
Comments (4)

plusvic commented on July 17, 2024

This looks like a difference between openssl and libressl. I don't have an installation with libressl around, could you try to comment out lines in the test below until you get a more minimalistic test that reproduces the issue?

yara/tests/test-pe.c

Lines 294 to 388 in 8616165

rule test { \
condition: \
pe.is_signed and \
pe.number_of_signatures == 1 and \
pe.signatures[0].thumbprint == \"c1bf1b8f751bf97626ed77f755f0a393106f2454\" and \
pe.signatures[0].subject == \"/C=US/ST=California/L=Menlo Park/O=Quicken, Inc./OU=Operations/CN=Quicken, Inc.\" and \
pe.signatures[0].verified and \
pe.signatures[0].digest_alg == \"sha1\" and \
pe.signatures[0].digest == \"f4ca190ec9052243b8882d492b1c12d04da7817f\" and \
pe.signatures[0].algorithm == \"sha256WithRSAEncryption\" and \
pe.signatures[0].algorithm_oid == \"1.2.840.113549.1.1.11\" and \
pe.signatures[0].file_digest == \"f4ca190ec9052243b8882d492b1c12d04da7817f\" and \
pe.signatures[0].number_of_certificates == 4 and \
pe.signatures[0].certificates[0].not_after == 1609372799 and \
pe.signatures[0].certificates[0].not_before == 1356048000 and \
pe.signatures[0].certificates[0].version == 3 and \
pe.signatures[0].certificates[0].serial == \"7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b\" and \
pe.signatures[0].certificates[0].algorithm == \"sha1WithRSAEncryption\" and \
pe.signatures[0].certificates[0].algorithm_oid == \"1.2.840.113549.1.1.5\" and \
pe.signatures[0].certificates[0].thumbprint == \"6c07453ffdda08b83707c09b82fb3d15f35336b1\" and \
pe.signatures[0].certificates[0].issuer == \"/C=ZA/ST=Western Cape/L=Durbanville/O=Thawte/OU=Thawte Certification/CN=Thawte Timestamping CA\" and \
pe.signatures[0].certificates[0].subject == \"/C=US/O=Symantec Corporation/CN=Symantec Time Stamping Services CA - G2\" and \
pe.signatures[0].certificates[1].not_after == 1609286399 and \
pe.signatures[0].certificates[1].not_before == 1350518400 and \
pe.signatures[0].certificates[1].version == 3 and \
pe.signatures[0].certificates[1].serial == \"0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50\" and \
pe.signatures[0].certificates[1].algorithm == \"sha1WithRSAEncryption\" and \
pe.signatures[0].certificates[1].algorithm_oid == \"1.2.840.113549.1.1.5\" and \
pe.signatures[0].certificates[1].thumbprint == \"65439929b67973eb192d6ff243e6767adf0834e4\" and \
pe.signatures[0].certificates[1].issuer == \"/C=US/O=Symantec Corporation/CN=Symantec Time Stamping Services CA - G2\" and \
pe.signatures[0].certificates[1].subject == \"/C=US/O=Symantec Corporation/CN=Symantec Time Stamping Services Signer - G4\" and \
pe.signatures[0].certificates[2].not_after == 1559692799 and \
pe.signatures[0].certificates[2].not_before == 1491955200 and \
pe.signatures[0].certificates[2].version == 3 and \
pe.signatures[0].certificates[2].serial == \"21:bd:b2:cb:ec:e5:43:1e:24:f7:56:74:d6:0e:9c:1d\" and \
pe.signatures[0].certificates[2].algorithm == \"sha256WithRSAEncryption\" and \
pe.signatures[0].certificates[2].algorithm_oid == \"1.2.840.113549.1.1.11\" and \
pe.signatures[0].certificates[2].thumbprint == \"c1bf1b8f751bf97626ed77f755f0a393106f2454\" and \
pe.signatures[0].certificates[2].issuer == \"/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA\" and \
pe.signatures[0].certificates[2].subject == \"/C=US/ST=California/L=Menlo Park/O=Quicken, Inc./OU=Operations/CN=Quicken, Inc.\" and \
pe.signatures[0].certificates[3].not_after == 1702166399 and \
pe.signatures[0].certificates[3].not_before == 1386633600 and \
pe.signatures[0].certificates[3].version == 3 and \
pe.signatures[0].certificates[3].serial == \"3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a\" and \
pe.signatures[0].certificates[3].algorithm == \"sha256WithRSAEncryption\" and \
pe.signatures[0].certificates[3].algorithm_oid == \"1.2.840.113549.1.1.11\" and \
pe.signatures[0].certificates[3].thumbprint == \"007790f6561dad89b0bcd85585762495e358f8a5\" and \
pe.signatures[0].certificates[3].issuer == \"/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5\" and \
pe.signatures[0].certificates[3].subject == \"/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA\" and \
pe.signatures[0].signer_info.digest == \"845555fec6e472a43b0714911d6c452a092e9632\" and \
pe.signatures[0].signer_info.digest_alg == \"sha1\" and \
pe.signatures[0].signer_info.length_of_chain == 2 and \
pe.signatures[0].signer_info.chain[0].not_after == 1559692799 and \
pe.signatures[0].signer_info.chain[0].not_before == 1491955200 and \
pe.signatures[0].signer_info.chain[0].version == 3 and \
pe.signatures[0].signer_info.chain[0].serial == \"21:bd:b2:cb:ec:e5:43:1e:24:f7:56:74:d6:0e:9c:1d\" and \
pe.signatures[0].signer_info.chain[0].algorithm == \"sha256WithRSAEncryption\" and \
pe.signatures[0].signer_info.chain[0].algorithm_oid == \"1.2.840.113549.1.1.11\" and \
pe.signatures[0].signer_info.chain[0].thumbprint == \"c1bf1b8f751bf97626ed77f755f0a393106f2454\" and \
pe.signatures[0].signer_info.chain[0].issuer == \"/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA\" and \
pe.signatures[0].signer_info.chain[0].subject == \"/C=US/ST=California/L=Menlo Park/O=Quicken, Inc./OU=Operations/CN=Quicken, Inc.\" and \
pe.signatures[0].signer_info.chain[1].not_after == 1702166399 and \
pe.signatures[0].signer_info.chain[1].not_before == 1386633600 and \
pe.signatures[0].signer_info.chain[1].version == 3 and \
pe.signatures[0].signer_info.chain[1].serial == \"3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a\" and \
pe.signatures[0].signer_info.chain[1].algorithm == \"sha256WithRSAEncryption\" and \
pe.signatures[0].signer_info.chain[1].algorithm_oid == \"1.2.840.113549.1.1.11\" and \
pe.signatures[0].signer_info.chain[1].thumbprint == \"007790f6561dad89b0bcd85585762495e358f8a5\" and \
pe.signatures[0].signer_info.chain[1].issuer == \"/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5\" and \
pe.signatures[0].signer_info.chain[1].subject == \"/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA\" and \
pe.signatures[0].number_of_countersignatures == 1 and \
pe.signatures[0].countersignatures[0].length_of_chain == 2 and \
pe.signatures[0].countersignatures[0].digest == \"9fa1188e4c656d86e2d7fa133ee8138ac1ec4ec1\" and \
pe.signatures[0].countersignatures[0].digest_alg == \"sha1\" and \
pe.signatures[0].countersignatures[0].sign_time == 1528216551 and \
pe.signatures[0].countersignatures[0].verified and \
pe.signatures[0].countersignatures[0].chain[0].not_after == 1609286399 and \
pe.signatures[0].countersignatures[0].chain[0].not_before == 1350518400 and \
pe.signatures[0].countersignatures[0].chain[0].version == 3 and \
pe.signatures[0].countersignatures[0].chain[0].serial == \"0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50\" and \
pe.signatures[0].countersignatures[0].chain[0].algorithm == \"sha1WithRSAEncryption\" and \
pe.signatures[0].countersignatures[0].chain[0].algorithm_oid == \"1.2.840.113549.1.1.5\" and \
pe.signatures[0].countersignatures[0].chain[0].thumbprint == \"65439929b67973eb192d6ff243e6767adf0834e4\" and \
pe.signatures[0].countersignatures[0].chain[0].issuer == \"/C=US/O=Symantec Corporation/CN=Symantec Time Stamping Services CA - G2\" and \
pe.signatures[0].countersignatures[0].chain[0].subject == \"/C=US/O=Symantec Corporation/CN=Symantec Time Stamping Services Signer - G4\" and \
pe.signatures[0].countersignatures[0].chain[1].not_after == 1609372799 and \
pe.signatures[0].countersignatures[0].chain[1].not_before == 1356048000 and \
pe.signatures[0].countersignatures[0].chain[1].version == 3 and \
pe.signatures[0].countersignatures[0].chain[1].serial == \"7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b\" and \
pe.signatures[0].countersignatures[0].chain[1].algorithm == \"sha1WithRSAEncryption\" and \
pe.signatures[0].countersignatures[0].chain[1].algorithm_oid == \"1.2.840.113549.1.1.5\" and \
pe.signatures[0].countersignatures[0].chain[1].thumbprint == \"6c07453ffdda08b83707c09b82fb3d15f35336b1\" and \
pe.signatures[0].countersignatures[0].chain[1].issuer == \"/C=ZA/ST=Western Cape/L=Durbanville/O=Thawte/OU=Thawte Certification/CN=Thawte Timestamping CA\" and \
pe.signatures[0].countersignatures[0].chain[1].subject == \"/C=US/O=Symantec Corporation/CN=Symantec Time Stamping Services CA - G2\" \
}",


lcheylus commented on July 17, 2024

After a lot of iterations (modify test-pe in tests/test-pe.c, rebuild and test with make check), I have 2 minimal test cases that reproduce the issue:

  • pe.signatures[0].signer_info.length_of_chain == 2
  • pe.signatures[0].countersignatures[0].length_of_chain == 2

After some searches in the issues, mine seems to be a duplicate of #2046.


lcheylus commented on July 17, 2024

I would like to try to build Yara on OpenBSD using the OpenSSL lib instead of LibreSSL.

  • OpenSSL version 3.1.6 installed via openssl OpenBSD packages
  • includes in /usr/local/include/eopenssl31/openssl/
  • libs in /usr/local/lib/eopenssl31/

I can't find in the configure script how to use OpenSSL instead of LibreSSL. Is there an option/flag in the configure script to do this?
I checked the configure.ac file for AC_CHECK_HEADERS / AC_CHECK_LIB for openssl/crypto but I can't find how to modify these checks.


lcheylus commented on July 17, 2024

FYI, I succeeded in compiling and testing Yara with OpenSSL instead of LibreSSL on OpenBSD (amd64).

  • Install of OpenSSL version 3.1.6 via pkg_add openssl-3.1.6v0
$ /usr/local/bin/eopenssl31 version
OpenSSL 3.1.6 4 Jun 2024 (Library: OpenSSL 3.1.6 4 Jun 2024)
  • Build of Yara with OpenSSL
$ ./configure --enable-cuckoo --enable-magic --enable-dex --enable-macho --with-crypto CPPFLAGS=-I/usr/local/include/eopenssl31 LDFLAGS=-L/usr/local/lib/eopenssl31
$ make
(...)
$ LD_LIBRARY_PATH=/usr/local/lib/eopenssl31/ ./yara -v
4.5.1
  • Tests of Yara => no error for test-pe
$ LD_LIBRARY_PATH=/usr/local/lib/eopenssl31/ make check
(...)
make  check-TESTS
PASS: test-arena
PASS: test-alignment
PASS: test-atoms
PASS: test-api
PASS: test-rules
PASS: test-pe
PASS: test-elf
PASS: test-version
PASS: test-bitmask
PASS: test-math
PASS: test-stack
PASS: test-re-split
PASS: test-async
PASS: test-string
PASS: test-exception
PASS: test-macho
PASS: test-dex
PASS: test-dotnet
PASS: test-magic
make  all-am
============================================================================
Testsuite summary for yara 4.5.1
============================================================================
# TOTAL: 19
# PASS:  19
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0
============================================================================

