[Bug 1994165] Re: CMS_final: do not ignore CMS_dataFinal result

Wed Jan 24 21:30:36 UTC 2024

As expected, it wasn't very easy to create a reproducer since the
openssl tool couldn't be used and it required introducing errors in
lower layers. Moreover the CMS_dataFinal symbol cannot be overriden in a
meaningful way, probably either due to LTO or symbol visibility.
Fortunately it was still possible to do it through GDB even though it
couldn't locate the symbol at first (hence the message "Function
"CMS_dataFinal" not defined.")

# apt-get install -y gdb

# cat > gdb_commands << EOF
> set breakpoint pending on
break CMS_dataFinal
r
return (int) 0
c
q
EOF

# echo foo > mail.txt

# openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -sha256 -days 30
# echo use "1234" as password and press enter for each subsequent question

# gdb --return-child-result --batch-silent --command=gdb_commands --args openssl cms -sign -in mail.txt -out mail.msg -signer cert.pem -inkey key.pem -noindef -nodetach -passin pass:1234; echo $?
Function "CMS_dataFinal" not defined.
0

# echo edit sources.list and apt install -t jammy-proposed libssl3

# # gdb --return-child-result --batch-silent --command=gdb_commands --args openssl cms -sign -in mail.txt -out mail.msg -signer cert.pem -inkey key.pem -noindef -nodetach -passin pass:1234; echo $?
Function "CMS_dataFinal" not defined.
80FBF0F7FF7F0000:error:17000067:CMS routines:CMS_final:cms datafinal error:../crypto/cms/cms_smime.c:890:
3

As can be seen, after the update, the return code is non-0, indicating
the error was properly bubbled up.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1994165

Title:
  CMS_final: do not ignore CMS_dataFinal result

Status in openssl package in Ubuntu:
  Fix Released
Status in openssl source package in Jammy:
  Fix Committed
Status in openssl source package in Kinetic:
  Won't Fix
Status in openssl source package in Lunar:
  Fix Released

Bug description:
  === SRU information ===
  [Meta]
  This bug is part of a series of three bugs for a single SRU.
  The "central" bug with the global information and debdiff is http://pad.lv/2033422

  [Impact]
  S/MIME signature can fail silently
  The commit by upstream propagates the return code of some functions rather than ignore it.

  [Test plan]
  This issue is not very simple to reproduce because "openssl cms" cannot be used to do so. This has to be done with the openssl API instead.
  At least the bug reportere here and the one on openssl's bug tracker have confirmed the patch solves the issue. Additionally, the bug reporter here has tested the PPA that contains the patche and validated it. Finally, I read through the patch attentively.

  [Where problems could occur]
  At this point it is unlikely an error would appear. The openssl bug tracker mentions nothing related to this patch which landed more than a year ago. The patch is simple and doesn't change the code logic.

  [Patches]
  The patches come directly from upstream and apply cleanly.

  https://github.com/openssl/openssl/pull/18876

  * https://git.launchpad.net/~adrien-n/ubuntu/+source/openssl/tree/debian/patches/jammy-sru-0001-REGRESSION-CMS_final-do-not-ignore-CMS_dataFinal-res.patch?h=jammy-sru&id=04ef023920ab08fba214817523fba897527dfff0
  * https://git.launchpad.net/~adrien-n/ubuntu/+source/openssl/tree/debian/patches/jammy-sru-0002-Handle-SMIME_crlf_copy-return-code.patch?h=jammy-sru&id=04ef023920ab08fba214817523fba897527dfff0

  === Original description ===

  https://github.com/openssl/openssl/pull/18876

  The CMS_dataFinal result is important as signature may fail, however, it
  is ignored while returning success from CMS_final.

  Please add this fix to The openssl 3.0.2 "Jammy Jellyfish (supported)"

  Thanks

  Upstream commit:

  ```
  commit 67c0460b89cc1b0644a1a59af78284dfd8d720af
  Author: Alon Bar-Lev <alon.barlev at gmail.com>
  Date:   Tue Jul 26 15:17:06 2022 +0300

      Handle SMIME_crlf_copy return code

      Currently the SMIME_crlf_copy result is ignored in all usages. It does
      return failure when memory allocation fails.

      This patch handles the SMIME_crlf_copy return code in all
  occurrences.

      Signed-off-by: Alon Bar-Lev <alon.barlev at gmail.com>

      Reviewed-by: Tomas Mraz <tomas at openssl.org>
      Reviewed-by: Paul Dale <pauli at openssl.org>
      Reviewed-by: Hugo Landau <hlandau at openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/18876)
  ```

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1994165/+subscriptions