2019-03-26 15:09:52 -04:00
/*
2025-02-14 10:24:30 -05:00
* Copyright ( C ) 2013 - 2025 Cisco Systems , Inc . and / or its affiliates . All rights reserved .
2019-03-26 15:09:52 -04:00
* Copyright ( C ) 2007 - 2013 Sourcefire , Inc .
* Copyright ( C ) 2002 - 2007 Tomasz Kojm < tkojm @ clamav . net >
*
* HTTP / 1.1 compliance by Arkadiusz Miskiewicz < misiek @ pld . org . pl >
* Proxy support by Nigel Horne < njh @ bandsman . co . uk >
* Proxy authorization support by Gernot Tenchio < g . tenchio @ telco - tech . de >
* ( uses fmt_base64 ( ) from libowfat ( http : //www.fefe.de))
*
* CDIFF code ( C ) 2006 Sensory Networks , Inc .
*
* This program is free software ; you can redistribute it and / or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation ; either version 2 of the License , or
* ( at your option ) any later version .
*
* This program is distributed in the hope that it will be useful ,
* but WITHOUT ANY WARRANTY ; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
* GNU General Public License for more details .
*
* You should have received a copy of the GNU General Public License
* along with this program ; if not , write to the Free Software
* Foundation , Inc . , 51 Franklin Street , Fifth Floor , Boston ,
* MA 02110 - 1301 , USA .
*/
# if HAVE_CONFIG_H
# include "clamav-config.h"
# endif
/* for strptime, it is POSIX, but defining _XOPEN_SOURCE to 600
* fails on Solaris because it would require a c99 compiler ,
* 500 fails completely on Solaris , and FreeBSD , and w / o _XOPEN_SOURCE
* strptime is not defined on Linux */
# define __EXTENSIONS
# include <stdio.h>
# include <stdlib.h>
# ifdef HAVE_UNISTD_H
# include <unistd.h>
# endif
# include <string.h>
# ifdef HAVE_STRINGS_H
# include <strings.h>
# endif
# include <ctype.h>
# ifndef _WIN32
# include <netinet/in.h>
# include <netdb.h>
# include <arpa/inet.h>
# include <sys/socket.h>
# include <sys/time.h>
# endif
# include <sys/types.h>
# include <time.h>
# include <fcntl.h>
# ifndef _WIN32
# include <sys/wait.h>
# endif
# include <sys/stat.h>
# include <dirent.h>
# include <errno.h>
# include <zlib.h>
2019-07-08 13:28:39 -07:00
# include <math.h>
2019-03-26 15:09:52 -04:00
# include <curl/curl.h>
2021-03-21 19:47:21 -07:00
# include <openssl/rand.h>
2019-03-26 15:09:52 -04:00
# include "target.h"
Add CMake build tooling
This patch adds experimental-quality CMake build tooling.
The libmspack build required a modification to use "" instead of <> for
header #includes. This will hopefully be included in the libmspack
upstream project when adding CMake build tooling to libmspack.
Removed use of libltdl when using CMake.
Flex & Bison are now required to build.
If -DMAINTAINER_MODE, then GPERF is also required, though it currently
doesn't actually do anything. TODO!
I found that the autotools build system was generating the lexer output
but not actually compiling it, instead using previously generated (and
manually renamed) lexer c source. As a consequence, changes to the .l
and .y files weren't making it into the build. To resolve this, I
removed generated flex/bison files and fixed the tooling to use the
freshly generated files. Flex and bison are now required build tools.
On Windows, this adds a dependency on the winflexbison package,
which can be obtained using Chocolatey or may be manually installed.
CMake tooling only has partial support for building with external LLVM
library, and no support for the internal LLVM (to be removed in the
future). I.e. The CMake build currently only supports the bytecode
interpreter.
Many files used include paths relative to the top source directory or
relative to the current project, rather than relative to each build
target. Modern CMake support requires including internal dependency
headers the same way you would external dependency headers (albeit
with "" instead of <>). This meant correcting all header includes to
be relative to the build targets and not relative to the workspace.
For example, ...
```c
include "../libclamav/clamav.h"
include "clamd/clamd_others.h"
```
... becomes:
```c
// libclamav
include "clamav.h"
// clamd
include "clamd_others.h"
```
Fixes header name conflicts by renaming a few of the files.
Converted the "shared" code into a static library, which depends on
libclamav. The ironically named "shared" static library provides
features common to the ClamAV apps which are not required in
libclamav itself and are not intended for use by downstream projects.
This change was required for correct modern CMake practices but was
also required to use the automake "subdir-objects" option.
This eliminates warnings when running autoreconf which, in the next
version of autoconf & automake are likely to break the build.
libclamav used to build in multiple stages where an earlier stage is
a static library containing utils required by the "shared" code.
Linking clamdscan and clamdtop with this libclamav utils static lib
allowed these two apps to function without libclamav. While this is
nice in theory, the practical gains are minimal and it complicates
the build system. As such, the autotools and CMake tooling was
simplified for improved maintainability and this feature was thrown
out. clamdtop and clamdscan now require libclamav to function.
Removed the nopthreads version of the autotools
libclamav_internal_utils static library and added pthread linking to
a couple apps that may have issues building on some platforms without
it, with the intention of removing needless complexity from the
source. Kept the regular version of libclamav_internal_utils.la
though it is no longer used anywhere but in libclamav.
Added an experimental doxygen build option which attempts to build
clamav.h and libfreshclam doxygen html docs.
The CMake build tooling also may build the example program(s), which
isn't a feature in the Autotools build system.
Changed C standard to C90+ due to inline linking issues with socket.h
when linking libfreshclam.so on Linux.
Generate common.rc for win32.
Fix tabs/spaces in shared Makefile.am, and remove vestigial ifndef
from misc.c.
Add CMake files to the automake dist, so users can try the new
CMake tooling w/out having to build from a git clone.
clamonacc changes:
- Renamed FANOTIFY macro to HAVE_SYS_FANOTIFY_H to better match other
similar macros.
- Added a new clamav-clamonacc.service systemd unit file, based on
the work of ChadDevOps & Aaron Brighton.
- Added missing clamonacc man page.
Updates to clamdscan man page, add missing options.
Remove vestigial CL_NOLIBCLAMAV definitions (all apps now use
libclamav).
Rename Windows mspack.dll to libmspack.dll so all ClamAV-built
libraries have the lib-prefix with Visual Studio as with CMake.
2020-08-13 00:25:34 -07:00
// libclamav
# include "clamav.h"
# include "others.h"
# include "str.h"
# include "cvd.h"
# include "regex_list.h"
2021-03-04 19:39:50 -08:00
// common
Add CMake build tooling
This patch adds experimental-quality CMake build tooling.
The libmspack build required a modification to use "" instead of <> for
header #includes. This will hopefully be included in the libmspack
upstream project when adding CMake build tooling to libmspack.
Removed use of libltdl when using CMake.
Flex & Bison are now required to build.
If -DMAINTAINER_MODE, then GPERF is also required, though it currently
doesn't actually do anything. TODO!
I found that the autotools build system was generating the lexer output
but not actually compiling it, instead using previously generated (and
manually renamed) lexer c source. As a consequence, changes to the .l
and .y files weren't making it into the build. To resolve this, I
removed generated flex/bison files and fixed the tooling to use the
freshly generated files. Flex and bison are now required build tools.
On Windows, this adds a dependency on the winflexbison package,
which can be obtained using Chocolatey or may be manually installed.
CMake tooling only has partial support for building with external LLVM
library, and no support for the internal LLVM (to be removed in the
future). I.e. The CMake build currently only supports the bytecode
interpreter.
Many files used include paths relative to the top source directory or
relative to the current project, rather than relative to each build
target. Modern CMake support requires including internal dependency
headers the same way you would external dependency headers (albeit
with "" instead of <>). This meant correcting all header includes to
be relative to the build targets and not relative to the workspace.
For example, ...
```c
include "../libclamav/clamav.h"
include "clamd/clamd_others.h"
```
... becomes:
```c
// libclamav
include "clamav.h"
// clamd
include "clamd_others.h"
```
Fixes header name conflicts by renaming a few of the files.
Converted the "shared" code into a static library, which depends on
libclamav. The ironically named "shared" static library provides
features common to the ClamAV apps which are not required in
libclamav itself and are not intended for use by downstream projects.
This change was required for correct modern CMake practices but was
also required to use the automake "subdir-objects" option.
This eliminates warnings when running autoreconf which, in the next
version of autoconf & automake are likely to break the build.
libclamav used to build in multiple stages where an earlier stage is
a static library containing utils required by the "shared" code.
Linking clamdscan and clamdtop with this libclamav utils static lib
allowed these two apps to function without libclamav. While this is
nice in theory, the practical gains are minimal and it complicates
the build system. As such, the autotools and CMake tooling was
simplified for improved maintainability and this feature was thrown
out. clamdtop and clamdscan now require libclamav to function.
Removed the nopthreads version of the autotools
libclamav_internal_utils static library and added pthread linking to
a couple apps that may have issues building on some platforms without
it, with the intention of removing needless complexity from the
source. Kept the regular version of libclamav_internal_utils.la
though it is no longer used anywhere but in libclamav.
Added an experimental doxygen build option which attempts to build
clamav.h and libfreshclam doxygen html docs.
The CMake build tooling also may build the example program(s), which
isn't a feature in the Autotools build system.
Changed C standard to C90+ due to inline linking issues with socket.h
when linking libfreshclam.so on Linux.
Generate common.rc for win32.
Fix tabs/spaces in shared Makefile.am, and remove vestigial ifndef
from misc.c.
Add CMake files to the automake dist, so users can try the new
CMake tooling w/out having to build from a git clone.
clamonacc changes:
- Renamed FANOTIFY macro to HAVE_SYS_FANOTIFY_H to better match other
similar macros.
- Added a new clamav-clamonacc.service systemd unit file, based on
the work of ChadDevOps & Aaron Brighton.
- Added missing clamonacc man page.
Updates to clamdscan man page, add missing options.
Remove vestigial CL_NOLIBCLAMAV definitions (all apps now use
libclamav).
Rename Windows mspack.dll to libmspack.dll so all ClamAV-built
libraries have the lib-prefix with Visual Studio as with CMake.
2020-08-13 00:25:34 -07:00
# include "optparser.h"
# include "output.h"
2021-12-08 15:25:19 -08:00
# include "clamav_rust.h"
Add CMake build tooling
This patch adds experimental-quality CMake build tooling.
The libmspack build required a modification to use "" instead of <> for
header #includes. This will hopefully be included in the libmspack
upstream project when adding CMake build tooling to libmspack.
Removed use of libltdl when using CMake.
Flex & Bison are now required to build.
If -DMAINTAINER_MODE, then GPERF is also required, though it currently
doesn't actually do anything. TODO!
I found that the autotools build system was generating the lexer output
but not actually compiling it, instead using previously generated (and
manually renamed) lexer c source. As a consequence, changes to the .l
and .y files weren't making it into the build. To resolve this, I
removed generated flex/bison files and fixed the tooling to use the
freshly generated files. Flex and bison are now required build tools.
On Windows, this adds a dependency on the winflexbison package,
which can be obtained using Chocolatey or may be manually installed.
CMake tooling only has partial support for building with external LLVM
library, and no support for the internal LLVM (to be removed in the
future). I.e. The CMake build currently only supports the bytecode
interpreter.
Many files used include paths relative to the top source directory or
relative to the current project, rather than relative to each build
target. Modern CMake support requires including internal dependency
headers the same way you would external dependency headers (albeit
with "" instead of <>). This meant correcting all header includes to
be relative to the build targets and not relative to the workspace.
For example, ...
```c
include "../libclamav/clamav.h"
include "clamd/clamd_others.h"
```
... becomes:
```c
// libclamav
include "clamav.h"
// clamd
include "clamd_others.h"
```
Fixes header name conflicts by renaming a few of the files.
Converted the "shared" code into a static library, which depends on
libclamav. The ironically named "shared" static library provides
features common to the ClamAV apps which are not required in
libclamav itself and are not intended for use by downstream projects.
This change was required for correct modern CMake practices but was
also required to use the automake "subdir-objects" option.
This eliminates warnings when running autoreconf which, in the next
version of autoconf & automake are likely to break the build.
libclamav used to build in multiple stages where an earlier stage is
a static library containing utils required by the "shared" code.
Linking clamdscan and clamdtop with this libclamav utils static lib
allowed these two apps to function without libclamav. While this is
nice in theory, the practical gains are minimal and it complicates
the build system. As such, the autotools and CMake tooling was
simplified for improved maintainability and this feature was thrown
out. clamdtop and clamdscan now require libclamav to function.
Removed the nopthreads version of the autotools
libclamav_internal_utils static library and added pthread linking to
a couple apps that may have issues building on some platforms without
it, with the intention of removing needless complexity from the
source. Kept the regular version of libclamav_internal_utils.la
though it is no longer used anywhere but in libclamav.
Added an experimental doxygen build option which attempts to build
clamav.h and libfreshclam doxygen html docs.
The CMake build tooling also may build the example program(s), which
isn't a feature in the Autotools build system.
Changed C standard to C90+ due to inline linking issues with socket.h
when linking libfreshclam.so on Linux.
Generate common.rc for win32.
Fix tabs/spaces in shared Makefile.am, and remove vestigial ifndef
from misc.c.
Add CMake files to the automake dist, so users can try the new
CMake tooling w/out having to build from a git clone.
clamonacc changes:
- Renamed FANOTIFY macro to HAVE_SYS_FANOTIFY_H to better match other
similar macros.
- Added a new clamav-clamonacc.service systemd unit file, based on
the work of ChadDevOps & Aaron Brighton.
- Added missing clamonacc man page.
Updates to clamdscan man page, add missing options.
Remove vestigial CL_NOLIBCLAMAV definitions (all apps now use
libclamav).
Rename Windows mspack.dll to libmspack.dll so all ClamAV-built
libraries have the lib-prefix with Visual Studio as with CMake.
2020-08-13 00:25:34 -07:00
# include "tar.h"
# include "clamdcom.h"
# include "cert_util.h"
2019-03-26 15:09:52 -04:00
# include "libfreshclam.h"
# include "libfreshclam_internal.h"
# include "dns.h"
# define DB_FILENAME_MAX 60
# define CVD_HEADER_SIZE 512
/*
* Globals
*/
/* Callback function pointers */
fccb_download_complete g_cb_download_complete = NULL ;
/* Configuration options */
char * g_localIP = NULL ;
char * g_userAgent = NULL ;
char * g_proxyServer = NULL ;
uint16_t g_proxyPort = 0 ;
char * g_proxyUsername = NULL ;
char * g_proxyPassword = NULL ;
char * g_tempDirectory = NULL ;
char * g_databaseDirectory = NULL ;
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
void * g_signVerifier = NULL ;
2019-03-26 15:09:52 -04:00
uint32_t g_maxAttempts = 0 ;
uint32_t g_connectTimeout = 0 ;
uint32_t g_requestTimeout = 0 ;
uint32_t g_bCompressLocalDatabase = 0 ;
2021-05-24 18:37:33 -07:00
freshclam_dat_v1_t * g_freshclamDat = NULL ;
2021-03-21 19:47:21 -07:00
2024-03-15 16:40:20 -04:00
uint8_t g_lastRay [ CFRAY_LEN + 1 ] = { 0 } ;
FIPS & FIPS-like limits on hash algs for cryptographic uses
ClamAV will not function when using a FIPS-enabled OpenSSL 3.x.
This is because ClamAV uses MD5 and SHA1 algorithms for a variety of
purposes including matching for malware detection, matching to prevent
false positives on known-clean files, and for verification of MD5-based
RSA digital signatures for determining CVD (signature database archive)
authenticity.
Interestingly, FIPS had been intentionally bypassed when creating hashes
based whole buffers and whole files (by descriptor or `FILE`-pointer):
https://github.com/Cisco-Talos/clamav/commit/78d4a9985a06a418dd1338c94ee5db461035d75b
Note: this bypassed FIPS the 1.x way with:
`EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);`
It was NOT disabled when using `cl_hash_init()` / `cl_update_hash()` /
`cl_finish_hash()`. That likely worked by coincidence in that the hash
was already calculated most of the time. It certainly would have made
use of those functions if the hash had not been calculated prior:
https://github.com/Cisco-Talos/clamav/blob/78d4a9985a06a418dd1338c94ee5db461035d75b/libclamav/matcher.c#L743
Regardless, bypassing FIPS entirely is not the correct solution.
The FIPS restrictions against using MD5 and SHA1 are valid, particularly
when verifying CVD digital siganatures, but also I think when using a
hash to determine if the file is known-clean (i.e. the "clean cache" and
also MD5-based and SHA1-based FP signatures).
This commit extends the work to bypass FIPS using the newer 3.x method:
`md = EVP_MD_fetch(NULL, alg, "-fips");`
It does this for the legacy `cl_hash*()` functions including
`cl_hash_init()` / `cl_update_hash()` / `cl_finish_hash()`.
It also introduces extended versions that allow the caller to choose if
they want to bypass FIPS:
- `cl_hash_data_ex()`
- `cl_hash_init_ex()`
- `cl_update_hash_ex()`
- `cl_finish_hash_ex()`
- `cl_hash_destroy_ex()`
- `cl_hash_file_fd_ex()`
See the `flags` parameter for each.
Ironically, this commit does NOT use the new functions at this time.
The rational is that ClamAV may need MD5, SHA1, and SHA-256 hashes of
the same files both for determining if the file is malware, and for
determining if the file is clean.
So instead, this commit will do a checks when:
1. Creating a new ClamAV scanning engine. If FIPS-mode enabled, it will
automatically toggle the "FIPS limits" engine option.
When loading signatures, if the engine "FIPS limits" option is enabled,
then MD5 and SHA1 FP signatures will be skipped.
2. Before verifying a CVD (e.g. also for loading, unpacking when
verification enabled).
If "FIPS limits" or FIPS-mode are enabled, then the legacy MD5-based RSA
method is disabled.
Note: This commit also refactors the interface for `cl_cvdverify_ex()`
and `cl_cvdunpack_ex()` so they take a `flags` parameters, rather than a
single `bool`. As these functions are new in this version, it does not
break the ABI.
The cache was already switched to use SHA2-256, so that's not a concern
for checking FIPS-mode / FIPS limits options.
This adds an option for `freshclam.conf` and `clamd.conf`:
FIPSCryptoHashLimits yes
And an equivalent command-line option for `clamscan` and `sigtool`:
--fips-limits
You may programmatically enable FIPS-limits for a ClamAV engine like this:
```C
cl_engine_set_num(engine, CL_ENGINE_FIPS_LIMITS, 1);
```
CLAM-2792
2025-07-01 20:41:47 -04:00
bool g_bFipsLimits = false ;
2021-03-21 19:47:21 -07:00
/** @brief Generate a Version 4 UUID according to RFC-4122
*
* Uses the openssl RAND_bytes function to generate a Version 4 UUID .
*
2021-03-25 13:31:46 -07:00
* Copyright 2021 Karthik Velakur with some modifications by the ClamAV team .
2021-03-21 19:47:21 -07:00
* License : MIT
* From : https : //gist.github.com/kvelakur/9069c9896577c3040030
*
* @ param buffer A buffer that is SIZEOF_UUID_V4
*/
2021-03-25 13:31:46 -07:00
static void uuid_v4_gen ( char * buffer )
2021-03-21 19:47:21 -07:00
{
union {
struct
{
uint32_t time_low ;
uint16_t time_mid ;
uint16_t time_hi_and_version ;
uint8_t clk_seq_hi_res ;
uint8_t clk_seq_low ;
uint8_t node [ 6 ] ;
} ;
uint8_t __rnd [ 16 ] ;
} uuid ;
2021-03-25 13:31:46 -07:00
if ( 0 > = RAND_bytes ( uuid . __rnd , sizeof ( uuid . __rnd ) ) ) {
/* Failed to generate random bytes for new UUID */
memset ( uuid . __rnd , 0 , sizeof ( uuid . __rnd ) ) ;
uuid . time_low = ( uint32_t ) time ( NULL ) ;
}
2021-03-21 19:47:21 -07:00
// Refer Section 4.2 of RFC-4122
// https://tools.ietf.org/html/rfc4122#section-4.2
uuid . clk_seq_hi_res = ( uint8_t ) ( ( uuid . clk_seq_hi_res & 0x3F ) | 0x80 ) ;
uuid . time_hi_and_version = ( uint16_t ) ( ( uuid . time_hi_and_version & 0x0FFF ) | 0x4000 ) ;
snprintf ( buffer , SIZEOF_UUID_V4 , " %08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x " ,
uuid . time_low , uuid . time_mid , uuid . time_hi_and_version ,
uuid . clk_seq_hi_res , uuid . clk_seq_low ,
uuid . node [ 0 ] , uuid . node [ 1 ] , uuid . node [ 2 ] ,
uuid . node [ 3 ] , uuid . node [ 4 ] , uuid . node [ 5 ] ) ;
buffer [ SIZEOF_UUID_V4 - 1 ] = 0 ;
2021-03-25 13:31:46 -07:00
return ;
2021-03-21 19:47:21 -07:00
}
2021-05-24 18:37:33 -07:00
fc_error_t load_freshclam_dat ( void )
2021-03-21 19:47:21 -07:00
{
2021-06-02 13:26:51 -07:00
fc_error_t status = FC_EINIT ;
int handle = - 1 ;
ssize_t bread = 0 ;
2021-05-24 18:37:33 -07:00
freshclam_dat_v1_t * mdat = NULL ;
2021-06-02 13:26:51 -07:00
uint32_t version = 0 ;
char magic [ 13 ] = { 0 } ;
2021-03-21 19:47:21 -07:00
/* Change directory to database directory */
if ( chdir ( g_databaseDirectory ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " Can't change dir to %s \n " , g_databaseDirectory ) ;
2021-03-21 19:47:21 -07:00
status = FC_EDIRECTORY ;
goto done ;
}
2022-02-16 00:13:55 +01:00
logg ( LOGG_DEBUG , " Current working dir is %s \n " , g_databaseDirectory ) ;
2021-03-21 19:47:21 -07:00
2021-05-24 18:37:33 -07:00
if ( - 1 = = ( handle = open ( " freshclam.dat " , O_RDONLY | O_BINARY ) ) ) {
2021-03-21 19:47:21 -07:00
char currdir [ PATH_MAX ] ;
if ( getcwd ( currdir , sizeof ( currdir ) ) )
2022-02-16 00:13:55 +01:00
logg ( LOGG_DEBUG , " Can't open freshclam.dat in %s \n " , currdir ) ;
2021-03-21 19:47:21 -07:00
else
2022-02-16 00:13:55 +01:00
logg ( LOGG_DEBUG , " Can't open freshclam.dat in the current directory \n " ) ;
2021-03-21 19:47:21 -07:00
2022-02-16 00:13:55 +01:00
logg ( LOGG_DEBUG , " It probably doesn't exist yet. That's ok. \n " ) ;
2021-03-21 19:47:21 -07:00
status = FC_EFILE ;
goto done ;
}
if ( strlen ( MIRRORS_DAT_MAGIC ) ! = ( bread = read ( handle , & magic , strlen ( MIRRORS_DAT_MAGIC ) ) ) ) {
char error_message [ 260 ] ;
cli_strerror ( errno , error_message , 260 ) ;
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " Can't read magic from freshclam.dat. Bytes read: %zi, error: %s \n " , bread , error_message ) ;
2021-03-21 19:47:21 -07:00
goto done ;
}
if ( 0 ! = strncmp ( magic , MIRRORS_DAT_MAGIC , strlen ( MIRRORS_DAT_MAGIC ) ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_DEBUG , " Magic bytes for freshclam.dat did not match expectations. \n " ) ;
2021-03-21 19:47:21 -07:00
goto done ;
}
if ( sizeof ( uint32_t ) ! = ( bread = read ( handle , & version , sizeof ( uint32_t ) ) ) ) {
char error_message [ 260 ] ;
cli_strerror ( errno , error_message , 260 ) ;
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " Can't read version from freshclam.dat. Bytes read: %zi, error: %s \n " , bread , error_message ) ;
2021-03-21 19:47:21 -07:00
goto done ;
}
switch ( version ) {
case 1 : {
/* Verify that file size is as expected. */
off_t file_size = lseek ( handle , 0L , SEEK_END ) ;
2024-03-15 16:40:20 -04:00
size_t minSize = strlen ( MIRRORS_DAT_MAGIC ) + sizeof ( freshclam_dat_v1_t ) ;
if ( minSize > ( size_t ) file_size ) {
logg ( LOGG_DEBUG , " freshclam.dat is smaller than expected: %zu != %ld \n " , sizeof ( freshclam_dat_v1_t ) , file_size ) ;
2021-03-21 19:47:21 -07:00
goto done ;
}
/* Rewind to just after the magic bytes and read data struct */
2021-07-22 13:40:35 -07:00
if ( - 1 = = lseek ( handle , strlen ( MIRRORS_DAT_MAGIC ) , SEEK_SET ) ) {
char error_message [ 260 ] ;
cli_strerror ( errno , error_message , 260 ) ;
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " Can't seek to %lu, error: %s \n " , strlen ( MIRRORS_DAT_MAGIC ) , error_message ) ;
2021-07-22 13:40:35 -07:00
goto done ;
}
2021-03-21 19:47:21 -07:00
2021-05-24 18:37:33 -07:00
mdat = malloc ( sizeof ( freshclam_dat_v1_t ) ) ;
2021-03-21 19:47:21 -07:00
if ( NULL = = mdat ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " Failed to allocate memory for freshclam.dat \n " ) ;
2021-03-21 19:47:21 -07:00
status = FC_EMEM ;
goto done ;
}
2021-05-24 18:37:33 -07:00
if ( sizeof ( freshclam_dat_v1_t ) ! = ( bread = read ( handle , mdat , sizeof ( freshclam_dat_v1_t ) ) ) ) {
2021-03-21 19:47:21 -07:00
char error_message [ 260 ] ;
cli_strerror ( errno , error_message , 260 ) ;
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " Can't read from freshclam.dat. Bytes read: %zi, error: %s \n " , bread , error_message ) ;
2021-03-21 19:47:21 -07:00
goto done ;
}
2024-03-15 16:40:20 -04:00
if ( sizeof ( g_lastRay ) ! = ( bread = read ( handle , & g_lastRay , sizeof ( g_lastRay ) ) ) ) {
char error_message [ 260 ] ;
cli_strerror ( errno , error_message , 260 ) ;
2024-05-16 11:34:58 -04:00
logg ( LOGG_DEBUG , " Last cf-ray not present in freshclam.dat. \n " ) ;
2024-03-15 16:40:20 -04:00
memset ( g_lastRay , 0 , sizeof ( g_lastRay ) ) ;
}
2021-03-25 13:31:46 -07:00
/* Got it. */
2021-03-21 19:47:21 -07:00
close ( handle ) ;
2021-03-25 13:31:46 -07:00
handle = - 1 ;
2021-03-21 19:47:21 -07:00
/* This is the latest version.
If we change the format in the future , we may wish to create a new
2021-05-24 18:37:33 -07:00
freshclam . dat struct , import the relevant bits to the new format ,
and then save ( overwrite ) freshclam . dat with the new data . */
if ( NULL ! = g_freshclamDat ) {
free ( g_freshclamDat ) ;
2021-03-25 13:31:46 -07:00
}
2021-05-24 18:37:33 -07:00
g_freshclamDat = mdat ;
2021-06-02 13:26:51 -07:00
mdat = NULL ;
2021-03-21 19:47:21 -07:00
break ;
}
default : {
2022-02-16 00:13:55 +01:00
logg ( LOGG_DEBUG , " freshclam.dat version is different than expected: %u != %u \n " , 1 , version ) ;
2021-03-21 19:47:21 -07:00
goto done ;
}
}
2022-02-16 00:13:55 +01:00
logg ( LOGG_DEBUG , " Loaded freshclam.dat: \n " ) ;
logg ( LOGG_DEBUG , " version: %d \n " , g_freshclamDat - > version ) ;
logg ( LOGG_DEBUG , " uuid: %s \n " , g_freshclamDat - > uuid ) ;
2021-05-24 18:37:33 -07:00
if ( g_freshclamDat - > retry_after > 0 ) {
2021-03-21 19:47:21 -07:00
char retry_after_string [ 26 ] ;
2021-05-24 18:37:33 -07:00
struct tm * tm_info = localtime ( & g_freshclamDat - > retry_after ) ;
2021-03-25 13:31:46 -07:00
if ( NULL = = tm_info ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " Failed to query the local time for the retry-after date! \n " ) ;
2021-03-25 13:31:46 -07:00
goto done ;
}
2021-03-21 19:47:21 -07:00
strftime ( retry_after_string , 26 , " %Y-%m-%d %H:%M:%S " , tm_info ) ;
2022-02-16 00:13:55 +01:00
logg ( LOGG_DEBUG , " retry-after: %s \n " , retry_after_string ) ;
2021-03-21 19:47:21 -07:00
}
status = FC_SUCCESS ;
done :
if ( - 1 ! = handle ) {
close ( handle ) ;
}
if ( FC_SUCCESS ! = status ) {
2021-03-25 13:31:46 -07:00
if ( NULL ! = mdat ) {
free ( mdat ) ;
}
2021-05-24 18:37:33 -07:00
if ( NULL ! = g_freshclamDat ) {
free ( g_freshclamDat ) ;
g_freshclamDat = NULL ;
2021-03-25 13:31:46 -07:00
}
2021-03-21 19:47:21 -07:00
}
return status ;
}
2021-05-24 18:37:33 -07:00
fc_error_t save_freshclam_dat ( void )
2021-03-21 19:47:21 -07:00
{
fc_error_t status = FC_EINIT ;
int handle = - 1 ;
2021-05-24 18:37:33 -07:00
if ( NULL = = g_freshclamDat ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " Attempted to save freshclam.dat before initializing data struct! \n " ) ;
2021-03-25 13:31:46 -07:00
goto done ;
}
2021-05-24 18:37:33 -07:00
if ( - 1 = = ( handle = open ( " freshclam.dat " , O_WRONLY | O_CREAT | O_TRUNC | O_BINARY , 0644 ) ) ) {
2021-03-21 19:47:21 -07:00
char currdir [ PATH_MAX ] ;
if ( getcwd ( currdir , sizeof ( currdir ) ) )
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " Can't create freshclam.dat in %s \n " , currdir ) ;
2021-03-21 19:47:21 -07:00
else
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " Can't create freshclam.dat in the current directory \n " ) ;
2021-03-21 19:47:21 -07:00
2022-02-16 00:13:55 +01:00
logg ( LOGG_INFO , " Hint: The database directory must be writable for UID %d or GID %d \n " , getuid ( ) , getgid ( ) ) ;
2021-03-21 19:47:21 -07:00
status = FC_EDBDIRACCESS ;
goto done ;
}
if ( - 1 = = write ( handle , MIRRORS_DAT_MAGIC , strlen ( MIRRORS_DAT_MAGIC ) ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " Can't write to freshclam.dat \n " ) ;
2021-03-21 19:47:21 -07:00
}
2021-05-24 18:37:33 -07:00
if ( - 1 = = write ( handle , g_freshclamDat , sizeof ( freshclam_dat_v1_t ) ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " Can't write to freshclam.dat \n " ) ;
2021-03-21 19:47:21 -07:00
}
2024-03-15 16:40:20 -04:00
if ( - 1 = = write ( handle , & g_lastRay , sizeof ( g_lastRay ) ) ) {
logg ( LOGG_ERROR , " Can't write to freshclam.dat \n " ) ;
}
2022-02-16 00:13:55 +01:00
logg ( LOGG_DEBUG , " Saved freshclam.dat \n " ) ;
2021-03-21 19:47:21 -07:00
status = FC_SUCCESS ;
done :
if ( - 1 ! = handle ) {
close ( handle ) ;
}
return status ;
}
2021-05-24 18:37:33 -07:00
fc_error_t new_freshclam_dat ( void )
2021-03-21 19:47:21 -07:00
{
fc_error_t status = FC_EINIT ;
2021-05-24 18:37:33 -07:00
freshclam_dat_v1_t * mdat = calloc ( 1 , sizeof ( freshclam_dat_v1_t ) ) ;
2021-03-21 19:47:21 -07:00
if ( NULL = = mdat ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " Failed to allocate memory for freshclam.dat \n " ) ;
2021-03-21 19:47:21 -07:00
status = FC_EMEM ;
goto done ;
}
mdat - > version = 1 ;
mdat - > retry_after = 0 ;
2021-03-25 13:31:46 -07:00
uuid_v4_gen ( mdat - > uuid ) ;
2021-03-21 19:47:21 -07:00
2021-05-24 18:37:33 -07:00
if ( NULL ! = g_freshclamDat ) {
free ( g_freshclamDat ) ;
2021-03-25 13:31:46 -07:00
}
2021-05-24 18:37:33 -07:00
g_freshclamDat = mdat ;
2021-03-21 19:47:21 -07:00
2022-02-16 00:13:55 +01:00
logg ( LOGG_DEBUG , " Creating new freshclam.dat \n " ) ;
2021-03-21 19:47:21 -07:00
2021-05-24 18:37:33 -07:00
if ( FC_SUCCESS ! = save_freshclam_dat ( ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " Failed to save freshclam.dat! \n " ) ;
2021-03-21 19:47:21 -07:00
status = FC_EFILE ;
goto done ;
}
status = FC_SUCCESS ;
done :
if ( FC_SUCCESS ! = status ) {
if ( NULL ! = mdat ) {
free ( mdat ) ;
}
2021-05-24 18:37:33 -07:00
g_freshclamDat = NULL ;
2021-03-21 19:47:21 -07:00
}
return status ;
}
2019-03-26 15:09:52 -04:00
/**
* @ brief Get DNS text record field # for official databases .
*
* @ param database Official database name .
* @ return int DNS text record field #
*/
static int textrecordfield ( const char * database )
{
if ( ! strcmp ( database , " main " ) ) {
return 1 ;
} else if ( ! strcmp ( database , " daily " ) ) {
return 2 ;
} else if ( ! strcmp ( database , " bytecode " ) ) {
return 7 ;
} else if ( ! strcmp ( database , " safebrowsing " ) ) {
return 6 ;
}
return 0 ;
}
2021-03-25 13:31:46 -07:00
# if (LIBCURL_VERSION_MAJOR > 7) || ((LIBCURL_VERSION_MAJOR == 7) && (LIBCURL_VERSION_MINOR >= 61))
2019-07-08 13:28:39 -07:00
/* In libcurl 7.61.0, support was added for extracting the time in plain
microseconds . Older libcurl versions are stuck in using ' double ' for this
information so we complicate this example a bit by supporting either
approach . */
# define TIME_IN_US 1
# define TIMETYPE curl_off_t
# define TIMEOPT CURLINFO_TOTAL_TIME_T
# define MINIMAL_PROGRESS_FUNCTIONALITY_INTERVAL 3000000
# else
# define TIMETYPE double
# define TIMEOPT CURLINFO_TOTAL_TIME
# define MINIMAL_PROGRESS_FUNCTIONALITY_INTERVAL 3
# endif
# define STOP_DOWNLOAD_AFTER_THIS_MANY_BYTES 6000
struct xfer_progress {
TIMETYPE lastRunTime ; /* type depends on version, see above */
uint8_t bComplete ;
CURL * curl ;
} ;
2020-05-30 20:39:20 -04:00
static void printTime ( double seconds )
2019-08-09 15:42:55 -04:00
{
2020-05-30 20:39:20 -04:00
if ( seconds > = 3600 ) {
fprintf ( stdout , " %2.0fh %02.0fm " , trunc ( seconds / 3600 ) , trunc ( fmod ( seconds , 3600.0 ) / 60 ) ) ;
} else if ( seconds > = 60 ) {
fprintf ( stdout , " %2.0fm %02.0fs " , trunc ( seconds / 60 ) , trunc ( fmod ( seconds , 60.0 ) ) ) ;
} else {
fprintf ( stdout , " %6.1fs " , seconds ) ;
2020-07-24 08:32:47 -07:00
}
2020-05-30 20:39:20 -04:00
}
static void printBytes ( curl_off_t bytes , int bPad )
{
if ( bytes > = ( 1024 * 1024 ) ) {
const char * format = bPad ? " %7.02fMiB " : " %.02fMiB " ;
2020-07-24 08:32:47 -07:00
double megabytes = bytes / ( double ) ( 1024 * 1024 ) ;
2020-05-30 20:39:20 -04:00
fprintf ( stdout , format , megabytes ) ;
} else if ( bytes > = 1024 ) {
const char * format = bPad ? " %7.02fKiB " : " %.02fKiB " ;
2020-07-24 08:32:47 -07:00
double kilobytes = bytes / ( double ) ( 1024 ) ;
2020-05-30 20:39:20 -04:00
fprintf ( stdout , format , kilobytes ) ;
2019-08-09 15:42:55 -04:00
} else {
2020-05-30 20:39:20 -04:00
const char * format = bPad ? " %9 " CURL_FORMAT_CURL_OFF_T " B " : " % " CURL_FORMAT_CURL_OFF_T " B " ;
fprintf ( stdout , format , bytes ) ;
2019-08-09 15:42:55 -04:00
}
}
2019-07-08 13:28:39 -07:00
/**
* Function from curl example code , Copyright ( C ) 1998 - 2018 , Daniel Stenberg , see COPYING . curl for license details
* Progress bar callback function ( CURLOPT_XFERINFOFUNCTION ) .
*/
static int xferinfo ( void * prog ,
curl_off_t TotalToDownload , curl_off_t NowDownloaded ,
curl_off_t TotalToUpload , curl_off_t NowUploaded )
{
struct xfer_progress * xferProg = ( struct xfer_progress * ) prog ;
CURL * curl = xferProg - > curl ;
TIMETYPE curtime = 0 ;
TIMETYPE remtime = 0 ;
uint32_t i = 0 ;
2020-05-30 20:39:20 -04:00
uint32_t totalNumDots = 25 ;
2019-07-08 13:28:39 -07:00
uint32_t numDots = 0 ;
double fractiondownloaded = 0.0 ;
2020-07-31 16:04:38 -07:00
UNUSEDPARAM ( TotalToUpload ) ;
UNUSEDPARAM ( NowUploaded ) ;
2019-07-08 13:28:39 -07:00
if ( ( TotalToDownload < = 0.0 ) | | ( xferProg - > bComplete ) ) {
return 0 ;
}
fractiondownloaded = ( double ) NowDownloaded / ( double ) TotalToDownload ;
numDots = round ( fractiondownloaded * totalNumDots ) ;
curl_easy_getinfo ( curl , TIMEOPT , & curtime ) ;
xferProg - > lastRunTime = curtime ;
2019-12-24 08:13:47 -05:00
# ifndef _WIN32
fprintf ( stdout , " \ e[?7l " ) ;
# endif
2019-07-08 13:28:39 -07:00
# ifdef TIME_IN_US
if ( fractiondownloaded < = 0.0 ) {
2020-05-30 20:39:20 -04:00
fprintf ( stdout , " Time: " ) ;
printTime ( curtime / 1000000.0 ) ;
fprintf ( stdout , " " ) ;
2019-07-08 13:28:39 -07:00
} else {
2020-06-06 14:40:08 -04:00
remtime = ( curtime / fractiondownloaded ) - curtime ;
2020-05-30 20:39:20 -04:00
fprintf ( stdout , " Time: " ) ;
printTime ( curtime / 1000000.0 ) ;
fprintf ( stdout , " , ETA: " ) ;
printTime ( remtime / 1000000.0 ) ;
fprintf ( stdout , " " ) ;
2019-07-08 13:28:39 -07:00
}
# else
if ( fractiondownloaded < = 0.0 ) {
2020-05-30 20:39:20 -04:00
fprintf ( stdout , " Time: " ) ;
printTime ( curtime ) ;
fprintf ( stdout , " " ) ;
2019-07-08 13:28:39 -07:00
} else {
2020-06-06 14:40:08 -04:00
remtime = ( curtime / fractiondownloaded ) - curtime ;
2020-05-30 20:39:20 -04:00
fprintf ( stdout , " Time: " ) ;
printTime ( curtime ) ;
fprintf ( stdout , " , ETA: " ) ;
printTime ( remtime ) ;
fprintf ( stdout , " " ) ;
2019-07-08 13:28:39 -07:00
}
# endif
2019-08-09 15:42:55 -04:00
fprintf ( stdout , " [ " ) ;
2019-07-08 13:28:39 -07:00
if ( numDots > 0 ) {
if ( numDots > 1 ) {
for ( i = 0 ; i < numDots - 1 ; i + + ) {
fprintf ( stdout , " = " ) ;
}
}
2020-05-30 20:39:20 -04:00
fprintf ( stdout , " > " ) ;
i + + ;
2019-07-08 13:28:39 -07:00
}
for ( ; i < totalNumDots ; i + + ) {
2020-05-30 20:39:20 -04:00
fprintf ( stdout , " " ) ;
2019-07-08 13:28:39 -07:00
}
2019-08-09 15:42:55 -04:00
fprintf ( stdout , " ] " ) ;
2020-06-06 14:40:08 -04:00
printBytes ( NowDownloaded , 1 ) ;
fprintf ( stdout , " / " ) ;
printBytes ( TotalToDownload , 0 ) ;
2019-08-09 15:42:55 -04:00
2019-07-08 13:28:39 -07:00
if ( NowDownloaded < TotalToDownload ) {
2020-05-30 20:39:20 -04:00
fprintf ( stdout , " \r " ) ;
2019-07-08 13:28:39 -07:00
} else {
2020-05-30 20:39:20 -04:00
fprintf ( stdout , " \n " ) ;
2019-07-08 13:28:39 -07:00
xferProg - > bComplete = 1 ;
}
2019-12-24 08:13:47 -05:00
# ifndef _WIN32
fprintf ( stdout , " \ e[?7h " ) ;
# endif
2019-07-08 13:28:39 -07:00
fflush ( stdout ) ;
return 0 ;
}
2021-03-25 13:31:46 -07:00
# if (LIBCURL_VERSION_MAJOR < 7) || ((LIBCURL_VERSION_MAJOR == 7) && (LIBCURL_VERSION_MINOR < 32))
2019-07-08 13:28:39 -07:00
/**
* Function from curl example code , Copyright ( C ) 1998 - 2018 , Daniel Stenberg , see COPYING . curl for license details
* Older style progress bar callback shim ; for libcurl older than 7.32 .0 ( CURLOPT_PROGRESSFUNCTION ) .
*/
static int older_progress ( void * prog ,
double TotalToDownload , double NowDownloaded ,
double TotalToUpload , double NowUploaded )
{
return xferinfo ( prog ,
( curl_off_t ) TotalToDownload ,
( curl_off_t ) NowDownloaded ,
( curl_off_t ) TotalToUpload ,
( curl_off_t ) NowUploaded ) ;
}
# endif
2019-03-26 15:09:52 -04:00
static fc_error_t create_curl_handle (
int bHttp ,
int bAllowRedirect ,
CURL * * curlHandle )
{
fc_error_t status = FC_EARG ;
2019-07-08 13:28:39 -07:00
CURL * curl = NULL ;
2019-09-18 14:38:43 -04:00
# if (LIBCURL_VERSION_MAJOR > 7) || ((LIBCURL_VERSION_MAJOR == 7) && (LIBCURL_VERSION_MINOR >= 33))
2019-03-26 15:09:52 -04:00
CURLcode curl_ret = CURLE_OK ;
2019-07-08 13:28:39 -07:00
# endif
2019-03-26 15:09:52 -04:00
char userAgent [ 128 ] ;
if ( NULL = = curlHandle ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " create_curl_handle: Invalid arguments! \n " ) ;
2019-03-26 15:09:52 -04:00
goto done ;
}
* curlHandle = NULL ;
curl = curl_easy_init ( ) ;
if ( NULL = = curl ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " create_curl_handle: curl_easy_init failed! \n " ) ;
2019-03-26 15:09:52 -04:00
status = FC_EINIT ;
goto done ;
}
2021-03-21 19:47:21 -07:00
if ( g_userAgent ) {
2019-03-26 15:09:52 -04:00
strncpy ( userAgent , g_userAgent , sizeof ( userAgent ) ) ;
2021-03-21 19:47:21 -07:00
} else {
/*
* Use a randomly generated UUID in the User - Agent
* We ' ll try to load it from a file in the database directory .
* If none exists , we ' ll create a new one and save it to said file .
*/
2019-03-26 15:09:52 -04:00
snprintf ( userAgent , sizeof ( userAgent ) ,
2021-03-21 19:47:21 -07:00
PACKAGE " /%s (OS: " TARGET_OS_TYPE " , ARCH: " TARGET_ARCH_TYPE " , CPU: " TARGET_CPU_TYPE " , UUID: %s) " ,
get_version ( ) ,
2021-05-24 18:37:33 -07:00
g_freshclamDat - > uuid ) ;
2021-03-21 19:47:21 -07:00
}
2019-03-26 15:09:52 -04:00
userAgent [ sizeof ( userAgent ) - 1 ] = 0 ;
if ( mprintf_verbose ) {
/* ask libcurl to show us the verbose output */
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_VERBOSE , 1L ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " create_curl_handle: Failed to set CURLOPT_VERBOSE! \n " ) ;
2019-03-26 15:09:52 -04:00
}
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_STDERR , stdout ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " create_curl_handle: Failed to direct curl debug output to stdout! \n " ) ;
2019-03-26 15:09:52 -04:00
}
}
if ( bHttp ) {
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_USERAGENT , userAgent ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " create_curl_handle: Failed to set CURLOPT_USERAGENT (%s)! \n " , userAgent ) ;
2019-03-26 15:09:52 -04:00
}
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_CONNECTTIMEOUT , g_connectTimeout ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " create_curl_handle: Failed to set CURLOPT_CONNECTTIMEOUT (%u)! \n " , g_connectTimeout ) ;
2019-03-26 15:09:52 -04:00
}
2021-08-23 18:35:55 +01:00
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_LOW_SPEED_TIME , g_requestTimeout ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " create_curl_handle: Failed to set CURLOPT_LOW_SPEED_TIME (%u)! \n " , g_requestTimeout ) ;
2021-08-23 18:35:55 +01:00
}
if ( g_requestTimeout > 0 ) {
/* Minimum speed is 1 byte/second over the previous g_requestTimeout seconds. */
int minimumSpeed = 1 ;
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_LOW_SPEED_LIMIT , minimumSpeed ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " create_curl_handle: Failed to set CURLOPT_LOW_SPEED_LIMIT (%u)! \n " , minimumSpeed ) ;
2021-08-23 18:35:55 +01:00
}
2019-03-26 15:09:52 -04:00
}
if ( bAllowRedirect ) {
/* allow three redirects */
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_FOLLOWLOCATION , 1L ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " create_curl_handle: Failed to set CURLOPT_FOLLOWLOCATION! \n " ) ;
2019-03-26 15:09:52 -04:00
}
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_MAXREDIRS , 3L ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " create_curl_handle: Failed to set CURLOPT_MAXREDIRS! \n " ) ;
2019-03-26 15:09:52 -04:00
}
}
}
2019-09-18 14:38:43 -04:00
# if (LIBCURL_VERSION_MAJOR > 7) || ((LIBCURL_VERSION_MAJOR == 7) && (LIBCURL_VERSION_MINOR >= 33))
2019-03-26 15:09:52 -04:00
if ( g_localIP ) {
if ( NULL = = strchr ( g_localIP , ' : ' ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_DEBUG , " Local IPv4 address requested: %s \n " , g_localIP ) ;
2019-03-26 15:09:52 -04:00
curl_ret = curl_easy_setopt ( curl , CURLOPT_DNS_LOCAL_IP4 , g_localIP ) ; // Option requires libcurl built with c-ares
switch ( curl_ret ) {
case CURLE_BAD_FUNCTION_ARGUMENT :
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " create_curl_handle: Unable to bind DNS resolves to %s. Invalid IPv4 address. \n " , g_localIP ) ;
2019-03-26 15:09:52 -04:00
status = FC_ECONFIG ;
goto done ;
break ;
case CURLE_UNKNOWN_OPTION :
case CURLE_NOT_BUILT_IN :
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " create_curl_handle: Unable to bind DNS resolves to %s. Option requires that libcurl was built with c-ares. \n " , g_localIP ) ;
2019-03-26 15:09:52 -04:00
status = FC_ECONFIG ;
goto done ;
default :
break ;
}
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_IPRESOLVE , CURL_IPRESOLVE_V4 ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " create_curl_handle: Failed to set CURLOPT_IPRESOLVE (IPv4)! \n " ) ;
2019-03-26 15:09:52 -04:00
}
} else {
2022-02-16 00:13:55 +01:00
logg ( LOGG_DEBUG , " Local IPv6 address requested: %s \n " , g_localIP ) ;
2019-03-26 15:09:52 -04:00
curl_ret = curl_easy_setopt ( curl , CURLOPT_DNS_LOCAL_IP6 , g_localIP ) ; // Option requires libcurl built with c-ares
switch ( curl_ret ) {
case CURLE_BAD_FUNCTION_ARGUMENT :
2022-02-16 00:13:55 +01:00
logg ( LOGG_WARNING , " create_curl_handle: Unable to bind DNS resolves to %s. Invalid IPv4 address. \n " , g_localIP ) ;
2019-03-26 15:09:52 -04:00
status = FC_ECONFIG ;
goto done ;
break ;
case CURLE_UNKNOWN_OPTION :
case CURLE_NOT_BUILT_IN :
2022-02-16 00:13:55 +01:00
logg ( LOGG_WARNING , " create_curl_handle: Unable to bind DNS resolves to %s. Option requires that libcurl was built with c-ares. \n " , g_localIP ) ;
2019-03-26 15:09:52 -04:00
status = FC_ECONFIG ;
goto done ;
default :
break ;
}
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_IPRESOLVE , CURL_IPRESOLVE_V6 ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " create_curl_handle: Failed to set CURLOPT_IPRESOLVE (IPv6)! \n " ) ;
2019-03-26 15:09:52 -04:00
}
}
}
2019-09-18 14:38:43 -04:00
# endif
2019-03-26 15:09:52 -04:00
if ( g_proxyServer ) {
/*
* Proxy requested .
*/
2022-02-16 00:13:55 +01:00
logg ( LOGG_DEBUG , " Using proxy: %s:%u \n " , g_proxyServer , g_proxyPort ) ;
2019-03-26 15:09:52 -04:00
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_PROXY , g_proxyServer ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " create_curl_handle: Failed to set CURLOPT_PROXY (%s)! \n " , g_proxyServer ) ;
2019-03-26 15:09:52 -04:00
}
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_PROXYPORT , g_proxyPort ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " create_curl_handle: Failed to set CURLOPT_PROXYPORT (%u)! \n " , g_proxyPort ) ;
2019-03-26 15:09:52 -04:00
}
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_HTTPPROXYTUNNEL , 1L ) ) { // Necessary?
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " create_curl_handle: Failed to set CURLOPT_HTTPPROXYTUNNEL (1)! \n " ) ;
2019-03-26 15:09:52 -04:00
}
# ifdef CURLOPT_SUPPRESS_CONNECT_HEADERS
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_SUPPRESS_CONNECT_HEADERS , 1L ) ) { // Necessary?
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " create_curl_handle: Failed to set CURLOPT_SUPPRESS_CONNECT_HEADERS (1)! \n " ) ;
2019-03-26 15:09:52 -04:00
}
# endif
if ( g_proxyUsername ) {
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_PROXYUSERNAME , g_proxyUsername ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " create_curl_handle: Failed to set CURLOPT_PROXYUSERNAME (%s)! \n " , g_proxyUsername ) ;
2019-03-26 15:09:52 -04:00
}
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_PROXYPASSWORD , g_proxyPassword ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " create_curl_handle: Failed to set CURLOPT_PROXYPASSWORD (%s)! \n " , g_proxyPassword ) ;
2019-03-26 15:09:52 -04:00
}
}
}
2019-06-16 21:16:16 -04:00
# if defined(C_DARWIN) || defined(_WIN32)
2019-03-26 15:09:52 -04:00
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_SSL_CTX_FUNCTION , * sslctx_function ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_DEBUG , " create_curl_handle: Failed to set SSL CTX function. Your libcurl may use an SSL backend that does not support CURLOPT_SSL_CTX_FUNCTION. \n " ) ;
2019-03-26 15:09:52 -04:00
}
2020-03-27 12:13:11 -07:00
# else
2023-08-02 15:51:04 -07:00
/* Use an alternate CA bundle, if specified by the CURL_CA_BUNDLE environment variable. */
2020-03-27 12:13:11 -07:00
set_tls_ca_bundle ( curl ) ;
2019-03-26 15:09:52 -04:00
# endif
2023-08-02 15:51:04 -07:00
/* Authenticate using a client certificate and private key, if specified by the FRESHCLAM_CLIENT_CERT, FRESHCLAM_CLIENT_KEY, and FRESHCLAM_CLIENT_KEY_PASSWD environment variables. */
2023-08-08 10:35:14 -07:00
if ( CL_SUCCESS ! = set_tls_client_certificate ( curl ) ) {
2024-01-19 09:08:36 -08:00
logg ( LOGG_DEBUG , " create_curl_handle: Failed to set certificate and private key for client authentication. \n " ) ;
2023-08-08 10:35:14 -07:00
goto done ;
}
2023-08-02 15:51:04 -07:00
2019-03-26 15:09:52 -04:00
* curlHandle = curl ;
status = FC_SUCCESS ;
done :
if ( FC_SUCCESS ! = status ) {
if ( NULL ! = curl ) {
curl_easy_cleanup ( curl ) ;
}
}
return status ;
}
struct MemoryStruct {
char * buffer ;
size_t size ;
} ;
static size_t WriteMemoryCallback ( void * contents , size_t size , size_t nmemb , void * userp )
{
size_t real_size = size * nmemb ;
struct MemoryStruct * receivedData = ( struct MemoryStruct * ) userp ;
if ( ( NULL = = contents ) | | ( NULL = = userp ) ) {
return 0 ;
}
char * newBuffer = realloc ( receivedData - > buffer , receivedData - > size + real_size + 1 ) ;
if ( NULL = = newBuffer ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " remote_cvdhead - recv callback: Failed to allocate memory CVD header data. \n " ) ;
2019-03-26 15:09:52 -04:00
return 0 ;
}
receivedData - > buffer = newBuffer ;
memcpy ( & ( receivedData - > buffer [ receivedData - > size ] ) , contents , real_size ) ;
receivedData - > size + = real_size ;
receivedData - > buffer [ receivedData - > size ] = 0 ;
return real_size ;
}
struct FileStruct {
int handle ;
size_t size ;
} ;
static size_t WriteFileCallback ( void * contents , size_t size , size_t nmemb , void * userp )
{
size_t real_size = size * nmemb ;
struct FileStruct * receivedFile = ( struct FileStruct * ) userp ;
size_t bytes_written = 0 ;
if ( ( NULL = = contents ) | | ( NULL = = userp ) ) {
return 0 ;
}
bytes_written = write ( receivedFile - > handle , contents , real_size ) ;
receivedFile - > size + = bytes_written ;
return bytes_written ;
}
2024-03-15 16:40:20 -04:00
size_t HeaderCallback ( char * buffer ,
size_t size ,
size_t nitems ,
void * userdata )
{
const char * const needle = " cf-ray: " ;
size_t totBytes = size * nitems ;
if ( totBytes > = strlen ( needle ) + CFRAY_LEN ) {
if ( 0 = = strncmp ( needle , buffer , strlen ( needle ) ) ) {
2024-03-26 09:07:26 -07:00
uint8_t * last = ( uint8_t * ) userdata ;
2024-03-15 16:40:20 -04:00
memcpy ( last , & ( buffer [ strlen ( needle ) ] ) , CFRAY_LEN ) ;
last [ CFRAY_LEN ] = 0 ;
}
}
return size * nitems ;
}
2019-03-26 15:09:52 -04:00
/**
* @ brief Get the cvd header info struct for the newest available database .
*
* The last - modified datetime will be used to set the If - Modified - Since header .
* If the remote CVD isn ' t newer , we should get an HTTP 304 and return
* FC_UPTODATE instead of FC_SUCCESS , and cvd will be NULL .
*
* @ param cvdfile database name including extension .
* @ param ifModifiedSince modified time of local database . May be 0 to always get the CVD header .
* @ param server server to use to retrieve for database header .
* @ param logerr non - zero to upgrade warnings to errors .
2021-07-16 11:47:23 -07:00
* @ param [ out ] cvd CVD header of newest available CVD , if FC_SUCCESS
2019-03-26 15:09:52 -04:00
* @ return fc_error_t FC_SUCCESS if CVD header obtained .
* @ return fc_error_t FC_UPTODATE if received 304 in response to ifModifiedSince date .
2023-11-26 15:01:19 -08:00
* @ return fc_error_t Another error code if failure occurred .
2019-03-26 15:09:52 -04:00
*/
static fc_error_t remote_cvdhead (
const char * cvdfile ,
uint32_t ifModifiedSince ,
char * server ,
int logerr ,
struct cl_cvd * * cvd )
{
fc_error_t ret ;
fc_error_t status = FC_EARG ;
int bHttpServer = 0 ;
char * url = NULL ;
size_t urlLen = 0 ;
char head [ CVD_HEADER_SIZE + 1 ] ;
struct MemoryStruct receivedData = { 0 } ;
unsigned int i ;
struct cl_cvd * cvdhead ;
CURL * curl = NULL ;
CURLcode curl_ret ;
char errbuf [ CURL_ERROR_SIZE ] ;
struct curl_slist * slist = NULL ;
2019-07-08 13:28:39 -07:00
struct xfer_progress prog ;
2019-03-26 15:09:52 -04:00
long http_code = 0 ;
if ( NULL = = cvd ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " remote_cvdhead: Invalid arguments. \n " ) ;
2019-03-26 15:09:52 -04:00
goto done ;
}
* cvd = NULL ;
if ( 0 = = strncasecmp ( server , " http " , strlen ( " http " ) ) ) {
bHttpServer = 1 ;
}
/*
* Request CVD header .
*/
urlLen = strlen ( server ) + strlen ( " / " ) + strlen ( cvdfile ) ;
url = malloc ( urlLen + 1 ) ;
snprintf ( url , urlLen + 1 , " %s/%s " , server , cvdfile ) ;
2022-02-16 00:13:55 +01:00
logg ( LOGG_INFO , " Trying to retrieve CVD header from %s \n " , url ) ;
2019-03-26 15:09:52 -04:00
if ( FC_SUCCESS ! = ( ret = create_curl_handle (
bHttpServer , // Set extra HTTP-specific headers.
1 , // Allow redirects.
& curl ) ) ) { // [out] curl session handle.
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " remote_cvdhead: Failed to create curl handle. \n " ) ;
2019-03-26 15:09:52 -04:00
status = ret ;
goto done ;
}
2019-08-04 17:44:20 -04:00
# ifdef HAVE_UNISTD_H
if ( ! mprintf_quiet & & ( mprintf_progress | | isatty ( fileno ( stdout ) ) ) )
# else
if ( ! mprintf_quiet )
# endif
{
2019-07-08 13:28:39 -07:00
prog . lastRunTime = 0 ;
prog . curl = curl ;
prog . bComplete = 0 ;
2021-03-25 13:31:46 -07:00
# if (LIBCURL_VERSION_MAJOR > 7) || ((LIBCURL_VERSION_MAJOR == 7) && (LIBCURL_VERSION_MINOR >= 32))
2019-07-08 13:28:39 -07:00
/* xferinfo was introduced in 7.32.0, no earlier libcurl versions will
compile as they won ' t have the symbols around .
If built with a newer libcurl , but running with an older libcurl :
curl_easy_setopt ( ) will fail in run - time trying to set the new
callback , making the older callback get used .
New libcurls will prefer the new callback and instead use that one even
if both callbacks are set . */
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_XFERINFOFUNCTION , xferinfo ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " remote_cvdhead: Failed to set transfer info function! \n " ) ;
2019-07-08 13:28:39 -07:00
}
/* pass the struct pointer into the xferinfo function, note that this is
2019-09-23 22:00:49 -04:00
an alias to CURLOPT_PROGRESSDATA */
2019-07-08 13:28:39 -07:00
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_XFERINFODATA , & prog ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " remote_cvdhead: Failed to set transfer info data structure! \n " ) ;
2019-07-08 13:28:39 -07:00
}
# else
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_PROGRESSFUNCTION , older_progress ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " remote_cvdhead: Failed to set progress function! \n " ) ;
2019-07-08 13:28:39 -07:00
}
/* pass the struct pointer into the progress function */
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_PROGRESSDATA , & prog ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " remote_cvdhead: Failed to set progress data structure! \n " ) ;
2019-07-08 13:28:39 -07:00
}
# endif
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_NOPROGRESS , 0L ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " remote_cvdhead: Failed to disable progress function! \n " ) ;
2019-07-08 13:28:39 -07:00
}
}
2019-03-26 15:09:52 -04:00
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_URL , url ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " remote_cvdhead: Failed to set CURLOPT_URL for curl session (%s). \n " , url ) ;
2019-03-26 15:09:52 -04:00
status = FC_EFAILEDGET ;
goto done ;
}
if ( bHttpServer ) {
/*
* For HTTP , set some extra headers .
*/
struct curl_slist * temp = NULL ;
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_HTTPGET , 1L ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " remote_cvdhead: Failed to set CURLOPT_HTTPGET for curl session. \n " ) ;
2019-03-26 15:09:52 -04:00
}
# ifdef FRESHCLAM_NO_CACHE
if ( NULL = = ( temp = curl_slist_append ( slist , " Cache-Control: no-cache " ) ) ) { // Necessary?
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " remote_cvdhead: Failed to append \" Cache-Control: no-cache \" header to custom curl header list. \n " ) ;
2019-03-26 15:09:52 -04:00
} else {
slist = temp ;
}
# endif
if ( NULL = = ( temp = curl_slist_append ( slist , " Connection: close " ) ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " remote_cvdhead: Failed to append \" Connection: close \" header to custom curl header list. \n " ) ;
2019-03-26 15:09:52 -04:00
} else {
slist = temp ;
}
if ( NULL ! = slist ) {
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_HTTPHEADER , slist ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " remote_cvdhead: Failed to add custom header list to curl session. \n " ) ;
2019-03-26 15:09:52 -04:00
}
}
}
if ( 0 ! = ifModifiedSince ) {
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_TIMEVALUE , ifModifiedSince ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " remote_cvdhead: Failed to set if-Modified-Since time value for curl session. \n " ) ;
2019-03-26 15:09:52 -04:00
}
/* If-Modified-Since the above time stamp */
else if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_TIMECONDITION , CURL_TIMECOND_IFMODSINCE ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " remote_cvdhead: Failed to set if-Modified-Since time condition for curl session. \n " ) ;
2019-03-26 15:09:52 -04:00
}
}
/* Request only the first 512 bytes (CVD_HEADER_SIZE) */
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_RANGE , " 0-511 " ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " remote_cvdhead: Failed to set CURLOPT_RANGE CVD_HEADER_SIZE for curl session. \n " ) ;
2019-03-26 15:09:52 -04:00
}
2022-05-08 14:59:09 -07:00
receivedData . buffer = malloc ( 1 ) ; /* will be grown as needed by the realloc above */
receivedData . size = 0 ; /* no data at this point */
2019-03-26 15:09:52 -04:00
/* Send all data to this function */
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_WRITEFUNCTION , WriteMemoryCallback ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " remote_cvdhead: Failed to set write-data memory callback function for curl session. \n " ) ;
2019-03-26 15:09:52 -04:00
}
/* Pass our 'receivedData' struct to the callback function */
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_WRITEDATA , ( void * ) & receivedData ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " remote_cvdhead: Failed to set receivedData struct for write-data callback function for curl session. \n " ) ;
2019-03-26 15:09:52 -04:00
}
/*
* Perform download .
*/
memset ( errbuf , 0 , sizeof ( errbuf ) ) ;
curl_ret = curl_easy_perform ( curl ) ;
if ( curl_ret ! = CURLE_OK ) {
/*
* Show the error information .
* If no detailed error information was written to errbuf
* show the more generic information from curl_easy_strerror instead .
*/
size_t len = strlen ( errbuf ) ;
2023-04-12 22:49:17 -07:00
logg ( logerr ? LOGG_ERROR : LOGG_WARNING , " remote_cvdhead: Download failed (%d) " , curl_ret ) ;
2019-03-26 15:09:52 -04:00
if ( len )
2023-04-12 22:49:17 -07:00
logg ( logerr ? LOGG_ERROR : LOGG_WARNING , " Message: %s%s " , errbuf , ( ( errbuf [ len - 1 ] ! = ' \n ' ) ? " \n " : " " ) ) ;
2019-03-26 15:09:52 -04:00
else
2023-04-12 22:49:17 -07:00
logg ( logerr ? LOGG_ERROR : LOGG_WARNING , " Message: %s \n " , curl_easy_strerror ( curl_ret ) ) ;
2019-05-21 17:40:45 -04:00
status = FC_ECONNECTION ;
2019-03-26 15:09:52 -04:00
goto done ;
}
/* Check HTTP code */
curl_easy_getinfo ( curl , CURLINFO_RESPONSE_CODE , & http_code ) ;
switch ( http_code ) {
case 200 :
case 206 : {
status = FC_SUCCESS ;
break ;
}
case 304 : {
status = FC_UPTODATE ;
goto done ;
}
2021-03-21 19:47:21 -07:00
case 403 : {
status = FC_EFORBIDDEN ;
2021-10-06 17:02:44 -07:00
/* Try again in no less than 24 hours if freshclam received a 403 FORBIDDEN. */
g_freshclamDat - > retry_after = time ( NULL ) + 60 * 60 * 24 ;
( void ) save_freshclam_dat ( ) ;
2021-03-21 19:47:21 -07:00
break ;
}
case 429 : {
status = FC_ERETRYLATER ;
2021-03-25 13:31:46 -07:00
curl_off_t retry_after = 0 ;
# if (LIBCURL_VERSION_MAJOR > 7) || ((LIBCURL_VERSION_MAJOR == 7) && (LIBCURL_VERSION_MINOR >= 66))
/* CURLINFO_RETRY_AFTER was introduced in libcurl 7.66 */
2021-03-21 19:47:21 -07:00
/* Find out how long we should wait before allowing a retry. */
curl_easy_getinfo ( curl , CURLINFO_RETRY_AFTER , & retry_after ) ;
2021-03-25 13:31:46 -07:00
# endif
2021-03-21 19:47:21 -07:00
if ( retry_after > 0 ) {
/* The response gave us a Retry-After date. Use that. */
2021-05-24 18:37:33 -07:00
g_freshclamDat - > retry_after = time ( NULL ) + ( time_t ) retry_after ;
2021-03-21 19:47:21 -07:00
} else {
2021-03-25 13:31:46 -07:00
/* Try again in no less than 4 hours if the response didn't specify
or if CURLINFO_RETRY_AFTER is not supported . */
2021-05-24 18:37:33 -07:00
g_freshclamDat - > retry_after = time ( NULL ) + 60 * 60 * 4 ;
2021-03-21 19:47:21 -07:00
}
2021-05-24 18:37:33 -07:00
( void ) save_freshclam_dat ( ) ;
2021-03-21 19:47:21 -07:00
break ;
}
2019-03-26 15:09:52 -04:00
case 404 : {
if ( g_proxyServer )
2022-02-16 00:13:55 +01:00
logg ( LOGG_WARNING , " remote_cvdhead: file not found: %s (Proxy: %s:%u) \n " , url , g_proxyServer , g_proxyPort ) ;
2019-03-26 15:09:52 -04:00
else
2022-02-16 00:13:55 +01:00
logg ( LOGG_WARNING , " remote_cvdhead: file not found: %s \n " , url ) ;
2019-03-26 15:09:52 -04:00
status = FC_EFAILEDGET ;
goto done ;
}
case 522 : {
2022-02-16 00:13:55 +01:00
logg ( LOGG_WARNING , " remote_cvdhead: Origin Connection Time-out. Cloudflare was unable to reach the origin web server and the request timed out. URL: %s \n " , url ) ;
2019-03-26 15:09:52 -04:00
status = FC_EFAILEDGET ;
goto done ;
}
default : {
if ( g_proxyServer )
2023-04-12 22:49:17 -07:00
logg ( logerr ? LOGG_ERROR : LOGG_WARNING , " remote_cvdhead: Unexpected response (%li) from %s (Proxy: %s:%u) \n " ,
http_code , server , g_proxyServer , g_proxyPort ) ;
2019-03-26 15:09:52 -04:00
else
2023-04-12 22:49:17 -07:00
logg ( logerr ? LOGG_ERROR : LOGG_WARNING , " remote_cvdhead: Unexpected response (%li) from %s \n " ,
http_code , server ) ;
2019-03-26 15:09:52 -04:00
status = FC_EFAILEDGET ;
goto done ;
}
}
/*
* Identify start of CVD header in response body .
*/
if ( receivedData . size < CVD_HEADER_SIZE ) {
2023-04-12 22:49:17 -07:00
logg ( logerr ? LOGG_ERROR : LOGG_WARNING , " remote_cvdhead: Malformed CVD header (too short) \n " ) ;
2019-03-26 15:09:52 -04:00
status = FC_EFAILEDGET ;
goto done ;
}
/*
* Copy CVD header byte - by - byte from response body to CVD header buffer .
* Validate that data contains only printable characters and no NULL terminators .
*/
memset ( head , 0 , sizeof ( head ) ) ;
for ( i = 0 ; i < CVD_HEADER_SIZE ; i + + ) {
if ( ! receivedData . buffer | |
( receivedData . buffer & & ! * receivedData . buffer ) | |
( receivedData . buffer & & ! isprint ( receivedData . buffer [ i ] ) ) ) {
2023-04-12 22:49:17 -07:00
logg ( logerr ? LOGG_ERROR : LOGG_WARNING , " remote_cvdhead: Malformed CVD header (bad chars) \n " ) ;
2019-03-26 15:09:52 -04:00
status = FC_EFAILEDGET ;
goto done ;
}
head [ i ] = receivedData . buffer [ i ] ;
}
/*
* Parse CVD info into CVD info struct .
*/
if ( ! ( cvdhead = cl_cvdparse ( head ) ) ) {
2023-04-12 22:49:17 -07:00
logg ( logerr ? LOGG_ERROR : LOGG_WARNING , " remote_cvdhead: Malformed CVD header (can't parse) \n " ) ;
2019-03-26 15:09:52 -04:00
status = FC_EFAILEDGET ;
goto done ;
} else {
2022-02-16 00:13:55 +01:00
logg ( LOGG_INFO , " OK \n " ) ;
2019-03-26 15:09:52 -04:00
}
* cvd = cvdhead ;
status = FC_SUCCESS ;
done :
if ( NULL ! = receivedData . buffer ) {
free ( receivedData . buffer ) ;
}
if ( NULL ! = slist ) {
curl_slist_free_all ( slist ) ;
}
if ( NULL ! = curl ) {
curl_easy_cleanup ( curl ) ;
}
if ( NULL ! = url ) {
free ( url ) ;
}
return status ;
}
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
/**
* @ brief Download a file from a remote server .
*
* @ param url URL of file to download .
* @ param destfile Local file to save downloaded file to .
* @ param bAllowRedirect Allow redirects .
* @ param logerr Log a failure as an error instead of a warning .
* @ param quiet Don ' t warn if we get a 404. Just a debug message .
* @ param ifModifiedSince If - Modified - Since time to use in request .
* @ return fc_error_t FC_SUCCESS if download successful .
*/
2019-03-26 15:09:52 -04:00
static fc_error_t downloadFile (
const char * url ,
const char * destfile ,
int bAllowRedirect ,
int logerr ,
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
int quiet ,
2019-03-26 15:09:52 -04:00
time_t ifModifiedSince )
{
fc_error_t ret ;
fc_error_t status = FC_EARG ;
int bHttpServer = 0 ;
CURL * curl = NULL ;
CURLcode curl_ret ;
char errbuf [ CURL_ERROR_SIZE ] ;
struct curl_slist * slist = NULL ;
2019-07-08 13:28:39 -07:00
struct xfer_progress prog ;
2019-03-26 15:09:52 -04:00
long http_code = 0 ;
struct FileStruct receivedFile = { - 1 , 0 } ;
if ( ( NULL = = url ) | | ( NULL = = destfile ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " downloadFile: Invalid arguments. \n " ) ;
2019-03-26 15:09:52 -04:00
goto done ;
}
2022-02-16 00:13:55 +01:00
logg ( LOGG_DEBUG , " Retrieving %s \n " , url ) ;
2019-03-26 15:09:52 -04:00
if ( 0 = = strncasecmp ( url , " http " , strlen ( " http " ) ) ) {
bHttpServer = 1 ;
}
if ( FC_SUCCESS ! = ( ret = create_curl_handle ( bHttpServer , bAllowRedirect , & curl ) ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " downloadFile: Failed to create curl handle. \n " ) ;
2019-03-26 15:09:52 -04:00
status = ret ;
goto done ;
}
2019-08-04 17:44:20 -04:00
# ifdef HAVE_UNISTD_H
if ( ! mprintf_quiet & & ( mprintf_progress | | isatty ( fileno ( stdout ) ) ) )
# else
if ( ! mprintf_quiet )
# endif
{
2019-07-08 13:28:39 -07:00
prog . lastRunTime = 0 ;
prog . curl = curl ;
prog . bComplete = 0 ;
2021-03-25 13:31:46 -07:00
# if (LIBCURL_VERSION_MAJOR > 7) || ((LIBCURL_VERSION_MAJOR == 7) && (LIBCURL_VERSION_MINOR >= 32))
2019-07-08 13:28:39 -07:00
/* xferinfo was introduced in 7.32.0, no earlier libcurl versions will
compile as they won ' t have the symbols around .
If built with a newer libcurl , but running with an older libcurl :
curl_easy_setopt ( ) will fail in run - time trying to set the new
callback , making the older callback get used .
New libcurls will prefer the new callback and instead use that one even
if both callbacks are set . */
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_XFERINFOFUNCTION , xferinfo ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " downloadFile: Failed to set transfer info function! \n " ) ;
2019-07-08 13:28:39 -07:00
}
/* pass the struct pointer into the xferinfo function, note that this is
an alias to CURLOPT_PROGRESSDATA */
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_XFERINFODATA , & prog ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " downloadFile: Failed to set transfer info data structure! \n " ) ;
2019-07-08 13:28:39 -07:00
}
# else
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_PROGRESSFUNCTION , older_progress ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " downloadFile: Failed to set progress function! \n " ) ;
2019-07-08 13:28:39 -07:00
}
/* pass the struct pointer into the progress function */
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_PROGRESSDATA , & prog ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " downloadFile: Failed to set progress data structure! \n " ) ;
2019-07-08 13:28:39 -07:00
}
# endif
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_NOPROGRESS , 0L ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " downloadFile: Failed to disable progress function! \n " ) ;
2019-07-08 13:28:39 -07:00
}
}
2019-03-26 15:09:52 -04:00
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_URL , url ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " downloadFile: Failed to set CURLOPT_URL for curl session (%s). \n " , url ) ;
2019-03-26 15:09:52 -04:00
}
if ( 0 ! = ifModifiedSince ) {
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_TIMEVALUE , ifModifiedSince ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " downloadFile: Failed to set if-Modified-Since time value for curl session. \n " ) ;
2019-03-26 15:09:52 -04:00
}
/* If-Modified-Since the above time stamp */
else if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_TIMECONDITION , CURL_TIMECOND_IFMODSINCE ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " downloadFile: Failed to set if-Modified-Since time condition for curl session. \n " ) ;
2019-03-26 15:09:52 -04:00
}
}
if ( bHttpServer ) {
/*
* For HTTP , set some extra headers .
*/
struct curl_slist * temp = NULL ;
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_HTTPGET , 1L ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " downloadFile: Failed to set CURLOPT_HTTPGET for curl session. \n " ) ;
2019-03-26 15:09:52 -04:00
}
# ifdef FRESHCLAM_NO_CACHE
if ( NULL = = ( temp = curl_slist_append ( slist , " Cache-Control: no-cache " ) ) ) { // Necessary?
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " downloadFile: Failed to append \" Cache-Control: no-cache \" header to custom curl header list. \n " ) ;
2019-03-26 15:09:52 -04:00
} else {
slist = temp ;
}
# endif
if ( NULL = = ( temp = curl_slist_append ( slist , " Connection: close " ) ) ) { // Necessary?
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " downloadFile: Failed to append \" Connection: close \" header to custom curl header list. \n " ) ;
2019-03-26 15:09:52 -04:00
} else {
slist = temp ;
}
if ( NULL ! = slist ) {
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_HTTPHEADER , slist ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " downloadFile: Failed to add custom header list to curl session. \n " ) ;
2019-03-26 15:09:52 -04:00
}
}
}
/* Write the response body to the destination file handle */
if ( - 1 = = ( receivedFile . handle = open ( destfile , O_WRONLY | O_CREAT | O_EXCL | O_BINARY , 0644 ) ) ) {
char currdir [ PATH_MAX ] ;
if ( getcwd ( currdir , sizeof ( currdir ) ) )
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " downloadFile: Can't create new file %s in %s \n " , destfile , currdir ) ;
2019-03-26 15:09:52 -04:00
else
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " downloadFile: Can't create new file %s in the current directory \n " , destfile ) ;
2019-03-26 15:09:52 -04:00
2022-02-16 00:13:55 +01:00
logg ( LOGG_INFO , " Hint: The database directory must be writable for UID %d or GID %d \n " , getuid ( ) , getgid ( ) ) ;
2019-03-26 15:09:52 -04:00
status = FC_EDBDIRACCESS ;
goto done ;
}
receivedFile . size = 0 ;
/* Send all data to this function */
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_WRITEFUNCTION , WriteFileCallback ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " downloadFile: Failed to set write-data fwrite callback function for curl session. \n " ) ;
2019-03-26 15:09:52 -04:00
}
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_WRITEDATA , ( void * ) & receivedFile ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " downloadFile: Failed to set write-data file handle for curl session. \n " ) ;
2019-03-26 15:09:52 -04:00
}
2024-03-26 09:07:26 -07:00
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_HEADERDATA , g_lastRay ) ) {
2024-03-15 16:40:20 -04:00
logg ( LOGG_ERROR , " downloadFile: Failed to set header-data for header callback for curl session. \n " ) ;
}
if ( CURLE_OK ! = curl_easy_setopt ( curl , CURLOPT_HEADERFUNCTION , HeaderCallback ) ) {
logg ( LOGG_ERROR , " downloadFile: Failed to set header-data callback function for curl session. \n " ) ;
}
2022-02-16 00:13:55 +01:00
logg ( LOGG_DEBUG , " downloadFile: Download source: %s \n " , url ) ;
logg ( LOGG_DEBUG , " downloadFile: Download destination: %s \n " , destfile ) ;
2019-03-26 15:09:52 -04:00
/* Perform download */
memset ( errbuf , 0 , sizeof ( errbuf ) ) ;
curl_ret = curl_easy_perform ( curl ) ;
if ( curl_ret ! = CURLE_OK ) {
/*
* Show the error information .
* If no detailed error information was written to errbuf
* show the more generic information from curl_easy_strerror instead .
*/
size_t len = strlen ( errbuf ) ;
2023-04-12 22:49:17 -07:00
logg ( logerr ? LOGG_ERROR : LOGG_WARNING , " Download failed (%d) " , curl_ret ) ;
2019-03-26 15:09:52 -04:00
if ( len )
2023-04-12 22:49:17 -07:00
logg ( logerr ? LOGG_ERROR : LOGG_WARNING , " Message: %s%s " , errbuf , ( ( errbuf [ len - 1 ] ! = ' \n ' ) ? " \n " : " " ) ) ;
2019-03-26 15:09:52 -04:00
else
2023-04-12 22:49:17 -07:00
logg ( logerr ? LOGG_ERROR : LOGG_WARNING , " Message: %s \n " , curl_easy_strerror ( curl_ret ) ) ;
2019-05-21 17:40:45 -04:00
status = FC_ECONNECTION ;
2019-03-26 15:09:52 -04:00
goto done ;
}
/* Check HTTP code */
curl_easy_getinfo ( curl , CURLINFO_RESPONSE_CODE , & http_code ) ;
switch ( http_code ) {
case 200 :
case 206 : {
2021-09-28 15:13:55 -07:00
if ( 0 = = receivedFile . size ) {
status = FC_EEMPTYFILE ;
} else {
status = FC_SUCCESS ;
}
2019-03-26 15:09:52 -04:00
break ;
}
case 304 : {
status = FC_UPTODATE ;
break ;
}
2021-03-20 21:25:18 -07:00
case 403 : {
status = FC_EFORBIDDEN ;
2021-10-06 17:02:44 -07:00
/* Try again in no less than 24 hours if freshclam received a 403 FORBIDDEN. */
g_freshclamDat - > retry_after = time ( NULL ) + 60 * 60 * 24 ;
( void ) save_freshclam_dat ( ) ;
2021-03-20 21:25:18 -07:00
break ;
}
case 429 : {
status = FC_ERETRYLATER ;
2021-03-25 13:31:46 -07:00
curl_off_t retry_after = 0 ;
# if (LIBCURL_VERSION_MAJOR > 7) || ((LIBCURL_VERSION_MAJOR == 7) && (LIBCURL_VERSION_MINOR >= 66))
/* CURLINFO_RETRY_AFTER was introduced in libcurl 7.66 */
2021-03-21 19:47:21 -07:00
/* Find out how long we should wait before allowing a retry. */
curl_easy_getinfo ( curl , CURLINFO_RETRY_AFTER , & retry_after ) ;
2021-03-25 13:31:46 -07:00
# endif
2021-03-21 19:47:21 -07:00
if ( retry_after > 0 ) {
/* The response gave us a Retry-After date. Use that. */
2021-05-24 18:37:33 -07:00
g_freshclamDat - > retry_after = time ( NULL ) + ( time_t ) retry_after ;
2021-03-21 19:47:21 -07:00
} else {
2021-03-25 13:31:46 -07:00
/* Try again in no less than 4 hours if the response didn't specify
or if CURLINFO_RETRY_AFTER is not supported . */
2021-05-24 18:37:33 -07:00
g_freshclamDat - > retry_after = time ( NULL ) + 60 * 60 * 4 ;
2021-03-21 19:47:21 -07:00
}
2021-05-24 18:37:33 -07:00
( void ) save_freshclam_dat ( ) ;
2021-03-21 19:47:21 -07:00
2021-03-20 21:25:18 -07:00
break ;
}
2019-03-26 15:09:52 -04:00
case 404 : {
if ( g_proxyServer )
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
logg ( quiet ? LOGG_DEBUG : LOGG_WARNING , " downloadFile: file not found: %s (Proxy: %s:%u) \n " , url , g_proxyServer , g_proxyPort ) ;
2019-03-26 15:09:52 -04:00
else
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
logg ( quiet ? LOGG_DEBUG : LOGG_WARNING , " downloadFile: file not found: %s \n " , url ) ;
2019-03-26 15:09:52 -04:00
status = FC_EFAILEDGET ;
break ;
}
case 522 : {
2022-02-16 00:13:55 +01:00
logg ( LOGG_WARNING , " downloadFile: Origin Connection Time-out. Cloudflare was unable to reach the origin web server and the request timed out. URL: %s \n " , url ) ;
2019-03-26 15:09:52 -04:00
status = FC_EFAILEDGET ;
break ;
}
default : {
if ( g_proxyServer )
2023-04-12 22:49:17 -07:00
logg ( logerr ? LOGG_ERROR : LOGG_WARNING , " downloadFile: Unexpected response (%li) from %s (Proxy: %s:%u) \n " ,
http_code , url , g_proxyServer , g_proxyPort ) ;
2019-03-26 15:09:52 -04:00
else
2023-04-12 22:49:17 -07:00
logg ( logerr ? LOGG_ERROR : LOGG_WARNING , " downloadFile: Unexpected response (%li) from %s \n " ,
http_code , url ) ;
2019-03-26 15:09:52 -04:00
status = FC_EFAILEDGET ;
}
}
done :
if ( NULL ! = slist ) {
curl_slist_free_all ( slist ) ;
}
if ( NULL ! = curl ) {
curl_easy_cleanup ( curl ) ;
}
if ( - 1 ! = receivedFile . handle ) {
close ( receivedFile . handle ) ;
}
if ( FC_UPTODATE < status ) {
if ( NULL ! = destfile ) {
unlink ( destfile ) ;
}
}
return status ;
}
static fc_error_t getcvd (
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
const char * database ,
2019-03-26 15:09:52 -04:00
const char * cvdfile ,
const char * tmpfile ,
char * server ,
2021-03-20 21:25:18 -07:00
uint32_t ifModifiedSince ,
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
uint32_t remoteVersion ,
char * * sign_file ,
uint32_t * downloadedVersion ,
2019-03-26 15:09:52 -04:00
int logerr )
{
fc_error_t ret ;
2020-04-18 10:46:57 -04:00
cl_error_t cl_ret ;
2019-03-26 15:09:52 -04:00
fc_error_t status = FC_EARG ;
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
struct cl_cvd * cvd = NULL ;
char extension [ 5 ] = { 0 } ;
char * tmpsignfile = NULL ;
size_t tmpsignfileLen = 0 ;
char * url = NULL ;
size_t urlLen = 0 ;
char * sign_filename = NULL ;
size_t sign_filenameLen = 0 ;
char * sign_file_url = NULL ;
size_t sign_file_urlLen = 0 ;
2019-03-26 15:09:52 -04:00
if ( ( NULL = = cvdfile ) | | ( NULL = = tmpfile ) | | ( NULL = = server ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " getcvd: Invalid arguments. \n " ) ;
2019-03-26 15:09:52 -04:00
goto done ;
}
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
if ( NULL ! = sign_file ) {
* sign_file = NULL ;
}
2019-03-26 15:09:52 -04:00
urlLen = strlen ( server ) + strlen ( " / " ) + strlen ( cvdfile ) ;
url = malloc ( urlLen + 1 ) ;
snprintf ( url , urlLen + 1 , " %s/%s " , server , cvdfile ) ;
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
ret = downloadFile ( url , tmpfile , 1 , logerr , 0 , ifModifiedSince ) ;
2021-03-20 21:25:18 -07:00
if ( ret = = FC_UPTODATE ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_INFO , " %s is up-to-date. \n " , cvdfile ) ;
2021-03-20 21:25:18 -07:00
status = ret ;
goto done ;
} else if ( ret > FC_UPTODATE ) {
2023-04-12 22:49:17 -07:00
logg ( logerr ? LOGG_ERROR : LOGG_WARNING , " Can't download %s from %s \n " , cvdfile , url ) ;
2019-03-26 15:09:52 -04:00
status = ret ;
goto done ;
}
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
// grab the extension from the cvdfile
strncpy ( extension , cvdfile + strlen ( cvdfile ) - 4 , 4 ) ;
2019-03-26 15:09:52 -04:00
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
if ( NULL = = ( cvd = cl_cvdhead ( tmpfile ) ) ) {
logg ( LOGG_ERROR , " Can't read CVD header of new %s database. \n " , cvdfile ) ;
2019-03-26 15:09:52 -04:00
status = FC_EBADCVD ;
goto done ;
}
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
// try to get the sign file before verifying the cvd
// use the cvd name + version to get the signature file
// sign-file = database + "-" + version + ".sign"
sign_filenameLen = strlen ( database ) + strlen ( " - " ) + 10 + strlen ( " .cvd " ) + strlen ( " .sign " ) ;
sign_filename = malloc ( sign_filenameLen + 1 ) ;
snprintf ( sign_filename , sign_filenameLen + 1 , " %s-%u%s.sign " , database , cvd - > version , extension ) ;
// sign-file-url = server + "/" + sign_filename
sign_file_urlLen = strlen ( server ) + strlen ( " / " ) + strlen ( sign_filename ) ;
sign_file_url = malloc ( sign_file_urlLen + 1 ) ;
snprintf ( sign_file_url , sign_file_urlLen + 1 , " %s/%s " , server , sign_filename ) ;
// sign-file-tempfilename = g_tempDirectory + sign_filename
tmpsignfileLen = strlen ( g_tempDirectory ) + strlen ( PATHSEP ) + strlen ( sign_filename ) ;
tmpsignfile = malloc ( tmpsignfileLen + 1 ) ;
snprintf ( tmpsignfile , tmpsignfileLen + 1 , " %s " PATHSEP " %s " , g_tempDirectory , sign_filename ) ;
ret = downloadFile ( sign_file_url , tmpsignfile , 1 , logerr , 1 , 0 ) ;
if ( ret ! = FC_SUCCESS ) {
logg ( LOGG_DEBUG , " No external .sign digital signature file for %s-%u \n " , database , cvd - > version ) ;
// It's not an error if the .sign file doesn't exist.
// Just continue with the cvd verification and hope we can use the legacy md5-based rsa method.
} else {
// Set the output variable to the sign file name so we can move it later.
logg ( LOGG_DEBUG , " Downloaded digital signature file: %s \n " , tmpsignfile ) ;
if ( NULL ! = sign_file ) {
CLI_SAFER_STRDUP_OR_GOTO_DONE (
tmpsignfile ,
* sign_file ,
logg ( LOGG_ERROR , " getcvd: Failed to duplicate sign file name. \n " ) ;
status = FC_EMEM ) ;
}
2019-03-26 15:09:52 -04:00
}
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
// Now that we have the cvd and the sign file, we can verify the cvd.
FIPS & FIPS-like limits on hash algs for cryptographic uses
ClamAV will not function when using a FIPS-enabled OpenSSL 3.x.
This is because ClamAV uses MD5 and SHA1 algorithms for a variety of
purposes including matching for malware detection, matching to prevent
false positives on known-clean files, and for verification of MD5-based
RSA digital signatures for determining CVD (signature database archive)
authenticity.
Interestingly, FIPS had been intentionally bypassed when creating hashes
based whole buffers and whole files (by descriptor or `FILE`-pointer):
https://github.com/Cisco-Talos/clamav/commit/78d4a9985a06a418dd1338c94ee5db461035d75b
Note: this bypassed FIPS the 1.x way with:
`EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);`
It was NOT disabled when using `cl_hash_init()` / `cl_update_hash()` /
`cl_finish_hash()`. That likely worked by coincidence in that the hash
was already calculated most of the time. It certainly would have made
use of those functions if the hash had not been calculated prior:
https://github.com/Cisco-Talos/clamav/blob/78d4a9985a06a418dd1338c94ee5db461035d75b/libclamav/matcher.c#L743
Regardless, bypassing FIPS entirely is not the correct solution.
The FIPS restrictions against using MD5 and SHA1 are valid, particularly
when verifying CVD digital siganatures, but also I think when using a
hash to determine if the file is known-clean (i.e. the "clean cache" and
also MD5-based and SHA1-based FP signatures).
This commit extends the work to bypass FIPS using the newer 3.x method:
`md = EVP_MD_fetch(NULL, alg, "-fips");`
It does this for the legacy `cl_hash*()` functions including
`cl_hash_init()` / `cl_update_hash()` / `cl_finish_hash()`.
It also introduces extended versions that allow the caller to choose if
they want to bypass FIPS:
- `cl_hash_data_ex()`
- `cl_hash_init_ex()`
- `cl_update_hash_ex()`
- `cl_finish_hash_ex()`
- `cl_hash_destroy_ex()`
- `cl_hash_file_fd_ex()`
See the `flags` parameter for each.
Ironically, this commit does NOT use the new functions at this time.
The rational is that ClamAV may need MD5, SHA1, and SHA-256 hashes of
the same files both for determining if the file is malware, and for
determining if the file is clean.
So instead, this commit will do a checks when:
1. Creating a new ClamAV scanning engine. If FIPS-mode enabled, it will
automatically toggle the "FIPS limits" engine option.
When loading signatures, if the engine "FIPS limits" option is enabled,
then MD5 and SHA1 FP signatures will be skipped.
2. Before verifying a CVD (e.g. also for loading, unpacking when
verification enabled).
If "FIPS limits" or FIPS-mode are enabled, then the legacy MD5-based RSA
method is disabled.
Note: This commit also refactors the interface for `cl_cvdverify_ex()`
and `cl_cvdunpack_ex()` so they take a `flags` parameters, rather than a
single `bool`. As these functions are new in this version, it does not
break the ABI.
The cache was already switched to use SHA2-256, so that's not a concern
for checking FIPS-mode / FIPS limits options.
This adds an option for `freshclam.conf` and `clamd.conf`:
FIPSCryptoHashLimits yes
And an equivalent command-line option for `clamscan` and `sigtool`:
--fips-limits
You may programmatically enable FIPS-limits for a ClamAV engine like this:
```C
cl_engine_set_num(engine, CL_ENGINE_FIPS_LIMITS, 1);
```
CLAM-2792
2025-07-01 20:41:47 -04:00
if ( CL_SUCCESS ! = ( cl_ret = cli_cvdverify ( tmpfile , g_bFipsLimits , g_signVerifier ) ) ) {
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
logg ( LOGG_ERROR , " Verification: %s \n " , cl_strerror ( cl_ret ) ) ;
status = FC_EBADCVD ;
2019-03-26 15:09:52 -04:00
goto done ;
}
if ( cvd - > version < remoteVersion ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_DEBUG , " The %s database downloaded from %s is older than the version advertised in the DNS TXT record. \n " ,
2021-03-22 13:36:02 -07:00
cvdfile ,
server ) ;
status = FC_EMIRRORNOTSYNC ;
goto done ;
2019-03-26 15:09:52 -04:00
}
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
if ( NULL ! = downloadedVersion ) {
* downloadedVersion = cvd - > version ;
}
2019-03-26 15:09:52 -04:00
status = FC_SUCCESS ;
done :
if ( NULL ! = cvd ) {
cl_cvdfree ( cvd ) ;
}
if ( NULL ! = url ) {
free ( url ) ;
}
2021-03-22 13:36:02 -07:00
if (
( FC_SUCCESS ! = status ) & &
( FC_EMIRRORNOTSYNC ! = status ) /* Keep older version, it's better than nothing. */
) {
2019-03-26 15:09:52 -04:00
if ( NULL ! = tmpfile ) {
unlink ( tmpfile ) ;
}
}
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
if ( NULL ! = sign_filename ) {
free ( sign_filename ) ;
}
if ( NULL ! = sign_file_url ) {
free ( sign_file_url ) ;
}
if ( NULL ! = tmpsignfile ) {
free ( tmpsignfile ) ;
}
2019-03-26 15:09:52 -04:00
return status ;
}
/**
2022-08-30 14:57:04 -07:00
* @ brief Create a temp dir for storing CDIFFs for incremental database update .
2019-03-26 15:09:52 -04:00
*
2022-08-30 14:57:04 -07:00
* Will create the temp dir if it does not already exist and populate it with the
* unpacked CVD . Then it will chdir to that directory .
*
* But if that directory already exists , it will simply chdir to it .
2019-03-26 15:09:52 -04:00
*
* @ param database The database we ' re updating .
2021-07-16 11:47:23 -07:00
* @ param [ out ] tmpdir The name of the temp dir to use .
2019-03-26 15:09:52 -04:00
* @ return fc_error_t
*/
static fc_error_t mkdir_and_chdir_for_cdiff_tmp ( const char * database , const char * tmpdir )
{
fc_error_t status = FC_EDIRECTORY ;
char cvdfile [ DB_FILENAME_MAX ] ;
if ( ( NULL = = database ) | | ( NULL = = tmpdir ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " mkdir_and_chdir_for_cdiff_tmp: Invalid arguments. \n " ) ;
2019-03-26 15:09:52 -04:00
status = FC_EARG ;
goto done ;
}
if ( - 1 = = access ( tmpdir , R_OK | W_OK ) ) {
/*
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
* Temp directory for incremental update ( cdiff download ) does not yet exist .
2019-03-26 15:09:52 -04:00
*/
int ret ;
2022-11-01 15:53:41 -07:00
bool is_cld = false ;
2019-03-26 15:09:52 -04:00
/*
* 1 ) Double - check that we have a CVD or CLD . Without either one , incremental update won ' t work .
*/
ret = snprintf ( cvdfile , sizeof ( cvdfile ) , " %s.cvd " , database ) ;
if ( ( ( int ) sizeof ( cvdfile ) < = ret ) | | ( - 1 = = ret ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " mkdir_and_chdir_for_cdiff_tmp: database parameter value too long to create cvd file name: %s \n " , database ) ;
2019-03-26 15:09:52 -04:00
goto done ;
}
if ( - 1 = = access ( cvdfile , R_OK ) ) {
ret = snprintf ( cvdfile , sizeof ( cvdfile ) , " %s.cld " , database ) ;
if ( ( ( int ) sizeof ( cvdfile ) < = ret ) | | ( - 1 = = ret ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " mkdir_and_chdir_for_cdiff_tmp: database parameter value too long to create cld file name: %s \n " , database ) ;
2019-03-26 15:09:52 -04:00
goto done ;
}
if ( - 1 = = access ( cvdfile , R_OK ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " mkdir_and_chdir_for_cdiff_tmp: Can't find (or access) local CVD or CLD for %s database \n " , database ) ;
2019-03-26 15:09:52 -04:00
goto done ;
}
2022-11-01 15:53:41 -07:00
is_cld = true ;
2019-03-26 15:09:52 -04:00
}
/*
* 2 ) Create the incremental update temp directory .
*/
if ( - 1 = = mkdir ( tmpdir , 0755 ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " mkdir_and_chdir_for_cdiff_tmp: Can't create directory %s \n " , tmpdir ) ;
2019-03-26 15:09:52 -04:00
goto done ;
}
2022-08-30 14:57:04 -07:00
/*
* 3 ) Unpack the existing CVD / CLD database to this directory .
*/
FIPS & FIPS-like limits on hash algs for cryptographic uses
ClamAV will not function when using a FIPS-enabled OpenSSL 3.x.
This is because ClamAV uses MD5 and SHA1 algorithms for a variety of
purposes including matching for malware detection, matching to prevent
false positives on known-clean files, and for verification of MD5-based
RSA digital signatures for determining CVD (signature database archive)
authenticity.
Interestingly, FIPS had been intentionally bypassed when creating hashes
based whole buffers and whole files (by descriptor or `FILE`-pointer):
https://github.com/Cisco-Talos/clamav/commit/78d4a9985a06a418dd1338c94ee5db461035d75b
Note: this bypassed FIPS the 1.x way with:
`EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);`
It was NOT disabled when using `cl_hash_init()` / `cl_update_hash()` /
`cl_finish_hash()`. That likely worked by coincidence in that the hash
was already calculated most of the time. It certainly would have made
use of those functions if the hash had not been calculated prior:
https://github.com/Cisco-Talos/clamav/blob/78d4a9985a06a418dd1338c94ee5db461035d75b/libclamav/matcher.c#L743
Regardless, bypassing FIPS entirely is not the correct solution.
The FIPS restrictions against using MD5 and SHA1 are valid, particularly
when verifying CVD digital siganatures, but also I think when using a
hash to determine if the file is known-clean (i.e. the "clean cache" and
also MD5-based and SHA1-based FP signatures).
This commit extends the work to bypass FIPS using the newer 3.x method:
`md = EVP_MD_fetch(NULL, alg, "-fips");`
It does this for the legacy `cl_hash*()` functions including
`cl_hash_init()` / `cl_update_hash()` / `cl_finish_hash()`.
It also introduces extended versions that allow the caller to choose if
they want to bypass FIPS:
- `cl_hash_data_ex()`
- `cl_hash_init_ex()`
- `cl_update_hash_ex()`
- `cl_finish_hash_ex()`
- `cl_hash_destroy_ex()`
- `cl_hash_file_fd_ex()`
See the `flags` parameter for each.
Ironically, this commit does NOT use the new functions at this time.
The rational is that ClamAV may need MD5, SHA1, and SHA-256 hashes of
the same files both for determining if the file is malware, and for
determining if the file is clean.
So instead, this commit will do a checks when:
1. Creating a new ClamAV scanning engine. If FIPS-mode enabled, it will
automatically toggle the "FIPS limits" engine option.
When loading signatures, if the engine "FIPS limits" option is enabled,
then MD5 and SHA1 FP signatures will be skipped.
2. Before verifying a CVD (e.g. also for loading, unpacking when
verification enabled).
If "FIPS limits" or FIPS-mode are enabled, then the legacy MD5-based RSA
method is disabled.
Note: This commit also refactors the interface for `cl_cvdverify_ex()`
and `cl_cvdunpack_ex()` so they take a `flags` parameters, rather than a
single `bool`. As these functions are new in this version, it does not
break the ABI.
The cache was already switched to use SHA2-256, so that's not a concern
for checking FIPS-mode / FIPS limits options.
This adds an option for `freshclam.conf` and `clamd.conf`:
FIPSCryptoHashLimits yes
And an equivalent command-line option for `clamscan` and `sigtool`:
--fips-limits
You may programmatically enable FIPS-limits for a ClamAV engine like this:
```C
cl_engine_set_num(engine, CL_ENGINE_FIPS_LIMITS, 1);
```
CLAM-2792
2025-07-01 20:41:47 -04:00
if ( CL_SUCCESS ! = cli_cvdunpack_and_verify ( cvdfile , tmpdir , is_cld = = true , g_bFipsLimits , g_signVerifier ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " mkdir_and_chdir_for_cdiff_tmp: Can't unpack %s into %s \n " , cvdfile , tmpdir ) ;
2019-03-26 15:09:52 -04:00
cli_rmdirs ( tmpdir ) ;
goto done ;
}
}
if ( - 1 = = chdir ( tmpdir ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " mkdir_and_chdir_for_cdiff_tmp: Can't change directory to %s \n " , tmpdir ) ;
2019-03-26 15:09:52 -04:00
goto done ;
}
status = FC_SUCCESS ;
done :
return status ;
}
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
static fc_error_t downloadPatchAndApply (
2019-03-26 15:09:52 -04:00
const char * database ,
const char * tmpdir ,
int version ,
char * server ,
int logerr )
{
fc_error_t ret ;
fc_error_t status = FC_EARG ;
char patch [ DB_FILENAME_MAX ] ;
Freshclam: Download missing .sign files for up-to-date .cvd's (#1587)
If the database directory has an up-to-date .cvd (not .cld) which lacks
a .sign file, then Freshclam should try to download the .cvd.sign file.
If no .sign file is available, it will debug-log it and will not
complain loudly.
Example output:
```
❯ ./install/bin/freshclam
ClamAV update process started at Fri Oct 3 17:20:04 2025
daily.cvd database is up-to-date (version: 27780, sigs: 2076928, f-level: 90, builder: tomjudge)
Time: 0.2s, ETA: 0.0s [========================>] 8.87KiB/8.87KiB
Downloaded missing CVD .sign file daily-27780.cvd.sign
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Time: 0.1s, ETA: 0.0s [========================>] 8.87KiB/8.87KiB
Downloaded missing CVD .sign file main-62.cvd.sign
bytecode.cvd database is up-to-date (version: 339, sigs: 80, f-level: 90, builder: nrandolp)
Time: 0.5s, ETA: 0.0s [========================>] 8.87KiB/8.87KiB
Downloaded missing CVD .sign file bytecode-339.cvd.sign
```
2025-10-05 17:42:59 -04:00
char patch_sign_file [ DB_FILENAME_MAX + 5 /* ".sign" */ + 1 ] ;
2019-03-26 15:09:52 -04:00
char olddir [ PATH_MAX ] ;
char * url = NULL ;
size_t urlLen = 0 ;
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
char * sign_url = NULL ;
size_t sign_urlLen = 0 ;
FFIError * cdiff_apply_error = NULL ;
2019-03-26 15:09:52 -04:00
olddir [ 0 ] = ' \0 ' ;
if ( ( NULL = = database ) | | ( NULL = = tmpdir ) | | ( NULL = = server ) | | ( 0 = = version ) ) {
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
logg ( LOGG_ERROR , " downloadPatchAndApply: Invalid arguments. \n " ) ;
2019-03-26 15:09:52 -04:00
goto done ;
}
if ( NULL = = getcwd ( olddir , sizeof ( olddir ) ) ) {
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
logg ( LOGG_ERROR , " downloadPatchAndApply: Can't get path of current working directory \n " ) ;
2019-03-26 15:09:52 -04:00
status = FC_EDIRECTORY ;
goto done ;
}
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
/*
* Unpack the database into a new temp directory where we ' ll apply the patch , and chdir to it .
* If the directory already exists , we ' ll just chdir to it .
*/
2019-03-26 15:09:52 -04:00
if ( FC_SUCCESS ! = mkdir_and_chdir_for_cdiff_tmp ( database , tmpdir ) ) {
status = FC_EDIRECTORY ;
goto done ;
}
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
/*
* Download the patch .
*/
2019-03-26 15:09:52 -04:00
snprintf ( patch , sizeof ( patch ) , " %s-%d.cdiff " , database , version ) ;
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
2019-03-26 15:09:52 -04:00
urlLen = strlen ( server ) + strlen ( " / " ) + strlen ( patch ) ;
url = malloc ( urlLen + 1 ) ;
Freshclam: Download missing .sign files for up-to-date .cvd's (#1587)
If the database directory has an up-to-date .cvd (not .cld) which lacks
a .sign file, then Freshclam should try to download the .cvd.sign file.
If no .sign file is available, it will debug-log it and will not
complain loudly.
Example output:
```
❯ ./install/bin/freshclam
ClamAV update process started at Fri Oct 3 17:20:04 2025
daily.cvd database is up-to-date (version: 27780, sigs: 2076928, f-level: 90, builder: tomjudge)
Time: 0.2s, ETA: 0.0s [========================>] 8.87KiB/8.87KiB
Downloaded missing CVD .sign file daily-27780.cvd.sign
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Time: 0.1s, ETA: 0.0s [========================>] 8.87KiB/8.87KiB
Downloaded missing CVD .sign file main-62.cvd.sign
bytecode.cvd database is up-to-date (version: 339, sigs: 80, f-level: 90, builder: nrandolp)
Time: 0.5s, ETA: 0.0s [========================>] 8.87KiB/8.87KiB
Downloaded missing CVD .sign file bytecode-339.cvd.sign
```
2025-10-05 17:42:59 -04:00
if ( NULL = = url ) {
logg ( LOGG_ERROR , " downloadPatchAndApply: Can't allocate memory for URL \n " ) ;
status = FC_EMEM ;
goto done ;
}
2019-03-26 15:09:52 -04:00
snprintf ( url , urlLen + 1 , " %s/%s " , server , patch ) ;
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
if ( FC_SUCCESS ! = ( ret = downloadFile ( url , patch , 1 , logerr , 0 , 0 ) ) ) {
2019-03-26 15:09:52 -04:00
if ( ret = = FC_EEMPTYFILE ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_INFO , " Empty script %s, need to download entire database \n " , patch ) ;
2019-03-26 15:09:52 -04:00
} else {
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
logg ( logerr ? LOGG_ERROR : LOGG_WARNING , " downloadPatchAndApply: Can't download %s from %s \n " , patch , url ) ;
2019-03-26 15:09:52 -04:00
}
status = ret ;
goto done ;
}
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
/*
* Download the patch sign file .
*/
snprintf ( patch_sign_file , sizeof ( patch_sign_file ) , " %s.sign " , patch ) ;
Freshclam: Download missing .sign files for up-to-date .cvd's (#1587)
If the database directory has an up-to-date .cvd (not .cld) which lacks
a .sign file, then Freshclam should try to download the .cvd.sign file.
If no .sign file is available, it will debug-log it and will not
complain loudly.
Example output:
```
❯ ./install/bin/freshclam
ClamAV update process started at Fri Oct 3 17:20:04 2025
daily.cvd database is up-to-date (version: 27780, sigs: 2076928, f-level: 90, builder: tomjudge)
Time: 0.2s, ETA: 0.0s [========================>] 8.87KiB/8.87KiB
Downloaded missing CVD .sign file daily-27780.cvd.sign
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Time: 0.1s, ETA: 0.0s [========================>] 8.87KiB/8.87KiB
Downloaded missing CVD .sign file main-62.cvd.sign
bytecode.cvd database is up-to-date (version: 339, sigs: 80, f-level: 90, builder: nrandolp)
Time: 0.5s, ETA: 0.0s [========================>] 8.87KiB/8.87KiB
Downloaded missing CVD .sign file bytecode-339.cvd.sign
```
2025-10-05 17:42:59 -04:00
patch_sign_file [ sizeof ( patch_sign_file ) - 1 ] = 0 ;
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
sign_urlLen = strlen ( server ) + strlen ( " / " ) + strlen ( patch_sign_file ) ;
sign_url = malloc ( sign_urlLen + 1 ) ;
Freshclam: Download missing .sign files for up-to-date .cvd's (#1587)
If the database directory has an up-to-date .cvd (not .cld) which lacks
a .sign file, then Freshclam should try to download the .cvd.sign file.
If no .sign file is available, it will debug-log it and will not
complain loudly.
Example output:
```
❯ ./install/bin/freshclam
ClamAV update process started at Fri Oct 3 17:20:04 2025
daily.cvd database is up-to-date (version: 27780, sigs: 2076928, f-level: 90, builder: tomjudge)
Time: 0.2s, ETA: 0.0s [========================>] 8.87KiB/8.87KiB
Downloaded missing CVD .sign file daily-27780.cvd.sign
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Time: 0.1s, ETA: 0.0s [========================>] 8.87KiB/8.87KiB
Downloaded missing CVD .sign file main-62.cvd.sign
bytecode.cvd database is up-to-date (version: 339, sigs: 80, f-level: 90, builder: nrandolp)
Time: 0.5s, ETA: 0.0s [========================>] 8.87KiB/8.87KiB
Downloaded missing CVD .sign file bytecode-339.cvd.sign
```
2025-10-05 17:42:59 -04:00
if ( NULL = = sign_url ) {
logg ( LOGG_ERROR , " downloadPatchAndApply: Can't allocate memory for sign URL \n " ) ;
status = FC_EMEM ;
goto done ;
}
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
snprintf ( sign_url , sign_urlLen + 1 , " %s/%s " , server , patch_sign_file ) ;
if ( FC_SUCCESS ! = ( ret = downloadFile ( sign_url , patch_sign_file , 1 , logerr , 1 , 0 ) ) ) {
// No sign file is not an error.
2025-06-03 19:03:20 -04:00
// Just means we'll have to fall back to the legacy sha2-256-based rsa method for verifying CDIFFs.
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
logg ( LOGG_DEBUG , " No external .sign digital signature file for %s \n " , patch ) ;
} else {
logg ( LOGG_DEBUG , " Downloaded digital signature file: %s \n " , patch_sign_file ) ;
2019-03-26 15:09:52 -04:00
}
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
/*
* Apply the patch .
*/
if ( ! cdiff_apply (
patch ,
g_signVerifier ,
1 ,
& cdiff_apply_error ) ) {
logg ( LOGG_ERROR , " downloadPatchAndApply: Can't apply '%s': %s \n " ,
patch , ffierror_fmt ( cdiff_apply_error ) ) ;
2019-03-26 15:09:52 -04:00
status = FC_EFAILEDUPDATE ;
goto done ;
}
status = FC_SUCCESS ;
done :
if ( NULL ! = url ) {
free ( url ) ;
}
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
if ( NULL ! = sign_url ) {
free ( sign_url ) ;
2019-03-26 15:09:52 -04:00
}
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
if ( NULL ! = cdiff_apply_error ) {
ffierror_free ( cdiff_apply_error ) ;
2019-03-26 15:09:52 -04:00
}
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
/*
* Change back to the original directory .
*/
2019-03-26 15:09:52 -04:00
if ( ' \0 ' ! = olddir [ 0 ] ) {
if ( - 1 = = chdir ( olddir ) ) {
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
logg ( LOGG_ERROR , " downloadPatchAndApply: Can't chdir to %s \n " , olddir ) ;
2019-03-26 15:09:52 -04:00
status = FC_EDIRECTORY ;
}
}
return status ;
}
/**
* @ brief Get CVD header info for local CVD / CLD database .
*
* @ param database Database name
2021-07-16 11:47:23 -07:00
* @ param [ out ] localname ( optional ) filename of local database .
2019-03-26 15:09:52 -04:00
* @ return struct cl_cvd * CVD info struct of local database , if found . NULL if not found .
*/
static struct cl_cvd * currentdb ( const char * database , char * * localname )
{
char filename [ DB_FILENAME_MAX ] ;
struct cl_cvd * cvd = NULL ;
if ( NULL = = database ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " currentdb: Invalid args! \n " ) ;
2019-03-26 15:09:52 -04:00
goto done ;
}
snprintf ( filename , sizeof ( filename ) , " %s.cvd " , database ) ;
filename [ sizeof ( filename ) - 1 ] = 0 ;
if ( - 1 = = access ( filename , R_OK ) ) {
/* CVD not found. */
snprintf ( filename , sizeof ( filename ) , " %s.cld " , database ) ;
filename [ sizeof ( filename ) - 1 ] = 0 ;
if ( - 1 = = access ( filename , R_OK ) ) {
/* CLD also not found. Fail out. */
goto done ;
}
}
if ( NULL = = ( cvd = cl_cvdhead ( filename ) ) ) {
goto done ;
}
if ( localname ) {
2024-01-09 17:44:33 -05:00
* localname = cli_safer_strdup ( filename ) ;
2019-03-26 15:09:52 -04:00
}
done :
return cvd ;
}
static fc_error_t buildcld (
const char * tmpdir ,
const char * database ,
const char * newfile ,
int bCompress )
{
fc_error_t status = FC_EARG ;
2020-05-07 14:12:17 -04:00
char olddir [ PATH_MAX ] = { 0 } ;
2019-03-26 15:09:52 -04:00
char info [ DB_FILENAME_MAX ] ;
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
char cfg [ DB_FILENAME_MAX ] ;
2019-03-26 15:09:52 -04:00
char buff [ CVD_HEADER_SIZE + 1 ] ;
char * pt ;
struct dirent * dent = NULL ;
DIR * dir = NULL ;
gzFile gzs = NULL ;
int fd = - 1 ;
if ( ( NULL = = tmpdir ) | | ( NULL = = database ) | | ( NULL = = newfile ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " buildcld: Invalid arguments. \n " ) ;
2019-03-26 15:09:52 -04:00
goto done ;
}
if ( ! getcwd ( olddir , sizeof ( olddir ) ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " buildcld: Can't get path of current working directory \n " ) ;
2019-03-26 15:09:52 -04:00
status = FC_EDIRECTORY ;
goto done ;
}
if ( - 1 = = chdir ( tmpdir ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " buildcld: Can't access directory %s \n " , tmpdir ) ;
2019-03-26 15:09:52 -04:00
status = FC_EDIRECTORY ;
goto done ;
}
snprintf ( info , sizeof ( info ) , " %s.info " , database ) ;
info [ sizeof ( info ) - 1 ] = 0 ;
if ( - 1 = = ( fd = open ( info , O_RDONLY | O_BINARY ) ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " buildcld: Can't open %s \n " , info ) ;
2019-03-26 15:09:52 -04:00
status = FC_EFILE ;
goto done ;
}
if ( - 1 = = read ( fd , buff , CVD_HEADER_SIZE ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " buildcld: Can't read %s \n " , info ) ;
2019-03-26 15:09:52 -04:00
status = FC_EFILE ;
goto done ;
}
buff [ CVD_HEADER_SIZE ] = 0 ;
close ( fd ) ;
fd = - 1 ;
if ( NULL = = ( pt = strchr ( buff , ' \n ' ) ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " buildcld: Bad format of %s \n " , info ) ;
2019-03-26 15:09:52 -04:00
status = FC_EFAILEDUPDATE ;
goto done ;
}
memset ( pt , ' ' , CVD_HEADER_SIZE + buff - pt ) ;
if ( - 1 = = ( fd = open ( newfile , O_WRONLY | O_CREAT | O_EXCL | O_BINARY , 0644 ) ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " buildcld: Can't open %s for writing \n " , newfile ) ;
2019-03-26 15:09:52 -04:00
status = FC_EFILE ;
goto done ;
}
if ( CVD_HEADER_SIZE ! = write ( fd , buff , CVD_HEADER_SIZE ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " buildcld: Can't write to %s \n " , newfile ) ;
2019-03-26 15:09:52 -04:00
status = FC_EFILE ;
goto done ;
}
if ( bCompress ) {
close ( fd ) ;
fd = - 1 ;
if ( NULL = = ( gzs = gzopen ( newfile , " ab9f " ) ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " buildcld: gzopen() failed for %s \n " , newfile ) ;
2019-03-26 15:09:52 -04:00
status = FC_EFAILEDUPDATE ;
goto done ;
}
}
if ( - 1 = = access ( " COPYING " , R_OK ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " buildcld: COPYING file not found \n " ) ;
2019-03-26 15:09:52 -04:00
status = FC_EFAILEDUPDATE ;
goto done ;
}
if ( - 1 = = tar_addfile ( fd , gzs , " COPYING " ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " buildcld: Can't add COPYING to new %s.cld - please check if there is enough disk space available \n " , database ) ;
2019-03-26 15:09:52 -04:00
status = FC_EFAILEDUPDATE ;
goto done ;
}
if ( - 1 ! = access ( info , R_OK ) ) {
if ( - 1 = = tar_addfile ( fd , gzs , info ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " buildcld: Can't add %s to new %s.cld - please check if there is enough disk space available \n " , info , database ) ;
2019-03-26 15:09:52 -04:00
status = FC_EFAILEDUPDATE ;
goto done ;
}
}
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
snprintf ( cfg , sizeof ( cfg ) , " %s.cfg " , database ) ;
cfg [ sizeof ( cfg ) - 1 ] = 0 ;
if ( - 1 ! = access ( cfg , R_OK ) ) {
if ( - 1 = = tar_addfile ( fd , gzs , cfg ) ) {
logg ( LOGG_ERROR , " buildcld: Can't add %s to new %s.cld - please check if there is enough disk space available \n " , cfg , database ) ;
2019-03-26 15:09:52 -04:00
status = FC_EFAILEDUPDATE ;
goto done ;
}
}
2021-08-16 09:28:29 -07:00
if ( NULL = = ( dir = opendir ( tmpdir ) ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " buildcld: Can't open directory %s \n " , tmpdir ) ;
2019-03-26 15:09:52 -04:00
status = FC_EDIRECTORY ;
goto done ;
}
while ( NULL ! = ( dent = readdir ( dir ) ) ) {
if ( dent - > d_ino ) {
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
if ( ! strcmp ( dent - > d_name , " . " ) | | ! strcmp ( dent - > d_name , " .. " ) | | ! strcmp ( dent - > d_name , " COPYING " ) | | ! strcmp ( dent - > d_name , cfg ) | | ! strcmp ( dent - > d_name , info ) )
2019-03-26 15:09:52 -04:00
continue ;
if ( tar_addfile ( fd , gzs , dent - > d_name ) = = - 1 ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " buildcld: Can't add %s to new %s.cld - please check if there is enough disk space available \n " , dent - > d_name , database ) ;
2019-03-26 15:09:52 -04:00
status = FC_EFAILEDUPDATE ;
goto done ;
}
}
}
status = FC_SUCCESS ;
done :
if ( - 1 ! = fd ) {
if ( - 1 = = close ( fd ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " buildcld: close() failed for %s \n " , newfile ) ;
2019-03-26 15:09:52 -04:00
}
}
if ( NULL ! = gzs ) {
if ( gzclose ( gzs ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " buildcld: gzclose() failed for %s \n " , newfile ) ;
2019-03-26 15:09:52 -04:00
}
}
if ( NULL ! = dir ) {
closedir ( dir ) ;
}
if ( FC_SUCCESS ! = status ) {
if ( NULL ! = newfile ) {
unlink ( newfile ) ;
}
}
if ( ' \0 ' ! = olddir [ 0 ] ) {
if ( - 1 = = chdir ( olddir ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " buildcld: Can't return to previous directory %s \n " , olddir ) ;
2019-03-26 15:09:52 -04:00
status = FC_EDIRECTORY ;
}
}
return status ;
}
static fc_error_t query_remote_database_version (
const char * database ,
uint32_t ifModifiedSince ,
const char * dnsUpdateInfo ,
char * server ,
int bPrivateMirror ,
int logerr ,
uint32_t * remoteVersion ,
char * * remoteFilename )
{
fc_error_t ret ;
fc_error_t status = FC_EARG ;
uint32_t newVersion = 0 ;
char cvdfile [ DB_FILENAME_MAX ] ;
char cldfile [ DB_FILENAME_MAX ] ;
# ifdef HAVE_RESOLV_H
char * dnqueryDomain = NULL ;
char * extradnsreply = NULL ;
# endif
struct cl_cvd * remote = NULL ;
int remote_is_cld = 0 ;
if ( ( NULL = = database ) | | ( NULL = = server ) | | ( NULL = = remoteVersion ) | | ( NULL = = remoteFilename ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " query_remote_database_version: Invalid args! \n " ) ;
2019-03-26 15:09:52 -04:00
goto done ;
}
* remoteVersion = 0 ;
* remoteFilename = NULL ;
snprintf ( cvdfile , sizeof ( cvdfile ) , " %s.cvd " , database ) ;
cvdfile [ sizeof ( cvdfile ) - 1 ] = 0 ;
snprintf ( cldfile , sizeof ( cldfile ) , " %s.cld " , database ) ;
cldfile [ sizeof ( cldfile ) - 1 ] = 0 ;
if ( ( ! bPrivateMirror ) & & ( NULL ! = dnsUpdateInfo ) ) {
/*
* Use Primary DNS Update Info record to find the version .
*/
int field = 0 ;
char * verStrDnsPrimary = NULL ;
if ( 0 = = ( field = textrecordfield ( database ) ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_DEBUG , " query_remote_database_version: Database name \" %s \" isn't listed in DNS update info. \n " , database ) ;
2019-03-26 15:09:52 -04:00
} else if ( NULL = = ( verStrDnsPrimary = cli_strtok ( dnsUpdateInfo , field , " : " ) ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_WARNING , " Invalid DNS update info. Falling back to HTTP mode. \n " ) ;
2019-03-26 15:09:52 -04:00
} else if ( ! cli_isnumber ( verStrDnsPrimary ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_WARNING , " Broken database version in TXT record. Falling back to HTTP mode. \n " ) ;
2019-03-26 15:09:52 -04:00
} else {
newVersion = atoi ( verStrDnsPrimary ) ;
2022-02-16 00:13:55 +01:00
logg ( LOGG_DEBUG , " query_remote_database_version: %s version from DNS: %d \n " , cvdfile , newVersion ) ;
2019-03-26 15:09:52 -04:00
}
free ( verStrDnsPrimary ) ;
# ifdef HAVE_RESOLV_H
if ( newVersion = = 0 ) {
/*
* Primary DNS Update Info record didn ' t have the version # for this database .
* Try to use a < database > . cvd . clamav . net DNS query to find the version # .
*/
size_t dnqueryDomainLen = strlen ( database ) + strlen ( " .cvd.clamav.net " ) ;
dnqueryDomain = malloc ( dnqueryDomainLen + 1 ) ;
snprintf ( dnqueryDomain , dnqueryDomainLen + 1 , " %s.cvd.clamav.net " , database ) ;
if ( NULL = = ( extradnsreply = dnsquery ( dnqueryDomain , T_TXT , NULL ) ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_WARNING , " No timestamp in TXT record for %s \n " , cvdfile ) ;
2019-03-26 15:09:52 -04:00
} else {
char * recordTimeStr = NULL ;
char * verStrDnsExtra = NULL ;
if ( NULL = = ( recordTimeStr = cli_strtok ( extradnsreply , DNS_EXTRADBINFO_RECORDTIME , " : " ) ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_WARNING , " No recordtime field in TXT record for %s \n " , cvdfile ) ;
2019-03-26 15:09:52 -04:00
} else {
int recordTime ;
time_t currentTime ;
recordTime = atoi ( recordTimeStr ) ;
free ( recordTimeStr ) ;
time ( & currentTime ) ;
2022-07-12 15:04:49 -04:00
if ( ( int ) currentTime - recordTime > DNS_WARNING_THRESHOLD_SECONDS ) {
logg ( LOGG_WARNING , " DNS record is older than %d hours. \n " , DNS_WARNING_THRESHOLD_HOURS ) ;
2019-03-26 15:09:52 -04:00
} else if ( NULL ! = ( verStrDnsExtra = cli_strtok ( extradnsreply , 0 , " : " ) ) ) {
if ( ! cli_isnumber ( verStrDnsExtra ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_WARNING , " Broken database version in TXT record for %s \n " , cvdfile ) ;
2019-03-26 15:09:52 -04:00
} else {
newVersion = atoi ( verStrDnsExtra ) ;
2022-02-16 00:13:55 +01:00
logg ( LOGG_DEBUG , " %s version from DNS: %d \n " , cvdfile , newVersion ) ;
2019-03-26 15:09:52 -04:00
}
free ( verStrDnsExtra ) ;
} else {
2022-02-16 00:13:55 +01:00
logg ( LOGG_WARNING , " Invalid DNS reply. Falling back to HTTP mode. \n " ) ;
2019-03-26 15:09:52 -04:00
}
}
}
}
# endif
}
if ( newVersion = = 0 ) {
/*
* Was unable to use DNS info records to determine database version .
* Use HTTP GET to get version info from CVD / CLD header .
*/
if ( bPrivateMirror ) {
/*
* For a private mirror , get the CLD instead of the CVD .
*
* On the mirror , they should have CDIFFs / scripted / incremental
* updates enabled , so they should have CLD ' s to distribute .
*/
ret = remote_cvdhead ( cldfile , ifModifiedSince , server , logerr , & remote ) ;
if ( ( FC_SUCCESS = = ret ) | | ( FC_UPTODATE = = ret ) ) {
remote_is_cld = 1 ;
} else {
/*
* Failed to get CLD update , and it ' s unknown if the status is up - to - date .
*
* If it ' s a relatively new mirror , the CLD won ' t have been replaced with a CVD yet .
* Attempt to get the CVD instead .
*/
ret = remote_cvdhead ( cvdfile , ifModifiedSince , server , logerr , & remote ) ;
}
} else {
/*
* Official update servers will only have the CVD .
*/
ret = remote_cvdhead ( cvdfile , ifModifiedSince , server , logerr , & remote ) ;
}
switch ( ret ) {
case FC_SUCCESS : {
2022-02-16 00:13:55 +01:00
logg ( LOGG_DEBUG , " %s database version obtained using HTTP GET: %u \n " , database , remote - > version ) ;
2019-03-26 15:09:52 -04:00
break ;
}
case FC_UPTODATE : {
2022-02-16 00:13:55 +01:00
logg ( LOGG_DEBUG , " %s database version up-to-date, according to HTTP response code from server. \n " , database ) ;
2019-03-26 15:09:52 -04:00
status = FC_UPTODATE ;
goto done ;
}
default : {
2022-02-16 00:13:55 +01:00
logg ( LOGG_WARNING , " Failed to get %s database version information from server: %s \n " , database , server ) ;
2019-03-26 15:09:52 -04:00
status = ret ;
goto done ;
}
}
newVersion = remote - > version ;
}
if ( remote_is_cld ) {
2024-01-09 17:44:33 -05:00
* remoteFilename = cli_safer_strdup ( cldfile ) ;
2019-03-26 15:09:52 -04:00
} else {
2024-01-09 17:44:33 -05:00
* remoteFilename = cli_safer_strdup ( cvdfile ) ;
2019-03-26 15:09:52 -04:00
}
* remoteVersion = newVersion ;
status = FC_SUCCESS ;
done :
if ( NULL ! = remote ) {
cl_cvdfree ( remote ) ;
}
# ifdef HAVE_RESOLV_H
if ( NULL ! = dnqueryDomain ) {
free ( dnqueryDomain ) ;
}
if ( NULL ! = extradnsreply ) {
free ( extradnsreply ) ;
}
# endif
return status ;
}
static fc_error_t check_for_new_database_version (
const char * database ,
const char * dnsUpdateInfo ,
char * server ,
int bPrivateMirror ,
int logerr ,
uint32_t * localVersion ,
uint32_t * remoteVersion ,
char * * localFilename ,
2021-03-20 21:25:18 -07:00
char * * remoteFilename ,
uint32_t * localTimestamp )
2019-03-26 15:09:52 -04:00
{
fc_error_t ret ;
fc_error_t status = FC_EARG ;
char * localname = NULL ;
struct cl_cvd * local_database = NULL ;
char * remotename = NULL ;
2021-03-20 21:25:18 -07:00
uint32_t localver = 0 ;
uint32_t remotever = 0 ;
2019-03-26 15:09:52 -04:00
if ( ( NULL = = database ) | | ( NULL = = server ) | |
( NULL = = localVersion ) | | ( NULL = = remoteVersion ) | |
2021-03-20 21:25:18 -07:00
( NULL = = localFilename ) | | ( NULL = = remoteFilename ) | |
( NULL = = localTimestamp ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " check_for_new_database_version: Invalid args! \n " ) ;
2019-03-26 15:09:52 -04:00
goto done ;
}
* localVersion = 0 ;
* remoteVersion = 0 ;
* localFilename = NULL ;
* remoteFilename = NULL ;
2021-03-20 21:25:18 -07:00
* localTimestamp = 0 ;
2019-03-26 15:09:52 -04:00
/*
* Check local database version ( if exists )
*/
if ( NULL = = ( local_database = currentdb ( database , & localname ) ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_DEBUG , " check_for_new_database_version: No local copy of \" %s \" database. \n " , database ) ;
2019-03-26 15:09:52 -04:00
} else {
2022-02-16 00:13:55 +01:00
logg ( LOGG_DEBUG , " check_for_new_database_version: Local copy of %s found: %s. \n " , database , localname ) ;
2021-03-20 21:25:18 -07:00
* localTimestamp = local_database - > stime ;
localver = local_database - > version ;
2019-03-26 15:09:52 -04:00
}
/*
* Look up the latest available database version .
*/
ret = query_remote_database_version (
database ,
2021-03-20 21:25:18 -07:00
* localTimestamp ,
2019-03-26 15:09:52 -04:00
dnsUpdateInfo ,
server ,
bPrivateMirror ,
logerr ,
& remotever ,
& remotename ) ;
switch ( ret ) {
2022-08-27 10:46:21 -07:00
case FC_SUCCESS :
2019-03-26 15:09:52 -04:00
if ( 0 = = localver ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_INFO , " %s database available for download (remote version: %d) \n " ,
2019-03-26 15:09:52 -04:00
database , remotever ) ;
break ;
} else if ( localver < remotever ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_INFO , " %s database available for update (local version: %d, remote version: %d) \n " ,
2019-03-26 15:09:52 -04:00
database , localver , remotever ) ;
break ;
}
2021-03-21 19:47:21 -07:00
/* fall-through */
2022-08-27 10:46:21 -07:00
case FC_UPTODATE :
2019-03-26 15:09:52 -04:00
if ( NULL = = local_database ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " check_for_new_database_version: server claims we're up-to-date, but we don't have a local database! \n " ) ;
2019-03-26 15:09:52 -04:00
status = FC_EFAILEDGET ;
goto done ;
}
2022-02-16 00:13:55 +01:00
logg ( LOGG_INFO , " %s database is up-to-date (version: %d, sigs: %d, f-level: %d, builder: %s) \n " ,
2019-03-26 15:09:52 -04:00
localname ,
local_database - > version ,
local_database - > sigs ,
local_database - > fl ,
local_database - > builder ) ;
/* The remote version wouldn't be set if the server returned "Not-Modified".
We know it will be the same as the local version though . */
remotever = localver ;
break ;
2022-08-27 10:46:21 -07:00
case FC_EFORBIDDEN :
2021-03-21 19:47:21 -07:00
/* We tried to look up the version using HTTP and were actively blocked. */
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " check_for_new_database_version: Blocked from using server %s. \n " , server ) ;
2021-03-21 19:47:21 -07:00
status = FC_EFORBIDDEN ;
goto done ;
2022-08-27 10:46:21 -07:00
default :
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " check_for_new_database_version: Failed to find %s database using server %s. \n " , database , server ) ;
2019-03-26 15:09:52 -04:00
status = FC_EFAILEDGET ;
goto done ;
}
* remoteVersion = remotever ;
if ( NULL ! = remotename ) {
2024-01-09 17:44:33 -05:00
* remoteFilename = cli_safer_strdup ( remotename ) ;
2019-03-26 15:09:52 -04:00
if ( NULL = = * remoteFilename ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " check_for_new_database_version: Failed to allocate memory for remote filename. \n " ) ;
2019-03-26 15:09:52 -04:00
status = FC_EMEM ;
goto done ;
}
}
if ( NULL ! = localname ) {
* localVersion = localver ;
2024-01-09 17:44:33 -05:00
* localFilename = cli_safer_strdup ( localname ) ;
2019-03-26 15:09:52 -04:00
if ( NULL = = * localFilename ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " check_for_new_database_version: Failed to allocate memory for local filename. \n " ) ;
2019-03-26 15:09:52 -04:00
status = FC_EMEM ;
goto done ;
}
}
status = FC_SUCCESS ;
done :
if ( NULL ! = localname ) {
free ( localname ) ;
}
if ( NULL ! = remotename ) {
free ( remotename ) ;
}
if ( NULL ! = local_database ) {
cl_cvdfree ( local_database ) ;
}
return status ;
}
fc_error_t updatedb (
const char * database ,
const char * dnsUpdateInfo ,
char * server ,
int bPrivateMirror ,
void * context ,
int bScriptedUpdates ,
int logerr ,
int * signo ,
char * * dbFilename ,
int * bUpdated )
{
fc_error_t ret ;
fc_error_t status = FC_EARG ;
struct cl_cvd * cvd = NULL ;
2021-03-20 21:25:18 -07:00
uint32_t localTimestamp = 0 ;
uint32_t localVersion = 0 ;
uint32_t remoteVersion = 0 ;
char * localFilename = NULL ;
char * remoteFilename = NULL ;
char * newLocalFilename = NULL ;
2019-03-26 15:09:52 -04:00
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
char * cld_build_dir = NULL ;
char * tmpfile = NULL ;
char * signfile = NULL ;
uint32_t downloadedVersion = 0 ;
FFIError * glob_rm_error = NULL ;
2019-03-26 15:09:52 -04:00
unsigned int flevel ;
unsigned int i , j ;
if ( ( NULL = = database ) | | ( NULL = = server ) | | ( NULL = = signo ) | | ( NULL = = dbFilename ) | | ( NULL = = bUpdated ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " updatedb: Invalid args! \n " ) ;
2019-03-26 15:09:52 -04:00
goto done ;
}
* signo = 0 ;
* dbFilename = NULL ;
* bUpdated = 0 ;
/*
* Check if new version exists .
*/
if ( FC_SUCCESS ! = ( ret = check_for_new_database_version (
database ,
dnsUpdateInfo ,
server ,
bPrivateMirror ,
logerr ,
& localVersion ,
& remoteVersion ,
& localFilename ,
2021-03-20 21:25:18 -07:00
& remoteFilename ,
& localTimestamp ) ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_DEBUG , " updatedb: %s database update failed. \n " , database ) ;
2019-03-26 15:09:52 -04:00
status = ret ;
goto done ;
}
Freshclam: Download missing .sign files for up-to-date .cvd's (#1587)
If the database directory has an up-to-date .cvd (not .cld) which lacks
a .sign file, then Freshclam should try to download the .cvd.sign file.
If no .sign file is available, it will debug-log it and will not
complain loudly.
Example output:
```
❯ ./install/bin/freshclam
ClamAV update process started at Fri Oct 3 17:20:04 2025
daily.cvd database is up-to-date (version: 27780, sigs: 2076928, f-level: 90, builder: tomjudge)
Time: 0.2s, ETA: 0.0s [========================>] 8.87KiB/8.87KiB
Downloaded missing CVD .sign file daily-27780.cvd.sign
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Time: 0.1s, ETA: 0.0s [========================>] 8.87KiB/8.87KiB
Downloaded missing CVD .sign file main-62.cvd.sign
bytecode.cvd database is up-to-date (version: 339, sigs: 80, f-level: 90, builder: nrandolp)
Time: 0.5s, ETA: 0.0s [========================>] 8.87KiB/8.87KiB
Downloaded missing CVD .sign file bytecode-339.cvd.sign
```
2025-10-05 17:42:59 -04:00
if ( NULL ! = localFilename ) {
if ( localVersion = = remoteVersion ) {
* dbFilename = cli_safer_strdup ( localFilename ) ;
/* check if localFilename ends with ".cvd" (i.e., not ".cld") */
if ( NULL ! = strstr ( localFilename , " .cvd " ) ) {
/* CVD file detected, lets see if we have the .sign file.
Just in case one was published for the database we have and we missed it . */
char cvd_sign_file [ DB_FILENAME_MAX + 5 /* ".sign" */ + 1 ] ;
snprintf ( cvd_sign_file , sizeof ( cvd_sign_file ) , " %s-%d.cvd.sign " , database , localVersion ) ;
cvd_sign_file [ sizeof ( cvd_sign_file ) - 1 ] = 0 ;
if ( - 1 = = access ( cvd_sign_file , R_OK ) ) {
/* CVD .sign file not found. We should try to download it. */
char * sign_url = NULL ;
size_t sign_urlLen = 0 ;
sign_urlLen = strlen ( server ) + strlen ( " / " ) + strlen ( cvd_sign_file ) ;
sign_url = malloc ( sign_urlLen + 1 ) ;
if ( NULL = = sign_url ) {
logg ( LOGG_ERROR , " updatedb: Can't allocate memory for sign URL \n " ) ;
status = FC_EMEM ;
goto done ;
}
snprintf ( sign_url , sign_urlLen + 1 , " %s/%s " , server , cvd_sign_file ) ;
logg ( LOGG_DEBUG , " Trying to download missing CVD .sign file %s \n " , sign_url ) ;
ret = downloadFile (
sign_url ,
cvd_sign_file ,
1 ,
logerr ,
1 ,
0 ) ;
if ( FC_SUCCESS ! = ret ) {
// Not a big deal if we can't get it, just debug-log it, and move on.
logg ( LOGG_DEBUG , " No .sign file found for %s \n " , localFilename ) ;
} else {
logg ( LOGG_INFO , " Downloaded missing CVD .sign file %s \n " , cvd_sign_file ) ;
}
free ( sign_url ) ;
}
}
goto up_to_date ;
} else if ( localVersion > remoteVersion ) {
* dbFilename = cli_safer_strdup ( localFilename ) ;
goto up_to_date ;
}
2019-03-26 15:09:52 -04:00
}
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
/*
* Download CVD or CLD to a file in the temp directory .
*/
// Create a temp file for the new database.
tmpfile = calloc ( 1 , strlen ( g_tempDirectory ) + strlen ( PATHSEP ) + strlen ( remoteFilename ) + 1 ) ;
2019-03-26 15:09:52 -04:00
if ( ! tmpfile ) {
status = FC_EMEM ;
goto done ;
}
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
snprintf ( tmpfile , strlen ( g_tempDirectory ) + strlen ( PATHSEP ) + strlen ( remoteFilename ) + 1 ,
" %s " PATHSEP " %s " , g_tempDirectory , remoteFilename ) ;
2019-03-26 15:09:52 -04:00
if ( ( localVersion = = 0 ) | | ( ! bScriptedUpdates ) ) {
/*
* Download entire file .
*/
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
ret = getcvd ( database , remoteFilename , tmpfile , server , localTimestamp , remoteVersion , & signfile , & downloadedVersion , logerr ) ;
2021-03-20 21:25:18 -07:00
if ( FC_UPTODATE = = ret ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_WARNING , " Expected newer version of %s database but the server's copy is not newer than our local file (version %d). \n " , database , localVersion ) ;
2021-03-20 21:25:18 -07:00
if ( NULL ! = localFilename ) {
2021-03-25 13:31:46 -07:00
/* Received a 304 (not modified), must be up-to-date after all */
2024-01-09 17:44:33 -05:00
* dbFilename = cli_safer_strdup ( localFilename ) ;
2021-03-20 21:25:18 -07:00
}
goto up_to_date ;
2021-03-22 13:36:02 -07:00
} else if ( FC_EMIRRORNOTSYNC = = ret ) {
/* Let's accept this older version, but keep the error code.
* We ' ll have fc_update_database ( ) retry using CDIFFs .
*/
2022-02-16 00:13:55 +01:00
logg ( LOGG_DEBUG , " Received an older %s CVD than was advertised. We'll keep it and try updating to the latest version with CDIFFs. \n " , database ) ;
2021-03-22 13:36:02 -07:00
status = ret ;
2021-03-20 21:25:18 -07:00
} else if ( FC_SUCCESS ! = ret ) {
2019-03-26 15:09:52 -04:00
status = ret ;
goto done ;
}
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
// The file name won't change for a simple download.
// It will only change if we're doing a scripted update.
2024-01-09 17:44:33 -05:00
newLocalFilename = cli_safer_strdup ( remoteFilename ) ;
2019-03-26 15:09:52 -04:00
} else {
/*
* Attempt scripted / CDIFF incremental update .
*/
2021-04-02 20:59:13 -07:00
ret = FC_SUCCESS ;
uint32_t numPatchesReceived = 0 ;
2019-03-26 15:09:52 -04:00
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
// Create a temp directory where we'll build the new CLD.
cld_build_dir = cli_gentemp_with_prefix ( g_tempDirectory , " cld " ) ;
if ( ! cld_build_dir ) {
2019-03-26 15:09:52 -04:00
status = FC_EMEM ;
goto done ;
}
2019-08-04 17:44:20 -04:00
# ifdef HAVE_UNISTD_H
if ( ! mprintf_quiet & & ( mprintf_progress | | isatty ( fileno ( stdout ) ) ) )
# else
if ( ! mprintf_quiet )
# endif
{
2019-07-08 13:28:39 -07:00
if ( remoteVersion - localVersion = = 1 ) {
2022-02-16 00:13:55 +01:00
mprintf ( LOGG_INFO , " Current database is 1 version behind. \n " ) ;
2019-07-08 13:28:39 -07:00
} else {
2022-02-16 00:13:55 +01:00
mprintf ( LOGG_INFO , " Current database is %u versions behind. \n " , remoteVersion - localVersion ) ;
2019-07-08 13:28:39 -07:00
}
}
2019-03-26 15:09:52 -04:00
for ( i = localVersion + 1 ; i < = remoteVersion ; i + + ) {
for ( j = 1 ; j < = g_maxAttempts ; j + + ) {
int llogerr = logerr ;
if ( logerr )
llogerr = ( j = = g_maxAttempts ) ;
2019-07-08 13:28:39 -07:00
2019-08-04 17:44:20 -04:00
# ifdef HAVE_UNISTD_H
if ( ! mprintf_quiet & & ( mprintf_progress | | isatty ( fileno ( stdout ) ) ) )
# else
if ( ! mprintf_quiet )
# endif
{
2022-02-16 00:13:55 +01:00
mprintf ( LOGG_INFO , " Downloading database patch # %u... \n " , i ) ;
2019-07-08 13:28:39 -07:00
}
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
// If the build directory doesn't exist, we'll create it and unpack the database into it.
// Then we download and apply the patch.
ret = downloadPatchAndApply ( database , cld_build_dir , i , server , llogerr ) ;
2019-03-26 15:09:52 -04:00
if ( ret = = FC_ECONNECTION | | ret = = FC_EFAILEDGET ) {
continue ;
} else {
break ;
}
}
2021-04-02 20:59:13 -07:00
if ( FC_SUCCESS = = ret ) {
numPatchesReceived + = 1 ;
} else {
2019-03-26 15:09:52 -04:00
break ;
2021-04-02 20:59:13 -07:00
}
2019-03-26 15:09:52 -04:00
}
2021-04-02 20:59:13 -07:00
if (
( FC_EEMPTYFILE = = ret ) | | /* Request a new CVD if we got an empty CDIFF. */
2023-04-10 20:26:23 -07:00
( FC_EFAILEDUPDATE = = ret ) | | /* Request a new CVD if we failed to apply a CDIFF. */
2021-04-02 20:59:13 -07:00
( FC_SUCCESS ! = ret & & ( /* Or if the incremental update failed: */
( 0 = = numPatchesReceived ) & & /* 1. Ask for the CVD if we didn't get any patches, */
( localVersion < remoteVersion - 1 ) /* 2. AND if we're more than 1 version out of date. */
) ) ) {
2019-03-26 15:09:52 -04:00
/*
* Incremental update failed or intentionally disabled .
*/
if ( ret = = FC_EEMPTYFILE ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_DEBUG , " Empty CDIFF found. Skip incremental updates for this version and download %s \n " , remoteFilename ) ;
2019-03-26 15:09:52 -04:00
} else {
2022-02-16 00:13:55 +01:00
logg ( LOGG_WARNING , " Incremental update failed, trying to download %s \n " , remoteFilename ) ;
2019-03-26 15:09:52 -04:00
}
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
ret = getcvd ( database , remoteFilename , tmpfile , server , localTimestamp , remoteVersion , & signfile , & downloadedVersion , logerr ) ;
2019-03-26 15:09:52 -04:00
if ( FC_SUCCESS ! = ret ) {
2021-06-23 10:07:24 -07:00
if ( FC_EMIRRORNOTSYNC = = ret ) {
2021-03-22 13:36:02 -07:00
/* Note: We can't retry with CDIFF's if FC_EMIRRORNOTSYNC happened here.
* If we did there could be an infinite loop .
* Best option is to accept the older CVD .
*/
2022-02-16 00:13:55 +01:00
logg ( LOGG_WARNING , " Received an older %s CVD than was advertised. Incremental updates either failed or are disabled, so we'll have to settle for a slightly out-of-date database. \n " , database ) ;
2021-03-22 13:36:02 -07:00
status = FC_SUCCESS ;
} else {
status = ret ;
goto done ;
}
2019-03-26 15:09:52 -04:00
}
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
// We gave up on patching, so it's back to a simple file download.
// The file name won't change for a simple download.
2024-01-09 17:44:33 -05:00
newLocalFilename = cli_safer_strdup ( remoteFilename ) ;
2021-04-02 20:59:13 -07:00
} else if ( 0 = = numPatchesReceived ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_INFO , " The database server doesn't have the latest patch for the %s database (version %u). The server will likely have updated if you check again in a few hours. \n " , database , remoteVersion ) ;
2024-01-09 17:44:33 -05:00
* dbFilename = cli_safer_strdup ( localFilename ) ;
2021-04-02 20:59:13 -07:00
goto up_to_date ;
2019-03-26 15:09:52 -04:00
} else {
/*
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
* CDIFFs downloaded and applied ; Use CDIFFs to turn old CVD / CLD into new updated CLD .
2019-03-26 15:09:52 -04:00
*/
2021-04-02 20:59:13 -07:00
if ( numPatchesReceived < remoteVersion - localVersion ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_INFO , " Downloaded %u patches for %s, which is fewer than the %u expected patches. \n " , numPatchesReceived , database , remoteVersion - localVersion ) ;
logg ( LOGG_INFO , " We'll settle for this partial-update, at least for now. \n " ) ;
2021-04-02 20:59:13 -07:00
}
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
// For a scripted update, the new database will have
// a .cld extension.
// Overwrite the tmpfile's .cvd extension with a .cld extension
sprintf ( tmpfile + strlen ( tmpfile ) - 3 , " cld " ) ;
// And set the new filename that we'll used to copy to the DB directory
size_t newLocalFilenameLen = strlen ( database ) + strlen ( " .cld " ) ;
newLocalFilename = malloc ( newLocalFilenameLen + 1 ) ;
snprintf ( newLocalFilename , newLocalFilenameLen + 1 , " %s.cld " , database ) ;
if ( FC_SUCCESS ! = buildcld ( cld_build_dir , database , tmpfile , g_bCompressLocalDatabase ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " updatedb: Incremental update failed. Failed to build CLD. \n " ) ;
2023-04-12 22:49:17 -07:00
status = FC_EBADCVD ;
2019-03-26 15:09:52 -04:00
goto done ;
}
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
// CLD's can't be signed, so we don't need to worry about the signature file.
// It's in the tmp directory so we don't need to manually delete it.
// Just free up the filename and we won't copy it into the DB directory later.
CLI_FREE_AND_SET_NULL ( signfile ) ;
2019-03-26 15:09:52 -04:00
}
}
/*
* Update downloaded .
* Test database before replacing original database with new database .
*/
if ( NULL ! = g_cb_download_complete ) {
/* Run callback to test it. */
2022-02-16 00:13:55 +01:00
logg ( LOGG_DEBUG , " updatedb: Running g_cb_download_complete callback... \n " ) ;
2019-03-26 15:09:52 -04:00
if ( FC_SUCCESS ! = ( ret = g_cb_download_complete ( tmpfile , context ) ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_DEBUG , " updatedb: callback failed: %s (%d) \n " , fc_strerror ( ret ) , ret ) ;
2019-03-26 15:09:52 -04:00
status = ret ;
goto done ;
}
}
2019-12-23 16:52:14 -05:00
/*
2019-03-26 15:09:52 -04:00
* Replace original database with new database .
*/
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
logg ( LOGG_DEBUG , " updatedb: Moving %s to %s " PATHSEP " %s \n " , tmpfile , g_databaseDirectory , newLocalFilename ) ;
2019-03-26 15:09:52 -04:00
# ifdef _WIN32
if ( ! access ( newLocalFilename , R_OK ) & & unlink ( newLocalFilename ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " Update failed. Can't delete the old database %s to replace it with a new database. Please fix the problem manually and try again. \n " , newLocalFilename ) ;
2021-09-28 15:13:55 -07:00
status = FC_EDBDIRACCESS ;
2019-03-26 15:09:52 -04:00
goto done ;
}
# endif
if ( rename ( tmpfile , newLocalFilename ) = = - 1 ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " updatedb: Can't rename %s to %s: %s \n " , tmpfile , newLocalFilename , strerror ( errno ) ) ;
2019-03-26 15:09:52 -04:00
status = FC_EDBDIRACCESS ;
goto done ;
}
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
// If there are any old signature files for this database in the DB directory, delete them.
// We'll use a glob pattern to match the signature files
char * pattern = calloc ( 1 , strlen ( database ) + strlen ( " -*.sign " ) + 1 ) ;
if ( ! pattern ) {
logg ( LOGG_ERROR , " updatedb: Failed to allocate memory for signature file pattern. \n " ) ;
status = FC_EMEM ;
goto done ;
}
sprintf ( pattern , " %s-*.sign " , database ) ;
if ( ! glob_rm ( pattern , & glob_rm_error ) ) {
cli_errmsg ( " updatedb: Failed to glob-delete old .sign files with pattern '%s': %s \n " ,
pattern , ffierror_fmt ( glob_rm_error ) ) ;
ffierror_free ( glob_rm_error ) ;
free ( pattern ) ;
status = FC_ERROR ;
goto done ;
}
free ( pattern ) ;
// If we have a signature file, move it from the temp directory to the database directory
if ( NULL ! = signfile ) {
char * newSignFilename = NULL ;
logg ( LOGG_DEBUG , " updatedb: Moving signature file %s to database directory \n " , signfile ) ;
// get the basename of the signfile
2025-08-11 18:02:09 -04:00
if ( CL_SUCCESS ! = cli_basename ( signfile , strlen ( signfile ) , & newSignFilename , false /* posix_support_backslash_pathsep */ ) ) {
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
logg ( LOGG_ERROR , " updatedb: Failed to get basename of '%s' \n " , signfile ) ;
goto done ;
}
if ( rename ( signfile , newSignFilename ) = = - 1 ) {
logg ( LOGG_ERROR , " updatedb: Can't rename %s to %s: %s \n " , signfile , newSignFilename , strerror ( errno ) ) ;
free ( newSignFilename ) ;
status = FC_EDBDIRACCESS ;
goto done ;
}
free ( newSignFilename ) ;
}
2019-03-26 15:09:52 -04:00
/* If we just updated from a CVD to a CLD, delete the old CVD */
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
if ( ( NULL ! = localFilename ) & & strcmp ( newLocalFilename , localFilename ) ) {
( void ) unlink ( localFilename ) ;
}
2019-03-26 15:09:52 -04:00
/* Parse header to record number of sigs. */
if ( NULL = = ( cvd = cl_cvdhead ( newLocalFilename ) ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " updatedb: Can't parse new database %s \n " , newLocalFilename ) ;
2019-03-26 15:09:52 -04:00
status = FC_EFILE ;
goto done ;
}
2022-02-16 00:13:55 +01:00
logg ( LOGG_INFO , " %s updated (version: %d, sigs: %d, f-level: %d, builder: %s) \n " ,
2019-03-26 15:09:52 -04:00
newLocalFilename , cvd - > version , cvd - > sigs , cvd - > fl , cvd - > builder ) ;
flevel = cl_retflevel ( ) ;
if ( flevel < cvd - > fl ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_WARNING , " Your ClamAV installation is OUTDATED! \n " ) ;
logg ( LOGG_WARNING , " Current functionality level = %d, recommended = %d \n " , flevel , cvd - > fl ) ;
logg ( LOGG_INFO , " DON'T PANIC! Read https://docs.clamav.net/manual/Installing.html \n " ) ;
2019-03-26 15:09:52 -04:00
}
* signo = cvd - > sigs ;
* bUpdated = 1 ;
2024-01-09 17:44:33 -05:00
* dbFilename = cli_safer_strdup ( newLocalFilename ) ;
2019-03-26 15:09:52 -04:00
if ( NULL = = * dbFilename ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " updatedb: Failed to allocate memory for database filename. \n " ) ;
2019-03-26 15:09:52 -04:00
status = FC_EMEM ;
goto done ;
}
up_to_date :
2021-03-22 13:36:02 -07:00
if ( status ! = FC_EMIRRORNOTSYNC ) {
status = FC_SUCCESS ;
}
2019-03-26 15:09:52 -04:00
done :
if ( NULL ! = cvd ) {
cl_cvdfree ( cvd ) ;
}
if ( NULL ! = localFilename ) {
free ( localFilename ) ;
}
if ( NULL ! = remoteFilename ) {
free ( remoteFilename ) ;
}
if ( NULL ! = newLocalFilename ) {
free ( newLocalFilename ) ;
}
if ( NULL ! = tmpfile ) {
unlink ( tmpfile ) ;
free ( tmpfile ) ;
}
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
if ( NULL ! = cld_build_dir ) {
cli_rmdirs ( cld_build_dir ) ;
free ( cld_build_dir ) ;
}
if ( NULL ! = signfile ) {
free ( signfile ) ;
2019-03-26 15:09:52 -04:00
}
return status ;
}
fc_error_t updatecustomdb (
const char * url ,
void * context ,
int logerr ,
int * signo ,
char * * dbFilename ,
int * bUpdated )
{
fc_error_t ret ;
fc_error_t status = FC_EARG ;
unsigned int sigs = 0 ;
char * tmpfile = NULL ;
const char * databaseName ;
STATBUF statbuf ;
time_t dbtime = 0 ;
if ( ( NULL = = url ) | | ( NULL = = signo ) | | ( NULL = = dbFilename ) | | ( NULL = = bUpdated ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " updatecustomdb: Invalid args! \n " ) ;
2019-03-26 15:09:52 -04:00
goto done ;
}
* signo = 0 ;
* dbFilename = NULL ;
* bUpdated = 0 ;
tmpfile = cli_gentemp ( g_tempDirectory ) ;
if ( ! tmpfile ) {
status = FC_EFAILEDUPDATE ;
goto done ;
}
if ( ! strncasecmp ( url , " file:// " , strlen ( " file:// " ) ) ) {
/*
* Copy from local file .
*/
time_t remote_dbtime ;
const char * rpath ;
rpath = & url [ strlen ( " file:// " ) ] ;
# ifdef _WIN32
databaseName = strrchr ( rpath , ' \\ ' ) ;
# else
databaseName = strrchr ( rpath , ' / ' ) ;
# endif
if ( ( NULL = = databaseName ) | | strlen ( databaseName + + ) < strlen ( " .ext " ) + 1 ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_INFO , " DatabaseCustomURL: Incorrect URL \n " ) ;
2019-03-26 15:09:52 -04:00
status = FC_EFAILEDUPDATE ;
goto done ;
}
if ( CLAMSTAT ( rpath , & statbuf ) = = - 1 ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_INFO , " DatabaseCustomURL: file %s missing \n " , rpath ) ;
2019-03-26 15:09:52 -04:00
status = FC_EFAILEDUPDATE ;
goto done ;
}
remote_dbtime = statbuf . st_mtime ;
dbtime = ( CLAMSTAT ( databaseName , & statbuf ) ! = - 1 ) ? statbuf . st_mtime : 0 ;
if ( dbtime > remote_dbtime ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_INFO , " %s is up-to-date (version: custom database) \n " , databaseName ) ;
2019-03-26 15:09:52 -04:00
goto up_to_date ;
}
/* FIXME: preserve file permissions, calculate % */
if ( - 1 = = cli_filecopy ( rpath , tmpfile ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_INFO , " DatabaseCustomURL: Can't copy file %s into database directory \n " , rpath ) ;
2019-03-26 15:09:52 -04:00
status = FC_EFAILEDUPDATE ;
goto done ;
}
2022-02-16 00:13:55 +01:00
logg ( LOGG_INFO , " Downloading %s [100%%] \n " , databaseName ) ;
2019-03-26 15:09:52 -04:00
} else {
/*
* Download from URL . http ( s ) or ftp ( s )
*/
databaseName = strrchr ( url , ' / ' ) ;
if ( ( NULL = = databaseName ) | | ( strlen ( databaseName + + ) < 5 ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_INFO , " DatabaseCustomURL: Incorrect URL \n " ) ;
2019-03-26 15:09:52 -04:00
status = FC_EFAILEDUPDATE ;
goto done ;
}
dbtime = ( CLAMSTAT ( databaseName , & statbuf ) ! = - 1 ) ? statbuf . st_mtime : 0 ;
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.
Fixes: https://github.com/Cisco-Talos/clamav/issues/564
Add a Rust implementation for parsing, verifying, and unpacking CVD
files.
Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
`--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
`CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
`CVDCertsDirectory PATH`
Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.
Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.
libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
```c
extern cl_error_t cl_cvdverify_ex(const char *file,
const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file,
const char *dir,
bool dont_verify,
const char *certs_directory);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it
with `cl_engine_get_str`, to override the compiled in default
CVD certs directory.
libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.
Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.
Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411
CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.
Fix some log messages with missing new lines.
Fix missing environment variable notes in --help messages and manpages.
Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.
The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2024-11-21 14:01:09 -05:00
ret = downloadFile ( url , tmpfile , 1 , logerr , 0 , dbtime ) ;
2019-03-26 15:09:52 -04:00
if ( ret = = FC_UPTODATE ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_INFO , " %s is up-to-date (version: custom database) \n " , databaseName ) ;
2019-03-26 15:09:52 -04:00
goto up_to_date ;
} else if ( ret > FC_UPTODATE ) {
2023-04-12 22:49:17 -07:00
logg ( logerr ? LOGG_ERROR : LOGG_WARNING , " Can't download %s from %s \n " , databaseName , url ) ;
2019-03-26 15:09:52 -04:00
status = ret ;
goto done ;
}
}
/*
* Update downloaded .
* Test database before replacing original database with new database .
*/
if ( NULL ! = g_cb_download_complete ) {
char * tmpfile_with_extension = NULL ;
size_t tmpfile_with_extension_len = strlen ( tmpfile ) + 1 + strlen ( databaseName ) ;
/* Suffix tmpfile with real database name & extension so it can be loaded. */
tmpfile_with_extension = malloc ( tmpfile_with_extension_len + 1 ) ;
if ( ! tmpfile_with_extension ) {
status = FC_ETESTFAIL ;
goto done ;
}
snprintf ( tmpfile_with_extension , tmpfile_with_extension_len + 1 , " %s-%s " , tmpfile , databaseName ) ;
if ( rename ( tmpfile , tmpfile_with_extension ) = = - 1 ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " Custom database update failed: Can't rename %s to %s: %s \n " , tmpfile , tmpfile_with_extension , strerror ( errno ) ) ;
More Coverity bug fixes
Fixed the following Coverity issues:
- 225236 - In cli_egg_extract_file: Dereference of an explicit
null value (CWE-476). The first fail case checked handle for
NULL and then dereferenced it in the done block
- 225209 - In executeIfNewVersion: Leak of memory or pointers
to system resources (CWE-404). modifiedCommand was defined
twice, with the inner instance being assigned to and the
outer instance being freed
- 225201 - In regex_list_match: Code can never be reached
because of a logical contradiction (CWE-561). The code had
logic off to the side that may have been missed:
filter_search_rc = filter_search(&matcher->filter, (const unsigned char *)bufrev, buffer_len) != -1;
if (filter_search_rc == -1) {
- 225198 - In phishingCheck: Leak of memory or pointers to
system resources (CWE-404). A fail case caused by malloc
failing would leak previously allocated memory.
- 225197 - In updatecustomdb: A pointer to freed memory
is dereferenced, used as a function argument, or otherwise
used (CWE-416). In a fail case, a pointer was freed and
then used in a debug print statement
- 225190 - In updatedb: A pointer to freed memory is
dereferenced, used as a function argument, or otherwise used
(CWE-416). In a fail case, a pointer was freed and then used
in a debug print statement
- 225195 - In cli_egg_open: The sizeof operator is used on a
wrong argument that incidentally has the same size (CWE-467).
sizeof(char **) was being used instead of sizeof(char *)
- 225193 - In egg_parse_comment_header: Code can never be
reached because of a logical contradiction (CWE-561).
A cleanup case for variable comment was unnecessary, and
to fix comment was removed entirely.
- 225147 - In get_server_node: Code can never be reached
because of a logical contradiction (CWE-561). A cleanup
case for variable url was unnecessary
- 225168 - In download_complete_callback: Missing break
statement between cases in switch statement (CWE-484).
In the case where forking failed, freshclam would check
the database without forking but then continue on to
execute the code intended to be done in the child process
because of a missing break statement
- 225152 - In cli_egg_lzma_decompress: Use of an
uninitialized variable (CWE-457). Certain fail cases
would call cli_LzmaShutdown on an uninitialized stream.
Now it’s only called after initialization occurs.
2020-05-08 11:57:32 -04:00
free ( tmpfile_with_extension ) ;
2019-03-26 15:09:52 -04:00
status = FC_EDBDIRACCESS ;
goto done ;
}
free ( tmpfile ) ;
tmpfile = tmpfile_with_extension ;
tmpfile_with_extension = NULL ;
/* Run callback to test it. */
2022-02-16 00:13:55 +01:00
logg ( LOGG_DEBUG , " updatecustomdb: Running g_cb_download_complete callback... \n " ) ;
2019-03-26 15:09:52 -04:00
if ( FC_SUCCESS ! = ( ret = g_cb_download_complete ( tmpfile , context ) ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_DEBUG , " updatecustomdb: callback failed: %s (%d) \n " , fc_strerror ( ret ) , ret ) ;
2019-03-26 15:09:52 -04:00
status = ret ;
goto done ;
}
}
/*
* Replace original database with new database .
*/
# ifdef _WIN32
if ( ! access ( databaseName , R_OK ) & & unlink ( databaseName ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " Custom database update failed. Can't delete the old database %s to replace it with a new database. Please fix the problem manually and try again. \n " , databaseName ) ;
2021-09-28 15:13:55 -07:00
status = FC_EDBDIRACCESS ;
2019-03-26 15:09:52 -04:00
goto done ;
}
# endif
if ( rename ( tmpfile , databaseName ) = = - 1 ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " updatecustomdb: Can't rename %s to %s: %s \n " , tmpfile , databaseName , strerror ( errno ) ) ;
2019-03-26 15:09:52 -04:00
status = FC_EDBDIRACCESS ;
goto done ;
}
/*
* Record # of signatures in updated database .
*/
if ( cli_strbcasestr ( databaseName , " .cld " ) | | cli_strbcasestr ( databaseName , " .cvd " ) ) {
struct cl_cvd * cvd = NULL ;
unsigned int flevel ;
if ( NULL = = ( cvd = cl_cvdhead ( databaseName ) ) ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " updatecustomdb: Can't parse new database %s \n " , databaseName ) ;
2019-03-26 15:09:52 -04:00
status = FC_EFILE ;
goto done ;
}
sigs = cvd - > sigs ;
flevel = cl_retflevel ( ) ;
if ( flevel < cvd - > fl ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_WARNING , " Your ClamAV installation is OUTDATED! \n " ) ;
logg ( LOGG_WARNING , " Current functionality level = %d, recommended = %d \n " , flevel , cvd - > fl ) ;
logg ( LOGG_INFO , " DON'T PANIC! Read https://docs.clamav.net/manual/Installing.html \n " ) ;
2019-03-26 15:09:52 -04:00
}
cl_cvdfree ( cvd ) ;
} else if ( cli_strbcasestr ( databaseName , " .cbc " ) ) {
sigs = 1 ;
} else {
sigs = countlines ( databaseName ) ;
}
2022-02-16 00:13:55 +01:00
logg ( LOGG_INFO , " %s updated (version: custom database, sigs: %u) \n " , databaseName , sigs ) ;
2019-03-26 15:09:52 -04:00
* signo = sigs ;
* bUpdated = 1 ;
up_to_date :
2024-01-09 17:44:33 -05:00
* dbFilename = cli_safer_strdup ( databaseName ) ;
2019-03-26 15:09:52 -04:00
if ( NULL = = * dbFilename ) {
2022-02-16 00:13:55 +01:00
logg ( LOGG_ERROR , " Failed to allocate memory for database filename. \n " ) ;
2019-03-26 15:09:52 -04:00
status = FC_EMEM ;
goto done ;
}
status = FC_SUCCESS ;
done :
if ( NULL ! = tmpfile ) {
unlink ( tmpfile ) ;
free ( tmpfile ) ;
}
return status ;
}
