2
* Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
6
* This program is free software; you can redistribute it and/or modify
7
* it under the terms of the GNU General Public License version 2 as
8
* published by the Free Software Foundation.
10
* This program is distributed in the hope that it will be useful,
11
* but WITHOUT ANY WARRANTY; without even the implied warranty of
12
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13
* GNU General Public License for more details.
15
* You should have received a copy of the GNU General Public License
16
* along with this program; if not, write to the Free Software
17
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
20
* In addition, as a special exception, the copyright holders give
21
* permission to link the code of portions of this program with the
22
* OpenSSL library under certain conditions as described in each
23
* individual source file, and distribute linked combinations
26
* You must obey the GNU General Public License in all respects
27
* for all of the code used other than OpenSSL. If you modify
28
* file(s) with this exception, you may extend this exception to your
29
* version of the file(s), but you are not obligated to do so. If you
30
* do not wish to do so, delete this exception statement from your
31
* version. If you delete this exception statement from all source
32
* files in the program, then also delete it here.
36
#include "clamav-config.h"
49
#include <sys/types.h>
58
#include <openssl/ssl.h>
59
#include <openssl/err.h>
60
#include "libclamav/crypto.h"
65
#include "libclamav/conv.h"
66
#include "libclamav/str.h"
69
char * strptime(const char *buf, const char *fmt, struct tm *tm);
73
#define MIN(x,y) ((x)<(y)?(x):(y))
76
#if !defined(HAVE_TIMEGM) && !defined(_WIN32)
78
* Solaris 10 and earlier don't have timegm. Provide a portable version of it.
79
* A special thank you to Dave Simonson for helping test and develop this.
81
time_t timegm(struct tm *t)
92
return -1; /* can't deal with output from strptime */
105
return -1; /* can't deal with output from gmtime */
110
return (tl - (tb - tl));
114
int cl_initialize_crypto(void)
116
SSL_load_error_strings();
118
OpenSSL_add_all_digests();
119
OpenSSL_add_all_algorithms();
120
OpenSSL_add_all_ciphers();
121
ERR_load_crypto_strings();
126
void cl_cleanup_crypto(void)
131
unsigned char *cl_hash_data(char *alg, const void *buf, size_t len, unsigned char *obuf, unsigned int *olen)
140
md = EVP_get_digestbyname(alg);
144
mdsz = EVP_MD_size(md);
146
ret = (obuf != NULL) ? obuf : (unsigned char *)malloc(mdsz);
150
ctx = EVP_MD_CTX_create();
158
if (!EVP_DigestInit_ex(ctx, md, NULL)) {
165
EVP_MD_CTX_destroy(ctx);
171
size_t todo = MIN(EVP_MD_block_size(md), len-cur);
172
if (!EVP_DigestUpdate(ctx, (void *)(((unsigned char *)buf)+cur), todo)) {
179
EVP_MD_CTX_destroy(ctx);
186
if (!EVP_DigestFinal_ex(ctx, ret, &i)) {
193
EVP_MD_CTX_destroy(ctx);
197
EVP_MD_CTX_destroy(ctx);
205
unsigned char *cl_hash_file_fd(int fd, char *alg, unsigned int *olen)
211
md = EVP_get_digestbyname(alg);
215
ctx = EVP_MD_CTX_create();
219
if (!EVP_DigestInit_ex(ctx, md, NULL)) {
220
EVP_MD_CTX_destroy(ctx);
224
res = cl_hash_file_fd_ctx(ctx, fd, olen);
225
EVP_MD_CTX_destroy(ctx);
230
unsigned char *cl_hash_file_fd_ctx(EVP_MD_CTX *ctx, int fd, unsigned int *olen)
235
unsigned int hashlen;
238
unsigned int blocksize;
246
mdsz = EVP_MD_CTX_size(ctx);
248
if (FSTAT(fd, &sb) < 0) {
255
blocksize = sb.st_blksize;
258
buf = (unsigned char *)malloc(blocksize);
263
hash = (unsigned char *)malloc(mdsz);
270
while ((nread = _read(fd, buf, blocksize)) > 0) {
272
while ((nread = read(fd, buf, blocksize)) > 0) {
274
if (!EVP_DigestUpdate(ctx, buf, nread)) {
282
if (!EVP_DigestFinal_ex(ctx, hash, &hashlen)) {
297
unsigned char *cl_hash_file_fp(FILE *fp, char *alg, unsigned int *olen)
299
return cl_hash_file_fd(fileno(fp), alg, olen);
302
unsigned char *cl_sha256(const void *buf, size_t len, unsigned char *obuf, unsigned int *olen)
304
return cl_hash_data("sha256", buf, len, obuf, olen);
307
unsigned char *cl_sha1(const void *buf, size_t len, unsigned char *obuf, unsigned int *olen)
309
return cl_hash_data("sha1", buf, len, obuf, olen);
312
int cl_verify_signature_hash(EVP_PKEY *pkey, char *alg, unsigned char *sig, unsigned int siglen, unsigned char *digest)
318
md = EVP_get_digestbyname(alg);
322
ctx = EVP_MD_CTX_create();
326
mdsz = EVP_MD_size(md);
328
if (!EVP_VerifyInit_ex(ctx, md, NULL)) {
329
EVP_MD_CTX_destroy(ctx);
333
if (!EVP_VerifyUpdate(ctx, digest, mdsz)) {
334
EVP_MD_CTX_destroy(ctx);
338
if (EVP_VerifyFinal(ctx, sig, siglen, pkey) != 0) {
339
EVP_MD_CTX_destroy(ctx);
343
EVP_MD_CTX_destroy(ctx);
347
int cl_verify_signature_fd(EVP_PKEY *pkey, char *alg, unsigned char *sig, unsigned int siglen, int fd)
352
unsigned char *digest;
354
digest = cl_hash_file_fd(fd, alg, NULL);
358
md = EVP_get_digestbyname(alg);
364
mdsz = EVP_MD_size(md);
366
ctx = EVP_MD_CTX_create();
372
if (!EVP_VerifyInit_ex(ctx, md, NULL)) {
374
EVP_MD_CTX_destroy(ctx);
378
if (!EVP_VerifyUpdate(ctx, digest, mdsz)) {
380
EVP_MD_CTX_destroy(ctx);
384
if (EVP_VerifyFinal(ctx, sig, siglen, pkey) != 0) {
386
EVP_MD_CTX_destroy(ctx);
391
EVP_MD_CTX_destroy(ctx);
395
int cl_verify_signature(EVP_PKEY *pkey, char *alg, unsigned char *sig, unsigned int siglen, unsigned char *data, size_t datalen, int decode)
400
unsigned char *digest;
403
unsigned char *newsig;
406
newsig = (unsigned char *)cl_base64_decode((char *)sig, siglen, NULL, &newsiglen);
414
digest = cl_hash_data(alg, data, datalen, NULL, NULL);
422
md = EVP_get_digestbyname(alg);
431
mdsz = EVP_MD_size(md);
433
ctx = EVP_MD_CTX_create();
442
if (!EVP_VerifyInit_ex(ctx, md, NULL)) {
447
EVP_MD_CTX_destroy(ctx);
451
if (!EVP_VerifyUpdate(ctx, digest, mdsz)) {
456
EVP_MD_CTX_destroy(ctx);
460
if (EVP_VerifyFinal(ctx, sig, siglen, pkey) != 0) {
465
EVP_MD_CTX_destroy(ctx);
473
EVP_MD_CTX_destroy(ctx);
477
int cl_verify_signature_hash_x509_keyfile(char *x509path, char *alg, unsigned char *sig, unsigned int siglen, unsigned char *digest)
483
fp = fopen(x509path, "r");
488
x509 = PEM_read_X509(fp, NULL, NULL, NULL);
496
res = cl_verify_signature_hash_x509(x509, alg, sig, siglen, digest);
503
int cl_verify_signature_fd_x509_keyfile(char *x509path, char *alg, unsigned char *sig, unsigned int siglen, int fd)
509
fp = fopen(x509path, "r");
514
x509 = PEM_read_X509(fp, NULL, NULL, NULL);
522
res = cl_verify_signature_fd_x509(x509, alg, sig, siglen, fd);
529
int cl_verify_signature_x509_keyfile(char *x509path, char *alg, unsigned char *sig, unsigned int siglen, unsigned char *data, size_t datalen, int decode)
535
fp = fopen(x509path, "r");
540
x509 = PEM_read_X509(fp, NULL, NULL, NULL);
548
res = cl_verify_signature_x509(x509, alg, sig, siglen, data, datalen, decode);
555
int cl_verify_signature_hash_x509(X509 *x509, char *alg, unsigned char *sig, unsigned int siglen, unsigned char *digest)
560
pkey = X509_get_pubkey(x509);
564
res = cl_verify_signature_hash(pkey, alg, sig, siglen, digest);
571
int cl_verify_signature_fd_x509(X509 *x509, char *alg, unsigned char *sig, unsigned int siglen, int fd)
576
pkey = X509_get_pubkey(x509);
580
res = cl_verify_signature_fd(pkey, alg, sig, siglen, fd);
587
int cl_verify_signature_x509(X509 *x509, char *alg, unsigned char *sig, unsigned int siglen, unsigned char *data, size_t datalen, int decode)
592
pkey = X509_get_pubkey(x509);
596
res = cl_verify_signature(pkey, alg, sig, siglen, data, datalen, decode);
603
unsigned char *cl_sign_data_keyfile(char *keypath, char *alg, unsigned char *hash, unsigned int *olen, int encode)
609
fp = fopen(keypath, "r");
614
pkey = PEM_read_PrivateKey(fp, NULL, NULL, NULL);
622
res = cl_sign_data(pkey, alg, hash, olen, encode);
629
unsigned char *cl_sign_data(EVP_PKEY *pkey, char *alg, unsigned char *hash, unsigned int *olen, int encode)
636
md = EVP_get_digestbyname(alg);
640
ctx = EVP_MD_CTX_create();
644
sig = (unsigned char *)calloc(1, EVP_PKEY_size(pkey));
646
EVP_MD_CTX_destroy(ctx);
650
if (!EVP_SignInit_ex(ctx, md, NULL)) {
652
EVP_MD_CTX_destroy(ctx);
656
if (!EVP_SignUpdate(ctx, hash, EVP_MD_size(md))) {
658
EVP_MD_CTX_destroy(ctx);
662
if (!EVP_SignFinal(ctx, sig, &siglen, pkey)) {
664
EVP_MD_CTX_destroy(ctx);
669
unsigned char *newsig = (unsigned char *)cl_base64_encode(sig, siglen);
672
EVP_MD_CTX_destroy(ctx);
678
siglen = (unsigned int)strlen((const char *)newsig);
682
EVP_MD_CTX_destroy(ctx);
686
unsigned char *cl_sign_file_fd(int fd, EVP_PKEY *pkey, char *alg, unsigned int *olen, int encode)
688
unsigned char *hash, *res;
689
unsigned int hashlen;
691
hash = cl_hash_file_fd(fd, alg, &hashlen);
696
res = cl_sign_data(pkey, alg, hash, olen, encode);
702
unsigned char *cl_sign_file_fp(FILE *fp, EVP_PKEY *pkey, char *alg, unsigned int *olen, int encode)
704
return cl_sign_file_fd(fileno(fp), pkey, alg, olen, encode);
707
EVP_PKEY *cl_get_pkey_file(char *keypath)
712
fp = fopen(keypath, "r");
716
if (!(pkey = PEM_read_PrivateKey(fp, NULL, NULL, NULL))) {
726
X509 *cl_get_x509_from_mem(void *data, unsigned int len)
731
cbio = BIO_new_mem_buf(data, len);
735
cert = PEM_read_bio_X509(cbio, NULL, 0, NULL);
741
int cl_validate_certificate_chain_ts_dir(char *tsdir, char *certpath)
743
char **authorities=NULL, **t, *fullpath;
747
struct dirent *dirent;
748
#if defined(HAVE_READDIR_R_3) || defined(HAVE_READDIR_R_2)
751
char b[offsetof(struct dirent, d_name) + NAME_MAX + 1];
759
#if defined(HAVE_READDIR_R_3)
760
while (!readdir_r(dp, &result.d, &dirent) && dirent) {
761
#elif defined(HAVE_READDIR_R_2)
762
while ((dirent = (struct dirent *)readdir_r(dp, &result.d))) {
764
while ((dirent = readdir(dp))) {
766
if (dirent->d_name[0] == '.')
769
if (!cli_strbcasestr(dirent->d_name, ".crt"))
772
t = (char **)realloc(authorities, sizeof(char **) * (nauths + 1));
776
free(authorities[--nauths]);
785
authorities[nauths] = (char *)malloc(strlen(tsdir) + strlen(dirent->d_name) + 2);
786
if (!authorities[nauths]) {
789
free(authorities[nauths--]);
790
free(authorities[0]);
798
sprintf(authorities[nauths], "%s"PATHSEP"%s", tsdir, dirent->d_name);
804
t = (char **)realloc(authorities, sizeof(char **) * (nauths + 1));
808
free(authorities[--nauths]);
816
authorities[nauths] = NULL;
818
res = cl_validate_certificate_chain(authorities, NULL, certpath);
821
free(authorities[--nauths]);
828
int cl_validate_certificate_chain(char **authorities, char *crlpath, char *certpath)
830
X509_STORE *store=NULL;
831
X509_STORE_CTX *store_ctx;
832
X509_LOOKUP *lookup=NULL;
834
X509_VERIFY_PARAM *param=NULL;
839
store = X509_STORE_new();
843
X509_STORE_set_flags(store, 0);
845
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
847
X509_STORE_free(store);
853
crl = cl_load_crl(crlpath);
855
X509_STORE_free(store);
859
X509_STORE_add_crl(store, crl);
860
param = X509_VERIFY_PARAM_new();
862
X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
863
X509_STORE_set1_param(store, param);
865
X509_STORE_free(store);
871
/* Support multi-tiered setups */
872
for (i=0; authorities[i]; i++) {
873
if (!X509_LOOKUP_load_file(lookup, authorities[i], X509_FILETYPE_PEM)) {
874
X509_STORE_free(store);
878
X509_VERIFY_PARAM_free(param);
883
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
885
X509_STORE_free(store);
889
X509_VERIFY_PARAM_free(param);
893
X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
895
store_ctx = X509_STORE_CTX_new();
897
X509_STORE_free(store);
901
X509_VERIFY_PARAM_free(param);
905
cert = cl_load_cert(certpath);
907
X509_STORE_CTX_free(store_ctx);
908
X509_STORE_free(store);
912
X509_VERIFY_PARAM_free(param);
917
if (!X509_STORE_CTX_init(store_ctx, store, cert, NULL)) {
918
X509_STORE_CTX_free(store_ctx);
919
X509_STORE_free(store);
923
X509_VERIFY_PARAM_free(param);
930
res = X509_verify_cert(store_ctx);
932
X509_STORE_CTX_free(store_ctx);
937
X509_VERIFY_PARAM_free(param);
939
X509_STORE_free(store);
946
X509 *cl_load_cert(const char *certpath)
951
bio = BIO_new(BIO_s_file());
955
if (BIO_read_filename(bio, certpath) != 1) {
960
cert = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL);
967
struct tm *cl_ASN1_GetTimeT(ASN1_TIME *timeobj)
972
const char *fmt=NULL;
975
struct tm localtm, *ltm;
980
if (!(timeobj) || !(timeobj->data))
983
str = (char *)(timeobj->data);
984
if (strlen(str) < 12)
987
t = (struct tm *)calloc(1, sizeof(struct tm));
991
if (timeobj->type == V_ASN1_UTCTIME) {
993
fmt = "%y%m%d%H%M%S";
1001
else if (timeobj->type == V_ASN1_GENERALIZEDTIME) {
1002
/* four digit year */
1003
fmt = "%Y%m%d%H%M%S";
1004
if (str[5] == '0') {
1017
if (!strptime(str, fmt, t)) {
1022
/* Convert to local time */
1023
localt = time(NULL);
1025
ltm = localtime(&localt);
1026
memcpy((void *)(&localtm), (void *)ltm, sizeof(struct tm));
1028
localtime_r(&localt, &localtm);
1030
t->tm_isdst = localtm.tm_isdst;
1034
X509_CRL *cl_load_crl(const char *file)
1044
fp = fopen(file, "r");
1048
x = PEM_read_X509_CRL(fp, NULL, NULL, NULL);
1053
tm = cl_ASN1_GetTimeT(x->crl->nextUpdate);
1059
#if !defined(_WIN32)
1060
if (timegm(tm) < time(NULL)) {
1073
void *cl_hash_init(const char *alg)
1078
md = EVP_get_digestbyname(alg);
1082
ctx = EVP_MD_CTX_create();
1087
if (!EVP_DigestInit_ex(ctx, md, NULL)) {
1088
EVP_MD_CTX_destroy(ctx);
1095
int cl_update_hash(void *ctx, void *data, size_t sz)
1097
if (!(ctx) || !(data))
1100
if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx, data, sz))
1106
int cl_finish_hash(void *ctx, void *buf)
1110
if (!(ctx) || !(buf))
1113
if (!EVP_DigestFinal_ex((EVP_MD_CTX *)ctx, (unsigned char *)buf, NULL))
1116
EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx);
1121
void cl_hash_destroy(void *ctx)
1126
EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx);