Updated S/MIME Verification plugin (now correct mail)


Updated S/MIME Verification plugin (now correct mail)

Walter H.
Hello anybody,

This plugin v1.0 has a few critical bugs, which made the apache logs
grow endlessly;

$fd = fopen( ... );
while (!feof($fd)) {  // <-- there is the problem in downloadcert.php:
                      //    no error check whether the fopen failed or not ...
}

I fixed them and also did some error handling: now it is possible to see
the difference between the following:
- an unmodified mail
- an unmodified mail, but the signer's certificate can't be verified
    (self-signed or CA not in trusted certificate store)
- a modified mail
- a modified mail, and the signer's certificate can't be verified
    (self-signed or CA not in trusted certificate store)
- a mail with an invalid signature:
    in this case there is no difference if the mail itself is altered or not

the case when the signer's certificate becomes invalid is handled the same as
when it is unable to be verified (self-signed or CA not in trusted certificate
store);

moved any call to openssl into one shell script: openssl-cmds.sh
(solved an "incompatibility" issue with some linux distributions:
trusted certificate store)

added a complete certificate view (certview-complete.php):
 displays 'openssl x509 -in certfile -noout -text';

the certificate fingerprint is not only MD5, also SHA1; I added/fixed this
to the certificate view page (certview.php)

I didn't add the possibility that the fingerprint could also be SHA256;
(this would be 1 line in openssl-cmds.sh and two lines in viewcert.php
each similar to the lines for the SHA1 fingerprint)
if wished I'll add this;

could anybody please test it with squirrelmail 1.5.0+ - just to see if
everything works there as expected, too?

I'm using squirrelmail from an rpm from fedora epel-7 (1.4.22-15.el7) (I'm
running CentOS 6.x with PHP5.4 from remi repository)

would be great to publish my update as release 1.1 ...

my work is stored here
https://vhost01.mathemainzel.info/sqmailplugin/smime-1.1-1.1.1.tar.gz

Thanks.

Greetings from Austria,
Walter




-----
squirrelmail-plugins mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: [hidden email]
List archives: http://news.gmane.org/gmane.mail.squirrelmail.plugins
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-plugins
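The downloadcert.php loop described in the post beside a checked version, as an added example that is not part of the thread or the plugin (function names and paths are hypothetical):

```php
<?php
// Added example, not the plugin's code. Shows why an unchecked fopen() turns
// into an endless loop that fills the Apache error log, and a version that
// reports the failure to the caller instead.

// "Before" (shown, never called here): fopen() returns false when the file
// cannot be opened. feof(false) only emits a warning on PHP 5/7 and returns
// null, so !feof($fd) is always true, the loop never ends, and every pass
// writes one more warning to the log.
function read_cert_unchecked($path)
{
    $fd = fopen($path, 'r');
    $data = '';
    while (!feof($fd)) {            // never terminates when $fd === false
        $data .= fread($fd, 8192);
    }
    fclose($fd);
    return $data;
}

// "After": test the handle, bound the loop on fread() itself, and return null
// on any error so the caller can show a proper message instead of looping.
function read_cert_checked($path)
{
    $fd = @fopen($path, 'rb');
    if ($fd === false) {
        error_log("downloadcert: cannot open certificate file: $path");
        return null;
    }
    $data = '';
    while (($chunk = fread($fd, 8192)) !== false && $chunk !== '') {
        $data .= $chunk;
    }
    fclose($fd);
    return $data;
}

// Demo with constructed inputs: a temp file that exists and a path that does not.
$tmp = tempnam(sys_get_temp_dir(), 'cert');
file_put_contents($tmp, "-----BEGIN CERTIFICATE-----\nconstructed placeholder\n-----END CERTIFICATE-----\n");
var_dump(read_cert_checked($tmp) !== null);
var_dump(read_cert_checked('/nonexistent/path/cert.pem'));   // one log line, no loop
unlink($tmp);
```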

Re: Updated S/MIME Verification plugin (now correct mail)

Paul Lesniewski
On 6/22/15, Walter H. <[hidden email]> wrote:
> Hello anybody,
>
> This plugin v1.0 has a few critical bugs, which made the apache logs
> grow endlessly;

I think that's ONE bug...

> $fd = fopen( ... );
> while (!feof($fd)) {  // <-- there is the problem in downloadcert.php:
>                       //    no error check whether the fopen failed or not ...

Indeed, that must be fixed, but the question this raises is how you
got there without having a valid cert?  Can you please share the full
message source of an example message that causes this?

> I fixed them and also did some error handling: now it is possible to see
> the difference between the following:

Thanks for your contributions.  I'll have a look.

- Paul

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php


Re: Updated S/MIME Verification plugin

Walter H.
On 24.6.2015 23:46, Paul Lesniewski wrote:
> On 6/22/15, Walter H.<[hidden email]>  wrote:
>
>> $fd = fopen( ... );
>> while (!feof($fd)) {  // <-- there is the problem in downloadcert.php:
>>                       //    no error check whether the fopen failed or not ...
> Indeed, that must be fixed, but the question this raises is how you
> got there without having a valid cert?  Can you please share the full
> message source of an example message that causes this?
>
yes,

for this testing purpose I took the functions.php of release 1.0 with my
release 1.1
and added these few lines on top:

global $echo, $openssl, $cadir, $easycerts;

$echo = "/bin/echo";
$openssl = "/usr/bin/openssl";
$cadir = "/etc/ssl/certs";
$easycerts = "";

because they are not used any more in my release 1.1

sent me 2 messages, one that fails and one that is ok

https://vhost01.mathemainzel.info/sqmailplugin/msg-failed.eml
https://vhost01.mathemainzel.info/sqmailplugin/msg-ok.eml

the results in Squirrelmail

https://vhost01.mathemainzel.info/sqmailplugin/screen-failed.png
https://vhost01.mathemainzel.info/sqmailplugin/screen-ok.png

this failed mail, shown in my thunderbird
https://vhost01.mathemainzel.info/sqmailplugin/screen-failed-tb.png
and shown with my plugin release 1.1 in Squirrelmail
https://vhost01.mathemainzel.info/sqmailplugin/screen-failed-myrelease.png

the other critical bugs are in functions.php

$subjectmessage = escapeshellarg($message_in);
exec("$echo $subjectmessage | $openssl ... ");
// nowhere is it said that the message in variable $message_in goes to the
// pipe-in of '| openssl ...'
// in other words, escapeshellarg modifies the message, which is causing
// the problems shown above,
// therefore the modifications in my release 1.1

>> I fixed them and also did some error handling: now it is possible to see
>> the difference between the following:
> Thanks for your contributions.  I'll have a look.
>
> - Paul
>
Thanks.

Greetings from Austria,
Walter



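One way to hand the raw message to openssl on stdin so that neither echo, the shell nor escapeshellarg() touches a single byte of it, as an added example rather than code from the plugin or the thread; the openssl arguments, the paths and the function names are assumptions.

```php
<?php
// Added example, not the plugin's code. The message is written to the child's
// stdin through proc_open(); only the fixed, trusted arguments are escaped and
// placed on the command line, so mail content is never interpreted by a shell.

function run_with_stdin($argv, $input)
{
    $cmd = implode(' ', array_map('escapeshellarg', $argv));
    $spec = array(0 => array('pipe', 'r'),   // child stdin
                  1 => array('pipe', 'w'),   // child stdout
                  2 => array('pipe', 'w'));  // child stderr
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    // Bytes are passed unchanged, CRLFs and quotes included. For inputs larger
    // than the pipe buffer, interleave writes and reads with stream_select()
    // or pass a temp file with -in instead; a mail message is usually small.
    fwrite($pipes[0], $input);
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return array('status' => proc_close($proc), 'stdout' => $out, 'stderr' => $err);
}

// Verify an S/MIME message against the trusted CA directory (assumed paths).
// A nonzero status means the signature or the certificate chain did not verify;
// $result['stderr'] carries openssl's reason, which the UI can distinguish.
function smime_verify($rawMessage, $cadir)
{
    $openssl = '/usr/bin/openssl';
    return run_with_stdin(array($openssl, 'smime', '-verify', '-CApath', $cadir), $rawMessage);
}

// Constructed message containing the characters that echo or escapeshellarg()
// would alter: a single quote, a shell variable, backticks and a backslash escape.
$msg = "Content-Type: text/plain\r\n\r\nIt's \$HOME `date` \\n -n done\r\n";

// Round trip through `cat` to show stdin delivery is byte-exact.
$r = run_with_stdin(array('cat'), $msg);
var_dump($r['stdout'] === $msg);

// Unsigned input: openssl reports an error and exits instead of looping.
$r = smime_verify($msg, '/etc/ssl/certs');
var_dump($r['status'] !== 0);
```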


Re: Updated S/MIME Verification plugin (now correct mail)

Walter H.
On 24.06.2015 23:46, Paul Lesniewski wrote:
> On 6/22/15, Walter H.<[hidden email]>  wrote:
>> I fixed them and also did some error handling: now it is possible to see
>> the difference between the following:
> Thanks for your contributions.  I'll have a look.
>
>
Did you already have a look?

Walter

