Bug 247267 - mail/alpine: 2.22 on 12.1-RELEASE-p6 (OpenSSL 1.1.1d) produces incorrect S/MIME signatures. 12.0-STABLE r345375 (OpenSSl 1.1.1b) works
Summary: mail/alpine: 2.22 on 12.1-RELEASE-p6 (OpenSSL 1.1.1d) produces incorrect S/MI...
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: freebsd-ports-bugs (Nobody)
URL:
Keywords: needs-patch, needs-qa, regression
Depends on: 247435
Blocks:
  Show dependency treegraph
 
Reported: 2020-06-15 02:37 UTC by Marcin Cieślak
Modified: 2020-07-11 18:10 UTC (History)
3 users (show)

See Also:
bugzilla: maintainer-feedback? (mbeis)
koobs: maintainer-feedback? (brnrd)


Attachments
Reproduction case files as a tarfile (65.50 KB, application/x-tar)
2020-06-15 02:37 UTC, Marcin Cieślak
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Marcin Cieślak 2020-06-15 02:37:28 UTC
Created attachment 215569 [details]
Reproduction case files as a tarfile

I'm trying to track the difference between

alpine 2.22 - FreeBSD 12.0-STABLE r345375
OpenSSL 1.1.1b-freebsd  26 Feb 2019
alpine built from ports

vs

alpine 2.22 - FreeBSD 12.1-RELEASE-p6  (fresh install)
OpenSSL 1.1.1d-freebsd  10 Sep 2019
alpine from packages/build from ports as well

The problem was with FreeBSD 12.1-RELEASE as well (upgrade to p6 did not change anything).

I have also copied the 12.0 alpine binary to 12.1 and vice versa and it did not fix the issue.

I have enabled S/MIME signing by default and the emails sent with alpine 2.22 from the 12.1 machine have a broken signature.

I have tracked this down to the difference in the sha256 hash in the message:

FreeBSD 12.0 machine generates a proper hash:

 2971:d=8  hl=2 l=  32 prim: OCTET STRING      [HEX DUMP]:9DD6716C5FA06FB131A4F1F099D8E81B29621D73672A96B38291EFB27E553503

FreeBSD 12.1 machine generates something improper:

 2971:d=8  hl=2 l=  32 prim: OCTET STRING      [HEX DUMP]:F6256B618764C64F31EF7D22F7609D2FA328F92F574048E397FFA62E99CBC917

In the attached files, "m" refers to the 12.0 machine, "q" to the 12.1 machine.

Files attached ->

two_messages/m.eml < message from 12.0 as received with gmail
two_messages/q.eml < message from 12.1 as received with gmail

S/MIME PKCS#7 binary attachments extracted with munpack:

two_messages/smime.m/smime.desc
two_messages/smime.m/smime.p7s
two_messages/smime.q/smime.desc
two_messages/smime.q/smime.p7s

Results of "openssl asn1parse -inform der" on the "p7s" files:

two_messages/m.asn1
two_messages/q.asn1


Plaintext messages obtained via "openssl cms -verify -in X.eml"

two_messages/m.plaintext
two_messages/q.plaintext

verification results:


> openssl cms -in m.eml -verify > /dev/null
Verification successful
> openssl cms -in q.eml -verify > /dev/null
Verification failure
34380907704:error:2E09A09E:CMS routines:CMS_SignerInfo_verify_content:verification failure:/usr/src/crypto/openssl/crypto/cms/cms_sd.c:853:
34380907704:error:2E09D06D:CMS routines:CMS_verify:content verify error:/usr/src/crypto/openssl/crypto/cms/cms_smime.c:393:

> sha256 two_messages/m.plaintext
SHA256 (two_messages/m.plaintext) = 9dd6716c5fa06fb131a4f1f099d8e81b29621d73672a96b38291efb27e553503
> sha256 two_messages/q.plaintext
SHA256 (two_messages/q.plaintext) = 9dd6716c5fa06fb131a4f1f099d8e81b29621d73672a96b38291efb27e553503

locale setting on both machines:

pl_PL.UTF-8

.pinerc .addressbook and the mailboxes have been copied from 12.0 to 12.1
Comment 1 Marcin Cieślak 2020-06-15 02:48:00 UTC
Update:

1)

those are two distinct machines, the 12.1-RELEASE-p6 has been installed from scratch (12.1-RELEASE plus freebsd-upgrade). alpine configuration and files hav been copied over, including S/MIME keys and certificates.

2) 

alpine 2.22 has been built on 12.0-STABLE from ports using 

# $FreeBSD: head/mail/alpine/Makefile 523707 2020-01-21 09:14:44Z joneum $

# make showconfig
===> The following configuration options are available for alpine-2.22:
     ASPELL=on: Spell checking support via GNU Aspell
     CONS25=on: Add a patch to support color for default console
     DOCS=on: Build and/or install documentation
     IPV6=on: IPv6 protocol support
     LDAP=off: LDAP protocol support
     MAILDIR=off: Add a patch to support maildir
     MOUSE=on: Mouse support
     NLS=on: Native Language Support
     NTLM=off: Support for Windows NT Lan Manager authentication
     PASSFILE=off: Support for a stored password file
     THREADS=on: Threading support

alpine 2.22 has been built on 12.1-RELEASE using ports tree

# $FreeBSD: head/mail/alpine/Makefile 523707 2020-01-21 09:14:44Z joneum $

% make showconfig
===> The following configuration options are available for alpine-2.22:
     ASPELL=on: Spell checking support via GNU Aspell
     CONS25=off: Add a patch to support color for default console
     DOCS=on: Build and/or install documentation
     IPV6=on: IPv6 protocol support
     LDAP=off: LDAP protocol support
     MAILDIR=off: Add a patch to support maildir
     MOUSE=on: Mouse support
     NLS=on: Native Language Support
     NTLM=off: Support for Windows NT Lan Manager authentication
     PASSFILE=off: Support for a stored password file
     THREADS=on: Threading support
===> Use 'make config' to modify these settings


3) "something improper" means the value F6256B618764C64F31EF7D22F7609D2FA328F92F574048E397FFA62E99CBC917 is not a proper SHA-256 hash of the message
Comment 2 Marcin Cieślak 2020-06-15 02:50:53 UTC
1) 12.0-STABLE is a physical machine running on 

FreeBSD 12.0-STABLE r345375 GENERIC amd64
FreeBSD clang version 7.0.1 (tags/RELEASE_701/final 349250) (based on LLVM 7.0.1)
VT(vga): resolution 640x480
CPU: AMD Athlon(tm) 64 X2 Dual Core Processor 5600+ (2900.29-MHz K8-class CPU)
  Origin="AuthenticAMD"  Id=0x60fb2  Family=0xf  Model=0x6b  Stepping=2
  Features=0x178bfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUS
H,MMX,FXSR,SSE,SSE2,HTT>
  Features2=0x2001<SSE3,CX16>
  AMD Features=0xea500800<SYSCALL,NX,MMX+,FFXSR,RDTSCP,LM,3DNow!+,3DNow!>
  AMD Features2=0x11f<LAHF,CMP,SVM,ExtAPIC,CR8,Prefetch>
  SVM: NAsids=64

2) 12.1-RELEASE-p6 machine is a Xen HVM guest:

FreeBSD 12.1-RELEASE-p6 GENERIC amd64
FreeBSD clang version 8.0.1 (tags/RELEASE_801/final 366581) (based on LLVM 8.0.1)
VT(vga): text 80x25
XEN: Hypervisor version 4.9 detected.
CPU: Intel(R) Xeon(R) CPU E5-2660 v2 @ 2.20GHz (2200.07-MHz K8-class CPU)
  Origin="GenuineIntel"  Id=0x306e4  Family=0x6  Model=0x3e  Stepping=4
  Features=0x1fc3fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT>
  Features2=0xffba2203<SSE3,PCLMULQDQ,SSSE3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,TSCDLT,AESNI,XSAVE,OSXSAVE,AVX,F16C,RDRAND,HV>
  AMD Features=0x2c100800<SYSCALL,NX,Page1GB,RDTSCP,LM>
  AMD Features2=0x1<LAHF>
  Structured Extended Features=0x281<FSGSBASE,SMEP,ERMS>
  Structured Extended Features3=0x9c000400<MD_CLEAR,IBPB,STIBP,L1DFL,SSBD>
  XSAVE Features=0x1<XSAVEOPT>
  AMD Extended Feature Extensions ID EBX=0x1000
Hypervisor: Origin = "XenVMMXenVMM"
Comment 3 Marcin Cieślak 2020-06-27 21:27:42 UTC
Good news from upstream:

there is a fix at

https://repo.or.cz/alpine.git/commit/529d58309bc7ec042b668a90817eabe4522507e0

They say it broke with 1.1.1 series but I am pretty sure it worked with 1.1.1b on FreeBSD 11.x.

However, the patch fixes it for 12.1
Comment 4 Carlo Strub freebsd_committer 2020-07-11 15:02:25 UTC
Port was updated. Please verify if this is resolved.
Comment 5 Marcin Cieślak 2020-07-11 18:09:54 UTC
Yes, alpine 2.23.2 build from ports produces valid signatures. Thanks!