Enigma doesn't verify text/plain Mailvelope signed message #5678

Closed
trippleflux opened this issue Mar 6, 2017 · 5 comments

@trippleflux

The Enigma plugin seems to fail to verify any Mailvelope-signed messages; Roundcube and Enigma just treat them like a normal message :( Example message:

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from smtp.example.com
	by prodigy (Dovecot) with LMTP id QtZOHwYlvVhCeAAAEZYBwA
	for <[email protected]>; Mon, 06 Mar 2017 15:59:50 +0700
Received: from localhost (localhost [127.0.0.1])
	by smtp.example.com (Postfix) with ESMTP id 7A53B176798
	for <[email protected]>; Mon,  6 Mar 2017 15:59:50 +0700 (WIB)
Authentication-Results: smtp.example.com;
	dkim=pass (2048-bit key; unprotected) header.d=gmail.com [email protected] header.b=EpeOzJgD;
	dkim-atps=neutral
X-Virus-Scanned: amavisd-new at example.com
X-Spam-Flag: NO
X-Spam-Score: -0.798
X-Spam-Level:
X-Spam-Status: No, score=-0.798 tagged_above=-9999 required=5
	tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
	FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7]
	autolearn=ham autolearn_force=no
Authentication-Results: mail.example.com (amavisd-new);
	dkim=pass (2048-bit key) header.d=gmail.com
Received: from smtp.example.com ([127.0.0.1])
	by localhost (mail.example.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id Cq1lbOmZ0EC8 for <[email protected]>;
	Mon,  6 Mar 2017 15:59:49 +0700 (WIB)
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=2607:f8b0:4001:c0b::22e; helo=mail-it0-x22e.google.com; [email protected]; receiver=<UNKNOWN> 
Received: from mail-it0-x22e.google.com (mail-it0-x22e.google.com [IPv6:2607:f8b0:4001:c0b::22e])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.example.com (Postfix) with ESMTPS id 9B76A176793
	for <[email protected]>; Mon,  6 Mar 2017 15:59:48 +0700 (WIB)
Received: by mail-it0-x22e.google.com with SMTP id w124so900978itb.0
        for <[email protected]>; Mon, 06 Mar 2017 00:59:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:from:date:message-id:subject:to;
        bh=L69GXj4KQkzziCIHAa4zZgBq66NG+k1OWV5v+D3bOaM=;
        b=EpeOzJgDrrGx3UDn7NI365E5kDBGviGVWum7b+Dz7OUeo2K77mw4JXR0NTSynr0O5Q
         dq3XQNssJFGtfk/nEbzgHFtzu+kYTzpANjpFNaulgUW/zA1IwxlnMH4ofexMetZxK8hU
         y0TSQPPIdKdmx/qdZguo7Ksh/ttHl4moT57ZmVuzsGQDyU6SRdXaBXQmAh/tEXxMVRLk
         4yNsOKuxRqwcz/o3t1GeMFm7wOtkNjBHbwO4W/pi08obv5v7iFJ0w4Oh19h8GYGPa/qS
         U4Vui/kAlUsUl2+tDPPas90rAhQkDgZ4ZHrw0k6NZIXhWEcIWmQffdKLYlnaGtWYICFK
         QKIQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
        bh=L69GXj4KQkzziCIHAa4zZgBq66NG+k1OWV5v+D3bOaM=;
        b=m4WN6QFpIasqHRSo2L49XZ7qfivMHaU6Y7Q4PS2/jjnfrQznEUomDmsjy+Lsiq0B1/
         p7azpE+Y17seDy4Yywo5/9uNGNVe1jU+4S8bEM/3uq5Gx1jCemOdNCR+Dmhe/Ny41b0o
         T2EHO5NOq9EsUysFD2QmkA+q/6JQmnYskfpk87+o2qdWcP04QVTWjAjyTbo6S2/od1U0
         7jbghweu7cIoapgN1IPpQNAFBo+6SrylbbcS5x/O6Kj5ht/svvX4UTZy3wtpiNr2KE7L
         63VDs+eBhY0eW5BgmI6OELeYOnlgbM2kSkpqSLudXxHJaZY8Va6C1cp8SnerTTXFq/dW
         Dkbg==
X-Gm-Message-State: BBke39mmcsRRx/H34Rk8N4r3nbzMQ0Vt8bdidWcQmmMix3Eo7wiWc2izHghaV9s7oA1V8f36hO+ALsNa9jZ9eQ==
X-Received: by 10.36.115.145 with SMTP id y139mr13907719itb.123.1488790786985;
 Mon, 06 Mar 2017 00:59:46 -0800 (PST)
MIME-Version: 1.0
Received: by 10.64.0.227 with HTTP; Mon, 6 Mar 2017 00:59:46 -0800 (PST)
From: Michael Stellar <[email protected]>
Date: Mon, 6 Mar 2017 15:59:46 +0700
Message-ID: <DDDpKaKgCiDgupW6W1pKYWJgqDm1OoyhOG_Ptz=ipPiMxPGqwPA@mail.gmail.com>
Subject: test
To: [email protected]
Content-Type: multipart/alternative; boundary=001a114526cc00da3f054a0c1e9c

--001a114526cc00da3f054a0c1e9c
Content-Type: text/plain; charset=UTF-8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

testing
-----BEGIN PGP SIGNATURE-----
Version: Mailvelope v1.7.1 build: 2017-02-24T17:36:35
Comment: https://www.mailvelope.com
[signature data missing]
=oh6b
-----END PGP SIGNATURE-----

--001a114526cc00da3f054a0c1e9c
Content-Type: text/html; charset=UTF-8

<div dir="ltr"><pre>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

testing
-----BEGIN PGP SIGNATURE-----
Version: Mailvelope v1.7.1 build: 2017-02-24T17:36:35
Comment: <a href="https://www.mailvelope.com">https://www.mailvelope.com</a>
[signature data missing]
=oh6b
-----END PGP SIGNATURE-----
<pre></pre></pre></div>

--001a114526cc00da3f054a0c1e9c--
@alecpl
Member

alecpl commented Mar 6, 2017

Confirmed. This is a generic plugin API issue in rcube_message. It does not call message_part_structure hook for parts inside of a multipart/alternative message.

@trippleflux
Author

Thanks a lot for taking a look at this report, also thanks for putting it in near milestone 👍 .

alecpl added a commit that referenced this issue Mar 6, 2017
@alecpl
Member

alecpl commented Mar 6, 2017

Fixed. There are still two issues with this sample message:

  1. We do not support PGP content inside of HTML, you have to view the message in plain text mode.
  2. The signature cannot be verified:
ERROR: gpg: CRC error; 797235 - A21E9B
ERROR: gpg: [don't know]: invalid packet (ctb=00)
ERROR: gpg: no signature found
ERROR: gpg: the signature could not be verified.

@trippleflux
Author

trippleflux commented Mar 6, 2017

Cool! Thanks a lot 🥇. I haven't learned PHP, but I think there are 2 possible solutions for these remaining issues:

  1. Pass it to an additional regex parser that temporarily checks whether the PGP-signed message inside the HTML tags is indeed the same as the one in the text above, and display the verified or not-verified message in HTML mode.
  2. If the signed message inside the HTML tags is different, then pass it to a parser, remove the HTML tag block using regex, verify the tag-cleaned message by passing it to gpg, and if verified, show it as it is.

I hope it's not too complex?

ZiBiS added a commit to ZiBiS/roundcubemail that referenced this issue Mar 7, 2017
* 'master' of https://github.com/roundcube/roundcubemail: (46 commits)
  Plugin API: Call message_part_structure hook for sub-parts of multipart/alternative message (roundcube#5678)
  Enigma: Set micalg parameter to real hash algorithm used for signing
  Skip iconv for problematic ISO-2022-JP strings  (roundcube#5668)
  Lock phpunit to version 5.7.x
  Fix/rephrase "unsaved changes" warning when cancelling a draft (roundcube#5610)
  Use stable release of Crypt_GPG 1.6
  small fix for current group detection and add similar rules for group-delete
  Managesieve: Fix parser issue with empty lines between comments (roundcube#5657)
  Minimize unwanted message loading in preview frame on drag (roundcube#5616)
  Small code simplification
  Fix bug where it was too easy accidentally move a folder when using the subscription checkbox (roundcube#5655)
  also fix source in group create function
  check group id matches current one before changing the title
  Add rewrite rule to disable access to /vendor/bin folder in .htaccess (roundcube#5630)
  Fix update of group name in the contacts list header on group rename (roundcube#5648)
  don't use env for group-rename action
  Add note about PinEntry issues with SELinux (roundcube#5620)
  Enigma: Fix handling of messages with nested PGP encrypted parts (roundcube#5634)
  Bring back lists buttons in TinyMCE toolbar
  Fix double http request regression (roundcube#5633)
  ...
@alecpl
Member

alecpl commented Mar 17, 2017

In my opinion we should not support signed/encrypted content encapsulated in HTML. There's no standard that describes that. And I think it's a rare situation.

As for the other issue with CRC error, I have no idea. I'm going to close the ticket anyway as the main issue here has been resolved.

@alecpl alecpl closed this as completed Mar 17, 2017
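
Added example, not part of the thread and not Roundcube's code: Python that descends into the text/plain child of a multipart/alternative message, extracts the clearsigned signature armor, and compares the RFC 4880 CRC-24 of its base64 body with the armor's checksum line. It goes beyond the hook fix by also covering the armor checksum gpg reported; the message and signature bytes are constructed, and `check_clearsigned_parts` and `sample` are hypothetical names.

```python
import base64
import email
import re

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB  # RFC 4880, section 6.1
ARMOR = re.compile(r"-----BEGIN PGP SIGNATURE-----(.*?)-----END PGP SIGNATURE-----", re.S)

def crc24(data: bytes) -> int:
    """CRC-24 over the decoded armor body, as OpenPGP ASCII armor defines it."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def stated_crc(line: str) -> int:
    """Decode an armor checksum line such as '=oh6b' to its 24-bit value."""
    return int.from_bytes(base64.b64decode(line.lstrip("=")), "big")

def check_clearsigned_parts(raw: str) -> list:
    """Return (computed, stated) CRC pairs for signature armor in text/plain parts."""
    pairs = []
    for part in email.message_from_string(raw).walk():  # walk() descends into sub-parts
        if part.get_content_type() != "text/plain":      # PGP inside HTML is skipped
            continue
        match = ARMOR.search(part.get_payload().replace("\r\n", "\n"))
        if match:
            # armor headers, blank line, base64 body lines, then the '=' checksum line
            body = match.group(1).partition("\n\n")[2].split()
            pairs.append((crc24(base64.b64decode("".join(body[:-1]))),
                          stated_crc(body[-1])))
    return pairs

# Constructed input: 48 filler bytes stand in for the signature packet.
FAKE_SIG = bytes(range(48))
BODY = base64.b64encode(FAKE_SIG).decode()
CRC_LINE = "=" + base64.b64encode(crc24(FAKE_SIG).to_bytes(3, "big")).decode()

def sample(body: str = BODY) -> str:
    signed = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\ntesting\n"
              "-----BEGIN PGP SIGNATURE-----\nVersion: constructed\n\n"
              f"{body}\n{CRC_LINE}\n-----END PGP SIGNATURE-----\n")
    return ("MIME-Version: 1.0\nContent-Type: multipart/alternative; boundary=b1\n\n"
            f"--b1\nContent-Type: text/plain; charset=UTF-8\n\n{signed}\n"
            f"--b1\nContent-Type: text/html; charset=UTF-8\n\n<pre>{signed}</pre>\n"
            "--b1--\n")
```

`stated_crc("=oh6b")` returns `0xA21E9B`, the second value in the `CRC error; 797235 - A21E9B` line quoted in the thread, so that number is the checksum carried in the Mailvelope armor and the other is what gpg computed over the body it was given.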