int mutt_body_handler (BODY *b, STATE *s)
{
int plaintext = 0;
- handler_t handler = NULL;
+ handler_t handler = NULL, encrypted_handler = NULL;
int rc = 0;
int oflags = s->flags;
* the only operation needed.
*/
if ((WithCrypto & APPLICATION_PGP) && mutt_is_application_pgp (b))
- handler = crypt_pgp_application_pgp_handler;
+ encrypted_handler = handler = crypt_pgp_application_pgp_handler;
else if (option(OPTREFLOWTEXT) && ascii_strcasecmp ("flowed", mutt_get_parameter ("format", b->parameter)) == 0)
handler = rfc3676_handler;
else
handler = mutt_signed_handler;
}
else if (mutt_is_valid_multipart_pgp_encrypted (b))
- handler = valid_pgp_encrypted_handler;
+ encrypted_handler = handler = valid_pgp_encrypted_handler;
else if (mutt_is_malformed_multipart_pgp_encrypted (b))
- handler = malformed_pgp_encrypted_handler;
+ encrypted_handler = handler = malformed_pgp_encrypted_handler;
if (!handler)
handler = multipart_handler;
plaintext = 1;
}
else if ((WithCrypto & APPLICATION_PGP) && mutt_is_application_pgp (b))
- handler = crypt_pgp_application_pgp_handler;
+ encrypted_handler = handler = crypt_pgp_application_pgp_handler;
else if ((WithCrypto & APPLICATION_SMIME) && mutt_is_application_smime(b))
- handler = crypt_smime_application_smime_handler;
+ encrypted_handler = handler = crypt_smime_application_smime_handler;
}
/* only respect disposition == attachment if we're not
option(OPTVIEWATTACH))) &&
(plaintext || handler))
{
+ /* Prevent encrypted attachments from being included in replies
+ * unless $include_encrypted is set. */
+ if ((s->flags & MUTT_REPLYING) &&
+ (s->flags & MUTT_FIRSTDONE) &&
+ encrypted_handler &&
+ !option (OPTINCLUDEENCRYPTED))
+ goto cleanup;
+
rc = run_decode_and_handler (b, s, handler, plaintext);
}
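Review bot: The `goto cleanup` at the new check leaves `rc` at 0 and writes nothing to `s->fpout`, so the encrypted part silently vanishes from the quoted reply with no marker that anything was withheld; the reader of the reply cannot tell that a part was dropped, which is the kind of silent omission the attachment-disposition branch just below avoids by printing a hint. Consider emitting a short bracketed marker before the jump, in the same style as the existing `fputs (" --]\n", s->fpout);` hint for disposition == attachment, so the omission is visible in the reply body. The comment above the check would also benefit from saying why `MUTT_FIRSTDONE` is part of the condition, since that is the non-obvious term; presumably it exempts the top-level message being replied to and gates only subsequent/nested parts, e.g. `/* MUTT_FIRSTDONE: the outermost part has already been handled, so this is a nested/subsequent encrypted part */` — confirm against where the flag is set. mutt_body_handler's body continues past this hunk, and the `cleanup:` label it jumps to is added in a later hunk.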
/* print hint to use attachment menu for disposition == attachment
fputs (" --]\n", s->fpout);
}
+cleanup:
s->flags = oflags | (s->flags & MUTT_FIRSTDONE);
if (rc)
{
** Controls whether or not a copy of the message(s) you are replying to
** is included in your reply.
*/
+ { "include_encrypted", DT_BOOL, R_NONE, OPTINCLUDEENCRYPTED, 0},
+ /*
+ ** .pp
+ ** Controls whether or not Mutt includes separately encrypted attachment
+ ** contents when replying.
+ ** .pp
+ ** This variable was added to prevent accidental exposure of encrypted
+ ** contents when replying to an attacker. If a previously encrypted message
+ ** were attached by the attacker, they could trick an unwary recipient into
+ ** decrypting and including the message in their reply.
+ */
{ "include_onlyfirst", DT_BOOL, R_NONE, OPTINCLUDEONLYFIRST, 0},
/*
** .pp