diff options
author | Friendika <info@friendika.com> | 2011-08-27 18:09:43 -0700 |
---|---|---|
committer | Friendika <info@friendika.com> | 2011-08-27 18:09:43 -0700 |
commit | ada8bee70e89c34afa53eff9ad70315cfcd34c6d (patch) | |
tree | 048175af42a2738a4c42c34df9e4d75b0101c897 | |
parent | e3dbb6339386fce5cef2d22be6edd63b93a9b41d (diff) | |
download | volse-hubzilla-ada8bee70e89c34afa53eff9ad70315cfcd34c6d.tar.gz volse-hubzilla-ada8bee70e89c34afa53eff9ad70315cfcd34c6d.tar.bz2 volse-hubzilla-ada8bee70e89c34afa53eff9ad70315cfcd34c6d.zip |
remove public disclosure risk
-rw-r--r-- | boot.php | 2 | ||||
-rw-r--r-- | include/crypto.php | 65 | ||||
-rw-r--r-- | mod/network.php | 2 |
3 files changed, 67 insertions, 2 deletions
@@ -7,7 +7,7 @@ require_once('include/text.php'); require_once("include/pgettext.php"); -define ( 'FRIENDIKA_VERSION', '2.2.1084' ); +define ( 'FRIENDIKA_VERSION', '2.2.1085' ); define ( 'DFRN_PROTOCOL_VERSION', '2.21' ); define ( 'DB_UPDATE_VERSION', 1083 ); diff --git a/include/crypto.php b/include/crypto.php index a20606db5..88e05b9eb 100644 --- a/include/crypto.php +++ b/include/crypto.php @@ -225,3 +225,68 @@ function pkcs5_unpad($text) if (strspn($text, chr($pad), strlen($text) - $pad) != $pad) return false; return substr($text, 0, -1 * $pad); } + +function AES256CBC_encrypt($data,$key,$iv) { + return mcrypt_encrypt( + MCRYPT_RIJNDAEL_128, + str_pad($key,32,"\0"), + pkcs5_pad($data,16), + MCRYPT_MODE_CBC, + str_pad($iv,16,"\0")); +} + +function AES256CBC_decrypt($data,$key,$iv) { + return pkcs5_unpad(mcrypt_decrypt( + MCRYPT_RIJNDAEL_128, + str_pad($key,32,"\0"), + $data, + MCRYPT_MODE_CBC, + str_pad($iv,16,"\0"))); +} + +function aes_encapsulate($data,$pubkey) { + $key = random_string(32,RANDOM_STRING_TEXT); + $iv = random_string(16,RANDOM_STRING_TEXT); + $result['data'] = base64url_encode(AES256CBC_encrypt($data,$key,$iv),true); + openssl_public_encrypt($key,$k,$pubkey); + $result['key'] = base64url_encode($k,true); + openssl_public_encrypt($iv,$i,$pubkey); + $result['iv'] = base64url_encode($i,true); + return $result; +} + +function aes_unencapsulate($data,$prvkey) { + openssl_private_decrypt(base64url_decode($data['key']),$k,$prvkey); + openssl_private_decrypt(base64url_decode($data['iv']),$i,$prvkey); + return AES256CBC_decrypt(base64url_decode($data['data']),$k,$i); +} + + +function zot_encapsulate($data,$sender,$pubkey) { +$res = aes_encapsulate($data,$pubkey); +openssl_public_encrypt($sender,$s,$pubkey); +$s1 = base64url_encode($s,true); + +return <<< EOT +<?xml version='1.0' encoding='UTF-8'?> +<zot:env xmlns:zot='http://purl.org/zot/1.0'> + <zot:key>{$res['key']}</zot:key> + <zot:iv>{$res['iv']}</zot:iv> + <zot:sender>$s1</zot:sender> + <zot:alg>AES-256-CBC</zot:alg> + <zot:data type='application/magic-envelope+xml'>{$res['data']}</zot:data> +</zot:env> +EOT; + +} + +function zot_unencapsulate($data,$prvkey) { + $ret = array(); + $c = array(); + $x = parse_xml_string($data); + $c = array('key' => $x->key,'iv' => $x->iv,'data' => $x->data); + openssl_private_decrypt(base64url_decode($x->sender),$s,$prvkey); + $ret['sender'] = $s; + $ret['data'] = aes_unencapsulate($x,$prvkey); + return $ret; +}
\ No newline at end of file diff --git a/mod/network.php b/mod/network.php index 05b74b50a..54fb2a0a4 100644 --- a/mod/network.php +++ b/mod/network.php @@ -188,7 +188,7 @@ function network_content(&$a, $update = 0) { if(count($r)) { $sql_extra = " AND `item`.`parent` IN ( SELECT `parent` FROM `item` WHERE `id` = `parent` $star_sql AND `contact-id` IN ( " . intval($cid) . " )) "; $o = '<h2>' . t('Contact: ') . $r[0]['name'] . '</h2>' . $o; - if($r[0]['network'] !== NETWORK_MAIL && $r[0]['network'] !== NETWORK_DFRN && $r[0]['network'] !== NETWORK_FACEBOOK && $r[0]['writable'] && (! get_pconfig(local_user(),'system','nowarn_insecure'))) { + if($r[0]['network'] !== NETWORK_MAIL && $r[0]['network'] !== NETWORK_DFRN && $r[0]['network'] !== NETWORK_FACEBOOK && $r[0]['network'] !== NETWORK_DIASPORA && $r[0]['writable'] && (! get_pconfig(local_user(),'system','nowarn_insecure'))) { notice( t('Private messages to this person are at risk of public disclosure.') . EOL); } |