cli/reindex: destroy stashed session keys when --decrypt=false

There are some situations where the user wants to get rid of the
cleartext index of a message.  For example, if they're indexing
encrypted messages normally, but suddenly they run across a message
that they really don't want any trace of in their index.

In that case, the natural thing to do is:

   notmuch reindex --decrypt=false id:whatever@example.biz

But of course, clearing the cleartext index without clearing the
stashed session key is just silly.  So we do the expected thing and
also destroy any stashed session keys while we're destroying the index
of the cleartext.

Note that stashed session keys are stored in the xapian database, but
xapian does not currently allow safe deletion (see
https://trac.xapian.org/ticket/742).

As a workaround, after removing session keys and cleartext material
from the database, the user probably should do something like "notmuch
compact" to try to purge whatever recoverable data is left in the
xapian freelist.  This problem really needs to be addressed within
xapian, though, if we want it fixed right.
This commit is contained in:
Daniel Kahn Gillmor 2017-12-08 01:24:00 -05:00 committed by David Bremner
parent 076f86025d
commit 6a9626a2fd
3 changed files with 25 additions and 0 deletions

View file

@ -30,6 +30,9 @@ Supported options for **reindex** include
the user's secret keys. If decryption is successful, index the user's secret keys. If decryption is successful, index
the cleartext itself. the cleartext itself.
If ``false``, notmuch reindex will also delete any stashed
session keys for all messages matching the search terms.
Be aware that the index is likely sufficient to reconstruct Be aware that the index is likely sufficient to reconstruct
the cleartext of the message itself, so please ensure that the the cleartext of the message itself, so please ensure that the
notmuch message index is adequately protected. DO NOT USE notmuch message index is adequately protected. DO NOT USE

View file

@ -2002,6 +2002,11 @@ notmuch_message_reindex (notmuch_message_t *message,
ret = notmuch_message_remove_all_properties_with_prefix (message, "index."); ret = notmuch_message_remove_all_properties_with_prefix (message, "index.");
if (ret) if (ret)
goto DONE; /* XXX TODO: distinguish from other error returns above? */ goto DONE; /* XXX TODO: distinguish from other error returns above? */
if (indexopts && notmuch_indexopts_get_decrypt_policy (indexopts) == NOTMUCH_DECRYPT_FALSE) {
ret = notmuch_message_remove_all_properties (message, "session-key");
if (ret)
goto DONE;
}
/* re-add the filenames with the associated indexopts */ /* re-add the filenames with the associated indexopts */
for (; notmuch_filenames_valid (orig_filenames); for (; notmuch_filenames_valid (orig_filenames);

View file

@ -227,6 +227,23 @@ test_expect_equal \
"$output" \ "$output" \
"$expected" "$expected"
test_begin_subtest "purging stashed session keys should lose access to the cleartext"
notmuch reindex --decrypt=false id:simple-encrypted@crypto.notmuchmail.org
output=$(notmuch search sekrit)
expected=''
test_expect_equal \
"$output" \
"$expected"
test_begin_subtest "and cleartext should be unrecoverable now that there are no stashed session keys"
notmuch dump
notmuch reindex --decrypt=true id:simple-encrypted@crypto.notmuchmail.org
output=$(notmuch search sekrit)
expected=''
test_expect_equal \
"$output" \
"$expected"
# TODO: test removal of a message from the message store between # TODO: test removal of a message from the message store between
# indexing and reindexing. # indexing and reindexing.