From db84317be0d5ec56eb5f1187f607aec4669e574e Mon Sep 17 00:00:00 2001
From: Hocuri
Date: Fri, 4 Nov 2022 11:57:49 +0100
Subject: [PATCH 1/4] DKIM-Checking: Don't disallowing keychanges for now
To get back to a releaseable state - the info stays accessible in the Message-info. We can re-enable it as soon as it has been tested thoroughly.
---
 src/decrypt.rs | 3 ++-
 src/mimeparser.rs | 11 ++++++-----
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/src/decrypt.rs b/src/decrypt.rs
index c2c67a4f8..af4c18adb 100644
--- a/src/decrypt.rs
+++ b/src/decrypt.rs
@@ -79,7 +79,8 @@ pub async fn prepare_decryption(
 from,
 autocrypt_header.as_ref(),
 message_time,
- dkim_results.allow_keychange,
+ // Disallowing keychanges is disabled for now:
+ true, // dkim_results.allow_keychange,
 )
 .await?;
diff --git a/src/mimeparser.rs b/src/mimeparser.rs
index c87c627e2..9d00c51d7 100644
--- a/src/mimeparser.rs
+++ b/src/mimeparser.rs
@@ -372,11 +372,12 @@ impl MimeMessage {
 parser.heuristically_parse_ndn(context).await;
 parser.parse_headers(context).await?;
- if !decryption_info.dkim_results.allow_keychange {
- for part in parser.parts.iter_mut() {
- part.error = Some("Seems like DKIM failed, this either is an attack or (more likely) a bug in Authentication-Results checking. Please tell us about this at https://support.delta.chat.".to_string());
- }
- }
+ // Disallowing keychanges is disabled for now
+ // if !decryption_info.dkim_results.allow_keychange {
+ // for part in parser.parts.iter_mut() {
+ // part.error = Some("Seems like DKIM failed, this either is an attack or (more likely) a bug in Authentication-Results checking. Please tell us about this at https://support.delta.chat.".to_string());
+ // }
+ // }
 if warn_empty_signature && parser.signatures.is_empty() {
 for part in parser.parts.iter_mut() {
 part.error = Some("No valid signature".to_string());
From f8da264e2b7d49148bc46d6c7eb9c0704089db8a Mon Sep 17 00:00:00 2001
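Review bot: The enforcement is switched off by hand-editing three separate sites — the hard-coded `true,` in this src/decrypt.rs hunk, the commented-out `part.error` block in the src/mimeparser.rs hunk of this patch, and the commented-out `&& decryption_info.dkim_results.allow_keychange` term in PATCH 3/4 — so turning it back on depends on someone finding and reverting all three. If only some are restored the policy ends up half-enforced, and that is hard to notice because commented-out code is neither compiled nor tested. A single crate-level switch consulted at each site would keep them in step, for example `dkim_results.allow_keychange || !ENFORCE_DKIM_KEYCHANGE,` here (the constant name is a suggestion, not an existing item). The call this argument belongs to starts above the hunk, so what the callee does with the flag is not visible from here.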
From: Hocuri
Date: Fri, 4 Nov 2022 12:04:35 +0100
Subject: [PATCH 2/4] changelog
---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f440d5549..2f0b0cafc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -35,6 +35,8 @@
 ### Changes
 - allow sender timestamp to be in the future, but not too much
+- Disable the new "Authentication-Results/DKIM checking" security feature
+ until we have tested it a bit #3728
 - refactorings #3706
 ### Fixes
From 659bb0838903afa85167c381779ce5cefa1c58c7 Mon Sep 17 00:00:00 2001
From: Hocuri
Date: Sat, 5 Nov 2022 10:10:35 +0100
Subject: [PATCH 3/4] Also don't disallow going back to cleartext
---
 src/mimeparser.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/mimeparser.rs b/src/mimeparser.rs
index 9d00c51d7..1a3490ad1 100644
--- a/src/mimeparser.rs
+++ b/src/mimeparser.rs
@@ -298,7 +298,8 @@ impl MimeMessage {
 if let Some(peerstate) = &mut decryption_info.peerstate {
 if message_time > peerstate.last_seen_autocrypt
 && mail.ctype.mimetype != "multipart/report"
- && decryption_info.dkim_results.allow_keychange
+ // Disallowing keychanges is disabled for now:
+ // && decryption_info.dkim_results.allow_keychange
 {
 peerstate.degrade_encryption(message_time);
 peerstate.save_to_db(&context.sql, false).await?;
From e21ea739d9bc998b6b6065c3c1f5dfc17fe2aeef Mon Sep 17 00:00:00 2001
From: Hocuri
Date: Sat, 5 Nov 2022 10:10:50 +0100
Subject: [PATCH 4/4] Ignore now-failing test
---
 src/authres.rs | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/authres.rs b/src/authres.rs
index d1a31636f..12345526b 100644
--- a/src/authres.rs
+++ b/src/authres.rs
@@ -644,6 +644,7 @@ Authentication-Results: box.hispanilandia.net; spf=pass smtp.mailfrom=adbenitez@
 .unwrap();
 }
+ #[ignore = "Disallowing keychanges is disabled for now"]
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
 async fn test_handle_authres_fails() -> Result<()> {
 let mut tcm = TestContextManager::new();
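Review bot: The comment added inside this condition in src/mimeparser.rs (PATCH 3/4) speaks of keychanges, but the branch it sits in calls `peerstate.degrade_encryption(message_time)`, which per the commit subject is the fall-back to cleartext, so it does not describe what is actually being relaxed. With the `allow_keychange` term commented out, the visible condition now rests only on the timestamp comparison and the `multipart/report` check, and the comment should say that, e.g. `// DKIM result no longer gates degrading to cleartext (temporarily disabled, see #3728):`, using the reference from the changelog entry. A comment line in the middle of an `&&` chain is also easy to overlook on the next edit; placing it above the `if` would read better. The body of the `if` continues past the end of the hunk.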
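Review bot: Marking `test_handle_authres_fails` in src/authres.rs as ignored leaves the series without any test that pins the interim behaviour, and nothing ties the ignore to the change that should lift it. The reason string could carry the reference already used in the changelog, `#[ignore = "DKIM keychange enforcement disabled, re-enable with #3728"]`, so that a search for the number finds this test when enforcement comes back. The test body lies outside the hunk; if it also asserts Authentication-Results handling that does not depend on keychange enforcement, those assertions are worth moving into a test that keeps running.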