bb12504: Custom CA paths for freshclam, clamsubmit

The newer freshclam uses libcurl for downloads and downloads the
updates via https. There are systems which don't have a "default CA
store" but instead the administrator maintains a CA-bundle of certs
they trust.

This patch allows the users to specify their own CA cert path by
setting the environment variable CURL_CA_BUNDLE to the path of their
choice.

Patch courtesy of Sebastian A. Siewior

NEWS.md

@@ -13,6 +13,13 @@ ClamAV 0.103.0 includes the following improvements and changes.
 
 ### Other improvements
 
+- Added ability for freshclam and clamsubmit to override default use of openssl
+  CA bundle with a custom CA bundle. On Linux/Unix platforms (excluding macOS),
+  users may specify a custom CA bundle by setting the CURL_CA_BUNDLE environment
+  variable. On macOS and Windows, users are expected to add CA certificates to
+  their respective system's keychain/certificate store.
+  Patch courtesy of Sebastian A. Siewior
+
 ### Bug fixes
 
 ### New Requirements
@@ -21,6 +28,7 @@ ClamAV 0.103.0 includes the following improvements and changes.
 
 The ClamAV team thanks the following individuals for their code submissions:
 
+- Sebastian A. Siewior
 - Reio Remma
 
 ## 0.102.0

clamsubmit/clamsubmit.c

@@ -17,9 +17,7 @@
 #include "libclamav/others.h"
 #include "shared/misc.h"
 #include "shared/getopt.h"
-#if defined(C_DARWIN) || defined(_WIN32)
 #include "shared/cert_util.h"
-#endif
 
 #define OPTS "e:p:n:N:V:H:h?v?d"
 
@@ -256,6 +254,8 @@ int main(int argc, char *argv[])
     if (CURLE_OK != curl_easy_setopt(clam_curl, CURLOPT_SSL_CTX_FUNCTION, *sslctx_function)) {
         fprintf(stderr, "ERROR: Failed to set SSL CTX function!\n");
     }
+#else
+    set_tls_ca_bundle(clam_curl);
 #endif
 
     /*** The GET malware|fp ***/
@@ -417,6 +417,8 @@ int main(int argc, char *argv[])
     if (CURLE_OK != curl_easy_setopt(aws_curl, CURLOPT_SSL_CTX_FUNCTION, *sslctx_function)) {
         fprintf(stderr, "ERROR: Failed to set SSL CTX function!\n");
     }
+#else
+    set_tls_ca_bundle(aws_curl);
 #endif
 
     curl_formadd(&post, &last, CURLFORM_COPYNAME, "key", CURLFORM_COPYCONTENTS, json_str, CURLFORM_END);

libfreshclam/libfreshclam_internal.c

@@ -426,6 +426,8 @@ static fc_error_t create_curl_handle(
     if (CURLE_OK != curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, *sslctx_function)) {
         logg("*create_curl_handle: Failed to set SSL CTX function. Your libcurl may use an SSL backend that does not support CURLOPT_SSL_CTX_FUNCTION.\n");
     }
+#else
+    set_tls_ca_bundle(curl);
 #endif
 
     *curlHandle = curl;

shared/cert_util.h

@@ -22,6 +22,15 @@
 /* As defined by ub-common-name in https://www.ietf.org/rfc/rfc3280.txt */
 #define X509_COMMON_NAME_MAX_LEN (64)
 
+#if !(defined(C_DARWIN) || defined(_WIN32))
+/**
+ * @brief Set the tls ca bundle to a custom value using the CURL_CA_BUNDLE env var
+ *
+ * @param curl Pointer to the curl connection handle.
+ */
+void set_tls_ca_bundle(CURL *curl);
+#endif
+
 /**
  * @brief Load system and trusted root certificates into memory. Any errors
  *        while loading trusted certificates will be ignored. If error checking

shared/linux/cert_util_linux.c

@@ -27,11 +27,26 @@
 #include <stdlib.h>
 #include <inttypes.h>
 
+#include <curl/curl.h>
+
 #include "shared/output.h"
 
 #include "shared/cert_util.h"
 #include "shared/cert_util_internal.h"
 
+void set_tls_ca_bundle(CURL *curl)
+{
+    char *ca_bundle;
+
+    ca_bundle = getenv("CURL_CA_BUNDLE");
+    if (ca_bundle == NULL)
+        return;
+
+    if (curl_easy_setopt(curl, CURLOPT_CAINFO, ca_bundle) != CURLE_OK) {
+        fprintf(stderr, "Failed to set CURLOPT_CAINFO!\n");
+    }
+}
+
 cl_error_t cert_store_load(X509 **trusted_certs, size_t trusted_cert_count)
 {
     cl_error_t ret      = CL_EOPEN;