Diffstat (limited to 'Zotlabs/Zot')
-rw-r--r--Zotlabs/Zot/Auth.php16
-rw-r--r--Zotlabs/Zot/Finger.php27
-rw-r--r--Zotlabs/Zot/IHandler.php2
-rw-r--r--Zotlabs/Zot/Receiver.php8
-rw-r--r--Zotlabs/Zot/Verify.php16
-rw-r--r--Zotlabs/Zot/ZotHandler.php4
6 files changed, 62 insertions, 11 deletions
diff --git a/Zotlabs/Zot/Auth.php b/Zotlabs/Zot/Auth.php
index d4d3bee1d..8d198f506 100644
--- a/Zotlabs/Zot/Auth.php
+++ b/Zotlabs/Zot/Auth.php
@@ -43,6 +43,12 @@ class Auth {
$this->Finalise();
}
+ if(strpbrk($this->sec,'.:')) {
+ logger('illegal security context');
+ $this->Debug('illegal security context.');
+ $this->Finalise();
+ }
+
$x = $this->GetHublocs($this->address);
if($x) {
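Review bot: The new strpbrk check rejects the security context only if Finalise() terminates the request; Finalise() is defined outside this hunk, and should it ever return, execution falls through to GetHublocs with the rejected `$this->sec` still set. An explicit `return;` after `$this->Finalise();` would make the fail-closed intent independent of Finalise()'s behaviour. The check also hands `$this->sec` to strpbrk before anything has established it is a non-null string (the 'missing security context' check comes later in the file), and null arguments to strpbrk are deprecated on PHP 8.1+; `if($this->sec && strpbrk($this->sec,'.:'))` avoids that. The enclosing method starts outside the hunk.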
@@ -109,6 +115,14 @@ class Auth {
$this->remote_hub = $hubloc['hubloc_url'];
$this->dnt = 0;
+ if(! $this->sec) {
+ logger('missing security context.');
+ if($this->test)
+ $this->Debug('missing security context.');
+ return false;
+ }
+
+
// check credentials and access
// If they are already authenticated and haven't changed credentials,
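Review bot: The `if(! $this->sec)` guard sits after `$this->remote_hub` and `$this->dnt` have already been assigned from the hubloc, so a request that fails here leaves partially populated state on the object for whatever the caller does next; moving the guard ahead of those assignments (or to the start of the method, whose header is outside this hunk) fails fast and keeps the object consistent. It is also a truthiness test, so a context of `'0'` counts as missing — that fails closed, but `if(! strlen((string) $this->sec))` says what is meant. The doubled blank line after the block is a style nit.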
@@ -176,7 +190,7 @@ class Auth {
return false;
}
- $this->Debug('auth check request returned .' . print_r($j, true));
+ $this->Debug('auth check request returned ' . print_r($j, true));
if(! $j['success'])
return false;
diff --git a/Zotlabs/Zot/Finger.php b/Zotlabs/Zot/Finger.php
index 7e0f5fb7c..348171bdc 100644
--- a/Zotlabs/Zot/Finger.php
+++ b/Zotlabs/Zot/Finger.php
@@ -22,6 +22,7 @@ class Finger {
*
* @return zotinfo array (with 'success' => true) or array('success' => false);
*/
+
static public function run($webbie, $channel = null, $autofallback = true) {
$ret = array('success' => false);
@@ -84,18 +85,27 @@ class Finger {
'token' => self::$token
);
- $result = z_post_url($url . $rhs,$postvars);
+ $headers = [];
+ $headers['X-Zot-Channel'] = $channel['channel_address'] . '@' . \App::get_hostname();
+ $headers['X-Zot-Nonce'] = random_string();
+ $xhead = \Zotlabs\Web\HTTPSig::create_sig('',$headers,$channel['channel_prvkey'],
+ 'acct:' . $channel['channel_address'] . '@' . \App::get_hostname(),false);
+
+ $retries = 0;
+
+ $result = z_post_url($url . $rhs,$postvars,$retries, [ 'headers' => $xhead ]);
if ((! $result['success']) && ($autofallback)) {
if ($https) {
logger('zot_finger: https failed. falling back to http');
- $result = z_post_url('http://' . $host . $rhs,$postvars);
+ $result = z_post_url('http://' . $host . $rhs,$postvars, $retries, [ 'headers' => $xhead ]);
}
}
- } else {
+ }
+ else {
$rhs .= '?f=&address=' . urlencode($address) . '&token=' . self::$token;
- $result = z_fetch_url($url . $rhs);
+ $result = z_fetch_url($url . $rhs);
if((! $result['success']) && ($autofallback)) {
if($https) {
logger('zot_finger: https failed. falling back to http');
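Review bot: The request signature built with `HTTPSig::create_sig('', $headers, ...)` passes an empty request-target and signs only X-Zot-Channel and X-Zot-Nonce, so as far as this hunk shows it is not bound to the URL or to `$postvars`; a captured `$xhead` could be replayed against a different target or body. If create_sig supports it, pass the request target (e.g. `'post ' . parse_url($url . $rhs, PHP_URL_PATH)`) and add a `Digest` header over the encoded body to the signed set. The same `$xhead` (same nonce) is also reused on the http fallback, and downgrading a signed request to plain http exposes those headers to a passive observer — that fallback deserves at least a warning-level log line. The branch this code sits in (presumably an `if($channel)`) starts outside the hunk.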
@@ -111,7 +121,10 @@ class Finger {
}
$x = json_decode($result['body'], true);
- if($x) {
+
+ $verify = \Zotlabs\Web\HTTPSig::verify($result,(($x) ? $x['key'] : ''));
+
+ if($x && (! $verify['header_valid'])) {
$signed_token = ((is_array($x) && array_key_exists('signed_token', $x)) ? $x['signed_token'] : null);
if($signed_token) {
$valid = rsa_verify('token.' . self::$token, base64url_decode($signed_token), $x['key']);
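Review bot: `$x['key']` is read in the `HTTPSig::verify` call one line before the `is_array($x)` guard, so a body that decodes to a scalar or lacks `key` produces a warning (or a TypeError for string offsets on PHP 8) instead of a clean failure; use `((is_array($x) && isset($x['key'])) ? $x['key'] : '')`. When `header_valid` is true the signed_token path is skipped entirely, so the HTTP signature becomes the sole proof of key possession — that is only sound if verify() binds the response to this request's X-Zot-Nonce; HTTPSig::verify is outside this hunk so I cannot confirm it does. In both paths the key comes from the response itself, so binding that key to the fingered identity must happen in the caller.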
@@ -123,9 +136,7 @@ class Finger {
}
else {
logger('No signed token from ' . $url . $rhs, LOGGER_NORMAL, LOG_WARNING);
- // after 2017-01-01 this will be a hard error unless you over-ride it.
- if((time() > 1483228800) && (! get_config('system', 'allow_unsigned_zotfinger')))
- return $ret;
+ return $ret;
}
}
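Review bot: Removing the `system.allow_unsigned_zotfinger` override makes an unsigned zotinfo response a hard failure with no admin escape hatch; that is the right default, but the removal needs a one-line changelog/upgrade note, because sites still setting that config will see fingers to old hubs start failing with only the existing 'No signed token' warning to explain it. Raising that log line to an explicit `'Rejected unsigned zotfinger response from ' . $url . $rhs` would make the cause obvious in logs.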
diff --git a/Zotlabs/Zot/IHandler.php b/Zotlabs/Zot/IHandler.php
index eeca1555c..dd82f5be6 100644
--- a/Zotlabs/Zot/IHandler.php
+++ b/Zotlabs/Zot/IHandler.php
@@ -12,6 +12,8 @@ interface IHandler {
function Request($data);
+ function Rekey($sender,$data);
+
function AuthCheck($data,$encrypted);
function Purge($sender,$recipients);
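Review bot: Adding `Rekey($sender,$data)` to the IHandler interface is a breaking change for any implementer other than ZotHandler, and the new method carries no docblock. Add one above it stating what `$sender` and `$data` hold and which validation an implementation is expected to perform, along the lines of `/** Handle a 'rekey' packet: $sender is the sender record, $data the packet body. */`, extended with whatever zot_rekey_request actually enforces.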
diff --git a/Zotlabs/Zot/Receiver.php b/Zotlabs/Zot/Receiver.php
index 71d57eb35..c521c9d64 100644
--- a/Zotlabs/Zot/Receiver.php
+++ b/Zotlabs/Zot/Receiver.php
@@ -120,6 +120,10 @@ class Receiver {
$this->handler->Notify($this->data);
break;
+ case 'rekey':
+ $this->handler->Rekey($this->sender, $this->data);
+ break;
+
default:
$this->response['message'] = 'Not implemented';
json_return_and_die($this->response);
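Review bot: The new `rekey` case hands `$this->sender` and `$this->data` straight to the handler. Rekey rebinds an identity to a new key, making it the most sensitive packet type dispatched here, so the preconditions this switch relies on — whether the sender's signature over the packet has already been verified and whether an unencrypted rekey packet is accepted — should be stated; that verification code is outside this hunk so I cannot confirm it. A comment such as `// rekey: sender must already be verified above; the handler must check the new key is signed by the old one` would pin the contract.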
@@ -138,7 +142,6 @@ class Receiver {
* This packet is optionally encrypted, which we will discover if the json has an 'iv' element.
* $contents => array( 'alg' => 'aes256cbc', 'iv' => initialisation vector, 'key' => decryption key, 'data' => encrypted data);
* $contents->iv and $contents->key are random strings encrypted with this site's RSA public key and then base64url encoded.
- * Currently only 'aes256cbc' is used, but this is extensible should that algorithm prove inadequate.
*
* Once decrypted, one will find the normal json_encoded zot message packet.
*
@@ -156,7 +159,8 @@ class Receiver {
* },
* "recipients": { optional recipient array },
* "callback":"\/post",
- * "version":1,
+ * "version":"1.2",
+ * "encryption":["aes256cbc"],
* "secret":"1eaa...",
* "secret_sig": "df89025470fac8..."
* }
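Review bot: The updated packet example now advertises `"encryption":["aes256cbc"]` as a list, but the description of the `alg` element a few lines up no longer says how a receiver treats an `alg` that is not in that list. Add a sentence after the `$contents` line, e.g. `Receivers must reject packets whose 'alg' is not one they advertise; unknown algorithms are never decrypted.`, and confirm it matches the decrypt path, which is outside this hunk.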
diff --git a/Zotlabs/Zot/Verify.php b/Zotlabs/Zot/Verify.php
index 06bd3188c..1d9e6de3f 100644
--- a/Zotlabs/Zot/Verify.php
+++ b/Zotlabs/Zot/Verify.php
@@ -31,6 +31,22 @@ class Verify {
return false;
}
+
+ function get_meta($type,$channel_id,$token) {
+ $r = q("select id, meta from verify where vtype = '%s' and channel = %d and token = '%s' limit 1",
+ dbesc($type),
+ intval($channel_id),
+ dbesc($token)
+ );
+ if($r) {
+ q("delete from verify where id = %d",
+ intval($r[0]['id'])
+ );
+ return $r[0]['meta'];
+ }
+ return false;
+ }
+
function purge($type,$interval) {
q("delete from verify where vtype = '%s' and created < %s - INTERVAL %s",
dbesc($type),
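Review bot: `get_meta` reads the row and then deletes it in a separate statement, so two concurrent requests presenting the same token can both pass the select before either delete runs — the token is meant to be single-use but is not atomically consumed. Delete first keyed by the selected id and return `meta` only when the delete affected a row (or wrap the pair in a transaction), and note the method does no expiry check of its own, relying on `purge()` having run. It also lacks a visibility keyword and a docblock describing the one-shot semantics, e.g. `/** Fetch and consume the meta for a one-time verify token; returns false when no row matches. */`.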
diff --git a/Zotlabs/Zot/ZotHandler.php b/Zotlabs/Zot/ZotHandler.php
index aab336545..ab8815b3d 100644
--- a/Zotlabs/Zot/ZotHandler.php
+++ b/Zotlabs/Zot/ZotHandler.php
@@ -20,6 +20,10 @@ class ZotHandler implements IHandler {
zot_reply_message_request($data);
}
+ function Rekey($sender,$data) {
+ zot_rekey_request($sender,$data);
+ }
+
function AuthCheck($data,$encrypted) {
zot_reply_auth_check($data,$encrypted);
}