aboutsummaryrefslogtreecommitdiffstats
path: root/Zotlabs
diff options
context:
space:
mode:
authorMario <mario@mariovavti.com>2021-02-09 13:50:03 +0000
committerMario <mario@mariovavti.com>2021-02-09 13:50:03 +0000
commitb4693870ba647455e6bd0a3919a544130cee118b (patch)
tree97fe6de09c5ce3b5e6ed247c6a6105008631e79a /Zotlabs
parent5aee2f172ecdf58e13dd328c787fd199c48d24c5 (diff)
downloadvolse-hubzilla-b4693870ba647455e6bd0a3919a544130cee118b.tar.gz
volse-hubzilla-b4693870ba647455e6bd0a3919a544130cee118b.tar.bz2
volse-hubzilla-b4693870ba647455e6bd0a3919a544130cee118b.zip
port Lib/Crypto from zap
Diffstat (limited to 'Zotlabs')
-rw-r--r--Zotlabs/Lib/Crypto.php205
-rw-r--r--Zotlabs/Lib/JSalmon.php4
-rw-r--r--Zotlabs/Lib/LDSignatures.php12
-rw-r--r--Zotlabs/Lib/Libzot.php16
-rw-r--r--Zotlabs/Lib/Zotfinger.php12
-rw-r--r--Zotlabs/Module/Channel.php3
-rw-r--r--Zotlabs/Module/Connedit.php3
-rw-r--r--Zotlabs/Module/Fhublocs.php22
-rw-r--r--Zotlabs/Module/Getfile.php3
-rw-r--r--Zotlabs/Module/Import.php5
-rw-r--r--Zotlabs/Module/Prate.php60
-rw-r--r--Zotlabs/Module/Probe.php17
-rw-r--r--Zotlabs/Module/Rate.php70
-rw-r--r--Zotlabs/Web/HTTPSig.php11
-rw-r--r--Zotlabs/Zot/Auth.php38
-rw-r--r--Zotlabs/Zot/Finger.php5
-rw-r--r--Zotlabs/Zot/Receiver.php20
-rw-r--r--Zotlabs/Zot6/Receiver.php15
18 files changed, 371 insertions, 150 deletions
diff --git a/Zotlabs/Lib/Crypto.php b/Zotlabs/Lib/Crypto.php
new file mode 100644
index 000000000..3dba1bcf3
--- /dev/null
+++ b/Zotlabs/Lib/Crypto.php
@@ -0,0 +1,205 @@
+<?php
+
+namespace Zotlabs\Lib;
+use Exception;
+
+class Crypto {
+
+ public static $openssl_algorithms = [
+
+ // zot6 nickname, opensslname, keylength, ivlength
+
+ [ 'aes256ctr', 'aes-256-ctr', 32, 16 ],
+ [ 'camellia256cfb', 'camellia-256-cfb', 32, 16 ],
+ [ 'cast5cfb', 'cast5-cfb', 16, 8 ]
+
+ ];
+
+ public static function methods() {
+ $ret = [];
+
+ foreach(self::$openssl_algorithms as $ossl) {
+ $ret[] = $ossl[0] . '.oaep';
+ }
+
+ call_hooks('crypto_methods',$ret);
+ return $ret;
+ }
+
+ public static function signing_methods() {
+
+ $ret = [ 'sha256' ];
+ call_hooks('signing_methods',$ret);
+ return $ret;
+
+ }
+
+ public static function new_keypair($bits) {
+
+ $openssl_options = [
+ 'digest_alg' => 'sha1',
+ 'private_key_bits' => $bits,
+ 'encrypt_key' => false
+ ];
+
+ $conf = get_config('system','openssl_conf_file');
+
+ if ($conf) {
+ $openssl_options['config'] = $conf;
+ }
+
+ $result = openssl_pkey_new($openssl_options);
+
+ if (empty($result)) {
+ return false;
+ }
+
+ // Get private key
+
+ $response = [ 'prvkey' => '', 'pubkey' => '' ];
+
+ openssl_pkey_export($result, $response['prvkey']);
+
+ // Get public key
+ $pkey = openssl_pkey_get_details($result);
+ $response['pubkey'] = $pkey["key"];
+
+ return $response;
+
+ }
+
+ public static function sign($data,$key,$alg = 'sha256') {
+
+ if (! $key) {
+ return false;
+ }
+
+ $sig = '';
+ openssl_sign($data,$sig,$key,$alg);
+ return $sig;
+ }
+
+ public static function verify($data,$sig,$key,$alg = 'sha256') {
+
+ if (! $key) {
+ return false;
+ }
+
+ try {
+ $verify = openssl_verify($data,$sig,$key,$alg);
+ }
+ catch (Exception $e) {
+ $verify = (-1);
+ }
+
+ if ($verify === (-1)) {
+ while ($msg = openssl_error_string()) {
+ logger('openssl_verify: ' . $msg,LOGGER_NORMAL,LOG_ERR);
+ }
+ btlogger('openssl_verify: key: ' . $key, LOGGER_DEBUG, LOG_ERR);
+ }
+
+ return (($verify > 0) ? true : false);
+ }
+
+ public static function encapsulate($data,$pubkey,$alg) {
+
+ if (! ($alg && $pubkey)) {
+ return $data;
+ }
+
+ $alg_base = $alg;
+ $padding = OPENSSL_PKCS1_PADDING;
+
+ $exts = explode('.',$alg);
+ if (count($exts) > 1) {
+ switch ($exts[1]) {
+ case 'oaep':
+ $padding = OPENSSL_PKCS1_OAEP_PADDING;
+ break;
+ default:
+ break;
+ }
+ $alg_base = $exts[0];
+ }
+
+ $method = null;
+
+ foreach (self::$openssl_algorithms as $ossl) {
+ if ($ossl[0] === $alg_base) {
+ $method = $ossl;
+ break;
+ }
+ }
+
+ if ($method) {
+ $result = [ 'encrypted' => true ];
+
+ $key = openssl_random_pseudo_bytes(256);
+ $iv = openssl_random_pseudo_bytes(256);
+
+ $key1 = substr($key, 0, $method[2]);
+ $iv1 = substr($iv, 0, $method[3]);
+
+ $result['data'] = base64url_encode(openssl_encrypt($data,$method[1],$key1,OPENSSL_RAW_DATA,$iv1),true);
+
+ openssl_public_encrypt($key, $k, $pubkey, $padding);
+ openssl_public_encrypt($iv, $i, $pubkey, $padding);
+
+ $result['alg'] = $alg;
+ $result['key'] = base64url_encode($k,true);
+ $result['iv'] = base64url_encode($i,true);
+ return $result;
+
+ }
+ else {
+ $x = [ 'data' => $data, 'pubkey' => $pubkey, 'alg' => $alg, 'result' => $data ];
+ call_hooks('crypto_encapsulate', $x);
+ return $x['result'];
+ }
+ }
+
+ public static function unencapsulate($data,$prvkey) {
+
+ if (! (is_array($data) && array_key_exists('encrypted',$data) && array_key_exists('alg',$data) && $data['alg'])) {
+ logger('not encrypted');
+
+ return $data;
+ }
+
+ $alg_base = $data['alg'];
+ $padding = OPENSSL_PKCS1_PADDING;
+
+ $exts = explode('.',$data['alg']);
+ if (count($exts) > 1) {
+ switch ($exts[1]) {
+ case 'oaep':
+ $padding = OPENSSL_PKCS1_OAEP_PADDING;
+ break;
+ default:
+ break;
+ }
+ $alg_base = $exts[0];
+ }
+
+ $method = null;
+
+ foreach (self::$openssl_algorithms as $ossl) {
+ if ($ossl[0] === $alg_base) {
+ $method = $ossl;
+ break;
+ }
+ }
+
+ if ($method) {
+ openssl_private_decrypt(base64url_decode($data['key']),$k,$prvkey,$padding);
+ openssl_private_decrypt(base64url_decode($data['iv']), $i,$prvkey,$padding);
+ return openssl_decrypt(base64url_decode($data['data']),$method[1],substr($k,0,$method[2]),OPENSSL_RAW_DATA,substr($i,0,$method[3]));
+ }
+ else {
+ $x = [ 'data' => $data, 'prvkey' => $prvkey, 'alg' => $data['alg'], 'result' => $data ];
+ call_hooks('crypto_unencapsulate',$x);
+ return $x['result'];
+ }
+ }
+}
diff --git a/Zotlabs/Lib/JSalmon.php b/Zotlabs/Lib/JSalmon.php
index 7f63cf914..f9fe99706 100644
--- a/Zotlabs/Lib/JSalmon.php
+++ b/Zotlabs/Lib/JSalmon.php
@@ -18,7 +18,7 @@ class JSalmon {
$precomputed = '.' . base64url_encode($data_type,true) . '.YmFzZTY0dXJs.UlNBLVNIQTI1Ng';
- $signature = base64url_encode(rsa_sign($data . $precomputed, $key), true);
+ $signature = base64url_encode(Crypto::sign($data . $precomputed, $key), true);
return ([
'signed' => true,
@@ -54,7 +54,7 @@ class JSalmon {
$key = HTTPSig::get_key(EMPTY_STR,'zot6',base64url_decode($x['sigs']['key_id']));
logger('key: ' . print_r($key,true));
if($key['portable_id'] && $key['public_key']) {
- if(rsa_verify($signed_data,base64url_decode($x['sigs']['value']),$key['public_key'])) {
+ if(Crypto::verify($signed_data,base64url_decode($x['sigs']['value']),$key['public_key'])) {
logger('verified');
$ret = [ 'success' => true, 'signer' => $key['portable_id'], 'hubloc' => $key['hubloc'] ];
}
diff --git a/Zotlabs/Lib/LDSignatures.php b/Zotlabs/Lib/LDSignatures.php
index 2eba66ccf..1c2095f10 100644
--- a/Zotlabs/Lib/LDSignatures.php
+++ b/Zotlabs/Lib/LDSignatures.php
@@ -12,7 +12,7 @@ class LDSignatures {
$ohash = self::hash(self::signable_options($data['signature']));
$dhash = self::hash(self::signable_data($data));
- $x = rsa_verify($ohash . $dhash,base64_decode($data['signature']['signatureValue']), $pubkey);
+ $x = Crypto::verify($ohash . $dhash,base64_decode($data['signature']['signatureValue']), $pubkey);
logger('LD-verify: ' . intval($x));
return $x;
@@ -35,11 +35,11 @@ class LDSignatures {
$ohash = self::hash(self::signable_options($options));
$dhash = self::hash(self::signable_data($data));
- $options['signatureValue'] = base64_encode(rsa_sign($ohash . $dhash,$channel['channel_prvkey']));
+ $options['signatureValue'] = base64_encode(Crypto::sign($ohash . $dhash,$channel['channel_prvkey']));
$signed = array_merge([
- '@context' => [
- ACTIVITYSTREAMS_JSONLD_REV,
+ '@context' => [
+ ACTIVITYSTREAMS_JSONLD_REV,
'https://w3id.org/security/v1' ],
],$options);
@@ -88,7 +88,7 @@ class LDSignatures {
return '';
jsonld_set_document_loader('jsonld_document_loader');
-
+
try {
$d = jsonld_normalize($data,[ 'algorithm' => 'URDNA2015', 'format' => 'application/nquads' ]);
}
@@ -117,7 +117,7 @@ class LDSignatures {
$precomputed = '.' . base64url_encode($data_type,false) . '.YmFzZTY0dXJs.UlNBLVNIQTI1Ng==';
- $signature = base64url_encode(rsa_sign($data . $precomputed,$channel['channel_prvkey']));
+ $signature = base64url_encode(Crypto::sign($data . $precomputed,$channel['channel_prvkey']));
return ([
'id' => $arr['id'],
diff --git a/Zotlabs/Lib/Libzot.php b/Zotlabs/Lib/Libzot.php
index 0ead8402e..a615cee6e 100644
--- a/Zotlabs/Lib/Libzot.php
+++ b/Zotlabs/Lib/Libzot.php
@@ -130,7 +130,7 @@ class Libzot {
if ($remote_key) {
$algorithm = self::best_algorithm($methods);
if ($algorithm) {
- $data = crypto_encapsulate(json_encode($data), $remote_key, $algorithm);
+ $data = Crypto::encapsulate(json_encode($data), $remote_key, $algorithm);
}
}
@@ -143,7 +143,7 @@ class Libzot {
*
* @param string $methods
* Comma separated list of encryption methods
- * @return string first match from our site method preferences crypto_methods() array
+ * @return string first match from our site method preferences Crypto::methods() array
* of a method which is common to both sites; or 'aes256cbc' if no matches are found.
*/
static function best_algorithm($methods) {
@@ -167,7 +167,7 @@ class Libzot {
if ($methods) {
$x = explode(',', $methods);
if ($x) {
- $y = crypto_methods();
+ $y = Crypto::methods();
if ($y) {
foreach ($y as $yv) {
$yv = trim($yv);
@@ -763,8 +763,8 @@ class Libzot {
'xchan_guid' => $arr['id'],
'xchan_guid_sig' => $arr['id_sig'],
'xchan_pubkey' => $arr['public_key'],
- 'xchan_photo_mimetype' => $arr['photo']['type'],
- 'xchan_photo_l' => $arr['photo']['url'],
+ 'xchan_photo_mimetype' => $arr['photo_mimetype'],
+ 'xchan_photo_l' => $arr['photo'],
'xchan_addr' => escape_tags($arr['primary_location']['address']),
'xchan_url' => escape_tags($arr['primary_location']['url']),
'xchan_connurl' => $arr['primary_location']['connections_url'],
@@ -772,7 +772,7 @@ class Libzot {
'xchan_connpage' => $arr['connect_url'],
'xchan_name' => (($arr['name']) ? escape_tags($arr['name']) : '-'),
'xchan_network' => 'zot6',
- 'xchan_photo_date' => $arr['photo']['updated'],
+ 'xchan_photo_date' => $arr['photo_updated'],
'xchan_name_date' => $arr['name_updated'],
'xchan_hidden' => intval(1 - intval($arr['searchable'])),
'xchan_selfcensored' => $arr['adult_content'],
@@ -983,7 +983,7 @@ class Libzot {
logger('Headers: ' . print_r($arr['header'], true), LOGGER_DATA, LOG_DEBUG);
}
- $x = crypto_unencapsulate($x, get_config('system', 'prvkey'));
+ $x = Crypto::unencapsulate($x, get_config('system', 'prvkey'));
if (!is_array($x)) {
$x = json_decode($x, true);
@@ -3020,7 +3020,7 @@ class Libzot {
$ret['site']['directory_url'] = z_root() . '/dirsearch';
- $ret['site']['encryption'] = crypto_methods();
+ $ret['site']['encryption'] = Crypto::methods();
$ret['site']['zot'] = System::get_zot_revision();
// hide detailed site information if you're off the grid
diff --git a/Zotlabs/Lib/Zotfinger.php b/Zotlabs/Lib/Zotfinger.php
index faaf28f35..840d91403 100644
--- a/Zotlabs/Lib/Zotfinger.php
+++ b/Zotlabs/Lib/Zotfinger.php
@@ -18,8 +18,8 @@ class Zotfinger {
if($channel && $m) {
- $headers = [
- 'Accept' => 'application/x-zot+json',
+ $headers = [
+ 'Accept' => 'application/x-zot+json',
'Content-Type' => 'application/x-zot+json',
'X-Zot-Token' => random_string(),
'Digest' => HTTPSig::generate_digest_header($data),
@@ -29,9 +29,9 @@ class Zotfinger {
$h = HTTPSig::create_sig($headers,$channel['channel_prvkey'],channel_url($channel),false);
}
else {
- $h = [ 'Accept: application/x-zot+json' ];
+ $h = [ 'Accept: application/x-zot+json' ];
}
-
+
$result = [];
$redirects = 0;
@@ -43,11 +43,11 @@ class Zotfinger {
if ($verify) {
$result['signature'] = HTTPSig::verify($x, EMPTY_STR, 'zot6');
}
-
+
$result['data'] = json_decode($x['body'],true);
if($result['data'] && is_array($result['data']) && array_key_exists('encrypted',$result['data']) && $result['data']['encrypted']) {
- $result['data'] = json_decode(crypto_unencapsulate($result['data'],get_config('system','prvkey')),true);
+ $result['data'] = json_decode(Crypto::unencapsulate($result['data'],get_config('system','prvkey')),true);
}
logger('decrypted: ' . print_r($result,true));
diff --git a/Zotlabs/Module/Channel.php b/Zotlabs/Module/Channel.php
index 915e0ea60..a513523a7 100644
--- a/Zotlabs/Module/Channel.php
+++ b/Zotlabs/Module/Channel.php
@@ -6,6 +6,7 @@ namespace Zotlabs\Module;
use App;
use Zotlabs\Lib\Activity;
use Zotlabs\Lib\ActivityStreams;
+use Zotlabs\Lib\Crypto;
use Zotlabs\Lib\Libzot;
use Zotlabs\Lib\PermissionDescription;
use Zotlabs\Web\Controller;
@@ -70,7 +71,7 @@ class Channel extends Controller {
);
if ($s) {
- $data = json_encode(crypto_encapsulate($data, $s[0]['hubloc_sitekey'], Libzot::best_algorithm($s[0]['site_crypto'])));
+ $data = json_encode(Crypto::encapsulate($data, $s[0]['hubloc_sitekey'], Libzot::best_algorithm($s[0]['site_crypto'])));
}
}
else {
diff --git a/Zotlabs/Module/Connedit.php b/Zotlabs/Module/Connedit.php
index 582563451..44211c8b9 100644
--- a/Zotlabs/Module/Connedit.php
+++ b/Zotlabs/Module/Connedit.php
@@ -9,6 +9,7 @@ namespace Zotlabs\Module;
use App;
use Zotlabs\Lib\Apps;
+use Zotlabs\Lib\Crypto;
use Zotlabs\Lib\Libzot;
use Zotlabs\Lib\Libsync;
use Zotlabs\Daemon\Master;
@@ -178,7 +179,7 @@ class Connedit extends Controller {
if(! $is_self) {
$signed = $orig_record[0]['abook_xchan'] . '.' . $rating . '.' . $rating_text;
- $sig = base64url_encode(rsa_sign($signed,$channel['channel_prvkey']));
+ $sig = base64url_encode(Crypto::sign($signed,$channel['channel_prvkey']));
$rated = ((intval($rating) || strlen($rating_text)) ? true : false);
diff --git a/Zotlabs/Module/Fhublocs.php b/Zotlabs/Module/Fhublocs.php
index dcd399a1f..42dac5b12 100644
--- a/Zotlabs/Module/Fhublocs.php
+++ b/Zotlabs/Module/Fhublocs.php
@@ -15,12 +15,12 @@ class Fhublocs extends \Zotlabs\Web\Controller {
if(! is_site_admin())
return;
-
+
$o = '';
-
+
$r = q("select * from channel where channel_removed = 0");
$sitekey = get_config('system','pubkey');
-
+
if($r) {
foreach($r as $rr) {
@@ -38,14 +38,14 @@ class Fhublocs extends \Zotlabs\Web\Controller {
if($found) {
$o .= 'Hubloc exists for ' . $rr['channel_name'] . EOL;
continue;
- }
+ }
}
$y = q("select xchan_addr from xchan where xchan_hash = '%s' limit 1",
dbesc($rr['channel_hash'])
);
if($y)
$primary_address = $y[0]['xchan_addr'];
-
+
$hub_address = channel_reddress($rr);
$primary = (($hub_address === $primary_address) ? 1 : 0);
@@ -56,9 +56,9 @@ class Fhublocs extends \Zotlabs\Web\Controller {
dbesc($rr['channel_hash']),
dbesc(z_root())
);
-
+
// Create a verified hub location pointing to this site.
-
+
/*
$h = hubloc_store_lowlevel(
[
@@ -69,7 +69,7 @@ class Fhublocs extends \Zotlabs\Web\Controller {
'hubloc_network' => 'zot',
'hubloc_primary' => $primary,
'hubloc_url' => z_root(),
- 'hubloc_url_sig' => base64url_encode(rsa_sign(z_root(),$rr['channel_prvkey'])),
+ 'hubloc_url_sig' => base64url_encode(Crypto::sign(z_root(),$rr['channel_prvkey'])),
'hubloc_host' => \App::get_hostname(),
'hubloc_callback' => z_root() . '/post',
'hubloc_sitekey' => $sitekey
@@ -99,11 +99,11 @@ class Fhublocs extends \Zotlabs\Web\Controller {
$o . 'local hubloc created for ' . $rr['channel_name'] . EOL;
else
$o .= 'DB update failed for ' . $rr['channel_name'] . EOL;
-
+
}
-
+
return $o;
-
+
}
}
}
diff --git a/Zotlabs/Module/Getfile.php b/Zotlabs/Module/Getfile.php
index 20cc23ac0..28d7eabb5 100644
--- a/Zotlabs/Module/Getfile.php
+++ b/Zotlabs/Module/Getfile.php
@@ -1,6 +1,7 @@
<?php
namespace Zotlabs\Module;
+use Zotlabs\Lib\Crypto;
use Zotlabs\Web\HTTPSig;
use Zotlabs\Lib\Libzot;
@@ -106,7 +107,7 @@ class Getfile extends \Zotlabs\Web\Controller {
killme();
}
- if(! rsa_verify($hash . '.' . $time,base64url_decode($sig),$channel['channel_pubkey'])) {
+ if(! Crypto::verify($hash . '.' . $time,base64url_decode($sig),$channel['channel_pubkey'])) {
logger('verify failed.');
killme();
}
diff --git a/Zotlabs/Module/Import.php b/Zotlabs/Module/Import.php
index f8fc366e0..8ef24b232 100644
--- a/Zotlabs/Module/Import.php
+++ b/Zotlabs/Module/Import.php
@@ -8,6 +8,7 @@ require_once('include/import.php');
require_once('include/perm_upgrade.php');
require_once('library/urlify/URLify.php');
+use Zotlabs\Lib\Crypto;
use Zotlabs\Lib\Libzot;
@@ -227,7 +228,7 @@ class Import extends \Zotlabs\Web\Controller {
'hubloc_network' => 'zot',
'hubloc_primary' => (($seize) ? 1 : 0),
'hubloc_url' => z_root(),
- 'hubloc_url_sig' => base64url_encode(rsa_sign(z_root(),$channel['channel_prvkey'])),
+ 'hubloc_url_sig' => base64url_encode(Crypto::sign(z_root(),$channel['channel_prvkey'])),
'hubloc_host' => \App::get_hostname(),
'hubloc_callback' => z_root() . '/post',
'hubloc_sitekey' => get_config('system','pubkey'),
@@ -256,7 +257,7 @@ class Import extends \Zotlabs\Web\Controller {
'hubloc_network' => 'zot6',
'hubloc_primary' => (($seize) ? 1 : 0),
'hubloc_url' => z_root(),
- 'hubloc_url_sig' => 'sha256.' . base64url_encode(rsa_sign(z_root(),$channel['channel_prvkey'])),
+ 'hubloc_url_sig' => 'sha256.' . base64url_encode(Crypto::sign(z_root(),$channel['channel_prvkey'])),
'hubloc_host' => \App::get_hostname(),
'hubloc_callback' => z_root() . '/zot',
'hubloc_sitekey' => get_config('system','pubkey'),
diff --git a/Zotlabs/Module/Prate.php b/Zotlabs/Module/Prate.php
index 2a8539ed0..8b71657b8 100644
--- a/Zotlabs/Module/Prate.php
+++ b/Zotlabs/Module/Prate.php
@@ -2,21 +2,23 @@
namespace Zotlabs\Module;
+use Zotlabs\Lib\Crypto;
+
class Prate extends \Zotlabs\Web\Controller {
function init() {
if($_SERVER['REQUEST_METHOD'] === 'post')
return;
-
+
if(! local_channel())
return;
-
+
$channel = \App::get_channel();
-
+
$target = argv(1);
if(! $target)
return;
-
+
$r = q("select * from xlink where xlink_xchan = '%s' and xlink_link = '%s' and xlink_static = 1",
dbesc($channel['channel_hash']),
dbesc($target)
@@ -25,34 +27,34 @@ class Prate extends \Zotlabs\Web\Controller {
json_return_and_die(array('rating' => $r[0]['xlink_rating'],'rating_text' => $r[0]['xlink_rating_text']));
killme();
}
-
+
function post() {
-
+
if(! local_channel())
return;
-
+
$channel = \App::get_channel();
-
+
$target = trim($_REQUEST['target']);
if(! $target)
return;
-
+
if($target === $channel['channel_hash'])
return;
-
+
$rating = intval($_POST['rating']);
if($rating < (-10))
$rating = (-10);
if($rating > 10)
$rating = 10;
-
+
$rating_text = trim(escape_tags($_REQUEST['rating_text']));
-
+
$signed = $target . '.' . $rating . '.' . $rating_text;
-
- $sig = base64url_encode(rsa_sign($signed,$channel['channel_prvkey']));
-
-
+
+ $sig = base64url_encode(Crypto::sign($signed,$channel['channel_prvkey']));
+
+
$z = q("select * from xlink where xlink_xchan = '%s' and xlink_link = '%s' and xlink_static = 1 limit 1",
dbesc($channel['channel_hash']),
dbesc($target)
@@ -87,19 +89,19 @@ class Prate extends \Zotlabs\Web\Controller {
if($record) {
\Zotlabs\Daemon\Master::Summon(array('Ratenotif','rating',$record));
}
-
+
json_return_and_die(array('result' => true));;
}
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
}
diff --git a/Zotlabs/Module/Probe.php b/Zotlabs/Module/Probe.php
index d338b08ea..3bc4dac72 100644
--- a/Zotlabs/Module/Probe.php
+++ b/Zotlabs/Module/Probe.php
@@ -3,6 +3,7 @@ namespace Zotlabs\Module;
use App;
use Zotlabs\Lib\Apps;
+use Zotlabs\Lib\Crypto;
require_once('include/zot.php');
@@ -24,18 +25,18 @@ class Probe extends \Zotlabs\Web\Controller {
nav_set_selected('Remote Diagnostics');
$o .= '<h3>Remote Diagnostics</h3>';
-
+
$o .= '<form action="probe" method="get">';
$o .= 'Lookup address: <input type="text" style="width: 250px;" name="addr" value="' . $_GET['addr'] .'" />';
- $o .= '<input type="submit" name="submit" value="Submit" /></form>';
-
+ $o .= '<input type="submit" name="submit" value="Submit" /></form>';
+
$o .= '<br /><br />';
-
+
if(x($_GET,'addr')) {
$channel = App::get_channel();
$addr = trim($_GET['addr']);
$do_import = ((intval($_GET['import']) && is_site_admin()) ? true : false);
-
+
$j = \Zotlabs\Zot\Finger::run($addr,$channel,false);
$o .= '<pre>';
@@ -43,17 +44,17 @@ class Probe extends \Zotlabs\Web\Controller {
$o .= "<strong>https connection failed. Trying again with auto failover to http.</strong>\r\n\r\n";
$j = \Zotlabs\Zot\Finger::run($addr,$channel,true);
if(! $j['success']) {
- return $o;
+ return $o;
}
}
if($do_import && $j)
$x = import_xchan($j);
if($j && $j['permissions'] && $j['permissions']['iv'])
- $j['permissions'] = json_decode(crypto_unencapsulate($j['permissions'],$channel['channel_prvkey']),true);
+ $j['permissions'] = json_decode(Crypto::unencapsulate($j['permissions'],$channel['channel_prvkey']),true);
$o .= str_replace("\n",'<br />',print_r($j,true));
$o .= '</pre>';
}
return $o;
}
-
+
}
diff --git a/Zotlabs/Module/Rate.php b/Zotlabs/Module/Rate.php
index c03aaa54f..d29c370fc 100644
--- a/Zotlabs/Module/Rate.php
+++ b/Zotlabs/Module/Rate.php
@@ -3,21 +3,23 @@ namespace Zotlabs\Module;
+use Zotlabs\Lib\Crypto;
+
class Rate extends \Zotlabs\Web\Controller {
function init() {
-
+
if(! local_channel())
return;
-
+
$channel = \App::get_channel();
-
+
$target = $_REQUEST['target'];
if(! $target)
return;
-
+
\App::$data['target'] = $target;
-
+
if($target) {
$r = q("SELECT * FROM xchan where xchan_hash like '%s' LIMIT 1",
dbesc($target)
@@ -36,43 +38,43 @@ class Rate extends \Zotlabs\Web\Controller {
}
}
}
-
-
+
+
return;
-
+
}
-
-
+
+
function post() {
-
+
if(! local_channel())
return;
-
+
if(! \App::$data['target'])
return;
-
+
if(! $_REQUEST['execute'])
return;
-
+
$channel = \App::get_channel();
-
+
$rating = intval($_POST['rating']);
if($rating < (-10))
$rating = (-10);
if($rating > 10)
$rating = 10;
-
+
$rating_text = trim(escape_tags($_REQUEST['rating_text']));
-
+
$signed = \App::$data['target'] . '.' . $rating . '.' . $rating_text;
-
- $sig = base64url_encode(rsa_sign($signed,$channel['channel_prvkey']));
-
+
+ $sig = base64url_encode(Crypto::sign($signed,$channel['channel_prvkey']));
+
$z = q("select * from xlink where xlink_xchan = '%s' and xlink_link = '%s' and xlink_static = 1 limit 1",
dbesc($channel['channel_hash']),
dbesc(\App::$data['target'])
);
-
+
if($z) {
$record = $z[0]['xlink_id'];
$w = q("update xlink set xlink_rating = '%d', xlink_rating_text = '%s', xlink_sig = '%s', xlink_updated = '%s'
@@ -100,39 +102,39 @@ class Rate extends \Zotlabs\Web\Controller {
if($z)
$record = $z[0]['xlink_id'];
}
-
+
if($record) {
\Zotlabs\Daemon\Master::Summon(array('Ratenotif','rating',$record));
}
-
+
}
-
+
function get() {
-
+
if(! local_channel()) {
notice( t('Permission denied.') . EOL);
return;
}
-
+
// if(! \App::$data['target']) {
// notice( t('No recipients.') . EOL);
// return;
// }
-
+
$rating_enabled = get_config('system','rating_enabled');
if(! $rating_enabled) {
notice('Ratings are disabled on this site.');
return;
}
-
+
$channel = \App::get_channel();
-
+
$r = q("select * from xlink where xlink_xchan = '%s' and xlink_link = '%s' and xlink_static = 1",
dbesc($channel['channel_hash']),
dbesc(\App::$data['target'])
);
if($r) {
- \App::$data['xlink'] = $r[0];
+ \App::$data['xlink'] = $r[0];
$rating_val = $r[0]['xlink_rating'];
$rating_text = $r[0]['xlink_rating_text'];
}
@@ -140,7 +142,7 @@ class Rate extends \Zotlabs\Web\Controller {
$rating_val = 0;
$rating_text = '';
}
-
+
if($rating_enabled) {
$rating = replace_macros(get_markup_template('rating_slider.tpl'),array(
'$min' => -10,
@@ -150,7 +152,7 @@ class Rate extends \Zotlabs\Web\Controller {
else {
$rating = false;
}
-
+
$o = replace_macros(get_markup_template('rating_form.tpl'),array(
'$header' => t('Rating'),
'$website' => t('Website:'),
@@ -165,8 +167,8 @@ class Rate extends \Zotlabs\Web\Controller {
'$slide' => $slide,
'$submit' => t('Submit')
));
-
+
return $o;
-
+
}
}
diff --git a/Zotlabs/Web/HTTPSig.php b/Zotlabs/Web/HTTPSig.php
index 8dd999e59..2535c9016 100644
--- a/Zotlabs/Web/HTTPSig.php
+++ b/Zotlabs/Web/HTTPSig.php
@@ -3,6 +3,7 @@
namespace Zotlabs\Web;
use Zotlabs\Lib\ActivityStreams;
+use Zotlabs\Lib\Crypto;
use Zotlabs\Lib\Keyutils;
use Zotlabs\Lib\Webfinger;
use Zotlabs\Lib\Libzot;
@@ -157,7 +158,7 @@ class HTTPSig {
return $result;
}
- $x = rsa_verify($signed_data,$sig_block['signature'],$cached_key['public_key'],$algorithm);
+ $x = Crypto::verify($signed_data,$sig_block['signature'],$cached_key['public_key'],$algorithm);
logger('verified: ' . $x, LOGGER_DEBUG);
@@ -171,7 +172,7 @@ class HTTPSig {
$fetched_key = self::get_key($key,$keytype,$result['signer'],true);
if ($fetched_key && $fetched_key['public_key']) {
- $y = rsa_verify($signed_data,$sig_block['signature'],$fetched_key['public_key'],$algorithm);
+ $y = Crypto::verify($signed_data,$sig_block['signature'],$fetched_key['public_key'],$algorithm);
logger('verified: (cache reload) ' . $x, LOGGER_DEBUG);
}
@@ -417,7 +418,7 @@ class HTTPSig {
$headerval = 'keyId="' . $keyid . '",algorithm="' . $algorithm . '",headers="' . $x['headers'] . '",signature="' . $x['signature'] . '"';
if($encryption) {
- $x = crypto_encapsulate($headerval,$encryption['key'],$encryption['algorithm']);
+ $x = Crypto::encapsulate($headerval,$encryption['key'],$encryption['algorithm']);
if(is_array($x)) {
$headerval = 'iv="' . $x['iv'] . '",key="' . $x['key'] . '",alg="' . $x['alg'] . '",data="' . $x['data'] . '"';
}
@@ -491,7 +492,7 @@ class HTTPSig {
$headers = rtrim($headers,"\n");
}
- $sig = base64_encode(rsa_sign($headers,$prvkey,$alg));
+ $sig = base64_encode(Crypto::sign($headers,$prvkey,$alg));
$ret['headers'] = $fields;
$ret['signature'] = $sig;
@@ -567,7 +568,7 @@ class HTTPSig {
$data = $matches[1];
if($iv && $key && $alg && $data) {
- return crypto_unencapsulate([ 'encrypted' => true, 'iv' => $iv, 'key' => $key, 'alg' => $alg, 'data' => $data ] , $prvkey);
+ return Crypto::unencapsulate([ 'encrypted' => true, 'iv' => $iv, 'key' => $key, 'alg' => $alg, 'data' => $data ] , $prvkey);
}
return '';
diff --git a/Zotlabs/Zot/Auth.php b/Zotlabs/Zot/Auth.php
index 8d198f506..6ce2174f7 100644
--- a/Zotlabs/Zot/Auth.php
+++ b/Zotlabs/Zot/Auth.php
@@ -2,6 +2,8 @@
namespace Zotlabs\Zot;
+use Zotlabs\Lib\Crypto;
+
class Auth {
protected $test;
@@ -68,7 +70,7 @@ class Auth {
if(strstr($this->desturl,z_root() . '/rmagic'))
goaway(z_root());
- $this->Finalise();
+ $this->Finalise();
}
@@ -76,7 +78,7 @@ class Auth {
// Try and find a hubloc for the person attempting to auth.
// Since we're matching by address, we have to return all entries
- // some of which may be from re-installed hubs; and we'll need to
+ // some of which may be from re-installed hubs; and we'll need to
// try each sequentially to see if one can pass the test
$x = q("select * from hubloc left join xchan on xchan_hash = hubloc_hash
@@ -130,9 +132,9 @@ class Auth {
// Also check that they are coming from the same site as they authenticated with originally.
- $already_authed = (((remote_channel()) && ($hubloc['hubloc_hash'] == remote_channel())
+ $already_authed = (((remote_channel()) && ($hubloc['hubloc_hash'] == remote_channel())
&& ($hubloc['hubloc_url'] === $_SESSION['remote_hub'])) ? true : false);
-
+
if($this->delegate && $this->delegate !== $_SESSION['delegate_channel'])
$already_authed = false;
@@ -158,17 +160,17 @@ class Auth {
return false;
}
- // Auth packets MUST use ultra top-secret hush-hush mode - e.g. the entire packet is encrypted using the
+ // Auth packets MUST use ultra top-secret hush-hush mode - e.g. the entire packet is encrypted using the
// site private key
- // The actual channel sending the packet ($c[0]) is not important, but this provides a
+ // The actual channel sending the packet ($c[0]) is not important, but this provides a
// generic zot packet with a sender which can be verified
$x = q("select site_crypto from site where site_url = '%s' limit 1",
dbesc($hubloc['hubloc_url'])
);
- $p = zot_build_packet($channel,$type = 'auth_check',
- array(array('guid' => $hubloc['hubloc_guid'],'guid_sig' => $hubloc['hubloc_guid_sig'])),
+ $p = zot_build_packet($channel,$type = 'auth_check',
+ array(array('guid' => $hubloc['hubloc_guid'],'guid_sig' => $hubloc['hubloc_guid_sig'])),
$hubloc['hubloc_sitekey'], (($x) ? $x[0]['site_crypto'] : ''), $this->sec);
$this->Debug('auth check packet created using sitekey ' . $hubloc['hubloc_sitekey']);
@@ -192,12 +194,12 @@ class Auth {
$this->Debug('auth check request returned ' . print_r($j, true));
- if(! $j['success'])
+ if(! $j['success'])
return false;
// legit response, but we do need to check that this wasn't answered by a man-in-middle
- if (! rsa_verify($this->sec . $hubloc['xchan_hash'],base64url_decode($j['confirm']),$hubloc['xchan_pubkey'])) {
+ if (! Crypto::verify($this->sec . $hubloc['xchan_hash'],base64url_decode($j['confirm']),$hubloc['xchan_pubkey'])) {
logger('final confirmation failed.');
if($this->test)
$this->Debug('final confirmation failed. ' . $sec . print_r($j,true) . print_r($hubloc,true));
@@ -290,7 +292,7 @@ class Auth {
* Magic Auth
* ==========
*
- * So-called "magic auth" takes place by a special exchange. On the site where the "channel to be authenticated" lives (e.g. $mysite),
+ * So-called "magic auth" takes place by a special exchange. On the site where the "channel to be authenticated" lives (e.g. $mysite),
* a redirection is made via $mysite/magic to the zot endpoint of the remote site ($remotesite) with special GET parameters.
*
* The endpoint is typically https://$remotesite/post - or whatever was specified as the callback url in prior communications
@@ -299,7 +301,7 @@ class Auth {
* Five GET parameters are supplied:
* * auth => the urlencoded webbie (channel@host.domain) of the channel requesting access
* * dest => the desired destination URL (urlencoded)
- * * sec => a random string which is also stored on $mysite for use during the verification phase.
+ * * sec => a random string which is also stored on $mysite for use during the verification phase.
* * version => the zot revision
* * delegate => optional urlencoded webbie of a local channel to invoke delegation rights for
*
@@ -336,8 +338,8 @@ class Auth {
* }
* \endcode
*
- * auth_check messages MUST use encapsulated encryption. This message is sent to the origination site, which checks the 'secret' to see
- * if it is the same as the 'sec' which it passed originally. It also checks the secret_sig which is the secret signed by the
+ * auth_check messages MUST use encapsulated encryption. This message is sent to the origination site, which checks the 'secret' to see
+ * if it is the same as the 'sec' which it passed originally. It also checks the secret_sig which is the secret signed by the
* destination channel's private key and base64url encoded. If everything checks out, a json packet is returned:
*
* \code{.json}
@@ -351,10 +353,10 @@ class Auth {
* \endcode
*
* 'confirm' in this case is the base64url encoded RSA signature of the concatenation of 'secret' with the
- * base64url encoded whirlpool hash of the requestor's guid and guid_sig; signed with the source channel private key.
- * This prevents a man-in-the-middle from inserting a rogue success packet. Upon receipt and successful
- * verification of this packet, the destination site will redirect to the original destination URL and indicate a successful remote login.
- * Service_class can be used by cooperating sites to provide different access rights based on account rights and subscription plans. It is
+ * base64url encoded whirlpool hash of the requestor's guid and guid_sig; signed with the source channel private key.
+ * This prevents a man-in-the-middle from inserting a rogue success packet. Upon receipt and successful
+ * verification of this packet, the destination site will redirect to the original destination URL and indicate a successful remote login.
+ * Service_class can be used by cooperating sites to provide different access rights based on account rights and subscription plans. It is
* a string whose contents are not defined by protocol. Example: "basic" or "gold".
*
* @param[in,out] \App &$a
diff --git a/Zotlabs/Zot/Finger.php b/Zotlabs/Zot/Finger.php
index 778b701cd..cadde5415 100644
--- a/Zotlabs/Zot/Finger.php
+++ b/Zotlabs/Zot/Finger.php
@@ -2,6 +2,7 @@
namespace Zotlabs\Zot;
+use Zotlabs\Lib\Crypto;
use Zotlabs\Web\HTTPSig;
/**
@@ -109,7 +110,7 @@ class Finger {
$result = z_post_url('http://' . $host . $rhs,$postvars, $retries, [ 'headers' => $xhead ]);
}
}
- }
+ }
else {
$rhs .= '?f=&address=' . urlencode($address) . '&token=' . self::$token;
@@ -135,7 +136,7 @@ class Finger {
if($x && (! $verify['header_valid'])) {
$signed_token = ((is_array($x) && array_key_exists('signed_token', $x)) ? $x['signed_token'] : null);
if($signed_token) {
- $valid = rsa_verify('token.' . self::$token, base64url_decode($signed_token), $x['key']);
+ $valid = Crypto::verify('token.' . self::$token, base64url_decode($signed_token), $x['key']);
if(! $valid) {
logger('invalid signed token: ' . $url . $rhs, LOGGER_NORMAL, LOG_ERR);
diff --git a/Zotlabs/Zot/Receiver.php b/Zotlabs/Zot/Receiver.php
index c521c9d64..7fc445f66 100644
--- a/Zotlabs/Zot/Receiver.php
+++ b/Zotlabs/Zot/Receiver.php
@@ -2,6 +2,8 @@
namespace Zotlabs\Zot;
+use Zotlabs\Lib\Crypto;
+
class Receiver {
protected $data;
@@ -30,7 +32,7 @@ class Receiver {
$this->encrypted = ((array_key_exists('iv',$data)) ? true : false);
if($this->encrypted) {
- $this->data = @json_decode(@crypto_unencapsulate($data,$prvkey),true);
+ $this->data = @json_decode(@Crypto::unencapsulate($data,$prvkey),true);
}
if(! $this->data)
$this->data = $data;
@@ -72,7 +74,7 @@ class Receiver {
$this->validated = true;
}
-
+
function Dispatch() {
/* Handle tasks which don't require sender validation */
@@ -144,8 +146,8 @@ class Receiver {
* $contents->iv and $contents->key are random strings encrypted with this site's RSA public key and then base64url encoded.
*
* Once decrypted, one will find the normal json_encoded zot message packet.
- *
- * Defined packet types are: notify, purge, refresh, force_refresh, auth_check, ping, and pickup
+ *
+ * Defined packet types are: notify, purge, refresh, force_refresh, auth_check, ping, and pickup
*
* Standard packet: (used by notify, purge, refresh, force_refresh, and auth_check)
* \code{.json}
@@ -167,7 +169,7 @@ class Receiver {
* \endcode
*
* Signature fields are all signed with the sender channel private key and base64url encoded.
- * Recipients are arrays of guid and guid_sig, which were previously signed with the recipients private
+ * Recipients are arrays of guid and guid_sig, which were previously signed with the recipients private
* key and base64url encoded and later obtained via channel discovery. Absence of recipients indicates
* a public message or visible to all potential listeners on this site.
*
@@ -186,7 +188,7 @@ class Receiver {
*
* In the pickup packet, the sig fields correspond to the respective data
* element signed with this site's system private key and then base64url encoded.
- * The "secret" is the same as the original secret from the notify packet.
+ * The "secret" is the same as the original secret from the notify packet.
*
* If verification is successful, a json structure is returned containing a
* success indicator and an array of type 'pickup'.
@@ -283,18 +285,18 @@ class Receiver {
* }
* \endcode
*
- * The ping packet can be used to verify that a site has not been re-installed, and to
+ * The ping packet can be used to verify that a site has not been re-installed, and to
* initiate corrective action if it has. The url_sig is signed with the site private key
* and base64url encoded - and this should verify with the enclosed sitekey. Failure to
* verify indicates the site is corrupt or otherwise unable to communicate using zot.
* This return packet is not otherwise verified, so should be compared with other
* results obtained from this site which were verified prior to taking action. For instance
- * if you have one verified result with this signature and key, and other records for this
+ * if you have one verified result with this signature and key, and other records for this
* url which have different signatures and keys, it indicates that the site was re-installed
* and corrective action may commence (remove or mark invalid any entries with different
* signatures).
* If you have no records which match this url_sig and key - no corrective action should
- * be taken as this packet may have been returned by an imposter.
+ * be taken as this packet may have been returned by an imposter.
*
* @param[in,out] App &$a
*/
diff --git a/Zotlabs/Zot6/Receiver.php b/Zotlabs/Zot6/Receiver.php
index a9a7ab0df..6440c5da5 100644
--- a/Zotlabs/Zot6/Receiver.php
+++ b/Zotlabs/Zot6/Receiver.php
@@ -3,6 +3,7 @@
namespace Zotlabs\Zot6;
use Zotlabs\Lib\Config;
+use Zotlabs\Lib\Crypto;
use Zotlabs\Lib\Libzot;
use Zotlabs\Web\HTTPSig;
@@ -70,7 +71,7 @@ class Receiver {
$this->encrypted = ((array_key_exists('encrypted',$this->data) && intval($this->data['encrypted'])) ? true : false);
if ($this->encrypted && $this->prvkey) {
- $uncrypted = crypto_unencapsulate($this->data,$this->prvkey);
+ $uncrypted = Crypto::unencapsulate($this->data,$this->prvkey);
if ($uncrypted) {
$this->data = json_decode($uncrypted,true);
}
@@ -88,7 +89,7 @@ class Receiver {
if ($this->error) {
// make timing attacks on the decryption engine a bit more difficult
usleep(mt_rand(10000,100000));
- return($this->response);
+ return($this->response);
}
if ($this->data) {
@@ -126,7 +127,7 @@ class Receiver {
$x = Libzot::register_hub($this->sigdata['signer']);
if($x['success']) {
$hub = Libzot::valid_hub($this->sender,$this->site_id);
- }
+ }
if(! $hub) {
$this->response['message'] = 'sender unknown';
return false;
@@ -168,8 +169,8 @@ class Receiver {
}
}
return $result;
- }
-
+ }
+
function Dispatch() {
switch ($this->messagetype) {
@@ -207,13 +208,13 @@ class Receiver {
$this->EncryptResponse();
}
- return($this->response);
+ return($this->response);
}
function EncryptResponse() {
$algorithm = Libzot::best_algorithm($this->hub['site_crypto']);
if ($algorithm) {
- $this->response = crypto_encapsulate(json_encode($this->response),$this->hub['hubloc_sitekey'], $algorithm);
+ $this->response = Crypto::encapsulate(json_encode($this->response),$this->hub['hubloc_sitekey'], $algorithm);
}
}