Subject: CAcert Code Development list.
- From: Wytze van der Raay <wytze AT cacert.org>
- To: Benny Baumann <benbe AT cacert.org>
- Cc: Developers CAcert <cacert-devel AT lists.cacert.org>, 'dirk astrath' <dirk.astrath AT cacert.org>, Bernhard Fröhlich <bernhard AT cacert.org>, Eva Stöwe <estoewe AT cacert.org>, Neal Oakey <neal AT cacert.org>, "critical-admin AT cacert.org" <critical-admin AT cacert.org>
- Subject: Re: Patch Request Bugs #1276, #1292, #1297, #1298
- Date: Thu, 21 Aug 2014 17:27:22 +0200
- Organization: CAcert
Hi Benny,
On 08/21/2014 06:30 AM, Benny Baumann wrote:
> we have patches for the following issues:
> - Bug #1276: Middle Initial Matching for uid on GPG identities
> https://bugs.cacert.org/view.php?id=1276
> - Bug #1292: Issuing Certificates with "Public Exponent: 1 (0x1)"
> https://bugs.cacert.org/view.php?id=1292
> - Bug #1297: includes/lib/check_weak_key.php is broken after upgrade to
> Debian Wheezy with openssl 1.0
> https://bugs.cacert.org/view.php?id=1297
> - Bug #1298: CommModule code requires a trivial change to run with
> Debian Wheezy
> https://bugs.cacert.org/view.php?id=1298
>
> The patches were reviewed by me (BenBE), Dirk Astrath (dastrath) and
> Bernhard Fröhlich (Ted).
>
> The patches were tested by Eva Stöwe (katzazi), Felix Dörre (felixd),
> Neal Oakey (neal) and Wytze v.d. Raay (wytze).
>
> The installation instructions might be a bit more complicated in this
> batch, so let's go through them one by one.
>
> For bug #1276 normal installation procedure applies.
This patch has been installed on the production server on August 21, 2014.
See also the attached log message that was sent out to cacert-systemlog.
> For bug #1292 after applying the patch it would be nice to get some
> statistics (orders of magnitude should suffice) on the number of
> warnings triggered by violation of the boundaries set for RSA exponents.
This patch has also been installed on the production server on August 21,
2014. See also the attached log message that was sent out to cacert-systemlog.
As for statistics: to my knowledge there is no logging of the various key
failures determined by the checkWeakKey functions, so it's impossible to
tell how often these boundary checks are failing. The warnings issued are
only displayed on the web page presented to the user, and not recorded in
the system.
> For bug #1297 and bug #1298 installation should be done as required to
> keep services running. As PHP 5.4 should not trigger any of the
> show-blockers experienced in PHP 5.5 and onwards, it should be possible
> to run with those patches based on PHP 5.4. Note that once bug #1287 is
> installed you can't downgrade to OpenSSL 0.9.*, as the regexps are
> incompatible. Thus when installing the patch for bug #1297 an upgrade of
> OpenSSL to 1.0.1 has to be performed. As bug #1298 holds breaking
> changes too, upgrades should be done with care: apply as necessary.
> Restart the affected parts of the signer as required.
The patch for #1298 has been committed on the production server on August 21
(it was already active since the upgrade of the main server to Debian Wheezy).
The patch for #1297 will have to be installed in combination with an upgrade
of the CAcert chroot application environment to Debian Wheezy. This is a
procedure which will cause some downtime for the user community, hence we
will announce it first before proceeding with it, sometime next week I guess.
> As the last two changes in this set contain breaking changes a backup of
> the whole environment should be performed and be kept ready for rollback
> as necessary.
The upgrade of the chroot environment is done by creating a new (Wheezy-based)
environment first, then moving over the CAcert data files from the old
(Squeeze-based) environment to the new environment. After that the two
environments are switched. A rollback will be possible for a limited amount
of time by reversing that switch.
> Once done the translations should be synchronised with the translation
> server.
Updating translations is part of the upgrade mentioned above.
> Please update the bugtracker accordingly.
Done for #1276, #1292 and #1298. A report for #1297 will follow later.
Regards,
-- wytze
--- Begin Message ---
- From: Wytze van der Raay <wytze AT cacert.org>
- To: cacert-systemlog AT lists.cacert.org
- Subject: Fwd: cvs.cacert.org checkin notification
- Date: Thu, 21 Aug 2014 16:38:05 +0200
- Organization: CAcert
Fix for https://bugs.cacert.org/view.php?id=1276
"Middle Initial Matching for uid on GPG identities"
In conjunction with the attached CVS changes a new tarball has been
made available incorporating all updates. The new tarball is available
through http://www.cacert.org/src-lic.php
-- end
--- Begin Message ---
- From: "root" <root AT cvs.cacert.org>
- To: critical-admin AT cacert.org
- Subject: cvs.cacert.org checkin notification
- Date: Thu, 21 Aug 2014 16:34:00 +0200 (CEST)
uid=0(root) gid=0(root) groups=0(root)
gpg.php 1.36 1.37
Thu Aug 21 16:34:00 CEST 2014
Update of /var/lib/cvs/cacert/www
In directory webdb:/home/cacert/www/www
Modified Files:
gpg.php
Log Message:
Fix for https://bugs.cacert.org/view.php?id=1276
"Middle Initial Matching for uid on GPG identities"
===================================================================
RCS file: /var/lib/cvs/cacert/www/gpg.php,v
retrieving revision 1.36
retrieving revision 1.37
diff -u -r1.36 -r1.37
--- gpg.php 2014/04/18 08:10:17 1.36
+++ gpg.php 2014/08/21 14:33:59 1.37
@@ -63,12 +63,18 @@
function verifyName($name)
{
if($name == "") return 0;
- if($name == $_SESSION['profile']['fname']."
".$_SESSION['profile']['lname']) return 1;
- if($name == $_SESSION['profile']['fname']."
".$_SESSION['profile']['mname']." ".$_SESSION['profile']['lname']) return 1;
- if($name == $_SESSION['profile']['fname']."
".$_SESSION['profile']['lname']." ".$_SESSION['profile']['suffix']) return 1;
- if($name == $_SESSION['profile']['fname']."
".$_SESSION['profile']['mname']." ".$_SESSION['profile']['lname']."
".$_SESSION['profile']['suffix']) return 1;
- return 0;
+ if(!strcasecmp($name, $_SESSION['profile']['fname']."
".$_SESSION['profile']['lname'])) return 1; // John Doe
+ if(!strcasecmp($name, $_SESSION['profile']['fname']."
".$_SESSION['profile']['mname']." ".$_SESSION['profile']['lname'])) return 1;
// John Joseph Doe
+ if(!strcasecmp($name, $_SESSION['profile']['fname']."
".$_SESSION['profile']['mname'][0]." ".$_SESSION['profile']['lname'])) return
1; // John J Doe
+ if(!strcasecmp($name, $_SESSION['profile']['fname']."
".$_SESSION['profile']['mname'][0].". ".$_SESSION['profile']['lname']))
return 1; // John J. Doe
+
+ if(!strcasecmp($name, $_SESSION['profile']['fname']."
".$_SESSION['profile']['lname']." ".$_SESSION['profile']['suffix'])) return
1; // John Doe Jr.
+ if(!strcasecmp($name, $_SESSION['profile']['fname']."
".$_SESSION['profile']['mname']." ".$_SESSION['profile']['lname']."
".$_SESSION['profile']['suffix'])) return 1; //John Joseph Doe Jr.
+ if(!strcasecmp($name, $_SESSION['profile']['fname']."
".$_SESSION['profile']['mname'][0]." ".$_SESSION['profile']['lname']."
".$_SESSION['profile']['suffix'])) return 1; //John J Doe Jr.
+ if(!strcasecmp($name, $_SESSION['profile']['fname']."
".$_SESSION['profile']['mname'][0].". ".$_SESSION['profile']['lname']."
".$_SESSION['profile']['suffix'])) return 1; //John J. Doe Jr.
+
+ return 0;
}
function verifyEmail($email)
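Review bot: `$_SESSION['profile']['mname'][0]` in the four new initial-matching comparisons yields the first byte of the middle name, not its first character, so a middle name that starts with a multibyte UTF-8 letter produces a lone invalid byte and the "John J Doe" / "John J. Doe" forms can never match; when mname is empty, `[0]` also raises an "Uninitialized string offset" notice on every call. Guard those four lines with `if ($_SESSION['profile']['mname'] != '')` and derive the initial with `mb_substr($_SESSION['profile']['mname'], 0, 1, 'UTF-8')`. Separately, replacing `==` with `strcasecmp()` on every line turns the whole uid-to-profile match from case-sensitive into case-insensitive (ASCII letters only), which widens the set of GPG uids accepted against the assured name; that behavioural change is not mentioned in the log message and should be, since the name match is what ties the key to the verified identity.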
--- End Message ---
--- End Message ---
--- Begin Message ---
- From: Wytze van der Raay <wytze AT cacert.org>
- To: cacert-systemlog AT lists.cacert.org
- Subject: Fwd: cvs.cacert.org checkin notification
- Date: Thu, 21 Aug 2014 16:38:41 +0200
- Organization: CAcert
Fix for https://bugs.cacert.org/view.php?id=1292
"Issuing Certificates with "Public Exponent: 1 (0x1)""
In conjunction with the attached CVS changes a new tarball has been
made available incorporating all updates. The new tarball is available
through http://www.cacert.org/src-lic.php
-- end
--- Begin Message ---
- From: "root" <root AT cvs.cacert.org>
- To: critical-admin AT cacert.org
- Subject: cvs.cacert.org checkin notification
- Date: Thu, 21 Aug 2014 16:35:40 +0200 (CEST)
uid=0(root) gid=0(root) groups=0(root)
check_weak_key.php 1.3 1.4
Thu Aug 21 16:35:40 CEST 2014
Update of /var/lib/cvs/cacert/includes/lib
In directory webdb:/home/cacert/www/includes/lib
Modified Files:
check_weak_key.php
Log Message:
Fix for https://bugs.cacert.org/view.php?id=1292
"Issuing Certificates with "Public Exponent: 1 (0x1)""
===================================================================
RCS file: /var/lib/cvs/cacert/includes/lib/check_weak_key.php,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- check_weak_key.php 2014/03/10 16:32:07 1.3
+++ check_weak_key.php 2014/08/21 14:35:40 1.4
@@ -173,7 +173,7 @@
$exponent = $exponent[1]; // exponent might be very
big =>
//handle as string using bc*()
- if (bccomp($exponent, "3") === 0)
+ if (bccomp($exponent, "65537") < 0)
{
return sprintf(_("The keys you use might be
insecure. ".
"Although there is
currently no known attack for ".
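Review bot: the new lower bound `bccomp($exponent, "65537") < 0` now catches e = 1 as well as e = 3, but it returns the same advisory text for both, and "currently no known attack" is wrong for e = 1: with a public exponent of 1, RSA encryption is the identity (c = m^1 mod n) and a signature is just the padded message, so such a key provides no security whatsoever. Test `bccomp($exponent, "1") === 0` first and reject that case outright with its own message, keeping the advisory wording for 3 <= e < 65537. The check also bounds only the magnitude: an even exponent is never a valid RSA public exponent (it cannot be coprime to the even value of phi(n)), so a parity check on the decimal string's last digit would complete the validation at no extra cost.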
--- End Message ---
--- End Message ---
--- Begin Message ---
- From: Wytze van der Raay <wytze AT cacert.org>
- To: cacert-systemlog AT lists.cacert.org
- Subject: Fwd: cvs.cacert.org checkin notification
- Date: Thu, 21 Aug 2014 16:57:57 +0200
- Organization: CAcert
Fix for https://bugs.cacert.org/view.php?id=1298
"CommModule code requires a trivial change to run with Debian Wheezy"
In conjunction with the attached CVS changes a new tarball has been
made available incorporating all updates. The new tarball is available
through http://www.cacert.org/src-lic.php
-- end
--- Begin Message ---
- From: "root" <root AT cvs.cacert.org>
- To: critical-admin AT cacert.org
- Subject: cvs.cacert.org checkin notification
- Date: Thu, 21 Aug 2014 16:57:06 +0200 (CEST)
uid=0(root) gid=0(root) groups=0(root)
client.pl 1.27 1.28
Thu Aug 21 16:57:06 CEST 2014
Update of /var/lib/cvs/cacert/CommModule
In directory webdb:/home/cacert/www/CommModule
Modified Files:
client.pl
Log Message:
Fix for https://bugs.cacert.org/view.php?id=1298
"CommModule code requires a trivial change to run with Debian Wheezy"
===================================================================
RCS file: /var/lib/cvs/cacert/CommModule/client.pl,v
retrieving revision 1.27
retrieving revision 1.28
diff -u -r1.27 -r1.28
--- client.pl 2014/06/07 09:13:12 1.27
+++ client.pl 2014/08/21 14:57:05 1.28
@@ -31,7 +31,7 @@
use Locale::gettext;
use IO::Socket;
use MIME::Base64;
-use Digest::SHA1 qw(sha1_hex);
+use Digest::SHA qw(sha1_hex);
#Protocol version:
my $ver=1;
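Review bot: `Digest::SHA qw(sha1_hex)` is a drop-in replacement for the Digest::SHA1 export (same function name, same hex output), and Digest::SHA has been a core module since Perl 5.9.3, so the change is correct and drops a separately packaged dependency. Because the protocol digest stays SHA-1, the log message should state explicitly that this is a module swap with no change to the wire format or to the hashes exchanged with the signer, and the same `grep` for `Digest::SHA1` should be run over the other scripts in CommModule so the signer side does not fail the same way after the Wheezy upgrade.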
--- End Message ---
--- End Message ---