<ul id="results" class="update"></ul>
<input type="submit" value="Compose">
<input type="submit" value="Get Fingerprint" class="search_button" alt="Select an email above and check with the person to ensure it matches their fingerprint."/>
</form><br /><br />
<?php
// Close DB connection for recipients info query
mysql_close($connection);
// Create DB connection
$connection = connection();
// Sender's ID
$id = $_SESSION['s_id'];
// Retrieve messages for the logged in user
$msg_sql = mressf("SELECT * FROM msg WHERE recip = '%d' ORDER BY id DESC", $id);
// Execute query
$msg_sql_result = mysql_query($msg_sql, $connection) or die("Unable to execute query." . mysql_error());
// If there are messages, display those there.
if (mysql_num_rows($msg_sql_result) != "0") {
// TODO: Add and option to remove access for an individual.
// In case they were sent a message by accident.
// Alternating row colors
$rowclass = 1 - $rowclass;
$rowclass = 0;
echo "<table><tr><th align=left>Date</th><th align=left>From</th><th align=left>Subject</th></tr>";
while ($row = mysql_fetch_array($msg_sql_result)) {
// Email info
$msg_id = $row['id'];
$sender = $row['sender'];
$email = $row['email'];
// Delete temporary key files
unlink($no_pass_temp);
unlink($has_pass_temp);
// salted hash to store into the db for authentication.
$hashed = generateHash($password, $hashed_up);
// Updated to encrypt the phone number and SMS gateway of the user.
$phone_no = $_SESSION['s_phone'];
// This is already in the format user@smsgateway so it is just appended here since the @ sign is the delimiter.
$sms_gateway = $_SESSION['s_sms_gateway'];
/** Encrypt the private key and base64_encode it to store in the database. With the new passphrase hash */
$sealed_priv = trim(base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $password, $new_password . "@" . $privateContents . "@" . $sms_gateway, MCRYPT_MODE_ECB, mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND))));
// DB connection
$connection = connection();
// Update user account information
$id = $_SESSION['s_id'];
$pass_sql = mressf("UPDATE users SET upass = '******', priv_key = '%s' WHERE id = '%d'", $hashed, $sealed_priv, $id);
$pass_sql_result = mysql_query($pass_sql, $connection) or die("Unable to execute mysql query." . mysql_error());
if ($pass_sql_result) {
echo "Your password has been changed.<br />";
echo "Click <a href=\"logout.php\">here</a> to login.";
// Want to be sure these are set to null
$upassword = "";
$new_password = "";
$_SESSION['s_priv_tmp'] = "";
$_SESSION['s_pass'] = "";
//remove all the variables in the session
session_unset();
$_SESSION = array();
exit;
} else {
echo "Error changing your password. <a href=\"change_pass.php\">Try again</a>. 1";
<?php
include 'includes/function.php';
loggedIn();
if ($_POST['to_email'] != "") {
// Passed variable
$user = trim($_POST['to_email']);
// Numeric value is passed so check to be sure that is it.
if (!preg_match("/^[0-9]{1,10}\$/", $user)) {
die("User not found.");
}
$pub_connection = mysql_connect("localhost", $db_user_public, $db_user_pass) or die("Error with database connection. Please try again.");
mysql_select_db($db_name, $pub_connection) or die("Error selecting database.");
/** Be sure the ID exists. */
$check_sql = mressf("SELECT email,pub_key FROM users WHERE id = '%d'", $user);
// Execute query
$sql_result = mysql_query($check_sql, $pub_connection) or die("Error retrieving user." . mysql_error());
$i = mysql_fetch_object($sql_result);
// Pub certificate
$pub_print = "{$i->pub_key}";
// Check for results
if (mysql_num_rows($sql_result) == "0") {
echo "User not found.";
exit;
} else {
echo "<b>Fingerprint for the above user is:</b> <br />";
// Split into readable chunks of four
print chunk_split(sha1_thumbprint($pub_print), 4);
exit;
}
} else {
$_SESSION['s_recip_pub'] = "";
openssl_free_key($key);
} else {
/** Form to send message */
// Passed variables
$from = $_SESSION['s_from'];
$recip = $_SESSION['s_from'];
$subject = $_SESSION['s_subject'];
$msg = $_SESSION['s_message'];
$sender = $_SESSION['s_sender'];
// Message date
$t_date = $_SESSION['s_time'];
// DB connection
$connection = connection();
$sender_id = $_SESSION['s_id'];
$sql = mressf("SELECT up.upub_key FROM uprofile up, users u WHERE u.id = up.user AND up.upub_key = (SELECT id FROM users WHERE email = '%s') AND up.user = '******'", $recip, $sender_id);
$sql_query = mysql_query($sql) or die("Unable to check to determine if public key exists in your keyring.");
if (mysql_num_rows($sql_query) == "0") {
die("The repient's key is not in your keyring, please add it before sending a message.");
}
?>
<form method="POST" action="<?php
$_SERVER['PHP_SELF'];
?>
">
<br />To: <?php
echo "{$recip}";
?>
<br /><br />
<?php
include 'includes/function.php';
$username = trim($_POST['username']);
$upassword = escapeshellcmd($_POST['password']);
$request_IP = $_SERVER['REMOTE_ADDR'];
if ($username == "" || $upassword == "") {
die("Error: Please supply both a user name and a password!");
}
// Database connection
$connection = connection();
// Check to see if the user exists and provides the right password.
$sql = mressf("SELECT id,delivery,upass,pub_key,priv_key FROM users WHERE email = '%s'", $username);
// Execute the query
$sql_result = mysql_query($sql, $connection) or die("Unable to execute mysql query." . mysql_error());
// Check to see if the source IP of the request has been rate-limited, if so, throw and error and die.
// Look for the Source IP of the request in our DB, and calculate the timestamp returned + 15 minutes ( the default ban duration).
$login_attempts = mysql_query("SELECT *,TIMESTAMPDIFF(MINUTE,NOW(),ADDTIME(timestamp,'00:15:00')) AS timeleft FROM failed_logins WHERE IP_address = '" . $request_IP . "'", $connection);
if (mysql_num_rows($login_attempts) != 0) {
// Fetch failed_login value
$obj = mysql_fetch_object($login_attempts);
if ($obj->attempts >= $failed_count) {
echo "<b>Error: Too many login attempts have been made, please try again in " . $obj->timeleft . " minutes.</b>";
exit;
}
}
if (mysql_num_rows($sql_result) != 0) {
// Retrieved saltine and other data from the db
$i = mysql_fetch_object($sql_result);
// hashed and salted pass
$pass = $i->upass;
} else {
/** Form to send message */
// Passed userid
$to_email = $_POST['to_email'];
// Check passed ID
if (!preg_match("/^[0-9]{1,10}\$/", $to_email)) {
die("Please enter a valid email address.");
}
$_SESSION['s_to_email'] = "";
$_SESSION['s_to_email'] = $to_email;
// Prepare MySQL connection
$connection = connection();
// Retrieve the ID for the user
/** TODO: WHEN WORKING WITH MULTIPLE USERS UPDATE THIS TO CHECK TO ENSURE THE USER
HAS THE USER'S PUBLIC KEY BEFORE PRESENTING THE FORM. IF I DECIDE TO SUPPORT MULTIPLE USERS*/
$sql = mressf("SELECT id,email,pub_key FROM users WHERE id = '%d'", $to_email);
// Execute the query
$sql_result = mysql_query($sql, $connection) or die("Unable to execute query." . mysql_error());
// Retrieve public key for user to send email to
$i = mysql_fetch_object($sql_result);
$_SESSION['s_recip_pub'] = "{$i->pub_key}";
if ($_SESSION['s_recip_pub'] == "") {
die("Something went wrong. Please select the receipient again. <a href=\"main_msg.php\">Back</a>");
}
// Retrieve the respective user's email and id in order to send the message.
$t_email = "{$i->email}";
$_SESSION['s_recip_email'] = "{$i->email}";
$t_id = "{$i->id}";
$_SESSION['s_recip_id'] = "{$i->id}";
?>
$sealed = base64_decode($split_msg[0]);
// Sealed key for the recipient
$seal_key = "{$split_msg['1']}";
$keys_crypt = explode("|", $seal_key);
// decode the rc4 key
$d_seal_keys1 = base64_decode($keys_crypt[1]);
// unseal the rc4 key
$d_seal_keys1 = d_seal($d_seal_keys1, $key, $pass);
// Prepare the receipient's private key to unseal the encrypted message.
$pkeyid = openssl_get_privatekey($key, $pass);
// unseal the message
if (openssl_open($sealed, $unseal, $d_seal_keys1, $pkeyid)) {
// Unset the read flag
$connection = connection();
// Unset the message as being read
$unset_sql = mressf("UPDATE msg SET iread = '0' WHERE id = '%d'", $msg_id);
$unset_sql_result = mysql_query($unset_sql, $connection);
// Format the message to display
echo "<br />From: {$from_sender} on {$t_time}<br />";
echo "Subject: {$t_subject}<br />";
// Session variables for sender and subject info
// Need the sender's id for the reply message.
$_SESSION['s_sender_id'] = "";
$_SESSION['s_sender_id'] = $t_sender;
// Sender Email
$_SESSION['s_from'] = "";
$_SESSION['s_from'] = $from_sender;
// Email subject
$_SESSION['s_subject'] = "";
$_SESSION['s_subject'] = $t_subject;
// Sender Public Key
loggedIn();
menu();
$msg_id = trim($_GET['msg']);
// Check passed ID
if (!preg_match("/^[0-9]{1,10}\$/", $msg_id)) {
die("Invalid message ID1.");
}
// Create db connection
$connection = connection();
// Ensure the user is authorized to delete the email.
$id = $_SESSION['s_id'];
// Ensure the user is authorized to delete the message.
$sql = mressf("SELECT id FROM msg WHERE id = '%d' AND recip = '%d'", $msg_id, $id);
// Execute the query
$sql_result = mysql_query($sql) or die("Unable to execute query." . mysql_error());
// Stop executing if the user isn't authorized to this msg.
if (mysql_num_rows($sql_result) == "0") {
die("Invalid message ID.");
}
// Delete access to the message
// Note that the recipient's value is changed to "0".
$delete_sql = mressf("UPDATE msg SET recip = '0' WHERE id = '%d' AND recip = '%d'", $msg_id, $id);
// Execute the query
$delete_sql_result = mysql_query($delete_sql) or die("Unable to delete access to this message." . mysql_error());
if ($delete_sql_result) {
header('Location: msg_main.php');
exit;
} else {
echo "<b>Fatal error! Unable to delete access to this message.</b>";
exit;
}
}
}
} elseif ($_POST['submit'] == "Search") {
// Alternating row colors
$rowclass = 1 - $rowclass;
$rowclass = 0;
$user = trim(htmlentities($_POST['user']));
if ($user == "") {
die("Please enter a search term.");
}
// Create db connection
$connection = connection();
// Select all users
$id = $_SESSION['s_id'];
$user = "******" . $user . "%";
$sql = mressf("SELECT id,email,pub_key FROM users WHERE id != '%d' AND email LIKE '%s'", $id, $user);
// Execute the query
$sql_result = mysql_query($sql, $connection) or die("Unable to execute query." . mysql_error());
if (mysql_num_rows($sql_result) == "0") {
die("No results for that user.");
}
echo "<table><tr><th>Name</th><th>Email</th><th>Action</th></tr>";
while ($row = mysql_fetch_array($sql_result)) {
$id = $row['id'];
$email = $row['email'];
$pubkey = $row['pub_key'];
// Sender name from Public Certificate
$name = openssl_x509_parse($pubkey);
$name = preg_grep("/CN/", $name);
$name = implode("/", $name);
$name = explode("/", $name);
// Ensure the user fills out all the appropriate fields.
if ($email1 == "" || $password == "" || $confirm_pass == "") {
die("<b>Please fill out all required fields!</b>");
}
// Validate the email address.
include 'includes/EmailAddressValidator.php';
$validator = new EmailAddressValidator();
if ($validator->check_email_address($email1)) {
} else {
// Email not valid
die("Invalid email address. <strong>{$email1}</strong>");
}
/* ################### PREVENT Duplicate accounts ############################ */
$connection = connection();
// Query to check if email already exists
$sql = mressf("SELECT email FROM users WHERE email = '%s'", $email1);
// Execute query
$sql_result = mysql_query($sql, $connection) or die("Error validating account.");
// See if there are any results
if (mysql_num_rows($sql_result) == "0") {
} else {
echo "<b>This email address already exists. <strong>{$email1}</strong>";
exit;
}
// Check password requirements
$test_pass = check_pass($password, $confirm_pass);
if ($test_pass == "Strong.") {
} else {
echo "Your password doesn't meet all security requirements.<br />";
echo "{$test_pass}";
exit;