[Pkg-clamav-commits] [SCM] Debian repository for ClamAV branch, debian/unstable, updated. debian/0.95+dfsg-1-6156-g094ec9b
Tomasz Kojm
tkojm at clamav.net
Sun Apr 4 01:15:40 UTC 2010
The following commit has been merged in the debian/unstable branch:
commit 0c234f5ffd607fbf0e9385e276a6a3ba3f8ed5fc
Author: Tomasz Kojm <tkojm at clamav.net>
Date: Wed Jan 20 15:02:13 2010 +0100
CL_DB_CVDNOTMP is now the only way to load .cvd/.cld files; prepare
for .info signing
diff --git a/clamd/clamd.c b/clamd/clamd.c
index 23b441b..8871302 100644
--- a/clamd/clamd.c
+++ b/clamd/clamd.c
@@ -114,7 +114,7 @@ int main(int argc, char **argv)
int ret, tcpsock = 0, localsock = 0, i, min_port, max_port;
unsigned int sigs = 0;
int lsockets[2], nlsockets = 0;
- unsigned int dboptions = CL_DB_CVDNOTMP;
+ unsigned int dboptions = 0;
#ifdef C_LINUX
struct stat sb;
#endif
diff --git a/clamscan/manager.c b/clamscan/manager.c
index 5602df3..6090aaa 100644
--- a/clamscan/manager.c
+++ b/clamscan/manager.c
@@ -314,7 +314,7 @@ int scanmanager(const struct optstruct *opts)
{
mode_t fmode;
int ret = 0, fmodeint, i;
- unsigned int options = 0, dboptions = CL_DB_CVDNOTMP;
+ unsigned int options = 0, dboptions = 0;
struct cl_engine *engine;
struct stat sb;
char *file, cwd[1024], *pua_cats = NULL;
diff --git a/docs/clamdoc.tex b/docs/clamdoc.tex
index 0483853..0adc21a 100644
--- a/docs/clamdoc.tex
+++ b/docs/clamdoc.tex
@@ -867,9 +867,6 @@ N * * * * /usr/local/bin/freshclam --quiet
Initialize the phishing detection module and load .wdb and .pdb files.
\item \textbf{CL\_DB\_PUA}\\
Load signatures for Potentially Unwanted Applications.
- \item \textbf{CL\_DB\_CVDNOTMP}\\
- Load CVD files directly without unpacking them into a temporary
- directory.
\end{itemize}
\verb+cl_load()+ returns \verb+CL_SUCCESS+ on success and another code on
failure.
diff --git a/libclamav/clamav.h b/libclamav/clamav.h
index 96d3ad1..a5da093 100644
--- a/libclamav/clamav.h
+++ b/libclamav/clamav.h
@@ -73,7 +73,7 @@ typedef enum {
#define CL_DB_PHISHING 0x2
#define CL_DB_PHISHING_URLS 0x8
#define CL_DB_PUA 0x10
-#define CL_DB_CVDNOTMP 0x20
+#define CL_DB_CVDNOTMP 0x20 /* obsolete */
#define CL_DB_OFFICIAL 0x40 /* internal */
#define CL_DB_PUA_MODE 0x80
#define CL_DB_PUA_INCLUDE 0x100
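Review bot: The `/* obsolete */` marker on CL_DB_CVDNOTMP does not tell a caller of this public header what happens when the flag is still passed; since the same commit removes the only test of it in cli_cvdload, say so, e.g. `#define CL_DB_CVDNOTMP 0x20 /* obsolete: ignored, CVD/CLD files are always read in place */`. Keeping 0x20 reserved instead of reusing the bit is the right call for binary compatibility with callers built against the old header.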
@@ -84,7 +84,7 @@ typedef enum {
#define CL_DB_BYTECODE 0x2000
/* recommended db settings */
-#define CL_DB_STDOPT (CL_DB_PHISHING | CL_DB_PHISHING_URLS | CL_DB_CVDNOTMP | CL_DB_BYTECODE)
+#define CL_DB_STDOPT (CL_DB_PHISHING | CL_DB_PHISHING_URLS | CL_DB_BYTECODE)
/* scan options */
#define CL_SCAN_RAW 0x0
diff --git a/libclamav/cvd.c b/libclamav/cvd.c
index a94fcc8..c46db68 100644
--- a/libclamav/cvd.c
+++ b/libclamav/cvd.c
@@ -575,35 +575,7 @@ int cli_cvdload(FILE *fs, struct cl_engine *engine, unsigned int *signo, unsigne
engine->dbversion[1] = cvd.stime;
}
- if(options & CL_DB_CVDNOTMP) {
-
- return cli_tgzload(cfd, engine, signo, options | CL_DB_OFFICIAL);
-
- } else {
-
- if(!(dir = cli_gentemp(engine->tmpdir)))
- return CL_EMEM;
-
- if(mkdir(dir, 0700)) {
- cli_errmsg("cli_cvdload(): Can't create temporary directory %s\n", dir);
- free(dir);
- return CL_ETMPDIR;
- }
-
- if(cli_untgz(cfd, dir)) {
- cli_errmsg("cli_cvdload(): Can't unpack CVD file.\n");
- free(dir);
- return CL_ECVD;
- }
-
- /* load extracted directory */
- ret = cl_load(dir, engine, signo, options | CL_DB_OFFICIAL);
-
- cli_rmdirs(dir);
- free(dir);
-
- return ret;
- }
+ return cli_tgzload(cfd, engine, signo, options | CL_DB_OFFICIAL);
}
int cli_cvdunpack(const char *file, const char *dir)
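Review bot: With the temporary-directory branch removed, the only statement left after the version bookkeeping is the `cli_tgzload` call, so the locals that branch used (`dir`, `ret`, declared above the hunk) look unused now and will draw -Wunused-variable; drop them if nothing else in the function references them. The `options` word may still carry CL_DB_CVDNOTMP from callers built against the old header, which is harmless because it is no longer tested here, but a comment on the return line such as `/* archives are always read in place; CL_DB_CVDNOTMP in options is ignored */` would record that. cli_cvdload starts outside the hunk.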
diff --git a/libclamav/dsig.c b/libclamav/dsig.c
index b89d0b9..0c41efc 100644
--- a/libclamav/dsig.c
+++ b/libclamav/dsig.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2007-2009 Sourcefire, Inc.
+ * Copyright (C) 2007-2010 Sourcefire, Inc.
*
* Authors: Tomasz Kojm
*
@@ -32,6 +32,7 @@
#include "dsig.h"
#include "str.h"
#include "bignum.h"
+#include "sha256.h"
#define CLI_NSTR "118640995551645342603070001658453189751527774412027743746599405743243142607464144767361060640655844749760788890022283424922762488917565551002467771109669598189410434699034532232228621591089508178591428456220796841621637175567590476666928698770143328137383952820383197532047771780196576957695822641224262693037"
@@ -145,3 +146,72 @@ int cli_versig(const char *md5, const char *dsig)
cli_dbgmsg("cli_versig: Digital signature is correct.\n");
return CL_SUCCESS;
}
+
+#define HASH_LEN 32
+#define SALT_LEN 32
+#define PAD_LEN (2048 / 8)
+#define BLK_LEN (PAD_LEN - HASH_LEN - 1)
+int cli_versig2(const unsigned char *sha256, const char *dsig_str, const char *n_str, const char *e_str)
+{
+ unsigned char *decoded, digest1[HASH_LEN], digest2[HASH_LEN], digest3[HASH_LEN], *salt;
+ unsigned char mask[BLK_LEN], data[BLK_LEN], final[8 + 2 * HASH_LEN], c[4];
+ unsigned int i, rounds;
+ SHA256_CTX ctx;
+ mp_int n, e;
+
+ mp_init(&e);
+ mp_read_radix(&e, e_str, 10);
+ mp_init(&n);
+ mp_read_radix(&n, n_str, 10);
+
+ decoded = cli_decodesig(dsig_str, PAD_LEN, e, n);
+ mp_clear(&n);
+ mp_clear(&e);
+ if(!decoded)
+ return CL_EVERIFY;
+
+ if(decoded[PAD_LEN - 1] != 0xbc) {
+ free(decoded);
+ return CL_EVERIFY;
+ }
+
+ memcpy(mask, decoded, BLK_LEN);
+ memcpy(digest2, &decoded[BLK_LEN], HASH_LEN);
+ free(decoded);
+
+ c[0] = c[1] = 0;
+ rounds = (BLK_LEN + HASH_LEN - 1) / HASH_LEN;
+ for(i = 0; i < rounds; i++) {
+ c[2] = (unsigned char) (i / 256);
+ c[3] = (unsigned char) i;
+ sha256_init(&ctx);
+ sha256_update(&ctx, digest2, HASH_LEN);
+ sha256_update(&ctx, c, 4);
+ sha256_final(&ctx, digest3);
+ if(i + 1 == rounds)
+ memcpy(&data[i * 32], digest3, BLK_LEN - i * HASH_LEN);
+ else
+ memcpy(&data[i * 32], digest3, HASH_LEN);
+ }
+
+ for(i = 0; i < BLK_LEN; i++)
+ data[i] ^= mask[i];
+ data[0] &= (0xff >> 1);
+
+ if(!(salt = memchr(data, 0x01, BLK_LEN)))
+ return CL_EVERIFY;
+ salt++;
+
+ if(data + BLK_LEN - salt != SALT_LEN)
+ return CL_EVERIFY;
+
+ memset(final, 0, 8);
+ memcpy(&final[8], sha256, HASH_LEN);
+ memcpy(&final[8 + HASH_LEN], salt, SALT_LEN);
+
+ sha256_init(&ctx);
+ sha256_update(&ctx, final, sizeof(final));
+ sha256_final(&ctx, digest1);
+
+ return memcmp(digest1, digest2, HASH_LEN) ? CL_EVERIFY : CL_SUCCESS;
+}
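Review bot: The padding check on the unmasked DB, the `memchr(data, 0x01, BLK_LEN)` used to locate the salt, accepts any non-zero bytes before the first 0x01, whereas EMSA-PSS-VERIFY (RFC 8017 §9.1.2, step 10) requires the PS prefix to be all zero and the 0x01 separator at a fixed offset; with SALT_LEN fixed the check can be written directly, as below. Likewise `data[0] &= (0xff >> 1)` clears the top bit of DB (step 9) but the preceding requirement that the same bit of the masked DB be zero (step 6) is never verified — assuming a 2048-bit modulus, `if(mask[0] & 0x80) return CL_EVERIFY;` before the XOR loop covers it. The `mp_init`/`mp_read_radix` results after the declarations are unchecked, so a malformed n_str/e_str would be used silently; returning CL_EVERIFY on failure keeps the contract the callers expect. Minor style point: `&data[i * 32]` hard-codes the digest size that HASH_LEN names on the same lines.
```c
    /* … unchanged: MGF1 unmask loop, data[0] &= (0xff >> 1) … */
    /* EMSA-PSS-VERIFY step 10: DB must be PS || 0x01 || salt with PS all zero */
    for(i = 0; i < BLK_LEN - SALT_LEN - 1; i++)
        if(data[i] != 0)
            return CL_EVERIFY;
    if(data[BLK_LEN - SALT_LEN - 1] != 0x01)
        return CL_EVERIFY;
    salt = &data[BLK_LEN - SALT_LEN];
    /* … unchanged: M' = 8 zero bytes || sha256 || salt, hash and compare with digest2 … */
```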
diff --git a/libclamav/dsig.h b/libclamav/dsig.h
index 8156b23..72498ba 100644
--- a/libclamav/dsig.h
+++ b/libclamav/dsig.h
@@ -25,9 +25,7 @@
#include "clamav-config.h"
#endif
-#include "bignum.h"
-
int cli_versig(const char *md5, const char *dsig);
-unsigned char *cli_decodesig(const char *sig, unsigned int plen, mp_int e, mp_int n);
+int cli_versig2(const unsigned char *sha256, const char *dsig_str, const char *n_str, const char *e_str);
#endif
diff --git a/libclamav/libclamav.map b/libclamav/libclamav.map
index 898eb7a..378033c 100644
--- a/libclamav/libclamav.map
+++ b/libclamav/libclamav.map
@@ -133,6 +133,7 @@ CLAMAV_PRIVATE {
mp_read_radix;
mp_clear;
cli_versig;
+ cli_versig2;
cli_filecopy;
cli_ftw;
cli_unlink;
diff --git a/libclamav/readdb.c b/libclamav/readdb.c
index e2250ed..8d1013e 100644
--- a/libclamav/readdb.c
+++ b/libclamav/readdb.c
@@ -2086,7 +2086,7 @@ int cli_load(const char *filename, struct cl_engine *engine, unsigned int *signo
ret = cli_cvdload(fs, engine, signo, !strcmp(dbname, "daily.cvd"), options, 0);
} else if(cli_strbcasestr(dbname, ".cld")) {
- ret = cli_cvdload(fs, engine, signo, !strcmp(dbname, "daily.cld"), options | CL_DB_CVDNOTMP, 1);
+ ret = cli_cvdload(fs, engine, signo, !strcmp(dbname, "daily.cld"), options, 1);
} else if(cli_strbcasestr(dbname, ".hdb")) {
ret = cli_loadmd5(fs, engine, signo, MD5_HDB, options, dbio, dbname);
diff --git a/shared/cdiff.c b/shared/cdiff.c
index 049bf77..0b58098 100644
--- a/shared/cdiff.c
+++ b/shared/cdiff.c
@@ -773,102 +773,6 @@ static int cdiff_execute(const char *cmdstr, struct cdiff_ctx *ctx, char *lbuf,
return 0;
}
-static void pss_mgf(unsigned char *in, unsigned int inlen, unsigned char *out, unsigned int outlen)
-{
- SHA256_CTX ctx;
- unsigned int i, laps;
- unsigned char cnt[4], digest[PSS_DIGEST_LENGTH];
-
-
- laps = (outlen + PSS_DIGEST_LENGTH - 1) / PSS_DIGEST_LENGTH;
-
- for(i = 0; i < laps; i++) {
- cnt[0] = (unsigned char) 0;
- cnt[1] = (unsigned char) 0;
- cnt[2] = (unsigned char) (i / 256);
- cnt[3] = (unsigned char) i;
-
- sha256_init(&ctx);
- sha256_update(&ctx, in, inlen);
- sha256_update(&ctx, cnt, sizeof(cnt));
- sha256_final(&ctx, digest);
-
- if(i != laps - 1)
- memcpy(&out[i * PSS_DIGEST_LENGTH], digest, PSS_DIGEST_LENGTH);
- else
- memcpy(&out[i * PSS_DIGEST_LENGTH], digest, outlen - i * PSS_DIGEST_LENGTH);
- }
-}
-
-static int pss_versig(const unsigned char *sha256, const char *dsig)
-{
- mp_int n, e;
- SHA256_CTX ctx;
- unsigned char *pt, digest1[PSS_DIGEST_LENGTH], digest2[PSS_DIGEST_LENGTH], *salt;
- unsigned int plen = PSS_NBITS / 8, hlen, slen, i;
- unsigned char dblock[PSS_NBITS / 8 - PSS_DIGEST_LENGTH - 1];
- unsigned char mblock[PSS_NBITS / 8 - PSS_DIGEST_LENGTH - 1];
- unsigned char fblock[8 + 2 * PSS_DIGEST_LENGTH];
-
-
- hlen = slen = PSS_DIGEST_LENGTH;
- mp_init(&n);
- mp_read_radix(&n, PSS_NSTR, 10);
- mp_init(&e);
- mp_read_radix(&e, PSS_ESTR, 10);
- if(!(pt = cli_decodesig(dsig, plen, e, n))) {
- mp_clear(&n);
- mp_clear(&e);
- return -1;
- }
- mp_clear(&n);
- mp_clear(&e);
-
- if(pt[plen - 1] != 0xbc) {
- /* cli_dbgmsg("cli_versigpss: Incorrect signature syntax (0xbc)\n"); */
- free(pt);
- return -1;
- }
-
- memcpy(mblock, pt, plen - hlen - 1);
- memcpy(digest2, &pt[plen - hlen - 1], hlen);
- free(pt);
-
- pss_mgf(digest2, hlen, dblock, plen - hlen - 1);
-
- for(i = 0; i < plen - hlen - 1; i++)
- dblock[i] ^= mblock[i];
-
- dblock[0] &= (0xff >> 1);
-
- salt = memchr(dblock, 0x01, sizeof(dblock));
- if(!salt) {
- /* cli_dbgmsg("cli_versigpss: Can't find salt\n"); */
- return -1;
- }
- salt++;
-
- if((unsigned int) (dblock + sizeof(dblock) - salt) != slen) {
- /* cli_dbgmsg("cli_versigpss: Bad salt size\n"); */
- return -1;
- }
-
- memset(fblock, 0, 8);
- memcpy(&fblock[8], sha256, hlen);
- memcpy(&fblock[8 + hlen], salt, slen);
-
- sha256_init(&ctx);
- sha256_update(&ctx, fblock, sizeof(fblock));
- sha256_final(&ctx, digest1);
-
- if(memcmp(digest1, digest2, hlen)) {
- /* cli_dbgmsg("cli_versigpss: Signature doesn't match.\n"); */
- return -1;
- }
-
- return 0;
-}
-
int cdiff_apply(int fd, unsigned short mode)
{
struct cdiff_ctx ctx;
@@ -977,7 +881,7 @@ int cdiff_apply(int fd, unsigned short mode)
}
sha256_final(&sha256ctx, digest);
- if(pss_versig(digest, dsig)) {
+ if(cli_versig2(digest, dsig, PSS_NSTR, PSS_ESTR) != CL_SUCCESS) {
logg("!cdiff_apply: Incorrect digital signature\n");
close(desc);
free(line);