Protocol: now set data['alg'] on all encapsulated encrypted packets, so that we can more easily retire 'aes256cbc' once it is no longer viable.

friendica 2013-11-20 15:20:12 -08:00
parent f6c41e61ac
commit d7ee552c57
12 changed files with 62 additions and 42 deletions


@ -803,12 +803,6 @@ class App {
$scheme = $this->scheme; $scheme = $this->scheme;
// if((x($this->config,'system')) && (x($this->config['system'],'ssl_policy'))) {
// if(intval($this->config['system']['ssl_policy']) === intval(SSL_POLICY_FULL)) {
// $scheme = 'https';
// }
// }
$this->baseurl = $scheme . "://" . $this->hostname . ((isset($this->path) && strlen($this->path)) ? '/' . $this->path : '' ); $this->baseurl = $scheme . "://" . $this->hostname . ((isset($this->path) && strlen($this->path)) ? '/' . $this->path : '' );
return $this->baseurl; return $this->baseurl;
} }
@ -995,6 +989,9 @@ class App {
)) . $this->page['htmlhead']; )) . $this->page['htmlhead'];
} }
// The following curl functions will go away once we've converted
// all instances of (fetch|post)_url() to z_(fetch|post)_url()
function set_curl_code($code) { function set_curl_code($code) {
$this->curl_code = $code; $this->curl_code = $code;
} }
@ -1186,7 +1183,6 @@ function is_ajax() {
// $_SERVER variables, and synchronising the state of installed plugins. // $_SERVER variables, and synchronising the state of installed plugins.
function check_config(&$a) { function check_config(&$a) {
$build = get_config('system','db_version'); $build = get_config('system','db_version');


@ -49,6 +49,13 @@ function AES256CBC_decrypt($data,$key,$iv) {
str_pad($iv,16,"\0"))); str_pad($iv,16,"\0")));
} }
function crypto_encapsulate($data,$pubkey,$alg='aes256cbc') {
if($alg === 'aes256cbc')
return aes_encapsulate($data,$pubkey);
}
function aes_encapsulate($data,$pubkey) { function aes_encapsulate($data,$pubkey) {
if(! $pubkey) if(! $pubkey)
logger('aes_encapsulate: no key. data: ' . $data); logger('aes_encapsulate: no key. data: ' . $data);
@ -60,12 +67,21 @@ function aes_encapsulate($data,$pubkey) {
$x = debug_backtrace(); $x = debug_backtrace();
logger('aes_encapsulate: RSA failed. ' . print_r($x[0],true)); logger('aes_encapsulate: RSA failed. ' . print_r($x[0],true));
} }
$result['alg'] = 'aes256cbc';
$result['key'] = base64url_encode($k,true); $result['key'] = base64url_encode($k,true);
openssl_public_encrypt($iv,$i,$pubkey); openssl_public_encrypt($iv,$i,$pubkey);
$result['iv'] = base64url_encode($i,true); $result['iv'] = base64url_encode($i,true);
return $result; return $result;
} }
function crypto_unencapsulate($data,$prvkey) {
$alg = ((array_key_exists('alg',$data)) ? $data['alg'] : 'aes256cbc');
if($alg === 'aes256cbc')
return aes_unencapsulate($data,$prvkey);
}
function aes_unencapsulate($data,$prvkey) { function aes_unencapsulate($data,$prvkey) {
openssl_private_decrypt(base64url_decode($data['key']),$k,$prvkey); openssl_private_decrypt(base64url_decode($data['key']),$k,$prvkey);
openssl_private_decrypt(base64url_decode($data['iv']),$i,$prvkey); openssl_private_decrypt(base64url_decode($data['iv']),$i,$prvkey);
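Review bot: An unsupported algorithm falls off the end of both new dispatchers, so `crypto_encapsulate()` and `crypto_unencapsulate()` return NULL without a log entry whenever the algorithm is anything other than 'aes256cbc'. On the decrypt side `alg` is taken from the received packet, so rejecting unknown values is the right outcome, but it should be explicit, e.g. `logger('crypto_unencapsulate: unsupported alg'); return false;` after the `if`, and likewise in `crypto_encapsulate()` so that a caller never hands NULL to `json_encode()` as if it were ciphertext. `array_key_exists('alg',$data)` also assumes `$data` is an array, while several callers pass a JSON-decode result straight in; an `is_array($data)` guard before it would be prudent. Because a packet without `alg` is treated as 'aes256cbc', that default has to be removed before the old cipher can really be retired, and a comment saying so would help. The body of `aes_unencapsulate()` continues outside the hunk.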


@ -96,7 +96,7 @@ function new_contact($uid,$url,$channel,$interactive = false, $confirm = false)
$global_perms = get_perms(); $global_perms = get_perms();
if( array_key_exists('permissions',$j) && array_key_exists('data',$j['permissions'])) { if( array_key_exists('permissions',$j) && array_key_exists('data',$j['permissions'])) {
$permissions = aes_unencapsulate(array( $permissions = crypto_unencapsulate(array(
'data' => $j['permissions']['data'], 'data' => $j['permissions']['data'],
'key' => $j['permissions']['key'], 'key' => $j['permissions']['key'],
'iv' => $j['permissions']['iv']), 'iv' => $j['permissions']['iv']),
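Review bot: The array handed to `crypto_unencapsulate()` here is rebuilt from only `data`, `key` and `iv`, so any `alg` the remote site placed in `$j['permissions']` is dropped and the dispatcher will always fall back to 'aes256cbc'. Passing `$j['permissions']` through whole, as the message_post() call in this commit does, keeps the field. Adding an `'alg'` key unconditionally would instead break packets from older sites that omit it. The same three-key rebuild appears in the zot_refresh() hunk. The array literal and the rest of the call close outside this hunk.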


@ -644,9 +644,9 @@ function get_item_elements($x) {
$arr['item_flags'] = $arr['item_flags'] | ITEM_OBSCURED; $arr['item_flags'] = $arr['item_flags'] | ITEM_OBSCURED;
$key = get_config('system','pubkey'); $key = get_config('system','pubkey');
if($arr['title']) if($arr['title'])
$arr['title'] = json_encode(aes_encapsulate($arr['title'],$key)); $arr['title'] = json_encode(crypto_encapsulate($arr['title'],$key));
if($arr['body']) if($arr['body'])
$arr['body'] = json_encode(aes_encapsulate($arr['body'],$key)); $arr['body'] = json_encode(crypto_encapsulate($arr['body'],$key));
} }
@ -699,9 +699,9 @@ function encode_item($item) {
if(array_key_exists('item_flags',$item) && ($item['item_flags'] & ITEM_OBSCURED)) { if(array_key_exists('item_flags',$item) && ($item['item_flags'] & ITEM_OBSCURED)) {
$key = get_config('system','prvkey'); $key = get_config('system','prvkey');
if($item['title']) if($item['title'])
$item['title'] = aes_unencapsulate(json_decode_plus($item['title']),$key); $item['title'] = crypto_unencapsulate(json_decode_plus($item['title']),$key);
if($item['body']) if($item['body'])
$item['body'] = aes_unencapsulate(json_decode_plus($item['body']),$key); $item['body'] = crypto_unencapsulate(json_decode_plus($item['body']),$key);
} }
if($item['item_restrict'] & ITEM_DELETED) { if($item['item_restrict'] & ITEM_DELETED) {
@ -908,9 +908,9 @@ function encode_mail($item) {
if(array_key_exists('mail_flags',$item) && ($item['mail_flags'] & MAIL_OBSCURED)) { if(array_key_exists('mail_flags',$item) && ($item['mail_flags'] & MAIL_OBSCURED)) {
$key = get_config('system','prvkey'); $key = get_config('system','prvkey');
if($item['title']) if($item['title'])
$item['title'] = aes_unencapsulate(json_decode_plus($item['title']),$key); $item['title'] = crypto_unencapsulate(json_decode_plus($item['title']),$key);
if($item['body']) if($item['body'])
$item['body'] = aes_unencapsulate(json_decode_plus($item['body']),$key); $item['body'] = crypto_unencapsulate(json_decode_plus($item['body']),$key);
} }
$x['message_id'] = $item['mid']; $x['message_id'] = $item['mid'];
@ -963,10 +963,10 @@ function get_mail_elements($x) {
$arr['mail_flags'] |= MAIL_OBSCURED; $arr['mail_flags'] |= MAIL_OBSCURED;
$arr['body'] = htmlentities($arr['body'],ENT_COMPAT,'UTF-8',false); $arr['body'] = htmlentities($arr['body'],ENT_COMPAT,'UTF-8',false);
if($arr['body']) if($arr['body'])
$arr['body'] = json_encode(aes_encapsulate($arr['body'],$key)); $arr['body'] = json_encode(crypto_encapsulate($arr['body'],$key));
$arr['title'] = htmlentities($arr['title'],ENT_COMPAT,'UTF-8',false); $arr['title'] = htmlentities($arr['title'],ENT_COMPAT,'UTF-8',false);
if($arr['title']) if($arr['title'])
$arr['title'] = json_encode(aes_encapsulate($arr['title'],$key)); $arr['title'] = json_encode(crypto_encapsulate($arr['title'],$key));
if($arr['created'] > datetime_convert()) if($arr['created'] > datetime_convert())
$arr['created'] = datetime_convert(); $arr['created'] = datetime_convert();
@ -1516,9 +1516,9 @@ function item_store($arr,$allow_exec = false) {
$key = get_config('system','pubkey'); $key = get_config('system','pubkey');
$arr['item_flags'] = $arr['item_flags'] | ITEM_OBSCURED; $arr['item_flags'] = $arr['item_flags'] | ITEM_OBSCURED;
if($arr['title']) if($arr['title'])
$arr['title'] = json_encode(aes_encapsulate($arr['title'],$key)); $arr['title'] = json_encode(crypto_encapsulate($arr['title'],$key));
if($arr['body']) if($arr['body'])
$arr['body'] = json_encode(aes_encapsulate($arr['body'],$key)); $arr['body'] = json_encode(crypto_encapsulate($arr['body'],$key));
} }
} }
@ -1887,9 +1887,9 @@ function item_store_update($arr,$allow_exec = false) {
$key = get_config('system','pubkey'); $key = get_config('system','pubkey');
$arr['item_flags'] = $arr['item_flags'] | ITEM_OBSCURED; $arr['item_flags'] = $arr['item_flags'] | ITEM_OBSCURED;
if($arr['title']) if($arr['title'])
$arr['title'] = json_encode(aes_encapsulate($arr['title'],$key)); $arr['title'] = json_encode(crypto_encapsulate($arr['title'],$key));
if($arr['body']) if($arr['body'])
$arr['body'] = json_encode(aes_encapsulate($arr['body'],$key)); $arr['body'] = json_encode(crypto_encapsulate($arr['body'],$key));
} }
} }
@ -2243,7 +2243,7 @@ function tag_deliver($uid,$item_id) {
if($item['item_flags'] & ITEM_OBSCURED) { if($item['item_flags'] & ITEM_OBSCURED) {
$key = get_config('system','prvkey'); $key = get_config('system','prvkey');
if($item['body']) if($item['body'])
$body = aes_unencapsulate(json_decode_plus($item['body']),$key); $body = crypto_unencapsulate(json_decode_plus($item['body']),$key);
} }
else else
$body = $item['body']; $body = $item['body'];


@ -109,9 +109,9 @@ function send_message($uid = 0, $recipient='', $body='', $subject='', $replyto='
$key = get_config('system','pubkey'); $key = get_config('system','pubkey');
if($subject) if($subject)
$subject = json_encode(aes_encapsulate($subject,$key)); $subject = json_encode(crypto_encapsulate($subject,$key));
if($body) if($body)
$body = json_encode(aes_encapsulate($body,$key)); $body = json_encode(crypto_encapsulate($body,$key));
@ -231,9 +231,9 @@ function private_messages_list($uid, $mailbox = '', $start = 0, $numitems = 0) {
$key = get_config('system','prvkey'); $key = get_config('system','prvkey');
if($r[$k]['title']) if($r[$k]['title'])
$r[$k]['title'] = aes_unencapsulate(json_decode_plus($r[$k]['title']),$key); $r[$k]['title'] = crypto_unencapsulate(json_decode_plus($r[$k]['title']),$key);
if($r[$k]['body']) if($r[$k]['body'])
$r[$k]['body'] = aes_unencapsulate(json_decode_plus($r[$k]['body']),$key); $r[$k]['body'] = crypto_unencapsulate(json_decode_plus($r[$k]['body']),$key);
} }
} }
@ -270,9 +270,9 @@ function private_messages_fetch_message($channel_id, $messageitem_id, $updatesee
if($messages[$k]['mail_flags'] & MAIL_OBSCURED) { if($messages[$k]['mail_flags'] & MAIL_OBSCURED) {
$key = get_config('system','prvkey'); $key = get_config('system','prvkey');
if($messages[$k]['title']) if($messages[$k]['title'])
$messages[$k]['title'] = aes_unencapsulate(json_decode_plus($messages[$k]['title']),$key); $messages[$k]['title'] = crypto_unencapsulate(json_decode_plus($messages[$k]['title']),$key);
if($messages[$k]['body']) if($messages[$k]['body'])
$messages[$k]['body'] = aes_unencapsulate(json_decode_plus($messages[$k]['body']),$key); $messages[$k]['body'] = crypto_unencapsulate(json_decode_plus($messages[$k]['body']),$key);
} }
} }
@ -358,9 +358,9 @@ function private_messages_fetch_conversation($channel_id, $messageitem_id, $upda
if($messages[$k]['mail_flags'] & MAIL_OBSCURED) { if($messages[$k]['mail_flags'] & MAIL_OBSCURED) {
$key = get_config('system','prvkey'); $key = get_config('system','prvkey');
if($messages[$k]['title']) if($messages[$k]['title'])
$messages[$k]['title'] = aes_unencapsulate(json_decode_plus($messages[$k]['title']),$key); $messages[$k]['title'] = crypto_unencapsulate(json_decode_plus($messages[$k]['title']),$key);
if($messages[$k]['body']) if($messages[$k]['body'])
$messages[$k]['body'] = aes_unencapsulate(json_decode_plus($messages[$k]['body']),$key); $messages[$k]['body'] = crypto_unencapsulate(json_decode_plus($messages[$k]['body']),$key);
} }
} }


@ -1010,9 +1010,9 @@ function unobscure(&$item) {
if(array_key_exists('item_flags',$item) && ($item['item_flags'] & ITEM_OBSCURED)) { if(array_key_exists('item_flags',$item) && ($item['item_flags'] & ITEM_OBSCURED)) {
$key = get_config('system','prvkey'); $key = get_config('system','prvkey');
if($item['title']) if($item['title'])
$item['title'] = aes_unencapsulate(json_decode_plus($item['title']),$key); $item['title'] = crypto_unencapsulate(json_decode_plus($item['title']),$key);
if($item['body']) if($item['body'])
$item['body'] = aes_unencapsulate(json_decode_plus($item['body']),$key); $item['body'] = crypto_unencapsulate(json_decode_plus($item['body']),$key);
} }
} }


@ -82,7 +82,7 @@ function zot_build_packet($channel,$type = 'notify',$recipients = null, $remote_
// Hush-hush ultra top-secret mode // Hush-hush ultra top-secret mode
if($remote_key) { if($remote_key) {
$data = aes_encapsulate(json_encode($data),$remote_key); $data = crypto_encapsulate(json_encode($data),$remote_key);
} }
return json_encode($data); return json_encode($data);
@ -269,7 +269,7 @@ function zot_refresh($them,$channel = null) {
if($channel) { if($channel) {
$global_perms = get_perms(); $global_perms = get_perms();
if($j['permissions']['data']) { if($j['permissions']['data']) {
$permissions = aes_unencapsulate(array( $permissions = crypto_unencapsulate(array(
'data' => $j['permissions']['data'], 'data' => $j['permissions']['data'],
'key' => $j['permissions']['key'], 'key' => $j['permissions']['key'],
'iv' => $j['permissions']['iv']), 'iv' => $j['permissions']['iv']),
@ -823,7 +823,7 @@ function zot_fetch($arr) {
'secret_sig' => base64url_encode(rsa_sign($arr['secret'],get_config('system','prvkey'))) 'secret_sig' => base64url_encode(rsa_sign($arr['secret'],get_config('system','prvkey')))
); );
$datatosend = json_encode(aes_encapsulate(json_encode($data),$ret_hub['hubloc_sitekey'])); $datatosend = json_encode(crypto_encapsulate(json_encode($data),$ret_hub['hubloc_sitekey']));
$fetch = zot_zot($url,$datatosend); $fetch = zot_zot($url,$datatosend);
$result = zot_import($fetch, $arr['sender']['url']); $result = zot_import($fetch, $arr['sender']['url']);
@ -849,7 +849,7 @@ function zot_import($arr, $sender_url) {
} }
if(array_key_exists('iv',$data)) { if(array_key_exists('iv',$data)) {
$data = json_decode(aes_unencapsulate($data,get_config('system','prvkey')),true); $data = json_decode(crypto_unencapsulate($data,get_config('system','prvkey')),true);
} }
$incoming = $data['pickup']; $incoming = $data['pickup'];
@ -861,7 +861,7 @@ function zot_import($arr, $sender_url) {
$result = null; $result = null;
if(array_key_exists('iv',$i['notify'])) { if(array_key_exists('iv',$i['notify'])) {
$i['notify'] = json_decode(aes_unencapsulate($i['notify'],get_config('system','prvkey')),true); $i['notify'] = json_decode(crypto_unencapsulate($i['notify'],get_config('system','prvkey')),true);
} }
logger('zot_import: notify: ' . print_r($i['notify'],true), LOGGER_DATA); logger('zot_import: notify: ' . print_r($i['notify'],true), LOGGER_DATA);
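Review bot: Encrypted payloads in zot_import() are still detected with `array_key_exists('iv',$data)` and `array_key_exists('iv',$i['notify'])`, which ties detection to the field layout of aes256cbc. If a replacement algorithm does not carry a separate `iv` member, such packets would skip `crypto_unencapsulate()` and be handled as plaintext JSON. Testing for `alg` as well, `array_key_exists('alg',$data) || array_key_exists('iv',$data)`, would keep detection independent of the cipher. The post_post() hunk uses the same `iv` test. Whether any planned algorithm omits `iv` is not visible here, so treat this as a forward-compatibility point.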


@ -57,9 +57,9 @@ function editpost_content(&$a) {
if($itm[0]['item_flags'] & ITEM_OBSCURED) { if($itm[0]['item_flags'] & ITEM_OBSCURED) {
$key = get_config('system','prvkey'); $key = get_config('system','prvkey');
if($itm[0]['title']) if($itm[0]['title'])
$itm[0]['title'] = aes_unencapsulate(json_decode_plus($itm[0]['title']),$key); $itm[0]['title'] = crypto_unencapsulate(json_decode_plus($itm[0]['title']),$key);
if($itm[0]['body']) if($itm[0]['body'])
$itm[0]['body'] = aes_unencapsulate(json_decode_plus($itm[0]['body']),$key); $itm[0]['body'] = crypto_unencapsulate(json_decode_plus($itm[0]['body']),$key);
} }
$tpl = get_markup_template("jot.tpl"); $tpl = get_markup_template("jot.tpl");


@ -79,7 +79,7 @@ function message_post(&$a) {
$global_perms = get_perms(); $global_perms = get_perms();
if($j['permissions']['data']) { if($j['permissions']['data']) {
$permissions = aes_unencapsulate($j['permissions'],$channel['channel_prvkey']); $permissions = crypto_unencapsulate($j['permissions'],$channel['channel_prvkey']);
if($permissions) if($permissions)
$permissions = json_decode($permissions); $permissions = json_decode($permissions);
logger('decrypted permissions: ' . print_r($permissions,true), LOGGER_DATA); logger('decrypted permissions: ' . print_r($permissions,true), LOGGER_DATA);


@ -172,7 +172,7 @@ function post_post(&$a) {
*/ */
if(array_key_exists('iv',$data)) { if(array_key_exists('iv',$data)) {
$data = aes_unencapsulate($data,get_config('system','prvkey')); $data = crypto_unencapsulate($data,get_config('system','prvkey'));
logger('mod_zot: decrypt1: ' . $data, LOGGER_DATA); logger('mod_zot: decrypt1: ' . $data, LOGGER_DATA);
// susceptible to Bleichenbacher's attack // susceptible to Bleichenbacher's attack
@ -312,7 +312,7 @@ function post_post(&$a) {
); );
} }
} }
$encrypted = aes_encapsulate(json_encode($ret),$sitekey); $encrypted = crypto_encapsulate(json_encode($ret),$sitekey);
json_return_and_die($encrypted); json_return_and_die($encrypted);
/** pickup: end */ /** pickup: end */


@ -26,7 +26,7 @@ function probe_content(&$a) {
$j = json_decode($res['body'],true); $j = json_decode($res['body'],true);
} }
if($j && $j['permissions'] && $j['permissions']['iv']) if($j && $j['permissions'] && $j['permissions']['iv'])
$j['permissions'] = json_decode(aes_unencapsulate($j['permissions'],$channel['channel_prvkey']),true); $j['permissions'] = json_decode(crypto_unencapsulate($j['permissions'],$channel['channel_prvkey']),true);
$o .= str_replace("\n",'<br />',print_r($j,true)); $o .= str_replace("\n",'<br />',print_r($j,true));
$o .= '</pre>'; $o .= '</pre>';
} }


@ -7,6 +7,14 @@ function register_init(&$a) {
$result = null; $result = null;
$cmd = ((argc() > 1) ? argv(1) : ''); $cmd = ((argc() > 1) ? argv(1) : '');
// Provide a stored request for somebody desiring a connection
// when they first need to register someplace. Once they've
// created a channel, we'll try to revive the connection request
// and process it.
if($_REQUEST['connect'])
$_SESSION['connect'] = $_REQUEST['connect'];
switch($cmd) { switch($cmd) {
case 'invite_check.json': case 'invite_check.json':
$result = check_account_invite($_REQUEST['invite_code']); $result = check_account_invite($_REQUEST['invite_code']);
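Review bot: The added `if($_REQUEST['connect'])` copies a request parameter into the session unvalidated, and it reads the index without checking that it exists. `$_REQUEST` can carry an array and, depending on `request_order`, cookie values, so the value should be constrained before it is stored: `if(isset($_REQUEST['connect']) && is_string($_REQUEST['connect']))` followed by `$_SESSION['connect'] = trim($_REQUEST['connect']);`. The code that later revives the connection request from `$_SESSION['connect']` is not in this hunk and needs to treat the value as untrusted input. This change is unrelated to the `alg` work and would be easier to review as its own commit.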