Debian Bug report logs - #611743
openssl smime -verify can't verify binary messages without CRLF

version graph

Package: openssl; Maintainer for openssl is Debian OpenSSL Team <[email protected]>; Source for openssl is src:openssl (PTS, buildd, popcon).

Reported by: John Hughes <[email protected]>

Date: Tue, 1 Feb 2011 16:27:06 UTC

Severity: normal

Found in version openssl/0.9.8o-4

Reply or subscribe to this bug.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to [email protected], Debian OpenSSL Team <[email protected]>:
Bug#611743; Package openssl. (Tue, 01 Feb 2011 16:27:09 GMT) (full text, mbox, link).

Acknowledgement sent to John Hughes <[email protected]>:
New Bug report received and forwarded. Copy sent to Debian OpenSSL Team <[email protected]>. (Tue, 01 Feb 2011 16:27:10 GMT) (full text, mbox, link).

Message #5 received at [email protected] (full text, mbox, reply):

From: John Hughes <[email protected]>
To: Debian Bug Tracking System <[email protected]>
Subject: openssl smime -verify can't verify binary messages without CRLF
Date: Tue, 01 Feb 2011 17:21:30 +0100
Package: openssl
Version: 0.9.8o-4
Severity: normal


If I make a simple message:

---cut here 8><---
Content-Type: application/octet-stream
Content-Transfer-Encoding: 8bit

BINARY DATA

---cut here 8><---

(note lines end in LF, not CRLF)

and sign it as so:

openssl smime -sign -binary -in zz-in -out zz-out \
	-signer as2.crt -inkey as2.key

(note I asked for -binary)

Then it is impossible to verify the message:

openssl smime -verify -binary -in zz-out -noverify \
	-certfile as2.crt -inform smime  | cat -vet
Verification failure
21148:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest failure:pk7_doit.c:948:
21148:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:pk7_smime.c:312:
Content-Type: application/octet-stream^M$
Content-Transfer-Encoding: 8bit^M$
^M$
BINARY DATA^M$
^M$

It seems that the -verify code doesn't know how to do -binary.

If I sign without -binary and verify with or without -binary then the
verification works, but my binary data is corrupted by replacing all
LF's with CRLF.

-- System Information:
Debian Release: 6.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssl depends on:
ii  libc6                   2.11.2-10        Embedded GNU C Library: Shared lib
ii  libssl0.9.8             0.9.8o-4         SSL shared libraries
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates            20090814+nmu2 Common CA certificates

-- no debconf information

Information forwarded to [email protected], Debian OpenSSL Team <[email protected]>:
Bug#611743; Package openssl. (Tue, 01 Feb 2011 17:03:03 GMT) (full text, mbox, link).

Acknowledgement sent to John Hughes <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <[email protected]>. (Tue, 01 Feb 2011 17:03:03 GMT) (full text, mbox, link).

Message #10 received at [email protected] (full text, mbox, reply):

From: John Hughes <[email protected]>
To: [email protected]
Subject: Re: Bug#611743: Acknowledgement (openssl smime -verify can't verify binary messages without CRLF)
Date: Tue, 01 Feb 2011 17:54:51 +0100
OpenSSL tickets:

http://rt.openssl.org/Ticket/Display.html?id=828

and

http://rt.openssl.org/Ticket/Display.html?id=1261

seem relevant.

Information forwarded to [email protected], Debian OpenSSL Team <[email protected]> (openssl for {611743}):
Bug#611743; Package openssl. (Mon, 22 Dec 2025 13:37:02 GMT) (full text, mbox, link).

Acknowledgement sent to Ulrich Buchgraber <[email protected]>:
Extra info received and forwarded to list. Copy sent to [email protected]. (Mon, 22 Dec 2025 13:37:02 GMT) (full text, mbox, link).

Message #15 received at [email protected] (full text, mbox, reply):

From: Ulrich Buchgraber <[email protected]>
To: "[email protected]" <[email protected]>
Subject: Re: Bug#611743: Acknowledgement (openssl smime -verify can't verify binary messages without CRLF)
Date: Mon, 22 Dec 2025 13:35:41 +0000
[Message part 1 (text/plain, inline)]
On Tue, 01 Feb 2011 17:54:51 +0100 John Hughes <[email protected]> wrote:
> OpenSSL tickets:
>
> http://rt.openssl.org/Ticket/Display.html?id=828
>
> and
>
> http://rt.openssl.org/Ticket/Display.html?id=1261
>
> seem relevant.
>
>


I'm seeing the same issue (with current OpenSSL versions), but these RT links are offline. Do you maybe have new ticket links?

[Message part 2 (text/html, inline)]

Information forwarded to [email protected], Debian OpenSSL Team <[email protected]> (openssl for {611743}):
Bug#611743; Package openssl. (Tue, 23 Dec 2025 10:02:01 GMT) (full text, mbox, link).

Acknowledgement sent to Sebastian Andrzej Siewior <[email protected]>:
Extra info received and forwarded to list. Copy sent to [email protected]. (Tue, 23 Dec 2025 10:02:01 GMT) (full text, mbox, link).

Message #20 received at [email protected] (full text, mbox, reply):

From: Sebastian Andrzej Siewior <[email protected]>
To: Ulrich Buchgraber <[email protected]>, [email protected]
Subject: Re: [Pkg-openssl-devel] Bug#611743: Acknowledgement (openssl smime -verify can't verify binary messages without CRLF)
Date: Tue, 23 Dec 2025 10:41:58 +0100
On 2025-12-22 13:35:41 [+0000], Ulrich Buchgraber wrote:
> On Tue, 01 Feb 2011 17:54:51 +0100 John Hughes <[email protected]> wrote:
> > OpenSSL tickets:
> >
> > http://rt.openssl.org/Ticket/Display.html?id=828

https://groups.google.com/g/mailing.openssl.dev/c/FOX9Ss2aaJw/m/AfS76a44lXAJ
https://groups.google.com/g/mailing.openssl.dev/c/LF1RYgvRUQE/m/oSJXkswhDQAJ

> > and
> >
> > http://rt.openssl.org/Ticket/Display.html?id=1261

https://groups.google.com/g/mailing.openssl.dev/c/9pB2Iqhttb4/m/W67FfElyVQUJ
https://groups.google.com/g/mailing.openssl.dev/c/m37jiHpC7NA/m/MGwdXzdOkSwJ
https://groups.google.com/g/mailing.openssl.dev/c/-zQ_jTdjinc/m/K9ipQoLEX88J
https://groups.google.com/g/mailing.openssl.dev/c/cXB0VXJxjlc/m/1Uls-YCYDAAJ

> >
> > seem relevant.
> >
> >
> 
> 
> I'm seeing the same issue (with current OpenSSL versions), but these
> RT links are offline. Do you maybe have new ticket links?

I restored some of the mails since the RT tracker is gone. Would you
mind forward this to openssl upstream on github?

Sebastian

Information forwarded to [email protected], Debian OpenSSL Team <[email protected]> (openssl for {611743}):
Bug#611743; Package openssl. (Tue, 23 Dec 2025 10:59:01 GMT) (full text, mbox, link).

Acknowledgement sent to Ulrich Buchgraber <[email protected]>:
Extra info received and forwarded to list. Copy sent to [email protected]. (Tue, 23 Dec 2025 10:59:01 GMT) (full text, mbox, link).

Message #25 received at [email protected] (full text, mbox, reply):

From: Ulrich Buchgraber <[email protected]>
To: "[email protected]" <[email protected]>
Subject: Re: [Pkg-openssl-devel] Bug#611743: Acknowledgement (openssl smime -verify can't verify binary messages without CRLF)
Date: Tue, 23 Dec 2025 10:56:49 +0000
[Message part 1 (text/plain, inline)]
> > > OpenSSL tickets:
> > >
> > > http://rt.openssl.org/Ticket/Display.html?id=828
>
> https://groups.google.com/g/mailing.openssl.dev/c/FOX9Ss2aaJw/m/AfS76a44lXAJ
> https://groups.google.com/g/mailing.openssl.dev/c/LF1RYgvRUQE/m/oSJXkswhDQAJ
>
> > > and
> > >
> > > http://rt.openssl.org/Ticket/Display.html?id=1261
>
> https://groups.google.com/g/mailing.openssl.dev/c/9pB2Iqhttb4/m/W67FfElyVQUJ
> https://groups.google.com/g/mailing.openssl.dev/c/m37jiHpC7NA/m/MGwdXzdOkSwJ
> https://groups.google.com/g/mailing.openssl.dev/c/-zQ_jTdjinc/m/K9ipQoLEX88J
> https://groups.google.com/g/mailing.openssl.dev/c/cXB0VXJxjlc/m/1Uls-YCYDAAJ
>
[...]
> I restored some of the mails since the RT tracker is gone.

Many thanks for links Sebastian.

If understood correctly, they point to a patch which does more: support a "Content-Transfer-Encoding: binary|base64" header (and add a new -transferencoding param).



> Would you mind forward this to openssl upstream on github?

For the original issue ("openssl smime -verify -binary" has issues with non-CRLF line endings), I've created https://github.com/openssl/openssl/issues/29492.


Many thanks again!

Greetings,
Ulrich

[Message part 2 (text/html, inline)]

Send a report that this bug log contains spam.

Debian bug tracking system administrator <[email protected]>. Last modified: Sun Dec 28 01:19:11 2025; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.