diff options
-rw-r--r-- | boot.php | 24 | ||||
-rw-r--r-- | include/items.php | 32 | ||||
-rw-r--r-- | mod/dfrn_notify.php | 29 |
3 files changed, 78 insertions, 7 deletions
@@ -1544,3 +1544,27 @@ function gravatar_img($email) { return $url; }} +if(! function_exists('aes_decrypt')) { +function aes_decrypt($val,$ky) +{ + $key="\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"; + for($a=0;$a<strlen($ky);$a++) + $key[$a%16]=chr(ord($key[$a%16]) ^ ord($ky[$a])); + $mode = MCRYPT_MODE_ECB; + $enc = MCRYPT_RIJNDAEL_128; + $dec = @mcrypt_decrypt($enc, $key, $val, $mode, @mcrypt_create_iv( @mcrypt_get_iv_size($enc, $mode), MCRYPT_DEV_URANDOM ) ); + return rtrim($dec,(( ord(substr($dec,strlen($dec)-1,1))>=0 and ord(substr($dec, strlen($dec)-1,1))<=16)? chr(ord( substr($dec,strlen($dec)-1,1))):null)); +}} + + +if(! function_exists('aes_encrypt')) { +function aes_encrypt($val,$ky) +{ + $key="\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"; + for($a=0;$a<strlen($ky);$a++) + $key[$a%16]=chr(ord($key[$a%16]) ^ ord($ky[$a])); + $mode=MCRYPT_MODE_ECB; + $enc=MCRYPT_RIJNDAEL_128; + $val=str_pad($val, (16*(floor(strlen($val) / 16)+(strlen($val) % 16==0?2:1))), chr(16-(strlen($val) % 16))); + return mcrypt_encrypt($enc, $key, $val, $mode, mcrypt_create_iv( mcrypt_get_iv_size($enc, $mode), MCRYPT_DEV_URANDOM)); +}}
\ No newline at end of file diff --git a/include/items.php b/include/items.php index cca9e0401..4bd46b427 100644 --- a/include/items.php +++ b/include/items.php @@ -658,7 +658,14 @@ function dfrn_deliver($owner,$contact,$atom) { if($contact['duplex'] && $contact['issued-id']) $idtosend = '1:' . $orig_id; - $url = $contact['notify'] . '?dfrn_id=' . $idtosend . '&dfrn_version=' . DFRN_PROTOCOL_VERSION ; + $rino = ((function_exists('mcrypt_encrypt')) ? 1 : 0); + + $rino_enable = get_config('system','rino_encrypt'); + + if(! $rino_enable) + $rino = 0; + + $url = $contact['notify'] . '?dfrn_id=' . $idtosend . '&dfrn_version=' . DFRN_PROTOCOL_VERSION . (($rino) ? '&rino=1' : ''); logger('dfrn_deliver: ' . $url); @@ -681,6 +688,7 @@ function dfrn_deliver($owner,$contact,$atom) { $postvars = array(); $sent_dfrn_id = hex2bin($res->dfrn_id); $challenge = hex2bin($res->challenge); + $rino_allowed = ((intval($res->rino) === 1) ? 1 : 0); $final_dfrn_id = ''; @@ -718,9 +726,29 @@ function dfrn_deliver($owner,$contact,$atom) { $postvars['data'] = str_replace('<dfrn:comment-allow>1','<dfrn:comment-allow>0',$atom); } + if($rino && rino_allowed) { + $key = substr(random_string(),0,16); + $data = bin2hex(aes_encrypt($postvars['data'],$key)); + $postvars['data'] = $data; + logger('rino: sent key = ' . $key); + + if(($contact['duplex'] && strlen($contact['prvkey'])) || ($owner['page-flags'] == PAGE_COMMUNITY)) { + openssl_private_encrypt($key,$postvars['key'],$contact['prvkey']); + } + else { + openssl_public_encrypt($key,$postvars['key'],$contact['pubkey']); + } + + logger('md5 rawkey ' . md5($postvars['key'])); + + $postvars['key'] = bin2hex($postvars['key']); + } + + logger('dfrn_deliver: ' . "SENDING: " . print_r($postvars,true), LOGGER_DATA); + $xml = post_url($contact['notify'],$postvars); - logger('dfrn_deliver: ' . "SENDING: " . print_r($postvars,true) . "\n" . "RECEIVING: " . $xml, LOGGER_DATA); + logger('dfrn_deliver: ' . "RECEIVED: " . $xml, LOGGER_DATA); $curl_stat = $a->get_curl_code(); if((! $curl_stat) || (! strlen($xml))) diff --git a/mod/dfrn_notify.php b/mod/dfrn_notify.php index 54fa9b97d..830a2d255 100644 --- a/mod/dfrn_notify.php +++ b/mod/dfrn_notify.php @@ -6,10 +6,11 @@ require_once('include/items.php'); function dfrn_notify_post(&$a) { - $dfrn_id = notags(trim($_POST['dfrn_id'])); - $dfrn_version = (float) $_POST['dfrn_version']; - $challenge = notags(trim($_POST['challenge'])); - $data = $_POST['data']; + $dfrn_id = ((x($_POST,'dfrn_id')) ? notags(trim($_POST['dfrn_id'])) : ''); + $dfrn_version = ((x($_POST,'dfrn_version')) ? (float) $_POST['dfrn_version'] : 2.0); + $challenge = ((x($_POST,'challenge')) ? notags(trim($_POST['challenge'])) : ''); + $data = ((x($_POST,'data')) ? $_POST['data'] : ''); + $key = ((x($_POST,'key')) ? $_POST['key'] : ''); $direction = (-1); if(strpos($dfrn_id,':') == 1) { @@ -50,7 +51,8 @@ function dfrn_notify_post(&$a) { } - $r = q("SELECT `contact`.*, `contact`.`uid` AS `importer_uid`, `user`.* FROM `contact` + $r = q("SELECT `contact`.*, `contact`.`uid` AS `importer_uid`, + `contact`.`pubkey` AS `cpubkey`, `contact`.`prvkey` AS `cprvkey`, `user`.* FROM `contact` LEFT JOIN `user` ON `contact`.`uid` = `user`.`uid` WHERE `contact`.`blocked` = 0 AND `contact`.`pending` = 0 AND `user`.`nickname` = '%s' $sql_extra LIMIT 1", @@ -76,6 +78,23 @@ function dfrn_notify_post(&$a) { //NOTREACHED } + if(strlen($key)) { + $rawkey = hex2bin(trim($key)); + logger('rino: md5 raw key: ' . md5($rawkey)); + $final_key = ''; + + if((($importer['duplex']) && strlen($importer['cpubkey'])) || (! strlen($importer['cprvkey']))) { + openssl_public_decrypt($rawkey,$final_key,$importer['cpubkey']); + } + else { + openssl_private_decrypt($rawkey,$final_key,$importer['cprvkey']); + } + + logger('rino: received key : ' . $final_key); + $data = aes_decrypt(hex2bin($data),$final_key); + logger('rino: decrypted data: ' . $data, LOGGER_DATA); + } + // Consume notification feed. This may differ from consuming a public feed in several ways // - might contain email // - might contain remote followup to our message |