Commit graph

1014 commits

Author SHA1 Message Date
Daniel Kahn Gillmor
fccebbaeef crypto: add --decrypt=nostash to avoid stashing session keys
Here's the configuration choice for people who want a cleartext index,
but don't want stashed session keys.

Interestingly, this "nostash" decryption policy is actually the same
policy that should be used by "notmuch show" and "notmuch reply",
since they never modify the index or database when they are invoked
with --decrypt.

We take advantage of this parallel to tune the behavior of those
programs so that we're not requesting session keys from GnuPG during
"show" and "reply" that we would then otherwise just throw away.
2017-12-08 08:08:47 -04:00
Daniel Kahn Gillmor
29648a137c crypto: actually stash session keys when decrypt=true
If you're going to store the cleartext index of an encrypted message,
in most situations you might just as well store the session key.
Doing this storage has efficiency and recoverability advantages.

Combined with a schedule of regular OpenPGP subkey rotation and
destruction, this can also offer security benefits, like "deletable
e-mail", which is the store-and-forward analog to "forward secrecy".

But wait, i hear you saying, i have a special need to store cleartext
indexes but it's really bad for me to store session keys!  Maybe
(let's imagine) i get lots of e-mails with incriminating photos
attached, and i want to be able to search for them by the text in the
e-mail, but i don't want someone with access to the index to be
actually able to see the photos themselves.

Fret not, the next patch in this series will support your wacky
uncommon use case.
2017-12-08 08:08:47 -04:00
Daniel Kahn Gillmor
6a9626a2fd cli/reindex: destroy stashed session keys when --decrypt=false
There are some situations where the user wants to get rid of the
cleartext index of a message.  For example, if they're indexing
encrypted messages normally, but suddenly they run across a message
that they really don't want any trace of in their index.

In that case, the natural thing to do is:

   notmuch reindex --decrypt=false id:whatever@example.biz

But of course, clearing the cleartext index without clearing the
stashed session key is just silly.  So we do the expected thing and
also destroy any stashed session keys while we're destroying the index
of the cleartext.

Note that stashed session keys are stored in the xapian database, but
xapian does not currently allow safe deletion (see
https://trac.xapian.org/ticket/742).

As a workaround, after removing session keys and cleartext material
from the database, the user probably should do something like "notmuch
compact" to try to purge whatever recoverable data is left in the
xapian freelist.  This problem really needs to be addressed within
xapian, though, if we want it fixed right.
2017-12-08 08:08:47 -04:00
Daniel Kahn Gillmor
076f86025d cli/new, insert, reindex: change index.decrypt to "auto" by default
The new "auto" decryption policy is not only good for "notmuch show"
and "notmuch reindex".  It's also useful for indexing messages --
there's no good reason to not try to go ahead and index the cleartext
of a message that we have a stashed session key for.

This change updates the defaults and tunes the test suite to make sure
that they have taken effect.
2017-12-08 08:08:46 -04:00
Daniel Kahn Gillmor
a1260896f6 cli/show: use decryption policy "auto" by default.
When showing a message, if the user doesn't specify --decrypt= at all,
but a stashed session key is known to notmuch, notmuch should just go
ahead and try to decrypt the message with the session key (without
bothering the user for access to their asymmetric secret key).

The user can disable this at the command line with --decrypt=false if
they really don't want to look at the e-mail that they've asked
notmuch to show them.

And of course, "notmuch show --decrypt" still works for accessing the
user's secret keys if necessary.
2017-12-08 08:08:46 -04:00
Daniel Kahn Gillmor
6802b333eb cli/reply: use decryption policy "auto" by default.
If the user doesn't specify --decrypt= at all, but a stashed session
key is known to notmuch, when replying to an encrypted message,
notmuch should just go ahead and decrypt.

The user can disable this at the command line with --decrypt=false,
though it's not clear why they would ever want to do that.
2017-12-08 08:08:46 -04:00
Daniel Kahn Gillmor
e4890b5bf9 crypto: new decryption policy "auto"
This new automatic decryption policy should make it possible to
decrypt messages that we have stashed session keys for, without
incurring a call to the user's asymmetric keys.
2017-12-08 08:07:53 -04:00
Daniel Kahn Gillmor
798aa789b5 lib: convert notmuch decryption policy to an enum
Future patches in this series will introduce new policies; this merely
readies the way for them.

We also convert --try-decrypt to a keyword argument instead of a boolean.
2017-12-08 08:07:02 -04:00
Daniel Kahn Gillmor
d3964e81ac indexing: Change from try_decrypt to decrypt
The command-line interface for indexing (reindex, new, insert) used
--try-decrypt; and the configuration records used index.try_decrypt.
But by comparison with "show" and "reply", there doesn't seem to be
any reason for the "try" prefix.

This changeset adjusts the command-line interface and the
configuration interface.

For the moment, i've left indexopts_{set,get}_try_decrypt alone.  The
subsequent changeset will address those.
2017-12-08 08:05:53 -04:00
Daniel Kahn Gillmor
9d23ebfcc3 test: session keys are known broken without session key support
If the version of GMime we're building against doesn't support session
key extraction or re-use, mark the tests that rely on session key
capabilities as known-broken.

This should resolve test suite failures on ubuntu trusty and debian
jessie and earlier, which have GMime 2.6.20 -- session key support was
introduced in GMime 2.6.21.
2017-12-05 20:09:25 -04:00
Daniel Kahn Gillmor
6d7249fec9 crypto: Test restore of cleartext index from stashed session keys
If you've got a notmuch dump that includes stashed session keys for
every decrypted message, and you've got your message archive, you
should be able to get back to the same index that you had before.

Here we add a simple test that gives some flavor of how that works.
2017-12-04 21:53:05 -04:00
Daniel Kahn Gillmor
836ec85b0c test/corpora: add an encrypted message for index decryption tests
2017-12-04 21:53:05 -04:00
David Bremner
1e4e8e3bf5 test: unbreak performance tests
In 8e7fb88237 Jani replaced the use of $(pwd -P) to find the
TEST_DIRECTORY in order to better support out of tree
builds. Unfortunately the performance-tests need a different value for
the variable and were thus broken.

This commit splits out the setting of this variable for the two sets
of tests.  Performance tests still don't work out of tree, because
the handling of the downloaded corpus needs to be updated.
2017-12-04 21:04:38 -04:00
Jani Nikula
cf08295c50 test: test notmuch insert --folder=""
Test insert into top level folder.
2017-11-08 09:47:14 -05:00
Jani Nikula
1b91884296 test: fix test database backup/restore location
backup_database() and restore_database() used to store the backups in
the test specific temporary directory, through the current working
directory being there. Commit 8e7fb88237 ("test: use source and
build paths in test-lib-common.sh") started using test specific
backup directories under the build tree test directory. This was in
error. Switch back to the old location, but using paths to the
location instead of relying on current working directory.

Reported by Daniel Kahn Gillmor <dkg@fifthhorseman.net>.
2017-10-29 09:30:30 -07:00
Daniel Kahn Gillmor
8116891744 cli/reindex: add --try-decrypt=(true|false)
Enable override of the index.try_decrypt setting on a per-run basis
when invoking "notmuch reindex".  This allows the possibility of (for
example) an emacs keybinding that adds the cleartext of the currently
shown decrypted message to the index, making it searchable in the
future.

It also enables one-time indexing of all messages matching some query,
like so:

    notmuch reindex tag:encrypted and\
       not property:index.decryption=success and\
       from:alice@example.org

We also update the documentation and tab completion, and add a few
more tests.
2017-10-21 19:58:52 -03:00
Daniel Kahn Gillmor
c5356b9ed5 cli/insert: add --try-decrypt=(true|false)
Enable override of the index.try_decrypt setting on a per-message
basis when invoking "notmuch insert".

We also update the documentation and tab completion, and add more tests.
2017-10-21 19:58:43 -03:00
Daniel Kahn Gillmor
35456d4b0c cli/new: add --try-decrypt=(true|false)
Enable override of the index.try_decrypt setting during "notmuch new"
on a per-invocation basis.

We update the documentation and tab completion, and also add a test.
2017-10-21 19:58:32 -03:00
Daniel Kahn Gillmor
92f318abe4 tests: emacs_fcc_message: allow passing --arguments to notmuch new
Subsequent patches may want to send GNU-style --long-arguments to
notmuch new in the test suite, in particular when invoking
emacs_fcc_message.  This changeset makes that possible.
2017-10-21 19:58:23 -03:00
Jani Nikula
d7929d61a2 test: use source path in add_gnupg_home
Make a distinction between source and build directories.
2017-10-21 16:34:04 -03:00
Jani Nikula
d455c8b74a test: remove --root option and fix TMP_DIRECTORY cleanup
The primary motivation here is to fix TMP_DIRECTORY cleanup prior to
running each test when the current working directory is not the test
subdirectory. Tests with failures would leave their TMP_DIRECTORY
directory behind for debugging, and repeated out-of-tree test runs
would have old temp directories. (This led to e.g. T310-emacs.sh
hanging because emacs would prompt for overwriting files.)

We remove the likely anyway defunct --root test option while at it,
just to be on the safe side when doing 'rm -rf' on the TMP_DIRECTORY.
2017-10-21 11:32:20 -03:00
Jani Nikula
409d877364 test: use source and build paths in T590-thread-breakage.sh
Make a distinction between source and build directories.
2017-10-20 20:50:17 -03:00
Jani Nikula
3c23780396 test: use source and build paths in T480-hex-escaping.sh
Make a distinction between source and build directories.
2017-10-20 20:50:03 -03:00
Jani Nikula
1ab72b13cd test: use source and build paths in T4?0-emacs-*.sh
Make a distinction between source and build directories.
2017-10-20 20:49:50 -03:00
Jani Nikula
e216d9b7ab test: use source and build paths in T380-atomicity.sh
Make a distinction between source and build directories.
2017-10-20 20:49:37 -03:00
Jani Nikula
0364a6d74b test: use source and build paths in T360-symbol-hiding.sh
Make a distinction between source and build directories.
2017-10-20 20:49:26 -03:00
Jani Nikula
bc349ad316 test: use source and build paths in T355-smime.sh
Make a distinction between source and build directories.
2017-10-20 20:49:18 -03:00
Jani Nikula
f6b098b1a6 test: use source and build paths in T310-emacs.sh
Make a distinction between source and build directories.
2017-10-20 19:56:13 -03:00
Jani Nikula
b079133ca8 test: use source and build paths in T260-thread-order.sh
Make a distinction between source and build directories.
2017-10-20 19:55:57 -03:00
Jani Nikula
32c088b524 test: use source and build paths in T160-json.sh and T170-sexp.sh
Make a distinction between source and build directories.
2017-10-20 19:55:49 -03:00
Jani Nikula
fc12f6f07b test: use source and build paths in T000-basic.sh
Make a distinction between source and build directories.
2017-10-20 19:55:41 -03:00
Jani Nikula
a8cd1ec26b test: use source and build paths in notmuch-test
Make a distinction between source and build directories.
2017-10-20 19:55:31 -03:00
Jani Nikula
8dfa116010 test: mkdir and cd to $TMP_DIRECTORY instead of $test for testing
$TMP_DIRECTORY is a full path, while $test is not.
2017-10-20 19:55:10 -03:00
Jani Nikula
8e7fb88237 test: use source and build paths in test-lib-common.sh
Make a distinction between source and build directories.

The expectation is that anyone sourcing test-lib-common.sh has sourced
export-dirs.sh.
2017-10-20 19:54:43 -03:00
Jani Nikula
a9894fce06 test: use source and build paths in test-lib.sh
Make a distinction between source and build directories.
2017-10-20 19:54:08 -03:00
Jani Nikula
1f3c114f08 test: add a script to figure out source and build directories
Expect the tests to be run somewhere in the build directory
hierarchy. Allow for source and build directories to be passed through
the environment.
2017-10-20 19:53:55 -03:00
Jani Nikula
e1bd4f2363 test: check for notmuch binary in test-lib.sh
Move notmuch executable check into common code. Redundant for
notmuch-test runs, but works also for individual tests.
2017-10-20 19:53:31 -03:00
Jani Nikula
a863de1e43 test: use $(dirname "$0") for sourcing test-lib.sh
Don't assume the tests are always run from within the source tree.
2017-10-20 19:52:49 -03:00
Jani Nikula
0dd58ea7e7 build: use NOTMUCH_SRCDIR for referencing notmuch-test
Don't assume the tests are always run from within the source tree.
2017-10-20 19:52:24 -03:00
Jani Nikula
1c2152ce73 test: use corpora/default not corpus in T480-hex-escaping.sh
Turns out round trip tests didn't really round trip anything. Broken
by yours truly in 971cdc72cd ("test: make it possible to have
multiple corpora"). Ooops.
2017-10-20 19:52:14 -03:00
Daniel Kahn Gillmor
ee5df7d7db tests: prepare for more crypto tests (using add_gnupg_home)
Move add_gnupg_home to test-lib.sh to prepare it for reuse.
2017-10-14 10:53:42 -03:00
Jani Nikula
0f314c0c99 cli: convert notmuch_bool_t to stdbool
C99 stdbool turned 18 this year. There really is no reason to use our
own, except in the library interface for backward
compatibility. Convert the cli and test binaries to stdbool.
2017-10-09 22:24:02 -03:00
Jani Nikula
816097f05b hex-xcode: use notmuch_bool_t for boolean arguments
Pedantically correct, although they're the same underlying type.
2017-10-04 22:02:45 -03:00
Jani Nikula
9165df2135 test: expand argument parsing tests
Test and use the new .present field, only output the parameters
given. Test space between parameter name and value.
2017-10-04 22:01:50 -03:00
Jani Nikula
25960b5ecd test: add opt_inherit to arg-test
Just split the arguments to two opt desc arrays.
2017-10-04 22:01:15 -03:00
Jani Nikula
e8cba9da18 test: add boolean argument to arg-test
Surprisingly it's not there.
2017-10-04 22:00:54 -03:00
Jani Nikula
4a6721970a cli: use designated initializers for opt desc
Several changes at once, just to not have to change the same lines
several times over:

- Use designated initializers to initialize opt desc arrays.

- Only initialize the needed fields.

- Remove arg_id (short options) as unused.

- Replace opt_type and output_var with several type safe output
  variables, where the output variable being non-NULL determines the
  type. Introduce checks to ensure only one is set. The downside is
  some waste of const space per argument; this could be saved by
  retaining opt_type and using a union, but that's still pretty
  verbose.

- Fix some variables due to the type safety. Mostly a good thing, but
  leads to some enums being changed to ints. This is pedantically
  correct, but somewhat annoying. We could also cast, but that defeats
  the purpose a bit.

- Terminate the opt desc arrays using {}.

The output variable type safety and the ability to add new fields for
just some output types or arguments are the big wins. For example, if
we wanted to add a variable to set when the argument is present, we
could do so for just the arguments that need it.

Beauty is in the eye of the beholder, but I think this looks nice when
defining the arguments, and reduces some of the verbosity we have
there.
2017-10-04 22:00:42 -03:00
Florian Klink
073d05eec3 T390-python: add test for get_message_parts and special characters
This imports a message with ISO-8859-2 encoded characters, then opens
the database using the python bindings. We peek through all message
parts, afterwards print the message id.

Signed-off-by: Florian Klink <flokli@flokli.de>
Signed-off-by: Andreas Rammhold <andreas@rammhold.de>
2017-10-02 07:21:41 -03:00
Jani Nikula
b2b65b4e6d emacs: sanitize subject in replies
Commit a7964c86d1 ("emacs: Sanitize authors and subjects in search
and show") added sanitization of header information for display. Do
the same for reply subjects.

This fixes the long-standing annoying artefact of certain versions of
mailman using tab as folding whitespace, leading to tabs in reply
subjects.
2017-09-27 08:15:02 -03:00
Jani Nikula
77eb76d9df test: add emacs reply test for subjects with TAB
Expect TABs to be sanitized from the subject line. Known broken.
2017-09-27 08:10:31 -03:00