Commit graph

28 commits

Author SHA1 Message Date
Val Snyder
8d485b9bfd
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVDs in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.

Fixes: https://github.com/Cisco-Talos/clamav/issues/564

Add a Rust implementation for parsing, verifying, and unpacking CVD
files.

Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
  `-D CVD_CERTS_DIRECTORY=PATH`

New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
  `--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
  `CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
  `CVDCertsDirectory PATH`

Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.

Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.

libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
  Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new APIs to the public clamav.h header:
  ```c
  extern cl_error_t cl_cvdverify_ex(const char *file,
                                    const char *certs_directory);

  extern cl_error_t cl_cvdunpack_ex(const char *file,
                                    const char *dir,
                                    bool dont_verify,
                                    const char *certs_directory);
  ```
  The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
  You may set this option with `cl_engine_set_str` and get it
  with `cl_engine_get_str`, to override the compiled in default
  CVD certs directory.

libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).

Add sigtool sign/verify tests and test certs.

Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.

Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411

CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.

Fix some log messages with missing new lines.

Fix missing environment variable notes in --help messages and manpages.

Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variables that had the same name
for use in clamav applications that use the optparser.

The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2025-03-26 19:33:25 -04:00
Micah Snyder
d755fc09c2
Fix links in github issue template
Fixes: https://github.com/Cisco-Talos/clamav/issues/1429
2025-01-02 09:59:06 -05:00
liushuyu
af39b28b26
CI: update various GitHub Actions imports in cmake.yml
2024-07-22 09:17:31 -04:00
liushuyu
7ebabe5548
CI: Upgrade GitHub Actions imports in clang-format.yml
2024-07-22 09:17:28 -04:00
Micah Snyder
fa10d0c66e
GitHub Actions: Fix macOS build issues
Upgrade macOS OpenSSL dependency to use 3 instead of 1.1.

Python's pip from Homebrew now refuses to install globally:

error: externally-managed-environment

× This environment is externally managed
╰─> To install Python packages system-wide, try brew install
    xyz, where xyz is the package you are trying to
    install.

    If you wish to install a Python library that isn't in Homebrew,
    use a virtual environment:

    python3 -m venv path/to/venv
    source path/to/venv/bin/activate
    python3 -m pip install xyz

    If you wish to install a Python application that isn't in Homebrew,
    it may be easiest to use 'pipx install xyz', which will manage a
    virtual environment for you. You can install pipx with

    brew install pipx

    You may restore the old behavior of pip by passing
    the '--break-system-packages' flag to pip, or by adding
    'break-system-packages = true' to your pip.conf file. The latter
    will permanently disable this error.

    If you disable this error, we STRONGLY recommend that you additionally
    pass the '--user' flag to pip, or set 'user = true' in your pip.conf
    file. Failure to do this can result in a broken Homebrew installation.

    Read more about this behavior here: <https://peps.python.org/pep-0668/>

Using Pipx instead. Making the same change for Ubuntu just in case.
2024-05-06 09:30:20 -07:00
Micah Snyder
eb096d978e
Add reporting links to Github New Issue page
2024-04-17 08:50:30 -07:00
ragusaa
ae37b2216b
Explicitly set clang-format version to 16
2024-04-03 16:35:23 -04:00
Scott Hutton
94b83af379
Monitor feature/* branches for pull requests
2024-01-23 18:54:36 -05:00
RainRat
caf324e544
Fix typos (no functional changes)
2023-11-26 18:01:19 -05:00
Micah Snyder
0f9de9e256
GitHub Actions (Windows): Fix link issue
The build is running a different link.exe than the MSVC linker,
possibly the one provided by bash.

Fix by deleting /usr/bin/link.exe

See: https://yncat.github.io/2022/02/18/github-actions%E3%81%A7-msvc-%E3%81%AE-link-%E3%81%8C%E4%BD%BF%E3%81%88%E3%81%AA%E3%81%8F%E3%81%AA%E3%82%8B%E8%A9%B1.html
2023-09-28 16:34:52 -07:00
Sebastian Andrzej Siewior
6efb77d4f8
Remove bundled tomfastmath library.
Now that the tomfastmath library is no longer used, remove it from the
tree.

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
2023-03-29 15:10:25 -07:00
Micah Snyder
1547177822
Github Actions: switch to clang-format-14
2022-12-02 14:22:31 -08:00
Micah Snyder
39fbbef192
Add CodeQL static analysis scanning workflow
2022-11-17 13:25:51 -08:00
Micah Snyder
c34dd0fa26
GH Actions: Newer version of run-vcpkg, older version of Windows
The 'windows-latest' image is now windows-2022, but the vcpkg we're
using doesn't know to look for visual studio 2022. Reverting to use
windows-2019 so vcpkg works with it.

Also switching to the run-vcpkg v7.4. Not going with the new v10 series
because that changes the inputs and I'm not ready to figure out how to
change the params to make it work.
2022-06-17 15:14:49 -07:00
Micah Snyder
24a5221734
GH-actions: remove CIFuzz workflow
The CIFuzz tool was observed detecting an issue in code unrelated to a
pull request. While it was relatively benign in this case, it has the
potential to accidentally disclose a vulnerability publicly without
allowing a non-disclosure period for us to publish a fixed patch
version.

I'm not comfortable with this risk, so I'm removing the workflow.
2022-01-24 15:05:28 -07:00
micasnyd
1fbf6ae4f0
GH Actions: Update clang-format action to latest version
2022-01-09 14:23:25 -07:00
David Korczynski
aa91170063
GitHub Actions: Add CIFuzz integration
To enable fuzzers to be run before code lands

Signed-off-by: David Korczynski <david@adalogics.com>
2021-12-01 17:53:26 -08:00
Micah Snyder
a45bf34802
GH Actions: Fix build on Windows
A breaking change was made to the run-cmake action.

This commit pins the cmake actions to a specific version so they work again.
2021-10-22 16:03:31 -07:00
Micah Snyder
f75c3b3b4c
Github actions: Update package list before install
To fix issues with installing older packages that may have been replaced
2021-08-05 16:54:02 -07:00
Micah Snyder
9f407d83b3
Test: update clang-format-action to v3.4.0
2021-07-16 14:43:16 -07:00
Micah Snyder
9451224323
Test: ClamDScan ExcludePath; Valgrind
Adds a basic test to validate that ExcludePath correctly excludes a
subdirectory but does not exclude subsequent files. As with the other
ClamD/Scan tests, it will test in each mode: regular, stream, and
fdpass (if available).

Unlike the other tests, this one tests ClamDScan with Valgrind instead
of ClamD.

Refactored the clamd_test.py file to reduce duplicate code, and support
enabling and disabling valgrind when running ClamDScan and ClamD.

Add pytest to the github actions environments because the results when
using pytest are far easier to read.
2021-07-15 11:56:13 -07:00
Micah Snyder
ccac5567c9
Add issue template
The template includes a comment block at the top to direct security
issue reports towards the SECURITY.md instructions.

A comment block at the bottom provides instructions for how to share
files needed to reproduce the bug.

These comment blocks disappear when the report is submitted.

The older style markdown headers are used to match the headers printed
by the ClamConf tool, so that copy-pasted output from ClamConf looks
good in the bug report.
2021-06-09 16:59:15 -07:00
Micah Snyder
d57d898652
Github actions: Fix build after repo name change
2021-05-18 17:13:57 -07:00
Micah Snyder
de0086aa91
GitHub Actions: minor corrections
The clang-format action needs to check `common` instead of `shared`.

The docker db update action needs to clone the repo first.
2021-05-02 09:46:16 -07:00
Micah Snyder
6d3685c421
Docker: milter daemon, news, docs, github action
The milter default was not set correctly so it was starting
clamav-milter by default. Added default true/false settings for each of
the docker daemon environment variables.

Added command to entrypoint to change database directory ownership to
the clamav user, in case it is a mounted volume (which gets root ownership
by default).

Removed the clamav user & group from the build image, as it isn't needed
until the base image.

Added announcement details and acknowledgements to the News document.

Added details to the Docker Readme describing:

- the tag naming convention
- how to mount database volumes
- various other tweaks

Fixed the path for the update script in the GitHub Action, and changed
from alpine-latest to ubuntu-latest, because alpine-latest doesn't seem
to be an option.
2021-04-29 18:15:56 -07:00
Olliver Schinagl
21a4d59fce
docker: Add script to update virus database
To reduce the need for constant database updates, also push a docker
image containing the virus database.

Ideally, this script is called every time a major virus database update
happens, but as that requires integration with other systems, let's start
by having a scheduled update.

To do this a github action workflow was added on a schedule that runs
once a month. It does require the proper secrets to be set up however and
made accessible.

Signed-off-by: Olliver Schinagl <oliver@schinagl.nl>
2021-04-29 17:55:12 -07:00
Micah Snyder
6b364826d2
Github actions: add clang-format check
Add check to make sure code is properly formatted.
2021-04-09 19:08:14 -07:00
Micah Snyder
c81968d3a7
GitHub Actions testing on Ubuntu, Mac, & Windows
Updates to fix issues in the CMake install instructions.

Updates the README.md to indicate that CMake is now preferred

Adds a GitHub Actions badge, Discord badge, and logo to the README.md.

CMake:

- Renamed ENABLE_DOCS to ENABLE_MAN_PAGES.

- Fixed build issue when milter isn't enabled on Linux. Changed the
default to build milter on non-macOS, non-Windows operating systems.

- Fix LD_LIBRARY_PATH for tests including on macOS where LD_LIBRARY_PATH
  and DYLD_LIBRARY_PATH must be manually propagated to subprocesses.

- Use UNKNOWN IMPORTED library instead of INTERFACE IMPORTED library for
  pdcurses, but still use INTERFACE IMPORTED for ncurses.
  UNKNOWN IMPORTED appears to be required so that we can use
  $<TARGET_FILE_DIR:Curses::curses> to collect the pdcurses library at
  install time on Windows.

- When building with vcpkg on Windows, CMake will automatically install
  your app local dependencies (aka the DLL runtime dependencies).
  Meanwhile, file(GET_RUNTIME_DEPENDENCIES ...) doesn't appear to work
  correctly with vcpkg packages. The solution is to use a custom target
  that has CMake perform a local install to the unit_tests directory
  when using vcpkg.
  This is in fact far easier than using GET_RUNTIME_DEPENDENCIES in the
  unit_tests for assembling the test environment but we can't use this
  method for the non-vcpkg install because it won't collect
  checkDynamic.dll for us because we don't install our tests.
  We also can't link with the static check.lib because the static
  check.lib has pthreads symbols linked in and will conflict with our
  pthread.dll.

  TL;DR: We'll continue to use file(GET_RUNTIME_DEPENDENCIES ...) for
  assembling the test environment on non-vcpkg builds, and use the local
  install method for vcpkg builds.

testcase.py: Wrapped a Pathlib.unlink() call in exception handling as
the missing_ok optional parameter requires a Python version too new for
common use.

Remove localtime_r from win32 compat lib.
localtime_r may be present in libcheck when building with vcpkg and
while making it a static function would also solve the issue, using
localtime_s instead like we do everywhere else should work just fine.

check_clamd: Limited the max # of connections for the stress test on Mac
to 850, to address issues found testing on macos-latest on GitHub Actions.
2021-02-25 11:41:28 -08:00