until algorithm is sorted, ignore D* verification failures so we can debug the rest

This commit is contained in:
Friendika 2011-08-20 15:09:09 -07:00
parent 0d9d576aa6
commit 8fa6f49242
3 changed files with 25 additions and 26 deletions

View file

@ -7,7 +7,7 @@ require_once('include/text.php');
require_once("include/pgettext.php"); require_once("include/pgettext.php");
define ( 'FRIENDIKA_VERSION', '2.2.1077' ); define ( 'FRIENDIKA_VERSION', '2.2.1078' );
define ( 'DFRN_PROTOCOL_VERSION', '2.21' ); define ( 'DFRN_PROTOCOL_VERSION', '2.21' );
define ( 'DB_UPDATE_VERSION', 1081 ); define ( 'DB_UPDATE_VERSION', 1081 );

View file

@ -3,19 +3,20 @@
require_once('library/ASNValue.class.php'); require_once('library/ASNValue.class.php');
require_once('library/asn1.php'); require_once('library/asn1.php');
// supported algorithms are 'sha256', 'sha1'
function rsa_sign($data,$key) { function rsa_sign($data,$key,$alg = 'sha256') {
$sig = ''; $sig = '';
if (version_compare(PHP_VERSION, '5.3.0', '>=')) { if (version_compare(PHP_VERSION, '5.3.0', '>=') || $alg === 'sha1') {
openssl_sign($data,$sig,$key,'sha256'); openssl_sign($data,$sig,$key,(($alg == 'sha1') ? OPENSSL_ALGO_SHA1 : 'sha256'));
} }
else { else {
if(strlen($key) < 1024 || extension_loaded('gmp')) { if(strlen($key) < 1024 || extension_loaded('gmp')) {
require_once('library/phpsec/Crypt/RSA.php'); require_once('library/phpsec/Crypt/RSA.php');
$rsa = new CRYPT_RSA(); $rsa = new CRYPT_RSA();
$rsa->signatureMode = CRYPT_RSA_SIGNATURE_PKCS1; $rsa->signatureMode = CRYPT_RSA_SIGNATURE_PKCS1;
$rsa->setHash('sha256'); $rsa->setHash($alg);
$rsa->loadKey($key); $rsa->loadKey($key);
$sig = $rsa->sign($data); $sig = $rsa->sign($data);
} }
@ -27,17 +28,17 @@ function rsa_sign($data,$key) {
return $sig; return $sig;
} }
function rsa_verify($data,$sig,$key) { function rsa_verify($data,$sig,$key,$alg = 'sha256') {
if (version_compare(PHP_VERSION, '5.3.0', '>=')) { if (version_compare(PHP_VERSION, '5.3.0', '>=') || $alg === 'sha1') {
$verify = openssl_verify($data,$sig,$key,'sha256'); $verify = openssl_verify($data,$sig,$key,(($alg == 'sha1') ? OPENSSL_ALGO_SHA1 : 'sha256'));
} }
else { else {
if(strlen($key) <= 300 || extension_loaded('gmp')) { if(strlen($key) <= 300 || extension_loaded('gmp')) {
require_once('library/phpsec/Crypt/RSA.php'); require_once('library/phpsec/Crypt/RSA.php');
$rsa = new CRYPT_RSA(); $rsa = new CRYPT_RSA();
$rsa->signatureMode = CRYPT_RSA_SIGNATURE_PKCS1; $rsa->signatureMode = CRYPT_RSA_SIGNATURE_PKCS1;
$rsa->setHash('sha256'); $rsa->setHash($alg);
$rsa->loadKey($key); $rsa->loadKey($key);
$verify = $rsa->verify($data,$sig); $verify = $rsa->verify($data,$sig);
} }

View file

@ -192,7 +192,7 @@ function diaspora_decode($importer,$xml) {
// Add back the 60 char linefeeds // Add back the 60 char linefeeds
// Diaspora devs: This completely violates the entire principle of salmon magic signatures, // This completely violates the entire principle of salmon magic signatures,
// which was to have a message signing format that was completely ambivalent to linefeeds // which was to have a message signing format that was completely ambivalent to linefeeds
// and transport whitespace mangling, and base64 wrapping rules. Guess what? PHP and Ruby // and transport whitespace mangling, and base64 wrapping rules. Guess what? PHP and Ruby
// use different linelengths for base64 output. // use different linelengths for base64 output.
@ -208,7 +208,7 @@ function diaspora_decode($importer,$xml) {
$encoding = $base->encoding; $encoding = $base->encoding;
$alg = $base->alg; $alg = $base->alg;
// Diaspora devs: I can't even begin to tell you how sucky this is. Please read the spec. // I can't even begin to tell you how sucky this is. Please read the spec.
$signed_data = $data . (($data[-1] != "\n") ? "\n" : '') . '.' . base64url_encode($type) . "\n" . '.' . base64url_encode($encoding) . "\n" . '.' . base64url_encode($alg) . "\n"; $signed_data = $data . (($data[-1] != "\n") ? "\n" : '') . '.' . base64url_encode($type) . "\n" . '.' . base64url_encode($encoding) . "\n" . '.' . base64url_encode($alg) . "\n";
@ -231,12 +231,10 @@ function diaspora_decode($importer,$xml) {
} }
// Once we have the author URI, go to the web and try to find their public key // Once we have the author URI, go to the web and try to find their public key
// *** or look it up locally *** // (first this will look it up locally if it is in the fcontact cache)
// This will also convert diaspora public key from pkcs#1 to pkcs#8
logger('mod-diaspora: Fetching key for ' . $author_link ); logger('mod-diaspora: Fetching key for ' . $author_link );
// Get diaspora public key (pkcs#1) and convert to pkcs#8
$key = get_diaspora_key($author_link); $key = get_diaspora_key($author_link);
if(! $key) { if(! $key) {
@ -510,9 +508,10 @@ function diaspora_comment($importer,$xml,$msg) {
} }
} }
if(! rsa_verify($author_signed_data,$author_signature,$key)) { if(! rsa_verify($author_signed_data,$author_signature,$key,'sha1')) {
logger('diaspora_comment: verification failed.'); logger('diaspora_comment: verification failed.');
return; // until we figure out what is different about their signing algorithm, accept it
// return;
} }
@ -523,9 +522,9 @@ function diaspora_comment($importer,$xml,$msg) {
$key = $msg['key']; $key = $msg['key'];
if(! rsa_verify($owner_signed_data,$parent_author_signature,$key)) { if(! rsa_verify($owner_signed_data,$parent_author_signature,$key,'sha1')) {
logger('diaspora_comment: owner verification failed.'); logger('diaspora_comment: owner verification failed.');
return; // return;
} }
} }
@ -677,9 +676,9 @@ function diaspora_like($importer,$xml,$msg) {
} }
} }
if(! rsa_verify($author_signed_data,$author_signature,$key)) { if(! rsa_verify($author_signed_data,$author_signature,$key,'sha1')) {
logger('diaspora_like: verification failed.'); logger('diaspora_like: verification failed.');
return; // return;
} }
if($parent_author_signature) { if($parent_author_signature) {
@ -689,9 +688,9 @@ function diaspora_like($importer,$xml,$msg) {
$key = $msg['key']; $key = $msg['key'];
if(! rsa_verify($owner_signed_data,$parent_author_signature,$key)) { if(! rsa_verify($owner_signed_data,$parent_author_signature,$key,'sha1')) {
logger('diaspora_like: owner verification failed.'); logger('diaspora_like: owner verification failed.');
return; // return;
} }
} }
@ -790,7 +789,6 @@ function diaspora_share($me,$contact) {
$myaddr = $me['nickname'] . '@' . substr($a->get_baseurl(), strpos($a->get_baseurl(),'://') + 3); $myaddr = $me['nickname'] . '@' . substr($a->get_baseurl(), strpos($a->get_baseurl(),'://') + 3);
$theiraddr = $contact['addr']; $theiraddr = $contact['addr'];
logger('diaspora_share: contact: ' . print_r($contact,true), LOGGER_DATA);
$tpl = get_markup_template('diaspora_share.tpl'); $tpl = get_markup_template('diaspora_share.tpl');
$msg = replace_macros($tpl, array( $msg = replace_macros($tpl, array(
'$sender' => $myaddr, '$sender' => $myaddr,
@ -871,7 +869,7 @@ function diaspora_send_followup($item,$owner,$contact) {
else else
$signed_text = $item['guid'] . ';' . $parent_guid . ';' . $text . ';' . $myaddr; $signed_text = $item['guid'] . ';' . $parent_guid . ';' . $text . ';' . $myaddr;
$authorsig = base64_encode(rsa_sign($signed_text,$owner['uprvkey'])); $authorsig = base64_encode(rsa_sign($signed_text,$owner['uprvkey']),'sha1');
$msg = replace_macros($tpl,array( $msg = replace_macros($tpl,array(
'$guid' => xmlify($item['guid']), '$guid' => xmlify($item['guid']),
@ -939,7 +937,7 @@ function diaspora_send_relay($item,$owner,$contact) {
else else
$parent_signed_text = $orig_sign['signed_text']; $parent_signed_text = $orig_sign['signed_text'];
$parentauthorsig = base64_encode(rsa_sign($signed_text,$owner['uprvkey'])); $parentauthorsig = base64_encode(rsa_sign($signed_text,$owner['uprvkey'],'sha1'));
$msg = replace_macros($tpl,array( $msg = replace_macros($tpl,array(
'$guid' => xmlify($item['guid']), '$guid' => xmlify($item['guid']),