GNU bug report logs - #67931
[PATCH] Use S/MIME key from content for mail signing via OpenSSL

Please note: This is a static page, with minimal formatting, updated once a day.

Package: emacs; Reported by: Illia Ostapyshyn <illia@HIDDEN>; Keywords: patch; dated Wed, 20 Dec 2023 13:59:01 UTC; Maintainer for emacs is bug-gnu-emacs@HIDDEN.

Message received at 67931 <at> debbugs.gnu.org:


From: Stefan Kangas <stefankangas@HIDDEN>
In-Reply-To: <8734vx6mk7.fsf@HIDDEN> (Illia Ostapyshyn's message of "Wed,
 20 Dec 2023 14:16:56 +0100")
References: <8734vx6mk7.fsf@HIDDEN>
MIME-Version: 1.0
Date: Thu, 11 Jan 2024 13:05:46 -0800
Message-ID: <CADwFkmnTan0CHsY7EEBD8XH4cuZa8OpXN6paSFzHg4q1stoGFg@HIDDEN>
Subject: Re: bug#67931: [PATCH] Use S/MIME key from content for mail signing
 via OpenSSL
To: Illia Ostapyshyn <illia@HIDDEN>
Content-Type: text/plain; charset="UTF-8"
Cc: Lars Ingebrigtsen <larsi@HIDDEN>, 67931 <at> debbugs.gnu.org

Illia Ostapyshyn <illia@HIDDEN> writes:

> * Bug
>
> mml-smime-openssl-sign always takes the cdar of smime-keys, resulting in
> the keyfile parameter of the #secure tag being ignored.  Hence, only the
> first entry of smime-keys is used, regardless of the mail contents or
> sender address.
>
> * Fix
>
> The relevant information (returned from mml-smime-openssl-sign-query) is
> already in the cont alist passed to mml-smime-openssl-sign, just use
> that instead.

Thanks for the patch.

Could you please provide a way to reproduce the issue that you're
seeing?  We don't have anyone onboard that is deeply familiar with this
code, I think, and it is security-sensitive.  Therefore, I'd like to be
careful when making changes here.

If we could have unit tests for this, it would be even better, of course.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#67931; Package emacs.

Message received at submit <at> debbugs.gnu.org:


From: Illia Ostapyshyn <illia@HIDDEN>
To: bug-gnu-emacs@HIDDEN
Subject: [PATCH] Use S/MIME key from content for mail signing via OpenSSL
Date: Wed, 20 Dec 2023 14:16:56 +0100
Message-ID: <8734vx6mk7.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
Cc: Lars Ingebrigtsen <larsi@HIDDEN>

--=-=-=
Content-Type: text/plain

* Bug

mml-smime-openssl-sign always takes the cdar of smime-keys, resulting in
the keyfile parameter of the #secure tag being ignored.  Hence, only the
first entry of smime-keys is used, regardless of the mail contents or
sender address.

* Fix

The relevant information (returned from mml-smime-openssl-sign-query) is
already in the cont alist passed to mml-smime-openssl-sign, just use
that instead.


--=-=-=
Content-Type: text/x-patch
Content-Disposition: inline;
 filename=0001-Use-S-MIME-key-from-content-for-mail-signing-via-Ope.patch
Content-Description: Patch

From 477badfc705c5dd59cfd8a577eab9eaf4a510e0f Mon Sep 17 00:00:00 2001
From: Illia Ostapyshyn <illia@HIDDEN>
Date: Wed, 20 Dec 2023 13:57:28 +0100
Subject: [PATCH] Use S/MIME key from content for mail signing via OpenSSL

* lisp/gnus/mml-smime.el (mml-smime-openssl-sign): Use the key
passed in the cont argument instead of the first smime-keys entry.
---
 lisp/gnus/mml-smime.el | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/lisp/gnus/mml-smime.el b/lisp/gnus/mml-smime.el
index 896c95f8d3e..713b7fe5b68 100644
--- a/lisp/gnus/mml-smime.el
+++ b/lisp/gnus/mml-smime.el
@@ -130,10 +130,7 @@ mml-smime-verify-test
 	(funcall func handle ctl))))
 
 (defun mml-smime-openssl-sign (_cont)
-  (when (null smime-keys)
-    (customize-variable 'smime-keys)
-    (error "No S/MIME keys configured, use customize to add your key"))
-  (smime-sign-buffer (cdar smime-keys))
+  (smime-sign-buffer (cdr (assq 'keyfile cont)))
   (goto-char (point-min))
   (while (search-forward "\r\n" nil t)
     (replace-match "\n" t t))
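Review bot: the new line `(smime-sign-buffer (cdr (assq 'keyfile cont)))` references `cont`, but the unchanged signature line in this hunk still declares the parameter as `_cont`, so `cont` is not bound when the function runs (the byte compiler will flag it as a free variable and the call signals void-variable at run time). Rename the parameter in the same hunk, i.e. `(defun mml-smime-openssl-sign (cont)`. Dropping the `(when (null smime-keys) ...)` guard also changes the failure mode: a part whose #secure tag carries no keyfile now reaches `smime-sign-buffer` with a nil keyfile instead of the earlier customize prompt and error, so either keep a check that `(assq 'keyfile cont)` is present or say in the commit message why a nil keyfile is acceptable there.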
-- 
2.43.0


--=-=-=--
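A reproduction of the kind Stefan asks for, added here as an example and not part of the bug report or of Emacs itself: an ERT test that loads mml-smime.el, stubs smime-sign-buffer with cl-letf so no OpenSSL invocation happens, and records which keyfile mml-smime-openssl-sign hands it when the cont alist names a keyfile other than the first smime-keys entry. The addresses and /tmp paths are constructed placeholders; the test assumes smime-sign-buffer's (&optional keyfile buffer) signature and that the tag parameter arrives in cont as (keyfile . PATH), the shape the patch's (cdr (assq 'keyfile cont)) expects.

```elisp
;;; smime-keyfile-test.el --- added example, not Emacs's own test  -*- lexical-binding: t -*-

;; Exercises the key-selection step of `mml-smime-openssl-sign' in isolation.
;; `smime-sign-buffer' is replaced for the duration of the test so that no
;; OpenSSL process is started and no real key material is needed.

(require 'ert)
(require 'cl-lib)
(require 'mml-smime)

(ert-deftest mml-smime-openssl-sign-uses-keyfile-from-cont ()
  "The keyfile given in the MML part's parameters must reach `smime-sign-buffer'.
With the bug, the cdar of `smime-keys' (the first configured key) is
passed instead, regardless of what the #secure tag says."
  (let ((smime-keys '(("first@example.com" "/tmp/first.pem")     ; constructed
                      ("second@example.com" "/tmp/second.pem"))) ; constructed
        (seen-keyfile 'unset))
    (cl-letf (((symbol-function 'smime-sign-buffer)
               ;; Stub: remember the keyfile argument, sign nothing.
               (lambda (&optional keyfile _buffer)
                 (setq seen-keyfile keyfile))))
      (with-temp-buffer
        ;; A minimal MIME part body; contents are irrelevant to the stub.
        (insert "Content-Type: text/plain\n\nhello\n")
        ;; The cont alist as built from a "<#secure ... keyfile=...>" tag,
        ;; deliberately pointing at the second configured key.
        (mml-smime-openssl-sign '((keyfile . "/tmp/second.pem")))))
    (should (equal seen-keyfile "/tmp/second.pem"))))

(provide 'smime-keyfile-test)
;;; smime-keyfile-test.el ends here
```

Run it with `emacs -Q --batch -l smime-keyfile-test.el -f ert-run-tests-batch-and-exit` (the file name is hypothetical). Against the unpatched function the assertion fails because seen-keyfile is the cdar of smime-keys, the list ("/tmp/first.pem"); against the patch exactly as posted the test errors instead, since the body reads `cont` while the parameter is still spelled `_cont`; with that parameter renamed it passes. Because the stub also swallows the case where cont has no keyfile entry, a second test that passes an empty alist and checks what reaches smime-sign-buffer would document the behaviour lost with the removed `(when (null smime-keys) ...)` guard.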




Acknowledgement sent to Illia Ostapyshyn <illia@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs@HIDDEN.
Report forwarded to bug-gnu-emacs@HIDDEN:
bug#67931; Package emacs.
Last modified: Sat, 20 Jan 2024 12:30:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.