@@ -1,3 +1,8 @@

+Mon Oct 20 01:57:16 CEST 2003

+----------------------------------

+  * sigtool: receive digital signature from remote ClamAV Signing Service

+  * libclamav: small cvd fixes

+

 Fri Oct 17 05:08:22 CEST 2003 (tk)

 ----------------------------------

   * new Spanish documentation on ClamAV + Sendmail integration by

@@ -81,7 +81,7 @@ dnl there is now a CREATE_PREFIX_TARGET_H in this file as a shorthand for

 dnl PREFIX_CONFIG_H from a target.h file, however w/o the target.h ever created

 dnl (the prefix is a bit different, since we add an extra -target- and -host-)

 dnl 

-dnl @version: $Id: aclocal.m4,v 1.7 2003/10/17 03:16:14 kojm Exp $

+dnl @version: $Id: aclocal.m4,v 1.8 2003/10/20 00:55:10 kojm Exp $

 dnl @author Guido Draheim <guidod@gmx.de>                 STATUS: used often

 AC_DEFUN([AC_CREATE_TARGET_H],

@@ -4041,7 +4041,7 @@ dnl      AC_COMPILE_CHECK_SIZEOF(ptrdiff_t, $headers)

 dnl      AC_COMPILE_CHECK_SIZEOF(off_t, $headers)

 dnl

 dnl @author Kaveh Ghazi <ghazi@caip.rutgers.edu>

-dnl @version $Id: aclocal.m4,v 1.7 2003/10/17 03:16:14 kojm Exp $

+dnl @version $Id: aclocal.m4,v 1.8 2003/10/20 00:55:10 kojm Exp $

 dnl

 AC_DEFUN([AC_COMPILE_CHECK_SIZEOF],

 [changequote(<<, >>)dnl

@@ -999,6 +999,7 @@ Optional Features:

   --disable-libtool-lock  avoid locking (might break parallel builds)

   --disable-bzip2	  Disable bzip2 support.

   --enable-milter	  Build clamav-milter (if milter library found)

+  --disable-dsig	  Disable digital signature support.

   --disable-pthreads      Disable POSIX threads support

   --disable-cr      Don't link with C reentrant library (BSD)

   --disable-urandom       Disable test for /dev/urandom

@@ -4534,7 +4535,7 @@ test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes

 case $host in

 *-*-irix6*)

   # Find out which ABI we are using.

-  echo '#line 4537 "configure"' > conftest.$ac_ext

+  echo '#line 4538 "configure"' > conftest.$ac_ext

   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5

   (eval $ac_compile) 2>&5

   ac_status=$?

@@ -5070,7 +5071,7 @@ chmod -w .

 save_CFLAGS="$CFLAGS"

 CFLAGS="$CFLAGS -o out/conftest2.$ac_objext"

 compiler_c_o=no

-if { (eval echo configure:5073: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>out/conftest.err; } && test -s out/conftest2.$ac_objext; then

+if { (eval echo configure:5074: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>out/conftest.err; } && test -s out/conftest2.$ac_objext; then

   # The compiler can only warn and ignore the option if not recognized

   # So say no if there are warnings

   if test -s out/conftest.err; then

@@ -6863,7 +6864,7 @@ else

     lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2

   lt_status=$lt_dlunknown

   cat > conftest.$ac_ext <<EOF

-#line 6866 "configure"

+#line 6867 "configure"

 #include "confdefs.h"

 #if HAVE_DLFCN_H

@@ -6961,7 +6962,7 @@ else

     lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2

   lt_status=$lt_dlunknown

   cat > conftest.$ac_ext <<EOF

-#line 6964 "configure"

+#line 6965 "configure"

 #include "confdefs.h"

 #if HAVE_DLFCN_H

@@ -8733,6 +8734,81 @@ else

   have_milter="no"

 fi;

+want_dsig="yes"

+# Check whether --enable-dsig or --disable-dsig was given.

+if test "${enable_dsig+set}" = set; then

+  enableval="$enable_dsig"

+  want_dsig="no"

+fi;

+

+if test "$want_dsig" = "yes"

+then

+    echo "$as_me:$LINENO: checking for __gmpz_init in -lgmp" >&5

+echo $ECHO_N "checking for __gmpz_init in -lgmp... $ECHO_C" >&6

+if test "${ac_cv_lib_gmp___gmpz_init+set}" = set; then

+  echo $ECHO_N "(cached) $ECHO_C" >&6

+else

+  ac_check_lib_save_LIBS=$LIBS

+LIBS="-lgmp  $LIBS"

+cat >conftest.$ac_ext <<_ACEOF

+#line $LINENO "configure"

+#include "confdefs.h"

+

+/* Override any gcc2 internal prototype to avoid an error.  */

+#ifdef __cplusplus

+extern "C"

+#endif

+/* We use char because int might match the return type of a gcc2

+   builtin and then its argument prototype would still apply.  */

+char __gmpz_init ();

+#ifdef F77_DUMMY_MAIN

+#  ifdef __cplusplus

+     extern "C"

+#  endif

+   int F77_DUMMY_MAIN() { return 1; }

+#endif

+int

+main ()

+{

+__gmpz_init ();

+  ;

+  return 0;

+}

+_ACEOF

+rm -f conftest.$ac_objext conftest$ac_exeext

+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5

+  (eval $ac_link) 2>&5

+  ac_status=$?

+  echo "$as_me:$LINENO: \$? = $ac_status" >&5

+  (exit $ac_status); } &&

+         { ac_try='test -s conftest$ac_exeext'

+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5

+  (eval $ac_try) 2>&5

+  ac_status=$?

+  echo "$as_me:$LINENO: \$? = $ac_status" >&5

+  (exit $ac_status); }; }; then

+  ac_cv_lib_gmp___gmpz_init=yes

+else

+  echo "$as_me: failed program was:" >&5

+cat conftest.$ac_ext >&5

+ac_cv_lib_gmp___gmpz_init=no

+fi

+rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext

+LIBS=$ac_check_lib_save_LIBS

+fi

+echo "$as_me:$LINENO: result: $ac_cv_lib_gmp___gmpz_init" >&5

+echo "${ECHO_T}$ac_cv_lib_gmp___gmpz_init" >&6

+if test $ac_cv_lib_gmp___gmpz_init = yes; then

+  LIBCLAMAV_LIBS="$LIBCLAMAV_LIBS -lgmp"; cat >>confdefs.h <<\_ACEOF

+#define HAVE_GMP 1

+_ACEOF

+

+else

+  echo "WARNING: GNU MP 3 or newer NOT FOUND - digital signature support will be disabled !"; want_dsig="no"

+fi

+

+fi

+

 if test "${ac_cv_header_syslog_h+set}" = set; then

   echo "$as_me:$LINENO: checking for syslog.h" >&5

 echo $ECHO_N "checking for syslog.h... $ECHO_C" >&6

@@ -81,6 +81,16 @@ AC_ARG_ENABLE(milter,

 [  --enable-milter	  Build clamav-milter (if milter library found)],

 ,have_milter="no")

+want_dsig="yes"

+AC_ARG_ENABLE(dsig,

+[  --disable-dsig	  Disable digital signature support.],

+want_dsig="no",)

+

+if test "$want_dsig" = "yes"

+then

+    AC_CHECK_LIB(gmp, __gmpz_init, [LIBCLAMAV_LIBS="$LIBCLAMAV_LIBS -lgmp"; AC_DEFINE(HAVE_GMP)], [echo "WARNING: GNU MP 3 or newer NOT FOUND - digital signature support will be disabled !"; want_dsig="no"])

+fi

+

 AC_CHECK_HEADER(syslog.h,AC_DEFINE(CLAMD_USE_SYSLOG),)

 dnl AC_CHECK_LIB(c, strtok_r,, AC_DEFINE(NO_STRTOK_R))

@@ -106,7 +106,10 @@ int cli_versig(const char *md5, const char *dsig)

     mpz_init_set_str(n, cli_nstr, 10);

     mpz_init_set_str(e, cli_estr, 10);

-    pt = cli_decodesig(dsig, 16, e, n);

+

+    if(!(pt = cli_decodesig(dsig, 16, e, n)))

+	return CL_EDSIG;

+

     pt2 = cl_str2hex(pt, 16);

     free(pt);

@@ -179,8 +179,6 @@ int cl_loaddbdir(const char *dirname, struct cl_node **root, int *virnum)

 	char *dbfile;

 	int ret;

-    if(virnum != NULL)

-	*virnum = 0;

     if((dd = opendir(dirname)) == NULL) {

         cli_errmsg("cl_loaddbdir(): Can't open directory %s\n", dirname);

@@ -38,7 +38,7 @@ int main(int argc, char **argv)

 	int ret, opt_index, i, len;

 	struct optstruct *opt;

-	const char *getopt_parameters = "hvVc:s:f:b:i:";

+	const char *getopt_parameters = "hvVc:s:f:b:i:s:";

 	static struct option long_options[] = {

 	    {"help", 0, 0, 'h'},

@@ -53,6 +53,7 @@ int main(int argc, char **argv)

 	    {"string", 1, 0, 's'},

 	    {"file", 1, 0, 'f'},

 	    {"build", 1, 0, 'b'},

+	    {"server", 1, 0, 's'},

 	    {"info", 1, 0, 'i'},

 	    {0, 0, 0, 0}

     	};

@@ -25,6 +25,11 @@

 #include <zlib.h>

 #include <time.h>

 #include <locale.h>

+#include <sys/types.h>

+#include <sys/socket.h>

+#include <sys/un.h>

+#include <netinet/in.h>

+#include <arpa/inet.h>

 #include <clamav.h>

 #include "options.h"

@@ -38,6 +43,8 @@

 #define MAX_LENGTH 200

 void help(void);

+char *getdsig(const char *host, const char *user, const char *data);

+void cvdinfo(struct optstruct *opt);

 int scanfile(const char *cmd, const char *str, const char *file)

 {

@@ -183,6 +190,10 @@ void sigtool(struct optstruct *opt)

 	}

     } else if(optc(opt, 'b')) {

+	if(!optc(opt, 's')) {

+	    mprintf("!--server, -s is required in this mode\n");

+	    exit(10);

+	}

 	build(opt);

@@ -429,7 +440,7 @@ int build(struct optstruct *opt)

 	char buffer[BUFFSIZE], *tarfile = NULL, *gzfile = NULL, header[257],

 	     smbuff[25], *pt;

         struct cl_node *root = NULL;

-	FILE *tar, *cvd;

+	FILE *tar, *cvd, *fd;

 	gzFile *gz;

 	time_t timet;

 	struct tm *brokent;

@@ -534,6 +545,7 @@ int build(struct optstruct *opt)

     strcat(header, smbuff);

     /* number of signatures */

+    //FIXME: THIS IS WRONG

     sprintf(smbuff, "%d:", no);

     strcat(header, smbuff);

@@ -544,15 +556,28 @@ int build(struct optstruct *opt)

     /* MD5 */

     pt = cl_md5file(gzfile);

     strcat(header, pt);

+    free(pt);

     strcat(header, ":");

+    /* builder - question */

+    fflush(stdin);

+    mprintf("Builder id: ");

+    fscanf(stdin, "%s", &smbuff);

+

     /* digital signature */

+    fd = fopen(gzfile, "rb");

+    __md5_stream(fd, &buffer);

+    fclose(fd);

+    if(!(pt = getdsig(getargc(opt, 's'), smbuff, buffer))) {

+	mprintf("No digital signature - no CVD file...\n");

+	exit(1);

+    }

+

+    strcat(header, pt);

+    free(pt);

     strcat(header, ":");

-    /* builder */

-    fflush(stdin);

-    mprintf("Builder name: ");

-    fscanf(stdin, "%s:", &smbuff);

+    /* builder - add */

     strcat(header, smbuff);

     /* fill up with spaces */

@@ -645,6 +670,72 @@ void help(void)

     mprintf("   --file		    -f		infected file\n");

     mprintf("	--info FILE	    -i FILE	print database information\n");

     mprintf("   --build NAME	    -b NAME		Build database\n");

+    mprintf("   --server ADDR	    -s ADDR	    ClamAV Signing Service address\n");

     exit(0);

 }

+

+char *getdsig(const char *host, const char *user, const char *data)

+{

+	char buff[300], cmd[100], *pass, *pt;

+        struct sockaddr_in server;

+	struct cfgstruct *copt, *cpt;

+	int sockd, bread, len;

+

+

+#ifdef PF_INET

+    if((sockd = socket(PF_INET, SOCK_STREAM, 0)) < 0) {

+#else

+    if((sockd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {

+#endif

+	perror("socket()");

+	mprintf("!Can't create the socket.\n");

+	return NULL;

+    }

+

+    server.sin_family = AF_INET;

+    server.sin_addr.s_addr = inet_addr(host);

+    server.sin_port = htons(33101);

+

+    if(connect(sockd, (struct sockaddr *) &server, sizeof(struct sockaddr_in)) < 0) {

+        close(sockd);

+	perror("connect()");

+	mprintf("!Can't connect to ClamAV Signing Service at %s.\n", host);

+	return NULL;

+    }

+

+    memset(cmd, 0, sizeof(cmd));

+    pass = getpass("Password:");

+    sprintf(cmd, "ClamSign:%s:%s:", user, pass);

+    len = strlen(cmd);

+    pt = cmd;

+    pt += len;

+    memcpy(pt, data, 16);

+    len += 16;

+

+    if(write(sockd, cmd, len) < 0) {

+	mprintf("!Can't write to the socket.\n");

+	close(sockd);

+	memset(cmd, 0, len);

+	memset(pass, 0, strlen(pass));

+	return NULL;

+    }

+

+    memset(cmd, 0, len);

+    memset(pass, 0, strlen(pass));

+

+    memset(buff, 0, sizeof(buff));

+    if((bread = read(sockd, buff, sizeof(buff))) > 0)

+	if(!strstr(buff, "Signature:")) {

+	    mprintf("!Signature generation error.\n");

+	    mprintf("ClamAV SDaemon: %s.\n", buff);

+	    close(sockd);

+	    return NULL;

+	} else

+	    mprintf("Signature received (length = %d).\n", strlen(buff) - 10);

+

+    close(sockd);

+    pt = buff;

+    pt += 10;

+    return strdup(pt);

+}