summaryrefslogtreecommitdiff
path: root/scripts
diff options
context:
space:
mode:
Diffstat (limited to 'scripts')
-rw-r--r--scripts/53de-ate-amberg-email.txt93
-rw-r--r--scripts/53de-ate-amberg-mail.php.txt133
-rwxr-xr-xscripts/cron/refresh_stats.php55
-rwxr-xr-xscripts/cron/warning.php3
-rwxr-xr-xscripts/db_migrations/version5.sh249
-rw-r--r--scripts/gpgfillmissingemail.php4
-rwxr-xr-xscripts/scanforexponents.php5
-rw-r--r--scripts/send_heartbleed.php248
8 files changed, 758 insertions, 32 deletions
diff --git a/scripts/53de-ate-amberg-email.txt b/scripts/53de-ate-amberg-email.txt
new file mode 100644
index 0000000..d8f76ff
--- /dev/null
+++ b/scripts/53de-ate-amberg-email.txt
@@ -0,0 +1,93 @@
+[Deutsch]
+
+Es hat sich viel getan in den letzten Jahren. Eine ganze Reihe von bisher
+eher "muendlich ueberlieferten" Regeln wurden in Policies gegossen.
+Neue Prozeduren (z.B. die Assurer Challenge) und Verpflichtungen (z.B.
+in dem CAcert Community Agreement) wurden beschlossen. Die Assurer
+Training Events wollen versuchen, die ganzen Informationen unter's
+Volk zu bringen:
+
+- Welcher Satz fehlt auf alten CAP Formularen?
+- Warum soll ich mir R/L/O einpraegen?
+- Wie verhaelst du dich,
+ wenn du ein fremdes Ausweisdokument das erste Mal pruefst?
+
+Antworten auf diese und weitere Fragen erhaelst du bei den
+Assurer Training Events (ATEs).
+
+Darueberhinaus wird beim ATE der Vorgang der Identitaetsueberpruefung
+trainiert und auditiert, um die Qualitaet der Assurances in der
+taeglichen Praxis zu erfassen. Dabei gilt es moegliche Fehler und
+Fallstricke zu erkennen und aufzudecken. Die Assurer haben also die
+Moeglichkeit, sich mit den Fehlern auseinanderzusetzen und zu erfahren,
+wie diese vermieden werden koennen.
+
+Wie IanG sagte: The ATE or Assurer Training Event is exceptionally
+recommended for all Assurers, and include parts which contribute
+directly to our audit. Come and find out how you can also contribute.
+
+Die kommende Veranstaltung in deiner Naehe findet statt am:
+
+- Montag, den 6. Januar 2014
+- in der Zeit von: 12:00 - ca. 16:00 Uhr
+- ASAMnet e.V.
+- Emailfabrik 1. Stock
+- Emailfabrikstrasse 12
+- 92224 Amberg
+
+
+Details zum Veranstaltungsort und Anfahrthinweise findet Ihr im
+Wiki [https://wiki.cacert.org/Events/2014-01-06ATE-Amberg]
+Blog [http://blog.cacert.org/2013/12/ate-amberg-de-2014-01-06/]
+
+Teilnehmer Registrierung mit Rueckantwort:
+ 'Ich moechte am ATE-Amberg teilnehmen'
+
+Das Veranstaltungs-Team freut sich schon auf Eure Teilnahme.
+
+Kontakt: events@cacert.org
+
+
+
+[English]
+
+During the last year many changes took place inside CAcert. Many "oral"
+rules have been put into Policies. New procedures
+(e.g. Assurer Challenge) and obligations
+(e.g. CAcert Community Agreement) have been put into live.
+The Assurer Training Events (ATE) try to spread this information:
+
+- What is missing on the "old" CAP forms?
+- Why should I remember R/L/O?
+- What can you do if an Assuree shows an ID document unknown to you?
+
+These and more questions will be answered during the
+Assurer Training Events (ATEs)
+
+Furthermore, the ATE trains how to do assurances and audits assurances,
+to measure the quality of assurances in the daily routine. Here are some
+possible errors and pitfalls which need to be found. Assurers have the
+opportunity to see those errors and how to avoid them.
+
+As IanG said: The ATE or Assurer Training Event is exceptionally
+recommended for all Assurers and includes parts which contribute
+directly to our audit. Come and find out how you can also contribute.
+
+The next event held in your area will be:
+
+- Monday, January 6th 2014
+- during: 12:00 - ca. 16:00
+- ASAMnet e.V.
+- Emailfabrik 1. Stock
+- Emailfabrikstrasse 12
+- 92224 Amberg
+
+Details to the location can be found:
+Wiki [https://wiki.cacert.org/Events/2014-01-06ATE-Amberg]
+Blog [http://blog.cacert.org/2013/12/ate-amberg-de-2014-01-06/]
+
+User reply for registration: 'I will attend the ATE-Amberg'
+
+The event team is looking forward for your attendance:
+
+Contact: events@cacert.org
diff --git a/scripts/53de-ate-amberg-mail.php.txt b/scripts/53de-ate-amberg-mail.php.txt
new file mode 100644
index 0000000..4be2ebd
--- /dev/null
+++ b/scripts/53de-ate-amberg-mail.php.txt
@@ -0,0 +1,133 @@
+#!/usr/bin/php -q
+<? /*
+ LibreSSL - CAcert web application
+ Copyright (C) 2004-2013 CAcert Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+*/
+ include_once("../includes/mysql.php");
+
+ $lines = "";
+ $fp = fopen("53de-ate-amberg-email.txt", "r");
+ while(!feof($fp))
+ {
+ $line = trim(fgets($fp, 4096));
+ $lines .= wordwrap($line, 75, "\n")."\n";
+ }
+ fclose($fp);
+
+
+// $locid = intval($_REQUEST['location']);
+// $maxdist = intval($_REQUEST['maxdist']);
+// maxdist in [Km]
+ $maxdist = 200;
+
+
+// location location.ID
+// verified: 29.4.09 u.schroeter
+// $locid = 7902857; // Paris
+// $locid = 238568; // Bielefeld
+// $locid = 715191; // Hamburg
+// $locid = 1102495; // London
+// $locid = 606058; // Frankfurt
+// $locid = 1775784; // Stuttgart
+// $locid = 228950; // Berlin
+// $locid = 606058; // Frankfurt
+// $locid = 599389; // Flensburg
+// $locid = 61065; // Amsterdam, Eemnes
+// $locid = 228950; // Berlin
+// $locid = 2138880; // Baltimore (Baltimore (city)), Maryland, United States
+// $locid = 1486658; // Potsdam
+// $locid = 664715; // Goteborg, Vastra Gotaland, Sweden
+// $locid = 2094781; // Mission Hills (Los Angeles), California, United States
+// $locid = 423655; // Copenhagen, Kobenhavn*, Denmark
+// $locid = 2093625; // Los Angeles, CA ???
+// $locid = 2094326 // Los Angeles (Los Angeles), California, United States
+// $locid = 2257312; // Sydney, New South Wales, Australia
+// $locid = 572764; // Essen, Nordrhein-Westfalen, Germany
+// $locid = 78; // Aachen, Nordrhein-Westfalen, Germany
+// $locid = 1260319; // Muenchen
+// $locid = 266635; // Bonn, Nordrhein-Westfalen, Germany
+// $locid = 873779; // Karlsruhe, Baden-Wuerttemberg, Germany
+// $locid = 520340; // Dusseldorf, Nordrhein-Westfalen, Germany
+// $locid = 2262656; // Melbourne, Victoria, Australia
+// $locid = 2185076; // Raleigh (Wake), North Carolina, United States
+
+// CAcert Assurance and Keysigning event at FUDcon, Lawrence, KS, Jan 19th 2013
+// $locid = 2126955; // Lawrence (Douglas), Kansas, United States
+// $eventname = "CAcert Assurance and Keysigning at FUDcon Lawrence, KS";
+// $city = "January 19th 2013";
+
+// ATE-Kiel 2013-02-11
+// $locid = 919560; // Kiel, Schleswig-Holstein, Germany
+// $eventname = "ATE-Kiel";
+// $city = "11. Februar 2013";
+
+// Linuxtag, Berlin, May 22-25, 2013,
+// $locid = 228950; // Berlin
+// $eventname = "Linuxtag Berlin";
+// $city = "22.-25. Mai, 2013";
+
+// $locid = 1117395; // Lubeck Hansestadt, Schleswig-Holstein, Germany
+// $eventname = "ATE-Luebeck";
+// $city = "07. Juni 2013";
+
+// $locid = 675661; // Graz, Steiermark, Austria
+// $eventname = "ATE-Graz";
+// $city = "16. August 2013";
+
+// $locid = 1992733; // Wien, Wien, Austria
+// $eventname = "ATE-Wien";
+// $city = "15. Oktober 2013";
+
+ $locid = 54334; // Amberg, Bayern, Germany
+ $eventname = "ATE-Amberg";
+ $city = "06. Januar 2014";
+ $query = "select * from `locations` where `id`='$locid'";
+ $loc = mysql_fetch_assoc(mysql_query($query));
+
+ $query = "SELECT ROUND(6378.137 * ACOS(0.9999999*((SIN(PI() * $loc[lat] / 180) * SIN(PI() * `locations`.`lat` / 180)) +
+ (COS(PI() * $loc[lat] / 180 ) * COS(PI() * `locations`.`lat` / 180) *
+ COS(PI() * `locations`.`long` / 180 - PI() * $loc[long] / 180)))), -1) AS `distance`, sum(`points`) as pts, `users`.*
+ FROM `locations`
+ inner join `users` on `users`.`locid` = `locations`.`id`
+ inner join `alerts` on `users`.`id`=`alerts`.`memid`
+ inner join `notary` on `users`.`id`=`notary`.`to`
+ WHERE (`alerts`.`general`=1 OR `alerts`.`country`=1 OR `alerts`.`regional`=1 OR `alerts`.`radius`=1)
+ GROUP BY `users`.`id`
+ HAVING `distance` <= '$maxdist'
+ ORDER BY `distance` ";
+ echo $query;
+
+ // comment next line when starting to send mail not only to me
+ // $query = "select * from `users` where `email` like 'cacerttest%'";
+
+ $res = mysql_query($query);
+ $xrows = mysql_num_rows($res);
+
+ while($row = mysql_fetch_assoc($res))
+ {
+ // uncomment next line to send mails ...
+ sendmail($row['email'], "[CAcert.org] $eventname - $city", $lines, "events@cacert.org", "", "", "CAcert Events Organisation", "returns@cacert.org", 1);
+ }
+ // 1x cc to events.cacert.org
+ sendmail("events@cacert.org", "[CAcert.org] $eventname - $city", $lines, "events@cacert.org", "", "", "CAcert Events Organisation", "returns@cacert.org", 1);
+ // 1x mailing report to events.cacert.org
+ sendmail("events@cacert.org", "[CAcert.org] $eventname - $city Report", "invitation sent to $xrows recipients.", "support@cacert.org", "", "", "CAcert Events Organisation", "returns@cacert.org", 1);
+
+ // 1x mailing report to Arbitrator of case http://wiki.cacert.org/wiki/Arbitrations/a20090525.1
+ sendmail("p.dunkel@cacert.org", "[CAcert.org] $eventname - $city Report", "invitation sent to $xrows recipients.", "support@cacert.org", "", "", "CAcert Events Organisation", "returns@cacert.org", 1);
+ echo "invitation sent to $xrows recipients.\n";
+
+?>
diff --git a/scripts/cron/refresh_stats.php b/scripts/cron/refresh_stats.php
index 2a3d2b5..3b446ba 100755
--- a/scripts/cron/refresh_stats.php
+++ b/scripts/cron/refresh_stats.php
@@ -23,7 +23,7 @@ require_once(dirname(__FILE__).'/../../includes/mysql.php');
/**
* Wrapper around mysql_query() to provide some error handling. Prints an error
* message and dies if query fails
- *
+ *
* @param string $sql
* the SQL statement to execute
* @return resource|boolean
@@ -35,7 +35,7 @@ function sql_query($sql) {
fwrite(STDERR, "MySQL query failed:\n\"$sql\"\n".mysql_error());
die(1);
}
-
+
return $res;
}
@@ -54,7 +54,7 @@ function updateCache($stats) {
$sql = "insert into `statscache` (`timestamp`, `cache`) values
('$timestamp', '".mysql_real_escape_string(serialize($stats))."')";
sql_query($sql);
-
+
// Make sure the new statistic was inserted successfully
$res = sql_query(
"select 1 from `statscache` where `timestamp` = '$timestamp'");
@@ -62,7 +62,7 @@ function updateCache($stats) {
fwrite(STDERR, "Error on inserting the new statistic");
return false;
}
-
+
sql_query("delete from `statscache` where `timestamp` != '$timestamp'");
return true;
}
@@ -74,22 +74,22 @@ function updateCache($stats) {
*/
function getDataFromLive() {
echo "Calculating current statistics\n";
-
+
$stats = array();
$stats['verified_users'] = number_format(tc(
"select count(*) as `count` from `users`
where `verified` = 1
and `deleted` = 0
and `locked` = 0"));
-
+
$stats['verified_emails'] = number_format(tc(
"select count(*) as `count` from `email`
where `hash` = '' and `deleted` = 0"));
-
+
$stats['verified_domains'] = number_format(tc(
"select count(*) as `count` from `domains`
where `hash` = '' and `deleted` = 0"));
-
+
$certs = tc("select count(*) as `count` from `domaincerts`
where `expire` != 0");
$certs += tc("select count(*) as `count` from `emailcerts`
@@ -101,7 +101,7 @@ function getDataFromLive() {
$certs += tc("select count(*) as `count` from `orgemailcerts`
where `expire` != 0");
$stats['verified_certificates'] = number_format($certs);
-
+
$certs = tc("select count(*) as `count` from `domaincerts`
where `revoked` = 0 and `expire` > NOW()");
$certs += tc("select count(*) as `count` from `emailcerts`
@@ -113,11 +113,12 @@ function getDataFromLive() {
$certs += tc("select count(*) as `count` from `orgemailcerts`
where `revoked` = 0 and `expire` > NOW()");
$stats['valid_certificates'] = number_format($certs);
-
+
$stats['assurances_made'] = number_format(tc(
"select count(*) as `count` from `notary`
- where `method` = '' or `method` = 'Face to Face Meeting'"));
-
+ where (`method` = '' or `method` = 'Face to Face Meeting')
+ and `deleted` = 0"));
+
$stats['users_1to49'] = number_format(tc(
"select count(*) as `count` from (
select 1 from `notary`
@@ -125,7 +126,7 @@ function getDataFromLive() {
group by `to`
having sum(`points`) > 0 and sum(`points`) < 50
) as `low_points`"));
-
+
$stats['users_50to99'] = number_format(tc(
"select count(*) as `count` from (
select 1 from `notary`
@@ -133,7 +134,7 @@ function getDataFromLive() {
group by `to`
having sum(`points`) >= 50 and sum(`points`) < 100
) as `high_points`"));
-
+
$stats['assurer_candidates'] = number_format(tc(
"select count(*) as `count` from `users`
where (
@@ -148,7 +149,7 @@ function getDataFromLive() {
and `cv`.`type_id`=1
)"
));
-
+
$stats['aussurers_with_test'] = number_format(tc(
"select count(*) as `count` from `users`
where (
@@ -163,7 +164,7 @@ function getDataFromLive() {
and `cv`.`type_id`=1
)"
));
-
+
$stats['points_issued'] = number_format(tc(
"select sum(greatest(`points`, `awarded`)) as `count` from `notary`
where `deleted` = 0
@@ -177,16 +178,16 @@ function getDataFromLive() {
$next_month_ts = mktime(0, 0, 0, date("m") - $i + 1, 1, date("Y"));
$first = date("Y-m-d", $first_ts);
$next_month = date("Y-m-d", $next_month_ts);
-
+
echo "Calculating statistics for month $first\n";
-
+
$totalusers += $users = tc(
- "select count(*) as `count` from `users`
+ "select count(*) as `count` from `users`
where `created` >= '$first' and `created` < '$next_month'
and `verified` = 1
and `deleted` = 0
and `locked` = 0");
-
+
$totassurers += $assurers = tc(
"select count(*) as `count` from (
select 1 from `notary`
@@ -195,7 +196,7 @@ function getDataFromLive() {
and `deleted` = 0
group by `to` having sum(`points`) >= 100
) as `assurer_candidates`");
-
+
$certs = tc(
"select count(*) as `count` from `domaincerts`
where `created` >= '$first' and `created` < '$next_month'
@@ -240,16 +241,16 @@ function getDataFromLive() {
$next_year_ts = mktime(0, 0, 0, 1, 1, $i + 1);
$first = date("Y-m-d", $first_ts);
$next_year = date("Y-m-d", $next_year_ts);
-
+
echo "Calculating statistics for year $i\n";
-
+
$totalusers += $users = tc(
- "select count(*) as `count` from `users`
+ "select count(*) as `count` from `users`
where `created` >= '$first' and `created` < '$next_year'
and `verified` = 1
and `deleted` = 0
and `locked` = 0");
-
+
$totassurers += $assurers = tc(
"select count(*) as `count` from (
select 1 from `notary`
@@ -258,7 +259,7 @@ function getDataFromLive() {
and `deleted` = 0
group by `to` having sum(`points`) >= 100
) as `assurer_candidates`");
-
+
$certs = tc(
"select count(*) as `count` from `domaincerts`
where `created` >= '$first' and `created` < '$next_year'
@@ -286,7 +287,7 @@ function getDataFromLive() {
$tmp_arr['new_users'] = number_format($users);
$tmp_arr['new_assurers'] = number_format($assurers);
$tmp_arr['new_certificates'] = number_format($certs);
-
+
$stats['growth_last_years'][] = $tmp_arr;
}
$stats['growth_last_years_total'] = array(
diff --git a/scripts/cron/warning.php b/scripts/cron/warning.php
index 0c97ba2..8f607cd 100755
--- a/scripts/cron/warning.php
+++ b/scripts/cron/warning.php
@@ -38,7 +38,8 @@
{
$row['crt_name'] = str_replace("../", "www/", $row['crt_name']);
$row['crt_name'] = "/home/cacert/".$row['crt_name'];
- $subject = `openssl x509 -in '$row[crt_name]' -text -noout|grep Subject:`;
+ $crt_name = escapeshellarg($row['crt_name']);
+ $subject = `openssl x509 -in $crt_name -text -noout|grep Subject:`;
$bits = explode("/", $subject);
foreach($bits as $val)
{
diff --git a/scripts/db_migrations/version5.sh b/scripts/db_migrations/version5.sh
new file mode 100755
index 0000000..f18f8c6
--- /dev/null
+++ b/scripts/db_migrations/version5.sh
@@ -0,0 +1,249 @@
+#!/bin/sh
+# LibreSSL - CAcert web application
+# Copyright (C) 2004-2011 CAcert Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+
+
+# script to do database migrations
+
+set -e # script fails if any command fails
+
+STDIN=0
+STDOUT=1
+STDERR=2
+
+if [ "$1" = "--help" ]; then
+ cat >&$STDERR <<- USAGE
+ Usage: $0 [MYSQL_OPTIONS]
+ You have to specify all options needed by "mysql" as if you had started
+ the MySQL command line client directly (including the name of the
+ database to operate on). The MySQL user used has to have enough
+ privileges to do all necessary operations (among others CREATE, ALTER,
+ DROP, UPDATE, INSERT, DELETE).
+ You might need to enter the mysql password multiple times if you
+ specify the -p option.
+ USAGE
+ exit 1
+fi
+
+mysql_opt=" --batch --skip-column-names $@"
+
+schema_version=$( mysql $mysql_opt <<- 'SQL'
+
+ SELECT MAX(`version`) FROM `schema_version`;
+SQL
+)
+if [ $schema_version != 4 ]; then
+ cat >&$STDERR <<- ERROR
+ Error: database schema is not in the right version to do the migration!
+ Expected version: 4
+ ERROR
+ exit 2
+fi
+
+mysql $mysql_opt <<- 'SQL'
+
+-- Move myISAM to InnoDB bug #1172
+
+ALTER TABLE `abusereports` ENGINE=INNODB;
+system echo "table abusereports altered to InnoDB"
+
+
+ALTER TABLE `addlang` ENGINE=INNODB;
+system echo "table addlang altered to InnoDB"
+
+
+ALTER TABLE `adminlog` ENGINE=INNODB;
+system echo "table adminlog altered to InnoDB"
+
+
+ALTER TABLE `advertising` ENGINE=INNODB;
+system echo "table advertising altered to InnoDB"
+
+
+ALTER TABLE `alerts` ENGINE=INNODB;
+system echo "table alerts altered to InnoDB"
+
+
+ALTER TABLE `baddomains` ENGINE=INNODB;
+system echo "table baddomains altered to InnoDB"
+
+
+ALTER TABLE `cats_passed` ENGINE=INNODB;
+system echo "table cats_passed altered to InnoDB"
+
+
+ALTER TABLE `cats_type` ENGINE=INNODB;
+system echo "table cats_type altered to InnoDB"
+
+
+ALTER TABLE `cats_variant` ENGINE=INNODB;
+system echo "table cats_variant altered to InnoDB"
+
+
+ALTER TABLE `countries` ENGINE=INNODB;
+system echo "table countries altered to InnoDB"
+
+
+ALTER TABLE `disputedomain` ENGINE=INNODB;
+system echo "table disputedomain altered to InnoDB"
+
+
+ALTER TABLE `disputeemail` ENGINE=INNODB;
+system echo "table disputeemail altered to InnoDB"
+
+ALTER TABLE `domaincerts` ENGINE=INNODB;
+system echo "table domainderts altered to InnoDB"
+
+
+ALTER TABLE `domains` ENGINE=INNODB;
+system echo "table domains altered to InnoDB"
+
+
+ALTER TABLE `domlink` ENGINE=INNODB;
+system echo "table domlink altered to InnoDB"
+
+
+ALTER TABLE `email` ENGINE=INNODB;
+system echo "table email altered to InnoDB"
+
+
+ALTER TABLE `emailcerts` ENGINE=INNODB;
+system echo "table emailcerts altered to InnoDB"
+
+
+ALTER TABLE `emaillink` ENGINE=INNODB;
+system echo "table emaillink altered to InnoDB"
+
+
+ALTER TABLE `gpg` ENGINE=INNODB;
+system echo "table gpg altered to InnoDB"
+
+
+ALTER TABLE `languages` ENGINE=INNODB;
+system echo "table languages altered to InnoDB"
+
+
+ALTER TABLE `localias` ENGINE=INNODB;
+system echo "table localias altered to InnoDB"
+
+
+ALTER TABLE `locations` ENGINE=INNODB;
+system echo "table locations altered to InnoDB"
+
+
+ALTER TABLE `news` ENGINE=INNODB;
+system echo "table news altered to InnoDB"
+
+
+ALTER TABLE `notary` ENGINE=INNODB;
+system echo "table notary altered to InnoDB"
+
+
+ALTER TABLE `org` ENGINE=INNODB;
+system echo "table org altered to InnoDB"
+
+
+ALTER TABLE `orgadminlog` ENGINE=INNODB;
+system echo "table orgadminlog altered to InnoDB"
+
+
+ALTER TABLE `orgdomaincerts` ENGINE=INNODB;
+system echo "table orgdomaincerts altered to InnoDB"
+
+
+ALTER TABLE `orgdomains` ENGINE=INNODB;
+system echo "table orgdomains altered to InnoDB"
+
+
+ALTER TABLE `orgdomlink` ENGINE=INNODB;
+system echo "table orgdomlink altered to InnoDB"
+
+
+ALTER TABLE `orgemailcerts` ENGINE=INNODB;
+system echo "table orgemailcerts altered to InnoDB"
+
+
+ALTER TABLE `orgemaillink` ENGINE=INNODB;
+system echo "table orgemaillink altered to InnoDB"
+
+
+ALTER TABLE `orginfo` ENGINE=INNODB;
+system echo "table orginfo altered to InnoDB"
+
+
+ALTER TABLE `otphashes` ENGINE=INNODB;
+system echo "table otphashes altered to InnoDB"
+
+
+ALTER TABLE `pinglog` ENGINE=INNODB;
+system echo "table pinglog altered to InnoDB"
+
+
+ALTER TABLE `regions` ENGINE=INNODB;
+system echo "table regions altered to InnoDB"
+
+
+ALTER TABLE `root_certs` ENGINE=INNODB;
+system echo "table root_certs altered to InnoDB"
+
+
+ALTER TABLE `schema_version` ENGINE=INNODB;
+system echo "table schema_version altered to InnoDB"
+
+
+ALTER TABLE `stampcache` ENGINE=INNODB;
+system echo "table stampcache altered to InnoDB"
+
+
+ALTER TABLE `statscache` ENGINE=INNODB;
+system echo "table statscache altered to InnoDB"
+
+
+ALTER TABLE `tickets` ENGINE=INNODB;
+system echo "table tickets altered to InnoDB"
+
+
+ALTER TABLE `tverify` ENGINE=INNODB;
+system echo "table tverify altered to InnoDB"
+
+
+ALTER TABLE `tverify-vote` ENGINE=INNODB;
+system echo "table tverify-vote altered to InnoDB"
+
+
+ALTER TABLE `user_agreements` ENGINE=INNODB;
+system echo "table user_agreements altered to InnoDB"
+
+
+ALTER TABLE `userlocations` ENGINE=INNODB;
+system echo "table userlocations altered to InnoDB"
+
+
+ALTER TABLE `users` ENGINE=INNODB;
+system echo "table users altered to InnoDB"
+
+
+ -- Update schema version number
+ INSERT INTO `schema_version`
+ (`version`, `when`) VALUES
+ ('5' , NOW() );
+SQL
+
+
+echo "Database successfully migrated to version 5"
+exit 0
+
diff --git a/scripts/gpgfillmissingemail.php b/scripts/gpgfillmissingemail.php
index f328876..39f9d8f 100644
--- a/scripts/gpgfillmissingemail.php
+++ b/scripts/gpgfillmissingemail.php
@@ -18,7 +18,7 @@
require_once("../includes/mysql.php"); //general.php");
//include "../includes/general.php";
-function hex2bin($data)
+function gpg_hex2bin($data)
{
while(strstr($data, "\\x"))
{
@@ -69,7 +69,7 @@ echo "Found:\n";
if (preg_match("/<([\w.-]*\@[\w.-]*)>/", $bits[9],$match))
{
//echo "Found: ".$match[1];
- $mail = trim(hex2bin($match[1]));
+ $mail = trim(gpg_hex2bin($match[1]));
echo "EMail: *$mail**\n";
diff --git a/scripts/scanforexponents.php b/scripts/scanforexponents.php
index 7136723..388fe1e 100755
--- a/scripts/scanforexponents.php
+++ b/scripts/scanforexponents.php
@@ -29,10 +29,11 @@
if(!is_file($file))
continue;
+ $file_esc = escapeshellarg($file);
if(substr($file, -3) == "der")
- $do = trim(`openssl x509 -inform der -in $file -text -noout 2>&1 |grep 'Exponent'`);
+ $do = trim(`openssl x509 -inform der -in $file_esc -text -noout 2>&1 |grep 'Exponent'`);
else
- $do = trim(`openssl x509 -in $file -text -noout 2>&1 |grep 'Exponent'`);
+ $do = trim(`openssl x509 -in $file_esc -text -noout 2>&1 |grep 'Exponent'`);
if($do == "")
continue;
diff --git a/scripts/send_heartbleed.php b/scripts/send_heartbleed.php
new file mode 100644
index 0000000..6bf0f5f
--- /dev/null
+++ b/scripts/send_heartbleed.php
@@ -0,0 +1,248 @@
+#!/usr/bin/php -q
+<?php
+/*
+ LibreSSL - CAcert web application
+ Copyright (C) 2004-2009 CAcert Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+*/
+include_once("../includes/mysql.php");
+
+// read texts
+
+$lines_EN = <<<EOF
+
+there are news [1] about a bug in OpenSSL that may allow an attacker to leak arbitrary information from any process using OpenSSL. [2]
+
+We contacted you, because you have subscribed to get general announcements, or you have had a server certificate since the bug was introduced into the OpenSSL releases and are especially likely to be affected by it.
+
+CAcert is not responsible for this issue. But we want to inform members about it, who are especially likely to be vulnerable or otherwise affected.
+
+
+Good news:
+==========
+Certificates issued by CAcert are not broken and our central systems did not leak your keys.
+
+
+Bad news:
+=========
+Even then you may be affected.
+
+Although your keys were not leaked by CAcert your keys on your own systems might have been compromised if you were or are running a vulnerable version of OpenSSL.
+
+
+To elaborate on this:
+=====================
+The central systems of CAcert and our root certificates are not affected by this issue. Regrettably some of our infrastructure systems were affected by the bug. We are working to fix them and already completed work for the most critical ones. If you logged into those systems, within the last two years, (see list in the blog post) you might be affected!
+
+But unfortunately given the nature of this bug we have to assume that the certificates of our members may be affected, if they were used in an environment with a publicly accessible OpenSSL connection (e.g. Apache web server, mail server, Jabber server, ...). The bug has been open in OpenSSL for two years - from December 2011 and was introduced in stable releases starting with OpenSSL 1.0.1.
+
+When an attacker can reach a vulnerable service he can abuse the TLS heartbeat extension to retrieve arbitrary chunks of memory by exploiting a missing bounds check. This can lead to disclosure of your private keys, resident session keys and other key material as well as all volatile memory contents of the server process like passwords, transmitted user data (e.g. web content) as well as other potentially confidential information.
+
+Exploiting this bug does not leave any noticeable traces, thus for any system which is (or has been) running a vulnerable version of OpenSSL you must assume that at least your used server keys are compromised and therefore must be replaced by newly generated ones. Simply renewing existing certificates is not sufficient! - Please generate NEW keys with at least 2048 bit RSA or stronger!
+
+As mentioned above this bug can be used to leak passwords and thus you should consider changing your login credentials to potentially compromised systems as well as any other system where those credentials might have been used as soon as possible.
+
+An (incomplete) list of commonly used software which include or link to OpenSSL can be found at [5].
+
+
+What to do?
+===========
+- Ensure that you upgrade your system to a fixed OpenSSL version (1.0.1g or above).
+- Only then create new keys for your certificates.
+- Revoke all certificates, which may be affected.
+- Check what services you have used that may have been affected within the last two years.
+- Wait until you think that those environments got fixed.
+- Then (and only then) change your credentials for those services. If you do it too early, i.e. before the sites got fixed, your data may be leaked, again. So be careful when you do this.
+
+
+CAcert's response to the bug:
+=============================
+- We updated most of the affected infrastructure systems and created new certificates for them. The remaining will follow, soon.
+- We used this opportunity to upgrade to 4096 bit RSA keys signed with SHA-512. The new fingerprints can be found in the list in the blog post. ;-)
+- With this email we contact all members, who had active server certificates within the last two years.
+- We will keep you updated, in the blog.
+
+A list of affected and fixed infrastructure systems and new information can be found at:
+
+https://blog.cacert.org/2014/04/openssl-heartbleed-bug/
+
+
+Links:
+[1] http://heartbleed.com/
+[2] https://www.openssl.org/news/secadv_20140407.txt
+[3] https://security-tracker.debian.org/tracker/CVE-2014-0160
+[4] http://www.golem.de/news/sicherheitsluecke-keys-auslesen-mit-openssl-1404-105685.html
+[5] https://www.openssl.org/related/apps.html
+EOF;
+
+$lines_EN = wordwrap($lines_EN, 75, "\n");
+$lines_EN = mb_convert_encoding($lines_EN, "HTML-ENTITIES", "UTF-8");
+
+
+$lines_DE = <<<EOF
+---
+German Translation / Deutsche Übersetzung:
+
+
+Liebes CAcert-Mitglied,
+
+es wurde ein Bug in OpenSSL gefunden [4], der es einem Angreifer erlaubt beliebige Informationen jedes Prozesses zu erlangen, der OpenSSL nutzt. [2]
+
+Wir schicken diese Mail an alle Mitglieder, die entweder die "Allgemeinen Ankündigungen" abonniert haben, oder von dem Bug besonders betroffen sein können, da sie Server-Zertifikate in der Zeit besessen haben, seitdem der Bug in die Releases von OpenSSL integriert wurde.
+
+Diese Gefahr geht nicht von CAcert aus, wir möchten aber gefährdete Mitglieder entsprechend informieren.
+
+
+Die gute Nachricht:
+===================
+Die von CAcert ausgestellten Zertifikate sind nicht kaputt und unsere zentralen Systeme waren auch nicht angreifbar und haben auch keine Schlüssel verraten.
+
+
+Die schlechte Nachricht:
+========================
+Dennoch kann jeder betroffen sein!
+
+Auch wenn keine Schlüssel durch CAcert preisgegeben wurden, können sie dennoch später kompromittiert worden sein, wenn auf Ihren Systemen eine angreifbaren Version von OpenSSL lief und die Schlüssel dort verwendet wurden.
+
+
+Um ins Detail zu gehen:
+=======================
+Die zentralen Systeme und die Stammzertifikate von CAcert sind von diesem Problem nicht betroffen. Leider sind einige unserer Infrastruktur-Systeme durch den Fehler betroffen. Wir arbeiten daran diese zu beheben und haben dies auch schon für die meisten erledigt. Jeder, der sich auf diese Systeme in den letzten zwei Jahren eingeloggt hat kann betroffen sein!
+
+Aufgrund der Art des Fehlers, müssen wir leider davon ausgehen, dass die Zertifikate unserer Mitglieder betroffen sind, wenn sie sich in eine Umgebung eingeloggt haben, die über öffentliche OpenSSL-Verbindungen zugänglich war (z.B. Apache Webserver, Mail-Server, Jabber-Server, ...). Dieser Fehler war zwei Jahre lang in OpenSSL - seit Dezember 2011 - und kam beginnend mit Version 1.0.1 in die stabilen Versionen.
+
+Angreifer, die einen verwundbaren Service erreichen können, können die TLS-Erweiterung "heartbeat" ausnutzen, um beliebige Speicherbereiche zu auslesen, indem sie eine fehlende Bereichsprüfung ausnutzen. Das kann zur Offenlegung von privaten Schlüsseln, im Speicher abgelegten Sitzungsschlüsseln, sonstige Schlüssel genauso wie jeglicher weiterer Speicherinhalt des Server-Prozesses wie Passwörter oder übermittelte Benutzerdaten (z.B. Webinhalte) oder anderer vertrauliche Informationen führen.
+
+Die Ausnutzung dieses Fehlers hinterlässt keine merklichen Spuren. Daher muss für jedes System, auf dem eine angreifbare Version von OpenSSL läuft (oder lief), angenommen werden, dass zumindest die verwendeten Server-Zertifikate kompromittiert sind und deswegen durch NEU generierte ersetzt werden müssen. Einfach die alten Zertifikate zu erneuern, reicht nicht aus! - Bitte NEUE Schlüssel mit 2048 Bit RSA oder stärker generieren!
+
+Wie oben erwähnt kann dieser Fehler ausgenutzt werden, um Passwörter zu entwenden. Daher sollte jeder überlegen, alle Zugangsdaten zu möglicherweise betroffenen Systemen und allen Systemen bei denen diese sonst noch verwendet worden sein könnten, so bald wie möglich auszutauschen.
+
+Eine (unvollständige) Liste an weit verbreiteter Software die OpenSSL verwendet kann z.B. unter folgendem Link gefunden werden. [5]
+
+
+Was ist zu tun?
+===============
+- Als erstes müssen die eigenen Systeme auf eine fehlerbereinigte Version von OpenSSL aktualisiert werden (Version 1.0.1g oder neuer).
+- Danach neue Schlüssel für die Zertifikate erstellen. Jetzt ist es sicher das zu tun.
+- Alle möglicherweise betroffenen Zertifikate widerrufen.
+- Überprüfen, welche fremden Dienste in den letzten zwei Jahren besucht worden sind.
+- Warten, bis dort wahrscheinlich der Fehler behoben wurde.
+- Dann (und erst dann) die Login-Daten für diese Dienste erneuern. Vorsicht: Wenn das zu früh getan wird, also wenn der Dienst noch nicht bereinigt wurde, können die Daten wieder abgegriffen werden.
+
+
+CAcerts Maßnahmen als Antwort auf den Bug:
+==========================================
+- Wir haben so gut wie alle Infrastruktur-Systeme auf den neuesten OpenSSL-Stand gebracht und für diese neue Zertifikate zu generiert, die restlichen folgen so schnell wie möglich.
+- Wir haben die Gelegenheit genutzt, um dabei auf 4096 Bit RSA-Schlüssel, die mit SHA-512 signiert sind, aufzurüsten.
+- Mit dieser E-Mail kontaktieren wir alle Mitglieder, die in den letzten zwei Jahren aktive Server-Zertifikate hatten.
+- Wir werden neue Informationen im Blog veröffentlichen.
+
+Eine Liste der betroffenen und reparierten Infrastruktur-Systeme befindet sich unter:
+
+https://blog.cacert.org/2014/04/openssl-heartbleed-bug/
+
+Links:
+[1] http://heartbleed.com/
+[2] https://www.openssl.org/news/secadv_20140407.txt
+[3] https://security-tracker.debian.org/tracker/CVE-2014-0160
+[4] http://www.golem.de/news/sicherheitsluecke-keys-auslesen-mit-openssl-1404-105685.html
+[5] https://www.openssl.org/related/apps.html
+EOF;
+
+$lines_DE = wordwrap($lines_DE, 75, "\n");
+$lines_DE = mb_convert_encoding($lines_DE, "HTML-ENTITIES", "UTF-8");
+
+
+// read last used id
+$lastid = 0;
+if (file_exists("send_heartbleed_lastid.txt"))
+{
+ $fp = fopen("send_heartbleed_lastid.txt", "r");
+ $lastid = trim(fgets($fp, 4096));
+ fclose($fp);
+}
+
+echo "ID now: $lastid\n";
+
+
+$count = 0;
+
+$query = "
+ (
+ select u.`id`, u.`fname`, u.`lname`, u.`email`, u.`language`
+ from `users` as u, `alerts` as a
+ where u.`deleted` = 0 and u.`id` > '$lastid'
+ and a.`memid` = u.`id`
+ and a.`general` = 1
+ )
+ union distinct
+ (
+ select u.`id`, u.`fname`, u.`lname`, u.`email`, u.`language`
+ from `users` as u, `domains` as d, `domaincerts` as dc
+ where u.`deleted` = 0 and u.`id` > '$lastid'
+ and dc.`domid` = d.`id` and d.`memid` = u.`id`
+ and dc.`expire` >= '2011-12-01'
+ )
+ union distinct
+ (
+ select u.`id`, u.`fname`, u.`lname`, u.`email`, u.`language`
+ from `users` as u, `domains` as d, `domlink` as dl, `domaincerts` as dc
+ where u.`deleted` = 0 and u.`id` > '$lastid'
+ and dc.`id` = dl.`certid` and dl.`domid` = d.`id` and d.`memid` = u.`id`
+ and dc.`expire` >= '2011-12-01'
+ )
+ union distinct
+ (
+ select u.`id`, u.`fname`, u.`lname`, u.`email`, u.`language`
+ from `users` as u, `org` as o, `orgdomaincerts` as dc
+ where u.`deleted` = 0 and u.`id` > '$lastid'
+ and dc.`orgid` = o.`orgid` and o.`memid` = u.`id`
+ and dc.`expire` >= '2011-12-01'
+ )
+ union distinct
+ (
+ select u.`id`, u.`fname`, u.`lname`, u.`email`, u.`language`
+ from `users` as u, `org` as o, `orgdomains` as d, `orgdomlink` as dl, `orgdomaincerts` as dc
+ where u.`deleted` = 0 and u.`id` > '$lastid'
+ and dc.`id` = dl.`orgcertid` and dl.`orgdomid` = d.`id`
+ and d.`orgid` = o.`orgid` and o.`memid` = u.`id`
+ and dc.`expire` >= '2011-12-01'
+ )
+ order by `id`";
+
+$res = mysql_query($query);
+
+while($row = mysql_fetch_assoc($res))
+{
+ $mailtxt = "Dear ${row["fname"]} ${row["lname"]},\n".$lines_EN."\n\n";
+ switch ($row["language"])
+ {
+ case "de_DE":
+ case "de":
+ $mailtxt .= $lines_DE;
+ break;
+ }
+
+ sendmail($row['email'], "[CAcert.org] Information about Heartbleed bug in OpenSSL 1.0.1 up to 1.0.1f", $mailtxt, "support@cacert.org", "", "", "CAcert", "returns@cacert.org", "");
+
+ $fp = fopen("send_heartbleed_lastid.txt", "w");
+ fputs($fp, $row["id"]."\n");
+ fclose($fp);
+
+ $count++;
+ echo "Sent ${count}th mail. User ID: ${row["id"]}\n";
+
+ sleep (1);
+}