Streams/streams
Streams/streams
1
0
Fork 0
mirror of https://codeberg.org/streams/streams.git synced 2024-09-20 06:55:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
streams/include/crypto.php

158 lines
4 KiB
PHP
Raw Normal View History

start formatting for Doxygen
2013-02-26 01:09:40 +00:00
<?php /** @file */
helper functions for Diaspora cert mangling
2011-07-26 02:57:17 +00:00
until algorithm is sorted, ignore D* verification failures so we can debug the rest
2011-08-20 22:09:09 +00:00
function rsa_sign($data,$key,$alg = 'sha256') {
y'all got mail
2012-12-06 00:44:07 +00:00
if(! $key)
return 'no key';
crypto stuff
2011-08-10 01:55:46 +00:00
$sig = '';
bloody hell - it isn't defined either.
2013-12-16 02:43:54 +00:00
if(intval(OPENSSL_ALGO_SHA256) && $alg === 'sha256')
bloody hell... php version incompatibility with openssl - openssl no longer accepts a string as an algorithm. Earlier versions didn't recognise sha256. So we'll look to see if the algorithm constant for sha256 is defined and if so we'll use that instead of the string.
2013-12-16 02:30:10 +00:00
$alg = OPENSSL_ALGO_SHA256;
simplify
2012-07-21 10:48:59 +00:00
openssl_sign($data,$sig,$key,$alg);
crypto stuff
2011-08-10 01:55:46 +00:00
return $sig;
}
until algorithm is sorted, ignore D* verification failures so we can debug the rest
2011-08-20 22:09:09 +00:00
function rsa_verify($data,$sig,$key,$alg = 'sha256') {
crypto stuff
2011-08-10 01:55:46 +00:00
y'all got mail
2012-12-06 00:44:07 +00:00
if(! $key)
return false;
bloody hell - it isn't defined either.
2013-12-16 02:43:54 +00:00
if(intval(OPENSSL_ALGO_SHA256) && $alg === 'sha256')
bloody hell... php version incompatibility with openssl - openssl no longer accepts a string as an algorithm. Earlier versions didn't recognise sha256. So we'll look to see if the algorithm constant for sha256 is defined and if so we'll use that instead of the string.
2013-12-16 02:30:10 +00:00
$alg = OPENSSL_ALGO_SHA256;
simplify
2012-07-21 10:48:59 +00:00
$verify = openssl_verify($data,$sig,$key,$alg);
crypto stuff
2011-08-10 01:55:46 +00:00
return $verify;
}
recover padding functions which are still used
2013-07-25 00:07:45 +00:00
function pkcs5_pad ($text, $blocksize)
{
$pad = $blocksize - (strlen($text) % $blocksize);
return $text . str_repeat(chr($pad), $pad);
}
function pkcs5_unpad($text)
{
$pad = ord($text{strlen($text)-1});
if ($pad > strlen($text)) return false;
if (strspn($text, chr($pad), strlen($text) - $pad) != $pad) return false;
return substr($text, 0, -1 * $pad);
}
remove public disclosure risk
2011-08-28 01:09:43 +00:00
function AES256CBC_encrypt($data,$key,$iv) {
return mcrypt_encrypt(
MCRYPT_RIJNDAEL_128,
str_pad($key,32,"\0"),
pkcs5_pad($data,16),
MCRYPT_MODE_CBC,
str_pad($iv,16,"\0"));
}
function AES256CBC_decrypt($data,$key,$iv) {
return pkcs5_unpad(mcrypt_decrypt(
MCRYPT_RIJNDAEL_128,
str_pad($key,32,"\0"),
$data,
MCRYPT_MODE_CBC,
str_pad($iv,16,"\0")));
}
Protocol: now set data['alg'] on all encapsulated encrypted packets, so that we can more easily retire 'aes256cbc' once it is no longer viable.
2013-11-20 23:20:12 +00:00
function crypto_encapsulate($data,$pubkey,$alg='aes256cbc') {
if($alg === 'aes256cbc')
return aes_encapsulate($data,$pubkey);
}
remove public disclosure risk
2011-08-28 01:09:43 +00:00
function aes_encapsulate($data,$pubkey) {
crypto logging
2013-07-24 03:51:37 +00:00
if(! $pubkey)
logger('aes_encapsulate: no key. data: ' . $data);
remove public disclosure risk
2011-08-28 01:09:43 +00:00
$key = random_string(32,RANDOM_STRING_TEXT);
$iv = random_string(16,RANDOM_STRING_TEXT);
$result['data'] = base64url_encode(AES256CBC_encrypt($data,$key,$iv),true);
get rid of legacy (unused) encryption stuff.
2013-07-25 00:03:47 +00:00
// log the offending call so we can track it down
crypto logging
2013-07-24 03:51:37 +00:00
if(! openssl_public_encrypt($key,$k,$pubkey)) {
not quite so much crypto logging
2013-07-24 12:13:21 +00:00
$x = debug_backtrace();
logger('aes_encapsulate: RSA failed. ' . print_r($x[0],true));
crypto logging
2013-07-24 03:51:37 +00:00
}
Protocol: now set data['alg'] on all encapsulated encrypted packets, so that we can more easily retire 'aes256cbc' once it is no longer viable.
2013-11-20 23:20:12 +00:00
$result['alg'] = 'aes256cbc';
crypto logging
2013-07-24 03:51:37 +00:00
$result['key'] = base64url_encode($k,true);
remove public disclosure risk
2011-08-28 01:09:43 +00:00
openssl_public_encrypt($iv,$i,$pubkey);
$result['iv'] = base64url_encode($i,true);
return $result;
}
Protocol: now set data['alg'] on all encapsulated encrypted packets, so that we can more easily retire 'aes256cbc' once it is no longer viable.
2013-11-20 23:20:12 +00:00
function crypto_unencapsulate($data,$prvkey) {
post_activity_item issues
2013-12-08 07:29:26 +00:00
if(! $data)
return;
Protocol: now set data['alg'] on all encapsulated encrypted packets, so that we can more easily retire 'aes256cbc' once it is no longer viable.
2013-11-20 23:20:12 +00:00
$alg = ((array_key_exists('alg',$data)) ? $data['alg'] : 'aes256cbc');
if($alg === 'aes256cbc')
return aes_unencapsulate($data,$prvkey);
}
remove public disclosure risk
2011-08-28 01:09:43 +00:00
function aes_unencapsulate($data,$prvkey) {
openssl_private_decrypt(base64url_decode($data['key']),$k,$prvkey);
openssl_private_decrypt(base64url_decode($data['iv']),$i,$prvkey);
return AES256CBC_decrypt(base64url_decode($data['data']),$k,$i);
}
rev update
2012-05-21 01:30:02 +00:00
function new_keypair($bits) {
$openssl_options = array(
'digest_alg' => 'sha1',
'private_key_bits' => $bits,
'encrypt_key' => false
);
$conf = get_config('system','openssl_conf_file');
if($conf)
$openssl_options['config'] = $conf;
$result = openssl_pkey_new($openssl_options);
if(empty($result)) {
logger('new_keypair: failed');
return false;
}
// Get private key
$response = array('prvkey' => '', 'pubkey' => '');
openssl_pkey_export($result, $response['prvkey']);
// Get public key
$pkey = openssl_pkey_get_details($result);
$response['pubkey'] = $pkey["key"];
return $response;
}
doc update
2014-08-15 13:05:52 +00:00
function pkcs1to8($oldkey,$len) {
if($len == 4096)
$c = 'g';
if($len == 2048)
$c = 'Q';
pkcs1 to pkcs8 key conversion - this is a lot easier than parsing ASN.1 DER formats and rebuilding the darn things like we used to do. Check for illegal hex encoded album names in mod/photo so we don't throw php errors. Don't know where they come from but we get a lot of them.
2014-08-15 06:05:19 +00:00
if(strstr($oldkey,'BEGIN PUBLIC'))
return $oldkey;
$oldkey = str_replace('-----BEGIN RSA PUBLIC KEY-----', '', $oldkey);
$oldkey = trim(str_replace('-----END RSA PUBLIC KEY-----', '', $oldkey));
doc update
2014-08-15 13:05:52 +00:00
$key = 'MIICIjANBgkqhkiG9w0BAQEFAAOCA' . $c . '8A' . str_replace("\n", '', $oldkey);
pkcs1 to pkcs8 key conversion - this is a lot easier than parsing ASN.1 DER formats and rebuilding the darn things like we used to do. Check for illegal hex encoded album names in mod/photo so we don't throw php errors. Don't know where they come from but we get a lot of them.
2014-08-15 06:05:19 +00:00
$key = "-----BEGIN PUBLIC KEY-----\n" . wordwrap($key, 64, "\n", true) . "\n-----END PUBLIC KEY-----";
return $key;
}
doc update
2014-08-15 13:05:52 +00:00
function pkcs8to1($oldkey,$len) {
pkcs1 to pkcs8 key conversion - this is a lot easier than parsing ASN.1 DER formats and rebuilding the darn things like we used to do. Check for illegal hex encoded album names in mod/photo so we don't throw php errors. Don't know where they come from but we get a lot of them.
2014-08-15 06:05:19 +00:00
if(strstr($oldkey,'BEGIN RSA'))
return $oldkey;
$oldkey = str_replace('-----BEGIN PUBLIC KEY-----', '', $oldkey);
$oldkey = trim(str_replace('-----END PUBLIC KEY-----', '', $oldkey));
$key = str_replace("\n",'',$oldkey);
$key = substr($key,32);
$key = "-----BEGIN RSA PUBLIC KEY-----\n" . wordwrap($key, 64, "\n", true) . "\n-----END RSA PUBLIC KEY-----";
return $key;
}
Reference in a new issue Copy permalink