
Test failure on OpenBSD - tests/test-pe.c:390: rule does not match contents #2085

lcheylus opened this issue Jun 4, 2024 · 4 comments
lcheylus commented Jun 4, 2024

Bug

  • Build of YARA v4.5.1 on OpenBSD current/amd64 (future version 7.6) OK
  • Error when running test with make check
tests/test-pe.c:390: rule does not match contents of'tests/data/079a472d22290a94ebb212aa8015cdc8dd28a968c6b4d3b88acdd58ce2d3b885' (but should)

Expected behavior
All tests should pass.

Please complete the following information:

  • OS: OpenBSD current/amd64 (OpenBSD 7.5-current (GENERIC.MP) #93)
  • YARA version: 4.5.1 built from sources
  • LibreSSL 3.9.0
@lcheylus lcheylus added the bug label Jun 4, 2024
@plusvic (Member)

plusvic commented Jun 19, 2024

This looks like a difference between openssl and libressl. I don't have an installation with libressl around; could you try to comment out lines in the test below until you get a more minimalistic test that reproduces the issue?

yara/tests/test-pe.c

Lines 294 to 388 in 8616165

rule test { \
condition: \
pe.is_signed and \
pe.number_of_signatures == 1 and \
pe.signatures[0].thumbprint == \"c1bf1b8f751bf97626ed77f755f0a393106f2454\" and \
pe.signatures[0].subject == \"/C=US/ST=California/L=Menlo Park/O=Quicken, Inc./OU=Operations/CN=Quicken, Inc.\" and \
pe.signatures[0].verified and \
pe.signatures[0].digest_alg == \"sha1\" and \
pe.signatures[0].digest == \"f4ca190ec9052243b8882d492b1c12d04da7817f\" and \
pe.signatures[0].algorithm == \"sha256WithRSAEncryption\" and \
pe.signatures[0].algorithm_oid == \"1.2.840.113549.1.1.11\" and \
pe.signatures[0].file_digest == \"f4ca190ec9052243b8882d492b1c12d04da7817f\" and \
pe.signatures[0].number_of_certificates == 4 and \
pe.signatures[0].certificates[0].not_after == 1609372799 and \
pe.signatures[0].certificates[0].not_before == 1356048000 and \
pe.signatures[0].certificates[0].version == 3 and \
pe.signatures[0].certificates[0].serial == \"7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b\" and \
pe.signatures[0].certificates[0].algorithm == \"sha1WithRSAEncryption\" and \
pe.signatures[0].certificates[0].algorithm_oid == \"1.2.840.113549.1.1.5\" and \
pe.signatures[0].certificates[0].thumbprint == \"6c07453ffdda08b83707c09b82fb3d15f35336b1\" and \
pe.signatures[0].certificates[0].issuer == \"/C=ZA/ST=Western Cape/L=Durbanville/O=Thawte/OU=Thawte Certification/CN=Thawte Timestamping CA\" and \
pe.signatures[0].certificates[0].subject == \"/C=US/O=Symantec Corporation/CN=Symantec Time Stamping Services CA - G2\" and \
pe.signatures[0].certificates[1].not_after == 1609286399 and \
pe.signatures[0].certificates[1].not_before == 1350518400 and \
pe.signatures[0].certificates[1].version == 3 and \
pe.signatures[0].certificates[1].serial == \"0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50\" and \
pe.signatures[0].certificates[1].algorithm == \"sha1WithRSAEncryption\" and \
pe.signatures[0].certificates[1].algorithm_oid == \"1.2.840.113549.1.1.5\" and \
pe.signatures[0].certificates[1].thumbprint == \"65439929b67973eb192d6ff243e6767adf0834e4\" and \
pe.signatures[0].certificates[1].issuer == \"/C=US/O=Symantec Corporation/CN=Symantec Time Stamping Services CA - G2\" and \
pe.signatures[0].certificates[1].subject == \"/C=US/O=Symantec Corporation/CN=Symantec Time Stamping Services Signer - G4\" and \
pe.signatures[0].certificates[2].not_after == 1559692799 and \
pe.signatures[0].certificates[2].not_before == 1491955200 and \
pe.signatures[0].certificates[2].version == 3 and \
pe.signatures[0].certificates[2].serial == \"21:bd:b2:cb:ec:e5:43:1e:24:f7:56:74:d6:0e:9c:1d\" and \
pe.signatures[0].certificates[2].algorithm == \"sha256WithRSAEncryption\" and \
pe.signatures[0].certificates[2].algorithm_oid == \"1.2.840.113549.1.1.11\" and \
pe.signatures[0].certificates[2].thumbprint == \"c1bf1b8f751bf97626ed77f755f0a393106f2454\" and \
pe.signatures[0].certificates[2].issuer == \"/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA\" and \
pe.signatures[0].certificates[2].subject == \"/C=US/ST=California/L=Menlo Park/O=Quicken, Inc./OU=Operations/CN=Quicken, Inc.\" and \
pe.signatures[0].certificates[3].not_after == 1702166399 and \
pe.signatures[0].certificates[3].not_before == 1386633600 and \
pe.signatures[0].certificates[3].version == 3 and \
pe.signatures[0].certificates[3].serial == \"3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a\" and \
pe.signatures[0].certificates[3].algorithm == \"sha256WithRSAEncryption\" and \
pe.signatures[0].certificates[3].algorithm_oid == \"1.2.840.113549.1.1.11\" and \
pe.signatures[0].certificates[3].thumbprint == \"007790f6561dad89b0bcd85585762495e358f8a5\" and \
pe.signatures[0].certificates[3].issuer == \"/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5\" and \
pe.signatures[0].certificates[3].subject == \"/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA\" and \
pe.signatures[0].signer_info.digest == \"845555fec6e472a43b0714911d6c452a092e9632\" and \
pe.signatures[0].signer_info.digest_alg == \"sha1\" and \
pe.signatures[0].signer_info.length_of_chain == 2 and \
pe.signatures[0].signer_info.chain[0].not_after == 1559692799 and \
pe.signatures[0].signer_info.chain[0].not_before == 1491955200 and \
pe.signatures[0].signer_info.chain[0].version == 3 and \
pe.signatures[0].signer_info.chain[0].serial == \"21:bd:b2:cb:ec:e5:43:1e:24:f7:56:74:d6:0e:9c:1d\" and \
pe.signatures[0].signer_info.chain[0].algorithm == \"sha256WithRSAEncryption\" and \
pe.signatures[0].signer_info.chain[0].algorithm_oid == \"1.2.840.113549.1.1.11\" and \
pe.signatures[0].signer_info.chain[0].thumbprint == \"c1bf1b8f751bf97626ed77f755f0a393106f2454\" and \
pe.signatures[0].signer_info.chain[0].issuer == \"/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA\" and \
pe.signatures[0].signer_info.chain[0].subject == \"/C=US/ST=California/L=Menlo Park/O=Quicken, Inc./OU=Operations/CN=Quicken, Inc.\" and \
pe.signatures[0].signer_info.chain[1].not_after == 1702166399 and \
pe.signatures[0].signer_info.chain[1].not_before == 1386633600 and \
pe.signatures[0].signer_info.chain[1].version == 3 and \
pe.signatures[0].signer_info.chain[1].serial == \"3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a\" and \
pe.signatures[0].signer_info.chain[1].algorithm == \"sha256WithRSAEncryption\" and \
pe.signatures[0].signer_info.chain[1].algorithm_oid == \"1.2.840.113549.1.1.11\" and \
pe.signatures[0].signer_info.chain[1].thumbprint == \"007790f6561dad89b0bcd85585762495e358f8a5\" and \
pe.signatures[0].signer_info.chain[1].issuer == \"/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5\" and \
pe.signatures[0].signer_info.chain[1].subject == \"/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA\" and \
pe.signatures[0].number_of_countersignatures == 1 and \
pe.signatures[0].countersignatures[0].length_of_chain == 2 and \
pe.signatures[0].countersignatures[0].digest == \"9fa1188e4c656d86e2d7fa133ee8138ac1ec4ec1\" and \
pe.signatures[0].countersignatures[0].digest_alg == \"sha1\" and \
pe.signatures[0].countersignatures[0].sign_time == 1528216551 and \
pe.signatures[0].countersignatures[0].verified and \
pe.signatures[0].countersignatures[0].chain[0].not_after == 1609286399 and \
pe.signatures[0].countersignatures[0].chain[0].not_before == 1350518400 and \
pe.signatures[0].countersignatures[0].chain[0].version == 3 and \
pe.signatures[0].countersignatures[0].chain[0].serial == \"0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50\" and \
pe.signatures[0].countersignatures[0].chain[0].algorithm == \"sha1WithRSAEncryption\" and \
pe.signatures[0].countersignatures[0].chain[0].algorithm_oid == \"1.2.840.113549.1.1.5\" and \
pe.signatures[0].countersignatures[0].chain[0].thumbprint == \"65439929b67973eb192d6ff243e6767adf0834e4\" and \
pe.signatures[0].countersignatures[0].chain[0].issuer == \"/C=US/O=Symantec Corporation/CN=Symantec Time Stamping Services CA - G2\" and \
pe.signatures[0].countersignatures[0].chain[0].subject == \"/C=US/O=Symantec Corporation/CN=Symantec Time Stamping Services Signer - G4\" and \
pe.signatures[0].countersignatures[0].chain[1].not_after == 1609372799 and \
pe.signatures[0].countersignatures[0].chain[1].not_before == 1356048000 and \
pe.signatures[0].countersignatures[0].chain[1].version == 3 and \
pe.signatures[0].countersignatures[0].chain[1].serial == \"7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b\" and \
pe.signatures[0].countersignatures[0].chain[1].algorithm == \"sha1WithRSAEncryption\" and \
pe.signatures[0].countersignatures[0].chain[1].algorithm_oid == \"1.2.840.113549.1.1.5\" and \
pe.signatures[0].countersignatures[0].chain[1].thumbprint == \"6c07453ffdda08b83707c09b82fb3d15f35336b1\" and \
pe.signatures[0].countersignatures[0].chain[1].issuer == \"/C=ZA/ST=Western Cape/L=Durbanville/O=Thawte/OU=Thawte Certification/CN=Thawte Timestamping CA\" and \
pe.signatures[0].countersignatures[0].chain[1].subject == \"/C=US/O=Symantec Corporation/CN=Symantec Time Stamping Services CA - G2\" \
}",

@lcheylus (Author)
After a lot of iterations (modify test-pe in tests/test-pe.c, rebuild and test with make check), I have 2 minimalist test cases that reproduce the issue:

  • pe.signatures[0].signer_info.length_of_chain == 2
  • pe.signatures[0].countersignatures[0].length_of_chain == 2

After some searches in the issues, mine seems to be a duplicate of #2046.
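The condition minimization plusvic asks for above, and that lcheylus then carried out by hand, as an added example that is not part of YARA or of this thread: it splits a conjunctive condition into its conjuncts and tests each one alone, since a conjunction fails exactly when some conjunct is false on its own. The condition excerpt and `libressl_oracle` are constructed (the oracle mirrors the reporter's finding); `yara_cli_oracle` runs the real `yara` binary on a sample path you supply.

```python
import subprocess
import tempfile
from typing import Callable

# Constructed excerpt of the tests/test-pe.c condition quoted above (C escapes removed).
CONDITION = r'''
pe.is_signed and
pe.signatures[0].thumbprint == "c1bf1b8f751bf97626ed77f755f0a393106f2454" and
pe.signatures[0].certificates[3].issuer == "/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5" and
pe.signatures[0].signer_info.length_of_chain == 2 and
pe.signatures[0].countersignatures[0].length_of_chain == 2 and
pe.signatures[0].countersignatures[0].verified
'''

def split_conjuncts(condition: str) -> list[str]:
    """Split a condition on top-level 'and', never inside a "..." string (whitespace is collapsed first)."""
    text = " ".join(condition.split())
    parts, buf, in_str, i = [], [], False, 0
    while i < len(text):
        if text[i] == '"':
            in_str = not in_str
        if not in_str and text.startswith(" and ", i):
            parts.append("".join(buf).strip())
            buf, i = [], i + len(" and ")
            continue
        buf.append(text[i])
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def single_conjunct_rule(conjunct: str) -> str:
    """Wrap one conjunct in a stand-alone rule, as done by hand in the comment above."""
    return 'import "pe"\nrule minimal {\n  condition:\n    %s\n}\n' % conjunct

def isolate_failing_conjuncts(condition: str, rule_matches: Callable[[str], bool]) -> list[str]:
    """One oracle run per conjunct pinpoints every culprit; no bisection is needed."""
    return [c for c in split_conjuncts(condition)
            if not rule_matches(single_conjunct_rule(c))]

def yara_cli_oracle(sample_path: str, yara_bin: str = "yara") -> Callable[[str], bool]:
    """Real oracle: run the yara CLI on the sample; a match prints '<rule name> <file>'."""
    def matches(rule_text: str) -> bool:
        with tempfile.NamedTemporaryFile("w", suffix=".yar", delete=False) as f:
            f.write(rule_text)  # rule file is left on disk for inspection
        out = subprocess.run([yara_bin, "-w", f.name, sample_path], capture_output=True, text=True)
        return out.returncode == 0 and out.stdout.startswith("minimal ")
    return matches

def libressl_oracle(rule_text: str) -> bool:
    """Constructed stand-in for the LibreSSL build: only the length_of_chain conjuncts fail."""
    return "length_of_chain == 2" not in rule_text
```

Swap `libressl_oracle` for `yara_cli_oracle("tests/data/<sample>")` to run the same isolation against a real build.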

@lcheylus (Author)

I would like to try to build Yara on OpenBSD using OpenSSL lib instead of LibreSSL.

  • OpenSSL version 3.1.6 installed via openssl OpenBSD packages
  • includes in /usr/local/include/eopenssl31/openssl/
  • libs in /usr/local/lib/eopenssl31/

I don't find in the configure script how to use OpenSSL instead of LibreSSL. Is there an option/flag in the configure script to do this?
I checked the configure.ac file for AC_CHECK_HEADERS / AC_CHECK_LIB for openssl/crypto but I don't find how to modify these checks.

@lcheylus (Author)

lcheylus commented Jul 5, 2024

FYI, I succeeded in compiling and testing Yara with OpenSSL instead of LibreSSL on OpenBSD (amd64).

  • Install of OpenSSL version 3.1.6 via pkg_add openssl-3.1.6v0
$ /usr/local/bin/eopenssl31 version
OpenSSL 3.1.6 4 Jun 2024 (Library: OpenSSL 3.1.6 4 Jun 2024)
  • Build of Yara with OpenSSL
$ ./configure --enable-cuckoo --enable-magic --enable-dex --enable-macho --with-crypto CPPFLAGS=-I/usr/local/include/eopenssl31 LDFLAGS=-L/usr/local/lib/eopenssl31
$ make
(...)
$ LD_LIBRARY_PATH=/usr/local/lib/eopenssl31/ ./yara -v
4.5.1
  • Tests of Yara => no error for test-pe
$ LD_LIBRARY_PATH=/usr/local/lib/eopenssl31/ make check
(...)
make  check-TESTS
PASS: test-arena
PASS: test-alignment
PASS: test-atoms
PASS: test-api
PASS: test-rules
PASS: test-pe
PASS: test-elf
PASS: test-version
PASS: test-bitmask
PASS: test-math
PASS: test-stack
PASS: test-re-split
PASS: test-async
PASS: test-string
PASS: test-exception
PASS: test-macho
PASS: test-dex
PASS: test-dotnet
PASS: test-magic
make  all-am
============================================================================
Testsuite summary for yara 4.5.1
============================================================================
# TOTAL: 19
# PASS:  19
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0
============================================================================

@plusvic plusvic closed this as completed Nov 28, 2024