Commit graph

45 commits

Author SHA1 Message Date
Daniel Kahn Gillmor
d439e4b5d1 mime-node: be clearer about decryption
Part 0 of a multipart/encrypted object is
GMIME_MULTIPART_ENCRYPTED_VERSION; part 1 is
GMIME_MULTIPART_ENCRYPTED_CONTENT.  Using the name for what we want
describes our intent more clearly than using a magic number in the
code.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-31 07:55:46 -03:00
Daniel Kahn Gillmor
d187a6993e mime-node: track whole-message crypto state while walking the tree
Deliberately populate the message's cryptographic status while walking
the MIME tree from the CLI.

Note that the additional numchild argument added to _mime_node_create
is a passthrough needed to be able to adequately populate the crypto
state object.
2019-05-26 08:20:23 -03:00
Daniel Kahn Gillmor
2c08beb254 cli: expose message-wide crypto status from mime-node
The mime node context (a per-message context) gains a cryptographic
status object, and the mime_node_t object itself can return a view on
that status to an interested party.

The status is not yet populated, and for now we can keep that view
read-only, so that it can only be populated/modified during MIME tree
traversal.
2019-05-26 08:20:23 -03:00
David Bremner
103c11822e cli/notmuch-show: support gzipped files
This drops "file" from mime_node_context and just uses a local
variable. It also uses the new gzip aware utility routines recently
added to util/gmime-extra.c. The use of gzopen / gzfile in addition is
a bit icky, but the choice is between that, and providing yet another
readline implimentation that understands GMime streams.
2019-05-03 07:48:43 -03:00
Daniel Kahn Gillmor
e9b870b692 gmime-cleanup: pass NULL as default GMimeParserOptions
This is a functional change, not a straight translation, because we
are no longer directly invoking g_mime_parser_options_get_default(),
but the GMime source has indicated that the options parameter for
g_mime_parser_construct_message() is "nullable" since upstream commit
d0ebdd2ea3e6fa635a2a551c846e9bc8b6040353 (which itself precedes GMime
3.0).

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-03 06:58:00 -03:00
Daniel Kahn Gillmor
bbe3015b3e gmime-cleanup: pass NULL arguments explicitly where GMime 3.0 expects it
Several GMime 2.6 functions sprouted a change in the argument order in
GMime 3.0.  We had a compatibility layer here to be able to handle
compiling against both GMime 2.6 and 3.0.  Now that we're using 3.0
only, rip out the compatibility layer for those functions with changed
argument lists, and explicitly use the 3.0 argument lists.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-03 06:57:27 -03:00
Daniel Kahn Gillmor
b7ac4c05e1 gmime-cleanup: drop all arguments unused in GMime 3
This means dropping GMimeCryptoContext and notmuch_config arguments.

All the argument changes are to internal functions, so this is not an
API or ABI break.

We also get to drop the #define for g_mime_3_unused.

signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-03 06:56:38 -03:00
Daniel Kahn Gillmor
bb0b119358 gmime-cleanup: always support session keys
Our minimum version of GMime 3.0 always supports good session key
handling.

signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-03 06:55:32 -03:00
Daniel Kahn Gillmor
096d45a878 gmime-cleanup: remove obsolete gpg_path configuration option and crypto contexts
Note that we do keep ignoring the gpg_path configuration option,
though, to avoid breakage of existing installations.  It is ignored
like any other unknown configuration option, but we at least document
that it is ignored so that people who find it in their legacy configs
can know that it's safe to drop.

signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-03 06:55:04 -03:00
David Bremner
570349e132 build: drop support for gmime-2.6
GMime 3.0 is over 2 years old now, and 2.6 has been deprecated in
notmuch for about 1.5 years.

Comments and documentation no longer need to refer to GMime 2.6, so
clean them all up.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-03 06:49:49 -03:00
Daniel Kahn Gillmor
afb0b11dcd crypto: Avoid pretending to verify signatures on unsigned encrypted mail
Unsigned encrypted mail shows up with a weird empty signature list.
If we successfully decrypted and there was no signature in it, we
should just not show a sigstatus at all.

The documentation for g_mime_decrypt_result_get_signatures says:

    a GMimeSignatureList or NULL if the stream was not signed.
2019-04-26 08:03:15 -03:00
Daniel Kahn Gillmor
bc842bfff1 cli: write session keys to database, if asked to do so
If the decryption policy is NOTMUCH_DECRYPT_TRUE, that means we want
to stash session keys in the database.  Note that there is currently
no way from the command line to set it this way, though, so it is not
yet included in the test suite.
2018-05-26 07:33:01 -07:00
Daniel Kahn Gillmor
d137170b23 crypto: record whether an actual decryption attempt happened
In our consolidation of _notmuch_crypto_decrypt, the callers lost
track a little bit of whether any actual decryption was attempted.

Now that we have the more-subtle "auto" policy, it's possible that
_notmuch_crypto_decrypt could be called without having any actual
decryption take place.

This change lets the callers be a little bit smarter about whether or
not any decryption was actually attempted.
2017-12-08 08:08:46 -04:00
Daniel Kahn Gillmor
e4890b5bf9 crypto: new decryption policy "auto"
This new automatic decryption policy should make it possible to
decrypt messages that we have stashed session keys for, without
incurring a call to the user's asymmetric keys.
2017-12-08 08:07:53 -04:00
Daniel Kahn Gillmor
798aa789b5 lib: convert notmuch decryption policy to an enum
Future patches in this series will introduce new policies; this merely
readies the way for them.

We also convert --try-decrypt to a keyword argument instead of a boolean.
2017-12-08 08:07:02 -04:00
Daniel Kahn Gillmor
a990585408 crypto: use stashed session-key properties for decryption, if available
When doing any decryption, if the notmuch database knows of any
session keys associated with the message in question, try them before
defaulting to using default symmetric crypto.

This changeset does the primary work in _notmuch_crypto_decrypt, which
grows some new parameters to handle it.

The primary advantage this patch offers is a significant speedup when
rendering large encrypted threads ("notmuch show") if session keys
happen to be cached.

Additionally, it permits message composition without access to
asymmetric secret keys ("notmuch reply"); and it permits recovering a
cleartext index when reindexing after a "notmuch restore" for those
messages that already have a session key stored.

Note that we may try multiple decryptions here (e.g. if there are
multiple session keys in the database), but we will ignore and throw
away all the GMime errors except for those that come from last
decryption attempt.  Since we don't necessarily know at the time of
the decryption that this *is* the last decryption attempt, we'll ask
for the errors each time anyway.

This does nothing if no session keys are stashed in the database,
which is fine.  Actually stashing session keys in the database will
come as a subsequent patch.
2017-12-04 21:48:31 -04:00
Daniel Kahn Gillmor
5f2832ae21 crypto: add _notmuch_crypto_decrypt wrapper function
We will use this centralized function to consolidate the awkward
behavior around different gmime versions.

It's only invoked from two places: mime-node.c's
node_decrypt_and_verify() and lib/index.cc's
_index_encrypted_mime_part().

However, those two places have some markedly distinct logic, so the
interface for this _notmuch_crypto_decrypt function is going to get a
little bit clunky.  It's worthwhile, though, for the sake of keeping
these #if directives reasonably well-contained.
2017-12-04 21:39:24 -04:00
Daniel Kahn Gillmor
9beda4b981 mime-node: handle decrypt_result more safely
If (for whatever reason) we don't get a decrypt_result back, or it's
not structured the way we expect it to be, we shouldn't choke on it.
2017-12-04 21:39:13 -04:00
David Bremner
7ac96b149f Merge branch 'release'
Changes from 0.25.2 release
2017-11-05 20:25:54 -04:00
Jani Nikula
cd3f5e1a93 cli/crypto: fix segfault on failed gmime2 crypto context creation
Commit 1fdc08d0ff ("cli/crypto: treat failure to create a crypto
context as fatal.") started treating crypto context creation failures
"as fatal", returning NULL from _mime_node_create().

Unfortunately, we do not have NULL checks for _mime_node_create()
failures. The only caller, mime_node_child(), could check and return
NULL (as it's documented to do on errors) but none of the several call
sites have NULL checks either. And none of them really have a trivial
but feasible and graceful way of recovery.

So while the right thing to do would be to handle NULL returns
properly all over the place, and we have other scenarios that do
return NULL from above mentioned functions, the crypto context
creation failure is something that does seem to show up regularly in
some scenarios, revert back to the functionality before commit
1fdc08d0ff as an interim fix.
2017-11-05 15:41:13 -04:00
Daniel Kahn Gillmor
a18bbf7f15 crypto: make shared crypto code behave library-like
If we're going to reuse the crypto code across both the library and
the client, then it needs to report error states properly and not
write to stderr.
2017-10-20 07:58:20 -03:00
Daniel Kahn Gillmor
bcd6229d26 gmime-extra: drop compat layer for g_mime_multipart_encrypted_decrypt
In practice, we're going to see this function invoked differently
depending on which gmime we build against.  The compatibility layer
forces our code into the lowest-common-denominator -- unable to make
use of new features even when built against a newer version.

Dropping the compatibility layer paves the way for clearer use of
features from GMime 3.0 in future commits.
2017-10-14 10:57:06 -03:00
Daniel Kahn Gillmor
3e9857a0b9 crypto: drop pretense of notmuch_crypto_context_t
notmuch_crypto_context_t was introduced (i think) as some sort of
abstraction layer to make notmuch somewhat independent of GMime.  But
it isn't even useful for GMime 3.0 or later -- we can drop the
pretense that it's some sort of abstraction in this case, and just
call it what it is, GMimeCryptoContext, which is useful for building
against older versions of GMime.

This also renames _notmuch_crypto_get_context() to
_notmuch_crypto_get_gmime_context().
2017-10-12 22:11:33 -03:00
Daniel Kahn Gillmor
88f2a72ef1 crypto: rename notmuch_crypto_t to _notmuch_crypto_t
The notmuch_crypto_t struct isn't used externally, and we have no
plans to explicitly export it.  Prefix its name (and associated
functions) with _ to make that intent clear.
2017-10-12 22:11:25 -03:00
Jani Nikula
0f314c0c99 cli: convert notmuch_bool_t to stdbool
C99 stdbool turned 18 this year. There really is no reason to use our
own, except in the library interface for backward
compatibility. Convert the cli and test binaries to stdbool.
2017-10-09 22:24:02 -03:00
Yuri Volchkov
09fa51303c show: workaround for the missing file problem
This patch fixes the 'Deleted first duplicate file does not stop
notmuch show from working' test.

If a message to be shown has several duplicated files, and for some
reason the first file in the list is not available anymore, notmuch
will exit with an error.

This is clearly a problem in the database, but we are not going to let
this problem be a show-stopper. Let's walk through the list, and show
the first existing file.

Signed-off-by: Yuri Volchkov <yuri.volchkov@gmail.com>
2017-08-22 18:48:29 -03:00
David Bremner
66c9b11bb0 crypto: Avoid explicit handling of GMimeCryptoContext in gmime 3
gmime 3.0 knows how to select the correct GMimeCryptoContext
automatically, so a bunch of the code in notmuch can be dropped in
that case.

The #ifdef removal of the crypto stuff is better than #define aliasing
in gmime-extra.h for this stuff.  When built against gmime 3.0:

    * it reduces compiled code, and
    * it avoids initializing unused gpgme contexts

(based on a patch from dkg)
2017-07-15 21:43:08 -03:00
David Bremner
606e320e47 cli/crypto: eliminated compiler warnings about unused arguments
These are due to (excessively?) fancy macro definitions in gmime-extra.h
2017-07-15 21:42:49 -03:00
David Bremner
1fdc08d0ff cli/crypto: treat failure to create a crypto context as fatal.
Silently ignoring signed/encrypted parts seems like the wrong idea,
and it also complicates future gmime-3.0 compatibility changes.
2017-07-15 21:39:37 -03:00
Jani Nikula
069362ee10 cli: simplify mime node walk
The function is more straighforward to read when it's clear that the
only non-NULL return is at one place. No functional changes.
2017-03-10 07:55:15 -04:00
Daniel Kahn Gillmor
6a833a6e83 Use https instead of http where possible
Many of the external links found in the notmuch source can be resolved
using https instead of http.  This changeset addresses as many as i
could find, without touching the e-mail corpus or expected outputs
found in tests.
2016-06-05 08:32:17 -03:00
David Bremner
005c2f0df1 cli/lib: remove support for GMime 2.4
It's becoming a maintenance burden to do anything things with the
crypto glue code twice, once for 2.4 and once for 2.6. I don't have
any 2.4 version available to test on my development machine anymore,
so the 2.4 specific code paths are likely not very well tested.
2015-08-26 20:01:45 -03:00
Jani Nikula
d2c881867e cli: mime node: fix compiler warning when building against gmime 2.4
commit d487ef9e58
Author: Jani Nikula <jani@nikula.org>
Date:   Sat Mar 30 15:53:16 2013 +0200

    cli: mime node: abstract decryption and signature verification

introduced a compiler warning, reported by Mark Walters, when building
against gmime 2.4:

mime-node.c:224:9: warning: assignment discards ‘const’ qualifier from
pointer target type [enabled by default]

Pass the non-const signature validity to the destructor to fix this.
2013-04-14 19:49:16 -03:00
Jani Nikula
d487ef9e58 cli: mime node: abstract decryption and signature verification
The code filled with #ifdef GMIME_ATLEAST_26 is difficult to
read. Abstract the decryption and signature verification into
functions, with separate implementations for GMime 2.4 and 2.6, to
clarify the code.

There should be no functional changes.
2013-04-01 15:39:33 -04:00
Justus Winter
b6b08e40b3 Avoid potentially dereferencing a NULL pointer
GMIME_IS_MULTIPART and GMIME_IS_MESSAGE both handle NULL pointers
gracefully, but the G_OBJECT_TYPE used in the error handling block
dereferences it without checking it first.

Fix this by checking whether parent->part is valid.

Found using the clang static analyzer.

Signed-off-by: Justus Winter <4winter@informatik.uni-hamburg.de>
2012-09-27 12:52:34 -03:00
Jameson Graef Rollins
e04b18cf36 cli: use new notmuch_crypto_get_context in mime-node.c
This has the affect of lazily creating the crypto contexts only when
needed.  This removes code duplication from notmuch-show and
notmuch-reply, and should speed up these functions considerably if the
crypto flags are provided but the messages don't have any
cryptographic parts.
2012-06-10 20:09:42 -03:00
Jameson Graef Rollins
b2c8fdee53 cli: new crypto verify flag to handle verification
Use this flag rather than depend on the existence of an initialized
gpgctx, to determine whether we should verify a multipart/signed.  We
will be moving to create the ctx lazily, so we don't want to depend on
it being previously initialized if it's not needed.
2012-06-10 20:09:09 -03:00
Jameson Graef Rollins
90822ffdb8 cli: modify mime_node_context to use the new crypto struct
This simplifies some more interfaces.
2012-06-10 20:08:56 -03:00
Jameson Graef Rollins
429ebf5d20 cli: modify mime_node_open to take new crypto struct as argument
This simplifies the interface considerably.
2012-06-10 20:06:48 -03:00
Jameson Graef Rollins
25c3140e13 cli: use new typedef to deal with gmime 2.4/2.6 context incompatibility
gmime 2.4 defines GMimeCipherContext, while 2.6 defines
GMimeCryptoContext.  typedef them both to notmuch_crypto_context_t to
cover this discrepancy and remove a bunch of #ifdefs.
2012-06-10 20:04:50 -03:00
Austin Clements
353577ad57 Handle errors in mime_node_open 2012-03-10 21:25:19 -04:00
Austin Clements
a66e65d604 mime node: Record depth-first part numbers
This makes the part numbers readily accessible to formatters.
Hierarchical part numbering would be a more natural and efficient fit
for MIME and may be the way to go in the future, but depth-first
numbering maintains compatibility with what we currently do.
2012-01-25 07:19:22 -04:00
Thomas Jost
00b5623d1a Add compatibility with gmime 2.6
There are lots of API changes in gmime 2.6 crypto handling. By adding
preprocessor directives, it is however possible to add gmime 2.6 compatibility
while preserving compatibility with gmime 2.4 too.

This is mostly based on id:"8762i8hrb9.fsf@bookbinder.fernseed.info".

This was tested against both gmime 2.6.4 and 2.4.31. With gmime 2.4.31, the
crypto tests all work fine (as expected). With gmime 2.6.4, one crypto test is
currently broken (signature verification with signer key unavailable), most
likely because of a bug in gmime which will hopefully be fixed in a future
version.
2012-01-21 08:52:34 -04:00
Austin Clements
5d1ac7d1d3 Utility function to seek in MIME trees in depth-first order.
This function matches how we number parts for the --part argument to
show.  It will allow us to jump directly to the desired part, rather
than traversing the entire tree and carefully tracking whether or not
we're "in the zone".
2011-12-25 22:21:04 -04:00
Austin Clements
bb189220a3 Introduce a generic tree-like abstraction for MIME traversal.
This wraps all of the complex MIME part handling in a single, simple
function that gets part N from *any* MIME object, so traversing a MIME
part tree becomes a two-line for loop.  Furthermore, the MIME node
structure provides easy access to envelopes for message parts as well
as cryptographic information.

This code is directly derived from the current show_message_body code
(much of it is identical), but the control relation is inverted:
instead of show_message_body controlling the traversal of the MIME
structure and invoking callbacks, the caller controls the traversal of
the MIME structure.
2011-12-25 22:19:12 -04:00