This new automatic decryption policy should make it possible to
decrypt messages that we have stashed session keys for, without
incurring a call to the user's asymmetric keys.
**[STORED IN DATABASE]**
When indexing an encrypted e-mail message, if this variable is
**[STORED IN DATABASE]**
When indexing an encrypted e-mail message, if this variable is
- set to true, notmuch will try to decrypt the message and index
- the cleartext. Be aware that the index is likely sufficient
- to reconstruct the cleartext of the message itself, so please
+ set to ``true``, notmuch will try to decrypt the message and
+ index the cleartext. If ``auto``, it will try to index the
+ cleartext if a stashed session key is already known for the message,
+ but will not try to access your secret keys. Use ``false`` to
+ avoid decrypting even when a session key is already known.
+
+ Be aware that the notmuch index is likely sufficient to
+ reconstruct the cleartext of the message itself, so please
ensure that the notmuch message index is adequately protected.
DO NOT USE ``index.decrypt=true`` without considering the
security of your index.
ensure that the notmuch message index is adequately protected.
DO NOT USE ``index.decrypt=true`` without considering the
security of your index.
- clear = _notmuch_crypto_decrypt (message, crypto_ctx, encrypted_data, NULL, &err);
+ clear = _notmuch_crypto_decrypt (notmuch_indexopts_get_decrypt_policy (indexopts),
+ message, crypto_ctx, encrypted_data, NULL, &err);
if (err) {
_notmuch_database_log (notmuch, "Failed to decrypt during indexing. (%d:%d) [%s]\n",
err->domain, err->code, err->message);
if (err) {
_notmuch_database_log (notmuch, "Failed to decrypt during indexing. (%d:%d) [%s]\n",
err->domain, err->code, err->message);
- if (decrypt_policy &&
- ((!(strcasecmp(decrypt_policy, "true"))) ||
- (!(strcasecmp(decrypt_policy, "yes"))) ||
- (!(strcasecmp(decrypt_policy, "1")))))
- notmuch_indexopts_set_decrypt_policy (ret, NOTMUCH_DECRYPT_TRUE);
+ if (decrypt_policy) {
+ if ((!(strcasecmp(decrypt_policy, "true"))) ||
+ (!(strcasecmp(decrypt_policy, "yes"))) ||
+ (!(strcasecmp(decrypt_policy, "1"))))
+ notmuch_indexopts_set_decrypt_policy (ret, NOTMUCH_DECRYPT_TRUE);
+ else if (!strcasecmp(decrypt_policy, "auto"))
+ notmuch_indexopts_set_decrypt_policy (ret, NOTMUCH_DECRYPT_AUTO);
+ }
free (decrypt_policy);
return ret;
free (decrypt_policy);
return ret;
typedef enum {
NOTMUCH_DECRYPT_FALSE,
NOTMUCH_DECRYPT_TRUE,
typedef enum {
NOTMUCH_DECRYPT_FALSE,
NOTMUCH_DECRYPT_TRUE,
} notmuch_decryption_policy_t;
/**
} notmuch_decryption_policy_t;
/**
break;
node->decrypt_attempted = true;
break;
node->decrypt_attempted = true;
- node->decrypted_child = _notmuch_crypto_decrypt (parent ? parent->envelope_file : NULL,
+ node->decrypted_child = _notmuch_crypto_decrypt (node->ctx->crypto->decrypt,
+ parent ? parent->envelope_file : NULL,
cryptoctx, encrypteddata, &decrypt_result, &err);
}
if (! node->decrypted_child) {
cryptoctx, encrypteddata, &decrypt_result, &err);
}
if (! node->decrypted_child) {
}
#if (GMIME_MAJOR_VERSION < 3)
}
#if (GMIME_MAJOR_VERSION < 3)
- if ((GMIME_IS_MULTIPART_ENCRYPTED (part) && (node->ctx->crypto->decrypt == NOTMUCH_DECRYPT_TRUE))
+ if ((GMIME_IS_MULTIPART_ENCRYPTED (part) && (node->ctx->crypto->decrypt != NOTMUCH_DECRYPT_FALSE))
|| (GMIME_IS_MULTIPART_SIGNED (part) && node->ctx->crypto->verify)) {
GMimeContentType *content_type = g_mime_object_get_content_type (part);
const char *protocol = g_mime_content_type_get_parameter (content_type, "protocol");
|| (GMIME_IS_MULTIPART_SIGNED (part) && node->ctx->crypto->verify)) {
GMimeContentType *content_type = g_mime_object_get_content_type (part);
const char *protocol = g_mime_content_type_get_parameter (content_type, "protocol");
#endif
/* Handle PGP/MIME parts */
#endif
/* Handle PGP/MIME parts */
- if (GMIME_IS_MULTIPART_ENCRYPTED (part) && (node->ctx->crypto->decrypt == NOTMUCH_DECRYPT_TRUE)) {
+ if (GMIME_IS_MULTIPART_ENCRYPTED (part) && (node->ctx->crypto->decrypt != NOTMUCH_DECRYPT_FALSE)) {
if (node->nchildren != 2) {
/* this violates RFC 3156 section 4, so we won't bother with it. */
fprintf (stderr, "Error: %d part(s) for a multipart/encrypted "
if (node->nchildren != 2) {
/* this violates RFC 3156 section 4, so we won't bother with it. */
fprintf (stderr, "Error: %d part(s) for a multipart/encrypted "
/* Construct a new MIME node pointing to the root message part of
* message. If crypto->verify is true, signed child parts will be
* verified. If crypto->decrypt is NOTMUCH_DECRYPT_TRUE, encrypted
/* Construct a new MIME node pointing to the root message part of
* message. If crypto->verify is true, signed child parts will be
* verified. If crypto->decrypt is NOTMUCH_DECRYPT_TRUE, encrypted
- * child parts will be decrypted. If the crypto contexts
+ * child parts will be decrypted using either stored session keys or
+ * asymmetric crypto. If crypto->decrypt is NOTMUCH_DECRYPT_AUTO,
+ * only session keys will be tried. If the crypto contexts
* (crypto->gpgctx or crypto->pkcs7) are NULL, they will be lazily
* initialized.
*
* (crypto->gpgctx or crypto->pkcs7) are NULL, they will be lazily
* initialized.
*
.present = &indexing_cli_choices.decrypt_policy_set, .keywords =
(notmuch_keyword_t []){ { "false", NOTMUCH_DECRYPT_FALSE },
{ "true", NOTMUCH_DECRYPT_TRUE },
.present = &indexing_cli_choices.decrypt_policy_set, .keywords =
(notmuch_keyword_t []){ { "false", NOTMUCH_DECRYPT_FALSE },
{ "true", NOTMUCH_DECRYPT_TRUE },
+ { "auto", NOTMUCH_DECRYPT_AUTO },
{ 0, 0 } },
.name = "decrypt" },
{ }
{ 0, 0 } },
.name = "decrypt" },
{ }
}
}
#if (GMIME_MAJOR_VERSION < 3)
}
}
#if (GMIME_MAJOR_VERSION < 3)
- if (indexing_cli_choices.opts && notmuch_indexopts_get_decrypt_policy (indexing_cli_choices.opts) == NOTMUCH_DECRYPT_TRUE) {
+ if (indexing_cli_choices.opts && notmuch_indexopts_get_decrypt_policy (indexing_cli_choices.opts) != NOTMUCH_DECRYPT_FALSE) {
const char* gpg_path = notmuch_config_get_crypto_gpg_path (config);
if (gpg_path && strcmp(gpg_path, "gpg"))
fprintf (stderr, "Warning: deprecated crypto.gpg_path is set to '%s'\n"
const char* gpg_path = notmuch_config_get_crypto_gpg_path (config);
if (gpg_path && strcmp(gpg_path, "gpg"))
fprintf (stderr, "Warning: deprecated crypto.gpg_path is set to '%s'\n"
+# ensure no session keys are present:
+test_begin_subtest 'reindex using only session keys'
+test_expect_success 'notmuch reindex --decrypt=auto tag:encrypted and property:index.decryption=success'
+test_begin_subtest "reindexed encrypted messages, decrypting only with session keys"
+output=$(notmuch search wumpus)
+expected=''
+test_expect_equal \
+ "$output" \
+ "$expected"
+
# and the same search, but by property ($expected is untouched):
test_begin_subtest "emacs search by property with both messages unindexed"
output=$(notmuch search property:index.decryption=success)
# and the same search, but by property ($expected is untouched):
test_begin_subtest "emacs search by property with both messages unindexed"
output=$(notmuch search property:index.decryption=success)
#notmuch-dump batch-tag:3 config,properties,tags
#= simple-encrypted@crypto.notmuchmail.org session-key=9%3AFC09987F5F927CC0CC0EE80A96E4C5BBF4A499818FB591207705DFDDD6112CF9
EOF
#notmuch-dump batch-tag:3 config,properties,tags
#= simple-encrypted@crypto.notmuchmail.org session-key=9%3AFC09987F5F927CC0CC0EE80A96E4C5BBF4A499818FB591207705DFDDD6112CF9
EOF
-notmuch reindex --decrypt=true id:simple-encrypted@crypto.notmuchmail.org
+notmuch reindex --decrypt=auto id:simple-encrypted@crypto.notmuchmail.org
output=$(notmuch search sekrit)
expected='thread:0000000000000001 2016-12-22 [1/1] Daniel Kahn Gillmor; encrypted message (encrypted inbox unread)'
if [ $NOTMUCH_HAVE_GMIME_SESSION_KEYS -eq 0 ]; then
output=$(notmuch search sekrit)
expected='thread:0000000000000001 2016-12-22 [1/1] Daniel Kahn Gillmor; encrypted message (encrypted inbox unread)'
if [ $NOTMUCH_HAVE_GMIME_SESSION_KEYS -eq 0 ]; then
-_notmuch_crypto_decrypt (notmuch_message_t *message,
+_notmuch_crypto_decrypt (notmuch_decryption_policy_t decrypt,
+ notmuch_message_t *message,
g_mime_3_unused(GMimeCryptoContext* crypto_ctx),
GMimeMultipartEncrypted *part,
GMimeDecryptResult **decrypt_result,
GError **err)
{
GMimeObject *ret = NULL;
g_mime_3_unused(GMimeCryptoContext* crypto_ctx),
GMimeMultipartEncrypted *part,
GMimeDecryptResult **decrypt_result,
GError **err)
{
GMimeObject *ret = NULL;
+ if (decrypt == NOTMUCH_DECRYPT_FALSE)
+ return NULL;
/* the versions of notmuch that can support session key decryption */
#if HAVE_GMIME_SESSION_KEYS
/* the versions of notmuch that can support session key decryption */
#if HAVE_GMIME_SESSION_KEYS
g_error_free (*err);
*err = NULL;
}
g_error_free (*err);
*err = NULL;
}
+
+ if (decrypt == NOTMUCH_DECRYPT_AUTO)
+ return ret;
+
#if (GMIME_MAJOR_VERSION < 3)
ret = g_mime_multipart_encrypted_decrypt(part, crypto_ctx,
decrypt_result, err);
#if (GMIME_MAJOR_VERSION < 3)
ret = g_mime_multipart_encrypted_decrypt(part, crypto_ctx,
decrypt_result, err);
} _notmuch_crypto_t;
GMimeObject *
} _notmuch_crypto_t;
GMimeObject *
-_notmuch_crypto_decrypt (notmuch_message_t *message,
+_notmuch_crypto_decrypt (notmuch_decryption_policy_t decrypt,
+ notmuch_message_t *message,
GMimeCryptoContext* crypto_ctx,
GMimeMultipartEncrypted *part,
GMimeDecryptResult **decrypt_result,
GMimeCryptoContext* crypto_ctx,
GMimeMultipartEncrypted *part,
GMimeDecryptResult **decrypt_result,
projects / notmuch / commitdiff