diff options
author | Mario <mario@mariovavti.com> | 2021-02-09 13:50:03 +0000 |
---|---|---|
committer | Mario <mario@mariovavti.com> | 2021-02-09 13:50:03 +0000 |
commit | b4693870ba647455e6bd0a3919a544130cee118b (patch) | |
tree | 97fe6de09c5ce3b5e6ed247c6a6105008631e79a | |
parent | 5aee2f172ecdf58e13dd328c787fd199c48d24c5 (diff) | |
download | volse-hubzilla-b4693870ba647455e6bd0a3919a544130cee118b.tar.gz volse-hubzilla-b4693870ba647455e6bd0a3919a544130cee118b.tar.bz2 volse-hubzilla-b4693870ba647455e6bd0a3919a544130cee118b.zip |
port Lib/Crypto from zap
32 files changed, 502 insertions, 262 deletions
diff --git a/Zotlabs/Lib/Crypto.php b/Zotlabs/Lib/Crypto.php new file mode 100644 index 000000000..3dba1bcf3 --- /dev/null +++ b/Zotlabs/Lib/Crypto.php @@ -0,0 +1,205 @@ +<?php + +namespace Zotlabs\Lib; +use Exception; + +class Crypto { + + public static $openssl_algorithms = [ + + // zot6 nickname, opensslname, keylength, ivlength + + [ 'aes256ctr', 'aes-256-ctr', 32, 16 ], + [ 'camellia256cfb', 'camellia-256-cfb', 32, 16 ], + [ 'cast5cfb', 'cast5-cfb', 16, 8 ] + + ]; + + public static function methods() { + $ret = []; + + foreach(self::$openssl_algorithms as $ossl) { + $ret[] = $ossl[0] . '.oaep'; + } + + call_hooks('crypto_methods',$ret); + return $ret; + } + + public static function signing_methods() { + + $ret = [ 'sha256' ]; + call_hooks('signing_methods',$ret); + return $ret; + + } + + public static function new_keypair($bits) { + + $openssl_options = [ + 'digest_alg' => 'sha1', + 'private_key_bits' => $bits, + 'encrypt_key' => false + ]; + + $conf = get_config('system','openssl_conf_file'); + + if ($conf) { + $openssl_options['config'] = $conf; + } + + $result = openssl_pkey_new($openssl_options); + + if (empty($result)) { + return false; + } + + // Get private key + + $response = [ 'prvkey' => '', 'pubkey' => '' ]; + + openssl_pkey_export($result, $response['prvkey']); + + // Get public key + $pkey = openssl_pkey_get_details($result); + $response['pubkey'] = $pkey["key"]; + + return $response; + + } + + public static function sign($data,$key,$alg = 'sha256') { + + if (! $key) { + return false; + } + + $sig = ''; + openssl_sign($data,$sig,$key,$alg); + return $sig; + } + + public static function verify($data,$sig,$key,$alg = 'sha256') { + + if (! $key) { + return false; + } + + try { + $verify = openssl_verify($data,$sig,$key,$alg); + } + catch (Exception $e) { + $verify = (-1); + } + + if ($verify === (-1)) { + while ($msg = openssl_error_string()) { + logger('openssl_verify: ' . $msg,LOGGER_NORMAL,LOG_ERR); + } + btlogger('openssl_verify: key: ' . $key, LOGGER_DEBUG, LOG_ERR); + } + + return (($verify > 0) ? true : false); + } + + public static function encapsulate($data,$pubkey,$alg) { + + if (! ($alg && $pubkey)) { + return $data; + } + + $alg_base = $alg; + $padding = OPENSSL_PKCS1_PADDING; + + $exts = explode('.',$alg); + if (count($exts) > 1) { + switch ($exts[1]) { + case 'oaep': + $padding = OPENSSL_PKCS1_OAEP_PADDING; + break; + default: + break; + } + $alg_base = $exts[0]; + } + + $method = null; + + foreach (self::$openssl_algorithms as $ossl) { + if ($ossl[0] === $alg_base) { + $method = $ossl; + break; + } + } + + if ($method) { + $result = [ 'encrypted' => true ]; + + $key = openssl_random_pseudo_bytes(256); + $iv = openssl_random_pseudo_bytes(256); + + $key1 = substr($key, 0, $method[2]); + $iv1 = substr($iv, 0, $method[3]); + + $result['data'] = base64url_encode(openssl_encrypt($data,$method[1],$key1,OPENSSL_RAW_DATA,$iv1),true); + + openssl_public_encrypt($key, $k, $pubkey, $padding); + openssl_public_encrypt($iv, $i, $pubkey, $padding); + + $result['alg'] = $alg; + $result['key'] = base64url_encode($k,true); + $result['iv'] = base64url_encode($i,true); + return $result; + + } + else { + $x = [ 'data' => $data, 'pubkey' => $pubkey, 'alg' => $alg, 'result' => $data ]; + call_hooks('crypto_encapsulate', $x); + return $x['result']; + } + } + + public static function unencapsulate($data,$prvkey) { + + if (! (is_array($data) && array_key_exists('encrypted',$data) && array_key_exists('alg',$data) && $data['alg'])) { + logger('not encrypted'); + + return $data; + } + + $alg_base = $data['alg']; + $padding = OPENSSL_PKCS1_PADDING; + + $exts = explode('.',$data['alg']); + if (count($exts) > 1) { + switch ($exts[1]) { + case 'oaep': + $padding = OPENSSL_PKCS1_OAEP_PADDING; + break; + default: + break; + } + $alg_base = $exts[0]; + } + + $method = null; + + foreach (self::$openssl_algorithms as $ossl) { + if ($ossl[0] === $alg_base) { + $method = $ossl; + break; + } + } + + if ($method) { + openssl_private_decrypt(base64url_decode($data['key']),$k,$prvkey,$padding); + openssl_private_decrypt(base64url_decode($data['iv']), $i,$prvkey,$padding); + return openssl_decrypt(base64url_decode($data['data']),$method[1],substr($k,0,$method[2]),OPENSSL_RAW_DATA,substr($i,0,$method[3])); + } + else { + $x = [ 'data' => $data, 'prvkey' => $prvkey, 'alg' => $data['alg'], 'result' => $data ]; + call_hooks('crypto_unencapsulate',$x); + return $x['result']; + } + } +} diff --git a/Zotlabs/Lib/JSalmon.php b/Zotlabs/Lib/JSalmon.php index 7f63cf914..f9fe99706 100644 --- a/Zotlabs/Lib/JSalmon.php +++ b/Zotlabs/Lib/JSalmon.php @@ -18,7 +18,7 @@ class JSalmon { $precomputed = '.' . base64url_encode($data_type,true) . '.YmFzZTY0dXJs.UlNBLVNIQTI1Ng'; - $signature = base64url_encode(rsa_sign($data . $precomputed, $key), true); + $signature = base64url_encode(Crypto::sign($data . $precomputed, $key), true); return ([ 'signed' => true, @@ -54,7 +54,7 @@ class JSalmon { $key = HTTPSig::get_key(EMPTY_STR,'zot6',base64url_decode($x['sigs']['key_id'])); logger('key: ' . print_r($key,true)); if($key['portable_id'] && $key['public_key']) { - if(rsa_verify($signed_data,base64url_decode($x['sigs']['value']),$key['public_key'])) { + if(Crypto::verify($signed_data,base64url_decode($x['sigs']['value']),$key['public_key'])) { logger('verified'); $ret = [ 'success' => true, 'signer' => $key['portable_id'], 'hubloc' => $key['hubloc'] ]; } diff --git a/Zotlabs/Lib/LDSignatures.php b/Zotlabs/Lib/LDSignatures.php index 2eba66ccf..1c2095f10 100644 --- a/Zotlabs/Lib/LDSignatures.php +++ b/Zotlabs/Lib/LDSignatures.php @@ -12,7 +12,7 @@ class LDSignatures { $ohash = self::hash(self::signable_options($data['signature'])); $dhash = self::hash(self::signable_data($data)); - $x = rsa_verify($ohash . $dhash,base64_decode($data['signature']['signatureValue']), $pubkey); + $x = Crypto::verify($ohash . $dhash,base64_decode($data['signature']['signatureValue']), $pubkey); logger('LD-verify: ' . intval($x)); return $x; @@ -35,11 +35,11 @@ class LDSignatures { $ohash = self::hash(self::signable_options($options)); $dhash = self::hash(self::signable_data($data)); - $options['signatureValue'] = base64_encode(rsa_sign($ohash . $dhash,$channel['channel_prvkey'])); + $options['signatureValue'] = base64_encode(Crypto::sign($ohash . $dhash,$channel['channel_prvkey'])); $signed = array_merge([ - '@context' => [ - ACTIVITYSTREAMS_JSONLD_REV, + '@context' => [ + ACTIVITYSTREAMS_JSONLD_REV, 'https://w3id.org/security/v1' ], ],$options); @@ -88,7 +88,7 @@ class LDSignatures { return ''; jsonld_set_document_loader('jsonld_document_loader'); - + try { $d = jsonld_normalize($data,[ 'algorithm' => 'URDNA2015', 'format' => 'application/nquads' ]); } @@ -117,7 +117,7 @@ class LDSignatures { $precomputed = '.' . base64url_encode($data_type,false) . '.YmFzZTY0dXJs.UlNBLVNIQTI1Ng=='; - $signature = base64url_encode(rsa_sign($data . $precomputed,$channel['channel_prvkey'])); + $signature = base64url_encode(Crypto::sign($data . $precomputed,$channel['channel_prvkey'])); return ([ 'id' => $arr['id'], diff --git a/Zotlabs/Lib/Libzot.php b/Zotlabs/Lib/Libzot.php index 0ead8402e..a615cee6e 100644 --- a/Zotlabs/Lib/Libzot.php +++ b/Zotlabs/Lib/Libzot.php @@ -130,7 +130,7 @@ class Libzot { if ($remote_key) { $algorithm = self::best_algorithm($methods); if ($algorithm) { - $data = crypto_encapsulate(json_encode($data), $remote_key, $algorithm); + $data = Crypto::encapsulate(json_encode($data), $remote_key, $algorithm); } } @@ -143,7 +143,7 @@ class Libzot { * * @param string $methods * Comma separated list of encryption methods - * @return string first match from our site method preferences crypto_methods() array + * @return string first match from our site method preferences Crypto::methods() array * of a method which is common to both sites; or 'aes256cbc' if no matches are found. */ static function best_algorithm($methods) { @@ -167,7 +167,7 @@ class Libzot { if ($methods) { $x = explode(',', $methods); if ($x) { - $y = crypto_methods(); + $y = Crypto::methods(); if ($y) { foreach ($y as $yv) { $yv = trim($yv); @@ -763,8 +763,8 @@ class Libzot { 'xchan_guid' => $arr['id'], 'xchan_guid_sig' => $arr['id_sig'], 'xchan_pubkey' => $arr['public_key'], - 'xchan_photo_mimetype' => $arr['photo']['type'], - 'xchan_photo_l' => $arr['photo']['url'], + 'xchan_photo_mimetype' => $arr['photo_mimetype'], + 'xchan_photo_l' => $arr['photo'], 'xchan_addr' => escape_tags($arr['primary_location']['address']), 'xchan_url' => escape_tags($arr['primary_location']['url']), 'xchan_connurl' => $arr['primary_location']['connections_url'], @@ -772,7 +772,7 @@ class Libzot { 'xchan_connpage' => $arr['connect_url'], 'xchan_name' => (($arr['name']) ? escape_tags($arr['name']) : '-'), 'xchan_network' => 'zot6', - 'xchan_photo_date' => $arr['photo']['updated'], + 'xchan_photo_date' => $arr['photo_updated'], 'xchan_name_date' => $arr['name_updated'], 'xchan_hidden' => intval(1 - intval($arr['searchable'])), 'xchan_selfcensored' => $arr['adult_content'], @@ -983,7 +983,7 @@ class Libzot { logger('Headers: ' . print_r($arr['header'], true), LOGGER_DATA, LOG_DEBUG); } - $x = crypto_unencapsulate($x, get_config('system', 'prvkey')); + $x = Crypto::unencapsulate($x, get_config('system', 'prvkey')); if (!is_array($x)) { $x = json_decode($x, true); @@ -3020,7 +3020,7 @@ class Libzot { $ret['site']['directory_url'] = z_root() . '/dirsearch'; - $ret['site']['encryption'] = crypto_methods(); + $ret['site']['encryption'] = Crypto::methods(); $ret['site']['zot'] = System::get_zot_revision(); // hide detailed site information if you're off the grid diff --git a/Zotlabs/Lib/Zotfinger.php b/Zotlabs/Lib/Zotfinger.php index faaf28f35..840d91403 100644 --- a/Zotlabs/Lib/Zotfinger.php +++ b/Zotlabs/Lib/Zotfinger.php @@ -18,8 +18,8 @@ class Zotfinger { if($channel && $m) { - $headers = [ - 'Accept' => 'application/x-zot+json', + $headers = [ + 'Accept' => 'application/x-zot+json', 'Content-Type' => 'application/x-zot+json', 'X-Zot-Token' => random_string(), 'Digest' => HTTPSig::generate_digest_header($data), @@ -29,9 +29,9 @@ class Zotfinger { $h = HTTPSig::create_sig($headers,$channel['channel_prvkey'],channel_url($channel),false); } else { - $h = [ 'Accept: application/x-zot+json' ]; + $h = [ 'Accept: application/x-zot+json' ]; } - + $result = []; $redirects = 0; @@ -43,11 +43,11 @@ class Zotfinger { if ($verify) { $result['signature'] = HTTPSig::verify($x, EMPTY_STR, 'zot6'); } - + $result['data'] = json_decode($x['body'],true); if($result['data'] && is_array($result['data']) && array_key_exists('encrypted',$result['data']) && $result['data']['encrypted']) { - $result['data'] = json_decode(crypto_unencapsulate($result['data'],get_config('system','prvkey')),true); + $result['data'] = json_decode(Crypto::unencapsulate($result['data'],get_config('system','prvkey')),true); } logger('decrypted: ' . print_r($result,true)); diff --git a/Zotlabs/Module/Channel.php b/Zotlabs/Module/Channel.php index 915e0ea60..a513523a7 100644 --- a/Zotlabs/Module/Channel.php +++ b/Zotlabs/Module/Channel.php @@ -6,6 +6,7 @@ namespace Zotlabs\Module; use App; use Zotlabs\Lib\Activity; use Zotlabs\Lib\ActivityStreams; +use Zotlabs\Lib\Crypto; use Zotlabs\Lib\Libzot; use Zotlabs\Lib\PermissionDescription; use Zotlabs\Web\Controller; @@ -70,7 +71,7 @@ class Channel extends Controller { ); if ($s) { - $data = json_encode(crypto_encapsulate($data, $s[0]['hubloc_sitekey'], Libzot::best_algorithm($s[0]['site_crypto']))); + $data = json_encode(Crypto::encapsulate($data, $s[0]['hubloc_sitekey'], Libzot::best_algorithm($s[0]['site_crypto']))); } } else { diff --git a/Zotlabs/Module/Connedit.php b/Zotlabs/Module/Connedit.php index 582563451..44211c8b9 100644 --- a/Zotlabs/Module/Connedit.php +++ b/Zotlabs/Module/Connedit.php @@ -9,6 +9,7 @@ namespace Zotlabs\Module; use App; use Zotlabs\Lib\Apps; +use Zotlabs\Lib\Crypto; use Zotlabs\Lib\Libzot; use Zotlabs\Lib\Libsync; use Zotlabs\Daemon\Master; @@ -178,7 +179,7 @@ class Connedit extends Controller { if(! $is_self) { $signed = $orig_record[0]['abook_xchan'] . '.' . $rating . '.' . $rating_text; - $sig = base64url_encode(rsa_sign($signed,$channel['channel_prvkey'])); + $sig = base64url_encode(Crypto::sign($signed,$channel['channel_prvkey'])); $rated = ((intval($rating) || strlen($rating_text)) ? true : false); diff --git a/Zotlabs/Module/Fhublocs.php b/Zotlabs/Module/Fhublocs.php index dcd399a1f..42dac5b12 100644 --- a/Zotlabs/Module/Fhublocs.php +++ b/Zotlabs/Module/Fhublocs.php @@ -15,12 +15,12 @@ class Fhublocs extends \Zotlabs\Web\Controller { if(! is_site_admin()) return; - + $o = ''; - + $r = q("select * from channel where channel_removed = 0"); $sitekey = get_config('system','pubkey'); - + if($r) { foreach($r as $rr) { @@ -38,14 +38,14 @@ class Fhublocs extends \Zotlabs\Web\Controller { if($found) { $o .= 'Hubloc exists for ' . $rr['channel_name'] . EOL; continue; - } + } } $y = q("select xchan_addr from xchan where xchan_hash = '%s' limit 1", dbesc($rr['channel_hash']) ); if($y) $primary_address = $y[0]['xchan_addr']; - + $hub_address = channel_reddress($rr); $primary = (($hub_address === $primary_address) ? 1 : 0); @@ -56,9 +56,9 @@ class Fhublocs extends \Zotlabs\Web\Controller { dbesc($rr['channel_hash']), dbesc(z_root()) ); - + // Create a verified hub location pointing to this site. - + /* $h = hubloc_store_lowlevel( [ @@ -69,7 +69,7 @@ class Fhublocs extends \Zotlabs\Web\Controller { 'hubloc_network' => 'zot', 'hubloc_primary' => $primary, 'hubloc_url' => z_root(), - 'hubloc_url_sig' => base64url_encode(rsa_sign(z_root(),$rr['channel_prvkey'])), + 'hubloc_url_sig' => base64url_encode(Crypto::sign(z_root(),$rr['channel_prvkey'])), 'hubloc_host' => \App::get_hostname(), 'hubloc_callback' => z_root() . '/post', 'hubloc_sitekey' => $sitekey @@ -99,11 +99,11 @@ class Fhublocs extends \Zotlabs\Web\Controller { $o . 'local hubloc created for ' . $rr['channel_name'] . EOL; else $o .= 'DB update failed for ' . $rr['channel_name'] . EOL; - + } - + return $o; - + } } } diff --git a/Zotlabs/Module/Getfile.php b/Zotlabs/Module/Getfile.php index 20cc23ac0..28d7eabb5 100644 --- a/Zotlabs/Module/Getfile.php +++ b/Zotlabs/Module/Getfile.php @@ -1,6 +1,7 @@ <?php namespace Zotlabs\Module; +use Zotlabs\Lib\Crypto; use Zotlabs\Web\HTTPSig; use Zotlabs\Lib\Libzot; @@ -106,7 +107,7 @@ class Getfile extends \Zotlabs\Web\Controller { killme(); } - if(! rsa_verify($hash . '.' . $time,base64url_decode($sig),$channel['channel_pubkey'])) { + if(! Crypto::verify($hash . '.' . $time,base64url_decode($sig),$channel['channel_pubkey'])) { logger('verify failed.'); killme(); } diff --git a/Zotlabs/Module/Import.php b/Zotlabs/Module/Import.php index f8fc366e0..8ef24b232 100644 --- a/Zotlabs/Module/Import.php +++ b/Zotlabs/Module/Import.php @@ -8,6 +8,7 @@ require_once('include/import.php'); require_once('include/perm_upgrade.php'); require_once('library/urlify/URLify.php'); +use Zotlabs\Lib\Crypto; use Zotlabs\Lib\Libzot; @@ -227,7 +228,7 @@ class Import extends \Zotlabs\Web\Controller { 'hubloc_network' => 'zot', 'hubloc_primary' => (($seize) ? 1 : 0), 'hubloc_url' => z_root(), - 'hubloc_url_sig' => base64url_encode(rsa_sign(z_root(),$channel['channel_prvkey'])), + 'hubloc_url_sig' => base64url_encode(Crypto::sign(z_root(),$channel['channel_prvkey'])), 'hubloc_host' => \App::get_hostname(), 'hubloc_callback' => z_root() . '/post', 'hubloc_sitekey' => get_config('system','pubkey'), @@ -256,7 +257,7 @@ class Import extends \Zotlabs\Web\Controller { 'hubloc_network' => 'zot6', 'hubloc_primary' => (($seize) ? 1 : 0), 'hubloc_url' => z_root(), - 'hubloc_url_sig' => 'sha256.' . base64url_encode(rsa_sign(z_root(),$channel['channel_prvkey'])), + 'hubloc_url_sig' => 'sha256.' . base64url_encode(Crypto::sign(z_root(),$channel['channel_prvkey'])), 'hubloc_host' => \App::get_hostname(), 'hubloc_callback' => z_root() . '/zot', 'hubloc_sitekey' => get_config('system','pubkey'), diff --git a/Zotlabs/Module/Prate.php b/Zotlabs/Module/Prate.php index 2a8539ed0..8b71657b8 100644 --- a/Zotlabs/Module/Prate.php +++ b/Zotlabs/Module/Prate.php @@ -2,21 +2,23 @@ namespace Zotlabs\Module; +use Zotlabs\Lib\Crypto; + class Prate extends \Zotlabs\Web\Controller { function init() { if($_SERVER['REQUEST_METHOD'] === 'post') return; - + if(! local_channel()) return; - + $channel = \App::get_channel(); - + $target = argv(1); if(! $target) return; - + $r = q("select * from xlink where xlink_xchan = '%s' and xlink_link = '%s' and xlink_static = 1", dbesc($channel['channel_hash']), dbesc($target) @@ -25,34 +27,34 @@ class Prate extends \Zotlabs\Web\Controller { json_return_and_die(array('rating' => $r[0]['xlink_rating'],'rating_text' => $r[0]['xlink_rating_text'])); killme(); } - + function post() { - + if(! local_channel()) return; - + $channel = \App::get_channel(); - + $target = trim($_REQUEST['target']); if(! $target) return; - + if($target === $channel['channel_hash']) return; - + $rating = intval($_POST['rating']); if($rating < (-10)) $rating = (-10); if($rating > 10) $rating = 10; - + $rating_text = trim(escape_tags($_REQUEST['rating_text'])); - + $signed = $target . '.' . $rating . '.' . $rating_text; - - $sig = base64url_encode(rsa_sign($signed,$channel['channel_prvkey'])); - - + + $sig = base64url_encode(Crypto::sign($signed,$channel['channel_prvkey'])); + + $z = q("select * from xlink where xlink_xchan = '%s' and xlink_link = '%s' and xlink_static = 1 limit 1", dbesc($channel['channel_hash']), dbesc($target) @@ -87,19 +89,19 @@ class Prate extends \Zotlabs\Web\Controller { if($record) { \Zotlabs\Daemon\Master::Summon(array('Ratenotif','rating',$record)); } - + json_return_and_die(array('result' => true));; } - - - - - - - - - - - - + + + + + + + + + + + + } diff --git a/Zotlabs/Module/Probe.php b/Zotlabs/Module/Probe.php index d338b08ea..3bc4dac72 100644 --- a/Zotlabs/Module/Probe.php +++ b/Zotlabs/Module/Probe.php @@ -3,6 +3,7 @@ namespace Zotlabs\Module; use App; use Zotlabs\Lib\Apps; +use Zotlabs\Lib\Crypto; require_once('include/zot.php'); @@ -24,18 +25,18 @@ class Probe extends \Zotlabs\Web\Controller { nav_set_selected('Remote Diagnostics'); $o .= '<h3>Remote Diagnostics</h3>'; - + $o .= '<form action="probe" method="get">'; $o .= 'Lookup address: <input type="text" style="width: 250px;" name="addr" value="' . $_GET['addr'] .'" />'; - $o .= '<input type="submit" name="submit" value="Submit" /></form>'; - + $o .= '<input type="submit" name="submit" value="Submit" /></form>'; + $o .= '<br /><br />'; - + if(x($_GET,'addr')) { $channel = App::get_channel(); $addr = trim($_GET['addr']); $do_import = ((intval($_GET['import']) && is_site_admin()) ? true : false); - + $j = \Zotlabs\Zot\Finger::run($addr,$channel,false); $o .= '<pre>'; @@ -43,17 +44,17 @@ class Probe extends \Zotlabs\Web\Controller { $o .= "<strong>https connection failed. Trying again with auto failover to http.</strong>\r\n\r\n"; $j = \Zotlabs\Zot\Finger::run($addr,$channel,true); if(! $j['success']) { - return $o; + return $o; } } if($do_import && $j) $x = import_xchan($j); if($j && $j['permissions'] && $j['permissions']['iv']) - $j['permissions'] = json_decode(crypto_unencapsulate($j['permissions'],$channel['channel_prvkey']),true); + $j['permissions'] = json_decode(Crypto::unencapsulate($j['permissions'],$channel['channel_prvkey']),true); $o .= str_replace("\n",'<br />',print_r($j,true)); $o .= '</pre>'; } return $o; } - + } diff --git a/Zotlabs/Module/Rate.php b/Zotlabs/Module/Rate.php index c03aaa54f..d29c370fc 100644 --- a/Zotlabs/Module/Rate.php +++ b/Zotlabs/Module/Rate.php @@ -3,21 +3,23 @@ namespace Zotlabs\Module; +use Zotlabs\Lib\Crypto; + class Rate extends \Zotlabs\Web\Controller { function init() { - + if(! local_channel()) return; - + $channel = \App::get_channel(); - + $target = $_REQUEST['target']; if(! $target) return; - + \App::$data['target'] = $target; - + if($target) { $r = q("SELECT * FROM xchan where xchan_hash like '%s' LIMIT 1", dbesc($target) @@ -36,43 +38,43 @@ class Rate extends \Zotlabs\Web\Controller { } } } - - + + return; - + } - - + + function post() { - + if(! local_channel()) return; - + if(! \App::$data['target']) return; - + if(! $_REQUEST['execute']) return; - + $channel = \App::get_channel(); - + $rating = intval($_POST['rating']); if($rating < (-10)) $rating = (-10); if($rating > 10) $rating = 10; - + $rating_text = trim(escape_tags($_REQUEST['rating_text'])); - + $signed = \App::$data['target'] . '.' . $rating . '.' . $rating_text; - - $sig = base64url_encode(rsa_sign($signed,$channel['channel_prvkey'])); - + + $sig = base64url_encode(Crypto::sign($signed,$channel['channel_prvkey'])); + $z = q("select * from xlink where xlink_xchan = '%s' and xlink_link = '%s' and xlink_static = 1 limit 1", dbesc($channel['channel_hash']), dbesc(\App::$data['target']) ); - + if($z) { $record = $z[0]['xlink_id']; $w = q("update xlink set xlink_rating = '%d', xlink_rating_text = '%s', xlink_sig = '%s', xlink_updated = '%s' @@ -100,39 +102,39 @@ class Rate extends \Zotlabs\Web\Controller { if($z) $record = $z[0]['xlink_id']; } - + if($record) { \Zotlabs\Daemon\Master::Summon(array('Ratenotif','rating',$record)); } - + } - + function get() { - + if(! local_channel()) { notice( t('Permission denied.') . EOL); return; } - + // if(! \App::$data['target']) { // notice( t('No recipients.') . EOL); // return; // } - + $rating_enabled = get_config('system','rating_enabled'); if(! $rating_enabled) { notice('Ratings are disabled on this site.'); return; } - + $channel = \App::get_channel(); - + $r = q("select * from xlink where xlink_xchan = '%s' and xlink_link = '%s' and xlink_static = 1", dbesc($channel['channel_hash']), dbesc(\App::$data['target']) ); if($r) { - \App::$data['xlink'] = $r[0]; + \App::$data['xlink'] = $r[0]; $rating_val = $r[0]['xlink_rating']; $rating_text = $r[0]['xlink_rating_text']; } @@ -140,7 +142,7 @@ class Rate extends \Zotlabs\Web\Controller { $rating_val = 0; $rating_text = ''; } - + if($rating_enabled) { $rating = replace_macros(get_markup_template('rating_slider.tpl'),array( '$min' => -10, @@ -150,7 +152,7 @@ class Rate extends \Zotlabs\Web\Controller { else { $rating = false; } - + $o = replace_macros(get_markup_template('rating_form.tpl'),array( '$header' => t('Rating'), '$website' => t('Website:'), @@ -165,8 +167,8 @@ class Rate extends \Zotlabs\Web\Controller { '$slide' => $slide, '$submit' => t('Submit') )); - + return $o; - + } } diff --git a/Zotlabs/Web/HTTPSig.php b/Zotlabs/Web/HTTPSig.php index 8dd999e59..2535c9016 100644 --- a/Zotlabs/Web/HTTPSig.php +++ b/Zotlabs/Web/HTTPSig.php @@ -3,6 +3,7 @@ namespace Zotlabs\Web; use Zotlabs\Lib\ActivityStreams; +use Zotlabs\Lib\Crypto; use Zotlabs\Lib\Keyutils; use Zotlabs\Lib\Webfinger; use Zotlabs\Lib\Libzot; @@ -157,7 +158,7 @@ class HTTPSig { return $result; } - $x = rsa_verify($signed_data,$sig_block['signature'],$cached_key['public_key'],$algorithm); + $x = Crypto::verify($signed_data,$sig_block['signature'],$cached_key['public_key'],$algorithm); logger('verified: ' . $x, LOGGER_DEBUG); @@ -171,7 +172,7 @@ class HTTPSig { $fetched_key = self::get_key($key,$keytype,$result['signer'],true); if ($fetched_key && $fetched_key['public_key']) { - $y = rsa_verify($signed_data,$sig_block['signature'],$fetched_key['public_key'],$algorithm); + $y = Crypto::verify($signed_data,$sig_block['signature'],$fetched_key['public_key'],$algorithm); logger('verified: (cache reload) ' . $x, LOGGER_DEBUG); } @@ -417,7 +418,7 @@ class HTTPSig { $headerval = 'keyId="' . $keyid . '",algorithm="' . $algorithm . '",headers="' . $x['headers'] . '",signature="' . $x['signature'] . '"'; if($encryption) { - $x = crypto_encapsulate($headerval,$encryption['key'],$encryption['algorithm']); + $x = Crypto::encapsulate($headerval,$encryption['key'],$encryption['algorithm']); if(is_array($x)) { $headerval = 'iv="' . $x['iv'] . '",key="' . $x['key'] . '",alg="' . $x['alg'] . '",data="' . $x['data'] . '"'; } @@ -491,7 +492,7 @@ class HTTPSig { $headers = rtrim($headers,"\n"); } - $sig = base64_encode(rsa_sign($headers,$prvkey,$alg)); + $sig = base64_encode(Crypto::sign($headers,$prvkey,$alg)); $ret['headers'] = $fields; $ret['signature'] = $sig; @@ -567,7 +568,7 @@ class HTTPSig { $data = $matches[1]; if($iv && $key && $alg && $data) { - return crypto_unencapsulate([ 'encrypted' => true, 'iv' => $iv, 'key' => $key, 'alg' => $alg, 'data' => $data ] , $prvkey); + return Crypto::unencapsulate([ 'encrypted' => true, 'iv' => $iv, 'key' => $key, 'alg' => $alg, 'data' => $data ] , $prvkey); } return ''; diff --git a/Zotlabs/Zot/Auth.php b/Zotlabs/Zot/Auth.php index 8d198f506..6ce2174f7 100644 --- a/Zotlabs/Zot/Auth.php +++ b/Zotlabs/Zot/Auth.php @@ -2,6 +2,8 @@ namespace Zotlabs\Zot; +use Zotlabs\Lib\Crypto; + class Auth { protected $test; @@ -68,7 +70,7 @@ class Auth { if(strstr($this->desturl,z_root() . '/rmagic')) goaway(z_root()); - $this->Finalise(); + $this->Finalise(); } @@ -76,7 +78,7 @@ class Auth { // Try and find a hubloc for the person attempting to auth. // Since we're matching by address, we have to return all entries - // some of which may be from re-installed hubs; and we'll need to + // some of which may be from re-installed hubs; and we'll need to // try each sequentially to see if one can pass the test $x = q("select * from hubloc left join xchan on xchan_hash = hubloc_hash @@ -130,9 +132,9 @@ class Auth { // Also check that they are coming from the same site as they authenticated with originally. - $already_authed = (((remote_channel()) && ($hubloc['hubloc_hash'] == remote_channel()) + $already_authed = (((remote_channel()) && ($hubloc['hubloc_hash'] == remote_channel()) && ($hubloc['hubloc_url'] === $_SESSION['remote_hub'])) ? true : false); - + if($this->delegate && $this->delegate !== $_SESSION['delegate_channel']) $already_authed = false; @@ -158,17 +160,17 @@ class Auth { return false; } - // Auth packets MUST use ultra top-secret hush-hush mode - e.g. the entire packet is encrypted using the + // Auth packets MUST use ultra top-secret hush-hush mode - e.g. the entire packet is encrypted using the // site private key - // The actual channel sending the packet ($c[0]) is not important, but this provides a + // The actual channel sending the packet ($c[0]) is not important, but this provides a // generic zot packet with a sender which can be verified $x = q("select site_crypto from site where site_url = '%s' limit 1", dbesc($hubloc['hubloc_url']) ); - $p = zot_build_packet($channel,$type = 'auth_check', - array(array('guid' => $hubloc['hubloc_guid'],'guid_sig' => $hubloc['hubloc_guid_sig'])), + $p = zot_build_packet($channel,$type = 'auth_check', + array(array('guid' => $hubloc['hubloc_guid'],'guid_sig' => $hubloc['hubloc_guid_sig'])), $hubloc['hubloc_sitekey'], (($x) ? $x[0]['site_crypto'] : ''), $this->sec); $this->Debug('auth check packet created using sitekey ' . $hubloc['hubloc_sitekey']); @@ -192,12 +194,12 @@ class Auth { $this->Debug('auth check request returned ' . print_r($j, true)); - if(! $j['success']) + if(! $j['success']) return false; // legit response, but we do need to check that this wasn't answered by a man-in-middle - if (! rsa_verify($this->sec . $hubloc['xchan_hash'],base64url_decode($j['confirm']),$hubloc['xchan_pubkey'])) { + if (! Crypto::verify($this->sec . $hubloc['xchan_hash'],base64url_decode($j['confirm']),$hubloc['xchan_pubkey'])) { logger('final confirmation failed.'); if($this->test) $this->Debug('final confirmation failed. ' . $sec . print_r($j,true) . print_r($hubloc,true)); @@ -290,7 +292,7 @@ class Auth { * Magic Auth * ========== * - * So-called "magic auth" takes place by a special exchange. On the site where the "channel to be authenticated" lives (e.g. $mysite), + * So-called "magic auth" takes place by a special exchange. On the site where the "channel to be authenticated" lives (e.g. $mysite), * a redirection is made via $mysite/magic to the zot endpoint of the remote site ($remotesite) with special GET parameters. * * The endpoint is typically https://$remotesite/post - or whatever was specified as the callback url in prior communications @@ -299,7 +301,7 @@ class Auth { * Five GET parameters are supplied: * * auth => the urlencoded webbie (channel@host.domain) of the channel requesting access * * dest => the desired destination URL (urlencoded) - * * sec => a random string which is also stored on $mysite for use during the verification phase. + * * sec => a random string which is also stored on $mysite for use during the verification phase. * * version => the zot revision * * delegate => optional urlencoded webbie of a local channel to invoke delegation rights for * @@ -336,8 +338,8 @@ class Auth { * } * \endcode * - * auth_check messages MUST use encapsulated encryption. This message is sent to the origination site, which checks the 'secret' to see - * if it is the same as the 'sec' which it passed originally. It also checks the secret_sig which is the secret signed by the + * auth_check messages MUST use encapsulated encryption. This message is sent to the origination site, which checks the 'secret' to see + * if it is the same as the 'sec' which it passed originally. It also checks the secret_sig which is the secret signed by the * destination channel's private key and base64url encoded. If everything checks out, a json packet is returned: * * \code{.json} @@ -351,10 +353,10 @@ class Auth { * \endcode * * 'confirm' in this case is the base64url encoded RSA signature of the concatenation of 'secret' with the - * base64url encoded whirlpool hash of the requestor's guid and guid_sig; signed with the source channel private key. - * This prevents a man-in-the-middle from inserting a rogue success packet. Upon receipt and successful - * verification of this packet, the destination site will redirect to the original destination URL and indicate a successful remote login. - * Service_class can be used by cooperating sites to provide different access rights based on account rights and subscription plans. It is + * base64url encoded whirlpool hash of the requestor's guid and guid_sig; signed with the source channel private key. + * This prevents a man-in-the-middle from inserting a rogue success packet. Upon receipt and successful + * verification of this packet, the destination site will redirect to the original destination URL and indicate a successful remote login. + * Service_class can be used by cooperating sites to provide different access rights based on account rights and subscription plans. It is * a string whose contents are not defined by protocol. Example: "basic" or "gold". * * @param[in,out] \App &$a diff --git a/Zotlabs/Zot/Finger.php b/Zotlabs/Zot/Finger.php index 778b701cd..cadde5415 100644 --- a/Zotlabs/Zot/Finger.php +++ b/Zotlabs/Zot/Finger.php @@ -2,6 +2,7 @@ namespace Zotlabs\Zot; +use Zotlabs\Lib\Crypto; use Zotlabs\Web\HTTPSig; /** @@ -109,7 +110,7 @@ class Finger { $result = z_post_url('http://' . $host . $rhs,$postvars, $retries, [ 'headers' => $xhead ]); } } - } + } else { $rhs .= '?f=&address=' . urlencode($address) . '&token=' . self::$token; @@ -135,7 +136,7 @@ class Finger { if($x && (! $verify['header_valid'])) { $signed_token = ((is_array($x) && array_key_exists('signed_token', $x)) ? $x['signed_token'] : null); if($signed_token) { - $valid = rsa_verify('token.' . self::$token, base64url_decode($signed_token), $x['key']); + $valid = Crypto::verify('token.' . self::$token, base64url_decode($signed_token), $x['key']); if(! $valid) { logger('invalid signed token: ' . $url . $rhs, LOGGER_NORMAL, LOG_ERR); diff --git a/Zotlabs/Zot/Receiver.php b/Zotlabs/Zot/Receiver.php index c521c9d64..7fc445f66 100644 --- a/Zotlabs/Zot/Receiver.php +++ b/Zotlabs/Zot/Receiver.php @@ -2,6 +2,8 @@ namespace Zotlabs\Zot; +use Zotlabs\Lib\Crypto; + class Receiver { protected $data; @@ -30,7 +32,7 @@ class Receiver { $this->encrypted = ((array_key_exists('iv',$data)) ? true : false); if($this->encrypted) { - $this->data = @json_decode(@crypto_unencapsulate($data,$prvkey),true); + $this->data = @json_decode(@Crypto::unencapsulate($data,$prvkey),true); } if(! $this->data) $this->data = $data; @@ -72,7 +74,7 @@ class Receiver { $this->validated = true; } - + function Dispatch() { /* Handle tasks which don't require sender validation */ @@ -144,8 +146,8 @@ class Receiver { * $contents->iv and $contents->key are random strings encrypted with this site's RSA public key and then base64url encoded. * * Once decrypted, one will find the normal json_encoded zot message packet. - * - * Defined packet types are: notify, purge, refresh, force_refresh, auth_check, ping, and pickup + * + * Defined packet types are: notify, purge, refresh, force_refresh, auth_check, ping, and pickup * * Standard packet: (used by notify, purge, refresh, force_refresh, and auth_check) * \code{.json} @@ -167,7 +169,7 @@ class Receiver { * \endcode * * Signature fields are all signed with the sender channel private key and base64url encoded. - * Recipients are arrays of guid and guid_sig, which were previously signed with the recipients private + * Recipients are arrays of guid and guid_sig, which were previously signed with the recipients private * key and base64url encoded and later obtained via channel discovery. Absence of recipients indicates * a public message or visible to all potential listeners on this site. * @@ -186,7 +188,7 @@ class Receiver { * * In the pickup packet, the sig fields correspond to the respective data * element signed with this site's system private key and then base64url encoded. - * The "secret" is the same as the original secret from the notify packet. + * The "secret" is the same as the original secret from the notify packet. * * If verification is successful, a json structure is returned containing a * success indicator and an array of type 'pickup'. @@ -283,18 +285,18 @@ class Receiver { * } * \endcode * - * The ping packet can be used to verify that a site has not been re-installed, and to + * The ping packet can be used to verify that a site has not been re-installed, and to * initiate corrective action if it has. The url_sig is signed with the site private key * and base64url encoded - and this should verify with the enclosed sitekey. Failure to * verify indicates the site is corrupt or otherwise unable to communicate using zot. * This return packet is not otherwise verified, so should be compared with other * results obtained from this site which were verified prior to taking action. For instance - * if you have one verified result with this signature and key, and other records for this + * if you have one verified result with this signature and key, and other records for this * url which have different signatures and keys, it indicates that the site was re-installed * and corrective action may commence (remove or mark invalid any entries with different * signatures). * If you have no records which match this url_sig and key - no corrective action should - * be taken as this packet may have been returned by an imposter. + * be taken as this packet may have been returned by an imposter. * * @param[in,out] App &$a */ diff --git a/Zotlabs/Zot6/Receiver.php b/Zotlabs/Zot6/Receiver.php index a9a7ab0df..6440c5da5 100644 --- a/Zotlabs/Zot6/Receiver.php +++ b/Zotlabs/Zot6/Receiver.php @@ -3,6 +3,7 @@ namespace Zotlabs\Zot6; use Zotlabs\Lib\Config; +use Zotlabs\Lib\Crypto; use Zotlabs\Lib\Libzot; use Zotlabs\Web\HTTPSig; @@ -70,7 +71,7 @@ class Receiver { $this->encrypted = ((array_key_exists('encrypted',$this->data) && intval($this->data['encrypted'])) ? true : false); if ($this->encrypted && $this->prvkey) { - $uncrypted = crypto_unencapsulate($this->data,$this->prvkey); + $uncrypted = Crypto::unencapsulate($this->data,$this->prvkey); if ($uncrypted) { $this->data = json_decode($uncrypted,true); } @@ -88,7 +89,7 @@ class Receiver { if ($this->error) { // make timing attacks on the decryption engine a bit more difficult usleep(mt_rand(10000,100000)); - return($this->response); + return($this->response); } if ($this->data) { @@ -126,7 +127,7 @@ class Receiver { $x = Libzot::register_hub($this->sigdata['signer']); if($x['success']) { $hub = Libzot::valid_hub($this->sender,$this->site_id); - } + } if(! $hub) { $this->response['message'] = 'sender unknown'; return false; @@ -168,8 +169,8 @@ class Receiver { } } return $result; - } - + } + function Dispatch() { switch ($this->messagetype) { @@ -207,13 +208,13 @@ class Receiver { $this->EncryptResponse(); } - return($this->response); + return($this->response); } function EncryptResponse() { $algorithm = Libzot::best_algorithm($this->hub['site_crypto']); if ($algorithm) { - $this->response = crypto_encapsulate(json_encode($this->response),$this->hub['hubloc_sitekey'], $algorithm); + $this->response = Crypto::encapsulate(json_encode($this->response),$this->hub['hubloc_sitekey'], $algorithm); } } @@ -28,6 +28,8 @@ */ // composer autoloader for all namespaced Classes +use Zotlabs\Lib\Crypto; + require_once('vendor/autoload.php'); require_once('include/config.php'); @@ -1570,7 +1572,7 @@ function fix_system_urls($oldurl, $newurl) { dbesc($channel_address . '@' . $rhs), dbesc($newurl), dbesc(str_replace($oldurl,$newurl,$rv['hubloc_id_url'])), - dbesc(($rv['hubloc_network'] === 'zot6') ? \Zotlabs\Lib\Libzot::sign($newurl,$c[0]['channel_prvkey']) : base64url_encode(rsa_sign($newurl,$c[0]['channel_prvkey']))), + dbesc(($rv['hubloc_network'] === 'zot6') ? \Zotlabs\Lib\Libzot::sign($newurl,$c[0]['channel_prvkey']) : base64url_encode(Crypto::sign($newurl,$c[0]['channel_prvkey']))), dbesc($newhost), dbesc(($rv['hubloc_network'] === 'zot6') ? $newurl . '/zot' : $newurl . '/post'), dbesc($rv['xchan_hash']), diff --git a/include/account.php b/include/account.php index bea84cea7..34936c33f 100644 --- a/include/account.php +++ b/include/account.php @@ -4,6 +4,8 @@ * @brief Somme account related functions. */ +use Zotlabs\Lib\Crypto; + require_once('include/config.php'); require_once('include/network.php'); require_once('include/plugin.php'); @@ -26,8 +28,8 @@ function check_account_email($email) { $email = punify($email); $result = array('error' => false, 'message' => ''); - // Caution: empty email isn't counted as an error in this function. - // Check for empty value separately. + // Caution: empty email isn't counted as an error in this function. + // Check for empty value separately. if(! strlen($email)) return $result; @@ -36,7 +38,7 @@ function check_account_email($email) { $result['message'] .= t('Not a valid email address') . EOL; elseif(! allowed_email($email)) $result['message'] = t('Your email domain is not among those allowed on this site'); - else { + else { $r = q("select account_email from account where account_email = '%s' limit 1", dbesc($email) ); @@ -175,7 +177,7 @@ function create_account($arr) { // Ensure that there is a host keypair. if ((! get_config('system', 'pubkey')) && (! get_config('system', 'prvkey'))) { - $hostkey = new_keypair(4096); + $hostkey = Crypto::new_keypair(4096); set_config('system', 'pubkey', $hostkey['pubkey']); set_config('system', 'prvkey', $hostkey['prvkey']); } @@ -306,8 +308,8 @@ function verify_email_address($arr) { ); $res = z_mail( - [ - 'toEmail' => $arr['email'], + [ + 'toEmail' => $arr['email'], 'messageSubject' => sprintf( t('Registration confirmation for %s'), get_config('system','sitename')), 'textVersion' => $email_msg, ] @@ -375,8 +377,8 @@ function send_reg_approval_email($arr) { )); $res = z_mail( - [ - 'toEmail' => $admin['email'], + [ + 'toEmail' => $admin['email'], 'messageSubject' => sprintf( t('Registration request at %s'), get_config('system','sitename')), 'textVersion' => $email_msg, ] @@ -403,7 +405,7 @@ function send_register_success_email($email,$password) { )); $res = z_mail( - [ + [ 'toEmail' => $email, 'messageSubject' => sprintf( t('Registration details for %s'), get_config('system','sitename')), 'textVersion' => $email_msg, @@ -446,7 +448,7 @@ function account_allow($hash) { intval(ACCOUNT_BLOCKED), intval($register[0]['uid']) ); - + q("update account set account_flags = (account_flags & ~%d) where (account_flags & %d)>0 and account_id = %d", intval(ACCOUNT_PENDING), intval(ACCOUNT_PENDING), @@ -466,7 +468,7 @@ function account_allow($hash) { )); $res = z_mail( - [ + [ 'toEmail' => $account[0]['account_email'], 'messageSubject' => sprintf( t('Registration details for %s'), get_config('system','sitename')), 'textVersion' => $email_msg, @@ -556,13 +558,13 @@ function account_approve($hash) { intval(ACCOUNT_BLOCKED), intval($register[0]['uid']) ); - + q("update account set account_flags = (account_flags & ~%d) where (account_flags & %d)>0 and account_id = %d", intval(ACCOUNT_PENDING), intval(ACCOUNT_PENDING), intval($register[0]['uid']) ); - + q("update account set account_flags = (account_flags & ~%d) where (account_flags & %d)>0 and account_id = %d", intval(ACCOUNT_UNVERIFIED), intval(ACCOUNT_UNVERIFIED), @@ -583,7 +585,7 @@ function account_approve($hash) { else { $_SESSION['login_return_url'] = 'new_channel'; authenticate_success($account[0],null,true,true,false,true); - } + } return true; } @@ -592,14 +594,14 @@ function account_approve($hash) { /** * @brief Checks for accounts that have past their expiration date. * - * If the account has a service class which is not the site default, + * If the account has a service class which is not the site default, * the service class is reset to the site default and expiration reset to never. * If the account has no service class it is expired and subsequently disabled. * called from include/poller.php as a scheduled task. * * Reclaiming resources which are no longer within the service class limits is - * not the job of this function, but this can be implemented by plugin if desired. - * Default behaviour is to stop allowing additional resources to be consumed. + * not the job of this function, but this can be implemented by plugin if desired. + * Default behaviour is to stop allowing additional resources to be consumed. */ function downgrade_accounts() { diff --git a/include/channel.php b/include/channel.php index 2d79cd074..08b5ee889 100644 --- a/include/channel.php +++ b/include/channel.php @@ -9,6 +9,7 @@ use Zotlabs\Access\PermissionRoles; use Zotlabs\Access\PermissionLimits; use Zotlabs\Access\Permissions; use Zotlabs\Daemon\Master; +use Zotlabs\Lib\Crypto; use Zotlabs\Lib\System; use Zotlabs\Render\Comanche; use Zotlabs\Lib\Libzot; @@ -107,7 +108,7 @@ function create_sys_channel() { if ((! get_config('system', 'pubkey')) && (! get_config('system', 'prvkey'))) { require_once('include/crypto.php'); - $hostkey = new_keypair(4096); + $hostkey = Crypto::new_keypair(4096); set_config('system', 'pubkey', $hostkey['pubkey']); set_config('system', 'prvkey', $hostkey['prvkey']); } @@ -232,10 +233,10 @@ function create_identity($arr) { } $guid = Libzot::new_uid($nick); - $key = new_keypair(4096); + $key = Crypto::new_keypair(4096); // legacy zot - $zsig = base64url_encode(rsa_sign($guid,$key['prvkey'])); + $zsig = base64url_encode(Crypto::sign($guid,$key['prvkey'])); $zhash = make_xchan_hash($guid,$zsig); // zot6 @@ -345,7 +346,7 @@ function create_identity($arr) { 'hubloc_addr' => channel_reddress($ret['channel']), 'hubloc_primary' => intval($primary), 'hubloc_url' => z_root(), - 'hubloc_url_sig' => base64url_encode(rsa_sign(z_root(),$ret['channel']['channel_prvkey'])), + 'hubloc_url_sig' => base64url_encode(Crypto::sign(z_root(),$ret['channel']['channel_prvkey'])), 'hubloc_host' => App::get_hostname(), 'hubloc_callback' => z_root() . '/post', 'hubloc_sitekey' => get_config('system','pubkey'), @@ -603,9 +604,9 @@ function change_channel_keys($channel) { $stored = []; - $key = new_keypair(4096); + $key = Crypto::new_keypair(4096); - $sig = base64url_encode(rsa_sign($channel['channel_guid'],$key['prvkey'])); + $sig = base64url_encode(Crypto::sign($channel['channel_guid'],$key['prvkey'])); $hash = make_xchan_hash($channel['channel_guid'],$sig); $stored['old_guid'] = $channel['channel_guid']; @@ -614,7 +615,7 @@ function change_channel_keys($channel) { $stored['old_hash'] = $channel['channel_hash']; $stored['new_key'] = $key['pubkey']; - $stored['new_sig'] = base64url_encode(rsa_sign($key['pubkey'],$channel['channel_prvkey'])); + $stored['new_sig'] = base64url_encode(Crypto::sign($key['pubkey'],$channel['channel_prvkey'])); // Save this info for the notifier to collect @@ -651,7 +652,7 @@ function change_channel_keys($channel) { foreach($h as $hv) { $hv['hubloc_guid_sig'] = $sig; $hv['hubloc_hash'] = $hash; - $hv['hubloc_url_sig'] = base64url_encode(rsa_sign(z_root(),$modified['channel_prvkey'])); + $hv['hubloc_url_sig'] = base64url_encode(Crypto::sign(z_root(),$modified['channel_prvkey'])); hubloc_store_lowlevel($hv); } } diff --git a/include/crypto.php b/include/crypto.php index 84d639f3f..d91d3749c 100644 --- a/include/crypto.php +++ b/include/crypto.php @@ -1,5 +1,7 @@ <?php /** @file */ +use Zotlabs\Lib\Crypto; + require_once('library/ASNValue.class.php'); require_once('library/asn1.php'); @@ -192,7 +194,6 @@ function crypto_methods() { function signing_methods() { - $r = [ 'sha256' ]; call_hooks('signing_methods',$r); return $r; @@ -461,12 +462,12 @@ function convert_salmon_key($key) { function z_obscure($s) { - return json_encode(crypto_encapsulate($s,get_config('system','pubkey'))); + return json_encode(Crypto::encapsulate($s,get_config('system','pubkey'))); } function z_unobscure($s) { if(strpos($s,"{\"") !== 0) return $s; - return crypto_unencapsulate(json_decode($s,true),get_config('system','prvkey')); + return Crypto::unencapsulate(json_decode($s,true),get_config('system','prvkey')); } diff --git a/include/dir_fns.php b/include/dir_fns.php index 88a1bb74f..8326415ed 100644 --- a/include/dir_fns.php +++ b/include/dir_fns.php @@ -3,6 +3,7 @@ * @file include/dir_fns.php */ +use Zotlabs\Lib\Crypto; use Zotlabs\Lib\Libzot; use Zotlabs\Lib\Webfinger; use Zotlabs\Lib\Zotfinger; @@ -280,7 +281,7 @@ function sync_directories($dirmode) { logger('key unavailable on this site for ' . $rr['channel']); continue; } - if (! rsa_verify($rr['target'] . '.' . $rr['rating'] . '.' . $rr['rating_text'], base64url_decode($rr['signature']),$y[0]['xchan_pubkey'])) { + if (! Crypto::verify($rr['target'] . '.' . $rr['rating'] . '.' . $rr['rating_text'], base64url_decode($rr['signature']),$y[0]['xchan_pubkey'])) { logger('failed to verify rating'); continue; } diff --git a/include/follow.php b/include/follow.php index a4d382545..64ae8f7f1 100644 --- a/include/follow.php +++ b/include/follow.php @@ -9,6 +9,8 @@ // $return['abook'] Address book entry joined with xchan if successful // $return['message'] error text if success is false. +use Zotlabs\Lib\Crypto; + require_once('include/zot.php'); function new_contact($uid,$url,$channel,$interactive = false, $confirm = false) { @@ -19,7 +21,7 @@ function new_contact($uid,$url,$channel,$interactive = false, $confirm = false) $is_zot = false; $protocol = ''; - + if(substr($url,0,1) === '[') { $x = strpos($url,']'); if($x) { @@ -62,7 +64,7 @@ function new_contact($uid,$url,$channel,$interactive = false, $confirm = false) call_hooks('follow_init', $arr); - if($arr['channel']['success']) + if($arr['channel']['success']) $ret = $arr['channel']; elseif((! $is_http) && ((! $protocol) || (strtolower($protocol) === 'zot'))) $ret = Zotlabs\Zot\Finger::run($url,$channel); @@ -98,11 +100,11 @@ function new_contact($uid,$url,$channel,$interactive = false, $confirm = false) return $result; } } - - + + // do we have an xchan and hubloc? - // If not, create them. + // If not, create them. $x = import_xchan($j); @@ -111,13 +113,13 @@ function new_contact($uid,$url,$channel,$interactive = false, $confirm = false) return $result; } - if(! $x['success']) + if(! $x['success']) return $x; $xchan_hash = $x['hash']; if( array_key_exists('permissions',$j) && array_key_exists('data',$j['permissions'])) { - $permissions = crypto_unencapsulate(array( + $permissions = Crypto::unencapsulate(array( 'data' => $j['permissions']['data'], 'alg' => $j['permissions']['alg'], 'key' => $j['permissions']['key'], @@ -140,7 +142,7 @@ function new_contact($uid,$url,$channel,$interactive = false, $confirm = false) $xchan_hash = ''; $sql_options = (($protocol) ? " and xchan_network = '" . dbesc($protocol) . "' " : ''); - + $r = q("select * from xchan where (xchan_addr = '%s' or xchan_url = '%s') $sql_options ", dbesc($url), diff --git a/include/items.php b/include/items.php index 83108455f..223fba147 100644 --- a/include/items.php +++ b/include/items.php @@ -4,6 +4,7 @@ * @brief Items related functions. */ +use Zotlabs\Lib\Crypto; use Zotlabs\Lib\Enotify; use Zotlabs\Lib\MarkdownSoap; use Zotlabs\Lib\MessageFilter; @@ -1652,7 +1653,7 @@ function item_sign(&$item) { if(! $r) return; - $item['sig'] = base64url_encode(rsa_sign($item['body'], $r[0]['channel_prvkey'])); + $item['sig'] = base64url_encode(Crypto::sign($item['body'], $r[0]['channel_prvkey'])); $item['item_verified'] = 1; } @@ -2971,7 +2972,7 @@ function item_community_tag($channel,$item) { $pitem = $items[0]; $auth = get_iconfig($item,'system','communitytagauth'); if($auth) { - if(rsa_verify('tagauth.' . $item['mid'],base64url_decode($auth),$pitem['owner']['xchan_pubkey']) || rsa_verify('tagauth.' . $item['mid'],base64url_decode($auth),$pitem['author']['xchan_pubkey'])) { + if(Crypto::verify('tagauth.' . $item['mid'],base64url_decode($auth),$pitem['owner']['xchan_pubkey']) || Crypto::verify('tagauth.' . $item['mid'],base64url_decode($auth),$pitem['author']['xchan_pubkey'])) { logger('tag_deliver: tagging the post: ' . $channel['channel_name']); $tag_the_post = true; } @@ -2980,7 +2981,7 @@ function item_community_tag($channel,$item) { if(($pitem['owner_xchan'] === $channel['channel_hash']) && (! intval(get_pconfig($channel['channel_id'],'system','blocktags')))) { logger('tag_deliver: community tag recipient: ' . $channel['channel_name']); $tag_the_post = true; - $sig = rsa_sign('tagauth.' . $item['mid'],$channel['channel_prvkey']); + $sig = Crypto::sign('tagauth.' . $item['mid'],$channel['channel_prvkey']); logger('tag_deliver: setting iconfig for ' . $item['id']); set_iconfig($item['id'],'system','communitytagauth',base64url_encode($sig),1); } diff --git a/include/text.php b/include/text.php index 1e08d136c..b7cc0ba20 100644 --- a/include/text.php +++ b/include/text.php @@ -9,6 +9,7 @@ use Michelf\MarkdownExtra; use Ramsey\Uuid\Uuid; use Ramsey\Uuid\Exception\UnableToBuildUuidException; +use Zotlabs\Lib\Crypto; use Zotlabs\Lib\SvgSanitizer; require_once("include/bbcode.php"); @@ -3248,7 +3249,7 @@ function item_url_replace($channel,&$item,$old,$new,$oldnick = '') { $item['body'] = preg_replace("/(\[zrl=".preg_quote($old,'/')."\/(photo|photos|gallery)\/".$channel['channel_address'].".+\]\[zmg=\d+x\d+\])".preg_quote($old,'/')."\/(.+\[\/zmg\])/", '${1}'.$new.'/${3}', $item['body']); $item['body'] = preg_replace("/".preg_quote($old,'/')."\/(search|\w+\/".$channel['channel_address'].")/", $new.'/${1}', $item['body']); - $item['sig'] = base64url_encode(rsa_sign($item['body'],$channel['channel_prvkey'])); + $item['sig'] = base64url_encode(Crypto::sign($item['body'],$channel['channel_prvkey'])); $item['item_verified'] = 1; $item['plink'] = str_replace($old,$new,$item['plink']); @@ -3881,6 +3882,14 @@ function unserialise($x) { return ((is_array($y)) ? $y : $x); } +function obscurify($s) { + return str_rot47(base64url_encode($s)); +} + +function unobscurify($s) { + return base64url_decode(str_rot47($s)); +} + /** * @brief Remove new lines and tabs from strings. * diff --git a/include/xchan.php b/include/xchan.php index 5de828e7f..07fdb8b47 100644 --- a/include/xchan.php +++ b/include/xchan.php @@ -1,5 +1,6 @@ <?php +use Zotlabs\Lib\Crypto; use Zotlabs\Web\HTTPSig; use Zotlabs\Lib\Libzot; @@ -85,7 +86,7 @@ function xchan_store($arr) { } if($arr['network'] === 'zot') { - if((! $arr['key']) || (! rsa_verify($arr['guid'],base64url_decode($arr['guid_sig']),$arr['key']))) { + if((! $arr['key']) || (! Crypto::verify($arr['guid'],base64url_decode($arr['guid_sig']),$arr['key']))) { logger('Unable to verify signature for ' . $arr['hash']); return false; } @@ -102,7 +103,7 @@ function xchan_store($arr) { if($k === 'photo') { continue; } - + if(in_array($columns,'xchan_' . $k)) $x['xchan_' . $k] = escape_tags($v); } @@ -112,7 +113,7 @@ function xchan_store($arr) { $x['xchan_system'] = false; $result = xchan_store_lowlevel($x); - + if(! $result) return $result; } @@ -207,9 +208,9 @@ function xchan_keychange_acl($table,$column,$oldxchan,$newxchan) { if($r) { foreach($r as $rv) { $z = q("update $table set $allow = '%s', $deny = '%s' where $column = %d", - dbesc(str_replace('<' . $oldxchan['xchan_hash'] . '>', '<' . $newxchan['xchan_hash'] . '>', + dbesc(str_replace('<' . $oldxchan['xchan_hash'] . '>', '<' . $newxchan['xchan_hash'] . '>', $rv[$allow])), - dbesc(str_replace('<' . $oldxchan['xchan_hash'] . '>', '<' . $newxchan['xchan_hash'] . '>', + dbesc(str_replace('<' . $oldxchan['xchan_hash'] . '>', '<' . $newxchan['xchan_hash'] . '>', $rv[$deny])), intval($rv[$column]) ); @@ -243,7 +244,7 @@ function xchan_change_key($oldx,$newx,$data) { 'xprof' => 'xprof_hash', 'xtag' => 'xtag_hash' ]; - + $acls = [ 'channel' => 'channel_id', diff --git a/include/zot.php b/include/zot.php index d61873ba2..f96792656 100644 --- a/include/zot.php +++ b/include/zot.php @@ -8,6 +8,7 @@ * */ +use Zotlabs\Lib\Crypto; use Zotlabs\Lib\DReport; use Zotlabs\Lib\Libzot; use Zotlabs\Lib\Activity; @@ -123,15 +124,15 @@ function zot_build_packet($channel, $type = 'notify', $recipients = null, $remot 'type' => $type, 'sender' => [ 'guid' => $channel['channel_guid'], - 'guid_sig' => base64url_encode(rsa_sign($channel['channel_guid'],$channel['channel_prvkey'],$sig_method)), + 'guid_sig' => base64url_encode(Crypto::sign($channel['channel_guid'],$channel['channel_prvkey'],$sig_method)), 'url' => z_root(), - 'url_sig' => base64url_encode(rsa_sign(z_root(),$channel['channel_prvkey'],$sig_method)), + 'url_sig' => base64url_encode(Crypto::sign(z_root(),$channel['channel_prvkey'],$sig_method)), 'sitekey' => get_config('system','pubkey') ], 'callback' => '/post', 'version' => Zotlabs\Lib\System::get_zot_revision(), - 'encryption' => crypto_methods(), - 'signing' => signing_methods() + 'encryption' => Crypto::methods(), + 'signing' => Crypto::signing_methods() ]; if ($recipients) { @@ -143,7 +144,7 @@ function zot_build_packet($channel, $type = 'notify', $recipients = null, $remot if ($secret) { $data['secret'] = preg_replace('/[^0-9a-fA-F]/','',$secret); - $data['secret_sig'] = base64url_encode(rsa_sign($secret,$channel['channel_prvkey'],$sig_method)); + $data['secret_sig'] = base64url_encode(Crypto::sign($secret,$channel['channel_prvkey'],$sig_method)); } if ($extra) { @@ -157,7 +158,7 @@ function zot_build_packet($channel, $type = 'notify', $recipients = null, $remot if($remote_key) { $algorithm = zot_best_algorithm($methods); - $data = crypto_encapsulate(json_encode($data),$remote_key, $algorithm); + $data = Crypto::encapsulate(json_encode($data),$remote_key, $algorithm); } return json_encode($data); @@ -197,15 +198,15 @@ function zot6_build_packet($channel, $type = 'notify', $recipients = null, $msg 'type' => $type, 'sender' => [ 'guid' => $channel['channel_guid'], - 'guid_sig' => base64url_encode(rsa_sign($channel['channel_guid'],$channel['channel_prvkey'],$sig_method)), + 'guid_sig' => base64url_encode(Crypto::sign($channel['channel_guid'],$channel['channel_prvkey'],$sig_method)), 'url' => z_root(), - 'url_sig' => base64url_encode(rsa_sign(z_root(),$channel['channel_prvkey'],$sig_method)), + 'url_sig' => base64url_encode(Crypto::sign(z_root(),$channel['channel_prvkey'],$sig_method)), 'sitekey' => get_config('system','pubkey') ], 'callback' => '/post', 'version' => Zotlabs\Lib\System::get_zot_revision(), - 'encryption' => crypto_methods(), - 'signing' => signing_methods() + 'encryption' => Crypto::methods(), + 'signing' => Crypto::signing_methods() ]; if ($recipients) { @@ -221,7 +222,7 @@ function zot6_build_packet($channel, $type = 'notify', $recipients = null, $msg if ($secret) { $data['secret'] = preg_replace('/[^0-9a-fA-F]/','',$secret); - $data['secret_sig'] = base64url_encode(rsa_sign($secret,$channel['channel_prvkey'],$sig_method)); + $data['secret_sig'] = base64url_encode(Crypto::sign($secret,$channel['channel_prvkey'],$sig_method)); } if ($extra) { @@ -235,7 +236,7 @@ function zot6_build_packet($channel, $type = 'notify', $recipients = null, $msg if($remote_key) { $algorithm = zot_best_algorithm($methods); - $data = crypto_encapsulate(json_encode($data),$remote_key, $algorithm); + $data = Crypto::encapsulate(json_encode($data),$remote_key, $algorithm); } return json_encode($data); @@ -249,7 +250,7 @@ function zot6_build_packet($channel, $type = 'notify', $recipients = null, $msg * * @param string $methods * comma separated list of encryption methods - * @return string first match from our site method preferences crypto_methods() array + * @return string first match from our site method preferences Crypto::methods() array * of a method which is common to both sites; or 'aes256cbc' if no matches are found. */ function zot_best_algorithm($methods) { @@ -272,7 +273,7 @@ function zot_best_algorithm($methods) { if($methods) { $x = explode(',', $methods); if($x) { - $y = crypto_methods(); + $y = Crypto::methods(); if($y) { foreach($y as $yv) { $yv = trim($yv); @@ -443,7 +444,7 @@ function zot_refresh($them, $channel = null, $force = false) { $signed_token = ((is_array($j) && array_key_exists('signed_token',$j)) ? $j['signed_token'] : null); if($signed_token) { - $valid = rsa_verify('token.' . $token,base64url_decode($signed_token),$j['key']); + $valid = Crypto::verify('token.' . $token,base64url_decode($signed_token),$j['key']); if(! $valid) { logger('invalid signed token: ' . $url . $rhs, LOGGER_NORMAL, LOG_ERR); return false; @@ -461,7 +462,7 @@ function zot_refresh($them, $channel = null, $force = false) { if($channel) { if($j['permissions']['data']) { - $permissions = crypto_unencapsulate( + $permissions = Crypto::unencapsulate( [ 'data' => $j['permissions']['data'], 'key' => $j['permissions']['key'], @@ -719,8 +720,8 @@ function zot_register_hub($arr) { */ foreach($sig_methods as $method) { - if((rsa_verify($arr['guid'],base64url_decode($arr['guid_sig']),$record['key'],$method)) - && (rsa_verify($arr['url'],base64url_decode($arr['url_sig']),$record['key'],$method)) + if((Crypto::verify($arr['guid'],base64url_decode($arr['guid_sig']),$record['key'],$method)) + && (Crypto::verify($arr['url'],base64url_decode($arr['url_sig']),$record['key'],$method)) && ($arr['guid'] === $record['guid']) && ($arr['guid_sig'] === $record['guid_sig'])) { $c = import_xchan($record); @@ -790,7 +791,7 @@ function import_xchan($arr, $ud_flags = UPDATE_FLAGS_UPDATED, $ud_arr = null) { $verified = false; foreach($sig_methods as $method) { - if(! rsa_verify($arr['guid'],base64url_decode($arr['guid_sig']),$arr['key'],$method)) { + if(! Crypto::verify($arr['guid'],base64url_decode($arr['guid_sig']),$arr['key'],$method)) { logger('Unable to verify channel signature for ' . $arr['address'] . ' using ' . $method); continue; } @@ -925,28 +926,28 @@ function import_xchan($arr, $ud_flags = UPDATE_FLAGS_UPDATED, $ud_arr = null) { $local = q("select channel_account_id, channel_id from channel where channel_portable_id = '%s' limit 1", dbesc($xchan_hash) ); - + if($local) { - // @FIXME This should be removed in future when profile photo update by file sync procedure will be applied + // @FIXME This should be removed in future when profile photo update by file sync procedure will be applied // on most hubs in the network // <--- $ph = z_fetch_url($arr['photo'], true); - + if($ph['success']) { - + // Do not fetch already received thumbnails $x = q("SELECT resource_id FROM photo WHERE uid = %d AND imgscale = %d AND filesize = %d LIMIT 1", intval($local[0]['channel_id']), intval(PHOTO_RES_PROFILE_300), strlen($ph['body']) - ); + ); if($x) $hash = $x[0]['resource_id']; else $hash = import_channel_photo($ph['body'], $arr['photo_mimetype'], $local[0]['channel_account_id'], $local[0]['channel_id']); } - + if($hash) { // unless proven otherwise $is_default_profile = 1; @@ -972,7 +973,7 @@ function import_xchan($arr, $ud_flags = UPDATE_FLAGS_UPDATED, $ud_arr = null) { } } // ---> - + // reset the names in case they got messed up when we had a bug in this function $photos = array( z_root() . '/photo/profile/l/' . $local[0]['channel_id'], @@ -1128,7 +1129,7 @@ function zot_process_response($hub, $arr, $outq) { if(is_array($x) && array_key_exists('delivery_report',$x) && is_array($x['delivery_report'])) { if(array_key_exists('iv',$x['delivery_report'])) { - $j = crypto_unencapsulate($x['delivery_report'],get_config('system','prvkey')); + $j = Crypto::unencapsulate($x['delivery_report'],get_config('system','prvkey')); if($j) { $x['delivery_report'] = json_decode($j,true); } @@ -1253,14 +1254,14 @@ function zot_fetch($arr) { $data = [ 'type' => 'pickup', 'url' => z_root(), - 'callback_sig' => base64url_encode(rsa_sign(z_root() . '/post', get_config('system','prvkey'))), + 'callback_sig' => base64url_encode(Crypto::sign(z_root() . '/post', get_config('system','prvkey'))), 'callback' => z_root() . '/post', 'secret' => $secret, - 'secret_sig' => base64url_encode(rsa_sign($secret, get_config('system','prvkey'))) + 'secret_sig' => base64url_encode(Crypto::sign($secret, get_config('system','prvkey'))) ]; $algorithm = zot_best_algorithm($hub['site_crypto']); - $datatosend = json_encode(crypto_encapsulate(json_encode($data),$hub['hubloc_sitekey'], $algorithm)); + $datatosend = json_encode(Crypto::encapsulate(json_encode($data),$hub['hubloc_sitekey'], $algorithm)); $import = zot_zot($url,$datatosend); @@ -1272,7 +1273,7 @@ function zot_fetch($arr) { $result = zot_import($import, $arr['sender']['url']); if($result) { - $result = crypto_encapsulate(json_encode($result),$hub['hubloc_sitekey'], $algorithm); + $result = Crypto::encapsulate(json_encode($result),$hub['hubloc_sitekey'], $algorithm); return $result; } @@ -1314,7 +1315,7 @@ function zot_import($arr, $sender_url) { } if(array_key_exists('iv', $data)) { - $data = json_decode(crypto_unencapsulate($data,get_config('system','prvkey')),true); + $data = json_decode(Crypto::unencapsulate($data,get_config('system','prvkey')),true); } if(! is_array($data)) { @@ -1342,7 +1343,7 @@ function zot_import($arr, $sender_url) { $result = null; if(array_key_exists('iv',$i['notify'])) { - $i['notify'] = json_decode(crypto_unencapsulate($i['notify'],get_config('system','prvkey')),true); + $i['notify'] = json_decode(Crypto::unencapsulate($i['notify'],get_config('system','prvkey')),true); } logger('Notify: ' . print_r($i['notify'],true), LOGGER_DATA, LOG_DEBUG); @@ -2466,7 +2467,7 @@ function process_rating_delivery($sender, $arr) { dbesc($sender['hash']) ); - if((! $z) || (! rsa_verify($arr['target'] . '.' . $arr['rating'] . '.' . $arr['rating_text'], base64url_decode($arr['signature']),$z[0]['xchan_pubkey']))) { + if((! $z) || (! Crypto::verify($arr['target'] . '.' . $arr['rating'] . '.' . $arr['rating_text'], base64url_decode($arr['signature']),$z[0]['xchan_pubkey']))) { logger('failed to verify rating'); return; } @@ -2652,7 +2653,7 @@ function sync_locations($sender, $arr, $absolute = false) { $arr['locations'][0]['primary'] = true; foreach($arr['locations'] as $location) { - if(! rsa_verify($location['url'],base64url_decode($location['url_sig']),$sender['key'])) { + if(! Crypto::verify($location['url'],base64url_decode($location['url_sig']),$sender['key'])) { logger('Unable to verify site signature for ' . $location['url']); $ret['message'] .= sprintf( t('Unable to verify site signature for %s'), $location['url']) . EOL; continue; @@ -3126,7 +3127,7 @@ function import_site($arr, $pubkey) { if( (! is_array($arr)) || (! $arr['url']) || (! $arr['url_sig'])) return false; - if(! rsa_verify($arr['url'], base64url_decode($arr['url_sig']), $pubkey)) { + if(! Crypto::verify($arr['url'], base64url_decode($arr['url_sig']), $pubkey)) { logger('Bad url_sig'); return false; } @@ -3509,12 +3510,12 @@ function process_channel_sync_delivery($sender, $arr, $deliveries) { if($keychange) { // verify the keychange operation - if(! rsa_verify($arr['channel']['channel_pubkey'],base64url_decode($arr['keychange']['new_sig']),$channel['channel_prvkey'])) { + if(! Crypto::verify($arr['channel']['channel_pubkey'],base64url_decode($arr['keychange']['new_sig']),$channel['channel_prvkey'])) { logger('sync keychange: verification failed'); continue; } - $sig = base64url_encode(rsa_sign($channel['channel_guid'],$arr['channel']['channel_prvkey'])); + $sig = base64url_encode(Crypto::sign($channel['channel_guid'],$arr['channel']['channel_prvkey'])); $hash = make_xchan_hash($channel['channel_guid'],$sig); @@ -3551,7 +3552,7 @@ function process_channel_sync_delivery($sender, $arr, $deliveries) { foreach($h as $hv) { $hv['hubloc_guid_sig'] = $sig; $hv['hubloc_hash'] = $hash; - $hv['hubloc_url_sig'] = base64url_encode(rsa_sign(z_root(),$channel['channel_prvkey'])); + $hv['hubloc_url_sig'] = base64url_encode(Crypto::sign(z_root(),$channel['channel_prvkey'])); hubloc_store_lowlevel($hv); } } @@ -4329,7 +4330,7 @@ function zot_rekey_request($sender,$data) { $xchan = $r[0]; - if(! rsa_verify($data['new_key'],base64url_decode($data['new_sig']),$xchan['xchan_pubkey'])) { + if(! Crypto::verify($data['new_key'],base64url_decode($data['new_sig']),$xchan['xchan_pubkey'])) { json_return_and_die($ret); } @@ -4367,7 +4368,7 @@ function zotinfo($arr) { $feed = ((x($arr,'feed')) ? intval($arr['feed']) : 0); if($ztarget) { - if((! $zkey) || (! $zsig) || (! rsa_verify($ztarget,base64url_decode($zsig),$zkey))) { + if((! $zkey) || (! $zsig) || (! Crypto::verify($ztarget,base64url_decode($zsig),$zkey))) { logger('zfinger: invalid target signature'); $ret['message'] = t("invalid target signature"); return($ret); @@ -4531,7 +4532,7 @@ function zotinfo($arr) { // Communication details if($token) - $ret['signed_token'] = base64url_encode(rsa_sign('token.' . $token,$e['channel_prvkey'],$sig_method)); + $ret['signed_token'] = base64url_encode(Crypto::sign('token.' . $token,$e['channel_prvkey'],$sig_method)); $ret['guid'] = $e['xchan_guid']; @@ -4587,7 +4588,7 @@ function zotinfo($arr) { // because ztarget refers to an xchan and we don't necessarily know the origination // location. - $ret['permissions'] = (($ztarget && $zkey) ? crypto_encapsulate(json_encode($permissions),$zkey) : $permissions); + $ret['permissions'] = (($ztarget && $zkey) ? crypto_encapsulate(json_encode($permissions),$zkey,) : $permissions); if($permissions['view_profile']) $ret['profile'] = $profile; @@ -4622,9 +4623,9 @@ function zot_site_info($channel_key = '') { $ret['site'] = []; $ret['site']['url'] = z_root(); if($channel_key) { - $ret['site']['url_sig'] = base64url_encode(rsa_sign(z_root(),$channel_key,$sig_method)); + $ret['site']['url_sig'] = base64url_encode(Crypto::sign(z_root(),$channel_key,$sig_method)); } - $ret['site']['url_site_sig'] = base64url_encode(rsa_sign(z_root(),$signing_key,$sig_method)); + $ret['site']['url_site_sig'] = base64url_encode(Crypto::sign(z_root(),$signing_key,$sig_method)); $ret['site']['post'] = z_root() . '/post'; $ret['site']['openWebAuth'] = z_root() . '/owa'; $ret['site']['authRedirect'] = z_root() . '/magic'; @@ -4644,8 +4645,8 @@ function zot_site_info($channel_key = '') { $ret['site']['directory_url'] = z_root() . '/dirsearch'; - $ret['site']['encryption'] = crypto_methods(); - $ret['site']['signing'] = signing_methods(); + $ret['site']['encryption'] = Crypto::methods(); + $ret['site']['signing'] = Crypto::signing_methods(); $ret['site']['zot'] = Zotlabs\Lib\System::get_zot_revision(); // hide detailed site information if you're off the grid @@ -4724,7 +4725,7 @@ function check_zotinfo($channel, $locations, &$ret) { // the sys channel must have a location (hubloc) $valid_location = false; if((count($locations) === 1) && ($locations[0]['primary']) && (! $locations[0]['deleted'])) { - if((rsa_verify($locations[0]['url'],base64url_decode($locations[0]['url_sig']),$channel['channel_pubkey'])) + if((Crypto::verify($locations[0]['url'],base64url_decode($locations[0]['url_sig']),$channel['channel_pubkey'])) && ($locations[0]['sitekey'] === get_config('system','pubkey')) && ($locations[0]['url'] === z_root())) $valid_location = true; @@ -4752,7 +4753,7 @@ function check_zotinfo($channel, $locations, &$ret) { 'hubloc_network' => 'zot', 'hubloc_primary' => 1, 'hubloc_url' => z_root(), - 'hubloc_url_sig' => base64url_encode(rsa_sign(z_root(),$channel['channel_prvkey'])), + 'hubloc_url_sig' => base64url_encode(Crypto::sign(z_root(),$channel['channel_prvkey'])), 'hubloc_host' => App::get_hostname(), 'hubloc_callback' => z_root() . '/post', 'hubloc_sitekey' => get_config('system','pubkey'), @@ -4931,7 +4932,7 @@ function zot_reply_ping() { $ret['success'] = true; $ret['site'] = array(); $ret['site']['url'] = z_root(); - $ret['site']['url_sig'] = base64url_encode(rsa_sign(z_root(),get_config('system','prvkey'))); + $ret['site']['url_sig'] = base64url_encode(Crypto::sign(z_root(),get_config('system','prvkey'))); $ret['site']['sitekey'] = get_config('system','pubkey'); json_return_and_die($ret); @@ -4979,10 +4980,10 @@ function zot_reply_pickup($data) { logger('mod_zot: Checking sitekey: ' . $sitekey, LOGGER_DATA, LOG_DEBUG); - if(rsa_verify($data['callback'],base64url_decode($data['callback_sig']),$sitekey)) { + if(Crypto::verify($data['callback'],base64url_decode($data['callback_sig']),$sitekey)) { $forgery = false; } - if(rsa_verify($data['secret'],base64url_decode($data['secret_sig']),$sitekey)) { + if(Crypto::verify($data['secret'],base64url_decode($data['secret_sig']),$sitekey)) { $secret_fail = false; } if((! $forgery) && (! $secret_fail)) @@ -5076,7 +5077,7 @@ function zot_reply_pickup($data) { ); $algorithm = zot_best_algorithm(($x) ? $x[0]['site_crypto'] : ''); - $encrypted = crypto_encapsulate(json_encode($ret),$sitekey,$algorithm); + $encrypted = Crypto::encapsulate(json_encode($ret),$sitekey,$algorithm); json_return_and_die($encrypted); // @FIXME: There is a possibility that the transmission will get interrupted @@ -5133,7 +5134,7 @@ function zot_reply_auth_check($data,$encrypted_packet) { // First verify their signature. We will have obtained a zot-info packet from them as part of the sender // verification. - if ((! $y) || (! rsa_verify($data['secret'], base64url_decode($data['secret_sig']),$y[0]['xchan_pubkey']))) { + if ((! $y) || (! Crypto::verify($data['secret'], base64url_decode($data['secret_sig']),$y[0]['xchan_pubkey']))) { logger('mod_zot: auth_check: sender not found or secret_sig invalid.'); $ret['message'] .= 'sender not found or sig invalid ' . print_r($y,true) . EOL; @@ -5158,7 +5159,7 @@ function zot_reply_auth_check($data,$encrypted_packet) { json_return_and_die($ret); } - $confirm = base64url_encode(rsa_sign($data['secret'] . $recip_hash,$c[0]['channel_prvkey'])); + $confirm = base64url_encode(Crypto::sign($data['secret'] . $recip_hash,$c[0]['channel_prvkey'])); // This additionally checks for forged sites since we already stored the expected result in meta // and we've already verified that this is them via zot_gethub() and that their key signed our token diff --git a/tests/unit/Lib/KeyutilsTest.php b/tests/unit/Lib/KeyutilsTest.php index bb5f84728..d1b0b5ab8 100644 --- a/tests/unit/Lib/KeyutilsTest.php +++ b/tests/unit/Lib/KeyutilsTest.php @@ -34,8 +34,6 @@ use Zotlabs\Lib\Keyutils; * @covers Zotlabs\Lib\Keyutils */ - - class KeyutilsTest extends UnitTestCase { protected function getPubPKCS1() { diff --git a/tests/unit/Web/HttpSigTest.php b/tests/unit/Web/HttpSigTest.php index bd11b96c8..5524e0510 100644 --- a/tests/unit/Web/HttpSigTest.php +++ b/tests/unit/Web/HttpSigTest.php @@ -71,7 +71,7 @@ class HttpSigTest extends UnitTestCase { } /** - * @uses ::crypto_unencapsulate + * @uses ::Crypto::unencapsulate */ function testDecrypt_sigheader() { $header = 'Header: iv="value_iv" key="value_key" alg="value_alg" data="value_data"'; @@ -86,7 +86,7 @@ class HttpSigTest extends UnitTestCase { $this->assertSame($result, HTTPSig::decrypt_sigheader($header, 'site private key')); } /** - * @uses ::crypto_unencapsulate + * @uses ::Crypto::unencapsulate */ function testDecrypt_sigheaderUseSitePrivateKey() { // Create a stub for global function get_config() with expectation @@ -95,7 +95,7 @@ class HttpSigTest extends UnitTestCase { $header = 'Header: iv="value_iv" key="value_key" alg="value_alg" data="value_data"'; $result = [ - 'encrypted' => true, + 'encrypted' => true, 'iv' => 'value_iv', 'key' => 'value_key', 'alg' => 'value_alg', diff --git a/vendor/composer/InstalledVersions.php b/vendor/composer/InstalledVersions.php index 4e4b8790a..875700f7a 100644 --- a/vendor/composer/InstalledVersions.php +++ b/vendor/composer/InstalledVersions.php @@ -29,7 +29,7 @@ private static $installed = array ( 'aliases' => array ( ), - 'reference' => '6b8b42fb211d488388044621d8cff9e6d85e2b0f', + 'reference' => '5aee2f172ecdf58e13dd328c787fd199c48d24c5', 'name' => 'zotlabs/hubzilla', ), 'versions' => @@ -271,7 +271,7 @@ private static $installed = array ( 'aliases' => array ( ), - 'reference' => '6b8b42fb211d488388044621d8cff9e6d85e2b0f', + 'reference' => '5aee2f172ecdf58e13dd328c787fd199c48d24c5', ), ), ); diff --git a/vendor/composer/installed.php b/vendor/composer/installed.php index f9d9d5f93..7c1ac62d8 100644 --- a/vendor/composer/installed.php +++ b/vendor/composer/installed.php @@ -6,7 +6,7 @@ 'aliases' => array ( ), - 'reference' => '6b8b42fb211d488388044621d8cff9e6d85e2b0f', + 'reference' => '5aee2f172ecdf58e13dd328c787fd199c48d24c5', 'name' => 'zotlabs/hubzilla', ), 'versions' => @@ -248,7 +248,7 @@ 'aliases' => array ( ), - 'reference' => '6b8b42fb211d488388044621d8cff9e6d85e2b0f', + 'reference' => '5aee2f172ecdf58e13dd328c787fd199c48d24c5', ), ), ); |