FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVDs in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.

Fixes: #564

Add a Rust implementation for parsing, verifying, and unpacking CVD
files.

Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
  `-D CVD_CERTS_DIRECTORY=PATH`

New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
  `--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
  `CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
  `CVDCertsDirectory PATH`

Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.

Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.

libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
  Resolves: #1304
- Add two new APIs to the public clamav.h header:
  ```c
  extern cl_error_t cl_cvdverify_ex(const char *file,
                                    const char *certs_directory);

  extern cl_error_t cl_cvdunpack_ex(const char *file,
                                    const char *dir,
                                    bool dont_verify,
                                    const char *certs_directory);
  ```
  The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
  You may set this option with `cl_engine_set_str` and get it
  with `cl_engine_get_str`, to override the compiled-in default
  CVD certs directory.

libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).

Add sigtool sign/verify tests and test certs.

Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.

Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: #1411
micahsnyder committed Jan 14, 2025
1 parent 86a3835 commit ff84050
Showing 73 changed files with 5,063 additions and 1,082 deletions.
16 changes: 11 additions & 5 deletions CMakeLists.txt
Expand Up @@ -36,16 +36,16 @@ set(PACKAGE_URL "https://www.clamav.net/")
HexVersion(PACKAGE_VERSION_NUM ${PROJECT_VERSION_MAJOR} ${PROJECT_VERSION_MINOR} ${PROJECT_VERSION_PATCH})

# libtool library versioning rules: http://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.html
set(LIBCLAMAV_CURRENT 12)
set(LIBCLAMAV_REVISION 3)
set(LIBCLAMAV_AGE 0)
set(LIBCLAMAV_CURRENT 13)
set(LIBCLAMAV_REVISION 0)
set(LIBCLAMAV_AGE 1)

math(EXPR LIBCLAMAV_SOVERSION "${LIBCLAMAV_CURRENT} - ${LIBCLAMAV_AGE}")
set(LIBCLAMAV_VERSION "${LIBCLAMAV_SOVERSION}.${LIBCLAMAV_AGE}.${LIBCLAMAV_REVISION}")
HexVersion(LIBCLAMAV_VERSION_NUM ${LIBCLAMAV_CURRENT} ${LIBCLAMAV_REVISION} ${LIBCLAMAV_AGE})

set(LIBFRESHCLAM_CURRENT 3)
set(LIBFRESHCLAM_REVISION 2)
set(LIBFRESHCLAM_CURRENT 4)
set(LIBFRESHCLAM_REVISION 0)
set(LIBFRESHCLAM_AGE 0)

math(EXPR LIBFRESHCLAM_SOVERSION "${LIBFRESHCLAM_CURRENT} - ${LIBFRESHCLAM_AGE}")
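Review bot: the libclamav bump to CURRENT 13 / REVISION 0 / AGE 1 keeps LIBCLAMAV_SOVERSION at 12 (13 - 1) and yields LIBCLAMAV_VERSION 12.1.0, which matches the commit message and is the correct libtool encoding for "interfaces added, none removed", consistent with adding `cl_cvdverify_ex`/`cl_cvdunpack_ex` while only deprecating the old entry points. The same message also says libclamav.map versioning is removed, though; dropping the version script can change the versioned symbol set that already-linked consumers resolve against, so confirm that existing binaries still load against the new .so.12, otherwise this should be an AGE 0 (incompatible) bump like the libfreshclam 4:0:0 change below it.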
Expand Down Expand Up @@ -925,6 +925,12 @@ if(IS_ABSOLUTE ${DATABASE_DIRECTORY})
else()
set(DATADIR "${CMAKE_INSTALL_PREFIX}/${DATABASE_DIRECTORY}")
endif()
# Absolute path of ClamAV CA certificates directory
if(IS_ABSOLUTE ${CVD_CERTS_DIRECTORY})
set(CERTSDIR "${CVD_CERTS_DIRECTORY}")
else()
set(CERTSDIR "${CMAKE_INSTALL_PREFIX}/${CVD_CERTS_DIRECTORY}")
endif()
# Absolute path of the applications' config directory
if(IS_ABSOLUTE ${APP_CONFIG_DIRECTORY})
set(CONFDIR "${APP_CONFIG_DIRECTORY}")
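Review bot: `if(IS_ABSOLUTE ${CVD_CERTS_DIRECTORY})` expands the variable unquoted, so an empty value (for example `-D CVD_CERTS_DIRECTORY=`) leaves IS_ABSOLUTE with no argument and fails with a CMake argument-count error instead of a message about the option; quoting it as `if(IS_ABSOLUTE "${CVD_CERTS_DIRECTORY}")` gives a clear failure path (the existing DATABASE_DIRECTORY check above has the same issue, but new code need not copy it). Since CERTSDIR becomes the compiled-in location of the trust anchors used to verify CVD and CDIFF signatures, it is also worth making sure the corresponding install rule does not leave the directory writable by the runtime ClamAV user.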
6 changes: 6 additions & 0 deletions CMakeOptions.cmake
Expand Up @@ -7,13 +7,19 @@ if(WIN32)
set(DATABASE_DIRECTORY
"database" CACHE STRING
"Database directory.")
set(CVD_CERTS_DIRECTORY
"certs" CACHE STRING
"ClamAV CA certificates directory.")
else()
set(APP_CONFIG_DIRECTORY
"etc" CACHE STRING
"App Config directory.")
set(DATABASE_DIRECTORY
"share/clamav" CACHE STRING
"Database directory.")
set(CVD_CERTS_DIRECTORY
"${APP_CONFIG_DIRECTORY}/certs" CACHE STRING
"ClamAV CA certificates directory.")
endif()

set(CLAMAV_USER "clamav" CACHE STRING "ClamAV User")
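Review bot: the non-Windows default `"${APP_CONFIG_DIRECTORY}/certs"` is expanded once, when the CACHE STRING is first created, so the derived value is frozen in CMakeCache.txt; a later `-D APP_CONFIG_DIRECTORY=...` on an existing build tree moves the config directory but leaves CVD_CERTS_DIRECTORY pointing at the old `etc/certs`. Either document that the two options must be set together on a fresh configure, or compute the default in a non-cached variable and only fall back to it when CVD_CERTS_DIRECTORY was not explicitly set, so the certs directory actually follows the config directory as the help string implies.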