Test Failure - test-pe: tests/test-pe.c:292: rule does not match contents of'tests/data/ #2046

Open
orbea opened this issue Feb 25, 2024 · 5 comments
@orbea
Contributor

orbea commented Feb 25, 2024

Describe the bug

The test-pe test fails.

test-pe.log:

tests/test-pe.c:292: rule does not match contents of'tests/data/079a472d22290a94ebb212aa8015cdc8dd28a968c6b4d3b88acdd58ce2d3b885' (but should)
FAIL test-pe (exit status: 1)

Which points to this line.

assert_true_rule_file(

To Reproduce

make check

Expected behavior

Tests should pass.

Please complete the following information:

  • OS: Gentoo
  • YARA version: 8fa55cd
  • LibreSSL version: 3.8.2

Additional context

Occurs with both my glibc and musl systems, maybe related to using LibreSSL?

test-pe.trs:

:test-result: FAIL
:global-test-result: FAIL
:recheck: yes
:copy-in-global-log: yes
@plusvic
Member

plusvic commented Feb 26, 2024

Yes, it looks related to LibreSSL. The first step is trying to minify the test case, if we are lucky the problem is one specific condition within the rule. For instance, LibreSSL may be formatting issuer or subject strings in a different way. In the worst case the whole signature parsing is failing. If you already have a setup using LibreSSL, could you try removing portions of the rule condition and see if you can find a smaller test that reproduces the issue?

@orbea
Contributor Author

orbea commented Feb 26, 2024

could you try removing portions of the rule condition and see if you can find a smaller test that reproduces the issue?

Yes, when using this patch test-pe passes and I individually tested that each of these lines is problematic.

The issue seems to be with *.length_of_chain == 2 and *.chain[1].*, but I'm still not sure if this is a libressl or yara bug?

--- a/tests/test-pe.c
+++ b/tests/test-pe.c
@@ -342,7 +342,6 @@ int main(int argc, char** argv)
           pe.signatures[0].certificates[3].subject == \"/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA\"  and \
           pe.signatures[0].signer_info.digest == \"845555fec6e472a43b0714911d6c452a092e9632\"  and \
           pe.signatures[0].signer_info.digest_alg == \"sha1\"  and \
-          pe.signatures[0].signer_info.length_of_chain == 2  and \
           pe.signatures[0].signer_info.chain[0].not_after == 1559692799 and \
           pe.signatures[0].signer_info.chain[0].not_before == 1491955200 and \
           pe.signatures[0].signer_info.chain[0].version == 3 and \
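Review bot: removing `pe.signatures[0].signer_info.length_of_chain == 2` discards the one condition that directly measures the divergence. Since this line alone makes the rule fail (per the comment above), the chain built under LibreSSL does not contain two certificates; replacing the literal with the value the module actually reports on LibreSSL (for example `length_of_chain == 1`, if that is what it shows) would make the test document the difference instead of hiding it.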
@@ -352,17 +351,7 @@ int main(int argc, char** argv)
           pe.signatures[0].signer_info.chain[0].thumbprint == \"c1bf1b8f751bf97626ed77f755f0a393106f2454\"  and \
           pe.signatures[0].signer_info.chain[0].issuer == \"/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA\"  and \
           pe.signatures[0].signer_info.chain[0].subject == \"/C=US/ST=California/L=Menlo Park/O=Quicken, Inc./OU=Operations/CN=Quicken, Inc.\"  and \
-          pe.signatures[0].signer_info.chain[1].not_after == 1702166399 and \
-          pe.signatures[0].signer_info.chain[1].not_before == 1386633600 and \
-          pe.signatures[0].signer_info.chain[1].version == 3 and \
-          pe.signatures[0].signer_info.chain[1].serial == \"3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a\"  and \
-          pe.signatures[0].signer_info.chain[1].algorithm == \"sha256WithRSAEncryption\"  and \
-          pe.signatures[0].signer_info.chain[1].algorithm_oid == \"1.2.840.113549.1.1.11\" and \
-          pe.signatures[0].signer_info.chain[1].thumbprint == \"007790f6561dad89b0bcd85585762495e358f8a5\"  and \
-          pe.signatures[0].signer_info.chain[1].issuer == \"/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5\"  and \
-          pe.signatures[0].signer_info.chain[1].subject == \"/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA\"  and \
           pe.signatures[0].number_of_countersignatures == 1  and \
-          pe.signatures[0].countersignatures[0].length_of_chain == 2  and \
           pe.signatures[0].countersignatures[0].digest == \"9fa1188e4c656d86e2d7fa133ee8138ac1ec4ec1\"  and \
           pe.signatures[0].countersignatures[0].digest_alg == \"sha1\"  and \
           pe.signatures[0].countersignatures[0].sign_time == 1528216551  and \
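Review bot: this hunk mixes two separate findings, the signer chain losing its second element (all `signer_info.chain[1].*` lines removed) and the countersignature chain losing its length assertion (`countersignatures[0].length_of_chain == 2`); keep them apart so each can be traced to its cause. Useful for the diagnosis: `number_of_countersignatures == 1`, the countersignature `digest`, `digest_alg` and `sign_time` stay in the condition and still match, so the signature and countersignature structures themselves are parsed under LibreSSL and the divergence is confined to the certificate chains built for them.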
@@ -375,16 +364,7 @@ int main(int argc, char** argv)
           pe.signatures[0].countersignatures[0].chain[0].algorithm_oid == \"1.2.840.113549.1.1.5\" and \
           pe.signatures[0].countersignatures[0].chain[0].thumbprint == \"65439929b67973eb192d6ff243e6767adf0834e4\"  and \
           pe.signatures[0].countersignatures[0].chain[0].issuer == \"/C=US/O=Symantec Corporation/CN=Symantec Time Stamping Services CA - G2\"  and \
-          pe.signatures[0].countersignatures[0].chain[0].subject == \"/C=US/O=Symantec Corporation/CN=Symantec Time Stamping Services Signer - G4\"  and \
-          pe.signatures[0].countersignatures[0].chain[1].not_after == 1609372799 and \
-          pe.signatures[0].countersignatures[0].chain[1].not_before == 1356048000 and \
-          pe.signatures[0].countersignatures[0].chain[1].version == 3 and \
-          pe.signatures[0].countersignatures[0].chain[1].serial == \"7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b\"  and \
-          pe.signatures[0].countersignatures[0].chain[1].algorithm == \"sha1WithRSAEncryption\"  and \
-          pe.signatures[0].countersignatures[0].chain[1].algorithm_oid == \"1.2.840.113549.1.1.5\" and \
-          pe.signatures[0].countersignatures[0].chain[1].thumbprint == \"6c07453ffdda08b83707c09b82fb3d15f35336b1\"  and \
-          pe.signatures[0].countersignatures[0].chain[1].issuer == \"/C=ZA/ST=Western Cape/L=Durbanville/O=Thawte/OU=Thawte Certification/CN=Thawte Timestamping CA\"  and \
-          pe.signatures[0].countersignatures[0].chain[1].subject == \"/C=US/O=Symantec Corporation/CN=Symantec Time Stamping Services CA - G2\" \
+          pe.signatures[0].countersignatures[0].chain[0].subject == \"/C=US/O=Symantec Corporation/CN=Symantec Time Stamping Services Signer - G4\" \
       }",
       "tests/data/"
       "079a472d22290a94ebb212aa8015cdc8dd28a968c6b4d3b88acdd58ce2d3b885");
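Review bot: the `+` line re-adds `countersignatures[0].chain[0].subject` only to drop its trailing `and \`, which is required now that it is the last condition, but the diff reads as though the subject check itself changed; a note that only the trailing `and` moved would avoid that confusion. The removed `countersignatures[0].chain[1].*` lines show the same pattern as the signer chain in the previous hunk: the chain is truncated to its first entry, which is consistent with a chain-building difference rather than a per-field formatting difference.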

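The minimization plusvic suggests and orbea then carried out by hand (removing one condition at a time to see which ones fail), written out as an added example. This is not code from the yara project or from this thread. The `evaluate` callback here is a constructed stand-in that compares `field == literal` clauses against a dict of observed module values; in a real run you would replace it with a function that compiles a one-clause rule with yara-python and scans the sample file. The sample condition and the "observed" values below are constructed to mimic a parser that built a one-element chain, and the hypothetical helper names are mine.

```python
"""Bisect a YARA-style conjunction to find the clauses that fail on their own.

Added example, not yara project code. The evaluator is a constructed stand-in:
it compares `field == literal` clauses against a dict of observed values.
"""
import re
from typing import Callable, Dict, List, Union

Value = Union[int, str]

# Constructed sample: a cut-down version of the condition in the failing test.
CONDITION = r'''
    pe.signatures[0].signer_info.digest_alg == "sha1" and
    pe.signatures[0].signer_info.length_of_chain == 2 and
    pe.signatures[0].signer_info.chain[0].version == 3 and
    pe.signatures[0].signer_info.chain[1].version == 3 and
    pe.signatures[0].number_of_countersignatures == 1
'''

# Constructed observation: what a module backed by a parser that built only a
# one-element chain might expose. chain[1] is absent and length_of_chain is 1.
OBSERVED_SHORT_CHAIN: Dict[str, Value] = {
    "pe.signatures[0].signer_info.digest_alg": "sha1",
    "pe.signatures[0].signer_info.length_of_chain": 1,
    "pe.signatures[0].signer_info.chain[0].version": 3,
    "pe.signatures[0].number_of_countersignatures": 1,
}

CLAUSE_RE = re.compile(r'^\s*(?P<field>[\w.\[\]]+)\s*==\s*(?P<lit>"[^"]*"|\d+)\s*$')


def split_conjunction(condition: str) -> List[str]:
    """Split a flat `x and y and z` condition into clauses, ignoring an `and`
    that sits inside a double-quoted literal (subject strings contain spaces).
    The test-pe conditions are flat conjunctions, so no nesting is handled."""
    flat = " ".join(condition.split())
    clauses: List[str] = []
    current: List[str] = []
    in_string = False
    for tok in flat.split(" "):
        if tok == "and" and not in_string:
            clauses.append(" ".join(current))
            current = []
            continue
        current.append(tok)
        if tok.count('"') % 2:  # an odd number of quotes toggles string state
            in_string = not in_string
    if current:
        clauses.append(" ".join(current))
    return clauses


def parse_literal(lit: str) -> Value:
    """Turn the right-hand side of a clause into a Python value."""
    return lit[1:-1] if lit.startswith('"') else int(lit)


def make_evaluator(observed: Dict[str, Value]) -> Callable[[str], bool]:
    """Build the stand-in evaluator. A clause holds only when the field exists
    and equals the literal; an undefined field never satisfies a comparison,
    mirroring how YARA treats comparisons against undefined values."""
    def evaluate(clause: str) -> bool:
        m = CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        field = m.group("field")
        return field in observed and observed[field] == parse_literal(m.group("lit"))
    return evaluate


def failing_clauses(condition: str, evaluate: Callable[[str], bool]) -> List[str]:
    """Test every clause in isolation and return the ones that do not hold:
    the 'remove portions of the condition' step, done exhaustively."""
    return [c for c in split_conjunction(condition) if not evaluate(c)]


def minimized_condition(condition: str, evaluate: Callable[[str], bool]) -> str:
    """Rejoin only the clauses that hold, i.e. the largest passing subset,
    which is what the posted patch arrives at by hand."""
    kept = [c for c in split_conjunction(condition) if evaluate(c)]
    return " and\n".join(kept)


if __name__ == "__main__":
    ev = make_evaluator(OBSERVED_SHORT_CHAIN)
    for clause in failing_clauses(CONDITION, ev):
        print("FAILS:", clause)
    print("passing subset:\n" + minimized_condition(CONDITION, ev))
```

With yara-python the evaluator would compile `import "pe" rule t { condition: <clause> }` for each clause and scan the sample, so the failing list comes straight from the library under test (OpenSSL or LibreSSL) rather than from a constructed dict.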
@metthal
Contributor

metthal commented Mar 2, 2024

Please report it to us at avast/authenticode-parser as that's what's being used for authenticode parsing. We never really tested against LibreSSL so it might need some work.

@metthal
Contributor

metthal commented Mar 2, 2024

I tried to have a short look at it. Our authenticode-parser relies on X509_verify_cert to actually build a certificate chain, even if it's incomplete. That's how it behaves in OpenSSL and it is a documented behavior. However LibreSSL seems to have taken a different approach and they even complain in their code about the behavior of OpenSSL, so I suspect it might have to do something with that.

/*
 * This is the effectively broken legacy OpenSSL chain builder. It   
 * might find an unvalidated chain and leave it sitting in
 * ctx->chain. It does not correctly handle many cases where multiple
 * chains could exist.
 *
 * Oh no.. I know a dirty word...
 * Oooooooh..
 */  

However, even forcing the legacy verifier didn't result in what OpenSSL provides, so I might have to dig deeper. I'll let you know about any updates.

@orbea
Contributor Author

orbea commented Mar 3, 2024

Thanks, if there is anything I can communicate with the LibreSSL developers please let me know.
