Bug 247267 - mail/alpine: 2.22 on 12.1-RELEASE-p6 (OpenSSL 1.1.1d) produces incorrect S/MIME signatures. 12.0-STABLE r345375 (OpenSSL 1.1.1b) works
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-ports-bugs (Nobody)
URL:
Keywords: needs-patch, needs-qa, regression
Depends on: 247435
Blocks:
Reported: 2020-06-15 02:37 UTC by Marcin Cieślak
Modified: 2020-07-11 18:10 UTC

See Also:
bugzilla: maintainer-feedback? (mbeis)
koobs: maintainer-feedback? (brnrd)


Attachments
Reproduction case files as a tarfile (65.50 KB, application/x-tar)
2020-06-15 02:37 UTC, Marcin Cieślak

Description Marcin Cieślak 2020-06-15 02:37:28 UTC
Created attachment 215569
Reproduction case files as a tarfile

I'm trying to track the difference between

alpine 2.22 - FreeBSD 12.0-STABLE r345375
OpenSSL 1.1.1b-freebsd  26 Feb 2019
alpine built from ports

vs

alpine 2.22 - FreeBSD 12.1-RELEASE-p6  (fresh install)
OpenSSL 1.1.1d-freebsd  10 Sep 2019
alpine from packages/build from ports as well

The problem was with FreeBSD 12.1-RELEASE as well (upgrade to p6 did not change anything).

I have also copied the 12.0 alpine binary to 12.1 and vice versa and it did not fix the issue.

I have enabled S/MIME signing by default and the emails sent with alpine 2.22 from the 12.1 machine have a broken signature.

I have tracked this down to the difference in the sha256 hash in the message:

FreeBSD 12.0 machine generates a proper hash:

 2971:d=8  hl=2 l=  32 prim: OCTET STRING      [HEX DUMP]:9DD6716C5FA06FB131A4F1F099D8E81B29621D73672A96B38291EFB27E553503

FreeBSD 12.1 machine generates something improper:

 2971:d=8  hl=2 l=  32 prim: OCTET STRING      [HEX DUMP]:F6256B618764C64F31EF7D22F7609D2FA328F92F574048E397FFA62E99CBC917

In the attached files, "m" refers to the 12.0 machine, "q" to the 12.1 machine.

Files attached ->

two_messages/m.eml < message from 12.0 as received with gmail
two_messages/q.eml < message from 12.1 as received with gmail

S/MIME PKCS#7 binary attachments extracted with munpack:

two_messages/smime.m/smime.desc
two_messages/smime.m/smime.p7s
two_messages/smime.q/smime.desc
two_messages/smime.q/smime.p7s

Results of "openssl asn1parse -inform der" on the "p7s" files:

two_messages/m.asn1
two_messages/q.asn1


Plaintext messages obtained via "openssl cms -verify -in X.eml"

two_messages/m.plaintext
two_messages/q.plaintext

verification results:


> openssl cms -in m.eml -verify > /dev/null
Verification successful
> openssl cms -in q.eml -verify > /dev/null
Verification failure
34380907704:error:2E09A09E:CMS routines:CMS_SignerInfo_verify_content:verification failure:/usr/src/crypto/openssl/crypto/cms/cms_sd.c:853:
34380907704:error:2E09D06D:CMS routines:CMS_verify:content verify error:/usr/src/crypto/openssl/crypto/cms/cms_smime.c:393:

> sha256 two_messages/m.plaintext
SHA256 (two_messages/m.plaintext) = 9dd6716c5fa06fb131a4f1f099d8e81b29621d73672a96b38291efb27e553503
> sha256 two_messages/q.plaintext
SHA256 (two_messages/q.plaintext) = 9dd6716c5fa06fb131a4f1f099d8e81b29621d73672a96b38291efb27e553503

locale setting on both machines:

pl_PL.UTF-8

.pinerc .addressbook and the mailboxes have been copied from 12.0 to 12.1
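
The comparison made in the description above (the 32-byte OCTET STRING from `openssl asn1parse` against the SHA-256 of the signed content) can be automated. This is an added example, not part of the original report and not code from alpine or OpenSSL; it assumes a DER-encoded `smime.p7s`, a SHA-256 digest algorithm, and that `signed_content` holds the exact bytes that were signed. All function names and the sample data are constructed for illustration.

```python
import hashlib

# DER encoding of OID 1.2.840.113549.1.9.4 (PKCS#9 messageDigest)
MESSAGE_DIGEST_OID = bytes.fromhex("2a864886f70d010904")

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length == 0x80:
        raise ValueError("indefinite length (BER) is not handled here")
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def find_message_digest(buf, start=0, end=None):
    """Depth-first search for the messageDigest attribute value."""
    end = len(buf) if end is None else end
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        if tag == 0x06 and buf[vs:ve] == MESSAGE_DIGEST_OID and ve < end:
            set_tag, ss, se = read_tlv(buf, ve)        # SET OF AttributeValue
            if set_tag == 0x31 and ss < se:
                oct_tag, os_, oe = read_tlv(buf, ss)   # OCTET STRING
                if oct_tag == 0x04:
                    return buf[os_:oe]
        if tag & 0x20:  # constructed (SEQUENCE, SET, [0], ...): descend
            found = find_message_digest(buf, vs, ve)
            if found is not None:
                return found
        pos = ve
    return None

def check_digest(p7s_der, signed_content):
    """Compare the signed messageDigest with SHA-256 of the content."""
    claimed = find_message_digest(p7s_der)
    actual = hashlib.sha256(signed_content).digest()
    return claimed is not None and claimed == actual

# Constructed sample: a bare signedAttrs fragment, not a real signature.
def tlv(tag, value):
    return bytes([tag, len(value)]) + value  # short-form lengths only

def sample_signed_attrs(digest):
    attr = tlv(0x30, tlv(0x06, MESSAGE_DIGEST_OID) + tlv(0x31, tlv(0x04, digest)))
    return tlv(0xA0, attr)

BODY = b"Content-Type: text/plain\r\n\r\nconstructed test body\r\n"
GOOD = sample_signed_attrs(hashlib.sha256(BODY).digest())
BAD = sample_signed_attrs(hashlib.sha256(b"some other bytes").digest())
```

A mismatch here only shows that the signer hashed different bytes than the verifier sees; it does not validate the signature or the certificate chain, which `openssl cms -verify` still has to do.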
Comment 1 Marcin Cieślak 2020-06-15 02:48:00 UTC
Update:

1)

Those are two distinct machines; the 12.1-RELEASE-p6 has been installed from scratch (12.1-RELEASE plus freebsd-upgrade). alpine configuration and files have been copied over, including S/MIME keys and certificates.

2) 

alpine 2.22 has been built on 12.0-STABLE from ports using 

# $FreeBSD: head/mail/alpine/Makefile 523707 2020-01-21 09:14:44Z joneum $

# make showconfig
===> The following configuration options are available for alpine-2.22:
     ASPELL=on: Spell checking support via GNU Aspell
     CONS25=on: Add a patch to support color for default console
     DOCS=on: Build and/or install documentation
     IPV6=on: IPv6 protocol support
     LDAP=off: LDAP protocol support
     MAILDIR=off: Add a patch to support maildir
     MOUSE=on: Mouse support
     NLS=on: Native Language Support
     NTLM=off: Support for Windows NT Lan Manager authentication
     PASSFILE=off: Support for a stored password file
     THREADS=on: Threading support

alpine 2.22 has been built on 12.1-RELEASE using ports tree

# $FreeBSD: head/mail/alpine/Makefile 523707 2020-01-21 09:14:44Z joneum $

% make showconfig
===> The following configuration options are available for alpine-2.22:
     ASPELL=on: Spell checking support via GNU Aspell
     CONS25=off: Add a patch to support color for default console
     DOCS=on: Build and/or install documentation
     IPV6=on: IPv6 protocol support
     LDAP=off: LDAP protocol support
     MAILDIR=off: Add a patch to support maildir
     MOUSE=on: Mouse support
     NLS=on: Native Language Support
     NTLM=off: Support for Windows NT Lan Manager authentication
     PASSFILE=off: Support for a stored password file
     THREADS=on: Threading support
===> Use 'make config' to modify these settings


3) "something improper" means the value F6256B618764C64F31EF7D22F7609D2FA328F92F574048E397FFA62E99CBC917 is not a proper SHA-256 hash of the message
Comment 2 Marcin Cieślak 2020-06-15 02:50:53 UTC
1) 12.0-STABLE is a physical machine running on 

FreeBSD 12.0-STABLE r345375 GENERIC amd64
FreeBSD clang version 7.0.1 (tags/RELEASE_701/final 349250) (based on LLVM 7.0.1)
VT(vga): resolution 640x480
CPU: AMD Athlon(tm) 64 X2 Dual Core Processor 5600+ (2900.29-MHz K8-class CPU)
  Origin="AuthenticAMD"  Id=0x60fb2  Family=0xf  Model=0x6b  Stepping=2
  Features=0x178bfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,MMX,FXSR,SSE,SSE2,HTT>
  Features2=0x2001<SSE3,CX16>
  AMD Features=0xea500800<SYSCALL,NX,MMX+,FFXSR,RDTSCP,LM,3DNow!+,3DNow!>
  AMD Features2=0x11f<LAHF,CMP,SVM,ExtAPIC,CR8,Prefetch>
  SVM: NAsids=64

2) 12.1-RELEASE-p6 machine is a Xen HVM guest:

FreeBSD 12.1-RELEASE-p6 GENERIC amd64
FreeBSD clang version 8.0.1 (tags/RELEASE_801/final 366581) (based on LLVM 8.0.1)
VT(vga): text 80x25
XEN: Hypervisor version 4.9 detected.
CPU: Intel(R) Xeon(R) CPU E5-2660 v2 @ 2.20GHz (2200.07-MHz K8-class CPU)
  Origin="GenuineIntel"  Id=0x306e4  Family=0x6  Model=0x3e  Stepping=4
  Features=0x1fc3fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT>
  Features2=0xffba2203<SSE3,PCLMULQDQ,SSSE3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,TSCDLT,AESNI,XSAVE,OSXSAVE,AVX,F16C,RDRAND,HV>
  AMD Features=0x2c100800<SYSCALL,NX,Page1GB,RDTSCP,LM>
  AMD Features2=0x1<LAHF>
  Structured Extended Features=0x281<FSGSBASE,SMEP,ERMS>
  Structured Extended Features3=0x9c000400<MD_CLEAR,IBPB,STIBP,L1DFL,SSBD>
  XSAVE Features=0x1<XSAVEOPT>
  AMD Extended Feature Extensions ID EBX=0x1000
Hypervisor: Origin = "XenVMMXenVMM"
Comment 3 Marcin Cieślak 2020-06-27 21:27:42 UTC
Good news from upstream:

there is a fix at

https://repo.or.cz/alpine.git/commit/529d58309bc7ec042b668a90817eabe4522507e0

They say it broke with 1.1.1 series but I am pretty sure it worked with 1.1.1b on FreeBSD 11.x.

However, the patch fixes it for 12.1.
Comment 4 Carlo Strub freebsd_committer freebsd_triage 2020-07-11 15:02:25 UTC
Port was updated. Please verify if this is resolved.
Comment 5 Marcin Cieślak 2020-07-11 18:09:54 UTC
Yes, alpine 2.23.2 built from ports produces valid signatures. Thanks!