From aca2e3b52ae44b5abe2681bc03351feb150e47ef Mon Sep 17 00:00:00 2001 From: friendica Date: Fri, 2 Nov 2012 15:34:35 -0700 Subject: add key passing and verification to targeted discovery --- include/zot.php | 8 ++++---- mod/zfinger.php | 18 +++++++++++++----- version.inc | 2 +- 3 files changed, 18 insertions(+), 10 deletions(-) diff --git a/include/zot.php b/include/zot.php index b577493b3..46400f597 100644 --- a/include/zot.php +++ b/include/zot.php @@ -75,7 +75,6 @@ function zot_notify($channel,$url) { function zot_finger($webbie,$channel) { - logger('zot_finger:' . print_r($channel,true)); if(strpos($webbie,'@') === false) { $address = $webbie; $host = get_app()->get_hostname(); @@ -105,9 +104,10 @@ function zot_finger($webbie,$channel) { if($channel) { $postvars = array( - 'address' => $address, - 'target' => $channel['channel_guid'], - 'target_sig' => $channel['channel_guid_sig'] + 'address' => $address, + 'target' => $channel['channel_guid'], + 'target_sig' => $channel['channel_guid_sig'], + 'key' => $channel['channel_pubkey'] ); $result = z_post_url($url . $rhs,$postvars); if(! $result['success']) diff --git a/mod/zfinger.php b/mod/zfinger.php index ea8da0c23..5567f85cf 100644 --- a/mod/zfinger.php +++ b/mod/zfinger.php @@ -7,11 +7,19 @@ function zfinger_init(&$a) { $ret = array('success' => false); - $zguid = ((x($_REQUEST,'guid')) ? $_REQUEST['guid'] : ''); - $zaddr = ((x($_REQUEST,'address')) ? $_REQUEST['address'] : ''); - $ztarget = ((x($_REQUEST,'target')) ? trim($_REQUEST['target']) : ''); - $zsig = ((x($_REQUEST,'target_sig')) ? trim($_REQUEST['target_sig']) : ''); - + $zguid = ((x($_REQUEST,'guid')) ? $_REQUEST['guid'] : ''); + $zaddr = ((x($_REQUEST,'address')) ? $_REQUEST['address'] : ''); + $ztarget = ((x($_REQUEST,'target')) ? $_REQUEST['target'] : ''); + $zsig = ((x($_REQUEST,'target_sig')) ? $_REQUEST['target_sig'] : ''); + $zkey = ((x($_REQUEST,'key')) ? $_REQUEST['key'] : ''); + + if($ztarget) { + if((! $zkey) || (! $zsig) || (! rsa_verify($ztarget,base64url_decode($zsig),$zkey))) { + logger('zfinger: invalid target signature'); + $ret['message'] = t("invalid target signature"); + json_return_and_die($ret); + } + } $r = null; diff --git a/version.inc b/version.inc index da315233a..951e4f480 100644 --- a/version.inc +++ b/version.inc @@ -1 +1 @@ -2012-11-01.125 +2012-11-02.126 -- cgit v1.2.3