Update the vendored TomsFastMath (TFM) library to v0.13.1.
Resolves: https://bugzilla.clamav.net/show_bug.cgi?id=11992
I removed compatibility macros from when libTomMath was used.
This required removing a bunch of faux-error handling because
the fast-math equivalent functions return void, and cannot fail.
The previous version used had named the header "bignum_fast.h"
instead of "tfm.h" and had customizations in that header to enable
TFM_CHECK all the time, and also TFM_NO_ASM if __GNUC__ not defined
or if the system isn't a 64-bit architecture. This update uses tfm.h
as-is, and has CMake define TFM_CHECK and TFM_NO_ASM as needed.
I've kept bignum.h as an interface to including tfm.h so that in
the future we can more easily add support for system-installed
TomsFastMath instead of the vendored one, taking inspiration from
Debian's patch to support system-TomsFastMath.
See: https://salsa.debian.org/clamav-team/clamav/-/blob/unstable/debian/patches/add-support-for-system-tomsfastmath.patch

Improvements to use modern block list and allow list verbiage.
blacklist -> block list
whitelist -> allow listed
blacklisted -> blocked
whitelisted -> allowed
In the case of certificate verification, use "trust" or "verify" when
something is allowed.
Also changed domainlist -> domain list (or DomainList) to match.

Certs can omit the boolean field in the Basic Constraints section,
since the RFC specifies a default value for this field. This fixes
the following error:
LibClamAV debug: asn1_expect_objtype: expected type 01, got 02
LibClamAV debug: asn1_get_x509: An error occurred when parsing x509 extensions
LibClamAV debug: asn1_parse_mscat: skipping x509 certificate with errors
Ex: 05de45fd6a406dc147a4c8040a54eee947cd6eba02f28c0279ffd1a229e17130

Allow UTCDate fields in x509 certs to omit the seconds. Technically
this is disallowed by RFC5280, but Windows Authenticode verification
routines don't seem to mind it, so we'll allow it too. This fixes
the following error:
LibClamAV debug: asn1_getnum: expecting digits, found 'Z'
LibClamAV debug: asn1_get_time: invalid second 4294967295
LibClamAV debug: asn1_get_x509: unable to extract the notBefore time
LibClamAV debug: asn1_parse_mscat: skipping x509 certificate with errors
Ex: d577010638f208ad8b6dab1a33dc583b2ec6b0c719021fb9f083dd595ede27e8
Also, add a check on CRT_RAWMAXLEN, since if it's > 256 problems
will arise.
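The UTCTime leniency described in the commit above, as an added example (not ClamAV's asn1_get_time): a parser that accepts the RFC 5280 form YYMMDDHHMMSSZ and the YYMMDDHHMMZ form with the seconds omitted, while still rejecting non-digits and a missing 'Z' instead of producing a bogus second count like the 4294967295 in the debug log. The function names and the sample strings are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Parse exactly n ASCII digits at s; return -1 if any byte is not a digit. */
static int get_digits(const char *s, int n) {
    int v = 0;
    for (int i = 0; i < n; i++) {
        if (s[i] < '0' || s[i] > '9') return -1;
        v = v * 10 + (s[i] - '0');
    }
    return v;
}

/* Parse the content octets of a DER UTCTime. Accepts "YYMMDDHHMMSSZ"
 * (RFC 5280) and "YYMMDDHHMMZ" (seconds omitted, treated as 00).
 * Returns 0 and fills *out, or -1 on anything else (wrong length,
 * non-digit, missing 'Z', out-of-range field). */
int utctime_parse(const char *s, size_t len, struct tm *out) {
    int sec = 0;
    if (len != 11 && len != 13) return -1;
    if (s[len - 1] != 'Z') return -1;
    int yy = get_digits(s, 2), mo = get_digits(s + 2, 2), dd = get_digits(s + 4, 2);
    int hh = get_digits(s + 6, 2), mi = get_digits(s + 8, 2);
    if (len == 13) sec = get_digits(s + 10, 2);
    if (yy < 0 || mo < 0 || dd < 0 || hh < 0 || mi < 0 || sec < 0) return -1;
    if (mo < 1 || mo > 12 || dd < 1 || dd > 31 || hh > 23 || mi > 59 || sec > 59) return -1;
    memset(out, 0, sizeof *out);
    /* RFC 5280 4.1.2.5.1: YY >= 50 means 19YY, otherwise 20YY. */
    out->tm_year = (yy >= 50 ? 1900 + yy : 2000 + yy) - 1900;
    out->tm_mon = mo - 1; out->tm_mday = dd;
    out->tm_hour = hh; out->tm_min = mi; out->tm_sec = sec;
    return 0;
}

/* Convenience wrapper for checks: returns YYYYMMDDhhmmss as a number, or -1. */
long long utctime_compact(const char *s, size_t len) {
    struct tm t;
    if (utctime_parse(s, len, &t) != 0) return -1;
    return (long long)(t.tm_year + 1900) * 10000000000LL + (t.tm_mon + 1) * 100000000LL
         + t.tm_mday * 1000000LL + t.tm_hour * 10000LL + t.tm_min * 100LL + t.tm_sec;
}

int main(void) {
    const char *with_sec = "200101120030Z", *no_sec = "2001011200Z"; /* constructed */
    printf("%lld\n", utctime_compact(with_sec, strlen(with_sec))); /* 20200101120030 */
    printf("%lld\n", utctime_compact(no_sec, strlen(no_sec)));     /* 20200101120000 */
    return 0;
}
```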

The previous commit allowed a CRB cert's exponent to be ignored
when evaluating blacklist rules, but this commit also allows
the exponent to be ignored for whitelist rules as well.
Also, previous versions of ClamAV allowed the serial number hash
field in a CRB rule to be blank, effectively wildcarding the serial
number. This functionality broke with some of the changes introduced
in 0.102.0, so this commit addresses that.

Instead of checking the Authenticode header as an FP prevention
mechanism, we now check it in the beginning if it exists. Also,
we can now do actual blacklisting with .crb rules (previously, a
blacklist rule just let you override a whitelist rule).

This doesn't add support to actually verify whitelisting rules
against SHA384 signatures, but makes it so that verification
doesn't fail completely if there is a SHA384 certificate somewhere
in the signature.
Everything should be working, but I'm having a hard time finding a binary
to test with that doesn't encounter other parsing issues (no countersignature,
extra data in the unauthenticatedAttributes section, etc.)