From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from localhost (localhost [127.0.0.1]) by arlo.cworth.org (Postfix) with ESMTP id 7BF946DE100F for ; Thu, 30 Nov 2017 01:00:03 -0800 (PST) X-Virus-Scanned: Debian amavisd-new at cworth.org X-Spam-Flag: NO X-Spam-Score: -0.015 X-Spam-Level: X-Spam-Status: No, score=-0.015 tagged_above=-999 required=5 tests=[AWL=-0.015] autolearn=disabled Received: from arlo.cworth.org ([127.0.0.1]) by localhost (arlo.cworth.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EOZB1xVx5iD9 for ; Thu, 30 Nov 2017 00:59:59 -0800 (PST) Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118]) by arlo.cworth.org (Postfix) with ESMTPS id 654046DE0318 for ; Thu, 30 Nov 2017 00:59:57 -0800 (PST) Received: from fifthhorseman.net (ool-6c3a0662.static.optonline.net [108.58.6.98]) by che.mayfirst.org (Postfix) with ESMTPSA id A90C1F99B for ; Thu, 30 Nov 2017 03:59:56 -0500 (EST) Received: by fifthhorseman.net (Postfix, from userid 1000) id E329F20C73; Thu, 30 Nov 2017 03:59:52 -0500 (EST) From: Daniel Kahn Gillmor To: Notmuch Mail Subject: [PATCH v2 04/21] crypto: use stashed session-key properties for decryption, if available Date: Thu, 30 Nov 2017 03:59:29 -0500 Message-Id: <20171130085946.11332-5-dkg@fifthhorseman.net> X-Mailer: git-send-email 2.15.0 In-Reply-To: <20171130085946.11332-1-dkg@fifthhorseman.net> References: <20171130085946.11332-1-dkg@fifthhorseman.net> X-BeenThere: notmuch@notmuchmail.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Use and development of the notmuch mail system." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 30 Nov 2017 09:00:03 -0000 When doing any decryption, if the notmuch database knows of any session keys associated with the message in question, try them before defaulting to using default symmetric crypto. This changeset does the primary work in _notmuch_crypto_decrypt, which grows some new parameters to handle it. The primary advantage this patch offers is a significant speedup when rendering large encrypted threads ("notmuch show") if session keys happen to be cached. Additionally, it permits message composition without access to asymmetric secret keys ("notmuch reply"); and it permits recovering a cleartext index when reindexing after a "notmuch restore" for those messages that already have a session key stored. Note that we may try multiple decryptions here (e.g. if there are multiple session keys in the database), but we will ignore and throw away all the GMime errors except for those that come from last decryption attempt. Since we don't necessarily know at the time of the decryption that this *is* the last decryption attempt, we'll ask for the errors each time anyway. This does nothing if no session keys are stashed in the database, which is fine. Actually stashing session keys in the database will come as a subsequent patch. --- doc/man7/notmuch-properties.rst | 31 +++++++++++++++++++++++++++++++ lib/index.cc | 2 +- mime-node.c | 13 ++++++++++--- util/crypto.c | 39 ++++++++++++++++++++++++++++++++++++++- util/crypto.h | 3 ++- 5 files changed, 82 insertions(+), 6 deletions(-) diff --git a/doc/man7/notmuch-properties.rst b/doc/man7/notmuch-properties.rst index 68121359..49602b73 100644 --- a/doc/man7/notmuch-properties.rst +++ b/doc/man7/notmuch-properties.rst @@ -74,6 +74,35 @@ of its normal activity. **notmuch-config(1)**), then this property will not be set on that message. +**session-key** + + When **notmuch-show(1)** or **nomtuch-reply** encounters a message + with an encrypted part and ``--decrypt`` is set, if notmuch finds a + ``session-key`` property associated with the message, it will try + that stashed session key for decryption. + + Using a stashed session key with "notmuch show" will speed up + rendering of long encrypted threads. It also allows the user to + destroy the secret part of any expired encryption-capable subkey + while still being able to read any retained messages for which + they have stashed the session key. This enables truly deletable + e-mail, since (once the session key and asymmetric subkey are both + destroyed) there are no keys left that can be used to decrypt any + copy of the original message previously stored by an adversary. + + However, access to the stashed session key for an encrypted message + permits full byte-for-byte reconstruction of the cleartext + message. This includes attachments, cryptographic signatures, and + other material that cannot be reconstructed from the index alone. + + The session key should be in the ASCII text form produced by + GnuPG. For OpenPGP, that consists of a decimal representation of + the hash algorithm used (identified by number from RFC 4880, + e.g. 9 means AES-256) followed by a colon, followed by a + hexidecimal representation of the algorithm-specific key. For + example, an AES-128 key might be stashed in a notmuch property as: + ``session-key=7:14B16AF65536C28AF209828DFE34C9E0``. + SEE ALSO ======== @@ -83,5 +112,7 @@ SEE ALSO **notmuch-insert(1)**, **notmuch-new(1)**, **notmuch-reindex(1)**, +**notmuch-reply(1)**, **notmuch-restore(1)**, +**notmuch-show(1)**, ***notmuch-search-terms(7)** diff --git a/lib/index.cc b/lib/index.cc index 19d03456..6eb60f30 100644 --- a/lib/index.cc +++ b/lib/index.cc @@ -548,7 +548,7 @@ _index_encrypted_mime_part (notmuch_message_t *message, } } #endif - clear = _notmuch_crypto_decrypt (crypto_ctx, encrypted_data, NULL, &err); + clear = _notmuch_crypto_decrypt (message, crypto_ctx, encrypted_data, NULL, &err); if (err) { _notmuch_database_log (notmuch, "Failed to decrypt during indexing. (%d:%d) [%s]\n", err->domain, err->code, err->message); diff --git a/mime-node.c b/mime-node.c index ae3ebef6..daaae9f8 100644 --- a/mime-node.c +++ b/mime-node.c @@ -198,9 +198,16 @@ node_decrypt_and_verify (mime_node_t *node, GMimeObject *part, GMimeDecryptResult *decrypt_result = NULL; GMimeMultipartEncrypted *encrypteddata = GMIME_MULTIPART_ENCRYPTED (part); - node->decrypt_attempted = true; - if (! node->decrypted_child) - node->decrypted_child = _notmuch_crypto_decrypt (cryptoctx, encrypteddata, &decrypt_result, &err); + if (! node->decrypted_child) { + mime_node_t *parent; + for (parent = node; parent; parent = parent->parent) + if (parent->envelope_file) + break; + + node->decrypt_attempted = true; + node->decrypted_child = _notmuch_crypto_decrypt (parent ? parent->envelope_file : NULL, + cryptoctx, encrypteddata, &decrypt_result, &err); + } if (! node->decrypted_child) { fprintf (stderr, "Failed to decrypt part: %s\n", err ? err->message : "no error explanation given"); diff --git a/util/crypto.c b/util/crypto.c index 087536ec..476f1879 100644 --- a/util/crypto.c +++ b/util/crypto.c @@ -140,13 +140,50 @@ void _notmuch_crypto_cleanup (unused(_notmuch_crypto_t *crypto)) #endif GMimeObject * -_notmuch_crypto_decrypt (g_mime_3_unused(GMimeCryptoContext* crypto_ctx), +_notmuch_crypto_decrypt (notmuch_message_t *message, + g_mime_3_unused(GMimeCryptoContext* crypto_ctx), GMimeMultipartEncrypted *part, GMimeDecryptResult **decrypt_result, GError **err) { GMimeObject *ret = NULL; + /* the versions of notmuch that can support session key decryption */ +#if HAVE_GMIME_SESSION_KEYS + if (message) { + notmuch_message_properties_t *list = NULL; + + for (list = notmuch_message_get_properties (message, "session-key", TRUE); + notmuch_message_properties_valid (list); notmuch_message_properties_move_to_next (list)) { + if (err && *err) { + g_error_free (*err); + *err = NULL; + } +#if (GMIME_MAJOR_VERSION < 3) + ret = g_mime_multipart_encrypted_decrypt_session (part, + crypto_ctx, + notmuch_message_properties_value (list), + decrypt_result, err); +#else + ret = g_mime_multipart_encrypted_decrypt (part, + GMIME_DECRYPT_NONE, + notmuch_message_properties_value (list), + decrypt_result, err); +#endif + if (ret) + break; + } + if (list) + notmuch_message_properties_destroy (list); + if (ret) + return ret; + } +#endif + + if (err && *err) { + g_error_free (*err); + *err = NULL; + } #if (GMIME_MAJOR_VERSION < 3) ret = g_mime_multipart_encrypted_decrypt(part, crypto_ctx, decrypt_result, err); diff --git a/util/crypto.h b/util/crypto.h index d68634f3..0c62ac70 100644 --- a/util/crypto.h +++ b/util/crypto.h @@ -16,7 +16,8 @@ typedef struct _notmuch_crypto { } _notmuch_crypto_t; GMimeObject * -_notmuch_crypto_decrypt (GMimeCryptoContext* crypto_ctx, +_notmuch_crypto_decrypt (notmuch_message_t *message, + GMimeCryptoContext* crypto_ctx, GMimeMultipartEncrypted *part, GMimeDecryptResult **decrypt_result, GError **err); -- 2.15.0