clamav

Commit Graph

Author	SHA1	Message	Date
Val Snyder	8d485b9bfd	FIPS-compliant CVD signing and verification Add X509 certificate chain based signing with PKCS7-PEM external signatures distributed alongside CVD's in a custom .cvd.sign format. This new signing and verification mechanism is primarily in support of FIPS compliance. Fixes: https://github.com/Cisco-Talos/clamav/issues/564 Add a Rust implementation for parsing, verifying, and unpacking CVD files. Now installs a 'certs' directory in the app config directory (e.g. <prefix>/etc/certs). The install location is configurable. The CMake option to configure the CVD certs directory is: `-D CVD_CERTS_DIRECTORY=PATH` New options to set an alternative CVD certs directory: - Commandline for freshclam, clamd, clamscan, and sigtool is: `--cvdcertsdir PATH` - Env variable for freshclam, clamd, clamscan, and sigtool is: `CVD_CERTS_DIR` - Config option for freshclam and clamd is: `CVDCertsDirectory PATH` Sigtool: - Add sign/verify commands. - Also verify CDIFF external digital signatures when applying CDIFFs. - Place commonly used commands at the top of --help string. - Fix up manpage. Freshclam: - Will try to download .sign files to verify CVDs and CDIFFs. - Fix an issue where making a CLD would only include the CFG file for daily and not if patching any other database. libclamav.so: - Bump version to 13:0:1 (aka 12.1.0). - Also remove libclamav.map versioning. Resolves: https://github.com/Cisco-Talos/clamav/issues/1304 - Add two new API's to the public clamav.h header: ```c extern cl_error_t cl_cvdverify_ex(const char file, const char certs_directory); extern cl_error_t cl_cvdunpack_ex(const char file, const char dir, bool dont_verify, const char *certs_directory); ``` The original `cl_cvdverify` and `cl_cvdunpack` are deprecated. - Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`. You may set this option with `cl_engine_set_str` and get it with `cl_engine_get_str`, to override the compiled in default CVD certs directory. libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0). Add sigtool sign/verify tests and test certs. Make it so downloadFile doesn't throw a warning if the server doesn't have the .sign file. Replace use of md5-based FP signatures in the unit tests with sha256-based FP signatures because the md5 implementation used by Python may be disabled in FIPS mode. Fixes: https://github.com/Cisco-Talos/clamav/issues/1411 CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates to build against the same OpenSSL library as is used for the C build. The Rust unit test application must also link directly with libcrypto and libssl. Fix some log messages with missing new lines. Fix missing environment variable notes in --help messages and manpages. Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in clamav-config.h.in for libclamav from variable that had the same name for use in clamav applications that use the optparser. The 'clamav-test' certs for the unit tests will live for 10 years. The 'clamav-beta.crt' public cert will only live for 120 days and will be replaced before the stable release with a production 'clamav.crt'.	2 months ago
Val Snyder	7ff29b8c37	Bump copyright dates for 2025	3 months ago
Micah Snyder	9cb28e51e6	Bump copyright dates for 2024	1 year ago
Micah Snyder	6eebecc303	Bump copyright for 2023	2 years ago
Micah Snyder	8340e55660	Tests: unit tests for cl_load(), cl_cvdverify(), cl_cvdunpack() Some basic testing is needed for the new cl_cvdunpack() API, so this commit adds basic unit tests for that. For reasons unknown, a number of cl_* API's have stubs for unit tests that weren't filled out. The CVD load/verify ones in particular required access to a signed CVD. We actually ship a very basic signed CVD with the databases now, so I added tests for those while I was at it.	3 years ago
Micah Snyder	54b69ec431	Freshclam, Sigtool: use public CVD unpack API In the interest of using the public API's as much as possible for our own applications (dog-fooding the API), this commit swaps sigtool and freshclam `cli_cvdunpack()` calls to `cl_cvdunpack()`.	3 years ago
micasnyd	140c88aa4e	Bump copyright for 2022 Includes minor format corrections.	3 years ago
Micah Snyder (micasnyd)	b9ca6ea103	Update copyright dates for 2021 Also fixes up clang-format.	4 years ago
Micah Snyder	206dbaefe8	Update copyright dates for 2020	5 years ago
Micah Snyder	52cddcbcfd	Updating and cleaning up copyright notices.	6 years ago
Micah Snyder	6289eda8e0	Eliminating AUTHORS file, and moving acknowledgements for various source code contributions to the file comment blocks for the individual files, as appropriate.	7 years ago
Micah Snyder	14e2247bd2	updating the copyright for a number of tiles.	8 years ago
Mickey Sola	46a35abe56	mass update of copyright headers	10 years ago
Shawn Webb	da6e06dd68	Provide further abstractions to the OpenSSL integration work	11 years ago
Shawn Webb	a1cbd793f3	Fix all memory leaks introduce by OpenSSL backport.	11 years ago
Shawn Webb	7fb5036fb2	Make Valgrind happy. Rely less on EVP_MD_CTX_create.	11 years ago
Shawn Webb	b2e7c931d0	Use OpenSSL for hashing.	11 years ago
Török Edvin	3afedd0761	fix GCC warnings. especially the one about gzFile vs gzFile*, gzopen returns gzFile!	13 years ago
Tomasz Kojm	cdddd014ff	sigtool: add support for building unsigned dbs (--unsigned) libclamav: handle unsigned db files (.cud)	14 years ago
Tomasz Kojm	f820268196	freshclam: detect and fix corruptions of existing db files	15 years ago
Tomasz Kojm	02e46f3fdb	libclamav: avoid loading duplicate databases (bb#1962)	15 years ago
Tomasz Kojm	de351ee1bc	libclamav: handle digitally signed .info files	16 years ago
Török Edvin	be43f951c6	BytecodeSecurity setting.	16 years ago
Tomasz Kojm	ace26bfe08	libclamav: check .info files while loading CVD/CLD	16 years ago
Tomasz Kojm	a6a9845602	libclamav: improve loading speed of compressed databases (bb#1105)	16 years ago
Tomasz Kojm	afff80efb9	libclamav, shared: minor cleanups; fix handling of long file names (bb#1349) git-svn: trunk@4670	17 years ago
Tomasz Kojm	15850fc6d4	simplify the code; don't free 'engine' git-svn-id: file:///var/lib/svn/clamav-devel/branches/newapi@4380 77e5149b-7576-45b1-b177-96237e5ba77b	17 years ago
Tomasz Kojm	ac1b219cf1	libclamav, clamd: always return correct db version in VERSION (bb#1168) git-svn: trunk@4332	17 years ago
Tomasz Kojm	e8ae4fae02	faster loading of uncompressed .cld files git-svn: trunk@3854	17 years ago
Tomasz Kojm	2023340a41	update copyrights and stick more files to GPLv2; move and add more credits to the AUTHORS file; add COPYING.BSD git-svn: trunk@3749	17 years ago
Tomasz Kojm	9d193ff26c	add support for .cld containers git-svn: trunk@3444	18 years ago
Tomasz Kojm	bb34cb31fe	update some copyrights and stick to GPL v2 git-svn: trunk@3003	18 years ago
Sven Strickroth	a99111f050	remove old CVS-stuff and make the repository look more like SVN git-svn: trunk@2755	19 years ago
Tomasz Kojm	628be229ce	cleanup git-svn: trunk@2016	19 years ago
Tomasz Kojm	48b7b4a747	update GPL headers with new address for FSF git-svn: trunk@1901	19 years ago
Tomasz Kojm	15e1a7cd82	update interface git-svn: trunk@1754	20 years ago
Tomasz Kojm	5612732cad	add support for cl_engine and cli_matcher git-svn: trunk@1726	20 years ago
Tomasz Kojm	37743d67ea	do not print outdate warning for main.cvd git-svn: trunk@864	21 years ago
Tomasz Kojm	3805ebcbe2	minor cleanup git-svn: trunk@855	21 years ago
Tomasz Kojm	2d70a403de	New fixes from Thomas Lamy. And others. git-svn: trunk@137	22 years ago
Tomasz Kojm	d9e258d5fb	Missing files added. git-svn: trunk@77	22 years ago
Luca Gibelli	e3aaff8e10	Initial revision git-svn: trunk@7	22 years ago

33 Commits (00886ee90d07a3b382041b1a9ef0c01e093f571e)