Fix OpenSSL 1 compatibility issue, plus minor improvements

For OpenSSL 1, `EVP_get_digestbyname()` will fail with "sha2-*" algorithm names.
Must use "sha256", etc.

I made a shim that does the conversion, and I made an improvement to ignore case
when converting alg names to our hash type enumeration.

Other fixes for a few warnings.

Author: val-ms

examples/ex_scan_callbacks.c

@@ -364,23 +364,19 @@ script_context_t *read_script_commands(const char *script_filepath)
     long script_size = ftell(script_file);
     if (script_size < 0) {
         printf("Error reading script file %s\n", script_filepath);
-        fclose(script_file);
         goto done;
     }
 
     fseek(script_file, 0, SEEK_SET);
     script_contents = calloc(script_size + 1, sizeof(char));
     if (!script_contents) {
         printf("Memory allocation failed for script contents\n");
-        fclose(script_file);
         goto done;
     }
 
     size_t bytes_read = fread(script_contents, 1, script_size, script_file);
     if (bytes_read != (size_t)script_size) {
         printf("Error reading script file %s\n", script_filepath);
-        free(script_contents);
-        fclose(script_file);
         status = 2;
         goto done;
     }
@@ -445,8 +441,6 @@ script_context_t *read_script_commands(const char *script_filepath)
 /**
  * @brief Check if the data matches the given hash.
  *
- * Note: Not bothering with md5 because clamav.h API does not provide it. 🤯
- *
  * @param data The data to check.
  * @param len The length of the data.
  * @param hash_type The type of hash (e.g., "md5", "sha1", "sha256").

libclamav/asn1.c

@@ -526,7 +526,7 @@ static int asn1_getnum(const char *s)
     return (s[0] - '0') * 10 + (s[1] - '0');
 }
 
-static int asn1_get_time(fmap_t *map, const void **asn1data, unsigned int *size, time_t *tm)
+static int asn1_get_time(fmap_t *map, const void **asn1data, unsigned int *size, int64_t *tm)
 {
     struct cli_asn1 obj;
     int ret = asn1_get_obj(map, *asn1data, size, &obj);
@@ -1134,7 +1134,7 @@ static int asn1_get_x509(fmap_t *map, const void **asn1data, unsigned int *size,
     return ret;
 }
 
-static int asn1_parse_countersignature(fmap_t *map, const void **asn1data, unsigned int *size, crtmgr *cmgr, const uint8_t *message, const unsigned int message_size, time_t not_before, time_t not_after)
+static int asn1_parse_countersignature(fmap_t *map, const void **asn1data, unsigned int *size, crtmgr *cmgr, const uint8_t *message, const unsigned int message_size, int64_t not_before, int64_t not_after)
 {
 
     struct cli_asn1 asn1, deep, deeper;
@@ -1311,7 +1311,7 @@ static int asn1_parse_countersignature(fmap_t *map, const void **asn1data, unsig
                     break;
                 case 2: /* signingTime */
                 {
-                    time_t sigdate; /* FIXME shall i use it?! */
+                    int64_t sigdate; /* FIXME shall i use it?! */
                     if (asn1_get_time(map, &deeper.content, &deep.size, &sigdate)) {
                         cli_dbgmsg("asn1_parse_countersignature: an error occurred when getting the time\n");
                         deep.size = 1;

libclamav/crypto.c

@@ -194,7 +194,12 @@ extern cl_error_t cl_hash_data_ex(
     cl_error_t status = CL_ERROR;
 
     EVP_MD_CTX *ctx = NULL;
-    EVP_MD *md      = NULL;
+
+#if OPENSSL_VERSION_MAJOR >= 3
+    EVP_MD *md = NULL;
+#else
+    const EVP_MD *md = NULL;
+#endif
 
     size_t required_hash_len;
     uint8_t *new_hash = NULL;
@@ -212,13 +217,13 @@ extern cl_error_t cl_hash_data_ex(
 #if OPENSSL_VERSION_MAJOR >= 3
     if (flags & CL_HASH_FLAG_FIPS_BYPASS) {
         /* Bypass FIPS restrictions the OpenSSL 3.0 way */
-        md = EVP_MD_fetch(NULL, alg, "-fips");
+        md = EVP_MD_fetch(NULL, to_openssl_alg(alg), "-fips");
     } else {
         /* Use FIPS compliant algorithms */
-        md = EVP_MD_fetch(NULL, alg, NULL);
+        md = EVP_MD_fetch(NULL, to_openssl_alg(alg), NULL);
     }
 #else
-    md = EVP_get_digestbyname(alg);
+    md = EVP_get_digestbyname(to_openssl_alg(alg));
 #endif
     if (NULL == md) {
         cli_errmsg("cl_hash_data_ex: Unsupported hash algorithm: %s\n", alg);
@@ -332,10 +337,14 @@ extern cl_error_t cl_hash_init_ex(
     uint32_t flags,
     cl_hash_ctx_t **ctx_out)
 {
-
     cl_error_t status = CL_ERROR;
     EVP_MD_CTX *ctx   = NULL;
-    EVP_MD *md        = NULL;
+
+#if OPENSSL_VERSION_MAJOR >= 3
+    EVP_MD *md = NULL;
+#else
+    const EVP_MD *md = NULL;
+#endif
 
     if (NULL == alg || NULL == ctx_out) {
         cli_errmsg("cl_hash_init_ex: Invalid arguments\n");
@@ -346,13 +355,13 @@ extern cl_error_t cl_hash_init_ex(
 #if OPENSSL_VERSION_MAJOR >= 3
     if (flags & CL_HASH_FLAG_FIPS_BYPASS) {
         /* Bypass FIPS restrictions the OpenSSL 3.0 way */
-        md = EVP_MD_fetch(NULL, alg, "-fips");
+        md = EVP_MD_fetch(NULL, to_openssl_alg(alg), "-fips");
     } else {
         /* Use FIPS compliant algorithms */
-        md = EVP_MD_fetch(NULL, alg, NULL);
+        md = EVP_MD_fetch(NULL, to_openssl_alg(alg), NULL);
     }
 #else
-    md = EVP_get_digestbyname(alg);
+    md = EVP_get_digestbyname(to_openssl_alg(alg));
 #endif
     if (NULL == md) {
         cli_errmsg("cl_hash_data_ex: Unsupported hash algorithm: %s\n", alg);
@@ -551,7 +560,12 @@ extern cl_error_t cl_hash_file_fd_ex(
     STATBUF sb;
 
     EVP_MD_CTX *ctx = NULL;
-    EVP_MD *md      = NULL;
+
+#if OPENSSL_VERSION_MAJOR >= 3
+    EVP_MD *md = NULL;
+#else
+    const EVP_MD *md = NULL;
+#endif
 
     size_t required_hash_len;
     uint8_t *new_hash = NULL;
@@ -596,13 +610,13 @@ extern cl_error_t cl_hash_file_fd_ex(
 #if OPENSSL_VERSION_MAJOR >= 3
     if (flags & CL_HASH_FLAG_FIPS_BYPASS) {
         /* Bypass FIPS restrictions the OpenSSL 3.0 way */
-        md = EVP_MD_fetch(NULL, alg, "-fips");
+        md = EVP_MD_fetch(NULL, to_openssl_alg(alg), "-fips");
     } else {
         /* Use FIPS compliant algorithms */
-        md = EVP_MD_fetch(NULL, alg, NULL);
+        md = EVP_MD_fetch(NULL, to_openssl_alg(alg), NULL);
     }
 #else
-    md = EVP_get_digestbyname(alg);
+    md = EVP_get_digestbyname(to_openssl_alg(alg));
 #endif
     if (NULL == md) {
         cli_errmsg("cl_hash_data_ex: Unsupported hash algorithm: %s\n", alg);
@@ -723,16 +737,22 @@ unsigned char *cl_hash_data(const char *alg, const void *buf, size_t len, unsign
     EVP_MD_CTX *ctx;
     unsigned char *ret;
     size_t mdsz;
-    EVP_MD *md;
+
+#if OPENSSL_VERSION_MAJOR >= 3
+    EVP_MD *md = NULL;
+#else
+    const EVP_MD *md = NULL;
+#endif
+
     unsigned int i;
     size_t cur;
     bool win_exception = false;
 
 #if OPENSSL_VERSION_MAJOR >= 3
     /* Bypass FIPS restrictions the OpenSSL 3.0 way */
-    md = EVP_MD_fetch(NULL, alg, "-fips");
+    md = EVP_MD_fetch(NULL, to_openssl_alg(alg), "-fips");
 #else
-    md = EVP_get_digestbyname(alg);
+    md = EVP_get_digestbyname(to_openssl_alg(alg));
 #endif
     if (!(md))
         return NULL;
@@ -844,14 +864,20 @@ unsigned char *cl_hash_data(const char *alg, const void *buf, size_t len, unsign
 unsigned char *cl_hash_file_fd(int fd, const char *alg, unsigned int *olen)
 {
     EVP_MD_CTX *ctx;
-    EVP_MD *md;
+
+#if OPENSSL_VERSION_MAJOR >= 3
+    EVP_MD *md = NULL;
+#else
+    const EVP_MD *md = NULL;
+#endif
+
     unsigned char *res;
 
 #if OPENSSL_VERSION_MAJOR >= 3
     /* Bypass FIPS restrictions the OpenSSL 3.0 way */
-    md = EVP_MD_fetch(NULL, alg, "-fips");
+    md = EVP_MD_fetch(NULL, to_openssl_alg(alg), "-fips");
 #else
-    md = EVP_get_digestbyname(alg);
+    md = EVP_get_digestbyname(to_openssl_alg(alg));
 #endif
     if (!(md))
         return NULL;
@@ -996,7 +1022,7 @@ int cl_verify_signature_hash(EVP_PKEY *pkey, const char *alg, unsigned char *sig
     const EVP_MD *md;
     size_t mdsz;
 
-    md = EVP_get_digestbyname(alg);
+    md = EVP_get_digestbyname(to_openssl_alg(alg));
     if (!(md))
         return -1;
 
@@ -1036,7 +1062,7 @@ int cl_verify_signature_fd(EVP_PKEY *pkey, const char *alg, unsigned char *sig,
     if (!(digest))
         return -1;
 
-    md = EVP_get_digestbyname(alg);
+    md = EVP_get_digestbyname(to_openssl_alg(alg));
     if (!(md)) {
         free(digest);
         return -1;
@@ -1100,7 +1126,7 @@ int cl_verify_signature(EVP_PKEY *pkey, const char *alg, unsigned char *sig, uns
         return -1;
     }
 
-    md = EVP_get_digestbyname(alg);
+    md = EVP_get_digestbyname(to_openssl_alg(alg));
     if (!(md)) {
         free(digest);
         if (decode)
@@ -1314,7 +1340,7 @@ unsigned char *cl_sign_data(EVP_PKEY *pkey, const char *alg, unsigned char *hash
     unsigned int siglen;
     unsigned char *sig;
 
-    md = EVP_get_digestbyname(alg);
+    md = EVP_get_digestbyname(to_openssl_alg(alg));
     if (!(md))
         return NULL;
 
@@ -1730,13 +1756,18 @@ X509_CRL *cl_load_crl(const char *file)
 void *cl_hash_init(const char *alg)
 {
     EVP_MD_CTX *ctx;
-    EVP_MD *md;
+
+#if OPENSSL_VERSION_MAJOR >= 3
+    EVP_MD *md = NULL;
+#else
+    const EVP_MD *md = NULL;
+#endif
 
 #if OPENSSL_VERSION_MAJOR >= 3
     /* Bypass FIPS restrictions the OpenSSL 3.0 way */
-    md = EVP_MD_fetch(NULL, alg, "-fips");
+    md = EVP_MD_fetch(NULL, to_openssl_alg(alg), "-fips");
 #else
-    md = EVP_get_digestbyname(alg);
+    md = EVP_get_digestbyname(to_openssl_alg(alg));
 #endif
     if (!(md))
         return NULL;

libclamav/filetypes.c

@@ -327,7 +327,7 @@ const struct ooxml_ftcodes {
         }                                                                       \
     } while (0)
 
-cli_file_t cli_determine_fmap_type(cli_ctx *ctx, cli_file_t basetype)
+cli_file_t cli_determine_fmap_type(cli_ctx_t ctx_t, cli_file_t basetype)
 {
     unsigned char buffer[MAGIC_BUFFER_SIZE];
     const unsigned char *buff;
@@ -337,6 +337,7 @@ cli_file_t cli_determine_fmap_type(cli_ctx *ctx, cli_file_t basetype)
     cli_file_t ret = CL_TYPE_BINARY_DATA;
     struct cli_matcher *root;
     struct cli_ac_data mdata;
+    cli_ctx *ctx = (cli_ctx *)ctx_t;
 
     if (!ctx || !ctx->engine || !ctx->fmap) {
         cli_errmsg("cli_determine_fmap_type: engine == NULL\n");

libclamav/filetypes.h

@@ -25,8 +25,7 @@
 #include <sys/types.h>
 
 #include "clamav.h"
-
-typedef struct cli_ctx_tag cli_ctx;
+#include "other_types.h"
 
 #define CL_FILE_MBUFF_SIZE 1024
 #define CL_PART_MBUFF_SIZE 1028
@@ -176,7 +175,7 @@ const char *cli_ftname(cli_file_t code);
 void cli_ftfree(const struct cl_engine *engine);
 cli_file_t cli_compare_ftm_file(const unsigned char *buf, size_t buflen, const struct cl_engine *engine);
 cli_file_t cli_compare_ftm_partition(const unsigned char *buf, size_t buflen, const struct cl_engine *engine);
-cli_file_t cli_determine_fmap_type(cli_ctx *ctx, cli_file_t basetype);
+cli_file_t cli_determine_fmap_type(cli_ctx_t ctx, cli_file_t basetype);
 int cli_addtypesigs(struct cl_engine *engine);
 
 #endif

libclamav/hfsplus.c

@@ -360,7 +360,7 @@ static cl_error_t hfsplus_scanfile(cli_ctx *ctx, hfsPlusVolumeHeader *volHeader,
     ext = 0;
     /* Dump file, extent by extent */
     do {
-        uint32_t currBlock, endBlock, outputSize = 0;
+        uint32_t currBlock, endBlock;
         if (targetSize == 0) {
             cli_dbgmsg("hfsplus_scanfile: output complete\n");
             break;
@@ -423,7 +423,6 @@ static cl_error_t hfsplus_scanfile(cli_ctx *ctx, hfsPlusVolumeHeader *volHeader,
             }
 
             targetSize -= to_write;
-            outputSize += to_write;
             currBlock++;
 
             if (targetSize == 0) {

libclamav/matcher-hash-types.h

@@ -35,13 +35,22 @@ typedef enum cli_hash_type {
 /**
  * @brief Get the name of the hash type as a string.
  *
- * Note: using the name OpenSSL uses for the hash type.
- *
  * @param type The hash type.
  * @return char* The name of the hash type.
  */
 const char* cli_hash_name(cli_hash_type_t type);
 
+/**
+ * @brief Get OpenSSL's name of the hash type as a string.
+ *
+ * Needed because older versions of OpenSSL aren't familiar with "sha2-256",
+ * "sha2-384", and "sha2-512".
+ *
+ * @param alg The name of the hash algorithm.
+ * @return char* The OpenSSL name of the hash algorithm.
+ */
+const char *to_openssl_alg(const char *alg);
+
 /**
  * @brief Get the size of the hash type.
  *