From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Notmuch Mail <notmuch@notmuchmail.org>
Subject: [PATCH 1/4] util/crypto: _notmuch_message_crypto: tracks message-wide crypto state
Date: Wed, 24 Apr 2019 14:31:10 -0400 [thread overview]
Message-ID: <20190424183113.29242-2-dkg@fifthhorseman.net> (raw)
In-Reply-To: <20190424183113.29242-1-dkg@fifthhorseman.net>
E-mail encryption and signatures reported by notmuch are at the MIME
part level. This makes sense in the dirty details, but for users we
need to have a per-message conception of the cryptographic state of
the e-mail. (see
https://dkg.fifthhorseman.net/blog/e-mail-cryptography.html for more
discussion of why this is important).
The object created in this patch is a useful for tracking the
cryptographic state of the underlying message as a whole, based on a
depth-first search of the message's MIME structure.
This object stores a signature list of the message, but we don't
handle it yet. Further patches in this series will make use of the
signature list.
---
util/crypto.c | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++
util/crypto.h | 65 +++++++++++++++++++++++++++++++++++++
2 files changed, 154 insertions(+)
diff --git a/util/crypto.c b/util/crypto.c
index 9d3b6dad..9512fd67 100644
--- a/util/crypto.c
+++ b/util/crypto.c
@@ -219,3 +219,92 @@ _notmuch_crypto_decrypt (bool *attempted,
#endif
return ret;
}
+
+
+static int
+_notmuch_message_crypto_cleanup (_notmuch_message_crypto_t *msg_crypto)
+{
+ if (!msg_crypto)
+ return 0;
+ if (msg_crypto->sig_list)
+ g_object_unref (msg_crypto->sig_list);
+ return 0;
+}
+
+_notmuch_message_crypto_t *
+_notmuch_message_crypto_new (void *ctx)
+{
+ _notmuch_message_crypto_t *ret = talloc_zero (ctx, _notmuch_message_crypto_t);
+ talloc_set_destructor (ret, _notmuch_message_crypto_cleanup);
+ return ret;
+}
+
+
+notmuch_status_t
+_notmuch_message_crypto_potential_sig_list (_notmuch_message_crypto_t *msg_crypto, GMimeSignatureList *sigs)
+{
+ if (!msg_crypto)
+ return NOTMUCH_STATUS_NULL_POINTER;
+
+ /* Signatures that arrive after a payload part during DFS are not
+ * part of the cryptographic envelope: */
+ if (msg_crypto->payload_encountered)
+ return NOTMUCH_STATUS_SUCCESS;
+
+ if (msg_crypto->sig_list)
+ g_object_unref (msg_crypto->sig_list);
+
+ msg_crypto->sig_list = sigs;
+ if (sigs)
+ g_object_ref (sigs);
+
+ if (msg_crypto->decryption_status == NOTMUCH_MESSAGE_DECRYPTED_FULL)
+ msg_crypto->signature_encrypted = true;
+
+ return NOTMUCH_STATUS_SUCCESS;
+}
+
+
+notmuch_status_t
+_notmuch_message_crypto_potential_payload (_notmuch_message_crypto_t *msg_crypto, GMimeObject *payload, GMimeObject *parent, int childnum)
+{
+ if (!msg_crypto || !payload)
+ return NOTMUCH_STATUS_NULL_POINTER;
+
+ /* only fire on the first payload part encountered */
+ if (msg_crypto->payload_encountered)
+ return NOTMUCH_STATUS_SUCCESS;
+
+ /* the first child of multipart/encrypted that matches the
+ * encryption protocol should be "control information" metadata,
+ * not payload. So we skip it. (see
+ * https://tools.ietf.org/html/rfc1847#page-8) */
+ if (parent && GMIME_IS_MULTIPART_ENCRYPTED (parent) && childnum == GMIME_MULTIPART_ENCRYPTED_VERSION) {
+ const char *enc_type = g_mime_object_get_content_type_parameter (parent, "protocol");
+ GMimeContentType *ct = g_mime_object_get_content_type (payload);
+ if (ct && enc_type) {
+ const char *part_type = g_mime_content_type_to_string (ct);
+ if (part_type && strcmp (part_type, enc_type) == 0)
+ return NOTMUCH_STATUS_SUCCESS;
+ }
+ }
+
+ msg_crypto->payload_encountered = true;
+
+ return NOTMUCH_STATUS_SUCCESS;
+}
+
+
+notmuch_status_t
+_notmuch_message_crypto_successful_decryption (_notmuch_message_crypto_t *msg_crypto)
+{
+ if (!msg_crypto)
+ return NOTMUCH_STATUS_NULL_POINTER;
+
+ if (!msg_crypto->payload_encountered)
+ msg_crypto->decryption_status = NOTMUCH_MESSAGE_DECRYPTED_FULL;
+ else if (msg_crypto->decryption_status == NOTMUCH_MESSAGE_DECRYPTED_NONE)
+ msg_crypto->decryption_status = NOTMUCH_MESSAGE_DECRYPTED_PARTIAL;
+
+ return NOTMUCH_STATUS_SUCCESS;
+}
diff --git a/util/crypto.h b/util/crypto.h
index 1a90f0e0..c09c136e 100644
--- a/util/crypto.h
+++ b/util/crypto.h
@@ -38,6 +38,71 @@ _notmuch_crypto_get_gmime_ctx_for_protocol (_notmuch_crypto_t *crypto,
void
_notmuch_crypto_cleanup (_notmuch_crypto_t *crypto);
+/* The user probably wants to know if the entire message was in the
+ * clear. When replying, the MUA probably wants to know whether there
+ * was any part decrypted in the message. And when displaying to the
+ * user, we probably only want to display "encrypted message" if the
+ * entire message was covered by encryption. */
+typedef enum {
+ NOTMUCH_MESSAGE_DECRYPTED_NONE = 0,
+ NOTMUCH_MESSAGE_DECRYPTED_PARTIAL,
+ NOTMUCH_MESSAGE_DECRYPTED_FULL,
+} _notmuch_message_decryption_status_t;
+
+/* description of the cryptographic state of a given message overall;
+ * for use by simple user agents.
+ */
+typedef struct _notmuch_message_crypto {
+ /* encryption status: partial, full, none */
+ _notmuch_message_decryption_status_t decryption_status;
+ /* FIXME: can we show what key(s) a fully-encrypted message was
+ * encrypted to? This data is not necessarily cryptographically
+ * reliable; even when we decrypt, we might not know which public
+ * key was used (e.g. if we're using a session key). */
+
+ /* signature status of the whole message (either the whole message
+ * is signed, or it is not) -- this means that partially-signed
+ * messages will get no signature status. */
+ GMimeSignatureList * sig_list;
+ /* if part of the message was signed, and the MUA is clever, it
+ * can determine on its own exactly which part and try to make
+ * more sense of it. */
+
+ /* mark this flag once we encounter a payload (i.e. something that
+ * is not part of the cryptographic envelope) */
+ bool payload_encountered;
+
+ /* if both signed and encrypted, was the signature encrypted? */
+ bool signature_encrypted;
+} _notmuch_message_crypto_t;
+
+
+/* _notmuch_message_crypto_t objects should be released with
+ * talloc_free (), or they will be released along with their parent
+ * context.
+ */
+_notmuch_message_crypto_t *
+_notmuch_message_crypto_new (void *ctx);
+
+/* call potential_sig_list during a depth-first-search on a message to
+ * consider a particular signature as relevant for the message.
+ */
+notmuch_status_t
+_notmuch_message_crypto_potential_sig_list (_notmuch_message_crypto_t *msg_crypto, GMimeSignatureList *sigs);
+
+/* call successful_decryption during a depth-first-search on a message
+ * to indicate that a part was successfully decrypted.
+ */
+notmuch_status_t
+_notmuch_message_crypto_successful_decryption (_notmuch_message_crypto_t *msg_crypto);
+
+/* call potential_payload during a depth-first-search on a message
+ * when encountering a message part that is not part of the envelope.
+ */
+notmuch_status_t
+_notmuch_message_crypto_potential_payload (_notmuch_message_crypto_t *msg_crypto, GMimeObject *payload, GMimeObject *parent, int childnum);
+
+
#ifdef __cplusplus
}
#endif
--
2.20.1
next prev parent reply other threads:[~2019-04-24 18:31 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-24 18:31 Easing access to the cryptographic envelope Daniel Kahn Gillmor
2019-04-24 18:31 ` Daniel Kahn Gillmor [this message]
2019-04-24 18:31 ` [PATCH 2/4] cli: expose message-wide crypto status from mime-node Daniel Kahn Gillmor
2019-04-24 18:31 ` [PATCH 3/4] mime-node: track whole-message crypto state while walking the tree Daniel Kahn Gillmor
2019-04-24 18:31 ` [PATCH 4/4] cli/show: emit new whole-message crypto status output Daniel Kahn Gillmor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://notmuchmail.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190424183113.29242-2-dkg@fifthhorseman.net \
--to=dkg@fifthhorseman.net \
--cc=notmuch@notmuchmail.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://yhetil.org/notmuch.git/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).