secure permission discovery

include/follow.php

@@ -80,7 +80,20 @@ function new_contact($uid,$url,$channel,$interactive = false) {
 
 	$global_perms = get_perms();
 
-	foreach($j->permissions as $k => $v) {
+	if($j->permissions->data) {
+		$permissions = aes_unencapsulate(array(
+			'data' => $j->permissions->data,
+			'key'  => $j->permissions->key,
+			'iv'   => $j->permissions->iv),
+			$channel['channel_prvkey']);
+		if($permissions)
+			$permissions = json_decode($permissions);
+		logger('decrypted permissions: ' . print_r($permissions,true), LOGGER_DATA);
+	}
+	else
+		$permissions = $j->permissions;
+
+	foreach($permissions as $k => $v) {
 		if($v) {
 			$their_perms = $their_perms | intval($global_perms[$k][1]);
 		}

mod/zfinger.php

@@ -78,10 +78,12 @@ function zfinger_init(&$a) {
 
 // FIXME encrypt permissions when targeted so that only the target can view them, requires sending the pubkey and also checking that the target_sig is signed with that pubkey and isn't a forgery. 
 
-	$ret['permissions']   = get_all_perms($e['channel_id'],(($ztarget && $zsig) 
+
+	$permissions = get_all_perms($e['channel_id'],(($ztarget && $zsig) 
 			? base64url_encode(hash('whirlpool',$ztarget . $zsig,true)) 
 			: '' ),false);
 
+	$ret['permissions'] = (($ztarget) ? aes_encapsulate(json_encode($permissions),$zkey) : $permissions);
 
 
 //	$ret['profile']  = $profile;