Merge branch 'bug-1459' into release (Emergency bugfix)
[cacert-devel.git] / includes / account_stuff.php
index 794266a..0fda2f1 100644 (file)
@@ -22,6 +22,7 @@
        function showheader($title = "CAcert.org", $title2 = "")
        {
                global $id, $PHP_SELF;
+       $PHP_SELF = &$_SERVER['PHP_SELF'];
        $expand="";
        $tmpid = $id;
        if($PHP_SELF == "/wot.php")
 
        switch($tmpid)
        {
-               case 1:
-               case 2: $expand = " explode('emailacc');"; break;
-               case 3:
-               case 4:
-               case 5:
-               case 6: $expand = " explode('clicerts');"; break;
-               case 7:
-               case 8:
-               case 9: $expand = " explode('domains');"; break;
-               case 10:
-               case 11:
-               case 12:
-               case 15: $expand = " explode('servercert');"; break;
-               case 13:
-               case 14:
-               case 36:
-               case 41:
+               case 1:                                                 // Add email address
+               case 2: $expand = " explode('emailacc');"; break;       // View email addresses
+               case 3:                                                 // Add Client certificate
+               case 4:                                                 // Confirm Client Certificate Request
+               case 5:                                                 // View Client Certificates
+               case 6: $expand = " explode('clicerts');"; break;       // Client Certificate page
+               case 7:                                                 // Add new domain
+               case 8:                                                 // Confirm Domain page
+               case 9: $expand = " explode('domains');"; break;        // View Domains
+               case 10:                                                // Add Server Certifiacte
+               case 11:                                                // Confirm Server Certificate Rewust
+               case 12:                                                // View Server Cerificate
+               case 15: $expand = " explode('servercert');"; break;    // Server Certificate page
+               case 13:                                                // ViewEdit
+               case 14:                                                // Change password
+               case 36:                                                // My Alert settings
+               case 41:                                                // Language Settings
+               case 55:                                                // Trainings
+               case 59:                                                // Account History
                case 507:
-               case 508:
-               case 513: $expand = " explode('mydetails');"; break;
-               case 16:
-               case 17:
-               case 18:
-               case 19: $expand = " explode('clientorg');"; break;
-               case 20:
-               case 21:
-               case 22:
-               case 23: $expand = " explode('serverorg');"; break;
-               case 24:
-               case 25:
-               case 26:
-               case 27:
-               case 28:
-               case 29:
-               case 30:
+               case 508:                                               // My Listing
+               case 510:                                               // Old points calculation
+               case 515:                                               // New points calculation
+               case 513: $expand = " explode('mydetails');"; break;    // My Location
+               case 16:                                                // Add Org Client Cert
+               case 17:                                                // Confirm Org Client Certificate Request
+               case 18:                                                // View Org Client Certificate
+               case 19: $expand = " explode('clientorg');"; break;     // Org Cleint Cert page
+               case 20:                                                // Add Org Server Cert
+               case 21:                                                // Conform Org Server Cert Request
+               case 22:                                                // View Org Server Certs
+               case 23: $expand = " explode('serverorg');"; break;     // Org Server Certificate page
+               case 24:                                                // Add new Organisation
+               case 25:                                                // View Organisation List
+               case 26:                                                // View Organisation Domains
+               case 27:                                                // Edit Org Account
+               case 28:                                                // View Add Org Domain
+               case 29:                                                // Edit Org Domain
+               case 30:                                                // Delete Org Domain
                case 31:
-               case 32:
-               case 33:
-               case 34:
-               case 35: $expand = " explode('orgadmin');"; break;
+               case 32:                                                // View Org Admin
+               case 33:                                                // Add Org Admin
+               case 34:                                                // Delete Org Admin
+               case 60:                                                // View Organisation Account History
+               case 35: $expand = " explode('orgadmin');"; break;      // View Org Admin Organisation List
                case 42:
                case 43:
                case 44:
                case 50:
                case 54:
                case 53: $expand = " explode('sysadmin');"; break;
-               case 500:
+               case 500:                                               // CAcert Web of Trust
                case 501:
-               case 502:
-               case 503:
-               case 504:
-               case 505:
+               case 502:                                               // Become an Assurer
+               case 503:                                               // CAcert Web of Trust Roles
+               case 504:                                               // TTP
+               case 505:                                               // Assurer Some one
                case 506:
                case 509:
-               case 510:
                case 511:
-               case 512: $expand = " explode('WoT');"; break;
+               case 512: $expand = " explode('WoT');"; break;          // Find Assurer
                case 1000:
                case 1001:
-               case 1002:
+               case 1002:                                              // View GPG key
                case 1003:
                case 1004:
                case 1005:
                case 1008:
                case 1009:
                case 1010: $expand = " explode('gpg');"; break;
-               case 1500:
-               case 1501:
-               case 1502:
+               case 1500:                                              // Dipute
+               case 1501:                                              // Dispute Email Request
+               case 1502:                                              // ViewEdit
                case 1503:
                case 1504:
                case 1505:
@@ -172,9 +177,11 @@ function hideall() {
     </div>
     <div class="relatedLinks">
       <h3 class="pointer" onclick="explode('mydetails')">+ <?=_("My Details")?></h3>
-      <ul class="menu" id="mydetails"><li><a href="account.php?id=13"><?=_("Edit")?></a></li><li><a href="account.php?id=14"><?=_("Change Password")?></a></li><li><a href="account.php?id=41"><?=_("Default Language")?></a></li><li><a href="wot.php?id=8"><?=_("My Listing")?></a></li><li><a href="wot.php?id=13"><?=_("My Location")?></a></li><li><a href="account.php?id=36"><?=_("My Alert Settings")?></a></li><li><a href="wot.php?id=10"><?=_("My Points")?></a></li><?
+      <ul class="menu" id="mydetails"><li><a href="account.php?id=13"><?=_("View/Edit")?></a></li><li><a href="account.php?id=14"><?=_("Change Password")?></a></li><li><a href="account.php?id=41"><?=_("Default Language")?></a></li><li><a href="wot.php?id=8"><?=_("My Listing")?></a></li><li><a href="wot.php?id=13"><?=_("My Location")?></a></li><li><a href="account.php?id=36"><?=_("My Alert Settings")?></a></li><li><a href="account.php?id=55"><?=_("My Trainings")?></a></li><li><a href="wot.php?id=10"><?=_("My Points")?></a></li><?
+/* to delete
        if($_SESSION['profile']['id'] == 1 || $_SESSION['profile']['id'] == 5897)
                echo "<li><a href='sqldump.php'>SQL Dump</a></li>";
+*/
        ?></ul>
     </div>
     <div class="relatedLinks">
@@ -217,7 +224,7 @@ function hideall() {
 <? } ?>
     <div class="relatedLinks">
       <h3 class="pointer" onclick="explode('WoT')">+ <?=_("CAcert Web of Trust")?></h3>
-      <ul class="menu" id="WoT"><li><a href="wot.php?id=0"><?=_("About")?></a></li><li><a href="wot.php?id=12"><?=_("Find an Assurer")?></a></li><li><a href="wot.php?id=3"><?=_("Rules")?></a></li><li><? if($_SESSION['profile']['assurer'] != 1) { ?><a href="wot.php?id=2"><?=_("Becoming an Assurer")?></a><? } else { ?><a href="wot.php?id=5"><?=_("Assure Someone")?></a><? } ?></li><li><a href="wot.php?id=4"><?=_("Trusted ThirdParties")?></a></li><? if($_SESSION['profile']['points'] >= 500) { ?><li><a href="wot.php?id=11"><div style="white-space:nowrap"><?=_("Organisation Assurance")?></div></a></li><? } ?><li><a href="account.php?id=55"><?=_("Training")?></a></li></ul>
+      <ul class="menu" id="WoT"><li><a href="wot.php?id=0"><?=_("About")?></a></li><li><a href="wot.php?id=12"><?=_("Find an Assurer")?></a></li><li><a href="wot.php?id=3"><?=_("Rules")?></a></li><li><? if($_SESSION['profile']['assurer'] != 1) { ?><a href="wot.php?id=2"><?=_("Becoming an Assurer")?></a><? } else { ?><a href="wot.php?id=5"><?=_("Assure Someone")?></a><? } ?></li><li><a href="wot.php?id=4"><?=_("Trusted ThirdParties")?></a></li><? if($_SESSION['profile']['points'] >= 500) { ?><li><a href="wot.php?id=11"><div style="white-space:nowrap"><?=_("Organisation Assurance")?></div></a></li><? } ?></ul>
     </div>
     <div class="relatedLinks">
       <h3 class="pointer" onclick="explode('WoTForms')">+ <?=_("CAP Forms")?></h3><?
@@ -262,6 +269,7 @@ function hideall() {
       <ul class="menu" id="advertising"><li><a href="advertising.php?id=1"><?=_("New Ad")?></a></li><li><a href="advertising.php?id=0"><?=_("View Ads")?></a></li></ul>
     </div>
 <? } ?>
+    <? include("about_menu.php"); ?>
   </div>
   <div id="content">
     <div class="story">
@@ -280,365 +288,7 @@ function hideall() {
   <div id="siteInfo"><a href="//wiki.cacert.org/FAQ/AboutUs"><?=_("About Us")?></a> | <a href="account.php?id=38"><?=_("Donations")?></a> | <a href="http://wiki.cacert.org/wiki/CAcertIncorporated"><?=_("Association Membership")?></a> |
        <a href="/policy/PrivacyPolicy.html"><?=_("Privacy Policy")?></a> | <a href="account.php?id=40"><?=_("Contact Us")?></a>
                | &copy;2002-<?=date("Y")?> <?=_("by CAcert")?></div>
-</div>  
-</body>             
+</div>
+</body>
 </html><?
        }
-       
-       /**
-        * Produces a log entry with the error message with log level E_USER_WARN
-        * and a random ID an returns a message that can be displayed to the user
-        * including the generated ID
-        * 
-        * @param $errormessage string
-        *              The error message that should be logged
-        * @return string containing the generated ID that can be displayed to the
-        *              user
-        */
-       function failWithId($errormessage) {
-               $errorId = rand();
-               trigger_error("$errormessage. ID: $errorId", E_USER_WARNING);
-               return sprintf(_("Something went wrong when processing your request. ".
-                               "Please contact %s for help and provide them with the ".
-                               "following ID: %d"),
-                       "<a href='mailto:support@cacert.org?subject=System%20Error%20-%20".
-                               "ID%3A%20$errorId'>support@cacert.org</a>",
-                       $errorId);
-       }
-       
-       /**
-        * Checks whether the given CSR contains a vulnerable key
-        * 
-        * @param $csr string
-        *              The CSR to be checked
-        * @param $encoding string [optional]
-        *              The encoding the CSR is in (for the "-inform" parameter of OpenSSL,
-        *              currently only "PEM" (default) or "DER" allowed)
-        * @return string containing the reason if the key is considered weak,
-        *              empty string otherwise
-        */
-       function checkWeakKeyCSR($csr, $encoding = "PEM")
-       {
-               // non-PEM-encodings may be binary so don't use echo
-               $descriptorspec = array(
-                       0 => array("pipe", "r"), // STDIN for child
-                       1 => array("pipe", "w"), // STDOUT for child
-               );
-               $encoding = escapeshellarg($encoding);
-               $proc = proc_open("openssl req -inform $encoding -text -noout",
-                       $descriptorspec, $pipes);
-               
-               if (is_resource($proc))
-               {
-                       fwrite($pipes[0], $csr);
-                       fclose($pipes[0]);
-                       
-                       $csrText = ""; 
-                       while (!feof($pipes[1]))
-                       {
-                               $csrText .= fread($pipes[1], 8192);
-                       }
-                       fclose($pipes[1]);
-                       
-                       if (($status = proc_close($proc)) !== 0 || $csrText === "")
-                       {
-                               return _("I didn't receive a valid Certificate Request, hit ".
-                               "the back button and try again.");
-                       }
-               } else {
-                       return failWithId("checkWeakKeyCSR(): Failed to start OpenSSL");
-               }
-               
-               
-               return checkWeakKeyText($csrText);
-       }
-       
-       /**
-        * Checks whether the given X509 certificate contains a vulnerable key
-        * 
-        * @param $cert string
-        *              The X509 certificate to be checked
-        * @param $encoding string [optional]
-        *              The encoding the certificate is in (for the "-inform" parameter of
-        *              OpenSSL, currently only "PEM" (default), "DER" or "NET" allowed)
-        * @return string containing the reason if the key is considered weak,
-        *              empty string otherwise
-        */
-       function checkWeakKeyX509($cert, $encoding = "PEM")
-       {
-               // non-PEM-encodings may be binary so don't use echo
-               $descriptorspec = array(
-                       0 => array("pipe", "r"), // STDIN for child
-                       1 => array("pipe", "w"), // STDOUT for child
-               );
-               $encoding = escapeshellarg($encoding);
-               $proc = proc_open("openssl x509 -inform $encoding -text -noout",
-                       $descriptorspec, $pipes);
-               
-               if (is_resource($proc))
-               {
-                       fwrite($pipes[0], $cert);
-                       fclose($pipes[0]);
-                       
-                       $certText = ""; 
-                       while (!feof($pipes[1]))
-                       {
-                               $certText .= fread($pipes[1], 8192);
-                       }
-                       fclose($pipes[1]);
-                       
-                       if (($status = proc_close($proc)) !== 0 || $certText === "")
-                       {
-                               return _("I didn't receive a valid Certificate Request, hit ".
-                               "the back button and try again.");
-                       }
-               } else {
-                       return failWithId("checkWeakKeyCSR(): Failed to start OpenSSL");
-               }
-               
-               
-               return checkWeakKeyText($certText);
-       }
-       
-       /**
-        * Checks whether the given SPKAC contains a vulnerable key
-        * 
-        * @param $spkac string
-        *              The SPKAC to be checked
-        * @param $spkacname string [optional]
-        *              The name of the variable that contains the SPKAC. The default is
-        *              "SPKAC"
-        * @return string containing the reason if the key is considered weak,
-        *              empty string otherwise
-        */
-       function checkWeakKeySPKAC($spkac, $spkacname = "SPKAC")
-       {
-               /* Check for the debian OpenSSL vulnerability */
-               
-               $spkac = escapeshellarg($spkac);
-               $spkacname = escapeshellarg($spkacname);
-               $spkacText = `echo $spkac | openssl spkac -spkac $spkacname`;
-               if ($spkacText === null) {
-                       return _("I didn't receive a valid Certificate Request, hit the ".
-                               "back button and try again.");
-               }
-               
-               return checkWeakKeyText($spkacText);
-       }
-       
-       /**
-        * Checks whether the given text representation of a CSR or a SPKAC contains
-        * a weak key
-        * 
-        * @param $text string
-        *              The text representation of a key as output by the
-        *              "openssl <foo> -text -noout" commands
-        * @return string containing the reason if the key is considered weak,
-        *              empty string otherwise
-        */
-       function checkWeakKeyText($text)
-       {
-               /* Which public key algorithm? */
-               if (!preg_match('/^\s*Public Key Algorithm: ([^\s]+)$/m', $text,
-                               $algorithm))
-               {
-                       return failWithId("checkWeakKeyText(): Couldn't extract the ".
-                                       "public key algorithm used");
-               } else {
-                       $algorithm = $algorithm[1];
-               }
-               
-               
-               if ($algorithm === "rsaEncryption")
-               {
-                       if (!preg_match('/^\s*RSA Public Key: \((\d+) bit\)$/m', $text,
-                                       $keysize))
-                       {
-                               return failWithId("checkWeakKeyText(): Couldn't parse the RSA ".
-                                               "key size");
-                       } else {
-                               $keysize = intval($keysize[1]);
-                       }
-                       
-                       if ($keysize < 1024)
-                       {
-                               return sprintf(_("The keys that you use are very small ".
-                                               "and therefore insecure. Please generate stronger ".
-                                               "keys. More information about this issue can be ".
-                                               "found in %sthe wiki%s"),
-                                       "<a href='//wiki.cacert.org/WeakKeys#SmallKey'>",
-                                       "</a>");
-                       } elseif ($keysize < 2048) {
-                               // not critical but log so we have some statistics about
-                               // affected users
-                               trigger_error("checkWeakKeyText(): Certificate for small ".
-                                               "key (< 2048 bit) requested", E_USER_NOTICE);
-                       }
-                       
-                       
-                       $debianVuln = checkDebianVulnerability($text, $keysize);
-                       if ($debianVuln === true)
-                       {
-                               return sprintf(_("The keys you use have very likely been ".
-                                               "generated with a vulnerable version of OpenSSL which ".
-                                               "was distributed by debian. Please generate new keys. ".
-                                               "More information about this issue can be found in ".
-                                               "%sthe wiki%s"),
-                                       "<a href='//wiki.cacert.org/WeakKeys#DebianVulnerability'>",
-                                       "</a>");
-                       } elseif ($debianVuln === false) {
-                               // not vulnerable => do nothing
-                       } else {
-                               return failWithId("checkWeakKeyText(): Something went wrong in".
-                                       "checkDebianVulnerability()");
-                       }
-                       
-                       if (!preg_match('/^\s*Exponent: (\d+) \(0x[0-9a-fA-F]+\)$/m', $text,
-                                       $exponent))
-                       {
-                               return failWithId("checkWeakKeyText(): Couldn't parse the RSA ".
-                                               "exponent");
-                       } else {
-                               $exponent = $exponent[1]; // exponent might be very big =>
-                                       //handle as string using bc*()  
-                               
-                               if (bccomp($exponent, "3") === 0)
-                               {
-                                       return sprintf(_("The keys you use might be insecure. ".
-                                                       "Although there is currently no known attack for ".
-                                                       "reasonable encryption schemes, we're being ".
-                                                       "cautious and don't allow certificates for such ".
-                                                       "keys. Please generate stronger keys. More ".
-                                                       "information about this issue can be found in ".
-                                                       "%sthe wiki%s"),
-                                               "<a href='//wiki.cacert.org/WeakKeys#SmallExponent'>",
-                                               "</a>");
-                               } elseif (!(bccomp($exponent, "65537") >= 0 &&
-                                               (bccomp($exponent, "100000") === -1 ||
-                                                       // speed things up if way smaller than 2^256
-                                               bccomp($exponent, bcpow("2", "256")) === -1) )) {
-                                       // 65537 <= exponent < 2^256 recommended by NIST
-                                       // not critical but log so we have some statistics about
-                                       // affected users
-                                       trigger_error("checkWeakKeyText(): Certificate for ".
-                                                       "unsuitable exponent '$exponent' requested",
-                                                       E_USER_NOTICE);
-                               }
-                       }
-               }
-               
-               /* No weakness found */
-               return "";
-       }
-       
-       /**
-        * Reimplement the functionality of the openssl-vulnkey tool
-        * 
-        * @param $text string
-        *              The text representation of a key as output by the
-        *              "openssl <foo> -text -noout" commands
-        * @param $keysize int [optional]
-        *              If the key size is already known it can be provided so it doesn't
-        *              have to be parsed again. This also skips the check whether the key
-        *              is an RSA key => use wisely
-        * @return TRUE if key is vulnerable, FALSE otherwise, NULL in case of error
-        */
-       function checkDebianVulnerability($text, $keysize = 0)
-       {
-               $keysize = intval($keysize);
-               
-               if ($keysize === 0)
-               {
-                       /* Which public key algorithm? */
-                       if (!preg_match('/^\s*Public Key Algorithm: ([^\s]+)$/m', $text,
-                               $algorithm))
-                       {
-                               trigger_error("checkDebianVulnerability(): Couldn't extract ".
-                                       "the public key algorithm used", E_USER_WARNING);
-                               return null;
-                       } else {
-                               $algorithm = $algorithm[1];
-                       }
-                       
-                       if ($algorithm !== "rsaEncryption") return false;
-                       
-                       /* Extract public key size */
-                       if (!preg_match('/^\s*RSA Public Key: \((\d+) bit\)$/m', $text,
-                               $keysize))
-                       {
-                               trigger_error("checkDebianVulnerability(): Couldn't parse the ".
-                                       "RSA key size", E_USER_WARNING);
-                               return null;
-                       } else {
-                               $keysize = intval($keysize[1]);
-                       }
-               }
-               
-               // $keysize has been made sure to contain an int
-               $blacklist = "/usr/share/openssl-blacklist/blacklist.RSA-$keysize";
-               if (!(is_file($blacklist) && is_readable($blacklist)))
-               {
-                       if (in_array($keysize, array(512, 1024, 2048, 4096)))
-                       {
-                               trigger_error("checkDebianVulnerability(): Blacklist for ".
-                                               "$keysize bit keys not accessible. Expected at ".
-                                               "$blacklist", E_USER_ERROR);
-                               return null;
-                       }
-                       
-                       trigger_error("checkDebianVulnerability(): $blacklist is not ".
-                               "readable. Unsupported key size?", E_USER_WARNING);
-                       return false;
-               }
-               
-               
-               /* Extract RSA modulus */
-               if (!preg_match('/^\s*Modulus \(\d+ bit\):\n'.
-                               '((?:\s*[0-9a-f][0-9a-f]:(?:\n)?)+[0-9a-f][0-9a-f])$/m',
-                       $text, $modulus))
-               {
-                       trigger_error("checkDebianVulnerability(): Couldn't extract the ".
-                               "RSA modulus", E_USER_WARNING);
-                       return null;
-               } else {
-                       $modulus = $modulus[1];
-                       // strip whitespace and colon leftovers
-                       $modulus = str_replace(array(" ", "\t", "\n", ":"), "", $modulus);
-                       
-                       // when using "openssl xxx -text" first byte was 00 in all my test
-                       // cases but 00 not present in the "openssl xxx -modulus" output
-                       if ($modulus[0] === "0" && $modulus[1] === "0")
-                       {
-                               $modulus = substr($modulus, 2);
-                       } else {
-                               trigger_error("checkDebianVulnerability(): First byte is not ".
-                                       "zero", E_USER_NOTICE);
-                       }
-                       
-                       $modulus = strtoupper($modulus);
-               }
-               
-               
-               /* calculate checksum and look it up in the blacklist */
-               $checksum = substr(sha1("Modulus=$modulus\n"), 20);
-               
-               // $checksum and $blacklist should be safe, but just to make sure
-               $checksum = escapeshellarg($checksum);
-               $blacklist = escapeshellarg($blacklist);
-               exec("grep $checksum $blacklist", $dummy, $debianVuln);
-               if ($debianVuln === 0) // grep returned something => it is on the list
-               {
-                       return true;
-               } elseif ($debianVuln === 1) { // grep returned nothing
-                       return false;
-               } else {
-                       trigger_error("checkDebianVulnerability(): Something went wrong ".
-                               "when looking up the key with checksum $checksum in the ".
-                               "blacklist $blacklist", E_USER_ERROR);
-                       return null;
-               }
-               
-               // Should not get here
-               return null;
-       }
-?>