From 8ae77d2984771992fe34e76893ac933b1f433812 Mon Sep 17 00:00:00 2001 From: friendica Date: Fri, 2 Nov 2012 01:44:27 -0700 Subject: verify all the signatures before adding contact --- include/follow.php | 3 +++ include/zot.php | 19 +++++++++++++++++-- 2 files changed, 20 insertions(+), 2 deletions(-) (limited to 'include') diff --git a/include/follow.php b/include/follow.php index 9cf501ef4..2b65e389e 100644 --- a/include/follow.php +++ b/include/follow.php @@ -70,6 +70,9 @@ function new_contact($uid,$url,$channel,$interactive = false) { $x = import_xchan_from_json($j); + if(! $x['success']) + return $x; + // Do we already have an abook entry? // go directly to the abook edit page. diff --git a/include/zot.php b/include/zot.php index 2f11eb299..b577493b3 100644 --- a/include/zot.php +++ b/include/zot.php @@ -188,10 +188,16 @@ function zot_register_hub($arr) { function import_xchan_from_json($j) { + $ret = array('success' => false); + $xchan_hash = base64url_encode(hash('whirlpool',$j->guid . $j->guid_sig, true)); $import_photos = false; -// FIXME - verify the signature + if(! rsa_verify($j->guid,base64url_decode($j->guid_sig),$j->key)) { + logger('import_xchan_from_json: Unable to verify channel signature for ' . $j->address); + $ret['message'] = t('Unable to verify channel signature'); + return $ret; + } $r = q("select * from xchan where xchan_hash = '%s' limit 1", dbesc($xchan_hash) @@ -248,6 +254,12 @@ function import_xchan_from_json($j) { if($j->locations) { foreach($j->locations as $location) { + if(! rsa_verify($location->url,base64url_decode($location->url_sig),$j->key)) { + logger('import_xchan_from_json: Unable to verify site signature for ' . $location->url); + $ret['message'] .= sprintf( t('Unable to verify site signature for %s'), $location->url) . EOL; + continue; + } + $r = q("select * from hubloc where hubloc_hash = '%s' and hubloc_url = '%s' limit 1", dbesc($xchan_hash), dbesc($location->url) 
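Review bot: The new `if(! $x['success']) return $x;` in new_contact() assumes import_xchan_from_json() always returns an array, but only the exits shown in this commit are known to do so. If any other return path in the importer, outside these hunks, still returns nothing, `$x` is null here and the caller receives null instead of a failure array with a message. A defensive form is `if((! is_array($x)) || (! $x['success'])) return ((is_array($x)) ? $x : array('success' => false));`, written with braces like the checks added in zot.php. new_contact() continues outside the hunk, so how its callers consume the returned value is not visible.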
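Review bot: The `rsa_verify($j->guid,base64url_decode($j->guid_sig),$j->key)` check takes the public key from the same packet as the signature, so it shows only that the packet is self-consistent, not that the key is the one already recorded for this channel. `$xchan_hash` is derived from `guid` and `guid_sig` alone, so when the `select * from xchan` lookup finds an existing row, the stored key should be compared with `$j->key` before anything is updated; that branch is outside the hunk and may already do this. The hash is also computed before the fields are known to be present, so a guard ahead of it such as `if(empty($j->guid) || empty($j->guid_sig) || empty($j->key)) { $ret['message'] = t('Invalid data packet'); return $ret; }` would reject malformed packets without notices.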
@@ -261,7 +273,6 @@ function import_xchan_from_json($j) { } continue; } -// FIXME verify the signature $r = q("insert into hubloc ( hubloc_guid, hubloc_guid_sig, hubloc_hash, hubloc_addr, hubloc_flags, hubloc_url, hubloc_url_sig, hubloc_host, hubloc_callback, hubloc_sitekey) values ( '%s','%s','%s','%s', %d ,'%s','%s','%s','%s','%s')", @@ -281,4 +292,8 @@ function import_xchan_from_json($j) { } + if(! x($ret,'message')) { + $ret['success'] = true; + } + return $ret; } \ No newline at end of file -- cgit v1.2.3
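Review bot: `success` is inferred here from the absence of `$ret['message']`, so one location that fails verification makes the whole import report failure even though the loop above has already inserted the locations that did verify (and, presumably, the xchan record has been stored). If the commit title means all-or-nothing, check every `url_sig` in a first pass before any insert. If partial import is acceptable, track the outcome explicitly, for example `$failed = true;` in the loop and `$ret['success'] = (! $failed);` at the end, so the message text does not double as the status. The function body begins outside this hunk.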