Mercurial > hg > rc1
diff plugins/enigma/lib/enigma_engine.php @ 0:1e000243b222
vanilla 1.3.3 distro, I hope
| author | Charlie Root |
|---|---|
| date | Thu, 04 Jan 2018 15:50:29 -0500 |
| parents | |
| children |
line wrap: on
line diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/plugins/enigma/lib/enigma_engine.php Thu Jan 04 15:50:29 2018 -0500 @@ -0,0 +1,1391 @@ +<?php + +/** + +-------------------------------------------------------------------------+ + | Engine of the Enigma Plugin | + | | + | Copyright (C) 2010-2016 The Roundcube Dev Team | + | | + | Licensed under the GNU General Public License version 3 or | + | any later version with exceptions for skins & plugins. | + | See the README file for a full license statement. | + | | + +-------------------------------------------------------------------------+ + | Author: Aleksander Machniak <alec@alec.pl> | + +-------------------------------------------------------------------------+ +*/ + +/** + * Enigma plugin engine. + * + * RFC2440: OpenPGP Message Format + * RFC3156: MIME Security with OpenPGP + * RFC3851: S/MIME + */ +class enigma_engine +{ + private $rc; + private $enigma; + private $pgp_driver; + private $smime_driver; + private $password_time; + + public $decryptions = array(); + public $signatures = array(); + public $encrypted_parts = array(); + + const ENCRYPTED_PARTIALLY = 100; + + const SIGN_MODE_BODY = 1; + const SIGN_MODE_SEPARATE = 2; + const SIGN_MODE_MIME = 4; + + const ENCRYPT_MODE_BODY = 1; + const ENCRYPT_MODE_MIME = 2; + const ENCRYPT_MODE_SIGN = 4; + + + /** + * Plugin initialization. + */ + function __construct($enigma) + { + $this->rc = rcmail::get_instance(); + $this->enigma = $enigma; + + $this->password_time = $this->rc->config->get('enigma_password_time') * 60; + + // this will remove passwords from session after some time + if ($this->password_time) { + $this->get_passwords(); + } + } + + /** + * PGP driver initialization. + */ + function load_pgp_driver() + { + if ($this->pgp_driver) { + return; + } + + $driver = 'enigma_driver_' . $this->rc->config->get('enigma_pgp_driver', 'gnupg'); + $username = $this->rc->user->get_username(); + + // Load driver + $this->pgp_driver = new $driver($username); + + if (!$this->pgp_driver) { + rcube::raise_error(array( + 'code' => 600, 'type' => 'php', + 'file' => __FILE__, 'line' => __LINE__, + 'message' => "Enigma plugin: Unable to load PGP driver: $driver" + ), true, true); + } + + // Initialise driver + $result = $this->pgp_driver->init(); + + if ($result instanceof enigma_error) { + self::raise_error($result, __LINE__, true); + } + } + + /** + * S/MIME driver initialization. + */ + function load_smime_driver() + { + if ($this->smime_driver) { + return; + } + + $driver = 'enigma_driver_' . $this->rc->config->get('enigma_smime_driver', 'phpssl'); + $username = $this->rc->user->get_username(); + + // Load driver + $this->smime_driver = new $driver($username); + + if (!$this->smime_driver) { + rcube::raise_error(array( + 'code' => 600, 'type' => 'php', + 'file' => __FILE__, 'line' => __LINE__, + 'message' => "Enigma plugin: Unable to load S/MIME driver: $driver" + ), true, true); + } + + // Initialise driver + $result = $this->smime_driver->init(); + + if ($result instanceof enigma_error) { + self::raise_error($result, __LINE__, true); + } + } + + /** + * Handler for message signing + * + * @param Mail_mime Original message + * @param int Encryption mode + * + * @return enigma_error On error returns error object + */ + function sign_message(&$message, $mode = null) + { + $mime = new enigma_mime_message($message, enigma_mime_message::PGP_SIGNED); + $from = $mime->getFromAddress(); + + // find private key + $key = $this->find_key($from, true); + + if (empty($key)) { + return new enigma_error(enigma_error::KEYNOTFOUND); + } + + // check if we have password for this key + $passwords = $this->get_passwords(); + $pass = $passwords[$key->id]; + + if ($pass === null) { + // ask for password + $error = array('missing' => array($key->id => $key->name)); + return new enigma_error(enigma_error::BADPASS, '', $error); + } + + $key->password = $pass; + + // select mode + switch ($mode) { + case self::SIGN_MODE_BODY: + $pgp_mode = Crypt_GPG::SIGN_MODE_CLEAR; + break; + + case self::SIGN_MODE_MIME: + $pgp_mode = Crypt_GPG::SIGN_MODE_DETACHED; + break; + + default: + if ($mime->isMultipart()) { + $pgp_mode = Crypt_GPG::SIGN_MODE_DETACHED; + } + else { + $pgp_mode = Crypt_GPG::SIGN_MODE_CLEAR; + } + } + + // get message body + if ($pgp_mode == Crypt_GPG::SIGN_MODE_CLEAR) { + // in this mode we'll replace text part + // with the one containing signature + $body = $message->getTXTBody(); + + $text_charset = $message->getParam('text_charset'); + $line_length = $this->rc->config->get('line_length', 72); + + // We can't use format=flowed for signed messages + if (strpos($text_charset, 'format=flowed')) { + list($charset, $params) = explode(';', $text_charset); + $body = rcube_mime::unfold_flowed($body); + $body = rcube_mime::wordwrap($body, $line_length, "\r\n", false, $charset); + + $text_charset = str_replace(";\r\n format=flowed", '', $text_charset); + } + } + else { + // here we'll build PGP/MIME message + $body = $mime->getOrigBody(); + } + + // sign the body + $result = $this->pgp_sign($body, $key, $pgp_mode); + + if ($result !== true) { + if ($result->getCode() == enigma_error::BADPASS) { + // ask for password + $error = array('bad' => array($key->id => $key->name)); + return new enigma_error(enigma_error::BADPASS, '', $error); + } + + return $result; + } + + // replace message body + if ($pgp_mode == Crypt_GPG::SIGN_MODE_CLEAR) { + $message->setTXTBody($body); + $message->setParam('text_charset', $text_charset); + } + else { + $mime->addPGPSignature($body, $this->pgp_driver->signature_algorithm()); + $message = $mime; + } + } + + /** + * Handler for message encryption + * + * @param Mail_mime Original message + * @param int Encryption mode + * @param bool Is draft-save action - use only sender's key for encryption + * + * @return enigma_error On error returns error object + */ + function encrypt_message(&$message, $mode = null, $is_draft = false) + { + $mime = new enigma_mime_message($message, enigma_mime_message::PGP_ENCRYPTED); + + // always use sender's key + $from = $mime->getFromAddress(); + + // check senders key for signing + if ($mode & self::ENCRYPT_MODE_SIGN) { + $sign_key = $this->find_key($from, true); + + if (empty($sign_key)) { + return new enigma_error(enigma_error::KEYNOTFOUND); + } + + // check if we have password for this key + $passwords = $this->get_passwords(); + $sign_pass = $passwords[$sign_key->id]; + + if ($sign_pass === null) { + // ask for password + $error = array('missing' => array($sign_key->id => $sign_key->name)); + return new enigma_error(enigma_error::BADPASS, '', $error); + } + + $sign_key->password = $sign_pass; + } + + $recipients = array($from); + + // if it's not a draft we add all recipients' keys + if (!$is_draft) { + $recipients = array_merge($recipients, $mime->getRecipients()); + } + + if (empty($recipients)) { + return new enigma_error(enigma_error::KEYNOTFOUND); + } + + $recipients = array_unique($recipients); + + // find recipient public keys + foreach ((array) $recipients as $email) { + if ($email == $from && $sign_key) { + $key = $sign_key; + } + else { + $key = $this->find_key($email); + } + + if (empty($key)) { + return new enigma_error(enigma_error::KEYNOTFOUND, '', array( + 'missing' => $email + )); + } + + $keys[] = $key; + } + + // select mode + if ($mode & self::ENCRYPT_MODE_BODY) { + $encrypt_mode = $mode; + } + else if ($mode & self::ENCRYPT_MODE_MIME) { + $encrypt_mode = $mode; + } + else { + $encrypt_mode = $mime->isMultipart() ? self::ENCRYPT_MODE_MIME : self::ENCRYPT_MODE_BODY; + } + + // get message body + if ($encrypt_mode == self::ENCRYPT_MODE_BODY) { + // in this mode we'll replace text part + // with the one containing encrypted message + $body = $message->getTXTBody(); + } + else { + // here we'll build PGP/MIME message + $body = $mime->getOrigBody(); + } + + // sign the body + $result = $this->pgp_encrypt($body, $keys, $sign_key); + + if ($result !== true) { + if ($result->getCode() == enigma_error::BADPASS) { + // ask for password + $error = array('bad' => array($sign_key->id => $sign_key->name)); + return new enigma_error(enigma_error::BADPASS, '', $error); + } + + return $result; + } + + // replace message body + if ($encrypt_mode == self::ENCRYPT_MODE_BODY) { + $message->setTXTBody($body); + } + else { + $mime->setPGPEncryptedBody($body); + $message = $mime; + } + } + + /** + * Handler for attaching public key to a message + * + * @param Mail_mime Original message + * + * @return bool True on success, False on failure + */ + function attach_public_key(&$message) + { + $headers = $message->headers(); + $from = rcube_mime::decode_address_list($headers['From'], 1, false, null, true); + $from = $from[1]; + + // find my key + if ($from && ($key = $this->find_key($from))) { + $pubkey_armor = $this->export_key($key->id); + + if (!$pubkey_armor instanceof enigma_error) { + $pubkey_name = '0x' . enigma_key::format_id($key->id) . '.asc'; + $message->addAttachment($pubkey_armor, 'application/pgp-keys', $pubkey_name, false, '7bit'); + return true; + } + } + + return false; + } + + /** + * Handler for message_part_structure hook. + * Called for every part of the message. + * + * @param array Original parameters + * @param string Part body (will be set if used internally) + * + * @return array Modified parameters + */ + function part_structure($p, $body = null) + { + if ($p['mimetype'] == 'text/plain' || $p['mimetype'] == 'application/pgp') { + $this->parse_plain($p, $body); + } + else if ($p['mimetype'] == 'multipart/signed') { + $this->parse_signed($p, $body); + } + else if ($p['mimetype'] == 'multipart/encrypted') { + $this->parse_encrypted($p); + } + else if ($p['mimetype'] == 'application/pkcs7-mime') { + $this->parse_encrypted($p); + } + + return $p; + } + + /** + * Handler for message_part_body hook. + * + * @param array Original parameters + * + * @return array Modified parameters + */ + function part_body($p) + { + // encrypted attachment, see parse_plain_encrypted() + if ($p['part']->need_decryption && $p['part']->body === null) { + $this->load_pgp_driver(); + + $storage = $this->rc->get_storage(); + $body = $storage->get_message_part($p['object']->uid, $p['part']->mime_id, $p['part'], null, null, true, 0, false); + $result = $this->pgp_decrypt($body); + + // @TODO: what to do on error? + if ($result === true) { + $p['part']->body = $body; + $p['part']->size = strlen($body); + $p['part']->body_modified = true; + } + } + + return $p; + } + + /** + * Handler for plain/text message. + * + * @param array Reference to hook's parameters + * @param string Part body (will be set if used internally) + */ + function parse_plain(&$p, $body = null) + { + $part = $p['structure']; + + // Get message body from IMAP server + if ($body === null) { + $body = $this->get_part_body($p['object'], $part); + } + + // In this way we can use fgets on string as on file handle + // Don't use php://temp for security (body may come from an encrypted part) + $fd = fopen('php://memory', 'r+'); + if (!$fd) { + return; + } + + fwrite($fd, $body); + rewind($fd); + + $body = ''; + $prefix = ''; + $mode = ''; + $tokens = array( + 'BEGIN PGP SIGNED MESSAGE' => 'signed-start', + 'END PGP SIGNATURE' => 'signed-end', + 'BEGIN PGP MESSAGE' => 'encrypted-start', + 'END PGP MESSAGE' => 'encrypted-end', + ); + $regexp = '/^-----(' . implode('|', array_keys($tokens)) . ')-----[\r\n]*/'; + + while (($line = fgets($fd)) !== false) { + if ($line[0] === '-' && $line[4] === '-' && preg_match($regexp, $line, $m)) { + switch ($tokens[$m[1]]) { + case 'signed-start': + $body = $line; + $mode = 'signed'; + break; + + case 'signed-end': + if ($mode === 'signed') { + $body .= $line; + } + break 2; // ignore anything after this line + + case 'encrypted-start': + $body = $line; + $mode = 'encrypted'; + break; + + case 'encrypted-end': + if ($mode === 'encrypted') { + $body .= $line; + } + break 2; // ignore anything after this line + } + + continue; + } + + if ($mode === 'signed') { + $body .= $line; + } + else if ($mode === 'encrypted') { + $body .= $line; + } + else { + $prefix .= $line; + } + } + + fclose($fd); + + if ($mode === 'signed') { + $this->parse_plain_signed($p, $body, $prefix); + } + else if ($mode === 'encrypted') { + $this->parse_plain_encrypted($p, $body, $prefix); + } + } + + /** + * Handler for multipart/signed message. + * + * @param array Reference to hook's parameters + * @param string Part body (will be set if used internally) + */ + function parse_signed(&$p, $body = null) + { + $struct = $p['structure']; + + // S/MIME + if ($struct->parts[1] && $struct->parts[1]->mimetype == 'application/pkcs7-signature') { + $this->parse_smime_signed($p, $body); + } + // PGP/MIME: RFC3156 + // The multipart/signed body MUST consist of exactly two parts. + // The first part contains the signed data in MIME canonical format, + // including a set of appropriate content headers describing the data. + // The second body MUST contain the PGP digital signature. It MUST be + // labeled with a content type of "application/pgp-signature". + else if (count($struct->parts) == 2 + && $struct->parts[1] && $struct->parts[1]->mimetype == 'application/pgp-signature' + ) { + $this->parse_pgp_signed($p, $body); + } + } + + /** + * Handler for multipart/encrypted message. + * + * @param array Reference to hook's parameters + */ + function parse_encrypted(&$p) + { + $struct = $p['structure']; + + // S/MIME + if ($p['mimetype'] == 'application/pkcs7-mime') { + $this->parse_smime_encrypted($p); + } + // PGP/MIME: RFC3156 + // The multipart/encrypted MUST consist of exactly two parts. The first + // MIME body part must have a content type of "application/pgp-encrypted". + // This body contains the control information. + // The second MIME body part MUST contain the actual encrypted data. It + // must be labeled with a content type of "application/octet-stream". + else if (count($struct->parts) == 2 + && $struct->parts[0] && $struct->parts[0]->mimetype == 'application/pgp-encrypted' + && $struct->parts[1] && $struct->parts[1]->mimetype == 'application/octet-stream' + ) { + $this->parse_pgp_encrypted($p); + } + } + + /** + * Handler for plain signed message. + * Excludes message and signature bodies and verifies signature. + * + * @param array Reference to hook's parameters + * @param string Message (part) body + * @param string Body prefix (additional text before the encrypted block) + */ + private function parse_plain_signed(&$p, $body, $prefix = '') + { + if (!$this->rc->config->get('enigma_signatures', true)) { + return; + } + + $this->load_pgp_driver(); + $part = $p['structure']; + + // Verify signature + if ($this->rc->action == 'show' || $this->rc->action == 'preview' || $this->rc->action == 'print') { + $sig = $this->pgp_verify($body); + } + + // In this way we can use fgets on string as on file handle + // Don't use php://temp for security (body may come from an encrypted part) + $fd = fopen('php://memory', 'r+'); + if (!$fd) { + return; + } + + fwrite($fd, $body); + rewind($fd); + + $body = $part->body = null; + $part->body_modified = true; + + // Extract body (and signature?) + while (($line = fgets($fd, 1024)) !== false) { + if ($part->body === null) + $part->body = ''; + else if (preg_match('/^-----BEGIN PGP SIGNATURE-----/', $line)) + break; + else + $part->body .= $line; + } + + fclose($fd); + + // Remove "Hash" Armor Headers + $part->body = preg_replace('/^.*\r*\n\r*\n/', '', $part->body); + // de-Dash-Escape (RFC2440) + $part->body = preg_replace('/(^|\n)- -/', '\\1-', $part->body); + + if ($prefix) { + $part->body = $prefix . $part->body; + } + + // Store signature data for display + if (!empty($sig)) { + $sig->partial = !empty($prefix); + $this->signatures[$part->mime_id] = $sig; + } + } + + /** + * Handler for PGP/MIME signed message. + * Verifies signature. + * + * @param array Reference to hook's parameters + * @param string Part body (will be set if used internally) + */ + private function parse_pgp_signed(&$p, $body = null) + { + if (!$this->rc->config->get('enigma_signatures', true)) { + return; + } + + if ($this->rc->action != 'show' && $this->rc->action != 'preview' && $this->rc->action != 'print') { + return; + } + + $this->load_pgp_driver(); + $struct = $p['structure']; + + $msg_part = $struct->parts[0]; + $sig_part = $struct->parts[1]; + + // Get bodies + if ($body === null) { + if (!$struct->body_modified) { + $body = $this->get_part_body($p['object'], $struct); + } + } + + $boundary = $struct->ctype_parameters['boundary']; + + // when it is a signed message forwarded as attachment + // ctype_parameters property will not be set + if (!$boundary && $struct->headers['content-type'] + && preg_match('/boundary="?([a-zA-Z0-9\'()+_,-.\/:=?]+)"?/', $struct->headers['content-type'], $m) + ) { + $boundary = $m[1]; + } + + // set signed part body + list($msg_body, $sig_body) = $this->explode_signed_body($body, $boundary); + + // Verify + if ($sig_body && $msg_body) { + $sig = $this->pgp_verify($msg_body, $sig_body); + + // Store signature data for display + $this->signatures[$struct->mime_id] = $sig; + $this->signatures[$msg_part->mime_id] = $sig; + } + } + + /** + * Handler for S/MIME signed message. + * Verifies signature. + * + * @param array Reference to hook's parameters + * @param string Part body (will be set if used internally) + */ + private function parse_smime_signed(&$p, $body = null) + { + if (!$this->rc->config->get('enigma_signatures', true)) { + return; + } + + // @TODO + } + + /** + * Handler for plain encrypted message. + * + * @param array Reference to hook's parameters + * @param string Message (part) body + * @param string Body prefix (additional text before the encrypted block) + */ + private function parse_plain_encrypted(&$p, $body, $prefix = '') + { + if (!$this->rc->config->get('enigma_decryption', true)) { + return; + } + + $this->load_pgp_driver(); + $part = $p['structure']; + + // Decrypt + $result = $this->pgp_decrypt($body, $signature); + + // Store decryption status + $this->decryptions[$part->mime_id] = $result; + + // Store signature data for display + if ($signature) { + $this->signatures[$part->mime_id] = $signature; + } + + // find parent part ID + if (strpos($part->mime_id, '.')) { + $items = explode('.', $part->mime_id); + array_pop($items); + $parent = implode('.', $items); + } + else { + $parent = 0; + } + + // Parse decrypted message + if ($result === true) { + $part->body = $prefix . $body; + $part->body_modified = true; + + // it maybe PGP signed inside, verify signature + $this->parse_plain($p, $body); + + // Remember it was decrypted + $this->encrypted_parts[] = $part->mime_id; + + // Inform the user that only a part of the body was encrypted + if ($prefix) { + $this->decryptions[$part->mime_id] = self::ENCRYPTED_PARTIALLY; + } + + // Encrypted plain message may contain encrypted attachments + // in such case attachments have .pgp extension and type application/octet-stream. + // This is what happens when you select "Encrypt each attachment separately + // and send the message using inline PGP" in Thunderbird's Enigmail. + + if ($p['object']->mime_parts[$parent]) { + foreach ((array)$p['object']->mime_parts[$parent]->parts as $p) { + if ($p->disposition == 'attachment' && $p->mimetype == 'application/octet-stream' + && preg_match('/^(.*)\.pgp$/i', $p->filename, $m) + ) { + // modify filename + $p->filename = $m[1]; + // flag the part, it will be decrypted when needed + $p->need_decryption = true; + // disable caching + $p->body_modified = true; + } + } + } + } + // decryption failed, but the message may have already + // been cached with the modified parts (see above), + // let's bring the original state back + else if ($p['object']->mime_parts[$parent]) { + foreach ((array)$p['object']->mime_parts[$parent]->parts as $p) { + if ($p->need_decryption && !preg_match('/^(.*)\.pgp$/i', $p->filename, $m)) { + // modify filename + $p->filename .= '.pgp'; + // flag the part, it will be decrypted when needed + unset($p->need_decryption); + } + } + } + } + + /** + * Handler for PGP/MIME encrypted message. + * + * @param array Reference to hook's parameters + */ + private function parse_pgp_encrypted(&$p) + { + if (!$this->rc->config->get('enigma_decryption', true)) { + return; + } + + $this->load_pgp_driver(); + + $struct = $p['structure']; + $part = $struct->parts[1]; + + // Get body + $body = $this->get_part_body($p['object'], $part); + + // Decrypt + $result = $this->pgp_decrypt($body, $signature); + + if ($result === true) { + // Parse decrypted message + $struct = $this->parse_body($body); + + // Modify original message structure + $this->modify_structure($p, $struct, strlen($body)); + + // Parse the structure (there may be encrypted/signed parts inside + $this->part_structure(array( + 'object' => $p['object'], + 'structure' => $struct, + 'mimetype' => $struct->mimetype + ), $body); + + // Attach the decryption message to all parts + $this->decryptions[$struct->mime_id] = $result; + foreach ((array) $struct->parts as $sp) { + $this->decryptions[$sp->mime_id] = $result; + if ($signature) { + $this->signatures[$sp->mime_id] = $signature; + } + } + } + else { + $this->decryptions[$part->mime_id] = $result; + + // Make sure decryption status message will be displayed + $part->type = 'content'; + $p['object']->parts[] = $part; + + // don't show encrypted part on attachments list + // don't show "cannot display encrypted message" text + $p['abort'] = true; + } + } + + /** + * Handler for S/MIME encrypted message. + * + * @param array Reference to hook's parameters + */ + private function parse_smime_encrypted(&$p) + { + if (!$this->rc->config->get('enigma_decryption', true)) { + return; + } + + // @TODO + } + + /** + * PGP signature verification. + * + * @param mixed Message body + * @param mixed Signature body (for MIME messages) + * + * @return mixed enigma_signature or enigma_error + */ + private function pgp_verify(&$msg_body, $sig_body = null) + { + // @TODO: Handle big bodies using (temp) files + $sig = $this->pgp_driver->verify($msg_body, $sig_body); + + if (($sig instanceof enigma_error) && $sig->getCode() != enigma_error::KEYNOTFOUND) { + self::raise_error($sig, __LINE__); + } + + return $sig; + } + + /** + * PGP message decryption. + * + * @param mixed &$msg_body Message body + * @param enigma_signature &$signature Signature verification result + * + * @return mixed True or enigma_error + */ + private function pgp_decrypt(&$msg_body, &$signature = null) + { + // @TODO: Handle big bodies using (temp) files + $keys = $this->get_passwords(); + $result = $this->pgp_driver->decrypt($msg_body, $keys, $signature); + + if ($result instanceof enigma_error) { + if ($result->getCode() != enigma_error::KEYNOTFOUND) { + self::raise_error($result, __LINE__); + } + + return $result; + } + + $msg_body = $result; + + return true; + } + + /** + * PGP message signing + * + * @param mixed Message body + * @param enigma_key The key (with passphrase) + * @param int Signing mode + * + * @return mixed True or enigma_error + */ + private function pgp_sign(&$msg_body, $key, $mode = null) + { + // @TODO: Handle big bodies using (temp) files + $result = $this->pgp_driver->sign($msg_body, $key, $mode); + + if ($result instanceof enigma_error) { + if ($result->getCode() != enigma_error::KEYNOTFOUND) { + self::raise_error($result, __LINE__); + } + + return $result; + } + + $msg_body = $result; + + return true; + } + + /** + * PGP message encrypting + * + * @param mixed Message body + * @param array Keys (array of enigma_key objects) + * @param string Optional signing Key ID + * @param string Optional signing Key password + * + * @return mixed True or enigma_error + */ + private function pgp_encrypt(&$msg_body, $keys, $sign_key = null, $sign_pass = null) + { + // @TODO: Handle big bodies using (temp) files + $result = $this->pgp_driver->encrypt($msg_body, $keys, $sign_key, $sign_pass); + + if ($result instanceof enigma_error) { + if ($result->getCode() != enigma_error::KEYNOTFOUND) { + self::raise_error($result, __LINE__); + } + + return $result; + } + + $msg_body = $result; + + return true; + } + + /** + * PGP keys listing. + * + * @param mixed Key ID/Name pattern + * + * @return mixed Array of keys or enigma_error + */ + function list_keys($pattern = '') + { + $this->load_pgp_driver(); + $result = $this->pgp_driver->list_keys($pattern); + + if ($result instanceof enigma_error) { + self::raise_error($result, __LINE__); + } + + return $result; + } + + /** + * Find PGP private/public key + * + * @param string E-mail address + * @param bool Need a key for signing? + * + * @return enigma_key The key + */ + function find_key($email, $can_sign = false) + { + $this->load_pgp_driver(); + $result = $this->pgp_driver->list_keys($email); + + if ($result instanceof enigma_error) { + self::raise_error($result, __LINE__); + return; + } + + $mode = $can_sign ? enigma_key::CAN_SIGN : enigma_key::CAN_ENCRYPT; + + // check key validity and type + foreach ($result as $key) { + if ($subkey = $key->find_subkey($email, $mode)) { + return $key; + } + } + } + + /** + * PGP key details. + * + * @param mixed Key ID + * + * @return mixed enigma_key or enigma_error + */ + function get_key($keyid) + { + $this->load_pgp_driver(); + $result = $this->pgp_driver->get_key($keyid); + + if ($result instanceof enigma_error) { + self::raise_error($result, __LINE__); + } + + return $result; + } + + /** + * PGP key delete. + * + * @param string Key ID + * + * @return enigma_error|bool True on success + */ + function delete_key($keyid) + { + $this->load_pgp_driver(); + $result = $this->pgp_driver->delete_key($keyid); + + if ($result instanceof enigma_error) { + self::raise_error($result, __LINE__); + } + + return $result; + } + + /** + * PGP keys pair generation. + * + * @param array Key pair parameters + * + * @return mixed enigma_key or enigma_error + */ + function generate_key($data) + { + $this->load_pgp_driver(); + $result = $this->pgp_driver->gen_key($data); + + if ($result instanceof enigma_error) { + self::raise_error($result, __LINE__); + } + + return $result; + } + + /** + * PGP keys/certs import. + * + * @param mixed Import file name or content + * @param boolean True if first argument is a filename + * + * @return mixed Import status data array or enigma_error + */ + function import_key($content, $isfile = false) + { + $this->load_pgp_driver(); + $result = $this->pgp_driver->import($content, $isfile, $this->get_passwords()); + + if ($result instanceof enigma_error) { + self::raise_error($result, __LINE__); + } + else { + $result['imported'] = $result['public_imported'] + $result['private_imported']; + $result['unchanged'] = $result['public_unchanged'] + $result['private_unchanged']; + } + + return $result; + } + + /** + * PGP keys/certs export. + * + * @param string Key ID + * @param resource Optional output stream + * @param bool Include private key + * + * @return mixed Key content or enigma_error + */ + function export_key($key, $fp = null, $include_private = false) + { + $this->load_pgp_driver(); + $result = $this->pgp_driver->export($key, $include_private, $this->get_passwords()); + + if ($result instanceof enigma_error) { + self::raise_error($result, __LINE__); + return $result; + } + + if ($fp) { + fwrite($fp, $result); + } + else { + return $result; + } + } + + /** + * Registers password for specified key/cert sent by the password prompt. + */ + function password_handler() + { + $keyid = rcube_utils::get_input_value('_keyid', rcube_utils::INPUT_POST); + $passwd = rcube_utils::get_input_value('_passwd', rcube_utils::INPUT_POST, true); + + if ($keyid && $passwd !== null && strlen($passwd)) { + $this->save_password(strtoupper($keyid), $passwd); + } + } + + /** + * Saves key/cert password in user session + */ + function save_password($keyid, $password) + { + // we store passwords in session for specified time + if ($config = $_SESSION['enigma_pass']) { + $config = $this->rc->decrypt($config); + $config = @unserialize($config); + } + + $config[$keyid] = array($password, time()); + + $_SESSION['enigma_pass'] = $this->rc->encrypt(serialize($config)); + } + + /** + * Returns currently stored passwords + */ + function get_passwords() + { + if ($config = $_SESSION['enigma_pass']) { + $config = $this->rc->decrypt($config); + $config = @unserialize($config); + } + + $threshold = $this->password_time ? time() - $this->password_time : 0; + $keys = array(); + + // delete expired passwords + foreach ((array) $config as $key => $value) { + if ($threshold && $value[1] < $threshold) { + unset($config[$key]); + $modified = true; + } + else { + $keys[$key] = $value[0]; + } + } + + if ($modified) { + $_SESSION['enigma_pass'] = $this->rc->encrypt(serialize($config)); + } + + return $keys; + } + + /** + * Get message part body. + * + * @param rcube_message Message object + * @param rcube_message_part Message part + */ + private function get_part_body($msg, $part) + { + // @TODO: Handle big bodies using file handles + + // This is a special case when we want to get the whole body + // using direct IMAP access, in other cases we prefer + // rcube_message::get_part_body() as the body may be already in memory + if (!$part->mime_id) { + // fake the size which may be empty for multipart/* parts + // otherwise get_message_part() below will fail + if (!$part->size) { + $reset = true; + $part->size = 1; + } + + $storage = $this->rc->get_storage(); + $body = $storage->get_message_part($msg->uid, $part->mime_id, $part, + null, null, true, 0, false); + + if ($reset) { + $part->size = 0; + } + } + else { + $body = $msg->get_part_body($part->mime_id, false); + + // Convert charset to get rid of possible non-ascii characters (#5962) + if ($part->charset && stripos($part->charset, 'ASCII') === false) { + $body = rcube_charset::convert($body, $part->charset, 'US-ASCII'); + } + } + + return $body; + } + + /** + * Parse decrypted message body into structure + * + * @param string Message body + * + * @return array Message structure + */ + private function parse_body(&$body) + { + // Mail_mimeDecode need \r\n end-line, but gpg may return \n + $body = preg_replace('/\r?\n/', "\r\n", $body); + + // parse the body into structure + $struct = rcube_mime::parse_message($body); + + return $struct; + } + + /** + * Replace message encrypted structure with decrypted message structure + * + * @param array Hook arguments + * @param rcube_message_part Part structure + * @param int Part size + */ + private function modify_structure(&$p, $struct, $size = 0) + { + // modify mime_parts property of the message object + $old_id = $p['structure']->mime_id; + + foreach (array_keys($p['object']->mime_parts) as $idx) { + if (!$old_id || $idx == $old_id || strpos($idx, $old_id . '.') === 0) { + unset($p['object']->mime_parts[$idx]); + } + } + + // set some part params used by Roundcube core + $struct->headers = array_merge($p['structure']->headers, $struct->headers); + $struct->size = $size; + $struct->filename = $p['structure']->filename; + + // modify the new structure to be correctly handled by Roundcube + $this->modify_structure_part($struct, $p['object'], $old_id); + + // replace old structure with the new one + $p['structure'] = $struct; + $p['mimetype'] = $struct->mimetype; + } + + /** + * Modify decrypted message part + * + * @param rcube_message_part + * @param rcube_message + */ + private function modify_structure_part($part, $msg, $old_id) + { + // never cache the body + $part->body_modified = true; + $part->encoding = 'stream'; + + // modify part identifier + if ($old_id) { + $part->mime_id = !$part->mime_id ? $old_id : ($old_id . '.' . $part->mime_id); + } + + // Cache the fact it was decrypted + $this->encrypted_parts[] = $part->mime_id; + $msg->mime_parts[$part->mime_id] = $part; + + // modify sub-parts + foreach ((array) $part->parts as $p) { + $this->modify_structure_part($p, $msg, $old_id); + } + } + + /** + * Extracts body and signature of multipart/signed message body + */ + private function explode_signed_body($body, $boundary) + { + if (!$body) { + return array(); + } + + $boundary = '--' . $boundary; + $boundary_len = strlen($boundary) + 2; + + // Find boundaries + $start = strpos($body, $boundary) + $boundary_len; + $end = strpos($body, $boundary, $start); + + // Get signed body and signature + $sig = substr($body, $end + $boundary_len); + $body = substr($body, $start, $end - $start - 2); + + // Cleanup signature + $sig = substr($sig, strpos($sig, "\r\n\r\n") + 4); + $sig = substr($sig, 0, strpos($sig, $boundary)); + + return array($body, $sig); + } + + /** + * Checks if specified message part is a PGP-key or S/MIME cert data + * + * @param rcube_message_part Part object + * + * @return boolean True if part is a key/cert + */ + public function is_keys_part($part) + { + // @TODO: S/MIME + return ( + // Content-Type: application/pgp-keys + $part->mimetype == 'application/pgp-keys' + ); + } + + /** + * Removes all user keys and assigned data + * + * @param string Username + * + * @return bool True on success, False on failure + */ + public function delete_user_data($username) + { + $homedir = $this->rc->config->get('enigma_pgp_homedir', INSTALL_PATH . 'plugins/enigma/home'); + $homedir .= DIRECTORY_SEPARATOR . $username; + + return file_exists($homedir) ? self::delete_dir($homedir) : true; + } + + /** + * Recursive method to remove directory with its content + * + * @param string Directory + */ + public static function delete_dir($dir) + { + // This code can be executed from command line, make sure + // we have permissions to delete keys directory + if (!is_writable($dir)) { + rcube::raise_error("Unable to delete $dir", false, true); + return false; + } + + if ($content = scandir($dir)) { + foreach ($content as $filename) { + if ($filename != '.' && $filename != '..') { + $filename = $dir . DIRECTORY_SEPARATOR . $filename; + + if (is_dir($filename)) { + self::delete_dir($filename); + } + else { + unlink($filename); + } + } + } + + rmdir($dir); + } + + return true; + } + + /** + * Raise/log (relevant) errors + */ + protected static function raise_error($result, $line, $abort = false) + { + if ($result->getCode() != enigma_error::BADPASS) { + rcube::raise_error(array( + 'code' => 600, + 'file' => __FILE__, + 'line' => $line, + 'message' => "Enigma plugin: " . $result->getMessage() + ), true, $abort); + } + } +}