From: peterbulmer Date: Sun, 7 Sep 2008 03:19:35 +0000 (+0000) Subject: MDL-16301 - address issue X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=454a6e7c4dedcd907dade197aedc51ffbd8f4fb4;p=moodle.git MDL-16301 - address issue Author: Peter Bulmer --- diff --git a/mnet/xmlrpc/server.php b/mnet/xmlrpc/server.php index 7b6db4b53f..3c0bc9d45b 100644 --- a/mnet/xmlrpc/server.php +++ b/mnet/xmlrpc/server.php @@ -187,20 +187,26 @@ function mnet_server_check_signature($plaintextmessage) { // Does the signature match the data and the public cert? $signature_verified = openssl_verify($payload, $signature, $certificate); - if ($signature_verified == 1) { - $MNET_REMOTE_CLIENT->was_signed(); - $MNET_REMOTE_CLIENT->touch(); - } elseif ($signature_verified == 0) { + if ($signature_verified == 0) { + // $signature was not generated for $payload using $certificate + // Get the key the remote peer is currently publishing: $currkey = mnet_get_public_key($MNET_REMOTE_CLIENT->wwwroot, $MNET_REMOTE_CLIENT->application); + // If the key the remote peer is currently publishing is different to $certificate if($currkey != $certificate) { - // Has the server updated its certificate since our last - // handshake? - if(!$MNET_REMOTE_CLIENT->refresh_key()) { + // If we can't get the server's new key through trusted means + if(!$MNET_REMOTE_CLIENT->refresh_key()){ exit(mnet_server_fault(7026, 'verifysignature-invalid')); } - } else { - exit(mnet_server_fault(710, 'verifysignature-invalid')); + // If we did manage to re-key, try to verify the signature again. + $signature_verified = openssl_verify($payload, base64_decode($sig_parser->signature), $certificate); } + } + + if ($signature_verified == 1) { + $MNET_REMOTE_CLIENT->was_signed(); + $MNET_REMOTE_CLIENT->touch(); + } elseif ($signature_verified == 0) { + exit(mnet_server_fault(710, 'verifysignature-invalid')); } else { exit(mnet_server_fault(711, 'verifysignature-error')); }