Fix EXE/DLL cert verification #727

Merged: val-ms merged 3 commits into Cisco-Talos:main from val-ms:CLAM-2015-cert-verify on Oct 22, 2022

@val-ms val-ms commented Oct 19, 2022

RSA certificate verification is failing because we accidentally lowered the max size of numbers for floating point multiplication with TomsFastMath when upgrading the vendored library code.

This commit restores the default from 4096 to 8192.

Fixes #604
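
Why a lower size cap can break RSA verification for larger keys, as an added model that is not ClamAV or TomsFastMath code: multiplying two n-bit values needs 2n bits of room, so a 4096-bit cap cannot hold the square of a 4096-bit operand. The names `fixed_int`, `fixed_mul`, `square_max_value` and `ERR_VAL` are hypothetical, the 2048/4096-bit operand sizes are chosen for illustration, and the model assumes the library rejects an oversized operation instead of truncating it (padding digits in the real limit are ignored).

```c
#include <stdint.h>
#include <stdio.h>

#define DIGIT_BIT 32
#define MAX_DIGITS 512   /* backing store big enough for either cap below */
#define OK 0
#define ERR_VAL 1        /* hypothetical status, modelled on the "failed with 1" warning */

typedef struct { uint32_t dp[MAX_DIGITS]; int used; } fixed_int;

/* Schoolbook multiply into a result limited to cap_bits; refuse rather than truncate. */
static int fixed_mul(const fixed_int *a, const fixed_int *b, fixed_int *c, int cap_bits) {
    int cap = cap_bits / DIGIT_BIT;
    if (cap > MAX_DIGITS || a->used + b->used > cap) return ERR_VAL;
    fixed_int t = {{0}, 0};
    for (int i = 0; i < a->used; i++) {
        uint64_t carry = 0;
        for (int j = 0; j < b->used; j++) {
            uint64_t v = (uint64_t)a->dp[i] * b->dp[j] + t.dp[i + j] + carry;
            t.dp[i + j] = (uint32_t)v;
            carry = v >> 32;
        }
        t.dp[i + b->used] = (uint32_t)carry;
    }
    t.used = a->used + b->used;
    while (t.used > 0 && t.dp[t.used - 1] == 0) t.used--;
    *c = t;
    return OK;
}

/* Square the largest operand_bits-wide value, as one modexp step on a key that size would. */
static int square_max_value(int operand_bits, int cap_bits, int *product_bits) {
    fixed_int x = {{0}, 0}, y;
    *product_bits = 0;
    if (operand_bits < 0 || operand_bits / DIGIT_BIT > MAX_DIGITS) return ERR_VAL;
    x.used = operand_bits / DIGIT_BIT;
    for (int i = 0; i < x.used; i++) x.dp[i] = 0xFFFFFFFFu;
    int rc = fixed_mul(&x, &x, &y, cap_bits);
    if (rc == OK) *product_bits = y.used * DIGIT_BIT;
    return rc;
}

int main(void) {
    int bits, rc = square_max_value(4096, 4096, &bits);
    printf("cap=4096 key=4096 -> rc=%d\n", rc);
    rc = square_max_value(4096, 8192, &bits);
    printf("cap=8192 key=4096 -> rc=%d product_bits=%d\n", rc, bits);
}
```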

@shutton shutton left a comment

Moar bits...

RSA certificate verification is failing because we accidentally lowered
the max size of numbers for floating point multiplication with
TomsFastMath when upgrading the vendored library code.

This commit restores the default from 4096 to 8192.

The function `cli_scan_fmap()` is where we check PE authenticode
certificates. But it is only returning CL_CLEAN, CL_VIRUS, or file
types. It should propagate errors as well as CL_VERIFIED, if the
authenticode finds we should trust the file.

The PE cert test can be enabled now that the cert trust feature is
fixed. In so doing I found an issue with it -- it was also using the
block-certificate signature, which overrides the trust-certificate
signatures. This made me realize that we should also have a test to make
sure the block-cert signatures take precedence over the trust-cert sigs.

I fixed the original sig and added this second test case.
@val-ms val-ms force-pushed the CLAM-2015-cert-verify branch from 92fd7dc to e2f7167 Compare October 20, 2022 04:05
@val-ms val-ms added and removed the 🍒cherry-pick-candidate label (a PR that should be backported once approved) Oct 21, 2022

val-ms commented Oct 22, 2022

Backporting this one is too much pain. The recent allmatch fixes work cleaned up so much error handling that made this work reliably. Simply cherrypicking this fix does not cause certificate verification to correctly trust a file. A number of bugs exist causing it to continue scanning instead of aborting. Users will have to upgrade from 0.105 -> 1.0 for cert verification to work.

@val-ms val-ms merged commit bed65c9 into Cisco-Talos:main Oct 22, 2022
@val-ms val-ms deleted the CLAM-2015-cert-verify branch October 22, 2022 00:21

Successfully merging this pull request may close these issues.

What's the meaning of 'LibClamAV Warning: crtmgr_rsa_verify: verification failed: fp_exptmod failed with 1' win7 x64 v105
