3 SourceCodeAnalysis
pfm edited this page 2021-04-30 19:14:21 +00:00

This page collects information relevant or useful while porting GPG Lacre to Python 3.x.

General remarks

  • There are no unit tests. We'll need them more than anything to be confident we aren't breaking anything while modernising the software.
  • Code isn't documented very well.
  • Installation is a manual process. This is error-prone and not very user-friendly, so we should consider providing tools to automate or semi-automate the process.
  • According to the README, a workaround is necessary: gpg-mailgate is expected to run as, and its files to be owned by, nobody:nogroup. A dedicated system user would be a better option: nobody is shared with other unprivileged services on the host, so anything else running as that user can read the GPG home directory and the private keys in it.
  • Installation instructions (section about GPG Mailgate installation) recommend adding the following lines to master.cf, while the Postfix FILTER_README example names the service filter rather than gpg-mailgate. The service name itself is arbitrary, but it must match the transport named in the content_filter setting in main.cf:
        gpg-mailgate    unix    -   n   n   -   -   pipe
            flags= user=nobody argv=/usr/local/bin/gpg-mailgate.py ${recipient}
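The same master.cf entry with a dedicated service user, together with the main.cf setting that points Postfix at it. This is an added example, not the project's installation instructions: the user name gpg-mailgate, its home directory and the ownership of the GPG home are assumptions, and re-injection of the filtered message back into Postfix is outside this fragment.

```text
# /etc/postfix/master.cf
# service       type  private unpriv chroot wakeup maxproc command + args
gpg-mailgate    unix  -       n      n      -      -       pipe
    flags= user=gpg-mailgate argv=/usr/local/bin/gpg-mailgate.py ${recipient}

# /etc/postfix/main.cf
# The transport name before the colon must match the master.cf service
# name above; the pipe transport does not use the nexthop after the
# colon, so FILTER_README's placeholder "dummy" is kept here.
content_filter = gpg-mailgate:dummy

# Assumed layout (not from the project docs): the GPG home directory is
# owned by the service user only, so nothing else on the host can read it.
#   /var/lib/gpg-mailgate/.gnupg   owner gpg-mailgate:gpg-mailgate, mode 0700
```

Postfix only expands ${recipient} for the pipe transport, so the script still receives each recipient as a separate argument exactly as in the original entry; the only behavioural change is the identity the process runs under.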

gpg-mailgate.py

The core of this Postfix content filter, performing the actual encryption of incoming messages.

  • It's a large script that is executed directly for every message. CPython caches compiled bytecode (.pyc files) only for imported modules, not for the script named on the command line, so the whole file is re-parsed and re-compiled on each delivery; moving the bulk of the code into a module would get that caching for free.
  • Most (if not all) functions defined here could be moved to a dedicated module and imported, leaving a thin entry point that also becomes testable.
  • The custom log function could (and probably should) be replaced with the built-in logging module.

GnuPG

A Python module wrapping calls to the /usr/bin/gpg binary.

  • Spawns a new operating system process every time an operation needs to be performed.
  • Using an external package could be an option, e.g. python-gnupg (imported as gnupg), which also drives the gpg binary through subprocesses but already handles argument passing and status parsing.
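Whatever wrapper ends up in the port, the process it spawns should be started without a shell, in batch mode, with an explicit home directory and a timeout, and success should be read from gpg's machine-readable status lines rather than from its human-readable output. The following is an added example of such a wrapper, not the project's GnuPG module: the gpg options used are standard GnuPG flags, the INV_RECP and END_ENCRYPTION keywords are documented in GnuPG's DETAILS file, and the fake runner and its status output are constructed by hand so the example runs without gpg installed.

```python
# Added example: a hardened gpg subprocess wrapper with status-fd parsing.
# Not code from GPG Lacre / gpg-mailgate. The fake_gpg_run() stand-in and
# the status output it returns are constructed for the demo.
import subprocess
from typing import Callable, Dict, List, Tuple

STATUS_PREFIX = "[GNUPG:] "


def parse_status(stderr_text: str) -> List[Tuple[str, List[str]]]:
    """Extract (keyword, args) pairs from gpg --status-fd output.

    With the status fd pointed at 2, status lines are interleaved with
    human-readable diagnostics, so only lines carrying the prefix count.
    """
    events = []
    for line in stderr_text.splitlines():
        if line.startswith(STATUS_PREFIX):
            parts = line[len(STATUS_PREFIX):].split()
            if parts:
                events.append((parts[0], parts[1:]))
    return events


def encrypt(plaintext: bytes, recipients: List[str], gpg_home: str,
            run: Callable = subprocess.run, timeout: int = 60) -> Dict:
    """Encrypt plaintext to the given key IDs / fingerprints with gpg.

    One gpg process per call (as the project's module does), but: argv
    list instead of a shell string, explicit --homedir, --batch/--no-tty
    so it can never block on a prompt, a timeout, and the status fd as
    the source of truth for success.
    """
    if not recipients:
        raise ValueError("at least one recipient is required")
    argv = ["gpg", "--batch", "--no-tty", "--homedir", gpg_home,
            "--status-fd", "2", "--trust-model", "always",
            "--armor", "--encrypt"]
    for rcpt in recipients:
        argv += ["--recipient", rcpt]
    proc = run(argv, input=plaintext, capture_output=True, timeout=timeout)
    events = parse_status(proc.stderr.decode("utf-8", "replace"))
    keywords = {kw for kw, _ in events}
    # INV_RECP <reason> <recipient>: a recipient key could not be used.
    # END_ENCRYPTION is emitted once the ciphertext has been written.
    bad = [args[1] for kw, args in events if kw == "INV_RECP" and len(args) > 1]
    ok = proc.returncode == 0 and "END_ENCRYPTION" in keywords and not bad
    return {"ok": ok, "ciphertext": proc.stdout if ok else b"",
            "invalid_recipients": bad, "status": events}


def fake_gpg_run(argv, input=b"", capture_output=True, timeout=None):
    """Constructed stand-in for subprocess.run: mimics gpg's exit code and
    status lines for a known key and for a recipient without a key."""
    rcpts = [argv[i + 1] for i, a in enumerate(argv) if a == "--recipient"]
    if "missing@example.org" in rcpts:
        stderr = (b"gpg: missing@example.org: skipped: No public key\n"
                  b"[GNUPG:] INV_RECP 1 missing@example.org\n")
        return subprocess.CompletedProcess(argv, 2, b"", stderr)
    stderr = (b"[GNUPG:] ENC_TO 0123456789ABCDEF 1 0\n"
              b"[GNUPG:] BEGIN_ENCRYPTION 2 9\n"
              b"[GNUPG:] END_ENCRYPTION\n")
    return subprocess.CompletedProcess(
        argv, 0, b"-----BEGIN PGP MESSAGE-----\n...\n", stderr)


if __name__ == "__main__":
    # Constructed key ID and home directory; swap run=fake_gpg_run for the
    # default to talk to a real gpg.
    print(encrypt(b"hello", ["0123456789ABCDEF"], "/var/lib/gpg-mailgate/.gnupg",
                  run=fake_gpg_run)["ok"])
    print(encrypt(b"hello", ["missing@example.org"], "/var/lib/gpg-mailgate/.gnupg",
                  run=fake_gpg_run)["invalid_recipients"])
```

Checking the exit code alone is not enough for a mail filter: gpg can exit non-zero for a single unusable recipient while still producing output, and a filter that forwards whatever landed on stdout would then deliver plaintext or a partially addressed message. Requiring END_ENCRYPTION and an empty INV_RECP list makes the decision explicit.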

gpg-mailgate-web

A web interface for uploading public keys, optionally acting as a keyserver.

  • Each failed update of an existing key ends with all valid keys for that address being deleted, which looks like an opportunity for an attacker to switch off encryption for a victim's mailbox simply by submitting a broken key for it.
  • There might be a vulnerability in the key-confirmation code: $email and $confirm are not sanitised before being passed to the database. If they are interpolated into the query text, that is a classic SQL injection; a parameterised query would remove the problem regardless of what the values contain.
  • The key upload protocol is very simple:
    1. An email address and a key are uploaded with an HTTP POST.
    2. An email asking for confirmation is sent to the address given.
    3. Confirmation is performed by sending a request with that email address and the random string generated in step 1. The scheme rests entirely on that string being unpredictable and accepted only once.
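The following is an added example that models the three-step flow above together with the confirmation lookup written both ways: once with the request parameters spliced into the SQL text, once with bound parameters. It is illustrative Python over an in-memory sqlite database, not gpg-mailgate-web's PHP; the table and column names are assumptions, and the sample key and the bypass payload are constructed.

```python
# Added example: key upload / confirmation flow with an unsafe and a safe
# confirmation query. Not code from gpg-mailgate-web; schema is assumed.
import secrets
import sqlite3
from typing import Optional


def open_db() -> sqlite3.Connection:
    """Assumed schema: uploads wait in 'pending' until confirmed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pending (email TEXT, publickey TEXT, confirm TEXT)")
    db.execute("CREATE TABLE keys (email TEXT PRIMARY KEY, publickey TEXT)")
    return db


def submit_key(db: sqlite3.Connection, email: str, publickey: str) -> str:
    """Step 1: store the upload and return the token that the confirmation
    e-mail of step 2 will carry. Generated from the OS CSPRNG."""
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO pending VALUES (?, ?, ?)", (email, publickey, token))
    return token


def confirm_unsafe(db: sqlite3.Connection, email: str, confirm: str) -> Optional[str]:
    """Step 3 with unsanitised input spliced into the query text. A crafted
    confirm value rewrites the WHERE clause, so no token is needed."""
    sql = ("SELECT publickey FROM pending WHERE email='%s' AND confirm='%s'"
           % (email, confirm))
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def confirm_safe(db: sqlite3.Connection, email: str, confirm: str) -> Optional[str]:
    """Step 3 with bound parameters: the driver never treats the values as
    SQL, so the only way to match is to present the real token. The token
    is consumed on success so it cannot be replayed."""
    row = db.execute(
        "SELECT publickey FROM pending WHERE email=? AND confirm=?",
        (email, confirm)).fetchone()
    if row is None:
        return None
    db.execute("INSERT OR REPLACE INTO keys VALUES (?, ?)", (email, row[0]))
    db.execute("DELETE FROM pending WHERE email=? AND confirm=?", (email, confirm))
    return row[0]


def demo() -> dict:
    """Constructed scenario: attacker knows the victim's address, not the token."""
    db = open_db()
    token = submit_key(db, "alice@example.org",
                       "-----BEGIN PGP PUBLIC KEY BLOCK-----\n...")
    bypass = "' OR '1'='1"
    return {
        "unsafe_bypassed": confirm_unsafe(db, "alice@example.org", bypass) is not None,
        "safe_bypassed": confirm_safe(db, "alice@example.org", bypass) is not None,
        "safe_with_token": confirm_safe(db, "alice@example.org", token) is not None,
        "token_replayed": confirm_safe(db, "alice@example.org", token) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

With the payload above the interpolated query becomes `... WHERE email='alice@example.org' AND confirm='' OR '1'='1'`, and since OR binds looser than AND the condition is true for every row, so an attacker can confirm a key they uploaded for someone else's address without ever seeing the confirmation mail. The parameterised version returns nothing for the same input and only succeeds with the real token, which is deleted on use.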