Benjamin Baier <[email protected]> writes:
> On Tue, 30 Dec 2014 21:35:06 +0100
> Daniel Jakots <[email protected]> wrote:
>
>> On Wed, 17 Dec 2014 13:56:18 +0000, Stuart Henderson
>> <[email protected]> wrote:
>>
>> > So an alternative diff below. It isn't particularly nice but does
>> > unbreak the port... Does anyone have a better idea?
>>
>> Hi,
>>
>> I'm a claws-mail user. Would the test of the diff help?
>> (looking for a way to unblock the situation :))
>>
>> Cheers,
>> Daniel
>>
>
> Hi, this replaces the self-rolled code with LibreSSL DES.
> This was done in a hurry, but then this could just use rot13,
> which would be equally secure, but not backwards compatible.
Your diff does not apply cleanly, I guess that's why nobody replied
(boo!). Did you test that the resulting format is actually backwards
compatible?
I guess this is the way to go, if the diff actually is correct. I'd
like to point out that the claws-mail port is lagging behind upstream;
it seems that no one has talked to the claws-mail developers about this
issue either.
Here's a diff that applies.
Index: patches/patch-configure_ac
===================================================================
RCS file: /cvs/ports/mail/claws-mail/patches/patch-configure_ac,v
retrieving revision 1.9
diff -u -p -r1.9 patch-configure_ac
--- patches/patch-configure_ac 21 Apr 2014 17:40:19 -0000 1.9
+++ patches/patch-configure_ac 11 Jan 2015 21:43:05 -0000
@@ -1,6 +1,6 @@
$OpenBSD: patch-configure_ac,v 1.9 2014/04/21 17:40:19 sthen Exp $
---- configure.ac.orig Sat Dec 14 10:14:50 2013
-+++ configure.ac Mon Apr 21 18:40:04 2014
+--- configure.ac.orig Sat Dec 14 11:14:50 2013
++++ configure.ac Sun Jan 11 22:42:57 2015
@@ -152,7 +152,7 @@ AM_CONDITIONAL(CYGWIN, test x"$env_cygwin" = x"yes")
if test "$GCC" = "yes"
@@ -10,7 +10,16 @@ $OpenBSD: patch-configure_ac,v 1.9 2014/
#CFLAGS="-g -Wall -Wno-unused-function"
fi
-@@ -737,6 +737,7 @@ if test x"$enable_new_addrbook" = xno; then
+@@ -494,6 +494,8 @@ dnl password encryption
+ OLDLIBS=$LIBS
+ LIBS=
+ case $host_os in
++ *openbsd*)
++ ;;
+ *dragonfly*)
+ AC_SEARCH_LIBS(encrypt, cipher, [],
AC_MSG_ERROR(['encrypt'-function not found.]))
+ ;;
+@@ -737,6 +739,7 @@ if test x"$enable_new_addrbook" = xno; then
AC_CHECK_LIB(resolv, res_query, LDAP_LIBS="$LDAP_LIBS -lresolv")
AC_CHECK_LIB(socket, bind, LDAP_LIBS="$LDAP_LIBS -lsocket")
AC_CHECK_LIB(nsl, gethostbyaddr, LDAP_LIBS="$LDAP_LIBS -lnsl")
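Review bot: The new empty `*openbsd*)` branch leaves `LIBS` empty for the password-encryption check, so nothing in this hunk puts libcrypto on the link line for the DES_* functions that the passcrypt.c patch starts calling. Unless configure.ac adds it elsewhere (not visible here), the branch could mirror the dragonfly one with `AC_SEARCH_LIBS(DES_cfb_encrypt, crypto, [], AC_MSG_ERROR(['DES_cfb_encrypt'-function not found.]))`. A `dnl` comment in the branch saying that OpenBSD uses libcrypto DES instead of encrypt(3) would also explain why it is empty. The surrounding `case` statement starts and ends outside the hunk.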
@@ -18,7 +27,7 @@ $OpenBSD: patch-configure_ac,v 1.9 2014/
AC_CHECK_LIB(lber, ber_get_tag, LDAP_LIBS="$LDAP_LIBS -llber",,
$LDAP_LIBS)
-@@ -809,7 +810,7 @@ if test x"$enable_new_addrbook" = xno; then
+@@ -809,7 +812,7 @@ if test x"$enable_new_addrbook" = xno; then
AC_DEFINE(USE_JPILOT, 1, Define if
you want JPilot support in addressbook.) ])
fi
Index: patches/patch-src_common_passcrypt_c
===================================================================
RCS file: patches/patch-src_common_passcrypt_c
diff -N patches/patch-src_common_passcrypt_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_common_passcrypt_c 11 Jan 2015 21:58:57 -0000
@@ -0,0 +1,131 @@
+$OpenBSD$
+--- src/common/passcrypt.c.orig Sat Dec 14 11:15:06 2013
++++ src/common/passcrypt.c Sun Jan 11 22:32:43 2015
+@@ -35,6 +35,7 @@
+ #endif
+
+ #include <glib.h>
++#include <openssl/des.h>
+
+ #include "passcrypt.h"
+
+@@ -72,100 +73,30 @@ crypt_cfb_buf(const char key[8], unsigned char *buf, u
+ ecb_crypt(des_key, buf, len, DES_ENCRYPT);
+ }
+ #else
+-static void crypt_cfb_shift(unsigned char *to,
+- const unsigned char *from, unsigned len);
+-static void crypt_cfb_xor(unsigned char *to, const unsigned char *from,
+- unsigned len);
+-static void crypt_unpack(unsigned char *a);
+-
+ static void
+ crypt_cfb_buf(const char key[8], unsigned char *buf, unsigned len,
+ unsigned chunksize, int decrypt)
+ {
+- unsigned char temp[64];
++ unsigned char *out;
++ char des_key[8];
++ DES_key_schedule keysched;
+
+- memcpy(temp, key, 8);
+- crypt_unpack(temp);
+- setkey((const char *) temp);
+- memset(temp, 0, sizeof(temp));
++ out = malloc(len);
++ if(out == NULL)
++ return;
++ strncpy(des_key, PASSCRYPT_KEY, 8);
++ memset(&crypt_cfb_iv, 0, sizeof(crypt_cfb_iv));
++
++ DES_set_odd_parity(&des_key);
++ DES_set_key_unchecked(&des_key, &keysched);
++ if (decrypt)
++ DES_cfb_encrypt(buf, out, crypt_cfb_blocksize,\
++ len, &keysched, &crypt_cfb_iv, DES_DECRYPT);
++ else
++ DES_cfb_encrypt(buf, out, crypt_cfb_blocksize,\
++ len, &keysched, &crypt_cfb_iv, DES_ENCRYPT);
+
+- memset(crypt_cfb_iv, 0, sizeof(crypt_cfb_iv));
+-
+- if (chunksize > crypt_cfb_blocksize)
+- chunksize = crypt_cfb_blocksize;
+-
+- while (len) {
+- memcpy(temp, crypt_cfb_iv, sizeof(temp));
+- encrypt((char *) temp, 0);
+- if (chunksize > len)
+- chunksize = len;
+- if (decrypt)
+- crypt_cfb_shift(crypt_cfb_iv, buf, chunksize);
+- crypt_cfb_xor((unsigned char *) buf, temp, chunksize);
+- if (!decrypt)
+- crypt_cfb_shift(crypt_cfb_iv, buf, chunksize);
+- len -= chunksize;
+- buf += chunksize;
+- }
+-}
+-
+-/*
+-* Shift len bytes from end of to buffer to beginning, then put len
+-* bytes from from at the end. Caution: the to buffer is unpacked,
+-* but the from buffer is not.
+-*/
+-static void
+-crypt_cfb_shift(unsigned char *to, const unsigned char *from, unsigned len)
+-{
+- unsigned i;
+- unsigned j;
+- unsigned k;
+-
+- if (len < crypt_cfb_blocksize) {
+- i = len * 8;
+- j = crypt_cfb_blocksize * 8;
+- for (k = i; k < j; k++) {
+- to[0] = to[i];
+- ++to;
+- }
+- }
+-
+- for (i = 0; i < len; i++) {
+- j = *from++;
+- for (k = 0x80; k; k >>= 1)
+- *to++ = ((j & k) != 0);
+- }
+-}
+-
+-/*
+-* XOR len bytes from from into the data at to. Caution: the from buffer
+-* is unpacked, but the to buffer is not.
+-*/
+-static void
+-crypt_cfb_xor(unsigned char *to, const unsigned char *from, unsigned len)
+-{
+- unsigned i;
+- unsigned j;
+- unsigned char c;
+-
+- for (i = 0; i < len; i++) {
+- c = 0;
+- for (j = 0; j < 8; j++)
+- c = (c << 1) | *from++;
+- *to++ ^= c;
+- }
+-}
+-
+-/*
+-* Take the 8-byte array at *a (must be able to hold 64 bytes!) and unpack
+-* each bit into its own byte.
+-*/
+-static void crypt_unpack(unsigned char *a)
+-{
+- int i, j;
+-
+- for (i = 7; i >= 0; --i)
+- for (j = 7; j >= 0; --j)
+- a[(i << 3) + j] = (a[i] & (0x80 >> j)) != 0;
++ strncpy(buf, out, len);
++ free(out);
+ }
+ #endif
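Review bot: `strncpy(buf, out, len);` at the end of crypt_cfb_buf treats the DES output as a C string, so the copy stops at the first zero byte in `out` and zero-fills the rest of `buf`, corrupting any result that contains 0x00; it should be `memcpy(buf, out, len);`. The new body also ignores the `key` and `chunksize` parameters (it copies `PASSCRYPT_KEY` and passes `crypt_cfb_blocksize` as the bit count), so previously stored passwords stay readable only if every caller already used those values, which the hunk does not show; `memcpy(des_key, key, 8);` would at least honour the key argument. On the decrypt path `out` holds the recovered password, so `explicit_bzero(out, len);` before `free(out);` avoids leaving it in freed heap memory. When `malloc` fails the function returns with `buf` untouched, and because it returns void the caller cannot tell that the password was never transformed. Declaring `DES_cblock des_key;` would also make the `&des_key` arguments match the DES_* prototypes instead of passing a `char (*)[8]`.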
--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE