mirror of
https://github.com/Cisco-Talos/clamav.git
synced 2025-10-19 10:23:17 +00:00

Add X509 certificate chain based signing with PKCS7-PEM external signatures distributed alongside CVDs in a custom .cvd.sign format.

This new signing and verification mechanism is primarily in support of FIPS compliance.

Fixes: https://github.com/Cisco-Talos/clamav/issues/564

Add a Rust implementation for parsing, verifying, and unpacking CVD files.

Now installs a 'certs' directory in the app config directory (e.g. <prefix>/etc/certs). The install location is configurable.

The CMake option to configure the CVD certs directory is: `-D CVD_CERTS_DIRECTORY=PATH`

New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is: `--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is: `CVD_CERTS_DIR`
- Config option for freshclam and clamd is: `CVDCertsDirectory PATH`

Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.

Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for daily and not if patching any other database.

libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning. Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new APIs to the public clamav.h header:

```c
extern cl_error_t cl_cvdverify_ex(const char *file, const char *certs_directory);
extern cl_error_t cl_cvdunpack_ex(const char *file, const char *dir, bool dont_verify, const char *certs_directory);
```

  The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`. You may set this option with `cl_engine_set_str` and get it with `cl_engine_get_str`, to override the compiled-in default CVD certs directory.

libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).
Add sigtool sign/verify tests and test certs.

Make it so downloadFile doesn't throw a warning if the server doesn't have the .sign file.

Replace use of md5-based FP signatures in the unit tests with sha256-based FP signatures because the md5 implementation used by Python may be disabled in FIPS mode.

Fixes: https://github.com/Cisco-Talos/clamav/issues/1411

CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates to build against the same OpenSSL library as is used for the C build. The Rust unit test application must also link directly with libcrypto and libssl.

Fix some log messages with missing newlines.

Fix missing environment variable notes in --help messages and manpages.

Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in clamav-config.h.in for libclamav from variables that had the same name for use in clamav applications that use the optparser.

The 'clamav-test' certs for the unit tests will live for 10 years. The 'clamav-beta.crt' public cert will only live for 120 days and will be replaced before the stable release with a production 'clamav.crt'.
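The two commit messages above describe a Rust implementation for parsing, verifying and unpacking CVD files, and note that Python's md5 may be unavailable in FIPS mode. The following is an added example written for this page, not ClamAV project code: it reproduces in Python the legacy integrity check that `cl_cvdverify` performs on a CVD (parse the 512-byte `ClamAV-VDB:` header, then compare the MD5 field against the MD5 of the gzipped-tar payload that follows) and unpacks the payload. The header field order follows libclamav's cvd.c; the sample database, its single hash signature and the builder string are constructed here. The legacy RSA `dsig` field is not checked, and the new PKCS7 `.sign` files are not reproduced because their format is not shown on this page.

```python
# Added example (not ClamAV project code): legacy CVD header parse + MD5 check + unpack.
import gzip
import hashlib
import io
import tarfile
from dataclasses import dataclass

CVD_HEADER_SIZE = 512
CVD_MAGIC = "ClamAV-VDB"


@dataclass(frozen=True)
class CvdHeader:
    build_time: str
    version: int
    sigs: int
    flevel: int
    md5: str      # hex MD5 of everything after the 512-byte header
    dsig: str     # legacy RSA signature blob (not verified in this example)
    builder: str
    stime: str


def _md5(data: bytes):
    # MD5 only re-checks a legacy integrity field here; it is not a security
    # primitive. usedforsecurity=False keeps the call available in FIPS mode,
    # where plain hashlib.md5() may be disabled (kwarg exists on Python >= 3.9).
    try:
        return hashlib.md5(data, usedforsecurity=False)
    except TypeError:
        return hashlib.md5(data)


def parse_cvd_header(blob: bytes) -> CvdHeader:
    """Parse 'ClamAV-VDB:<time>:<version>:<sigs>:<flevel>:<md5>:<dsig>:<builder>:<stime>'."""
    if len(blob) < CVD_HEADER_SIZE:
        raise ValueError("shorter than a CVD header")
    text = blob[:CVD_HEADER_SIZE].decode("ascii").rstrip(" \0\r\n")
    fields = text.split(":")
    if len(fields) != 9 or fields[0] != CVD_MAGIC:
        raise ValueError("not a CVD header")
    _, build_time, version, sigs, flevel, md5, dsig, builder, stime = fields
    if len(md5) != 32 or any(c not in "0123456789abcdefABCDEF" for c in md5):
        raise ValueError("malformed md5 field")
    return CvdHeader(build_time, int(version), int(sigs), int(flevel),
                     md5.lower(), dsig, builder, stime)


def cvd_payload_matches_header(blob: bytes) -> bool:
    """The legacy check: header MD5 must equal MD5 of the payload after the header."""
    hdr = parse_cvd_header(blob)
    return _md5(blob[CVD_HEADER_SIZE:]).hexdigest() == hdr.md5


def unpack_cvd(blob: bytes) -> dict:
    """Return {member name: bytes} from the gzipped tar payload; refuse unverified input."""
    if not cvd_payload_matches_header(blob):
        raise ValueError("CVD payload does not match header MD5")
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob[CVD_HEADER_SIZE:]), mode="r:gz") as tar:
        for member in tar.getmembers():
            # A CVD holds flat regular files; skip directories, links and any
            # path components, which would matter when writing to disk.
            if member.isfile() and "/" not in member.name and not member.name.startswith(".."):
                out[member.name] = tar.extractfile(member).read()
    return out


def build_sample_cvd(files: dict, version: int = 1, sigs: int = 1) -> bytes:
    """Construct a CVD from {name: bytes}; a sample builder for this example only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    payload = gzip.compress(buf.getvalue(), mtime=0)
    head = ":".join([CVD_MAGIC, "01 Jan 2025 00-00 +0000", str(version), str(sigs), "90",
                     _md5(payload).hexdigest(), "unsigned", "example-builder", "1735689600"])
    return head.encode("ascii").ljust(CVD_HEADER_SIZE, b" ") + payload


# Constructed database: one sha256-based hash signature in hdb syntax (hash:size:name).
SAMPLE_HDB = b"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855:0:Example.Empty\n"
SAMPLE_CVD = build_sample_cvd({"example.hdb": SAMPLE_HDB}, version=7, sigs=1)

if __name__ == "__main__":
    print(parse_cvd_header(SAMPLE_CVD))
    print(sorted(unpack_cvd(SAMPLE_CVD)))
```

The MD5 comparison only detects corruption; it binds nothing to a signer, which is why the commit moves trust to an external X.509 chain and PKCS7 signature rather than the header fields. Under a FIPS-mode OpenSSL the `usedforsecurity=False` flag is what keeps even this non-security use of MD5 callable from Python.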
131 lines
3.7 KiB
CMake
```cmake
# Features that can be enabled for cmake (see CMakeLists.txt)

if(WIN32)
    set(APP_CONFIG_DIRECTORY
        "." CACHE STRING
        "App Config directory.")
    set(DATABASE_DIRECTORY
        "database" CACHE STRING
        "Database directory.")
    set(CVD_CERTS_DIRECTORY
        "certs" CACHE STRING
        "ClamAV CA certificates directory.")
else()
    set(APP_CONFIG_DIRECTORY
        "etc" CACHE STRING
        "App Config directory.")
    set(DATABASE_DIRECTORY
        "share/clamav" CACHE STRING
        "Database directory.")
    set(CVD_CERTS_DIRECTORY
        "${APP_CONFIG_DIRECTORY}/certs" CACHE STRING
        "ClamAV CA certificates directory.")
endif()

set(CLAMAV_USER "clamav" CACHE STRING "ClamAV User")
set(CLAMAV_GROUP "clamav" CACHE STRING "ClamAV Group")

set(MMAP_FOR_CROSSCOMPILING
    0 CACHE STRING
    "Force MMAP support for cross-compiling.")
set(DISABLE_MPOOL
    0 CACHE STRING
    "Disable mpool support entirely.")

set(BYTECODE_RUNTIME
    "interpreter" CACHE STRING
    "Bytecode Runtime, may be: 'llvm', 'interpreter', 'none'.")
set_property(CACHE BYTECODE_RUNTIME PROPERTY STRINGS llvm interpreter none)

option(OPTIMIZE
    "Allow compiler optimizations. Set to OFF to disable (i.e. to set -O0)."
    ON)

option(MAINTAINER_MODE
    "Update generated sources. Requires flex, bison."
    ${MAINTAINER_MODE_DEFAULT})

option(ENABLE_WERROR
    "Compile time warnings will cause build failures.")

option(ENABLE_ALL_THE_WARNINGS
    "Enable as many compiler warnings as possible.")

option(ENABLE_DEBUG
    "Turn on extra debug output.")

option(ENABLE_EXPERIMENTAL
    "Turn on experimental features (if any).")

option(ENABLE_FRESHCLAM_DNS_FIX
    "Enable workaround for broken DNS servers.")

option(ENABLE_FRESHCLAM_NO_CACHE
    "Use 'Cache-Control: no-cache' in freshclam.")

option(ENABLE_STRN_INTERNAL
    "Enables explicit use of internal strn functions to support cross-compilation against older libs.")

option(ENABLE_FUZZ
    "Build fuzz targets. Will enable ENABLE_STATIC_LIB for you.")

option(ENABLE_EXTERNAL_MSPACK
    "Use external mspack instead of internal libclammspack.")

option(ENABLE_JSON_SHARED
    "Prefer linking with libjson-c shared library instead of static."
    ON)

option(ENABLE_APP
    "Build applications (clamscan, clamd, clamdscan, clamonacc, sigtool, clambc, clamav-milter, clamdtop, clamsubmit, clamconf)."
    ${ENABLE_APP_DEFAULT})

option(ENABLE_MILTER
    "Build clamav-milter (requires ENABLE_APP)."
    ${ENABLE_MILTER_DEFAULT})

option(ENABLE_CLAMONACC
    "Build clamonacc (Linux-only, requires ENABLE_APP)."
    ${ENABLE_CLAMONACC_DEFAULT})

option(ENABLE_MAN_PAGES
    "Generate man pages."
    ${ENABLE_MAN_PAGES_DEFAULT})

option(ENABLE_DOXYGEN
    "Generate doxygen HTML documentation for clamav.h, libfreshclam.h."
    ${ENABLE_DOXYGEN_DEFAULT})

option(ENABLE_EXAMPLES
    "Build examples."
    ${ENABLE_EXAMPLES_DEFAULT})

option(ENABLE_TESTS
    "Build/enable unit tests."
    ${ENABLE_TESTS_DEFAULT})

option(ENABLE_LIBCLAMAV_ONLY
    "Build libclamav only. Excludes libfreshclam too!")

option(ENABLE_STATIC_LIB
    "Build libclamav and/or libfreshclam static libraries.")

option(ENABLE_SHARED_LIB
    "Build libclamav and/or libfreshclam shared libraries."
    ON)

option(ENABLE_UNRAR
    "Build & install libclamunrar."
    ${ENABLE_UNRAR_DEFAULT})

option(ENABLE_SYSTEMD
    "Install systemd service files if systemd is found."
    ${ENABLE_SYSTEMD_DEFAULT})

# For reference determining target platform:
# Rust Targets: https://doc.rust-lang.org/nightly/rustc/platform-support.html
option(RUST_COMPILER_TARGET
    "Use a custom target triple to build the Rust components. Needed for cross-compiling.")

option(DO_NOT_SET_RPATH
    "Don't set the RPATH on UNIX systems.")
```