From fc30aa959d2c3f284961e32cf13141ebc51c8316 Mon Sep 17 00:00:00 2001
From: iequidoo <dgreshilov@gmail.com>
Date: Sun, 26 Oct 2025 16:33:21 -0300
Subject: [PATCH 1/4] feat: Ignore unprotected headers if Content-Type has "hp"
 parameter (#7130)

This is a part of implementation of https://www.rfc-editor.org/rfc/rfc9788 "Header Protection for
Cryptographically Protected Email".
---
 src/mimeparser.rs | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/src/mimeparser.rs b/src/mimeparser.rs
index 5d103eef62..1891de91ea 100644
--- a/src/mimeparser.rs
+++ b/src/mimeparser.rs
@@ -271,7 +271,7 @@ impl MimeMessage {
             &mut from,
             &mut list_post,
             &mut chat_disposition_notification_to,
-            &mail.headers,
+            &mail,
         );
         headers.retain(|k, _| {
             !is_hidden(k) || {
@@ -299,7 +299,7 @@ impl MimeMessage {
                         &mut from,
                         &mut list_post,
                         &mut chat_disposition_notification_to,
-                        &part.headers,
+                        part,
                     );
                     (part, part.ctype.mimetype.parse::<Mime>()?)
                 } else {
@@ -536,7 +536,7 @@ impl MimeMessage {
                 &mut inner_from,
                 &mut list_post,
                 &mut chat_disposition_notification_to,
-                &mail.headers,
+                mail,
             );
 
             if !signatures.is_empty() {
@@ -1632,6 +1632,11 @@ impl MimeMessage {
         }
     }
 
+    /// Merges headers from the email `part` into `headers` respecting header protection.
+    /// Should only be called with nonempty `headers` if `part` is a root of the Cryptographic
+    /// Payload as defined in <https://www.rfc-editor.org/rfc/rfc9788.html> "Header Protection for
+    /// Cryptographically Protected Email", otherwise this may unnecessarily discard headers from
+    /// outer parts.
     #[allow(clippy::too_many_arguments)]
     fn merge_headers(
         context: &Context,
@@ -1642,10 +1647,14 @@ impl MimeMessage {
         from: &mut Option<SingleInfo>,
         list_post: &mut Option<String>,
         chat_disposition_notification_to: &mut Option<SingleInfo>,
-        fields: &[mailparse::MailHeader<'_>],
+        part: &mailparse::ParsedMail,
     ) {
+        let fields = &part.headers;
+        // See <https://www.rfc-editor.org/rfc/rfc9788.html>.
+        let has_header_protection = part.ctype.params.contains_key("hp");
+
         headers.retain(|k, _| {
-            !is_protected(k) || {
+            !(has_header_protection || is_protected(k)) || {
                 headers_removed.insert(k.to_string());
                 false
             }
@@ -2096,7 +2105,8 @@ pub(crate) fn parse_message_id(ids: &str) -> Result<String> {
 }
 
 /// Returns whether the outer header value must be ignored if the message contains a signed (and
-/// optionally encrypted) part.
+/// optionally encrypted) part. This is independent from the modern Header Protection defined in
+/// <https://www.rfc-editor.org/rfc/rfc9788.html>.
 ///
 /// NB: There are known cases when Subject and List-ID only appear in the outer headers of
 /// signed-only messages. Such messages are shown as unencrypted anyway.

From a6c8f8d8a98df3e4167aa4a5eb43da37bcd68355 Mon Sep 17 00:00:00 2001
From: iequidoo <dgreshilov@gmail.com>
Date: Tue, 28 Oct 2025 04:48:15 -0300
Subject: [PATCH 2/4] feat: mimeparser: Omit Legacy Display Elements (#7130)

Omit Legacy Display Elements from "text/plain" and "text/html" (implement 4.5.3.{2,3} of
https://www.rfc-editor.org/rfc/rfc9788 "Header Protection for Cryptographically Protected Email").
---
 src/config.rs                      |  5 ++++
 src/context.rs                     | 19 ++++++++++++
 src/dehtml.rs                      | 46 ++++++++++++++++++++++------
 src/mimefactory.rs                 |  6 ++++
 src/mimeparser.rs                  | 48 +++++++++++++++++++++++++-----
 src/mimeparser/mimeparser_tests.rs | 33 ++++++++++++++++++++
 src/test_utils.rs                  |  1 -
 7 files changed, 140 insertions(+), 18 deletions(-)

diff --git a/src/config.rs b/src/config.rs
index 7cb7617f1d..f8e3c8ed95 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -438,6 +438,11 @@ pub enum Config {
     /// storing the same token multiple times on the server.
     EncryptedDeviceToken,
 
+    /// Enables running test hooks, e.g. see `InnerContext::pre_encrypt_mime_hook`.
+    /// This way is better than conditional compilation, i.e. `#[cfg(test)]`, because tests not
+    /// using this still run unmodified code.
+    TestHooks,
+
     /// Return an error from `receive_imf_inner()` for a fully downloaded message. For tests.
     FailOnReceivingFullMsg,
 }
diff --git a/src/context.rs b/src/context.rs
index 9287777c96..8574ceb5c3 100644
--- a/src/context.rs
+++ b/src/context.rs
@@ -303,6 +303,17 @@ pub struct InnerContext {
     /// `Connectivity` values for mailboxes, unordered. Used to compute the aggregate connectivity,
     /// see [`Context::get_connectivity()`].
     pub(crate) connectivities: parking_lot::Mutex<Vec<ConnectivityStore>>,
+
+    #[expect(clippy::type_complexity)]
+    /// Transforms the root of the cryptographic payload before encryption.
+    pub(crate) pre_encrypt_mime_hook: parking_lot::Mutex<
+        Option<
+            for<'a> fn(
+                &Context,
+                mail_builder::mime::MimePart<'a>,
+            ) -> mail_builder::mime::MimePart<'a>,
+        >,
+    >,
 }
 
 /// The state of ongoing process.
@@ -467,6 +478,7 @@ impl Context {
             iroh: Arc::new(RwLock::new(None)),
             self_fingerprint: OnceLock::new(),
             connectivities: parking_lot::Mutex::new(Vec::new()),
+            pre_encrypt_mime_hook: None.into(),
         };
 
         let ctx = Context {
@@ -1051,6 +1063,13 @@ impl Context {
                 .await?
                 .to_string(),
         );
+        res.insert(
+            "test_hooks",
+            self.sql
+                .get_raw_config("test_hooks")
+                .await?
+                .unwrap_or_default(),
+        );
         res.insert(
             "fail_on_receiving_full_msg",
             self.sql
diff --git a/src/dehtml.rs b/src/dehtml.rs
index a6d70b1f7d..12cd4e6098 100644
--- a/src/dehtml.rs
+++ b/src/dehtml.rs
@@ -13,6 +13,7 @@ use quick_xml::{
 
 use crate::simplify::{SimplifiedText, simplify_quote};
 
+#[derive(Default)]
 struct Dehtml {
     strbuilder: String,
     quote: String,
@@ -25,6 +26,9 @@ struct Dehtml {
     /// Everything between `<div name="quote">` and `<div name="quoted-content">` is usually metadata
     /// If this is > `0`, then we are inside a `<div name="quoted-content">`.
     divs_since_quoted_content_div: u32,
+    /// `<div class="header-protection-legacy-display">` elements should be omitted, see
+    /// <https://www.rfc-editor.org/rfc/rfc9788.html#section-4.5.3.3>.
+    divs_since_hp_legacy_display: u32,
     /// All-Inkl just puts the quote into `<blockquote> </blockquote>`. This count is
     /// increased at each `<blockquote>` and decreased at each `</blockquote>`.
     blockquotes_since_blockquote: u32,
@@ -48,20 +52,25 @@ impl Dehtml {
     }
 
     fn get_add_text(&self) -> AddText {
-        if self.divs_since_quote_div > 0 && self.divs_since_quoted_content_div == 0 {
-            AddText::No // Everything between `<div name="quoted">` and `<div name="quoted_content">` is metadata which we don't want
+        // Everything between `<div name="quoted">` and `<div name="quoted_content">` is
+        // metadata which we don't want.
+        if self.divs_since_quote_div > 0 && self.divs_since_quoted_content_div == 0
+            || self.divs_since_hp_legacy_display > 0
+        {
+            AddText::No
         } else {
             self.add_text
         }
     }
 }
 
-#[derive(Debug, PartialEq, Clone, Copy)]
+#[derive(Debug, Default, PartialEq, Clone, Copy)]
 enum AddText {
     /// Inside `<script>`, `<style>` and similar tags
     /// which contents should not be displayed.
     No,
 
+    #[default]
     YesRemoveLineEnds,
 
     /// Inside `<pre>`.
@@ -121,12 +130,7 @@ fn dehtml_quick_xml(buf: &str) -> (String, String) {
 
     let mut dehtml = Dehtml {
         strbuilder: String::with_capacity(buf.len()),
-        quote: String::new(),
-        add_text: AddText::YesRemoveLineEnds,
-        last_href: None,
-        divs_since_quote_div: 0,
-        divs_since_quoted_content_div: 0,
-        blockquotes_since_blockquote: 0,
+        ..Default::default()
     };
 
     let mut reader = quick_xml::Reader::from_str(buf);
@@ -244,6 +248,7 @@ fn dehtml_endtag_cb(event: &BytesEnd, dehtml: &mut Dehtml) {
         "div" => {
             pop_tag(&mut dehtml.divs_since_quote_div);
             pop_tag(&mut dehtml.divs_since_quoted_content_div);
+            pop_tag(&mut dehtml.divs_since_hp_legacy_display);
 
             *dehtml.get_buf() += "\n\n";
             dehtml.add_text = AddText::YesRemoveLineEnds;
@@ -295,6 +300,8 @@ fn dehtml_starttag_cb<B: std::io::BufRead>(
         "div" => {
             maybe_push_tag(event, reader, "quote", &mut dehtml.divs_since_quote_div);
             maybe_push_tag(event, reader, "quoted-content", &mut dehtml.divs_since_quoted_content_div);
+            maybe_push_tag(event, reader, "header-protection-legacy-display",
+                &mut dehtml.divs_since_hp_legacy_display);
 
             *dehtml.get_buf() += "\n\n";
             dehtml.add_text = AddText::YesRemoveLineEnds;
@@ -539,6 +546,27 @@ mod tests {
         assert_eq!(txt.text.trim(), "two\nlines");
     }
 
+    #[test]
+    fn test_hp_legacy_display() {
+        let input = r#"
+<html><head><title></title></head><body>
+<div class="header-protection-legacy-display">
+<pre>Subject: Dinner plans</pre>
+</div>
+<p>
+Let's meet at Rama's Roti Shop at 8pm and go to the park
+from there.
+</p>
+</body>
+</html>
+        "#;
+        let txt = dehtml(input).unwrap();
+        assert_eq!(
+            txt.text.trim(),
+            "Let's meet at Rama's Roti Shop at 8pm and go to the park from there."
+        );
+    }
+
     #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
     async fn test_quote_div() {
         let input = include_str!("../test-data/message/gmx-quote-body.eml");
diff --git a/src/mimefactory.rs b/src/mimefactory.rs
index e9b76aa72d..3370959915 100644
--- a/src/mimefactory.rs
+++ b/src/mimefactory.rs
@@ -1232,6 +1232,12 @@ impl MimeFactory {
             // once new core versions are sufficiently deployed.
             let anonymous_recipients = false;
 
+            if context.get_config_bool(Config::TestHooks).await? {
+                if let Some(hook) = &*context.pre_encrypt_mime_hook.lock() {
+                    message = hook(context, message);
+                }
+            }
+
             let encrypted = if let Some(shared_secret) = shared_secret {
                 encrypt_helper
                     .encrypt_symmetrically(context, &shared_secret, message, compress)
diff --git a/src/mimeparser.rs b/src/mimeparser.rs
index 1891de91ea..703b16469e 100644
--- a/src/mimeparser.rs
+++ b/src/mimeparser.rs
@@ -1323,6 +1323,10 @@ impl MimeMessage {
                             let is_html = mime_type == mime::TEXT_HTML;
                             if is_html {
                                 self.is_mime_modified = true;
+                                // NB: This unconditionally removes Legacy Display Elements (see
+                                // <https://www.rfc-editor.org/rfc/rfc9788.html#section-4.5.3.3>). We
+                                // don't check for the "hp-legacy-display" Content-Type parameter
+                                // for simplicity.
                                 if let Some(text) = dehtml(&decoded_data) {
                                     text
                                 } else {
@@ -1350,16 +1354,30 @@ impl MimeMessage {
 
                         let (simplified_txt, simplified_quote) = if mime_type.type_() == mime::TEXT
                             && mime_type.subtype() == mime::PLAIN
-                            && is_format_flowed
                         {
-                            let delsp = if let Some(delsp) = mail.ctype.params.get("delsp") {
-                                delsp.as_str().eq_ignore_ascii_case("yes")
-                            } else {
-                                false
+                            // Don't check that we're inside an encrypted or signed part for
+                            // simplicity.
+                            let simplified_txt = match mail
+                                .ctype
+                                .params
+                                .get("hp-legacy-display")
+                                .is_some_and(|v| v == "1")
+                            {
+                                false => simplified_txt,
+                                true => rm_legacy_display_elements(&simplified_txt),
                             };
-                            let unflowed_text = unformat_flowed(&simplified_txt, delsp);
-                            let unflowed_quote = top_quote.map(|q| unformat_flowed(&q, delsp));
-                            (unflowed_text, unflowed_quote)
+                            if is_format_flowed {
+                                let delsp = if let Some(delsp) = mail.ctype.params.get("delsp") {
+                                    delsp.as_str().eq_ignore_ascii_case("yes")
+                                } else {
+                                    false
+                                };
+                                let unflowed_text = unformat_flowed(&simplified_txt, delsp);
+                                let unflowed_quote = top_quote.map(|q| unformat_flowed(&q, delsp));
+                                (unflowed_text, unflowed_quote)
+                            } else {
+                                (simplified_txt, top_quote)
+                            }
                         } else {
                             (simplified_txt, top_quote)
                         };
@@ -1981,6 +1999,20 @@ impl MimeMessage {
     }
 }
 
+fn rm_legacy_display_elements(text: &str) -> String {
+    let mut res = None;
+    for l in text.lines() {
+        res = res.map(|r: String| match r.is_empty() {
+            true => l.to_string(),
+            false => r + "\r\n" + l,
+        });
+        if l.is_empty() {
+            res = Some(String::new());
+        }
+    }
+    res.unwrap_or_default()
+}
+
 fn remove_header(
     headers: &mut HashMap<String, String>,
     key: &str,
diff --git a/src/mimeparser/mimeparser_tests.rs b/src/mimeparser/mimeparser_tests.rs
index 19060f37c4..101966c697 100644
--- a/src/mimeparser/mimeparser_tests.rs
+++ b/src/mimeparser/mimeparser_tests.rs
@@ -1751,6 +1751,39 @@ async fn test_time_in_future() -> Result<()> {
     Ok(())
 }
 
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn test_hp_legacy_display() -> Result<()> {
+    let mut tcm = TestContextManager::new();
+    let alice = &tcm.alice().await;
+    let bob = &tcm.bob().await;
+
+    let mut msg = Message::new_text(
+        "Subject: Dinner plans\n\
+        \n\
+        Let's eat"
+            .to_string(),
+    );
+    msg.set_subject("Dinner plans".to_string());
+    let chat_id = alice.create_chat(bob).await.id;
+    alice.set_config_bool(Config::TestHooks, true).await?;
+    *alice.pre_encrypt_mime_hook.lock() = Some(|_, mut mime| {
+        for (h, v) in &mut mime.headers {
+            if h == "Content-Type" {
+                if let mail_builder::headers::HeaderType::ContentType(ct) = v {
+                    *ct = ct.clone().attribute("hp-legacy-display", "1");
+                }
+            }
+        }
+        mime
+    });
+    let sent_msg = alice.send_msg(chat_id, &mut msg).await;
+
+    let msg_bob = bob.recv_msg(&sent_msg).await;
+    assert_eq!(msg_bob.subject, "Dinner plans");
+    assert_eq!(msg_bob.text, "Let's eat");
+    Ok(())
+}
+
 /// Tests that subject is not prepended to the message
 /// when bot receives it.
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
diff --git a/src/test_utils.rs b/src/test_utils.rs
index 683e39e582..678b928046 100644
--- a/src/test_utils.rs
+++ b/src/test_utils.rs
@@ -1679,7 +1679,6 @@ Until the false-positive is fixed:
     }
 }
 
-#[cfg(test)]
 mod tests {
     use super::*;
 

From 46cf8a893a3e6243383a38e0b9238bccb9548289 Mon Sep 17 00:00:00 2001
From: iequidoo <dgreshilov@gmail.com>
Date: Tue, 28 Oct 2025 15:36:08 -0300
Subject: [PATCH 3/4] feat: Add Config::StdHeaderProtectionComposing (enables
 composing as defined in RFC 9788) (#7130)

And enable it by default as the standard Header Protection is backward-compatible.

Also this tests extra IMF header removal when a message has standard Header Protection since now we
can send such messages.
---
 src/config.rs                        |  6 +++++
 src/context.rs                       |  7 ++++++
 src/mimefactory.rs                   | 35 ++++++++++++++++++++++++++--
 src/mimefactory/mimefactory_tests.rs |  4 ++--
 src/mimeparser/mimeparser_tests.rs   | 30 ++++++++++++++----------
 5 files changed, 66 insertions(+), 16 deletions(-)

diff --git a/src/config.rs b/src/config.rs
index f8e3c8ed95..b4b504666e 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -445,6 +445,12 @@ pub enum Config {
 
     /// Return an error from `receive_imf_inner()` for a fully downloaded message. For tests.
     FailOnReceivingFullMsg,
+
+    /// Enable composing emails with Header Protection as defined in
+    /// <https://www.rfc-editor.org/rfc/rfc9788.html> "Header Protection for Cryptographically
+    /// Protected Email".
+    #[strum(props(default = "1"))]
+    StdHeaderProtectionComposing,
 }
 
 impl Config {
diff --git a/src/context.rs b/src/context.rs
index 8574ceb5c3..610b2887cb 100644
--- a/src/context.rs
+++ b/src/context.rs
@@ -1077,6 +1077,13 @@ impl Context {
                 .await?
                 .unwrap_or_default(),
         );
+        res.insert(
+            "std_header_protection_composing",
+            self.sql
+                .get_raw_config("std_header_protection_composing")
+                .await?
+                .unwrap_or_default(),
+        );
 
         let elapsed = time_elapsed(&self.creation_time);
         res.insert("uptime", duration_to_str(elapsed));
diff --git a/src/mimefactory.rs b/src/mimefactory.rs
index 3370959915..00e02fb371 100644
--- a/src/mimefactory.rs
+++ b/src/mimefactory.rs
@@ -1083,6 +1083,9 @@ impl MimeFactory {
             }
         }
 
+        let use_std_header_protection = context
+            .get_config_bool(Config::StdHeaderProtectionComposing)
+            .await?;
         let outer_message = if let Some(encryption_pubkeys) = self.encryption_pubkeys {
             // Store protected headers in the inner message.
             let message = protected_headers
@@ -1098,6 +1101,22 @@ impl MimeFactory {
                     message.header(header, value)
                 });
 
+            if use_std_header_protection {
+                message = unprotected_headers
+                    .iter()
+                    // Structural headers shouldn't be added as "HP-Outer". They are defined in
+                    // <https://www.rfc-editor.org/rfc/rfc9787.html#structural-header-fields>.
+                    .filter(|(name, _)| {
+                        !(name.eq_ignore_ascii_case("mime-version")
+                            || name.eq_ignore_ascii_case("content-type")
+                            || name.eq_ignore_ascii_case("content-transfer-encoding")
+                            || name.eq_ignore_ascii_case("content-disposition"))
+                    })
+                    .fold(message, |message, (name, value)| {
+                        message.header(format!("HP-Outer: {name}"), value.clone())
+                    });
+            }
+
             // Add gossip headers in chats with multiple recipients
             let multiple_recipients =
                 encryption_pubkeys.len() > 1 || context.get_config_bool(Config::BccSelf).await?;
@@ -1187,7 +1206,13 @@ impl MimeFactory {
             for (h, v) in &mut message.headers {
                 if h == "Content-Type" {
                     if let mail_builder::headers::HeaderType::ContentType(ct) = v {
-                        *ct = ct.clone().attribute("protected-headers", "v1");
+                        let mut ct_new = ct.clone();
+                        ct_new = ct_new.attribute("protected-headers", "v1");
+                        if use_std_header_protection {
+                            ct_new = ct_new.attribute("hp", "cipher");
+                        }
+                        *ct = ct_new;
+                        break;
                     }
                 }
             }
@@ -1325,7 +1350,13 @@ impl MimeFactory {
                 for (h, v) in &mut message.headers {
                     if h == "Content-Type" {
                         if let mail_builder::headers::HeaderType::ContentType(ct) = v {
-                            *ct = ct.clone().attribute("protected-headers", "v1");
+                            let mut ct_new = ct.clone();
+                            ct_new = ct_new.attribute("protected-headers", "v1");
+                            if use_std_header_protection {
+                                ct_new = ct_new.attribute("hp", "clear");
+                            }
+                            *ct = ct_new;
+                            break;
                         }
                     }
                 }
diff --git a/src/mimefactory/mimefactory_tests.rs b/src/mimefactory/mimefactory_tests.rs
index 61cf0fec1e..ce8b12c872 100644
--- a/src/mimefactory/mimefactory_tests.rs
+++ b/src/mimefactory/mimefactory_tests.rs
@@ -832,8 +832,8 @@ async fn test_protected_headers_directive() -> Result<()> {
             .count(),
         1
     );
-    assert_eq!(part.match_indices("Subject:").count(), 1);
-
+    assert_eq!(part.match_indices("Subject:").count(), 2);
+    assert_eq!(part.match_indices("HP-Outer: Subject:").count(), 1);
     Ok(())
 }
 
diff --git a/src/mimeparser/mimeparser_tests.rs b/src/mimeparser/mimeparser_tests.rs
index 101966c697..0059039b07 100644
--- a/src/mimeparser/mimeparser_tests.rs
+++ b/src/mimeparser/mimeparser_tests.rs
@@ -1401,22 +1401,28 @@ async fn test_x_microsoft_original_message_id_precedence() -> Result<()> {
 }
 
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn test_extra_imf_chat_header() -> Result<()> {
+async fn test_extra_imf_headers() -> Result<()> {
     let mut tcm = TestContextManager::new();
     let t = &tcm.alice().await;
     let chat_id = t.get_self_chat().await.id;
 
-    chat::send_text_msg(t, chat_id, "hi!".to_string()).await?;
-    let sent_msg = t.pop_sent_msg().await;
-    // Check removal of some nonexistent "Chat-*" header to protect the code from future breakages.
-    let payload = sent_msg
-        .payload
-        .replace("Message-ID:", "Chat-Forty-Two: 42\r\nMessage-ID:");
-    let msg = MimeMessage::from_bytes(t, payload.as_bytes(), None)
-        .await
-        .unwrap();
-    assert!(msg.headers.contains_key("chat-version"));
-    assert!(!msg.headers.contains_key("chat-forty-two"));
+    for std_hp_composing in [false, true] {
+        t.set_config_bool(Config::StdHeaderProtectionComposing, std_hp_composing)
+            .await?;
+        chat::send_text_msg(t, chat_id, "hi!".to_string()).await?;
+        let sent_msg = t.pop_sent_msg().await;
+        // Check removal of some nonexistent "Chat-*" header to protect the code from future
+        // breakages. But headers not prefixed with "Chat-" remain unless a message has standard
+        // Header Protection.
+        let payload = sent_msg.payload.replace(
+            "Message-ID:",
+            "Chat-Forty-Two: 42\r\nForty-Two: 42\r\nMessage-ID:",
+        );
+        let msg = MimeMessage::from_bytes(t, payload.as_bytes(), None).await?;
+        assert!(msg.headers.contains_key("chat-version"));
+        assert!(!msg.headers.contains_key("chat-forty-two"));
+        assert_ne!(msg.headers.contains_key("forty-two"), std_hp_composing);
+    }
     Ok(())
 }
 

From c9a7237fead5e31cd3e7bafce9041076bfdb7da7 Mon Sep 17 00:00:00 2001
From: iequidoo <dgreshilov@gmail.com>
Date: Mon, 3 Nov 2025 15:47:44 -0300
Subject: [PATCH 4/4] test: HP-Outer headers are added to messages with
 standard Header Protection (#7130)

---
 src/chat/chat_tests.rs               | 22 ++++++++--------------
 src/headerdef.rs                     |  3 +++
 src/mimefactory/mimefactory_tests.rs | 24 ++++++++++++++++++++++++
 src/mimeparser.rs                    |  8 ++++++++
 4 files changed, 43 insertions(+), 14 deletions(-)

diff --git a/src/chat/chat_tests.rs b/src/chat/chat_tests.rs
index a82cd6305a..57821f6a87 100644
--- a/src/chat/chat_tests.rs
+++ b/src/chat/chat_tests.rs
@@ -2632,12 +2632,6 @@ async fn test_can_send_group() -> Result<()> {
 /// the recipients can't see the identity of their fellow recipients.
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
 async fn test_broadcast_members_cant_see_each_other() -> Result<()> {
-    fn contains(parsed: &MimeMessage, s: &str) -> bool {
-        assert_eq!(parsed.decrypting_failed, false);
-        let decoded_str = std::str::from_utf8(&parsed.decoded_data).unwrap();
-        decoded_str.contains(s)
-    }
-
     let mut tcm = TestContextManager::new();
     let alice = &tcm.alice().await;
     let bob = &tcm.bob().await;
@@ -2669,8 +2663,8 @@ async fn test_broadcast_members_cant_see_each_other() -> Result<()> {
         );
         let parsed = charlie.parse_msg(&auth_required).await;
         assert!(parsed.get_header(HeaderDef::AutocryptGossip).is_some());
-        assert!(contains(&parsed, "charlie@example.net"));
-        assert_eq!(contains(&parsed, "bob@example.net"), false);
+        assert!(parsed.decoded_data_contains("charlie@example.net"));
+        assert_eq!(parsed.decoded_data_contains("bob@example.net"), false);
 
         let parsed_by_bob = bob.parse_msg(&auth_required).await;
         assert!(parsed_by_bob.decrypting_failed);
@@ -2698,8 +2692,8 @@ async fn test_broadcast_members_cant_see_each_other() -> Result<()> {
         );
         let parsed = charlie.parse_msg(&member_added).await;
         assert!(parsed.get_header(HeaderDef::AutocryptGossip).is_some());
-        assert!(contains(&parsed, "charlie@example.net"));
-        assert_eq!(contains(&parsed, "bob@example.net"), false);
+        assert!(parsed.decoded_data_contains("charlie@example.net"));
+        assert_eq!(parsed.decoded_data_contains("bob@example.net"), false);
 
         let parsed_by_bob = bob.parse_msg(&member_added).await;
         assert!(parsed_by_bob.decrypting_failed);
@@ -2713,8 +2707,8 @@ async fn test_broadcast_members_cant_see_each_other() -> Result<()> {
         let hi_msg = alice.send_text(alice_broadcast_id, "hi").await;
         let parsed = charlie.parse_msg(&hi_msg).await;
         assert_eq!(parsed.header_exists(HeaderDef::AutocryptGossip), false);
-        assert_eq!(contains(&parsed, "charlie@example.net"), false);
-        assert_eq!(contains(&parsed, "bob@example.net"), false);
+        assert_eq!(parsed.decoded_data_contains("charlie@example.net"), false);
+        assert_eq!(parsed.decoded_data_contains("bob@example.net"), false);
 
         let parsed_by_bob = bob.parse_msg(&hi_msg).await;
         assert_eq!(parsed_by_bob.decrypting_failed, false);
@@ -2730,8 +2724,8 @@ async fn test_broadcast_members_cant_see_each_other() -> Result<()> {
             "charlie@example.net alice@example.org"
         );
         let parsed = charlie.parse_msg(&member_removed).await;
-        assert!(contains(&parsed, "charlie@example.net"));
-        assert_eq!(contains(&parsed, "bob@example.net"), false);
+        assert!(parsed.decoded_data_contains("charlie@example.net"));
+        assert_eq!(parsed.decoded_data_contains("bob@example.net"), false);
 
         let parsed_by_bob = bob.parse_msg(&member_removed).await;
         assert!(parsed_by_bob.decrypting_failed);
diff --git a/src/headerdef.rs b/src/headerdef.rs
index 32c2281b58..c57f05033f 100644
--- a/src/headerdef.rs
+++ b/src/headerdef.rs
@@ -138,6 +138,9 @@ pub enum HeaderDef {
     /// Advertised gossip topic for one webxdc.
     IrohGossipTopic,
 
+    /// See <https://www.rfc-editor.org/rfc/rfc9788.html#name-hp-outer-header-field>.
+    HpOuter,
+
     #[cfg(test)]
     TestHeader,
 }
diff --git a/src/mimefactory/mimefactory_tests.rs b/src/mimefactory/mimefactory_tests.rs
index ce8b12c872..da49904da0 100644
--- a/src/mimefactory/mimefactory_tests.rs
+++ b/src/mimefactory/mimefactory_tests.rs
@@ -837,6 +837,30 @@ async fn test_protected_headers_directive() -> Result<()> {
     Ok(())
 }
 
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn test_hp_outer_headers() -> Result<()> {
+    let mut tcm = TestContextManager::new();
+    let t = &tcm.alice().await;
+    let chat_id = t.get_self_chat().await.id;
+
+    for std_hp_composing in [false, true] {
+        t.set_config_bool(Config::StdHeaderProtectionComposing, std_hp_composing)
+            .await?;
+        chat::send_text_msg(t, chat_id, "hi!".to_string()).await?;
+        let sent_msg = t.pop_sent_msg().await;
+        let msg = MimeMessage::from_bytes(t, sent_msg.payload.as_bytes(), None).await?;
+        assert_eq!(msg.header_exists(HeaderDef::HpOuter), std_hp_composing);
+        for hdr in ["Date", "From", "Message-ID"] {
+            assert_eq!(
+                msg.decoded_data_contains(&format!("HP-Outer: {hdr}:")),
+                std_hp_composing,
+            );
+        }
+        assert!(!msg.decoded_data_contains("HP-Outer: Content-Type"));
+    }
+    Ok(())
+}
+
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
 async fn test_dont_remove_self() -> Result<()> {
     let mut tcm = TestContextManager::new();
diff --git a/src/mimeparser.rs b/src/mimeparser.rs
index 703b16469e..4b50ca2e14 100644
--- a/src/mimeparser.rs
+++ b/src/mimeparser.rs
@@ -1007,6 +1007,14 @@ impl MimeMessage {
         self.headers.contains_key(hname) || self.headers_removed.contains(hname)
     }
 
+    #[cfg(test)]
+    /// Returns whether the decrypted data contains the given `&str`.
+    pub(crate) fn decoded_data_contains(&self, s: &str) -> bool {
+        assert!(!self.decrypting_failed);
+        let decoded_str = str::from_utf8(&self.decoded_data).unwrap();
+        decoded_str.contains(s)
+    }
+
     /// Returns `Chat-Group-ID` header value if it is a valid group ID.
     pub fn get_chat_group_id(&self) -> Option<&str> {
         self.get_header(HeaderDef::ChatGroupId)