thread-based email index, search, and tagging https://git.notmuchmail.org/git/notmuch/atom?h=0.29_rc0 2019-05-29T11:17:33Z 2019-05-29T11:17:33Z Daniel Kahn Gillmor dkg@fifthhorseman.net 2019-05-26T22:16:10Z urn:sha1:1c704dd22d81b2d6307125d47cc895127f8e34c9 Protected subject lines were being emitted in reply when the cleartext of documents was indexed. create_reply_message() was pulling the subject line from the index, rather than pulling it from the GMimeMessage object that it already has on hand. This one-line fix to notmuch-reply.c solves that problem, and doesn't cause any additional tests to fail. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2019-05-29T11:17:20Z Daniel Kahn Gillmor dkg@fifthhorseman.net 2019-05-26T22:16:09Z urn:sha1:06dedd0a8365ee4b71f730651e00b1098369f9b9 These tests are currently broken! When a protected subject is indexed in the clear, it leaks in the reply headers :( For emacs, we set up separate tests for when the protected header is indexed in the clear and when it is unindexed. neither case should leak, but the former wasn't tested yet. We will fix the two broken tests in a subsequent patch. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2019-05-29T11:15:28Z Daniel Kahn Gillmor dkg@fifthhorseman.net 2019-05-26T22:16:06Z urn:sha1:809a34a8708706728e4f1f00367e1dae98cd0d2d We want to make sure that internally-forwarded messages don't end up "bubbling up" when they aren't actually the cryptographic payload. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2019-05-29T11:15:18Z Daniel Kahn Gillmor dkg@fifthhorseman.net 2019-05-26T22:16:05Z urn:sha1:bfed02bb0b2ce5cb8303a6ef6a1a927f99356696 This test scans for all the possible protected headers (including bogus/broken ones) that are present in the protected-headers corpus, trying to make sure that only the ones that are not broken or malformed show up in a search after re-indexing. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2019-05-29T11:14:57Z Daniel Kahn Gillmor dkg@fifthhorseman.net 2019-05-26T22:16:04Z urn:sha1:b36248a26eb54fe8c162c7f54d34c343a94265f1 Up to this point, we've tested protected headers on messages that have either been encrypted or signed, but not both. This adds a couple tests of signed+encrypted messages, one where the subject line is masked (outside subject line is "Subject Unavailable") and another where it is not (outside Subject: matches inner Subject:) See the discussion at https://dkg.fifthhorseman.net/blog/e-mail-cryptography.html#protected-headers for more details about the nuances between signed, stripped, and stubbed headers. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2019-05-29T11:14:44Z Daniel Kahn Gillmor dkg@fifthhorseman.net 2019-05-27T22:40:28Z urn:sha1:5c3a44681f2fffbd3a7d76e424c134a82470ddd2 When indexing the cleartext of an encrypted message, record any protected subject in the database, which should make it findable and visible in search. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2019-05-29T11:14:32Z Daniel Kahn Gillmor dkg@fifthhorseman.net 2019-05-26T22:16:02Z urn:sha1:b7b553e732baed620f6688570829a4d46dd5f6e5 Now that we can decrypt headers, we want to make sure that clients using "notmuch reply" to prepare a reply don't leak cleartext in their subject lines. In particular, the ["reply-headers"]["Subject"] should by default show the external Subject. A replying MUA that intends to protect the Subject line should show the user the Subject from ["original"]["headers"]["Subject"] instead of using ["reply-headers"]["Subject"]. This minor asymmetry with "notmuch show" is intentional. While both tools always render the cleartext subject line when they know it (in ["headers"]["Subject"] for "notmuch show" and in ["original"]["headers"]["Subject"] for "notmuch reply"), "notmuch reply" should never leak something that should stay under encrypted cover in "reply-headers". Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2019-05-29T11:13:06Z Daniel Kahn Gillmor dkg@fifthhorseman.net 2019-05-26T22:16:01Z urn:sha1:996ef5710cd5b9a5de6394018f21955a775f7511 Make sure that we emit the correct cryptographic envelope status for cleartext signed messages. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2019-05-29T11:12:49Z Daniel Kahn Gillmor dkg@fifthhorseman.net 2019-05-26T22:16:00Z urn:sha1:1c879f39391b1144bfb2328fe778ab7d7e582100 Adding another test to ensure that we handle protected headers gracefully when no external subject is present. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2019-05-29T11:11:50Z Daniel Kahn Gillmor dkg@fifthhorseman.net 2019-05-27T22:14:16Z urn:sha1:56416a54702669a23b7aa8f085a388d0c842e297 The header-mask member of the per-message crypto object allows a clever UI frontend to mark whether a header was protected (or not). And if it was protected, it contains enough information to show useful detail to an interested user. For example, an MUA could offer a "show what this message's Subject looked like on the wire" feature in expert mode. As before, we only handle Subject for now, but we might be able to handle other headers in the future. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> Amended by db: tweaked schemata notation.