1896918 - Re-enable LibrePGP AEAD/OCB decryption

Status: RESOLVED FIXED

(MailNews Core :: Security: OpenPGP, enhancement)

Description

[Kai Engert [:KaiE:]]

I suggest that we re-enable support for decrypting OpenPGP messages that use the AEAD/OCB mechanism as implemented by GnuPG.
See bug 1872833 for original background.

I think Thunderbird should not produce such messages. However, GnuPG has already released production versions that produce such messages. Worse, Thunderbird might have already distributed public keys that signal support for being able to decrypt this algorithm (because users had used GnuPG to create or edit their keys, and then imported them into Thunderbird, but Thunderbird didn't remove the feature advertisement flags).

As a result, no longer decrypting such messages in the next Thunderbird release would mean a functional regression.

(This change doesn't mean a general commitment to introduce support for LibrePGP. I think the Thunderbird project should continue to carefully evaluate which specifications it should implement and which protocol versions of key versions it should actively support. However, passively consuming data, where it's possible for us to do easily, seems reasonable.)

Comment 1

[betterbird.project+15@gmail.com]

From a newsgroup:

Aber gut, ich empfehle in diesem Zusammenhang GPG4Win 4.3.1 zu installieren. Dieses Paket enthält die "top-aktuelle" und offizielle Version 2.4.5 der "gpg.exe". Auch für Linux wird gpg in der Version 2.4.5 schon angeboten.

Erzeuge dir mit Kleopatra einen Testschlüssel, welchen du dann in TB/BB /extern/ einbindest:
https://www.barghahn-online.de/Pictures/tb_bb_openpgp_extern.png

Schreibe dir nun selbst eine verschlüsselte Mail. Zum Entschlüsseln dieser Mail benötigst du dann aber einen "top-aktuellen" MUA, der mit OpenPGP in der "top-aktuellen" Version auch umgehen kann.
Ich empfehle in dem Zusammenhang die kostenlosen und aktuellen MUA/NUA "SeaMonkey/2.53.18.2" und "Claws-Mail/4.2.0".

Comment 2

[Kai Engert [:KaiE:]]

Somehow I had missed to push the patch for this one to phabricator.

Comment 3

[Kai Engert [:KaiE:]]

Attachment: Bug 1896918 - Re-enable LibrePGP AEAD/OCB decryption. r=aleca

Comment 4

[Pulsebot]

Pushed by kaie@kuix.de:
https://hg.mozilla.org/comm-central/rev/984db1c42a6f
Re-enable LibrePGP AEAD/OCB decryption. r=aleca

Comment 5

[Kai Engert [:KaiE:]]

Comment on attachment 9407008 [details]
Bug 1896918 - Re-enable LibrePGP AEAD/OCB decryption. r=aleca

[Approval Request Comment]
Regression caused by (bug #): 1872833
User impact if declined: Users cannot decrypt some messages.
Testing completed (on c-c, etc.):
Risk to taking this patch (and alternatives if risky): Very little risk. It's enabling a library feature that was always enabled in stable 115.

Comment 6

[Corey Bryant]

Comment on attachment 9407008 [details]
Bug 1896918 - Re-enable LibrePGP AEAD/OCB decryption. r=aleca

[Triage Comment]
Approved for beta

Comment 7

[Rob Lemley [:rjl]]

Thunderbird 128.0b2:
https://hg.mozilla.org/releases/comm-beta/rev/170993e73ddb