Commit graph

56 commits

Author SHA1 Message Date
Daniel Kahn Gillmor
2b108728c4 crypto: Make _notmuch_crypto_decrypt take a GMimeObject
As we prepare to handle S/MIME-encrypted PKCS#7 EnvelopedData (which
is not multipart), we don't want to be limited to passing only
GMimeMultipartEncrypted MIME parts to _notmuch_crypto_decrypt.

There is no functional change here, just a matter of adjusting how we
pass arguments internally.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-05-22 22:11:33 -03:00
Daniel Kahn Gillmor
5f4aceee26 cli: include wrapped part of PKCS#7 SignedData in the MIME tree
Unwrap a PKCS#7 SignedData part unconditionally when the cli is
traversing the MIME tree, and return it as a "child" of what would
otherwise be a leaf in the tree.

Unfortunately, this also breaks the JSON output.  We will fix that
next.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-05-22 22:11:07 -03:00
Daniel Kahn Gillmor
4dccb99282 mime-node: Clean up unwrapped MIME parts correctly.
Avoid a memory leak in the notmuch command line.

gmime_multipart_encrypted_decrypt returns a GMimeObject marked by
GMime as "transfer full", so we are supposed to clean up after it.

When parsing a message, notmuch would leak one GMimeObject part per
multipart/encrypted MIME layer.  We clean it up by analogy with
cleaning up the signature list associated with a MIME node.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-03-22 22:21:03 -03:00
Daniel Kahn Gillmor
7de3d77d2d mime-node: rename decrypted_child to unwrapped_child
When walking the MIME tree, we might need to extract a new MIME
object.  Thus far, we've only done it when decrypting
multipart/encrypted messages, but PKCS#7 (RFC 8551, S/MIME) has
several other transformations that warrant a comparable form of
unwrapping.

Make this member re-usable for PKCS#7 unwrappings as well as
multipart/encrypted decryptions.

This change is just a naming change, it has no effect on function.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-03-22 22:20:52 -03:00
Daniel Kahn Gillmor
b27b23a7f9 mime-node: Pass the correct flags to g_mime_multipart_signed_verify
GMIME_ENCRYPT_NONE and GMIME_VERIFY_NONE have the same value, but they
are different enumerated types.  So in C, this is a cosmetic change,
but it is technically correct if we only had stricter typing.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-03-19 21:55:41 -03:00
Daniel Kahn Gillmor
23bcd00363 cli/{show,reply}: use repaired form of "Mixed Up" mangled messages
When showing or replying to a message that has been mangled in transit
by an MTA in the "Mixed up" way, notmuch should instead use the
repaired form of the message.

Tracking the repaired GMimeObject for the lifetime of the mime_node so
that it is cleaned up properly is probably the trickiest part of this
patch, but the choices here are based on the idea that the
mime_node_context is the memory manager for the whole mime_node tree
in the first place, so a new GMimeObject tree created on-the-fly during
message parsing should be disposed of in the same place.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-09-15 19:07:06 -04:00
Daniel Kahn Gillmor
c61e22d5cb cli/{show,reply}: skip over legacy-display parts
Make use of the previous changes to fast-forward past any
legacy-display parts during "notmuch show" and "notmuch reply".

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-09-01 08:44:17 -03:00
Daniel Kahn Gillmor
ab0ae8b1c0 util/crypto: _n_m_crypto_potential_payload returns whether part is the payload
Our _notmuch_message_crypto_potential_payload implementation could
only return a failure if bad arguments were passed to it.  It is an
internal function, so if that happens it's an entirely internal bug
for notmuch.

It will be more useful for this function to return whether or not the
part is in fact a cryptographic payload, so we dispense with the
status return.

If some future change suggests adding a status return back, there are
only a handful of call sites, and no pressure to retain a stable API,
so it could be changed easily. But for now, go with the simpler
function.

We will use this return value in future patches, to make different
decisions based on whether a part is the cryptographic payload or not.
But for now, we just leave the places where it gets invoked marked
with (void) to show that the result is ignored.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-09-01 08:38:11 -03:00
Daniel Kahn Gillmor
dcfa2fc996 mime-node: split out _mime_node_set_up_part
This is a code reorganization that should have no functional effect,
but will make future changes simpler, because a future commit will
reuse the _mime_node_set_up_part functionality without touching
_mime_node_create.

In the course of splitting out this function, I noticed a comment in
the codebase that referred to an older name of _mime_node_create
(message_part_create), where this functionality originally resided.
I've fixed that comment to refer to the new function instead.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-09-01 08:17:00 -03:00
uncrustify
33382c2b5b cli: run uncrustify
This is the result of running

     $ uncrustify --replace --config devel/uncrustify.cfg *.c *.h

in the top level source directory
2019-06-14 07:41:27 -03:00
David Bremner
be8f0ba92a CLI: replace some constructs with more uncrustify friendly ones
In particular
   - use (bool) instead of !!
   - cuddle the opening parens of function calls
   - add parens in some ternary operators
2019-06-14 07:41:27 -03:00
Daniel Kahn Gillmor
d439e4b5d1 mime-node: be clearer about decryption
Part 0 of a multipart/encrypted object is
GMIME_MULTIPART_ENCRYPTED_VERSION; part 1 is
GMIME_MULTIPART_ENCRYPTED_CONTENT.  Using the name for what we want
describes our intent more clearly than using a magic number in the
code.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-31 07:55:46 -03:00
Daniel Kahn Gillmor
d187a6993e mime-node: track whole-message crypto state while walking the tree
Deliberately populate the message's cryptographic status while walking
the MIME tree from the CLI.

Note that the additional numchild argument added to _mime_node_create
is a passthrough needed to be able to adequately populate the crypto
state object.
2019-05-26 08:20:23 -03:00
Daniel Kahn Gillmor
2c08beb254 cli: expose message-wide crypto status from mime-node
The mime node context (a per-message context) gains a cryptographic
status object, and the mime_node_t object itself can return a view on
that status to an interested party.

The status is not yet populated, and for now we can keep that view
read-only, so that it can only be populated/modified during MIME tree
traversal.
2019-05-26 08:20:23 -03:00
David Bremner
103c11822e cli/notmuch-show: support gzipped files
This drops "file" from mime_node_context and just uses a local
variable. It also uses the new gzip aware utility routines recently
added to util/gmime-extra.c. The use of gzopen / gzfile in addition is
a bit icky, but the choice is between that, and providing yet another
readline implementation that understands GMime streams.
2019-05-03 07:48:43 -03:00
Daniel Kahn Gillmor
e9b870b692 gmime-cleanup: pass NULL as default GMimeParserOptions
This is a functional change, not a straight translation, because we
are no longer directly invoking g_mime_parser_options_get_default(),
but the GMime source has indicated that the options parameter for
g_mime_parser_construct_message() is "nullable" since upstream commit
d0ebdd2ea3e6fa635a2a551c846e9bc8b6040353 (which itself precedes GMime
3.0).

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-03 06:58:00 -03:00
Daniel Kahn Gillmor
bbe3015b3e gmime-cleanup: pass NULL arguments explicitly where GMime 3.0 expects it
Several GMime 2.6 functions sprouted a change in the argument order in
GMime 3.0.  We had a compatibility layer here to be able to handle
compiling against both GMime 2.6 and 3.0.  Now that we're using 3.0
only, rip out the compatibility layer for those functions with changed
argument lists, and explicitly use the 3.0 argument lists.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-03 06:57:27 -03:00
Daniel Kahn Gillmor
b7ac4c05e1 gmime-cleanup: drop all arguments unused in GMime 3
This means dropping GMimeCryptoContext and notmuch_config arguments.

All the argument changes are to internal functions, so this is not an
API or ABI break.

We also get to drop the #define for g_mime_3_unused.

signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-03 06:56:38 -03:00
Daniel Kahn Gillmor
bb0b119358 gmime-cleanup: always support session keys
Our minimum version of GMime 3.0 always supports good session key
handling.

signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-03 06:55:32 -03:00
Daniel Kahn Gillmor
096d45a878 gmime-cleanup: remove obsolete gpg_path configuration option and crypto contexts
Note that we do keep ignoring the gpg_path configuration option,
though, to avoid breakage of existing installations.  It is ignored
like any other unknown configuration option, but we at least document
that it is ignored so that people who find it in their legacy configs
can know that it's safe to drop.

signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-03 06:55:04 -03:00
David Bremner
570349e132 build: drop support for gmime-2.6
GMime 3.0 is over 2 years old now, and 2.6 has been deprecated in
notmuch for about 1.5 years.

Comments and documentation no longer need to refer to GMime 2.6, so
clean them all up.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-03 06:49:49 -03:00
Daniel Kahn Gillmor
afb0b11dcd crypto: Avoid pretending to verify signatures on unsigned encrypted mail
Unsigned encrypted mail shows up with a weird empty signature list.
If we successfully decrypted and there was no signature in it, we
should just not show a sigstatus at all.

The documentation for g_mime_decrypt_result_get_signatures says:

    a GMimeSignatureList or NULL if the stream was not signed.
2019-04-26 08:03:15 -03:00
Daniel Kahn Gillmor
bc842bfff1 cli: write session keys to database, if asked to do so
If the decryption policy is NOTMUCH_DECRYPT_TRUE, that means we want
to stash session keys in the database.  Note that there is currently
no way from the command line to set it this way, though, so it is not
yet included in the test suite.
2018-05-26 07:33:01 -07:00
Daniel Kahn Gillmor
d137170b23 crypto: record whether an actual decryption attempt happened
In our consolidation of _notmuch_crypto_decrypt, the callers lost
track a little bit of whether any actual decryption was attempted.

Now that we have the more-subtle "auto" policy, it's possible that
_notmuch_crypto_decrypt could be called without having any actual
decryption take place.

This change lets the callers be a little bit smarter about whether or
not any decryption was actually attempted.
2017-12-08 08:08:46 -04:00
Daniel Kahn Gillmor
e4890b5bf9 crypto: new decryption policy "auto"
This new automatic decryption policy should make it possible to
decrypt messages that we have stashed session keys for, without
incurring a call to the user's asymmetric keys.
2017-12-08 08:07:53 -04:00
Daniel Kahn Gillmor
798aa789b5 lib: convert notmuch decryption policy to an enum
Future patches in this series will introduce new policies; this merely
readies the way for them.

We also convert --try-decrypt to a keyword argument instead of a boolean.
2017-12-08 08:07:02 -04:00
Daniel Kahn Gillmor
a990585408 crypto: use stashed session-key properties for decryption, if available
When doing any decryption, if the notmuch database knows of any
session keys associated with the message in question, try them before
defaulting to using default symmetric crypto.

This changeset does the primary work in _notmuch_crypto_decrypt, which
grows some new parameters to handle it.

The primary advantage this patch offers is a significant speedup when
rendering large encrypted threads ("notmuch show") if session keys
happen to be cached.

Additionally, it permits message composition without access to
asymmetric secret keys ("notmuch reply"); and it permits recovering a
cleartext index when reindexing after a "notmuch restore" for those
messages that already have a session key stored.

Note that we may try multiple decryptions here (e.g. if there are
multiple session keys in the database), but we will ignore and throw
away all the GMime errors except for those that come from the last
decryption attempt.  Since we don't necessarily know at the time of
the decryption that this *is* the last decryption attempt, we'll ask
for the errors each time anyway.

This does nothing if no session keys are stashed in the database,
which is fine.  Actually stashing session keys in the database will
come as a subsequent patch.
2017-12-04 21:48:31 -04:00
Daniel Kahn Gillmor
5f2832ae21 crypto: add _notmuch_crypto_decrypt wrapper function
We will use this centralized function to consolidate the awkward
behavior around different gmime versions.

It's only invoked from two places: mime-node.c's
node_decrypt_and_verify() and lib/index.cc's
_index_encrypted_mime_part().

However, those two places have some markedly distinct logic, so the
interface for this _notmuch_crypto_decrypt function is going to get a
little bit clunky.  It's worthwhile, though, for the sake of keeping
these #if directives reasonably well-contained.
2017-12-04 21:39:24 -04:00
Daniel Kahn Gillmor
9beda4b981 mime-node: handle decrypt_result more safely
If (for whatever reason) we don't get a decrypt_result back, or it's
not structured the way we expect it to be, we shouldn't choke on it.
2017-12-04 21:39:13 -04:00
David Bremner
7ac96b149f Merge branch 'release'
Changes from 0.25.2 release
2017-11-05 20:25:54 -04:00
Jani Nikula
cd3f5e1a93 cli/crypto: fix segfault on failed gmime2 crypto context creation
Commit 1fdc08d0ff ("cli/crypto: treat failure to create a crypto
context as fatal.") started treating crypto context creation failures
"as fatal", returning NULL from _mime_node_create().

Unfortunately, we do not have NULL checks for _mime_node_create()
failures. The only caller, mime_node_child(), could check and return
NULL (as it's documented to do on errors) but none of the several call
sites have NULL checks either. And none of them really have a trivial
but feasible and graceful way of recovery.

So while the right thing to do would be to handle NULL returns
properly all over the place, and we have other scenarios that do
return NULL from above mentioned functions, the crypto context
creation failure is something that does seem to show up regularly in
some scenarios, revert back to the functionality before commit
1fdc08d0ff as an interim fix.
2017-11-05 15:41:13 -04:00
Daniel Kahn Gillmor
a18bbf7f15 crypto: make shared crypto code behave library-like
If we're going to reuse the crypto code across both the library and
the client, then it needs to report error states properly and not
write to stderr.
2017-10-20 07:58:20 -03:00
Daniel Kahn Gillmor
bcd6229d26 gmime-extra: drop compat layer for g_mime_multipart_encrypted_decrypt
In practice, we're going to see this function invoked differently
depending on which gmime we build against.  The compatibility layer
forces our code into the lowest-common-denominator -- unable to make
use of new features even when built against a newer version.

Dropping the compatibility layer paves the way for clearer use of
features from GMime 3.0 in future commits.
2017-10-14 10:57:06 -03:00
Daniel Kahn Gillmor
3e9857a0b9 crypto: drop pretense of notmuch_crypto_context_t
notmuch_crypto_context_t was introduced (i think) as some sort of
abstraction layer to make notmuch somewhat independent of GMime.  But
it isn't even useful for GMime 3.0 or later -- we can drop the
pretense that it's some sort of abstraction in this case, and just
call it what it is, GMimeCryptoContext, which is useful for building
against older versions of GMime.

This also renames _notmuch_crypto_get_context() to
_notmuch_crypto_get_gmime_context().
2017-10-12 22:11:33 -03:00
Daniel Kahn Gillmor
88f2a72ef1 crypto: rename notmuch_crypto_t to _notmuch_crypto_t
The notmuch_crypto_t struct isn't used externally, and we have no
plans to explicitly export it.  Prefix its name (and associated
functions) with _ to make that intent clear.
2017-10-12 22:11:25 -03:00
Jani Nikula
0f314c0c99 cli: convert notmuch_bool_t to stdbool
C99 stdbool turned 18 this year. There really is no reason to use our
own, except in the library interface for backward
compatibility. Convert the cli and test binaries to stdbool.
2017-10-09 22:24:02 -03:00
Yuri Volchkov
09fa51303c show: workaround for the missing file problem
This patch fixes the 'Deleted first duplicate file does not stop
notmuch show from working' test.

If a message to be shown has several duplicated files, and for some
reason the first file in the list is not available anymore, notmuch
will exit with an error.

This is clearly a problem in the database, but we are not going to let
this problem be a show-stopper. Let's walk through the list, and show
the first existing file.

Signed-off-by: Yuri Volchkov <yuri.volchkov@gmail.com>
2017-08-22 18:48:29 -03:00
David Bremner
66c9b11bb0 crypto: Avoid explicit handling of GMimeCryptoContext in gmime 3
gmime 3.0 knows how to select the correct GMimeCryptoContext
automatically, so a bunch of the code in notmuch can be dropped in
that case.

The #ifdef removal of the crypto stuff is better than #define aliasing
in gmime-extra.h for this stuff.  When built against gmime 3.0:

    * it reduces compiled code, and
    * it avoids initializing unused gpgme contexts

(based on a patch from dkg)
2017-07-15 21:43:08 -03:00
David Bremner
606e320e47 cli/crypto: eliminated compiler warnings about unused arguments
These are due to (excessively?) fancy macro definitions in gmime-extra.h
2017-07-15 21:42:49 -03:00
David Bremner
1fdc08d0ff cli/crypto: treat failure to create a crypto context as fatal.
Silently ignoring signed/encrypted parts seems like the wrong idea,
and it also complicates future gmime-3.0 compatibility changes.
2017-07-15 21:39:37 -03:00
Jani Nikula
069362ee10 cli: simplify mime node walk
The function is more straightforward to read when it's clear that the
only non-NULL return is at one place. No functional changes.
2017-03-10 07:55:15 -04:00
Daniel Kahn Gillmor
6a833a6e83 Use https instead of http where possible
Many of the external links found in the notmuch source can be resolved
using https instead of http.  This changeset addresses as many as i
could find, without touching the e-mail corpus or expected outputs
found in tests.
2016-06-05 08:32:17 -03:00
David Bremner
005c2f0df1 cli/lib: remove support for GMime 2.4
It's becoming a maintenance burden to do anything with the
crypto glue code twice, once for 2.4 and once for 2.6. I don't have
any 2.4 version available to test on my development machine anymore,
so the 2.4 specific code paths are likely not very well tested.
2015-08-26 20:01:45 -03:00
Jani Nikula
d2c881867e cli: mime node: fix compiler warning when building against gmime 2.4
commit d487ef9e58
Author: Jani Nikula <jani@nikula.org>
Date:   Sat Mar 30 15:53:16 2013 +0200

    cli: mime node: abstract decryption and signature verification

introduced a compiler warning, reported by Mark Walters, when building
against gmime 2.4:

mime-node.c:224:9: warning: assignment discards ‘const’ qualifier from
pointer target type [enabled by default]

Pass the non-const signature validity to the destructor to fix this.
2013-04-14 19:49:16 -03:00
Jani Nikula
d487ef9e58 cli: mime node: abstract decryption and signature verification
The code filled with #ifdef GMIME_ATLEAST_26 is difficult to
read. Abstract the decryption and signature verification into
functions, with separate implementations for GMime 2.4 and 2.6, to
clarify the code.

There should be no functional changes.
2013-04-01 15:39:33 -04:00
Justus Winter
b6b08e40b3 Avoid potentially dereferencing a NULL pointer
GMIME_IS_MULTIPART and GMIME_IS_MESSAGE both handle NULL pointers
gracefully, but the G_OBJECT_TYPE used in the error handling block
dereferences it without checking it first.

Fix this by checking whether parent->part is valid.

Found using the clang static analyzer.

Signed-off-by: Justus Winter <4winter@informatik.uni-hamburg.de>
2012-09-27 12:52:34 -03:00
Jameson Graef Rollins
e04b18cf36 cli: use new notmuch_crypto_get_context in mime-node.c
This has the effect of lazily creating the crypto contexts only when
needed.  This removes code duplication from notmuch-show and
notmuch-reply, and should speed up these functions considerably if the
crypto flags are provided but the messages don't have any
cryptographic parts.
2012-06-10 20:09:42 -03:00
Jameson Graef Rollins
b2c8fdee53 cli: new crypto verify flag to handle verification
Use this flag rather than depend on the existence of an initialized
gpgctx, to determine whether we should verify a multipart/signed.  We
will be moving to create the ctx lazily, so we don't want to depend on
it being previously initialized if it's not needed.
2012-06-10 20:09:09 -03:00
Jameson Graef Rollins
90822ffdb8 cli: modify mime_node_context to use the new crypto struct
This simplifies some more interfaces.
2012-06-10 20:08:56 -03:00
Jameson Graef Rollins
429ebf5d20 cli: modify mime_node_open to take new crypto struct as argument
This simplifies the interface considerably.
2012-06-10 20:06:48 -03:00