On 10/1/25 3:27 PM, Stuart Henderson wrote:
On 2025/10/01 12:47, Stuart Henderson wrote:On 2025/10/01 13:34, Renaud Allard wrote:On 10/1/25 1:23 PM, Stuart Henderson wrote:-CONFIGURE_ARGS = --disable-rpath +CONFIGURE_ARGS = --disable-rpath --enable-dnsseparate line for each CONFIGURE_ARGS entry pleaseI have done thatpcre dependency needs changing sniproxy-0.7.0(net/sniproxy): Missing lib: pcre2-8.0 (/usr/local/sbin/sniproxy) (NOT REACHABLE) Extra: pcre.3It seems that if you build on a system with both pcre and pcre2 installed, it does this. LIB_DEPENDS lists pcre, not pcre2. How can I restrict it to pcre and not pcre2?You can't do this via the port. You will either have to patch or pass the relevant info to autoconf. devel/pcre is EoL anyway though. "The older, but still widely deployed PCRE library, originally released in 1997, is at version 8.45. This version of PCRE is now at end of life, and is no longer being actively maintained. Version 8.45 is expected to be the final release of the older PCRE library, and new projects should use PCRE2 instead. However, it's still found in various legacy systems and some platforms, including certain services that continue to use the original PCRE for compatibility reasons."also noticed, there isn't really much difference between your fork and the original upstream developer's version, especially if we ignore the non-OpenBSD-related change (IP_TRANSPARENT).. it would feel a bit better to me if it used the original but with the changes required for OpenBSD added in port patches instead...
Yes, it used to be a little bit more different, but the original version has now merged most of the changes, except OpenBSD related ones.
diff -wur dlundquist-sniproxy-0.7.0/ChangeLog renaud-sniproxy-0.7.0/ChangeLog --- dlundquist-sniproxy-0.7.0/ChangeLog 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/ChangeLog 2025-09-25 10:50:11.000000000 +0100 @@ -1,20 +1,58 @@ -2025-09-04 Dustin Lundquist <[email protected]> +2025-09-04 Renaud Allard <[email protected]> 0.7.0 Release- * Deprecate project* Cleanup autoconf * Require autoconf 2.71 * Require explicit --enable-dns for DNS resolution functionality - * Add support for libpcre2 as an alternative to the older libpcre3 * Relax HTTP header parsing to accept CRLF or plain LF * Fix missing stdlib.h include * Fix various warnings reported by gcc 14 and clang 19 compilers-2023-03-16 Dustin Lundquist <[email protected]>- 0.6.1 Release +2023-01-31 Renaud Allard <[email protected]> + 0.6.8 Release* Fix buffer overflow in address module- * Fix tests + * Fix tests in Debian 11 + +2023-01-31 Renaud Allard <[email protected]> + 0.6.7 Release + + * Fix a warning with clang15 and update old functions + +2023-01-30 Renaud Allard <[email protected]> + 0.6.6 Release + + * Make proper error codes for unveil + +2021-03-11 Renaud Allard <[email protected]> + 0.6.5 Release + + * Add cpath and unix to plegde call for OpenBSD + * Add unveil protections for OpenBSD + * Remove -Wpedantic as it fails on OpenBSD base-gcc + +2021-03-01 Renaud Allard <[email protected]> + 0.6.4 Release + + * Add wpath and unix to plegde call for OpenBSD + * fix ipv6 transparent proxy + +2021-02-24 Renaud Allard <[email protected]> + 0.6.3 Release + + * Accept CRLF and LF in HTTP headers, fix buffer overflow error. + * Add plegde call for OpenBSD + +2021-02-20 Renaud Allard <[email protected]> + 0.6.2 Release + + * Change the default user/group + +2021-02-20 Renaud Allard <[email protected]> + 0.6.1 Release + + * Fixes for some security issues + * Fix for compilation with modern compilers2018-12-05 Dustin Lundquist <[email protected]>0.6.0 Release diff -wur dlundquist-sniproxy-0.7.0/README renaud-sniproxy-0.7.0/README --- dlundquist-sniproxy-0.7.0/README 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/README 2025-09-25 10:50:11.000000000 +0100 @@ -166,3 +166,12 @@ UDNS uses a single UDP socket for all queries, so it is recommended you use a local caching DNS resolver (with a single socket each DNS query is protected by spoofing by a single 16 bit query ID, which makes it relatively easy to spoof). + + +OpenBSD specific behaviour +-------------------------- + +On OpenBSD, sniproxy is protected by pledge(2) and unveil(2). +Therefore, the configuration file must be /etc/sniproxy.conf, unix sockets +must be in /var/www/sockets and logs must be in /var/log. Also, sniproxy PID +file must be /var/run/sniproxy.pid diff -wur dlundquist-sniproxy-0.7.0/README.md renaud-sniproxy-0.7.0/README.md --- dlundquist-sniproxy-0.7.0/README.md 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/README.md 2025-09-25 10:50:11.000000000 +0100 @@ -166,3 +166,12 @@ UDNS uses a single UDP socket for all queries, so it is recommended you use a local caching DNS resolver (with a single socket each DNS query is protected by spoofing by a single 16 bit query ID, which makes it relatively easy to spoof). + + +OpenBSD specific behaviour +-------------------------- + +On OpenBSD, sniproxy is protected by pledge(2) and unveil(2). +Therefore, the configuration file must be /etc/sniproxy.conf, unix sockets +must be in /var/www/sockets and logs must be in /var/log. Also, sniproxy PID +file must be /var/run/sniproxy.pid diff -wur dlundquist-sniproxy-0.7.0/configure.ac renaud-sniproxy-0.7.0/configure.ac --- dlundquist-sniproxy-0.7.0/configure.ac 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/configure.ac 2025-09-25 10:50:11.000000000 +0100 @@ -3,6 +3,8 @@AC_PREREQ([2.71])AC_INIT([sniproxy],[0.7.0]) +AC_CONFIG_SRCDIR([src/sniproxy.c]) +AC_CONFIG_MACRO_DIR([m4]) AM_INIT_AUTOMAKE([subdir-objects]) AM_SILENT_RULES([yes]) AC_USE_SYSTEM_EXTENSIONS diff -wur dlundquist-sniproxy-0.7.0/debian/changelog renaud-sniproxy-0.7.0/debian/changelog --- dlundquist-sniproxy-0.7.0/debian/changelog 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/debian/changelog 2025-09-25 10:50:11.000000000 +0100 @@ -9,14 +9,55 @@ * Fix missing stdlib.h include * Fix various warnings reported by gcc 14 and clang 19 compilers- -- Dustin Lundquist <[email protected]> Thu, 04 Sep 2025 16:37:25 -0700+ -- Renaud Allard <[email protected]> Thu, 25 Sep 2025 11:48:00 +0200-sniproxy (0.6.1) unstable; urgency=high+sniproxy (0.6.8) unstable; urgency=high* Fix buffer overflow in address module- * Fix tests + * Fix tests in Debian 11- -- Dustin Lundquist <[email protected]> Thu, 16 Mar 2023 21:53:48 -0700+sniproxy (0.6.7) unstable; urgency=low + + * Fix a warning with clang15 and update old functions + +sniproxy (0.6.6) unstable; urgency=low + + * Print proper unveil errors (no influence for linux) + +sniproxy (0.6.5) unstable; urgency=medium + + * Add cpath and unix to plegde call for OpenBSD + * Add unveil protections for OpenBSD + * Remove -Wpedantic as it fails on OpenBSD base-gcc + + -- Renaud Allard <[email protected]> Wed, 11 Mar 2021 12:00:00 +0200 + +sniproxy (0.6.4) unstable; urgency=medium + + * Add wpath and unix to plegde call for OpenBSD + * fix ipv6 transparent proxy + + -- Renaud Allard <[email protected]> Wed, 01 Mar 2021 14:10:00 +0200 + +sniproxy (0.6.3) unstable; urgency=medium + + * Accept CRLF and LF in HTTP headers, fix buffer overflow error. + * Add plegde call for OpenBSD + + -- Renaud Allard <[email protected]> Wed, 24 Feb 2021 13:50:00 +0200 + +sniproxy (0.6.2) unstable; urgency=medium + + * Change the default user/group + + -- Renaud Allard <[email protected]> Sat, 22 Feb 2021 09:00:00 +0200 + +sniproxy (0.6.1) unstable; urgency=medium + + * Fixes for some security issues + * Fix for compilation with modern compilers + + -- Renaud Allard <[email protected]> Sat, 22 Feb 2021 09:00:00 +0200sniproxy (0.6.0) unstable; urgency=medium diff -wur dlundquist-sniproxy-0.7.0/redhat/sniproxy.spec renaud-sniproxy-0.7.0/redhat/sniproxy.spec--- dlundquist-sniproxy-0.7.0/redhat/sniproxy.spec 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/redhat/sniproxy.spec 2025-09-25 10:50:11.000000000 +0100 @@ -5,7 +5,7 @@Group: System Environment/DaemonsLicense: BSD -URL: https://github.com/dlundquist/sniproxy +URL: https://github.com/renaudallard/sniproxy Source0: %{name}-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)@@ -43,22 +43,41 @@%{_mandir}/man8/sniproxy.8.gz %{_mandir}/man5/sniproxy.conf.5.gz-- %changelog -* Thu Sep 4 2024 Dustin Lundquist <[email protected]> 0.7.0-1 -- Deprecate project +* Thu Sep 25 2025 Renaud Allard <[email protected]> 0.7.0 - Cleanup autoconf - Require autoconf 2.71 - Require explicit --enable-dns for DNS resolution functionality -- Add support for libpcre2 as an alternative to the older libpcre3 - Relax HTTP header parsing to accept CRLF or plain LF - Fix missing stdlib.h include - Fix various warnings reported by gcc 14 and clang 19 compilers-* Thu Mar 16 2023 Dustin Lundquist <[email protected]> 0.6.1-1+* Tue, 31 Jan 2023 Renaud Allard <[email protected]> 0.6.8 - Fix buffer overflow in address module -- Fix tests +- Fix tests in Debian 11 +* Tue, 31 Jan 2023 Renaud Allard <[email protected]> 0.6.7 +- Fix a warning with clang15 and update old functions +* Mon, 30 Jan 2023 Renaud Allard <[email protected]> 0.6.6 +- Print proper unveil errors (no influence for linux) +* Mon, 11 Mar 2021 Renaud Allard <[email protected]> 0.6.5 +- Add cpath and unix to plegde call for OpenBSD +- Add unveil protections for OpenBSD +- Remove -Wpedantic as it fails on OpenBSD base-gcc + +* Mon, 01 Mar 2021 Renaud Allard <[email protected]> 0.6.4 +- Add wpath and unix to plegde call for OpenBSD +- fix ipv6 transparent proxy + +* Wed, 24 Feb 2021 Renaud Allard <[email protected]> 0.6.3 +- Accept CRLF and LF in HTTP headers, fix buffer overflow error +- Add plegde call for OpenBSD + +* Sat 22 Feb 2021 Renaud Allard <[email protected]> 0.6.2 +- Change the default user/group + +* Sat 22 Feb 2021 Renaud Allard <[email protected]> 0.6.1 +- Fixes for some security issues +- Fix for compilation with modern compilers* Wed Dec 5 2018 Dustin Lundquist <[email protected]> 0.6.0-1- PROXY v1 protocol support diff -wur dlundquist-sniproxy-0.7.0/sniproxy.conf renaud-sniproxy-0.7.0/sniproxy.conf --- dlundquist-sniproxy-0.7.0/sniproxy.conf 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/sniproxy.conf 2025-09-25 10:50:11.000000000 +0100 @@ -2,8 +2,8 @@ # lines that start with # are comments # lines with only white space are ignored-user nobody-group nogroup +user _sniproxy +group _sniproxy# PID file, needs to be placed in directory writable by userpidfile /var/run/sniproxy.pid @@ -47,7 +47,7 @@ # Global access log for all listeners access_log { # Same options as error_log - filename /tmp/sniproxy-access.log + filename /var/log/sniproxy-access.log }# blocks are delimited with {...}diff -wur dlundquist-sniproxy-0.7.0/src/Makefile.am renaud-sniproxy-0.7.0/src/Makefile.am --- dlundquist-sniproxy-0.7.0/src/Makefile.am 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/src/Makefile.am 2025-09-25 10:50:11.000000000 +0100 @@ -1,4 +1,5 @@ -AM_CFLAGS = -fno-strict-aliasing -Wall -Wextra -Wpedantic -Wwrite-strings +AM_CPPFLAGS = $(LIBEV_CFLAGS) $(LIBPCRE_CFLAGS) $(LIBUDNS_CFLAGS) +AM_CFLAGS = -fno-strict-aliasing -Wall -Wextra -Wwrite-stringssbin_PROGRAMS = sniproxy diff -wur dlundquist-sniproxy-0.7.0/src/cfg_tokenizer.c renaud-sniproxy-0.7.0/src/cfg_tokenizer.c--- dlundquist-sniproxy-0.7.0/src/cfg_tokenizer.c 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/src/cfg_tokenizer.c 2025-09-25 10:50:11.000000000 +0100 @@ -62,7 +62,7 @@ default: /* Rewind one byte, so next_word() can fetch from * the beginning of the word */ - fseek(config, -1, SEEK_CUR); + fseeko(config, -1, SEEK_CUR);token_len = next_word(config, buffer, buffer_len);if (token_len <= 0) @@ -116,7 +116,7 @@ if (quoted == 0) { /* rewind the file one character, so we don't eat * part of the next token */ - fseek(file, -1, SEEK_CUR); + fseeko(file, -1, SEEK_CUR);buffer[len] = '\0';len++; diff -wur dlundquist-sniproxy-0.7.0/src/config.c renaud-sniproxy-0.7.0/src/config.c --- dlundquist-sniproxy-0.7.0/src/config.c 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/src/config.c 2025-09-25 10:50:11.000000000 +0100 @@ -238,13 +238,13 @@ }if (parse_config(config, file, global_grammar) <= 0) {- intmax_t whence = ftell(file); + off_t whence = ftello(file); char line[256];- err("error parsing %s at %jd near:", filename, whence);- fseek(file, -20, SEEK_CUR); + err("error parsing %s at %jd near:", filename, (intmax_t)whence); + fseeko(file, -20, SEEK_CUR); for (int i = 0; i < 5; i++) - err(" %jd\t%s", ftell(file), fgets(line, sizeof(line), file)); + err(" %jd\t%s", (intmax_t)ftello(file), fgets(line, sizeof(line), file));free_config(config, loop);config = NULL; diff -wur dlundquist-sniproxy-0.7.0/src/connection.c renaud-sniproxy-0.7.0/src/connection.c --- dlundquist-sniproxy-0.7.0/src/connection.c 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/src/connection.c 2025-09-25 10:50:11.000000000 +0100 @@ -635,8 +635,45 @@ if (con->listener->transparent_proxy && con->client.addr.ss_family == con->server.addr.ss_family) { #ifdef IP_TRANSPARENT + int result; + /* Make an IPv6 socket if necessary and purge ::ffff: from the v6-mapped address + * We need to take out the ffff because otherwise it'll be IPv4 on the wire. + * The result is a connection from IPv6 address ::<ipv4>, + * The return traffic can be marked with nftables in ip6 mangle PREROUTING: + * socket transparent 1 mark set 0x1 + * and then routed to sniproxy using a separate routing table (e.g table 100): + * ip -6 rule add fwmark 0x1 lookup 100 + * ip -6 route add local ::/96 dev lo table 100 + */ + struct in6_addr *saddr = &((struct sockaddr_in6 *)&con->client.addr)->sin6_addr; + if (con->client.addr.ss_family == AF_INET6 && + con->server.addr.ss_family == AF_INET6) + if (saddr->s6_addr[0] == 0 && + saddr->s6_addr[1] == 0 && + saddr->s6_addr[2] == 0 && + saddr->s6_addr[3] == 0 && + saddr->s6_addr[4] == 0 && + saddr->s6_addr[5] == 0 && + saddr->s6_addr[6] == 0 && + saddr->s6_addr[7] == 0 && + saddr->s6_addr[8] == 0 && + saddr->s6_addr[9] == 0 && + saddr->s6_addr[10] == 0xff && + saddr->s6_addr[11] == 0xff) { + + /* Turn (e.g.) IPv4 ::ffff:192.0.2.1 into IPv6 ::192.0.2.1 */ + saddr->s6_addr[10] = 0; + saddr->s6_addr[11] = 0; + } + + /* We want an IPv6 transparent socket */ int on = 1; - int result = setsockopt(sockfd, SOL_IP, IP_TRANSPARENT, &on, sizeof(on)); + result = setsockopt(sockfd, SOL_IPV6, IPV6_TRANSPARENT, &on, sizeof(on)); + } else { + /* We want an IPv4 transparent socket */ + int on = 1; + result = setsockopt(sockfd, SOL_IP, IP_TRANSPARENT, &on, sizeof(on)); + } #else int result = -EPERM; /* XXX error: not implemented would be better, but this shouldn't be @@ -812,13 +849,13 @@ con->query_handle = NULL; con->use_proxy_header = 0;- con->client.buffer = new_buffer(4096, loop);+ con->client.buffer = new_buffer(16384, loop); if (con->client.buffer == NULL) { free_connection(con); return NULL; }- con->server.buffer = new_buffer(4096, loop);+ con->server.buffer = new_buffer(16384, loop); if (con->server.buffer == NULL) { free_connection(con); return NULL; diff -wur dlundquist-sniproxy-0.7.0/src/sniproxy.c renaud-sniproxy-0.7.0/src/sniproxy.c --- dlundquist-sniproxy-0.7.0/src/sniproxy.c 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/src/sniproxy.c 2025-09-25 10:50:11.000000000 +0100 @@ -71,6 +71,35 @@ rlim_t max_nofiles = 65536; int opt;+ #ifdef __OpenBSD__+ if (unveil("/etc/sniproxy.conf", "r") != 0) { + perror("unveil /etc/sniproxy.conf"); + exit(1); + } + if (unveil("/var/run/sniproxy.pid", "rwc") != 0) { + perror("unveil /var/run/sniproxy.pid"); + exit(1); + } + if (unveil("/var/log", "rwc") != 0) { + perror("unveil /var/log"); + exit(1); + } + if (unveil("/var/www/sockets", "rw") != 0) { + perror("unveil /var/www/sockets"); + exit(1); + } + if (unveil(NULL, NULL) != 0) { + perror("unveil"); + exit(1); + } + + if (pledge("stdio getpw inet dns rpath proc id" + " wpath cpath unix", NULL) == -1) { + fprintf(stderr, "%s: pledge: %s\n", argv[0], strerror(errno)); + exit(1); + } + #endif + while ((opt = getopt(argc, argv, "fc:n:V")) != -1) { switch (opt) { case 'c': diff -wur dlundquist-sniproxy-0.7.0/src/tls.c renaud-sniproxy-0.7.0/src/tls.c --- dlundquist-sniproxy-0.7.0/src/tls.c 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/src/tls.c 2025-09-25 10:50:11.000000000 +0100 @@ -201,7 +201,7 @@ /* Check if it's a server name extension */ if (data[pos] == 0x00 && data[pos + 1] == 0x00) { /* There can be only one extension of each type, so we break - our state and move p to beinnging of the extension here */ + our state and move p to beginning of the extension here */ if (pos + 4 + len > data_len) return -5; return parse_server_name_extension(data + pos + 4, len, hostname); diff -wur dlundquist-sniproxy-0.7.0/tests/bad_dns_request_test renaud-sniproxy-0.7.0/tests/bad_dns_request_test --- dlundquist-sniproxy-0.7.0/tests/bad_dns_request_test 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/tests/bad_dns_request_test 2025-09-25 10:50:11.000000000 +0100 @@ -60,7 +60,7 @@ $socket->send($request);my $buffer;- $socket->recv($buffer, 4096); + $socket->recv($buffer, 16388);$socket->close(); diff -wur dlundquist-sniproxy-0.7.0/tests/bad_request_test renaud-sniproxy-0.7.0/tests/bad_request_test--- dlundquist-sniproxy-0.7.0/tests/bad_request_test 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/tests/bad_request_test 2025-09-25 10:50:11.000000000 +0100 @@ -282,7 +282,7 @@ $socket->send($request);my $buffer;- $socket->recv($buffer, 4096); + $socket->recv($buffer, 16384);$socket->close(); diff -wur dlundquist-sniproxy-0.7.0/tests/buffer_test.c renaud-sniproxy-0.7.0/tests/buffer_test.c--- dlundquist-sniproxy-0.7.0/tests/buffer_test.c 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/tests/buffer_test.c 2025-09-25 10:50:11.000000000 +0100 @@ -127,7 +127,7 @@ struct Buffer *buffer; int read_fd, write_fd;- buffer = new_buffer(4096, EV_DEFAULT);+ buffer = new_buffer(16384, EV_DEFAULT);read_fd = open("/dev/zero", O_RDONLY);if (read_fd < 0) { @@ -155,7 +155,7 @@ char output[sizeof(input)]; int len;- buffer = new_buffer(4096, EV_DEFAULT);+ buffer = new_buffer(16384, EV_DEFAULT); len = buffer_push(buffer, input, sizeof(input)); assert(len == sizeof(input));diff -wur dlundquist-sniproxy-0.7.0/tests/connection_reset_test renaud-sniproxy-0.7.0/tests/connection_reset_test--- dlundquist-sniproxy-0.7.0/tests/connection_reset_test 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/tests/connection_reset_test 2025-09-25 10:50:11.000000000 +0100 @@ -42,8 +42,8 @@ "\r\n");# Send a bunch of data (more that will be buffered by the kernel- for (my $i = 0; $i < 4096; $i++) { - $client->send('x' x 4096); + for (my $i = 0; $i < 16384; $i++) { + $client->send('x' x 16384); } $client->close(); exit; @@ -76,9 +76,9 @@ "\r\n");my $buffer;- $socket->recv($buffer, 4096); - $socket->recv($buffer, 4096); - $socket->recv($buffer, 4096); + $socket->recv($buffer, 16384); + $socket->recv($buffer, 16384); + $socket->recv($buffer, 16384);$socket->close(); diff -wur dlundquist-sniproxy-0.7.0/tests/fallback_test renaud-sniproxy-0.7.0/tests/fallback_test--- dlundquist-sniproxy-0.7.0/tests/fallback_test 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/tests/fallback_test 2025-09-25 10:50:11.000000000 +0100 @@ -56,7 +56,7 @@ $socket->send("GET /$path HTTP/1.0\r\n\r\n");my $buffer;- $socket->recv($buffer, 4096); + $socket->recv($buffer, 16384);$socket->close(); diff -wur dlundquist-sniproxy-0.7.0/tests/slow_client_test renaud-sniproxy-0.7.0/tests/slow_client_test--- dlundquist-sniproxy-0.7.0/tests/slow_client_test 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/tests/slow_client_test 2025-09-25 10:50:11.000000000 +0100 @@ -46,7 +46,7 @@ }my $buffer;- $socket->recv($buffer, 4096); + $socket->recv($buffer, 16384);$socket->close();
smime.p7s
Description: S/MIME Cryptographic Signature
