feat: protect Autocrypt header

link2xt · link2xt · commit 64ece5cf8f6c · 2025-08-12T22:25:35.000Z
diff --git a/src/config.rs b/src/config.rs
@@ -396,12 +396,6 @@ pub enum Config {
     /// Make all outgoing messages with Autocrypt header "multipart/signed".
     SignUnencrypted,
 
-    /// Enable header protection for `Autocrypt` header.
-    ///
-    /// This is an experimental setting not compatible to other MUAs
-    /// and older Delta Chat versions (core version <= v1.149.0).
-    ProtectAutocrypt,
-
     /// Let the core save all events to the database.
     /// This value is used internally to remember the MsgId of the logging xdc
     #[strum(props(default = "0"))]
diff --git a/src/context.rs b/src/context.rs
@@ -1033,12 +1033,6 @@ impl Context {
                 .await?
                 .to_string(),
         );
-        res.insert(
-            "protect_autocrypt",
-            self.get_config_int(Config::ProtectAutocrypt)
-                .await?
-                .to_string(),
-        );
         res.insert(
             "debug_logging",
             self.get_config_int(Config::DebugLogging).await?.to_string(),
diff --git a/src/mimefactory.rs b/src/mimefactory.rs
@@ -967,10 +967,6 @@ impl MimeFactory {
                 hidden_headers.push(header.clone());
             } else if is_hidden(&header_name) {
                 hidden_headers.push(header.clone());
-            } else if header_name == "autocrypt"
-                && !context.get_config_bool(Config::ProtectAutocrypt).await?
-            {
-                unprotected_headers.push(header.clone());
             } else if header_name == "from" {
                 // Unencrypted securejoin messages should _not_ include the display name:
                 if is_encrypted || !is_securejoin_message {
diff --git a/src/mimefactory/mimefactory_tests.rs b/src/mimefactory/mimefactory_tests.rs
@@ -663,7 +663,7 @@ async fn test_selfavatar_unencrypted_signed() {
     assert_eq!(part.match_indices("From:").count(), 1);
     assert_eq!(part.match_indices("Message-ID:").count(), 0);
     assert_eq!(part.match_indices("Subject:").count(), 1);
-    assert_eq!(part.match_indices("Autocrypt:").count(), 0);
+    assert_eq!(part.match_indices("Autocrypt:").count(), 1);
     assert_eq!(part.match_indices("Chat-User-Avatar:").count(), 0);
 
     let part = payload.next().unwrap();
@@ -714,7 +714,7 @@ async fn test_selfavatar_unencrypted_signed() {
     assert_eq!(part.match_indices("From:").count(), 1);
     assert_eq!(part.match_indices("Message-ID:").count(), 0);
     assert_eq!(part.match_indices("Subject:").count(), 1);
-    assert_eq!(part.match_indices("Autocrypt:").count(), 0);
+    assert_eq!(part.match_indices("Autocrypt:").count(), 1);
     assert_eq!(part.match_indices("Chat-User-Avatar:").count(), 0);
 
     let part = payload.next().unwrap();
diff --git a/src/mimeparser/mimeparser_tests.rs b/src/mimeparser/mimeparser_tests.rs
@@ -1819,39 +1819,6 @@ async fn test_take_last_header() {
     );
 }
 
-async fn test_protect_autocrypt(enabled: bool) -> Result<()> {
-    let mut tcm = TestContextManager::new();
-    let alice = &tcm.alice().await;
-    let bob = &tcm.bob().await;
-
-    let chat = alice.create_chat(bob).await;
-    alice
-        .set_config_bool(Config::ProtectAutocrypt, enabled)
-        .await?;
-    let sent = alice.send_text(chat.id, "Hello!").await;
-    assert_eq!(sent.payload().contains("Autocrypt: "), !enabled);
-    let msg = bob.recv_msg(&sent).await;
-    assert_eq!(msg.get_showpadlock(), true);
-
-    Ok(())
-}
-
-/// Tests that if `protect_autocrypt` is enabled,
-/// `Autocrypt` header does not appear in the outer headers
-/// of encrypted messages.
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn test_protect_autocrypt_enabled() -> Result<()> {
-    test_protect_autocrypt(true).await
-}
-
-/// Tests that if `protect_autocrypt` is disabled,
-/// `Autocrypt` header appears in the outer headers
-/// of encrypted messages.
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn test_protect_autocrypt_false() -> Result<()> {
-    test_protect_autocrypt(false).await
-}
-
 /// Tests that CRLF before MIME boundary
 /// is not treated as the part body.
 ///
diff --git a/src/tests/aeap.rs b/src/tests/aeap.rs
@@ -217,10 +217,12 @@ async fn test_aeap_replay_attack() -> Result<()> {
     // Fiona gets the message, replaces the From addr...
     let sent = sent
         .payload()
-        .replace("From: <alice@example.org>", "From: <fiona@example.net>")
-        .replace("addr=alice@example.org;", "addr=fiona@example.net;");
+        .replace("From: <alice@example.org>", "From: <fiona@example.net>");
     sent.find("From: <fiona@example.net>").unwrap(); // Assert that it worked
-    sent.find("addr=fiona@example.net;").unwrap(); // Assert that it worked
+
+    // Autocrypt header is protected, nothing to replace outside.
+    // In the signed part we cannot replace it without breaking the signature.
+    assert!(!sent.contains("addr=alice@example.org;"));
 
     tcm.section("Fiona replaced the From addr and forwards the message to Bob");
     receive_imf(&bob, sent.as_bytes(), false).await?.unwrap();

-Original file line number
+Diff line change
     // Fiona gets the message, replaces the From addr...
     let sent = sent
         .payload()
 -        .replace("From: <[email protected]>", "From: <[email protected]>")
 -        .replace("[email protected];", "[email protected];");
 +        .replace("From: <[email protected]>", "From: <[email protected]>");
     sent.find("From: <[email protected]>").unwrap(); // Assert that it worked
 -    sent.find("[email protected];").unwrap(); // Assert that it worked
++
 +    // Autocrypt header is protected, nothing to replace outside.
 +    // In the signed part we cannot replace it without breaking the signature.
 +    assert!(!sent.contains("[email protected];"));
     tcm.section("Fiona replaced the From addr and forwards the message to Bob");
     receive_imf(&bob, sent.as_bytes(), false).await?.unwrap();