From 74919c226eafad4de6b3a823f83a8be970e77e24 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sat, 25 May 2019 14:04:03 -0400 Subject: [PATCH] util/crypto: _notmuch_message_crypto: tracks message-wide crypto state E-mail encryption and signatures reported by notmuch are at the MIME part level. This makes sense in the dirty details, but for users we need to have a per-message conception of the cryptographic state of the e-mail. (see https://dkg.fifthhorseman.net/blog/e-mail-cryptography.html for more discussion of why this is important). The object created in this patch is a useful for tracking the cryptographic state of the underlying message as a whole, based on a depth-first search of the message's MIME structure. This object stores a signature list of the message, but we don't handle it yet. Further patches in this series will make use of the signature list. --- util/crypto.c | 93 +++++++++++++++++++++++++++++++++++++++++++++++++++ util/crypto.h | 65 +++++++++++++++++++++++++++++++++++ 2 files changed, 158 insertions(+) diff --git a/util/crypto.c b/util/crypto.c index 99104e78..3f8ac25a 100644 --- a/util/crypto.c +++ b/util/crypto.c @@ -82,3 +82,96 @@ _notmuch_crypto_decrypt (bool *attempted, decrypt_result, err); return ret; } + +static int +_notmuch_message_crypto_destructor (_notmuch_message_crypto_t *msg_crypto) +{ + if (!msg_crypto) + return 0; + if (msg_crypto->sig_list) + g_object_unref (msg_crypto->sig_list); + return 0; +} + +_notmuch_message_crypto_t * +_notmuch_message_crypto_new (void *ctx) +{ + _notmuch_message_crypto_t *ret = talloc_zero (ctx, _notmuch_message_crypto_t); + talloc_set_destructor (ret, _notmuch_message_crypto_destructor); + return ret; +} + +notmuch_status_t +_notmuch_message_crypto_potential_sig_list (_notmuch_message_crypto_t *msg_crypto, GMimeSignatureList *sigs) +{ + if (!msg_crypto) + return NOTMUCH_STATUS_NULL_POINTER; + + /* Signatures that arrive after a payload part during DFS are not + * part of the cryptographic envelope: */ + if (msg_crypto->payload_encountered) + return NOTMUCH_STATUS_SUCCESS; + + if (msg_crypto->sig_list) + g_object_unref (msg_crypto->sig_list); + + /* This signature list needs to persist as long as the _n_m_crypto + * object survives. Increasing its reference counter prevents + * garbage-collection until after _n_m_crypto_destroy is + * called. */ + msg_crypto->sig_list = sigs; + if (sigs) + g_object_ref (sigs); + + if (msg_crypto->decryption_status == NOTMUCH_MESSAGE_DECRYPTED_FULL) + msg_crypto->signature_encrypted = true; + + return NOTMUCH_STATUS_SUCCESS; +} + + +notmuch_status_t +_notmuch_message_crypto_potential_payload (_notmuch_message_crypto_t *msg_crypto, GMimeObject *payload, GMimeObject *parent, int childnum) +{ + if (!msg_crypto || !payload) + return NOTMUCH_STATUS_NULL_POINTER; + + /* only fire on the first payload part encountered */ + if (msg_crypto->payload_encountered) + return NOTMUCH_STATUS_SUCCESS; + + /* the first child of multipart/encrypted that matches the + * encryption protocol should be "control information" metadata, + * not payload. So we skip it. (see + * https://tools.ietf.org/html/rfc1847#page-8) */ + if (parent && GMIME_IS_MULTIPART_ENCRYPTED (parent) && childnum == GMIME_MULTIPART_ENCRYPTED_VERSION) { + const char *enc_type = g_mime_object_get_content_type_parameter (parent, "protocol"); + GMimeContentType *ct = g_mime_object_get_content_type (payload); + if (ct && enc_type) { + const char *part_type = g_mime_content_type_get_mime_type (ct); + if (part_type && strcmp (part_type, enc_type) == 0) + return NOTMUCH_STATUS_SUCCESS; + } + } + + msg_crypto->payload_encountered = true; + + return NOTMUCH_STATUS_SUCCESS; +} + + +notmuch_status_t +_notmuch_message_crypto_successful_decryption (_notmuch_message_crypto_t *msg_crypto) +{ + if (!msg_crypto) + return NOTMUCH_STATUS_NULL_POINTER; + + /* see the rationale for different values of + * _notmuch_message_decryption_status_t in util/crypto.h */ + if (!msg_crypto->payload_encountered) + msg_crypto->decryption_status = NOTMUCH_MESSAGE_DECRYPTED_FULL; + else if (msg_crypto->decryption_status == NOTMUCH_MESSAGE_DECRYPTED_NONE) + msg_crypto->decryption_status = NOTMUCH_MESSAGE_DECRYPTED_PARTIAL; + + return NOTMUCH_STATUS_SUCCESS; +} diff --git a/util/crypto.h b/util/crypto.h index af3998e8..c6fa7f4b 100644 --- a/util/crypto.h +++ b/util/crypto.h @@ -25,6 +25,71 @@ _notmuch_crypto_decrypt (bool *attempted, void _notmuch_crypto_cleanup (_notmuch_crypto_t *crypto); +/* The user probably wants to know if the entire message was in the + * clear. When replying, the MUA probably wants to know whether there + * was any part decrypted in the message. And when displaying to the + * user, we probably only want to display "encrypted message" if the + * entire message was covered by encryption. */ +typedef enum { + NOTMUCH_MESSAGE_DECRYPTED_NONE = 0, + NOTMUCH_MESSAGE_DECRYPTED_PARTIAL, + NOTMUCH_MESSAGE_DECRYPTED_FULL, +} _notmuch_message_decryption_status_t; + +/* description of the cryptographic state of a given message overall; + * for use by simple user agents. + */ +typedef struct _notmuch_message_crypto { + /* encryption status: partial, full, none */ + _notmuch_message_decryption_status_t decryption_status; + /* FIXME: can we show what key(s) a fully-encrypted message was + * encrypted to? This data is not necessarily cryptographically + * reliable; even when we decrypt, we might not know which public + * key was used (e.g. if we're using a session key). */ + + /* signature status of the whole message (either the whole message + * is signed, or it is not) -- this means that partially-signed + * messages will get no signature status. */ + GMimeSignatureList * sig_list; + /* if part of the message was signed, and the MUA is clever, it + * can determine on its own exactly which part and try to make + * more sense of it. */ + + /* mark this flag once we encounter a payload (i.e. something that + * is not part of the cryptographic envelope) */ + bool payload_encountered; + + /* if both signed and encrypted, was the signature encrypted? */ + bool signature_encrypted; +} _notmuch_message_crypto_t; + + +/* _notmuch_message_crypto_t objects should be released with + * talloc_free (), or they will be released along with their parent + * context. + */ +_notmuch_message_crypto_t * +_notmuch_message_crypto_new (void *ctx); + +/* call potential_sig_list during a depth-first-search on a message to + * consider a particular signature as relevant for the message. + */ +notmuch_status_t +_notmuch_message_crypto_potential_sig_list (_notmuch_message_crypto_t *msg_crypto, GMimeSignatureList *sigs); + +/* call successful_decryption during a depth-first-search on a message + * to indicate that a part was successfully decrypted. + */ +notmuch_status_t +_notmuch_message_crypto_successful_decryption (_notmuch_message_crypto_t *msg_crypto); + +/* call potential_payload during a depth-first-search on a message + * when encountering a message part that is not part of the envelope. + */ +notmuch_status_t +_notmuch_message_crypto_potential_payload (_notmuch_message_crypto_t *msg_crypto, GMimeObject *payload, GMimeObject *parent, int childnum); + + #ifdef __cplusplus } #endif