[Pkg-clamav-commits] [SCM] Debian repository for ClamAV branch, debian/unstable, updated. debian/0.95+dfsg-1-6156-g094ec9b
Tomasz Kojm
tkojm at clamav.net
Sun Apr 4 01:16:09 UTC 2010
The following commit has been merged in the debian/unstable branch:
commit b2742f8878a054a7dbbb448782bd8772ae41404c
Author: Tomasz Kojm <tkojm at clamav.net>
Date: Thu Jan 21 23:02:15 2010 +0100
sigtool: create digitally signed .info files
libclamav: temporarily disable .info checking - needs to be updated
to the new format; sigtool/signd must be updated on SI
diff --git a/ChangeLog b/ChangeLog
index febb5b9..3e84066 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+Thu Jan 21 23:01:34 CET 2010 (tk)
+---------------------------------
+ * sigtool: create digitally signed .info files
+
Wed Jan 20 23:53:36 CET 2010 (acab)
-----------------------------------
* libclamav/pe.c: fix handling of 15h byte skew in upx-lzma (bb#1591)
diff --git a/libclamav/cvd.c b/libclamav/cvd.c
index 68e8583..31b38e0 100644
--- a/libclamav/cvd.c
+++ b/libclamav/cvd.c
@@ -307,7 +307,8 @@ static int cli_tgzload(int fd, struct cl_engine *engine, unsigned int *signo, un
else
off = ftell(dbio->fs);
- if((!dbinfo && cli_strbcasestr(name, ".info")) || (dbinfo && CLI_DBEXT(name))) {
+ /*if((!dbinfo && cli_strbcasestr(name, ".info")) || (dbinfo && CLI_DBEXT(name))) {*/
+ if(CLI_DBEXT(name)) {
ret = cli_load(name, engine, signo, options, dbio);
if(ret) {
cli_errmsg("cli_tgzload: Can't load %s\n", name);
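Review bot: The new `if(CLI_DBEXT(name))` condition drops the `dbinfo`/`.info` branch entirely, and the `/*` opened in the next hunk and closed by the `*/` before the `pad =` line disables the per-file checksum comparison with nothing in the code saying why or what has to land before it is re-enabled. Disabling code with block comments is fragile — the `/* TODO: compare sizes; replace with sha256 */` line had to be deleted in the following hunk precisely because a nested `*/` would have ended the block early — so prefer `#if 0` / `#endif` with a one-line marker such as `/* XXX: .info verification disabled until the new size:sha256 + DSIG format is supported here; see sigtool writeinfo */`. The same commented-out-block pattern is used in the cli_cvdload hunk further down. cli_tgzload starts and ends outside this hunk.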
@@ -315,6 +316,7 @@ static int cli_tgzload(int fd, struct cl_engine *engine, unsigned int *signo, un
CLOSE_DBIO;
return CL_EMALFDB;
}
+ /*
if(!dbinfo) {
free(dbio->buf);
CLOSE_DBIO;
@@ -330,7 +332,6 @@ static int cli_tgzload(int fd, struct cl_engine *engine, unsigned int *signo, un
return CL_EMALFDB;
}
if(dbio->bread) {
- /* TODO: compare sizes; replace with sha256 */
cli_md5_final(hash, &dbio->md5ctx);
if(memcmp(db->hash, hash, 16)) {
cli_errmsg("cli_tgzload: Invalid checksum for file %s\n", name);
@@ -340,6 +341,7 @@ static int cli_tgzload(int fd, struct cl_engine *engine, unsigned int *signo, un
}
}
}
+ */
}
pad = size % TAR_BLOCKSIZE ? (TAR_BLOCKSIZE - (size % TAR_BLOCKSIZE)) : 0;
if(compr) {
@@ -601,13 +603,16 @@ int cli_cvdload(FILE *fs, struct cl_engine *engine, unsigned int *signo, unsigne
return CL_ESEEK;
}
+ /*
ret = cli_tgzload(cfd, engine, signo, options | CL_DB_OFFICIAL, &dbio, NULL);
if(ret != CL_SUCCESS)
return ret;
- /* TODO: check CVD header */
+
+ * TODO: check CVD header
dbinfo = engine->dbinfo ? engine->dbinfo->next : NULL;
if(!dbinfo)
return CL_EMALFDB;
+ */
ret = cli_tgzload(cfd, engine, signo, options | CL_DB_OFFICIAL, &dbio, dbinfo);
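Review bot: With the first `cli_tgzload` call and the `dbinfo = engine->dbinfo ? engine->dbinfo->next : NULL;` assignment commented out, the surviving `ret = cli_tgzload(cfd, engine, signo, options | CL_DB_OFFICIAL, &dbio, dbinfo);` passes `dbinfo` without any assignment visible in the hunk; unless it is initialised at its declaration (outside the hunk), this reads an uninitialised local, which is undefined behaviour even though cli_tgzload no longer uses the argument. Passing the value explicitly avoids the question: `ret = cli_tgzload(cfd, engine, signo, options | CL_DB_OFFICIAL, &dbio, NULL);`. cli_cvdload continues outside the hunk.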
diff --git a/sigtool/sigtool.c b/sigtool/sigtool.c
index 12fc9e1..09228fa 100644
--- a/sigtool/sigtool.c
+++ b/sigtool/sigtool.c
@@ -304,7 +304,7 @@ static char *getdsig(const char *host, const char *user, const unsigned char *da
return NULL;
}
#endif
- if(scanf("%as", &pt) == EOF) {
+ if(scanf("%as", &pt) == EOF || !pt) {
mprintf("!getdsig: Can't get password\n");
#ifdef HAVE_TERMIOS_H
tcsetattr(0, TCSAFLUSH, &old);
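Review bot: `scanf("%as", &pt) == EOF || !pt` still accepts a return value of 0 (matching failure), in which case `pt` is not written and `!pt` only catches it if `pt` was set to NULL before the call, which this hunk does not show; testing the conversion count is the precise check: `if(scanf("%as", &pt) != 1 || !pt) {`. The same pattern is used for the builder-name prompt in `build` further down (the `Builder name:` hunk). `%as` is a glibc extension, so this read is not portable either. getdsig starts and ends outside this hunk.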
@@ -346,9 +346,11 @@ static char *getdsig(const char *host, const char *user, const unsigned char *da
memset(cmd, 0, sizeof(cmd));
if(mode == 1)
+ snprintf(cmd, sizeof(cmd) - datalen, "ClamSign:%s:%s:", user, pass);
+ else if(mode == 2)
snprintf(cmd, sizeof(cmd) - datalen, "ClamSignPSS:%s:%s:", user, pass);
else
- snprintf(cmd, sizeof(cmd) - datalen, "ClamSign:%s:%s:", user, pass);
+ snprintf(cmd, sizeof(cmd) - datalen, "ClamSignPSS2:%s:%s:", user, pass);
len = strlen(cmd);
pt = cmd + len;
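Review bot: The new `mode` dispatch maps 1, 2 and "anything else" onto three different signing commands, so a caller still passing 0 (the value `build` used before this commit) silently requests `ClamSignPSS2` instead of failing. Named constants and an explicit switch whose default rejects unknown modes make the contract visible, e.g. `enum { DSIG_MODE_MD5 = 1, DSIG_MODE_PSS = 2, DSIG_MODE_PSS2 = 3 };` (constructed names) with `default: mprintf("!getdsig: Unknown signing mode %d\n", mode); return NULL;` after the same cleanup the other error paths do. getdsig starts and ends outside this hunk.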
@@ -389,13 +391,44 @@ static char *getdsig(const char *host, const char *user, const unsigned char *da
return strdup(pt);
}
-static int writeinfo(const char *dbname, const char *header)
+static char *sha256file(const char *file, unsigned int *size)
{
FILE *fh;
- unsigned int i;
- char file[32], *md5;
+ unsigned int i, bytes;
+ unsigned char digest[32], buffer[FILEBUFF];
+ char *sha;
+ SHA256_CTX ctx;
+ sha256_init(&ctx);
+ if(!(fh = fopen(file, "r"))) {
+ mprintf("!sha256file: Can't open file %s\n", file);
+ return NULL;
+ }
+ if(size)
+ *size = 0;
+ while((bytes = fread(buffer, 1, sizeof(buffer), fh))) {
+ sha256_update(&ctx, buffer, bytes);
+ if(size)
+ *size += bytes;
+ }
+ sha256_final(&ctx, digest);
+ sha = (char *) malloc(65);
+ if(!sha)
+ return NULL;
+ for(i = 0; i < 32; i++)
+ sprintf(sha + i * 2, "%02x", digest[i]);
+ return sha;
+}
+
+static int writeinfo(const char *dbname, const char *builder, const char *header, const struct optstruct *opts)
+{
+ FILE *fh;
+ unsigned int i, bytes;
+ char file[32], *pt;
+ unsigned char digest[32], buffer[FILEBUFF];
+ SHA256_CTX ctx;
+
snprintf(file, sizeof(file), "%s.info", dbname);
if(!access(file, R_OK)) {
if(unlink(file) == -1) {
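Review bot: `sha256file` never closes `fh`: neither the normal return nor the `!sha` return after `malloc(65)` calls `fclose`, so every database file hashed by writeinfo and comparesha leaks a FILE. The read loop also treats a read error like EOF, so a file that fails mid-read yields a digest over a truncated prefix instead of an error; check `ferror(fh)` after the loop, and open with `"rb"` since the content is binary. The rewritten tail of the read path is below; writeinfo's body continues in the following hunks.
```c
	/* … unchanged: sha256_init, fopen (use "rb"), size reset, fread loop … */
	if(ferror(fh)) {
		mprintf("!sha256file: Can't read file %s\n", file);
		fclose(fh);
		return NULL;
	}
	fclose(fh);
	sha256_final(&ctx, digest);
	/* … unchanged: malloc(65) and hex encoding of digest into sha … */
```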
@@ -404,7 +437,7 @@ static int writeinfo(const char *dbname, const char *header)
}
}
- if(!(fh = fopen(file, "w"))) {
+ if(!(fh = fopen(file, "w+"))) {
mprintf("!writeinfo: Can't create file %s\n", file);
return -1;
}
@@ -417,21 +450,33 @@ static int writeinfo(const char *dbname, const char *header)
for(i = 0; dblist[i].name; i++) {
if(!cli_strbcasestr(dblist[i].name, ".info") && strstr(dblist[i].name, dbname) && !access(dblist[i].name, R_OK)) {
- if(!(md5 = cli_md5file(dblist[i].name))) {
- mprintf("!writeinfo: Can't generate MD5 checksum for %s\n", file);
+ if(!(pt = sha256file(dblist[i].name, &bytes))) {
+ mprintf("!writeinfo: Can't generate SHA256 for %s\n", file);
fclose(fh);
return -1;
}
- if(fprintf(fh, "%s:%s\n", dblist[i].name, md5) < 0) {
+ if(fprintf(fh, "%s:%u:%s\n", dblist[i].name, bytes, pt) < 0) {
mprintf("!writeinfo: Can't write to info file\n");
fclose(fh);
- free(md5);
+ free(pt);
return -1;
}
- free(md5);
+ free(pt);
}
}
+ rewind(fh);
+ sha256_init(&ctx);
+ while((bytes = fread(buffer, 1, sizeof(buffer), fh)))
+ sha256_update(&ctx, buffer, bytes);
+ sha256_final(&ctx, digest);
+ if(!(pt = getdsig(optget(opts, "server")->strarg, builder, digest, 32, 3))) {
+ mprintf("!writeinfo: Can't get digital signature from remote server\n");
+ fclose(fh);
+ return -1;
+ }
+ fprintf(fh, "DSIG:%s", pt);
+ free(pt);
fclose(fh);
return 0;
}
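Review bot: `fprintf(fh, "DSIG:%s", pt);` and the final `fclose(fh);` are unchecked, unlike the per-entry `fprintf` above them, so a failed write of the signature line produces an unsigned or truncated .info file while writeinfo still returns 0. The read-back loop that feeds `sha256_update` also does not test `ferror(fh)`, so a read error would sign a digest of partial content. The error handling for the signature line and the close should mirror the existing paths.
```c
	if(fprintf(fh, "DSIG:%s", pt) < 0) {
		mprintf("!writeinfo: Can't write to info file\n");
		free(pt);
		fclose(fh);
		return -1;
	}
	free(pt);
	if(fclose(fh) == EOF) {
		mprintf("!writeinfo: Can't close info file %s\n", file);
		return -1;
	}
	return 0;
```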
@@ -535,7 +580,7 @@ static int script2cdiff(const char *script, const char *builder, const struct op
fclose(cdiffh);
sha256_final(&ctx, digest);
- if(!(pt = getdsig(optget(opts, "server")->strarg, builder, digest, 32, 1))) {
+ if(!(pt = getdsig(optget(opts, "server")->strarg, builder, digest, 32, 2))) {
mprintf("!script2cdiff: Can't get digital signature from remote server\n");
unlink(cdiff);
free(cdiff);
@@ -691,7 +736,7 @@ static int build(const struct optstruct *opts)
builder[sizeof(builder)-1]='\0';
} else {
mprintf("Builder name: ");
- if(scanf("%as", &pt) == EOF) {
+ if(scanf("%as", &pt) == EOF || !pt) {
mprintf("!build: Can't get builder name\n");
return -1;
}
@@ -706,7 +751,7 @@ static int build(const struct optstruct *opts)
/* add current time */
sprintf(header + strlen(header), ":%u", (unsigned int) timet);
- if(writeinfo(dbname, header) == -1) {
+ if(writeinfo(dbname, builder, header, opts) == -1) {
mprintf("!build: Can't generate info file\n");
return -1;
}
@@ -763,7 +808,7 @@ static int build(const struct optstruct *opts)
sprintf(header + strlen(header), "%s:", pt);
free(pt);
- if(!(pt = getdsig(optget(opts, "server")->strarg, builder, buffer, 16, 0))) {
+ if(!(pt = getdsig(optget(opts, "server")->strarg, builder, buffer, 16, 1))) {
mprintf("!build: Can't get digital signature from remote server\n");
fclose(fh);
unlink(tarfile);
@@ -1294,11 +1339,12 @@ static int vbadump(const struct optstruct *opts)
return 0;
}
-static int comparemd5(const char *dbname)
+static int comparesha(const char *dbname)
{
- char info[32], buff[256], *md5, *pt;
+ char info[32], buff[FILEBUFF], *sha;
+ const char *tokens[3];
FILE *fh;
- int ret = 0;
+ int ret = 0, tokens_count;
snprintf(info, sizeof(info), "%s.info", getdbname(dbname));
@@ -1316,24 +1362,26 @@ static int comparemd5(const char *dbname)
while(fgets(buff, sizeof(buff), fh)) {
cli_chomp(buff);
- if(!(pt = strchr(buff, ':'))) {
+ tokens_count = cli_strtokenize(buff, ':', 3, tokens);
+ if(tokens_count != 3) {
+ if(!strcmp(tokens[0], "DSIG"))
+ continue;
mprintf("!verifydiff: Incorrect format of %s\n", info);
ret = -1;
break;
}
- *pt++ = 0;
- if(!(md5 = cli_md5file(buff))) {
+ if(!(sha = sha256file(tokens[0], NULL))) {
mprintf("!verifydiff: Can't generate MD5 for %s\n", buff);
ret = -1;
break;
}
- if(strcmp(pt, md5)) {
+ if(strcmp(sha, tokens[2])) {
mprintf("!verifydiff: %s has incorrect checksum\n", buff);
ret = -1;
- free(md5);
+ free(sha);
break;
}
- free(md5);
+ free(sha);
}
fclose(fh);
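Review bot: comparesha parses three tokens but only uses two: `sha256file(tokens[0], NULL)` discards the size, so the `%u` size field writeinfo now emits is never compared, and the `DSIG` line is skipped with `continue` without any verification of the signature, so on this side nothing checks the signed digest. The error message on the context line after the new `sha256file` call still says `Can't generate MD5` and prints `buff`, which (if cli_strtokenize splits in place) now holds only the first token; use `tokens[0]` and say SHA256. The rewritten comparison is below; it needs `unsigned int bytes;` and `char *end;` added to the declarations in the preceding hunk. If `cli_strtokenize` can return 0 tokens, `tokens[0]` is read uninitialised in the `!= 3` branch — worth confirming.
```c
		if(!(sha = sha256file(tokens[0], &bytes))) {
			mprintf("!verifydiff: Can't generate SHA256 for %s\n", tokens[0]);
			ret = -1;
			break;
		}
		if(bytes != strtoul(tokens[1], &end, 10) || *end || strcmp(sha, tokens[2])) {
			mprintf("!verifydiff: %s has incorrect size or checksum\n", tokens[0]);
			/* … unchanged: ret = -1; free(sha); break; … */
```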
@@ -1367,7 +1415,7 @@ static int rundiff(const struct optstruct *opts)
close(fd);
if(!ret)
- ret = comparemd5(diff);
+ ret = comparesha(diff);
return ret;
}
@@ -1611,7 +1659,7 @@ static int verifydiff(const char *diff, const char *cvd, const char *incdir)
}
close(fd);
- ret = comparemd5(diff);
+ ret = comparesha(diff);
if(chdir(cwd) == -1)
mprintf("^verifydiff: Can't chdir to %s\n", cwd);