From 6a9626a2fdddf6115bcf97982fd10053bf48e942 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 8 Dec 2017 01:24:00 -0500 Subject: [PATCH] cli/reindex: destroy stashed session keys when --decrypt=false There are some situations where the user wants to get rid of the cleartext index of a message. For example, if they're indexing encrypted messages normally, but suddenly they run across a message that they really don't want any trace of in their index. In that case, the natural thing to do is: notmuch reindex --decrypt=false id:whatever@example.biz But of course, clearing the cleartext index without clearing the stashed session key is just silly. So we do the expected thing and also destroy any stashed session keys while we're destroying the index of the cleartext. Note that stashed session keys are stored in the xapian database, but xapian does not currently allow safe deletion (see https://trac.xapian.org/ticket/742). As a workaround, after removing session keys and cleartext material from the database, the user probably should do something like "notmuch compact" to try to purge whatever recoverable data is left in the xapian freelist. This problem really needs to be addressed within xapian, though, if we want it fixed right. --- doc/man1/notmuch-reindex.rst | 3 +++ lib/message.cc | 5 +++++ test/T357-index-decryption.sh | 17 +++++++++++++++++ 3 files changed, 25 insertions(+) diff --git a/doc/man1/notmuch-reindex.rst b/doc/man1/notmuch-reindex.rst index d87e9d85..e8174f39 100644 --- a/doc/man1/notmuch-reindex.rst +++ b/doc/man1/notmuch-reindex.rst @@ -30,6 +30,9 @@ Supported options for **reindex** include the user's secret keys. If decryption is successful, index the cleartext itself. + If ``false``, notmuch reindex will also delete any stashed + session keys for all messages matching the search terms. + Be aware that the index is likely sufficient to reconstruct the cleartext of the message itself, so please ensure that the notmuch message index is adequately protected. DO NOT USE diff --git a/lib/message.cc b/lib/message.cc index 12743460..d5db89b6 100644 --- a/lib/message.cc +++ b/lib/message.cc @@ -2002,6 +2002,11 @@ notmuch_message_reindex (notmuch_message_t *message, ret = notmuch_message_remove_all_properties_with_prefix (message, "index."); if (ret) goto DONE; /* XXX TODO: distinguish from other error returns above? */ + if (indexopts && notmuch_indexopts_get_decrypt_policy (indexopts) == NOTMUCH_DECRYPT_FALSE) { + ret = notmuch_message_remove_all_properties (message, "session-key"); + if (ret) + goto DONE; + } /* re-add the filenames with the associated indexopts */ for (; notmuch_filenames_valid (orig_filenames); diff --git a/test/T357-index-decryption.sh b/test/T357-index-decryption.sh index bd213415..9f46a01b 100755 --- a/test/T357-index-decryption.sh +++ b/test/T357-index-decryption.sh @@ -227,6 +227,23 @@ test_expect_equal \ "$output" \ "$expected" +test_begin_subtest "purging stashed session keys should lose access to the cleartext" +notmuch reindex --decrypt=false id:simple-encrypted@crypto.notmuchmail.org +output=$(notmuch search sekrit) +expected='' +test_expect_equal \ + "$output" \ + "$expected" + +test_begin_subtest "and cleartext should be unrecoverable now that there are no stashed session keys" +notmuch dump +notmuch reindex --decrypt=true id:simple-encrypted@crypto.notmuchmail.org +output=$(notmuch search sekrit) +expected='' +test_expect_equal \ + "$output" \ + "$expected" + # TODO: test removal of a message from the message store between # indexing and reindexing.