mirror of https://github.com/Cisco-Talos/clamav
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
277 lines
12 KiB
277 lines
12 KiB
/*
|
|
* Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
|
|
*
|
|
* Author: Shawn Webb
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
* published by the Free Software Foundation.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
|
|
* MA 02110-1301, USA.
|
|
*/
|
|
|
|
#if !defined(_CLAMAV_CRYPTO_H)
|
|
#define _CLAMAV_CRYPTO_H
|
|
|
|
/**
|
|
* \defgroup CryptoAPI ClamAV Crypto API
|
|
* @{
|
|
*/
|
|
|
|
#define SHA1_HASH_SIZE 20
|
|
#define SHA256_HASH_SIZE 32
|
|
|
|
/**
|
|
* Initialize the crypto system.
|
|
* @return Always returns 0
|
|
*/
|
|
int cl_initialize_crypto(void);
|
|
|
|
/** Clean up the crypto system prior to program exit.
|
|
*/
|
|
void cl_cleanup_crypto(void);
|
|
|
|
/** Generate a hash of data.
|
|
@param[in] alg The hashing algorithm to use
|
|
@param[in] buf The data to be hashed
|
|
@param[in] len The length of the to-be-hashed data
|
|
@param[out] obuf An optional buffer to store the generated hash. Use NULL to dynamically allocate buffer.
|
|
@param[out] olen An optional pointer that stores how long the generated hash is.
|
|
@return A pointer to the generated hash or obuf if obuf is not NULL.
|
|
*/
|
|
unsigned char *cl_hash_data(char *alg, const void *buf, size_t len, unsigned char *obuf, unsigned int *olen);
|
|
|
|
/** Generate a hash of a file.
|
|
@param[in] ctx A pointer to the OpenSSL EVP_MD_CTX object
|
|
@param[in] fd The file descriptor
|
|
@param[out] olen An optional pointer that stores how long the generated hash is
|
|
@return A pointer to a dynamically-created buffer that holds the generated hash
|
|
*/
|
|
unsigned char *cl_hash_file_fd_ctx(EVP_MD_CTX *ctx, int fd, unsigned int *olen);
|
|
|
|
/** Generate a hash of a file.
|
|
@param[in] fd The file descriptor
|
|
@param[in] alg The hashing algorithm to use
|
|
@param[out] olen An optional pointer that stores how long the generated hash is
|
|
@return A pointer to a dynamically-created buffer that holds the generated hash
|
|
*/
|
|
unsigned char *cl_hash_file_fd(int fd, char *alg, unsigned int *olen);
|
|
|
|
/** Generate a hash of a file.
|
|
@param[in] fp A pointer to a FILE object
|
|
@param[in] alg The hashing algorithm to use
|
|
@param[out] olen An optional pointer that stores how long the generated hash is
|
|
@return A pointer to a dynamically-created buffer that holds the generated hash
|
|
*/
|
|
unsigned char *cl_hash_file_fp(FILE *fp, char *alg, unsigned int *olen);
|
|
|
|
/** Generate a sha256 hash of data
|
|
@param[in] buf The data to hash
|
|
@param[in] len The length of the to-be-hashed data
|
|
@param[out] obuf An optional pointer to store the generated hash. Use NULL to dynamically allocate buffer.
|
|
@param[out] olen An optional pointer that stores how long the generated hash is.
|
|
@return A pointer to the buffer that holds the generated hash
|
|
*/
|
|
unsigned char *cl_sha256(const void *buf, size_t len, unsigned char *obuf, unsigned int *olen);
|
|
|
|
/** Generate a sha1 hash of data
|
|
@param[in] buf The data to hash
|
|
@param[in] len The length of the to-be-hashed data
|
|
@param[out] obuf An optional pointer to store the generated hash. Use NULL to dynamically allocate buffer.
|
|
@param[out] olen An optional pointer that stores how long the generated hash is.
|
|
@return A pointer to the buffer that holds the generated hash or obuf if obuf is not NULL
|
|
*/
|
|
unsigned char *cl_sha1(const void *buf, size_t len, unsigned char *obuf, unsigned int *olen);
|
|
|
|
/** Verify validity of signed data
|
|
@param[in] pkey The public key of the keypair that signed the data
|
|
@param[in] alg The algorithm used to hash the data
|
|
@param[in] sig The signature block
|
|
@param[in] siglen The length of the signature
|
|
@param[in] data The data that was signed
|
|
@param[in] datalen The length of the data
|
|
@param[in] decode Whether or not to base64-decode the signature prior to verification. 1 for yes, 0 for no.
|
|
@return 0 for success, -1 for error or invalid signature
|
|
*/
|
|
int cl_verify_signature(EVP_PKEY *pkey, char *alg, unsigned char *sig, unsigned int siglen, unsigned char *data, size_t datalen, int decode);
|
|
|
|
/** Verify validity of signed data
|
|
@param[in] pkey The public key of the keypair that signed the data
|
|
@param[in] alg The algorithm used to hash the data
|
|
@param[in] sig The signature block
|
|
@param[in] siglen The length of the signature
|
|
@param[in] digest The hash of the signed data
|
|
@return 0 for success, -1 for error or invalid signature
|
|
*/
|
|
int cl_verify_signature_hash(EVP_PKEY *pkey, char *alg, unsigned char *sig, unsigned int siglen, unsigned char *digest);
|
|
|
|
/** Verify validity of signed data
|
|
@param[in] pkey The public key of the keypair that signed the data
|
|
@param[in] alg The algorithm used to hash the data
|
|
@param[in] sig The signature block
|
|
@param[in] siglen The length of the signature
|
|
@param[in] fd The file descriptor
|
|
@return 0 for success, -1 for error or invalid signature
|
|
*/
|
|
int cl_verify_signature_fd(EVP_PKEY *pkey, char *alg, unsigned char *sig, unsigned int siglen, int fd);
|
|
|
|
/** Verify validity of signed data
|
|
@param[in] x509path The path to the public key of the keypair that signed the data
|
|
@param[in] alg The algorithm used to hash the data
|
|
@param[in] sig The signature block
|
|
@param[in] siglen The length of the signature
|
|
@param[in] digest The hash of the signed data
|
|
@return 0 for success, -1 for error or invalid signature
|
|
*/
|
|
int cl_verify_signature_hash_x509_keyfile(char *x509path, char *alg, unsigned char *sig, unsigned int siglen, unsigned char *digest);
|
|
|
|
/** Verify validity of signed data
|
|
@param[in] x509path The path to the public key of the keypair that signed the data
|
|
@param[in] alg The algorithm used to hash the data
|
|
@param[in] sig The signature block
|
|
@param[in] siglen The length of the signature
|
|
@param[in] fd The file descriptor
|
|
@return 0 for success, -1 for error or invalid signature
|
|
*/
|
|
int cl_verify_signature_fd_x509_keyfile(char *x509path, char *alg, unsigned char *sig, unsigned int siglen, int fd);
|
|
|
|
/** Verify validity of signed data
|
|
@param[in] x509path The path to the public key of the keypair that signed the data
|
|
@param[in] alg The algorithm used to hash the data
|
|
@param[in] sig The signature block
|
|
@param[in] siglen The length of the signature
|
|
@param[in] data The data that was signed
|
|
@param[in] datalen The length of the data
|
|
@param[in] decode Whether or not to base64-decode the signature prior to verification. 1 for yes, 0 for no.
|
|
@return 0 for success, -1 for error or invalid signature
|
|
*/
|
|
int cl_verify_signature_x509_keyfile(char *x509path, char *alg, unsigned char *sig, unsigned int siglen, unsigned char *data, size_t datalen, int decode);
|
|
|
|
/** Verify validity of signed data
|
|
@param[in] x509 The X509 object of the public key of the keypair that signed the data
|
|
@param[in] alg The algorithm used to hash the data
|
|
@param[in] sig The signature block
|
|
@param[in] siglen The length of the signature
|
|
@param[in] digest The hash of the signed data
|
|
@return 0 for success, -1 for error or invalid signature
|
|
*/
|
|
int cl_verify_signature_hash_x509(X509 *x509, char *alg, unsigned char *sig, unsigned int siglen, unsigned char *digest);
|
|
|
|
/** Verify validity of signed data
|
|
@param[in] x509 The X509 object of the public key of the keypair that signed the data
|
|
@param[in] alg The algorithm used to hash the data
|
|
@param[in] sig The signature block
|
|
@param[in] siglen The length of the signature
|
|
@param[in] fd The file descriptor
|
|
@return 0 for success, -1 for error or invalid signature
|
|
*/
|
|
int cl_verify_signature_fd_x509(X509 *x509, char *alg, unsigned char *sig, unsigned int siglen, int fd);
|
|
|
|
/** Verify validity of signed data
|
|
@param[in] x509 The X509 object of the public key of the keypair that signed the data
|
|
@param[in] alg The algorithm used to hash the data
|
|
@param[in] sig The signature block
|
|
@param[in] siglen The length of the signature
|
|
@param[in] data The data that was signed
|
|
@param[in] datalen The length of the data
|
|
@param[in] decode Whether or not to base64-decode the signature prior to verification. 1 for yes, 0 for no.
|
|
@return 0 for success, -1 for error or invalid signature
|
|
*/
|
|
int cl_verify_signature_x509(X509 *x509, char *alg, unsigned char *sig, unsigned int siglen, unsigned char *data, size_t datalen, int decode);
|
|
|
|
/** Get an X509 object from memory
|
|
* @param[in] data A pointer to a spot in memory that contains the PEM X509 cert
|
|
* @param[in] len The length of the data
|
|
* @return a pointer to the X509 object on success, NULL on error
|
|
*/
|
|
X509 *cl_get_x509_from_mem(void *data, unsigned int len);
|
|
|
|
/** Validate an X509 certificate chain, with the chain being located in a directory
|
|
@param[in] tsdir The path to the trust store directory
|
|
@param[in] certpath The path to the X509 certificate to be validated.
|
|
@return 0 for success, -1 for error or invalid certificate.
|
|
*/
|
|
int cl_validate_certificate_chain_ts_dir(char *tsdir, char *certpath);
|
|
|
|
/** Validate an X509 certificate chain with support for a CRL
|
|
@param[in] authorities A NULL-terminated array of strings that hold the path of the CA's X509 certificate
|
|
@param[in] crlpath An optional path to the CRL file. NULL if no CRL.
|
|
@param[in] certpath The path to the X509 certificate to be validated.
|
|
@return 0 for success, -1 for error or invalid certificate.
|
|
*/
|
|
int cl_validate_certificate_chain(char **authorities, char *crlpath, char *certpath);
|
|
|
|
/** Load an X509 certificate from a file
|
|
@param[in] certpath The path to the X509 certificate
|
|
*/
|
|
X509 *cl_load_cert(const char *certpath);
|
|
|
|
/** Parse an ASN1_TIME object
|
|
@param[in] timeobj The ASN1_TIME object
|
|
@return A pointer to a (struct tm). Adjusted for time zone and daylight savings time.
|
|
*/
|
|
struct tm *cl_ASN1_GetTimeT(ASN1_TIME *timeobj);
|
|
|
|
/** Load a CRL file into an X509_CRL object
|
|
@param[in] file The path to the CRL
|
|
@return A pointer to an X509_CRL object or NULL on error.
|
|
*/
|
|
X509_CRL *cl_load_crl(const char *timeobj);
|
|
|
|
/** Sign data with a key stored on disk
|
|
@param[in] keypath The path to the RSA private key
|
|
@param[in] alg The hash/signature algorithm to use
|
|
@param[in] hash The hash to sign
|
|
@param[out] olen A pointer that stores the size of the signature
|
|
@param[in] Whether or not to base64-encode the signature. 1 for yes, 0 for no.
|
|
@return The generated signature
|
|
*/
|
|
unsigned char *cl_sign_data_keyfile(char *keypath, char *alg, unsigned char *hash, unsigned int *olen, int encode);
|
|
|
|
/** Sign data with an RSA private key object
|
|
@param[in] pkey The RSA private key object
|
|
@param[in] alg The hash/signature algorithm to use
|
|
@param[in] hash The hash to sign
|
|
@param[out] olen A pointer that stores the size of the signature
|
|
@param[in] Whether or not to base64-encode the signature. 1 for yes, 0 for no.
|
|
@return The generated signature
|
|
*/
|
|
unsigned char *cl_sign_data(EVP_PKEY *pkey, char *alg, unsigned char *hash, unsigned int *olen, int encode);
|
|
|
|
/** Sign a file with an RSA private key object
|
|
@param[in] fd The file descriptor
|
|
@param[in] pkey The RSA private key object
|
|
@param[in] alg The hash/signature algorithm to use
|
|
@param[out] olen A pointer that stores the size of the signature
|
|
@param[in] encode Whether or not to base64-encode the signature. 1 for yes, 0 for no.
|
|
*/
|
|
unsigned char *cl_sign_file_fd(int fd, EVP_PKEY *pkey, char *alg, unsigned int *olen, int encode);
|
|
|
|
/** Sign a file with an RSA private key object
|
|
@param[in] fp A pointer to a FILE object
|
|
@param[in] pkey The RSA private key object
|
|
@param[in] alg The hash/signature algorithm to use
|
|
@param[out] olen A pointer that stores the size of the signature
|
|
@param[in] encode Whether or not to base64-encode the signature. 1 for yes, 0 for no.
|
|
*/
|
|
unsigned char *cl_sign_file_fp(FILE *fp, EVP_PKEY *pkey, char *alg, unsigned int *olen, int encode);
|
|
|
|
/** Get the Private Key stored on disk
|
|
* @param[in] keypath The path on disk where the private key is stored
|
|
* @return A pointer to the EVP_PKEY object that contains the private key in memory
|
|
*/
|
|
EVP_PKEY *cl_get_pkey_file(char *keypath);
|
|
|
|
/**
|
|
* @}
|
|
*/
|
|
|
|
#endif
|
|
|