1use std::collections::HashSet;
5use std::io::Cursor;
6
7use anyhow::{Context as _, Result, bail};
8use mailparse::ParsedMail;
9use pgp::composed::DecryptionOptions;
10use pgp::composed::Esk;
11use pgp::composed::Message;
12use pgp::composed::PlainSessionKey;
13use pgp::composed::SignedSecretKey;
14use pgp::composed::TheRing;
15use pgp::composed::decrypt_session_key_with_password;
16use pgp::packet::SymKeyEncryptedSessionKey;
17use pgp::types::Password;
18use pgp::types::Seipdv1ReadMode;
19use pgp::types::StringToKey;
20
21use crate::chat::ChatId;
22use crate::constants::Chattype;
23use crate::contact::ContactId;
24use crate::context::Context;
25use crate::key::self_fingerprint;
26use crate::key::{Fingerprint, SignedPublicKey, load_self_secret_keyring};
27use crate::token::Namespace;
28
29pub(crate) async fn decrypt(
45 context: &Context,
46 mail: &mailparse::ParsedMail<'_>,
47) -> Result<Option<(Message<'static>, Option<String>)>> {
48 let Some(msg) = get_encrypted_pgp_message_boxed(mail)? else {
50 return Ok(None);
51 };
52 let expected_sender_fingerprint: Option<String>;
53
54 let abort_early = true;
55
56 let decrypt_options =
61 DecryptionOptions::new().set_seipdv1_read_mode(Seipdv1ReadMode::Streaming);
62
63 let plain = if let Message::Encrypted { esk, .. } = &*msg
64 && let [Esk::SymKeyEncryptedSessionKey(esk)] = &esk[..]
68 {
69 check_symmetric_encryption(esk)?;
70 let (psk, fingerprint) = decrypt_session_key_symmetrically(context, esk)
71 .await
72 .context("decrypt_session_key_symmetrically")?;
73 expected_sender_fingerprint = fingerprint;
74
75 tokio::task::spawn_blocking(move || -> Result<Message<'_>> {
76 let ring = TheRing {
77 session_keys: vec![psk],
78 decrypt_options,
79 ..Default::default()
80 };
81
82 let (plain, _ring_result) = msg
83 .decrypt_the_ring(ring, abort_early)
84 .context("decrypt_the_ring")?;
85
86 let plain: Message<'static> = plain.decompress()?;
87 Ok(plain)
88 })
89 .await??
90 } else {
91 let secret_keys: Vec<SignedSecretKey> = load_self_secret_keyring(context).await?;
93 expected_sender_fingerprint = None;
94
95 tokio::task::spawn_blocking(move || -> Result<Message<'_>> {
96 let secret_keys: Vec<&SignedSecretKey> = secret_keys.iter().collect();
97 let ring = TheRing {
98 secret_keys,
99 decrypt_options,
100 ..Default::default()
101 };
102 let (plain, _ring_result) = msg
103 .decrypt_the_ring(ring, abort_early)
104 .context("decrypt_the_ring")?;
105
106 let plain: Message<'static> = plain.decompress()?;
107 Ok(plain)
108 })
109 .await??
110 };
111
112 Ok(Some((plain, expected_sender_fingerprint)))
113}
114
115async fn decrypt_session_key_symmetrically(
116 context: &Context,
117 esk: &SymKeyEncryptedSessionKey,
118) -> Result<(PlainSessionKey, Option<String>)> {
119 let self_fp = self_fingerprint(context).await?;
120 let query_only = true;
121 context
122 .sql
123 .call(query_only, |conn| {
124 let res: Option<(PlainSessionKey, String)> = try_decrypt_with_bobstate(esk, conn)?;
127 if let Some((plain_session_key, fingerprint)) = res {
128 return Ok((plain_session_key, Some(fingerprint)));
129 }
130
131 let res: Option<(PlainSessionKey, Option<String>)> =
133 try_decrypt_with_broadcast_secret(esk, conn)?;
134 if let Some((plain_session_key, fingerprint)) = res {
135 return Ok((plain_session_key, fingerprint));
136 }
137
138 let res: Option<PlainSessionKey> = try_decrypt_with_auth_token(esk, conn, self_fp)?;
142 if let Some(plain_session_key) = res {
143 return Ok((plain_session_key, None));
144 }
145
146 bail!("Could not find symmetric secret for session key")
147 })
148 .await
149}
150
151fn try_decrypt_with_bobstate(
152 esk: &SymKeyEncryptedSessionKey,
153 conn: &mut rusqlite::Connection,
154) -> Result<Option<(PlainSessionKey, String)>> {
155 let mut stmt = conn.prepare("SELECT invite FROM bobstate")?;
156 let mut rows = stmt.query(())?;
157 while let Some(row) = rows.next()? {
158 let invite: crate::securejoin::QrInvite = row.get(0)?;
159 let authcode = invite.authcode().to_string();
160 let alice_fp = invite.fingerprint().hex();
161 let shared_secret = format!("securejoin/{alice_fp}/{authcode}");
162 if let Ok(psk) = decrypt_session_key_with_password(esk, &Password::from(shared_secret)) {
163 let fingerprint = invite.fingerprint().hex();
164 return Ok(Some((psk, fingerprint)));
165 }
166 }
167 Ok(None)
168}
169
170fn try_decrypt_with_broadcast_secret(
171 esk: &SymKeyEncryptedSessionKey,
172 conn: &mut rusqlite::Connection,
173) -> Result<Option<(PlainSessionKey, Option<String>)>> {
174 let Some((psk, chat_id)) = try_decrypt_with_broadcast_secret_inner(esk, conn)? else {
175 return Ok(None);
176 };
177 let chat_type: Chattype =
178 conn.query_one("SELECT type FROM chats WHERE id=?", (chat_id,), |row| {
179 row.get(0)
180 })?;
181 let fp: Option<String> = if chat_type == Chattype::OutBroadcast {
182 None
186 } else if chat_type == Chattype::InBroadcast {
187 let contact_id: ContactId = conn
188 .query_one(
189 "SELECT contact_id FROM chats_contacts WHERE chat_id=? AND contact_id>9",
190 (chat_id,),
191 |row| row.get(0),
192 )
193 .context("Find InBroadcast owner")?;
194 let fp = conn
195 .query_one(
196 "SELECT fingerprint FROM contacts WHERE id=?",
197 (contact_id,),
198 |row| row.get(0),
199 )
200 .context("Find owner fingerprint")?;
201 Some(fp)
202 } else {
203 bail!("Chat {chat_id} is not a broadcast but {chat_type}")
204 };
205 Ok(Some((psk, fp)))
206}
207
208fn try_decrypt_with_broadcast_secret_inner(
209 esk: &SymKeyEncryptedSessionKey,
210 conn: &mut rusqlite::Connection,
211) -> Result<Option<(PlainSessionKey, ChatId)>> {
212 let mut stmt = conn.prepare("SELECT secret, chat_id FROM broadcast_secrets")?;
213 let mut rows = stmt.query(())?;
214 while let Some(row) = rows.next()? {
215 let secret: String = row.get(0)?;
216 if let Ok(psk) = decrypt_session_key_with_password(esk, &Password::from(secret)) {
217 let chat_id: ChatId = row.get(1)?;
218 return Ok(Some((psk, chat_id)));
219 }
220 }
221 Ok(None)
222}
223
224fn try_decrypt_with_auth_token(
225 esk: &SymKeyEncryptedSessionKey,
226 conn: &mut rusqlite::Connection,
227 self_fingerprint: &str,
228) -> Result<Option<PlainSessionKey>> {
229 let mut stmt = conn.prepare("SELECT token FROM tokens WHERE namespc=? ORDER BY id DESC")?;
232 let mut rows = stmt.query((Namespace::Auth,))?;
233 while let Some(row) = rows.next()? {
234 let token: String = row.get(0)?;
235 let shared_secret = format!("securejoin/{self_fingerprint}/{token}");
236 if let Ok(psk) = decrypt_session_key_with_password(esk, &Password::from(shared_secret)) {
237 return Ok(Some(psk));
238 }
239 }
240 Ok(None)
241}
242
243pub(crate) fn check_symmetric_encryption(esk: &SymKeyEncryptedSessionKey) -> Result<()> {
253 match esk.s2k() {
254 Some(StringToKey::Salted { .. }) => Ok(()),
255 _ => bail!("unsupported string2key algorithm"),
256 }
257}
258
259pub fn get_encrypted_pgp_message_boxed<'a>(
263 mail: &'a ParsedMail<'a>,
264) -> Result<Option<Box<Message<'static>>>> {
265 let Some(encrypted_data_part) = get_encrypted_mime(mail) else {
266 return Ok(None);
267 };
268 let data = encrypted_data_part.get_body_raw()?;
269 let cursor = Cursor::new(data);
270 let (msg, _headers) = Message::from_armor(cursor)?;
271 Ok(Some(Box::new(msg)))
272}
273
274pub fn get_encrypted_mime<'a, 'b>(mail: &'a ParsedMail<'b>) -> Option<&'a ParsedMail<'b>> {
276 get_autocrypt_mime(mail)
277 .or_else(|| get_mixed_up_mime(mail))
278 .or_else(|| get_attachment_mime(mail))
279}
280
281fn get_mixed_up_mime<'a, 'b>(mail: &'a ParsedMail<'b>) -> Option<&'a ParsedMail<'b>> {
299 if mail.ctype.mimetype != "multipart/mixed" {
300 return None;
301 }
302 if let [first_part, second_part, third_part] = &mail.subparts[..] {
303 if first_part.ctype.mimetype == "text/plain"
304 && second_part.ctype.mimetype == "application/pgp-encrypted"
305 && third_part.ctype.mimetype == "application/octet-stream"
306 {
307 Some(third_part)
308 } else {
309 None
310 }
311 } else {
312 None
313 }
314}
315
316fn get_attachment_mime<'a, 'b>(mail: &'a ParsedMail<'b>) -> Option<&'a ParsedMail<'b>> {
324 if mail.ctype.mimetype != "multipart/mixed" {
325 return None;
326 }
327 if let [first_part, second_part] = &mail.subparts[..] {
328 if first_part.ctype.mimetype == "text/plain"
329 && second_part.ctype.mimetype == "multipart/encrypted"
330 {
331 get_autocrypt_mime(second_part)
332 } else {
333 None
334 }
335 } else {
336 None
337 }
338}
339
340fn get_autocrypt_mime<'a, 'b>(mail: &'a ParsedMail<'b>) -> Option<&'a ParsedMail<'b>> {
344 if mail.ctype.mimetype != "multipart/encrypted" {
345 return None;
346 }
347 if let [first_part, second_part] = &mail.subparts[..] {
348 if first_part.ctype.mimetype == "application/pgp-encrypted"
349 && second_part.ctype.mimetype == "application/octet-stream"
350 {
351 Some(second_part)
352 } else {
353 None
354 }
355 } else {
356 None
357 }
358}
359
360pub(crate) fn validate_detached_signature<'a, 'b>(
367 mail: &'a ParsedMail<'b>,
368 public_keyring_for_validate: &[SignedPublicKey],
369) -> Option<(&'a ParsedMail<'b>, HashSet<Fingerprint>)> {
370 if mail.ctype.mimetype != "multipart/signed" {
371 return None;
372 }
373
374 if let [first_part, second_part] = &mail.subparts[..] {
375 let content = first_part.raw_bytes;
377 let ret_valid_signatures = match second_part.get_body_raw() {
378 Ok(signature) => {
379 crate::pgp::pk_validate(content, &signature, public_keyring_for_validate)
380 .unwrap_or_default()
381 }
382 Err(_) => Default::default(),
383 };
384 Some((first_part, ret_valid_signatures))
385 } else {
386 None
387 }
388}
389
390#[cfg(test)]
391mod tests {
392 use super::*;
393 use crate::receive_imf::receive_imf;
394 use crate::test_utils::TestContext;
395
396 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
397 async fn test_mixed_up_mime() -> Result<()> {
398 let mixed_up_mime = include_bytes!("../test-data/message/protonmail-mixed-up.eml");
402 let mail = mailparse::parse_mail(mixed_up_mime)?;
403 assert!(get_autocrypt_mime(&mail).is_none());
404 assert!(get_mixed_up_mime(&mail).is_some());
405 assert!(get_attachment_mime(&mail).is_none());
406
407 let repaired_mime = include_bytes!("../test-data/message/protonmail-repaired.eml");
413 let mail = mailparse::parse_mail(repaired_mime)?;
414 assert!(get_autocrypt_mime(&mail).is_some());
415 assert!(get_mixed_up_mime(&mail).is_none());
416 assert!(get_attachment_mime(&mail).is_none());
417
418 let attachment_mime = include_bytes!("../test-data/message/google-workspace-mixed-up.eml");
421 let mail = mailparse::parse_mail(attachment_mime)?;
422 assert!(get_autocrypt_mime(&mail).is_none());
423 assert!(get_mixed_up_mime(&mail).is_none());
424 assert!(get_attachment_mime(&mail).is_some());
425
426 let bob = TestContext::new_bob().await;
427 bob.allow_unencrypted().await?;
428 receive_imf(&bob, attachment_mime, false).await?;
429 let msg = bob.get_last_msg().await;
430 assert_eq!(msg.text, "Hello, Bob! – Hello from Thunderbird!");
432
433 Ok(())
434 }
435
436 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
437 async fn test_mixed_up_mime_long() -> Result<()> {
438 let mixed_up_mime = include_bytes!("../test-data/message/mixed-up-long.eml");
441 let bob = TestContext::new_bob().await;
442 bob.allow_unencrypted().await?;
443 receive_imf(&bob, mixed_up_mime, false).await?;
444 let msg = bob.get_last_msg().await;
445 assert!(!msg.get_text().is_empty());
446 assert!(msg.has_html());
447 assert!(msg.id.get_html(&bob).await?.unwrap().len() > 40000);
448 Ok(())
449 }
450}