From d2ea58428d00c802924970e0173ead700906a957 Mon Sep 17 00:00:00 2001
From: Hypolite Petovan <hypolite@mrpetovan.com>
Date: Wed, 23 Nov 2022 11:22:54 -0500
Subject: [PATCH] Ensure the existence of various keys in decoded data in Diaspora::decodeRaw

- Address https://github.com/friendica/friendica/issues/11994#issuecomment-1302681295
---
 src/Protocol/Diaspora.php | 37 ++++++++++++++++++++++++++-----------
 1 file changed, 26 insertions(+), 11 deletions(-)

diff --git a/src/Protocol/Diaspora.php b/src/Protocol/Diaspora.php
index 4a42a5e0b..54f09e9d9 100644
--- a/src/Protocol/Diaspora.php
+++ b/src/Protocol/Diaspora.php
@@ -224,14 +224,34 @@ class Diaspora

 // Is it a private post? Then decrypt the outer Salmon
 if (is_object($data)) {
- $encrypted_aes_key_bundle = base64_decode($data->aes_key);
- $ciphertext = base64_decode($data->encrypted_magic_envelope);
+ try {
+ if (!isset($data->aes_key) || !isset($data->encrypted_magic_envelope)) {
+ Logger::info('Missing keys "aes_key" and/or "encrypted_magic_envelope"', ['data' => $data]);
+ throw new \RuntimeException('Missing keys "aes_key" and/or "encrypted_magic_envelope"');
+ }

- $outer_key_bundle = '';
- @openssl_private_decrypt($encrypted_aes_key_bundle, $outer_key_bundle, $privKey);
- $j_outer_key_bundle = json_decode($outer_key_bundle);
+ $encrypted_aes_key_bundle = base64_decode($data->aes_key);
+ $ciphertext = base64_decode($data->encrypted_magic_envelope);

- if (!is_object($j_outer_key_bundle)) {
+ $outer_key_bundle = '';
+ @openssl_private_decrypt($encrypted_aes_key_bundle, $outer_key_bundle, $privKey);
+ $j_outer_key_bundle = json_decode($outer_key_bundle);
+
+ if (!is_object($j_outer_key_bundle)) {
+ Logger::info('Unable to decode outer key bundle', ['outer_key_bundle' => $outer_key_bundle]);
+ throw new \RuntimeException('Unable to decode outer key bundle');
+ }
+
+ if (!isset($j_outer_key_bundle->iv) || !isset($j_outer_key_bundle->key)) {
+ Logger::info('Missing keys "iv" and/or "key" from outer Salmon', ['j_outer_key_bundle' => $j_outer_key_bundle]);
+ throw new \RuntimeException('Missing keys "iv" and/or "key" from outer Salmon');
+ }
+
+ $outer_iv = base64_decode($j_outer_key_bundle->iv);
+ $outer_key = base64_decode($j_outer_key_bundle->key);
+
+ $xml = self::aesDecrypt($outer_key, $outer_iv, $ciphertext);
+ } catch (\Throwable $e) {
 Logger::notice('Outer Salmon did not verify. Discarding.');
 if ($no_exit) {
 return false;
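Review bot: Two of the new `Logger::info` calls inside the `try` block write decrypted material to the log: `['outer_key_bundle' => $outer_key_bundle]` is the plaintext produced by `openssl_private_decrypt`, and `['j_outer_key_bundle' => $j_outer_key_bundle]` dumps the decoded object, which still carries the AES `key` when only `iv` is missing. Logging the shape rather than the content is enough to diagnose a broken sender, e.g. `['length' => strlen($outer_key_bundle)]` and `['keys' => array_keys(get_object_vars($j_outer_key_bundle))]`; the first call's `['data' => $data]` likewise records the whole remote-supplied envelope and could be reduced the same way. The `isset()` checks do not confirm the values are strings, so a non-string `aes_key` or `iv` presumably only gets rejected because `catch (\Throwable $e)` absorbs the resulting error; an explicit `is_string()` test next to each `isset()` would make that rejection deliberate. `$e` is never used, so the final notice cannot distinguish a malformed envelope from an unrelated fault raised inside the block; `Logger::notice('Outer Salmon did not verify. Discarding.', ['reason' => $e->getMessage()]);` would keep the reason. The enclosing method starts before this hunk and the `catch` block closes in the next one.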
@@ -239,11 +259,6 @@ class Diaspora
 throw new \Friendica\Network\HTTPException\BadRequestException();
 }
 }
-
- $outer_iv = base64_decode($j_outer_key_bundle->iv);
- $outer_key = base64_decode($j_outer_key_bundle->key);
-
- $xml = self::aesDecrypt($outer_key, $outer_iv, $ciphertext);
 } else {
 $xml = $raw;
 }