reciprocal verification on notify, poll

diff --git a/include/notifier.php b/include/notifier.php
index a2d313b5fd83d23c98e8ac69d89c60a4f6244e3b..7d9b09da34d3ae6041566af8c411ce65e6b81802 100644 (file)
--- a/include/notifier.php
+++ b/include/notifier.php
@@ -267,12 +267,22 @@ echo $xml;
 
                $res = simplexml_load_string($xml);
 
-               if((intval($res->status) != 0) || (! strlen($res->challenge)) || ($res->dfrn_id != $rr['dfrn-id']))
+               if((intval($res->status) != 0) || (! strlen($res->challenge)) || (! strlen($res->dfrn_id)))
                        continue;
 
                $postvars = array();
+               $sent_dfrn_id = hex2bin($res->dfrn_id);
+
+               $final_dfrn_id = '';
+               openssl_public_decrypt($sent_dfrn_id,$final_dfrn_id,$rr['pubkey']);
+               $final_dfrn_id = substr($final_dfrn_id, 0, strpos($final_dfrn_id, '.'));
+               if($final_dfrn_id != $rr['dfrn-id']) {
+                       // did not decode properly - cannot trust this site 
+                       continue;
+               }
 
                $postvars['dfrn_id'] = $rr['dfrn-id'];
+
                $challenge = hex2bin($res->challenge);
 
                openssl_public_decrypt($challenge,$postvars['challenge'],$rr['pubkey']);
@@ -295,7 +305,7 @@ echo $xml;
                // Currently there is no retry attempt for failed mail delivery.
                // We need to handle this in the UI, report the non-deliverables and try again
  
-               if(($cmd == 'mail) && (intval($res->status) == 0)) {
+               if(($cmd == 'mail') && (intval($res->status) == 0)) {
 
                        $r = q("UPDATE `mail` SET `delivered` = 1 WHERE `id` = %d LIMIT 1",
                                intval($item_id)

diff --git a/include/poller.php b/include/poller.php
index e0b4d79b21aac18e4f970c7f75d8cd9190da6d33..be073b93b0b2c33badf1fe8ca1c44d86aba87b83 100644 (file)
--- a/include/poller.php
+++ b/include/poller.php
@@ -84,11 +84,21 @@ echo "XML: " . $xml;
 
                $res = simplexml_load_string($xml);
 
-               if((intval($res->status) != 0) || (! strlen($res->challenge)) || ($res->dfrn_id != $contact['dfrn-id']))
+               if((intval($res->status) != 0) || (! strlen($res->challenge)) || (! strlen($res->dfrn_id)))
                        continue;
 
                $postvars = array();
 
+               $sent_dfrn_id = hex2bin($res->dfrn_id);
+
+               $final_dfrn_id = '';
+               openssl_public_decrypt($sent_dfrn_id,$final_dfrn_id,$contact['pubkey']);
+               $final_dfrn_id = substr($final_dfrn_id, 0, strpos($final_dfrn_id, '.'));
+               if($final_dfrn_id != $contact['dfrn-id']) {
+                       // did not decode properly - cannot trust this site 
+                       continue;
+               }
+
                $postvars['dfrn_id'] = $contact['dfrn-id'];
                $challenge = hex2bin($res->challenge);
 

diff --git a/mod/dfrn_notify.php b/mod/dfrn_notify.php
index 38756f724efea389cc860673dfd253b0ef0e0235..5655977e5a99cefa70ba978445c4979d7a6dfb36 100644 (file)
--- a/mod/dfrn_notify.php
+++ b/mod/dfrn_notify.php
@@ -253,7 +253,14 @@ function dfrn_notify_content(&$a) {
 
                openssl_private_encrypt($hash,$challenge,$r[0]['prvkey']);
                $challenge = bin2hex($challenge);
-               echo '<?xml version="1.0" encoding="UTF-8"?><dfrn_notify><status>' .$status . '</status><dfrn_id>' . $_GET['dfrn_id'] . '</dfrn_id>'
+
+               $encrypted_id = '';
+               $id_str = $_GET['dfrn_id'] . '.' . mt_rand(1000,9999);
+
+               openssl_private_encrypt($id_str,$encrypted_id,$r[0]['prvkey']);
+               $encrypted_id = bin2hex($encrypted_id);
+
+               echo '<?xml version="1.0" encoding="UTF-8"?><dfrn_notify><status>' .$status . '</status><dfrn_id>' . $encrypted_id . '</dfrn_id>'
                        . '<challenge>' . $challenge . '</challenge></dfrn_notify>' . "\r\n" ;
                session_write_close();
                exit;

diff --git a/mod/dfrn_poll.php b/mod/dfrn_poll.php
index dadcd31487f8d10cb8b94eb39038ebfc66486063..8d93700d6a7b61b66c3da9113fe13f2c491a544c 100644 (file)
--- a/mod/dfrn_poll.php
+++ b/mod/dfrn_poll.php
@@ -174,7 +174,15 @@ function dfrn_poll_content(&$a) {
 
                openssl_private_encrypt($hash,$challenge,$r[0]['prvkey']);
                $challenge = bin2hex($challenge);
-               echo '<?xml version="1.0" encoding="UTF-8"?><dfrn_poll><status>' .$status . '</status><dfrn_id>' . $_GET['dfrn_id'] . '</dfrn_id>'
+
+               $encrypted_id = '';
+               $id_str = $_GET['dfrn_id'] . '.' . mt_rand(1000,9999);
+
+               openssl_private_encrypt($id_str,$encrypted_id,$r[0]['prvkey']);
+               $encrypted_id = bin2hex($encrypted_id);
+
+
+               echo '<?xml version="1.0" encoding="UTF-8"?><dfrn_poll><status>' .$status . '</status><dfrn_id>' . $encrypted_id . '</dfrn_id>'
                        . '<challenge>' . $challenge . '</challenge></dfrn_poll>' . "\r\n" ;
                session_write_close();
                exit;           

diff --git a/mod/regmod.php b/mod/regmod.php
index f2c3cb807963a10eb9d1764548b85e388eecce46..f03c2a3fe5d14fca26fbc0f7efde309151389cb4 100644 (file)
--- a/mod/regmod.php
+++ b/mod/regmod.php
@@ -6,7 +6,7 @@ function regmod_content(&$a) {
 
        if(! local_user()) {
                notice( t('Please login.') . EOL);
-               $o = login(($a->config['register_policy'] == REGISTER_CLOSED) ? 0 : 1);
+               $o .= '<br /><br />' . login(($a->config['register_policy'] == REGISTER_CLOSED) ? 0 : 1);
                return $o;
        }