Commit graph

56 commits

Author SHA1 Message Date
Daniel Kahn Gillmor
54982e520c fix typos 2018-01-04 20:35:58 -04:00
David Bremner
040c3236af Merge branch 'release'
Conflicts:
        NEWS

Add in NEWS from point release
2017-12-08 22:19:06 -04:00
Daniel Kahn Gillmor
cb855d8a9d crypto: signature verification reports valid User IDs
When i'm trying to understand a message signature, i care that i know
who it came from (the "validity" of the identity associated with the
key), *not* whether i'm willing to accept the keyholder's other
identity assertions (the "trust" associated with the certificate).

We've been reporting User ID information based on the "trust"
associated with the certificate, because GMime didn't clearly expose
the validity of the User IDs.

This change relies on fixes made in GMime 3.0.3 and later which
include https://github.com/jstedfast/gmime/pull/18.
2017-12-08 20:35:18 -04:00
Daniel Kahn Gillmor
fccebbaeef crypto: add --decrypt=nostash to avoid stashing session keys
Here's the configuration choice for people who want a cleartext index,
but don't want stashed session keys.

Interestingly, this "nostash" decryption policy is actually the same
policy that should be used by "notmuch show" and "notmuch reply",
since they never modify the index or database when they are invoked
with --decrypt.

We take advantage of this parallel to tune the behavior of those
programs so that we're not requesting session keys from GnuPG during
"show" and "reply" that we would then otherwise just throw away.
2017-12-08 08:08:47 -04:00
Daniel Kahn Gillmor
29648a137c crypto: actually stash session keys when decrypt=true
If you're going to store the cleartext index of an encrypted message,
in most situations you might just as well store the session key.
Doing this storage has efficiency and recoverability advantages.

Combined with a schedule of regular OpenPGP subkey rotation and
destruction, this can also offer security benefits, like "deletable
e-mail", which is the store-and-forward analog to "forward secrecy".

But wait, i hear you saying, i have a special need to store cleartext
indexes but it's really bad for me to store session keys!  Maybe
(let's imagine) i get lots of e-mails with incriminating photos
attached, and i want to be able to search for them by the text in the
e-mail, but i don't want someone with access to the index to be
actually able to see the photos themselves.

Fret not, the next patch in this series will support your wacky
uncommon use case.
2017-12-08 08:08:47 -04:00
Daniel Kahn Gillmor
d137170b23 crypto: record whether an actual decryption attempt happened
In our consolidation of _notmuch_crypto_decrypt, the callers lost
track a little bit of whether any actual decryption was attempted.

Now that we have the more-subtle "auto" policy, it's possible that
_notmuch_crypto_decrypt could be called without having any actual
decryption take place.

This change lets the callers be a little bit smarter about whether or
not any decryption was actually attempted.
2017-12-08 08:08:46 -04:00
Daniel Kahn Gillmor
e4890b5bf9 crypto: new decryption policy "auto"
This new automatic decryption policy should make it possible to
decrypt messages that we have stashed session keys for, without
incurring a call to the user's asymmetric keys.
2017-12-08 08:07:53 -04:00
Daniel Kahn Gillmor
798aa789b5 lib: convert notmuch decryption policy to an enum
Future patches in this series will introduce new policies; this merely
readies the way for them.

We also convert --try-decrypt to a keyword argument instead of a boolean.
2017-12-08 08:07:02 -04:00
Daniel Kahn Gillmor
a990585408 crypto: use stashed session-key properties for decryption, if available
When doing any decryption, if the notmuch database knows of any
session keys associated with the message in question, try them before
defaulting to using default symmetric crypto.

This changeset does the primary work in _notmuch_crypto_decrypt, which
grows some new parameters to handle it.

The primary advantage this patch offers is a significant speedup when
rendering large encrypted threads ("notmuch show") if session keys
happen to be cached.

Additionally, it permits message composition without access to
asymmetric secret keys ("notmuch reply"); and it permits recovering a
cleartext index when reindexing after a "notmuch restore" for those
messages that already have a session key stored.

Note that we may try multiple decryptions here (e.g. if there are
multiple session keys in the database), but we will ignore and throw
away all the GMime errors except for those that come from last
decryption attempt.  Since we don't necessarily know at the time of
the decryption that this *is* the last decryption attempt, we'll ask
for the errors each time anyway.

This does nothing if no session keys are stashed in the database,
which is fine.  Actually stashing session keys in the database will
come as a subsequent patch.
2017-12-04 21:48:31 -04:00
Daniel Kahn Gillmor
5f2832ae21 crypto: add _notmuch_crypto_decrypt wrapper function
We will use this centralized function to consolidate the awkward
behavior around different gmime versions.

It's only invoked from two places: mime-node.c's
node_decrypt_and_verify() and lib/index.cc's
_index_encrypted_mime_part().

However, those two places have some markedly distinct logic, so the
interface for this _notmuch_crypto_decrypt function is going to get a
little bit clunky.  It's worthwhile, though, for the sake of keeping
these #if directives reasonably well-contained.
2017-12-04 21:39:24 -04:00
Daniel Kahn Gillmor
a18bbf7f15 crypto: make shared crypto code behave library-like
If we're going to reuse the crypto code across both the library and
the client, then it needs to report error states properly and not
write to stderr.
2017-10-20 07:58:20 -03:00
Daniel Kahn Gillmor
197d67959b crypto: move into libnotmuch_util
This prepares us for using the crypto object in both libnotmuch and
the client.
2017-10-20 07:58:10 -03:00
Daniel Kahn Gillmor
bcd6229d26 gmime-extra: drop compat layer for g_mime_multipart_encrypted_decrypt
In practice, we're going to see this function invoked differently
depending on which gmime we build against.  The compatibility layer
forces our code into the lowest-common-denominator -- unable to make
use of new features even when built against a newer version.

Dropping the compatibility layer paves the way for clearer use of
features from GMime 3.0 in future commits.
2017-10-14 10:57:06 -03:00
Daniel Kahn Gillmor
30e33dfdd1 gmime-extra: remove duplicate GMimeAddressType typedef
"typedef GMimeAddressType GMimeRecipientType" is already present
further down in the compatibility wrapper (with other typedefs).  We
don't need it twice.
2017-10-12 22:12:32 -03:00
David Bremner
10071f8b50 cppcheck: call va_end in _internal_error
fix for:
    util/error_util.c:38: error: va_list 'va_args' was opened but not
    closed by va_end()

This makes the code more copy-pastable, if nothing else
2017-08-30 07:12:13 -03:00
Yuri Volchkov
cec4a87539 database: move striping of trailing '/' into helper function
Stripping trailing character is not that uncommon
operation. Particularly, the next patch has to perform it as
well. Lets move it to the separate function to avoid code duplication.

Also the new function has a little improvement: if the character to
strip is repeated several times in the end of a string, function
strips them all.

Signed-off-by: Yuri Volchkov <yuri.volchkov@gmail.com>
2017-08-22 18:47:51 -03:00
David Bremner
d2c3a0a3a8 util: make g_mime_utils_header_decode_date_unix match prototype
The problem shows up on 32 bit architectures where sizeof(time_t) !=
sizeof(gint64).  Upcasting the 32 bit time_t to a 64 bit integer
should hopefully be safe.
2017-07-17 08:47:18 -03:00
David Bremner
606e320e47 cli/crypto: eliminated compiler warnings about unused arguments
These are due to (excessively?) fancy macro definitions in gmime-extra.h
2017-07-15 21:42:49 -03:00
Daniel Kahn Gillmor
f76a245009 clean up use of constants in g_mime_multipart_ wrappers
When compiling as C code (instead of C++) against gmime 3.0, gcc gives
errors like the following:

    error: invalid conversion from ‘int’ to ‘GMimeDecryptFlags’ [-fpermissive]

so use explicit *_NONE values instead.
2017-07-14 21:23:52 -03:00
David Bremner
cd853915ec cli: wrap getting uid
Apparently it moved from "name" to "key_id" in gmime-3.0
2017-07-14 21:23:52 -03:00
David Bremner
2b3224a6c4 cli: make keyid from fingerprint in gmime 3.0
The "key_id" field seems to used for userid in gmime-3.0, while the
keyid is dropped in the fingerprint field if the full fingerprint is
not available.
2017-07-14 21:23:52 -03:00
David Bremner
4ce7591610 lib: paper over allocation difference
In gmime 3.0 this function is "transfer none", so no deallocation is
needed (or permitted)
2017-07-14 21:23:52 -03:00
David Bremner
c040464a7c lib: wrap use of g_mime_utils_header_decode_date
This changes return type in gmime 3.0
2017-07-14 21:23:52 -03:00
David Bremner
fd6e4a9953 cli: hide rename of GMimeCertificateTrust
Both the enum and the values are renamed in GMime 3.0.
2017-07-14 21:23:52 -03:00
David Bremner
c7b9bdb81e cli: generalize use of GMIME_SIGNATURE_{ERROR,STATUS} to gmime-3
The ERROR enum is merged into to the STATUS enum, and the set of flags
is different.
2017-07-14 21:23:52 -03:00
David Bremner
f4a989484f util: fake gmime-2.6 compatible API for gmime-3.0
Several functions have added arguments which accept NULL and provide
hopefully sensible defaults. Use macros to minimize source changes.
2017-07-14 17:58:09 -03:00
David Bremner
32819f74d3 cli: replace use of g_mime_message_get_recipients
This function, and associated enum, have been renamed and generalized
in gmime-3.0.
2017-07-14 17:58:09 -03:00
David Bremner
cbb2d5608e lib/cli: replace use of g_mime_message_get_sender
This function changes semantics in gmime-3.0 so make a new function
that provides the same functionality in both
2017-07-14 17:58:09 -03:00
David Bremner
d7fea36916 cli: replace use of g_mime_message_get_reply_to
This function changes signature in gmime 3.0, so we provide two new
functions, one for each signature.
2017-07-14 17:58:09 -03:00
David Bremner
67dbd24ece cli: replace use of g_mime_message_get_date_as_string
This function goes away in gmime-3.0. Also, the memory management is
apparently error prone, witness the memory leak in notmuch-reply.
2017-07-14 17:58:09 -03:00
David Bremner
1e7dbf7abc util: convenience function to create gmime stream for stdout
It turns out that our use of GMimeStreamPipe has only succeeded
because gmime has been ignoring some seek failures; this will no
longer be the case in gmime 3.0, so we use a GMimeStreamPipe, which
does not assume seekability, wrapped in a buffering stream.
2017-05-30 09:01:46 -03:00
David Bremner
c39f6361d0 rename libutil.a to libnotmuch_util.a
Apparently some systems (MacOS?) have a system library called libutil
and the name conflict causes problems. Since this library is quite
notmuch specific, rename it to something less generic.
2017-03-18 21:37:43 -03:00
Jani Nikula
5a957c3f33 build & util: drop byte order configure check and endian util header
With the removal of the embedded libsha1, we lost the first and last
user of the platform byte order checks. Remove them from configure,
and remove the endian util header.
2017-01-08 10:50:49 -04:00
Daniel Kahn Gillmor
6a833a6e83 Use https instead of http where possible
Many of the external links found in the notmuch source can be resolved
using https instead of http.  This changeset addresses as many as i
could find, without touching the e-mail corpus or expected outputs
found in tests.
2016-06-05 08:32:17 -03:00
Jani Nikula
bcb695a716 util: add strcmp_null, a strcmp that handles NULL parameters
Add strcmp_null, a strcmp that handles NULL strings; in strcmp terms a
NULL string is considered to be less than a non-NULL string.
2015-09-26 07:37:35 -03:00
Jani Nikula
f460ad4e9a util: move strcase_equal and strcase_hash to util
For future use in both cli and lib.
2015-09-07 09:43:31 -03:00
Jani Nikula
ad5c017b69 hex-escape: remove unused variable default_buf_size
Found by clang:

CC  -O2 util/hex-escape.o
util/hex-escape.c:28:21: warning: unused variable 'default_buf_size'
      [-Wunused-const-variable]
static const size_t default_buf_size = 1024;
                    ^
1 warning generated.
2014-10-05 07:30:46 +02:00
Austin Clements
9f0f30f7de util: Const version of strtok_len
Because of limitations in the C type system, we can't a strtok_len
that can work on both const string and non-const strings.  The C
library solves this by taking a const char* and returning a char*
in functions like this (e.g., strchr), but that's not const-safe.
Solve it by introducing strtok_len_c, a version of strtok_len for
const strings.
2014-08-06 09:56:36 -03:00
Austin Clements
a5a47dab87 util: Make string-util.h C++-compatible 2014-07-31 07:11:25 -03:00
David Bremner
85d9219a62 util: add gz_readline
The idea is to provide a more or less drop in replacement for readline
to read from zlib/gzip streams.  Take the opportunity to replace
malloc with talloc.
2014-04-12 07:59:44 -03:00
Austin Clements
3fed6736a7 util: Fix two corner-cases in boolean term quoting function
Previously, make_boolean_term did not quote empty boolean terms or
boolean terms that started with '('.  These cases are incompatible
with Xapian: empty terms cannot be omitted, and boolean terms that
start with '(' trigger an alternate term quoting syntax.

Fix this by quoting empty terms and terms that contain '('.
2014-03-15 15:05:06 -03:00
Jani Nikula
029790d3ff util: make sanitize string available in string util for reuse
No functional changes.
2014-03-09 10:13:30 -03:00
David Bremner
b9f0e6923d util: detect byte order
Unfortunately old versions of GCC and clang do not provide byte order
macros, so we re-invent them.

If UTIL_BYTE_ORDER is not defined or defined to 0, we fall back to
macros supported by recent versions of GCC and clang
2013-11-27 07:43:29 -04:00
Austin Clements
b4b22d3714 string-util: Disallow empty prefixes in parse_boolean_term
Xapian doesn't consider ":abc" to be a prefixed term.  This makes
parse_boolean_term similarly reject queries with an empty prefix.
2013-01-07 20:55:21 -04:00
Austin Clements
7c3a995d6b util: Function to parse boolean term queries
This parses the subset of Xapian's boolean term quoting rules that are
used by make_boolean_term.  This is provided as a generic string
utility, but will be used shortly in notmuch restore to parse and
optimize for ID queries.
2013-01-06 22:39:51 -04:00
Austin Clements
25cf5f5dc4 util: Factor out boolean term quoting routine
This is now a generic boolean term quoting function.  It performs
minimal quoting to produce user-friendly queries.

This could live in tag-util as well, but it is really nothing specific
to tags (although the conventions are specific to Xapian).

The API is changed from "caller-allocates" to "readline-like".  The
scan for max tag length is pushed down into the quoting routine.
Furthermore, this now combines the term prefix with the quoted term;
arguably this is just as easy to do in the caller, but this will
nicely parallel the boolean term parsing function to be introduced
shortly.

This is an amalgamation of code written by David Bremner and myself.
2013-01-06 22:39:36 -04:00
David Bremner
0cfb8a24dc util: add talloc-extra.[ch]
These are intended to be simple wrappers to provide slightly better
debugging information than what talloc currently provides natively.
2012-12-30 21:12:11 -04:00
David Bremner
9ff72a83bd util: add string-util.[ch]
This is to give a home to strtok_len. It's a bit silly to add a header
for one routine, but it needs to be shared between several compilation
units (or at least that's the most natural design).
2012-12-08 10:56:11 -04:00
David Bremner
902f2e19bd hex-escape: (en|de)code strings to/from restricted character set
The character set is chosen to be suitable for pathnames, and the same
as that used by contrib/nmbug

[With additions by Jani Nikula]
2012-12-02 09:14:59 -04:00
Justus Winter
2f40ca28a4 Annotate internal_error with the attribute noreturn
Annotating functions that do not return with the noreturn attribute
(which is understood by both gcc and clang) prevents static analyzers
from generating false positives (internal_error is used to terminate
the process and is used extensively in error handling code paths).

Remove the return statement that was placed there to appease the
compiler. Functions annotated with noreturn are not supposed to return
any values.

Signed-off-by: Justus Winter <4winter@informatik.uni-hamburg.de>
2012-09-27 12:52:06 -03:00