fix: do not URL-encode proxy hostnames

Cargo.lock

@@ -827,9 +827,9 @@ dependencies = [
 
 [[package]]
 name = "chrono"
-version = "0.4.44"
+version = "0.4.43"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c673075a2e0e5f4a1dde27ce9dee1ea4558c7ffe648f576438a20ca1d2acc4b0"
+checksum = "fac4744fb15ae8337dc853fee7fb3f4e48c0fbaa23d0afe49c447b4fab126118"
 dependencies = [
  "iana-time-zone",
  "num-traits",
@@ -2654,7 +2654,7 @@ dependencies = [
  "hyper",
  "libc",
  "pin-project-lite",
- "socket2 0.5.9",
+ "socket2 0.6.0",
  "tokio",
  "tower-service",
  "tracing",
@@ -3260,9 +3260,9 @@ dependencies = [
 
 [[package]]
 name = "libc"
-version = "0.2.184"
+version = "0.2.182"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "48f5d2a454e16a5ea0f4ced81bd44e4cfc7bd3a507b61887c99fd3538b28e4af"
+checksum = "6800badb6cb2082ffd7b6a67e6125bb39f18782f793520caee8cb8846be06112"
 
 [[package]]
 name = "libm"
@@ -4235,18 +4235,18 @@ dependencies = [
 
 [[package]]
 name = "pin-project"
-version = "1.1.11"
+version = "1.1.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f1749c7ed4bcaf4c3d0a3efc28538844fb29bcdd7d2b67b2be7e20ba861ff517"
+checksum = "677f1add503faace112b9f1373e43e9e054bfdd22ff1a63c1bc485eaec6a6a8a"
 dependencies = [
  "pin-project-internal",
 ]
 
 [[package]]
 name = "pin-project-internal"
-version = "1.1.11"
+version = "1.1.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d9b20ed30f105399776b9c883e68e536ef602a16ae6f596d2c473591d6ad64c6"
+checksum = "6e918e4ff8c4549eb882f14b3a4bc8c8bc93de829416eacf579f1207a8fbf861"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -4729,9 +4729,9 @@ dependencies = [
 
 [[package]]
 name = "quote"
-version = "1.0.45"
+version = "1.0.44"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "41f2619966050689382d2b44f664f4bc593e129785a36d6ee376ddf37259b924"
+checksum = "21b2ebcf727b7760c461f091f9f0f539b77b8e87f2fd88131e7f1b433b3cece4"
 dependencies = [
  "proc-macro2",
 ]
@@ -5988,9 +5988,9 @@ checksum = "55937e1799185b12863d447f42597ed69d9928686b8d88a1df17376a097d8369"
 
 [[package]]
 name = "tempfile"
-version = "3.27.0"
+version = "3.26.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "32497e9a4c7b38532efcdebeef879707aa9f794296a4f0244f6f69e9bc8574bd"
+checksum = "82a72c767771b47409d2345987fda8628641887d5466101319899796367354a0"
 dependencies = [
  "fastrand",
  "getrandom 0.3.3",
@@ -6144,9 +6144,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
 
 [[package]]
 name = "tokio"
-version = "1.50.0"
+version = "1.49.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "27ad5e34374e03cfffefc301becb44e9dc3c17584f414349ebe29ed26661822d"
+checksum = "72a2903cd7736441aac9df9d7688bd0ce48edccaadf181c3b90be801e81d3d86"
 dependencies = [
  "bytes",
  "libc",
@@ -6403,9 +6403,9 @@ dependencies = [
 
 [[package]]
 name = "tracing-subscriber"
-version = "0.3.23"
+version = "0.3.22"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cb7f578e5945fb242538965c2d0b04418d38ec25c79d160cd279bf0731c8d319"
+checksum = "2f30143827ddab0d256fd843b7a66d164e9f271cfa0dde49142c5ca0ca291f1e"
 dependencies = [
  "matchers",
  "nu-ansi-term",

Cargo.toml

@@ -181,7 +181,7 @@ harness = false
 anyhow = "1"
 async-channel = "2.5.0"
 base64 = "0.22"
-chrono = { version = "0.4.44", default-features = false }
+chrono = { version = "0.4.43", default-features = false }
 deltachat-contact-tools = { path = "deltachat-contact-tools" }
 deltachat-jsonrpc = { path = "deltachat-jsonrpc", default-features = false }
 deltachat = { path = ".", default-features = false }
@@ -198,7 +198,7 @@ rusqlite = "0.37"
 sanitize-filename = "0.6"
 serde = "1.0"
 serde_json = "1"
-tempfile = "3.27.0"
+tempfile = "3.25.0"
 thiserror = "2"
 tokio = "1"
 tokio-util = "0.7.18"

deltachat-ffi/deltachat.h

@@ -364,14 +364,18 @@ uint32_t        dc_get_id                    (dc_context_t* context);
  * To get these events, you have to create an event emitter using this function
  * and call dc_get_next_event() on the emitter.
  *
- * Events are broadcasted to all existing event emitters.
- * Events emitted before creation of event emitter
- * are not available to event emitter.
- *
  * @memberof dc_context_t
  * @param context The context object as created by dc_context_new().
  * @return Returns the event emitter, NULL on errors.
  *     Must be freed using dc_event_emitter_unref() after usage.
+ *
+ * Note: Use only one event emitter per context.
+ * The result of having multiple event emitters is unspecified.
+ * Currently events are broadcasted to all existing event emitters,
+ * but previous versions delivered events to only one event emitter
+ * and this behavior may change again in the future.
+ * Events emitted before creation of event emitter
+ * may or may not be available to event emitter.
  */
 dc_event_emitter_t* dc_get_event_emitter(dc_context_t* context);
 
@@ -3319,14 +3323,18 @@ void           dc_accounts_set_push_device_token (dc_accounts_t* accounts, const
  * This is similar to dc_get_event_emitter(), which, however,
  * must not be called for accounts handled by the account manager.
  *
- * Events are broadcasted to all existing event emitters.
- * Events emitted before creation of event emitter
- * are not available to event emitter.
- *
  * @memberof dc_accounts_t
  * @param accounts The account manager as created by dc_accounts_new().
  * @return Returns the event emitter, NULL on errors.
  *     Must be freed using dc_event_emitter_unref() after usage.
+ *
+ * Note: Use only one event emitter per account manager.
+ * The result of having multiple event emitters is unspecified.
+ * Currently events are broadcasted to all existing event emitters,
+ * but previous versions delivered events to only one event emitter
+ * and this behavior may change again in the future.
+ * Events emitted before creation of event emitter
+ * are not available to event emitter.
  */
 dc_event_emitter_t* dc_accounts_get_event_emitter (dc_accounts_t* accounts);
 
@@ -5971,14 +5979,21 @@ void dc_event_channel_unref(dc_event_channel_t* event_channel);
  * To get these events, you have to create an event emitter using this function
  * and call dc_get_next_event() on the emitter.
  *
- * Events are broadcasted to all existing event emitters.
- * Events emitted before creation of event emitter
- * are not available to event emitter.
+ * This is similar to dc_get_event_emitter(), which, however,
+ * must not be called for accounts handled by the account manager.
  * 
  * @memberof dc_event_channel_t
  * @param The event channel.
  * @return Returns the event emitter, NULL on errors.
  *     Must be freed using dc_event_emitter_unref() after usage.
+ * 
+ * Note: Use only one event emitter per account manager / event channel.
+ * The result of having multiple event emitters is unspecified.
+ * Currently events are broadcasted to all existing event emitters,
+ * but previous versions delivered events to only one event emitter
+ * and this behavior may change again in the future.
+ * Events emitted before creation of event emitter
+ * are not available to event emitter.
  */
 dc_event_emitter_t* dc_event_channel_get_event_emitter(dc_event_channel_t* event_channel);
 

src/context.rs

@@ -25,7 +25,7 @@ use crate::key::self_fingerprint;
 use crate::log::warn;
 use crate::logged_debug_assert;
 use crate::message::{self, MessageState, MsgId};
-use crate::net::tls::{SpkiHashStore, TlsSessionStore};
+use crate::net::tls::TlsSessionStore;
 use crate::peer_channels::Iroh;
 use crate::push::PushSubscriber;
 use crate::quota::QuotaInfo;
@@ -308,13 +308,6 @@ pub struct InnerContext {
     /// TLS session resumption cache.
     pub(crate) tls_session_store: TlsSessionStore,
 
-    /// Store for TLS SPKI hashes.
-    ///
-    /// Used to remember public keys
-    /// of TLS certificates to accept them
-    /// even after they expire.
-    pub(crate) spki_hash_store: SpkiHashStore,
-
     /// Iroh for realtime peer channels.
     pub(crate) iroh: Arc<RwLock<Option<Iroh>>>,
 
@@ -518,7 +511,6 @@ impl Context {
             push_subscriber,
             push_subscribed: AtomicBool::new(false),
             tls_session_store: TlsSessionStore::new(),
-            spki_hash_store: SpkiHashStore::new(),
             iroh: Arc::new(RwLock::new(None)),
             self_fingerprint: OnceLock::new(),
             self_public_key: Mutex::new(None),

src/imap/client.rs

@@ -220,8 +220,6 @@ impl Client {
             alpn(addr.port()),
             logging_stream,
             &context.tls_session_store,
-            &context.spki_hash_store,
-            &context.sql,
         )
         .await?;
         let buffered_stream = BufWriter::new(tls_stream);
@@ -284,8 +282,6 @@ impl Client {
             "",
             tcp_stream,
             &context.tls_session_store,
-            &context.spki_hash_store,
-            &context.sql,
         )
         .await
         .context("STARTTLS upgrade failed")?;
@@ -314,8 +310,6 @@ impl Client {
             alpn(port),
             proxy_stream,
             &context.tls_session_store,
-            &context.spki_hash_store,
-            &context.sql,
         )
         .await?;
         let buffered_stream = BufWriter::new(tls_stream);
@@ -379,8 +373,6 @@ impl Client {
             "",
             proxy_stream,
             &context.tls_session_store,
-            &context.spki_hash_store,
-            &context.sql,
         )
         .await
         .context("STARTTLS upgrade failed")?;

src/mimeparser.rs

@@ -373,7 +373,7 @@ impl MimeMessage {
         hop_info += "\n\n";
         hop_info += &dkim_results.to_string();
 
-        let from_is_not_self_addr = !context.is_self_addr(&from.addr).await?;
+        let incoming = !context.is_self_addr(&from.addr).await?;
 
         let mut aheader_values = mail.headers.get_all_values(HeaderDef::Autocrypt.into());
 
@@ -438,7 +438,7 @@ impl MimeMessage {
         };
 
         let mut autocrypt_header = None;
-        if from_is_not_self_addr {
+        if incoming {
             // See `get_all_addresses_from_header()` for why we take the last valid header.
             for val in aheader_values.iter().rev() {
                 autocrypt_header = match Aheader::from_str(val) {
@@ -469,7 +469,7 @@ impl MimeMessage {
             None
         };
 
-        let mut public_keyring = if from_is_not_self_addr {
+        let mut public_keyring = if incoming {
             if let Some(autocrypt_header) = autocrypt_header {
                 vec![autocrypt_header.public_key]
             } else {
@@ -654,15 +654,6 @@ impl MimeMessage {
             .into_iter()
             .last()
             .map(|(fp, recipient_fps)| (fp, recipient_fps.into_iter().collect::<HashSet<_>>()));
-
-        let incoming = if let Some((ref sig_fp, _)) = signature {
-            sig_fp.hex() != key::self_fingerprint(context).await?
-        } else {
-            // rare case of getting a cleartext message
-            // so we determine 'incoming' flag by From-address
-            from_is_not_self_addr
-        };
-
         let mut parser = MimeMessage {
             parts: Vec::new(),
             headers,

src/net.rs

@@ -12,7 +12,7 @@ use tokio_io_timeout::TimeoutStream;
 
 use crate::context::Context;
 use crate::net::session::SessionStream;
-use crate::net::tls::{SpkiHashStore, TlsSessionStore};
+use crate::net::tls::TlsSessionStore;
 use crate::sql::Sql;
 use crate::tools::time;
 
@@ -130,8 +130,6 @@ pub(crate) async fn connect_tls_inner(
     strict_tls: bool,
     alpn: &str,
     tls_session_store: &TlsSessionStore,
-    spki_hash_store: &SpkiHashStore,
-    sql: &Sql,
 ) -> Result<impl SessionStream + 'static> {
     let use_sni = true;
     let tcp_stream = connect_tcp_inner(addr).await?;
@@ -143,8 +141,6 @@ pub(crate) async fn connect_tls_inner(
         alpn,
         tcp_stream,
         tls_session_store,
-        spki_hash_store,
-        sql,
     )
     .await?;
     Ok(tls_stream)

src/net/http.rs

@@ -87,8 +87,6 @@ where
                     "",
                     proxy_stream,
                     &context.tls_session_store,
-                    &context.spki_hash_store,
-                    &context.sql,
                 )
                 .await?;
                 Box::new(tls_stream)
@@ -101,8 +99,6 @@ where
                     "",
                     tcp_stream,
                     &context.tls_session_store,
-                    &context.spki_hash_store,
-                    &context.sql,
                 )
                 .await?;
                 Box::new(tls_stream)

src/net/proxy.rs

@@ -19,7 +19,6 @@ use tokio_io_timeout::TimeoutStream;
 use url::Url;
 
 use crate::config::Config;
-use crate::constants::NON_ALPHANUMERIC_WITHOUT_DOT;
 use crate::context::Context;
 use crate::net::connect_tcp;
 use crate::net::session::SessionStream;
@@ -93,13 +92,12 @@ impl HttpConfig {
     }
 
     fn to_url(&self, scheme: &str) -> String {
-        let host = utf8_percent_encode(&self.host, NON_ALPHANUMERIC_WITHOUT_DOT);
         if let Some((user, password)) = &self.user_password {
             let user = utf8_percent_encode(user, NON_ALPHANUMERIC);
             let password = utf8_percent_encode(password, NON_ALPHANUMERIC);
-            format!("{scheme}://{user}:{password}@{host}:{}", self.port)
+            format!("{scheme}://{user}:{password}@{}:{}", self.host, self.port)
         } else {
-            format!("{scheme}://{host}:{}", self.port)
+            format!("{scheme}://{}:{}", self.host, self.port)
         }
     }
 }
@@ -143,13 +141,12 @@ impl Socks5Config {
     }
 
     fn to_url(&self) -> String {
-        let host = utf8_percent_encode(&self.host, NON_ALPHANUMERIC_WITHOUT_DOT);
         if let Some((user, password)) = &self.user_password {
             let user = utf8_percent_encode(user, NON_ALPHANUMERIC);
             let password = utf8_percent_encode(password, NON_ALPHANUMERIC);
-            format!("socks5://{user}:{password}@{host}:{}", self.port)
+            format!("socks5://{user}:{password}@{}:{}", self.host, self.port)
         } else {
-            format!("socks5://{host}:{}", self.port)
+            format!("socks5://{}:{}", self.host, self.port)
         }
     }
 }
@@ -439,8 +436,6 @@ impl ProxyConfig {
                     "",
                     tcp_stream,
                     &context.tls_session_store,
-                    &context.spki_hash_store,
-                    &context.sql,
                 )
                 .await?;
                 let auth = if let Some((username, password)) = &https_config.user_password {
@@ -567,6 +562,20 @@ mod tests {
                 user_password: None
             })
         );
+
+        let proxy_config = ProxyConfig::from_url("socks5://my-proxy.example.org").unwrap();
+        assert_eq!(
+            proxy_config,
+            ProxyConfig::Socks5(Socks5Config {
+                host: "my-proxy.example.org".to_string(),
+                port: 1080,
+                user_password: None
+            })
+        );
+        assert_eq!(
+            proxy_config.to_url(),
+            "socks5://my-proxy.example.org:1080".to_string()
+        );
     }
 
     #[test]
@@ -600,6 +609,20 @@ mod tests {
                 user_password: None
             })
         );
+
+        let proxy_config = ProxyConfig::from_url("http://my-proxy.example.org").unwrap();
+        assert_eq!(
+            proxy_config,
+            ProxyConfig::Http(HttpConfig {
+                host: "my-proxy.example.org".to_string(),
+                port: 80,
+                user_password: None
+            })
+        );
+        assert_eq!(
+            proxy_config.to_url(),
+            "http://my-proxy.example.org:80".to_string()
+        );
     }
 
     #[test]
@@ -633,6 +656,20 @@ mod tests {
                 user_password: None
             })
         );
+
+        let proxy_config = ProxyConfig::from_url("https://my-proxy.example.org").unwrap();
+        assert_eq!(
+            proxy_config,
+            ProxyConfig::Https(HttpConfig {
+                host: "my-proxy.example.org".to_string(),
+                port: 443,
+                user_password: None
+            })
+        );
+        assert_eq!(
+            proxy_config.to_url(),
+            "https://my-proxy.example.org:443".to_string()
+        );
     }
 
     #[test]

src/net/tls.rs

@@ -6,19 +6,13 @@ use std::sync::Arc;
 use anyhow::Result;
 
 use crate::net::session::SessionStream;
-use crate::sql::Sql;
 
 use tokio_rustls::rustls;
 use tokio_rustls::rustls::client::ClientSessionStore;
-use tokio_rustls::rustls::server::ParsedCertificate;
 
 mod danger;
-use danger::CustomCertificateVerifier;
+use danger::NoCertificateVerification;
 
-mod spki;
-pub use spki::SpkiHashStore;
-
-#[expect(clippy::too_many_arguments)]
 pub async fn wrap_tls<'a>(
     strict_tls: bool,
     hostname: &str,
@@ -27,21 +21,10 @@ pub async fn wrap_tls<'a>(
     alpn: &str,
     stream: impl SessionStream + 'static,
     tls_session_store: &TlsSessionStore,
-    spki_hash_store: &SpkiHashStore,
-    sql: &Sql,
 ) -> Result<impl SessionStream + 'a> {
     if strict_tls {
-        let tls_stream = wrap_rustls(
-            hostname,
-            port,
-            use_sni,
-            alpn,
-            stream,
-            tls_session_store,
-            spki_hash_store,
-            sql,
-        )
-        .await?;
+        let tls_stream =
+            wrap_rustls(hostname, port, use_sni, alpn, stream, tls_session_store).await?;
         let boxed_stream: Box<dyn SessionStream> = Box::new(tls_stream);
         Ok(boxed_stream)
     } else {
@@ -111,7 +94,6 @@ impl TlsSessionStore {
     }
 }
 
-#[expect(clippy::too_many_arguments)]
 pub async fn wrap_rustls<'a>(
     hostname: &str,
     port: u16,
@@ -119,8 +101,6 @@ pub async fn wrap_rustls<'a>(
     alpn: &str,
     stream: impl SessionStream + 'a,
     tls_session_store: &TlsSessionStore,
-    spki_hash_store: &SpkiHashStore,
-    sql: &Sql,
 ) -> Result<impl SessionStream + 'a> {
     let mut root_cert_store = rustls::RootCertStore::empty();
     root_cert_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
@@ -147,27 +127,20 @@ pub async fn wrap_rustls<'a>(
     config.resumption = resumption;
     config.enable_sni = use_sni;
 
-    config
-        .dangerous()
-        .set_certificate_verifier(Arc::new(CustomCertificateVerifier::new(
-            spki_hash_store.get_spki_hash(hostname, sql).await?,
-        )));
+    // Do not verify certificates for hostnames starting with `_`.
+    // They are used for servers with self-signed certificates, e.g. for local testing.
+    // Hostnames starting with `_` can have only self-signed TLS certificates or wildcard certificates.
+    // It is not possible to get valid non-wildcard TLS certificates because CA/Browser Forum requirements
+    // explicitly state that domains should start with a letter, digit or hyphen:
+    // https://github.com/cabforum/servercert/blob/24f38fd4765e019db8bb1a8c56bf63c7115ce0b0/docs/BR.md
+    if hostname.starts_with("_") {
+        config
+            .dangerous()
+            .set_certificate_verifier(Arc::new(NoCertificateVerification::new()));
+    }
 
     let tls = tokio_rustls::TlsConnector::from(Arc::new(config));
     let name = tokio_rustls::rustls::pki_types::ServerName::try_from(hostname)?.to_owned();
     let tls_stream = tls.connect(name, stream).await?;
-
-    // Successfully connected.
-    // Remember SPKI hash to accept it later if certificate expires.
-    let (_io, client_connection) = tls_stream.get_ref();
-    if let Some(end_entity) = client_connection
-        .peer_certificates()
-        .and_then(|certs| certs.first())
-    {
-        let parsed_certificate = ParsedCertificate::try_from(end_entity)?;
-        let spki = parsed_certificate.subject_public_key_info();
-        spki_hash_store.save_spki(hostname, &spki, sql).await?;
-    }
-
     Ok(tls_stream)
 }

src/net/tls/danger.rs

@@ -1,85 +1,26 @@
-//! Custom TLS verification.
-//!
-//! We want to accept expired certificates.
+//! Dangerous TLS implementation of accepting invalid certificates for Rustls.
 
-use rustls::RootCertStore;
-use rustls::client::{verify_server_cert_signed_by_trust_anchor, verify_server_name};
 use rustls::pki_types::{CertificateDer, ServerName, UnixTime};
-use rustls::server::ParsedCertificate;
 use tokio_rustls::rustls;
 
-use crate::net::tls::spki::spki_hash;
-
 #[derive(Debug)]
-pub(super) struct CustomCertificateVerifier {
-    /// Root certificates.
-    root_cert_store: RootCertStore,
+pub(super) struct NoCertificateVerification();
 
-    /// Expected SPKI hash as a base64 of SHA-256.
-    spki_hash: Option<String>,
-}
-
-impl CustomCertificateVerifier {
-    pub(super) fn new(spki_hash: Option<String>) -> Self {
-        let mut root_cert_store = rustls::RootCertStore::empty();
-        root_cert_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
-        Self {
-            root_cert_store,
-            spki_hash,
-        }
+impl NoCertificateVerification {
+    pub(super) fn new() -> Self {
+        Self()
     }
 }
 
-impl rustls::client::danger::ServerCertVerifier for CustomCertificateVerifier {
+impl rustls::client::danger::ServerCertVerifier for NoCertificateVerification {
     fn verify_server_cert(
         &self,
-        end_entity: &CertificateDer<'_>,
-        intermediates: &[CertificateDer<'_>],
-        server_name: &ServerName<'_>,
+        _end_entity: &CertificateDer<'_>,
+        _intermediates: &[CertificateDer<'_>],
+        _server_name: &ServerName<'_>,
         _ocsp_response: &[u8],
-        now: UnixTime,
+        _now: UnixTime,
     ) -> Result<rustls::client::danger::ServerCertVerified, rustls::Error> {
-        let parsed_certificate = ParsedCertificate::try_from(end_entity)?;
-
-        let spki = parsed_certificate.subject_public_key_info();
-
-        let provider = rustls::crypto::ring::default_provider();
-
-        if let ServerName::DnsName(dns_name) = server_name
-            && dns_name.as_ref().starts_with("_")
-        {
-            // Do not verify certificates for hostnames starting with `_`.
-            // They are used for servers with self-signed certificates, e.g. for local testing.
-            // Hostnames starting with `_` can have only self-signed TLS certificates or wildcard certificates.
-            // It is not possible to get valid non-wildcard TLS certificates because CA/Browser Forum requirements
-            // explicitly state that domains should start with a letter, digit or hyphen:
-            // https://github.com/cabforum/servercert/blob/24f38fd4765e019db8bb1a8c56bf63c7115ce0b0/docs/BR.md
-        } else if let Some(hash) = &self.spki_hash
-            && spki_hash(&spki) == *hash
-        {
-            // Last time we successfully connected to this hostname with TLS checks,
-            // SPKI had this hash.
-            // It does not matter if certificate has now expired.
-        } else {
-            // verify_server_cert_signed_by_trust_anchor does no revocation checking:
-            // <https://docs.rs/rustls/0.23.37/rustls/client/fn.verify_server_cert_signed_by_trust_anchor.html>
-            // We don't do it either.
-            verify_server_cert_signed_by_trust_anchor(
-                &parsed_certificate,
-                &self.root_cert_store,
-                intermediates,
-                now,
-                provider.signature_verification_algorithms.all,
-            )?;
-        }
-
-        // Verify server name unconditionally.
-        //
-        // We do this even for self-signed certificates when hostname starts with `_`
-        // so we don't try to connect to captive portals
-        // and fail on MITM certificates if they are generated once
-        // and reused for all hostnames.
-        verify_server_name(&parsed_certificate, server_name)?;
         Ok(rustls::client::danger::ServerCertVerified::assertion())
     }
 

src/net/tls/spki.rs

@@ -1,92 +0,0 @@
-//! SPKI hash storage.
-//!
-//! We store hashes of Subject Public Key Info from TLS certificates
-//! after successful connection to allow connecting when
-//! server certificate expires as long as the key is not changed.
-
-use std::collections::BTreeMap;
-
-use anyhow::Result;
-use base64::Engine as _;
-use parking_lot::RwLock;
-use sha2::{Digest, Sha256};
-use tokio_rustls::rustls::pki_types::SubjectPublicKeyInfoDer;
-
-use crate::sql::Sql;
-
-/// Calculates Subject Public Key Info SHA-256 hash and returns it as base64.
-///
-/// This is the same format as used in <https://www.rfc-editor.org/rfc/rfc7469>.
-/// You can calculate the same hash for any remote host with
-/// ```sh
-/// openssl s_client -connect "$HOST:993" -servername "$HOST" </dev/null 2>/dev/null |
-/// openssl x509 -pubkey -noout |
-/// openssl pkey -pubin -outform der |
-/// openssl dgst -sha256 -binary |
-/// openssl enc -base64
-/// ```
-pub fn spki_hash(spki: &SubjectPublicKeyInfoDer) -> String {
-    let spki_hash = Sha256::digest(spki);
-    base64::engine::general_purpose::STANDARD.encode(spki_hash)
-}
-
-/// Write-through cache for SPKI hashes.
-#[derive(Debug)]
-pub struct SpkiHashStore {
-    /// Map from hostnames to base64 of SHA-256 hashes.
-    pub hash_store: RwLock<BTreeMap<String, String>>,
-}
-
-impl SpkiHashStore {
-    pub fn new() -> Self {
-        Self {
-            hash_store: RwLock::new(BTreeMap::new()),
-        }
-    }
-
-    /// Returns base64 of SPKI hash if we have previously successfully connected to given hostname.
-    pub async fn get_spki_hash(&self, hostname: &str, sql: &Sql) -> Result<Option<String>> {
-        if let Some(hash) = self.hash_store.read().get(hostname).cloned() {
-            return Ok(Some(hash));
-        }
-
-        match sql
-            .query_row_optional(
-                "SELECT spki_hash FROM tls_spki WHERE host=?",
-                (hostname,),
-                |row| {
-                    let spki_hash: String = row.get(0)?;
-                    Ok(spki_hash)
-                },
-            )
-            .await?
-        {
-            Some(hash) => {
-                self.hash_store
-                    .write()
-                    .insert(hostname.to_string(), hash.clone());
-                Ok(Some(hash))
-            }
-            None => Ok(None),
-        }
-    }
-
-    /// Saves SPKI hash after successful connection.
-    pub async fn save_spki(
-        &self,
-        hostname: &str,
-        spki: &SubjectPublicKeyInfoDer<'_>,
-        sql: &Sql,
-    ) -> Result<()> {
-        let hash = spki_hash(spki);
-        self.hash_store
-            .write()
-            .insert(hostname.to_string(), hash.clone());
-        sql.execute(
-            "INSERT OR REPLACE INTO tls_spki (host, spki_hash) VALUES (?, ?)",
-            (hostname, hash),
-        )
-        .await?;
-        Ok(())
-    }
-}

src/qr/qr_tests.rs

@@ -892,6 +892,32 @@ async fn test_set_proxy_config_from_qr() -> Result<()> {
     Ok(())
 }
 
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn test_dont_encode_hyphen_in_proxy_hostnames() -> Result<()> {
+    let mut tcm = TestContextManager::new();
+    let t = &tcm.alice().await;
+
+    let qr_text = "socks5://my-proxy.example.org";
+
+    let qr = check_qr(t, qr_text).await?;
+    assert_eq!(
+        qr,
+        Qr::Proxy {
+            url: "socks5://my-proxy.example.org".to_string(),
+            host: "my-proxy.example.org".to_string(),
+            port: 1080,
+        }
+    );
+
+    set_config_from_qr(t, "socks5://my-proxy.example.org").await?;
+    assert_eq!(
+        t.get_config(Config::ProxyUrl).await?,
+        Some("socks5://my-proxy.example.org:1080".to_string())
+    );
+
+    Ok(())
+}
+
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
 async fn test_decode_shadowsocks() -> Result<()> {
     let ctx = TestContext::new().await;

src/receive_imf.rs

@@ -45,7 +45,6 @@ use crate::securejoin::{
     self, get_secure_join_step, handle_securejoin_handshake, observe_securejoin_on_other_device,
 };
 use crate::simplify;
-use crate::smtp::msg_has_pending_smtp_job;
 use crate::stats::STATISTICS_BOT_EMAIL;
 use crate::stock_str;
 use crate::sync::Sync::*;
@@ -583,7 +582,14 @@ pub(crate) async fn receive_imf_inner(
                 (rfc724_mid_orig, &self_addr),
             )
             .await?;
-        if !msg_has_pending_smtp_job(context, msg_id).await? {
+        if !context
+            .sql
+            .exists(
+                "SELECT COUNT(*) FROM smtp WHERE rfc724_mid=?",
+                (rfc724_mid_orig,),
+            )
+            .await?
+        {
             msg_id.set_delivered(context).await?;
         }
         return Ok(None);

src/receive_imf/receive_imf_tests.rs

@@ -13,10 +13,9 @@ use crate::constants::DC_GCL_FOR_FORWARDING;
 use crate::contact;
 use crate::imap::prefetch_should_download;
 use crate::imex::{ImexMode, imex};
-use crate::key;
 use crate::securejoin::get_securejoin_qr;
 use crate::test_utils::{
-    E2EE_INFO_MSGS, TestContext, TestContextManager, alice_keypair, get_chat_msg, mark_as_verified,
+    E2EE_INFO_MSGS, TestContext, TestContextManager, get_chat_msg, mark_as_verified,
 };
 use crate::tools::{SystemTime, time};
 
@@ -5562,31 +5561,3 @@ async fn test_calendar_alternative() -> Result<()> {
 
     Ok(())
 }
-
-/// Tests that outgoing encrypted messages are detected
-/// by verifying own signature, completely ignoring From address.
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn test_outgoing_determined_by_signature() -> Result<()> {
-    let mut tcm = TestContextManager::new();
-    let alice = &tcm.alice().await;
-    let bob = &tcm.bob().await;
-
-    // alice_dev2: same key, different address.
-    let different_from = "very@different.from";
-    assert!(!alice.is_self_addr(different_from).await?);
-    let alice_dev2 = &tcm.unconfigured().await;
-    alice_dev2.configure_addr(different_from).await;
-    key::store_self_keypair(alice_dev2, &alice_keypair()).await?;
-    assert_ne!(
-        alice.get_config(Config::Addr).await?.unwrap(),
-        different_from
-    );
-
-    // Send message from alice_dev2 and check alice sees it as outgoing
-    let chat_id = alice_dev2.create_chat_id(bob).await;
-    let sent_msg = alice_dev2.send_text(chat_id, "hello from new device").await;
-    let msg = alice.recv_msg(&sent_msg).await;
-    assert_eq!(msg.state, MessageState::OutDelivered);
-
-    Ok(())
-}

src/smtp.rs

@@ -465,7 +465,11 @@ pub(crate) async fn send_msg_to_smtp(
     match status {
         SendResult::Retry => Err(format_err!("Retry")),
         SendResult::Success => {
-            if !msg_has_pending_smtp_job(context, msg_id).await? {
+            if !context
+                .sql
+                .exists("SELECT COUNT(*) FROM smtp WHERE msg_id=?", (msg_id,))
+                .await?
+            {
                 msg_id.set_delivered(context).await?;
             }
             Ok(())
@@ -474,16 +478,6 @@ pub(crate) async fn send_msg_to_smtp(
     }
 }
 
-pub(crate) async fn msg_has_pending_smtp_job(
-    context: &Context,
-    msg_id: MsgId,
-) -> Result<bool, Error> {
-    context
-        .sql
-        .exists("SELECT COUNT(*) FROM smtp WHERE msg_id=?", (msg_id,))
-        .await
-}
-
 /// Attempts to send queued MDNs.
 async fn send_mdns(context: &Context, connection: &mut Smtp) -> Result<()> {
     loop {

src/smtp/connect.rs

@@ -11,12 +11,11 @@ use crate::log::warn;
 use crate::net::dns::{lookup_host_with_cache, update_connect_timestamp};
 use crate::net::proxy::ProxyConfig;
 use crate::net::session::SessionBufStream;
-use crate::net::tls::{SpkiHashStore, TlsSessionStore, wrap_tls};
+use crate::net::tls::{TlsSessionStore, wrap_tls};
 use crate::net::{
     connect_tcp_inner, connect_tls_inner, run_connection_attempts, update_connection_history,
 };
 use crate::oauth2::get_oauth2_access_token;
-use crate::sql::Sql;
 use crate::tools::time;
 use crate::transport::ConnectionCandidate;
 use crate::transport::ConnectionSecurity;
@@ -112,26 +111,10 @@ async fn connection_attempt(
     );
     let res = match security {
         ConnectionSecurity::Tls => {
-            connect_secure(
-                resolved_addr,
-                host,
-                strict_tls,
-                &context.tls_session_store,
-                &context.spki_hash_store,
-                &context.sql,
-            )
-            .await
+            connect_secure(resolved_addr, host, strict_tls, &context.tls_session_store).await
         }
         ConnectionSecurity::Starttls => {
-            connect_starttls(
-                resolved_addr,
-                host,
-                strict_tls,
-                &context.tls_session_store,
-                &context.spki_hash_store,
-                &context.sql,
-            )
-            .await
+            connect_starttls(resolved_addr, host, strict_tls, &context.tls_session_store).await
         }
         ConnectionSecurity::Plain => connect_insecure(resolved_addr).await,
     };
@@ -257,8 +240,6 @@ async fn connect_secure_proxy(
         alpn(port),
         proxy_stream,
         &context.tls_session_store,
-        &context.spki_hash_store,
-        &context.sql,
     )
     .await?;
     let mut buffered_stream = BufStream::new(tls_stream);
@@ -292,8 +273,6 @@ async fn connect_starttls_proxy(
         "",
         tcp_stream,
         &context.tls_session_store,
-        &context.spki_hash_store,
-        &context.sql,
     )
     .await
     .context("STARTTLS upgrade failed")?;
@@ -320,8 +299,6 @@ async fn connect_secure(
     hostname: &str,
     strict_tls: bool,
     tls_session_store: &TlsSessionStore,
-    spki_hash_store: &SpkiHashStore,
-    sql: &Sql,
 ) -> Result<Box<dyn SessionBufStream>> {
     let tls_stream = connect_tls_inner(
         addr,
@@ -329,8 +306,6 @@ async fn connect_secure(
         strict_tls,
         alpn(addr.port()),
         tls_session_store,
-        spki_hash_store,
-        sql,
     )
     .await?;
     let mut buffered_stream = BufStream::new(tls_stream);
@@ -344,8 +319,6 @@ async fn connect_starttls(
     host: &str,
     strict_tls: bool,
     tls_session_store: &TlsSessionStore,
-    spki_hash_store: &SpkiHashStore,
-    sql: &Sql,
 ) -> Result<Box<dyn SessionBufStream>> {
     let use_sni = false;
     let tcp_stream = connect_tcp_inner(addr).await?;
@@ -363,8 +336,6 @@ async fn connect_starttls(
         "",
         tcp_stream,
         tls_session_store,
-        spki_hash_store,
-        sql,
     )
     .await
     .context("STARTTLS upgrade failed")?;

src/sql/migrations.rs

@@ -2316,18 +2316,6 @@ ALTER TABLE contacts ADD COLUMN name_normalized TEXT;
         .await?;
     }
 
-    inc_and_check(&mut migration_version, 150)?;
-    if dbversion < migration_version {
-        sql.execute_migration(
-            "CREATE TABLE tls_spki (
-               host TEXT NOT NULL UNIQUE,
-               spki_hash TEXT NOT NULL -- base64 of SPKI SHA-256 hash
-             ) STRICT",
-            migration_version,
-        )
-        .await?;
-    }
-
     let new_version = sql
         .get_raw_config_int(VERSION_CFG)
         .await?

src/test_utils.rs

@@ -40,7 +40,6 @@ use crate::message::{Message, MessageState, MsgId, update_msg_state};
 use crate::mimeparser::{MimeMessage, SystemMessage};
 use crate::receive_imf::receive_imf;
 use crate::securejoin::{get_securejoin_qr, join_securejoin};
-use crate::smtp::msg_has_pending_smtp_job;
 use crate::stock_str::StockStrings;
 use crate::tools::time;
 
@@ -659,7 +658,10 @@ impl TestContext {
             .execute("DELETE FROM smtp WHERE id=?;", (rowid,))
             .await
             .expect("failed to remove job");
-        if !msg_has_pending_smtp_job(self, msg_id)
+        if !self
+            .ctx
+            .sql
+            .exists("SELECT COUNT(*) FROM smtp WHERE msg_id=?", (msg_id,))
             .await
             .expect("Failed to check for more jobs")
         {