Stowage/clamav
2
0
Fork 0
mirror of https://github.com/Cisco-Talos/clamav.git synced 2025-10-19 18:33:16 +00:00
Code Issues Projects Releases Packages Wiki Activity

Migrate script2cdiff from sigtool.c to cdiff.rs

Browse source 
getdsig was also moved from sigtool.c to dsig.c, and renamed to cli_getdsig
This commit is contained in:
John Humlick 2021-12-02 15:07:48 -08:00 committed by Micah Snyder
parent cbcd80334d
commit d8f06806e4
6 changed files with 365 additions and 273 deletions
Download patch file Download diff file Expand all files Collapse all files

131
libclamav/dsig.c
View file

@ -37,6 +37,23 @@
#include "str.h"
#include "bignum.h"
#ifndef _WIN32
#include <sys/socket.h>
#include <sys/un.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/wait.h>
#else
#include "w32_stat.h"
#endif
#ifdef HAVE_TERMIOS_H
#include <termios.h>
#endif
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#define CLI_NSTR "118640995551645342603070001658453189751527774412027743746599405743243142607464144767361060640655844749760788890022283424922762488917565551002467771109669598189410434699034532232228621591089508178591428456220796841621637175567590476666928698770143328137383952820383197532047771780196576957695822641224262693037"
#define CLI_ESTR "100001027"
@ -103,6 +120,120 @@ static unsigned char *cli_decodesig(const char *sig, unsigned int plen, mp_int e
return plain;
}
const char *cli_getdsig(const char *host, const char *user, const unsigned char *data, unsigned int datalen, unsigned short mode)
{
char buff[512], cmd[128], pass[30], *pt;
struct sockaddr_in server;
int sockd, bread, len;
#ifdef HAVE_TERMIOS_H
struct termios old, new;
#endif
memset(&server, 0x00, sizeof(struct sockaddr_in));
if ((pt = getenv("SIGNDPASS"))) {
strncpy(pass, pt, sizeof(pass));
pass[sizeof(pass) - 1] = '\0';
} else {
cli_infomsg(NULL, "Password: ");
#ifdef HAVE_TERMIOS_H
if (tcgetattr(0, &old)) {
cli_errmsg("getdsig: tcgetattr() failed\n");
return NULL;
}
new = old;
new.c_lflag &= ~ECHO;
if (tcsetattr(0, TCSAFLUSH, &new)) {
cli_errmsg("getdsig: tcsetattr() failed\n");
return NULL;
}
#endif
if (scanf("%30s", pass) == EOF) {
cli_errmsg("getdsig: Can't get password\n");
#ifdef HAVE_TERMIOS_H
tcsetattr(0, TCSAFLUSH, &old);
#endif
return NULL;
}
#ifdef HAVE_TERMIOS_H
if (tcsetattr(0, TCSAFLUSH, &old)) {
cli_errmsg("getdsig: tcsetattr() failed\n");
memset(pass, 0, sizeof(pass));
return NULL;
}
#endif
cli_infomsg(NULL, "\n");
}
if ((sockd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
perror("socket()");
cli_errmsg("getdsig: Can't create socket\n");
memset(pass, 0, sizeof(pass));
return NULL;
}
server.sin_family = AF_INET;
server.sin_addr.s_addr = inet_addr(host);
server.sin_port = htons(33101);
if (connect(sockd, (struct sockaddr *)&server, sizeof(struct sockaddr_in)) < 0) {
perror("connect()");
closesocket(sockd);
cli_errmsg("getdsig: Can't connect to ClamAV Signing Service at %s\n", host);
memset(pass, 0, sizeof(pass));
return NULL;
}
memset(cmd, 0, sizeof(cmd));
if (mode == 1)
snprintf(cmd, sizeof(cmd) - datalen, "ClamSign:%s:%s:", user, pass);
else if (mode == 2)
snprintf(cmd, sizeof(cmd) - datalen, "ClamSignPSS:%s:%s:", user, pass);
else
snprintf(cmd, sizeof(cmd) - datalen, "ClamSignPSS2:%s:%s:", user, pass);
len = strlen(cmd);
pt = cmd + len;
memcpy(pt, data, datalen);
len += datalen;
if (send(sockd, cmd, len, 0) < 0) {
cli_errmsg("getdsig: Can't write to socket\n");
closesocket(sockd);
memset(cmd, 0, sizeof(cmd));
memset(pass, 0, sizeof(pass));
return NULL;
}
memset(cmd, 0, sizeof(cmd));
memset(pass, 0, sizeof(pass));
memset(buff, 0, sizeof(buff));
if ((bread = recv(sockd, buff, sizeof(buff) - 1, 0)) > 0) {
buff[bread] = '\0';
if (!strstr(buff, "Signature:")) {
cli_errmsg("getdsig: Error generating digital signature\n");
cli_errmsg("getdsig: Answer from remote server: %s\n", buff);
closesocket(sockd);
return NULL;
} else {
cli_infomsg(NULL, "Signature received (length = %lu)\n", (unsigned long)strlen(buff) - 10);
}
} else {
cli_errmsg("getdsig: Communication error with remote server\n");
closesocket(sockd);
return NULL;
}
closesocket(sockd);
pt = buff;
pt += 10;
return strdup(pt);
}
int cli_versig(const char *md5, const char *dsig)
{
mp_int n, e;

1
libclamav/dsig.h
View file

@ -31,5 +31,6 @@
int cli_versig(const char *md5, const char *dsig);
int cli_versig2(const unsigned char *sha256, const char *dsig_str, const char *n_str, const char *e_str);
const char *cli_getdsig(const char *host, const char *user, const unsigned char *data, unsigned int datalen, unsigned short mode);
#endif

3
libclamav_rust/cbindgen.toml
View file

@ -17,7 +17,7 @@ no_includes = false
after_includes = ""
[export]
include = ["cdiff_apply"]
include = ["cdiff_apply", "script2cdiff"]
exclude = [
"cli_dbgmsg",
"cli_errmsg",
@ -25,6 +25,7 @@ exclude = [
"cli_warnmsg",
"cli_versig2",
"cli_get_debug_flag",
"cli_getdsig",
]
# prefix = "CAPI_"
item_types = []

8
libclamav_rust/cdiff.h
View file

@ -10,6 +10,14 @@
#include <stdint.h>
#include <stdlib.h>
/**
* # Safety
*
* This function is only meant to be called from sigtool.c
* If sigtool is ever ported to rust, this function should be
* rewritten.
*/
int32_t script2cdiff(const char *script, const char *builder, const char *server);
int32_t cdiff_apply(int32_t file_descriptor, uint16_t mode);

229
libclamav_rust/src/cdiff.rs
View file

@ -22,15 +22,19 @@ extern crate hex;
extern crate openssl;
use std::{
ffi::CStr,
ffi::CString,
fs::{self, File, OpenOptions},
io::{prelude::*, BufReader, BufWriter, Read, Seek, SeekFrom},
io::{prelude::*, BufReader, BufWriter, Read, Seek, SeekFrom, Write},
iter::*,
os::raw::c_char,
os::unix::io::FromRawFd,
process,
};
use flate2::read::GzDecoder;
use flate2::write::GzEncoder;
use flate2::Compression;
use log::*;
use openssl::sha;
use thiserror::Error;
@ -206,6 +210,15 @@ extern "C" {
/// int cli_versig2(const unsigned char *sha256, const char *dsig_str, const char *n_str, const char *e_str)
fn cli_versig2(digest: *const u8, dsig: *const i8, n: *const u8, e: *const u8) -> i32;
// static char *cli_getdsig(const char *host, const char *user, const unsigned char *data, unsigned int datalen, unsigned short mode)
fn cli_getdsig(
host: *const u8,
user: *const u8,
data: *const u8,
datalen: u32,
mode: u8,
) -> *const c_char;
/// uint8_t cli_get_debug_flag()
fn cli_get_debug_flag() -> u8;
}
@ -218,6 +231,209 @@ fn is_debug_enabled() -> bool {
}
}
/// Convert a plaintext script file of cdiff commands into a cdiff formatted file
///
/// This function makes a single C call to cli_getdsig to obtain a signed
/// signature from the sha256 of the contents written.
///
/// # Safety
///
/// This function is only meant to be called from sigtool.c
/// If sigtool is ever ported to rust, this function should be
/// rewritten.
#[no_mangle]
pub unsafe extern "C" fn script2cdiff(
script: *const c_char,
builder: *const c_char,
server: *const c_char,
) -> i32 {
// Deref the script file name pointer so we can use it
let script_file_name: &str = match std::ffi::CStr::from_ptr(script).to_str() {
Ok(s) => s,
Err(e) => {
error!("Failed to read first argument to script2diff: {}", e);
return -1;
}
};
// Make a copy of the script file name to use for the cdiff file
let cdiff_file_name_string = script_file_name.to_string();
let mut cdiff_file_name = cdiff_file_name_string.as_str();
debug!("script file name: {:?}", cdiff_file_name);
// Remove the "".script" suffix
if let Some(file_name) = cdiff_file_name.strip_suffix(".script") {
cdiff_file_name = file_name;
}
// Get right-most hyphen index
let hyphen_index: usize = match cdiff_file_name.rfind('-') {
Some(i) => i,
None => {
error!("Provided file name does not contain a hyphen.");
return -1;
}
};
// Get the version, which should be to the right of the hyphen
let version_string = match cdiff_file_name.get((hyphen_index + 1)..) {
Some(s) => s,
None => {
error!("Provided file name does not contain a version.");
return -1;
}
};
// Parse the version into usize
let version = match version_string.to_string().parse::<usize>() {
Ok(u) => u,
Err(e) => {
error!("Failed to parse version in script file name: {}", e);
return -1;
}
};
// Add .cdiff suffix
let cdiff_file_name = format!("{}.{}", cdiff_file_name, "cdiff");
debug!("Writing to: {:?}", cdiff_file_name);
// Open cdiff_file_name for writing
let mut cdiff_file: File = match File::create(&cdiff_file_name) {
Ok(f) => f,
Err(e) => {
error!("Failed to open file {} for writing: {}", cdiff_file_name, e);
return -1;
}
};
// Open the original script file for reading
let script_file: File = match File::open(&script_file_name) {
Ok(f) => f,
Err(e) => {
error!(
"Failed to open file {} for reading: {}",
script_file_name, e
);
return -1;
}
};
// Get file length
let script_file_len = match script_file.metadata() {
Ok(script_file_len) => script_file_len.len() as usize,
Err(e) => {
error!("Failed to get script file length: {}", e.to_string());
return -1;
}
};
// Write header to cdiff file
if let Err(e) = write!(cdiff_file, "ClamAV-Diff:{}:{}:", version, script_file_len) {
error!("Failed to write header to {}: {}", cdiff_file_name, e);
return -1;
}
// Set up buffered reader and gz writer
let reader = BufReader::new(script_file);
let mut gz = GzEncoder::new(cdiff_file, Compression::default());
// Read lines from script_file, compress and write to cdiff_file
for (mut line_no, line) in reader.lines().enumerate() {
// Cdiff lines start at 1
line_no += 1;
let mut line: String = match line {
Ok(s) => s,
Err(e) => {
error!("Failed to read line {}: {}", line_no, e);
return -1;
}
};
// Each line written must be newline separated per cdiff spec
line.push('\n');
if let Err(e) = gz.write_all(line.as_bytes()) {
error!("Failed to write line {}: {}", line_no, e);
return -1;
}
}
// Get cdiff file writer back from flate2
let mut cdiff_file = match gz.finish() {
Ok(file) => file,
Err(e) => {
error!("Failed to write compressed stream: {}", e);
return -1;
}
};
// Get the new cdiff file len
let cdiff_file_len = match cdiff_file.metadata() {
Ok(cdiff_file_len) => cdiff_file_len.len() as usize,
Err(e) => {
error!("Failed to get cdiff file length: {}", e);
return -1;
}
};
debug!("Wrote {} bytes to {}", cdiff_file_len, cdiff_file_name);
// Calculate SHA256 to get the DSIG
let bytes = match std::fs::read(&cdiff_file_name) {
Ok(file) => file,
Err(e) => {
error!("Failed to open {} for reading: {}", cdiff_file_name, e);
return -1;
}
};
let sha256 = sha::sha256(&bytes);
let dsig = cli_getdsig(
server as *const u8,
builder as *const u8,
sha256.to_vec().as_ptr(),
32,
2,
);
let dsig_str = CStr::from_ptr(dsig);
// Write cdiff footer delimiter
if let Err(e) = cdiff_file.write_all(b":") {
error!(
"Failed to write footer delimiter to {}: {}",
cdiff_file_name, e
);
return -1;
}
// Write dsig to cdiff footer
if let Err(e) = cdiff_file.write_all(dsig_str.to_bytes()) {
error!("Failed to write footer to {}: {}", cdiff_file_name, e);
return -1;
}
// Exit success
0
}
/// Apply cdiff (patch) file to all database files described in the cdiff.
///
/// A cdiff file contains a header consisting of a description, version, and
/// script file length (in bytes), all delimited by ':'
///
/// A cdiff file contains a gzipped body between the header and the footer, the
/// contents of which must be newline delimited. The body consists of all bytes
/// after the last ':' in the header and before the first ':' in the footer. The
/// body consists of cdiff commands.
///
/// A cdiff file contains a footer that is the signed signature of the sha256
/// file contains of the header and the body. The footer begins after the first
/// ':' character to the left of EOF.
///
/// # Safety
///
/// This function is only meant to be called from sigtool.c
/// If sigtool is ever ported to rust, this function should be
/// rewritten.
#[no_mangle]
pub extern "C" fn cdiff_apply(file_descriptor: i32, mode: u16) -> i32 {
debug!(
@ -624,13 +840,6 @@ fn cmd_close(mut ctx: &mut Context) -> Result<(), CdiffError> {
// cdiff lines start at 1
line_no += 1;
// if delete_lines {
// debug!("First element in delete list: cur_line == {} line_no == {} del_line = {}",
// line_no, del_vec[0].line_no, del_vec[0].del_line);
// debug!("is_empty {}, cur_del_node {}, del_vec_len {}",
// !del_vec.is_empty(), cur_del_node, del_vec_len);
// }
if delete_lines
&& !del_vec.is_empty()
&& cur_del_node < del_vec_len
@ -983,9 +1192,9 @@ mod tests {
.tempfile_in("./")
.expect("Failed to create temp file");
for line in initial_data {
file.write(line.as_bytes())
file.write_all(line.as_bytes())
.expect("Failed to write line to temp file");
file.write(b"\n")?;
file.write_all(b"\n")?;
}
Ok(file.into_temp_path())
}

266
sigtool/sigtool.c
View file

@ -29,36 +29,21 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#include <zlib.h>
#include <time.h>
#include <locale.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#ifndef _WIN32
#include <sys/socket.h>
#include <sys/un.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/wait.h>
#else
#include "w32_stat.h"
#endif
#include <dirent.h>
#include <ctype.h>
#include <libgen.h>
#ifdef HAVE_TERMIOS_H
#include <termios.h>
#endif
// libclamav
#include "clamav.h"
#include "matcher.h"
#include "cvd.h"
#include "dsig.h"
#include "str.h"
#include "ole2_extract.h"
#include "htmlnorm.h"
@ -488,120 +473,6 @@ static int utf16decode(const struct optstruct *opts)
return 0;
}
static char *getdsig(const char *host, const char *user, const unsigned char *data, unsigned int datalen, unsigned short mode)
{
char buff[512], cmd[128], pass[30], *pt;
struct sockaddr_in server;
int sockd, bread, len;
#ifdef HAVE_TERMIOS_H
struct termios old, new;
#endif
memset(&server, 0x00, sizeof(struct sockaddr_in));
if ((pt = getenv("SIGNDPASS"))) {
strncpy(pass, pt, sizeof(pass));
pass[sizeof(pass) - 1] = '\0';
} else {
mprintf("Password: ");
#ifdef HAVE_TERMIOS_H
if (tcgetattr(0, &old)) {
mprintf("!getdsig: tcgetattr() failed\n");
return NULL;
}
new = old;
new.c_lflag &= ~ECHO;
if (tcsetattr(0, TCSAFLUSH, &new)) {
mprintf("!getdsig: tcsetattr() failed\n");
return NULL;
}
#endif
if (scanf("%30s", pass) == EOF) {
mprintf("!getdsig: Can't get password\n");
#ifdef HAVE_TERMIOS_H
tcsetattr(0, TCSAFLUSH, &old);
#endif
return NULL;
}
#ifdef HAVE_TERMIOS_H
if (tcsetattr(0, TCSAFLUSH, &old)) {
mprintf("!getdsig: tcsetattr() failed\n");
memset(pass, 0, sizeof(pass));
return NULL;
}
#endif
mprintf("\n");
}
if ((sockd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
perror("socket()");
mprintf("!getdsig: Can't create socket\n");
memset(pass, 0, sizeof(pass));
return NULL;
}
server.sin_family = AF_INET;
server.sin_addr.s_addr = inet_addr(host);
server.sin_port = htons(33101);
if (connect(sockd, (struct sockaddr *)&server, sizeof(struct sockaddr_in)) < 0) {
perror("connect()");
closesocket(sockd);
mprintf("!getdsig: Can't connect to ClamAV Signing Service at %s\n", host);
memset(pass, 0, sizeof(pass));
return NULL;
}
memset(cmd, 0, sizeof(cmd));
if (mode == 1)
snprintf(cmd, sizeof(cmd) - datalen, "ClamSign:%s:%s:", user, pass);
else if (mode == 2)
snprintf(cmd, sizeof(cmd) - datalen, "ClamSignPSS:%s:%s:", user, pass);
else
snprintf(cmd, sizeof(cmd) - datalen, "ClamSignPSS2:%s:%s:", user, pass);
len = strlen(cmd);
pt = cmd + len;
memcpy(pt, data, datalen);
len += datalen;
if (send(sockd, cmd, len, 0) < 0) {
mprintf("!getdsig: Can't write to socket\n");
closesocket(sockd);
memset(cmd, 0, sizeof(cmd));
memset(pass, 0, sizeof(pass));
return NULL;
}
memset(cmd, 0, sizeof(cmd));
memset(pass, 0, sizeof(pass));
memset(buff, 0, sizeof(buff));
if ((bread = recv(sockd, buff, sizeof(buff) - 1, 0)) > 0) {
buff[bread] = '\0';
if (!strstr(buff, "Signature:")) {
mprintf("!getdsig: Error generating digital signature\n");
mprintf("!getdsig: Answer from remote server: %s\n", buff);
closesocket(sockd);
return NULL;
} else {
mprintf("Signature received (length = %lu)\n", (unsigned long)strlen(buff) - 10);
}
} else {
mprintf("!getdsig: Communication error with remote server\n");
closesocket(sockd);
return NULL;
}
closesocket(sockd);
pt = buff;
pt += 10;
return strdup(pt);
}
static char *sha256file(const char *file, unsigned int *size)
{
FILE *fh;
@ -712,7 +583,7 @@ static int writeinfo(const char *dbname, const char *builder, const char *header
while ((bytes = fread(buffer, 1, sizeof(buffer), fh)))
cl_update_hash(ctx, buffer, bytes);
cl_finish_hash(ctx, digest);
if (!(pt = getdsig(optget(opts, "server")->strarg, builder, digest, 32, 3))) {
if (!(pt = cli_getdsig(optget(opts, "server")->strarg, builder, digest, 32, 3))) {
mprintf("!writeinfo: Can't get digital signature from remote server\n");
fclose(fh);
return -1;
@ -727,135 +598,6 @@ static int writeinfo(const char *dbname, const char *builder, const char *header
static int diffdirs(const char *old, const char *new, const char *patch);
static int verifydiff(const char *diff, const char *cvd, const char *incdir);
static int script2cdiff(const char *script, const char *builder, const struct optstruct *opts)
{
char *cdiff, *pt, buffer[FILEBUFF];
unsigned char digest[32];
void *ctx;
STATBUF sb;
FILE *scripth, *cdiffh;
gzFile gzh;
unsigned int ver, osize;
int bytes;
if (CLAMSTAT(script, &sb) == -1) {
mprintf("!script2diff: Can't stat file %s\n", script);
return -1;
}
osize = (unsigned int)sb.st_size;
cdiff = strdup(script);
if (NULL == cdiff) {
mprintf("!script2cdiff: Unable to allocate memory for file name\n");
return -1;
}
pt = strstr(cdiff, ".script");
if (!pt) {
mprintf("!script2cdiff: Incorrect file name (no .script extension)\n");
free(cdiff);
return -1;
}
strcpy(pt, ".cdiff");
if (!(pt = strchr(script, '-'))) {
mprintf("!script2cdiff: Incorrect file name syntax\n");
free(cdiff);
return -1;
}
if (sscanf(++pt, "%u.script", &ver) == EOF) {
mprintf("!script2cdiff: Incorrect file name syntax\n");
free(cdiff);
return -1;
}
if (!(cdiffh = fopen(cdiff, "wb"))) {
mprintf("!script2cdiff: Can't open %s for writing\n", cdiff);
free(cdiff);
return -1;
}
if (fprintf(cdiffh, "ClamAV-Diff:%u:%u:", ver, osize) < 0) {
mprintf("!script2cdiff: Can't write to %s\n", cdiff);
fclose(cdiffh);
free(cdiff);
return -1;
}
fclose(cdiffh);
if (!(scripth = fopen(script, "rb"))) {
mprintf("!script2cdiff: Can't open file %s for reading\n", script);
unlink(cdiff);
free(cdiff);
return -1;
}
if (!(gzh = gzopen(cdiff, "ab9f"))) {
mprintf("!script2cdiff: Can't open file %s for appending\n", cdiff);
unlink(cdiff);
free(cdiff);
fclose(scripth);
return -1;
}
while ((bytes = fread(buffer, 1, sizeof(buffer), scripth)) > 0) {
if (!gzwrite(gzh, buffer, bytes)) {
mprintf("!script2cdiff: Can't gzwrite to %s\n", cdiff);
unlink(cdiff);
free(cdiff);
fclose(scripth);
gzclose(gzh);
return -1;
}
}
fclose(scripth);
gzclose(gzh);
if (!(cdiffh = fopen(cdiff, "rb"))) {
mprintf("!script2cdiff: Can't open %s for reading/writing\n", cdiff);
unlink(cdiff);
free(cdiff);
return -1;
}
ctx = cl_hash_init("sha256");
if (!(ctx)) {
unlink(cdiff);
free(cdiff);
fclose(cdiffh);
return -1;
}
while ((bytes = fread(buffer, 1, sizeof(buffer), cdiffh)))
cl_update_hash(ctx, (unsigned char *)buffer, bytes);
fclose(cdiffh);
cl_finish_hash(ctx, digest);
if (!(pt = getdsig(optget(opts, "server")->strarg, builder, digest, 32, 2))) {
mprintf("!script2cdiff: Can't get digital signature from remote server\n");
unlink(cdiff);
free(cdiff);
return -1;
}
if (!(cdiffh = fopen(cdiff, "ab"))) {
mprintf("!script2cdiff: Can't open %s for appending\n", cdiff);
free(pt);
unlink(cdiff);
free(cdiff);
return -1;
}
fprintf(cdiffh, ":%s", pt);
free(pt);
fclose(cdiffh);
mprintf("Created %s\n", cdiff);
free(cdiff);
return 0;
}
static int qcompare(const void *a, const void *b)
{
return strcmp(*(char *const *)a, *(char *const *)b);
@ -1166,7 +908,7 @@ static int build(const struct optstruct *opts)
free(pt);
if (!optget(opts, "unsigned")->enabled) {
if (!(pt = getdsig(optget(opts, "server")->strarg, builder, buffer, 16, 1))) {
if (!(pt = cli_getdsig(optget(opts, "server")->strarg, builder, buffer, 16, 1))) {
mprintf("!build: Can't get digital signature from remote server\n");
fclose(fh);
unlink(tarfile);
@ -1316,7 +1058,7 @@ static int build(const struct optstruct *opts)
mprintf("!Generated file is incorrect, renamed to %s\n", broken);
}
} else {
ret = script2cdiff(patch, builder, opts);
ret = script2cdiff(patch, builder, optget(opts, "server")->strarg);
}
return ret;