chatmail-core/src/e2ee.rs

//! End-to-end encryption support.

use std::collections::HashSet;

use num_traits::FromPrimitive;

use crate::aheader::*;
use crate::config::Config;
use crate::context::Context;
use crate::error::*;
use crate::key::*;
use crate::keyring::*;
use crate::peerstate::*;
use crate::pgp;
use crate::securejoin::handle_degrade_event;
use crate::wrapmime;

#[derive(Debug)]
pub struct EncryptHelper {
    pub prefer_encrypt: EncryptPreference,
    pub addr: String,
    pub public_key: Key,
}

impl EncryptHelper {
    pub fn new(context: &Context) -> Result<EncryptHelper> {
        let prefer_encrypt =
            EncryptPreference::from_i32(context.get_config_int(Config::E2eeEnabled))
                .unwrap_or_default();
        let addr = match context.get_config(Config::ConfiguredAddr) {
            None => {
                bail!("addr not configured!");
            }
            Some(addr) => addr,
        };

        let public_key = load_or_generate_self_public_key(context, &addr)?;

        Ok(EncryptHelper {
            prefer_encrypt,
            addr,
            public_key,
        })
    }

    pub fn get_aheader(&self) -> Aheader {
        let pk = self.public_key.clone();
        let addr = self.addr.to_string();
        Aheader::new(addr, pk, self.prefer_encrypt)
    }

    /// Determines if we can and should encrypt.
    pub fn should_encrypt(
        &self,
        context: &Context,
        e2ee_guaranteed: bool,
        peerstates: &[(Option<Peerstate>, &str)],
    ) -> Result<bool> {
        if !(self.prefer_encrypt == EncryptPreference::Mutual || e2ee_guaranteed) {
            return Ok(false);
        }

        for (peerstate, addr) in peerstates {
            match peerstate {
                Some(peerstate) => {
                    if peerstate.prefer_encrypt != EncryptPreference::Mutual && !e2ee_guaranteed {
                        info!(context, "peerstate for {:?} is no-encrypt", addr);
                        return Ok(false);
                    }
                }
                None => {
                    let msg = format!("peerstate for {:?} missing, cannot encrypt", addr);
                    if e2ee_guaranteed {
                        return Err(format_err!("{}", msg));
                    } else {
                        info!(context, "{}", msg);
                        return Ok(false);
                    }
                }
            }
        }

        Ok(true)
    }

    /// Tries to encrypt the passed in `mail`.
    pub fn encrypt(
        &mut self,
        context: &Context,
        min_verified: PeerstateVerifiedStatus,
        do_gossip: bool,
        mut mail_to_encrypt: lettre_email::PartBuilder,
        peerstates: &[(Option<Peerstate>, &str)],
    ) -> Result<String> {
        let mut keyring = Keyring::default();
        let mut gossip_headers: Vec<String> = Vec::with_capacity(peerstates.len());

        for (peerstate, addr) in peerstates
            .iter()
            .filter_map(|(state, addr)| state.as_ref().map(|s| (s, addr)))
        {
            if let Some(key) = peerstate.peek_key(min_verified) {
                keyring.add_owned(key.clone());
                if do_gossip {
                    if let Some(header) = peerstate.render_gossip_header(min_verified) {
                        gossip_headers.push(header.to_string());
                    }
                }
            } else {
                bail!("proper enc-key for {} missing, cannot encrypt", addr);
            }
        }

        // libEtPan's pgp_encrypt_mime() takes the parent as the new root.
        // We just expect the root as being given to this function.
        let sign_key = {
            keyring.add_ref(&self.public_key);
            let key = Key::from_self_private(context, self.addr.clone(), &context.sql);
            ensure!(key.is_some(), "no own private key found");

            key
        };

        // Add gossip headers
        for header in &gossip_headers {
            mail_to_encrypt = mail_to_encrypt.header(("Autocrypt-Gossip", header));
        }

        let raw_message = mail_to_encrypt.build().as_string().into_bytes();

        let ctext = pgp::pk_encrypt(&raw_message, &keyring, sign_key.as_ref())?;

        Ok(ctext)
    }
}

pub fn try_decrypt(
    context: &Context,
    mail: &mailparse::ParsedMail<'_>,
) -> Result<(Option<Vec<u8>>, HashSet<String>, i64)> {
    use mailparse::MailHeaderMap;

    let from = mail.headers.get_first_value("From")?.unwrap_or_default();
    let message_time = mail
        .headers
        .get_first_value("Date")?
        .and_then(|v| mailparse::dateparse(&v).ok())
        .unwrap_or_default();

    let mut peerstate = None;
    let autocryptheader = Aheader::from_imffields(&from, &mail.headers);

    if message_time > 0 {
        peerstate = Peerstate::from_addr(context, &context.sql, &from);

        if let Some(ref mut peerstate) = peerstate {
            if let Some(ref header) = autocryptheader {
                peerstate.apply_header(&header, message_time);
                peerstate.save_to_db(&context.sql, false)?;
            } else if message_time > peerstate.last_seen_autocrypt && !contains_report(mail) {
                peerstate.degrade_encryption(message_time);
                peerstate.save_to_db(&context.sql, false)?;
            }
        } else if let Some(ref header) = autocryptheader {
            let p = Peerstate::from_header(context, header, message_time);
            p.save_to_db(&context.sql, true)?;
            peerstate = Some(p);
        }
    }
    /* possibly perform decryption */
    let mut private_keyring = Keyring::default();
    let mut public_keyring_for_validate = Keyring::default();
    let mut out_mail = None;
    let mut signatures = HashSet::default();
    let self_addr = context.get_config(Config::ConfiguredAddr);

    if let Some(self_addr) = self_addr {
        if private_keyring.load_self_private_for_decrypting(context, self_addr, &context.sql) {
            if peerstate.as_ref().map(|p| p.last_seen).unwrap_or_else(|| 0) == 0 {
                peerstate = Peerstate::from_addr(&context, &context.sql, &from);
            }
            if let Some(ref peerstate) = peerstate {
                if peerstate.degrade_event.is_some() {
                    handle_degrade_event(context, &peerstate)?;
                }
                if let Some(ref key) = peerstate.gossip_key {
                    public_keyring_for_validate.add_ref(key);
                }
                if let Some(ref key) = peerstate.public_key {
                    public_keyring_for_validate.add_ref(key);
                }
            }

            out_mail = decrypt_if_autocrypt_message(
                context,
                mail,
                &private_keyring,
                &public_keyring_for_validate,
                &mut signatures,
            )?;
        }
    }
    Ok((out_mail, signatures, message_time))
}

/// Load public key from database or generate a new one.
///
/// This will load a public key from the database, generating and
/// storing a new one when one doesn't exist yet.  Care is taken to
/// only generate one key per context even when multiple threads call
/// this function concurrently.
fn load_or_generate_self_public_key(context: &Context, self_addr: impl AsRef<str>) -> Result<Key> {
    if let Some(key) = Key::from_self_public(context, &self_addr, &context.sql) {
        return Ok(key);
    }
    let _guard = context.generating_key_mutex.lock().unwrap();

    // Check again in case the key was generated while we were waiting for the lock.
    if let Some(key) = Key::from_self_public(context, &self_addr, &context.sql) {
        return Ok(key);
    }

    let start = std::time::Instant::now();
    info!(
        context,
        "Generating keypair with {} bits, e={} ...", 2048, 65537,
    );
    match pgp::create_keypair(&self_addr) {
        Some((public_key, private_key)) => {
            match dc_key_save_self_keypair(
                context,
                &public_key,
                &private_key,
                &self_addr,
                true,
                &context.sql,
            ) {
                true => {
                    info!(
                        context,
                        "Keypair generated in {:.3}s.",
                        start.elapsed().as_secs()
                    );
                    Ok(public_key)
                }
                false => Err(format_err!("Failed to save keypair")),
            }
        }
        None => Err(format_err!("Failed to generate keypair")),
    }
}

fn decrypt_if_autocrypt_message<'a>(
    context: &Context,
    mail: &mailparse::ParsedMail<'a>,
    private_keyring: &Keyring,
    public_keyring_for_validate: &Keyring,
    ret_valid_signatures: &mut HashSet<String>,
) -> Result<Option<Vec<u8>>> {
    //  The returned bool is true if we detected an Autocrypt-encrypted
    // message and successfully decrypted it. Decryption then modifies the
    // passed in mime structure in place. The returned bool is false
    // if it was not an Autocrypt message.
    //
    // Errors are returned for failures related to decryption of AC-messages.

    let encrypted_data_part = match wrapmime::get_autocrypt_mime(mail) {
        Err(_) => {
            // not a proper autocrypt message, abort and ignore
            return Ok(None);
        }
        Ok(res) => res,
    };

    decrypt_part(
        context,
        encrypted_data_part,
        private_keyring,
        public_keyring_for_validate,
        ret_valid_signatures,
    )
}

/// Returns Ok(None) if nothing encrypted was found.
fn decrypt_part(
    _context: &Context,
    mail: &mailparse::ParsedMail<'_>,
    private_keyring: &Keyring,
    public_keyring_for_validate: &Keyring,
    ret_valid_signatures: &mut HashSet<String>,
) -> Result<Option<Vec<u8>>> {
    let data = mail.get_body_raw()?;

    if has_decrypted_pgp_armor(&data) {
        // we should only have one decryption happening
        ensure!(ret_valid_signatures.is_empty(), "corrupt signatures");

        let plain = pgp::pk_decrypt(
            &data,
            &private_keyring,
            &public_keyring_for_validate,
            Some(ret_valid_signatures),
        )?;

        ensure!(!ret_valid_signatures.is_empty(), "no valid signatures");
        return Ok(Some(plain));
    }

    Ok(None)
}

fn has_decrypted_pgp_armor(input: &[u8]) -> bool {
    if let Some(index) = input.iter().position(|b| *b > b' ') {
        if input.len() - index > 26 {
            let start = index;
            let end = start + 27;

            return &input[start..end] == b"-----BEGIN PGP MESSAGE-----";
        }
    }

    false
}

/// Check if a MIME structure contains a multipart/report part.
///
/// As reports are often unencrypted, we do not reset the Autocrypt header in
/// this case.
///
/// However, Delta Chat itself has no problem with encrypted multipart/report
/// parts and MUAs should be encouraged to encrpyt multipart/reports as well so
/// that we could use the normal Autocrypt processing.
fn contains_report(mail: &mailparse::ParsedMail<'_>) -> bool {
    mail.ctype.mimetype == "multipart/report"
}

/// Ensures a private key exists for the configured user.
///
/// Normally the private key is generated when the first message is
/// sent but in a few locations there are no such guarantees,
/// e.g. when exporting keys, and calling this function ensures a
/// private key will be present.
///
/// If this succeeds you are also guaranteed that the
/// [Config::ConfiguredAddr] is configured, this address is returned.
pub fn ensure_secret_key_exists(context: &Context) -> Result<String> {
    let self_addr = context.get_config(Config::ConfiguredAddr).ok_or_else(|| {
        format_err!(concat!(
            "Failed to get self address, ",
            "cannot ensure secret key if not configured."
        ))
    })?;
    load_or_generate_self_public_key(context, &self_addr)?;
    Ok(self_addr)
}

#[cfg(test)]
mod tests {
    use super::*;

    use crate::test_utils::*;

    mod ensure_secret_key_exists {
        use super::*;

        #[test]
        fn test_prexisting() {
            let t = dummy_context();
            let test_addr = configure_alice_keypair(&t.ctx);
            assert_eq!(ensure_secret_key_exists(&t.ctx).unwrap(), test_addr);
        }

        #[test]
        fn test_not_configured() {
            let t = dummy_context();
            assert!(ensure_secret_key_exists(&t.ctx).is_err());
        }
    }

    //     #[test]
    //     fn test_mailmime_parse() {
    //         let plain = b"Chat-Disposition-Notification-To: holger@deltachat.de
    // Chat-Group-ID: CovhGgau8M-
    // Chat-Group-Name: Delta Chat Dev
    // Subject: =?utf-8?Q?Chat=3A?= Delta Chat =?utf-8?Q?Dev=3A?= sidenote for
    //  =?utf-8?Q?all=3A?= rust core master ...
    // Content-Type: text/plain; charset=\"utf-8\"; protected-headers=\"v1\"
    // Content-Transfer-Encoding: quoted-printable

    // sidenote for all: rust core master is broken currently ... so dont recomm=
    // end to try to run with desktop or ios unless you are ready to hunt bugs

    // -- =20
    // Sent with my Delta Chat Messenger: https://delta.chat";
    //         let plain_bytes = plain.len();
    //         let plain_buf = plain.as_ptr() as *const libc::c_char;

    //         let mut index = 0;
    //         let mut decrypted_mime = std::ptr::null_mut();

    //         let res =  {
    //             mailmime_parse(
    //                 plain_buf as *const _,
    //                 plain_bytes,
    //                 &mut index,
    //                 &mut decrypted_mime,
    //             )
    //         };
    //          {
    //             let msg1 = (*decrypted_mime).mm_data.mm_message.mm_msg_mime;
    //             let data = mailmime_transfer_decode(msg1).unwrap();
    //             println!("{:?}", String::from_utf8_lossy(&data));
    //         }

    //         assert_eq!(res, 0);
    //         assert!(!decrypted_mime.is_null());

    //          { free(decrypted_mime as *mut _) };
    //     }

    mod load_or_generate_self_public_key {
        use super::*;

        #[test]
        fn test_existing() {
            let t = dummy_context();
            let addr = configure_alice_keypair(&t.ctx);
            let key = load_or_generate_self_public_key(&t.ctx, addr);
            assert!(key.is_ok());
        }

        #[test]
        #[ignore] // generating keys is expensive
        fn test_generate() {
            let t = dummy_context();
            let addr = "alice@example.org";
            let key0 = load_or_generate_self_public_key(&t.ctx, addr);
            assert!(key0.is_ok());
            let key1 = load_or_generate_self_public_key(&t.ctx, addr);
            assert!(key1.is_ok());
            assert_eq!(key0.unwrap(), key1.unwrap());
        }

        #[test]
        #[ignore]
        fn test_generate_concurrent() {
            use std::sync::Arc;
            use std::thread;

            let t = dummy_context();
            let ctx = Arc::new(t.ctx);
            let ctx0 = Arc::clone(&ctx);
            let thr0 =
                thread::spawn(move || load_or_generate_self_public_key(&ctx0, "alice@example.org"));
            let ctx1 = Arc::clone(&ctx);
            let thr1 =
                thread::spawn(move || load_or_generate_self_public_key(&ctx1, "alice@example.org"));
            let res0 = thr0.join().unwrap();
            let res1 = thr1.join().unwrap();
            assert_eq!(res0.unwrap(), res1.unwrap());
        }
    }

    #[test]
    fn test_has_decrypted_pgp_armor() {
        let data = b" -----BEGIN PGP MESSAGE-----";
        assert_eq!(has_decrypted_pgp_armor(data), true);

        let data = b"    \n-----BEGIN PGP MESSAGE-----";
        assert_eq!(has_decrypted_pgp_armor(data), true);

        let data = b"    -----BEGIN PGP MESSAGE---";
        assert_eq!(has_decrypted_pgp_armor(data), false);

        let data = b" -----BEGIN PGP MESSAGE-----";
        assert_eq!(has_decrypted_pgp_armor(data), true);

        let data = b"blas";
        assert_eq!(has_decrypted_pgp_armor(data), false);
    }
}