mirror of
https://github.com/Cisco-Talos/clamav.git
synced 2025-10-19 10:23:17 +00:00
13c4788f36
ClamAV will not function when using a FIPS-enabled OpenSSL 3.x. This is because ClamAV uses MD5 and SHA1 algorithms for a variety of purposes including matching for malware detection, matching to prevent false positives on known-clean files, and for verification of MD5-based RSA digital signatures for determining CVD (signature database archive) authenticity. Interestingly, FIPS had been intentionally bypassed when creating hashes based whole buffers and whole files (by descriptor or `FILE`-pointer):78d4a9985aNote: this bypassed FIPS the 1.x way with: `EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);` It was NOT disabled when using `cl_hash_init()` / `cl_update_hash()` / `cl_finish_hash()`. That likely worked by coincidence in that the hash was already calculated most of the time. It certainly would have made use of those functions if the hash had not been calculated prior:78d4a9985a/libclamav/matcher.c (L743)Regardless, bypassing FIPS entirely is not the correct solution. The FIPS restrictions against using MD5 and SHA1 are valid, particularly when verifying CVD digital siganatures, but also I think when using a hash to determine if the file is known-clean (i.e. the "clean cache" and also MD5-based and SHA1-based FP signatures). This commit extends the work to bypass FIPS using the newer 3.x method: `md = EVP_MD_fetch(NULL, alg, "-fips");` It does this for the legacy `cl_hash*()` functions including `cl_hash_init()` / `cl_update_hash()` / `cl_finish_hash()`. It also introduces extended versions that allow the caller to choose if they want to bypass FIPS: - `cl_hash_data_ex()` - `cl_hash_init_ex()` - `cl_update_hash_ex()` - `cl_finish_hash_ex()` - `cl_hash_destroy_ex()` - `cl_hash_file_fd_ex()` See the `flags` parameter for each. Ironically, this commit does NOT use the new functions at this time. The rational is that ClamAV may need MD5, SHA1, and SHA-256 hashes of the same files both for determining if the file is malware, and for determining if the file is clean. So instead, this commit will do a checks when: 1. Creating a new ClamAV scanning engine. If FIPS-mode enabled, it will automatically toggle the "FIPS limits" engine option. When loading signatures, if the engine "FIPS limits" option is enabled, then MD5 and SHA1 FP signatures will be skipped. 2. Before verifying a CVD (e.g. also for loading, unpacking when verification enabled). If "FIPS limits" or FIPS-mode are enabled, then the legacy MD5-based RSA method is disabled. Note: This commit also refactors the interface for `cl_cvdverify_ex()` and `cl_cvdunpack_ex()` so they take a `flags` parameters, rather than a single `bool`. As these functions are new in this version, it does not break the ABI. The cache was already switched to use SHA2-256, so that's not a concern for checking FIPS-mode / FIPS limits options. This adds an option for `freshclam.conf` and `clamd.conf`: FIPSCryptoHashLimits yes And an equivalent command-line option for `clamscan` and `sigtool`: --fips-limits You may programmatically enable FIPS-limits for a ClamAV engine like this: ```C cl_engine_set_num(engine, CL_ENGINE_FIPS_LIMITS, 1); ``` CLAM-2792
106 lines
3.4 KiB
C
106 lines
3.4 KiB
C
/*
|
|
* Copyright (C) 2013-2025 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
|
|
* Copyright (C) 2007-2013 Sourcefire, Inc.
|
|
*
|
|
* Authors: Tomasz Kojm
|
|
*
|
|
* Summary: Code to parse Clamav CVD database format.
|
|
*
|
|
* Acknowledgements: ClamAV untar code is based on a public domain minitar utility
|
|
* by Charles G. Waldman.
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
* published by the Free Software Foundation.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
|
|
* MA 02110-1301, USA.
|
|
*/
|
|
|
|
#ifndef __CVD_H
|
|
#define __CVD_H
|
|
|
|
#include <stdio.h>
|
|
#include <zlib.h>
|
|
#include "clamav.h"
|
|
|
|
struct cli_dbio {
|
|
gzFile gzs;
|
|
FILE *fs;
|
|
unsigned int size, bread;
|
|
char *buf, *bufpt, *readpt;
|
|
unsigned int usebuf, bufsize, readsize;
|
|
unsigned int chkonly;
|
|
void *hashctx;
|
|
};
|
|
|
|
typedef enum cvd_type {
|
|
// unknown / uninitialized
|
|
CVD_TYPE_UNKNOWN,
|
|
// signed signature archive
|
|
CVD_TYPE_CVD,
|
|
// unsigned signature archive that was updated from a CVD or CUD
|
|
CVD_TYPE_CLD,
|
|
// unsigned signature archive
|
|
CVD_TYPE_CUD,
|
|
} cvd_type;
|
|
|
|
/**
|
|
* @brief Load a CVD, CLD, or CUD signature database archive
|
|
*
|
|
* @param engine The ClamAV engine to load the CVD into
|
|
* @param signo Pointer to the signature number
|
|
* @param options CL_DB_* options for loading the CVD
|
|
* @param dbtype Type of the database
|
|
* @param filename Name of the CVD file
|
|
* @param sign_verifier Pointer to the signature verifier
|
|
* @param chkonly Check only mode
|
|
* @return cl_error_t CL_SUCCESS on success, or an error code on failure
|
|
*/
|
|
cl_error_t cli_cvdload(
|
|
struct cl_engine *engine,
|
|
unsigned int *signo,
|
|
uint32_t options,
|
|
cvd_type dbtype,
|
|
const char *filename,
|
|
void *sign_verifier,
|
|
bool chkonly);
|
|
|
|
/**
|
|
* @brief Unpack and verify a CVD, CLD, or CUD signature database archive
|
|
*
|
|
* @param file Name of the CVD file
|
|
* @param dir Directory to unpack the CVD into
|
|
* @param dont_verify Don't verify signatures
|
|
* @param disable_legacy_dsig Disable legacy MD5-based digital signature verification
|
|
* @param verifier Pointer to the signature verifier
|
|
* @return cl_error_t CL_SUCCESS on success, or an error code on failure
|
|
*/
|
|
cl_error_t cli_cvdunpack_and_verify(
|
|
const char *file,
|
|
const char *dir,
|
|
bool dont_verify,
|
|
bool disable_legacy_dsig,
|
|
void *verifier);
|
|
|
|
/**
|
|
* @brief Verify a CVD, CLD, or CUD signature database archive
|
|
*
|
|
* @param file Name of the CVD file
|
|
* @param disable_legacy_dsig Disable legacy MD5-based digital signature verification
|
|
* @param verifier Pointer to the signature verifier
|
|
* @return cl_error_t CL_SUCCESS on success, or an error code on failure
|
|
*/
|
|
cl_error_t cli_cvdverify(
|
|
const char *file,
|
|
bool disable_legacy_dsig,
|
|
void *verifier);
|
|
|
|
#endif
|