Add Libsodium sodium support for sha256 filehashes

.gitignore

@@ -5,6 +5,7 @@
 .DS_Store
 *.dll
 *.exe
+*.core
 
 # Auto generated build files
 src/LOCATION

.travis.yml

@@ -48,7 +48,10 @@ before_script:
 - if [[ "${PRELUDE}" == "yes" ]]; then ( sudo apt-get install libprelude-dev ); fi
 - if [[ "${ZEROMQ}" == "yes" ]]; then ( sudo apt-get install libzmq3-dev libtool autoconf libczmq-dev ); fi
 - if [[ "${OSSEC_TYPE}" == "winagent" ]]; then ( sudo apt-get install aptitude && sudo aptitude -y install mingw-w64 nsis ); fi
-- if [[ "${OSSEC_TYPE}" == "server" ]]; then ( sudo apt-get install libsqlite3-dev sqlite3 ); fi
+- if [[ "${USE_SQLITE}" == "yes" ]]; then ( sudo apt-get install libsqlite3-dev sqlite3 ); fi
+- if [[ "${USE_LIBSODIUM}" == "yes" ]]; then ( sudo add-apt-repository -y ppa:chris-lea/libsodium && sudo apt-get update
+  && sudo apt-get install libsodium-dev libsodium13
+  ); fi
 - if [[ "${OSSEC_TYPE}" == "test" ]]; then ( sudo apt-get update && sudo apt-get install check valgrind ); fi
 
 

src/Makefile

@@ -29,6 +29,8 @@ USE_PRELUDE?=no
 USE_ZEROMQ?=no
 USE_GEOIP?=no
 USE_INOTIFY=no
+USE_SQLITE?=no
+USE_LIBSODIUM?=no
 USE_PCRE2_JIT=yes
 
 ifneq (${TARGET},winagent)
@@ -143,6 +145,8 @@ OSSEC_CFLAGS=${CFLAGS}
 
 ifdef DEBUG
 	OSSEC_CFLAGS+=-g
+else
+	OSSEC_CFLAGS+=-O2
 endif #DEBUG
 
 ifneq (,$(filter ${CLEANFULL},yes y Y 1))
@@ -239,6 +243,11 @@ ifneq (,$(filter ${USE_GEOIP},auto yes y Y 1))
 	OSSEC_LDFLAGS+=-lGeoIP
 endif # USE_GEOIP
 
+ifneq (,$(filter ${USE_LIBSODIUM},auto yes y Y 1))
+	DEFINES+=-DLIBSODIUM_ENABLED
+	OSSEC_LDFLAGS+=-lsodium
+endif # USE_LIBSODIUM
+
 ifneq (,$(filter ${USE_SQLITE},auto yes y Y 1))
 	DEFINES+=-DSQLITE_ENABLED
 	ANALYSISD_FLAGS="-lsqlite3"
@@ -601,6 +610,7 @@ settings:
 	@echo "    USE_PRELUDE:      ${USE_PRELUDE}"
 	@echo "    USE_OPENSSL:      ${USE_OPENSSL}"
 	@echo "    USE_INOTIFY:      ${USE_INOTIFY}"
+	@echo "    USE_LIBSODIUM:    ${USE_LIBSODIUM}"
 	@echo "    USE_SQLITE:       ${USE_SQLITE}"
 	@echo "    USE_PCRE2_JIT:    ${USE_PCRE2_JIT}"
 	@echo "Mysql settings:"
@@ -1103,7 +1113,7 @@ syscheck_o := $(syscheck_c:.c=.o)
 syscheckd/%.o: syscheckd/%.c
 	${OSSEC_CC} ${OSSEC_CFLAGS} -DARGV0=\"ossec-syscheckd\" -c $^ -o $@
 
-ossec-syscheckd: ${syscheck_o} rootcheck.a ${ossec_libs} ${ZLIB_LIB}
+ossec-syscheckd: ${syscheck_o} rootcheck.a os_crypto.a ${ossec_libs} ${ZLIB_LIB}
 	${OSSEC_CCBIN} ${OSSEC_CFLAGS} ${ZLIB_INCLUDE} $^ ${OSSEC_LDFLAGS} -o $@
 
 #### Monitor #######

src/analysisd/decoders/syscheck.c

@@ -27,8 +27,13 @@ typedef struct __sdb {
     char perm[OS_FLSIZE + 1];
     char owner[OS_FLSIZE + 1];
     char gowner[OS_FLSIZE + 1];
+#ifdef LIBSODIUM_ENABLED
+    char md5[(OS_FLSIZE * 2) + 1];
+    char sha1[(OS_FLSIZE * 2) + 1];
+#else   //LIBSODIUM_ENABLED
     char md5[OS_FLSIZE + 1];
     char sha1[OS_FLSIZE + 1];
+#endif
 
     char agent_cp[MAX_AGENTS + 1][1];
     char *agent_ips[MAX_AGENTS + 1];
@@ -536,9 +541,26 @@ static int DB_Search(const char *f_name, const char *c_sum, Eventinfo *lf)
             if (!newmd5 || !oldmd5 || strcmp(newmd5, oldmd5) == 0) {
                 sdb.md5[0] = '\0';
             } else {
+#ifdef LIBSODIUM_ENABLED
+                char *hash_type;
+                if (strncmp(newmd5, "GENERIC", 7) == 0) {
+                    hash_type = "blake2b";
+                } else if (strncmp(newmd5, "SHA256", 6) == 0) {
+                    hash_type = "sha256";
+                } else if (strncmp(newmd5, "MD5", 3) == 0) {
+                    hash_type = "md5";
+                } else if (strncmp(newmd5, "SHA1", 4) == 0) {
+                    hash_type = "sha1";
+                } else {
+                    hash_type = "unknown";
+                }
+                snprintf(sdb.md5, OS_FLSIZE * 2, "Old %s was: '%s'\n"
+                        "New %s is: '%s'\n", hash_type, oldmd5, hash_type, newmd5);
+#else   //LIBSODIUM_ENABLED
                 snprintf(sdb.md5, OS_FLSIZE, "Old md5sum was: '%s'\n"
-                         "New md5sum is : '%s'\n",
+                         "New md5sum is: '%s'\n",
                          oldmd5, newmd5);
+#endif  //LIBSODIUM_ENABLED
                 os_strdup(oldmd5, lf->md5_before);
                 os_strdup(newmd5, lf->md5_after);
             }
@@ -547,9 +569,22 @@ static int DB_Search(const char *f_name, const char *c_sum, Eventinfo *lf)
             if (!newsha1 || !oldsha1 || strcmp(newsha1, oldsha1) == 0) {
                 sdb.sha1[0] = '\0';
             } else {
+#ifdef LIBSODIUM_ENABLED
+                char *hash_type;
+                if(strncmp(newsha1, "GENERIC", 7) == 0) {
+                    hash_type = "blake2b";
+                } else if(strncmp(newsha1, "SHA256", 6) == 0) {
+                    hash_type = "sha256";
+                } else {
+                    hash_type = "unknown";
+                }
+                snprintf(sdb.sha1, OS_FLSIZE * 2, "Old %s was: '%s'\n"
+                         "New %s is : '%s'\n", hash_type, oldsha1, hash_type, newsha1);
+#else   //LIBSODIUM_ENABLED
                 snprintf(sdb.sha1, OS_FLSIZE, "Old sha1sum was: '%s'\n"
                          "New sha1sum is : '%s'\n",
                          oldsha1, newsha1);
+#endif  //LIBSODIUM_ENABLED
                 os_strdup(oldsha1, lf->sha1_before);
                 os_strdup(newsha1, lf->sha1_after);
             }
@@ -695,25 +730,30 @@ int DecodeSyscheck(Eventinfo *lf)
     if (Config.md5_allowlist)  {
         extern sqlite3 *conn;
         if ((p = extract_token(c_sum, ":", 4))) {
-            if (!validate_md5(p)) { /* Never trust input from other origin */
-                merror("%s: Not a valid MD5 hash: '%s'", ARGV0, p);
-                return(0);
-            }
-            debug1("%s: Checking MD5 '%s' in %s", ARGV0, p, Config.md5_allowlist);
-            sprintf(stmt, "select md5sum from files where md5sum = \"%s\"", p);
-            error = sqlite3_prepare_v2(conn, stmt, 1000, &res, &tail);
-            if (error == SQLITE_OK) {
-                while (sqlite3_step(res) == SQLITE_ROW) {
-                    rec_count++;
-                }
-                if (rec_count) {    
-                    sqlite3_finalize(res);
-                    //sqlite3_close(conn);
-                    merror(MD5_NOT_CHECKED, ARGV0, p);
+            if((strncmp(p, "xxx", 3)) != 0) {
+                if (!validate_md5(p)) { /* Never trust input from other origin */
+                    merror("%s: Not a valid MD5 hash: '%s'", ARGV0, p);
                     return(0);
                 }
+                debug1("%s: Checking MD5 '%s' in %s", ARGV0, p, Config.md5_allowlist);
+                if((snprintf(stmt, OS_MAXSTR, "select md5sum from files where md5sum = \"%s\"", p)) < 0) {
+                    merror("ERROR: snprintf failed for md5sum: %s", p);
+                }
+                stmt[OS_MAXSTR] = '\0';
+                error = sqlite3_prepare_v2(conn, stmt, 1000, &res, &tail);
+                if (error == SQLITE_OK) {
+                    while (sqlite3_step(res) == SQLITE_ROW) {
+                        rec_count++;
+                    }
+                    if (rec_count) {
+                        sqlite3_finalize(res);
+                        //sqlite3_close(conn);
+                        merror(MD5_NOT_CHECKED, ARGV0, p);
+                        return(0);
+                    }
+                }
+                sqlite3_finalize(res);
             }
-            sqlite3_finalize(res);
         }
     }
 #endif

src/analysisd/rules.c

@@ -199,6 +199,7 @@ int Rules_OP_ReadRules(const char *rulefile)
                 merror("rules_op: Invalid root element \"%s\"."
                        "Only \"group\" is allowed", node[i]->element);
                 OS_ClearXML(&xml);
+                free(node);
                 return (-1);
             }
             if ((!node[i]->attributes) || (!node[i]->values) ||
@@ -208,11 +209,13 @@ int Rules_OP_ReadRules(const char *rulefile)
                 merror("rules_op: Invalid root element '%s'."
                        "Only the group name is allowed", node[i]->element);
                 OS_ClearXML(&xml);
+                free(node);
                 return (-1);
             }
         } else {
             merror(XML_READ_ERROR, ARGV0);
             OS_ClearXML(&xml);
+            free(node);
             return (-1);
         }
         i++;

src/config/syscheck-config.c

@@ -160,6 +160,8 @@ static int read_attr(syscheck_config *syscheck, const char *dirs, char **g_attrs
     const char *xml_check_sum = "check_sum";
     const char *xml_check_sha1sum = "check_sha1sum";
     const char *xml_check_md5sum = "check_md5sum";
+    const char *xml_check_sha256sum = "check_sha256sum";
+    const char *xml_check_genericsum = "check_genericsum";
     const char *xml_check_size = "check_size";
     const char *xml_check_owner = "check_owner";
     const char *xml_check_group = "check_group";
@@ -220,19 +222,39 @@ static int read_attr(syscheck_config *syscheck, const char *dirs, char **g_attrs
         attrs = g_attrs;
         values = g_values;
 
+#ifdef LIBSODIUM_ENABLED
+#ifdef DEBUG
+        merror("DEBUG: libsodium enabled");
+#endif  //DEBUG
+#endif  //LIBSODIUM_ENABLED
+
         while (*attrs && *values) {
             /* Check all */
             if (strcmp(*attrs, xml_check_all) == 0) {
                 if (strcmp(*values, "yes") == 0) {
+#ifdef LIBSODIUM_ENABLED
+                    opts |= CHECK_PERM;
+                    opts |= CHECK_SIZE;
+                    opts |= CHECK_OWNER;
+                    opts |= CHECK_GROUP;
+                    opts |= CHECK_SHA256SUM;
                     opts |= CHECK_MD5SUM;
+#else   //LIBSODIUM_ENABLED
                     opts |= CHECK_SHA1SUM;
+                    opts |= CHECK_MD5SUM;
                     opts |= CHECK_PERM;
                     opts |= CHECK_SIZE;
                     opts |= CHECK_OWNER;
                     opts |= CHECK_GROUP;
+#endif  //LIBSODIUM_ENABLED
                 } else if (strcmp(*values, "no") == 0) {
+#ifdef LIBSODIUM_ENABLED
+		    opts &= ~ ( CHECK_MD5SUM | CHECK_SHA1SUM | CHECK_PERM
+		       | CHECK_SIZE | CHECK_OWNER | CHECK_GROUP | CHECK_SHA256SUM | CHECK_GENERIC );
+#else   //LIBSODIUM_ENABLED
 		    opts &= ~ ( CHECK_MD5SUM | CHECK_SHA1SUM | CHECK_PERM
 		       | CHECK_SIZE | CHECK_OWNER | CHECK_GROUP );
+#endif  //LIBSODIUM_ENABLED
                 } else {
                     merror(SK_INV_OPT, __local_name, *values, *attrs);
                     ret = 0;
@@ -242,10 +264,20 @@ static int read_attr(syscheck_config *syscheck, const char *dirs, char **g_attrs
             /* Check sum */
             else if (strcmp(*attrs, xml_check_sum) == 0) {
                 if (strcmp(*values, "yes") == 0) {
+#ifdef LIBSODIUM_ENABLED
+                    opts |= CHECK_SHA256SUM;
+                    opts |= CHECK_GENERIC;
+#else   //LIBSODIUM_ENABLED
                     opts |= CHECK_MD5SUM;
                     opts |= CHECK_SHA1SUM;
+#endif  //LIBSODIUM_ENABLED
+
                 } else if (strcmp(*values, "no") == 0) {
+#ifdef LIBSODIUM_ENABLED
+		    opts &= ~ ( CHECK_GENERIC | CHECK_SHA256SUM );
+#else   //LIBSODIUM_ENALBED
 		    opts &= ~ ( CHECK_MD5SUM | CHECK_SHA1SUM );
+#endif
                 } else {
                     merror(SK_INV_OPT, __local_name, *values, *attrs);
                     ret = 0;
@@ -276,6 +308,30 @@ static int read_attr(syscheck_config *syscheck, const char *dirs, char **g_attrs
                     goto out_free;
                 }
             }
+#ifdef LIBSODIUM_ENABLED
+            else if(strncmp(*attrs, xml_check_sha256sum, 15) == 0) {
+                if(strncmp(*values, "yes", 3) == 0) {
+                    opts |= CHECK_SHA256SUM;
+                } else if(strncmp(*values, "no", 2) == 0) {
+                    opts &= ~ CHECK_SHA256SUM;
+                } else {
+                    merror(SK_INV_OPT, __local_name, *values, *attrs);
+                    ret = 0;
+                    goto out_free;
+                }
+            }
+            else if(strncmp(*attrs, xml_check_genericsum, 16) == 0) {
+                if(strncmp(*values, "yes", 3) == 0) {
+                    opts |= CHECK_GENERIC;
+                } else if(strncmp(*values, "no", 2) == 0) {
+                    opts &= ~ CHECK_GENERIC;
+                } else {
+                    merror(SK_INV_OPT, __local_name, *values, *attrs);
+                    ret = 0;
+                    goto out_free;
+                }
+            }
+#endif  //LIBSODIUM_ENABLED
             /* Check permission */
             else if (strcmp(*attrs, xml_check_perm) == 0) {
                 if (strcmp(*values, "yes") == 0) {
@@ -495,6 +551,7 @@ int Read_Syscheck(XML_NODE node, void *configp, __attribute__((unused)) void *ma
             ExpandEnvironmentStrings(node[i]->content, dirs, sizeof(dirs) - 1);
 #else
             strncpy(dirs, node[i]->content, sizeof(dirs) - 1);
+            dirs[sizeof(dirs) - 1] = '\0';
 #endif
 
             if (!read_attr(syscheck,
@@ -793,19 +850,22 @@ int Read_Syscheck(XML_NODE node, void *configp, __attribute__((unused)) void *ma
             ExpandEnvironmentStrings(node[i]->content, cmd, sizeof(cmd) - 1);
 #else
             strncpy(cmd, node[i]->content, sizeof(cmd) - 1);
+            cmd[sizeof(cmd) - 1] = '\0';
 #endif
 
             if (strlen(cmd) > 0) {
                 char statcmd[OS_MAXSTR];
                 char *ix;
                 strncpy(statcmd, cmd, sizeof(statcmd) - 1);
+                statcmd[sizeof(statcmd) - 1] = '\0';
                 if (NULL != (ix = strchr(statcmd, ' '))) {
                     *ix = '\0';
                 }
                 if (stat(statcmd, &statbuf) == 0) {
                     /* More checks needed (perms, owner, etc.) */
                     os_calloc(1, strlen(cmd) + 1, syscheck->prefilter_cmd);
                     strncpy(syscheck->prefilter_cmd, cmd, strlen(cmd));
+                    syscheck->prefilter_cmd[sizeof(syscheck->prefilter_cmd) - 1] = '\0';
                 } else {
                     merror(XML_VALUEERR, __local_name, node[i]->element, node[i]->content);
                     return (OS_INVALID);
@@ -833,24 +893,32 @@ char *syscheck_opts2str(char *buf, int buflen, int opts) {
         CHECK_SIZE,
         CHECK_OWNER,
         CHECK_GROUP,
-	CHECK_MD5SUM,
+        CHECK_MD5SUM,
         CHECK_SHA1SUM,
         CHECK_REALTIME,
         CHECK_SEECHANGES,
+#ifdef LIBSODIUM_ENABLED
+        CHECK_SHA256SUM,
+        CHECK_GENERIC,
+#endif  //LIBSODIUM_ENABLED
         CHECK_NORECURSE,
-	0
+	    0
 	};
     char *check_strings[] = {
         "perm",
         "size",
         "owner",
         "group",
-	"md5sum",
+        "md5sum",
         "sha1sum",
         "realtime",
         "report_changes",
+#ifdef LIBSODIUM_ENABLED
+        "sha256sum",
+	    "genericsum",
+#endif  //LIBSODIUM_ENABLED
         "no_recurse",
-	NULL
+	    NULL
 	};
 
     buf[0] = '\0';

src/config/syscheck-config.h

@@ -27,7 +27,6 @@
 #define CHECK_GENERIC       0001000
 #define CHECK_NORECURSE     0002000
 
-
 #include <stdio.h>
 
 #include "os_regex/os_regex.h"
@@ -54,6 +53,10 @@ typedef struct _config {
 
     int *opts;                      /* attributes set in the <directories> tag element */
 
+    char *algorithms;               /* Algorithms to use for FIM */
+    char *hash1_alg;
+    char *hash2_alg;
+
     char *remote_db;
     char *db;
 

src/headers/file_op.h

@@ -25,7 +25,7 @@ int IsDir(const char *file) __attribute__((nonnull));
 
 int CreatePID(const char *name, int pid) __attribute__((nonnull));
 
-char *GetRandomNoise();
+char *GetRandomNoise(void);
 
 int DeletePID(const char *name) __attribute__((nonnull));