Merge pull request #4276 from MrPetovan/bug/4272-upgrade-php-encryption
Remove RINO2
This commit is contained in:
commit
ce411da958
10 changed files with 29 additions and 148 deletions
|
@ -18,7 +18,6 @@
|
||||||
"ezyang/htmlpurifier": "~4.7.0",
|
"ezyang/htmlpurifier": "~4.7.0",
|
||||||
"mobiledetect/mobiledetectlib": "2.8.*",
|
"mobiledetect/mobiledetectlib": "2.8.*",
|
||||||
"league/html-to-markdown": "~4.4.1",
|
"league/html-to-markdown": "~4.4.1",
|
||||||
"defuse/php-encryption": "1.*",
|
|
||||||
"pear/Text_LanguageDetect": "1.*",
|
"pear/Text_LanguageDetect": "1.*",
|
||||||
"pear/Text_Highlighter": "dev-master",
|
"pear/Text_Highlighter": "dev-master",
|
||||||
"paragonie/random_compat": "^2.0",
|
"paragonie/random_compat": "^2.0",
|
||||||
|
|
47
composer.lock
generated
47
composer.lock
generated
|
@ -4,7 +4,7 @@
|
||||||
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
|
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
|
||||||
"This file is @generated automatically"
|
"This file is @generated automatically"
|
||||||
],
|
],
|
||||||
"content-hash": "6cf3b635594e443a7268a3bd9100d62d",
|
"content-hash": "7fcbb730be98076fe8318b03c858f41c",
|
||||||
"packages": [
|
"packages": [
|
||||||
{
|
{
|
||||||
"name": "bower-asset/Chart-js",
|
"name": "bower-asset/Chart-js",
|
||||||
|
@ -69,51 +69,6 @@
|
||||||
"description": "Base64 encoding and decoding",
|
"description": "Base64 encoding and decoding",
|
||||||
"time": "2017-03-25T21:16:21+00:00"
|
"time": "2017-03-25T21:16:21+00:00"
|
||||||
},
|
},
|
||||||
{
|
|
||||||
"name": "defuse/php-encryption",
|
|
||||||
"version": "v1.2.1",
|
|
||||||
"source": {
|
|
||||||
"type": "git",
|
|
||||||
"url": "https://github.com/defuse/php-encryption.git",
|
|
||||||
"reference": "b87737b2eec06b13f025cabea847338fa203d1b4"
|
|
||||||
},
|
|
||||||
"dist": {
|
|
||||||
"type": "zip",
|
|
||||||
"url": "https://api.github.com/repos/defuse/php-encryption/zipball/b87737b2eec06b13f025cabea847338fa203d1b4",
|
|
||||||
"reference": "b87737b2eec06b13f025cabea847338fa203d1b4",
|
|
||||||
"shasum": ""
|
|
||||||
},
|
|
||||||
"require": {
|
|
||||||
"ext-mcrypt": "*",
|
|
||||||
"ext-openssl": "*",
|
|
||||||
"php": ">=5.4.0"
|
|
||||||
},
|
|
||||||
"type": "library",
|
|
||||||
"autoload": {
|
|
||||||
"files": [
|
|
||||||
"Crypto.php"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"notification-url": "https://packagist.org/downloads/",
|
|
||||||
"license": [
|
|
||||||
"MIT"
|
|
||||||
],
|
|
||||||
"authors": [
|
|
||||||
{
|
|
||||||
"name": "Taylor Hornby",
|
|
||||||
"email": "havoc@defuse.ca"
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"description": "Secure PHP Encryption Library",
|
|
||||||
"keywords": [
|
|
||||||
"aes",
|
|
||||||
"cipher",
|
|
||||||
"encryption",
|
|
||||||
"mcrypt",
|
|
||||||
"security"
|
|
||||||
],
|
|
||||||
"time": "2015-03-14T20:27:45+00:00"
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
"name": "ezyang/htmlpurifier",
|
"name": "ezyang/htmlpurifier",
|
||||||
"version": "v4.7.0",
|
"version": "v4.7.0",
|
||||||
|
|
|
@ -61,10 +61,9 @@ $a->config['system']['maximagesize'] = 800000;
|
||||||
$a->config['php_path'] = 'php';
|
$a->config['php_path'] = 'php';
|
||||||
|
|
||||||
// Server-to-server private message encryption (RINO) is allowed by default.
|
// Server-to-server private message encryption (RINO) is allowed by default.
|
||||||
// Encryption will only be provided if this setting is set to a non zero value
|
// set to 0 to disable, 1 to enable
|
||||||
// set to 0 to disable, 2 to enable, 1 is deprecated
|
|
||||||
|
|
||||||
$a->config['system']['rino_encrypt'] = 2;
|
$a->config['system']['rino_encrypt'] = 1;
|
||||||
|
|
||||||
// allowed themes (change this from admin panel after installation)
|
// allowed themes (change this from admin panel after installation)
|
||||||
|
|
||||||
|
|
|
@ -488,7 +488,7 @@ function validate_url($url)
|
||||||
/// @TODO Really suppress function outcomes? Why not find them + debug them?
|
/// @TODO Really suppress function outcomes? Why not find them + debug them?
|
||||||
$h = @parse_url($url);
|
$h = @parse_url($url);
|
||||||
|
|
||||||
if ((is_array($h)) && (dns_get_record($h['host'], DNS_A + DNS_CNAME + DNS_PTR) || filter_var($h['host'], FILTER_VALIDATE_IP) )) {
|
if ((is_array($h)) && (@dns_get_record($h['host'], DNS_A + DNS_CNAME + DNS_PTR) || filter_var($h['host'], FILTER_VALIDATE_IP) )) {
|
||||||
return $url;
|
return $url;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -1336,7 +1336,7 @@ function admin_page_site(App $a)
|
||||||
|
|
||||||
'$relocate_url' => ['relocate_url', t("New base url"), System::baseUrl(), t("Change base url for this server. Sends relocate message to all Friendica and Diaspora* contacts of all users.")],
|
'$relocate_url' => ['relocate_url', t("New base url"), System::baseUrl(), t("Change base url for this server. Sends relocate message to all Friendica and Diaspora* contacts of all users.")],
|
||||||
|
|
||||||
'$rino' => ['rino', t("RINO Encryption"), intval(Config::get('system','rino_encrypt')), t("Encryption layer between nodes."), ["Disabled", "RINO1 (deprecated)", "RINO2"]],
|
'$rino' => ['rino', t("RINO Encryption"), intval(Config::get('system','rino_encrypt')), t("Encryption layer between nodes."), [0 => "Disabled", 1 => "Enabled"]],
|
||||||
|
|
||||||
'$worker_queues' => ['worker_queues', t("Maximum number of parallel workers"), Config::get('system','worker_queues'), t("On shared hosters set this to 2. On larger systems, values of 10 are great. Default value is 4.")],
|
'$worker_queues' => ['worker_queues', t("Maximum number of parallel workers"), Config::get('system','worker_queues'), t("On shared hosters set this to 2. On larger systems, values of 10 are great. Default value is 4.")],
|
||||||
'$worker_dont_fork' => ['worker_dont_fork', t("Don't use 'proc_open' with the worker"), Config::get('system','worker_dont_fork'), t("Enable this if your system doesn't allow the use of 'proc_open'. This can happen on shared hosters. If this is enabled you should increase the frequency of worker calls in your crontab.")],
|
'$worker_dont_fork' => ['worker_dont_fork', t("Don't use 'proc_open' with the worker"), Config::get('system','worker_dont_fork'), t("Enable this if your system doesn't allow the use of 'proc_open'. This can happen on shared hosters. If this is enabled you should increase the frequency of worker calls in your crontab.")],
|
||||||
|
|
|
@ -143,7 +143,7 @@ function dfrn_notify_post(App $a) {
|
||||||
|
|
||||||
// if local rino is lower than remote rino, abort: should not happen!
|
// if local rino is lower than remote rino, abort: should not happen!
|
||||||
// but only for $remote_rino > 1, because old code did't send rino version
|
// but only for $remote_rino > 1, because old code did't send rino version
|
||||||
if ($rino_remote_version > 1 && $rino < $rino_remote) {
|
if ($rino_remote > 1 && $rino < $rino_remote) {
|
||||||
logger("rino version '$rino_remote' is lower than supported '$rino'");
|
logger("rino version '$rino_remote' is lower than supported '$rino'");
|
||||||
xml_status(0, "rino version '$rino_remote' is lower than supported '$rino'");
|
xml_status(0, "rino version '$rino_remote' is lower than supported '$rino'");
|
||||||
}
|
}
|
||||||
|
@ -166,44 +166,18 @@ function dfrn_notify_post(App $a) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#logger('rino: received key : ' . $final_key);
|
|
||||||
|
|
||||||
switch($rino_remote) {
|
switch($rino_remote) {
|
||||||
case 0:
|
case 0:
|
||||||
case 1:
|
case 1:
|
||||||
/*
|
// we got a key. old code send only the key, without RINO version.
|
||||||
*we got a key. old code send only the key, without RINO version.
|
// we assume RINO 1 if key and no RINO version
|
||||||
* we assume RINO 1 if key and no RINO version
|
|
||||||
*/
|
|
||||||
$data = DFRN::aesDecrypt(hex2bin($data), $final_key);
|
$data = DFRN::aesDecrypt(hex2bin($data), $final_key);
|
||||||
break;
|
break;
|
||||||
case 2:
|
|
||||||
try {
|
|
||||||
$data = \Crypto::decrypt(hex2bin($data), $final_key);
|
|
||||||
} catch (\InvalidCiphertextException $ex) { // VERY IMPORTANT
|
|
||||||
/*
|
|
||||||
* Either:
|
|
||||||
* 1. The ciphertext was modified by the attacker,
|
|
||||||
* 2. The key is wrong, or
|
|
||||||
* 3. $ciphertext is not a valid ciphertext or was corrupted.
|
|
||||||
* Assume the worst.
|
|
||||||
*/
|
|
||||||
logger('The ciphertext has been tampered with!');
|
|
||||||
xml_status(0, 'The ciphertext has been tampered with!');
|
|
||||||
} catch (\CryptoTestFailedException $ex) {
|
|
||||||
logger('Cannot safely perform dencryption');
|
|
||||||
xml_status(0, 'CryptoTestFailed');
|
|
||||||
} catch (\CannotPerformOperationException $ex) {
|
|
||||||
logger('Cannot safely perform decryption');
|
|
||||||
xml_status(0, 'Cannot safely perform decryption');
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
default:
|
default:
|
||||||
logger("rino: invalid sent version '$rino_remote'");
|
logger("rino: invalid sent version '$rino_remote'");
|
||||||
xml_status(0, "Invalid sent version '$rino_remote'");
|
xml_status(0, "Invalid sent version '$rino_remote'");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
logger('rino: decrypted data: ' . $data, LOGGER_DATA);
|
logger('rino: decrypted data: ' . $data, LOGGER_DATA);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -63,7 +63,7 @@ function install_post(App $a) {
|
||||||
$timezone = notags(trim($_POST['timezone']));
|
$timezone = notags(trim($_POST['timezone']));
|
||||||
$language = notags(trim($_POST['language']));
|
$language = notags(trim($_POST['language']));
|
||||||
$adminmail = notags(trim($_POST['adminmail']));
|
$adminmail = notags(trim($_POST['adminmail']));
|
||||||
$rino = 2;
|
$rino = 1;
|
||||||
|
|
||||||
// connect to db
|
// connect to db
|
||||||
dba::connect($dbhost, $dbuser, $dbpass, $dbdata, true);
|
dba::connect($dbhost, $dbuser, $dbpass, $dbdata, true);
|
||||||
|
|
|
@ -22,11 +22,14 @@ use Friendica\Model\Term;
|
||||||
use Friendica\Model\User;
|
use Friendica\Model\User;
|
||||||
use Friendica\Object\Image;
|
use Friendica\Object\Image;
|
||||||
use Friendica\Protocol\OStatus;
|
use Friendica\Protocol\OStatus;
|
||||||
|
use Friendica\Util\Crypto;
|
||||||
use Friendica\Util\XML;
|
use Friendica\Util\XML;
|
||||||
|
|
||||||
use dba;
|
use dba;
|
||||||
use DOMDocument;
|
use DOMDocument;
|
||||||
use DOMXPath;
|
use DOMXPath;
|
||||||
|
use HTMLPurifier;
|
||||||
|
use HTMLPurifier_Config;
|
||||||
|
|
||||||
require_once 'boot.php';
|
require_once 'boot.php';
|
||||||
require_once 'include/dba.php';
|
require_once 'include/dba.php';
|
||||||
|
@ -1291,31 +1294,9 @@ class DFRN
|
||||||
|
|
||||||
switch ($rino_remote_version) {
|
switch ($rino_remote_version) {
|
||||||
case 1:
|
case 1:
|
||||||
// Deprecated rino version!
|
|
||||||
$key = openssl_random_pseudo_bytes(16);
|
$key = openssl_random_pseudo_bytes(16);
|
||||||
$data = self::aesEncrypt($postvars['data'], $key);
|
$data = self::aesEncrypt($postvars['data'], $key);
|
||||||
break;
|
break;
|
||||||
case 2:
|
|
||||||
// RINO 2 based on php-encryption
|
|
||||||
try {
|
|
||||||
$key = \Crypto::CreateNewRandomKey();
|
|
||||||
} catch (\CryptoTestFailedException $ex) {
|
|
||||||
logger('Cannot safely create a key');
|
|
||||||
return -4;
|
|
||||||
} catch (\CannotPerformOperationException $ex) {
|
|
||||||
logger('Cannot safely create a key');
|
|
||||||
return -5;
|
|
||||||
}
|
|
||||||
try {
|
|
||||||
$data = \Crypto::Encrypt($postvars['data'], $key);
|
|
||||||
} catch (\CryptoTestFailedException $ex) {
|
|
||||||
logger('Cannot safely perform encryption');
|
|
||||||
return -6;
|
|
||||||
} catch (\CannotPerformOperationException $ex) {
|
|
||||||
logger('Cannot safely perform encryption');
|
|
||||||
return -7;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
default:
|
default:
|
||||||
logger("rino: invalid requested version '$rino_remote_version'");
|
logger("rino: invalid requested version '$rino_remote_version'");
|
||||||
return -8;
|
return -8;
|
||||||
|
@ -1324,9 +1305,6 @@ class DFRN
|
||||||
$postvars['rino'] = $rino_remote_version;
|
$postvars['rino'] = $rino_remote_version;
|
||||||
$postvars['data'] = bin2hex($data);
|
$postvars['data'] = bin2hex($data);
|
||||||
|
|
||||||
//logger('rino: sent key = ' . $key, LOGGER_DEBUG);
|
|
||||||
|
|
||||||
|
|
||||||
if ($dfrn_version >= 2.1) {
|
if ($dfrn_version >= 2.1) {
|
||||||
if (($contact['duplex'] && strlen($contact['pubkey']))
|
if (($contact['duplex'] && strlen($contact['pubkey']))
|
||||||
|| ($owner['page-flags'] == PAGE_COMMUNITY && strlen($contact['pubkey']))
|
|| ($owner['page-flags'] == PAGE_COMMUNITY && strlen($contact['pubkey']))
|
||||||
|
@ -2177,8 +2155,6 @@ class DFRN
|
||||||
* valid community action. Also forum_mode makes it valid for sure.
|
* valid community action. Also forum_mode makes it valid for sure.
|
||||||
* If neither, it's not.
|
* If neither, it's not.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/// @TODO Maybe merge these if() blocks into one?
|
|
||||||
if ($is_a_remote_action && $community && (!$r[0]["forum_mode"]) && (!$r[0]["wall"])) {
|
if ($is_a_remote_action && $community && (!$r[0]["forum_mode"]) && (!$r[0]["wall"])) {
|
||||||
$is_a_remote_action = false;
|
$is_a_remote_action = false;
|
||||||
logger("not a community action");
|
logger("not a community action");
|
||||||
|
@ -2380,21 +2356,12 @@ class DFRN
|
||||||
$title = "";
|
$title = "";
|
||||||
foreach ($links as $link) {
|
foreach ($links as $link) {
|
||||||
foreach ($link->attributes as $attributes) {
|
foreach ($link->attributes as $attributes) {
|
||||||
/// @TODO Rewrite these repeated (same) if () statements to a switch()
|
switch ($attributes->name) {
|
||||||
if ($attributes->name == "href") {
|
case "href" : $href = $attributes->textContent; break;
|
||||||
$href = $attributes->textContent;
|
case "rel" : $rel = $attributes->textContent; break;
|
||||||
}
|
case "type" : $type = $attributes->textContent; break;
|
||||||
if ($attributes->name == "rel") {
|
case "length": $length = $attributes->textContent; break;
|
||||||
$rel = $attributes->textContent;
|
case "title" : $title = $attributes->textContent; break;
|
||||||
}
|
|
||||||
if ($attributes->name == "type") {
|
|
||||||
$type = $attributes->textContent;
|
|
||||||
}
|
|
||||||
if ($attributes->name == "length") {
|
|
||||||
$length = $attributes->textContent;
|
|
||||||
}
|
|
||||||
if ($attributes->name == "title") {
|
|
||||||
$title = $attributes->textContent;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (($rel != "") && ($href != "")) {
|
if (($rel != "") && ($href != "")) {
|
||||||
|
@ -2489,13 +2456,13 @@ class DFRN
|
||||||
|
|
||||||
$item['body'] = OEmbed::HTML2BBCode($item['body']);
|
$item['body'] = OEmbed::HTML2BBCode($item['body']);
|
||||||
|
|
||||||
$config = \HTMLPurifier_Config::createDefault();
|
$config = HTMLPurifier_Config::createDefault();
|
||||||
$config->set('Cache.DefinitionImpl', null);
|
$config->set('Cache.DefinitionImpl', null);
|
||||||
|
|
||||||
// we shouldn't need a whitelist, because the bbcode converter
|
// we shouldn't need a whitelist, because the bbcode converter
|
||||||
// will strip out any unsupported tags.
|
// will strip out any unsupported tags.
|
||||||
|
|
||||||
$purifier = new \HTMLPurifier($config);
|
$purifier = new HTMLPurifier($config);
|
||||||
$item['body'] = $purifier->purify($item['body']);
|
$item['body'] = $purifier->purify($item['body']);
|
||||||
|
|
||||||
$item['body'] = @html2bbcode($item['body']);
|
$item['body'] = @html2bbcode($item['body']);
|
||||||
|
@ -2645,16 +2612,6 @@ class DFRN
|
||||||
if (($item["network"] != $author["network"]) && ($author["network"] != "")) {
|
if (($item["network"] != $author["network"]) && ($author["network"] != "")) {
|
||||||
$item["network"] = $author["network"];
|
$item["network"] = $author["network"];
|
||||||
}
|
}
|
||||||
|
|
||||||
/// @TODO maybe remove this old-lost code then?
|
|
||||||
// This code was taken from the old DFRN code
|
|
||||||
// When activated, forums don't work.
|
|
||||||
// And: Why should we disallow commenting by followers?
|
|
||||||
// the behaviour is now similar to the Diaspora part.
|
|
||||||
//if ($importer["rel"] == CONTACT_IS_FOLLOWER) {
|
|
||||||
// logger("Contact ".$importer["id"]." is only follower. Quitting", LOGGER_DEBUG);
|
|
||||||
// return;
|
|
||||||
//}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($entrytype == DFRN_REPLY_RC) {
|
if ($entrytype == DFRN_REPLY_RC) {
|
||||||
|
@ -2671,12 +2628,11 @@ class DFRN
|
||||||
$ev = bbtoevent($item["body"]);
|
$ev = bbtoevent($item["body"]);
|
||||||
if ((x($ev, "desc") || x($ev, "summary")) && x($ev, "start")) {
|
if ((x($ev, "desc") || x($ev, "summary")) && x($ev, "start")) {
|
||||||
logger("Event in item ".$item["uri"]." was found.", LOGGER_DEBUG);
|
logger("Event in item ".$item["uri"]." was found.", LOGGER_DEBUG);
|
||||||
/// @TODO Mixure of "/' ahead ...
|
|
||||||
$ev["cid"] = $importer["id"];
|
$ev["cid"] = $importer["id"];
|
||||||
$ev["uid"] = $importer["uid"];
|
$ev["uid"] = $importer["uid"];
|
||||||
$ev["uri"] = $item["uri"];
|
$ev["uri"] = $item["uri"];
|
||||||
$ev["edited"] = $item["edited"];
|
$ev["edited"] = $item["edited"];
|
||||||
$ev['private'] = $item['private'];
|
$ev["private"] = $item["private"];
|
||||||
$ev["guid"] = $item["guid"];
|
$ev["guid"] = $item["guid"];
|
||||||
|
|
||||||
$r = q(
|
$r = q(
|
||||||
|
|
|
@ -49,10 +49,9 @@ $a->config['php_path'] = '/usr/bin/php';
|
||||||
|
|
||||||
|
|
||||||
// Server-to-server private message encryption (RINO) is allowed by default.
|
// Server-to-server private message encryption (RINO) is allowed by default.
|
||||||
// Encryption will only be provided if this setting is true and the
|
// set to 0 to disable, 1 to enable
|
||||||
// PHP mcrypt extension is installed on both systems
|
|
||||||
|
|
||||||
$a->config['system']['rino_encrypt'] = true;
|
$a->config['system']['rino_encrypt'] = 1;
|
||||||
|
|
||||||
// default system theme
|
// default system theme
|
||||||
|
|
||||||
|
|
|
@ -78,8 +78,7 @@ $a->config['max_import_size'] = 200000;
|
||||||
$a->config['system']['maximagesize'] = 800000;
|
$a->config['system']['maximagesize'] = 800000;
|
||||||
|
|
||||||
// Server-to-server private message encryption (RINO) is allowed by default.
|
// Server-to-server private message encryption (RINO) is allowed by default.
|
||||||
// Encryption will only be provided if this setting is set to a non zero value
|
// set to 0 to disable, 1 to enable
|
||||||
// set to 0 to disable, 2 to enable, 1 is deprecated
|
|
||||||
|
|
||||||
$a->config['system']['rino_encrypt'] = {{$rino}};
|
$a->config['system']['rino_encrypt'] = {{$rino}};
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue