notmuch/util/repair.c

159 lines
5.3 KiB
C
Raw Permalink Normal View History

/* notmuch - Not much of an email program, (just index and search)
*
* Copyright © 2019 Daniel Kahn Gillmor
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see https://www.gnu.org/licenses/ .
*
* Authors: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
*/
#include <stdbool.h>
#include "repair.h"
static bool
_notmuch_crypto_payload_has_legacy_display (GMimeObject *payload)
{
GMimeMultipart *mpayload;
const char *protected_header_parameter;
legacy-display: drop tests that try to match headers in a Legacy Display part These tests were an attempt to establish that the content of the "Legacy Display" part is the same as the actual protected headers of the message. But this is more conservative than we need to be. https://www.ietf.org/id/draft-autocrypt-lamps-protected-headers-02.html section 5.3 makes clear that the Legacy Display part is purely decorative, and section 5.2.1 clarifies that the detection can be done purely by MIME structure and Content-Type alone. Furthermore, now that we're accepting text/plain Legacy Display parts, it's not clear the lines in the Legacy Display part should be interpreted as needing an exact string match (e.g. "real" headers are likely to be RFC 2047 encoded, but the text/plain Legacy Display part probably should not be). The concerns that motivated this test in the past were twofold: that we might accidentally hide some information from the reader of the message that they should have available to them, or that we could introduce a covert channel that would be invisible to other clients. I no longer think these are significant concerns: a) There will be no accidental misidentification of a Legacy Display part. The identification of the Legacy Display part is unambiguous due to MIME structure and Content-Type. MIME structure MUST be the first child part of a two-part multipart/mixed Cryptographic Payload. And the protected-headers=v1 content-type parameter must be present on both the cryptographic payload and the legacy display part, so no one would accidentally generate this structure and have it be accidentally matched. b) As for creating a covert channel, many such channels already exist. For example, non-standard e-mail headers, custom MIME types, unusual MIME structures, etc, all make it possible to ship some content in a message that will be visible in some MUAs but not in others. This doesn't make the situation demonstrably worse. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-12-23 18:39:27 +01:00
GMimeObject *first;
if (! g_mime_content_type_is_type (g_mime_object_get_content_type (payload),
"multipart", "mixed"))
return false;
protected_header_parameter = g_mime_object_get_content_type_parameter (payload,
"protected-headers");
if ((! protected_header_parameter) || strcmp (protected_header_parameter, "v1"))
return false;
if (! GMIME_IS_MULTIPART (payload))
return false;
mpayload = GMIME_MULTIPART (payload);
if (mpayload == NULL)
return false;
if (g_mime_multipart_get_count (mpayload) != 2)
return false;
first = g_mime_multipart_get_part (mpayload, 0);
/* Early implementations that generated "Legacy Display" parts used
* Content-Type: text/rfc822-headers, but text/plain is more widely
* rendered, so it is now the standard choice. We accept either as a
* Legacy Display part. */
if (! (g_mime_content_type_is_type (g_mime_object_get_content_type (first),
"text", "plain") ||
g_mime_content_type_is_type (g_mime_object_get_content_type (first),
"text", "rfc822-headers")))
return false;
protected_header_parameter = g_mime_object_get_content_type_parameter (first,
"protected-headers");
if ((! protected_header_parameter) || strcmp (protected_header_parameter, "v1"))
return false;
if (! GMIME_IS_TEXT_PART (first))
return false;
legacy-display: drop tests that try to match headers in a Legacy Display part These tests were an attempt to establish that the content of the "Legacy Display" part is the same as the actual protected headers of the message. But this is more conservative than we need to be. https://www.ietf.org/id/draft-autocrypt-lamps-protected-headers-02.html section 5.3 makes clear that the Legacy Display part is purely decorative, and section 5.2.1 clarifies that the detection can be done purely by MIME structure and Content-Type alone. Furthermore, now that we're accepting text/plain Legacy Display parts, it's not clear the lines in the Legacy Display part should be interpreted as needing an exact string match (e.g. "real" headers are likely to be RFC 2047 encoded, but the text/plain Legacy Display part probably should not be). The concerns that motivated this test in the past were twofold: that we might accidentally hide some information from the reader of the message that they should have available to them, or that we could introduce a covert channel that would be invisible to other clients. I no longer think these are significant concerns: a) There will be no accidental misidentification of a Legacy Display part. The identification of the Legacy Display part is unambiguous due to MIME structure and Content-Type. MIME structure MUST be the first child part of a two-part multipart/mixed Cryptographic Payload. And the protected-headers=v1 content-type parameter must be present on both the cryptographic payload and the legacy display part, so no one would accidentally generate this structure and have it be accidentally matched. b) As for creating a covert channel, many such channels already exist. For example, non-standard e-mail headers, custom MIME types, unusual MIME structures, etc, all make it possible to ship some content in a message that will be visible in some MUAs but not in others. This doesn't make the situation demonstrably worse. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-12-23 18:39:27 +01:00
return true;
}
GMimeObject *
_notmuch_repair_crypto_payload_skip_legacy_display (GMimeObject *payload)
{
if (_notmuch_crypto_payload_has_legacy_display (payload)) {
return g_mime_multipart_get_part (GMIME_MULTIPART (payload), 1);
} else {
return payload;
}
}
/* see
* https://tools.ietf.org/html/draft-dkg-openpgp-pgpmime-message-mangling-00#section-4.1.1 */
static bool
_notmuch_is_mixed_up_mangled (GMimeObject *part)
{
GMimeMultipart *mpart = NULL;
GMimeObject *parts[3] = { NULL, NULL, NULL };
GMimeContentType *type = NULL;
char *prelude_string = NULL;
bool prelude_is_empty;
if (part == NULL)
return false;
type = g_mime_object_get_content_type (part);
if (type == NULL)
return false;
if (! g_mime_content_type_is_type (type, "multipart", "mixed"))
return false;
if (! GMIME_IS_MULTIPART (part)) /* probably impossible */
return false;
mpart = GMIME_MULTIPART (part);
if (mpart == NULL)
return false;
if (g_mime_multipart_get_count (mpart) != 3)
return false;
parts[0] = g_mime_multipart_get_part (mpart, 0);
if (! g_mime_content_type_is_type (g_mime_object_get_content_type (parts[0]),
"text", "plain"))
return false;
if (! GMIME_IS_TEXT_PART (parts[0]))
return false;
parts[1] = g_mime_multipart_get_part (mpart, 1);
if (! g_mime_content_type_is_type (g_mime_object_get_content_type (parts[1]),
"application", "pgp-encrypted"))
return false;
parts[2] = g_mime_multipart_get_part (mpart, 2);
if (! g_mime_content_type_is_type (g_mime_object_get_content_type (parts[2]),
"application", "octet-stream"))
return false;
/* Is parts[0] length 0? */
prelude_string = g_mime_text_part_get_text (GMIME_TEXT_PART (parts[0]));
prelude_is_empty = (prelude_string[0] == '\0');
g_free (prelude_string);
if (! prelude_is_empty)
return false;
/* FIXME: after decoding and stripping whitespace, is parts[1]
* subpart just "Version: 1" ? */
/* FIXME: can we determine that parts[2] subpart is *only* PGP
* encrypted data? I tried g_mime_part_get_openpgp_data () but
* found https://github.com/jstedfast/gmime/issues/60 */
return true;
}
/* see
* https://tools.ietf.org/html/draft-dkg-openpgp-pgpmime-message-mangling-00#section-4.1.2 */
GMimeObject *
_notmuch_repair_mixed_up_mangled (GMimeObject *part)
{
GMimeMultipart *mpart = NULL, *mpart_ret = NULL;
GMimeObject *ret = NULL;
if (! _notmuch_is_mixed_up_mangled (part))
return NULL;
mpart = GMIME_MULTIPART (part);
ret = GMIME_OBJECT (g_mime_multipart_encrypted_new ());
if (ret == NULL)
return NULL;
mpart_ret = GMIME_MULTIPART (ret);
if (mpart_ret == NULL) {
g_object_unref (ret);
return NULL;
}
g_mime_object_set_content_type_parameter (ret, "protocol", "application/pgp-encrypted");
g_mime_multipart_insert (mpart_ret, 0, g_mime_multipart_get_part (mpart, 1));
g_mime_multipart_insert (mpart_ret, 1, g_mime_multipart_get_part (mpart, 2));
return ret;
}