Re: claws-mail: stop using encrypt()
On Mon, 12 Jan 2015 22:49:00 +0100 Landry Breuil wrote: Sorry for that. And yes I'm running claws with this diff and it reads and writes my old config file just fine, since Jan 4 now. Thanks, committed! Since I updated to the Jan 18th snapshot I have had the password field of the first used account (maybe last used before close) get overwritten with As in accountrc but it only happens occasionally. password=!b+lVQCP/ I've set the uchg (immutable) flag on accountrc with chflags(1) as a workaround, so claws-mail can no longer rewrite the file.
Re: claws-mail: stop using encrypt()
On Sun, 11 Jan 2015 23:00:15 +0100 j...@wxcvbn.org (Jérémie Courrèges-Anglas) wrote: Your diff does not apply cleanly, I guess that's why nobody replied (boo!). Did you test that the resulting format is actually backwards compatible? Sorry for that. And yes I'm running claws with this diff and it reads and writes my old config file just fine, since Jan 4 now. I guess this is the way to go, if the diff actually is correct. I'd like to point out that the claws-mail port is lagging behind upstream; it seems that no one has talked to the claws-mail developers about this issue either. It's on my list to send a patch upstream, but seeing them swap out openssl code in favour of gnutls, it's just luck that it still links against openssl. So this is not the final solution. Here's a diff that applies. Index: patches/patch-configure_ac === RCS file: /cvs/ports/mail/claws-mail/patches/patch-configure_ac,v retrieving revision 1.9 diff -u -p -r1.9 patch-configure_ac --- patches/patch-configure_ac21 Apr 2014 17:40:19 - 1.9 +++ patches/patch-configure_ac11 Jan 2015 21:43:05 - @@ -1,6 +1,6 @@ $OpenBSD: patch-configure_ac,v 1.9 2014/04/21 17:40:19 sthen Exp $ configure.ac.origSat Dec 14 10:14:50 2013 -+++ configure.ac Mon Apr 21 18:40:04 2014 +--- configure.ac.origSat Dec 14 11:14:50 2013 configure.ac Sun Jan 11 22:42:57 2015 @@ -152,7 +152,7 @@ AM_CONDITIONAL(CYGWIN, test x$env_cygwin = xyes) if test $GCC = yes 
@@ -10,7 +10,16 @@ $OpenBSD: patch-configure_ac,v 1.9 2014/ #CFLAGS=-g -Wall -Wno-unused-function fi -@@ -737,6 +737,7 @@ if test x$enable_new_addrbook = xno; then +@@ -494,6 +494,8 @@ dnl password encryption + OLDLIBS=$LIBS + LIBS= + case $host_os in ++*openbsd*) ++;; + *dragonfly*) + AC_SEARCH_LIBS(encrypt, cipher, [], AC_MSG_ERROR(['encrypt'-function not found.])) + ;; +@@ -737,6 +739,7 @@ if test x$enable_new_addrbook = xno; then AC_CHECK_LIB(resolv, res_query, LDAP_LIBS=$LDAP_LIBS -lresolv) AC_CHECK_LIB(socket, bind, LDAP_LIBS=$LDAP_LIBS -lsocket) AC_CHECK_LIB(nsl, gethostbyaddr, LDAP_LIBS=$LDAP_LIBS -lnsl) @@ -18,7 +27,7 @@ $OpenBSD: patch-configure_ac,v 1.9 2014/ AC_CHECK_LIB(lber, ber_get_tag, LDAP_LIBS=$LDAP_LIBS -llber,, $LDAP_LIBS) -@@ -809,7 +810,7 @@ if test x$enable_new_addrbook = xno; then +@@ -809,7 +812,7 @@ if test x$enable_new_addrbook = xno; then AC_DEFINE(USE_JPILOT, 1, Define if you want JPilot support in addressbook.) ]) fi Index: patches/patch-src_common_passcrypt_c === RCS file: patches/patch-src_common_passcrypt_c diff -N patches/patch-src_common_passcrypt_c --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-src_common_passcrypt_c 11 Jan 2015 21:58:57 - 
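Review bot: The new `*openbsd*) ;;` case only skips the encrypt(3) search; nothing in the hunk adds libcrypto to LIBS, even though the patched passcrypt.c in the same diff now includes openssl/des.h and calls DES_set_key_unchecked()/DES_cfb_encrypt(), so the link currently depends on -lcrypto being pulled in by some other part of the build (the thread itself says it is luck that it still links against openssl). Declare the dependency where the other platforms declare theirs: `*openbsd*)` / `AC_SEARCH_LIBS(DES_set_key_unchecked, crypto, [], AC_MSG_ERROR(['DES_set_key_unchecked' not found in libcrypto.]))` / `;;`. That way the port fails at configure time instead of at link time (or worse, silently) if upstream finishes moving from openssl to gnutls, which the thread expects.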
@@ -0,0 +1,131 @@ +$OpenBSD$ +--- src/common/passcrypt.c.orig Sat Dec 14 11:15:06 2013 src/common/passcrypt.c Sun Jan 11 22:32:43 2015 +@@ -35,6 +35,7 @@ + #endif + + #include glib.h ++#include openssl/des.h + + #include passcrypt.h + +@@ -72,100 +73,30 @@ crypt_cfb_buf(const char key[8], unsigned char *buf, u + ecb_crypt(des_key, buf, len, DES_ENCRYPT); + } + #else +-static void crypt_cfb_shift(unsigned char *to, +-const unsigned char *from, unsigned len); +-static void crypt_cfb_xor(unsigned char *to, const unsigned char *from, +- unsigned len); +-static void crypt_unpack(unsigned char *a); +- + static void + crypt_cfb_buf(const char key[8], unsigned char *buf, unsigned len, + unsigned chunksize, int decrypt) + { +-unsigned char temp[64]; ++unsigned char *out; ++char des_key[8]; ++DES_key_schedule keysched; + +-memcpy(temp, key, 8); +-crypt_unpack(temp); +-setkey((const char *) temp); +-memset(temp, 0, sizeof(temp)); ++out = malloc(len); ++if(out == NULL) ++return; ++strncpy(des_key, PASSCRYPT_KEY, 8); ++memset(crypt_cfb_iv, 0, sizeof(crypt_cfb_iv)); ++ ++DES_set_odd_parity(des_key); ++DES_set_key_unchecked(des_key, keysched); ++if (decrypt) ++DES_cfb_encrypt(buf, out, crypt_cfb_blocksize,\ ++len, keysched, crypt_cfb_iv, DES_DECRYPT); ++else ++DES_cfb_encrypt(buf, out, crypt_cfb_blocksize,\ ++len, keysched, crypt_cfb_iv, DES_ENCRYPT); + +-memset(crypt_cfb_iv, 0, sizeof(crypt_cfb_iv)); +- +-if (chunksize crypt_cfb_blocksize) +-chunksize = crypt_cfb_blocksize; +- +-while (len) { +-memcpy(temp, crypt_cfb_iv, sizeof(temp)); +-encrypt((char *) temp, 0); +-if (chunksize len) +-chunksize
Re: claws-mail: stop using encrypt()
On Mon, Jan 12, 2015 at 10:31:09PM +0100, Benjamin Baier wrote: On Sun, 11 Jan 2015 23:00:15 +0100 j...@wxcvbn.org (Jérémie Courrèges-Anglas) wrote: Your diff does not apply cleanly, I guess that's why nobody replied (boo!). Did you test that the resulting format is actually backwards compatible? Sorry for that. And yes I'm running claws with this diff and it reads and writes my old config file just fine, since Jan 4 now. Thanks, committed!
Re: claws-mail: stop using encrypt()
On 2015/01/11 23:00, Jérémie Courrèges-Anglas wrote: Benjamin Baier program...@netzbasis.de writes: On Tue, 30 Dec 2014 21:35:06 +0100 Daniel Jakots vigdis+o...@chown.me wrote: On Wed, 17 Dec 2014 13:56:18 +, Stuart Henderson st...@openbsd.org wrote: So an alternative diff below. It isn't particularly nice but does unbreak the port... Does anyone have a better idea? Hi, I'm a claws-mail user. Would the test of the diff help? (looking for a way to unblock the situation :)) Cheers, Daniel Hi, this replaces the self-rolled code with LibreSSL DES. This was done in a hurry, but then this could just use rot13, which would be equally secure, but not backwards compatible. Your diff does not apply cleanly, I guess that's why nobody replied (boo!). Either that, or people didn't notice it ;) Did you test that the resulting format is actually backwards compatible? I guess this is the way to go, if the diff actually is correct. I'd like to point out that the claws-mail port is lagging behind upstream; it seems that no one has talked to the claws-mail developers about this issue either. No big surprise, the port doesn't have anybody interested enough in it to be listed as maintainer .. Here's a diff that applies. If this can read a password stored with claws-mail from 5.6 then it's ok with me. Index: patches/patch-configure_ac === RCS file: /cvs/ports/mail/claws-mail/patches/patch-configure_ac,v retrieving revision 1.9 diff -u -p -r1.9 patch-configure_ac --- patches/patch-configure_ac21 Apr 2014 17:40:19 - 1.9 +++ patches/patch-configure_ac11 Jan 2015 21:43:05 - @@ -1,6 +1,6 @@ $OpenBSD: patch-configure_ac,v 1.9 2014/04/21 17:40:19 sthen Exp $ configure.ac.origSat Dec 14 10:14:50 2013 -+++ configure.ac Mon Apr 21 18:40:04 2014 +--- configure.ac.origSat Dec 14 11:14:50 2013 configure.ac Sun Jan 11 22:42:57 2015 @@ -152,7 +152,7 @@ AM_CONDITIONAL(CYGWIN, test x$env_cygwin = xyes) if test $GCC = yes 
@@ -10,7 +10,16 @@ $OpenBSD: patch-configure_ac,v 1.9 2014/ #CFLAGS=-g -Wall -Wno-unused-function fi -@@ -737,6 +737,7 @@ if test x$enable_new_addrbook = xno; then +@@ -494,6 +494,8 @@ dnl password encryption + OLDLIBS=$LIBS + LIBS= + case $host_os in ++*openbsd*) ++;; + *dragonfly*) + AC_SEARCH_LIBS(encrypt, cipher, [], AC_MSG_ERROR(['encrypt'-function not found.])) + ;; +@@ -737,6 +739,7 @@ if test x$enable_new_addrbook = xno; then AC_CHECK_LIB(resolv, res_query, LDAP_LIBS=$LDAP_LIBS -lresolv) AC_CHECK_LIB(socket, bind, LDAP_LIBS=$LDAP_LIBS -lsocket) AC_CHECK_LIB(nsl, gethostbyaddr, LDAP_LIBS=$LDAP_LIBS -lnsl) @@ -18,7 +27,7 @@ $OpenBSD: patch-configure_ac,v 1.9 2014/ AC_CHECK_LIB(lber, ber_get_tag, LDAP_LIBS=$LDAP_LIBS -llber,, $LDAP_LIBS) -@@ -809,7 +810,7 @@ if test x$enable_new_addrbook = xno; then +@@ -809,7 +812,7 @@ if test x$enable_new_addrbook = xno; then AC_DEFINE(USE_JPILOT, 1, Define if you want JPilot support in addressbook.) ]) fi Index: patches/patch-src_common_passcrypt_c === RCS file: patches/patch-src_common_passcrypt_c diff -N patches/patch-src_common_passcrypt_c --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-src_common_passcrypt_c 11 Jan 2015 21:58:57 - 
@@ -0,0 +1,131 @@ +$OpenBSD$ +--- src/common/passcrypt.c.orig Sat Dec 14 11:15:06 2013 src/common/passcrypt.c Sun Jan 11 22:32:43 2015 +@@ -35,6 +35,7 @@ + #endif + + #include glib.h ++#include openssl/des.h + + #include passcrypt.h + +@@ -72,100 +73,30 @@ crypt_cfb_buf(const char key[8], unsigned char *buf, u + ecb_crypt(des_key, buf, len, DES_ENCRYPT); + } + #else +-static void crypt_cfb_shift(unsigned char *to, +-const unsigned char *from, unsigned len); +-static void crypt_cfb_xor(unsigned char *to, const unsigned char *from, +- unsigned len); +-static void crypt_unpack(unsigned char *a); +- + static void + crypt_cfb_buf(const char key[8], unsigned char *buf, unsigned len, + unsigned chunksize, int decrypt) + { +-unsigned char temp[64]; ++unsigned char *out; ++char des_key[8]; ++DES_key_schedule keysched; + +-memcpy(temp, key, 8); +-crypt_unpack(temp); +-setkey((const char *) temp); +-memset(temp, 0, sizeof(temp)); ++out = malloc(len); ++if(out == NULL) ++return; ++strncpy(des_key, PASSCRYPT_KEY, 8); ++memset(crypt_cfb_iv, 0, sizeof(crypt_cfb_iv)); ++ ++DES_set_odd_parity(des_key); ++DES_set_key_unchecked(des_key, keysched); ++
Re: claws-mail: stop using encrypt()
Benjamin Baier program...@netzbasis.de writes: On Tue, 30 Dec 2014 21:35:06 +0100 Daniel Jakots vigdis+o...@chown.me wrote: On Wed, 17 Dec 2014 13:56:18 +, Stuart Henderson st...@openbsd.org wrote: So an alternative diff below. It isn't particularly nice but does unbreak the port... Does anyone have a better idea? Hi, I'm a claws-mail user. Would the test of the diff help? (looking for a way to unblock the situation :)) Cheers, Daniel Hi, this replaces the self-rolled code with LibreSSL DES. This was done in a hurry, but then this could just use rot13, which would be equally secure, but not backwards compatible. Your diff does not apply cleanly, I guess that's why nobody replied (boo!). Did you test that the resulting format is actually backwards compatible? I guess this is the way to go, if the diff actually is correct. I'd like to point out that the claws-mail port is lagging behind upstream; it seems that no one has talked to the claws-mail developers about this issue either. Here's a diff that applies. Index: patches/patch-configure_ac === RCS file: /cvs/ports/mail/claws-mail/patches/patch-configure_ac,v retrieving revision 1.9 diff -u -p -r1.9 patch-configure_ac --- patches/patch-configure_ac 21 Apr 2014 17:40:19 - 1.9 +++ patches/patch-configure_ac 11 Jan 2015 21:43:05 - @@ -1,6 +1,6 @@ $OpenBSD: patch-configure_ac,v 1.9 2014/04/21 17:40:19 sthen Exp $ configure.ac.orig Sat Dec 14 10:14:50 2013 -+++ configure.ac Mon Apr 21 18:40:04 2014 +--- configure.ac.orig Sat Dec 14 11:14:50 2013 configure.ac Sun Jan 11 22:42:57 2015 @@ -152,7 +152,7 @@ AM_CONDITIONAL(CYGWIN, test x$env_cygwin = xyes) if test $GCC = yes 
@@ -10,7 +10,16 @@ $OpenBSD: patch-configure_ac,v 1.9 2014/ #CFLAGS=-g -Wall -Wno-unused-function fi -@@ -737,6 +737,7 @@ if test x$enable_new_addrbook = xno; then +@@ -494,6 +494,8 @@ dnl password encryption + OLDLIBS=$LIBS + LIBS= + case $host_os in ++ *openbsd*) ++ ;; + *dragonfly*) + AC_SEARCH_LIBS(encrypt, cipher, [], AC_MSG_ERROR(['encrypt'-function not found.])) + ;; +@@ -737,6 +739,7 @@ if test x$enable_new_addrbook = xno; then AC_CHECK_LIB(resolv, res_query, LDAP_LIBS=$LDAP_LIBS -lresolv) AC_CHECK_LIB(socket, bind, LDAP_LIBS=$LDAP_LIBS -lsocket) AC_CHECK_LIB(nsl, gethostbyaddr, LDAP_LIBS=$LDAP_LIBS -lnsl) @@ -18,7 +27,7 @@ $OpenBSD: patch-configure_ac,v 1.9 2014/ AC_CHECK_LIB(lber, ber_get_tag, LDAP_LIBS=$LDAP_LIBS -llber,, $LDAP_LIBS) -@@ -809,7 +810,7 @@ if test x$enable_new_addrbook = xno; then +@@ -809,7 +812,7 @@ if test x$enable_new_addrbook = xno; then AC_DEFINE(USE_JPILOT, 1, Define if you want JPilot support in addressbook.) ]) fi Index: patches/patch-src_common_passcrypt_c === RCS file: patches/patch-src_common_passcrypt_c diff -N patches/patch-src_common_passcrypt_c --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-src_common_passcrypt_c11 Jan 2015 21:58:57 - 
@@ -0,0 +1,131 @@ +$OpenBSD$ +--- src/common/passcrypt.c.origSat Dec 14 11:15:06 2013 src/common/passcrypt.c Sun Jan 11 22:32:43 2015 +@@ -35,6 +35,7 @@ + #endif + + #include glib.h ++#include openssl/des.h + + #include passcrypt.h + +@@ -72,100 +73,30 @@ crypt_cfb_buf(const char key[8], unsigned char *buf, u + ecb_crypt(des_key, buf, len, DES_ENCRYPT); + } + #else +-static void crypt_cfb_shift(unsigned char *to, +- const unsigned char *from, unsigned len); +-static void crypt_cfb_xor(unsigned char *to, const unsigned char *from, +-unsigned len); +-static void crypt_unpack(unsigned char *a); +- + static void + crypt_cfb_buf(const char key[8], unsigned char *buf, unsigned len, + unsigned chunksize, int decrypt) + { +- unsigned char temp[64]; ++ unsigned char *out; ++ char des_key[8]; ++ DES_key_schedule keysched; + +- memcpy(temp, key, 8); +- crypt_unpack(temp); +- setkey((const char *) temp); +- memset(temp, 0, sizeof(temp)); ++ out = malloc(len); ++ if(out == NULL) ++ return; ++ strncpy(des_key, PASSCRYPT_KEY, 8); ++ memset(crypt_cfb_iv, 0, sizeof(crypt_cfb_iv)); ++ ++ DES_set_odd_parity(des_key); ++ DES_set_key_unchecked(des_key, keysched); ++ if (decrypt) ++ DES_cfb_encrypt(buf, out, crypt_cfb_blocksize,\ ++ len, keysched, crypt_cfb_iv, DES_DECRYPT); ++ else ++ DES_cfb_encrypt(buf, out, crypt_cfb_blocksize,\ ++ len, keysched, crypt_cfb_iv, DES_ENCRYPT); + +- memset(crypt_cfb_iv, 0, sizeof(crypt_cfb_iv)); +- +- if
Re: claws-mail: stop using encrypt()
On Tue, 30 Dec 2014 21:35:06 +0100 Daniel Jakots vigdis+o...@chown.me wrote: On Wed, 17 Dec 2014 13:56:18 +, Stuart Henderson st...@openbsd.org wrote: So an alternative diff below. It isn't particularly nice but does unbreak the port... Does anyone have a better idea? Hi, I'm a claws-mail user. Would the test of the diff help? (looking for a way to unblock the situation :)) Cheers, Daniel Hi, this replaces the self-rolled code with LibreSSL DES. This was done in a hurry, but then this could just use rot13, which would be equally secure, but not backwards compatible. Greetings ben Index: patch-configure_ac === RCS file: /cvs/ports/mail/claws-mail/patches/patch-configure_ac,v retrieving revision 1.9 diff -u -p -r1.9 patch-configure_ac --- patch-configure_ac 21 Apr 2014 17:40:19 - 1.9 +++ patch-configure_ac 4 Jan 2015 17:50:33 - @@ -1,6 +1,6 @@ $OpenBSD: patch-configure_ac,v 1.9 2014/04/21 17:40:19 sthen Exp $ --- configure.ac.orig Sat Dec 14 10:14:50 2013 -+++ configure.ac Mon Apr 21 18:40:04 2014 configure.ac Wed Dec 17 12:00:37 2014 @@ -152,7 +152,7 @@ AM_CONDITIONAL(CYGWIN, test x$env_cygwin = xyes) if test $GCC = yes @@ -10,7 +10,16 @@ $OpenBSD: patch-configure_ac,v 1.9 2014/ #CFLAGS=-g -Wall -Wno-unused-function fi -@@ -737,6 +737,7 @@ if test x$enable_new_addrbook = xno; then +@@ -494,6 +494,8 @@ dnl password encryption + OLDLIBS=$LIBS + LIBS= + case $host_os in ++ *openbsd*) ++ ;; + *dragonfly*) + AC_SEARCH_LIBS(encrypt, cipher, [], AC_MSG_ERROR(['encrypt'-function not found.])) + ;; +@@ -737,6 +739,7 @@ if test x$enable_new_addrbook = xno; then AC_CHECK_LIB(resolv, res_query, LDAP_LIBS=$LDAP_LIBS -lresolv) AC_CHECK_LIB(socket, bind, LDAP_LIBS=$LDAP_LIBS -lsocket) AC_CHECK_LIB(nsl, gethostbyaddr, LDAP_LIBS=$LDAP_LIBS -lnsl) 
@@ -18,7 +27,7 @@ $OpenBSD: patch-configure_ac,v 1.9 2014/ AC_CHECK_LIB(lber, ber_get_tag, LDAP_LIBS=$LDAP_LIBS -llber,, $LDAP_LIBS) -@@ -809,7 +810,7 @@ if test x$enable_new_addrbook = xno; then +@@ -809,7 +812,7 @@ if test x$enable_new_addrbook = xno; then AC_DEFINE(USE_JPILOT, 1, Define if you want JPilot support in addressbook.) ]) fi Index: patch-src_common_passcrypt_c === RCS file: patch-src_common_passcrypt_c diff -N patch-src_common_passcrypt_c --- /dev/null 1 Jan 1970 00:00:00 - +++ patch-src_common_passcrypt_c4 Jan 2015 17:53:56 - 
@@ -0,0 +1,131 @@ +--- src/common/passcrypt.c.origSat Dec 14 11:15:06 2013 src/common/passcrypt.c Sun Jan 4 17:47:05 2015 +@@ -35,6 +35,7 @@ + #endif + + #include glib.h ++#include openssl/des.h + + #include passcrypt.h + +@@ -72,100 +73,30 @@ crypt_cfb_buf(const char key[8], unsigned char *buf, u + ecb_crypt(des_key, buf, len, DES_ENCRYPT); + } + #else +-static void crypt_cfb_shift(unsigned char *to, +- const unsigned char *from, unsigned len); +-static void crypt_cfb_xor(unsigned char *to, const unsigned char *from, +-unsigned len); +-static void crypt_unpack(unsigned char *a); +- + static void + crypt_cfb_buf(const char key[8], unsigned char *buf, unsigned len, + unsigned chunksize, int decrypt) + { +- unsigned char temp[64]; ++ unsigned char *out; ++ char des_key[8]; ++ DES_key_schedule keysched; ++ ++ out = malloc(len); ++ if(out == NULL) ++ return; ++ strncpy(des_key, PASSCRYPT_KEY, 8); ++ memset(crypt_cfb_iv, 0, sizeof(crypt_cfb_iv)); ++ ++ DES_set_odd_parity(des_key); ++ DES_set_key_unchecked(des_key, keysched); ++ if (decrypt) ++ DES_cfb_encrypt(buf, out, crypt_cfb_blocksize,\ ++ len, keysched, crypt_cfb_iv, DES_DECRYPT); ++ else ++ DES_cfb_encrypt(buf, out, crypt_cfb_blocksize,\ ++ len, keysched, crypt_cfb_iv, DES_ENCRYPT); + +- memcpy(temp, key, 8); +- crypt_unpack(temp); +- setkey((const char *) temp); +- memset(temp, 0, sizeof(temp)); +- +- memset(crypt_cfb_iv, 0, sizeof(crypt_cfb_iv)); +- +- if (chunksize crypt_cfb_blocksize) +- chunksize = crypt_cfb_blocksize; +- +- while (len) { +- memcpy(temp, crypt_cfb_iv, sizeof(temp)); +- encrypt((char *) temp, 0); +- if (chunksize len) +- chunksize = len; +- if (decrypt) +- crypt_cfb_shift(crypt_cfb_iv, buf, chunksize); +- crypt_cfb_xor((unsigned char *) buf, temp, chunksize); +- if (!decrypt) +- crypt_cfb_shift(crypt_cfb_iv, buf, chunksize); +- len -= chunksize; +- buf += chunksize; +-
Re: claws-mail: stop using encrypt()
On Wed, 17 Dec 2014 13:56:18 +, Stuart Henderson st...@openbsd.org wrote: So an alternative diff below. It isn't particularly nice but does unbreak the port... Does anyone have a better idea? Hi, I'm a claws-mail user. Would the test of the diff help? (looking for a way to unblock the situation :)) Cheers, Daniel
Re: claws-mail: stop using encrypt()
On 2014-12-17, Stuart Henderson st...@openbsd.org wrote: claws-mail uses encrypt() for password obfuscation in the saved config file (.claws-mail/accountrc), which was removed from libc. So an alternative diff below. It isn't particularly nice but does unbreak the port... Does anyone have a better idea? Doesn't changing the obfuscation, including removing it, mean that a user's saved passwords are now lost? -- Christian naddy Weisgerber na...@mips.inka.de
Re: claws-mail: stop using encrypt()
On 2014/12/18 12:38, Christian Weisgerber wrote: On 2014-12-17, Stuart Henderson st...@openbsd.org wrote: claws-mail uses encrypt() for password obfuscation in the saved config file (.claws-mail/accountrc), which was removed from libc. So an alternative diff below. It isn't particularly nice but does unbreak the port... Does anyone have a better idea? Doesn't changing the obfuscation, including removing it, mean that a user's saved passwords are now lost? Yes. I suppose the other option would be to add the removed DES code as a patch in the port..
Re: claws-mail: stop using encrypt()
On Thu, Dec 18, 2014 at 01:30:23PM +, Stuart Henderson wrote: On 2014/12/18 12:38, Christian Weisgerber wrote: On 2014-12-17, Stuart Henderson st...@openbsd.org wrote: claws-mail uses encrypt() for password obfuscation in the saved config file (.claws-mail/accountrc), which was removed from libc. So an alternative diff below. It isn't particularly nice but does unbreak the port... Does anyone have a better idea? Doesn't changing the obfuscation, including removing it, mean that a user's saved passwords are now lost? Yes. This could be very problematical since Claws doesn't offer the user a way to view the password they saved and there is no warning when you type one in that it's a one-way deal. I know of at least one person who didn't save his email account passwords elsewhere, figuring Claws would surely allow him to view/edit them later. He had to patch the code to spit out all the decrypted passwords big stupid grin I suppose the other option would be to add the removed DES code as a patch in the port.. I see no valid reason for encrypting them in the first place and would be happy for this feature to go away transparently. But if you fixup accountrc that would break Claws on other platforms when trying to import an accountrc from OpenBSD with unencrypted passwords. That would be A Bad Thing. /jl -- ASCII ribbon campaign ( ) Powered by Lemote Fuloong against HTML e-mail X Loongson MIPS and OpenBSD and proprietary/ \http://www.mutt.org attachments / \ Code Blue or Go Home! Encrypted email preferred PGP Key 2048R/DA65BC04
Re: claws-mail: stop using encrypt()
On 2014/12/18 13:40, John Long wrote: On Thu, Dec 18, 2014 at 01:30:23PM +, Stuart Henderson wrote: On 2014/12/18 12:38, Christian Weisgerber wrote: On 2014-12-17, Stuart Henderson st...@openbsd.org wrote: claws-mail uses encrypt() for password obfuscation in the saved config file (.claws-mail/accountrc), which was removed from libc. So an alternative diff below. It isn't particularly nice but does unbreak the port... Does anyone have a better idea? Doesn't changing the obfuscation, including removing it, mean that a user's saved passwords are now lost? Yes. This could be very problematical since Claws doesn't offer the user a way to view the password they saved and there is no warning when you type one in that it's a one-way deal. I know of at least one person who didn't save his email account passwords elsewhere, figuring Claws would surely allow him to view/edit them later. He had to patch the code to spit out all the decrypted passwords big stupid grin https://github.com/b4n/clawsmail-password-decrypter I suppose the other option would be to add the removed DES code as a patch in the port.. I see no valid reason for encrypting them in the first place and would be happy for this feature to go away transparently. But if you fixup accountrc that would break Claws on other platforms when trying to import an accountrc from OpenBSD with unencrypted passwords. That would be A Bad Thing. That's already the case with FreeBSD.
Re: claws-mail: stop using encrypt()
On 2014-12-18, Stuart Henderson st...@openbsd.org wrote: Doesn't changing the obfuscation, including removing it, mean that a user's saved passwords are now lost? Yes. I suppose the other option would be to add the removed DES code as a patch in the port.. Isn't this stuff available in libcrypto? -- Christian naddy Weisgerber na...@mips.inka.de
Re: claws-mail: stop using encrypt()
On 2014-12-18, Stuart Henderson st...@openbsd.org wrote: https://github.com/b4n/clawsmail-password-decrypter Should we bundle this with claws-mail? Would people who need it find the bundled script? -- Christian naddy Weisgerber na...@mips.inka.de
Re: claws-mail: stop using encrypt()
On Thu, Dec 18, 2014 at 02:09:24PM +, Stuart Henderson wrote: On 2014/12/18 13:40, John Long wrote: On Thu, Dec 18, 2014 at 01:30:23PM +, Stuart Henderson wrote: On 2014/12/18 12:38, Christian Weisgerber wrote: On 2014-12-17, Stuart Henderson st...@openbsd.org wrote: claws-mail uses encrypt() for password obfuscation in the saved config file (.claws-mail/accountrc), which was removed from libc. So an alternative diff below. It isn't particularly nice but does unbreak the port... Does anyone have a better idea? Doesn't changing the obfuscation, including removing it, mean that a user's saved passwords are now lost? Yes. This could be very problematical since Claws doesn't offer the user a way to view the password they saved and there is no warning when you type one in that it's a one-way deal. I know of at least one person who didn't save his email account passwords elsewhere, figuring Claws would surely allow him to view/edit them later. He had to patch the code to spit out all the decrypted passwords big stupid grin https://github.com/b4n/clawsmail-password-decrypter I patched my copy to write out a file of userids and passwords but that would have been nice if it existed at the time. I suppose the other option would be to add the removed DES code as a patch in the port.. I see no valid reason for encrypting them in the first place and would be happy for this feature to go away transparently. But if you fixup accountrc that would break Claws on other platforms when trying to import an accountrc from OpenBSD with unencrypted passwords. That would be A Bad Thing. That's already the case with FreeBSD. No further objections, Your Honor ;-) /jl -- ASCII ribbon campaign ( ) Powered by Lemote Fuloong against HTML e-mail X Loongson MIPS and OpenBSD and proprietary/ \http://www.mutt.org attachments / \ Code Blue or Go Home! Encrypted email preferred PGP Key 2048R/DA65BC04
claws-mail: stop using encrypt()
claws-mail uses encrypt() for password obfuscation in the saved config file (.claws-mail/accountrc), which was removed from libc. I attempted switching to blowfish-ebc, along similar lines to their existing FreeBSD code for des-ebc, and had it working for some passwords, but it needs 8-byte blocks and I didn't manage to change things enough to handle padding (the encrypted password is returned in the same buffer as the original password so it's fiddly). Actually I believe the FreeBSD des-ebc code is also supposed to use 8-byte blocks but apparently it works anyway...? So an alternative diff below. It isn't particularly nice but does unbreak the port... Does anyone have a better idea? Index: Makefile === RCS file: /cvs/ports/mail/claws-mail/Makefile,v retrieving revision 1.73 diff -u -p -r1.73 Makefile --- Makefile25 Oct 2014 14:53:04 - 1.73 +++ Makefile17 Dec 2014 13:53:36 - @@ -13,6 +13,7 @@ COMMENT-gdata=gdata plugin V= 3.9.3 REVISION= 1 REVISION-htmlviewer= 2 +REVISION-main= 2 DISTNAME= claws-mail-${V} PKGNAME-main= ${DISTNAME} PKGNAME-bogofilter=claws-mail-bogofilter-${V} Index: patches/patch-configure_ac === RCS file: /cvs/ports/mail/claws-mail/patches/patch-configure_ac,v retrieving revision 1.9 diff -u -p -r1.9 patch-configure_ac --- patches/patch-configure_ac 21 Apr 2014 17:40:19 - 1.9 +++ patches/patch-configure_ac 17 Dec 2014 13:53:36 - @@ -1,6 +1,6 @@ $OpenBSD: patch-configure_ac,v 1.9 2014/04/21 17:40:19 sthen Exp $ --- configure.ac.orig Sat Dec 14 10:14:50 2013 -+++ configure.ac Mon Apr 21 18:40:04 2014 configure.ac Wed Dec 17 12:00:37 2014 @@ -152,7 +152,7 @@ AM_CONDITIONAL(CYGWIN, test x$env_cygwin = xyes) if test $GCC = yes 
@@ -10,7 +10,16 @@ $OpenBSD: patch-configure_ac,v 1.9 2014/ #CFLAGS=-g -Wall -Wno-unused-function fi -@@ -737,6 +737,7 @@ if test x$enable_new_addrbook = xno; then +@@ -494,6 +494,8 @@ dnl password encryption + OLDLIBS=$LIBS + LIBS= + case $host_os in ++ *openbsd*) ++ ;; + *dragonfly*) + AC_SEARCH_LIBS(encrypt, cipher, [], AC_MSG_ERROR(['encrypt'-function not found.])) + ;; +@@ -737,6 +739,7 @@ if test x$enable_new_addrbook = xno; then AC_CHECK_LIB(resolv, res_query, LDAP_LIBS=$LDAP_LIBS -lresolv) AC_CHECK_LIB(socket, bind, LDAP_LIBS=$LDAP_LIBS -lsocket) AC_CHECK_LIB(nsl, gethostbyaddr, LDAP_LIBS=$LDAP_LIBS -lnsl) @@ -18,7 +27,7 @@ $OpenBSD: patch-configure_ac,v 1.9 2014/ AC_CHECK_LIB(lber, ber_get_tag, LDAP_LIBS=$LDAP_LIBS -llber,, $LDAP_LIBS) -@@ -809,7 +810,7 @@ if test x$enable_new_addrbook = xno; then +@@ -809,7 +812,7 @@ if test x$enable_new_addrbook = xno; then AC_DEFINE(USE_JPILOT, 1, Define if you want JPilot support in addressbook.) ]) fi Index: patches/patch-src_common_passcrypt_c === RCS file: patches/patch-src_common_passcrypt_c diff -N patches/patch-src_common_passcrypt_c --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-src_common_passcrypt_c17 Dec 2014 13:53:36 - 
@@ -0,0 +1,26 @@ +$OpenBSD$ + +encrypt(), as used for password obfuscation, was removed from libc. +Switch to storing unencrypted instead. + +--- src/common/passcrypt.c.origSat Dec 14 10:15:06 2013 src/common/passcrypt.c Wed Dec 17 13:04:03 2014 +@@ -57,7 +57,19 @@ void passcrypt_decrypt(gchar *password, guint len) + unsigned char crypt_cfb_iv[64]; + int crypt_cfb_blocksize = 8; /* 8 for DES */ + +-#if defined (__FreeBSD__) ++#if defined (__OpenBSD__) ++static void ++crypt_cfb_buf(const char key[8], unsigned char *buf, unsigned len, ++unsigned chunksize, int decrypt) ++{ ++ /* ++ * XXX do nothing, just store it unencrypted ++ */ ++ ; ++} ++#elif defined (__FreeBSD__) + static void + crypt_cfb_buf(const char key[8], unsigned char *buf, unsigned len, + unsigned chunksize, int decrypt) ... for completeness, here's the semi-working blf code. #include blf.h static void crypt_cfb_buf(const char key[8], unsigned char *buf, unsigned len, unsigned chunksize, int decrypt) { blf_ctx state; blf_key(state, PASSCRYPT_KEY, 8); if (decrypt) blf_ecb_decrypt(state, buf, len); else blf_ecb_encrypt(state, buf, len); }
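Review bot: The new __OpenBSD__ crypt_cfb_buf stub in the passcrypt.c hunk is a no-op in both directions, so an accountrc written by an earlier build still holds DES-CFB ciphertext and that ciphertext is now handed to the mail server as the literal password; nothing in the patch detects or migrates the old format, and the rest of the thread confirms the saved passwords are effectively lost. The stub's comment should say so rather than just "do nothing", e.g. `/* XXX no-op: passwords are stored as-is. accountrc entries written by earlier builds (DES-CFB via encrypt(3)) are not migrated and must be re-entered. */`. The blowfish alternative pasted after the hunk is not safe to adopt as-is either: as far as I can tell blf_ecb_encrypt()/blf_ecb_decrypt() walk the buffer in whole 8-byte blocks, so a password whose length is not a multiple of 8 is read and written past the end of buf, which matches the author's own remark that it needs 8-byte blocks and padding.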