X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=mod%2Fdfrn_notify.php;h=780fb456f5cd33f43e7bc6783196fd15e55570f1;hb=287c9cfbdd156ddc4edbea6b9b76d950071aaf04;hp=2aa654534621dbb186a5dd6b61db1068397ae212;hpb=a3ae3c9156851a0ef458e0c757cc915a26b6c1d2;p=friendica.git

diff --git a/mod/dfrn_notify.php b/mod/dfrn_notify.php
index 2aa6545346..780fb456f5 100644
--- a/mod/dfrn_notify.php
+++ b/mod/dfrn_notify.php
@@ -1,9 +1,10 @@
 <?php
 
-require_once('library/simplepie/simplepie.inc');
 require_once('include/items.php');
+require_once('include/dfrn.php');
 require_once('include/event.php');
 
+require_once('library/defuse/php-encryption-1.2.1/Crypto.php');
 
 function dfrn_notify_post(&$a) {
     logger(__function__, LOGGER_TRACE);
@@ -12,6 +13,7 @@ function dfrn_notify_post(&$a) {
 	$challenge    = ((x($_POST,'challenge'))    ? notags(trim($_POST['challenge'])) : '');
 	$data         = ((x($_POST,'data'))         ? $_POST['data']                    : '');
 	$key          = ((x($_POST,'key'))          ? $_POST['key']                     : '');
+	$rino_remote  = ((x($_POST,'rino'))         ? intval($_POST['rino'])            :  0);
 	$dissolve     = ((x($_POST,'dissolve'))     ? intval($_POST['dissolve'])        :  0);
 	$perm         = ((x($_POST,'perm'))         ? notags(trim($_POST['perm']))      : 'r');
 	$ssl_policy   = ((x($_POST,'ssl_policy'))   ? notags(trim($_POST['ssl_policy'])): 'none');
@@ -91,6 +93,8 @@ function dfrn_notify_post(&$a) {
 
 	$importer = $r[0];
 
+	logger("Remote rino version: ".$rino_remote." for ".$importer["url"], LOGGER_DEBUG);
+
 	if((($writable != (-1)) && ($writable != $importer['writable'])) || ($importer['forum'] != $forum) || ($importer['prv'] != $prv)) {
 		q("UPDATE `contact` SET `writable` = %d, forum = %d, prv = %d WHERE `id` = %d",
 			intval(($writable == (-1)) ? $importer['writable'] : $writable),
@@ -126,12 +130,27 @@ function dfrn_notify_post(&$a) {
 
 
 	// If we are setup as a soapbox we aren't accepting input from this person
+	// This behaviour is deactivated since it really doesn't make sense to even disallow comments
+	// The check if someone is a friend or simply a follower is done in a later place so it needn't to be done here
+	//if($importer['page-flags'] == PAGE_SOAPBOX)
+	//	xml_status(0);
 
-	if($importer['page-flags'] == PAGE_SOAPBOX)
-		xml_status(0);
+	$rino = get_config('system','rino_encrypt');
+	$rino = intval($rino);
+	// use RINO1 if mcrypt isn't installed and RINO2 was selected
+	if ($rino==2 and !function_exists('mcrypt_create_iv')) $rino=1;
 
+	logger("Local rino version: ". $rino, LOGGER_DEBUG);
 
 	if(strlen($key)) {
+
+		// if local rino is lower than remote rino, abort: should not happen!
+		// but only for $remote_rino > 1, because old code did't send rino version
+		if ($rino_remote_version > 1 && $rino < $rino_remote) {
+			logger("rino version '$rino_remote' is lower than supported '$rino'");
+			xml_status(0,"rino version '$rino_remote' is lower than supported '$rino'");
+		}
+
 		$rawkey = hex2bin(trim($key));
 		logger('rino: md5 raw key: ' . md5($rawkey));
 		$final_key = '';
@@ -153,13 +172,44 @@ function dfrn_notify_post(&$a) {
 			}
 		}
 
-		logger('rino: received key : ' . $final_key);
-		$data = aes_decrypt(hex2bin($data),$final_key);
+		#logger('rino: received key : ' . $final_key);
+
+		switch($rino_remote) {
+			case 0:
+			case 1:
+				// we got a key. old code send only the key, without RINO version.
+				// we assume RINO 1 if key and no RINO version
+				$data = aes_decrypt(hex2bin($data),$final_key);
+				break;
+			case 2:
+				try {
+					$data = Crypto::decrypt(hex2bin($data),$final_key);
+				} catch (InvalidCiphertext $ex) { // VERY IMPORTANT
+					// Either:
+					//   1. The ciphertext was modified by the attacker,
+					//   2. The key is wrong, or
+					//   3. $ciphertext is not a valid ciphertext or was corrupted.
+					// Assume the worst.
+					logger('The ciphertext has been tampered with!');
+					xml_status(0,'The ciphertext has been tampered with!');
+				} catch (Ex\CryptoTestFailed $ex) {
+					logger('Cannot safely perform dencryption');
+					xml_status(0,'CryptoTestFailed');
+				} catch (Ex\CannotPerformOperation $ex) {
+					logger('Cannot safely perform decryption');
+					xml_status(0,'Cannot safely perform decryption');
+				}
+				break;
+			default:
+				logger("rino: invalid sent verision '$rino_remote'");
+				xml_status(0);
+		}
+
+
 		logger('rino: decrypted data: ' . $data, LOGGER_DATA);
 	}
 
-
-	$ret = local_delivery($importer,$data);
+	$ret = dfrn::import($data, $importer);
 	xml_status($ret);
 
 	// NOTREACHED
@@ -175,6 +225,7 @@ function dfrn_notify_content(&$a) {
 
 		$dfrn_id = notags(trim($_GET['dfrn_id']));
 		$dfrn_version = (float) $_GET['dfrn_version'];
+		$rino_remote = ((x($_GET,'rino')) ? intval($_GET['rino']) : 0);
 		$type = "";
 		$last_update = "";
 
@@ -193,7 +244,7 @@ function dfrn_notify_content(&$a) {
 		$r = q("DELETE FROM `challenge` WHERE `expire` < " . intval(time()));
 
 		$r = q("INSERT INTO `challenge` ( `challenge`, `dfrn-id`, `expire` , `type`, `last_update` )
-			VALUES( '%s', '%s', %d ) ",
+			VALUES( '%s', '%s', %d, '%s', '%s' ) ",
 			dbesc($hash),
 			dbesc($dfrn_id),
 			intval(time() + 90 ),
@@ -201,7 +252,7 @@ function dfrn_notify_content(&$a) {
 			dbesc($last_update)
 		);
 
-		logger('dfrn_notify: challenge=' . $hash, LOGGER_DEBUG );
+		logger('dfrn_notify: challenge=' . $hash, LOGGER_DEBUG);
 
 		$sql_extra = '';
 		switch($direction) {
@@ -231,6 +282,8 @@ function dfrn_notify_content(&$a) {
 		if(! count($r))
 			$status = 1;
 
+		logger("Remote rino version: ".$rino_remote." for ".$r[0]["url"], LOGGER_DEBUG);
+
 		$challenge = '';
 		$encrypted_id = '';
 		$id_str = $my_id . '.' . mt_rand(1000,9999);
@@ -253,12 +306,17 @@ function dfrn_notify_content(&$a) {
 		$challenge    = bin2hex($challenge);
 		$encrypted_id = bin2hex($encrypted_id);
 
-		$rino = ((function_exists('mcrypt_encrypt')) ? 1 : 0);
 
-		$rino_enable = get_config('system','rino_encrypt');
+		$rino = get_config('system','rino_encrypt');
+		$rino = intval($rino);
+		// use RINO1 if mcrypt isn't installed and RINO2 was selected
+		if ($rino==2 and !function_exists('mcrypt_create_iv')) $rino=1;
+
+		logger("Local rino version: ". $rino, LOGGER_DEBUG);
 
-		if(! $rino_enable)
-			$rino = 0;
+		// if requested rino is lower than enabled local rino, lower local rino version
+		// if requested rino is higher than enabled local rino, reply with local rino
+		if ($rino_remote < $rino) $rino = $rino_remote;
 
 		if((($r[0]['rel']) && ($r[0]['rel'] != CONTACT_IS_SHARING)) || ($r[0]['page-flags'] == PAGE_COMMUNITY)) {
 			$perm = 'rw';