- Updated with clang-format to clean up pipeline issues.

Cisco-Talos · Aug 20, 2024 · d64161d · d64161d
1 parent d233429
commit d64161d
Show file tree

Hide file tree

Showing 4 changed files with 88 additions and 95 deletions.
diff --git a/libclamav/crypto.c b/libclamav/crypto.c
@@ -138,64 +138,64 @@ time_t timegm(struct tm *t)
 
 /**
  * This variable determines if we are operating in FIPS mode, default to no.
-  */
+ */
 int cli_fips_mode = 0;
 
 /**
  * @brief This function determines if we are running in FIPS mode and sets the cl_fips_mode variable
- * 
+ *
  * This function is called by cl_init() and does not need to be called by the user
- * 
+ *
  * @return int Returns 1 if we are running in FIPS mode, 0 otherwise
- * 
+ *
  */
 
 void cli_setup_fips_configuration(void)
 {
-    #if OPENSSL_VERSION_MAJOR == 1
-    // OpenSSL 1.x (1.0 or 1.1)
-    #ifdef OPENSSL_FIPS
-        if (FIPS_mode()) {
-            cli_infomsg_simple("cl_setup_fips_configuration: FIPS mode provider found.\n");
-            cl_fips_mode = 1;
-        } else {
-            cli_infomsg_simple("cl_setup_fips_configuration: FIPS mode provider was not found.\n");
-            cl_fips_mode = 0;
-        }
-    #else
+#if OPENSSL_VERSION_MAJOR == 1
+// OpenSSL 1.x (1.0 or 1.1)
+#ifdef OPENSSL_FIPS
+    if (FIPS_mode()) {
+        cli_infomsg_simple("cl_setup_fips_configuration: FIPS mode provider found.\n");
+        cl_fips_mode = 1;
+    } else {
+        cli_infomsg_simple("cl_setup_fips_configuration: FIPS mode provider was not found.\n");
         cl_fips_mode = 0;
-    #endif
-
-    #elif OPENSSL_VERSION_MAJOR == 3
-        // OpenSSL 3.0.x
-        OSSL_LIB_CTX *libctx = OSSL_LIB_CTX_new();
-        if (libctx == NULL) {
-            cli_warnmsg("cl_setup_fips_configuration: Failed to create libctx.\n");
-            cli_fips_mode = 0;
-            return;
-        }
+    }
+#else
+    cl_fips_mode = 0;
+#endif
 
-        OSSL_PROVIDER *fips = OSSL_PROVIDER_load(libctx, "fips");
-        if (fips != NULL) {
-            cli_infomsg_simple("cl_setup_fips_configuration: FIPS mode provider found.\n");
-            cli_fips_mode = 1;
-            OSSL_PROVIDER_unload(fips);
-            OSSL_LIB_CTX_free(libctx);
-        } else {
-            cli_infomsg_simple("cl_setup_fips_configuration: FIPS mode provider was not found.\n");
-            cli_fips_mode = 0;
-            OSSL_LIB_CTX_free(libctx);
-        }
-    #else
-        #error "Unsupported OpenSSL version"
-    #endif
+#elif OPENSSL_VERSION_MAJOR == 3
+    // OpenSSL 3.0.x
+    OSSL_LIB_CTX *libctx = OSSL_LIB_CTX_new();
+    if (libctx == NULL) {
+        cli_warnmsg("cl_setup_fips_configuration: Failed to create libctx.\n");
+        cli_fips_mode = 0;
+        return;
+    }
+
+    OSSL_PROVIDER *fips = OSSL_PROVIDER_load(libctx, "fips");
+    if (fips != NULL) {
+        cli_infomsg_simple("cl_setup_fips_configuration: FIPS mode provider found.\n");
+        cli_fips_mode = 1;
+        OSSL_PROVIDER_unload(fips);
+        OSSL_LIB_CTX_free(libctx);
+    } else {
+        cli_infomsg_simple("cl_setup_fips_configuration: FIPS mode provider was not found.\n");
+        cli_fips_mode = 0;
+        OSSL_LIB_CTX_free(libctx);
+    }
+#else
+#error "Unsupported OpenSSL version"
+#endif
 }
 
 /**
- * @brief Return the status of our FIPS condition.  
- * 
+ * @brief Return the status of our FIPS condition.
+ *
  * This function allows users of the library to determine if the library is running in FIPS mode.
- * 
+ *
  * @return int Returns 1 if we are running in FIPS mode, 0 otherwise
  */
 
@@ -1330,7 +1330,7 @@ void cl_hash_destroy(void *ctx)
 #if OPENSSL_VERSION_MAJOR == 1
 RSA *cli_build_ext_signing_key(void)
 {
-    RSA *rsa = RSA_new();
+    RSA *rsa  = RSA_new();
     BIGNUM *n = BN_new();
     BIGNUM *e = BN_new();
 
@@ -1356,12 +1356,12 @@ RSA *cli_build_ext_signing_key(void)
 // Do this the OpenSSL 3 way, avoiding deprecation warnings
 EVP_PKEY *cli_build_ext_signing_key(void)
 {
-    EVP_PKEY *pkey = EVP_PKEY_new();
-    BIGNUM *n = BN_new();
-    BIGNUM *e = BN_new();
+    EVP_PKEY *pkey      = EVP_PKEY_new();
+    BIGNUM *n           = BN_new();
+    BIGNUM *e           = BN_new();
     OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new();
-    OSSL_PARAM *params = NULL;
-    int result = 0;
+    OSSL_PARAM *params  = NULL;
+    int result          = 0;
 
     // Check bld and params
     if (!pkey || !n || !e || !bld) {
@@ -1439,7 +1439,7 @@ EVP_PKEY *cli_build_ext_signing_key(void)
 
     if (params)
         OSSL_PARAM_free(params);
-    
+
     if (ctx)
         EVP_PKEY_CTX_free(ctx);
 

diff --git a/libclamav/crypto.h b/libclamav/crypto.h
@@ -22,6 +22,7 @@
 #ifndef __CRYPTO_H
 #define __CRYPTO_H
 #include <openssl/opensslv.h>
+#include <openssl/evp.h>
 
 void cli_setup_fips_configuration(void);
 int cli_get_fips_mode(void);

diff --git a/libclamav/dsig.c b/libclamav/dsig.c
@@ -429,9 +429,9 @@ int cli_versig2(const unsigned char *sha256, const char *dsig_str, const char *n
 int cli_hex2bin(const char *hex, unsigned char *bin, int len)
 {
     // Use tricks to do this fast and without memory violations
-    unsigned char *in = (unsigned char *)hex;
+    unsigned char *in  = (unsigned char *)hex;
     unsigned char *out = bin;
-    int retlen = len/2;
+    int retlen         = len / 2;
 
     while (len--) {
         *out = 0;
@@ -463,7 +463,7 @@ cl_error_t cli_sigver_external(const char *file)
 {
     cl_error_t result = CL_ERROR;
     unsigned char sha256_bin[SHA256_DIGEST_LENGTH];
-    char *sha256 = NULL;
+    char *sha256           = NULL;
     unsigned char *sig_bin = NULL;
 
     // Use the built-in method to hash the CVD file.
@@ -498,7 +498,7 @@ cl_error_t cli_sigver_external(const char *file)
         goto done;
     }
 #else
-    #error "Unsupported OpenSSL version"
+#error "Unsupported OpenSSL version"
 #endif
 
     // Convert the sha256 hash to binary
@@ -519,10 +519,10 @@ cl_error_t cli_sigver_external(const char *file)
         result = CL_EMEM;
         goto done;
     }
-    #pragma GCC diagnostic push
-    #pragma GCC diagnostic ignored "-Wstringop-truncation"
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wstringop-truncation"
     strncpy(sigfile + strlen(sigfile) - 4, ".sig", 4);
-    #pragma GCC diagnostic pop
+#pragma GCC diagnostic pop
     fs = fopen(sigfile, "rb");
     if (fs == NULL) {
         cli_errmsg("cli_cvd_ext_sig_verify: Can't open signature file %s\n", sigfile);
@@ -532,9 +532,9 @@ cl_error_t cli_sigver_external(const char *file)
 
     // Read the signature file
     fseek(fs, 0, SEEK_END);
-    size_t siglen = (size_t) ftell(fs);
+    size_t siglen = (size_t)ftell(fs);
     fseek(fs, 0, SEEK_SET);
-    char *sig = (char *)malloc(siglen+1);
+    char *sig = (char *)malloc(siglen + 1);
     if (sig == NULL) {
         cli_errmsg("cli_cvd_ext_sig_verify: Can't allocate memory for signature\n");
         fclose(fs);
@@ -561,7 +561,7 @@ cl_error_t cli_sigver_external(const char *file)
     }
     *sig_seperator = 0;
     sig_seperator++;
-    siglen = strlen(sig_seperator)/2;
+    siglen  = strlen(sig_seperator) / 2;
     sig_bin = (unsigned char *)malloc(siglen);
     if (sig_bin == NULL) {
         cli_errmsg("cli_cvd_ext_sig_verify: Can't allocate memory for signature binary\n");
@@ -578,21 +578,20 @@ cl_error_t cli_sigver_external(const char *file)
     // If we are using a verson of openssl less than 3.0.0, we need to use the RSA_verify function
 #if OPENSSL_VERSION_MAJOR == 1
     // verify the signature
-    //int sig_verify = RSA_verify(NID_sha256, sha256, strlen(sha256), sig_bin, siglen, rsa);
+    // int sig_verify = RSA_verify(NID_sha256, sha256, strlen(sha256), sig_bin, siglen, rsa);
     int sig_verify = RSA_verify(NID_sha256, sha256_bin, SHA256_DIGEST_LENGTH, sig_bin, siglen, rsa);
     if (sig_verify != 1) {
         cli_errmsg("cli_cvd_ext_sig_verify: RSA signature verification failed for external database signature\n");
         result = CL_EVERIFY;
         goto done;
-    }
-    else {
+    } else {
         cli_dbgmsg("cli_cvd_ext_sig_verify: RSA signature verification successful for external database signature\n");
         result = CL_SUCCESS;
     }
 #elif OPENSSL_VERSION_MAJOR == 3
     // verify the signature
     EVP_PKEY_CTX *pctx = NULL;
-    
+
     pctx = EVP_PKEY_CTX_new(rsa, NULL);
     if (pctx == NULL) {
         cli_errmsg("cli_cvd_ext_sig_verify: Can't create EVP_PKEY_CTX\n");
@@ -616,27 +615,26 @@ cl_error_t cli_sigver_external(const char *file)
         cli_errmsg("cli_cvd_ext_sig_verify: RSA signature verification failed for external database signature\n");
         result = CL_EVERIFY;
         goto done;
-    }
-    else {
+    } else {
         cli_dbgmsg("cli_cvd_ext_sig_verify: RSA signature verification successful for external database signature\n");
         result = CL_SUCCESS;
     }
 
-     if(pctx) EVP_PKEY_CTX_free(pctx);
+    if (pctx) EVP_PKEY_CTX_free(pctx);
 #else
-    #error "Unsupported OpenSSL version"
+#error "Unsupported OpenSSL version"
 #endif
 
 done:
     // Clean up
-    if (sig)        free(sig);
-    if (sigfile)    free(sigfile);
-    if (sha256)     free(sha256);
-    if (sig_bin)    free(sig_bin);
+    if (sig) free(sig);
+    if (sigfile) free(sigfile);
+    if (sha256) free(sha256);
+    if (sig_bin) free(sig_bin);
 #if OPENSSL_VERSION_NUMBER < 0x30000000L
-    if (rsa)        RSA_free(rsa);
+    if (rsa) RSA_free(rsa);
 #else
-    if (rsa)        EVP_PKEY_free(rsa);
+    if (rsa) EVP_PKEY_free(rsa);
 #endif
 
     return result;

diff --git a/libfreshclam/libfreshclam_internal.c b/libfreshclam/libfreshclam_internal.c
@@ -1483,11 +1483,10 @@ static fc_error_t getcvd(
     //
     // If we are in FIPS mode, download the external signature file
     //
-    char *sigfile = NULL;
+    char *sigfile       = NULL;
     char *extSigTmpFile = NULL;
-    char *extSigUrl = NULL;
-    if (cli_get_fips_mode())
-    {
+    char *extSigUrl     = NULL;
+    if (cli_get_fips_mode()) {
 
         // The external signature file is the same as the CVD file, but with a different extension.
         sigfile = strdup(cvdfile);
@@ -1497,13 +1496,13 @@ static fc_error_t getcvd(
             goto done;
         }
 
-        // Change the extension to .sig
-        #pragma GCC diagnostic push
-        #pragma GCC diagnostic ignored "-Wstringop-truncation"
+// Change the extension to .sig
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wstringop-truncation"
         strncpy(sigfile + strlen(sigfile) - 4, ".sig", 4);
-        #pragma GCC diagnostic pop
+#pragma GCC diagnostic pop
 
-        urlLen = strlen(server) + strlen("/") + strlen(sigfile);
+        urlLen    = strlen(server) + strlen("/") + strlen(sigfile);
         extSigUrl = malloc(urlLen + 1);
         if (!extSigUrl) {
             logg(LOGG_ERROR, "Can't allocate memory for external signature file URL!\n");
@@ -1518,10 +1517,10 @@ static fc_error_t getcvd(
             status = FC_EMEM;
             goto done;
         }
-        #pragma GCC diagnostic push
-        #pragma GCC diagnostic ignored "-Wstringop-truncation"
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wstringop-truncation"
         strncpy(extSigTmpFile + strlen(extSigTmpFile) - 4, ".sig", 4);
-        #pragma GCC diagnostic pop
+#pragma GCC diagnostic pop
 
         // Construct the URL
         snprintf(extSigUrl, urlLen + 1, "%s/%s", server, sigfile);
@@ -1553,14 +1552,13 @@ static fc_error_t getcvd(
         logg(LOGG_ERROR, "Can't rename %s to %s: %s\n", tmpfile, tmpfile_with_extension, strerror(errno));
         status = FC_EDBDIRACCESS;
         goto done;
-    }   
+    }
 
     // If we're in FIPS mode, temporarily rename the external signature file to the expected path:
     // The database file will be something like: /share/SAP/clam.d/tmp.b2b103a70a/clamav-3bbac78e36cbf974e1060de6dbbbfea3.tmp-daily.cld
     // The expected external signature will be: /share/SAP/clam.d/tmp.b2b103a70a/clamav-3bbac78e36cbf974e1060de6dbbbfea3.tmp-daily.sig
     char *extSigTmpFileWithExtension = NULL;
-    if (cli_get_fips_mode())
-    {
+    if (cli_get_fips_mode()) {
         // Temprorarily rename the the sig file to the expected path
         extSigTmpFileWithExtension = strdup(tmpfile_with_extension);
         if (!extSigTmpFileWithExtension) {
@@ -1597,14 +1595,12 @@ static fc_error_t getcvd(
     }
 
     // Rename the .sig file if we are in FIPS mode
-    if (cli_get_fips_mode())
-    {
+    if (cli_get_fips_mode()) {
         if (rename(extSigTmpFileWithExtension, extSigTmpFile) == -1) {
             logg(LOGG_ERROR, "Can't rename %s to %s: %s\n", extSigTmpFileWithExtension, extSigTmpFile, strerror(errno));
             status = FC_EDBDIRACCESS;
             goto done;
         }
-
     }
 
     if (cvd->version < remoteVersion) {
@@ -1618,8 +1614,7 @@ static fc_error_t getcvd(
     status = FC_SUCCESS;
 
 done:
-    if (cli_get_fips_mode())
-    {
+    if (cli_get_fips_mode()) {
         if (NULL != extSigTmpFileWithExtension) {
             free(extSigTmpFileWithExtension);
         }
@@ -2640,8 +2635,7 @@ fc_error_t updatedb(
     }
 
     // If we are running in FIPS mode, we need to move the .sig file in, as well.
-    if (cli_get_fips_mode())
-    {
+    if (cli_get_fips_mode()) {
         // just duplicate the newLocalFileName buffer and replace the .cld with .sig
         char *newLocalSigFilename = strdup(newLocalFilename);
         strcpy(newLocalSigFilename + strlen(newLocalSigFilename) - 4, ".sig");