv_os/imv_os_database.c b/src/libimcv/plugins/imv_os/imv_os_database.c index 31b889b74..049c844bc 100644 --- a/src/libimcv/plugins/imv_os/imv_os_database.c +++ b/src/libimcv/plugins/imv_os/imv_os_database.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2014 Andreas Steffen + * Copyright (C) 2012-2017 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -51,7 +51,7 @@ METHOD(imv_os_database_t, check_packages, status_t, char *product, *package, *release, *cur_release; chunk_t name, version; int pid, gid, security, blacklist; - int count = 0, count_ok = 0, count_no_match = 0, count_blacklist = 0; + int count = 0, count_ok = 0, count_security = 0, count_blacklist = 0; enumerator_t *e; status_t status = SUCCESS; bool found, match; @@ -103,11 +103,8 @@ METHOD(imv_os_database_t, check_packages, status_t, if (!e->enumerate(e, &gid)) { /* package not present in database for any product - skip */ - if (os_type == OS_TYPE_ANDROID) - { - DBG2(DBG_IMV, "package '%s' (%.*s) not found", - package, version.len, version.ptr); - } + DBG2(DBG_IMV, "package '%s' (%.*s) not found", + package, version.len, version.ptr); free(package); e->destroy(e); continue; @@ -148,36 +145,41 @@ METHOD(imv_os_database_t, check_packages, status_t, { if (blacklist) { - DBG2(DBG_IMV, "package '%s' (%s) is blacklisted", + DBG1(DBG_IMV, "package '%s' (%s) is blacklisted", package, release); count_blacklist++; os_state->add_bad_package(os_state, package, OS_PACKAGE_STATE_BLACKLIST); } + else if (security) + { + DBG1(DBG_IMV, "package '%s' (%s) is vulnerable", + package, release); + os_state->add_bad_package(os_state, package, + OS_PACKAGE_STATE_SECURITY); + count_security++; + } else { - DBG2(DBG_IMV, "package '%s' (%s)%s is ok", package, release, - security ? " [s]" : ""); + DBG2(DBG_IMV, "package '%s' (%s) is ok", + package, release); count_ok++; } } else { DBG1(DBG_IMV, "package '%s' (%s) no match", package, release); - count_no_match++; - os_state->add_bad_package(os_state, package, - OS_PACKAGE_STATE_SECURITY); } } else { - /* package not present in database for this product - skip */ + DBG2(DBG_IMV, "package '%s' (%s) unknown", package, release); } free(package); free(release); } - os_state->set_count(os_state, count, count_no_match, - count_blacklist, count_ok); + os_state->set_count(os_state, count, count_security, count_blacklist, + count_ok); return status; } diff --git a/src/libimcv/plugins/imv_os/imv_os_state.c b/src/libimcv/plugins/imv_os/imv_os_state.c index ac826a77c..af5daf0fc 100644 --- a/src/libimcv/plugins/imv_os/imv_os_state.c +++ b/src/libimcv/plugins/imv_os/imv_os_state.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2014 Andreas Steffen + * Copyright (C) 2012-2017 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -121,9 +121,9 @@ struct private_imv_os_state_t { int count; /** - * Number of not updated packages + * Number of vulnerable packages */ - int count_update; + int count_security; /** * Number of blacklisted packages @@ -372,7 +372,7 @@ METHOD(imv_state_t, get_reason_string, bool, private_imv_os_state_t *this, enumerator_t *language_enumerator, chunk_t *reason_string, char **reason_language) { - if (!this->count_update && !this->count_blacklist & !this->os_settings) + if (!this->count_security && !this->count_blacklist & !this->os_settings) { return FALSE; } @@ -383,7 +383,7 @@ METHOD(imv_state_t, get_reason_string, bool, DESTROY_IF(this->reason_string); this->reason_string = imv_reason_string_create(*reason_language, "\n"); - if (this->count_update || this->count_blacklist) + if (this->count_security || this->count_blacklist) { this->reason_string->add_reason(this->reason_string, reason_packages); } @@ -403,7 +403,7 @@ METHOD(imv_state_t, get_remediation_instructions, bool, imv_os_info_t *os_info; bool as_xml = FALSE; - if (!this->count_update && !this->count_blacklist & !this->os_settings) + if (!this->count_security && !this->count_blacklist & !this->os_settings) { return FALSE; } @@ -430,7 +430,7 @@ METHOD(imv_state_t, get_remediation_instructions, bool, } /* List of packages in need of an update, if any */ - if (this->count_update) + if (this->count_security) { this->remediation_string->add_instruction(this->remediation_string, instr_update_packages_title, @@ -492,26 +492,26 @@ METHOD(imv_os_state_t, get_handshake_state, imv_os_handshake_state_t, METHOD(imv_os_state_t, set_count, void, - private_imv_os_state_t *this, int count, int count_update, + private_imv_os_state_t *this, int count, int count_security, int count_blacklist, int count_ok) { this->count += count; - this->count_update += count_update; + this->count_security += count_security; this->count_blacklist += count_blacklist; this->count_ok += count_ok; } METHOD(imv_os_state_t, get_count, void, - private_imv_os_state_t *this, int *count, int *count_update, + private_imv_os_state_t *this, int *count, int *count_security, int *count_blacklist, int *count_ok) { if (count) { *count = this->count; } - if (count_update) + if (count_security) { - *count_update = this->count_update; + *count_security = this->count_security; } if (count_blacklist) { diff --git a/src/libimcv/plugins/imv_os/imv_os_state.h b/src/libimcv/plugins/imv_os/imv_os_state.h index aa9b64076..d73a47412 100644 --- a/src/libimcv/plugins/imv_os/imv_os_state.h +++ b/src/libimcv/plugins/imv_os/imv_os_state.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2014 Andreas Steffen + * Copyright (C) 2012-2017 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -81,22 +81,22 @@ struct imv_os_state_t { * Set [or with multiple attributes increment] package counters * * @param count Number of processed packages - * @param count_update Number of not updated packages + * @param count_security Number of vulnerable packages * @param count_blacklist Number of blacklisted packages * @param count_ok Number of whitelisted packages */ - void (*set_count)(imv_os_state_t *this, int count, int count_update, + void (*set_count)(imv_os_state_t *this, int count, int count_security, int count_blacklist, int count_ok); /** * Set [or with multiple attributes increment] package counters * * @param count Number of processed packages - * @param count_update Number of not updated packages + * @param count_security Number of vulnerable packages * @param count_blacklist Number of blacklisted packages * @param count_ok Number of whitelisted packages */ - void (*get_count)(imv_os_state_t *this, int *count, int *count_update, + void (*get_count)(imv_os_state_t *this, int *count, int *count_security, int *count_blacklist, int *count_ok); /** diff --git a/src/libimcv/plugins/imv_os/pacman.c b/src/libimcv/plugins/imv_os/pacman.c deleted file mode 100644 index fbcab5eba..000000000 --- a/src/libimcv/plugins/imv_os/pacman.c +++ /dev/null @@ -1,499 +0,0 @@ -/* - * Copyright (C) 2012 Andreas Steffen - * HSR Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#define _GNU_SOURCE -#include <getopt.h> -#include <unistd.h> -#include <stdio.h> -#include <string.h> -#include <errno.h> -#include <syslog.h> -#include <time.h> -#include <sys/stat.h> - -#include "imv_os_state.h" - -#include <library.h> -#include <utils/debug.h> - -typedef enum pacman_state_t pacman_state_t; - -enum pacman_state_t { - PACMAN_STATE_BEGIN_PACKAGE, - PACMAN_STATE_VERSION, - PACMAN_STATE_END_PACKAGE -}; - -typedef struct stats_t stats_t; - -struct stats_t { - time_t release; - int product; - int packages; - int new_packages; - int new_versions; - int updated_versions; - int deleted_versions; -}; - -/** - * global debug output variables - */ -static int debug_level = 1; -static bool stderr_quiet = TRUE; - -/** - * pacman dbg function - */ -static void pacman_dbg(debug_t group, level_t level, char *fmt, ...) -{ - int priority = LOG_INFO; - char buffer[8192]; - char *current = buffer, *next; - va_list args; - - if (level <= debug_level) - { - if (!stderr_quiet) - { - va_start(args, fmt); - vfprintf(stderr, fmt, args); - fprintf(stderr, "\n"); - va_end(args); - } - - /* write in memory buffer first */ - va_start(args, fmt); - vsnprintf(buffer, sizeof(buffer), fmt, args); - va_end(args); - - /* do a syslog with every line */ - while (current) - { - next = strchr(current, '\n'); - if (next) - { - *(next++) = '\0'; - } - syslog(priority, "%s\n", current); - current = next; - } - } -} - -/** - * atexit handler to close everything on shutdown - */ -static void cleanup(void) -{ - closelog(); - library_deinit(); -} - -static void usage(void) -{ - printf("Parses package information files from Debian/Ubuntu repositories and\n"); - printf("stores the extracted information in the database used by the OS IMV.\n\n"); - printf("ipsec pacman --product <name> --file <filename> [--security]\n\n"); - printf(" --help print usage information\n"); - printf(" --product <name> name of the Debian/Ubuntu release, as stored in the DB\n"); - printf(" --file <filename> package information file to parse\n"); - printf(" --security set this when parsing a file with security updates\n"); - printf("\n"); -} - -/** - * Update the package database - */ -static bool update_database(database_t *db, char *package, char *version, - bool security, stats_t *stats) -{ - char *cur_version, *version_update = NULL, *version_delete = NULL; - int cur_security, security_update = 0, security_delete = 0; - int pac_id = 0, vid = 0, vid_update = 0, vid_delete = 0; - u_int cur_time; - bool add_version = TRUE; - enumerator_t *e; - - /* increment package count */ - stats->packages++; - - /* check if package is already in database */ - e = db->query(db, "SELECT id FROM packages WHERE name = ?", - DB_TEXT, package, DB_INT); - if (!e) - { - return FALSE; - } - if (!e->enumerate(e, &pac_id)) - { - pac_id = 0; - } - e->destroy(e); - - if (!pac_id && security) - { - if (db->execute(db, &pac_id, "INSERT INTO packages (name) VALUES (?)", - DB_TEXT, package) != 1) - { - fprintf(stderr, "could not store package '%s' to database\n", - package); - return FALSE; - } - stats->new_packages++; - } - - /* check for package versions already in database */ - e = db->query(db, - "SELECT id, release, security, time FROM versions " - "WHERE package = ? AND product = ?", DB_INT, pac_id, - DB_INT, stats->product, DB_INT, DB_TEXT, DB_INT, DB_UINT); - if (!e) - { - return FALSE; - } - - while (e->enumerate(e, &vid, &cur_version, &cur_security, &cur_time)) - { - if (streq(version, cur_version)) - { - /* already in data base */ - add_version = FALSE; - break; - } - else if (stats->release >= cur_time) - { - if (security) - { - if (cur_security) - { - vid_update = vid; - version_update = strdup(cur_version); - security_update = cur_security; - } - else - { - vid_delete = vid; - version_delete = strdup(cur_version); - security_delete = cur_security; - } - } - else - { - if (!cur_security) - { - vid_update = vid; - version_update = strdup(cur_version); - security_update = cur_security; - } - } - } - else - { - if (security == cur_security) - { - add_version = FALSE; - } - } - } - e->destroy(e); - - if ((!vid && !security) || (vid && !add_version)) - { - free(version_update); - free(version_delete); - return TRUE; - } - - if ((!vid && security) || (vid && !vid_update)) - { - printf("%s (%s) %s\n", package, version, security ? "[s]" : ""); - - if (db->execute(db, &vid, - "INSERT INTO versions " - "(package, product, release, security, time) " - "VALUES (?, ?, ?, ?, ?)", DB_INT, pac_id, DB_INT, stats->product, - DB_TEXT, version, DB_INT, security, DB_INT, stats->release) != 1) - { - fprintf(stderr, "could not store version '%s' to database\n", - version); - free(version_update); - free(version_delete); - return FALSE; - } - stats->new_versions++; - } - else - { - printf("%s (%s) %s updated by\n", - package, version_update, security_update ? "[s]" : ""); - printf("%s (%s) %s\n", package, version, security ? "[s]" : ""); - - if (db->execute(db, NULL, - "UPDATE versions SET release = ?, time = ? WHERE id = ?", - DB_TEXT, version, DB_INT, stats->release, DB_INT, vid_update) <= 0) - { - fprintf(stderr, "could not update version '%s' to database\n", - version); - free(version_update); - free(version_delete); - return FALSE; - } - stats->updated_versions++; - } - - if (vid_delete) - { - printf("%s (%s) %s deleted\n", - package, version_delete, security_delete ? "[s]" : ""); - if (db->execute(db, NULL, - "DELETE FROM versions WHERE id = ?", - DB_INT, vid_delete) <= 0) - { - fprintf(stderr, "could not delete version '%s' from database\n", - version_delete); - free(version_update); - free(version_delete); - return FALSE; - } - stats->deleted_versions++; - } - free(version_update); - free(version_delete); - - return TRUE; -} - -/** - * Process a package file and store updates in the database - */ -static void process_packages(char *filename, char *product, bool security) -{ - char *uri, line[BUF_LEN], *pos, *package = NULL, *version = NULL; - pacman_state_t pacman_state; - enumerator_t *e; - database_t *db; - int pid; - FILE *file; - stats_t stats; - bool success; - - /* initialize statistics */ - memset(&stats, 0x00, sizeof(stats_t)); - - /* Set release date to current time */ - stats.release = time(NULL); - - /* opening package file */ - printf("loading\"%s\"\n", filename); - file = fopen(filename, "r"); - if (!file) - { - fprintf(stderr, "could not open \"%s\"\n", filename); - exit(EXIT_FAILURE); - } - - /* connect package database */ - uri = lib->settings->get_str(lib->settings, "pacman.database", NULL); - if (!uri) - { - fprintf(stderr, "database URI pacman.database not set\n"); - fclose(file); - exit(EXIT_FAILURE); - } - db = lib->db->create(lib->db, uri); - if (!db) - { - fprintf(stderr, "could not connect to database '%s'\n", uri); - fclose(file); - exit(EXIT_FAILURE); - } - - /* check if product is already in database */ - e = db->query(db, "SELECT id FROM products WHERE name = ?", - DB_TEXT, product, DB_INT); - if (e) - { - if (e->enumerate(e, &pid)) - { - stats.product = pid; - } - e->destroy(e); - } - if (!stats.product) - { - if (db->execute(db, &pid, "INSERT INTO products (name) VALUES (?)", - DB_TEXT, product) != 1) - { - fprintf(stderr, "could not store product '%s' to database\n", - product); - fclose(file); - db->destroy(db); - exit(EXIT_FAILURE); - } - stats.product = pid; - } - - pacman_state = PACMAN_STATE_BEGIN_PACKAGE; - - while (fgets(line, sizeof(line), file)) - { - /* set read pointer to beginning of line */ - pos = line; - - switch (pacman_state) - { - case PACMAN_STATE_BEGIN_PACKAGE: - pos = strstr(pos, "Package: "); - if (!pos) - { - continue; - } - pos += 9; - package = pos; - pos = strchr(pos, '\n'); - if (pos) - { - package = strndup(package, pos - package); - pacman_state = PACMAN_STATE_VERSION; - } - break; - case PACMAN_STATE_VERSION: - pos = strstr(pos, "Version: "); - if (!pos) - { - continue; - } - pos += 9; - version = pos; - pos = strchr(pos, '\n'); - if (pos) - { - version = strndup(version, pos - version); - pacman_state = PACMAN_STATE_END_PACKAGE; - } - break; - case PACMAN_STATE_END_PACKAGE: - if (*pos != '\n') - { - continue; - } - success = update_database(db, package, version, security, &stats); - free(package); - free(version); - if (!success) - { - fclose(file); - db->destroy(db); - exit(EXIT_FAILURE); - } - pacman_state = PACMAN_STATE_BEGIN_PACKAGE; - } - } - switch (pacman_state) - { - case PACMAN_STATE_END_PACKAGE: - free(version); - /* fall-through */ - case PACMAN_STATE_VERSION: - free(package); - break; - default: - break; - } - fclose(file); - db->destroy(db); - - printf("processed %d packages, %d new packages, %d new versions, " - "%d updated versions, %d deleted versions\n", - stats.packages, stats.new_packages, stats.new_versions, - stats.updated_versions, stats.deleted_versions); -} - -static void do_args(int argc, char *argv[]) -{ - char *filename = NULL, *product = NULL; - bool security = FALSE; - - /* reinit getopt state */ - optind = 0; - - while (TRUE) - { - int c; - - struct option long_opts[] = { - { "help", no_argument, NULL, 'h' }, - { "file", required_argument, NULL, 'f' }, - { "product", required_argument, NULL, 'p' }, - { "security", no_argument, NULL, 's' }, - { 0,0,0,0 } - }; - - c = getopt_long(argc, argv, "", long_opts, NULL); - switch (c) - { - case EOF: - break; - case 'h': - usage(); - exit(EXIT_SUCCESS); - case 'f': - filename = optarg; - continue; - case 'p': - product = optarg; - continue; - case 's': - security = TRUE; - continue; - } - break; - } - - if (filename && product) - { - process_packages(filename, product, security); - } - else - { - usage(); - exit(EXIT_FAILURE); - } -} - -int main(int argc, char *argv[]) -{ - /* enable attest debugging hook */ - dbg = pacman_dbg; - openlog("pacman", 0, LOG_DEBUG); - - atexit(cleanup); - - /* initialize library */ - if (!library_init(NULL, "pacman")) - { - exit(SS_RC_LIBSTRONGSWAN_INTEGRITY); - } - if (!lib->plugins->load(lib->plugins, - lib->settings->get_str(lib->settings, "pacman.load", "sqlite"))) - { - exit(SS_RC_INITIALIZATION_FAILED); - } - do_args(argc, argv); - - exit(EXIT_SUCCESS); -} - diff --git a/src/libimcv/plugins/imv_os/pacman.sh b/src/libimcv/plugins/imv_os/pacman.sh deleted file mode 100755 index fcf35b644..000000000 --- a/src/libimcv/plugins/imv_os/pacman.sh +++ /dev/null @@ -1,203 +0,0 @@ -#!/bin/sh - -DIR="/etc/pts" -DATE=`date +%Y%m%d-%H%M` -UBUNTU="http://security.ubuntu.com/ubuntu/dists" -UBUNTU_VERSIONS="trusty saucy raring quantal precise lucid" -UBUNTU_DIRS="main multiverse restricted universe" -UBUNTU_ARCH="binary-amd64 binary-i386" -DEBIAN="http://security.debian.org/dists" -DEBIAN_VERSIONS="jessie wheezy squeeze" -DEBIAN_DIRS="main contrib non-free" -DEBIAN_ARCH="binary-amd64 binary-i386" -PACMAN=/usr/libexec/ipsec/pacman -PACMAN_LOG="$DIR/$DATE-pacman.log" - -mkdir -p $DIR/dists -cd $DIR/dists - -for v in $UBUNTU_VERSIONS -do - for a in $UBUNTU_ARCH - do - mkdir -p $v-security/$a $v-updates/$a - for d in $UBUNTU_DIRS - do - wget $UBUNTU/$v-security/$d/$a/Packages.bz2 -O $v-security/$a/Packages-$d.bz2 - bunzip2 -f $v-security/$a/Packages-$d.bz2 - wget $UBUNTU/$v-updates/$d/$a/Packages.bz2 -O $v-updates/$a/Packages-$d.bz2 - bunzip2 -f $v-updates/$a/Packages-$d.bz2 - done - done -done - -for v in $DEBIAN_VERSIONS -do - for a in $DEBIAN_ARCH - do - mkdir -p $v-updates/$a - for d in $DEBIAN_DIRS - do - wget $DEBIAN/$v/updates/$d/$a/Packages.bz2 -O $v-updates/$a/Packages-$d.bz2 - bunzip2 -f $v-updates/$a/Packages-$d.bz2 - done - done -done - -for f in trusty-security/binary-amd64/* -do - $PACMAN --product "Ubuntu 14.04 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in trusty-updates/binary-amd64/* -do - $PACMAN --product "Ubuntu 14.04 x86_64" --file $f >> $PACMAN_LOG -done -echo -for f in trusty-security/binary-i386/* -do - $PACMAN --product "Ubuntu 14.04 i686" --file $f --security >> $PACMAN_LOG -done -echo -for f in trusty-updates/binary-i386/* -do - $PACMAN --product "Ubuntu 14.04 i686" --file $f >> $PACMAN_LOG -done -echo - -for f in saucy-security/binary-amd64/* -do - $PACMAN --product "Ubuntu 13.10 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in saucy-updates/binary-amd64/* -do - $PACMAN --product "Ubuntu 13.10 x86_64" --file $f >> $PACMAN_LOG -done -echo -for f in saucy-security/binary-i386/* -do - $PACMAN --product "Ubuntu 13.10 i686" --file $f --security >> $PACMAN_LOG -done -echo -for f in saucy-updates/binary-i386/* -do - $PACMAN --product "Ubuntu 13.10 i686" --file $f >> $PACMAN_LOG -done -echo - -for f in raring-security/binary-amd64/* -do - $PACMAN --product "Ubuntu 13.04 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in raring-updates/binary-amd64/* -do - $PACMAN --product "Ubuntu 13.04 x86_64" --file $f >> $PACMAN_LOG -done -echo -for f in raring-security/binary-i386/* -do - $PACMAN --product "Ubuntu 13.04 i686" --file $f --security >> $PACMAN_LOG -done -echo -for f in raring-updates/binary-i386/* -do - $PACMAN --product "Ubuntu 13.04 i686" --file $f >> $PACMAN_LOG -done -echo - -for f in quantal-security/binary-amd64/* -do - $PACMAN --product "Ubuntu 12.10 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in quantal-updates/binary-amd64/* -do - $PACMAN --product "Ubuntu 12.10 x86_64" --file $f >> $PACMAN_LOG -done -echo -for f in quantal-security/binary-i386/* -do - $PACMAN --product "Ubuntu 12.10 i686" --file $f --security >> $PACMAN_LOG -done -echo -for f in quantal-updates/binary-i386/* -do - $PACMAN --product "Ubuntu 12.10 i686" --file $f >> $PACMAN_LOG -done -echo - -for f in precise-security/binary-amd64/* -do - $PACMAN --product "Ubuntu 12.04 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in precise-updates/binary-amd64/* -do - $PACMAN --product "Ubuntu 12.04 x86_64" --file $f >> $PACMAN_LOG -done -echo -for f in precise-security/binary-i386/* -do - $PACMAN --product "Ubuntu 12.04 i686" --file $f --security >> $PACMAN_LOG -done -echo -for f in precise-updates/binary-i386/* -do - $PACMAN --product "Ubuntu 12.04 i686" --file $f >> $PACMAN_LOG -done -echo - -for f in lucid-security/binary-amd64/* -do - $PACMAN --product "Ubuntu 10.04 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in lucid-updates/binary-amd64/* -do - $PACMAN --product "Ubuntu 10.04 x86_64" --file $f >> $PACMAN_LOG -done -echo -for f in lucid-security/binary-i386/* -do - $PACMAN --product "Ubuntu 10.04 i686" --file $f --security >> $PACMAN_LOG -done -echo -for f in lucid-updates/binary-i386/* -do - $PACMAN --product "Ubuntu 10.04 i686" --file $f >> $PACMAN_LOG -done -echo - -for f in jessie-updates/binary-amd64/* -do - $PACMAN --product "Debian 8.0 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in jessie-updates/binary-i386/* -do - $PACMAN --product "Debian 8.0 i686" --file $f --security >> $PACMAN_LOG -done - -for f in wheezy-updates/binary-amd64/* -do - $PACMAN --product "Debian 7.0 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in wheezy-updates/binary-i386/* -do - $PACMAN --product "Debian 7.0 i686" --file $f --security >> $PACMAN_LOG -done - -for f in squeeze-updates/binary-amd64/* -do - $PACMAN --product "Debian 6.0 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in squeeze-updates/binary-i386/* -do - $PACMAN --product "Debian 6.0 i686" --file $f --security >> $PACMAN_LOG -done - -cp $DIR/config.db $DIR/config.db-$DATE diff --git a/src/libimcv/plugins/imv_scanner/Makefile.in b/src/libimcv/plugins/imv_scanner/Makefile.in index b851f84e7..2649f499d 100644 --- a/src/libimcv/plugins/imv_scanner/Makefile.in +++ b/src/libimcv/plugins/imv_scanner/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imv_swid/Makefile.in b/src/libimcv/plugins/imv_swid/Makefile.in index c745b4597..faccb683e 100644 --- a/src/libimcv/plugins/imv_swid/Makefile.in +++ b/src/libimcv/plugins/imv_swid/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imv_swima/Makefile.in b/src/libimcv/plugins/imv_swima/Makefile.in index 56eafa5ad..e2132b576 100644 --- a/src/libimcv/plugins/imv_swima/Makefile.in +++ b/src/libimcv/plugins/imv_swima/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imv_swima/imv_swima_agent.c b/src/libimcv/plugins/imv_swima/imv_swima_agent.c index efa2b1105..1d9944200 100644 --- a/src/libimcv/plugins/imv_swima/imv_swima_agent.c +++ b/src/libimcv/plugins/imv_swima/imv_swima_agent.c @@ -44,7 +44,7 @@ typedef struct private_imv_swima_agent_t private_imv_swima_agent_t; /* Subscribed PA-TNC message subtypes */ static pen_type_t msg_types[] = { - { PEN_IETF, PA_SUBTYPE_IETF_SW } + { PEN_IETF, PA_SUBTYPE_IETF_SWIMA } }; /** @@ -175,7 +175,7 @@ static TNC_Result receive_msg(private_imv_swima_agent_t *this, reader->destroy(reader); continue; } - if (error_code.type == PA_ERROR_SW_RESPONSE_TOO_LARGE) + if (error_code.type == PA_ERROR_SWIMA_RESPONSE_TOO_LARGE) { if (!reader->read_uint32(reader, &max_attr_size)) { diff --git a/src/libimcv/plugins/imv_test/Makefile.in b/src/libimcv/plugins/imv_test/Makefile.in index 8a6b9ed15..b583a32c2 100644 --- a/src/libimcv/plugins/imv_test/Makefile.in +++ b/src/libimcv/plugins/imv_test/Makefile.in @@ -243,9 +243,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/pts/pts.c b/src/libimcv/pts/pts.c index d771d07ed..09ffd7160 100644 --- a/src/libimcv/pts/pts.c +++ b/src/libimcv/pts/pts.c @@ -762,7 +762,7 @@ METHOD(pts_t, verify_quote_signature, bool, return FALSE; } - if (!aik_pubkey->verify(aik_pubkey, scheme, digest, signature)) + if (!aik_pubkey->verify(aik_pubkey, scheme, NULL, digest, signature)) { DBG1(DBG_PTS, "signature verification failed for TPM Quote Info"); DESTROY_IF(aik_pubkey); diff --git a/src/libimcv/pts/pts_database.c b/src/libimcv/pts/pts_database.c index 4a47b06f0..8b99d689b 100644 --- a/src/libimcv/pts/pts_database.c +++ b/src/libimcv/pts/pts_database.c @@ -121,15 +121,69 @@ METHOD(pts_database_t, create_file_hash_enumerator, enumerator_t*, return e; } -METHOD(pts_database_t, add_file_measurement, status_t, - private_pts_database_t *this, int pid, pts_meas_algorithms_t algo, + +METHOD(pts_database_t, get_product_version, bool, + private_pts_database_t *this, int pid, int *vid) +{ + enumerator_t *e; + int pkg_id; + + /* does empty package name already exist? */ + e = this->db->query(this->db, + "SELECT id FROM packages WHERE name = ''", DB_INT); + if (!e) + { + return FALSE; + } + if (!e->enumerate(e, &pkg_id)) + { + /* create generic product version entry */ + if (this->db->execute(this->db, &pkg_id, + "INSERT INTO packages (name) VALUES ('')") != 1) + { + DBG1(DBG_PTS, "could not insert package into database"); + e->destroy(e); + return FALSE; + } + } + e->destroy(e); + + /* does generic product version already exist? */ + e = this->db->query(this->db, + "SELECT id FROM versions WHERE product = ? AND package = ?", + DB_INT, pid, DB_INT, pkg_id); + if (!e) + { + return FALSE; + } + if (!e->enumerate(e, vid)) + { + /* create generic product version entry */ + if (this->db->execute(this->db, vid, + "INSERT INTO versions (product, package) VALUES (?, ?)", + DB_INT, pid, DB_INT, pkg_id) != 1) + { + DBG1(DBG_PTS, "could not insert version into database"); + e->destroy(e); + return FALSE; + } + } + e->destroy(e); + + return TRUE; +} + +METHOD(pts_database_t, add_file_measurement, bool, + private_pts_database_t *this, int vid, pts_meas_algorithms_t algo, chunk_t measurement, char *filename, bool is_dir, int id) { enumerator_t *e; char *name; - chunk_t hash_value; + uint8_t hash_buf[HASH_SIZE_SHA512]; + uint8_t hex_meas_buf[2*HASH_SIZE_SHA512+1], *hex_hash_buf; + chunk_t hash, hex_hash, hex_meas; int hash_id, fid; - status_t status = SUCCESS; + bool success = TRUE; if (is_dir) { @@ -139,7 +193,7 @@ METHOD(pts_database_t, add_file_measurement, status_t, DB_TEXT, filename, DB_INT, id, DB_INT); if (!e) { - return FAILED; + return FALSE; } if (!e->enumerate(e, &fid)) { @@ -149,7 +203,7 @@ METHOD(pts_database_t, add_file_measurement, status_t, DB_TEXT, filename, DB_INT, id) != 1) { DBG1(DBG_PTS, "could not insert filename into database"); - status = FAILED; + success = FALSE; } } e->destroy(e); @@ -163,58 +217,63 @@ METHOD(pts_database_t, add_file_measurement, status_t, "SELECT name FROM files WHERE id = ?", DB_INT, fid, DB_TEXT); if (!e) { - return FAILED; + return FALSE; } if (!e->enumerate(e, &name) || !streq(name, filename)) { DBG1(DBG_PTS, "filename of reference measurement does not match"); - status = FAILED; + success = FALSE; } e->destroy(e); } - if (status != SUCCESS) + if (!success) { - return status; + return FALSE; } /* does hash measurement value already exist? */ e = this->db->query(this->db, - "SELECT fh.id, fh.hash FROM file_hashes AS fh " - "JOIN versions AS v ON v.id = fh.version " - "WHERE v.product = ? AND fh.algo = ? AND fh.file = ?", - DB_INT, pid, DB_INT, algo, DB_INT, fid, DB_INT, DB_BLOB); + "SELECT id, hash FROM file_hashes " + "WHERE algo = ? AND file = ? AND version = ?", + DB_INT, algo, DB_INT, fid, DB_INT, vid, DB_INT, DB_TEXT); if (!e) { - return FAILED; + return FALSE; } - if (e->enumerate(e, &hash_id, &hash_value)) + if (e->enumerate(e, &hash_id, &hex_hash_buf)) { - if (!chunk_equals_const(measurement, hash_value)) + hex_hash = chunk_from_str(hex_hash_buf); + hash = chunk_from_hex(hex_hash, hash_buf); + + if (!chunk_equals(measurement, hash)) { /* update hash measurement value */ if (this->db->execute(this->db, &hash_id, "UPDATE file_hashes SET hash = ? WHERE id = ?", DB_BLOB, measurement, DB_INT, hash_id) != 1) { - status = FAILED; + success = FALSE; } } } else { + hex_meas = chunk_to_hex(measurement, hex_meas_buf, FALSE); + hex_meas_buf[hex_meas.len] = '\0'; + /* insert hash measurement value */ if (this->db->execute(this->db, &hash_id, - "INSERT INTO file_hashes (file, product, algo, hash) " - "VALUES (?, ?, ?, ?)", DB_INT, fid, DB_INT, pid, - DB_INT, algo, DB_BLOB, measurement) != 1) + "INSERT INTO file_hashes (file, version, algo, hash) " + "VALUES (?, ?, ?, ?)", DB_INT, fid, DB_INT, vid, + DB_INT, algo, DB_TEXT, hex_meas_buf) != 1) { - status = FAILED; + success = FALSE; } } e->destroy(e); - return status; + return success; } METHOD(pts_database_t, create_file_meas_enumerator, enumerator_t*, @@ -296,7 +355,7 @@ METHOD(pts_database_t, check_comp_measurement, status_t, while (e->enumerate(e, &hash)) { - if (chunk_equals_const(hash, measurement)) + if (chunk_equals(hash, measurement)) { status = SUCCESS; break; @@ -424,6 +483,7 @@ pts_database_t *pts_database_create(imv_database_t *imv_db) .public = { .get_pathname = _get_pathname, .create_file_hash_enumerator = _create_file_hash_enumerator, + .get_product_version = _get_product_version, .add_file_measurement = _add_file_measurement, .create_file_meas_enumerator = _create_file_meas_enumerator, .check_comp_measurement = _check_comp_measurement, diff --git a/src/libimcv/pts/pts_database.h b/src/libimcv/pts/pts_database.h index a6c9fb3b6..3a5ff5992 100644 --- a/src/libimcv/pts/pts_database.h +++ b/src/libimcv/pts/pts_database.h @@ -60,18 +60,27 @@ struct pts_database_t { /** * Add PTS file measurement reference value * - * @param pid Primary key of software product in database + * @param pid Primary key of platform product + * @param vid Primary key of generic product version + * @return TRUE if successful + */ + bool (*get_product_version)(pts_database_t *this, int pid, int *vid); + + /** + * Add PTS file measurement reference value + * + * @param vid Primary key of generic product version * @param algo File measurement hash algorithm used * @param measurement File measurement hash * @param filename Optional name of the file to be checked * @param is_dir TRUE if part of directory measurement * @param id Primary key into direcories/files table - * @return Status + * @return TRUE if successful */ - status_t (*add_file_measurement)(pts_database_t *this, int pid, - pts_meas_algorithms_t algo, - chunk_t measurement, char *filename, - bool is_dir, int id); + bool (*add_file_measurement)(pts_database_t *this, int vid, + pts_meas_algorithms_t algo, + chunk_t measurement, char *filename, + bool is_dir, int id); /** * Get PTS measurement[s] for a given filename stored in database diff --git a/src/libimcv/pts/pts_file_meas.c b/src/libimcv/pts/pts_file_meas.c index 92f513a2d..2f8935a87 100644 --- a/src/libimcv/pts/pts_file_meas.c +++ b/src/libimcv/pts/pts_file_meas.c @@ -140,7 +140,7 @@ METHOD(pts_file_meas_t, check, bool, { while (e->enumerate(e, &hash)) { - if (chunk_equals_const(entry->measurement, hash)) + if (chunk_equals(entry->measurement, hash)) { status = SUCCESS; break; @@ -193,12 +193,13 @@ METHOD(pts_file_meas_t, verify, bool, { int fid, fid_last = 0; char *filename; - chunk_t measurement; + uint8_t measurement_buf[HASH_SIZE_SHA512], *hex_meas_buf; + chunk_t measurement, hex_meas; entry_t *entry; enumerator_t *enumerator = NULL; bool found = FALSE, match = FALSE, success = TRUE; - while (e_hash->enumerate(e_hash, &fid, &filename, &measurement)) + while (e_hash->enumerate(e_hash, &fid, &filename, &hex_meas_buf)) { if (fid != fid_last) { @@ -241,7 +242,10 @@ METHOD(pts_file_meas_t, verify, bool, if (found && !match) { - if (chunk_equals_const(measurement, entry->measurement)) + hex_meas = chunk_from_str(hex_meas_buf); + measurement = chunk_from_hex(hex_meas, measurement_buf); + + if (chunk_equals(measurement, entry->measurement)) { match = TRUE; DBG2(DBG_PTS, " %#B for '%s' is ok", diff --git a/src/libimcv/suites/test_imcv_seg.c b/src/libimcv/suites/test_imcv_seg.c index 5245be9fa..fdb03b8ae 100644 --- a/src/libimcv/suites/test_imcv_seg.c +++ b/src/libimcv/suites/test_imcv_seg.c @@ -88,7 +88,7 @@ START_TEST(test_imcv_seg_env) { /* create first segment */ attr = seg_env->first_segment(seg_env, 0); - + seg_env_attr = (tcg_seg_attr_seg_env_t*)attr; segment = seg_env_attr->get_segment(seg_env_attr, &flags); if (max_seg_size > 12) @@ -108,8 +108,8 @@ START_TEST(test_imcv_seg_env) segment = seg_env_attr->get_segment(seg_env_attr, &flags); seg = chunk_create(command + n * max_seg_size - 12, seg_size); ck_assert(chunk_equals(seg, segment)); - ck_assert(flags == last_seg ? SEG_ENV_FLAG_NONE : - SEG_ENV_FLAG_MORE); + ck_assert(flags == (last_seg ? SEG_ENV_FLAG_NONE : + SEG_ENV_FLAG_MORE)); } /* check built segment envelope attribute */ @@ -137,8 +137,8 @@ START_TEST(test_imcv_seg_env) } else { - ck_assert(flags == last_seg ? SEG_ENV_FLAG_NONE : - SEG_ENV_FLAG_MORE); + ck_assert(flags == (last_seg ? SEG_ENV_FLAG_NONE : + SEG_ENV_FLAG_MORE)); seg_env1->add_segment(seg_env1, segment, &error); } attr1->destroy(attr1); @@ -341,7 +341,7 @@ START_TEST(test_imcv_seg_contract) ita_attr = (ita_attr_command_t*)base_attr_i; ck_assert(streq(ita_attr->get_command(ita_attr), command)); base_attr_i->destroy(base_attr_i); - } + } contract_i->destroy(contract_i); contract_r->destroy(contract_r); base_attr_r->destroy(base_attr_r); @@ -389,7 +389,7 @@ START_TEST(test_imcv_seg_contract_special) contract_i->get_info_string(contract_i, info, sizeof(info), TRUE); ck_assert(max_attr_size == 1000 && max_seg_size == 47); ck_assert(!contract_i->is_null(contract_i)); - + /* create a null responder contract*/ contract_r = seg_contract_create(msg_type, SEG_CONTRACT_MAX_SIZE_VALUE, SEG_CONTRACT_MAX_SIZE_VALUE, @@ -594,7 +594,7 @@ START_TEST(test_imcv_seg_contract_invalid) TRUE, issuer_id, FALSE); base_attr = contract->add_segment(contract, attr_f, &error, &more); ck_assert(base_attr == NULL); - + if (contract_invalid_tests[_i].err_f) { ck_assert(error); @@ -641,18 +641,18 @@ START_TEST(test_imcv_seg_contract_mgr) contracts = seg_contract_manager_create(); /* add contract template as issuer */ - c1 = seg_contract_create(msg_type1, max_attr_size, max_seg_size, + c1 = seg_contract_create(msg_type1, max_attr_size, max_seg_size, TRUE, 1, FALSE); c1->get_info_string(c1, buf, BUF_LEN, TRUE); contracts->add_contract(contracts, c1); - + /* received contract request for msg_type1 as responder */ cx = contracts->get_contract(contracts, msg_type1, FALSE, 2); ck_assert(cx == NULL); /* add directed contract as responder */ - c2 = seg_contract_create(msg_type1, max_attr_size, max_seg_size, + c2 = seg_contract_create(msg_type1, max_attr_size, max_seg_size, FALSE, 2, FALSE); c2->set_responder(c2, 1); c2->get_info_string(c2, buf, BUF_LEN, TRUE); @@ -685,7 +685,7 @@ START_TEST(test_imcv_seg_contract_mgr) ck_assert(cx == NULL); /* add directed contract as responder */ - c4 = seg_contract_create(msg_type2, max_attr_size, max_seg_size, + c4 = seg_contract_create(msg_type2, max_attr_size, max_seg_size, FALSE, 2, FALSE); c4->set_responder(c4, 1); contracts->add_contract(contracts, c4); diff --git a/src/libimcv/suites/test_imcv_swima.c b/src/libimcv/suites/test_imcv_swima.c index c54669d1d..a579f7378 100644 --- a/src/libimcv/suites/test_imcv_swima.c +++ b/src/libimcv/suites/test_imcv_swima.c @@ -124,7 +124,7 @@ static req_data_t req_data[] = { START_TEST(test_imcv_swima_sw_req) { pen_type_t type; - pen_type_t pen_type = { PEN_IETF, IETF_ATTR_SW_REQUEST }; + pen_type_t pen_type = { PEN_IETF, IETF_ATTR_SWIMA_REQUEST }; pa_tnc_attr_t *attr, *attr1, *attr2; ietf_swima_attr_req_t *c_attr; swima_record_t *target; diff --git a/src/libimcv/swid_gen/swid_gen.h b/src/libimcv/swid_gen/swid_gen.h index c143f292d..3a69b984a 100644 --- a/src/libimcv/swid_gen/swid_gen.h +++ b/src/libimcv/swid_gen/swid_gen.h @@ -44,7 +44,7 @@ struct swid_gen_t { char *version, bool full, bool pretty); /** - * Generate a SWID tag + * Generate SWID tags or software identifiers for all installed packages * * @param sw_id_only Return software identifier only * @param full Generate full SWID tags with file information diff --git a/src/libimcv/swima/swima_error.c b/src/libimcv/swima/swima_error.c index 2aed2966b..bce4645f0 100644 --- a/src/libimcv/swima/swima_error.c +++ b/src/libimcv/swima/swima_error.c @@ -59,7 +59,7 @@ pa_tnc_attr_t* swima_error_create(pa_tnc_error_code_t code, uint32_t request_id, writer = bio_writer_create(4); writer->write_uint32(writer, request_id); - if (code == PA_ERROR_SW_RESPONSE_TOO_LARGE) + if (code == PA_ERROR_SWIMA_RESPONSE_TOO_LARGE) { writer->write_uint32(writer, max_attr_size); } |