Sigtool sign/verify tests; Add test certs

Also (re)signed the test CVD's and CDIFF's with the test certs. Fixed some issues that had the unit tests depending on the installed certs rather than the test certs.
Cisco-Talos · Dec 19, 2024 · 019c862 · 019c862
1 parent eb9140f
commit 019c862
Show file tree

Hide file tree

Showing 23 changed files with 462 additions and 103 deletions.
diff --git a/etc/CMakeLists.txt b/etc/CMakeLists.txt
@@ -34,7 +34,7 @@ endif()
 install(DIRECTORY DESTINATION ${CVD_CERTS_DIRECTORY} COMPONENT programs)
 install(
     FILES
-        ${CMAKE_CURRENT_SOURCE_DIR}/certs/ca.crt
+        ${CMAKE_CURRENT_SOURCE_DIR}/certs/clamav.crt
     DESTINATION
         ${CVD_CERTS_DIRECTORY}
     COMPONENT programs)
diff --git a/etc/certs/ca.crt → etc/certs/clamav.crt b/etc/certs/ca.crt → etc/certs/clamav.crt
diff --git a/sigtool/sigtool.c b/sigtool/sigtool.c
@@ -1614,10 +1614,16 @@ static int unpack(const struct optstruct *opts)
         name[sizeof(name) - 1] = '\0';
     }
 
-    if (optget(opts, "cvdcertsdir")->active)
-        certs_directory = optget(opts, "cvdcertsdir")->strarg;
-    else
-        certs_directory = CERTSDIR;
+    certs_directory = optget(opts, "cvdcertsdir")->strarg;
+    if (NULL == certs_directory) {
+        // Check if the CVD_CERTS_DIR environment variable is set
+        certs_directory = getenv("CVD_CERTS_DIR");
+
+        // If not, use the default value
+        if (NULL == certs_directory) {
+            certs_directory = CERTSDIR;
+        }
+    }
 
     if (cl_cvdverify_ex(name, certs_directory) != CL_SUCCESS) {
         mprintf(LOGG_ERROR, "unpack: %s is not a valid CVD\n", name);

diff --git a/unit_tests/CMakeLists.txt b/unit_tests/CMakeLists.txt
@@ -264,7 +264,7 @@ set(ENVIRONMENT
     CK_DEFAULT_TIMEOUT=300
     LD_LIBRARY_PATH=${LD_LIBRARY_PATH}
     DYLD_LIBRARY_PATH=${LD_LIBRARY_PATH}
-    CVD_CERTS_DIR=${CMAKE_SOURCE_DIR}/etc/certs
+    CVD_CERTS_DIR=${CMAKE_SOURCE_DIR}/unit_tests/input/signing/public
     PATH=${NEW_PATH}
     LIBSSL=${LIBSSL}
     LIBCRYPTO=${LIBCRYPTO}

diff --git a/unit_tests/check_clamav.c b/unit_tests/check_clamav.c
@@ -416,13 +416,20 @@ START_TEST(test_cl_load)
     struct cl_engine *engine;
     unsigned int sigs = 0;
     const char *testfile;
+    const char* cvdcertsdir;
 
     ret = cl_init(CL_INIT_DEFAULT);
     ck_assert_msg(ret == CL_SUCCESS, "cl_init failed: %s", cl_strerror(ret));
 
     engine = cl_engine_new();
     ck_assert_msg(engine != NULL, "cl_engine_new failed");
 
+    cvdcertsdir = getenv("CVD_CERTS_DIR");
+    ck_assert_msg(cvdcertsdir != NULL, "CVD_CERTS_DIR not set");
+
+    ret = cl_engine_set_str(engine, CL_ENGINE_CVDCERTSDIR, cvdcertsdir);
+    ck_assert_msg(ret == CL_SUCCESS, "cl_engine_set_str failed: %s", cl_strerror(ret));
+
     /* load test cvd */
     testfile = SRCDIR PATHSEP "input" PATHSEP "freshclam_testfiles" PATHSEP "test-5.cvd";
     ret      = cl_load(testfile, engine, &sigs, CL_DB_STDOPT);
@@ -442,26 +449,30 @@ START_TEST(test_cl_cvdverify)
     FILE *orig_fs;
     FILE *new_fs;
     char cvd_bytes[5000];
+    const char* cvdcertsdir;
+
+    cvdcertsdir = getenv("CVD_CERTS_DIR");
+    ck_assert_msg(cvdcertsdir != NULL, "CVD_CERTS_DIR not set");
 
     // Should be able to verify this cvd
     testfile = SRCDIR "/input/freshclam_testfiles/test-1.cvd";
-    ret      = cl_cvdverify(testfile);
-    ck_assert_msg(CL_SUCCESS == ret, "cl_cvdverify failed for: %s -- %s", testfile, cl_strerror(ret));
+    ret      = cl_cvdverify_ex(testfile, cvdcertsdir);
+    ck_assert_msg(CL_SUCCESS == ret, "cl_cvdverify_ex failed for: %s -- %s", testfile, cl_strerror(ret));
 
     // Can't verify a cvd that doesn't exist
     testfile = SRCDIR "/input/freshclam_testfiles/test-na.cvd";
-    ret      = cl_cvdverify(testfile);
-    ck_assert_msg(CL_ECVD == ret, "cl_cvdverify should have failed for: %s -- %s", testfile, cl_strerror(ret));
+    ret      = cl_cvdverify_ex(testfile, cvdcertsdir);
+    ck_assert_msg(CL_ECVD == ret, "cl_cvdverify_ex should have failed for: %s -- %s", testfile, cl_strerror(ret));
 
-    // A cdiff is not a cvd. Cannot verify with cl_cvdverify!
+    // A cdiff is not a cvd. Cannot verify with cl_cvdverify_ex!
     testfile = SRCDIR "/input/freshclam_testfiles/test-2.cdiff";
-    ret      = cl_cvdverify(testfile);
-    ck_assert_msg(CL_ECVD == ret, "cl_cvdverify should have failed for: %s -- %s", testfile, cl_strerror(ret));
+    ret      = cl_cvdverify_ex(testfile, cvdcertsdir);
+    ck_assert_msg(CL_ECVD == ret, "cl_cvdverify_ex should have failed for: %s -- %s", testfile, cl_strerror(ret));
 
     // Can't verify an hdb file
     testfile = SRCDIR "/input/clamav.hdb";
-    ret      = cl_cvdverify(testfile);
-    ck_assert_msg(CL_ECVD == ret, "cl_cvdverify should have failed for: %s -- %s", testfile, cl_strerror(ret));
+    ret      = cl_cvdverify_ex(testfile, cvdcertsdir);
+    ck_assert_msg(CL_ECVD == ret, "cl_cvdverify_ex should have failed for: %s -- %s", testfile, cl_strerror(ret));
 
     // Modify the cvd to make it invalid
     sprintf(newtestfile, "%s/modified.cvd", tmpdir);

diff --git a/unit_tests/clamscan/fp_check_test.py b/unit_tests/clamscan/fp_check_test.py
@@ -62,20 +62,20 @@ def setUpClass(cls):
 
         # Generate hash of the zipped file.
         # Since we generated the zip in python, we don't know the hash in advance.
-        hash_md5 = hashlib.md5()
+        hash_sha256 = hashlib.sha256()
         with TC.test_file_zipped.open("rb") as f:
             for chunk in iter(lambda: f.read(4096), b""):
-                hash_md5.update(chunk)
-        hash_md5 = hash_md5.hexdigest()
+                hash_sha256.update(chunk)
+        hash_sha256 = hash_sha256.hexdigest()
 
         TC.test_file_zipped_hash_fp = TC.path_tmp / 'test_file.zip.hash.fp'
         TC.test_file_zipped_hash_fp.write_text('{hash}:{size}:test_file.zip'.format(
-            hash=hash_md5,
+            hash=hash_sha256,
             size=TC.test_file_zipped.stat().st_size))
 
         TC.test_file_zipped_hash_wild_fp = TC.path_tmp / 'test_file.zip.hash.wild.fp'
         TC.test_file_zipped_hash_wild_fp.write_text('{hash}:*:test_file.zip.wild:73'.format(
-            hash=hash_md5))
+            hash=hash_sha256))
 
     @classmethod
     def tearDownClass(cls):

diff --git a/unit_tests/input/CMakeLists.txt b/unit_tests/input/CMakeLists.txt
@@ -6,80 +6,86 @@
 # - daily.cvd
 # - another antivirus (E.g. heuristic detection of broken or packed PE files)
 #
-set(TESTFILES
-    clam.cab
-    clam.exe
-    clam.zip
-    clam.arj
-    clam.exe.rtf
-    clam.exe.szdd
-    clam.tar.gz
-    clam.chm
-    clam.sis
-    clam-aspack.exe
-    clam-pespin.exe
-    clam-upx.exe
-    clam-fsg.exe
-    clam-mew.exe
-    clam-nsis.exe
-    clam-petite.exe
-    clam-upack.exe
-    clam-wwpack.exe
-    clam.pdf
-    clam.mail
-    clam.ppt
-    clam.tnef
-    clam.ea05.exe
-    clam.ea06.exe
-    clam.d64.zip
-    clam.exe.mbox.base64
-    clam.exe.mbox.uu
-    clam.exe.binhex
-    clam.ole.doc
-    clam.impl.zip
-    clam.exe.html
-    clam.bin-be.cpio
-    clam.bin-le.cpio
-    clam.newc.cpio
-    clam.odc.cpio
-    clam-yc.exe
-    clam_IScab_int.exe
-    clam_IScab_ext.exe
-    clam_ISmsi_int.exe
-    clam_ISmsi_ext.exe
-    clam.7z
-    clam_cache_emax.tgz
-    clam.iso
-    clamjol.iso
-    clam.exe.bz2
-    clam.bz2.zip
-    clam.exe_and_mail.tar.gz
-    clam.exe.2007.one
-    clam.exe.2010.one
-    clam.exe.webapp-export.one
+set(ENCRYPTED_TESTFILES
+    clamav_hdb_scanfiles/clam.cab
+    clamav_hdb_scanfiles/clam.exe
+    clamav_hdb_scanfiles/clam.zip
+    clamav_hdb_scanfiles/clam.arj
+    clamav_hdb_scanfiles/clam.exe.rtf
+    clamav_hdb_scanfiles/clam.exe.szdd
+    clamav_hdb_scanfiles/clam.tar.gz
+    clamav_hdb_scanfiles/clam.chm
+    clamav_hdb_scanfiles/clam.sis
+    clamav_hdb_scanfiles/clam-aspack.exe
+    clamav_hdb_scanfiles/clam-pespin.exe
+    clamav_hdb_scanfiles/clam-upx.exe
+    clamav_hdb_scanfiles/clam-fsg.exe
+    clamav_hdb_scanfiles/clam-mew.exe
+    clamav_hdb_scanfiles/clam-nsis.exe
+    clamav_hdb_scanfiles/clam-petite.exe
+    clamav_hdb_scanfiles/clam-upack.exe
+    clamav_hdb_scanfiles/clam-wwpack.exe
+    clamav_hdb_scanfiles/clam.pdf
+    clamav_hdb_scanfiles/clam.mail
+    clamav_hdb_scanfiles/clam.ppt
+    clamav_hdb_scanfiles/clam.tnef
+    clamav_hdb_scanfiles/clam.ea05.exe
+    clamav_hdb_scanfiles/clam.ea06.exe
+    clamav_hdb_scanfiles/clam.d64.zip
+    clamav_hdb_scanfiles/clam.exe.mbox.base64
+    clamav_hdb_scanfiles/clam.exe.mbox.uu
+    clamav_hdb_scanfiles/clam.exe.binhex
+    clamav_hdb_scanfiles/clam.ole.doc
+    clamav_hdb_scanfiles/clam.impl.zip
+    clamav_hdb_scanfiles/clam.exe.html
+    clamav_hdb_scanfiles/clam.bin-be.cpio
+    clamav_hdb_scanfiles/clam.bin-le.cpio
+    clamav_hdb_scanfiles/clam.newc.cpio
+    clamav_hdb_scanfiles/clam.odc.cpio
+    clamav_hdb_scanfiles/clam-yc.exe
+    clamav_hdb_scanfiles/clam_IScab_int.exe
+    clamav_hdb_scanfiles/clam_IScab_ext.exe
+    clamav_hdb_scanfiles/clam_ISmsi_int.exe
+    clamav_hdb_scanfiles/clam_ISmsi_ext.exe
+    clamav_hdb_scanfiles/clam.7z
+    clamav_hdb_scanfiles/clam_cache_emax.tgz
+    clamav_hdb_scanfiles/clam.iso
+    clamav_hdb_scanfiles/clamjol.iso
+    clamav_hdb_scanfiles/clam.exe.bz2
+    clamav_hdb_scanfiles/clam.bz2.zip
+    clamav_hdb_scanfiles/clam.exe_and_mail.tar.gz
+    clamav_hdb_scanfiles/clam.exe.2007.one
+    clamav_hdb_scanfiles/clam.exe.2010.one
+    clamav_hdb_scanfiles/clam.exe.webapp-export.one
+    signing/private/test-signing.key
 )
 
 if(ENABLE_UNRAR)
-    set(TESTFILES ${TESTFILES}
-        clam-v2.rar clam-v3.rar
+    set(ENCRYPTED_TESTFILES ${ENCRYPTED_TESTFILES}
+        clamav_hdb_scanfiles/clam-v2.rar
+        clamav_hdb_scanfiles/clam-v3.rar
     )
 endif()
 
-add_custom_target(tgt_clamav_hdb_scanfiles ALL
-    COMMAND ${CMAKE_COMMAND} -E make_directory ${CMAKE_CURRENT_BINARY_DIR}/clamav_hdb_scanfiles)
+add_custom_target(tgt_build_unit_tests_directories ALL
+    COMMAND ${CMAKE_COMMAND} -E make_directory ${CMAKE_CURRENT_BINARY_DIR}/clamav_hdb_scanfiles
+    COMMAND ${CMAKE_COMMAND} -E make_directory ${CMAKE_CURRENT_BINARY_DIR}/signing/private
+)
 
 # Decrypt test file
 function(decrypt_testfile test_file)
-    add_custom_command(OUTPUT clamav_hdb_scanfiles/${test_file}
+    add_custom_command(OUTPUT ${test_file}
         COMMAND ${Python3_EXECUTABLE}
             ${CMAKE_CURRENT_SOURCE_DIR}/xor_testfile.py
-                --in_file ${CMAKE_CURRENT_SOURCE_DIR}/clamav_hdb_scanfiles/${test_file}.xor
-                --out_file ${CMAKE_CURRENT_BINARY_DIR}/clamav_hdb_scanfiles/${test_file}
+                --in_file ${CMAKE_CURRENT_SOURCE_DIR}/${test_file}.xor
+                --out_file ${CMAKE_CURRENT_BINARY_DIR}/${test_file}
         COMMENT "Decrypting test file ${test_file}...")
-    add_custom_target(tgt_${test_file} ALL DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/clamav_hdb_scanfiles/${test_file})
-    ADD_DEPENDENCIES(tgt_${test_file} tgt_clamav_hdb_scanfiles)
+    # Replace / with _ in test_file to make it a valid target name
+    string(REPLACE "/" "_" test_file_tgt ${test_file})
+    add_custom_target(tgt_${test_file_tgt} ALL DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${test_file})
+    ADD_DEPENDENCIES(tgt_${test_file_tgt} tgt_build_unit_tests_directories)
 endfunction()
 
-foreach(TESTFILE ${TESTFILES})
+foreach(TESTFILE ${ENCRYPTED_TESTFILES})
     decrypt_testfile(${TESTFILE})
 endforeach()