X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=mod%2Fdfrn_notify.php;h=eebaa076d94b9bc0ece344ee5e09ae9478f8ee37;hb=061bcd7d2fcfb8da18e63ed4fde436b38463539d;hp=43414dc87c5bf8e350c972c323fd82c0b01be747;hpb=709022ddee9bc2e9995911e02e40d1b1dd5150b0;p=friendica.git

diff --git a/mod/dfrn_notify.php b/mod/dfrn_notify.php
index 43414dc87c..eebaa076d9 100644
--- a/mod/dfrn_notify.php
+++ b/mod/dfrn_notify.php
@@ -1,17 +1,24 @@
 <?php
 
-require_once('library/simplepie/simplepie.inc');
+/**
+ * @file mod/dfrn_notify.php
+ * @brief The dfrn notify endpoint
+ * @see PDF with dfrn specs: https://github.com/friendica/friendica/blob/master/spec/dfrn2.pdf
+ */
 require_once('include/items.php');
+require_once('include/dfrn.php');
 require_once('include/event.php');
 
+require_once('library/defuse/php-encryption-1.2.1/Crypto.php');
 
-function dfrn_notify_post(&$a) {
-    logger(__function__, LOGGER_TRACE);
+function dfrn_notify_post(App &$a) {
+	logger(__function__, LOGGER_TRACE);
 	$dfrn_id      = ((x($_POST,'dfrn_id'))      ? notags(trim($_POST['dfrn_id']))   : '');
 	$dfrn_version = ((x($_POST,'dfrn_version')) ? (float) $_POST['dfrn_version']    : 2.0);
 	$challenge    = ((x($_POST,'challenge'))    ? notags(trim($_POST['challenge'])) : '');
 	$data         = ((x($_POST,'data'))         ? $_POST['data']                    : '');
 	$key          = ((x($_POST,'key'))          ? $_POST['key']                     : '');
+	$rino_remote  = ((x($_POST,'rino'))         ? intval($_POST['rino'])            :  0);
 	$dissolve     = ((x($_POST,'dissolve'))     ? intval($_POST['dissolve'])        :  0);
 	$perm         = ((x($_POST,'perm'))         ? notags(trim($_POST['perm']))      : 'r');
 	$ssl_policy   = ((x($_POST,'ssl_policy'))   ? notags(trim($_POST['ssl_policy'])): 'none');
@@ -35,7 +42,7 @@ function dfrn_notify_post(&$a) {
 		dbesc($dfrn_id),
 		dbesc($challenge)
 	);
-	if(! count($r)) {
+	if (! dbm::is_result($r)) {
 		logger('dfrn_notify: could not match challenge to dfrn_id ' . $dfrn_id . ' challenge=' . $challenge);
 		xml_status(3);
 	}
@@ -81,7 +88,7 @@ function dfrn_notify_post(&$a) {
 		dbesc($a->argv[1])
 	);
 
-	if(! count($r)) {
+	if (! dbm::is_result($r)) {
 		logger('dfrn_notify: contact not found for dfrn_id ' . $dfrn_id);
 		xml_status(3);
 		//NOTREACHED
@@ -91,6 +98,8 @@ function dfrn_notify_post(&$a) {
 
 	$importer = $r[0];
 
+	logger("Remote rino version: ".$rino_remote." for ".$importer["url"], LOGGER_DEBUG);
+
 	if((($writable != (-1)) && ($writable != $importer['writable'])) || ($importer['forum'] != $forum) || ($importer['prv'] != $prv)) {
 		q("UPDATE `contact` SET `writable` = %d, forum = %d, prv = %d WHERE `id` = %d",
 			intval(($writable == (-1)) ? $importer['writable'] : $writable),
@@ -113,7 +122,7 @@ function dfrn_notify_post(&$a) {
 
 	if($dissolve == 1) {
 
-		/**
+		/*
 		 * Relationship is dissolved permanently
 		 */
 
@@ -126,12 +135,27 @@ function dfrn_notify_post(&$a) {
 
 
 	// If we are setup as a soapbox we aren't accepting input from this person
+	// This behaviour is deactivated since it really doesn't make sense to even disallow comments
+	// The check if someone is a friend or simply a follower is done in a later place so it needn't to be done here
+	//if($importer['page-flags'] == PAGE_SOAPBOX)
+	//	xml_status(0);
 
-	if($importer['page-flags'] == PAGE_SOAPBOX)
-		xml_status(0);
+	$rino = get_config('system','rino_encrypt');
+	$rino = intval($rino);
+	// use RINO1 if mcrypt isn't installed and RINO2 was selected
+	if ($rino==2 and !function_exists('mcrypt_create_iv')) $rino=1;
 
+	logger("Local rino version: ". $rino, LOGGER_DEBUG);
 
 	if(strlen($key)) {
+
+		// if local rino is lower than remote rino, abort: should not happen!
+		// but only for $remote_rino > 1, because old code did't send rino version
+		if ($rino_remote_version > 1 && $rino < $rino_remote) {
+			logger("rino version '$rino_remote' is lower than supported '$rino'");
+			xml_status(0,"rino version '$rino_remote' is lower than supported '$rino'");
+		}
+
 		$rawkey = hex2bin(trim($key));
 		logger('rino: md5 raw key: ' . md5($rawkey));
 		$final_key = '';
@@ -153,20 +177,51 @@ function dfrn_notify_post(&$a) {
 			}
 		}
 
-		logger('rino: received key : ' . $final_key);
-		$data = aes_decrypt(hex2bin($data),$final_key);
+		#logger('rino: received key : ' . $final_key);
+
+		switch($rino_remote) {
+			case 0:
+			case 1:
+				// we got a key. old code send only the key, without RINO version.
+				// we assume RINO 1 if key and no RINO version
+				$data = aes_decrypt(hex2bin($data),$final_key);
+				break;
+			case 2:
+				try {
+					$data = Crypto::decrypt(hex2bin($data),$final_key);
+				} catch (InvalidCiphertext $ex) { // VERY IMPORTANT
+					// Either:
+					//   1. The ciphertext was modified by the attacker,
+					//   2. The key is wrong, or
+					//   3. $ciphertext is not a valid ciphertext or was corrupted.
+					// Assume the worst.
+					logger('The ciphertext has been tampered with!');
+					xml_status(0,'The ciphertext has been tampered with!');
+				} catch (Ex\CryptoTestFailed $ex) {
+					logger('Cannot safely perform dencryption');
+					xml_status(0,'CryptoTestFailed');
+				} catch (Ex\CannotPerformOperation $ex) {
+					logger('Cannot safely perform decryption');
+					xml_status(0,'Cannot safely perform decryption');
+				}
+				break;
+			default:
+				logger("rino: invalid sent verision '$rino_remote'");
+				xml_status(0);
+		}
+
+
 		logger('rino: decrypted data: ' . $data, LOGGER_DATA);
 	}
 
-
-	$ret = local_delivery($importer,$data);
+	$ret = dfrn::import($data, $importer);
 	xml_status($ret);
 
 	// NOTREACHED
 }
 
 
-function dfrn_notify_content(&$a) {
+function dfrn_notify_content(App &$a) {
 
 	if(x($_GET,'dfrn_id')) {
 
@@ -175,6 +230,7 @@ function dfrn_notify_content(&$a) {
 
 		$dfrn_id = notags(trim($_GET['dfrn_id']));
 		$dfrn_version = (float) $_GET['dfrn_version'];
+		$rino_remote = ((x($_GET,'rino')) ? intval($_GET['rino']) : 0);
 		$type = "";
 		$last_update = "";
 
@@ -201,7 +257,7 @@ function dfrn_notify_content(&$a) {
 			dbesc($last_update)
 		);
 
-		logger('dfrn_notify: challenge=' . $hash, LOGGER_DEBUG );
+		logger('dfrn_notify: challenge=' . $hash, LOGGER_DEBUG);
 
 		$sql_extra = '';
 		switch($direction) {
@@ -228,8 +284,11 @@ function dfrn_notify_content(&$a) {
 				dbesc($a->argv[1])
 		);
 
-		if(! count($r))
+		if (! dbm::is_result($r)) {
 			$status = 1;
+		}
+
+		logger("Remote rino version: ".$rino_remote." for ".$r[0]["url"], LOGGER_DEBUG);
 
 		$challenge = '';
 		$encrypted_id = '';
@@ -253,12 +312,17 @@ function dfrn_notify_content(&$a) {
 		$challenge    = bin2hex($challenge);
 		$encrypted_id = bin2hex($encrypted_id);
 
-		$rino = ((function_exists('mcrypt_encrypt')) ? 1 : 0);
 
-		$rino_enable = get_config('system','rino_encrypt');
+		$rino = get_config('system','rino_encrypt');
+		$rino = intval($rino);
+		// use RINO1 if mcrypt isn't installed and RINO2 was selected
+		if ($rino==2 and !function_exists('mcrypt_create_iv')) $rino=1;
+
+		logger("Local rino version: ". $rino, LOGGER_DEBUG);
 
-		if(! $rino_enable)
-			$rino = 0;
+		// if requested rino is lower than enabled local rino, lower local rino version
+		// if requested rino is higher than enabled local rino, reply with local rino
+		if ($rino_remote < $rino) $rino = $rino_remote;
 
 		if((($r[0]['rel']) && ($r[0]['rel'] != CONTACT_IS_SHARING)) || ($r[0]['page-flags'] == PAGE_COMMUNITY)) {
 			$perm = 'rw';