Closed Bug 1898832 Opened 1 year ago Closed 10 months ago

TB with external GnuPG may send corrupted signed+encrypted messages, for example if GnuPG is configured to use "armor" by default

Categories

(MailNews Core :: Security: OpenPGP, defect, P1)

Product:
MailNews Core
Component:
Security: OpenPGP
Version:
Thunderbird 115
Type:
defect

Tracking

(thunderbird_esr115 fixed, thunderbird_esr128 fixed, thunderbird128 affected, thunderbird129 fixed)

Status:
RESOLVED FIXED
Milestone:
129 Branch
Tracking Flags:
Tracking Status
thunderbird_esr115 --- fixed
thunderbird_esr128 --- fixed
thunderbird128 --- affected
thunderbird129 --- fixed

People

(Reporter: KaiE, Assigned: KaiE)

References

(Regression)

Details

(Keywords: regression)

Attachments

(4 files, 2 obsolete files)

Bug 1898832 - With external GnuPG config, never use inner ASCII armor for signature, and fall back to GPGME decoding when seeing BAD_FORMAT error. r=mkmelin [already in tb-128]
48 bytes, text/x-phabricator-request
corey
: approval-comm-beta+
Details | Review
1898832-backport-esr115.patch
2.72 KB, patch
corey
: approval-comm-esr115+
Details | Diff | Splinter Review
Bug 1898832 - Convert GPGME signing output from ASCII armor to binary, if necessary. r=mkmelin
48 bytes, text/x-phabricator-request
corey
: approval-comm-beta+
wsmwk
: approval-comm-esr128+
Details | Review
1898832-part2-version2-backport-esr115.patch
4.83 KB, patch
corey
: approval-comm-esr115+
Details | Diff | Splinter Review

Using TB 115.x
External GnuPG allowed, and account configured to use a personal key that is externally managed by GnuPG.
Sending an email that is both signed and encrypted.

For some users, this always creates corrupted messages.
Corrupted means: The copy stored in the Sent folder cannot be processed by Thunderbird.
Other OpenPGP software fails to process it, too.

On my system, with the equivalent configuration, I get good messages.

I have been given test messages and I have a theory what happens.

In the given scenario, we call GPGME to create a signed message, and then we use a RNP API to create the encrypted message.

In the broken test messages I've been given:
With gpg --decrypt or --list-packets, it beings to decrypt, but then reports a series of invalid packets.
Looking carefully at the packet identifiers, I see that the packet versions match the ASCII codes of the string ---- BEGIN PGP MESSAGE

Using gpg --unwrap I get an ASCII armored message that gpg can successfully decode and verify.

So apparently, Thunderbird (sometimes) obtains an ASCII armored message when asking GPGME to create a signed message (gpgme_op_sign).

I believe the reason for the unpredictable behavior is that a difference in behavior between GPGME versions. I recall having seen that in the past. I suspect some versions may default to generating armored, other versions might generate binary signed messages.

This would explain why I cannot reproduce the generation of the corrupted messages on my system, assuming that I have a version that produces binary messages by default, while on the system that produces the corrupted messages, a GPGME version is used that produces armored messages by default.

(It is a theory that it depends on the GPGME version. Maybe there are other factors that influence the behavior.)

In Thunderbird, when using GPGME, we currently don't call gpgme_set_armor to explicitly disable armoring.
I can produce the seen corrupted format when calling gpgme_set_armor(ctx, 1);

It seems the issue could be fixed by always calling gpgme_set_armor(ctx, 0); in this scenario.

While the above already suggests a fix, I'd like to describe another surprising effect, which makes it confusing to reproduce and test the issue with Thunderbird.

On my system, if Thunderbird HAS an internal copy of the related secret key, then RNP's initial attempt to decrypt the message will result in error code BAD_FORMAT. When TB sees this code, it stops processing, and shows the broken padlock error icon. I'm guessing, if RNP has the secret key available, it starts by decrypting, but then is surprised by the inner armored data, and fails to process it, and returns the error.

However, if Thunderbird does NOT have an internal copy of the related secret key, then RNP's processing will complain that it cannot decrypt, and in that scenario, we currently route the message to GPGME, which can decrypt the message. In this scenario, I see that Thunderbird will continue to process the message and display it.

So in order to be able to process past broken messages, it might be useful to fall back to GPGME also when seeing the BAD_FORMAT error when trying to decrypt. I'm not sure we should always do that, because in the past, when trying a similar approach in bug 1679768, we saw some regressions when handling the BAD_FORMAT error in this way.

Attached patch 1898832-backport-esr115.patch (obsolete) — Splinter Review
Assignee: nobody → kaie
Attachment #9403917 - Attachment is obsolete: true
Attachment #9403916 - Attachment description: WIP: Bug 1898832 - With external GnuPG config, never use inner ASCII armor for signature, and fall back to GPGME decoding when seeing BAD_FORMAT error. → Bug 1898832 - With external GnuPG config, never use inner ASCII armor for signature, and fall back to GPGME decoding when seeing BAD_FORMAT error. r=mkmelin
Keywords: checkin-needed-tb

Pushed by kaie@kuix.de:
https://hg.mozilla.org/comm-central/rev/a743748c3628
With external GnuPG config, never use inner ASCII armor for signature, and fall back to GPGME decoding when seeing BAD_FORMAT error. r=mkmelin

Status: NEW → RESOLVED
Closed: 11 months ago
Keywords: checkin-needed-tb
Resolution: --- → FIXED
Target Milestone: --- → 129 Branch

Comment on attachment 9403916 [details]
Bug 1898832 - With external GnuPG config, never use inner ASCII armor for signature, and fall back to GPGME decoding when seeing BAD_FORMAT error. r=mkmelin [already in tb-128]

[Approval Request Comment]
Regression caused by (bug #): no
User impact if declined: some users of optional gnupg configuration may send corrupted messages, or may have received corrupted messages
Testing completed (on c-c, etc.): only manually, because I couldn't reproduce the bug
Risk to taking this patch (and alternatives if risky): very low, the patch tries to explicitly avoid the specific corruption by explicitly requesting a specific gnupg mode (which was previously only assumed implicitly, and which some configurations might not have used), and the change is restricted to users who have deliberately enabled the external gnupg configuration

Attachment #9403916 - Flags: approval-comm-beta?

Comment on attachment 9403916 [details]
Bug 1898832 - With external GnuPG config, never use inner ASCII armor for signature, and fall back to GPGME decoding when seeing BAD_FORMAT error. r=mkmelin [already in tb-128]

[Triage Comment]
Approved for beta

Attachment #9403916 - Flags: approval-comm-beta? → approval-comm-beta+

Because the issue isn't fixed yet, and I have a new idea, and because we're still in the same release cycle, I'm reopening this bug.

Status: RESOLVED → REOPENED
Resolution: FIXED → ---

So despite the earlier patch to explicitly request binary output, people still claim we have this bug.
And the only reason for the bug (that I can think of) is that GnuPG still returns us ASCII armored data in some circumstances.

I have a patch that will add more defensive logic.
Let's check the data that we receive from GPGME signing, and if it's ASCII armored, then decode it, prior to processing it further.

(In reply to Kai Engert (:KaiE:) from comment #10)

So despite the earlier patch to explicitly request binary output, people still claim we have this bug.
And the only reason for the bug (that I can think of) is that GnuPG still returns us ASCII armored data in some circumstances.

I have a patch that will add more defensive logic.
Let's check the data that we receive from GPGME signing, and if it's ASCII armored, then decode it, prior to processing it further.

I believe in my case setting the armor keyword in gpg.conf took precedence. Unsure why gpg ignores explicit instructions, but it would make sense to account for this. I'm running TBv115.12.0 (64-bit).

Thanks for confirming.

This means the additional proposed patch should fix the issue.

Attachment #9410215 - Attachment description: WIP: Bug 1898832 - Convert GPGME signing output from ASCII armor to binary, if necessary. → Bug 1898832 - Convert GPGME signing output from ASCII armor to binary, if necessary. r=mkmelin
Attachment #9410215 - Attachment description: WIP: Bug 1898832 - Convert GPGME signing output from ASCII armor to binary, if necessary. → Bug 1898832 - Convert GPGME signing output from ASCII armor to binary, if necessary. r=mkmelin

(In reply to Kai Engert (:KaiE:) from comment #14)

This means the additional proposed patch should fix the issue.

Confirmed also using the 115 test build by the original reporter of this issue.

Magnus, can you please review the additional patch?

Flags: needinfo?(mkmelin+mozilla)
status-thunderbird129: --- → affected

We're getting reports of this issue repeatedly. Also bug 1906903.

While we have a fix in hand to avoid creating this broken encoding, we might unfortunately have plenty of emails out there are people have already received and that are unreadable.

The workaround for decrypting, which I had added with the first patch from this bug, only works if the recipient has external GnuPG configured. This doesn't help the majority of Thunderbird users, who are not using GnuPG themselves, but who received an encrypted message from another Thunderbird+GnuPG user.

Severity: -- → S2
Priority: -- → P1

Because of comment 18, I think it's a high priority to try to implement a way to process this broken encoding with our internal RNP engine.

Flags: needinfo?(mkmelin+mozilla)
Keywords: checkin-needed-tb

Pushed by mkmelin@iki.fi:
https://hg.mozilla.org/comm-central/rev/163c80476e09
Convert GPGME signing output from ASCII armor to binary, if necessary. r=mkmelin

Status: REOPENED → RESOLVED
Closed: 11 months ago10 months ago
Keywords: checkin-needed-tb
Resolution: --- → FIXED

(In reply to Kai Engert (:KaiE:) from comment #19)

Because of comment 18, I think it's a high priority to try to implement a way to process this broken encoding with our internal RNP engine.

I've been thinking about this more, and also made experiments.

I found no way to use RNP code as is to process these corrupted (badly encoded) messages.
Processing them would require modifications to the RNP code, and I think a mistake made at the Thunderbird code level cannot justify an RNP change to process badly, nonstandard-encoded data.

However, I'm able to process the bad messages using GnuPG, because it offers an "unwrap" API, and I have a working patch for that.

I think it can be argued, that offering a repair with GnuPG is useful and sufficient. Users who used the TB+GnuPG configuration will have broken messages in their Sent folder. Potentially, this might be the only place where those users have recorded the information that was sent out. Offering those affected users a way to access that data is useful.

However, for everyone else, who has received such messages, it seems acceptable to simply reject (and not be able to decrypt) those messages. The sender has produced bad data, and the recipients shouldn't be obliged to handle them. The recipient can immediately complain to the sender about the inability to decrypt. And future versions of Thunderbird will no longer produce such messages.

If there are recipients who really need to access the received broken messages, there is a manual workaround available. The message can be saved to disk, and then the user shall use the "gpg --unwrap" command and save the result to a file. Afterwards, the user can use "gpg --decrypt > msg.eml" to decode the message. The file msg.eml can then be opened with Thunderbird and viewed, allowing to view complex MIME message with their attachments and formatting.

So, I'll attach an additional patch, which allows TB+GnuPG users to decrypt those broken messages.
I'll do that in a separate bug.

Comment on attachment 9410747 [details] [diff] [review]
1898832-part2-backport-esr115.patch

I'll have to create an updated backported patch for 115.

Attachment #9410747 - Attachment is obsolete: true

Comment on attachment 9410215 [details]
Bug 1898832 - Convert GPGME signing output from ASCII armor to binary, if necessary. r=mkmelin

[Approval Request Comment]
Regression caused by (bug #): 1688863
User impact if declined: users of external gnupg may produce corrupted email messages that recipients cannot open
Testing completed (on c-c, etc.):
Risk to taking this patch (and alternatives if risky): low, risk is limited to users of a non-standard configuration

Attachment #9410215 - Flags: approval-comm-beta?

BTW, this bug was introduced in bug 1688863 in version 115.

Keywords: regression
Regressed by: 1688863
See Also: → 1906903
Summary: TB with external GnuPG may send corrupted signed+encrypted messages → TB with external GnuPG may send corrupted signed+encrypted messages if GnuPG is configured to use "armor" by default
Summary: TB with external GnuPG may send corrupted signed+encrypted messages if GnuPG is configured to use "armor" by default → TB with external GnuPG may send corrupted signed+encrypted messages if GnuPG, for example if it is configured to use "armor" by default
Summary: TB with external GnuPG may send corrupted signed+encrypted messages if GnuPG, for example if it is configured to use "armor" by default → TB with external GnuPG may send corrupted signed+encrypted messages, for example if GnuPG is configured to use "armor" by default

Comment on attachment 9410215 [details]
Bug 1898832 - Convert GPGME signing output from ASCII armor to binary, if necessary. r=mkmelin

[Triage Comment]
Approved for beta
Note: There are two patches for this bug and the former was picked up in 128.0b3.

Attachment #9410215 - Flags: approval-comm-beta? → approval-comm-beta+

Daniel, Rob, can you please keep this bug on your radar?
We'll eventually want to uplift this bug to esr128, which already have the first patch.

Your automated lists might not show this bug, even when it gets an approval for esr128.

Flags: needinfo?(daniel)
Flags: needinfo?(rob)

Update version of second patch, backported to esr115

It would be good if we used a shortened test period.
I'd like to see this pushed out to 128.x soon, to avoid that more bad emails are produced.

Shortly after 128.x is out with that fix, I'd appreciate shipping in 115.

Given that this change is limited to users of the nonstandard gnupg configuration, I think the risk of a shorter test period is acceptable.

Flags: needinfo?(corey)

While bug 1906903 is less urgent, it would be confusing if we delivered the fixes at different times.
I'd suggest to ship both at the same time.

It sounds reasonable to me to pick this up in 128 soon and 115 after.

Kai, do you want to add the corresponding uplift flags and details?

Flags: needinfo?(corey)
Flags: needinfo?(corey)
Attachment #9403916 - Attachment description: Bug 1898832 - With external GnuPG config, never use inner ASCII armor for signature, and fall back to GPGME decoding when seeing BAD_FORMAT error. r=mkmelin → Bug 1898832 - With external GnuPG config, never use inner ASCII armor for signature, and fall back to GPGME decoding when seeing BAD_FORMAT error. r=mkmelin [already in tb-128]

Comment on attachment 9410215 [details]
Bug 1898832 - Convert GPGME signing output from ASCII armor to binary, if necessary. r=mkmelin

[Approval Request Comment]
Regression caused by (bug #): 1688863
User impact if declined: users of external gnupg may produce corrupted email messages that recipients cannot open
Testing completed (on c-c, etc.):
Risk to taking this patch (and alternatives if risky): low, risk is limited to users of a non-standard configuration

Attachment #9410215 - Flags: approval-comm-esr128?
Attachment #9403944 - Flags: approval-comm-esr115?
Attachment #9414194 - Flags: approval-comm-esr115?

Comment on attachment 9410215 [details]
Bug 1898832 - Convert GPGME signing output from ASCII armor to binary, if necessary. r=mkmelin

[Triage Comment]
Approved for esr128

Attachment #9410215 - Flags: approval-comm-esr128? → approval-comm-esr128+
Flags: needinfo?(rob)
Flags: needinfo?(daniel)

Kai, is the README.md update needed in 1898832-backport-esr115.patch?

Flags: needinfo?(corey) → needinfo?(kaie)

(In reply to Corey Bryant from comment #35)

Kai, is the README.md update needed in 1898832-backport-esr115.patch?

no sorry, please remove.

I had added this when I needed to force a rebuild on treeherder

Flags: needinfo?(kaie)

Comment on attachment 9403944 [details] [diff] [review]
1898832-backport-esr115.patch

[Triage Comment]
Approved for esr115

Rob, There are 2 patches here. And can you revert the README.md change when you uplift? Thanks!

Attachment #9403944 - Flags: approval-comm-esr115? → approval-comm-esr115+

Comment on attachment 9414194 [details] [diff] [review]
1898832-part2-version2-backport-esr115.patch

[Triage Comment]
Approved for esr115

Attachment #9414194 - Flags: approval-comm-esr115? → approval-comm-esr115+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: