schleuder 4.0.3 → 5.0.0

data/lib/schleuder/gpgme/key_extractor.rb

@@ -0,0 +1,30 @@
+module GPGME
+  class KeyExtractor
+    # This takes key material and returns those keys from it, that have a UID
+    # matching the given email address, stripped by all other UIDs.
+    def self.extract_by_email_address(email_address, keydata)
+      orig_gnupghome = ENV['GNUPGHOME']
+      ENV['GNUPGHOME'] = Dir.mktmpdir
+      gpg = GPGME::Ctx.new(armor: true)
+      gpg_arg = %{ --import-filter keep-uid='mbox = #{email_address}'}
+      gpg.import_filtered(keydata, gpg_arg)
+      # Return the fingerprint and the exported, filtered keydata, because
+      # passing the key objects around led to strange problems with some keys,
+      # which produced only a blank string as return value of export().
+      result = {}
+      gpg.keys.each do |tmp_key|
+        # Skip this key if it has
+        # * no UID – because none survived the import-filter,
+        # * more than one UID – which means the import-filtering failed or
+        #   something else went wrong during import.
+        if tmp_key.uids.size == 1
+          result[tmp_key.fingerprint] = tmp_key.armored
+        end
+      end
+      result
+    ensure
+      FileUtils.remove_entry(ENV['GNUPGHOME'])
+      ENV['GNUPGHOME'] = orig_gnupghome
+    end
+  end
+end

data/lib/schleuder/http.rb

@@ -0,0 +1,56 @@
+module Schleuder
+  class NetworkError < StandardError; end
+
+  class NotFoundError < StandardError; end
+
+  class Http
+    attr_reader :request, :response
+
+    def initialize(url, options={})
+      @request = Typhoeus::Request.new(url, default_options.merge(options))
+    end
+
+    def run
+      @response = @request.run
+      if @response.success?
+        @response.body
+      elsif @response.timed_out?
+        raise_network_error(response, 'HTTP Request timed out.')
+      elsif @response.code == 404
+        NotFoundError.new
+      elsif @response.code == 0
+        # This happens e.g. if no response could be received.
+        raise_network_error(@response, 'No HTTP response received.')
+      else
+        RuntimeError.new(@response.body.to_s.presence || @response.return_message)
+      end
+    end
+
+    def self.get(url)
+      nth_attempt ||= 1
+      new(url).run
+    rescue NetworkError => error
+      nth_attempt += 1
+      if nth_attempt < 4
+        retry
+      else
+        return error
+      end
+    end
+
+    private
+
+    def raise_network_error(response, fallback_msg)
+      raise NetworkError.new(
+        response.body.to_s.presence || response.return_message || fallback_msg
+      )
+    end
+
+    def default_options
+      {
+        followlocation: true,
+        proxy: Conf.http_proxy.presence
+      }
+    end
+  end
+end

data/lib/schleuder/key_fetcher.rb

@@ -0,0 +1,89 @@
+module Schleuder
+  class KeyFetcher
+    def initialize(list)
+      @list = list
+    end
+
+    def fetch(input, locale_key='key_fetched')
+      result = case input
+               when /^http/
+                 fetch_key_by_url(input)
+               when Conf::EMAIL_REGEXP
+                 fetch_key_from_keyserver('email', input)
+               when Conf::FINGERPRINT_REGEXP
+                 fetch_key_from_keyserver('fingerprint', input)
+               else
+                 return I18n.t('key_fetcher.invalid_input')
+               end
+      interpret_fetch_result(result, locale_key)
+    end
+
+    def fetch_key_by_url(url)
+      case result = Schleuder::Http.get(url)
+      when NotFoundError
+        NotFoundError.new(I18n.t('key_fetcher.url_not_found', url: url))
+      else
+        result
+      end
+    end
+
+    def fetch_key_from_keyserver(type, input)
+      if Conf.vks_keyserver.present?
+        result = Schleuder::VksClient.get(type, input)
+      end
+      if (result.blank? || ! result.is_a?(String)) && Conf.sks_keyserver.present?
+        result = Schleuder::SksClient.get(input)
+      end
+
+      case result
+      when nil
+        RuntimeError.new('No keyserver configured, cannot query anything')
+      when NotFoundError
+        NotFoundError.new(I18n.t('key_fetcher.not_found', input: input))
+      else
+        result
+      end
+    end
+
+    private
+
+    def interpret_fetch_result(result, locale_key)
+      case result
+      when ''
+        I18n.t('key_fetcher.general_error', error: 'Empty response from server')
+      when String
+        import(result, locale_key)
+      when NotFoundError
+        result.to_s
+      when StandardError
+        I18n.t('key_fetcher.general_error', error: result)
+      else
+        raise_unexpected_error(result)
+      end
+    end
+
+    def import(input, locale_key)
+      result = @list.gpg.import_filtered(input)
+      case result
+      when StandardError
+        I18n.t('key_fetcher.import_error', error: result)
+      when Hash
+        translate_output(locale_key, result).join("\n")
+      else
+        raise_unexpected_error(result)
+      end
+    end
+
+    def translate_output(locale_key, import_states)
+      import_states.map do |fingerprint, states|
+        key = @list.gpg.find_distinct_key(fingerprint)
+        I18n.t(locale_key, key_summary: key.summary,
+                           states: states.to_sentence)
+      end
+    end
+
+    def raise_unexpected_error(thing)
+      raise "Unexpected output => #{thing.inspect}"
+    end
+  end
+end

data/lib/schleuder/keyword_handlers/key_management.rb

@@ -15,7 +15,7 @@ module Schleuder
             import_key_from_body
           else
             @list.logger.debug 'Found no attachments and an empty body - sending error message'
-            I18n.t('keyword_handlers.key_management.no_content_found')
+            return I18n.t('keyword_handlers.key_management.no_content_found')
           end
 
         import_stati = results.compact.collect(&:imports).flatten
@@ -125,7 +125,7 @@ module Schleuder
 
       def import_keys_from_attachments
         @mail.attachments.map do |attachment|
-          import_from_string(attachment.body.raw_source)
+          import_from_string(attachment.body.decoded)
         end
       end
 

data/lib/schleuder/keyword_handlers/subscription_management.rb

@@ -22,9 +22,25 @@ module Schleuder
           while @arguments.first.present? && @arguments.first.match(/^(0x)?[a-f0-9]+$/i)
             fingerprint << @arguments.shift.downcase
           end
-          # Use possibly remaining args as flags.
-          adminflag = @arguments.shift.to_s.downcase.presence
-          deliveryflag = @arguments.shift.to_s.downcase.presence
+          # If the collected values aren't a valid fingerprint, then the input
+          # didn't conform with what this code expects, and then the other
+          # values shouldn't be used.
+          unless GPGME::Key.valid_fingerprint?(fingerprint)
+            return I18n.t('keyword_handlers.subscription_management.subscribe_requires_arguments')
+          end
+          if @arguments.present?
+            # Use possibly remaining args as flags.
+            adminflag = @arguments.shift.to_s.downcase.presence
+            unless ['true', 'false'].include?(adminflag)
+              return I18n.t('keyword_handlers.subscription_management.subscribe_requires_arguments')
+            end
+            if @arguments.present?
+              deliveryflag = @arguments.shift.to_s.downcase.presence
+              unless ['true', 'false'].include?(deliveryflag)
+                return I18n.t('keyword_handlers.subscription_management.subscribe_requires_arguments')
+              end
+            end
+          end
         end
 
         sub, _ = @list.subscribe(email, fingerprint, adminflag, deliveryflag)

data/lib/schleuder/list.rb

@@ -4,10 +4,10 @@ module Schleuder
     has_many :subscriptions, dependent: :destroy
     before_destroy :delete_listdirs
 
-    serialize :headers_to_meta, JSON
-    serialize :bounces_drop_on_headers, JSON
-    serialize :keywords_admin_only, JSON
-    serialize :keywords_admin_notify, JSON
+    serialize :headers_to_meta, coder: JSON
+    serialize :bounces_drop_on_headers, coder: JSON
+    serialize :keywords_admin_only, coder: JSON
+    serialize :keywords_admin_notify, coder: JSON
 
     validates :email, presence: true, uniqueness: true, email: true
     validates :fingerprint, presence: true, fingerprint: true
@@ -23,7 +23,8 @@ module Schleuder
         :bounces_notify_admins,
         :include_list_headers,
         :include_openpgp_header,
-        :forward_all_incoming_to_admins, boolean: true
+        :forward_all_incoming_to_admins,
+        :key_auto_import_from_email, boolean: true
     validates_each :headers_to_meta,
         :keywords_admin_only,
         :keywords_admin_notify do |record, attrib, value|
@@ -197,11 +198,26 @@ module Schleuder
     end
 
     def refresh_keys
-      gpg.refresh_keys(self.keys)
+      # reorder keys so the update pattern is random
+      output = self.keys.shuffle.map do |key|
+        # Sleep a short while to make traffic analysis less easy.
+        sleep rand(1.0..5.0)
+        key_fetcher.fetch(key.fingerprint, 'key_updated').presence
+      end
+      # Filter out some "noise" (if a key was unchanged, it wasn't really updated, was it?)
+      # It would be nice to prevent these "false" lines in the first place, but I don't know how.
+      output.reject! do |line|
+        line.match('updated \(unchanged\)')
+      end
+      output.compact.join("\n")
     end
 
     def fetch_keys(input)
-      gpg.fetch_key(input)
+      key_fetcher.fetch(input)
+    end
+
+    def key_fetcher
+      @key_fetcher ||= KeyFetcher.new(self)
     end
 
     def self.by_recipient(recipient)
@@ -350,7 +366,7 @@ module Schleuder
             next
           end
           
-          if ! self.deliver_selfsent && incoming_mail.was_validly_signed? && ( subscription == incoming_mail.signer )
+          if ! self.deliver_selfsent && incoming_mail&.was_validly_signed? && ( subscription == incoming_mail&.signer )
             logger.info "Not sending to #{subscription.email}: delivery of self sent is disabled."
             next
           end
@@ -373,14 +389,14 @@ module Schleuder
     end
 
     def delete_listdirs
-      if File.exists?(self.listdir)
+      if File.exist?(self.listdir)
         FileUtils.rm_rf(self.listdir, secure: true)
         Schleuder.logger.info "Deleted #{self.listdir}"
       end
       # If listlogs_dir is different from lists_dir, the logfile still exists
       # and needs to be deleted, too.
       logfile_dir = File.dirname(self.logfile)
-      if File.exists?(logfile_dir)
+      if File.exist?(logfile_dir)
         FileUtils.rm_rf(logfile_dir, secure: true)
         Schleuder.logger.info "Deleted #{logfile_dir}"
       end

data/lib/schleuder/list_builder.rb

@@ -122,7 +122,7 @@ module Schleuder
     end
 
     def create_or_test_dir(dir)
-      if File.exists?(dir)
+      if File.exist?(dir)
         if ! File.directory?(dir)
           raise Errors::ListdirProblem.new(dir, :not_a_directory)
         end

data/lib/schleuder/logger.rb

@@ -9,7 +9,7 @@ module Schleuder
     def initialize
       super('Schleuder', Syslog::LOG_MAIL)
       # We need some sender-address different from the superadmin-address.
-      @from = "#{Etc.getlogin}@#{Socket.gethostname}"
+      @from = "#{Etc.getlogin}@#{Addrinfo.getaddrinfo(Socket.gethostname, nil).first.getnameinfo.first}"
       @adminaddresses = Conf.superadmin
       @level = ::Logger.const_get(Conf.log_level.upcase)
     end

data/lib/schleuder/mail/gpg/decrypted_part.rb

@@ -0,0 +1,20 @@
+require 'schleuder/mail/gpg/verified_part'
+module Mail
+  module Gpg
+    class DecryptedPart < VerifiedPart
+
+      # options are:
+      #
+      # :verify: decrypt and verify
+      def initialize(cipher_part, options = {})
+        if cipher_part.mime_type != EncryptedPart::CONTENT_TYPE
+          raise EncodingError.new("RFC 3156 incorrect mime type for encrypted part '#{cipher_part.mime_type}'")
+        end
+
+        decrypted = GpgmeHelper.decrypt(cipher_part.body.decoded, options)
+        self.verify_result = decrypted.verify_result if options[:verify]
+        super(decrypted)
+      end
+    end
+  end
+end

data/lib/schleuder/mail/gpg/delivery_handler.rb

@@ -0,0 +1,38 @@
+module Mail
+  module Gpg
+    class DeliveryHandler
+
+      def self.deliver_mail(mail)
+        if mail.gpg
+          encrypted_mail = nil
+          begin
+            options = mail.gpg.is_a?(TrueClass) ? { encrypt: true } : mail.gpg
+            if options[:encrypt]
+              encrypted_mail = Mail::Gpg.encrypt(mail, options)
+            elsif options[:sign] || options[:sign_as]
+              encrypted_mail = Mail::Gpg.sign(mail, options)
+            else
+              # encrypt and sign are off -> do not encrypt or sign
+              yield
+            end
+          rescue StandardError
+            raise $! if mail.raise_encryption_errors
+          end
+          if encrypted_mail
+            if dm = mail.delivery_method
+              encrypted_mail.instance_variable_set :@delivery_method, dm
+            end
+            encrypted_mail.perform_deliveries = mail.perform_deliveries
+            encrypted_mail.raise_delivery_errors = mail.raise_delivery_errors
+            encrypted_mail.deliver
+          end
+        else
+          yield
+        end
+      rescue StandardError
+        raise $! if mail.raise_delivery_errors
+      end
+
+    end
+  end
+end

data/lib/schleuder/mail/gpg/encrypted_part.rb

@@ -1,13 +1,37 @@
-module Mail                                                                                                                                            
-  module Gpg                                                                                                                                           
-    class EncryptedPart < Mail::Part                                                                                                                   
-      alias_method :initialize_mailgpg, :initialize
+module Mail
+  module Gpg
+    class EncryptedPart < Mail::Part
 
+      CONTENT_TYPE = 'application/octet-stream'
+
+      # options are:
+      #
+      # :signers : sign using this key (give the corresponding email address)
+      # :password: passphrase for the signing key
+      # :recipients : array of receiver addresses
+      # :keys : A hash mapping recipient email addresses to public keys or public
+      # key ids. Imports any keys given here that are not already part of the
+      # local keychain before sending the mail. If this option is given, strictly
+      # only the key material from this hash is used, ignoring any keys for
+      # recipients that might have been added to the local key chain but are
+      # not mentioned here.
+      # :always_trust : send encrypted mail to untrusted receivers, true by default
+      # :filename : define a custom name for the encrypted file attachment
       def initialize(cleartext_mail, options = {})
         if cleartext_mail.protected_headers_subject
           cleartext_mail.content_type_parameters['protected-headers'] = 'v1'                                                                       
         end
-        initialize_mailgpg(cleartext_mail, options)
+
+        options = { always_trust: true }.merge options
+
+        encrypted = GpgmeHelper.encrypt(cleartext_mail.encoded, options)
+        super() do
+          body encrypted.to_s
+          filename = options[:filename] || 'encrypted.asc'
+          content_type "#{CONTENT_TYPE}; name=\"#{filename}\""
+          content_disposition "inline; filename=\"#{filename}\""
+          content_description 'OpenPGP encrypted message'
+        end
       end
     end
   end

data/lib/schleuder/mail/gpg/gpgme_ext.rb

@@ -0,0 +1,8 @@
+require 'schleuder/mail/gpg/verify_result_attribute'
+
+# extend GPGME::Data with an attribute to hold the result of signature
+# verifications
+class GPGME::Data
+  include Mail::Gpg::VerifyResultAttribute
+end
+

data/lib/schleuder/mail/gpg/gpgme_helper.rb

@@ -0,0 +1,155 @@
+require 'schleuder/mail/gpg/gpgme_ext'
+
+# GPGME methods for encryption/decryption/signing
+module Mail
+  module Gpg
+    class GpgmeHelper
+
+      def self.encrypt(plain, options = {})
+        options = options.merge({armor: true})
+
+        plain_data  = GPGME::Data.new(plain)
+        cipher_data = GPGME::Data.new(options[:output])
+
+        recipient_keys = keys_for_data options[:recipients], options.delete(:keys)
+
+        if recipient_keys.empty?
+          raise MissingKeysError.new('No keys to encrypt to!')
+        end
+
+        flags = 0
+        flags |= GPGME::ENCRYPT_ALWAYS_TRUST if options[:always_trust]
+
+        GPGME::Ctx.new(options) do |ctx|
+          begin
+            if options[:sign]
+              if options[:signers] && options[:signers].size > 0
+                signers = GPGME::Key.find(:secret, options[:signers], :sign)
+                ctx.add_signer(*signers)
+              end
+              ctx.encrypt_sign(recipient_keys, plain_data, cipher_data, flags)
+            else
+              ctx.encrypt(recipient_keys, plain_data, cipher_data, flags)
+            end
+          rescue GPGME::Error::UnusablePublicKey => exc
+            exc.keys = ctx.encrypt_result.invalid_recipients
+            raise exc
+          rescue GPGME::Error::UnusableSecretKey => exc
+            exc.keys = ctx.sign_result.invalid_signers
+            raise exc
+          end
+        end
+
+        cipher_data.seek(0)
+        cipher_data
+      end
+
+      def self.decrypt(cipher, options = {})
+        cipher_data = GPGME::Data.new(cipher)
+        plain_data  = GPGME::Data.new(options[:output])
+
+        GPGME::Ctx.new(options) do |ctx|
+          begin
+            if options[:verify]
+              ctx.decrypt_verify(cipher_data, plain_data)
+              plain_data.verify_result = ctx.verify_result
+            else
+              ctx.decrypt(cipher_data, plain_data)
+            end
+          rescue GPGME::Error::UnsupportedAlgorithm => exc
+            exc.algorithm = ctx.decrypt_result.unsupported_algorithm
+            raise exc
+          rescue GPGME::Error::WrongKeyUsage => exc
+            exc.key_usage = ctx.decrypt_result.wrong_key_usage
+            raise exc
+          end
+        end
+
+        plain_data.seek(0)
+        plain_data
+      end
+
+      def self.sign(plain, options = {})
+        options.merge!({
+          armor: true,
+          signer: options.delete(:sign_as),
+          mode: GPGME::SIG_MODE_DETACH
+        })
+        crypto = GPGME::Crypto.new
+        crypto.sign GPGME::Data.new(plain), options
+      end
+
+      # returns [success(bool), VerifyResult(from gpgme)]
+      # success will be true when there is at least one sig and no invalid sig
+      def self.sign_verify(plain, signature, options = {})
+        signed_data = GPGME::Data.new(plain)
+        signature = GPGME::Data.new(signature)
+
+        success = verify_result = nil
+        GPGME::Ctx.new(options) do |ctx|
+          ctx.verify signature, signed_data, nil
+          verify_result = ctx.verify_result
+          signatures = verify_result.signatures
+          success = signatures &&
+            signatures.size > 0 &&
+            signatures.detect{|s| !s.valid? }.nil?
+        end
+        return [success, verify_result]
+      end
+
+      def self.inline_verify(signed_text, options = {})
+        signed_data = GPGME::Data.new(signed_text)
+        success = verify_result = nil
+        GPGME::Ctx.new(options) do |ctx|
+          ctx.verify signed_data, nil
+          verify_result = ctx.verify_result
+          signatures = verify_result.signatures
+          success = signatures &&
+            signatures.size > 0 &&
+            signatures.detect{|s| !s.valid? }.nil?
+        end
+        return [success, verify_result]
+      end
+
+      # normalizes the list of recipients' emails, key ids and key data to a
+      # list of Key objects
+      #
+      # if key_data is given, _only_ key material from there is used,
+      # and eventually already imported keys in the keychain are ignored.
+      def self.keys_for_data(emails_or_shas_or_keys, key_data = nil)
+        if key_data
+          # in this case, emails_or_shas_or_keys is supposed to be the list of
+          # recipients, and key_data the key material to be used.
+          # We now map these to whatever we find in key_data for each of these
+          # addresses.
+          [emails_or_shas_or_keys].flatten.map do |r|
+            k = key_data[r]
+            key_id = case k
+                     when GPGME::Key
+                       # assuming this is already imported
+                       k.fingerprint
+                     when nil, ''
+                       # nothing
+                       nil
+                     when /-----BEGIN PGP/
+                       # ASCII key data
+                       GPGME::Key.import(k).imports.map(&:fpr)
+                     else
+                       # key id or fingerprint
+                       k
+                     end
+            unless key_id.nil? || key_id.empty?
+              GPGME::Key.find(:public, key_id, :encrypt)
+            end
+          end.flatten.compact
+        elsif emails_or_shas_or_keys && (emails_or_shas_or_keys.size > 0)
+          # key lookup in keychain for all receivers
+          GPGME::Key.find :public, emails_or_shas_or_keys, :encrypt
+        else
+          # empty array given
+          []
+        end
+      end
+    end
+  end
+end

data/lib/schleuder/mail/gpg/inline_decrypted_message.rb

@@ -0,0 +1,82 @@
+require 'schleuder/mail/gpg/verified_part'
+
+# decryption of the so called 'PGP-Inline' message types
+# this is not a standard, so the implementation is based on the notes
+# here http://binblog.info/2008/03/12/know-your-pgp-implementation/
+# and on test messages generated with the Mozilla Enigmail OpenPGP
+# plugin https://www.enigmail.net
+module Mail
+  module Gpg
+    class InlineDecryptedMessage < Mail::Message
+
+      # options are:
+      #
+      # :verify: decrypt and verify
+      def self.setup(cipher_mail, options = {})
+        if cipher_mail.multipart?
+          self.new do
+            Mail::Gpg.copy_headers cipher_mail, self
+
+            # Drop the HTML-part of a multipart/alternative-message if it is
+            # inline-encrypted: that ciphertext is probably wrapped in HTML,
+            # which GnuPG chokes upon, so we would have to parse the HTML to
+            # handle the message-part properly.
+            # Also it's not clear how to handle the resulting plain-text: is
+            # it HTML or simple text?  That depends on the sending MUA and
+            # the original input.
+            # In summary, that's too much complications.
+            if cipher_mail.mime_type == 'multipart/alternative' &&
+                cipher_mail.html_part.present? &&
+                cipher_mail.html_part.body.decoded.include?('-----BEGIN PGP MESSAGE-----')
+              cipher_mail.parts.delete_if do |part|
+                part[:content_type].content_type == 'text/html'
+              end
+              # Set the content-type of the newly generated message to
+              # something less confusing.
+              content_type 'multipart/mixed'
+              # Leave a marker for other code.
+              header['X-MailGpg-Deleted-Html-Part'] = 'true'
+            end
+
+            cipher_mail.parts.each do |part|
+              p = VerifiedPart.new do |p|
+                if part.has_content_type? && /application\/(?:octet-stream|pgp-encrypted)/ =~ part.mime_type
+                  # encrypted attachment, we set the content_type to the generic 'application/octet-stream'
+                  # and remove the .pgp/gpg/asc from name/filename in header fields
+                  decrypted = GpgmeHelper.decrypt(part.decoded, options)
+                  p.verify_result decrypted.verify_result if options[:verify]
+                  p.content_type part.content_type.sub(/application\/(?:octet-stream|pgp-encrypted)/, 'application/octet-stream')
+                                     .sub(/name=(?:"')?(.*)\.(?:pgp|gpg|asc)(?:"')?/, 'name="\1"')
+                  p.content_disposition part.content_disposition.sub(/filename=(?:"')?(.*)\.(?:pgp|gpg|asc)(?:"')?/, 'filename="\1"')
+                  p.content_transfer_encoding Mail::Encodings::Base64
+                  p.body Mail::Encodings::Base64.encode(decrypted.to_s)
+                else
+                  body = part.body.decoded
+                  if body.include?('-----BEGIN PGP MESSAGE-----')
+                    decrypted = GpgmeHelper.decrypt(body, options)
+                    p.verify_result decrypted.verify_result if options[:verify]
+                    p.body decrypted.to_s
+                  else
+                    p.content_type part.content_type
+                    p.content_transfer_encoding part.content_transfer_encoding
+                    p.body part.body.to_s
+                  end
+                end
+              end
+              add_part p
+            end
+          end
+        else
+          decrypted = cipher_mail.body.empty? ? '' : GpgmeHelper.decrypt(cipher_mail.body.decoded, options)
+          self.new do
+            cipher_mail.header.fields.each do |field|
+              header[field.name] = field.value
+            end
+            body decrypted.to_s
+            verify_result decrypted.verify_result if options[:verify] && decrypted != ''
+          end
+        end
+      end
+    end
+  end
+end