Commit cfde5bfd authored by Nigel McNie's avatar Nigel McNie
Browse files

When decrypting responses to our XMLRPC requests, consider an older key to be...

When decrypting responses to our XMLRPC requests, consider an older key to be OK. This fixes keyswap when both hosts have different keys (!)
parent 731a61cc
......@@ -100,7 +100,9 @@ class Client {
if ($xml->getName() == 'encryptedMessage') {
$payload_encrypted = true;
$wwwroot = (string)$xml->wwwroot;
$payload = xmlenc_envelope_strip($xml);
// Strip encryption, using an older code is OK, because we're the client.
// The server is able to respond with the correct key, be we're not
$payload = xmlenc_envelope_strip($xml, true);
}
if ($xml->getName() == 'signedMessage') {
......
......@@ -420,13 +420,13 @@ function xmlrpc_error($message, $code) {
EOF;
}
function xmlenc_envelope_strip(&$xml) {
function xmlenc_envelope_strip(&$xml, $oldkeyok=false) {
$openssl = OpenSslRepo::singleton();
$payload_encrypted = true;
$data = base64_decode($xml->EncryptedData->CipherData->CipherValue);
$key = base64_decode($xml->EncryptedKey->CipherData->CipherValue);
$payload = ''; // Initialize payload var
$payload = $openssl->openssl_open($data, $key);
$payload = $openssl->openssl_open($data, $key, $oldkeyok);
$xml = parse_payload($payload);
return $payload;
}
......@@ -657,10 +657,13 @@ class OpenSslRepo {
*
* @param string $data
* @param string $key
* @param bool $oldkeyok If true, we will simply return the data rather
* than complaining about the key being old (if
* we could decrypt it with an older key)
* @return string
* @access public
*/
public function openssl_open($data, $key) {
public function openssl_open($data, $key, $oldkeyok=false) {
$payload = '';
$isOpen = openssl_open($data, $payload, $key, $this->keypair['privatekey']);
......@@ -674,8 +677,13 @@ class OpenSslRepo {
$isOpen = openssl_open($data, $payload, $key, $keyresource);
if ($isOpen) {
// It's an older code, sir, but it checks out
// We notify the remote host that the key has changed
throw new CryptException($this->keypair['certificate'], 7025);
if ($oldkeyok) {
return $payload;
}
else {
// We notify the remote host that the key has changed
throw new CryptException($this->keypair['certificate'], 7025);
}
}
}
}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment