Merge pull request #4276 from MrPetovan/bug/4272-upgrade-php-encryption

Remove RINO2
This commit is contained in:
Michael Vogel 2018-01-19 23:45:37 +01:00 committed by GitHub
commit ce411da958
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 29 additions and 148 deletions

View file

@ -18,7 +18,6 @@
"ezyang/htmlpurifier": "~4.7.0", "ezyang/htmlpurifier": "~4.7.0",
"mobiledetect/mobiledetectlib": "2.8.*", "mobiledetect/mobiledetectlib": "2.8.*",
"league/html-to-markdown": "~4.4.1", "league/html-to-markdown": "~4.4.1",
"defuse/php-encryption": "1.*",
"pear/Text_LanguageDetect": "1.*", "pear/Text_LanguageDetect": "1.*",
"pear/Text_Highlighter": "dev-master", "pear/Text_Highlighter": "dev-master",
"paragonie/random_compat": "^2.0", "paragonie/random_compat": "^2.0",

47
composer.lock generated
View file

@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
"This file is @generated automatically" "This file is @generated automatically"
], ],
"content-hash": "6cf3b635594e443a7268a3bd9100d62d", "content-hash": "7fcbb730be98076fe8318b03c858f41c",
"packages": [ "packages": [
{ {
"name": "bower-asset/Chart-js", "name": "bower-asset/Chart-js",
@ -69,51 +69,6 @@
"description": "Base64 encoding and decoding", "description": "Base64 encoding and decoding",
"time": "2017-03-25T21:16:21+00:00" "time": "2017-03-25T21:16:21+00:00"
}, },
{
"name": "defuse/php-encryption",
"version": "v1.2.1",
"source": {
"type": "git",
"url": "https://github.com/defuse/php-encryption.git",
"reference": "b87737b2eec06b13f025cabea847338fa203d1b4"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/defuse/php-encryption/zipball/b87737b2eec06b13f025cabea847338fa203d1b4",
"reference": "b87737b2eec06b13f025cabea847338fa203d1b4",
"shasum": ""
},
"require": {
"ext-mcrypt": "*",
"ext-openssl": "*",
"php": ">=5.4.0"
},
"type": "library",
"autoload": {
"files": [
"Crypto.php"
]
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"authors": [
{
"name": "Taylor Hornby",
"email": "havoc@defuse.ca"
}
],
"description": "Secure PHP Encryption Library",
"keywords": [
"aes",
"cipher",
"encryption",
"mcrypt",
"security"
],
"time": "2015-03-14T20:27:45+00:00"
},
{ {
"name": "ezyang/htmlpurifier", "name": "ezyang/htmlpurifier",
"version": "v4.7.0", "version": "v4.7.0",

View file

@ -61,10 +61,9 @@ $a->config['system']['maximagesize'] = 800000;
$a->config['php_path'] = 'php'; $a->config['php_path'] = 'php';
// Server-to-server private message encryption (RINO) is allowed by default. // Server-to-server private message encryption (RINO) is allowed by default.
// Encryption will only be provided if this setting is set to a non zero value // set to 0 to disable, 1 to enable
// set to 0 to disable, 2 to enable, 1 is deprecated
$a->config['system']['rino_encrypt'] = 2; $a->config['system']['rino_encrypt'] = 1;
// allowed themes (change this from admin panel after installation) // allowed themes (change this from admin panel after installation)

View file

@ -488,7 +488,7 @@ function validate_url($url)
/// @TODO Really suppress function outcomes? Why not find them + debug them? /// @TODO Really suppress function outcomes? Why not find them + debug them?
$h = @parse_url($url); $h = @parse_url($url);
if ((is_array($h)) && (dns_get_record($h['host'], DNS_A + DNS_CNAME + DNS_PTR) || filter_var($h['host'], FILTER_VALIDATE_IP) )) { if ((is_array($h)) && (@dns_get_record($h['host'], DNS_A + DNS_CNAME + DNS_PTR) || filter_var($h['host'], FILTER_VALIDATE_IP) )) {
return $url; return $url;
} }

View file

@ -1336,7 +1336,7 @@ function admin_page_site(App $a)
'$relocate_url' => ['relocate_url', t("New base url"), System::baseUrl(), t("Change base url for this server. Sends relocate message to all Friendica and Diaspora* contacts of all users.")], '$relocate_url' => ['relocate_url', t("New base url"), System::baseUrl(), t("Change base url for this server. Sends relocate message to all Friendica and Diaspora* contacts of all users.")],
'$rino' => ['rino', t("RINO Encryption"), intval(Config::get('system','rino_encrypt')), t("Encryption layer between nodes."), ["Disabled", "RINO1 (deprecated)", "RINO2"]], '$rino' => ['rino', t("RINO Encryption"), intval(Config::get('system','rino_encrypt')), t("Encryption layer between nodes."), [0 => "Disabled", 1 => "Enabled"]],
'$worker_queues' => ['worker_queues', t("Maximum number of parallel workers"), Config::get('system','worker_queues'), t("On shared hosters set this to 2. On larger systems, values of 10 are great. Default value is 4.")], '$worker_queues' => ['worker_queues', t("Maximum number of parallel workers"), Config::get('system','worker_queues'), t("On shared hosters set this to 2. On larger systems, values of 10 are great. Default value is 4.")],
'$worker_dont_fork' => ['worker_dont_fork', t("Don't use 'proc_open' with the worker"), Config::get('system','worker_dont_fork'), t("Enable this if your system doesn't allow the use of 'proc_open'. This can happen on shared hosters. If this is enabled you should increase the frequency of worker calls in your crontab.")], '$worker_dont_fork' => ['worker_dont_fork', t("Don't use 'proc_open' with the worker"), Config::get('system','worker_dont_fork'), t("Enable this if your system doesn't allow the use of 'proc_open'. This can happen on shared hosters. If this is enabled you should increase the frequency of worker calls in your crontab.")],

View file

@ -143,7 +143,7 @@ function dfrn_notify_post(App $a) {
// if local rino is lower than remote rino, abort: should not happen! // if local rino is lower than remote rino, abort: should not happen!
// but only for $remote_rino > 1, because old code did't send rino version // but only for $remote_rino > 1, because old code did't send rino version
if ($rino_remote_version > 1 && $rino < $rino_remote) { if ($rino_remote > 1 && $rino < $rino_remote) {
logger("rino version '$rino_remote' is lower than supported '$rino'"); logger("rino version '$rino_remote' is lower than supported '$rino'");
xml_status(0, "rino version '$rino_remote' is lower than supported '$rino'"); xml_status(0, "rino version '$rino_remote' is lower than supported '$rino'");
} }
@ -166,44 +166,18 @@ function dfrn_notify_post(App $a) {
} }
} }
#logger('rino: received key : ' . $final_key);
switch($rino_remote) { switch($rino_remote) {
case 0: case 0:
case 1: case 1:
/* // we got a key. old code send only the key, without RINO version.
*we got a key. old code send only the key, without RINO version. // we assume RINO 1 if key and no RINO version
* we assume RINO 1 if key and no RINO version
*/
$data = DFRN::aesDecrypt(hex2bin($data), $final_key); $data = DFRN::aesDecrypt(hex2bin($data), $final_key);
break; break;
case 2:
try {
$data = \Crypto::decrypt(hex2bin($data), $final_key);
} catch (\InvalidCiphertextException $ex) { // VERY IMPORTANT
/*
* Either:
* 1. The ciphertext was modified by the attacker,
* 2. The key is wrong, or
* 3. $ciphertext is not a valid ciphertext or was corrupted.
* Assume the worst.
*/
logger('The ciphertext has been tampered with!');
xml_status(0, 'The ciphertext has been tampered with!');
} catch (\CryptoTestFailedException $ex) {
logger('Cannot safely perform dencryption');
xml_status(0, 'CryptoTestFailed');
} catch (\CannotPerformOperationException $ex) {
logger('Cannot safely perform decryption');
xml_status(0, 'Cannot safely perform decryption');
}
break;
default: default:
logger("rino: invalid sent version '$rino_remote'"); logger("rino: invalid sent version '$rino_remote'");
xml_status(0, "Invalid sent version '$rino_remote'"); xml_status(0, "Invalid sent version '$rino_remote'");
} }
logger('rino: decrypted data: ' . $data, LOGGER_DATA); logger('rino: decrypted data: ' . $data, LOGGER_DATA);
} }

View file

@ -63,7 +63,7 @@ function install_post(App $a) {
$timezone = notags(trim($_POST['timezone'])); $timezone = notags(trim($_POST['timezone']));
$language = notags(trim($_POST['language'])); $language = notags(trim($_POST['language']));
$adminmail = notags(trim($_POST['adminmail'])); $adminmail = notags(trim($_POST['adminmail']));
$rino = 2; $rino = 1;
// connect to db // connect to db
dba::connect($dbhost, $dbuser, $dbpass, $dbdata, true); dba::connect($dbhost, $dbuser, $dbpass, $dbdata, true);

View file

@ -22,11 +22,14 @@ use Friendica\Model\Term;
use Friendica\Model\User; use Friendica\Model\User;
use Friendica\Object\Image; use Friendica\Object\Image;
use Friendica\Protocol\OStatus; use Friendica\Protocol\OStatus;
use Friendica\Util\Crypto;
use Friendica\Util\XML; use Friendica\Util\XML;
use dba; use dba;
use DOMDocument; use DOMDocument;
use DOMXPath; use DOMXPath;
use HTMLPurifier;
use HTMLPurifier_Config;
require_once 'boot.php'; require_once 'boot.php';
require_once 'include/dba.php'; require_once 'include/dba.php';
@ -1291,31 +1294,9 @@ class DFRN
switch ($rino_remote_version) { switch ($rino_remote_version) {
case 1: case 1:
// Deprecated rino version!
$key = openssl_random_pseudo_bytes(16); $key = openssl_random_pseudo_bytes(16);
$data = self::aesEncrypt($postvars['data'], $key); $data = self::aesEncrypt($postvars['data'], $key);
break; break;
case 2:
// RINO 2 based on php-encryption
try {
$key = \Crypto::CreateNewRandomKey();
} catch (\CryptoTestFailedException $ex) {
logger('Cannot safely create a key');
return -4;
} catch (\CannotPerformOperationException $ex) {
logger('Cannot safely create a key');
return -5;
}
try {
$data = \Crypto::Encrypt($postvars['data'], $key);
} catch (\CryptoTestFailedException $ex) {
logger('Cannot safely perform encryption');
return -6;
} catch (\CannotPerformOperationException $ex) {
logger('Cannot safely perform encryption');
return -7;
}
break;
default: default:
logger("rino: invalid requested version '$rino_remote_version'"); logger("rino: invalid requested version '$rino_remote_version'");
return -8; return -8;
@ -1324,9 +1305,6 @@ class DFRN
$postvars['rino'] = $rino_remote_version; $postvars['rino'] = $rino_remote_version;
$postvars['data'] = bin2hex($data); $postvars['data'] = bin2hex($data);
//logger('rino: sent key = ' . $key, LOGGER_DEBUG);
if ($dfrn_version >= 2.1) { if ($dfrn_version >= 2.1) {
if (($contact['duplex'] && strlen($contact['pubkey'])) if (($contact['duplex'] && strlen($contact['pubkey']))
|| ($owner['page-flags'] == PAGE_COMMUNITY && strlen($contact['pubkey'])) || ($owner['page-flags'] == PAGE_COMMUNITY && strlen($contact['pubkey']))
@ -2177,8 +2155,6 @@ class DFRN
* valid community action. Also forum_mode makes it valid for sure. * valid community action. Also forum_mode makes it valid for sure.
* If neither, it's not. * If neither, it's not.
*/ */
/// @TODO Maybe merge these if() blocks into one?
if ($is_a_remote_action && $community && (!$r[0]["forum_mode"]) && (!$r[0]["wall"])) { if ($is_a_remote_action && $community && (!$r[0]["forum_mode"]) && (!$r[0]["wall"])) {
$is_a_remote_action = false; $is_a_remote_action = false;
logger("not a community action"); logger("not a community action");
@ -2380,21 +2356,12 @@ class DFRN
$title = ""; $title = "";
foreach ($links as $link) { foreach ($links as $link) {
foreach ($link->attributes as $attributes) { foreach ($link->attributes as $attributes) {
/// @TODO Rewrite these repeated (same) if () statements to a switch() switch ($attributes->name) {
if ($attributes->name == "href") { case "href" : $href = $attributes->textContent; break;
$href = $attributes->textContent; case "rel" : $rel = $attributes->textContent; break;
} case "type" : $type = $attributes->textContent; break;
if ($attributes->name == "rel") { case "length": $length = $attributes->textContent; break;
$rel = $attributes->textContent; case "title" : $title = $attributes->textContent; break;
}
if ($attributes->name == "type") {
$type = $attributes->textContent;
}
if ($attributes->name == "length") {
$length = $attributes->textContent;
}
if ($attributes->name == "title") {
$title = $attributes->textContent;
} }
} }
if (($rel != "") && ($href != "")) { if (($rel != "") && ($href != "")) {
@ -2489,13 +2456,13 @@ class DFRN
$item['body'] = OEmbed::HTML2BBCode($item['body']); $item['body'] = OEmbed::HTML2BBCode($item['body']);
$config = \HTMLPurifier_Config::createDefault(); $config = HTMLPurifier_Config::createDefault();
$config->set('Cache.DefinitionImpl', null); $config->set('Cache.DefinitionImpl', null);
// we shouldn't need a whitelist, because the bbcode converter // we shouldn't need a whitelist, because the bbcode converter
// will strip out any unsupported tags. // will strip out any unsupported tags.
$purifier = new \HTMLPurifier($config); $purifier = new HTMLPurifier($config);
$item['body'] = $purifier->purify($item['body']); $item['body'] = $purifier->purify($item['body']);
$item['body'] = @html2bbcode($item['body']); $item['body'] = @html2bbcode($item['body']);
@ -2645,16 +2612,6 @@ class DFRN
if (($item["network"] != $author["network"]) && ($author["network"] != "")) { if (($item["network"] != $author["network"]) && ($author["network"] != "")) {
$item["network"] = $author["network"]; $item["network"] = $author["network"];
} }
/// @TODO maybe remove this old-lost code then?
// This code was taken from the old DFRN code
// When activated, forums don't work.
// And: Why should we disallow commenting by followers?
// the behaviour is now similar to the Diaspora part.
//if ($importer["rel"] == CONTACT_IS_FOLLOWER) {
// logger("Contact ".$importer["id"]." is only follower. Quitting", LOGGER_DEBUG);
// return;
//}
} }
if ($entrytype == DFRN_REPLY_RC) { if ($entrytype == DFRN_REPLY_RC) {
@ -2671,12 +2628,11 @@ class DFRN
$ev = bbtoevent($item["body"]); $ev = bbtoevent($item["body"]);
if ((x($ev, "desc") || x($ev, "summary")) && x($ev, "start")) { if ((x($ev, "desc") || x($ev, "summary")) && x($ev, "start")) {
logger("Event in item ".$item["uri"]." was found.", LOGGER_DEBUG); logger("Event in item ".$item["uri"]." was found.", LOGGER_DEBUG);
/// @TODO Mixure of "/' ahead ...
$ev["cid"] = $importer["id"]; $ev["cid"] = $importer["id"];
$ev["uid"] = $importer["uid"]; $ev["uid"] = $importer["uid"];
$ev["uri"] = $item["uri"]; $ev["uri"] = $item["uri"];
$ev["edited"] = $item["edited"]; $ev["edited"] = $item["edited"];
$ev['private'] = $item['private']; $ev["private"] = $item["private"];
$ev["guid"] = $item["guid"]; $ev["guid"] = $item["guid"];
$r = q( $r = q(

View file

@ -49,10 +49,9 @@ $a->config['php_path'] = '/usr/bin/php';
// Server-to-server private message encryption (RINO) is allowed by default. // Server-to-server private message encryption (RINO) is allowed by default.
// Encryption will only be provided if this setting is true and the // set to 0 to disable, 1 to enable
// PHP mcrypt extension is installed on both systems
$a->config['system']['rino_encrypt'] = true; $a->config['system']['rino_encrypt'] = 1;
// default system theme // default system theme

View file

@ -78,8 +78,7 @@ $a->config['max_import_size'] = 200000;
$a->config['system']['maximagesize'] = 800000; $a->config['system']['maximagesize'] = 800000;
// Server-to-server private message encryption (RINO) is allowed by default. // Server-to-server private message encryption (RINO) is allowed by default.
// Encryption will only be provided if this setting is set to a non zero value // set to 0 to disable, 1 to enable
// set to 0 to disable, 2 to enable, 1 is deprecated
$a->config['system']['rino_encrypt'] = {{$rino}}; $a->config['system']['rino_encrypt'] = {{$rino}};