harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

validate the security context

Browse Source
This commit is contained in:
zotlabs 2017-09-03 23:50:18 -07:00
parent 3d0a7f4fc5
commit fc62f07a08
3 changed files with 11 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
Zotlabs/Module/Magic.php
View File

@ -133,10 +133,10 @@ class Magic extends \Zotlabs\Web\Controller {
$channel = \App::get_channel(); $channel = \App::get_channel();
$token = random_string(); $token = random_string();
$token_sig = base64url_encode(rsa_sign($token,$channel['channel_prvkey'])); // $token_sig = base64url_encode(rsa_sign($token,$channel['channel_prvkey']));
$channel['token'] = $token; // $channel['token'] = $token;
$channel['token_sig'] = $token_sig; // $channel['token_sig'] = $token_sig;
\Zotlabs\Zot\Verify::create('auth',$channel['channel_id'],$token,$x[0]['hubloc_url']); \Zotlabs\Zot\Verify::create('auth',$channel['channel_id'],$token,$x[0]['hubloc_url']);

7
Zotlabs/Zot/Auth.php
View File

@ -43,6 +43,12 @@ class Auth {
$this->Finalise(); $this->Finalise();
} }
if(strpbrk($this->sec,'.:')) {
logger('illegal security context');
$this->Debug('illegal security context.');
$this->Finalise();
}
$x = $this->GetHublocs($this->address); $x = $this->GetHublocs($this->address);
if($x) { if($x) {
@ -153,6 +159,7 @@ class Auth {
dbesc($hubloc['hubloc_url']) dbesc($hubloc['hubloc_url'])
); );
// needs a nonce!!!!
$p = zot_build_packet($channel,$type = 'auth_check', $p = zot_build_packet($channel,$type = 'auth_check',
array(array('guid' => $hubloc['hubloc_guid'],'guid_sig' => $hubloc['hubloc_guid_sig'])), array(array('guid' => $hubloc['hubloc_guid'],'guid_sig' => $hubloc['hubloc_guid_sig'])),
$hubloc['hubloc_sitekey'], (($x) ? $x[0]['site_crypto'] : ''), $this->sec); $hubloc['hubloc_sitekey'], (($x) ? $x[0]['site_crypto'] : ''), $this->sec);

1
include/zot.php
View File

@ -4621,6 +4621,7 @@ function zot_reply_auth_check($data,$encrypted_packet) {
// First verify their signature. We will have obtained a zot-info packet from them as part of the sender // First verify their signature. We will have obtained a zot-info packet from them as part of the sender
// verification. // verification.
// needs a nonce!!!!
if ((! $y) || (! rsa_verify($data['secret'], base64url_decode($data['secret_sig']),$y[0]['xchan_pubkey']))) { if ((! $y) || (! rsa_verify($data['secret'], base64url_decode($data['secret_sig']),$y[0]['xchan_pubkey']))) {
logger('mod_zot: auth_check: sender not found or secret_sig invalid.'); logger('mod_zot: auth_check: sender not found or secret_sig invalid.');
$ret['message'] .= 'sender not found or sig invalid ' . print_r($y,true) . EOL; $ret['message'] .= 'sender not found or sig invalid ' . print_r($y,true) . EOL;