From: Sebastian Fieber
To: bug-gnu-emacs@gnu.org
Subject: 28.0.50; epg decrypt does not verify signed content in smime encrypted and signed message
X-Debbugs-Package: emacs,gnus
Date: Fri, 03 Apr 2020 01:37:04 +0200
Message-ID: <87o8s9cvdr.fsf@web.de>

Hey there,

I'm currently running master on commit
1242ae904a9b7871658f11fb98da5730ea8838c9.

When I open an smime encrypted AND signed message in gnus with a content
type looking like this:

  Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"

I end up with a buffer looking like this:

  Content-Type: application/x-pkcs7-mime; name=smime.p7m; smime-type=signed-data
  Content-Transfer-Encoding: base64
  Content-Disposition: attachment; filename=smime.p7m

  [base64 encoded smime.p7m]

This is the signed content which would have to be verified again. I
tried to fix this myself but am really unfamiliar with the gnus
codebase. I tried to run mm-dissect-buffer on this content alone which
gives some results.

I think a fix would look like this: there just needs to be some checking
what's inside the enveloped data that is being correctly decrypted and
if it's another application/(x-)pkcs7-mime just handle this one too.

Best regards
Sebastian

In GNU Emacs 28.0.50 (build 1, x86_64-pc-linux-gnu, GTK+ Version 3.24.14, cairo version 1.17.3)
 of 2020-03-21 built on comedian
Repository revision: 1242ae904a9b7871658f11fb98da5730ea8838c9
Repository branch: makepkg
Windowing system distributor 'The X.Org Foundation', version 11.0.12007000
System Description: Arch Linux

Recent messages:
nnimap web splitting mail...done
nnimap read 2k from disroot.org
Reading active file via nndraft...done
Checking new news...done
Auto-saving...
Outdated usage of ‘bbdb-search’
Parsing BBDB file ‘~/.emacs.d/bbdb’...done
Buffer *unsent mail* modified; kill anyway? (y or n) y
next-line: End of buffer is undefined

Configured using:
 'configure --prefix=/usr --sysconfdir=/etc --libexecdir=/usr/lib
 --localstatedir=/var --mandir=/usr/share/man
 --pdfdir=/usr/share/doc/emacs/pdf --without-gconf --with-sound=alsa
 --with-x-toolkit=gtk3 --without-toolkit-scroll-bars --with-mailutils
 --with-gameuser=yes --with-xft 'CFLAGS=-march=x86-64 -mtune=generic
 -O2 -pipe -fstack-protector-strong -fno-plt'
 LDFLAGS=-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now
 CPPFLAGS=-D_FORTIFY_SOURCE=2'

Configured features:
XPM JPEG TIFF GIF PNG RSVG CAIRO SOUND GPM DBUS GSETTINGS GLIB NOTIFY
INOTIFY ACL GNUTLS LIBXML2 FREETYPE HARFBUZZ M17N_FLT LIBOTF ZLIB GTK3
X11 XDBE XIM MODULES THREADS LIBSYSTEMD JSON PDUMPER LCMS2 GMP

Important settings:
  value of $LC_MONETARY: de_DE.utf8
  value of $LC_NUMERIC: de_DE.utf8
  value of $LC_TIME: de_DE.utf8
  value of $LANG: en_US.utf8
  locale-coding-system: utf-8-unix

Major mode: Group

Minor modes in effect:
  gnus-agent-group-mode: t
  shell-dirtrack-mode: t
  gnus-undo-mode: t
  auto-insert-mode: t
  yas-global-mode: t
  yas-minor-mode: t
  global-company-mode: t
  company-mode: t
  global-morlock-mode: t
  eval-sexp-fu-flash-mode: t
  persistent-scratch-autosave-mode: t
  smartparens-global-mode: t
  guru-global-mode: t
  guru-mode: t
  show-paren-mode: t
  editorconfig-mode: t
  solaire-global-mode: t
  minibuffer-depth-indicate-mode: t
  save-place-mode: t
  guide-key-mode: t
  immortal-scratch-mode: t
  winner-mode: t
  diff-hl-flydiff-mode: t
  global-diff-hl-mode: t
  doom-modeline-mode: t
  projectile-mode: t
  savehist-mode: t
  tooltip-mode: t
  global-eldoc-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  temp-buffer-resize-mode: t
  buffer-read-only: t
  column-number-mode: t
  line-number-mode: t

Load-path shadows:
/home/judas/.emacs.d/elpa/cmake-mode-20190710.1319/cmake-mode hides /usr/share/emacs/site-lisp/cmake-mode
/home/judas/.emacs.d/elpa/less-css-mode-20161001.453/less-css-mode hides /usr/share/emacs/28.0.50/lisp/textmodes/less-css-mode

Memory information:
((conses 16 550291 213990)
 (symbols 48 39611 1)
 (strings 32 198004 26591)
 (string-bytes 1 7496295)
 (vectors 16 68196)
 (vector-slots 8 1612421 168866)
 (floats 8 876 1697)
 (intervals 56 23869 2698)
 (buffers 1000 68))

From: Sebastian Fieber
To: 40397@debbugs.gnu.org
Subject: bug#40397: 28.0.50; epg decrypt does not verify signed content in smime
Date: Fri, 03 Apr 2020 08:47:33 +0200
Message-ID: <87imih5am2.fsf@web.de>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux)

Hey there,

I just thought this may be hard to test as one has to have a smime
certificate to properly receive an encrypted mail. If someone can point
me to the right approach how to fix this I may be able to dive a bit
deeper into the gnus code and submit a bug report.

This is what I have tried now just to get something:

If I alter mm-view-pkcs7-decrypt after the insert epg-decrypt-string to
call something like this:

  (point-min)
  (gnus-mime-display-part (mm-dissect-buffer t t))

and adjust mm-view-pkcs7-get-type to handle a third case

  ((string-match-p mm-pkcs7-signed-magic (base64-decode-string (buffer-string)))
   'signed)

and also mm-copy-to-buffer to check for carriage returns like this:

  (search-forward-regexp "^\r\n" nil 'move)

(can't send the carriage return properly so \r it is here instead of ^M)

I am able to get an article buffer that still has the base64 encoded
signed blob in it but after it the verified content.

I have no idea where gnus normalizes the line endings to just newlines
and why the mm-view-pkcs7-get-type adjustment is needed. But calling
gnus-mime-display-part is of course not the right approach here. First
there should be some check if the decrypted content needs to be parsed
and handled again but I have no idea which function to write or feed the
decrypted content to.

I hope this may be helpful

Best regards
Sebastian

From: Sebastian Fieber
To: 40397@debbugs.gnu.org
Subject: bug#40397: 28.0.50; epg decrypt does not verify signed content in smime
References: <87imih5am2.fsf@web.de>
Date: Sat, 04 Apr 2020 01:22:06 +0200
In-Reply-To: <87imih5am2.fsf@web.de> (Sebastian Fieber's message of "Fri, 03 Apr 2020 08:47:33 +0200")
Message-ID: <87r1x4dujl.fsf@web.de>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux)

Hey,

Just forget my last mail. I just dug a bit deeper and found the culprit
I think. With commit 84ef1ea8b524f8998fc8674b99cf8069e38dce4f these
lines were added:

--8<---------------cut here---------------start------------->8---
modified lisp/gnus/mm-decode.el @@ -1672,6 +1672,8 @@ If RECURSIVE, search recursively." (t (y-or-n-p (format "Decrypt (S/MIME) part? ")))) (mm-view-pkcs7 parts from)) + (goto-char (point-min)) + (insert "Content-type: text/plain\n\n") (setq parts (mm-dissect-buffer t))))) ((equal subtype "signed") (unless (and (setq protocol 
@@ -1739,6 +1741,7 @@ If RECURSIVE, search recursively."
--8<---------------cut here---------------end--------------->8---

I don't quite know why the content-type is forced here to text/plain.
So if this line is removed the mm-dissect-buffer call does its thing and
returns correctly what's inside the envelope (the real content-type
header in the decrypted envelope is parsed).

Well almost... I wrote in my last mail that I had to adjust
mm-copy-to-buffer:

> and also mm-copy-to-buffer to check for carriage returns like this:
>
> (search-forward-regexp "^\r\n" nil 'move)
>
> (can't send the carriage return properly so \r it is here instead of ^M)

This is still needed as the decrypted content may still have carriage
returns in it. One could also remove the carriage returns in
mm-view-pkcs7-decrypt function of course. I'm not quite sure which is
the better approach.

In such a case the "Decrypt (S/MIME) part?" is asked two times. But hey
that isn't too bad I think.

I have attached a patch with the explained fix.

Best regards
Sebastian

--=-=-=
Content-Type: text/x-patch
Content-Disposition: attachment; filename=0001-fix-bug-40397.patch
Content-Transfer-Encoding: quoted-printable

=46rom ee7ff9a8a083860d39d011c7e4df30cb63490fb9 Mon Sep 17 00:00:00 2001 From: fallchildren Date: Sat, 4 Apr 2020 01:16:12 +0200 Subject: [PATCH] fix bug #40397 This fixes S/MIME encrypted AND signed mails where in the encrypted pkcs7 envelope is a signed pkcs7 structure. - don't insert Content-type header in front of decrypted content for smime decryption using mm-view-pkcs7 - also check for carriage return in mm-copy-to-buffer =2D-- lisp/gnus/mm-decode.el | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/lisp/gnus/mm-decode.el b/lisp/gnus/mm-decode.el index 96695aabfd..d321fbeaaa 100644 =2D-- a/lisp/gnus/mm-decode.el +++ b/lisp/gnus/mm-decode.el 
@@ -759,7 +759,7 @@ MIME-Version header before proceeding." (mb enable-multibyte-characters) beg) (goto-char (point-min)) - (search-forward-regexp "^\n" nil 'move) ;; There might be no body. + (search-forward-regexp "^=0D?\n" nil 'move) ;; There might be no body= . (setq beg (point)) (with-current-buffer (generate-new-buffer " *mm*") @@ -1681,7 +1681,6 @@ If RECURSIVE, search recursively." (format "Decrypt (S/MIME) part? ")))) (mm-view-pkcs7 parts from)) (goto-char (point-min)) - (insert "Content-type: text/plain\n\n") (setq parts (mm-dissect-buffer t))))) ((equal subtype "signed") (unless (and (setq protocol =2D- 2.25.2 --=-=-=--
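
Review bot: In the @@ -759 hunk (mm-copy-to-buffer), the new regexp carries a raw carriage-return byte in the source string (it appears as =0D in the quoted-printable attachment), and the thread already shows that byte does not survive mail transport reliably. Please write it with the string escape, "^\r?\n", so the file stays plain ASCII and the change can be reviewed as text. Note also that this only tolerates a CR on the header/body separator line; the cover message says the decrypted content may still have carriage returns in it, so stripping them once in mm-view-pkcs7-decrypt, the alternative the author mentions, would keep this general-purpose function unchanged and is worth weighing before this goes in.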
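
Review bot: In the @@ -1681 hunk, dropping the unconditional (insert "Content-type: text/plain\n\n") makes mm-dissect-buffer depend entirely on whatever headers the decrypted data carries, and the patch does not say what happens when the decrypted part has no Content-Type header of its own, which may be the case the removed line was added for in 84ef1ea8. Consider inserting the default header only when the decrypted buffer does not already start with MIME headers, rather than removing it outright. The commit subject "fix bug #40397" should also say what changes, since this line decides whether an inner signed-data layer is ever dissected and verified, and the double "Decrypt (S/MIME) part?" prompt the author reports should be resolved or noted as a known issue.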
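
The behaviour discussed in the messages above, as an added example in Python (not Gnus code and not part of the original thread): it re-dissects decrypted S/MIME content layer by layer, and shows why a forced text/plain header and a bare "^\n" separator search both hide the inner signed-data layer. The names `layer_kind`, `unwrap`, `body_offset`, `fake_decrypt` and `fake_verify` are hypothetical, the two fake functions stand in for real CMS operations, and all sample data is constructed.

```python
import base64
import re
from email import message_from_bytes

PKCS7_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

# Constructed sample data; the blobs stand in for real CMS structures.
ENVELOPED_BLOB = b"constructed-enveloped-data"
SIGNED_BLOB = b"constructed-signed-data"
INNER = b"Content-Type: text/plain; charset=utf-8\r\n\r\nsigned body\r\n"


def pkcs7_entity(subtype, smime_type, blob):
    """Build a CRLF-terminated MIME entity shaped like those in the report."""
    lines = [
        b"Content-Type: application/%s; name=smime.p7m; smime-type=%s"
        % (subtype, smime_type),
        b"Content-Transfer-Encoding: base64",
        b"Content-Disposition: attachment; filename=smime.p7m",
        b"",
        base64.b64encode(blob),
        b"",
    ]
    return b"\r\n".join(lines)


# What decryption of the outer envelope yields: a signed-data entity with CRLF.
DECRYPTED = pkcs7_entity(b"x-pkcs7-mime", b"signed-data", SIGNED_BLOB)
OUTER = pkcs7_entity(b"pkcs7-mime", b"enveloped-data", ENVELOPED_BLOB)
# The pre-patch behaviour: a text/plain header forced in front of the result.
FORCED = b"Content-type: text/plain\n\n" + DECRYPTED


def fake_decrypt(blob):
    # Hypothetical stand-in for CMS decryption (assumption, no real crypto).
    if blob != ENVELOPED_BLOB:
        raise ValueError("cannot decrypt")
    return DECRYPTED


def fake_verify(blob):
    # Hypothetical stand-in for CMS signature verification.
    if blob != SIGNED_BLOB:
        raise ValueError("bad signature")
    return INNER


CMS_OPS = {"decrypt": fake_decrypt, "verify": fake_verify}


def body_offset(data, tolerate_cr):
    """Offset just past the blank separator line, or len(data) if none is
    found (like a regexp search that moves to the end on failure)."""
    pattern = rb"^\r?\n" if tolerate_cr else rb"^\n"
    match = re.search(pattern, data, re.MULTILINE)
    return match.end() if match else len(data)


def layer_kind(msg):
    """Decide what must happen to this entity before anything is displayed."""
    if msg.get_content_type() not in PKCS7_TYPES:
        return "display"
    smime_type = str(msg.get_param("smime-type", "")).lower()
    if smime_type == "signed-data":
        return "verify"
    if smime_type == "enveloped-data":
        return "decrypt"
    # Fail closed: never render a PKCS#7 part whose layer type is unknown.
    raise ValueError("unknown smime-type: %r" % smime_type)


def unwrap(data, cms_ops, max_depth=4):
    """Peel PKCS#7 layers until plain content remains.

    Returns (layers, message), where layers lists the operations that
    actually ran, so the caller can tell 'decrypted' from 'decrypted and
    verified'."""
    layers = []
    for _ in range(max_depth + 1):
        msg = message_from_bytes(data)
        kind = layer_kind(msg)
        if kind == "display":
            return layers, msg
        if len(layers) == max_depth:
            break
        data = cms_ops[kind](msg.get_payload(decode=True))
        layers.append(kind)
    raise ValueError("too many nested PKCS#7 layers")


if __name__ == "__main__":
    print(unwrap(OUTER, CMS_OPS)[0])   # both layers handled
    print(unwrap(FORCED, CMS_OPS)[0])  # signed layer never reached
```

With the forced header the inner entity is treated as body text, so the list of layers comes back empty and nothing is verified.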

From: Sebastian Fieber
To: 40397@debbugs.gnu.org
Subject: bug#40397: 28.0.50; epg decrypt does not verify signed content in smime
References: <87imih5am2.fsf@web.de> <87r1x4dujl.fsf@web.de>
Date: Sun, 05 Apr 2020 02:37:42 +0200
In-Reply-To: <87r1x4dujl.fsf@web.de> (Sebastian Fieber's message of "Sat, 04 Apr 2020 01:22:06 +0200")
Message-ID: <87lfna22eh.fsf@web.de>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux)

On Sa, Apr 04 2020, Sebastian Fieber wrote:

> In such a case the "Decrypt (S/MIME) part?" is asked two times. But hey
> that isn't too bad I think.

I just had some time to look into this even further and I noticed that
the mm-sec buttons for signatures/encryption are not displayed for the
whole application/pkcs7-mime stuff, too. I am working on a patch to fix
this.

I think most of the code would look like the one in mml-smime.el (the
calls to mm-sec-* and getting error/success messages from epg). The
hard part is to get the mm-security-handle or better the information
added about the pkcs7-mime signature by the mm-sec-* calls to some
function that will add these (which is gnus-mime-display-security ?).
The problem here is that the part is lost when the signature is verified
as the actual signed content parts will have replaced it.

Best regards
Sebastian
From: Sebastian Fieber
To: 40397@debbugs.gnu.org
Subject: bug#40397: 28.0.50; epg decrypt does not verify signed content in smime
References: <87imih5am2.fsf@web.de> <87r1x4dujl.fsf@web.de> <87lfna22eh.fsf@web.de>
Date: Mon, 06 Apr 2020 02:04:58 +0200
In-Reply-To: <87lfna22eh.fsf@web.de> (Sebastian Fieber's message of "Sun, 05 Apr 2020 02:37:42 +0200")
Message-ID: <874ktxtr6d.fsf@web.de>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="

--=-=-=
Content-Type: text/plain

On So, Apr 05 2020, Sebastian Fieber wrote:

> I just had some time to look into this even further and I noticed that
> the mm-sec buttons for signatures/encryption are not displayed for the
> whole application/pkcs7-mime stuff, too. I am working on a patch to fix
> this.
>
> I think most of the code would look like the one in mml-smime.el (the
> calls to mm-sec-* and getting error/success messages from epg). The
> hard part is to get the mm-security-handle or better the information
> added about the pkcs7-mime signature by the mm-sec-* calls to some
> function that will add these (which is gnus-mime-display-security ?).
> The problem here is that the part is lost when the signature is verified
> as the actual signed content parts will have replaced it.
>
> Best regards
> Sebastian

Hey,

here is the resulting more thorough patch replacing the one before.
It's not finished completely as error handling and reporting via
mm-sec-error is still missing in mm-view-pkcs7-[decrypt/verify]. But
displaying verification and encryption information via
gnus-mime-display-security does work (at least in the good case).

See the patch for more information. I'd welcome any comments :)

--=-=-=
Content-Type: text/x-patch
Content-Disposition: attachment; filename=0001-fix-bug-40397.patch
Content-Transfer-Encoding: quoted-printable

=46rom 2d623b52c7810a293ad8309018ebc4973f1ff2e3 Mon Sep 17 00:00:00 2001
From: fallchildren
Date: Sat, 4 Apr 2020 01:16:12 +0200
Subject: [PATCH] fix bug #40397

This fixes S/MIME encrypted AND signed mails where in the encrypted
pkcs7 envelope is a signed pkcs7 structure.

- don't force Content-type header to text/plain in front of decrypted
  content for smime decryption using mm-view-pkcs7

- structure the result of mm-dissect-buffer of application/pkcs7-mime
  like a multipart mail so there is no losing of information of
  verification and decryption results which can now be displayed by
  gnus-mime-display-security

- adjust gnus-mime-display-part to handle application/pkcs7-mime like
  multipart/encrypted or multipart/signed

- add dummy entries to mm-verify-function-alist and
  mm-decrypt-function-alist so gnus-mime-display-security correctly
  displays "S/MIME" and not "unknown protocol"

- adjust mm-possibly-verify-or-decrypt to check for smime-type to ask
  whether to verify or decrypt part and not to ask to decrypt either way

- adjust mm-view-pkcs7-decrypt and verify to call mm-sec-status so
  success information can be displayed by gnus-mime-display-security

- in mm-view-pkcs7-decrypt also replace "^M\n" with newline and not only
  "\r\n" - I have no idea why this is needed

TODO: mm-view-pkcs7-decrypt and verify error handling and
reporting. ATM there is only the good case implemented - at least for
reporting with gnus-mime-display-security.
=2D-- lisp/gnus/gnus-art.el | 28 ++++++++++++++++ lisp/gnus/mm-decode.el | 74 +++++++++++++++++++++++++++++------------- lisp/gnus/mm-view.el | 32 +++++++++++++++--- 3 files changed, 108 insertions(+), 26 deletions(-) diff --git a/lisp/gnus/gnus-art.el b/lisp/gnus/gnus-art.el index 6b9610d312..4ab629eda0 100644 =2D-- a/lisp/gnus/gnus-art.el +++ b/lisp/gnus/gnus-art.el
@@ -5986,6 +5986,34 @@ If nil, don't show those extra buttons." ((equal (car handle) "multipart/encrypted") (gnus-add-wash-type 'encrypted) (gnus-mime-display-security handle)) + ;; pkcs7-mime handling: + ;; + ;; although not really multipart these are structured internally by + ;; mm-dissect-buffer like multipart to not discard the decryption + ;; and verification results + ;; + ;; application/pkcs7-mime + ((and (equal (car handle) "application/pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle 'protocol) + "application/pkcs7-mime_signed-data")) + (gnus-add-wash-type 'signed) + (gnus-mime-display-security handle)) + ((and (equal (car handle) "application/pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle 'protocol) + "application/pkcs7-mime_enveloped-data")) + (gnus-add-wash-type 'encrypted) + (gnus-mime-display-security handle)) + ;; application/x-pkcs7-mime + ((and (equal (car handle) "application/x-pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle 'protocol) + "application/x-pkcs7-mime_signed-data")) + (gnus-add-wash-type 'signed) + (gnus-mime-display-security handle)) + ((and (equal (car handle) "application/x-pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle 'protocol) + "application/x-pkcs7-mime_enveloped-data")) + (gnus-add-wash-type 'encrypted) + (gnus-mime-display-security handle)) ;; Other multiparts are handled like multipart/mixed. (t (gnus-mime-display-mixed (cdr handle))))) diff --git a/lisp/gnus/mm-decode.el b/lisp/gnus/mm-decode.el index 96695aabfd..5af2e50f66 100644 =2D-- a/lisp/gnus/mm-decode.el +++ b/lisp/gnus/mm-decode.el @@ -473,6 +473,7 @@ The file will be saved in the directory `mm-tmp-direct= ory'.") (autoload 'mml2015-verify-test "mml2015") (autoload 'mml-smime-verify "mml-smime") (autoload 'mml-smime-verify-test "mml-smime") +(autoload 'mm-view-pkcs7-verify "mm-view") (defvar mm-verify-function-alist '(("application/pgp-signature" mml2015-verify "PGP" mml2015-verify-test= ) 
@@ -481,7 +482,15 @@ The file will be saved in the directory `mm-tmp-direc= tory'.") ("application/pkcs7-signature" mml-smime-verify "S/MIME" mml-smime-verify-test) ("application/x-pkcs7-signature" mml-smime-verify "S/MIME" - mml-smime-verify-test))) + mml-smime-verify-test) + ("application/x-pkcs7-signature" mml-smime-verify "S/MIME" + mml-smime-verify-test) + ;; these are only used for security-buttons and contain the + ;; smime-type after the underscore + ("application/pkcs7-mime_signed-data" mm-view-pkcs7-verify "S/MIME" + nil) + ("application/x-pkcs7-mime_signed-data" mml-view-pkcs7-verify "S/MIME= " + nil))) (defcustom mm-verify-option 'never "Option of verifying signed parts. @@ -500,11 +509,16 @@ result of the verification." (autoload 'mml2015-decrypt "mml2015") (autoload 'mml2015-decrypt-test "mml2015") +(autoload 'mm-view-pkcs7-decrypt "mm-view") (defvar mm-decrypt-function-alist '(("application/pgp-encrypted" mml2015-decrypt "PGP" mml2015-decrypt-te= st) ("application/x-gnus-pgp-encrypted" mm-uu-pgp-encrypted-extract-1 "PG= P" - mm-uu-pgp-encrypted-test))) + mm-uu-pgp-encrypted-test) + ;; these are only used for security-buttons and contain the + ;; smime-type after the underscore + ("application/pkcs7-mime_enveloped-data" mm-view-pkcs7-decrypt "S/MIM= E" nil) + ("application/x-pkcs7-mime_enveloped-data" mm-view-pkcs7-decrypt "S/M= IME" nil))) (defcustom mm-decrypt-option nil "Option of decrypting encrypted parts. 
@@ -682,14 +696,23 @@ MIME-Version header before proceeding." (car ctl)) (cons (car ctl) (mm-dissect-multipart ctl from)))) (t - (mm-possibly-verify-or-decrypt - (mm-dissect-singlepart - ctl - (and cte (intern (downcase (mail-header-strip-cte cte)))) - no-strict-mime - (and cd (mail-header-parse-content-disposition cd)) - description id) - ctl from)))) + (let* ((intermediate-result + (mm-possibly-verify-or-decrypt + (mm-dissect-singlepart + ctl + (and cte (intern (downcase (mail-header-strip-cte cte)))) + no-strict-mime + (and cd (mail-header-parse-content-disposition cd)) + description id) + ctl from))) + (when (and (equal type "application") + (or (equal subtype "pkcs7-mime") + (equal subtype "x-pkcs7-mime"))) + ;; if this is a pkcs7-mime lets treat this special and + ;; more like multipart so the pkcs7-mime part does not + ;; get ignored + (setq intermediate-result (list (car ctl) intermediate-res= ult))) + intermediate-result)))) (when id (when (string-match " *<\\(.*\\)> *" id) (setq id (match-string 1 id))) @@ -759,7 +782,7 @@ MIME-Version header before proceeding." (mb enable-multibyte-characters) beg) (goto-char (point-min)) - (search-forward-regexp "^\n" nil 'move) ;; There might be no body. + (search-forward-regexp "^?\n" nil 'move) ;; There might be no body. (setq beg (point)) (with-current-buffer (generate-new-buffer " *mm*") 
@@ -1672,17 +1695,24 @@ If RECURSIVE, search recursively." (cond ((or (equal type "application/x-pkcs7-mime") (equal type "application/pkcs7-mime")) - (with-temp-buffer - (when (and (cond - ((eq mm-decrypt-option 'never) nil) - ((eq mm-decrypt-option 'always) t) - ((eq mm-decrypt-option 'known) t) - (t (y-or-n-p - (format "Decrypt (S/MIME) part? ")))) - (mm-view-pkcs7 parts from)) - (goto-char (point-min)) - (insert "Content-type: text/plain\n\n") - (setq parts (mm-dissect-buffer t))))) + (let* ((smime-type (cdr (assoc 'smime-type ctl))) + (envelope-p (string=3D smime-type "enveloped-data")) + (decrypt-or-sign-option (if envelope-p + mm-decrypt-option + mm-sign-option)) + (question (if envelope-p + "Decrypt (S/MIME) part? " + "Verify signed (S/MIME) part? "))) + (with-temp-buffer + (when (and (cond + ((eq decrypt-or-sign-option 'never) nil) + ((eq decrypt-or-sign-option 'always) t) + ((eq decrypt-or-sign-option 'known) t) + (t (y-or-n-p + (format question)))) + (mm-view-pkcs7 parts from)) + (goto-char (point-min)) + (setq parts (mm-dissect-buffer t)))))) ((equal subtype "signed") (unless (and (setq protocol (mm-handle-multipart-ctl-parameter ctl 'protocol)) diff --git a/lisp/gnus/mm-view.el b/lisp/gnus/mm-view.el index 828ac633dc..4c7350b55a 100644 =2D-- a/lisp/gnus/mm-view.el +++ b/lisp/gnus/mm-view.el 
@@ -591,8 +591,20 @@ If MODE is not set, try to find mode automatically." (with-temp-buffer (insert-buffer-substring (mm-handle-buffer handle)) (goto-char (point-min)) - (let ((part (base64-decode-string (buffer-string)))) - (epg-verify-string (epg-make-context 'CMS) part)))) + (let* ((part (base64-decode-string (buffer-string))) + (context (epg-make-context 'CMS)) + (plain (epg-verify-string context part))) + (mm-sec-status + 'gnus-info + (epg-verify-result-to-string (epg-context-result-for contex= t 'verify)) + 'gnus-details + nil + 'protocol + ;; just mimik pkcs7-signature actually we are in pkcs7-mime + (concat (substring-no-properties (caadr handle)) + "_" + (cdr (assoc 'smime-type (cadr handle))))) + plain))) (with-temp-buffer (insert "MIME-Version: 1.0\n") (mm-insert-headers "application/pkcs7-mime" "base64" "smime.p7m") @@ -612,7 +624,19 @@ If MODE is not set, try to find mode automatically." ;; Use EPG/gpgsm (let ((part (base64-decode-string (buffer-string)))) (erase-buffer) - (insert (epg-decrypt-string (epg-make-context 'CMS) part))) + (insert + (let* ((context (epg-make-context 'CMS)) + (plain (epg-decrypt-string context part))) + (mm-sec-status + 'gnus-info + "OK" + 'gnus-details + nil + 'protocol + (concat (substring-no-properties (caadr handle)) + "_" + (cdr (assoc 'smime-type (cadr handle))))) + plain))) ;; Use openssl (insert "MIME-Version: 1.0\n") (mm-insert-headers "application/pkcs7-mime" "base64" "smime.p7m") 
@@ -626,7 +650,7 @@ If MODE is not set, try to find mode automatically." smime-keys nil nil nil (car-safe (car-safe smime-keys))))) from)) (goto-char (point-min)) - (while (search-forward "\r\n" nil t) + (while (search-forward-regexp "\r\n|=0D\n" nil t) (replace-match "\n")) (goto-char (point-min))) =2D- 2.25.2
--=-=-=--
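
Review bot: In the lisp/gnus/gnus-art.el hunk the four new `cond` clauses differ only in the type string and in the wash type (`signed` or `encrypted`), so the pkcs7-mime and x-pkcs7-mime cases can share one clause per smime-type, for example by testing `(member (car handle) '("application/pkcs7-mime" "application/x-pkcs7-mime"))` and comparing the protocol against `(concat (car handle) "_signed-data")`. A handle whose `protocol` parameter is neither of the two synthesized values falls through to the `t` clause and is shown by `gnus-mime-display-mixed`; the comment should say whether that is the intended display for a part that was not decrypted or verified.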
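
Review bot: In the `mm-verify-function-alist` hunk of lisp/gnus/mm-decode.el the `"application/x-pkcs7-signature"` entry is added a second time, identical to the existing one directly above it, and the `"application/x-pkcs7-mime_signed-data"` entry names `mml-view-pkcs7-verify` while the autoload added in the preceding hunk and the `"application/pkcs7-mime_signed-data"` entry use `mm-view-pkcs7-verify`. Drop the duplicate entry and use the same function symbol in both pkcs7-mime entries.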
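
Review bot: In the `mm-possibly-verify-or-decrypt` hunk the non-enveloped branch binds `decrypt-or-sign-option` to `mm-sign-option`, but the setting this file documents for verification is `mm-verify-option` ("Option of verifying signed parts", visible in the context of the earlier mm-decode.el hunk), so the user's verification preference is not what decides whether a signed-data part is verified. Use `mm-verify-option` there and rename the variable to match. Two smaller points in the same hunk: any `smime-type` other than "enveloped-data", including a missing one, takes the verify branch, and `(format question)` treats the prompt as a format string where passing `question` to `y-or-n-p` directly would do.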
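
Review bot: In the `epg-verify-string` hunk of lisp/gnus/mm-view.el the new code stores the text from `epg-verify-result-to-string` in `gnus-info` and then returns `plain` with no branch on the verify result, so nothing in the hunk distinguishes a signature that failed to verify from a good one except the wording of the info string. Inspect the value of `(epg-context-result-for context 'verify)` before returning and report the failure case through `mm-sec-error`, which the cover message names as still missing; an error signalled by `epg-verify-string` is not handled here either.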
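
Review bot: In the `epg-decrypt-string` hunk of lisp/gnus/mm-view.el the `gnus-info` value is the constant "OK", set without consulting anything from `context`, so the security button text does not depend on what the decrypt call reported and there is no `mm-sec-error` path for a failure. The `(concat (substring-no-properties (caadr handle)) "_" (cdr (assoc 'smime-type (cadr handle))))` expression is also repeated from the verify hunk; a small helper would keep the synthesized protocol string in one place, and it should handle a part without a `smime-type` parameter, where the result ends in "_" and matches none of the new alist entries.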
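
The first item of the commit message above (no forced text/plain header in front of decrypted content), modelled as an added example that is not code from this thread or from Gnus. It is a Python sketch rather than Emacs Lisp, the CMS operation is a stand-in that returns a constructed payload unchanged, and `process`, `wrap` and `cms_stand_in` are hypothetical names.

```python
import base64
from email import message_from_bytes

PKCS7_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}


def cms_stand_in(blob: bytes) -> bytes:
    """Stand-in for the CMS decrypt/verify call (assumption: no real crypto).

    The constructed samples below carry the inner MIME entity as their
    "CMS" payload, so unwrapping a layer returns the payload unchanged.
    """
    return blob


def wrap(smime_type: str, inner: bytes) -> bytes:
    """Build a constructed pkcs7-mime entity whose payload is INNER."""
    return (
        b"Content-Type: application/pkcs7-mime; smime-type="
        + smime_type.encode("ascii")
        + b"; name=smime.p7m\r\n"
        b"Content-Transfer-Encoding: base64\r\n\r\n"
        + base64.encodebytes(inner)
    )


# Constructed sample: a text part, signed, then encrypted.
PLAIN = b"Content-Type: text/plain\r\n\r\nhello\r\n"
SIGNED = wrap("signed-data", PLAIN)
ENCRYPTED_AND_SIGNED = wrap("enveloped-data", SIGNED)


def process(entity: bytes, force_text_plain: bool, ops=None):
    """Peel pkcs7-mime layers; return (operations, content type, body).

    force_text_plain=True models the behaviour the patch removes: the
    result of each pkcs7 operation is prefixed with a text/plain header
    before it is parsed again.
    """
    ops = [] if ops is None else ops
    msg = message_from_bytes(entity)
    ctype = msg.get_content_type()
    body = msg.get_payload(decode=True)
    if ctype not in PKCS7_TYPES:
        return ops, ctype, body
    smime_type = msg.get_param("smime-type")
    if smime_type == "enveloped-data":
        ops.append("decrypt")
    elif smime_type == "signed-data":
        ops.append("verify")
    else:
        return ops, ctype, body  # unknown layer: leave it untouched
    # Normalise CRLF as the decrypt path in the patch does, then re-parse.
    inner = cms_stand_in(body).replace(b"\r\n", b"\n")
    if force_text_plain:
        inner = b"Content-type: text/plain\n\n" + inner
    return process(inner, force_text_plain, ops)


if __name__ == "__main__":
    for forced in (True, False):
        ops, ctype, body = process(ENCRYPTED_AND_SIGNED, forced)
        print("forced header:", forced, "| operations:", ops, "| type:", ctype)
        print(body.decode("ascii", "replace").splitlines()[0])
```

With the forced header the walk stops after one layer, and the signed-data entity, headers and base64 included, is what would be displayed as text.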

From: Noam Postavsky
To: Sebastian Fieber
Cc: 40397@debbugs.gnu.org
Subject: Re: bug#40397: 28.0.50; epg decrypt does not verify signed content in smime
References: <87imih5am2.fsf@web.de> <87r1x4dujl.fsf@web.de> <87lfna22eh.fsf@web.de> <874ktxtr6d.fsf@web.de>
Date: Sun, 05 Apr 2020 21:17:01 -0400
In-Reply-To: <874ktxtr6d.fsf@web.de> (Sebastian Fieber's message of "Mon, 06 Apr 2020 02:04:58 +0200")
Message-ID: <87d08lh0qa.fsf@gmail.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.90 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain

Sebastian Fieber writes:

> - (while (search-forward "\r\n" nil t)
> + (while (search-forward-regexp "\r\n|\^M\n" nil t)

This can't be right, it would search for a literal "|" on an otherwise
empty line. And if you put "\\|" which is what I think you meant, then
both alternatives would be the same, so it still doesn't make sense.

From: Sebastian Fieber
To: Noam Postavsky
Cc: 40397@debbugs.gnu.org
Subject: Re: bug#40397: 28.0.50; epg decrypt does not verify signed content in smime
References: <87imih5am2.fsf@web.de> <87r1x4dujl.fsf@web.de> <87lfna22eh.fsf@web.de> <874ktxtr6d.fsf@web.de> <87d08lh0qa.fsf@gmail.com>
Date: Mon, 06 Apr 2020 09:01:45 +0200
In-Reply-To: <87d08lh0qa.fsf@gmail.com> (Noam Postavsky's message of "Sun, 05 Apr 2020 21:17:01 -0400")
Message-ID: <87wo6tayhy.fsf@web.de>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain

On So, Apr 05 2020, Noam Postavsky wrote:

> Sebastian Fieber writes:
>
>> - (while (search-forward "\r\n" nil t)
>> + (while (search-forward-regexp "\r\n|\^M\n" nil t)
>
> This can't be right, it would search for a literal "|" on an otherwise
> empty line. And if you put "\\|" which is what I think you meant, then
> both alternatives would be the same, so it still doesn't make sense.

Yes, and there is another problem with this. Should have tested this with
emacs -Q. Let me fix that and prepare a new patch.

Since you have looked over the patch: What do you think about the
approach to internally structure application/pkcs7-mime parts like
multipart parts containing the mime type with text properties until the
decrypted, maybe verified singlepart in the car of the handle?

From: Noam Postavsky
To: Sebastian Fieber
Cc: 40397@debbugs.gnu.org
Subject: Re: bug#40397: 28.0.50; epg decrypt does not verify signed content in smime
References: <87imih5am2.fsf@web.de> <87r1x4dujl.fsf@web.de> <87lfna22eh.fsf@web.de> <874ktxtr6d.fsf@web.de> <87d08lh0qa.fsf@gmail.com> <87wo6tayhy.fsf@web.de>
Date: Mon, 06 Apr 2020 12:32:29 -0400
In-Reply-To: <87wo6tayhy.fsf@web.de> (Sebastian Fieber's message of "Mon, 06 Apr 2020 09:01:45 +0200")
Message-ID: <85r1x0mv6q.fsf@gmail.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (windows-nt)
MIME-Version: 1.0
Content-Type: text/plain

Sebastian Fieber writes:

> On So, Apr 05 2020, Noam Postavsky wrote:
>
>> Sebastian Fieber writes:
>>
>>> - (while (search-forward "\r\n" nil t)
>>> + (while (search-forward-regexp "\r\n|\^M\n" nil t)
>>
>> This can't be right, it would search for a literal "|" on an otherwise
>> empty line. And if you put "\\|" which is what I think you meant, then
>> both alternatives would be the same, so it still doesn't make sense.
>
> Yes, and there is another problem with this. Should have tested this with
> emacs -Q. Let me fix that and prepare a new patch.

This hunk looks a bit suspicious to me as well, I don't think you can
apply operators like "?" to anchors.

@@ -759,7 +782,7 @@ MIME-Version header before proceeding." (mb enable-multibyte-characters) beg) (goto-char (point-min)) - (search-forward-regexp "^\n" nil 'move) ;; There might be no body. + (search-forward-regexp "^?\n" nil 'move) ;; There might be no body. (setq beg (point)) (with-current-buffer (generate-new-buffer " *mm*")

> Since you have looked over the patch: What do you think about the
> approach to internally structure application/pkcs7-mime parts like
> multipart parts containing the mime type with text properties until the
> decrypted, maybe verified singlepart in the car of the handle?

Sorry, I'm not familiar enough with how this code is currently
structured to say anything intelligent about that.

From: Sebastian Fieber
To: Noam Postavsky
Cc: 40397@debbugs.gnu.org
Subject: Re: bug#40397: 28.0.50; epg decrypt does not verify signed content in smime
References: <87imih5am2.fsf@web.de> <87r1x4dujl.fsf@web.de> <87lfna22eh.fsf@web.de> <874ktxtr6d.fsf@web.de> <87d08lh0qa.fsf@gmail.com> <87wo6tayhy.fsf@web.de> <85r1x0mv6q.fsf@gmail.com>
Date: Tue, 07 Apr 2020 21:22:26 +0200
Message-ID: <87h7xv9k3x.fsf@web.de>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="

--=-=-=
Content-Type: text/plain

On Mo, Apr 06 2020, Noam Postavsky wrote:

> This hunk looks a bit suspicious to me as well, I don't think you can
> apply operators like "?" to anchors.
>
> @@ -759,7 +782,7 @@ MIME-Version header before proceeding."
> (mb enable-multibyte-characters)
> beg)
> (goto-char (point-min))
> - (search-forward-regexp "^\n" nil 'move) ;; There might be no body.
> + (search-forward-regexp "^?\n" nil 'move) ;; There might be no body.
> (setq beg (point))
> (with-current-buffer
> (generate-new-buffer " *mm*")
>

Yes, this section is also wrong.

>> Since you have looked over the patch: What do you think about the
>> approach to internally structure application/pkcs7-mime parts like
>> multipart parts containing the mime type with text properties until the
>> decrypted, maybe verified singlepart in the car of the handle?

> Sorry, I'm not familiar enough with how this code is currently
> structured to say anything intelligent about that.

No problem :)

I have attached a new patch which fixes the problem and also does
implement support for the security buttons for application/pkcs7-mime
parts. This is quite nice as application/pkcs7-mime parts are not
handled automatically by default in gnus. ATM you have to set
mm-decrypt-option and mm-verify-option at least to 'ask. So with this
supported it should now work out of the box even without setting
mm-decrypt-option and mm-verify-option because now gnus shows the
buttons properly and one can click on them and decrypt/verify the part
"manually".

This time the patch should be clean and was tested properly at least
with mml-smime-use 'epg. I'm not quite sure if the patch breaks using
openssl as I didn't get this running. Maybe someone can test this? If
this does break using openssl modifying mm-view's decrypt and verify
functions should suffice to fix any problems.

The gist of the patch is: treat application/pkcs7-mime like multipart
mails and especially multipart/encrypted with protocol
application/pgp-encrypted and change no more stuff than necessary.

Here is the commit message which is a bit more detailed (also found in
the patch):

"This fixes S/MIME encrypted AND signed mails where in the encrypted
pkcs7 envelope is a signed pkcs7 structure. Also this patch enables
proper security-buttons for pkcs7-mime encrypted and/or signed mails.

Changes:

- don't force Content-type header to text/plain in front of decrypted
  content for smime decryption using mm-view-pkcs7. This fixes the
  initial bug where the signed part was not verified due to the wrong
  content type header.

- structure the result of mm-dissect-buffer of application/pkcs7-mime
  like a multipart mail so there is no losing of information of
  verification and decryption results which can now be displayed by
  gnus-mime-display-security

- adjust gnus-mime-display-part to handle application/pkcs7-mime like
  multipart/encrypted or multipart/signed

- add dummy entries to mm-verify-function-alist and
  mm-decrypt-function-alist so gnus-mime-display-security correctly
  displays "S/MIME" and not "unknown protocol"

- don't just check for multipart/signed in
  gnus-insert-mime-security-button but also for the pkcs7-mime mimetypes
  to print "Encrypted" or "Signed" accordingly in the security button

- adjust mm-possibly-verify-or-decrypt to check for smime-type to ask
  whether to verify or decrypt the part and not to always ask to decrypt

- adjust mm-view-pkcs7-decrypt and verify to call mm-sec-status so
  success information can be displayed by gnus-mime-display-security

- in mm-view-pkcs7-verify also remove carriage returns like in
  mm-view-pkcs7-decrypt

- adjust gnus-mime-security-verify-or-decrypt to handle pkcs7-mime right
  with the done changes

TODO: mm-view-pkcs7-decrypt and verify error handling and reporting.
ATM there is only the good case implemented - at least for reporting
with gnus-mime-display-security."

--=-=-=
Content-Type: text/x-patch
Content-Disposition: attachment; filename=0001-fix-bug-40397.patch
>From 3f85a1a72953f0877d2edcf56e872e7fe760b9f9 Mon Sep 17 00:00:00 2001 
From: Sebastian Fieber
Date: Mon, 6 Apr 2020 20:45:05 +0200
Subject: [PATCH] fix bug #40397

This fixes S/MIME encrypted AND signed mails where in the encrypted
pkcs7 envelope is a signed pkcs7 structure. Also this patch enables
proper security-buttons for pkcs7-mime encrypted and/or signed mails.

Changes:

- don't force Content-type header to text/plain in front of decrypted
  content for smime decryption using mm-view-pkcs7. This fixes the
  initial bug where the signed part was not verified due to the wrong
  content type header.

- structure the result of mm-dissect-buffer of application/pkcs7-mime
  like a multipart mail so there is no losing of information of
  verification and decryption results which can now be displayed by
  gnus-mime-display-security

- adjust gnus-mime-display-part to handle application/pkcs7-mime like
  multipart/encrypted or multipart/signed

- add dummy entries to mm-verify-function-alist and
  mm-decrypt-function-alist so gnus-mime-display-security correctly
  displays "S/MIME" and not "unknown protocol"

- don't just check for multipart/signed in
  gnus-insert-mime-security-button but also for the pkcs7-mime mimetypes
  to print "Encrypted" or "Signed" accordingly in the security button

- adjust mm-possibly-verify-or-decrypt to check for smime-type to ask
  whether to verify or decrypt the part and not to always ask to decrypt

- adjust mm-view-pkcs7-decrypt and verify to call mm-sec-status so
  success information can be displayed by gnus-mime-display-security

- in mm-view-pkcs7-verify also remove carriage returns like in
  mm-view-pkcs7-decrypt

- adjust gnus-mime-security-verify-or-decrypt to handle pkcs7-mime right
  with the done changes

TODO: mm-view-pkcs7-decrypt and verify error handling and reporting.
ATM there is only the good case implemented - at least for reporting
with gnus-mime-display-security.
--- lisp/gnus/gnus-art.el | 60 ++++++++++++++++++++++++++++--- lisp/gnus/mm-decode.el | 81 +++++++++++++++++++++++++++++++----------- lisp/gnus/mm-view.el | 25 +++++++++++-- 3 files changed, 138 insertions(+), 28 deletions(-) diff --git a/lisp/gnus/gnus-art.el b/lisp/gnus/gnus-art.el index 6b9610d312..b130650df6 100644 --- a/lisp/gnus/gnus-art.el +++ b/lisp/gnus/gnus-art.el @@ -5986,6 +5986,34 @@ gnus-mime-display-part ((equal (car handle) "multipart/encrypted") (gnus-add-wash-type 'encrypted) (gnus-mime-display-security handle)) + ;; pkcs7-mime handling: + ;; + ;; although not really multipart these are structured internally by + ;; mm-dissect-buffer like multipart to not discard the decryption + ;; and verification results + ;; + ;; application/pkcs7-mime + ((and (equal (car handle) "application/pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle 'protocol) + "application/pkcs7-mime_signed-data")) + (gnus-add-wash-type 'signed) + (gnus-mime-display-security handle)) + ((and (equal (car handle) "application/pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle 'protocol) + "application/pkcs7-mime_enveloped-data")) + (gnus-add-wash-type 'encrypted) + (gnus-mime-display-security handle)) + ;; application/x-pkcs7-mime + ((and (equal (car handle) "application/x-pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle 'protocol) + "application/x-pkcs7-mime_signed-data")) + (gnus-add-wash-type 'signed) + (gnus-mime-display-security handle)) + ((and (equal (car handle) "application/x-pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle 'protocol) + "application/x-pkcs7-mime_enveloped-data")) + (gnus-add-wash-type 'encrypted) + (gnus-mime-display-security handle)) ;; Other multiparts are handled like multipart/mixed. (t (gnus-mime-display-mixed (cdr handle))))) 
@@ -8733,9 +8761,16 @@ gnus-mime-security-verify-or-decrypt (with-current-buffer (mm-handle-multipart-original-buffer handle) (let* ((mm-verify-option 'known) (mm-decrypt-option 'known) - (nparts (mm-possibly-verify-or-decrypt (cdr handle) handle))) + (pkcs7-mime-p (or (equal (car handle) "application/pkcs7-mime") + (equal (car handle) "application/x-pkcs7-mime"))) + (nparts (if pkcs7-mime-p + (list (mm-possibly-verify-or-decrypt (cadr handle) (cadadr handle))) + (mm-possibly-verify-or-decrypt (cdr handle) handle)))) (unless (eq nparts (cdr handle)) - (mm-destroy-parts (cdr handle)) + ;; if pkcs7-mime don't destroy the parts as the buffer in + ;; the cdr still needs to be accessible + (when (not pkcs7-mime-p) + (mm-destroy-parts (cdr handle))) (setcdr handle nparts)))) (gnus-mime-display-security handle) (when region 
@@ -8793,8 +8828,25 @@ gnus-insert-mime-security-button (or (nth 2 (assoc protocol mm-verify-function-alist)) (nth 2 (assoc protocol mm-decrypt-function-alist)) "Unknown") - (if (equal (car handle) "multipart/signed") - " Signed" " Encrypted") + (cond ((equal (car handle) "multipart/signed") " Signed") + ((equal (car handle) "multipart/encrypted") " Encrypted") + ((and (equal (car handle) "application/pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle 'protocol) + "application/pkcs7-mime_signed-data")) + " Signed") + ((and (equal (car handle) "application/pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle 'protocol) + "application/pkcs7-mime_enveloped-data")) + " Encrypted") + ;; application/x-pkcs7-mime + ((and (equal (car handle) "application/x-pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle 'protocol) + "application/x-pkcs7-mime_signed-data")) + " Signed") + ((and (equal (car handle) "application/x-pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle 'protocol) + "application/x-pkcs7-mime_enveloped-data")) + " Encrypted")) " Part")) (gnus-tmp-info (or (mm-handle-multipart-ctl-parameter handle 'gnus-info) diff --git a/lisp/gnus/mm-decode.el b/lisp/gnus/mm-decode.el index 96695aabfd..da1a7c36a5 100644 --- a/lisp/gnus/mm-decode.el +++ b/lisp/gnus/mm-decode.el @@ -473,6 +473,7 @@ mm-dissect-default-type (autoload 'mml2015-verify-test "mml2015") (autoload 'mml-smime-verify "mml-smime") (autoload 'mml-smime-verify-test "mml-smime") +(autoload 'mm-view-pkcs7-verify "mm-view") (defvar mm-verify-function-alist '(("application/pgp-signature" mml2015-verify "PGP" mml2015-verify-test) 
@@ -481,7 +482,15 @@ mm-verify-function-alist ("application/pkcs7-signature" mml-smime-verify "S/MIME" mml-smime-verify-test) ("application/x-pkcs7-signature" mml-smime-verify "S/MIME" - mml-smime-verify-test))) + mml-smime-verify-test) + ("application/x-pkcs7-signature" mml-smime-verify "S/MIME" + mml-smime-verify-test) + ;; these are only used for security-buttons and contain the + ;; smime-type after the underscore + ("application/pkcs7-mime_signed-data" mm-view-pkcs7-verify "S/MIME" + nil) + ("application/x-pkcs7-mime_signed-data" mml-view-pkcs7-verify "S/MIME" + nil))) (defcustom mm-verify-option 'never "Option of verifying signed parts. @@ -500,11 +509,16 @@ mm-verify-option (autoload 'mml2015-decrypt "mml2015") (autoload 'mml2015-decrypt-test "mml2015") +(autoload 'mm-view-pkcs7-decrypt "mm-view") (defvar mm-decrypt-function-alist '(("application/pgp-encrypted" mml2015-decrypt "PGP" mml2015-decrypt-test) ("application/x-gnus-pgp-encrypted" mm-uu-pgp-encrypted-extract-1 "PGP" - mm-uu-pgp-encrypted-test))) + mm-uu-pgp-encrypted-test) + ;; these are only used for security-buttons and contain the + ;; smime-type after the underscore + ("application/pkcs7-mime_enveloped-data" mm-view-pkcs7-decrypt "S/MIME" nil) + ("application/x-pkcs7-mime_enveloped-data" mm-view-pkcs7-decrypt "S/MIME" nil))) (defcustom mm-decrypt-option nil "Option of decrypting encrypted parts. 
@@ -682,14 +696,29 @@ mm-dissect-buffer (car ctl)) (cons (car ctl) (mm-dissect-multipart ctl from)))) (t - (mm-possibly-verify-or-decrypt - (mm-dissect-singlepart - ctl - (and cte (intern (downcase (mail-header-strip-cte cte)))) - no-strict-mime - (and cd (mail-header-parse-content-disposition cd)) - description id) - ctl from)))) + (let* ((handle + (mm-dissect-singlepart + ctl + (and cte (intern (downcase (mail-header-strip-cte cte)))) + no-strict-mime + (and cd (mail-header-parse-content-disposition cd)) + description id)) + (intermediate-result (mm-possibly-verify-or-decrypt handle ctl from))) + (when (and (equal type "application") + (or (equal subtype "pkcs7-mime") + (equal subtype "x-pkcs7-mime"))) + (add-text-properties 0 + (length (car ctl)) + (list 'protocol + (concat (substring-no-properties (car ctl)) + "_" + (cdr (assoc 'smime-type ctl)))) + (car ctl)) + ;; if this is a pkcs7-mime lets treat this special and + ;; more like multipart so the pkcs7-mime part does not + ;; get ignored + (setq intermediate-result (cons (car ctl) (list intermediate-result)))) + intermediate-result)))) (when id (when (string-match " *<\\(.*\\)> *" id) (setq id (match-string 1 id))) 
@@ -1672,17 +1701,27 @@ mm-possibly-verify-or-decrypt (cond ((or (equal type "application/x-pkcs7-mime") (equal type "application/pkcs7-mime")) - (with-temp-buffer - (when (and (cond - ((eq mm-decrypt-option 'never) nil) - ((eq mm-decrypt-option 'always) t) - ((eq mm-decrypt-option 'known) t) - (t (y-or-n-p - (format "Decrypt (S/MIME) part? ")))) - (mm-view-pkcs7 parts from)) - (goto-char (point-min)) - (insert "Content-type: text/plain\n\n") - (setq parts (mm-dissect-buffer t))))) + (add-text-properties 0 (length (car ctl)) + (list 'buffer (car parts)) + (car ctl)) + (let* ((smime-type (cdr (assoc 'smime-type ctl))) + (envelope-p (string= smime-type "enveloped-data")) + (decrypt-or-sign-option (if envelope-p + mm-decrypt-option + mm-verify-option)) + (question (if envelope-p + "Decrypt (S/MIME) part? " + "Verify signed (S/MIME) part? "))) + (with-temp-buffer + (when (and (cond + ((eq decrypt-or-sign-option 'never) nil) + ((eq decrypt-or-sign-option 'always) t) + ((eq decrypt-or-sign-option 'known) t) + (t (y-or-n-p + (format question))))) + (mm-view-pkcs7 parts from) + (goto-char (point-min)) + (setq parts (mm-dissect-buffer t)))))) ((equal subtype "signed") (unless (and (setq protocol (mm-handle-multipart-ctl-parameter ctl 'protocol)) diff --git a/lisp/gnus/mm-view.el b/lisp/gnus/mm-view.el index 828ac633dc..34da9464ce 100644 --- a/lisp/gnus/mm-view.el +++ b/lisp/gnus/mm-view.el 
@@ -591,8 +591,15 @@ mm-view-pkcs7-verify (with-temp-buffer (insert-buffer-substring (mm-handle-buffer handle)) (goto-char (point-min)) - (let ((part (base64-decode-string (buffer-string)))) - (epg-verify-string (epg-make-context 'CMS) part)))) + (let* ((part (base64-decode-string (buffer-string))) + (context (epg-make-context 'CMS)) + (plain (epg-verify-string context part))) + (mm-sec-status + 'gnus-info + (epg-verify-result-to-string (epg-context-result-for context 'verify)) + 'gnus-details + nil) + plain))) (with-temp-buffer (insert "MIME-Version: 1.0\n") (mm-insert-headers "application/pkcs7-mime" "base64" "smime.p7m") @@ -601,6 +608,10 @@ mm-view-pkcs7-verify (if verified (insert verified) (insert-buffer-substring smime-details-buffer))) + (goto-char (point-min)) + (while (search-forward "\r\n" nil t) + (replace-match "\n")) + (goto-char (point-min)) t)) (autoload 'epg-decrypt-string "epg") 
@@ -612,7 +623,15 @@ mm-view-pkcs7-decrypt ;; Use EPG/gpgsm (let ((part (base64-decode-string (buffer-string)))) (erase-buffer) - (insert (epg-decrypt-string (epg-make-context 'CMS) part))) + (insert + (let* ((context (epg-make-context 'CMS)) + (plain (epg-decrypt-string context part))) + (mm-sec-status + 'gnus-info + "OK" + 'gnus-details + nil) + plain))) ;; Use openssl (insert "MIME-Version: 1.0\n") (mm-insert-headers "application/pkcs7-mime" "base64" "smime.p7m") -- 2.25.2
--=-=-=--
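Review bot: In the gnus-mime-security-verify-or-decrypt hunk (@@ -8733,9 +8761,16 @@), when pkcs7-mime-p is true nparts is built with (list ...), so it is always a fresh cons and (eq nparts (cdr handle)) can never be true; the unless guard therefore always reaches (setcdr handle nparts) for these parts. Compare (car nparts) with (cadr handle) if the update is meant to be skipped when nothing changed, or state in the comment that the pkcs7 branch always replaces the cdr. (when (not pkcs7-mime-p) ...) also reads more simply as (unless pkcs7-mime-p ...).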
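Review bot: The cond that replaces the if in the gnus-insert-mime-security-button hunk (@@ -8793,8 +8828,25 @@) has no default clause, so a handle that matches none of the six tests yields nil where the old code always produced a string; before this change everything that was not multipart/signed was labelled " Encrypted". Add an explicit (t ...) clause with the intended label so that a pkcs7-mime part with an unexpected or missing protocol property gets a deliberate label.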
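Review bot: In the mm-verify-function-alist hunk (@@ -481,7 +482,15 @@) the entry for "application/x-pkcs7-mime_signed-data" names mml-view-pkcs7-verify, while the autoload added just above and the "application/pkcs7-mime_signed-data" entry use mm-view-pkcs7-verify; no function with the mml- name is defined or autoloaded anywhere in this patch, so this looks like a typo. The hunk also adds a second "application/x-pkcs7-signature" entry identical to the one already in the list, which can be dropped.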
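Review bot: In the mm-dissect-buffer hunk (@@ -682,14 +696,29 @@) the protocol property is built by concatenating (cdr (assoc 'smime-type ctl)) without checking it, so a part that has no smime-type parameter gets the protocol "application/pkcs7-mime_", which matches none of the new alist entries and none of the new display clauses. Handle a missing or unrecognised smime-type explicitly at this point and document what the button should show for it. The in-place add-text-properties on (car ctl) also deserves a comment, since it mutates a string that the caller still holds.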
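Review bot: In the mm-possibly-verify-or-decrypt hunk (@@ -1672,17 +1701,27 @@) the result of (mm-view-pkcs7 parts from) no longer gates the re-dissection: the old code reached (setq parts (mm-dissect-buffer t)) only when both the option check and mm-view-pkcs7 returned non-nil, while the new code calls mm-dissect-buffer whenever the option check passes. Keep the call inside the test, as in (when (and (cond ...) (mm-view-pkcs7 parts from)) ...), so that output from a failed decrypt or verify is not dissected as if the operation had succeeded. In the same hunk every smime-type other than "enveloped-data", including a missing one, is treated as a verify request, and (format question) can be just question.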
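Review bot: In the mm-view-pkcs7-decrypt hunk (@@ -612,7 +623,15 @@) mm-sec-status records the literal "OK" without consulting context, which is bound but used only as the argument to epg-decrypt-string. Take the status from the context's results, the way the verify hunk does with (epg-context-result-for context 'verify), and set a failure status when decryption does not succeed; the commit message lists this as TODO, but until then the security button for this path can only ever report success.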
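The effect named in the first item of the commit message above (a forced text/plain header in front of the decrypted content keeps the signed part from being verified), reproduced with Python's standard email parser. This is an added illustration, not part of the patch or of Gnus; `dissect_decrypted`, the step names and the sample plaintext are constructed for this example.

```python
"""Added illustration (not Gnus code): why forcing text/plain hides the
signed layer of an S/MIME message that is encrypted AND signed."""
import email

# Constructed sample: what a CMS decrypt step hands back for such a mail.
# The plaintext is itself a MIME entity that announces a signed-data blob.
# The base64 body is a placeholder, not a real CMS structure.
DECRYPTED_INNER = (
    b'Content-Type: application/pkcs7-mime; smime-type=signed-data;\r\n'
    b' name="smime.p7m"\r\n'
    b'Content-Transfer-Encoding: base64\r\n'
    b'\r\n'
    b'Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=\r\n'
)

PKCS7_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
# smime-type values and the step a mail reader has to take next.
NEXT_STEP = {"enveloped-data": "decrypt", "signed-data": "verify"}


def dissect_decrypted(plaintext: bytes, force_text_plain: bool) -> dict:
    """Parse decrypted output the way a MIME dissector would.

    force_text_plain=True reproduces the old behaviour described in the
    commit message: a text/plain header block is put in front of the
    plaintext before it is parsed again.
    """
    # Drop carriage returns first, as the patch does for the decrypt and
    # verify output.
    data = plaintext.replace(b"\r\n", b"\n")
    if force_text_plain:
        data = b"Content-type: text/plain\n\n" + data
    part = email.message_from_bytes(data)
    ctype = part.get_content_type()
    smime_type = part.get_param("smime-type")
    if isinstance(smime_type, str):
        smime_type = smime_type.lower()
    if ctype in PKCS7_TYPES:
        # A missing or unknown smime-type is reported, never guessed.
        step = NEXT_STEP.get(smime_type, "unknown-smime-type")
    else:
        step = "display"
    return {
        "content_type": ctype,
        "smime_type": smime_type,
        "next_step": step,
        # True when the inner entity's own headers ended up in the body,
        # i.e. the reader shows them as text instead of acting on them.
        "inner_headers_shown_as_text": "smime-type=" in part.get_payload(),
    }


if __name__ == "__main__":
    for forced in (True, False):
        print(forced, dissect_decrypted(DECRYPTED_INNER, forced))
```

With the forced header the dissector sees a plain text part and the signature is never checked; without it the inner part is recognised as signed-data and routed to verification.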
From debbugs-submit-bounces@debbugs.gnu.org Sun Apr 19 08:16:23 2020
From: Noam Postavsky
To: Sebastian Fieber
Subject: Re: bug#40397: 28.0.50; epg decrypt does not verify signed content in smime
In-Reply-To: <87h7xv9k3x.fsf@web.de> (Sebastian Fieber's message of "Tue, 07 Apr 2020 21:22:26 +0200")
Date: Sun, 19 Apr 2020 08:16:10 -0400
Message-ID: <86blnn8yd1.fsf@gmail.com>
Cc: 40397@debbugs.gnu.org

As I mentioned previously, I'm not really familiar enough with the code
to give a proper review, but I have a couple of minor comments.

Sebastian Fieber writes:

> + (setq intermediate-result (cons (car ctl) (list intermediate-result))))

Or just

(setq intermediate-result (list (car ctl) intermediate-result))

> @@ -1672,17 +1701,27 @@ mm-possibly-verify-or-decrypt > - (with-temp-buffer > - (when (and (cond > - ((eq mm-decrypt-option 'never) nil) > - ((eq mm-decrypt-option 'always) t) > - ((eq mm-decrypt-option 'known) t) > - (t (y-or-n-p > - (format "Decrypt (S/MIME) part? ")))) > - (mm-view-pkcs7 parts from)) > - (goto-char (point-min)) > - (insert "Content-type: text/plain\n\n") > - (setq parts (mm-dissect-buffer t))))) > + (add-text-properties 0 (length (car ctl)) > + (list 'buffer (car parts)) > + (car ctl)) > + (let* ((smime-type (cdr (assoc 'smime-type ctl))) > + (envelope-p (string= smime-type "enveloped-data")) > + (decrypt-or-sign-option (if envelope-p > + mm-decrypt-option > + mm-verify-option)) > + (question (if envelope-p > + "Decrypt (S/MIME) part? " > + "Verify signed (S/MIME) part? "))) > + (with-temp-buffer > + (when (and (cond > + ((eq decrypt-or-sign-option 'never) nil) > + ((eq decrypt-or-sign-option 'always) t) > + ((eq decrypt-or-sign-option 'known) t) > + (t (y-or-n-p > + (format question))))) > + (mm-view-pkcs7 parts from) > + (goto-char (point-min)) > + (setq parts (mm-dissect-buffer t))))))

You moved the 'mm-view-pkcs7' call out of the condition. If that was on
purpose, then you should remove the 'and', since it's now redundant.

From debbugs-submit-bounces@debbugs.gnu.org Sun Aug 02 02:02:38 2020
From: Lars Ingebrigtsen
To: Sebastian Fieber
Subject: Re: bug#40397: 28.0.50; epg decrypt does not verify signed content in smime
Date: Sun, 02 Aug 2020 08:02:26 +0200
In-Reply-To: <87h7xv9k3x.fsf@web.de> (Sebastian Fieber's message of "Tue, 07 Apr 2020 21:22:26 +0200")
Message-ID: <873655oaa5.fsf@gnus.org>
Cc: 40397@debbugs.gnu.org, Noam Postavsky

Sebastian Fieber writes:

> I have attached a new patch which fixes the problem

Thanks; I didn't see this bug report before I fixed the text/plain thing
in a different way.
(So I think s/mime should basically work again now in Emacs 27.)

> and also does
> implement support for the security buttons for application/pkcs7-mime
> parts. This is quite nice as application/pkcs7-mime parts are not
> handled automatically by default in gnus. ATM you have to set
> mm-decrypt-option and mm-verify-option at least to 'ask. So with this
> supported it should now work out of the box even without setting
> mm-decrypt-option and mm-verify-option because now gnus shows the
> buttons properly and one can click on them and decrypt/verify the part
> "manually".

This sounds like a good addition to me, and would like to apply the
patch to Emacs 28. It's a large patch, though, and you don't seem to
have copyright FSF assignment on file -- is that correct? If it is,
would you be willing to sign such paperwork, and we can then apply the
patch?

--
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

From debbugs-submit-bounces@debbugs.gnu.org Sun Aug 02 02:02:44 2020
Date: Sun, 02 Aug 2020 08:02:33 +0200
Message-Id: <871rkpoa9y.fsf@gnus.org>
To: control@debbugs.gnu.org
From: Lars Ingebrigtsen
Subject: control message for bug #40397

tags 40397 + patch
quit

From debbugs-submit-bounces@debbugs.gnu.org Sun Aug 02 02:02:49 2020
Date: Sun, 02 Aug 2020 08:02:38 +0200
Message-Id: <87zh7dmvpd.fsf@gnus.org>
To: control@debbugs.gnu.org
From: Lars Ingebrigtsen
Subject: control message for bug #40397

tags 40397 + moreinfo
quit

From debbugs-submit-bounces@debbugs.gnu.org Sun Aug 02 16:11:32 2020
From: Sebastian Fieber
To: Lars Ingebrigtsen
Subject: Re: bug#40397: 28.0.50; epg decrypt does not verify signed content in smime
Date: Sun, 02 Aug 2020 22:11:20 +0200
In-Reply-To: <873655oaa5.fsf@gnus.org> (Lars Ingebrigtsen's message of "Sun, 02 Aug 2020 08:02:26 +0200")
Message-ID: <87bljsajvb.fsf@web.de>
Cc: 40397@debbugs.gnu.org

On So, Aug 02 2020, Lars Ingebrigtsen wrote:

>> and also does
>> implement support for the security buttons for application/pkcs7-mime
>> parts. This is quite nice as application/pkcs7-mime parts are not
>> handled automatically by default in gnus. ATM you have to set
>> mm-decrypt-option and mm-verify-option at least to 'ask. So with this
>> supported it should now work out of the box even without setting
>> mm-decrypt-option and mm-verify-option because now gnus shows the
>> buttons properly and one can click on them and decrypt/verify the part
>> "manually".
>
> This sounds like a good addition to me, and would like to apply the
> patch to Emacs 28. It's a large patch, though, and you don't seem to
> have copyright FSF assignment on file -- is that correct? If it is,
> would you be willing to sign such paperwork, and we can then apply the
> patch?

Yes, I haven't done any copyright assignment yet but I'd be willing to
do so if someone can guide me a bit or point me to where I can find info
about what I have to do.

There is some untested and unimplemented stuff in my implementation. If
I remember correctly, there is no real handling of error cases which I
wanted to add so it is on par with the other security buttons
implementations.
So I'd like to work on this a bit more and provide a more fully featured patch. But I'm pretty busy right now with real life, so this may take a few months as I'd need to find some time. Nontheless I will check if I have done any changes to my provided patch and resubmit it if I have any work pending - if you don't want to wait for me and want to apply the patch anyway even without proper error handling. From debbugs-submit-bounces@debbugs.gnu.org Sun Aug 02 22:27:22 2020 Received: (at 40397) by debbugs.gnu.org; 3 Aug 2020 02:27:22 +0000 Received: from localhost ([127.0.0.1]:43755 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1k2QCA-0002fR-3N for submit@debbugs.gnu.org; Sun, 02 Aug 2020 22:27:22 -0400 Received: from eggs.gnu.org ([209.51.188.92]:57522) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1k2QC5-0002fA-0R for 40397@debbugs.gnu.org; Sun, 02 Aug 2020 22:27:20 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:60500) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1k2QBz-0005fI-Mx; Sun, 02 Aug 2020 22:27:11 -0400 Received: from [176.228.60.248] (port=2627 helo=home-c4e4a596f7) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1k2QBy-0007bu-GT; Sun, 02 Aug 2020 22:27:11 -0400 Date: Mon, 03 Aug 2020 05:26:56 +0300 Message-Id: <83h7tkbh1r.fsf@gnu.org> 
From: Eli Zaretskii
To: Sebastian Fieber
Cc: larsi@gnus.org, 40397@debbugs.gnu.org
Subject: Re: bug#40397: 28.0.50; epg decrypt does not verify signed content in smime
In-Reply-To: <87bljsajvb.fsf@web.de> (message from Sebastian Fieber on Sun, 02 Aug 2020 22:11:20 +0200)

> From: Sebastian Fieber
> Date: Sun, 02 Aug 2020 22:11:20 +0200
> Cc: 40397@debbugs.gnu.org
>
> Yes, I haven't done any copyright assignment yet but I'd be willing to
> do so if someone can guide me a bit or point me to where I can find info
> about what I have to do.

Thanks, form sent off-list.

From debbugs-submit-bounces@debbugs.gnu.org Mon Aug 03 02:06:31 2020
From: Lars Ingebrigtsen
To: Sebastian Fieber
Cc: 40397@debbugs.gnu.org
Subject: Re: bug#40397: 28.0.50; epg decrypt does not verify signed content in smime
Date: Mon, 03 Aug 2020 08:06:18 +0200
In-Reply-To: <87bljsajvb.fsf@web.de> (Sebastian Fieber's message of "Sun, 02 Aug 2020 22:11:20 +0200")
Message-ID: <87sgd4e011.fsf@gnus.org>

Sebastian Fieber writes:

> There are some untested and unimplemented stuff in my implementation.
> If I remember correct there is no real handling of error cases which I
> wanted to add so it is on par with the other security buttons
> implementations.

Sure, that sounds good. Error handling is something that's lacking in
many parts of the Emacs handling of signing/encryption, unfortunately.

> So I'd like to work on this a bit more and provide a
> more fully featured patch. But I'm pretty busy right now with real
> life, so this may take a few months as I'd need to find some time.

Sure, no hurry. :-)

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

From debbugs-submit-bounces@debbugs.gnu.org Mon Sep 14 10:59:43 2020
Date: Mon, 14 Sep 2020 16:59:32 +0200
Message-Id: <87zh5s76az.fsf@gnus.org>
To: control@debbugs.gnu.org
From: Lars Ingebrigtsen
Subject: control message for bug #40397

tags 40397 - moreinfo
quit

From debbugs-submit-bounces@debbugs.gnu.org Wed Jul 21 11:42:01 2021
From: Lars Ingebrigtsen
To: Sebastian Fieber
Cc: 40397@debbugs.gnu.org
Subject: Re: bug#40397: 28.0.50; epg decrypt does not verify signed content in smime encrypted and signed message
Date: Wed, 21 Jul 2021 17:41:50 +0200
In-Reply-To: <87sgd4e011.fsf@gnus.org> (Lars Ingebrigtsen's message of "Mon, 03 Aug 2020 08:06:18 +0200")
Message-ID: <87fsw7ptc1.fsf_-_@gnus.org>

Lars Ingebrigtsen writes:

>> So I'd like to work on this a bit more and provide a
>> more fully featured patch. But I'm pretty busy right now with real
>> life, so this may take a few months as I'd need to find some time.
>
> Sure, no hurry. :-)

This was a year ago -- has there been any progress here?

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

From debbugs-submit-bounces@debbugs.gnu.org Wed Jul 21 14:07:20 2021
From: Sebastian Fieber
To: Lars Ingebrigtsen
Cc: 40397@debbugs.gnu.org
Subject: Re: bug#40397: 28.0.50; epg decrypt does not verify signed content in smime encrypted and signed message
In-Reply-To: <87fsw7ptc1.fsf_-_@gnus.org> (Lars Ingebrigtsen's message of "Wed, 21 Jul 2021 17:41:50 +0200")
Date: Wed, 21 Jul 2021 20:07:11 +0200
Message-ID: <87y29zo81c.fsf@web.de>

On Mi, Jul 21 2021, Lars Ingebrigtsen wrote:

> Lars Ingebrigtsen writes:
>
>>> So I'd like to work on this a bit more and provide a
>>> more fully featured patch. But I'm pretty busy right now with real
>>> life, so this may take a few months as I'd need to find some time.
>>
>> Sure, no hurry. :-)
>
> This was a year ago -- has there been any progress here?

Sorry, haven't got to it yet, but it's still on my TODO list. Also the
paper work for the FSF from my employer is still not finished.

I will try my best to get some traction at my employer so the paperwork
gets done soon and the patch, as it is now, can at least be accepted.
I'd still like to work on it, but maybe that would be better as another
patch building upon this one? What do you think?

From debbugs-submit-bounces@debbugs.gnu.org Wed Jul 21 18:02:35 2021
From: Lars Ingebrigtsen
To: Sebastian Fieber
Cc: 40397@debbugs.gnu.org
Subject: Re: bug#40397: 28.0.50; epg decrypt does not verify signed content in smime encrypted and signed message
Date: Thu, 22 Jul 2021 00:02:25 +0200
In-Reply-To: <87y29zo81c.fsf@web.de> (Sebastian Fieber's message of "Wed, 21 Jul 2021 20:07:11 +0200")
Message-ID: <874kcnnx5a.fsf@gnus.org>

Sebastian Fieber writes:

> I will try my best to get some traction at my employer so the paperwork
> gets done soon and the patch, as it is now, can at least be accepted.
> I'd still like to work on it, but maybe that would be better as another
> patch building upon this one? What do you think?

Sure; whatever is most convenient for you.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

From debbugs-submit-bounces@debbugs.gnu.org Tue Dec 21 14:39:50 2021
From: Sebastian Fieber
To: Lars Ingebrigtsen
Cc: 40397@debbugs.gnu.org
Subject: Re: bug#40397: 28.0.50; epg decrypt does not verify signed content in smime encrypted and signed message
In-Reply-To: <874kcnnx5a.fsf@gnus.org> (Lars Ingebrigtsen's message of "Thu, 22 Jul 2021 00:02:25 +0200")
Date: Tue, 21 Dec 2021 20:39:36 +0100
Message-ID: <878rwd3fyf.fsf@web.de>

On Do, Jul 22 2021, Lars Ingebrigtsen wrote:

> Sebastian Fieber writes:
>
>> I will try my best to get some traction at my employer so the paperwork
>> gets done soon and the patch, as it is now, can at least be accepted.
>> I'd still like to work on it, but maybe that would be better as another
>> patch building upon this one? What do you think?
>
> Sure; whatever is most convenient for you.

And another half of a year later the paper work is done, yay!

*sigh*

You can now apply the patch, if it's still relevant. Please let me know
if there are any problems or any help is needed.

From debbugs-submit-bounces@debbugs.gnu.org Wed Dec 22 07:44:46 2021
From: Lars Ingebrigtsen
To: Sebastian Fieber
Cc: 40397@debbugs.gnu.org
Subject: Re: bug#40397: 28.0.50; epg decrypt does not verify signed content in smime encrypted and signed message
Date: Wed, 22 Dec 2021 13:44:34 +0100
In-Reply-To: <878rwd3fyf.fsf@web.de> (Sebastian Fieber's message of "Tue, 21 Dec 2021 20:39:36 +0100")
Message-ID: <87lf0cerm5.fsf@gnus.org>

Sebastian Fieber writes:

> And another half of a year later the paper work is done, yay!

Yay. 😀

> *sigh*
>
> You can now apply the patch, if it's still relevant. Please let me know
> if there are any problems or any help is needed.

Still seems relevant to me, but the patch no longer applies due to other
changes in Gnus. Can you re-spin the patch for Emacs 29, and then I'll
get it committed.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

From debbugs-submit-bounces@debbugs.gnu.org Thu Dec 23 13:14:45 2021
From: Sebastian Fieber
To: Lars Ingebrigtsen
Cc: 40397@debbugs.gnu.org
Subject: Re: bug#40397: 28.0.50; epg decrypt does not verify signed content in smime encrypted and signed message
Date: Thu, 23 Dec 2021 19:14:34 +0100
In-Reply-To: <87lf0cerm5.fsf@gnus.org> (Lars Ingebrigtsen's message of "Wed, 22 Dec 2021 13:44:34 +0100")
Message-ID: <87o8576ved.fsf@web.de>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="

--=-=-=
Content-Type: text/plain

On Mi, Dez 22 2021, Lars Ingebrigtsen wrote:

> Still seems relevant to me, but the patch no longer applies due to other
> changes in Gnus.  Can you re-spin the patch for Emacs 29, and then I'll
> get it committed.

This one should apply :)

--=-=-=
Content-Type: text/x-patch
Content-Disposition: attachment; filename=0001-fix-bug-40397.patch
Content-Transfer-Encoding: quoted-printable

From=203f85a1a72953f0877d2edcf56e872e7fe760b9f9 Mon Sep 17 00:00:00 2001
From: Sebastian Fieber
Date: Mon, 6 Apr 2020 20:45:05 +0200
Subject: [PATCH] fix bug #40397

This fixes S/MIME encrypted AND signed mails where in the encrypted
pkcs7 envelope is a signed pkcs7 structure.

Also this patch enables proper security-buttons for pkcs7-mime
encrypted and/or signed mails.

Changes:
- don't force Content-type header to text/plain in front of decrypted
  content for smime decryption using mm-view-pkcs7.  This fixes the
  initial bug where the signed part was not verified due to the wrong
  content type header.
- structure the result of mm-dissect-buffer of application/pkcs7-mime
  like a multipart mail so there is no losing of information of
  verification and decryption results which can now be displayed by
  gnus-mime-display-security
- adjust gnus-mime-display-part to handle application/pkcs7-mime like
  multipart/encrypted or multipart/signed
- add dummy entries to mm-verify-function-alist and
  mm-decrypt-function-alist so gnus-mime-display-security correctly
  displays "S/MIME" and not "unknown protocol"
- don't just check for multipart/signed in
  gnus-insert-mime-security-button but also for the pkcs7-mime mimetypes
  to print "Encrypted" or "Signed" accordingly in the security button
- adjust mm-possibly-verify-or-decrypt to check for smime-type to ask
  whether to verify or decrypt the part and not to always ask to decrypt
- adjust mm-view-pkcs7-decrypt and verify to call mm-sec-status so
  success information can be displayed by gnus-mime-display-security
- in mm-view-pkcs7-verify also remove carriage returns like in
  mm-view-pkcs7-decrypt
- adjust gnus-mime-security-verify-or-decrypt to handle pkcs7-mime right
  with the done changes

TODO:

mm-view-pkcs7-decrypt and verify error handling and reporting.  ATM
there is only the good case implemented - at least for reporting with
gnus-mime-display-security.
=2D-- lisp/gnus/gnus-art.el | 60 ++++++++++++++++++++++++++++--- lisp/gnus/mm-decode.el | 81 +++++++++++++++++++++++++++++++----------- lisp/gnus/mm-view.el | 25 +++++++++++-- 3 files changed, 138 insertions(+), 28 deletions(-) diff --git a/lisp/gnus/gnus-art.el b/lisp/gnus/gnus-art.el index 6b9610d312..b130650df6 100644 =2D-- a/lisp/gnus/gnus-art.el +++ b/lisp/gnus/gnus-art.el @@ -5986,6 +5986,34 @@ gnus-mime-display-part ((equal (car handle) "multipart/encrypted") (gnus-add-wash-type 'encrypted) (gnus-mime-display-security handle)) + ;; pkcs7-mime handling: + ;; + ;; although not really multipart these are structured internally by + ;; mm-dissect-buffer like multipart to not discard the decryption + ;; and verification results + ;; + ;; application/pkcs7-mime + ((and (equal (car handle) "application/pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle 'protocol) + "application/pkcs7-mime_signed-data")) + (gnus-add-wash-type 'signed) + (gnus-mime-display-security handle)) + ((and (equal (car handle) "application/pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle 'protocol) + "application/pkcs7-mime_enveloped-data")) + (gnus-add-wash-type 'encrypted) + (gnus-mime-display-security handle)) + ;; application/x-pkcs7-mime + ((and (equal (car handle) "application/x-pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle 'protocol) + "application/x-pkcs7-mime_signed-data")) + (gnus-add-wash-type 'signed) + (gnus-mime-display-security handle)) + ((and (equal (car handle) "application/x-pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle 'protocol) + "application/x-pkcs7-mime_enveloped-data")) + (gnus-add-wash-type 'encrypted) + (gnus-mime-display-security handle)) ;; Other multiparts are handled like multipart/mixed. (t (gnus-mime-display-mixed (cdr handle))))) 
@@ -8733,9 +8761,16 @@ gnus-mime-security-verify-or-decrypt (with-current-buffer (mm-handle-multipart-original-buffer handle) (let* ((mm-verify-option 'known) (mm-decrypt-option 'known) =2D (nparts (mm-possibly-verify-or-decrypt (cdr handle) handle))) + (pkcs7-mime-p (or (equal (car handle) "application/pkcs7-mime= ") + (equal (car handle) "application/x-pkcs7-mi= me"))) + (nparts (if pkcs7-mime-p + (list (mm-possibly-verify-or-decrypt (cadr handle= ) (cadadr handle))) + (mm-possibly-verify-or-decrypt (cdr handle) handle)= ))) (unless (eq nparts (cdr handle)) =2D (mm-destroy-parts (cdr handle)) + ;; if pkcs7-mime don't destroy the parts as the buffer in + ;; the cdr still needs to be accessible + (when (not pkcs7-mime-p) + (mm-destroy-parts (cdr handle))) (setcdr handle nparts)))) (gnus-mime-display-security handle) (when region 
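Review bot: in the pkcs7-mime case the `unless` body now skips `mm-destroy-parts` but still runs `(setcdr handle nparts)`, so the old cdr is replaced without being destroyed; the comment says the buffer "still needs to be accessible" but not who owns it afterwards or when it is freed, and that should be stated or handled. The `(cadr handle)` and `(cadadr handle)` arguments depend on the nested shape that mm-dissect-buffer builds for these parts, so a one-line comment naming that shape would make the call checkable. `(when (not pkcs7-mime-p) ...)` reads better as `(unless pkcs7-mime-p ...)`.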
@@ -8793,8 +8828,25 @@ gnus-insert-mime-security-button (or (nth 2 (assoc protocol mm-verify-function-alist)) (nth 2 (assoc protocol mm-decrypt-function-alist)) "Unknown") =2D (if (equal (car handle) "multipart/signed") =2D " Signed" " Encrypted") + (cond ((equal (car handle) "multipart/signed") " Signed") + ((equal (car handle) "multipart/encrypted") " Encrypted") + ((and (equal (car handle) "application/pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle 'p= rotocol) + "application/pkcs7-mime_signed-data")) + " Signed") + ((and (equal (car handle) "application/pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle 'p= rotocol) + "application/pkcs7-mime_enveloped-data")) + " Encrypted") + ;; application/x-pkcs7-mime + ((and (equal (car handle) "application/x-pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle 'p= rotocol) + "application/x-pkcs7-mime_signed-data")) + " Signed") + ((and (equal (car handle) "application/x-pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle 'p= rotocol) + "application/x-pkcs7-mime_enveloped-data")) + " Encrypted")) " Part")) (gnus-tmp-info (or (mm-handle-multipart-ctl-parameter handle 'gnus-info) diff --git a/lisp/gnus/mm-decode.el b/lisp/gnus/mm-decode.el index 96695aabfd..da1a7c36a5 100644 =2D-- a/lisp/gnus/mm-decode.el +++ b/lisp/gnus/mm-decode.el @@ -473,6 +473,7 @@ mm-dissect-default-type (autoload 'mml2015-verify-test "mml2015") (autoload 'mml-smime-verify "mml-smime") (autoload 'mml-smime-verify-test "mml-smime") +(autoload 'mm-view-pkcs7-verify "mm-view") (defvar mm-verify-function-alist '(("application/pgp-signature" mml2015-verify "PGP" mml2015-verify-test) 
@@ -481,7 +482,15 @@ mm-verify-function-alist ("application/pkcs7-signature" mml-smime-verify "S/MIME" mml-smime-verify-test) ("application/x-pkcs7-signature" mml-smime-verify "S/MIME" =2D mml-smime-verify-test))) + mml-smime-verify-test) + ("application/x-pkcs7-signature" mml-smime-verify "S/MIME" + mml-smime-verify-test) + ;; these are only used for security-buttons and contain the + ;; smime-type after the underscore + ("application/pkcs7-mime_signed-data" mm-view-pkcs7-verify "S/MIME" + nil) + ("application/x-pkcs7-mime_signed-data" mml-view-pkcs7-verify "S/MIME" + nil))) (defcustom mm-verify-option 'never "Option of verifying signed parts. @@ -500,11 +509,16 @@ mm-verify-option (autoload 'mml2015-decrypt "mml2015") (autoload 'mml2015-decrypt-test "mml2015") +(autoload 'mm-view-pkcs7-decrypt "mm-view") (defvar mm-decrypt-function-alist '(("application/pgp-encrypted" mml2015-decrypt "PGP" mml2015-decrypt-tes= t) ("application/x-gnus-pgp-encrypted" mm-uu-pgp-encrypted-extract-1 "PGP" =2D mm-uu-pgp-encrypted-test))) + mm-uu-pgp-encrypted-test) + ;; these are only used for security-buttons and contain the + ;; smime-type after the underscore + ("application/pkcs7-mime_enveloped-data" mm-view-pkcs7-decrypt "S/MIME= " nil) + ("application/x-pkcs7-mime_enveloped-data" mm-view-pkcs7-decrypt "S/MI= ME" nil))) (defcustom mm-decrypt-option nil "Option of decrypting encrypted parts. 
@@ -682,14 +696,29 @@ mm-dissect-buffer (car ctl)) (cons (car ctl) (mm-dissect-multipart ctl from)))) (t =2D (mm-possibly-verify-or-decrypt =2D (mm-dissect-singlepart =2D ctl =2D (and cte (intern (downcase (mail-header-strip-cte cte)))) =2D no-strict-mime =2D (and cd (mail-header-parse-content-disposition cd)) =2D description id) =2D ctl from)))) + (let* ((handle + (mm-dissect-singlepart + ctl + (and cte (intern (downcase (mail-header-strip-cte cte))= )) + no-strict-mime + (and cd (mail-header-parse-content-disposition cd)) + description id)) + (intermediate-result (mm-possibly-verify-or-decrypt hand= le ctl from))) + (when (and (equal type "application") + (or (equal subtype "pkcs7-mime") + (equal subtype "x-pkcs7-mime"))) + (add-text-properties 0 + (length (car ctl)) + (list 'protocol + (concat (substring-no-properties= (car ctl)) + "_" + (cdr (assoc 'smime-type = ctl)))) + (car ctl)) + ;; if this is a pkcs7-mime lets treat this special and + ;; more like multipart so the pkcs7-mime part does not + ;; get ignored + (setq intermediate-result (cons (car ctl) (list intermediat= e-result)))) + intermediate-result)))) (when id (when (string-match " *<\\(.*\\)> *" id) (setq id (match-string 1 id))) 
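Review bot: the `protocol` property built in the new `when` block assumes the Content-Type carries an smime-type parameter; when `(cdr (assoc 'smime-type ctl))` is nil the protocol string has nothing after the underscore and matches none of the `_signed-data` / `_enveloped-data` strings that the gnus-art.el hunks compare against. Decide how a pkcs7-mime part without smime-type should be classified and handle that case explicitly here. Also, `(cons (car ctl) (list intermediate-result))` can simply be `(list (car ctl) intermediate-result)`.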
@@ -1672,17 +1701,27 @@ mm-possibly-verify-or-decrypt (cond ((or (equal type "application/x-pkcs7-mime") (equal type "application/pkcs7-mime")) =2D (with-temp-buffer =2D (when (and (cond =2D ((eq mm-decrypt-option 'never) nil) =2D ((eq mm-decrypt-option 'always) t) =2D ((eq mm-decrypt-option 'known) t) =2D (t (y-or-n-p =2D (format "Decrypt (S/MIME) part? ")))) =2D (mm-view-pkcs7 parts from)) =2D (goto-char (point-min)) =2D (insert "Content-type: text/plain\n\n") =2D (setq parts (mm-dissect-buffer t))))) + (add-text-properties 0 (length (car ctl)) + (list 'buffer (car parts)) + (car ctl)) + (let* ((smime-type (cdr (assoc 'smime-type ctl))) + (envelope-p (string=3D smime-type "enveloped-data")) + (decrypt-or-sign-option (if envelope-p + mm-decrypt-option + mm-verify-option)) + (question (if envelope-p + "Decrypt (S/MIME) part? " + "Verify signed (S/MIME) part? "))) + (with-temp-buffer + (when (and (cond + ((eq decrypt-or-sign-option 'never) nil) + ((eq decrypt-or-sign-option 'always) t) + ((eq decrypt-or-sign-option 'known) t) + (t (y-or-n-p + (format question))))) + (mm-view-pkcs7 parts from) + (goto-char (point-min)) + (setq parts (mm-dissect-buffer t)))))) ((equal subtype "signed") (unless (and (setq protocol (mm-handle-multipart-ctl-parameter ctl 'protocol)) diff --git a/lisp/gnus/mm-view.el b/lisp/gnus/mm-view.el index 828ac633dc..34da9464ce 100644 =2D-- a/lisp/gnus/mm-view.el +++ b/lisp/gnus/mm-view.el 
@@ -591,8 +591,15 @@ mm-view-pkcs7-verify (with-temp-buffer (insert-buffer-substring (mm-handle-buffer handle)) (goto-char (point-min)) =2D (let ((part (base64-decode-string (buffer-string)))) =2D (epg-verify-string (epg-make-context 'CMS) part)))) + (let* ((part (base64-decode-string (buffer-string))) + (context (epg-make-context 'CMS)) + (plain (epg-verify-string context part))) + (mm-sec-status + 'gnus-info + (epg-verify-result-to-string (epg-context-result-for context= 'verify)) + 'gnus-details + nil) + plain))) (with-temp-buffer (insert "MIME-Version: 1.0\n") (mm-insert-headers "application/pkcs7-mime" "base64" "smime.p7m") @@ -601,6 +608,10 @@ mm-view-pkcs7-verify (if verified (insert verified) (insert-buffer-substring smime-details-buffer))) + (goto-char (point-min)) + (while (search-forward "\r\n" nil t) + (replace-match "\n")) + (goto-char (point-min)) t)) (autoload 'epg-decrypt-string "epg") 
@@ -612,7 +623,15 @@ mm-view-pkcs7-decrypt ;; Use EPG/gpgsm (let ((part (base64-decode-string (buffer-string)))) (erase-buffer) =2D (insert (epg-decrypt-string (epg-make-context 'CMS) part))) + (insert + (let* ((context (epg-make-context 'CMS)) + (plain (epg-decrypt-string context part))) + (mm-sec-status + 'gnus-info + "OK" + 'gnus-details + nil) + plain))) ;; Use openssl (insert "MIME-Version: 1.0\n") (mm-insert-headers "application/pkcs7-mime" "base64" "smime.p7m") =2D- 2.25.2
--=-=-=--
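Review bot: in the mm-view-pkcs7-decrypt hunk `mm-sec-status` is passed a hard-coded "OK" and `context` is never consulted after `epg-decrypt-string` returns, so the security button can only ever report success, which the commit message's TODO acknowledges. Before this goes in, a failing decrypt should at least set a non-OK `gnus-info` with the error text in `gnus-details`, in the same way the mm-view-pkcs7-verify hunk derives its string from `(epg-context-result-for context 'verify)`.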
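Review bot: in the mm-verify-function-alist hunk the last added entry names `mml-view-pkcs7-verify`, while the autoload added just above it and the `application/pkcs7-mime_signed-data` entry both use `mm-view-pkcs7-verify`; this looks like a typo, and the `mml-` name appears nowhere else in the patch. The same hunk also adds a second `application/x-pkcs7-signature` entry identical to the one already present in the context lines; drop the duplicate.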
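Review bot: in the mm-possibly-verify-or-decrypt hunk the call `(mm-view-pkcs7 parts from)` has moved out of the `and` condition into the body of the `when`, so its return value is ignored and `(setq parts (mm-dissect-buffer t))` runs regardless of whether decryption or verification produced anything. Keep the call inside the `and` as the removed lines did, or test its result before re-dissecting. `(y-or-n-p (format question))` should be `(y-or-n-p question)`, since `question` is a plain prompt and not a format template.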
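Review bot: in the gnus-insert-mime-security-button hunk the new `cond` has no default clause, whereas the removed `if` fell back to " Encrypted" for every handle that was not multipart/signed; any type not listed now yields a button label with neither word. Add a final `(t ...)` clause with the intended fallback. The four pkcs7 clauses here, and the four matching ones in the gnus-mime-display-part hunk, differ only in the type prefix, so a single test on the part after the underscore in the `protocol` value would replace them.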
From: Sebastian Fieber
To: Lars Ingebrigtsen
Cc: 40397@debbugs.gnu.org
Subject: Re: bug#40397: 28.0.50; epg decrypt does not verify signed content in smime encrypted and signed message
Date: Thu, 23 Dec 2021 19:17:28 +0100
In-Reply-To: <87o8576ved.fsf@web.de> (Sebastian Fieber's message of "Thu, 23 Dec 2021 19:14:34 +0100")
Message-ID: <87h7az6v9j.fsf@web.de>

On Do, Dez 23 2021, Sebastian Fieber wrote:

> This one should apply :)

Wait, this was the wrong one.  I'll send the right one during the day!

From: Sebastian Fieber
To: Lars Ingebrigtsen
Cc: 40397@debbugs.gnu.org
Subject: Re: bug#40397: 28.0.50; epg decrypt does not verify signed content in smime encrypted and signed message
Date: Thu, 23 Dec 2021 19:25:17 +0100
In-Reply-To: <87h7az6v9j.fsf@web.de> (Sebastian Fieber's message of "Thu, 23 Dec 2021 19:17:28 +0100")
Message-ID: <87czln6uwi.fsf@web.de>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="

--=-=-=
Content-Type: text/plain

On Do, Dez 23 2021, Sebastian Fieber wrote:

> On Do, Dez 23 2021, Sebastian Fieber wrote:
>
>> This one should apply :)
>
> Wait, this was the wrong one.  I'll send the right one during the day!

And here is the right one.

--=-=-=
Content-Type: text/x-patch
Content-Disposition: attachment; filename=0001-PATCH-fix-bug-40397.patch
Content-Transfer-Encoding: quoted-printable

From=2084ebb0331a0e16b1b767483c9d0bd1c140d73f09 Mon Sep 17 00:00:00 2001
From: Sebastian Fieber
Date: Thu, 23 Dec 2021 15:38:09 +0100
Subject: [PATCH] [PATCH] fix bug #40397

This fixes S/MIME encrypted AND signed mails where in the encrypted
pkcs7 envelope is a signed pkcs7 structure.

Also this patch enables proper security-buttons for pkcs7-mime
encrypted and/or signed mails.

Changes:
- structure the result of mm-dissect-buffer of application/pkcs7-mime
  like a multipart mail so there is no losing of information of
  verification and decryption results which can now be displayed by
  gnus-mime-display-security
- adjust gnus-mime-display-part to handle application/pkcs7-mime like
  multipart/encrypted or multipart/signed
- add dummy entries to mm-verify-function-alist and
  mm-decrypt-function-alist so gnus-mime-display-security correctly
  displays "S/MIME" and not "unknown protocol"
- don't just check for multipart/signed in
  gnus-insert-mime-security-button but also for the pkcs7-mime mimetypes
  to print "Encrypted" or "Signed" accordingly in the security button
- adjust mm-possibly-verify-or-decrypt to check for smime-type to ask
  whether to verify or decrypt the part and not to always ask to decrypt
- adjust mm-view-pkcs7-decrypt and verify to call mm-sec-status so
  success information can be displayed by gnus-mime-display-security
- adjust gnus-mime-security-verify-or-decrypt to handle pkcs7-mime right
  with the done changes
=2D-- lisp/gnus/gnus-art.el | 78 ++++++++++++++++++++----- lisp/gnus/mm-decode.el | 128 +++++++++++++++++++++++++---------------- lisp/gnus/mm-view.el | 13 +++-- 3 files changed, 149 insertions(+), 70 deletions(-) diff --git a/lisp/gnus/gnus-art.el b/lisp/gnus/gnus-art.el index b7701f10a5..a83f4b7d59 100644 =2D-- a/lisp/gnus/gnus-art.el +++ b/lisp/gnus/gnus-art.el
@@ -6084,6 +6084,34 @@ gnus-mime-display-part ((equal (car handle) "multipart/encrypted") (gnus-add-wash-type 'encrypted) (gnus-mime-display-security handle)) + ;; pkcs7-mime handling: + ;; + ;; although not really multipart these are structured internally by + ;; mm-dissect-buffer like multipart to not discard the decryption + ;; and verification results + ;; + ;; application/pkcs7-mime + ((and (equal (car handle) "application/pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle 'protocol) + "application/pkcs7-mime_signed-data")) + (gnus-add-wash-type 'signed) + (gnus-mime-display-security handle)) + ((and (equal (car handle) "application/pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle 'protocol) + "application/pkcs7-mime_enveloped-data")) + (gnus-add-wash-type 'encrypted) + (gnus-mime-display-security handle)) + ;; application/x-pkcs7-mime + ((and (equal (car handle) "application/x-pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle 'protocol) + "application/x-pkcs7-mime_signed-data")) + (gnus-add-wash-type 'signed) + (gnus-mime-display-security handle)) + ((and (equal (car handle) "application/x-pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle 'protocol) + "application/x-pkcs7-mime_enveloped-data")) + (gnus-add-wash-type 'encrypted) + (gnus-mime-display-security handle)) ;; Other multiparts are handled like multipart/mixed. (t (gnus-mime-display-mixed (cdr handle))))) 
@@ -8833,11 +8861,18 @@ gnus-mime-security-verify-or-decrypt (setq point (point)) (with-current-buffer (mm-handle-multipart-original-buffer handle) (let* ((mm-verify-option 'known) =2D (mm-decrypt-option 'known) =2D (nparts (mm-possibly-verify-or-decrypt (cdr handle) handle))) =2D (unless (eq nparts (cdr handle)) =2D (mm-destroy-parts (cdr handle)) =2D (setcdr handle nparts)))) + (mm-decrypt-option 'known) + (pkcs7-mime-p (or (equal (car handle) "application/pkcs7-mime= ") + (equal (car handle) "application/x-pkcs7-mi= me"))) + (nparts (if pkcs7-mime-p + (list (mm-possibly-verify-or-decrypt (cadr handle= ) (cadadr handle))) + (mm-possibly-verify-or-decrypt (cdr handle) handle)= ))) + (unless (eq nparts (cdr handle)) + ;; if pkcs7-mime don't destroy the parts as the buffer in + ;; the cdr still needs to be accessible + (when (not pkcs7-mime-p) + (mm-destroy-parts (cdr handle))) + (setcdr handle nparts)))) (gnus-mime-display-security handle) (when region (delete-region (point) (cdr region)) 
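Review bot: several lines in this hunk, among them `(mm-decrypt-option 'known)`, `(unless (eq nparts (cdr handle))` and `(setcdr handle nparts)`, are removed and re-added with the same text, which points to whitespace-only re-indentation mixed into the functional change. Please drop that churn so the diff shows only the new `pkcs7-mime-p` binding, the changed `nparts` form and the guarded `mm-destroy-parts` call.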
@@ -8891,14 +8926,31 @@ gnus-insert-mime-security-button (let* ((protocol (mm-handle-multipart-ctl-parameter handle 'protocol)) (gnus-tmp-type (concat =2D (or (nth 2 (assoc protocol mm-verify-function-alist)) =2D (nth 2 (assoc protocol mm-decrypt-function-alist)) =2D "Unknown") =2D (if (equal (car handle) "multipart/signed") =2D " Signed" " Encrypted") =2D " Part")) =2D (gnus-tmp-info =2D (or (mm-handle-multipart-ctl-parameter handle 'gnus-info) + (or (nth 2 (assoc protocol mm-verify-function-alist)) + (nth 2 (assoc protocol mm-decrypt-function-alist)) + "Unknown") + (cond ((equal (car handle) "multipart/signed") " Signed") + ((equal (car handle) "multipart/encrypted") " Encrypted") + ((and (equal (car handle) "application/pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle 'p= rotocol) + "application/pkcs7-mime_signed-data")) + " Signed") + ((and (equal (car handle) "application/pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle 'p= rotocol) + "application/pkcs7-mime_enveloped-data")) + " Encrypted") + ;; application/x-pkcs7-mime + ((and (equal (car handle) "application/x-pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle 'p= rotocol) + "application/x-pkcs7-mime_signed-data")) + " Signed") + ((and (equal (car handle) "application/x-pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle 'p= rotocol) + "application/x-pkcs7-mime_enveloped-data")) + " Encrypted")) + " Part")) + (gnus-tmp-info + (or (mm-handle-multipart-ctl-parameter handle 'gnus-info) "Undecided")) (gnus-tmp-details (mm-handle-multipart-ctl-parameter handle 'gnus-details)) diff --git a/lisp/gnus/mm-decode.el b/lisp/gnus/mm-decode.el index d781407cdc..8d63c8552f 100644 =2D-- a/lisp/gnus/mm-decode.el +++ b/lisp/gnus/mm-decode.el 
@@ -474,6 +474,7 @@ mm-dissect-default-type (autoload 'mml2015-verify-test "mml2015") (autoload 'mml-smime-verify "mml-smime") (autoload 'mml-smime-verify-test "mml-smime") +(autoload 'mm-view-pkcs7-verify "mm-view") =20 (defvar mm-verify-function-alist '(("application/pgp-signature" mml2015-verify "PGP" mml2015-verify-test) @@ -482,7 +483,15 @@ mm-verify-function-alist ("application/pkcs7-signature" mml-smime-verify "S/MIME" mml-smime-verify-test) ("application/x-pkcs7-signature" mml-smime-verify "S/MIME" =2D mml-smime-verify-test))) + mml-smime-verify-test) + ("application/x-pkcs7-signature" mml-smime-verify "S/MIME" + mml-smime-verify-test) + ;; these are only used for security-buttons and contain the + ;; smime-type after the underscore + ("application/pkcs7-mime_signed-data" mm-view-pkcs7-verify "S/MIME" + nil) + ("application/x-pkcs7-mime_signed-data" mml-view-pkcs7-verify "S/MIME" + nil))) =20 (defcustom mm-verify-option 'never "Option of verifying signed parts. @@ -501,11 +510,16 @@ mm-verify-option =20 (autoload 'mml2015-decrypt "mml2015") (autoload 'mml2015-decrypt-test "mml2015") +(autoload 'mm-view-pkcs7-decrypt "mm-view") =20 (defvar mm-decrypt-function-alist '(("application/pgp-encrypted" mml2015-decrypt "PGP" mml2015-decrypt-tes= t) ("application/x-gnus-pgp-encrypted" mm-uu-pgp-encrypted-extract-1 "PGP" =2D mm-uu-pgp-encrypted-test))) + mm-uu-pgp-encrypted-test) + ;; these are only used for security-buttons and contain the + ;; smime-type after the underscore + ("application/pkcs7-mime_enveloped-data" mm-view-pkcs7-decrypt "S/MIME= " nil) + ("application/x-pkcs7-mime_enveloped-data" mm-view-pkcs7-decrypt "S/MI= ME" nil))) =20 (defcustom mm-decrypt-option nil "Option of decrypting encrypted parts. 
@@ -682,18 +696,33 @@ mm-dissect-buffer 'start start) (car ctl)) (cons (car ctl) (mm-dissect-multipart ctl from)))) =2D (t =2D (mm-possibly-verify-or-decrypt =2D (mm-dissect-singlepart =2D ctl =2D (and cte (intern (downcase (mail-header-strip-cte cte)))) =2D no-strict-mime =2D (and cd (mail-header-parse-content-disposition cd)) =2D description id) =2D ctl from)))) =2D (when id =2D (when (string-match " *<\\(.*\\)> *" id) =2D (setq id (match-string 1 id))) + (t + (let* ((handle + (mm-dissect-singlepart + ctl + (and cte (intern (downcase (mail-header-strip-cte cte)= ))) + no-strict-mime + (and cd (mail-header-parse-content-disposition cd)) + description id)) + (intermediate-result (mm-possibly-verify-or-decrypt hand= le ctl from))) + (when (and (equal type "application") + (or (equal subtype "pkcs7-mime") + (equal subtype "x-pkcs7-mime"))) + (add-text-properties 0 + (length (car ctl)) + (list 'protocol + (concat (substring-no-properties= (car ctl)) + "_" + (cdr (assoc 'smime-type = ctl)))) + (car ctl)) + ;; if this is a pkcs7-mime lets treat this special and + ;; more like multipart so the pkcs7-mime part does not + ;; get ignored + (setq intermediate-result (cons (car ctl) (list intermediat= e-result)))) + intermediate-result)))) + (when id + (when (string-match " *<\\(.*\\)> *" id) + (setq id (match-string 1 id))) (push (cons id result) mm-content-id-alist)) result)))) =20 
@@ -1677,43 +1706,40 @@ mm-possibly-verify-or-decrypt (cond ((or (equal type "application/x-pkcs7-mime") (equal type "application/pkcs7-mime")) =2D (with-temp-buffer =2D (when (and (cond =2D ((equal smime-type "signed-data") t) =2D ((eq mm-decrypt-option 'never) nil) =2D ((eq mm-decrypt-option 'always) t) =2D ((eq mm-decrypt-option 'known) t) =2D (t (y-or-n-p "Decrypt (S/MIME) part? "))) =2D (mm-view-pkcs7 parts from)) =2D (goto-char (point-min)) =2D ;; The encrypted document is a MIME part, and may use either =2D ;; CRLF (Outlook and the like) or newlines for end-of-line =2D ;; markers. Translate from CRLF. =2D (while (search-forward "\r\n" nil t) =2D (replace-match "\n")) =2D ;; Normally there will be a Content-type header here, but =2D ;; some mailers don't add that to the encrypted part, which =2D ;; makes the subsequent re-dissection fail here. =2D (save-restriction =2D (mail-narrow-to-head) =2D (unless (mail-fetch-field "content-type") =2D (goto-char (point-max)) =2D (insert "Content-type: text/plain\n\n"))) =2D (setq parts =2D (if (equal smime-type "signed-data") =2D (list (propertize =2D "multipart/signed" =2D 'protocol "application/pkcs7-signature" =2D 'gnus-info =2D (format =2D "%s:%s" =2D (get-text-property 0 'gnus-info =2D (car mm-security-handle)) =2D (get-text-property 0 'gnus-details =2D (car mm-security-handle)))) =2D (mm-dissect-buffer t) =2D parts) =2D (mm-dissect-buffer t)))))) + (add-text-properties 0 (length (car ctl)) + (list 'buffer (car parts)) + (car ctl)) + (let* ((envelope-p (string=3D smime-type "enveloped-data")) + (decrypt-or-verify-option (if envelope-p + mm-decrypt-option + mm-verify-option)) + (question (if envelope-p + "Decrypt (S/MIME) part? " + "Verify signed (S/MIME) part? 
"))) + (with-temp-buffer + (when (and (cond + ((equal smime-type "signed-data") t) + ((eq decrypt-or-verify-option 'never) nil) + ((eq decrypt-or-verify-option 'always) t) + ((eq decrypt-or-verify-option 'known) t) + (t (y-or-n-p (format question)))) + (mm-view-pkcs7 parts from)) + + (goto-char (point-min)) + ;; The encrypted document is a MIME part, and may use either + ;; CRLF (Outlook and the like) or newlines for end-of-line + ;; markers. Translate from CRLF. + (while (search-forward "\r\n" nil t) + (replace-match "\n")) + ;; Normally there will be a Content-type header here, but + ;; some mailers don't add that to the encrypted part, which + ;; makes the subsequent re-dissection fail here. + (save-restriction + (mail-narrow-to-head) + (unless (mail-fetch-field "content-type") + (goto-char (point-max)) + (insert "Content-type: text/plain\n\n"))) + (setq parts (mm-dissect-buffer t)))))) ((equal subtype "signed") (unless (and (setq protocol (mm-handle-multipart-ctl-parameter ctl 'protocol)) diff --git a/lisp/gnus/mm-view.el b/lisp/gnus/mm-view.el index d2a6d2cf5d..319bc745ff 100644 =2D-- a/lisp/gnus/mm-view.el +++ b/lisp/gnus/mm-view.el @@ -634,12 +634,9 @@ mm-view-pkcs7-verify (context (epg-make-context 'CMS))) (prog1 (epg-verify-string context part) =2D (let ((result (car (epg-context-result-for context 'verify)))) + (let ((result (epg-context-result-for context 'verify))) (mm-sec-status =2D 'gnus-info (epg-signature-status result) =2D 'gnus-details =2D (format "%s:%s" (epg-signature-validity result) =2D (epg-signature-key-id result)))))))) + 'gnus-info (epg-verify-result-to-string result))))))) (with-temp-buffer (insert "MIME-Version: 1.0\n") (mm-insert-headers "application/pkcs7-mime" "base64" "smime.p7m") 
@@ -659,7 +656,11 @@ mm-view-pkcs7-decrypt ;; Use EPG/gpgsm (let ((part (base64-decode-string (buffer-string)))) (erase-buffer) =2D (insert (epg-decrypt-string (epg-make-context 'CMS) part))) + (insert + (let ((context (epg-make-context 'CMS))) + (prog1 + (epg-decrypt-string context part) + (mm-sec-status 'gnus-info "OK"))))) ;; Use openssl (insert "MIME-Version: 1.0\n") (mm-insert-headers "application/pkcs7-mime" "base64" "smime.p7m") =2D-=20 2.20.1 - --=-=-=--

From: Sebastian Fieber
To: Lars Ingebrigtsen
Cc: 40397@debbugs.gnu.org
Subject: Re: bug#40397: 28.0.50; epg decrypt does not verify signed content in smime encrypted and signed message
Date: Thu, 23 Dec 2021 22:06:29 +0100
In-Reply-To: <87h7az6v9j.fsf@web.de> (Sebastian Fieber's message of "Thu, 23 Dec 2021 19:17:28 +0100")
Message-ID: <87zgor2fqi.fsf@web.de>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux)

--=-=-=
Content-Type: text/plain

On Thu, Dec 23 2021, Sebastian Fieber wrote:

> On Thu, Dec 23 2021, Sebastian Fieber wrote:
>
>> This one should apply :)
>
> Wait, this was the wrong one. I'll send the right one during the day!

Last mail seems to be broken. Here is the correct patch again.

--=-=-=
Content-Type: text/x-patch
Content-Disposition: attachment; filename=0001-PATCH-fix-bug-40397.patch
Content-Transfer-Encoding: quoted-printable

From 84ebb0331a0e16b1b767483c9d0bd1c140d73f09 Mon Sep 17 00:00:00 2001
From: Sebastian Fieber
Date: Thu, 23 Dec 2021 15:38:09 +0100
Subject: [PATCH] [PATCH] fix bug #40397

This fixes S/MIME encrypted AND signed mails where in the encrypted pkcs7 envelope is a signed pkcs7 structure. Also this patch enables proper security-buttons for pkcs7-mime encrypted and/or signed mails.

Changes:
- structure the result of mm-dissect-buffer of application/pkcs7-mime like a multipart mail so there is no losing of information of verification and decryption results which can now be displayed by gnus-mime-display-security
- adjust gnus-mime-display-part to handle application/pkcs7-mime like multipart/encrypted or multipart/signed
- add dummy entries to mm-verify-function-alist and mm-decrypt-function-alist so gnus-mime-display-security correctly displays "S/MIME" and not "unknown protocol"
- don't just check for multipart/signed in gnus-insert-mime-security-button but also for the pkcs7-mime mimetypes to print "Encrypted" or "Signed" accordingly in the security button
- adjust mm-possibly-verify-or-decrypt to check for smime-type to ask whether to verify or decrypt the part and not to always ask to decrypt
- adjust mm-view-pkcs7-decrypt and verify to call mm-sec-status so success information can be displayed by gnus-mime-display-security
- adjust gnus-mime-security-verify-or-decrypt to handle pkcs7-mime right with the done changes

=2D-- lisp/gnus/gnus-art.el | 78 ++++++++++++++++++++----- lisp/gnus/mm-decode.el | 128 +++++++++++++++++++++++++---------------- lisp/gnus/mm-view.el | 13 +++-- 3 files changed, 149 insertions(+), 70 deletions(-) diff --git a/lisp/gnus/gnus-art.el b/lisp/gnus/gnus-art.el index b7701f10a5..a83f4b7d59 100644 =2D-- a/lisp/gnus/gnus-art.el +++ b/lisp/gnus/gnus-art.el
@@ -6084,6 +6084,34 @@ gnus-mime-display-part ((equal (car handle) "multipart/encrypted") (gnus-add-wash-type 'encrypted) (gnus-mime-display-security handle)) + ;; pkcs7-mime handling: + ;; + ;; although not really multipart these are structured internally by + ;; mm-dissect-buffer like multipart to not discard the decryption + ;; and verification results + ;; + ;; application/pkcs7-mime + ((and (equal (car handle) "application/pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle 'protocol) + "application/pkcs7-mime_signed-data")) + (gnus-add-wash-type 'signed) + (gnus-mime-display-security handle)) + ((and (equal (car handle) "application/pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle 'protocol) + "application/pkcs7-mime_enveloped-data")) + (gnus-add-wash-type 'encrypted) + (gnus-mime-display-security handle)) + ;; application/x-pkcs7-mime + ((and (equal (car handle) "application/x-pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle 'protocol) + "application/x-pkcs7-mime_signed-data")) + (gnus-add-wash-type 'signed) + (gnus-mime-display-security handle)) + ((and (equal (car handle) "application/x-pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle 'protocol) + "application/x-pkcs7-mime_enveloped-data")) + (gnus-add-wash-type 'encrypted) + (gnus-mime-display-security handle)) ;; Other multiparts are handled like multipart/mixed. (t (gnus-mime-display-mixed (cdr handle))))) 
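Review bot: The four clauses added to gnus-mime-display-part differ only in the `x-` prefix and the `_signed-data` / `_enveloped-data` suffix, and the same four-way test is repeated in the gnus-insert-mime-security-button hunk, so the two copies can drift apart. Consider one small predicate that tests `(member (car handle) '("application/pkcs7-mime" "application/x-pkcs7-mime"))` and then branches on the suffix of the `protocol` parameter. As written, a pkcs7-mime handle whose protocol is neither of the two values falls through to the `t` clause and is shown via gnus-mime-display-mixed without going through gnus-mime-display-security; if that is intended, the new comment block should say so.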
@@ -8833,11 +8861,18 @@ gnus-mime-security-verify-or-decrypt (setq point (point)) (with-current-buffer (mm-handle-multipart-original-buffer handle) (let* ((mm-verify-option 'known) - (mm-decrypt-option 'known) - (nparts (mm-possibly-verify-or-decrypt (cdr handle) handle))) - (unless (eq nparts (cdr handle)) - (mm-destroy-parts (cdr handle)) - (setcdr handle nparts)))) + (mm-decrypt-option 'known) + (pkcs7-mime-p (or (equal (car handle) "application/pkcs7-mim= e") + (equal (car handle) "application/x-pkcs7-m= ime"))) + (nparts (if pkcs7-mime-p + (list (mm-possibly-verify-or-decrypt (cadr handl= e) (cadadr handle))) + (mm-possibly-verify-or-decrypt (cdr handle) handle= )))) + (unless (eq nparts (cdr handle)) + ;; if pkcs7-mime don't destroy the parts as the buffer in + ;; the cdr still needs to be accessible + (when (not pkcs7-mime-p) + (mm-destroy-parts (cdr handle))) + (setcdr handle nparts)))) (gnus-mime-display-security handle) (when region (delete-region (point) (cdr region)) 
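Review bot: In the pkcs7-mime branch of the `nparts` binding, `(list (mm-possibly-verify-or-decrypt ...))` always allocates a fresh cons, so the `(unless (eq nparts (cdr handle)) ...)` guard is always entered for these handles and `setcdr` runs even when nothing changed. Because `mm-destroy-parts` is skipped in that case, whatever was held in `(cdr handle)` is replaced without being released; compare the inner result with `(cadr handle)` before wrapping it, and state in the comment who frees the old buffer. The `(cadr handle)` and `(cadadr handle)` accessors depend on the nesting that mm-dissect-buffer now builds, so one line documenting that shape would help, and `(when (not pkcs7-mime-p) ...)` reads better as `(unless pkcs7-mime-p ...)`.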
@@ -8891,14 +8926,31 @@ gnus-insert-mime-security-button (let* ((protocol (mm-handle-multipart-ctl-parameter handle 'protocol)) (gnus-tmp-type (concat - (or (nth 2 (assoc protocol mm-verify-function-alist)) - (nth 2 (assoc protocol mm-decrypt-function-alist)) - "Unknown") - (if (equal (car handle) "multipart/signed") - " Signed" " Encrypted") - " Part")) - (gnus-tmp-info - (or (mm-handle-multipart-ctl-parameter handle 'gnus-info) + (or (nth 2 (assoc protocol mm-verify-function-alist)) + (nth 2 (assoc protocol mm-decrypt-function-alist)) + "Unknown") + (cond ((equal (car handle) "multipart/signed") " Signed") + ((equal (car handle) "multipart/encrypted") " Encrypted") + ((and (equal (car handle) "application/pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle '= protocol) + "application/pkcs7-mime_signed-data")) + " Signed") + ((and (equal (car handle) "application/pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle '= protocol) + "application/pkcs7-mime_enveloped-data")) + " Encrypted") + ;; application/x-pkcs7-mime + ((and (equal (car handle) "application/x-pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle '= protocol) + "application/x-pkcs7-mime_signed-data")) + " Signed") + ((and (equal (car handle) "application/x-pkcs7-mime") + (equal (mm-handle-multipart-ctl-parameter handle '= protocol) + "application/x-pkcs7-mime_enveloped-data")) + " Encrypted")) + " Part")) + (gnus-tmp-info + (or (mm-handle-multipart-ctl-parameter handle 'gnus-info) "Undecided")) (gnus-tmp-details (mm-handle-multipart-ctl-parameter handle 'gnus-details)) diff --git a/lisp/gnus/mm-decode.el b/lisp/gnus/mm-decode.el index d781407cdc..8d63c8552f 100644 =2D-- a/lisp/gnus/mm-decode.el +++ b/lisp/gnus/mm-decode.el 
@@ -474,6 +474,7 @@ mm-dissect-default-type (autoload 'mml2015-verify-test "mml2015") (autoload 'mml-smime-verify "mml-smime") (autoload 'mml-smime-verify-test "mml-smime") +(autoload 'mm-view-pkcs7-verify "mm-view") (defvar mm-verify-function-alist '(("application/pgp-signature" mml2015-verify "PGP" mml2015-verify-test= ) @@ -482,7 +483,15 @@ mm-verify-function-alist ("application/pkcs7-signature" mml-smime-verify "S/MIME" mml-smime-verify-test) ("application/x-pkcs7-signature" mml-smime-verify "S/MIME" - mml-smime-verify-test))) + mml-smime-verify-test) + ("application/x-pkcs7-signature" mml-smime-verify "S/MIME" + mml-smime-verify-test) + ;; these are only used for security-buttons and contain the + ;; smime-type after the underscore + ("application/pkcs7-mime_signed-data" mm-view-pkcs7-verify "S/MIME" + nil) + ("application/x-pkcs7-mime_signed-data" mml-view-pkcs7-verify "S/MIME= " + nil))) (defcustom mm-verify-option 'never "Option of verifying signed parts. @@ -501,11 +510,16 @@ mm-verify-option (autoload 'mml2015-decrypt "mml2015") (autoload 'mml2015-decrypt-test "mml2015") +(autoload 'mm-view-pkcs7-decrypt "mm-view") (defvar mm-decrypt-function-alist '(("application/pgp-encrypted" mml2015-decrypt "PGP" mml2015-decrypt-te= st) ("application/x-gnus-pgp-encrypted" mm-uu-pgp-encrypted-extract-1 "PG= P" - mm-uu-pgp-encrypted-test))) + mm-uu-pgp-encrypted-test) + ;; these are only used for security-buttons and contain the + ;; smime-type after the underscore + ("application/pkcs7-mime_enveloped-data" mm-view-pkcs7-decrypt "S/MIM= E" nil) + ("application/x-pkcs7-mime_enveloped-data" mm-view-pkcs7-decrypt "S/M= IME" nil))) (defcustom mm-decrypt-option nil "Option of decrypting encrypted parts. 
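Review bot: In the mm-verify-function-alist hunk, the new `application/x-pkcs7-mime_signed-data` entry names `mml-view-pkcs7-verify`, while the autoload added just above and the sibling `application/pkcs7-mime_signed-data` entry both use `mm-view-pkcs7-verify`; the `mml-` spelling looks like a typo, and nothing in this patch defines or autoloads a function by that name. The same hunk also adds a second `("application/x-pkcs7-signature" mml-smime-verify "S/MIME" mml-smime-verify-test)` entry identical to the existing one, which `assoc` will never reach and which can be dropped. Since the comment says these entries exist only for the security buttons, it would help to state that the function slot is not meant to be called through the alist.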
@@ -682,18 +696,33 @@ mm-dissect-buffer 'start start) (car ctl)) (cons (car ctl) (mm-dissect-multipart ctl from)))) - (t - (mm-possibly-verify-or-decrypt - (mm-dissect-singlepart - ctl - (and cte (intern (downcase (mail-header-strip-cte cte)))) - no-strict-mime - (and cd (mail-header-parse-content-disposition cd)) - description id) - ctl from)))) - (when id - (when (string-match " *<\\(.*\\)> *" id) - (setq id (match-string 1 id))) + (t + (let* ((handle + (mm-dissect-singlepart + ctl + (and cte (intern (downcase (mail-header-strip-cte cte= )))) + no-strict-mime + (and cd (mail-header-parse-content-disposition cd)) + description id)) + (intermediate-result (mm-possibly-verify-or-decrypt han= dle ctl from))) + (when (and (equal type "application") + (or (equal subtype "pkcs7-mime") + (equal subtype "x-pkcs7-mime"))) + (add-text-properties 0 + (length (car ctl)) + (list 'protocol + (concat (substring-no-propertie= s (car ctl)) + "_" + (cdr (assoc 'smime-type= ctl)))) + (car ctl)) + ;; if this is a pkcs7-mime lets treat this special and + ;; more like multipart so the pkcs7-mime part does not + ;; get ignored + (setq intermediate-result (cons (car ctl) (list intermedia= te-result)))) + intermediate-result)))) + (when id + (when (string-match " *<\\(.*\\)> *" id) + (setq id (match-string 1 id))) (push (cons id result) mm-content-id-alist)) result)))) 
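Review bot: In the added pkcs7-mime branch of mm-dissect-buffer, `(cdr (assoc 'smime-type ctl))` is nil when the Content-Type carries no smime-type parameter, and `concat` then produces a protocol of the form `application/pkcs7-mime_`, which matches none of the alist entries or display clauses added elsewhere in this patch. Handle the missing parameter explicitly (a default value, or skip the wrapping) instead of relying on the fall-through. The result is also wrapped as `(cons (car ctl) (list intermediate-result))` whether or not mm-possibly-verify-or-decrypt actually decrypted or verified anything, so the comment should describe the expected shape when the user declines, since gnus-mime-security-verify-or-decrypt depends on it.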
@@ -1677,43 +1706,40 @@ mm-possibly-verify-or-decrypt (cond ((or (equal type "application/x-pkcs7-mime") (equal type "application/pkcs7-mime")) - (with-temp-buffer - (when (and (cond - ((equal smime-type "signed-data") t) - ((eq mm-decrypt-option 'never) nil) - ((eq mm-decrypt-option 'always) t) - ((eq mm-decrypt-option 'known) t) - (t (y-or-n-p "Decrypt (S/MIME) part? "))) - (mm-view-pkcs7 parts from)) - (goto-char (point-min)) - ;; The encrypted document is a MIME part, and may use either - ;; CRLF (Outlook and the like) or newlines for end-of-line - ;; markers. Translate from CRLF. - (while (search-forward "\r\n" nil t) - (replace-match "\n")) - ;; Normally there will be a Content-type header here, but - ;; some mailers don't add that to the encrypted part, which - ;; makes the subsequent re-dissection fail here. - (save-restriction - (mail-narrow-to-head) - (unless (mail-fetch-field "content-type") - (goto-char (point-max)) - (insert "Content-type: text/plain\n\n"))) - (setq parts - (if (equal smime-type "signed-data") - (list (propertize - "multipart/signed" - 'protocol "application/pkcs7-signature" - 'gnus-info - (format - "%s:%s" - (get-text-property 0 'gnus-info - (car mm-security-handle)) - (get-text-property 0 'gnus-details - (car mm-security-handle)))) - (mm-dissect-buffer t) - parts) - (mm-dissect-buffer t)))))) + (add-text-properties 0 (length (car ctl)) + (list 'buffer (car parts)) + (car ctl)) + (let* ((envelope-p (string=3D smime-type "enveloped-data")) + (decrypt-or-verify-option (if envelope-p + mm-decrypt-option + mm-verify-option)) + (question (if envelope-p + "Decrypt (S/MIME) part? " + "Verify signed (S/MIME) part? 
"))) + (with-temp-buffer + (when (and (cond + ((equal smime-type "signed-data") t) + ((eq decrypt-or-verify-option 'never) nil) + ((eq decrypt-or-verify-option 'always) t) + ((eq decrypt-or-verify-option 'known) t) + (t (y-or-n-p (format question)))) + (mm-view-pkcs7 parts from)) + + (goto-char (point-min)) + ;; The encrypted document is a MIME part, and may use either + ;; CRLF (Outlook and the like) or newlines for end-of-line + ;; markers. Translate from CRLF. + (while (search-forward "\r\n" nil t) + (replace-match "\n")) + ;; Normally there will be a Content-type header here, but + ;; some mailers don't add that to the encrypted part, which + ;; makes the subsequent re-dissection fail here. + (save-restriction + (mail-narrow-to-head) + (unless (mail-fetch-field "content-type") + (goto-char (point-max)) + (insert "Content-type: text/plain\n\n"))) + (setq parts (mm-dissect-buffer t)))))) ((equal subtype "signed") (unless (and (setq protocol (mm-handle-multipart-ctl-parameter ctl 'protocol)) diff --git a/lisp/gnus/mm-view.el b/lisp/gnus/mm-view.el index d2a6d2cf5d..319bc745ff 100644 =2D-- a/lisp/gnus/mm-view.el +++ b/lisp/gnus/mm-view.el @@ -634,12 +634,9 @@ mm-view-pkcs7-verify (context (epg-make-context 'CMS))) (prog1 (epg-verify-string context part) - (let ((result (car (epg-context-result-for context 'verify)))) + (let ((result (epg-context-result-for context 'verify))) (mm-sec-status - 'gnus-info (epg-signature-status result) - 'gnus-details - (format "%s:%s" (epg-signature-validity result) - (epg-signature-key-id result)))))))) + 'gnus-info (epg-verify-result-to-string result))))))) (with-temp-buffer (insert "MIME-Version: 1.0\n") (mm-insert-headers "application/pkcs7-mime" "base64" "smime.p7m") 
@@ -659,7 +656,11 @@ mm-view-pkcs7-decrypt ;; Use EPG/gpgsm (let ((part (base64-decode-string (buffer-string)))) (erase-buffer) - (insert (epg-decrypt-string (epg-make-context 'CMS) part))) + (insert + (let ((context (epg-make-context 'CMS))) + (prog1 + (epg-decrypt-string context part) + (mm-sec-status 'gnus-info "OK"))))) ;; Use openssl (insert "MIME-Version: 1.0\n") (mm-insert-headers "application/pkcs7-mime" "base64" "smime.p7m") =2D- 2.20.1 --=-=-=--
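Review bot: In the mm-possibly-verify-or-decrypt hunk of mm-decode.el, the first `cond` clause `((equal smime-type "signed-data") t)` is kept, so for signed-data the new `decrypt-or-verify-option` and the "Verify signed (S/MIME) part? " prompt are never consulted and a `mm-verify-option` of `never` is ignored. Either drop that clause so the option applies, or document that signed-data is always opened because its content cannot be shown otherwise. `envelope-p` is also false for every smime-type other than enveloped-data, so any such part is prompted for as a signed part, and `(y-or-n-p (format question))` can simply be `(y-or-n-p question)`.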
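Review bot: In the mm-view-pkcs7-verify hunk of mm-view.el, the rewritten `mm-sec-status` call sets only `gnus-info` and no longer sets `gnus-details`, so the validity and key id that the removed lines stored there are no longer recorded under that property. If `epg-verify-result-to-string` is meant to replace both, the commit message should say so; otherwise keep a `gnus-details` value so the security button can still show which key signed the part. It is also worth checking what is displayed when the verify result list is empty, since the old code took the `car` and the new code passes the whole list.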
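Review bot: In the mm-view-pkcs7-decrypt hunk, `(mm-sec-status 'gnus-info "OK")` records a fixed string once `epg-decrypt-string` returns, so the security button reports only that the envelope was decrypted and says nothing about a signature inside it. Since this bug is about signed content inside an encrypted S/MIME message, a more specific status text, or a comment that the inner signed-data part gets its own status when the decrypted buffer is dissected again, would keep the "OK" from being read as a verification result. This hunk also adds no matching call for the openssl branch that starts in the trailing context lines, so the two backends will report differently.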
From: Lars Ingebrigtsen
To: Sebastian Fieber
Cc: 40397@debbugs.gnu.org
Subject: Re: bug#40397: 28.0.50; epg decrypt does not verify signed content in smime encrypted and signed message
Date: Fri, 24 Dec 2021 10:44:04 +0100
In-Reply-To: <87zgor2fqi.fsf@web.de> (Sebastian Fieber's message of "Thu, 23 Dec 2021 22:06:29 +0100")
Message-ID: <87v8ze2v8b.fsf@gnus.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/29.0.50 (gnu/linux)

Sebastian Fieber writes:

> Last mail seems to be broken. Here is the correct patch again.

Thanks; applied to Emacs 29.

--
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

From: Lars Ingebrigtsen
To: control@debbugs.gnu.org
Subject: control message for bug #40397
Date: Fri, 24 Dec 2021 10:44:17 +0100
Message-Id: <87tuey2v7y.fsf@gnus.org>

close 40397 29.1
quit

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Message-Id: bug archived.
Date: Fri, 21 Jan 2022 12:24:10 +0000
User-Agent: Fakemail v42.6.9

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator