3 files changed, 113 insertions, 41 deletions
diff --git a/includes/lib/account.php b/includes/lib/account.php
index e311668..4c4d5ac 100644
--- a/includes/lib/account.php
+++ b/includes/lib/account.php
@@ -19,10 +19,10 @@
 
 /**
  * Function to recalculate the cached Assurer status
- * 
+ *
  * @param int $userID
  * 	if the user ID is not given the flag will be recalculated for all users
- * 
+ *
  * @return bool
  * 	false if there was an error on fixing the flag. This does NOT return the
  * 	new value of the flag
@@ -30,7 +30,7 @@
 function fix_assurer_flag($userID = NULL)
 {
 	// Update Assurer-Flag on users table if 100 points and CATS passed.
-	// 
+	//
 	// We may have some performance issues here if no userID is given
 	// there are ~150k assurances and ~220k users currently
 	// but the exists-clause on cats_passed should be a good filter
@@ -46,20 +46,21 @@ function fix_assurer_flag($userID = NULL)
 				WHERE `cp`.`variant_id` = `cv`.`id`
 					AND `cv`.`type_id` = 1
 					AND `cp`.`user_id` = `u`.`id`
-			) 
+			)
 			AND (
 				SELECT SUM(`points`) FROM `notary` AS `n`
 				WHERE `n`.`to` = `u`.`id`
 					AND (`n`.`expire` > now()
-					OR `n`.`expire` IS NULL)
+					     OR `n`.`expire` IS NULL)
+					AND `n`.`deleted` = 0
 			) >= 100';
-	
+
 	$query = mysql_query($sql);
 	if (!$query) {
 		return false;
 	}
 	// Challenge has been passed and non-expired points >= 100
-	
+
 	// Reset flag if requirements are not met
 	//
 	// Also a bit performance critical but assurer flag is only set on
@@ -86,13 +87,14 @@ function fix_assurer_flag($userID = NULL)
 							`n`.`expire` > now()
 							OR `n`.`expire` IS NULL
 						)
+						AND `n`.`deleted` = 0
 				) < 100
 			)';
-	
+
 	$query = mysql_query($sql);
 	if (!$query) {
 		return false;
 	}
-	
+
 	return true;
-}
-\ No newline at end of file
+}
diff --git a/includes/lib/check_weak_key.php b/includes/lib/check_weak_key.php
index 217b885..8ad2ccf 100644
--- a/includes/lib/check_weak_key.php
+++ b/includes/lib/check_weak_key.php
@@ -128,15 +128,14 @@ function checkWeakKeyText($text)
 
 	if ($algorithm === "rsaEncryption")
 	{
-		if (!preg_match('/^\s*RSA Public Key: \((\d+) bit\)$/m', $text,
-		$keysize))
+		if (!preg_match('/^\s*RSA Public Key: \((\d+) bit\)$/m', $text, $keysize))
 		{
 			return failWithId("checkWeakKeyText(): Couldn't parse the RSA ".
 						"key size.\nData:\n$text");
 		} else {
 			$keysize = intval($keysize[1]);
 		}
-			
+
 		if ($keysize < 2048)
 		{
 			return sprintf(_("The keys that you use are very small ".
@@ -146,8 +145,7 @@ function checkWeakKeyText($text)
 					"<a href='//wiki.cacert.org/WeakKeys#SmallKey'>",
 					"</a>");
 		}
-			
-			
+
 		$debianVuln = checkDebianVulnerability($text, $keysize);
 		if ($debianVuln === true)
 		{
@@ -165,7 +163,7 @@ function checkWeakKeyText($text)
 					"checkDebianVulnerability().\nKeysize: $keysize\n".
 					"Data:\n$text");
 		}
-			
+
 		if (!preg_match('/^\s*Exponent: (\d+) \(0x[0-9a-fA-F]+\)$/m', $text,
 		$exponent))
 		{
@@ -187,9 +185,9 @@ function checkWeakKeyText($text)
 						"<a href='//wiki.cacert.org/WeakKeys#SmallExponent'>",
 						"</a>");
 			} elseif (!(bccomp($exponent, "65537") >= 0 &&
-			(bccomp($exponent, "100000") === -1 ||
-			// speed things up if way smaller than 2^256
-			bccomp($exponent, bcpow("2", "256")) === -1) )) {
+					(bccomp($exponent, "100000") === -1 ||
+					// speed things up if way smaller than 2^256
+					bccomp($exponent, bcpow("2", "256")) === -1) )) {
 				// 65537 <= exponent < 2^256 recommended by NIST
 				// not critical but log so we have some statistics about
 				// affected users
@@ -198,10 +196,83 @@ function checkWeakKeyText($text)
 				E_USER_NOTICE);
 			}
 		}
-	}
 
-	/* No weakness found */
-	return "";
+		// No weakness found
+		return "";
+	} // End RSA
+
+/*
+//Fails to work due to outdated OpenSSL 0.9.8o
+//For this to work OpenSSL 1.0.1f or newer is required
+//which is currently unavailable on the systems
+//If DSA2048 or longer is used the CSR hangs pending on the signer.
+	if ($algorithm ===  "dsaEncryption")
+	{
+		if (!preg_match('/^\s*Public Key Algorithm:\s+dsaEncryption\s+pub:\s+([0-9a-fA-F:\s]+)\s+P:\s+([0-9a-fA-F:\s]+)\s+Q:\s+([0-9a-fA-F:\s]+)\s+G:\s+([0-9a-fA-F:\s]+)\s+$/sm', $text, $keydetail))
+		{
+			return failWithId("checkWeakKeyText(): Couldn't parse the DSA ".
+					"key size.\nData:\n$text");
+		}
+
+		$key_pub = strtr(preg_replace("/[^0-9a-fA-F]/", "", $keydetail[1]), "ABCDEF", "abcdef");
+		$key_P = strtr(preg_replace("/[^0-9a-fA-F]/", "", $keydetail[2]), "ABCDEF", "abcdef");
+		$key_Q = strtr(preg_replace("/[^0-9a-fA-F]/", "", $keydetail[3]), "ABCDEF", "abcdef");
+		$key_G = strtr(preg_replace("/[^0-9a-fA-F]/", "", $keydetail[4]), "ABCDEF", "abcdef");
+
+		//Verify the numbers provided by the client
+		$num_pub = @gmp_init($key_pub, 16);
+		$num_P = @gmp_init($key_P, 16);
+		$num_Q = @gmp_init($key_Q, 16);
+		$num_G = @gmp_init($key_G, 16);
+
+		$bit_P = ltrim(gmp_strval($num_P, 2), "0");
+		$keysize = strlen($bit_P);
+
+		if ($keysize < 2048) {
+			return sprintf(_("The keys that you use are very small ".
+						"and therefore insecure. Please generate stronger ".
+						"keys. More information about this issue can be ".
+						"found in %sthe wiki%s"),
+					"<a href='//wiki.cacert.org/WeakKeys#SmallKey'>",
+					"</a>");
+		}
+
+		//Following checks based on description of key generation in Wikipedia
+		//These checks do not ensure a strong key, but at least check for enough sanity in the key material
+		// cf. https://en.wikipedia.org/wiki/Digital_Signature_Algorithm#Key_generation
+
+		//Check that P is prime
+		if(!gmp_testprime($num_P)) {
+			return failWithId("checkWeakKeyText(): The supplied DSA ".
+					"key does seem to have a non-prime public modulus.\nData:\n$text");
+		}
+
+		//Check that Q is prime
+		if(!gmp_testprime($num_Q)) {
+			return failWithId("checkWeakKeyText(): The supplied DSA ".
+					"key does seem to have a non-prime Q-value.\nData:\n$text");
+		}
+
+		//Check if P-1 is diviseable by Q
+		if(0 !== gmp_cmp("1", gmp_mod($num_P, $num_Q))) {
+			return failWithId("checkWeakKeyText(): The supplied DSA ".
+					"key does seem to have P mod Q === 1 (i.e. P-1 is not diviseable by Q).\nData:\n$text");
+		}
+
+		//Check the numbers are all less than the public modulus P
+		if(0 <= gmp_cmp($num_Q, $num_P) || 0 <= gmp_cmp($num_G, $num_P) || 0 <= gmp_cmp($num_pub, $num_P)) {
+			return failWithId("checkWeakKeyText(): The supplied DSA ".
+					"key does seem to be normalized to have Q < P, G < P and pub < P.\nData:\n$text");
+		}
+
+		// No weakness found
+		return "";
+	} // End DSA
+*/
+
+
+	return _("The keys you supplied use an unrecognized algorithm. ".
+			"For security reasons these keys can not be signed by CAcert.");
 }
 
 /**
diff --git a/includes/lib/general.php b/includes/lib/general.php
index 85b132d..127c6b7 100644
--- a/includes/lib/general.php
+++ b/includes/lib/general.php
@@ -18,10 +18,10 @@
 
 /**
  * Checks if the user may log in and retrieve the user id
- * 
+ *
  * Usually called with $_SERVER['SSL_CLIENT_M_SERIAL'] and
  * 	$_SERVER['SSL_CLIENT_I_DN_CN']
- * 
+ *
  * @param $serial string
  * 	usually $_SERVER['SSL_CLIENT_M_SERIAL']
  * @param $issuer_cn string
@@ -43,7 +43,7 @@ function get_user_id_from_cert($serial, $issuer_cn)
 		$row = mysql_fetch_assoc($res);
 		return intval($row['memid']);
 	}
-	
+
 	return -1;
 }
 
@@ -71,7 +71,7 @@ function failWithId($errormessage) {
 
 /**
  * Runs a command on the shell and return it's exit code and output
- * 
+ *
  * @param string $command
  * 		The command to run. Make sure that you escapeshellarg() any non-constant
  * 		parts as this is executed on a shell!
@@ -85,7 +85,7 @@ function failWithId($errormessage) {
  * @param string|bool $errors
  * 		The output the command wrote to STDERR (this is passed as reference),
  * 		if true (default) the output will be written to the real STDERR
- * 
+ *
  * @return int|bool
  * 		The exit code of the command, true if the execution of the command
  * 		failed (true because then
@@ -93,38 +93,38 @@ function failWithId($errormessage) {
  */
 function runCommand($command, $input = "", &$output = null, &$errors = true) {
 	$descriptorspec = array();
-	
+
 	if ($input !== true) {
 		$descriptorspec[0] = array("pipe", "r"); // STDIN for child
 	}
-	
+
 	if ($output !== true) {
 		$descriptorspec[1] = array("pipe", "w"); // STDOUT for child
 	}
-	
+
 	if ($errors !== true) {
 		$descriptorspec[2] = array("pipe", "w"); // STDERR for child
 	}
-	
+
 	$proc = proc_open($command, $descriptorspec, $pipes);
-	
+
 	if (is_resource($proc))
 	{
 		if ($input !== true) {
 			fwrite($pipes[0], $input);
 			fclose($pipes[0]);
 		}
-		
+
 		if ($output !== true) {
 			$output = stream_get_contents($pipes[1]);
 		}
-		
+
 		if ($errors !== true) {
 			$errors = stream_get_contents($pipes[2]);
 		}
-		
+
 		return proc_close($proc);
-		
+
 	} else {
 		return true;
 	}
@@ -145,19 +145,18 @@ function runCommand($command, $input = "", &$output = null, &$errors = true) {
 		{
 			$Result |= 5;
 		}
-		
-		$query = mysql_query('SELECT SUM(`points`) AS `points` FROM `notary` AS `n` WHERE `n`.`to` = \''.(int)intval($userID).'\' AND `n`.`expire` < now()');
+
+		$query = mysql_query('SELECT SUM(`points`) AS `points` FROM `notary` AS `n` WHERE `n`.`to` = \''.(int)intval($userID).'\' AND `n`.`expire` < now() and `deleted` = 0');
 		$row = mysql_fetch_assoc($query);
 		if ($row['points'] < 100) {
 			$Result |= 3;
 		}
-		
+
 		$query = mysql_query('SELECT `assurer_blocked` FROM `users` WHERE `id` = \''.(int)intval($userID).'\'');
 		$row = mysql_fetch_assoc($query);
 		if ($row['assurer_blocked'] > 0) {
 			$Result |= 9;
 		}
-		
+
 		return $Result;
 	}
-	
-\ No newline at end of file