MDL-16301 - address issue
authorpeterbulmer <peterbulmer>
Sun, 7 Sep 2008 03:19:35 +0000 (03:19 +0000)
committerpeterbulmer <peterbulmer>
Sun, 7 Sep 2008 03:19:35 +0000 (03:19 +0000)
Author: Peter Bulmer <peter.bulmer@catalyst.net.nz>

mnet/xmlrpc/server.php

index 7b6db4b53f3c13fae062be9790b41a64b39384d1..3c0bc9d45b444c4834836f09bffd28779406f3a6 100644 (file)
@@ -187,20 +187,26 @@ function mnet_server_check_signature($plaintextmessage) {
 
     // Does the signature match the data and the public cert?
     $signature_verified = openssl_verify($payload, $signature, $certificate);
-    if ($signature_verified == 1) {
-        $MNET_REMOTE_CLIENT->was_signed();
-        $MNET_REMOTE_CLIENT->touch();
-    } elseif ($signature_verified == 0) {
+    if ($signature_verified == 0) {
+        // $signature was not generated for $payload using $certificate
+        // Get the key the remote peer is currently publishing:
         $currkey = mnet_get_public_key($MNET_REMOTE_CLIENT->wwwroot, $MNET_REMOTE_CLIENT->application);
+        // If the key the remote peer is currently publishing is different to $certificate
         if($currkey != $certificate) {
-            // Has the server updated its certificate since our last
-            // handshake?
-            if(!$MNET_REMOTE_CLIENT->refresh_key()) {
+            // If we can't get the server's new key through trusted means
+            if(!$MNET_REMOTE_CLIENT->refresh_key()){
                 exit(mnet_server_fault(7026, 'verifysignature-invalid'));
             }
-        } else {
-            exit(mnet_server_fault(710, 'verifysignature-invalid'));
+            // If we did manage to re-key, try to verify the signature again.
+            $signature_verified = openssl_verify($payload, base64_decode($sig_parser->signature), $certificate);
         }
+    }
+
+    if ($signature_verified == 1) {
+        $MNET_REMOTE_CLIENT->was_signed();
+        $MNET_REMOTE_CLIENT->touch();
+    } elseif ($signature_verified == 0) {
+        exit(mnet_server_fault(710, 'verifysignature-invalid'));
     } else {
         exit(mnet_server_fault(711, 'verifysignature-error'));
     }
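Review bot: The retry `openssl_verify(...)` added after `refresh_key()` still passes `$certificate`, which this hunk never reassigns, so unless `refresh_key()` updates that local in some way not visible here, the second check runs against the old key and a legitimately re-keyed peer still ends in fault 710. Reload the key before retrying, e.g. `$certificate = $MNET_REMOTE_CLIENT->public_key;` (property name to be confirmed against this revision's peer class), and pass the existing `$signature` instead of decoding `$sig_parser->signature` again, assuming `$signature` is that decoded value, so both checks see the same bytes. The result comparisons are also loose: `openssl_verify()` can return `false` on error and `false == 0` is true, so an error is treated as a bad signature and enters the key-refresh path; `=== 0` and `=== 1` would keep errors out of that path and let them reach fault 711. The function body begins above the hunk, so where `$certificate` and `$signature` are assigned is not visible.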