[PATCH 15/18] crypto: actually stash session keys when try-decrypt=true

David Bremner david at tethera.net
Thu Nov 16 04:53:14 PST 2017 

Daniel Kahn Gillmor <dkg at fifthhorseman.net> writes:

> +        Be aware that the index is likely sufficient to reconstruct
> +        the cleartext of the message itself, so please ensure that the
> +        notmuch message index is adequately protected.  DO NOT USE
> +        ``--try-decrypt=true`` without considering the security of
> +        your index.
>  

This is probably just my ignorance, but doesn't stashing session keys
change this from likely to certain? Is it possible we decrypt thing and
don't get session keys.

> +test_begin_subtest "show the message body of the encrypted message"
> +notmuch dump wumpus
> +output=$(notmuch show wumpus | awk '/^\014part}/{ f=0 }; { if (f) { print $0 } } /^\014part{ ID: 3/{ f=1 }')
> +expected='This is a test encrypted message with a wumpus.'
> +test_expect_equal \
> +    "$output" \
> +    "$expected"

I'd be happier if we didn't further entrench the text format in the test
suite. How hard would it be to use json output (+maybe python?) here? 

>  	*attempted = true;
>  #if (GMIME_MAJOR_VERSION < 3)
> +#if (GMIME_MAJOR_VERSION == 2 && GMIME_MINOR_VERSION == 6 && GMIME_MICRO_VERSION >= 21)
> +    gboolean oldgetsk = g_mime_crypto_context_get_retrieve_session_key (crypto_ctx);
> +    gboolean newgetsk = (decrypt_result);
> +    if (newgetsk != oldgetsk)
> +	/* This could return an error, but we can't do anything about it, so ignore it */
> +	g_mime_crypto_context_set_retrieve_session_key (crypto_ctx, newgetsk, NULL);
> +#endif
>      ret = g_mime_multipart_encrypted_decrypt(part, crypto_ctx,
>  					     decrypt_result, err);
> +#if (GMIME_MAJOR_VERSION == 2 && GMIME_MINOR_VERSION == 6 && GMIME_MICRO_VERSION >= 21)
> +    if (newgetsk != oldgetsk)
> +	g_mime_crypto_context_set_retrieve_session_key (crypto_ctx, oldgetsk, NULL);

I lost track a bit, but now there's at least 2 (maybe 3) repetitions of
this somewhat complicated test, and one more needed for
built_with.session_keys. HAVE_GMIME_SESSION_KEYS is looking better and
better.

More information about the notmuch mailing list