WIP: FIPS-compliant CVD signing and verification

Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.

Add a Rust implementation for parsing, verifying, and unpacking CVD
files.

Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
  `-D CVD_CERTS_DIRECTORY=PATH`

New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
  `--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
  `CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
  `CVDCertsDirectory PATH`

Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.

Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.

libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
  Resolves: #1304
- Add two new API's to the public clamav.h header:
  ```c
  extern cl_error_t cl_cvdverify_ex(const char *file,
                                    const char *certs_directory);

  extern cl_error_t cl_cvdunpack_ex(const char *file,
                                    const char *dir,
                                    bool dont_verify,
                                    const char *certs_directory);
  ```
  The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
  You may set this option with `cl_engine_set_str` and get it
  with `cl_engine_get_str`, to override the compiled in default
  CVD certs directory.

libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).

Adds sigtool sign/verify tests and test certs

Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.

Author: val-ms

CMakeLists.txt

@@ -36,16 +36,16 @@ set(PACKAGE_URL       "https://www.clamav.net/")
 HexVersion(PACKAGE_VERSION_NUM ${PROJECT_VERSION_MAJOR} ${PROJECT_VERSION_MINOR} ${PROJECT_VERSION_PATCH})
 
 # libtool library versioning rules: http://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.html
-set(LIBCLAMAV_CURRENT  12)
-set(LIBCLAMAV_REVISION 3)
-set(LIBCLAMAV_AGE      0)
+set(LIBCLAMAV_CURRENT  13)
+set(LIBCLAMAV_REVISION 0)
+set(LIBCLAMAV_AGE      1)
 
 math(EXPR LIBCLAMAV_SOVERSION "${LIBCLAMAV_CURRENT} - ${LIBCLAMAV_AGE}")
 set(LIBCLAMAV_VERSION "${LIBCLAMAV_SOVERSION}.${LIBCLAMAV_AGE}.${LIBCLAMAV_REVISION}")
 HexVersion(LIBCLAMAV_VERSION_NUM ${LIBCLAMAV_CURRENT} ${LIBCLAMAV_REVISION} ${LIBCLAMAV_AGE})
 
-set(LIBFRESHCLAM_CURRENT  3)
-set(LIBFRESHCLAM_REVISION 2)
+set(LIBFRESHCLAM_CURRENT  4)
+set(LIBFRESHCLAM_REVISION 0)
 set(LIBFRESHCLAM_AGE      0)
 
 math(EXPR LIBFRESHCLAM_SOVERSION "${LIBFRESHCLAM_CURRENT} - ${LIBFRESHCLAM_AGE}")
@@ -925,6 +925,12 @@ if(IS_ABSOLUTE ${DATABASE_DIRECTORY})
 else()
     set(DATADIR "${CMAKE_INSTALL_PREFIX}/${DATABASE_DIRECTORY}")
 endif()
+# Absolute path of ClamAV CA certificates directory
+if(IS_ABSOLUTE ${CVD_CERTS_DIRECTORY})
+    set(CERTSDIR "${CVD_CERTS_DIRECTORY}")
+else()
+    set(CERTSDIR "${CMAKE_INSTALL_PREFIX}/${CVD_CERTS_DIRECTORY}")
+endif()
 # Absolute path of the applications' config directory
 if(IS_ABSOLUTE ${APP_CONFIG_DIRECTORY})
     set(CONFDIR "${APP_CONFIG_DIRECTORY}")

CMakeOptions.cmake

@@ -7,13 +7,19 @@ if(WIN32)
     set(DATABASE_DIRECTORY
         "database" CACHE STRING
         "Database directory.")
+    set(CVD_CERTS_DIRECTORY
+        "certs" CACHE STRING
+        "ClamAV CA certificates directory.")
 else()
     set(APP_CONFIG_DIRECTORY
         "etc" CACHE STRING
         "App Config directory.")
     set(DATABASE_DIRECTORY
         "share/clamav" CACHE STRING
         "Database directory.")
+    set(CVD_CERTS_DIRECTORY
+        "${APP_CONFIG_DIRECTORY}/certs" CACHE STRING
+        "ClamAV CA certificates directory.")
 endif()
 
 set(CLAMAV_USER "clamav" CACHE STRING "ClamAV User")