From 2965a981b7ec22866fbdf2d567d87e2d068d3617 Mon Sep 17 00:00:00 2001
From: Thomas Bruederli <thomas@roundcube.net>
Date: Fri, 31 Jul 2015 16:04:08 -0400
Subject: [PATCH] Allow to search and import missing PGP pubkeys from keyservers using Publickey.js
---
plugins/enigma/lib/enigma_engine.php | 389 +++++++++++++++++++++++++++++++++++++++++++++++++------
1 files changed, 345 insertions(+), 44 deletions(-)
diff --git a/plugins/enigma/lib/enigma_engine.php b/plugins/enigma/lib/enigma_engine.php
index c3a2e50..0111d93 100644
--- a/plugins/enigma/lib/enigma_engine.php
+++ b/plugins/enigma/lib/enigma_engine.php
@@ -3,23 +3,15 @@
+-------------------------------------------------------------------------+
| Engine of the Enigma Plugin |
| |
- | This program is free software; you can redistribute it and/or modify |
- | it under the terms of the GNU General Public License version 2 |
- | as published by the Free Software Foundation. |
+ | Copyright (C) 2010-2015 The Roundcube Dev Team |
| |
- | This program is distributed in the hope that it will be useful, |
- | but WITHOUT ANY WARRANTY; without even the implied warranty of |
- | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
- | GNU General Public License for more details. |
- | |
- | You should have received a copy of the GNU General Public License along |
- | with this program; if not, write to the Free Software Foundation, Inc., |
- | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
+ | Licensed under the GNU General Public License version 3 or |
+ | any later version with exceptions for skins & plugins. |
+ | See the README file for a full license statement. |
| |
+-------------------------------------------------------------------------+
| Author: Aleksander Machniak <alec@alec.pl> |
+-------------------------------------------------------------------------+
-
*/
/*
@@ -34,12 +26,19 @@
private $enigma;
private $pgp_driver;
private $smime_driver;
+ private $password_time;
- public $decryptions = array();
- public $signatures = array();
- public $signed_parts = array();
+ public $decryptions = array();
+ public $signatures = array();
+ public $signed_parts = array();
+ public $encrypted_parts = array();
- const PASSWORD_TIME = 120;
+ const SIGN_MODE_BODY = 1;
+ const SIGN_MODE_SEPARATE = 2;
+ const SIGN_MODE_MIME = 3;
+
+ const ENCRYPT_MODE_BODY = 1;
+ const ENCRYPT_MODE_MIME = 2;
/**
@@ -50,8 +49,12 @@
$this->rc = rcmail::get_instance();
$this->enigma = $enigma;
+ $this->password_time = $this->rc->config->get('enigma_password_time');
+
// this will remove passwords from session after some time
- $this->get_passwords();
+ if ($this->password_time) {
+ $this->get_passwords();
+ }
}
/**
@@ -125,6 +128,175 @@
}
/**
+ * Handler for message signing
+ *
+ * @param Mail_mime Original message
+ * @param int Encryption mode
+ *
+ * @return enigma_error On error returns error object
+ */
+ function sign_message(&$message, $mode = null)
+ {
+ $mime = new enigma_mime_message($message, enigma_mime_message::PGP_SIGNED);
+ $from = $mime->getFromAddress();
+
+ // find private key
+ $key = $this->find_key($from, true);
+
+ if (empty($key)) {
+ return new enigma_error(enigma_error::E_KEYNOTFOUND);
+ }
+
+ // check if we have password for this key
+ $passwords = $this->get_passwords();
+ $pass = $passwords[$key->id];
+
+ if ($pass === null) {
+ // ask for password
+ $error = array('missing' => array($key->id => $key->name));
+ return new enigma_error(enigma_error::E_BADPASS, '', $error);
+ }
+
+ // select mode
+ switch ($mode) {
+ case self::SIGN_MODE_BODY:
+ $pgp_mode = Crypt_GPG::SIGN_MODE_CLEAR;
+ break;
+
+ case self::SIGN_MODE_MIME:
+ $pgp_mode = Crypt_GPG::SIGN_MODE_DETACHED;
+ break;
+/*
+ case self::SIGN_MODE_SEPARATE:
+ $pgp_mode = Crypt_GPG::SIGN_MODE_NORMAL;
+ break;
+*/
+ default:
+ if ($mime->isMultipart()) {
+ $pgp_mode = Crypt_GPG::SIGN_MODE_DETACHED;
+ }
+ else {
+ $pgp_mode = Crypt_GPG::SIGN_MODE_CLEAR;
+ }
+ }
+
+ // get message body
+ if ($pgp_mode == Crypt_GPG::SIGN_MODE_CLEAR) {
+ // in this mode we'll replace text part
+ // with the one containing signature
+ $body = $message->getTXTBody();
+ }
+ else {
+ // here we'll build PGP/MIME message
+ $body = $mime->getOrigBody();
+ }
+
+ // sign the body
+ $result = $this->pgp_sign($body, $key->id, $pass, $pgp_mode);
+
+ if ($result !== true) {
+ if ($result->getCode() == enigma_error::E_BADPASS) {
+ // ask for password
+ $error = array('missing' => array($key->id => $key->name));
+ return new enigma_error(enigma_error::E_BADPASS, '', $error);
+ }
+
+ return $result;
+ }
+
+ // replace message body
+ if ($pgp_mode == Crypt_GPG::SIGN_MODE_CLEAR) {
+ $message->setTXTBody($body);
+ }
+ else {
+ $mime->addPGPSignature($body);
+ $message = $mime;
+ }
+ }
+
+ /**
+ * Handler for message encryption
+ *
+ * @param Mail_mime Original message
+ * @param int Encryption mode
+ * @param bool Is draft-save action - use only sender's key for encryption
+ *
+ * @return enigma_error On error returns error object
+ */
+ function encrypt_message(&$message, $mode = null, $is_draft = false)
+ {
+ $mime = new enigma_mime_message($message, enigma_mime_message::PGP_ENCRYPTED);
+
+ // always use sender's key
+ $recipients = array($mime->getFromAddress());
+
+ // if it's not a draft we add all recipients' keys
+ if (!$is_draft) {
+ $recipients = array_merge($recipients, $mime->getRecipients());
+ }
+
+ if (empty($recipients)) {
+ return new enigma_error(enigma_error::E_KEYNOTFOUND);
+ }
+
+ $recipients = array_unique($recipients);
+
+ // find recipient public keys
+ foreach ((array) $recipients as $email) {
+ $key = $this->find_key($email);
+
+ if (empty($key)) {
+ return new enigma_error(enigma_error::E_KEYNOTFOUND, '', array(
+ 'missing' => $email
+ ));
+ }
+
+ $keys[] = $key->id;
+ }
+
+ // select mode
+ switch ($mode) {
+ case self::ENCRYPT_MODE_BODY:
+ $encrypt_mode = $mode;
+ break;
+
+ case self::ENCRYPT_MODE_MIME:
+ $encrypt_mode = $mode;
+ break;
+
+ default:
+ $encrypt_mode = $mime->isMultipart() ? self::ENCRYPT_MODE_MIME : self::ENCRYPT_MODE_BODY;
+ }
+
+ // get message body
+ if ($encrypt_mode == self::ENCRYPT_MODE_BODY) {
+ // in this mode we'll replace text part
+ // with the one containing encrypted message
+ $body = $message->getTXTBody();
+ }
+ else {
+ // here we'll build PGP/MIME message
+ $body = $mime->getOrigBody();
+ }
+
+ // sign the body
+ $result = $this->pgp_encrypt($body, $keys);
+
+ if ($result !== true) {
+ return $result;
+ }
+
+ // replace message body
+ if ($encrypt_mode == self::ENCRYPT_MODE_BODY) {
+ $message->setTXTBody($body);
+ }
+ else {
+ $mime->setPGPEncryptedBody($body);
+ $message = $mime;
+ }
+ }
+
+ /**
* Handler for message_part_structure hook.
* Called for every part of the message.
*
@@ -161,6 +333,8 @@
{
// encrypted attachment, see parse_plain_encrypted()
if ($p['part']->need_decryption && $p['part']->body === null) {
+ $this->load_pgp_driver();
+
$storage = $this->rc->get_storage();
$body = $storage->get_message_part($p['object']->uid, $p['part']->mime_id, $p['part'], null, null, true, 0, false);
$result = $this->pgp_decrypt($body);
@@ -186,7 +360,7 @@
$part = $p['structure'];
// exit, if we're already inside a decrypted message
- if ($part->encrypted) {
+ if (in_array($part->mime_id, $this->encrypted_parts)) {
return;
}
@@ -273,7 +447,9 @@
// Verify signature
if ($this->rc->action == 'show' || $this->rc->action == 'preview') {
- $sig = $this->pgp_verify($body);
+ if ($this->rc->config->get('enigma_signatures', true)) {
+ $sig = $this->pgp_verify($body);
+ }
}
// @TODO: Handle big bodies using (temp) files
@@ -323,6 +499,10 @@
*/
private function parse_pgp_signed(&$p)
{
+ if (!$this->rc->config->get('enigma_signatures', true)) {
+ return;
+ }
+
// Verify signature
if ($this->rc->action == 'show' || $this->rc->action == 'preview') {
$this->load_pgp_driver();
@@ -351,9 +531,6 @@
else {
$this->signed_parts[$msg_part->mime_id] = $struct->mime_id;
}
-
- // Remove signature file from attachments list (?)
- unset($struct->parts[1]);
}
}
@@ -366,6 +543,10 @@
private function parse_smime_signed(&$p)
{
return; // @TODO
+
+ if (!$this->rc->config->get('enigma_signatures', true)) {
+ return;
+ }
// Verify signature
if ($this->rc->action == 'show' || $this->rc->action == 'preview') {
@@ -388,9 +569,6 @@
else {
$this->signed_parts[$msg_part->mime_id] = $struct->mime_id;
}
-
- // Remove signature file from attachments list
- unset($struct->parts[1]);
}
}
@@ -402,6 +580,10 @@
*/
private function parse_plain_encrypted(&$p, $body)
{
+ if (!$this->rc->config->get('enigma_decryption', true)) {
+ return;
+ }
+
$this->load_pgp_driver();
$part = $p['structure'];
@@ -411,26 +593,33 @@
// Store decryption status
$this->decryptions[$part->mime_id] = $result;
+ // find parent part ID
+ if (strpos($part->mime_id, '.')) {
+ $items = explode('.', $part->mime_id);
+ array_pop($items);
+ $parent = implode('.', $items);
+ }
+ else {
+ $parent = 0;
+ }
+
// Parse decrypted message
if ($result === true) {
$part->body = $body;
$part->body_modified = true;
- $part->encrypted = true;
+
+ // Remember it was decrypted
+ $this->encrypted_parts[] = $part->mime_id;
+
+ // PGP signed inside? verify signature
+ if (preg_match('/^-----BEGIN PGP SIGNED MESSAGE-----/', $body)) {
+ $this->parse_plain_signed($p, $body);
+ }
// Encrypted plain message may contain encrypted attachments
- // in such case attachments have .pgp extension and application/octet-stream.
+ // in such case attachments have .pgp extension and type application/octet-stream.
// This is what happens when you select "Encrypt each attachment separately
// and send the message using inline PGP" in Thunderbird's Enigmail.
-
- // find parent part ID
- if (strpos($part->mime_id, '.')) {
- $items = explode('.', $part->mime_id);
- array_pop($items);
- $parent = implode('.', $items);
- }
- else {
- $parent = 0;
- }
if ($p['object']->mime_parts[$parent]) {
foreach ((array)$p['object']->mime_parts[$parent]->parts as $p) {
@@ -447,6 +636,19 @@
}
}
}
+ // decryption failed, but the message may have already
+ // been cached with the modified parts (see above),
+ // let's bring the original state back
+ else if ($p['object']->mime_parts[$parent]) {
+ foreach ((array)$p['object']->mime_parts[$parent]->parts as $p) {
+ if ($p->need_decryption && !preg_match('/^(.*)\.pgp$/i', $p->filename, $m)) {
+ // modify filename
+ $p->filename .= '.pgp';
+ // flag the part, it will be decrypted when needed
+ unset($p->need_decryption);
+ }
+ }
+ }
}
/**
@@ -456,6 +658,10 @@
*/
private function parse_pgp_encrypted(&$p)
{
+ if (!$this->rc->config->get('enigma_decryption', true)) {
+ return;
+ }
+
$this->load_pgp_driver();
$struct = $p['structure'];
@@ -496,6 +702,10 @@
*/
private function parse_smime_encrypted(&$p)
{
+ if (!$this->rc->config->get('enigma_decryption', true)) {
+ return;
+ }
+
// $this->load_smime_driver();
}
@@ -510,7 +720,6 @@
private function pgp_verify(&$msg_body, $sig_body=null)
{
// @TODO: Handle big bodies using (temp) files
- // @TODO: caching of verification result
$sig = $this->pgp_driver->verify($msg_body, $sig_body);
if (($sig instanceof enigma_error) && $sig->getCode() != enigma_error::E_KEYNOTFOUND)
@@ -533,9 +742,68 @@
private function pgp_decrypt(&$msg_body)
{
// @TODO: Handle big bodies using (temp) files
- // @TODO: caching of verification result
$keys = $this->get_passwords();
$result = $this->pgp_driver->decrypt($msg_body, $keys);
+
+ if ($result instanceof enigma_error) {
+ $err_code = $result->getCode();
+ if (!in_array($err_code, array(enigma_error::E_KEYNOTFOUND, enigma_error::E_BADPASS)))
+ rcube::raise_error(array(
+ 'code' => 600, 'type' => 'php',
+ 'file' => __FILE__, 'line' => __LINE__,
+ 'message' => "Enigma plugin: " . $result->getMessage()
+ ), true, false);
+ return $result;
+ }
+
+ $msg_body = $result;
+
+ return true;
+ }
+
+ /**
+ * PGP message signing
+ *
+ * @param mixed Message body
+ * @param string Key ID
+ * @param string Key passphrase
+ * @param int Signing mode
+ *
+ * @return mixed True or enigma_error
+ */
+ private function pgp_sign(&$msg_body, $keyid, $password, $mode = null)
+ {
+ // @TODO: Handle big bodies using (temp) files
+ $result = $this->pgp_driver->sign($msg_body, $keyid, $password, $mode);
+
+ if ($result instanceof enigma_error) {
+ $err_code = $result->getCode();
+ if (!in_array($err_code, array(enigma_error::E_KEYNOTFOUND, enigma_error::E_BADPASS)))
+ rcube::raise_error(array(
+ 'code' => 600, 'type' => 'php',
+ 'file' => __FILE__, 'line' => __LINE__,
+ 'message' => "Enigma plugin: " . $result->getMessage()
+ ), true, false);
+ return $result;
+ }
+
+ $msg_body = $result;
+
+ return true;
+ }
+
+ /**
+ * PGP message encrypting
+ *
+ * @param mixed Message body
+ * @param array Keys
+ *
+ * @return mixed True or enigma_error
+ */
+ private function pgp_encrypt(&$msg_body, $keys)
+ {
+ // @TODO: Handle big bodies using (temp) files
+ $result = $this->pgp_driver->encrypt($msg_body, $keys);
if ($result instanceof enigma_error) {
$err_code = $result->getCode();
@@ -574,6 +842,39 @@
}
return $result;
+ }
+
+ /**
+ * Find PGP private/public key
+ *
+ * @param string E-mail address
+ * @param bool Need a key for signing?
+ *
+ * @return enigma_key The key
+ */
+ function find_key($email, $can_sign = false)
+ {
+ $this->load_pgp_driver();
+ $result = $this->pgp_driver->list_keys($email);
+
+ if ($result instanceof enigma_error) {
+ rcube::raise_error(array(
+ 'code' => 600, 'type' => 'php',
+ 'file' => __FILE__, 'line' => __LINE__,
+ 'message' => "Enigma plugin: " . $result->getMessage()
+ ), true, false);
+
+ return;
+ }
+
+ $mode = $can_sign ? enigma_key::CAN_SIGN : enigma_key::CAN_ENCRYPT;
+
+ // check key validity and type
+ foreach ($result as $key) {
+ if ($keyid = $key->find_subkey($email, $mode)) {
+ return $key;
+ }
+ }
}
/**
@@ -705,12 +1006,12 @@
$config = @unserialize($config);
}
- $threshold = time() - self::PASSWORD_TIME;
+ $threshold = time() - $this->password_time;
$keys = array();
// delete expired passwords
foreach ((array) $config as $key => $value) {
- if ($value[1] < $threshold) {
+ if ($pass_time && $value[1] < $threshold) {
unset($config[$key]);
$modified = true;
}
@@ -802,14 +1103,14 @@
$part->body_modified = true;
$part->encoding = 'stream';
- // Cache the fact it was decrypted
- $part->encrypted = true;
-
// modify part identifier
if ($old_id) {
$part->mime_id = !$part->mime_id ? $old_id : ($old_id . '.' . $part->mime_id);
}
+ // Cache the fact it was decrypted
+ $this->encrypted_parts[] = $part->mime_id;
+
$msg->mime_parts[$part->mime_id] = $part;
// modify sub-parts
--
Gitblit v1.9.1