feat: Symmetric encryption. No decryption, no sharing of the secret, not tested.

2026-05-16 21:36:30 +03:00 · 2025-07-07 16:31:49 +02:00
parent 1991e01641
commit ec2056f5e2
4 changed files with 94 additions and 9 deletions
--- a/src/mimefactory.rs
+++ b/src/mimefactory.rs
@@ -1143,18 +1143,42 @@ impl MimeFactory {
                Loaded::Mdn { .. } => true,
            };

-            // Encrypt to self unconditionally,
-            // even for a single-device setup.
-            let mut encryption_keyring = vec![encrypt_helper.public_key.clone()];
-            encryption_keyring.extend(encryption_keys.iter().map(|(_addr, key)| (*key).clone()));
+            let symmetric_key = match &self.loaded {
+                Loaded::Message { chat, .. } if chat.typ == Chattype::OutBroadcast => {
+                    // If there is no symmetric key yet
+                    // (because this is an old broadcast channel,
+                    // created before we had symmetric encryption),
+                    // we just encrypt asymmetrically.
+                    // Symmetric encryption exists since 2025-08;
+                    // some time after that, we can think about requiring everyone
+                    // to switch to symmetrically-encrypted broadcast lists.
+                    chat.param.get(Param::SymmetricKey)
+                }
+                _ => None,
+            };
+
+            let encrypted = if let Some(symmetric_key) = symmetric_key {
+                encrypt_helper
+                    .encrypt_for_broadcast(context, symmetric_key, message, compress)
+                    .await?
+            } else {
+                // Asymmetric encryption
+
+                // Encrypt to self unconditionally,
+                // even for a single-device setup.
+                let mut encryption_keyring = vec![encrypt_helper.public_key.clone()];
+                encryption_keyring
+                    .extend(encryption_keys.iter().map(|(_addr, key)| (*key).clone()));
+
+                encrypt_helper
+                    .encrypt(context, encryption_keyring, message, compress)
+                    .await?
+            };

            // XXX: additional newline is needed
            // to pass filtermail at
-            // <https://github.com/deltachat/chatmail/blob/4d915f9800435bf13057d41af8d708abd34dbfa8/chatmaild/src/chatmaild/filtermail.py#L84-L86>
-            let encrypted = encrypt_helper
-                .encrypt(context, encryption_keyring, message, compress)
-                .await?
-                + "\n";
+            // <https://github.com/deltachat/chatmail/blob/4d915f9800435bf13057d41af8d708abd34dbfa8/chatmaild/src/chatmaild/filtermail.py#L84-L86>:
+            let encrypted = encrypted + "\n";

            // Set the appropriate Content-Type for the outer message
            MimePart::new(