Test failure on OpenBSD - tests/test-pe.c:390: rule does not match contents

[lcheylus]

Bug

• Build of YARA v4.5.1 on OpenBSD current/amd64 (future version 7.6) OK
• Error when running test with make check

tests/test-pe.c:390: rule does not match contents of'tests/data/079a472d22290a94ebb212aa8015cdc8dd28a968c6b4d3b88acdd58ce2d3b885' (but should)

Expected behavior
All tests should pass.

Please complete the following information:

• OS: OpenBSD current/amd64 (OpenBSD 7.5-current (GENERIC.MP) #93)
• YARA version: 4.5.1 built from sources
• LibreSSL 3.9.0

[plusvic]

This looks like a difference between openssl and libressl. I don't have an installation with libressl around, could you try to comment out lines in the test below until you get a more minimalistic test that reproduces the issue?

yara/tests/test-pe.c

Lines 294 to 388 in 8616165

	rule test { \
	condition: \
	pe.is_signed and \
	pe.number_of_signatures == 1 and \
	pe.signatures[0].thumbprint == \"c1bf1b8f751bf97626ed77f755f0a393106f2454\" and \
	pe.signatures[0].subject == \"/C=US/ST=California/L=Menlo Park/O=Quicken, Inc./OU=Operations/CN=Quicken, Inc.\" and \
	pe.signatures[0].verified and \
	pe.signatures[0].digest_alg == \"sha1\" and \
	pe.signatures[0].digest == \"f4ca190ec9052243b8882d492b1c12d04da7817f\" and \
	pe.signatures[0].algorithm == \"sha256WithRSAEncryption\" and \
	pe.signatures[0].algorithm_oid == \"1.2.840.113549.1.1.11\" and \
	pe.signatures[0].file_digest == \"f4ca190ec9052243b8882d492b1c12d04da7817f\" and \
	pe.signatures[0].number_of_certificates == 4 and \
	pe.signatures[0].certificates[0].not_after == 1609372799 and \
	pe.signatures[0].certificates[0].not_before == 1356048000 and \
	pe.signatures[0].certificates[0].version == 3 and \
	pe.signatures[0].certificates[0].serial == \"7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b\" and \
	pe.signatures[0].certificates[0].algorithm == \"sha1WithRSAEncryption\" and \
	pe.signatures[0].certificates[0].algorithm_oid == \"1.2.840.113549.1.1.5\" and \
	pe.signatures[0].certificates[0].thumbprint == \"6c07453ffdda08b83707c09b82fb3d15f35336b1\" and \
	pe.signatures[0].certificates[0].issuer == \"/C=ZA/ST=Western Cape/L=Durbanville/O=Thawte/OU=Thawte Certification/CN=Thawte Timestamping CA\" and \
	pe.signatures[0].certificates[0].subject == \"/C=US/O=Symantec Corporation/CN=Symantec Time Stamping Services CA - G2\" and \
	pe.signatures[0].certificates[1].not_after == 1609286399 and \
	pe.signatures[0].certificates[1].not_before == 1350518400 and \
	pe.signatures[0].certificates[1].version == 3 and \
	pe.signatures[0].certificates[1].serial == \"0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50\" and \
	pe.signatures[0].certificates[1].algorithm == \"sha1WithRSAEncryption\" and \
	pe.signatures[0].certificates[1].algorithm_oid == \"1.2.840.113549.1.1.5\" and \
	pe.signatures[0].certificates[1].thumbprint == \"65439929b67973eb192d6ff243e6767adf0834e4\" and \
	pe.signatures[0].certificates[1].issuer == \"/C=US/O=Symantec Corporation/CN=Symantec Time Stamping Services CA - G2\" and \
	pe.signatures[0].certificates[1].subject == \"/C=US/O=Symantec Corporation/CN=Symantec Time Stamping Services Signer - G4\" and \
	pe.signatures[0].certificates[2].not_after == 1559692799 and \
	pe.signatures[0].certificates[2].not_before == 1491955200 and \
	pe.signatures[0].certificates[2].version == 3 and \
	pe.signatures[0].certificates[2].serial == \"21:bd:b2:cb:ec:e5:43:1e:24:f7:56:74:d6:0e:9c:1d\" and \
	pe.signatures[0].certificates[2].algorithm == \"sha256WithRSAEncryption\" and \
	pe.signatures[0].certificates[2].algorithm_oid == \"1.2.840.113549.1.1.11\" and \
	pe.signatures[0].certificates[2].thumbprint == \"c1bf1b8f751bf97626ed77f755f0a393106f2454\" and \
	pe.signatures[0].certificates[2].issuer == \"/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA\" and \
	pe.signatures[0].certificates[2].subject == \"/C=US/ST=California/L=Menlo Park/O=Quicken, Inc./OU=Operations/CN=Quicken, Inc.\" and \
	pe.signatures[0].certificates[3].not_after == 1702166399 and \
	pe.signatures[0].certificates[3].not_before == 1386633600 and \
	pe.signatures[0].certificates[3].version == 3 and \
	pe.signatures[0].certificates[3].serial == \"3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a\" and \
	pe.signatures[0].certificates[3].algorithm == \"sha256WithRSAEncryption\" and \
	pe.signatures[0].certificates[3].algorithm_oid == \"1.2.840.113549.1.1.11\" and \
	pe.signatures[0].certificates[3].thumbprint == \"007790f6561dad89b0bcd85585762495e358f8a5\" and \
	pe.signatures[0].certificates[3].issuer == \"/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5\" and \
	pe.signatures[0].certificates[3].subject == \"/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA\" and \
	pe.signatures[0].signer_info.digest == \"845555fec6e472a43b0714911d6c452a092e9632\" and \
	pe.signatures[0].signer_info.digest_alg == \"sha1\" and \
	pe.signatures[0].signer_info.length_of_chain == 2 and \
	pe.signatures[0].signer_info.chain[0].not_after == 1559692799 and \
	pe.signatures[0].signer_info.chain[0].not_before == 1491955200 and \
	pe.signatures[0].signer_info.chain[0].version == 3 and \
	pe.signatures[0].signer_info.chain[0].serial == \"21:bd:b2:cb:ec:e5:43:1e:24:f7:56:74:d6:0e:9c:1d\" and \
	pe.signatures[0].signer_info.chain[0].algorithm == \"sha256WithRSAEncryption\" and \
	pe.signatures[0].signer_info.chain[0].algorithm_oid == \"1.2.840.113549.1.1.11\" and \
	pe.signatures[0].signer_info.chain[0].thumbprint == \"c1bf1b8f751bf97626ed77f755f0a393106f2454\" and \
	pe.signatures[0].signer_info.chain[0].issuer == \"/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA\" and \
	pe.signatures[0].signer_info.chain[0].subject == \"/C=US/ST=California/L=Menlo Park/O=Quicken, Inc./OU=Operations/CN=Quicken, Inc.\" and \
	pe.signatures[0].signer_info.chain[1].not_after == 1702166399 and \
	pe.signatures[0].signer_info.chain[1].not_before == 1386633600 and \
	pe.signatures[0].signer_info.chain[1].version == 3 and \
	pe.signatures[0].signer_info.chain[1].serial == \"3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a\" and \
	pe.signatures[0].signer_info.chain[1].algorithm == \"sha256WithRSAEncryption\" and \
	pe.signatures[0].signer_info.chain[1].algorithm_oid == \"1.2.840.113549.1.1.11\" and \
	pe.signatures[0].signer_info.chain[1].thumbprint == \"007790f6561dad89b0bcd85585762495e358f8a5\" and \
	pe.signatures[0].signer_info.chain[1].issuer == \"/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5\" and \
	pe.signatures[0].signer_info.chain[1].subject == \"/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA\" and \
	pe.signatures[0].number_of_countersignatures == 1 and \
	pe.signatures[0].countersignatures[0].length_of_chain == 2 and \
	pe.signatures[0].countersignatures[0].digest == \"9fa1188e4c656d86e2d7fa133ee8138ac1ec4ec1\" and \
	pe.signatures[0].countersignatures[0].digest_alg == \"sha1\" and \
	pe.signatures[0].countersignatures[0].sign_time == 1528216551 and \
	pe.signatures[0].countersignatures[0].verified and \
	pe.signatures[0].countersignatures[0].chain[0].not_after == 1609286399 and \
	pe.signatures[0].countersignatures[0].chain[0].not_before == 1350518400 and \
	pe.signatures[0].countersignatures[0].chain[0].version == 3 and \
	pe.signatures[0].countersignatures[0].chain[0].serial == \"0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50\" and \
	pe.signatures[0].countersignatures[0].chain[0].algorithm == \"sha1WithRSAEncryption\" and \
	pe.signatures[0].countersignatures[0].chain[0].algorithm_oid == \"1.2.840.113549.1.1.5\" and \
	pe.signatures[0].countersignatures[0].chain[0].thumbprint == \"65439929b67973eb192d6ff243e6767adf0834e4\" and \
	pe.signatures[0].countersignatures[0].chain[0].issuer == \"/C=US/O=Symantec Corporation/CN=Symantec Time Stamping Services CA - G2\" and \
	pe.signatures[0].countersignatures[0].chain[0].subject == \"/C=US/O=Symantec Corporation/CN=Symantec Time Stamping Services Signer - G4\" and \
	pe.signatures[0].countersignatures[0].chain[1].not_after == 1609372799 and \
	pe.signatures[0].countersignatures[0].chain[1].not_before == 1356048000 and \
	pe.signatures[0].countersignatures[0].chain[1].version == 3 and \
	pe.signatures[0].countersignatures[0].chain[1].serial == \"7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b\" and \
	pe.signatures[0].countersignatures[0].chain[1].algorithm == \"sha1WithRSAEncryption\" and \
	pe.signatures[0].countersignatures[0].chain[1].algorithm_oid == \"1.2.840.113549.1.1.5\" and \
	pe.signatures[0].countersignatures[0].chain[1].thumbprint == \"6c07453ffdda08b83707c09b82fb3d15f35336b1\" and \
	pe.signatures[0].countersignatures[0].chain[1].issuer == \"/C=ZA/ST=Western Cape/L=Durbanville/O=Thawte/OU=Thawte Certification/CN=Thawte Timestamping CA\" and \
	pe.signatures[0].countersignatures[0].chain[1].subject == \"/C=US/O=Symantec Corporation/CN=Symantec Time Stamping Services CA - G2\" \
	}",

[lcheylus]

After a lot of iterations (modify test-pe in tests/test-pe.c, rebuild and test with make check), I have 2 cases of minimalist test that reproduces the issue:

• pe.signatures[0].signer_info.length_of_chain == 2
• pe.signatures[0].countersignatures[0].length_of_chain == 2

After some searchs in issues, mine seems to be a duplicate of #2046.

[lcheylus]

I would like to try to build Yara on OpenBSD using OpenSSL lib instead of LibreSSL.

• OpenSSL version 3.1.6 installed via openssl OpenBSD packages
• includes in /usr/local/include/eopenssl31/openssl/
• libs in /usr/local/lib/eopenssl31/

I don't find in configure script how to use OpenSSL instead of LibreSSL. Is there an options/flag in configure script to do this ?
I checked configure.ac file for AC_CHECK_HEADERS / AC_CHECK_LIB for openssl/crypto but I don't find how to modify theses checks.

[lcheylus]

FYI, I succeeded to compile and test Yara with OpenSSL instead of LibreSSL on OpenBSD (amd64).

• Install of OpenSSL version 3.1.6 via pkg_add openssl-3.1.6v0

$ /usr/local/bin/eopenssl31 version
OpenSSL 3.1.6 4 Jun 2024 (Library: OpenSSL 3.1.6 4 Jun 2024)

• Build of Yara with OpenSSL

$ ./configure --enable-cuckoo --enable-magic --enable-dex --enable-macho --with-crypto CPPFLAGS=-I/usr/local/include/eopenssl31 LDFLAGS=-L/usr/local/lib/eopenssl31
$ make
(...)
$ LD_LIBRARY_PATH=/usr/local/lib/eopenssl31/ ./yara -v
4.5.1

• Tests of Yara => no error for test-pe

$ LD_LIBRARY_PATH=/usr/local/lib/eopenssl31/ make check
(...)
make  check-TESTS
PASS: test-arena
PASS: test-alignment
PASS: test-atoms
PASS: test-api
PASS: test-rules
PASS: test-pe
PASS: test-elf
PASS: test-version
PASS: test-bitmask
PASS: test-math
PASS: test-stack
PASS: test-re-split
PASS: test-async
PASS: test-string
PASS: test-exception
PASS: test-macho
PASS: test-dex
PASS: test-dotnet
PASS: test-magic
make  all-am
============================================================================
Testsuite summary for yara 4.5.1
============================================================================
# TOTAL: 19
# PASS:  19
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0
============================================================================