notmuch/util/crypto.h

#ifndef _CRYPTO_H
#define _CRYPTO_H

#include <stdbool.h>
#include "gmime-extra.h"
#include "notmuch.h"

#ifdef __cplusplus
extern "C" {
#endif

typedef struct _notmuch_crypto {
    bool verify;
    notmuch_decryption_policy_t decrypt;
} _notmuch_crypto_t;

GMimeObject *
_notmuch_crypto_decrypt (bool *attempted,
			 notmuch_decryption_policy_t decrypt,
			 notmuch_message_t *message,
			 GMimeMultipartEncrypted *part,
			 GMimeDecryptResult **decrypt_result,
			 GError **err);

void
_notmuch_crypto_cleanup (_notmuch_crypto_t *crypto);

/* The user probably wants to know if the entire message was in the
 * clear.  When replying, the MUA probably wants to know whether there
 * was any part decrypted in the message.  And when displaying to the
 * user, we probably only want to display "encrypted message" if the
 * entire message was covered by encryption. */
typedef enum {
    NOTMUCH_MESSAGE_DECRYPTED_NONE = 0,
    NOTMUCH_MESSAGE_DECRYPTED_PARTIAL,
    NOTMUCH_MESSAGE_DECRYPTED_FULL,
} _notmuch_message_decryption_status_t;

/* description of the cryptographic state of a given message overall;
 * for use by simple user agents.
 */
typedef struct _notmuch_message_crypto {
    /* encryption status: partial, full, none */
    _notmuch_message_decryption_status_t decryption_status;
    /* FIXME: can we show what key(s) a fully-encrypted message was
     * encrypted to? This data is not necessarily cryptographically
     * reliable; even when we decrypt, we might not know which public
     * key was used (e.g. if we're using a session key). */

    /* signature status of the whole message (either the whole message
     * is signed, or it is not) -- this means that partially-signed
     * messages will get no signature status. */
    GMimeSignatureList * sig_list;
    /* if part of the message was signed, and the MUA is clever, it
     * can determine on its own exactly which part and try to make
     * more sense of it. */

    /* mark this flag once we encounter a payload (i.e. something that
     * is not part of the cryptographic envelope) */
    bool payload_encountered;

    /* if both signed and encrypted, was the signature encrypted? */
    bool signature_encrypted;
} _notmuch_message_crypto_t;


/* _notmuch_message_crypto_t objects should be released with
 * talloc_free (), or they will be released along with their parent
 * context.
 */
_notmuch_message_crypto_t *
_notmuch_message_crypto_new (void *ctx);

/* call potential_sig_list during a depth-first-search on a message to
 * consider a particular signature as relevant for the message.
 */
notmuch_status_t
_notmuch_message_crypto_potential_sig_list (_notmuch_message_crypto_t *msg_crypto, GMimeSignatureList *sigs);

/* call successful_decryption during a depth-first-search on a message
 * to indicate that a part was successfully decrypted.
 */
notmuch_status_t
_notmuch_message_crypto_successful_decryption (_notmuch_message_crypto_t *msg_crypto);

/* call potential_payload during a depth-first-search on a message
 * when encountering a message part that is not part of the envelope.
 */
notmuch_status_t
_notmuch_message_crypto_potential_payload (_notmuch_message_crypto_t *msg_crypto, GMimeObject *payload, GMimeObject *parent, int childnum);


#ifdef __cplusplus
}
#endif
#endif
crypto: move into libnotmuch_util This prepares us for using the crypto object in both libnotmuch and the client. 2017-10-17 21:09:55 +02:00			`#ifndef _CRYPTO_H`
			`#define _CRYPTO_H`

			`#include <stdbool.h>`
			`#include "gmime-extra.h"`
crypto: make shared crypto code behave library-like If we're going to reuse the crypto code across both the library and the client, then it needs to report error states properly and not write to stderr. 2017-10-17 21:09:56 +02:00			`#include "notmuch.h"`
crypto: move into libnotmuch_util This prepares us for using the crypto object in both libnotmuch and the client. 2017-10-17 21:09:55 +02:00
util: make remaining headers includable from C++ libnotmuch_util.a is supposed to be usable from the library and the CLI, but much the library is compiled as C++. Add in appropriate wrapping to prevent symbol mangling. These wrappers already existed in string-util.h; it seems better to be consistent. 2019-03-02 21:26:06 +01:00			`#ifdef __cplusplus`
			`extern "C" {`
			`#endif`

crypto: move into libnotmuch_util This prepares us for using the crypto object in both libnotmuch and the client. 2017-10-17 21:09:55 +02:00			`typedef struct _notmuch_crypto {`
			`bool verify;`
lib: convert notmuch decryption policy to an enum Future patches in this series will introduce new policies; this merely readies the way for them. We also convert --try-decrypt to a keyword argument instead of a boolean. 2017-12-08 07:23:52 +01:00			`notmuch_decryption_policy_t decrypt;`
crypto: move into libnotmuch_util This prepares us for using the crypto object in both libnotmuch and the client. 2017-10-17 21:09:55 +02:00			`} _notmuch_crypto_t;`

crypto: add _notmuch_crypto_decrypt wrapper function We will use this centralized function to consolidate the awkward behavior around different gmime versions. It's only invoked from two places: mime-node.c's node_decrypt_and_verify() and lib/index.cc's _index_encrypted_mime_part(). However, those two places have some markedly distinct logic, so the interface for this _notmuch_crypto_decrypt function is going to get a little bit clunky. It's worthwhile, though, for the sake of keeping these #if directives reasonably well-contained. 2017-11-30 09:59:27 +01:00			`GMimeObject *`
crypto: record whether an actual decryption attempt happened In our consolidation of _notmuch_crypto_decrypt, the callers lost track a little bit of whether any actual decryption was attempted. Now that we have the more-subtle "auto" policy, it's possible that _notmuch_crypto_decrypt could be called without having any actual decryption take place. This change lets the callers be a little bit smarter about whether or not any decryption was actually attempted. 2017-12-08 07:23:58 +01:00			`_notmuch_crypto_decrypt (bool *attempted,`
			`notmuch_decryption_policy_t decrypt,`
crypto: new decryption policy "auto" This new automatic decryption policy should make it possible to decrypt messages that we have stashed session keys for, without incurring a call to the user's asymmetric keys. 2017-12-08 07:23:53 +01:00			`notmuch_message_t *message,`
crypto: add _notmuch_crypto_decrypt wrapper function We will use this centralized function to consolidate the awkward behavior around different gmime versions. It's only invoked from two places: mime-node.c's node_decrypt_and_verify() and lib/index.cc's _index_encrypted_mime_part(). However, those two places have some markedly distinct logic, so the interface for this _notmuch_crypto_decrypt function is going to get a little bit clunky. It's worthwhile, though, for the sake of keeping these #if directives reasonably well-contained. 2017-11-30 09:59:27 +01:00			`GMimeMultipartEncrypted *part,`
			`GMimeDecryptResult **decrypt_result,`
			`GError **err);`
crypto: move into libnotmuch_util This prepares us for using the crypto object in both libnotmuch and the client. 2017-10-17 21:09:55 +02:00
			`void`
			`_notmuch_crypto_cleanup (_notmuch_crypto_t *crypto);`

util/crypto: _notmuch_message_crypto: tracks message-wide crypto state E-mail encryption and signatures reported by notmuch are at the MIME part level. This makes sense in the dirty details, but for users we need to have a per-message conception of the cryptographic state of the e-mail. (see https://dkg.fifthhorseman.net/blog/e-mail-cryptography.html for more discussion of why this is important). The object created in this patch is a useful for tracking the cryptographic state of the underlying message as a whole, based on a depth-first search of the message's MIME structure. This object stores a signature list of the message, but we don't handle it yet. Further patches in this series will make use of the signature list. 2019-05-25 20:04:03 +02:00			`/* The user probably wants to know if the entire message was in the`
			`* clear. When replying, the MUA probably wants to know whether there`
			`* was any part decrypted in the message. And when displaying to the`
			`* user, we probably only want to display "encrypted message" if the`
			`* entire message was covered by encryption. */`
			`typedef enum {`
			`NOTMUCH_MESSAGE_DECRYPTED_NONE = 0,`
			`NOTMUCH_MESSAGE_DECRYPTED_PARTIAL,`
			`NOTMUCH_MESSAGE_DECRYPTED_FULL,`
			`} _notmuch_message_decryption_status_t;`

			`/* description of the cryptographic state of a given message overall;`
			`* for use by simple user agents.`
			`*/`
			`typedef struct _notmuch_message_crypto {`
			`/* encryption status: partial, full, none */`
			`_notmuch_message_decryption_status_t decryption_status;`
			`/* FIXME: can we show what key(s) a fully-encrypted message was`
			`* encrypted to? This data is not necessarily cryptographically`
			`* reliable; even when we decrypt, we might not know which public`
			`* key was used (e.g. if we're using a session key). */`

			`/* signature status of the whole message (either the whole message`
			`* is signed, or it is not) -- this means that partially-signed`
			`* messages will get no signature status. */`
			`GMimeSignatureList * sig_list;`
			`/* if part of the message was signed, and the MUA is clever, it`
			`* can determine on its own exactly which part and try to make`
			`* more sense of it. */`

			`/* mark this flag once we encounter a payload (i.e. something that`
			`* is not part of the cryptographic envelope) */`
			`bool payload_encountered;`

			`/* if both signed and encrypted, was the signature encrypted? */`
			`bool signature_encrypted;`
			`} _notmuch_message_crypto_t;`


			`/* _notmuch_message_crypto_t objects should be released with`
			`* talloc_free (), or they will be released along with their parent`
			`* context.`
			`*/`
			`_notmuch_message_crypto_t *`
			`_notmuch_message_crypto_new (void *ctx);`

			`/* call potential_sig_list during a depth-first-search on a message to`
			`* consider a particular signature as relevant for the message.`
			`*/`
			`notmuch_status_t`
			`_notmuch_message_crypto_potential_sig_list (_notmuch_message_crypto_t msg_crypto, GMimeSignatureList sigs);`

			`/* call successful_decryption during a depth-first-search on a message`
			`* to indicate that a part was successfully decrypted.`
			`*/`
			`notmuch_status_t`
			`_notmuch_message_crypto_successful_decryption (_notmuch_message_crypto_t *msg_crypto);`

			`/* call potential_payload during a depth-first-search on a message`
			`* when encountering a message part that is not part of the envelope.`
			`*/`
			`notmuch_status_t`
			`_notmuch_message_crypto_potential_payload (_notmuch_message_crypto_t msg_crypto, GMimeObject payload, GMimeObject *parent, int childnum);`


util: make remaining headers includable from C++ libnotmuch_util.a is supposed to be usable from the library and the CLI, but much the library is compiled as C++. Add in appropriate wrapping to prevent symbol mangling. These wrappers already existed in string-util.h; it seems better to be consistent. 2019-03-02 21:26:06 +01:00			`#ifdef __cplusplus`
			`}`
			`#endif`
crypto: move into libnotmuch_util This prepares us for using the crypto object in both libnotmuch and the client. 2017-10-17 21:09:55 +02:00			`#endif`