From dd48bdb1c41986b68f8c855728a9285bb22c916e Mon Sep 17 00:00:00 2001
From: Brion Vibber
Date: Mon, 20 Dec 2010 10:46:23 -0800
Subject: [PATCH 1/3] Logging helper for bogus hmacs on PuSH in -- record the url & hub with the err msg to help tell what broke
---
 plugins/OStatus/classes/FeedSub.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/OStatus/classes/FeedSub.php b/plugins/OStatus/classes/FeedSub.php
index 140f323846..b34d7cd854 100644
--- a/plugins/OStatus/classes/FeedSub.php
+++ b/plugins/OStatus/classes/FeedSub.php
@@ -487,7 +487,7 @@ class FeedSub extends Memcached_DataObject
 if ($their_hmac === $our_hmac) {
 return true;
 }
- common_log(LOG_ERR, __METHOD__ . ": ignoring PuSH with bad SHA-1 HMAC: got $their_hmac, expected $our_hmac");
+ common_log(LOG_ERR, __METHOD__ . ": ignoring PuSH with bad SHA-1 HMAC: got $their_hmac, expected $our_hmac for feed $this->uri on $this->huburi");
 } else {
 common_log(LOG_ERR, __METHOD__ . ": ignoring PuSH with bogus HMAC '$hmac'");
 }
From a4e2f3835643c1d4b6d228151de2f863c02cb63c Mon Sep 17 00:00:00 2001
From: Brion Vibber
Date: Mon, 20 Dec 2010 13:05:17 -0800
Subject: [PATCH 2/3] Slightly fancier debug code for PuSH hmac mismatches -- save the post to a temp file if feedsub/debug is on in config.
---
 plugins/OStatus/classes/FeedSub.php | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/plugins/OStatus/classes/FeedSub.php b/plugins/OStatus/classes/FeedSub.php
index b34d7cd854..97245203d5 100644
--- a/plugins/OStatus/classes/FeedSub.php
+++ b/plugins/OStatus/classes/FeedSub.php
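Review bot: The rewritten `common_log` line in the `@@ -487,7 +487,7 @@` hunk of patch 1/3 still writes `expected $our_hmac` to the log, which is the valid HMAC-SHA1 of a body chosen by a sender who has just failed verification. Anyone who can read the log then holds a correct signature for that body without knowing `$this->secret`. The received value plus the feed context is enough to diagnose a mismatch, e.g. `common_log(LOG_ERR, __METHOD__ . ": ignoring PuSH with bad SHA-1 HMAC $their_hmac for feed $this->uri on $this->huburi");`. The same `expected $our_hmac` text is carried into both log calls added by the 2/3 hunk. The enclosing method starts and ends outside this hunk.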
@@ -483,11 +483,19 @@ class FeedSub extends Memcached_DataObject
 if ($this->secret) {
 if (preg_match('/^sha1=([0-9a-fA-F]{40})$/', $hmac, $matches)) {
 $their_hmac = strtolower($matches[1]);
- $our_hmac = hash_hmac('sha1', $post, $this->secret);
+ $our_hmac = hash_hmac('sha1', $post, $this->secret) . 'x';
 if ($their_hmac === $our_hmac) {
 return true;
 }
- common_log(LOG_ERR, __METHOD__ . ": ignoring PuSH with bad SHA-1 HMAC: got $their_hmac, expected $our_hmac for feed $this->uri on $this->huburi");
+ if (common_config('feedsub', 'debug')) {
+ $tempfile = tempnam(sys_get_temp_dir(), 'feedsub-receive');
+ if ($tempfile) {
+ file_put_contents($tempfile, $post);
+ }
+ common_log(LOG_ERR, __METHOD__ . ": ignoring PuSH with bad SHA-1 HMAC: got $their_hmac, expected $our_hmac for feed $this->uri on $this->huburi; saved to $tempfile");
+ } else {
+ common_log(LOG_ERR, __METHOD__ . ": ignoring PuSH with bad SHA-1 HMAC: got $their_hmac, expected $our_hmac for feed $this->uri on $this->huburi");
+ }
 } else {
 common_log(LOG_ERR, __METHOD__ . ": ignoring PuSH with bogus HMAC '$hmac'");
 }
From 46123e37543be4ea784e90528176fd205bfece49 Mon Sep 17 00:00:00 2001
From: Brion Vibber
Date: Mon, 20 Dec 2010 13:06:58 -0800
Subject: [PATCH 3/3] *cough* don't commit the code that breaks your code that you used to test the debug code :D
---
 plugins/OStatus/classes/FeedSub.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/OStatus/classes/FeedSub.php b/plugins/OStatus/classes/FeedSub.php
index 97245203d5..7756f6a234 100644
--- a/plugins/OStatus/classes/FeedSub.php
+++ b/plugins/OStatus/classes/FeedSub.php
@@ -483,7 +483,7 @@ class FeedSub extends Memcached_DataObject
 if ($this->secret) {
 if (preg_match('/^sha1=([0-9a-fA-F]{40})$/', $hmac, $matches)) {
 $their_hmac = strtolower($matches[1]);
- $our_hmac = hash_hmac('sha1', $post, $this->secret) . 'x';
+ $our_hmac = hash_hmac('sha1', $post, $this->secret);
 if ($their_hmac === $our_hmac) {
 return true;
 }
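Review bot: In the `@@ -483,11 +483,19 @@` hunk of patch 2/3, the debug branch writes the full `$post` of every request that failed HMAC verification to a fresh `tempnam()` file that nothing in the hunk removes or size-limits, so while `feedsub/debug` is on, unauthenticated senders decide how much data lands in the temp directory. The option should be documented as a short-lived diagnostic, and the write is worth capping, e.g. `file_put_contents($tempfile, substr($post, 0, FEEDSUB_DEBUG_MAX_BYTES));`, where the constant is a placeholder for a limit the project chooses. The log line also reports `saved to $tempfile` when `tempnam()` returned false or the write failed; testing `file_put_contents($tempfile, $post) !== false` before claiming the save keeps the log accurate. The enclosing method starts and ends outside the hunk.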
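Review bot: In the `@@ -483,7 +483,7 @@` hunk of patch 3/3, the check that follows the restored `hash_hmac()` line, `if ($their_hmac === $our_hmac)`, is not a constant-time comparison, so response timing can reveal how much of a submitted signature matches. On PHP 5.6 or later `if (hash_equals($our_hmac, $their_hmac)) {` is a drop-in replacement; whether the project's minimum PHP version allows it is not visible here. The same comparison appears as context in the 1/3 and 2/3 hunks, and the method body continues outside this hunk.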