FS#68335 - [opensmtpd] smtlctl encrypt does not properly encrypt passwords

Attached to Project: Community Packages
Opened by Duy Truong (jimreynold2nd) - Monday, 19 October 2020, 16:45 GMT
Last edited by Bruno Pagani (ArchangeGabriel) - Sunday, 07 February 2021, 18:19 GMT
Task Type Bug Report
Category Upstream Bugs
Status Closed
Assigned To Lukas Fleischer (lfleischer)
Bruno Pagani (ArchangeGabriel)
Architecture x86_64
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
`smtpctl encrypt` has an upstream bug, where it encrypts the string "--" instead of whatever passwords given to it.
This seems to have been fixed in their github mirror (https://github.com/OpenSMTPD/OpenSMTPD), but not yet incorporated into a release on opensmtpd.org.
The patch to fix this (https://github.com/OpenSMTPD/OpenSMTPD/commit/0f8098518af277a62aa2658a0af7aa3fa5ac2120.patch) should probably be incorporated into Arch release until it is available in upstream release.

As of right now, creds file authentication will not work in Arch, and so are basic authentication setup instructions in https://wiki.archlinux.org/index.php/OpenSMTPD, which I imagine will confuse quite a bit of people.

Additional info:
* package version(s): 6.7.1p1-6
* config and/or log files etc.
* link to upstream bug report: https://github.com/OpenSMTPD/OpenSMTPD/issues/1069

Steps to reproduce:

Case 1: trying to use just `smtpctl encrypt` to enter password interactively:
1. run `smtpctl encrypt`
Expect: Password prompt
Actual: no prompt; smtpctl outputs a sha-512 encrypted password for the string "--".

Case 2: trying to encrypt a password as argument
1. run `smtpctl encrypt mypassword`
Expect: encrypted string for "mypassword" is printed out
Actual: encrypted string for "--" is printed out

Case 3: trying to encrypt a password from stdin
1. run `echo -n "mypassword" | smtpctl encrypt`
Expect: encrypted string for "mypassword" is printed out
Actual: encrypted string for "--" is printed out
This task depends upon

Closed by  Bruno Pagani (ArchangeGabriel)
Sunday, 07 February 2021, 18:19 GMT
Reason for closing:  Fixed
Additional comments about closing:  Upstream bug, fixed in 6.8 that we have been packaging for a while now.

Loading...