friendica
/
friendica
mirror of https://github.com/friendica/friendica.git
4
6
Fork 3
Code Issues Releases 13 Wiki Activity
Browse Source

magic-envelope verification, status.net appears to do it wrong. 

Ultimately we need to do it right (or why bother having a spec?),
and fallback to doing it wrong if we're talking to a broken system - which
ironically seems to include most of the federated social web projects.
pull/1/head
Mike Macgirvin 11 years ago
parent
39b19cd089
commit
5edee3c4d1
8 changed files with 354 additions and 27 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 73
      boot.php
  2. 1
      database.sql
  3. 2
      include/items.php
  4. 109
      include/salmon.php
  5. 2
      library/asn1.php
  6. 170
      mod/salmon.php
  7. 6
      update.php
  8. 18
      view/fake_feed.tpl

73
boot.php
View File

@ -2,7 +2,7 @@
set_time_limit(0);
define ( 'BUILD_ID', 1010 );
define ( 'BUILD_ID', 1011 );
define ( 'DFRN_PROTOCOL_VERSION', '2.0' );
define ( 'EOL', "<br />\r\n" );
@ -116,6 +116,7 @@ class App {
private $db;
private $curl_code;
private $curl_headers;
function __construct() {
@ -204,6 +205,15 @@ class App {
return $this->curl_code;
}
function set_curl_headers($headers) {
$this->curl_headers = $headers;
}
function get_curl_headers() {
return $this->curl_headers;
}
}}
// retrieve the App structure
@ -339,13 +349,12 @@ function t($s) {
// results.
if(! function_exists('fetch_url')) {
function fetch_url($url,$binary = false) {
function fetch_url($url,$binary = false, &$redirects = 0) {
$ch = curl_init($url);
if(! $ch) return false;
if(($redirects > 8) || (! $ch))
return false;
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION,true);
curl_setopt($ch, CURLOPT_MAXREDIRS,8);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,true);
// by default we will allow self-signed certs
@ -366,26 +375,41 @@ function fetch_url($url,$binary = false) {
curl_setopt($ch, CURLOPT_BINARYTRANSFER,1);
$s = curl_exec($ch);
$info = curl_getinfo($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$header = substr($s,0,strpos($s,"\r\n\r\n"));
if($http_code == 301 || $http_code == 302 || $http_code == 303) {
$matches = array();
preg_match('/(Location:|URI:)(.*?)\n/', $header, $matches);
$url = trim(array_pop($matches));
$url_parsed = parse_url($url);
if (isset($url_parsed)) {
$redirects++;
return fetch_url($url,$binary,$redirects);
}
}
$a = get_app();
$a->set_curl_code($info['http_code']);
$a->set_curl_code($http_code);
$body = substr($s,strlen($header)+4);
$a->set_curl_headers($header);
curl_close($ch);
return($s);
return($body);
}}
// post request to $url. $params is an array of post variables.
if(! function_exists('post_url')) {
function post_url($url,$params) {
function post_url($url,$params, &$redirects = 0) {
$ch = curl_init($url);
if(! $ch) return false;
if(($redirects > 8) || (! $ch))
return false;
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION,true);
curl_setopt($ch, CURLOPT_MAXREDIRS,8);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,true);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS,$params);
$check_cert = get_config('system','verifyssl');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, (($check_cert) ? true : false));
$prx = get_config('system','proxy');
@ -398,11 +422,26 @@ function post_url($url,$params) {
}
$s = curl_exec($ch);
$info = curl_getinfo($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$header = substr($s,0,strpos($s,"\r\n\r\n"));
if($http_code == 301 || $http_code == 302 || $http_code == 303) {
$matches = array();
preg_match('/(Location:|URI:)(.*?)\n/', $header, $matches);
$url = trim(array_pop($matches));
$url_parsed = parse_url($url);
if (isset($url_parsed)) {
$redirects++;
return post_url($url,$binary,$redirects);
}
}
$a = get_app();
$a->set_curl_code($info['http_code']);
$a->set_curl_code($http_code);
$body = substr($s,strlen($header)+4);
$a->set_curl_headers($header);
curl_close($ch);
return($s);
return($body);
}}
// random hash, 64 chars

1
database.sql
View File

@ -62,6 +62,7 @@ CREATE TABLE IF NOT EXISTS `contact` (
`issued-id` char(255) NOT NULL,
`dfrn-id` char(255) NOT NULL,
`url` char(255) NOT NULL,
`lrdd` char(255) NOT NULL,
`pubkey` text NOT NULL,
`prvkey` text NOT NULL,
`request` text NOT NULL,

2
include/items.php
View File

@ -139,7 +139,7 @@ function get_feed_for(&$a, $dfrn_id, $owner_id, $last_update, $direction = 0) {
}
$salmon = '<link rel="salmon" href="' . xmlify($a->get_baseurl() . '/salmon/' . $owner_nick) . '" />' . "\n" ;
$salmon = ''; // remove this line when salmon handler is finished
// $salmon = ''; // remove this line when salmon handler is finished
$atom .= replace_macros($feed_template, array(
'$feed_id' => xmlify($a->get_baseurl() . '/profile/' . $owner_nick),

109
include/salmon.php
View File

@ -16,3 +16,112 @@ function salmon_key($pubkey) {
return 'RSA' . '.' . $m . '.' . $e ;
}
function base64url_encode($s) {
return strtr(base64_encode($s),'+/','-_');
}
function base64url_decode($s) {
return base64_decode(strtr($s,'-_','+/'));
}
function get_salmon_key($uri,$keyhash) {
$ret = array();
$debugging = get_config('system','debugging');
if($debugging)
file_put_contents('salmon.out', "\n" . 'Fetch key' . "\n", FILE_APPEND);
if(strstr($uri,'@')) {
$arr = webfinger($uri);
if($debugging)
file_put_contents('salmon.out', "\n" . 'Fetch key from webfinger' . "\n", FILE_APPEND);
}
else {
$html = fetch_url($uri);
$a = get_app();
$h = $a->get_curl_headers();
if($debugging)
file_put_contents('salmon.out', "\n" . 'Fetch key via HTML header: ' . $h . "\n", FILE_APPEND);
$l = explode("\n",$h);
if(count($l)) {
foreach($l as $line) {
if($debugging)
file_put_contents('salmon.out', "\n" . $line . "\n", FILE_APPEND);
if((stristr($line,'link:')) && preg_match('/<([^>].*)>.*rel\=[\'\"]lrdd[\'\"]/',$line,$matches)) {
$link = $matches[1];
if($debugging)
file_put_contents('salmon.out', "\n" . 'Fetch key via Link from header: ' . $link . "\n", FILE_APPEND);
break;
}
}
}
}
if(! isset($link)) {
require_once('library/HTML5/Parser.php');
$dom = HTML5_Parser::parse($html);
if(! $dom)
return '';
$items = $dom->getElementsByTagName('link');
foreach($items as $item) {
$x = $item->getAttribute('rel');
if($x == "lrdd") {
$link = $item->getAttribute('href');
if($debugging)
file_put_contents('salmon.out', "\n" . 'Fetch key via HTML body' . $link . "\n", FILE_APPEND);
break;
}
}
}
if(! isset($link))
return '';
$arr = fetch_xrd_links($link);
if($arr) {
foreach($arr as $a) {
if($a['@attributes']['rel'] === 'magic-public-key') {
$ret[] = $a['@attributes']['href'];
}
}
}
if(count($ret)) {
for($x = 0; $x < count($ret); $x ++) {
if(substr($ret[$x],0,5) === 'data:') {
if(strstr($ret[$x],','))
$ret[$x] = substr($ret[$x],strpos($ret[$x],',')+1);
else
$ret[$x] = substr($ret[$x],5);
}
else
$ret[$x] = fetch_url($ret[$x]);
}
}
if($debugging)
file_put_contents('salmon.out', "\n" . 'Key located: ' . print_r($ret,true) . "\n", FILE_APPEND);
if(count($ret) == 1) {
return $ret[0];
}
else {
foreach($ret as $a) {
$hash = base64url_encode(hash('sha256',$a));
if($hash == $keyhash)
return $a;
}
}
return '';
}

2
library/asn1.php
View File

@ -186,7 +186,7 @@ class ASN_BASE {
case ASN_BOOLEAN:
return new ASN_BOOLEAN((bool)$data);
case ASN_INTEGER:
return new ASN_INTEGER(strtr(base64_encode($data),'+/=','-_,'));
return new ASN_INTEGER(strtr(base64_encode($data),'+/','-_'));
// return new ASN_INTEGER(ord($data));
case ASN_BIT_STR:
return new ASN_BIT_STR(self::parseASNString($data, $level+1, $maxLevels));

170
mod/salmon.php
View File

@ -1,5 +1,15 @@
<?php
// TODO: pass keyhash to key discovery
// add relevant contacts so they can use this
// There is a lot of debug stuff in here because this is quite a
// complicated process to try and sort out.
require_once('include/salmon.php');
require_once('simplepie/simplepie.inc');
function salmon_return($val) {
if($val >= 500)
@ -18,7 +28,7 @@ function salmon_post(&$a) {
$debugging = get_config('system','debugging');
if($debugging)
file_put_contents('salmon.out',$xml,FILE_APPEND);
file_put_contents('salmon.out','New Salmon: ' . $xml . "\n",FILE_APPEND);
$nick = (($a->argc > 1) ? notags(trim($a->argv[1])) : '');
$mentions = (($a->argc > 2 && $a->argv[2] === 'mention') ? true : false);
@ -31,22 +41,168 @@ function salmon_post(&$a) {
$importer = $r[0];
require_once('include/items.php');
// parse the xml
$dom = simplexml_load_string($xml,'SimpleXMLElement',0,NAMESPACE_SALMON_ME);
if($debugging)
file_put_contents('salmon.out', "\n" . print_r($dom,true) . "\n" , FILE_APPEND);
// figure out where in the DOM tree our data is hiding
if($dom->provenance->data)
$base = $dom->provenance;
elseif($dom->env->data)
$base = $dom->env;
elseif($dom->data)
$base = $dom;
if(! $base) {
if($debugging)
file_put_contents('salmon.out', "\n" . 'Unable to find salmon data in XML' . "\n" , FILE_APPEND);
salmon_return(500);
}
// Stash the signature away for now. We have to find their key or it won't be good for anything.
$signature = base64url_decode($base->sig);
if($debugging)
file_put_contents('salmon.out', "\n" . 'Encoded Signature: ' . $base->sig . "\n" , FILE_APPEND);
// unpack our data element.
// strip whitespace
$data = str_replace(array(" ","\t","\r","\n"),array("","","",""),$base->data);
$type = $base->data[0]->attributes()->type[0];
$encoding = $base->encoding;
$alg = $base->alg;
$signed_data = $data;
// . '.' . base64url_encode($type) . '.' . base64url_encode($encoding) . '.' . base64url_encode($alg);
// decode it
$data = base64url_decode($data);
if($debugging)
file_put_contents('salmon.out', "\n" . 'Signed data:>>>' . $signed_data . "<<<\n" , FILE_APPEND);
// Remove the xml declaration
$data = preg_replace('/\<\?xml[^\?].*\?\>/','',$data);
// Create a fake feed wrapper so simplepie doesn't choke
$tpl = load_view_file('view/atom_feed.tpl');
$tpl = load_view_file('view/fake_feed.tpl');
$base = substr($xml,strpos($xml,'<entry'));
$base = substr($data,strpos($data,'<entry'));
$feedxml = $tpl . $base . '</feed>';
if($debugging) {
file_put_contents('salmon.out', 'Processed feed: ' . $feedxml . "\n", FILE_APPEND);
}
// Now parse it like a normal atom feed to scrape out the author URI
$feed = new SimplePie();
$feed->set_raw_data($feedxml);
$feed->enable_order_by_date(false);
$feed->init();
if($debugging) {
file_put_contents('salmon.out', "\n" . 'Feed parsed.' . "\n", FILE_APPEND);
}
if($feed->get_item_quantity()) {
foreach($feed->get_items() as $item) {
$author = $item->get_author();
$author_link = unxmlify($author->get_link());
break;
}
}
if(! $author_link) {
if($debugging)
file_put_contents('salmon.out',"\n" . 'Could not retrieve author URI.' . "\n", FILE_APPEND);
salmon_return(500);
}
$xml = $tpl . $base . '</feed>';
// Once we have the author URI, go to the web and find their public key
salmon_return(500); // until the handler is finished
if($debugging) {
file_put_contents('salmon.out', "\n" . 'Fetching key for ' . $author_link . "\n", FILE_APPEND);
}
// consume_salmon($xml,$importer);
$key = get_salmon_key($author_link,$keyhash);
if(! $key) {
if($debugging)
file_put_contents('salmon.out',"\n" . 'Could not retrieve author key.' . "\n", FILE_APPEND);
salmon_return(500);
}
// Setup RSA stuff to verify the signature
set_include_path(get_include_path() . PATH_SEPARATOR . 'phpsec');
require_once('phpsec/Crypt/RSA.php');
$key_info = explode('.',$key);
$m = base64url_decode($key_info[1]);
$e = base64url_decode($key_info[2]);
if($debugging)
file_put_contents('salmon.out',"\n" . print_r($key_info,true) . "\n", FILE_APPEND);
$rsa = new CRYPT_RSA();
$rsa->signatureMode = CRYPT_RSA_SIGNATURE_PKCS1;
$rsa->setHash('sha256');
$rsa->modulus = new Math_BigInteger($m, 256);
$rsa->k = strlen($rsa->modulus->toBytes());
$rsa->exponent = new Math_BigInteger($e, 256);
// We should have everything we need now. Let's see if it verifies.
$verify = $rsa->verify($signed_data,$signature);
if(! $verify) {
if($debugging)
file_put_contents('salmon.out',"\n" . 'Message did not verify. Discarding.' . "\n", FILE_APPEND);
salmon_return(500);
}
if($debugging)
file_put_contents('salmon.out',"\n" . 'Message verified.' . "\n", FILE_APPEND);
/*
*
* If we reached this point, the message is good. Now let's figure out if the author is allowed to send us stuff.
*
*/
$r = q("SELECT * FROM `contact` WHERE `network` = 'stat' AND `lrdd` = '%s' AND `uid` = %d LIMIT 1",
dbesc($author_link),
intval($importer['uid'])
);
if(! count($r)) {
if($debugging)
file_put_contents('salmon.out',"\n" . 'Author unknown to us.' . "\n", FILE_APPEND);
salmon_return(500);
}
require_once('include/items.php');
$hub = '';
consume_feed($feedxml,$importer,$r[0],$hub);
salmon_return(200);
}

6
update.php
View File

@ -75,4 +75,8 @@ function update_1008() {
function update_1009() {
q("ALTER TABLE `user` ADD `allow_location` TINYINT( 1 ) NOT NULL DEFAULT '0' AFTER `default-location` ");
}
}
function update_1010() {
q("ALTER TABLE `contact` ADD `lrdd` CHAR( 255 ) NOT NULL AFTER `url` ");
}

18
view/fake_feed.tpl
View File

@ -0,0 +1,18 @@
<?xml version="1.0" encoding="utf-8" ?>
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:thr="http://purl.org/syndication/thread/1.0"
xmlns:at="http://purl.org/atompub/tombstones/1.0"
xmlns:media="http://purl.org/syndication/atommedia"
xmlns:dfrn="http://purl.org/macgirvin/dfrn/1.0"
xmlns:as="http://activitystrea.ms/spec/1.0/"
xmlns:georss="http://www.georss.org/georss" >
<id>fake feed</id>
<title>fake title</title>
<updated>1970-01-01T00:00:00Z</updated>
<author>
<name>Fake Name</name>
<uri>http://example.com</uri>
</author>
Write Preview
Loading…
Cancel
Save