Subject: CAcert Code Development list.
List archive
- From: Benny Baumann <benbe AT cacert.org>
- To: "critical-admin AT cacert.org" <critical-admin AT cacert.org>, Developers CAcert <cacert-devel AT lists.cacert.org>
- Cc: 'dirk astrath' <dirk.astrath AT cacert.org>, Bernhard Fröhlich <bernhard AT cacert.org>, Eva Stöwe <estoewe AT cacert.org>, Neal Oakey <neal AT cacert.org>, Wytze van der Raay <wytze AT cacert.org>
- Subject: Patch Request Bugs #1276, #1292, #1297, #1298
- Date: Thu, 21 Aug 2014 06:30:31 +0200
Dear critical,
we have patches for the following issues:
- Bug #1276: Middle Initial Matching for uid on GPG identities
https://bugs.cacert.org/view.php?id=1276
- Bug #1292: Issuing Certificates with "Public Exponent: 1 (0x1)"
https://bugs.cacert.org/view.php?id=1292
- Bug #1297: includes/lib/check_weak_key.php is broken after upgrade to
Debian Wheezy with openssl 1.0
https://bugs.cacert.org/view.php?id=1297
- Bug #1298: CommModule code requires a trivial change to run with
Debian Wheezy
https://bugs.cacert.org/view.php?id=1298
The patches were reviewed by me (BenBE), Dirk Astrath (dastrath) and
Bernhard Fröhlich (Ted).
The patches were tested by Eva Stöwe (katzazi), Felix Dörre (felixd),
Neal Oakey (neal) and Wytze v.d. Raay (wytze).
The installation instructions might be a bit more complicated in this
batch, thus let's do one-by-one.
For bug #1276 normal installation procedure applies.
For bug #1292 after applying the patch it would be nice to get some
statistics (orders of magnitude should suffice) on the number of
warnings triggered by violation of the boundaries set for RSA exponents.
For bug #1297 and bug #1298 installation should be done as required to
keep services running. As PHP 5.4 should not trigger any of the
show-blockers experienced in PHP 5.5 and onwards, it should be possible
to run with those patches based on PHP 5.4. Note that once installed bug
#1287 you can't downgrade to OpenSSL 0.9.* as the regexp are
incompatible. Thus when installing the patch for bug #1297 an upgrade of
OpenSSL to 1.0.1 has to be performed. As bug #1298 holds breaking
changes too upgrades should be done with care too: Apply as necessary.
Restart the affected parts of the signer as required.
As the last two changes in this set contain breaking changes a backup of
the whole environment should be performed and be kept ready for rollback
as necessary.
Once done the translations should be synchronised with the translation
server.
Please update the bugtracker accordingly.
Kind regards,
BenBE.
diff --git a/www/gpg.php b/www/gpg.php
index 263c1d3..80d8f21 100644
--- a/www/gpg.php
+++ b/www/gpg.php
@@ -63,12 +63,18 @@ if(0)
function verifyName($name)
{
if($name == "") return 0;
- if($name == $_SESSION['profile']['fname']." ".$_SESSION['profile']['lname']) return 1;
- if($name == $_SESSION['profile']['fname']." ".$_SESSION['profile']['mname']." ".$_SESSION['profile']['lname']) return 1;
- if($name == $_SESSION['profile']['fname']." ".$_SESSION['profile']['lname']." ".$_SESSION['profile']['suffix']) return 1;
- if($name == $_SESSION['profile']['fname']." ".$_SESSION['profile']['mname']." ".$_SESSION['profile']['lname']." ".$_SESSION['profile']['suffix']) return 1;
- return 0;
+ if(!strcasecmp($name, $_SESSION['profile']['fname']." ".$_SESSION['profile']['lname'])) return 1; // John Doe
+ if(!strcasecmp($name, $_SESSION['profile']['fname']." ".$_SESSION['profile']['mname']." ".$_SESSION['profile']['lname'])) return 1; // John Joseph Doe
+ if(!strcasecmp($name, $_SESSION['profile']['fname']." ".$_SESSION['profile']['mname'][0]." ".$_SESSION['profile']['lname'])) return 1; // John J Doe
+ if(!strcasecmp($name, $_SESSION['profile']['fname']." ".$_SESSION['profile']['mname'][0].". ".$_SESSION['profile']['lname'])) return 1; // John J. Doe
+
+ if(!strcasecmp($name, $_SESSION['profile']['fname']." ".$_SESSION['profile']['lname']." ".$_SESSION['profile']['suffix'])) return 1; // John Doe Jr.
+ if(!strcasecmp($name, $_SESSION['profile']['fname']." ".$_SESSION['profile']['mname']." ".$_SESSION['profile']['lname']." ".$_SESSION['profile']['suffix'])) return 1; //John Joseph Doe Jr.
+ if(!strcasecmp($name, $_SESSION['profile']['fname']." ".$_SESSION['profile']['mname'][0]." ".$_SESSION['profile']['lname']." ".$_SESSION['profile']['suffix'])) return 1; //John J Doe Jr.
+ if(!strcasecmp($name, $_SESSION['profile']['fname']." ".$_SESSION['profile']['mname'][0].". ".$_SESSION['profile']['lname']." ".$_SESSION['profile']['suffix'])) return 1; //John J. Doe Jr.
+
+ return 0;
}
function verifyEmail($email)
diff --git a/includes/lib/check_weak_key.php b/includes/lib/check_weak_key.php
index 8ad2ccf..59c6cd6 100644
--- a/includes/lib/check_weak_key.php
+++ b/includes/lib/check_weak_key.php
@@ -173,7 +173,7 @@ function checkWeakKeyText($text)
$exponent = $exponent[1]; // exponent might be very big =>
//handle as string using bc*()
- if (bccomp($exponent, "3") === 0)
+ if (bccomp($exponent, "65537") < 0)
{
return sprintf(_("The keys you use might be insecure. ".
"Although there is currently no known attack for ".
diff --git a/includes/lib/check_weak_key.php b/includes/lib/check_weak_key.php
index 59c6cd6..dd4f3a5 100644
--- a/includes/lib/check_weak_key.php
+++ b/includes/lib/check_weak_key.php
@@ -128,7 +128,7 @@ function checkWeakKeyText($text)
if ($algorithm === "rsaEncryption")
{
- if (!preg_match('/^\s*RSA Public Key: \((\d+) bit\)$/m', $text, $keysize))
+ if (!preg_match('/^\s*Public-Key: \((\d+) bit\)$/m', $text, $keysize))
{
return failWithId("checkWeakKeyText(): Couldn't parse the RSA ".
"key size.\nData:\n$text");
@@ -308,7 +308,7 @@ function checkDebianVulnerability($text, $keysize = 0)
if ($algorithm !== "rsaEncryption") return false;
/* Extract public key size */
- if (!preg_match('/^\s*RSA Public Key: \((\d+) bit\)$/m', $text,
+ if (!preg_match('/^\s*Public-Key: \((\d+) bit\)$/m', $text,
$keysize))
{
trigger_error("checkDebianVulnerability(): Couldn't parse the ".
@@ -338,7 +338,7 @@ function checkDebianVulnerability($text, $keysize = 0)
/* Extract RSA modulus */
- if (!preg_match('/^\s*Modulus \(\d+ bit\):\n'.
+ if (!preg_match('/^\s*Modulus:\n'.
'((?:\s*[0-9a-f][0-9a-f]:(?:\n)?)+[0-9a-f][0-9a-f])$/m',
$text, $modulus))
{
diff --git a/CommModule/client.pl b/CommModule/client.pl index 532761e..25e6a73 100755 --- a/CommModule/client.pl +++ b/CommModule/client.pl @@ -31,7 +31,7 @@ use DBI; use Locale::gettext; use IO::Socket; use MIME::Base64; -use Digest::SHA1 qw(sha1_hex); +use Digest::SHA qw(sha1_hex); #Protocol version: my $ver=1;
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
- Patch Request Bugs #1276, #1292, #1297, #1298, Benny Baumann, 08/21/2014
- Re: Patch Request Bugs #1276, #1292, #1297, #1298, Wytze van der Raay, 08/21/2014
- Re: Patch Request Bugs #1276, #1292, #1297, #1298, Wytze van der Raay, 08/28/2014
Archive powered by MHonArc 2.6.18.