Skip to content

fix: receive_imf: Look up key contact by intended recipient fingerprint (#7661) #7786

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
iequidoo merged 6 commits into from
Jan 30, 2026
Merged

fix: receive_imf: Look up key contact by intended recipient fingerprint (#7661) #7786

iequidoo merged 6 commits into from
Jan 30, 2026

Conversation

@iequidoo
Copy link
Collaborator

@iequidoo iequidoo commented Jan 28, 2026
edited
Loading

For now, do this only for OneOneChat and MailingListOrBroadcast, this is enough to correctly
support messages from modern Delta Chat versions sending Intended Recipient Fingerprint subpackets
and single-recipient messages from modern versions of other MUAs.

Close #7661

test: Message in blocked chat arrives as InSeen -- unrelated, but just a one-line test improvement.

@iequidoo iequidoo marked this pull request as draft January 28, 2026 12:09
iequidoo
iequidoo commented Jan 28, 2026
View reviewed changes
@iequidoo iequidoo changed the title fix: receive_imf: Lookup key contact by intended recipient fingerprint (#7661) fix: receive_imf: Look up key contact by intended recipient fingerprint (#7661) Jan 28, 2026
@iequidoo iequidoo force-pushed the iequidoo/intended-recipient-fps branch from ff3406a to 52a8a4d Compare January 29, 2026 14:52
@iequidoo iequidoo marked this pull request as ready for review January 29, 2026 14:52
@iequidoo iequidoo mentioned this pull request Jan 29, 2026
Closed
iequidoo
iequidoo commented Jan 29, 2026
View reviewed changes
@iequidoo iequidoo requested review from Hocuri and link2xt January 29, 2026 14:57
link2xt
link2xt reviewed Jan 29, 2026
View reviewed changes
link2xt
link2xt approved these changes Jan 29, 2026
View reviewed changes
src/pgp.rs Outdated
chrono::Utc::now().trunc_subsecs(0),
))?);
for key in &public_keys_for_encryption {
if private_key_for_signing.dc_fingerprint().hex()
Copy link
Collaborator

@link2xt link2xt Jan 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm really not fan of having custom logic that is only intended for tests outside the tests. Would rather have test_recv_outgoing_msg_before_securejoin testing only the happy path of everyone using the new client. And if regressions happens, store encrypted messages as blobs in the test data and replay them instead of maintaining the code to regenerate messages as if they are generated by old core.

Copy link
Collaborator

@link2xt link2xt Jan 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not blocking, but if we in the future change the code around here e.g. because this subpacket generation is moved to something like rpgpie or separate crate, will have to change the tests. And it allocates fingerprint string every time message is sent for each recipient just to evaluate to false.

Copy link
Collaborator Author

@iequidoo iequidoo Jan 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And it allocates fingerprint string every time message is sent for each recipient just to evaluate to false.

Thanks, fixed this.

Overall the idea is not even to test compatibility with older versions, but to have the fallback code assigning messages to non-replyable ad hoc groups, if key-contacts can't be looked up for whatever reason, tested, to not offer unencrypted replies forbidden by the standard. Maybe we could just trash messages if so, and add some device message, this depends on how interoperability is important currently.

@link2xt
Copy link
Collaborator

link2xt commented Jan 29, 2026

#7057 is not closed because there is no test?

@iequidoo
test: Encrypted incoming message goes to encrypted 1:1 chat even if r…
fe75dbd 
…eferences messages in ad-hoc group

This is an important thing forgotten to be checked in 3325270.

Also there's another test which currently doesn't work as we want: outgoing encrypted messages
continue to arrive to ad-hoc group even if we already have contact's key. This should be fixed by
sending and receiving Intended Recipient Fingerprint subpackets.

The good thing is that apparently there are no scenarios requiring the contact to update their
software, the user should just update own devices.
@iequidoo
test: Message in blocked chat arrives as InSeen
ff93a43 
It's strange that this wasn't covered by any test.
@iequidoo
refactor: Rename lookup_key_contacts_by_address_list() to lookup_key_…
a23eb8e 
…contacts_fallback_to_chat()

It only looks up contacts by address in the given chat, so `_fallback_to_chat` suffix is more
informative. It's obvious that such a lookup is done by address, there are no other reasonable
options.
@iequidoo
fix: add_or_lookup_key_contacts*(): Advance fingerprint_iter on inval…
8b4b1ee 
…id address
@iequidoo
feat: Trash messages with intended recipient fingerprints, but w/o ou…
8834b4c 
…r one included
@iequidoo iequidoo force-pushed the iequidoo/intended-recipient-fps branch from 52a8a4d to 48467fb Compare January 30, 2026 09:54
@iequidoo
Copy link
Collaborator Author

iequidoo commented Jan 30, 2026
edited
Loading

#7057 is not closed because there is no test?

I just forgot about that issue. It tells that a message not intended to us should appear as an unencrypted message assigned to the outer From. But feat: Trash messages with intended recipient fingerprints, but w/o our one included just trashes such messages. If we decide to keep this logic, despite it's trivial, it's still better to be tested. Probably need to generate such a message using a modified code and put it into test-data.

The standard says

If one or more subpackets of this type are included in a signature, it SHOULD be considered valid only in an encrypted context, where the key it was encrypted to is one of the indicated primary keys or one of their subkeys.

So we can consider such a message as "not valid" and trash it, IMU. EDIT: "it" refers to the signature, so it's signature who is invalid, not the message, so probably indeed we should assign such a message to the outer From and show it as unencrypted.

Otherwise everything important is tested it seems.

EDIT: However, we can already merge this and handle such broken signatures in the right way later. This doesn't look very important. Trashing such messages is also acceptable, basically we can say that we just don't support them.

EDIT: Another option is to treat such messages as forwarded, but still add them as unencrypted. Not going to implement anything of this for now however.

@iequidoo
fix: receive_imf: Look up key contact by intended recipient fingerpri…
1664be5 
…nt (#7661)

For now, do this only for `OneOneChat` and `MailingListOrBroadcast`, this is enough to correctly
support messages from modern Delta Chat versions sending Intended Recipient Fingerprint subpackets
and single-recipient messages from modern versions of other MUAs.
@iequidoo iequidoo force-pushed the iequidoo/intended-recipient-fps branch from 48467fb to 1664be5 Compare January 30, 2026 10:53
@iequidoo iequidoo merged commit 61a8eff into main Jan 30, 2026
18 checks passed
@iequidoo iequidoo deleted the iequidoo/intended-recipient-fps branch January 30, 2026 10:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@link2xt link2xt link2xt approved these changes

@Hocuri Hocuri Awaiting requested review from Hocuri

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Outgoing message got assigned to "Saved messages" instead of 1:1 chat

3 participants

@iequidoo @link2xt