Skip to main content

deltachat/
decrypt.rs

1//! Helper functions for decryption.
2//! The actual decryption is done in the [`crate::pgp`] module.
3
4use std::collections::HashSet;
5use std::io::Cursor;
6
7use anyhow::{Context as _, Result, bail};
8use mailparse::ParsedMail;
9use pgp::composed::DecryptionOptions;
10use pgp::composed::Esk;
11use pgp::composed::Message;
12use pgp::composed::PlainSessionKey;
13use pgp::composed::SignedSecretKey;
14use pgp::composed::TheRing;
15use pgp::composed::decrypt_session_key_with_password;
16use pgp::packet::SymKeyEncryptedSessionKey;
17use pgp::types::Password;
18use pgp::types::Seipdv1ReadMode;
19use pgp::types::StringToKey;
20
21use crate::chat::ChatId;
22use crate::constants::Chattype;
23use crate::contact::ContactId;
24use crate::context::Context;
25use crate::key::self_fingerprint;
26use crate::key::{Fingerprint, SignedPublicKey, load_self_secret_keyring};
27use crate::token::Namespace;
28
29/// Tries to decrypt the message,
30/// returning a tuple of `(decrypted message, fingerprint)`.
31///
32/// If the message wasn't encrypted, returns `Ok(None)`.
33///
34/// If the message was asymmetrically encrypted, returns `Ok((decrypted message, None))`.
35///
36/// If the message was symmetrically encrypted, returns `Ok((decrypted message, Some(fingerprint)))`,
37/// where `fingerprint` denotes which contact is allowed to send encrypted with this symmetric secret.
38/// If the message is not signed by `fingerprint`, it must be dropped.
39///
40/// Otherwise, Eve could send a message to Alice
41/// encrypted with the symmetric secret of someone else's broadcast channel.
42/// If Alice sends an answer (or read receipt),
43/// then Eve would know that Alice is in the broadcast channel.
44pub(crate) async fn decrypt(
45    context: &Context,
46    mail: &mailparse::ParsedMail<'_>,
47) -> Result<Option<(Message<'static>, Option<String>)>> {
48    // `pgp::composed::Message` is huge (>4kb), so, make sure that it is in a Box when held over an await point
49    let Some(msg) = get_encrypted_pgp_message_boxed(mail)? else {
50        return Ok(None);
51    };
52    let expected_sender_fingerprint: Option<String>;
53
54    let abort_early = true;
55
56    // Use streaming mode for SEIPDv1 decryption to save memory.
57    // This was the default in rPGP 0.19.0
58    // and requires explicitly changing the mode in rPGP 0.20.0.
59    // SEPIDv2 is decrypted in streaming mode in any case.
60    let decrypt_options =
61        DecryptionOptions::new().set_seipdv1_read_mode(Seipdv1ReadMode::Streaming);
62
63    let plain = if let Message::Encrypted { esk, .. } = &*msg
64        // We only allow one ESK for symmetrically encrypted messages
65        // to avoid dealing with messages that are encrypted to multiple symmetric keys
66        // or a mix of symmetric and asymmetric keys:
67        && let [Esk::SymKeyEncryptedSessionKey(esk)] = &esk[..]
68    {
69        check_symmetric_encryption(esk)?;
70        let (psk, fingerprint) = decrypt_session_key_symmetrically(context, esk)
71            .await
72            .context("decrypt_session_key_symmetrically")?;
73        expected_sender_fingerprint = fingerprint;
74
75        tokio::task::spawn_blocking(move || -> Result<Message<'_>> {
76            let ring = TheRing {
77                session_keys: vec![psk],
78                decrypt_options,
79                ..Default::default()
80            };
81
82            let (plain, _ring_result) = msg
83                .decrypt_the_ring(ring, abort_early)
84                .context("decrypt_the_ring")?;
85
86            let plain: Message<'static> = plain.decompress()?;
87            Ok(plain)
88        })
89        .await??
90    } else {
91        // Message is asymmetrically encrypted
92        let secret_keys: Vec<SignedSecretKey> = load_self_secret_keyring(context).await?;
93        expected_sender_fingerprint = None;
94
95        tokio::task::spawn_blocking(move || -> Result<Message<'_>> {
96            let secret_keys: Vec<&SignedSecretKey> = secret_keys.iter().collect();
97            let ring = TheRing {
98                secret_keys,
99                decrypt_options,
100                ..Default::default()
101            };
102            let (plain, _ring_result) = msg
103                .decrypt_the_ring(ring, abort_early)
104                .context("decrypt_the_ring")?;
105
106            let plain: Message<'static> = plain.decompress()?;
107            Ok(plain)
108        })
109        .await??
110    };
111
112    Ok(Some((plain, expected_sender_fingerprint)))
113}
114
115async fn decrypt_session_key_symmetrically(
116    context: &Context,
117    esk: &SymKeyEncryptedSessionKey,
118) -> Result<(PlainSessionKey, Option<String>)> {
119    let self_fp = self_fingerprint(context).await?;
120    let query_only = true;
121    context
122        .sql
123        .call(query_only, |conn| {
124            // First, try decrypting using AUTH tokens from scanned QR codes, stored in the bobstate,
125            // because usually there will only be 1 or 2 of it, so, it should be fast
126            let res: Option<(PlainSessionKey, String)> = try_decrypt_with_bobstate(esk, conn)?;
127            if let Some((plain_session_key, fingerprint)) = res {
128                return Ok((plain_session_key, Some(fingerprint)));
129            }
130
131            // Then, try decrypting using broadcast secrets
132            let res: Option<(PlainSessionKey, Option<String>)> =
133                try_decrypt_with_broadcast_secret(esk, conn)?;
134            if let Some((plain_session_key, fingerprint)) = res {
135                return Ok((plain_session_key, fingerprint));
136            }
137
138            // Finally, try decrypting using own AUTH tokens
139            // There can be a lot of AUTH tokens,
140            // because a new one is generated every time a QR code is shown
141            let res: Option<PlainSessionKey> = try_decrypt_with_auth_token(esk, conn, self_fp)?;
142            if let Some(plain_session_key) = res {
143                return Ok((plain_session_key, None));
144            }
145
146            bail!("Could not find symmetric secret for session key")
147        })
148        .await
149}
150
151fn try_decrypt_with_bobstate(
152    esk: &SymKeyEncryptedSessionKey,
153    conn: &mut rusqlite::Connection,
154) -> Result<Option<(PlainSessionKey, String)>> {
155    let mut stmt = conn.prepare("SELECT invite FROM bobstate")?;
156    let mut rows = stmt.query(())?;
157    while let Some(row) = rows.next()? {
158        let invite: crate::securejoin::QrInvite = row.get(0)?;
159        let authcode = invite.authcode().to_string();
160        let alice_fp = invite.fingerprint().hex();
161        let shared_secret = format!("securejoin/{alice_fp}/{authcode}");
162        if let Ok(psk) = decrypt_session_key_with_password(esk, &Password::from(shared_secret)) {
163            let fingerprint = invite.fingerprint().hex();
164            return Ok(Some((psk, fingerprint)));
165        }
166    }
167    Ok(None)
168}
169
170fn try_decrypt_with_broadcast_secret(
171    esk: &SymKeyEncryptedSessionKey,
172    conn: &mut rusqlite::Connection,
173) -> Result<Option<(PlainSessionKey, Option<String>)>> {
174    let Some((psk, chat_id)) = try_decrypt_with_broadcast_secret_inner(esk, conn)? else {
175        return Ok(None);
176    };
177    let chat_type: Chattype =
178        conn.query_one("SELECT type FROM chats WHERE id=?", (chat_id,), |row| {
179            row.get(0)
180        })?;
181    let fp: Option<String> = if chat_type == Chattype::OutBroadcast {
182        // An attacker who knows the secret will also know who owns it,
183        // and it's easiest code-wise to just return None here.
184        // But we could alternatively return the self fingerprint here
185        None
186    } else if chat_type == Chattype::InBroadcast {
187        let contact_id: ContactId = conn
188            .query_one(
189                "SELECT contact_id FROM chats_contacts WHERE chat_id=? AND contact_id>9",
190                (chat_id,),
191                |row| row.get(0),
192            )
193            .context("Find InBroadcast owner")?;
194        let fp = conn
195            .query_one(
196                "SELECT fingerprint FROM contacts WHERE id=?",
197                (contact_id,),
198                |row| row.get(0),
199            )
200            .context("Find owner fingerprint")?;
201        Some(fp)
202    } else {
203        bail!("Chat {chat_id} is not a broadcast but {chat_type}")
204    };
205    Ok(Some((psk, fp)))
206}
207
208fn try_decrypt_with_broadcast_secret_inner(
209    esk: &SymKeyEncryptedSessionKey,
210    conn: &mut rusqlite::Connection,
211) -> Result<Option<(PlainSessionKey, ChatId)>> {
212    let mut stmt = conn.prepare("SELECT secret, chat_id FROM broadcast_secrets")?;
213    let mut rows = stmt.query(())?;
214    while let Some(row) = rows.next()? {
215        let secret: String = row.get(0)?;
216        if let Ok(psk) = decrypt_session_key_with_password(esk, &Password::from(secret)) {
217            let chat_id: ChatId = row.get(1)?;
218            return Ok(Some((psk, chat_id)));
219        }
220    }
221    Ok(None)
222}
223
224fn try_decrypt_with_auth_token(
225    esk: &SymKeyEncryptedSessionKey,
226    conn: &mut rusqlite::Connection,
227    self_fingerprint: &str,
228) -> Result<Option<PlainSessionKey>> {
229    // ORDER BY id DESC to query the most-recently saved tokens are returned first.
230    // This improves performance when Bob scans a QR code that was just created.
231    let mut stmt = conn.prepare("SELECT token FROM tokens WHERE namespc=? ORDER BY id DESC")?;
232    let mut rows = stmt.query((Namespace::Auth,))?;
233    while let Some(row) = rows.next()? {
234        let token: String = row.get(0)?;
235        let shared_secret = format!("securejoin/{self_fingerprint}/{token}");
236        if let Ok(psk) = decrypt_session_key_with_password(esk, &Password::from(shared_secret)) {
237            return Ok(Some(psk));
238        }
239    }
240    Ok(None)
241}
242
243/// Returns Ok(()) if we want to try symmetrically decrypting the message,
244/// and Err with a reason if symmetric decryption should not be tried.
245///
246/// A DoS attacker could send a message with a lot of encrypted session keys,
247/// all of which use a very hard-to-compute string2key algorithm.
248/// We would then try to decrypt all of the encrypted session keys
249/// with all of the known shared secrets.
250/// In order to prevent this, we do not try to symmetrically decrypt messages
251/// that use a string2key algorithm other than 'Salted'.
252pub(crate) fn check_symmetric_encryption(esk: &SymKeyEncryptedSessionKey) -> Result<()> {
253    match esk.s2k() {
254        Some(StringToKey::Salted { .. }) => Ok(()),
255        _ => bail!("unsupported string2key algorithm"),
256    }
257}
258
259/// Turns a [`ParsedMail`] into [`pgp::composed::Message`].
260/// [`pgp::composed::Message`] is huge (over 4kb),
261/// so, it is put on the heap using [`Box`].
262pub fn get_encrypted_pgp_message_boxed<'a>(
263    mail: &'a ParsedMail<'a>,
264) -> Result<Option<Box<Message<'static>>>> {
265    let Some(encrypted_data_part) = get_encrypted_mime(mail) else {
266        return Ok(None);
267    };
268    let data = encrypted_data_part.get_body_raw()?;
269    let cursor = Cursor::new(data);
270    let (msg, _headers) = Message::from_armor(cursor)?;
271    Ok(Some(Box::new(msg)))
272}
273
274/// Returns a reference to the encrypted payload of a message.
275pub fn get_encrypted_mime<'a, 'b>(mail: &'a ParsedMail<'b>) -> Option<&'a ParsedMail<'b>> {
276    get_autocrypt_mime(mail)
277        .or_else(|| get_mixed_up_mime(mail))
278        .or_else(|| get_attachment_mime(mail))
279}
280
281/// Returns a reference to the encrypted payload of a ["Mixed
282/// Up"][pgpmime-message-mangling] message.
283///
284/// According to [RFC 3156] encrypted messages should have
285/// `multipart/encrypted` MIME type and two parts, but Microsoft
286/// Exchange and ProtonMail IMAP/SMTP Bridge are known to mangle this
287/// structure by changing the type to `multipart/mixed` and prepending
288/// an empty part at the start.
289///
290/// ProtonMail IMAP/SMTP Bridge prepends a part literally saying
291/// "Empty Message", so we don't check its contents at all, checking
292/// only for `text/plain` type.
293///
294/// Returns `None` if the message is not a "Mixed Up" message.
295///
296/// [RFC 3156]: https://www.rfc-editor.org/info/rfc3156
297/// [pgpmime-message-mangling]: https://tools.ietf.org/id/draft-dkg-openpgp-pgpmime-message-mangling-00.html
298fn get_mixed_up_mime<'a, 'b>(mail: &'a ParsedMail<'b>) -> Option<&'a ParsedMail<'b>> {
299    if mail.ctype.mimetype != "multipart/mixed" {
300        return None;
301    }
302    if let [first_part, second_part, third_part] = &mail.subparts[..] {
303        if first_part.ctype.mimetype == "text/plain"
304            && second_part.ctype.mimetype == "application/pgp-encrypted"
305            && third_part.ctype.mimetype == "application/octet-stream"
306        {
307            Some(third_part)
308        } else {
309            None
310        }
311    } else {
312        None
313    }
314}
315
316/// Returns a reference to the encrypted payload of a message turned into attachment.
317///
318/// Google Workspace has an option "Append footer" which appends standard footer defined
319/// by administrator to all outgoing messages. However, there is no plain text part in
320/// encrypted messages sent by Delta Chat, so Google Workspace turns the message into
321/// multipart/mixed MIME, where the first part is an empty plaintext part with a footer
322/// and the second part is the original encrypted message.
323fn get_attachment_mime<'a, 'b>(mail: &'a ParsedMail<'b>) -> Option<&'a ParsedMail<'b>> {
324    if mail.ctype.mimetype != "multipart/mixed" {
325        return None;
326    }
327    if let [first_part, second_part] = &mail.subparts[..] {
328        if first_part.ctype.mimetype == "text/plain"
329            && second_part.ctype.mimetype == "multipart/encrypted"
330        {
331            get_autocrypt_mime(second_part)
332        } else {
333            None
334        }
335    } else {
336        None
337    }
338}
339
340/// Returns a reference to the encrypted payload of a valid PGP/MIME message.
341///
342/// Returns `None` if the message is not a valid PGP/MIME message.
343fn get_autocrypt_mime<'a, 'b>(mail: &'a ParsedMail<'b>) -> Option<&'a ParsedMail<'b>> {
344    if mail.ctype.mimetype != "multipart/encrypted" {
345        return None;
346    }
347    if let [first_part, second_part] = &mail.subparts[..] {
348        if first_part.ctype.mimetype == "application/pgp-encrypted"
349            && second_part.ctype.mimetype == "application/octet-stream"
350        {
351            Some(second_part)
352        } else {
353            None
354        }
355    } else {
356        None
357    }
358}
359
360/// Validates signatures of Multipart/Signed message part, as defined in RFC 1847.
361///
362/// Returns the signed part and the set of key
363/// fingerprints for which there is a valid signature.
364///
365/// Returns None if the message is not Multipart/Signed or doesn't contain necessary parts.
366pub(crate) fn validate_detached_signature<'a, 'b>(
367    mail: &'a ParsedMail<'b>,
368    public_keyring_for_validate: &[SignedPublicKey],
369) -> Option<(&'a ParsedMail<'b>, HashSet<Fingerprint>)> {
370    if mail.ctype.mimetype != "multipart/signed" {
371        return None;
372    }
373
374    if let [first_part, second_part] = &mail.subparts[..] {
375        // First part is the content, second part is the signature.
376        let content = first_part.raw_bytes;
377        let ret_valid_signatures = match second_part.get_body_raw() {
378            Ok(signature) => {
379                crate::pgp::pk_validate(content, &signature, public_keyring_for_validate)
380                    .unwrap_or_default()
381            }
382            Err(_) => Default::default(),
383        };
384        Some((first_part, ret_valid_signatures))
385    } else {
386        None
387    }
388}
389
390#[cfg(test)]
391mod tests {
392    use super::*;
393    use crate::receive_imf::receive_imf;
394    use crate::test_utils::TestContext;
395
396    #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
397    async fn test_mixed_up_mime() -> Result<()> {
398        // "Mixed Up" mail as received when sending an encrypted
399        // message using Delta Chat Desktop via ProtonMail IMAP/SMTP
400        // Bridge.
401        let mixed_up_mime = include_bytes!("../test-data/message/protonmail-mixed-up.eml");
402        let mail = mailparse::parse_mail(mixed_up_mime)?;
403        assert!(get_autocrypt_mime(&mail).is_none());
404        assert!(get_mixed_up_mime(&mail).is_some());
405        assert!(get_attachment_mime(&mail).is_none());
406
407        // Same "Mixed Up" mail repaired by Thunderbird 78.9.0.
408        //
409        // It added `X-Enigmail-Info: Fixed broken PGP/MIME message`
410        // header although the repairing is done by the built-in
411        // OpenPGP support, not Enigmail.
412        let repaired_mime = include_bytes!("../test-data/message/protonmail-repaired.eml");
413        let mail = mailparse::parse_mail(repaired_mime)?;
414        assert!(get_autocrypt_mime(&mail).is_some());
415        assert!(get_mixed_up_mime(&mail).is_none());
416        assert!(get_attachment_mime(&mail).is_none());
417
418        // Another form of "Mixed Up" mail created by Google Workspace,
419        // where original message is turned into attachment to empty plaintext message.
420        let attachment_mime = include_bytes!("../test-data/message/google-workspace-mixed-up.eml");
421        let mail = mailparse::parse_mail(attachment_mime)?;
422        assert!(get_autocrypt_mime(&mail).is_none());
423        assert!(get_mixed_up_mime(&mail).is_none());
424        assert!(get_attachment_mime(&mail).is_some());
425
426        let bob = TestContext::new_bob().await;
427        bob.allow_unencrypted().await?;
428        receive_imf(&bob, attachment_mime, false).await?;
429        let msg = bob.get_last_msg().await;
430        // Subject should be prepended because the attachment doesn't have "Chat-Version".
431        assert_eq!(msg.text, "Hello, Bob! – Hello from Thunderbird!");
432
433        Ok(())
434    }
435
436    #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
437    async fn test_mixed_up_mime_long() -> Result<()> {
438        // Long "mixed-up" mail as received when sending an encrypted message using Delta Chat
439        // Desktop via MS Exchange (actually made with TB though).
440        let mixed_up_mime = include_bytes!("../test-data/message/mixed-up-long.eml");
441        let bob = TestContext::new_bob().await;
442        bob.allow_unencrypted().await?;
443        receive_imf(&bob, mixed_up_mime, false).await?;
444        let msg = bob.get_last_msg().await;
445        assert!(!msg.get_text().is_empty());
446        assert!(msg.has_html());
447        assert!(msg.id.get_html(&bob).await?.unwrap().len() > 40000);
448        Ok(())
449    }
450}