From af99d51a7cc8916c3fe9802a25f82a64b4b3b526 Mon Sep 17 00:00:00 2001 From: Leberwurscht Date: Sat, 14 Apr 2012 18:23:42 +0200 Subject: [PATCH] bug fixes and improvements --- jappixmini/README | 3 + jappixmini/jappixmini.php | 285 +++++++++++++++++++++++--------------- jappixmini/lib.js | 28 ++-- 3 files changed, 196 insertions(+), 120 deletions(-) diff --git a/jappixmini/README b/jappixmini/README index cf9eb70b..bd1e2aa1 100644 --- a/jappixmini/README +++ b/jappixmini/README @@ -10,6 +10,9 @@ address of a BOSH proxy that works with your account. The addon has an experimental autosubscribe and autosuggest functionality which tries to add your Friendica contacts to your roster automatically. +Limitations: + - can only handle Jabber passwords that are at most 39 characters long + Installation ------------ diff --git a/jappixmini/jappixmini.php b/jappixmini/jappixmini.php index 88959448..08ba248d 100644 --- a/jappixmini/jappixmini.php +++ b/jappixmini/jappixmini.php @@ -23,7 +23,8 @@ and not to the server (at least as soon as the user is logged in). It can be sto This encryption key could be the friendica password, but then this password would be stored in the browser in cleartext. It is better to use a hash of the password. The server should not be able to reconstruct the password, so we can't take the same hash the server stores. But we can - use hash("some_prefix"+password). This will however not work with OpenID logins. + use hash("some_prefix"+password). This will however not work with OpenID logins, for this type of login the password must +be queried manually. Problem: How to discover the jabber addresses of the friendica contacts? @@ -37,17 +38,23 @@ We do not want to make the jabber address public. Solution: When two friendica users connect using DFRN, the relation gets a DFRN ID and a keypair is generated. -Using this keypair, we can provide the jabber address only to contacs: +Using this keypair, we can provide the jabber address only to contacts: -Case 1: Alice has prvkey, Bob has pubkey. - Alice encrypts request - Bob decrypts the request, send jabber address unencrypted - Alice reads address +Alice: + signed_address = openssl_*_encrypt(alice_jabber_address) +send signed_address to Bob, who does + trusted_address = openssl_*_decrypt(signed_address) + save trusted_address + encrypted_address = openssl_*_encrypt(bob_jabber_address) +reply with encrypted_address to Alice, who does + decrypted_address = openssl_*_decrypt(encrypted_address) + save decrypted_address -Case 2: Alice has prvkey, Bob has pubkey - Alice send request - Bob encrypts jabber address - Alice decrypts jabber address +Interface for this: +GET /jappixmini/?role=%s&signed_address=%s&dfrn_id=%s + +Response: +json({"status":"ok", "encrypted_address":"%s"}) */ @@ -78,6 +85,8 @@ unregister_hook('about_hook', 'addon/jappixmini/jappixmini.php', 'jappixmini_dow } function jappixmini_plugin_admin(&$a, &$o) { + // display instructions and warnings on addon settings page for admin + if (!file_exists("addon/jappixmini/jappix")) { $o .= '

You need to install the Jappix application, adapted for Friendica (see README).

'; } @@ -91,81 +100,80 @@ function jappixmini_plugin_admin_post(&$a) { function jappixmini_module() {} function jappixmini_init(&$a) { - // Here, other friendica sites can fetch the jabber address of local users. - // Because we do not want to publish the addresses publicly, they are encrypted so - // that only contacts can read it. - $encrypt_for = $_REQUEST["encrypt_for"]; - if ($encrypt_for) { - $r = q("SELECT * FROM `contact` WHERE LENGTH(`pubkey`) AND `dfrn-id` = '%s' LIMIT 1", - dbesc($encrypt_for) - ); - if (!count($r)) killme(); + // module page where other Friendica sites can submit Jabber addresses to and also can query Jabber addresses + // of local users - // get public key to encrypt address - $pubkey = $r[0]['pubkey']; - - // get jabber address - $uid = $r[0]['uid']; - $username = get_pconfig($uid, 'jappixmini', 'username'); - if (!$username) killme(); - $server = get_pconfig($uid, 'jappixmini', 'server'); - if (!$server) killme(); + $dfrn_id = $_REQUEST["dfrn_id"]; + if (!$dfrn_id) killme(); - $address = $username."@".$server; - - // encrypt address - $encrypted = ""; - openssl_public_encrypt($address,$encrypted,$pubkey); - - // calculate hex representation of encrypted address - $hex = bin2hex($encrypted); + $role = $_REQUEST["role"]; + if ($role=="pub") { + $r = q("SELECT * FROM `contact` WHERE LENGTH(`pubkey`) AND `dfrn-id`='%s' LIMIT 1", + dbesc($dfrn_id) + ); + if (!count($r)) killme(); - // construct answer - $answer = Array("status"=>"ok", "encrypted_address"=>$hex); + $encrypt_func = openssl_public_encrypt; + $decrypt_func = openssl_public_decrypt; + $key = $r[0]["pubkey"]; + } else if ($role=="prv") { + $r = q("SELECT * FROM `contact` WHERE LENGTH(`prvkey`) AND `issued-id`='%s' LIMIT 1", + dbesc($dfrn_id) + ); + if (!count($r)) killme(); - // return answer as json - echo json_encode($answer); + $encrypt_func = openssl_private_encrypt; + $decrypt_func = openssl_private_decrypt; + $key = $r[0]["prvkey"]; + } else { killme(); } - // If we have only a private key, other site sends encrypted request, we answer unencrypted. - $encrypted_for = $_REQUEST["encrypted_for"]; - if (!$encrypted_for) killme(); + $uid = $r[0]["uid"]; - $encrypted_request_hex = $_REQUEST["encrypted_request"]; - if (!$encrypted_request_hex) killme(); - $encrypted_request = hex2bin($encrypted_request_hex); + // save the Jabber address we received + try { + $signed_address_hex = $_REQUEST["signed_address"]; + $signed_address = hex2bin($signed_address_hex); - $r = q("SELECT * FROM `contact` WHERE LENGTH(`prvkey`) AND `issued-id` = '%s' LIMIT 1", - dbesc($encrypted_for) - ); - if (!count($r)) killme(); + $trusted_address = ""; + $decrypt_func($signed_address, $trusted_address, $key); - // decrypt request, validate it - $prvkey = $r[0]['prvkey']; - $decrypted_request = ""; - openssl_private_decrypt($encrypted_request, $decrypted_request, $prvkey); + $now = intval(time()); + set_pconfig($uid, "jappixmini", "id:$dfrn_id", "$now:$trusted_address"); + } catch (Exception $e) { + } - if ($decrypted_request!=$encrypted_for) killme(); + // return the requested Jabber address + try { + $username = get_pconfig($uid, 'jappixmini', 'username'); + $server = get_pconfig($uid, 'jappixmini', 'server'); + $address = "$username@$server"; - // get jabber address - $uid = $r[0]['uid']; - $username = get_pconfig($uid, 'jappixmini', 'username'); - if (!$username) killme(); - $server = get_pconfig($uid, 'jappixmini', 'server'); - if (!$server) killme(); + $encrypted_address = ""; + $encrypt_func($address, $encrypted_address, $key); - $address = $username."@".$server; + $encrypted_address_hex = bin2hex($encrypted_address); - // construct answer - $answer = Array("status"=>"ok", "address"=>$address); + $answer = Array( + "status"=>"ok", + "encrypted_address"=>$encrypted_address_hex + ); - // return answer as json - echo json_encode($answer); - killme(); + $answer_json = json_encode($answer); + echo $answer_json; + killme(); + } catch (Exception $e) { + killme(); + } } function jappixmini_settings(&$a, &$s) { + // addon settings for a user + + $activate = get_pconfig(local_user(),'jappixmini','activate'); + $activate = intval($activate) ? ' checked="checked"' : ''; + $username = get_pconfig(local_user(),'jappixmini','username'); $username = htmlentities($username); $server = get_pconfig(local_user(),'jappixmini','server'); @@ -177,8 +185,6 @@ function jappixmini_settings(&$a, &$s) { $autosubscribe = intval($autosubscribe) ? ' checked="checked"' : ''; $autoapprove = get_pconfig(local_user(),'jappixmini','autoapprove'); $autoapprove = intval($autoapprove) ? ' checked="checked"' : ''; - $activate = get_pconfig(local_user(),'jappixmini','activate'); - $activate = intval($activate) ? ' checked="checked"' : ''; $s .= '
'; $s .= '

Jappix Mini addon settings

'; @@ -206,7 +212,7 @@ function jappixmini_settings(&$a, &$s) { $s .= ''; $s .= ' '; $s .= '
'; - $s .= ''; + $s .= ''; $s .= ' '; $s .= '
'; $s .= ''; @@ -220,20 +226,32 @@ function jappixmini_settings(&$a, &$s) { } function jappixmini_settings_post(&$a,&$b) { + // save addon settings for a user + if(! local_user()) return; + $uid = local_user(); if($_POST['jappixmini-submit']) { - set_pconfig(local_user(),'jappixmini','username',trim($b['jappixmini-username'])); - set_pconfig(local_user(),'jappixmini','server',trim($b['jappixmini-server'])); - set_pconfig(local_user(),'jappixmini','bosh',trim($b['jappixmini-bosh'])); - set_pconfig(local_user(),'jappixmini','encrypted-password',trim($b['jappixmini-encrypted-password'])); - set_pconfig(local_user(),'jappixmini','autosubscribe',intval($b['jappixmini-autosubscribe'])); - set_pconfig(local_user(),'jappixmini','autoapprove',intval($b['jappixmini-autoapprove'])); - set_pconfig(local_user(),'jappixmini','activate',intval($b['jappixmini-activate'])); + $purge = intval($b['jappixmini-purge']); + + $username = trim($b['jappixmini-username']); + $old_username = get_pconfig($uid,'jappixmini','username'); + if ($username!=$old_username) $purge = 1; + + $server = trim($b['jappixmini-server']); + $old_server = get_pconfig($uid,'jappixmini','server'); + if ($server!=$old_server) $purge = 1; + + set_pconfig($uid,'jappixmini','username',$username); + set_pconfig($uid,'jappixmini','server',$server); + set_pconfig($uid,'jappixmini','bosh',trim($b['jappixmini-bosh'])); + set_pconfig($uid,'jappixmini','encrypted-password',trim($b['jappixmini-encrypted-password'])); + set_pconfig($uid,'jappixmini','autosubscribe',intval($b['jappixmini-autosubscribe'])); + set_pconfig($uid,'jappixmini','autoapprove',intval($b['jappixmini-autoapprove'])); + set_pconfig($uid,'jappixmini','activate',intval($b['jappixmini-activate'])); info( 'Jappix Mini settings saved.' ); - if (intval($b['jappixmini-purge'])) { - $uid = local_user(); + if ($purge) { q("DELETE FROM `pconfig` WHERE `uid`=$uid AND `cat`='jappixmini' and `k` LIKE 'id%%'"); info( 'List of addresses purged.' ); } @@ -241,6 +259,8 @@ function jappixmini_settings_post(&$a,&$b) { } function jappixmini_script(&$a,&$s) { + // adds the script to the page header which starts Jappix Mini + if(! local_user()) return; $activate = get_pconfig(local_user(),'jappixmini','activate'); @@ -251,6 +271,7 @@ function jappixmini_script(&$a,&$s) { $a->page['htmlhead'] .= ''."\r\n"; $a->page['htmlhead'] .= ''."\r\n"; + $a->page['htmlhead'] .= ''."\r\n"; $a->page['htmlhead'] .= ''."\r\n"; @@ -271,18 +292,35 @@ function jappixmini_script(&$a,&$s) { // get a list of jabber accounts of the contacts $contacts = Array(); $uid = local_user(); - $rows = q("SELECT `v` FROM `pconfig` WHERE `uid`=$uid AND `cat`='jappixmini' and `k` LIKE 'id%%'"); + $rows = q("SELECT * FROM `pconfig` WHERE `uid`=$uid AND `cat`='jappixmini' and `k` LIKE 'id%%'"); foreach ($rows as $row) { + $key = $row['k']; + $pos = strpos($key, ":"); + $dfrn_id = substr($key, $pos+1); + $r = q("SELECT `name` FROM `contact` WHERE `uid`=$uid AND `dfrn-id`='%s' OR `issued-id`='%s'", + dbesc($dfrn_id), + dbesc($dfrn_id) + ); + $name = $r[0]["name"]; + $value = $row['v']; $pos = strpos($value, ":"); $address = substr($value, $pos+1); - $contacts[] = $address; + if (!$address) continue; + if (!$name) $name = $address; + + $contacts[$address] = $name; } $contacts_json = json_encode($contacts); + // get nickname + $r = q("SELECT `username` FROM `user` WHERE `uid`=$uid"); + $nickname = json_encode($r[0]["username"]); + + // add javascript to start Jappix Mini $a->page['htmlhead'] .= ""; @@ -291,7 +329,16 @@ function jappixmini_script(&$a,&$s) { } function jappixmini_login(&$a, &$o) { - // save hash of password using setDB + // for setDB, needed by jappixmini_addon_set_client_secret + $a->page['htmlhead'] .= ''."\r\n"; + + // for str_sha1, needed by jappixmini_addon_set_client_secret + $a->page['htmlhead'] .= ''."\r\n"; + + // for jappixmini_addon_set_client_secret + $a->page['htmlhead'] .= ''."\r\n"; + + // save hash of password $o = str_replace("
status != "ok") continue; - - $encrypted_address_hex = $answer->encrypted_address; - if (!$encrypted_address_hex) continue; - $encrypted_address = hex2bin($encrypted_address_hex); + $address = $username."@".$server; - $decrypted_address = ""; - openssl_private_decrypt($encrypted_address, $decrypted_address, $prvkey); - if (!$decrypted_address) continue; + // sign address + $signed_address = ""; + $encrypt_func($address, $signed_address, $key); - $address = $decrypted_address; - } else if ($pubkey) { - $encrypted_request = ""; - openssl_public_encrypt($dfrn_id, $encrypted_request, $pubkey); - if (!$encrypted_request) continue; - $encrypted_request_hex = bin2hex($encrypted_request); + // construct request url + $signed_address_hex = bin2hex($signed_address); + $url = $base."&signed_address=$signed_address_hex&dfrn_id=".urlencode($dfrn_id); - $retrieval_address = $base."?encrypted_for=".urlencode($dfrn_id)."&encrypted_request=".urlencode($encrypted_request_hex); + try { + // send request + $answer_json = fetch_url($url); - $answer_json = fetch_url($retrieval_address); + // parse answer $answer = json_decode($answer_json); - if ($answer->status != "ok") continue; + if ($answer->status != "ok") throw new Exception(); + + $encrypted_address_hex = $answer->encrypted_address; + if (!$encrypted_address_hex) throw new Exception(); + + $encrypted_address = hex2bin($encrypted_address_hex); + if (!$encrypted_address) throw new Exception(); - $address = $answer->address; - if (!$address) continue; + // decrypt address + $decrypted_address = ""; + $decrypt_func($encrypted_address, $decrypted_address, $key); + if (!$decrypted_address) throw new Exception(); + } catch (Exception $e) { + $decrypted_address = ""; } // save address - set_pconfig($uid, "jappixmini", "id:$dfrn_id", "$now:$address"); + set_pconfig($uid, "jappixmini", "id:$dfrn_id", "$now:$decrypted_address"); } } } function jappixmini_download_source(&$a,&$b) { + // Jappix Mini source download link on About page + $b .= '

Jappix Mini

'; $b .= '

This site uses Jappix Mini by the Jappix authors, which is distributed under the terms of the GNU Affero General Public License.

'; $b .= '

You can download the source code.

'; diff --git a/jappixmini/lib.js b/jappixmini/lib.js index dd95695f..6ab4644d 100644 --- a/jappixmini/lib.js +++ b/jappixmini/lib.js @@ -15,14 +15,23 @@ function jappixmini_addon_xor(str1, str2) { } function jappixmini_addon_set_client_secret(password) { - client_secret = str_sha1("client_secret:"+password); + if (!password) return; + + salt1 = "h8doCRekWto0njyQohKpdx6BN0UTyC6N"; + salt2 = "jdX8OwFC1kWAq3s9uOyAcE8g3UNNO5t3"; + + client_secret1 = str_sha1(salt1+password); + client_secret2 = str_sha1(salt2+password); + client_secret = client_secret1 + client_secret2; + setDB('jappix-mini', 'client_secret', client_secret); + console.log("client secret set"); } function jappixmini_addon_get_client_secret() { client_secret = getDB('jappix-mini', 'client_secret'); if (client_secret===null) { - div = $('
Reintroduce your Friendica password for chatting:
'); + div = $('
Retype your Friendica password for chatting:
'); div.append($("
")); input = $('') div.append(input); @@ -43,7 +52,7 @@ function jappixmini_addon_encrypt_password(password) { client_secret = jappixmini_addon_get_client_secret(); // add \0 to password until it has the same length as secret - if (client_secret.lengthclient_secret.length-1) throw "password too long"; while (password.length