
Comments (5)

plusvic commented on August 24, 2024

Yes, it looks related to LibreSSL. The first step is trying to minify the test case; if we are lucky, the problem is one specific condition within the rule. For instance, LibreSSL may be formatting issuer or subject strings in a different way. In the worst case the whole signature parsing is failing. If you already have a setup using LibreSSL, could you try removing portions of the rule condition and see if you can find a smaller test that reproduces the issue?

from yara.

orbea commented on August 24, 2024

could you try removing portions of the rule condition and see if you can find a smaller test that reproduces the issue?

Yes, when using this patch test-pe passes and I individually tested that each of these lines is problematic.

The issue seems to be with *.length_of_chain == 2 and *.chain[1].*, but I'm still not sure if this is a LibreSSL or YARA bug?

--- a/tests/test-pe.c
+++ b/tests/test-pe.c
@@ -342,7 +342,6 @@ int main(int argc, char** argv)
           pe.signatures[0].certificates[3].subject == \"/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA\"  and \
           pe.signatures[0].signer_info.digest == \"845555fec6e472a43b0714911d6c452a092e9632\"  and \
           pe.signatures[0].signer_info.digest_alg == \"sha1\"  and \
-          pe.signatures[0].signer_info.length_of_chain == 2  and \
           pe.signatures[0].signer_info.chain[0].not_after == 1559692799 and \
           pe.signatures[0].signer_info.chain[0].not_before == 1491955200 and \
           pe.signatures[0].signer_info.chain[0].version == 3 and \
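Review bot: removing the `length_of_chain == 2` line silences the failing assertion without recording what LibreSSL actually returns for it; for a minimized reproducer it is more useful to replace the `-` line with the observed value (for example `length_of_chain == 1` if the chain really stops at the leaf) so the trimmed test documents the difference between the two libraries instead of leaving the signer_info chain length unchecked.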
@@ -352,17 +351,7 @@ int main(int argc, char** argv)
           pe.signatures[0].signer_info.chain[0].thumbprint == \"c1bf1b8f751bf97626ed77f755f0a393106f2454\"  and \
           pe.signatures[0].signer_info.chain[0].issuer == \"/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA\"  and \
           pe.signatures[0].signer_info.chain[0].subject == \"/C=US/ST=California/L=Menlo Park/O=Quicken, Inc./OU=Operations/CN=Quicken, Inc.\"  and \
-          pe.signatures[0].signer_info.chain[1].not_after == 1702166399 and \
-          pe.signatures[0].signer_info.chain[1].not_before == 1386633600 and \
-          pe.signatures[0].signer_info.chain[1].version == 3 and \
-          pe.signatures[0].signer_info.chain[1].serial == \"3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a\"  and \
-          pe.signatures[0].signer_info.chain[1].algorithm == \"sha256WithRSAEncryption\"  and \
-          pe.signatures[0].signer_info.chain[1].algorithm_oid == \"1.2.840.113549.1.1.11\" and \
-          pe.signatures[0].signer_info.chain[1].thumbprint == \"007790f6561dad89b0bcd85585762495e358f8a5\"  and \
-          pe.signatures[0].signer_info.chain[1].issuer == \"/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5\"  and \
-          pe.signatures[0].signer_info.chain[1].subject == \"/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA\"  and \
           pe.signatures[0].number_of_countersignatures == 1  and \
-          pe.signatures[0].countersignatures[0].length_of_chain == 2  and \
           pe.signatures[0].countersignatures[0].digest == \"9fa1188e4c656d86e2d7fa133ee8138ac1ec4ec1\"  and \
           pe.signatures[0].countersignatures[0].digest_alg == \"sha1\"  and \
           pe.signatures[0].countersignatures[0].sign_time == 1528216551  and \
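Review bot: this hunk removes every `chain[1].*` assertion for signer_info together with `countersignatures[0].length_of_chain == 2`, so after the patch nothing still requires the issuing CA named by `chain[0].issuer` on the preceding lines to appear in the chain at all. Since both removals point at the same symptom (a missing second chain element) in two independent signatures, that is worth stating in the commit message, because it narrows the problem to chain construction rather than to issuer/subject string formatting.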
@@ -375,16 +364,7 @@ int main(int argc, char** argv)
           pe.signatures[0].countersignatures[0].chain[0].algorithm_oid == \"1.2.840.113549.1.1.5\" and \
           pe.signatures[0].countersignatures[0].chain[0].thumbprint == \"65439929b67973eb192d6ff243e6767adf0834e4\"  and \
           pe.signatures[0].countersignatures[0].chain[0].issuer == \"/C=US/O=Symantec Corporation/CN=Symantec Time Stamping Services CA - G2\"  and \
-          pe.signatures[0].countersignatures[0].chain[0].subject == \"/C=US/O=Symantec Corporation/CN=Symantec Time Stamping Services Signer - G4\"  and \
-          pe.signatures[0].countersignatures[0].chain[1].not_after == 1609372799 and \
-          pe.signatures[0].countersignatures[0].chain[1].not_before == 1356048000 and \
-          pe.signatures[0].countersignatures[0].chain[1].version == 3 and \
-          pe.signatures[0].countersignatures[0].chain[1].serial == \"7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b\"  and \
-          pe.signatures[0].countersignatures[0].chain[1].algorithm == \"sha1WithRSAEncryption\"  and \
-          pe.signatures[0].countersignatures[0].chain[1].algorithm_oid == \"1.2.840.113549.1.1.5\" and \
-          pe.signatures[0].countersignatures[0].chain[1].thumbprint == \"6c07453ffdda08b83707c09b82fb3d15f35336b1\"  and \
-          pe.signatures[0].countersignatures[0].chain[1].issuer == \"/C=ZA/ST=Western Cape/L=Durbanville/O=Thawte/OU=Thawte Certification/CN=Thawte Timestamping CA\"  and \
-          pe.signatures[0].countersignatures[0].chain[1].subject == \"/C=US/O=Symantec Corporation/CN=Symantec Time Stamping Services CA - G2\" \
+          pe.signatures[0].countersignatures[0].chain[0].subject == \"/C=US/O=Symantec Corporation/CN=Symantec Time Stamping Services Signer - G4\" \
       }",
       "tests/data/"
       "079a472d22290a94ebb212aa8015cdc8dd28a968c6b4d3b88acdd58ce2d3b885");
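Review bot: the `-`/`+` pair for `countersignatures[0].chain[0].subject` only drops the trailing `and \` because that clause is now the last one in the condition; that is correct as written, but whoever restores the `chain[1]` assertions later has to remember to put the conjunction back. Taken together with the two previous hunks, the patched test passes while verifying neither the code-signing nor the timestamping intermediate, so it should be treated as a bisection aid, not as an accepted test change.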


metthal commented on August 24, 2024

Please report it to us at avast/authenticode-parser as that's what's being used for authenticode parsing. We never really tested against LibreSSL so it might need some work.


metthal commented on August 24, 2024

I tried to have a short look at it. Our authenticode-parser relies on X509_verify_cert to actually build a certificate chain, even if it's incomplete. That's how it behaves in OpenSSL and it is a documented behavior. However, LibreSSL seems to have taken a different approach, and they even complain in their code about the behavior of OpenSSL, so I suspect it might have something to do with that.

/*
 * This is the effectively broken legacy OpenSSL chain builder. It
 * might find an unvalidated chain and leave it sitting in
 * ctx->chain. It does not correctly handle many cases where multiple
 * chains could exist.
 *
 * Oh no.. I know a dirty word...
 * Oooooooh..
 */

However, even forcing the legacy verifier didn't result in what OpenSSL provides, so I might have to dig deeper. I'll let you know about any updates.


orbea commented on August 24, 2024

Thanks, if there is anything I can communicate with the LibreSSL developers please let me know.

