Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix CVD dsig verification when hash starts with zeros #1415

Merged
merged 2 commits into from
Jan 12, 2025
Merged

Fix CVD dsig verification when hash starts with zeros #1415

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
b8795fd
Fix CVD dsig verification when hash starts with zeros
micahsnyder Dec 3, 2024
4d389f3
Sigtool: CVD build hack for verify bug in 1.1 -> 1.4
micahsnyder Dec 16, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 7 additions & 4 deletions libclamav/dsig.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -88,7 +88,7 @@ static unsigned char *cli_decodesig(const char *sig, unsigned int plen, BIGNUM *
BIGNUM *r = NULL, *p = NULL, *c = NULL;
BN_CTX *bn_ctx = NULL;
unsigned int bn_bytes;
;
unsigned char *plain_offset = NULL;

r = BN_new();
if (!r) {
Expand Down Expand Up @@ -144,9 +144,12 @@ static unsigned char *cli_decodesig(const char *sig, unsigned int plen, BIGNUM *
cli_errmsg("cli_decodesig: Can't allocate memory for 'plain'\n");
goto done;
}
if (!BN_bn2bin(p, plain)) {
goto done;
}

// If bn_bytes is smaller than plen, we need to offset the plain buffer.
// If we didn't, then a hash that should start with 00 would end with 00 instead.
plain_offset = plain + plen - bn_bytes;

BN_bn2bin(p, plain_offset);

ret_sig = plain;
plain = NULL;
Expand Down
24 changes: 22 additions & 2 deletions sigtool/sigtool.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1155,6 +1155,20 @@ static int build(const struct optstruct *opts)
free(tarfile);
return -1;
}

// Check if the MD5 starts with 00. If it does, we'll return CL_ELAST_ERROR. The caller may try again for better luck.
// This is to avoid a bug in hash verification with ClamAV 1.1 -> 1.4. The bug was fixed in 1.5.0.
// TODO: Remove this workaround when no one is using those versions.
if (pt[0] == '0' && pt[1] == '0') {
// print out the pt hash
mprintf(LOGG_INFO, "The tar.gz MD5 starts with 00, which will fail to verify in ClamAV 1.1 -> 1.4: %s\n", pt);
fclose(fh);
unlink(tarfile);
free(tarfile);
free(pt);
return CL_ELAST_ERROR;
}

rewind(fh);
sprintf(header + strlen(header), "%s:", pt);
free(pt);
Expand Down Expand Up @@ -3768,9 +3782,15 @@ int main(int argc, char **argv)
ret = asciinorm(opts);
else if (optget(opts, "utf16-decode")->enabled)
ret = utf16decode(opts);
else if (optget(opts, "build")->enabled)
else if (optget(opts, "build")->enabled) {
ret = build(opts);
else if (optget(opts, "unpack")->enabled)
if (ret == CL_ELAST_ERROR) {
// build() returns CL_ELAST_ERROR the hash starts with 00. This will fail to verify with ClamAV 1.1 -> 1.4.
// Retry the build again to get new hashes.
mprintf(LOGG_WARNING, "Retrying the build for a chance at a better hash.\n");
ret = build(opts);
}
} else if (optget(opts, "unpack")->enabled)
ret = unpack(opts);
else if (optget(opts, "unpack-current")->enabled)
ret = unpack(opts);
Expand Down
Loading