1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408 |
- <?php
-
- /**
- +-------------------------------------------------------------------------+
- | Engine of the Enigma Plugin |
- | |
- | Copyright (C) 2010-2016 The Roundcube Dev Team |
- | |
- | Licensed under the GNU General Public License version 3 or |
- | any later version with exceptions for skins & plugins. |
- | See the README file for a full license statement. |
- | |
- +-------------------------------------------------------------------------+
- | Author: Aleksander Machniak <alec@alec.pl> |
- +-------------------------------------------------------------------------+
- */
-
- /**
- * Enigma plugin engine.
- *
- * RFC2440: OpenPGP Message Format
- * RFC3156: MIME Security with OpenPGP
- * RFC3851: S/MIME
- */
- class enigma_engine
- {
- private $rc;
- private $enigma;
- private $pgp_driver;
- private $smime_driver;
- private $password_time;
- private $cache = array();
-
- public $decryptions = array();
- public $signatures = array();
- public $encrypted_parts = array();
-
- const ENCRYPTED_PARTIALLY = 100;
-
- const SIGN_MODE_BODY = 1;
- const SIGN_MODE_SEPARATE = 2;
- const SIGN_MODE_MIME = 4;
-
- const ENCRYPT_MODE_BODY = 1;
- const ENCRYPT_MODE_MIME = 2;
- const ENCRYPT_MODE_SIGN = 4;
-
-
- /**
- * Plugin initialization.
- */
- function __construct($enigma)
- {
- $this->rc = rcmail::get_instance();
- $this->enigma = $enigma;
-
- $this->password_time = $this->rc->config->get('enigma_password_time') * 60;
-
- // this will remove passwords from session after some time
- if ($this->password_time) {
- $this->get_passwords();
- }
- }
-
- /**
- * PGP driver initialization.
- */
- function load_pgp_driver()
- {
- if ($this->pgp_driver) {
- return;
- }
-
- $driver = 'enigma_driver_' . $this->rc->config->get('enigma_pgp_driver', 'gnupg');
- $username = $this->rc->user->get_username();
-
- // Load driver
- $this->pgp_driver = new $driver($username);
-
- if (!$this->pgp_driver) {
- rcube::raise_error(array(
- 'code' => 600, 'type' => 'php',
- 'file' => __FILE__, 'line' => __LINE__,
- 'message' => "Enigma plugin: Unable to load PGP driver: $driver"
- ), true, true);
- }
-
- // Initialise driver
- $result = $this->pgp_driver->init();
-
- if ($result instanceof enigma_error) {
- self::raise_error($result, __LINE__, true);
- }
- }
-
- /**
- * S/MIME driver initialization.
- */
- function load_smime_driver()
- {
- if ($this->smime_driver) {
- return;
- }
-
- $driver = 'enigma_driver_' . $this->rc->config->get('enigma_smime_driver', 'phpssl');
- $username = $this->rc->user->get_username();
-
- // Load driver
- $this->smime_driver = new $driver($username);
-
- if (!$this->smime_driver) {
- rcube::raise_error(array(
- 'code' => 600, 'type' => 'php',
- 'file' => __FILE__, 'line' => __LINE__,
- 'message' => "Enigma plugin: Unable to load S/MIME driver: $driver"
- ), true, true);
- }
-
- // Initialise driver
- $result = $this->smime_driver->init();
-
- if ($result instanceof enigma_error) {
- self::raise_error($result, __LINE__, true);
- }
- }
-
- /**
- * Handler for message signing
- *
- * @param Mail_mime Original message
- * @param int Encryption mode
- *
- * @return enigma_error On error returns error object
- */
- function sign_message(&$message, $mode = null)
- {
- $mime = new enigma_mime_message($message, enigma_mime_message::PGP_SIGNED);
- $from = $mime->getFromAddress();
-
- // find private key
- $key = $this->find_key($from, true);
-
- if (empty($key)) {
- return new enigma_error(enigma_error::KEYNOTFOUND);
- }
-
- // check if we have password for this key
- $passwords = $this->get_passwords();
- $pass = $passwords[$key->id];
-
- if ($pass === null) {
- // ask for password
- $error = array('missing' => array($key->id => $key->name));
- return new enigma_error(enigma_error::BADPASS, '', $error);
- }
-
- $key->password = $pass;
-
- // select mode
- switch ($mode) {
- case self::SIGN_MODE_BODY:
- $pgp_mode = Crypt_GPG::SIGN_MODE_CLEAR;
- break;
-
- case self::SIGN_MODE_MIME:
- $pgp_mode = Crypt_GPG::SIGN_MODE_DETACHED;
- break;
-
- default:
- if ($mime->isMultipart()) {
- $pgp_mode = Crypt_GPG::SIGN_MODE_DETACHED;
- }
- else {
- $pgp_mode = Crypt_GPG::SIGN_MODE_CLEAR;
- }
- }
-
- // get message body
- if ($pgp_mode == Crypt_GPG::SIGN_MODE_CLEAR) {
- // in this mode we'll replace text part
- // with the one containing signature
- $body = $message->getTXTBody();
-
- $text_charset = $message->getParam('text_charset');
- $line_length = $this->rc->config->get('line_length', 72);
-
- // We can't use format=flowed for signed messages
- if (strpos($text_charset, 'format=flowed')) {
- list($charset, $params) = explode(';', $text_charset);
- $body = rcube_mime::unfold_flowed($body);
- $body = rcube_mime::wordwrap($body, $line_length, "\r\n", false, $charset);
-
- $text_charset = str_replace(";\r\n format=flowed", '', $text_charset);
- }
- }
- else {
- // here we'll build PGP/MIME message
- $body = $mime->getOrigBody();
- }
-
- // sign the body
- $result = $this->pgp_sign($body, $key, $pgp_mode);
-
- if ($result !== true) {
- if ($result->getCode() == enigma_error::BADPASS) {
- // ask for password
- $error = array('bad' => array($key->id => $key->name));
- return new enigma_error(enigma_error::BADPASS, '', $error);
- }
-
- return $result;
- }
-
- // replace message body
- if ($pgp_mode == Crypt_GPG::SIGN_MODE_CLEAR) {
- $message->setTXTBody($body);
- $message->setParam('text_charset', $text_charset);
- }
- else {
- $mime->addPGPSignature($body, $this->pgp_driver->signature_algorithm());
- $message = $mime;
- }
- }
-
- /**
- * Handler for message encryption
- *
- * @param Mail_mime Original message
- * @param int Encryption mode
- * @param bool Is draft-save action - use only sender's key for encryption
- *
- * @return enigma_error On error returns error object
- */
- function encrypt_message(&$message, $mode = null, $is_draft = false)
- {
- $mime = new enigma_mime_message($message, enigma_mime_message::PGP_ENCRYPTED);
-
- // always use sender's key
- $from = $mime->getFromAddress();
-
- // check senders key for signing
- if ($mode & self::ENCRYPT_MODE_SIGN) {
- $sign_key = $this->find_key($from, true);
-
- if (empty($sign_key)) {
- return new enigma_error(enigma_error::KEYNOTFOUND);
- }
-
- // check if we have password for this key
- $passwords = $this->get_passwords();
- $sign_pass = $passwords[$sign_key->id];
-
- if ($sign_pass === null) {
- // ask for password
- $error = array('missing' => array($sign_key->id => $sign_key->name));
- return new enigma_error(enigma_error::BADPASS, '', $error);
- }
-
- $sign_key->password = $sign_pass;
- }
-
- $recipients = array($from);
-
- // if it's not a draft we add all recipients' keys
- if (!$is_draft) {
- $recipients = array_merge($recipients, $mime->getRecipients());
- }
-
- if (empty($recipients)) {
- return new enigma_error(enigma_error::KEYNOTFOUND);
- }
-
- $recipients = array_unique($recipients);
-
- // find recipient public keys
- foreach ((array) $recipients as $email) {
- if ($email == $from && $sign_key) {
- $key = $sign_key;
- }
- else {
- $key = $this->find_key($email);
- }
-
- if (empty($key)) {
- return new enigma_error(enigma_error::KEYNOTFOUND, '', array(
- 'missing' => $email
- ));
- }
-
- $keys[] = $key;
- }
-
- // select mode
- if ($mode & self::ENCRYPT_MODE_BODY) {
- $encrypt_mode = $mode;
- }
- else if ($mode & self::ENCRYPT_MODE_MIME) {
- $encrypt_mode = $mode;
- }
- else {
- $encrypt_mode = $mime->isMultipart() ? self::ENCRYPT_MODE_MIME : self::ENCRYPT_MODE_BODY;
- }
-
- // get message body
- if ($encrypt_mode == self::ENCRYPT_MODE_BODY) {
- // in this mode we'll replace text part
- // with the one containing encrypted message
- $body = $message->getTXTBody();
- }
- else {
- // here we'll build PGP/MIME message
- $body = $mime->getOrigBody();
- }
-
- // sign the body
- $result = $this->pgp_encrypt($body, $keys, $sign_key);
-
- if ($result !== true) {
- if ($result->getCode() == enigma_error::BADPASS) {
- // ask for password
- $error = array('bad' => array($sign_key->id => $sign_key->name));
- return new enigma_error(enigma_error::BADPASS, '', $error);
- }
-
- return $result;
- }
-
- // replace message body
- if ($encrypt_mode == self::ENCRYPT_MODE_BODY) {
- $message->setTXTBody($body);
- }
- else {
- $mime->setPGPEncryptedBody($body);
- $message = $mime;
- }
- }
-
- /**
- * Handler for attaching public key to a message
- *
- * @param Mail_mime Original message
- *
- * @return bool True on success, False on failure
- */
- function attach_public_key(&$message)
- {
- $headers = $message->headers();
- $from = rcube_mime::decode_address_list($headers['From'], 1, false, null, true);
- $from = $from[1];
-
- // find my key
- if ($from && ($key = $this->find_key($from, true))) {
- $pubkey_armor = $this->export_key($key->id);
-
- if (!$pubkey_armor instanceof enigma_error) {
- $pubkey_name = '0x' . enigma_key::format_id($key->id) . '.asc';
- $message->addAttachment($pubkey_armor, 'application/pgp-keys', $pubkey_name, false, '7bit');
- return true;
- }
- }
-
- return false;
- }
-
- /**
- * Handler for message_part_structure hook.
- * Called for every part of the message.
- *
- * @param array Original parameters
- * @param string Part body (will be set if used internally)
- *
- * @return array Modified parameters
- */
- function part_structure($p, $body = null)
- {
- if ($p['mimetype'] == 'text/plain' || $p['mimetype'] == 'application/pgp') {
- $this->parse_plain($p, $body);
- }
- else if ($p['mimetype'] == 'multipart/signed') {
- $this->parse_signed($p, $body);
- }
- else if ($p['mimetype'] == 'multipart/encrypted') {
- $this->parse_encrypted($p);
- }
- else if ($p['mimetype'] == 'application/pkcs7-mime') {
- $this->parse_encrypted($p);
- }
-
- return $p;
- }
-
- /**
- * Handler for message_part_body hook.
- *
- * @param array Original parameters
- *
- * @return array Modified parameters
- */
- function part_body($p)
- {
- // encrypted attachment, see parse_plain_encrypted()
- if ($p['part']->need_decryption && $p['part']->body === null) {
- $this->load_pgp_driver();
-
- $storage = $this->rc->get_storage();
- $body = $storage->get_message_part($p['object']->uid, $p['part']->mime_id, $p['part'], null, null, true, 0, false);
- $result = $this->pgp_decrypt($body);
-
- // @TODO: what to do on error?
- if ($result === true) {
- $p['part']->body = $body;
- $p['part']->size = strlen($body);
- $p['part']->body_modified = true;
- }
- }
-
- return $p;
- }
-
- /**
- * Handler for plain/text message.
- *
- * @param array Reference to hook's parameters
- * @param string Part body (will be set if used internally)
- */
- function parse_plain(&$p, $body = null)
- {
- $part = $p['structure'];
-
- // Get message body from IMAP server
- if ($body === null) {
- $body = $this->get_part_body($p['object'], $part);
- }
-
- // In this way we can use fgets on string as on file handle
- // Don't use php://temp for security (body may come from an encrypted part)
- $fd = fopen('php://memory', 'r+');
- if (!$fd) {
- return;
- }
-
- fwrite($fd, $body);
- rewind($fd);
-
- $body = '';
- $prefix = '';
- $mode = '';
- $tokens = array(
- 'BEGIN PGP SIGNED MESSAGE' => 'signed-start',
- 'END PGP SIGNATURE' => 'signed-end',
- 'BEGIN PGP MESSAGE' => 'encrypted-start',
- 'END PGP MESSAGE' => 'encrypted-end',
- );
- $regexp = '/^-----(' . implode('|', array_keys($tokens)) . ')-----[\r\n]*/';
-
- while (($line = fgets($fd)) !== false) {
- if ($line[0] === '-' && $line[4] === '-' && preg_match($regexp, $line, $m)) {
- switch ($tokens[$m[1]]) {
- case 'signed-start':
- $body = $line;
- $mode = 'signed';
- break;
-
- case 'signed-end':
- if ($mode === 'signed') {
- $body .= $line;
- }
- break 2; // ignore anything after this line
-
- case 'encrypted-start':
- $body = $line;
- $mode = 'encrypted';
- break;
-
- case 'encrypted-end':
- if ($mode === 'encrypted') {
- $body .= $line;
- }
- break 2; // ignore anything after this line
- }
-
- continue;
- }
-
- if ($mode === 'signed') {
- $body .= $line;
- }
- else if ($mode === 'encrypted') {
- $body .= $line;
- }
- else {
- $prefix .= $line;
- }
- }
-
- fclose($fd);
-
- if ($mode === 'signed') {
- $this->parse_plain_signed($p, $body, $prefix);
- }
- else if ($mode === 'encrypted') {
- $this->parse_plain_encrypted($p, $body, $prefix);
- }
- }
-
- /**
- * Handler for multipart/signed message.
- *
- * @param array Reference to hook's parameters
- * @param string Part body (will be set if used internally)
- */
- function parse_signed(&$p, $body = null)
- {
- $struct = $p['structure'];
-
- // S/MIME
- if ($struct->parts[1] && $struct->parts[1]->mimetype == 'application/pkcs7-signature') {
- $this->parse_smime_signed($p, $body);
- }
- // PGP/MIME: RFC3156
- // The multipart/signed body MUST consist of exactly two parts.
- // The first part contains the signed data in MIME canonical format,
- // including a set of appropriate content headers describing the data.
- // The second body MUST contain the PGP digital signature. It MUST be
- // labeled with a content type of "application/pgp-signature".
- else if (count($struct->parts) == 2
- && $struct->parts[1] && $struct->parts[1]->mimetype == 'application/pgp-signature'
- ) {
- $this->parse_pgp_signed($p, $body);
- }
- }
-
- /**
- * Handler for multipart/encrypted message.
- *
- * @param array Reference to hook's parameters
- */
- function parse_encrypted(&$p)
- {
- $struct = $p['structure'];
-
- // S/MIME
- if ($p['mimetype'] == 'application/pkcs7-mime') {
- $this->parse_smime_encrypted($p);
- }
- // PGP/MIME: RFC3156
- // The multipart/encrypted MUST consist of exactly two parts. The first
- // MIME body part must have a content type of "application/pgp-encrypted".
- // This body contains the control information.
- // The second MIME body part MUST contain the actual encrypted data. It
- // must be labeled with a content type of "application/octet-stream".
- else if (count($struct->parts) == 2
- && $struct->parts[0] && $struct->parts[0]->mimetype == 'application/pgp-encrypted'
- && $struct->parts[1] && $struct->parts[1]->mimetype == 'application/octet-stream'
- ) {
- $this->parse_pgp_encrypted($p);
- }
- }
-
- /**
- * Handler for plain signed message.
- * Excludes message and signature bodies and verifies signature.
- *
- * @param array Reference to hook's parameters
- * @param string Message (part) body
- * @param string Body prefix (additional text before the encrypted block)
- */
- private function parse_plain_signed(&$p, $body, $prefix = '')
- {
- if (!$this->rc->config->get('enigma_signatures', true)) {
- return;
- }
-
- $this->load_pgp_driver();
- $part = $p['structure'];
-
- // Verify signature
- if ($this->rc->action == 'show' || $this->rc->action == 'preview' || $this->rc->action == 'print') {
- $sig = $this->pgp_verify($body);
- }
-
- // In this way we can use fgets on string as on file handle
- // Don't use php://temp for security (body may come from an encrypted part)
- $fd = fopen('php://memory', 'r+');
- if (!$fd) {
- return;
- }
-
- fwrite($fd, $body);
- rewind($fd);
-
- $body = $part->body = null;
- $part->body_modified = true;
-
- // Extract body (and signature?)
- while (($line = fgets($fd, 1024)) !== false) {
- if ($part->body === null)
- $part->body = '';
- else if (preg_match('/^-----BEGIN PGP SIGNATURE-----/', $line))
- break;
- else
- $part->body .= $line;
- }
-
- fclose($fd);
-
- // Remove "Hash" Armor Headers
- $part->body = preg_replace('/^.*\r*\n\r*\n/', '', $part->body);
- // de-Dash-Escape (RFC2440)
- $part->body = preg_replace('/(^|\n)- -/', '\\1-', $part->body);
-
- if ($prefix) {
- $part->body = $prefix . $part->body;
- }
-
- // Store signature data for display
- if (!empty($sig)) {
- $sig->partial = !empty($prefix);
- $this->signatures[$part->mime_id] = $sig;
- }
- }
-
- /**
- * Handler for PGP/MIME signed message.
- * Verifies signature.
- *
- * @param array Reference to hook's parameters
- * @param string Part body (will be set if used internally)
- */
- private function parse_pgp_signed(&$p, $body = null)
- {
- if (!$this->rc->config->get('enigma_signatures', true)) {
- return;
- }
-
- if ($this->rc->action != 'show' && $this->rc->action != 'preview' && $this->rc->action != 'print') {
- return;
- }
-
- $this->load_pgp_driver();
- $struct = $p['structure'];
-
- $msg_part = $struct->parts[0];
- $sig_part = $struct->parts[1];
-
- // Get bodies
- if ($body === null) {
- if (!$struct->body_modified) {
- $body = $this->get_part_body($p['object'], $struct);
- }
- }
-
- $boundary = $struct->ctype_parameters['boundary'];
-
- // when it is a signed message forwarded as attachment
- // ctype_parameters property will not be set
- if (!$boundary && $struct->headers['content-type']
- && preg_match('/boundary="?([a-zA-Z0-9\'()+_,-.\/:=?]+)"?/', $struct->headers['content-type'], $m)
- ) {
- $boundary = $m[1];
- }
-
- // set signed part body
- list($msg_body, $sig_body) = $this->explode_signed_body($body, $boundary);
-
- // Verify
- if ($sig_body && $msg_body) {
- $sig = $this->pgp_verify($msg_body, $sig_body);
-
- // Store signature data for display
- $this->signatures[$struct->mime_id] = $sig;
- $this->signatures[$msg_part->mime_id] = $sig;
- }
- }
-
- /**
- * Handler for S/MIME signed message.
- * Verifies signature.
- *
- * @param array Reference to hook's parameters
- * @param string Part body (will be set if used internally)
- */
- private function parse_smime_signed(&$p, $body = null)
- {
- if (!$this->rc->config->get('enigma_signatures', true)) {
- return;
- }
-
- // @TODO
- }
-
- /**
- * Handler for plain encrypted message.
- *
- * @param array Reference to hook's parameters
- * @param string Message (part) body
- * @param string Body prefix (additional text before the encrypted block)
- */
- private function parse_plain_encrypted(&$p, $body, $prefix = '')
- {
- if (!$this->rc->config->get('enigma_decryption', true)) {
- return;
- }
-
- $this->load_pgp_driver();
- $part = $p['structure'];
-
- // Decrypt
- $result = $this->pgp_decrypt($body, $signature);
-
- // Store decryption status
- $this->decryptions[$part->mime_id] = $result;
-
- // Store signature data for display
- if ($signature) {
- $this->signatures[$part->mime_id] = $signature;
- }
-
- // find parent part ID
- if (strpos($part->mime_id, '.')) {
- $items = explode('.', $part->mime_id);
- array_pop($items);
- $parent = implode('.', $items);
- }
- else {
- $parent = 0;
- }
-
- // Parse decrypted message
- if ($result === true) {
- $part->body = $prefix . $body;
- $part->body_modified = true;
-
- // it maybe PGP signed inside, verify signature
- $this->parse_plain($p, $body);
-
- // Remember it was decrypted
- $this->encrypted_parts[] = $part->mime_id;
-
- // Inform the user that only a part of the body was encrypted
- if ($prefix) {
- $this->decryptions[$part->mime_id] = self::ENCRYPTED_PARTIALLY;
- }
-
- // Encrypted plain message may contain encrypted attachments
- // in such case attachments have .pgp extension and type application/octet-stream.
- // This is what happens when you select "Encrypt each attachment separately
- // and send the message using inline PGP" in Thunderbird's Enigmail.
-
- if ($p['object']->mime_parts[$parent]) {
- foreach ((array)$p['object']->mime_parts[$parent]->parts as $p) {
- if ($p->disposition == 'attachment' && $p->mimetype == 'application/octet-stream'
- && preg_match('/^(.*)\.pgp$/i', $p->filename, $m)
- ) {
- // modify filename
- $p->filename = $m[1];
- // flag the part, it will be decrypted when needed
- $p->need_decryption = true;
- // disable caching
- $p->body_modified = true;
- }
- }
- }
- }
- // decryption failed, but the message may have already
- // been cached with the modified parts (see above),
- // let's bring the original state back
- else if ($p['object']->mime_parts[$parent]) {
- foreach ((array)$p['object']->mime_parts[$parent]->parts as $p) {
- if ($p->need_decryption && !preg_match('/^(.*)\.pgp$/i', $p->filename, $m)) {
- // modify filename
- $p->filename .= '.pgp';
- // flag the part, it will be decrypted when needed
- unset($p->need_decryption);
- }
- }
- }
- }
-
- /**
- * Handler for PGP/MIME encrypted message.
- *
- * @param array Reference to hook's parameters
- */
- private function parse_pgp_encrypted(&$p)
- {
- if (!$this->rc->config->get('enigma_decryption', true)) {
- return;
- }
-
- $this->load_pgp_driver();
-
- $struct = $p['structure'];
- $part = $struct->parts[1];
-
- // Get body
- $body = $this->get_part_body($p['object'], $part);
-
- // Decrypt
- $result = $this->pgp_decrypt($body, $signature);
-
- if ($result === true) {
- // Parse decrypted message
- $struct = $this->parse_body($body);
-
- // Modify original message structure
- $this->modify_structure($p, $struct, strlen($body));
-
- // Parse the structure (there may be encrypted/signed parts inside
- $this->part_structure(array(
- 'object' => $p['object'],
- 'structure' => $struct,
- 'mimetype' => $struct->mimetype
- ), $body);
-
- // Attach the decryption message to all parts
- $this->decryptions[$struct->mime_id] = $result;
- foreach ((array) $struct->parts as $sp) {
- $this->decryptions[$sp->mime_id] = $result;
- if ($signature) {
- $this->signatures[$sp->mime_id] = $signature;
- }
- }
- }
- else {
- $this->decryptions[$part->mime_id] = $result;
-
- // Make sure decryption status message will be displayed
- $part->type = 'content';
- $p['object']->parts[] = $part;
-
- // don't show encrypted part on attachments list
- // don't show "cannot display encrypted message" text
- $p['abort'] = true;
- }
- }
-
- /**
- * Handler for S/MIME encrypted message.
- *
- * @param array Reference to hook's parameters
- */
- private function parse_smime_encrypted(&$p)
- {
- if (!$this->rc->config->get('enigma_decryption', true)) {
- return;
- }
-
- // @TODO
- }
-
- /**
- * PGP signature verification.
- *
- * @param mixed Message body
- * @param mixed Signature body (for MIME messages)
- *
- * @return mixed enigma_signature or enigma_error
- */
- private function pgp_verify(&$msg_body, $sig_body = null)
- {
- // @TODO: Handle big bodies using (temp) files
- $sig = $this->pgp_driver->verify($msg_body, $sig_body);
-
- if (($sig instanceof enigma_error) && $sig->getCode() != enigma_error::KEYNOTFOUND) {
- self::raise_error($sig, __LINE__);
- }
-
- return $sig;
- }
-
- /**
- * PGP message decryption.
- *
- * @param mixed &$msg_body Message body
- * @param enigma_signature &$signature Signature verification result
- *
- * @return mixed True or enigma_error
- */
- private function pgp_decrypt(&$msg_body, &$signature = null)
- {
- // @TODO: Handle big bodies using (temp) files
- $keys = $this->get_passwords();
- $result = $this->pgp_driver->decrypt($msg_body, $keys, $signature);
-
- if ($result instanceof enigma_error) {
- if ($result->getCode() != enigma_error::KEYNOTFOUND) {
- self::raise_error($result, __LINE__);
- }
-
- return $result;
- }
-
- $msg_body = $result;
-
- return true;
- }
-
- /**
- * PGP message signing
- *
- * @param mixed Message body
- * @param enigma_key The key (with passphrase)
- * @param int Signing mode
- *
- * @return mixed True or enigma_error
- */
- private function pgp_sign(&$msg_body, $key, $mode = null)
- {
- // @TODO: Handle big bodies using (temp) files
- $result = $this->pgp_driver->sign($msg_body, $key, $mode);
-
- if ($result instanceof enigma_error) {
- if ($result->getCode() != enigma_error::KEYNOTFOUND) {
- self::raise_error($result, __LINE__);
- }
-
- return $result;
- }
-
- $msg_body = $result;
-
- return true;
- }
-
- /**
- * PGP message encrypting
- *
- * @param mixed Message body
- * @param array Keys (array of enigma_key objects)
- * @param string Optional signing Key ID
- * @param string Optional signing Key password
- *
- * @return mixed True or enigma_error
- */
- private function pgp_encrypt(&$msg_body, $keys, $sign_key = null, $sign_pass = null)
- {
- // @TODO: Handle big bodies using (temp) files
- $result = $this->pgp_driver->encrypt($msg_body, $keys, $sign_key, $sign_pass);
-
- if ($result instanceof enigma_error) {
- if ($result->getCode() != enigma_error::KEYNOTFOUND) {
- self::raise_error($result, __LINE__);
- }
-
- return $result;
- }
-
- $msg_body = $result;
-
- return true;
- }
-
- /**
- * PGP keys listing.
- *
- * @param mixed Key ID/Name pattern
- *
- * @return mixed Array of keys or enigma_error
- */
- function list_keys($pattern = '')
- {
- $this->load_pgp_driver();
- $result = $this->pgp_driver->list_keys($pattern);
-
- if ($result instanceof enigma_error) {
- self::raise_error($result, __LINE__);
- }
-
- return $result;
- }
-
- /**
- * Find PGP private/public key
- *
- * @param string E-mail address
- * @param bool Need a key for signing?
- *
- * @return enigma_key The key
- */
- function find_key($email, $can_sign = false)
- {
- if ($can_sign && array_key_exists($email, $this->cache)) {
- return $this->cache[$email];
- }
-
- $this->load_pgp_driver();
- $result = $this->pgp_driver->list_keys($email);
-
- if ($result instanceof enigma_error) {
- self::raise_error($result, __LINE__);
- return;
- }
-
- $mode = $can_sign ? enigma_key::CAN_SIGN : enigma_key::CAN_ENCRYPT;
- $ret = null;
-
- // check key validity and type
- foreach ($result as $key) {
- if (($subkey = $key->find_subkey($email, $mode))
- && (!$can_sign || $key->get_type() == enigma_key::TYPE_KEYPAIR)
- ) {
- $ret = $key;
- break;
- }
- }
-
- // cache private key info for better performance
- // we can skip one list_keys() call when signing and attaching a key
- if ($can_sign) {
- $this->cache[$email] = $ret;
- }
-
- return $ret;
- }
-
- /**
- * PGP key details.
- *
- * @param mixed Key ID
- *
- * @return mixed enigma_key or enigma_error
- */
- function get_key($keyid)
- {
- $this->load_pgp_driver();
- $result = $this->pgp_driver->get_key($keyid);
-
- if ($result instanceof enigma_error) {
- self::raise_error($result, __LINE__);
- }
-
- return $result;
- }
-
- /**
- * PGP key delete.
- *
- * @param string Key ID
- *
- * @return enigma_error|bool True on success
- */
- function delete_key($keyid)
- {
- $this->load_pgp_driver();
- $result = $this->pgp_driver->delete_key($keyid);
-
- if ($result instanceof enigma_error) {
- self::raise_error($result, __LINE__);
- }
-
- return $result;
- }
-
- /**
- * PGP keys pair generation.
- *
- * @param array Key pair parameters
- *
- * @return mixed enigma_key or enigma_error
- */
- function generate_key($data)
- {
- $this->load_pgp_driver();
- $result = $this->pgp_driver->gen_key($data);
-
- if ($result instanceof enigma_error) {
- self::raise_error($result, __LINE__);
- }
-
- return $result;
- }
-
- /**
- * PGP keys/certs import.
- *
- * @param mixed Import file name or content
- * @param boolean True if first argument is a filename
- *
- * @return mixed Import status data array or enigma_error
- */
- function import_key($content, $isfile = false)
- {
- $this->load_pgp_driver();
- $result = $this->pgp_driver->import($content, $isfile, $this->get_passwords());
-
- if ($result instanceof enigma_error) {
- self::raise_error($result, __LINE__);
- }
- else {
- $result['imported'] = $result['public_imported'] + $result['private_imported'];
- $result['unchanged'] = $result['public_unchanged'] + $result['private_unchanged'];
- }
-
- return $result;
- }
-
- /**
- * PGP keys/certs export.
- *
- * @param string Key ID
- * @param resource Optional output stream
- * @param bool Include private key
- *
- * @return mixed Key content or enigma_error
- */
- function export_key($key, $fp = null, $include_private = false)
- {
- $this->load_pgp_driver();
- $result = $this->pgp_driver->export($key, $include_private, $this->get_passwords());
-
- if ($result instanceof enigma_error) {
- self::raise_error($result, __LINE__);
- return $result;
- }
-
- if ($fp) {
- fwrite($fp, $result);
- }
- else {
- return $result;
- }
- }
-
- /**
- * Registers password for specified key/cert sent by the password prompt.
- */
- function password_handler()
- {
- $keyid = rcube_utils::get_input_value('_keyid', rcube_utils::INPUT_POST);
- $passwd = rcube_utils::get_input_value('_passwd', rcube_utils::INPUT_POST, true);
-
- if ($keyid && $passwd !== null && strlen($passwd)) {
- $this->save_password(strtoupper($keyid), $passwd);
- }
- }
-
- /**
- * Saves key/cert password in user session
- */
- function save_password($keyid, $password)
- {
- // we store passwords in session for specified time
- if ($config = $_SESSION['enigma_pass']) {
- $config = $this->rc->decrypt($config);
- $config = @unserialize($config);
- }
-
- $config[$keyid] = array($password, time());
-
- $_SESSION['enigma_pass'] = $this->rc->encrypt(serialize($config));
- }
-
- /**
- * Returns currently stored passwords
- */
- function get_passwords()
- {
- if ($config = $_SESSION['enigma_pass']) {
- $config = $this->rc->decrypt($config);
- $config = @unserialize($config);
- }
-
- $threshold = $this->password_time ? time() - $this->password_time : 0;
- $keys = array();
-
- // delete expired passwords
- foreach ((array) $config as $key => $value) {
- if ($threshold && $value[1] < $threshold) {
- unset($config[$key]);
- $modified = true;
- }
- else {
- $keys[$key] = $value[0];
- }
- }
-
- if ($modified) {
- $_SESSION['enigma_pass'] = $this->rc->encrypt(serialize($config));
- }
-
- return $keys;
- }
-
- /**
- * Get message part body.
- *
- * @param rcube_message Message object
- * @param rcube_message_part Message part
- */
- private function get_part_body($msg, $part)
- {
- // @TODO: Handle big bodies using file handles
-
- // This is a special case when we want to get the whole body
- // using direct IMAP access, in other cases we prefer
- // rcube_message::get_part_body() as the body may be already in memory
- if (!$part->mime_id) {
- // fake the size which may be empty for multipart/* parts
- // otherwise get_message_part() below will fail
- if (!$part->size) {
- $reset = true;
- $part->size = 1;
- }
-
- $storage = $this->rc->get_storage();
- $body = $storage->get_message_part($msg->uid, $part->mime_id, $part,
- null, null, true, 0, false);
-
- if ($reset) {
- $part->size = 0;
- }
- }
- else {
- $body = $msg->get_part_body($part->mime_id, false);
-
- // Convert charset to get rid of possible non-ascii characters (#5962)
- if ($part->charset && stripos($part->charset, 'ASCII') === false) {
- $body = rcube_charset::convert($body, $part->charset, 'US-ASCII');
- }
- }
-
- return $body;
- }
-
- /**
- * Parse decrypted message body into structure
- *
- * @param string Message body
- *
- * @return array Message structure
- */
- private function parse_body(&$body)
- {
- // Mail_mimeDecode need \r\n end-line, but gpg may return \n
- $body = preg_replace('/\r?\n/', "\r\n", $body);
-
- // parse the body into structure
- $struct = rcube_mime::parse_message($body);
-
- return $struct;
- }
-
- /**
- * Replace message encrypted structure with decrypted message structure
- *
- * @param array Hook arguments
- * @param rcube_message_part Part structure
- * @param int Part size
- */
- private function modify_structure(&$p, $struct, $size = 0)
- {
- // modify mime_parts property of the message object
- $old_id = $p['structure']->mime_id;
-
- foreach (array_keys($p['object']->mime_parts) as $idx) {
- if (!$old_id || $idx == $old_id || strpos($idx, $old_id . '.') === 0) {
- unset($p['object']->mime_parts[$idx]);
- }
- }
-
- // set some part params used by Roundcube core
- $struct->headers = array_merge($p['structure']->headers, $struct->headers);
- $struct->size = $size;
- $struct->filename = $p['structure']->filename;
-
- // modify the new structure to be correctly handled by Roundcube
- $this->modify_structure_part($struct, $p['object'], $old_id);
-
- // replace old structure with the new one
- $p['structure'] = $struct;
- $p['mimetype'] = $struct->mimetype;
- }
-
- /**
- * Modify decrypted message part
- *
- * @param rcube_message_part
- * @param rcube_message
- */
- private function modify_structure_part($part, $msg, $old_id)
- {
- // never cache the body
- $part->body_modified = true;
- $part->encoding = 'stream';
-
- // modify part identifier
- if ($old_id) {
- $part->mime_id = !$part->mime_id ? $old_id : ($old_id . '.' . $part->mime_id);
- }
-
- // Cache the fact it was decrypted
- $this->encrypted_parts[] = $part->mime_id;
- $msg->mime_parts[$part->mime_id] = $part;
-
- // modify sub-parts
- foreach ((array) $part->parts as $p) {
- $this->modify_structure_part($p, $msg, $old_id);
- }
- }
-
- /**
- * Extracts body and signature of multipart/signed message body
- */
- private function explode_signed_body($body, $boundary)
- {
- if (!$body) {
- return array();
- }
-
- $boundary = '--' . $boundary;
- $boundary_len = strlen($boundary) + 2;
-
- // Find boundaries
- $start = strpos($body, $boundary) + $boundary_len;
- $end = strpos($body, $boundary, $start);
-
- // Get signed body and signature
- $sig = substr($body, $end + $boundary_len);
- $body = substr($body, $start, $end - $start - 2);
-
- // Cleanup signature
- $sig = substr($sig, strpos($sig, "\r\n\r\n") + 4);
- $sig = substr($sig, 0, strpos($sig, $boundary));
-
- return array($body, $sig);
- }
-
- /**
- * Checks if specified message part is a PGP-key or S/MIME cert data
- *
- * @param rcube_message_part Part object
- *
- * @return boolean True if part is a key/cert
- */
- public function is_keys_part($part)
- {
- // @TODO: S/MIME
- return (
- // Content-Type: application/pgp-keys
- $part->mimetype == 'application/pgp-keys'
- );
- }
-
- /**
- * Removes all user keys and assigned data
- *
- * @param string Username
- *
- * @return bool True on success, False on failure
- */
- public function delete_user_data($username)
- {
- $homedir = $this->rc->config->get('enigma_pgp_homedir', INSTALL_PATH . 'plugins/enigma/home');
- $homedir .= DIRECTORY_SEPARATOR . $username;
-
- return file_exists($homedir) ? self::delete_dir($homedir) : true;
- }
-
- /**
- * Recursive method to remove directory with its content
- *
- * @param string Directory
- */
- public static function delete_dir($dir)
- {
- // This code can be executed from command line, make sure
- // we have permissions to delete keys directory
- if (!is_writable($dir)) {
- rcube::raise_error("Unable to delete $dir", false, true);
- return false;
- }
-
- if ($content = scandir($dir)) {
- foreach ($content as $filename) {
- if ($filename != '.' && $filename != '..') {
- $filename = $dir . DIRECTORY_SEPARATOR . $filename;
-
- if (is_dir($filename)) {
- self::delete_dir($filename);
- }
- else {
- unlink($filename);
- }
- }
- }
-
- rmdir($dir);
- }
-
- return true;
- }
-
- /**
- * Raise/log (relevant) errors
- */
- protected static function raise_error($result, $line, $abort = false)
- {
- if ($result->getCode() != enigma_error::BADPASS) {
- rcube::raise_error(array(
- 'code' => 600,
- 'file' => __FILE__,
- 'line' => $line,
- 'message' => "Enigma plugin: " . $result->getMessage()
- ), true, $abort);
- }
- }
- }
|