diff options
Diffstat (limited to 'includes/lib')
| -rw-r--r-- | includes/lib/account.php | 72 | ||||
| -rw-r--r-- | includes/lib/check_weak_key.php | 108 | ||||
| -rw-r--r-- | includes/lib/general.php | 58 | ||||
| -rw-r--r-- | includes/lib/l10n.php | 131 |
4 files changed, 266 insertions, 103 deletions
diff --git a/includes/lib/account.php b/includes/lib/account.php index e311668..dd8afd3 100644 --- a/includes/lib/account.php +++ b/includes/lib/account.php @@ -19,10 +19,10 @@ /** * Function to recalculate the cached Assurer status - * + * * @param int $userID * if the user ID is not given the flag will be recalculated for all users - * + * * @return bool * false if there was an error on fixing the flag. This does NOT return the * new value of the flag @@ -30,7 +30,7 @@ function fix_assurer_flag($userID = NULL) { // Update Assurer-Flag on users table if 100 points and CATS passed. - // + // // We may have some performance issues here if no userID is given // there are ~150k assurances and ~220k users currently // but the exists-clause on cats_passed should be a good filter @@ -46,20 +46,21 @@ function fix_assurer_flag($userID = NULL) WHERE `cp`.`variant_id` = `cv`.`id` AND `cv`.`type_id` = 1 AND `cp`.`user_id` = `u`.`id` - ) + ) AND ( SELECT SUM(`points`) FROM `notary` AS `n` WHERE `n`.`to` = `u`.`id` AND (`n`.`expire` > now() - OR `n`.`expire` IS NULL) + OR `n`.`expire` IS NULL) + AND `n`.`deleted` = 0 ) >= 100'; - + $query = mysql_query($sql); if (!$query) { return false; } // Challenge has been passed and non-expired points >= 100 - + // Reset flag if requirements are not met // // Also a bit performance critical but assurer flag is only set on @@ -86,13 +87,64 @@ function fix_assurer_flag($userID = NULL) `n`.`expire` > now() OR `n`.`expire` IS NULL ) + AND `n`.`deleted` = 0 ) < 100 )'; - + $query = mysql_query($sql); if (!$query) { return false; } - + return true; -}
\ No newline at end of file +} + +/** + * Supported hash algorithms for signing certificates + */ +class HashAlgorithms { + /** + * Default hash algorithm identifier for signing + * @var string + */ + public static $default = 'sha256'; + + /** + * Get display strings for the supported hash algorithms + * @return array(string=>array('name'=>string, 'info'=>string)) + * - [$hash_identifier]['name'] = Name that should be displayed in UI + * - [$hash_identifier]['info'] = Additional information that can help + * with the selection of a suitable algorithm + */ + public static function getInfo() { + return array( + 'sha256' => array( + 'name' => 'SHA-256', + 'info' => _('Currently recommended, because the other algorithms might break on some older versions of the GnuTLS library (older than 3.x) still shipped in Debian for example.'), + ), + 'sha384' => array( + 'name' => 'SHA-384', + 'info' => '', + ), + 'sha512' => array( + 'name' => 'SHA-512', + 'info' => _('Highest protection against hash collision attacks of the algorithms offered here.'), + ), + ); + } + + /** + * Check if the input is a supported hash algorithm identifier otherwise + * return the identifier of the default hash algorithm + * + * @param string $hash_identifier + * @return string The cleaned identifier + */ + public static function clean($hash_identifier) { + if (array_key_exists($hash_identifier, self::getInfo() )) { + return $hash_identifier; + } else { + return self::$default; + } + } +} diff --git a/includes/lib/check_weak_key.php b/includes/lib/check_weak_key.php index ca13ba2..dd4f3a5 100644 --- a/includes/lib/check_weak_key.php +++ b/includes/lib/check_weak_key.php @@ -128,16 +128,15 @@ function checkWeakKeyText($text) if ($algorithm === "rsaEncryption") { - if (!preg_match('/^\s*RSA Public Key: \((\d+) bit\)$/m', $text, - $keysize)) + if (!preg_match('/^\s*Public-Key: \((\d+) bit\)$/m', $text, $keysize)) { return failWithId("checkWeakKeyText(): Couldn't parse the RSA ". "key size.\nData:\n$text"); } else { $keysize = intval($keysize[1]); } - - if ($keysize < 1024) + + if ($keysize < 2048) { return sprintf(_("The keys that you use are very small ". "and therefore insecure. Please generate stronger ". @@ -145,14 +144,8 @@ function checkWeakKeyText($text) "found in %sthe wiki%s"), "<a href='//wiki.cacert.org/WeakKeys#SmallKey'>", "</a>"); - } elseif ($keysize < 2048) { - // not critical but log so we have some statistics about - // affected users - trigger_error("checkWeakKeyText(): Certificate for small ". - "key (< 2048 bit) requested", E_USER_NOTICE); } - - + $debianVuln = checkDebianVulnerability($text, $keysize); if ($debianVuln === true) { @@ -170,7 +163,7 @@ function checkWeakKeyText($text) "checkDebianVulnerability().\nKeysize: $keysize\n". "Data:\n$text"); } - + if (!preg_match('/^\s*Exponent: (\d+) \(0x[0-9a-fA-F]+\)$/m', $text, $exponent)) { @@ -180,7 +173,7 @@ function checkWeakKeyText($text) $exponent = $exponent[1]; // exponent might be very big => //handle as string using bc*() - if (bccomp($exponent, "3") === 0) + if (bccomp($exponent, "65537") < 0) { return sprintf(_("The keys you use might be insecure. ". "Although there is currently no known attack for ". @@ -192,9 +185,9 @@ function checkWeakKeyText($text) "<a href='//wiki.cacert.org/WeakKeys#SmallExponent'>", "</a>"); } elseif (!(bccomp($exponent, "65537") >= 0 && - (bccomp($exponent, "100000") === -1 || - // speed things up if way smaller than 2^256 - bccomp($exponent, bcpow("2", "256")) === -1) )) { + (bccomp($exponent, "100000") === -1 || + // speed things up if way smaller than 2^256 + bccomp($exponent, bcpow("2", "256")) === -1) )) { // 65537 <= exponent < 2^256 recommended by NIST // not critical but log so we have some statistics about // affected users @@ -203,10 +196,83 @@ function checkWeakKeyText($text) E_USER_NOTICE); } } - } - /* No weakness found */ - return ""; + // No weakness found + return ""; + } // End RSA + +/* +//Fails to work due to outdated OpenSSL 0.9.8o +//For this to work OpenSSL 1.0.1f or newer is required +//which is currently unavailable on the systems +//If DSA2048 or longer is used the CSR hangs pending on the signer. + if ($algorithm === "dsaEncryption") + { + if (!preg_match('/^\s*Public Key Algorithm:\s+dsaEncryption\s+pub:\s+([0-9a-fA-F:\s]+)\s+P:\s+([0-9a-fA-F:\s]+)\s+Q:\s+([0-9a-fA-F:\s]+)\s+G:\s+([0-9a-fA-F:\s]+)\s+$/sm', $text, $keydetail)) + { + return failWithId("checkWeakKeyText(): Couldn't parse the DSA ". + "key size.\nData:\n$text"); + } + + $key_pub = strtr(preg_replace("/[^0-9a-fA-F]/", "", $keydetail[1]), "ABCDEF", "abcdef"); + $key_P = strtr(preg_replace("/[^0-9a-fA-F]/", "", $keydetail[2]), "ABCDEF", "abcdef"); + $key_Q = strtr(preg_replace("/[^0-9a-fA-F]/", "", $keydetail[3]), "ABCDEF", "abcdef"); + $key_G = strtr(preg_replace("/[^0-9a-fA-F]/", "", $keydetail[4]), "ABCDEF", "abcdef"); + + //Verify the numbers provided by the client + $num_pub = @gmp_init($key_pub, 16); + $num_P = @gmp_init($key_P, 16); + $num_Q = @gmp_init($key_Q, 16); + $num_G = @gmp_init($key_G, 16); + + $bit_P = ltrim(gmp_strval($num_P, 2), "0"); + $keysize = strlen($bit_P); + + if ($keysize < 2048) { + return sprintf(_("The keys that you use are very small ". + "and therefore insecure. Please generate stronger ". + "keys. More information about this issue can be ". + "found in %sthe wiki%s"), + "<a href='//wiki.cacert.org/WeakKeys#SmallKey'>", + "</a>"); + } + + //Following checks based on description of key generation in Wikipedia + //These checks do not ensure a strong key, but at least check for enough sanity in the key material + // cf. https://en.wikipedia.org/wiki/Digital_Signature_Algorithm#Key_generation + + //Check that P is prime + if(!gmp_testprime($num_P)) { + return failWithId("checkWeakKeyText(): The supplied DSA ". + "key does seem to have a non-prime public modulus.\nData:\n$text"); + } + + //Check that Q is prime + if(!gmp_testprime($num_Q)) { + return failWithId("checkWeakKeyText(): The supplied DSA ". + "key does seem to have a non-prime Q-value.\nData:\n$text"); + } + + //Check if P-1 is diviseable by Q + if(0 !== gmp_cmp("1", gmp_mod($num_P, $num_Q))) { + return failWithId("checkWeakKeyText(): The supplied DSA ". + "key does seem to have P mod Q === 1 (i.e. P-1 is not diviseable by Q).\nData:\n$text"); + } + + //Check the numbers are all less than the public modulus P + if(0 <= gmp_cmp($num_Q, $num_P) || 0 <= gmp_cmp($num_G, $num_P) || 0 <= gmp_cmp($num_pub, $num_P)) { + return failWithId("checkWeakKeyText(): The supplied DSA ". + "key does seem to be normalized to have Q < P, G < P and pub < P.\nData:\n$text"); + } + + // No weakness found + return ""; + } // End DSA +*/ + + + return _("The keys you supplied use an unrecognized algorithm. ". + "For security reasons these keys can not be signed by CAcert."); } /** @@ -242,7 +308,7 @@ function checkDebianVulnerability($text, $keysize = 0) if ($algorithm !== "rsaEncryption") return false; /* Extract public key size */ - if (!preg_match('/^\s*RSA Public Key: \((\d+) bit\)$/m', $text, + if (!preg_match('/^\s*Public-Key: \((\d+) bit\)$/m', $text, $keysize)) { trigger_error("checkDebianVulnerability(): Couldn't parse the ". @@ -272,7 +338,7 @@ function checkDebianVulnerability($text, $keysize = 0) /* Extract RSA modulus */ - if (!preg_match('/^\s*Modulus \(\d+ bit\):\n'. + if (!preg_match('/^\s*Modulus:\n'. '((?:\s*[0-9a-f][0-9a-f]:(?:\n)?)+[0-9a-f][0-9a-f])$/m', $text, $modulus)) { diff --git a/includes/lib/general.php b/includes/lib/general.php index d91b24e..127c6b7 100644 --- a/includes/lib/general.php +++ b/includes/lib/general.php @@ -18,10 +18,10 @@ /** * Checks if the user may log in and retrieve the user id - * + * * Usually called with $_SERVER['SSL_CLIENT_M_SERIAL'] and * $_SERVER['SSL_CLIENT_I_DN_CN'] - * + * * @param $serial string * usually $_SERVER['SSL_CLIENT_M_SERIAL'] * @param $issuer_cn string @@ -43,7 +43,7 @@ function get_user_id_from_cert($serial, $issuer_cn) $row = mysql_fetch_assoc($res); return intval($row['memid']); } - + return -1; } @@ -71,7 +71,7 @@ function failWithId($errormessage) { /** * Runs a command on the shell and return it's exit code and output - * + * * @param string $command * The command to run. Make sure that you escapeshellarg() any non-constant * parts as this is executed on a shell! @@ -85,7 +85,7 @@ function failWithId($errormessage) { * @param string|bool $errors * The output the command wrote to STDERR (this is passed as reference), * if true (default) the output will be written to the real STDERR - * + * * @return int|bool * The exit code of the command, true if the execution of the command * failed (true because then @@ -93,40 +93,70 @@ function failWithId($errormessage) { */ function runCommand($command, $input = "", &$output = null, &$errors = true) { $descriptorspec = array(); - + if ($input !== true) { $descriptorspec[0] = array("pipe", "r"); // STDIN for child } - + if ($output !== true) { $descriptorspec[1] = array("pipe", "w"); // STDOUT for child } - + if ($errors !== true) { $descriptorspec[2] = array("pipe", "w"); // STDERR for child } - + $proc = proc_open($command, $descriptorspec, $pipes); - + if (is_resource($proc)) { if ($input !== true) { fwrite($pipes[0], $input); fclose($pipes[0]); } - + if ($output !== true) { $output = stream_get_contents($pipes[1]); } - + if ($errors !== true) { $errors = stream_get_contents($pipes[2]); } - + return proc_close($proc); - + } else { return true; } } + // returns 0 if $userID is an Assurer + // Otherwise : + // Bit 0 is always set + // Bit 1 is set if 100 Assurance Points are not reached + // Bit 2 is set if Assurer Test is missing + // Bit 3 is set if the user is not allowed to be an Assurer (assurer_blocked > 0) + function get_assurer_status($userID) + { + $Result = 0; + $query = mysql_query('SELECT * FROM `cats_passed` AS `tp`, `cats_variant` AS `cv` '. + ' WHERE `tp`.`variant_id` = `cv`.`id` AND `cv`.`type_id` = 1 AND `tp`.`user_id` = \''.(int)intval($userID).'\''); + if(mysql_num_rows($query) < 1) + { + $Result |= 5; + } + + $query = mysql_query('SELECT SUM(`points`) AS `points` FROM `notary` AS `n` WHERE `n`.`to` = \''.(int)intval($userID).'\' AND `n`.`expire` < now() and `deleted` = 0'); + $row = mysql_fetch_assoc($query); + if ($row['points'] < 100) { + $Result |= 3; + } + + $query = mysql_query('SELECT `assurer_blocked` FROM `users` WHERE `id` = \''.(int)intval($userID).'\''); + $row = mysql_fetch_assoc($query); + if ($row['assurer_blocked'] > 0) { + $Result |= 9; + } + + return $Result; + } diff --git a/includes/lib/l10n.php b/includes/lib/l10n.php index 41d785d..4859946 100644 --- a/includes/lib/l10n.php +++ b/includes/lib/l10n.php @@ -22,10 +22,10 @@ class L10n { /** * These are tranlations we currently support. - * + * * If another translation is added, it doesn't suffice to have gettext set * up, you also need to add it here, because it acts as a white list. - * + * * @var array("ISO-language code" => "native name of the language") */ public static $translations = array( @@ -53,15 +53,15 @@ class L10n { "zh-cn" => "中文(简体)", "zh-tw" => "中文(臺灣)", ); - + /** * setlocale needs a language + region code for whatever reason so here's * the mapping from a translation code to locales with the region that * seemed the most common for this language - * + * * You probably never need this. Use {@link set_translation()} to change the * language instead of manually calling setlocale(). - * + * * @var array(string => string) */ private static $locales = array( @@ -101,11 +101,11 @@ class L10n { "zh-cn" => "zh_CN", "zh-tw" => "zh_TW", ); - + /** * Auto-detects the language that should be used and sets it. Only works for * HTTP, not in a command line script. - * + * * Priority: * <ol> * <li>explicit parameter "lang" passed in HTTP (e.g. via GET)</li> @@ -128,10 +128,10 @@ class L10n { return; } } - - + + $languages = array(); - + // parse Accept-Language header if (array_key_exists('HTTP_ACCEPT_LANGUAGE', $_SERVER)) { $bits = explode(",", strtolower( @@ -144,29 +144,29 @@ class L10n { $c = floatval(substr($b[1], 2)); else $c = 1; - + if ($c != 0) { $languages[trim($b[0])] = $c; } } } - + // check if there is an explicit language given as parameter if(array_key_exists("lang",$_REQUEST) && trim($_REQUEST["lang"]) != "") { // higher priority than those values in the header $languages[strtolower(trim($_REQUEST["lang"]))] = 2.0; } - + arsort($languages, SORT_NUMERIC); - + // this is used to be compatible with browsers like internet // explorer which only provide the language code including the // region not without. Also handles the fallback to English (qvalues // may only have three digits after the .) $fallbacks = array("en" => 0.0005); - + foreach($languages as $lang => $qvalue) { // ignore any non-conforming values (that's why we don't need to @@ -179,7 +179,7 @@ class L10n { } $lang_prefix = $matches[1]; // usually two-letter language code $fallbacks[$lang_prefix] = $qvalue; - + $chosen_translation = ""; if ($lang === '*') { // According to the standard '*' matches anything but any @@ -202,7 +202,7 @@ class L10n { } } } - + if ($chosen_translation !== "") { if (self::set_translation($chosen_translation)) { @@ -210,7 +210,7 @@ class L10n { } } } - + // No translation found yet => try the prefixes arsort($fallbacks, SORT_NUMERIC); foreach ($fallbacks as $lang => $qvalue) { @@ -218,16 +218,47 @@ class L10n { return; } } - + // should not get here, as the fallback of "en" is provided and that // should always work => log an error trigger_error("L10n::detect_language(): could not set language", E_USER_WARNING); } - + + /** + * Normalise the translation code (e.g. from the old codes to the new) + * + * @return string + * a translation code or the empty string if it can't be normalised + */ + public static function normalise_translation($translation_code) { + // check $translation_code against whitelist + if (array_key_exists($translation_code, self::$translations) ) { + return $translation_code; + } + + // maybe it's a locale as previously used in the system? e.g. en_AU + if (preg_match('/^([a-z][a-z])_([A-Z][A-Z])$/', $translation_code, $matches) !== 1) { + return ''; + } + + $lang_code = $matches[1]; + $region_code = strtolower($matches[2]); + + if (array_key_exists("${lang_code}-${region_code}", self::$translations)) { + return "${lang_code}-${region_code}"; + } + + if (array_key_exists($lang_code, self::$translations)) { + return $lang_code; + } + + return ''; + } + /** * Get the set translation - * + * * @return string * a translation code or the empty string if not set */ @@ -238,13 +269,13 @@ class L10n { return ""; } } - + /** * Set the translation to use. - * + * * @param string $translation_code * the translation code as specified in the keys of {@link $translations} - * + * * @return bool * <ul> * <li>true if the translation has been set successfully</li> @@ -255,27 +286,11 @@ class L10n { * </ul> */ public static function set_translation($translation_code) { - // check $translation_code against whitelist - if ( !array_key_exists($translation_code, self::$translations) ) { - // maybe it's a locale as previously used in the system? e.g. en_AU - if ( preg_match('/^([a-z][a-z])_([A-Z][A-Z])$/', $translation_code, - $matches) !== 1 ) { - return false; - } - - $lang_code = $matches[1]; - $region_code = strtolower($matches[2]); - - if ( array_key_exists("${lang_code}-${region_code}", - self::$translations) ) { - $translation_code = "${lang_code}-${region_code}"; - } elseif ( array_key_exists($lang_code, self::$translations) ) { - $translation_code = $lang_code; - } else { - return false; - } + $translation_code = self::normalise_translation($translation_code); + if (empty($translation_code)) { + return false; } - + // map translation to locale if ( !array_key_exists($translation_code, self::$locales) ) { // weird. maybe you added a translation but haven't added a @@ -285,7 +300,7 @@ class L10n { return false; } $locale = self::$locales[$translation_code]; - + // set up locale if ( !putenv("LANG=$locale") ) { trigger_error("L10n::set_translation(): could not set the ". @@ -297,42 +312,42 @@ class L10n { "LC_ALL to $locale", E_USER_WARNING); return false; } - - + + // only set if we're running in a server not in a script if (isset($_SESSION)) { // save the setting $_SESSION['_config']['language'] = $translation_code; - - + + // Set up the recode settings needed e.g. in PDF creation $_SESSION['_config']['recode'] = "html..latin-1"; - + if($translation_code === "zh-cn" || $translation_code === "zh-tw") { $_SESSION['_config']['recode'] = "html..gb2312"; - + } else if($translation_code === "pl" || $translation_code === "hu") { $_SESSION['_config']['recode'] = "html..ISO-8859-2"; - + } else if($translation_code === "ja") { $_SESSION['_config']['recode'] = "html..SHIFT-JIS"; - + } else if($translation_code === "ru") { $_SESSION['_config']['recode'] = "html..ISO-8859-5"; - + } else if($translation_code == "lt") { // legacy, keep for reference $_SESSION['_config']['recode'] = "html..ISO-8859-13"; - + } } - + return true; } - + /** * Sets up the text domain used by gettext - * + * * @param string $domain * the gettext domain that should be used, defaults to "messages" */ |