aboutsummaryrefslogtreecommitdiffstats
path: root/Zotlabs/Zot
diff options
context:
space:
mode:
authorMario <mario@mariovavti.com>2021-02-09 13:50:03 +0000
committerMario <mario@mariovavti.com>2021-02-09 13:50:03 +0000
commitb4693870ba647455e6bd0a3919a544130cee118b (patch)
tree97fe6de09c5ce3b5e6ed247c6a6105008631e79a /Zotlabs/Zot
parent5aee2f172ecdf58e13dd328c787fd199c48d24c5 (diff)
downloadvolse-hubzilla-b4693870ba647455e6bd0a3919a544130cee118b.tar.gz
volse-hubzilla-b4693870ba647455e6bd0a3919a544130cee118b.tar.bz2
volse-hubzilla-b4693870ba647455e6bd0a3919a544130cee118b.zip
port Lib/Crypto from zap
Diffstat (limited to 'Zotlabs/Zot')
-rw-r--r--Zotlabs/Zot/Auth.php38
-rw-r--r--Zotlabs/Zot/Finger.php5
-rw-r--r--Zotlabs/Zot/Receiver.php20
3 files changed, 34 insertions, 29 deletions
diff --git a/Zotlabs/Zot/Auth.php b/Zotlabs/Zot/Auth.php
index 8d198f506..6ce2174f7 100644
--- a/Zotlabs/Zot/Auth.php
+++ b/Zotlabs/Zot/Auth.php
@@ -2,6 +2,8 @@
namespace Zotlabs\Zot;
+use Zotlabs\Lib\Crypto;
+
class Auth {
protected $test;
@@ -68,7 +70,7 @@ class Auth {
if(strstr($this->desturl,z_root() . '/rmagic'))
goaway(z_root());
- $this->Finalise();
+ $this->Finalise();
}
@@ -76,7 +78,7 @@ class Auth {
// Try and find a hubloc for the person attempting to auth.
// Since we're matching by address, we have to return all entries
- // some of which may be from re-installed hubs; and we'll need to
+ // some of which may be from re-installed hubs; and we'll need to
// try each sequentially to see if one can pass the test
$x = q("select * from hubloc left join xchan on xchan_hash = hubloc_hash
@@ -130,9 +132,9 @@ class Auth {
// Also check that they are coming from the same site as they authenticated with originally.
- $already_authed = (((remote_channel()) && ($hubloc['hubloc_hash'] == remote_channel())
+ $already_authed = (((remote_channel()) && ($hubloc['hubloc_hash'] == remote_channel())
&& ($hubloc['hubloc_url'] === $_SESSION['remote_hub'])) ? true : false);
-
+
if($this->delegate && $this->delegate !== $_SESSION['delegate_channel'])
$already_authed = false;
@@ -158,17 +160,17 @@ class Auth {
return false;
}
- // Auth packets MUST use ultra top-secret hush-hush mode - e.g. the entire packet is encrypted using the
+ // Auth packets MUST use ultra top-secret hush-hush mode - e.g. the entire packet is encrypted using the
// site private key
- // The actual channel sending the packet ($c[0]) is not important, but this provides a
+ // The actual channel sending the packet ($c[0]) is not important, but this provides a
// generic zot packet with a sender which can be verified
$x = q("select site_crypto from site where site_url = '%s' limit 1",
dbesc($hubloc['hubloc_url'])
);
- $p = zot_build_packet($channel,$type = 'auth_check',
- array(array('guid' => $hubloc['hubloc_guid'],'guid_sig' => $hubloc['hubloc_guid_sig'])),
+ $p = zot_build_packet($channel,$type = 'auth_check',
+ array(array('guid' => $hubloc['hubloc_guid'],'guid_sig' => $hubloc['hubloc_guid_sig'])),
$hubloc['hubloc_sitekey'], (($x) ? $x[0]['site_crypto'] : ''), $this->sec);
$this->Debug('auth check packet created using sitekey ' . $hubloc['hubloc_sitekey']);
@@ -192,12 +194,12 @@ class Auth {
$this->Debug('auth check request returned ' . print_r($j, true));
- if(! $j['success'])
+ if(! $j['success'])
return false;
// legit response, but we do need to check that this wasn't answered by a man-in-middle
- if (! rsa_verify($this->sec . $hubloc['xchan_hash'],base64url_decode($j['confirm']),$hubloc['xchan_pubkey'])) {
+ if (! Crypto::verify($this->sec . $hubloc['xchan_hash'],base64url_decode($j['confirm']),$hubloc['xchan_pubkey'])) {
logger('final confirmation failed.');
if($this->test)
$this->Debug('final confirmation failed. ' . $sec . print_r($j,true) . print_r($hubloc,true));
@@ -290,7 +292,7 @@ class Auth {
* Magic Auth
* ==========
*
- * So-called "magic auth" takes place by a special exchange. On the site where the "channel to be authenticated" lives (e.g. $mysite),
+ * So-called "magic auth" takes place by a special exchange. On the site where the "channel to be authenticated" lives (e.g. $mysite),
* a redirection is made via $mysite/magic to the zot endpoint of the remote site ($remotesite) with special GET parameters.
*
* The endpoint is typically https://$remotesite/post - or whatever was specified as the callback url in prior communications
@@ -299,7 +301,7 @@ class Auth {
* Five GET parameters are supplied:
* * auth => the urlencoded webbie (channel@host.domain) of the channel requesting access
* * dest => the desired destination URL (urlencoded)
- * * sec => a random string which is also stored on $mysite for use during the verification phase.
+ * * sec => a random string which is also stored on $mysite for use during the verification phase.
* * version => the zot revision
* * delegate => optional urlencoded webbie of a local channel to invoke delegation rights for
*
@@ -336,8 +338,8 @@ class Auth {
* }
* \endcode
*
- * auth_check messages MUST use encapsulated encryption. This message is sent to the origination site, which checks the 'secret' to see
- * if it is the same as the 'sec' which it passed originally. It also checks the secret_sig which is the secret signed by the
+ * auth_check messages MUST use encapsulated encryption. This message is sent to the origination site, which checks the 'secret' to see
+ * if it is the same as the 'sec' which it passed originally. It also checks the secret_sig which is the secret signed by the
* destination channel's private key and base64url encoded. If everything checks out, a json packet is returned:
*
* \code{.json}
@@ -351,10 +353,10 @@ class Auth {
* \endcode
*
* 'confirm' in this case is the base64url encoded RSA signature of the concatenation of 'secret' with the
- * base64url encoded whirlpool hash of the requestor's guid and guid_sig; signed with the source channel private key.
- * This prevents a man-in-the-middle from inserting a rogue success packet. Upon receipt and successful
- * verification of this packet, the destination site will redirect to the original destination URL and indicate a successful remote login.
- * Service_class can be used by cooperating sites to provide different access rights based on account rights and subscription plans. It is
+ * base64url encoded whirlpool hash of the requestor's guid and guid_sig; signed with the source channel private key.
+ * This prevents a man-in-the-middle from inserting a rogue success packet. Upon receipt and successful
+ * verification of this packet, the destination site will redirect to the original destination URL and indicate a successful remote login.
+ * Service_class can be used by cooperating sites to provide different access rights based on account rights and subscription plans. It is
* a string whose contents are not defined by protocol. Example: "basic" or "gold".
*
* @param[in,out] \App &$a
diff --git a/Zotlabs/Zot/Finger.php b/Zotlabs/Zot/Finger.php
index 778b701cd..cadde5415 100644
--- a/Zotlabs/Zot/Finger.php
+++ b/Zotlabs/Zot/Finger.php
@@ -2,6 +2,7 @@
namespace Zotlabs\Zot;
+use Zotlabs\Lib\Crypto;
use Zotlabs\Web\HTTPSig;
/**
@@ -109,7 +110,7 @@ class Finger {
$result = z_post_url('http://' . $host . $rhs,$postvars, $retries, [ 'headers' => $xhead ]);
}
}
- }
+ }
else {
$rhs .= '?f=&address=' . urlencode($address) . '&token=' . self::$token;
@@ -135,7 +136,7 @@ class Finger {
if($x && (! $verify['header_valid'])) {
$signed_token = ((is_array($x) && array_key_exists('signed_token', $x)) ? $x['signed_token'] : null);
if($signed_token) {
- $valid = rsa_verify('token.' . self::$token, base64url_decode($signed_token), $x['key']);
+ $valid = Crypto::verify('token.' . self::$token, base64url_decode($signed_token), $x['key']);
if(! $valid) {
logger('invalid signed token: ' . $url . $rhs, LOGGER_NORMAL, LOG_ERR);
diff --git a/Zotlabs/Zot/Receiver.php b/Zotlabs/Zot/Receiver.php
index c521c9d64..7fc445f66 100644
--- a/Zotlabs/Zot/Receiver.php
+++ b/Zotlabs/Zot/Receiver.php
@@ -2,6 +2,8 @@
namespace Zotlabs\Zot;
+use Zotlabs\Lib\Crypto;
+
class Receiver {
protected $data;
@@ -30,7 +32,7 @@ class Receiver {
$this->encrypted = ((array_key_exists('iv',$data)) ? true : false);
if($this->encrypted) {
- $this->data = @json_decode(@crypto_unencapsulate($data,$prvkey),true);
+ $this->data = @json_decode(@Crypto::unencapsulate($data,$prvkey),true);
}
if(! $this->data)
$this->data = $data;
@@ -72,7 +74,7 @@ class Receiver {
$this->validated = true;
}
-
+
function Dispatch() {
/* Handle tasks which don't require sender validation */
@@ -144,8 +146,8 @@ class Receiver {
* $contents->iv and $contents->key are random strings encrypted with this site's RSA public key and then base64url encoded.
*
* Once decrypted, one will find the normal json_encoded zot message packet.
- *
- * Defined packet types are: notify, purge, refresh, force_refresh, auth_check, ping, and pickup
+ *
+ * Defined packet types are: notify, purge, refresh, force_refresh, auth_check, ping, and pickup
*
* Standard packet: (used by notify, purge, refresh, force_refresh, and auth_check)
* \code{.json}
@@ -167,7 +169,7 @@ class Receiver {
* \endcode
*
* Signature fields are all signed with the sender channel private key and base64url encoded.
- * Recipients are arrays of guid and guid_sig, which were previously signed with the recipients private
+ * Recipients are arrays of guid and guid_sig, which were previously signed with the recipients private
* key and base64url encoded and later obtained via channel discovery. Absence of recipients indicates
* a public message or visible to all potential listeners on this site.
*
@@ -186,7 +188,7 @@ class Receiver {
*
* In the pickup packet, the sig fields correspond to the respective data
* element signed with this site's system private key and then base64url encoded.
- * The "secret" is the same as the original secret from the notify packet.
+ * The "secret" is the same as the original secret from the notify packet.
*
* If verification is successful, a json structure is returned containing a
* success indicator and an array of type 'pickup'.
@@ -283,18 +285,18 @@ class Receiver {
* }
* \endcode
*
- * The ping packet can be used to verify that a site has not been re-installed, and to
+ * The ping packet can be used to verify that a site has not been re-installed, and to
* initiate corrective action if it has. The url_sig is signed with the site private key
* and base64url encoded - and this should verify with the enclosed sitekey. Failure to
* verify indicates the site is corrupt or otherwise unable to communicate using zot.
* This return packet is not otherwise verified, so should be compared with other
* results obtained from this site which were verified prior to taking action. For instance
- * if you have one verified result with this signature and key, and other records for this
+ * if you have one verified result with this signature and key, and other records for this
* url which have different signatures and keys, it indicates that the site was re-installed
* and corrective action may commence (remove or mark invalid any entries with different
* signatures).
* If you have no records which match this url_sig and key - no corrective action should
- * be taken as this packet may have been returned by an imposter.
+ * be taken as this packet may have been returned by an imposter.
*
* @param[in,out] App &$a
*/