From 7e038ec3fed45caff219636a45bcc8b97d6407d7 Mon Sep 17 00:00:00 2001 From: cash Date: Thu, 12 Nov 2009 12:43:26 +0000 Subject: added a nonce to hmac signature and header so same call in same second does not get caught by replay check git-svn-id: http://code.elgg.org/elgg/trunk@3672 36083f99-b078-4883-b0ff-0f9b5a30f544 --- engine/lib/api.php | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) (limited to 'engine') diff --git a/engine/lib/api.php b/engine/lib/api.php index 91c3743a3..b3da52c5a 100644 --- a/engine/lib/api.php +++ b/engine/lib/api.php @@ -716,6 +716,7 @@ function api_auth_hmac() { // calculate expected HMAC $hmac = calculate_hmac( $api_header->hmac_algo, $api_header->time, + $api_header->nonce, $api_header->api_key, $secret_key, $query, @@ -787,6 +788,11 @@ function get_and_validate_api_headers() { throw new APIException(elgg_echo('APIException:TemporalDrift')); } + $result->nonce = $_SERVER['HTTP_X_ELGG_NONCE']; + if ($result->nonce == "") { + throw new APIException(elgg_echo('APIException:MissingNonce')); + } + if ($result->method == "POST") { $result->posthash = $_SERVER['HTTP_X_ELGG_POSTHASH']; if ($result->posthash == "") { @@ -844,7 +850,7 @@ function map_api_hash($algo) { * @param $post_hash string Optional sha1 hash of the post data. * @return string The HMAC string */ -function calculate_hmac($algo, $time, $api_key, $secret_key, $get_variables, $post_hash = "") { +function calculate_hmac($algo, $time, $nonce, $api_key, $secret_key, $get_variables, $post_hash = "") { global $CONFIG; elgg_log("HMAC Parts: $algo, $time, $api_key, $secret_key, $get_variables, $post_hash"); @@ -852,6 +858,7 @@ function calculate_hmac($algo, $time, $api_key, $secret_key, $get_variables, $po $ctx = hash_init(map_api_hash($algo), HASH_HMAC, $secret_key); hash_update($ctx, trim($time)); + hash_update($ctx, trim($nonce)); hash_update($ctx, trim($api_key)); hash_update($ctx, trim($get_variables)); if (trim($post_hash)!="") { @@ -1163,6 +1170,9 @@ function send_api_call(array $keys, $url, array $call, $method = 'GET', $post_da // Time $time = time(); + + // Nonce + $nonce = uniqid(''); // URL encode all the parameters foreach ($call as $k => $v){ @@ -1183,9 +1193,11 @@ function send_api_call(array $keys, $url, array $call, $method = 'GET', $post_da if ((isset($keys['public'])) && (isset($keys['private']))) { $headers['X-Elgg-apikey'] = $keys['public']; $headers['X-Elgg-time'] = $time; + $headers['X-Elgg-nonce'] = $nonce; $headers['X-Elgg-hmac-algo'] = 'sha1'; $headers['X-Elgg-hmac'] = calculate_hmac('sha1', $time, + $nonce, $keys['public'], $keys['private'], $params, -- cgit v1.2.3