|
@@ -165,7 +165,7 @@ discard block |
|
|
|
165
|
165
|
} |
|
166
|
166
|
} |
|
167
|
167
|
|
|
168
|
|
- $this->loggerInstance->debug(4, "RADIUSTests is in opMode " . $this->opMode . ", parameters were: $realm, $outerUsernameForChecks, " . /** @scrutinizer ignore-type */ print_r($supportedEapTypes, true)); |
|
|
168
|
+ $this->loggerInstance->debug(4, "RADIUSTests is in opMode ".$this->opMode.", parameters were: $realm, $outerUsernameForChecks, "./** @scrutinizer ignore-type */ print_r($supportedEapTypes, true)); |
|
169
|
169
|
$this->loggerInstance->debug(4, /** @scrutinizer ignore-type */ print_r($expectedServerNames, true)); |
|
170
|
170
|
$this->loggerInstance->debug(4, /** @scrutinizer ignore-type */ print_r($expectedCABundle, true)); |
|
171
|
171
|
|
|
@@ -252,7 +252,7 @@ discard block |
|
|
|
252
|
252
|
$returnarray[] = RADIUSTests::CERTPROB_WILDCARD_IN_NAME; |
|
253
|
253
|
continue; // otherwise we'd ALSO complain that it's not a real hostname |
|
254
|
254
|
} |
|
255
|
|
- if ($onename != "" && filter_var("foo@" . idn_to_ascii($onename), FILTER_VALIDATE_EMAIL) === FALSE) { |
|
|
255
|
+ if ($onename != "" && filter_var("foo@".idn_to_ascii($onename), FILTER_VALIDATE_EMAIL) === FALSE) { |
|
256
|
256
|
$returnarray[] = RADIUSTests::CERTPROB_NOT_A_HOSTNAME; |
|
257
|
257
|
} |
|
258
|
258
|
} |
|
@@ -278,7 +278,7 @@ discard block |
|
|
|
278
|
278
|
$probValue = RADIUSTests::CERTPROB_SHA1_SIGNATURE; |
|
279
|
279
|
$returnarray[] = $probValue; |
|
280
|
280
|
} |
|
281
|
|
- $this->loggerInstance->debug(4, "CERT IS: " . /** @scrutinizer ignore-type */ print_r($intermediateCa, TRUE)); |
|
|
281
|
+ $this->loggerInstance->debug(4, "CERT IS: "./** @scrutinizer ignore-type */ print_r($intermediateCa, TRUE)); |
|
282
|
282
|
if ($intermediateCa['basicconstraints_set'] == 0) { |
|
283
|
283
|
$returnarray[] = RADIUSTests::CERTPROB_NO_BASICCONSTRAINTS; |
|
284
|
284
|
} |
|
@@ -326,7 +326,7 @@ discard block |
|
|
|
326
|
326
|
public function udpReachability($probeindex, $opnameCheck = TRUE, $frag = TRUE) { |
|
327
|
327
|
// for EAP-TLS to be a viable option, we need to pass a random client cert to make eapol_test happy |
|
328
|
328
|
// the following PEM data is one of the SENSE EAPLab client certs (not secret at all) |
|
329
|
|
- $clientcert = file_get_contents(dirname(__FILE__) . "/clientcert.p12"); |
|
|
329
|
+ $clientcert = file_get_contents(dirname(__FILE__)."/clientcert.p12"); |
|
330
|
330
|
if ($clientcert === FALSE) { |
|
331
|
331
|
throw new Exception("A dummy client cert is part of the source distribution, but could not be loaded!"); |
|
332
|
332
|
} |
|
@@ -335,7 +335,7 @@ discard block |
|
|
|
335
|
335
|
if ($this->opMode == self::RADIUS_TEST_OPERATION_MODE_THOROUGH) { |
|
336
|
336
|
return $this->udpLogin($probeindex, $this->supportedEapTypes[0]->getArrayRep(), $this->outerUsernameForChecks, 'eaplab', $opnameCheck, $frag, $clientcert); |
|
337
|
337
|
} |
|
338
|
|
- return $this->udpLogin($probeindex, \core\common\EAP::EAPTYPE_ANY, "cat-connectivity-test@" . $this->realm, 'eaplab', $opnameCheck, $frag, $clientcert); |
|
|
338
|
+ return $this->udpLogin($probeindex, \core\common\EAP::EAPTYPE_ANY, "cat-connectivity-test@".$this->realm, 'eaplab', $opnameCheck, $frag, $clientcert); |
|
339
|
339
|
} |
|
340
|
340
|
|
|
341
|
341
|
/** |
|
@@ -356,7 +356,7 @@ discard block |
|
|
|
356
|
356
|
return RADIUSTests::CERTPROB_NO_CDP_HTTP; |
|
357
|
357
|
} |
|
358
|
358
|
// first and second sub-match is the full URL... check it |
|
359
|
|
- $crlcontent = \core\common\OutsideComm::downloadFile(trim($crlUrl[1] . $crlUrl[2]), 10); |
|
|
359
|
+ $crlcontent = \core\common\OutsideComm::downloadFile(trim($crlUrl[1].$crlUrl[2]), 10); |
|
360
|
360
|
if ($crlcontent === FALSE) { |
|
361
|
361
|
return RADIUSTests::CERTPROB_NO_CRL_AT_CDP_URL; |
|
362
|
362
|
} |
|
@@ -371,7 +371,7 @@ discard block |
|
|
|
371
|
371
|
// $pem = chunk_split(base64_encode($crlcontent), 64, "\n"); |
|
372
|
372
|
// inspired by https://stackoverflow.com/questions/2390604/how-to-pass-variables-as-stdin-into-command-line-from-php |
|
373
|
373
|
|
|
374
|
|
- $proc = \config\Master::PATHS['openssl'] . " crl -inform der"; |
|
|
374
|
+ $proc = \config\Master::PATHS['openssl']." crl -inform der"; |
|
375
|
375
|
$descriptorspec = [ |
|
376
|
376
|
0 => ["pipe", "r"], |
|
377
|
377
|
1 => ["pipe", "w"], |
|
@@ -409,7 +409,7 @@ discard block |
|
|
|
409
|
409
|
$origLength = strlen($hex); |
|
410
|
410
|
for ($i = 1; $i < $origLength; $i++) { |
|
411
|
411
|
if ($i % 2 == 1 && $i != strlen($hex)) { |
|
412
|
|
- $spaced .= $hex[$i] . " "; |
|
|
412
|
+ $spaced .= $hex[$i]." "; |
|
413
|
413
|
} else { |
|
414
|
414
|
$spaced .= $hex[$i]; |
|
415
|
415
|
} |
|
@@ -534,19 +534,19 @@ discard block |
|
|
|
534
|
534
|
$eapText = \core\common\EAP::eapDisplayName($eaptype); |
|
535
|
535
|
$config = ' |
|
536
|
536
|
network={ |
|
537
|
|
- ssid="' . \config\Master::APPEARANCE['productname'] . ' testing" |
|
|
537
|
+ ssid="' . \config\Master::APPEARANCE['productname'].' testing" |
|
538
|
538
|
key_mgmt=WPA-EAP |
|
539
|
539
|
proto=WPA2 |
|
540
|
540
|
pairwise=CCMP |
|
541
|
541
|
group=CCMP |
|
542
|
542
|
'; |
|
543
|
543
|
// phase 1 |
|
544
|
|
- $config .= 'eap=' . $eapText['OUTER'] . "\n"; |
|
|
544
|
+ $config .= 'eap='.$eapText['OUTER']."\n"; |
|
545
|
545
|
$logConfig = $config; |
|
546
|
546
|
// phase 2 if applicable; all inner methods have passwords |
|
547
|
547
|
if (isset($eapText['INNER']) && $eapText['INNER'] != "") { |
|
548
|
|
- $config .= ' phase2="auth=' . $eapText['INNER'] . "\"\n"; |
|
549
|
|
- $logConfig .= ' phase2="auth=' . $eapText['INNER'] . "\"\n"; |
|
|
548
|
+ $config .= ' phase2="auth='.$eapText['INNER']."\"\n"; |
|
|
549
|
+ $logConfig .= ' phase2="auth='.$eapText['INNER']."\"\n"; |
|
550
|
550
|
} |
|
551
|
551
|
// all methods set a password, except EAP-TLS |
|
552
|
552
|
if ($eaptype != \core\common\EAP::EAPTYPE_TLS) { |
|
@@ -562,11 +562,11 @@ discard block |
|
|
|
562
|
562
|
} |
|
563
|
563
|
|
|
564
|
564
|
// inner identity |
|
565
|
|
- $config .= ' identity="' . $inner . "\"\n"; |
|
566
|
|
- $logConfig .= ' identity="' . $inner . "\"\n"; |
|
|
565
|
+ $config .= ' identity="'.$inner."\"\n"; |
|
|
566
|
+ $logConfig .= ' identity="'.$inner."\"\n"; |
|
567
|
567
|
// outer identity, may be equal |
|
568
|
|
- $config .= ' anonymous_identity="' . $outer . "\"\n"; |
|
569
|
|
- $logConfig .= ' anonymous_identity="' . $outer . "\"\n"; |
|
|
568
|
+ $config .= ' anonymous_identity="'.$outer."\"\n"; |
|
|
569
|
+ $logConfig .= ' anonymous_identity="'.$outer."\"\n"; |
|
570
|
570
|
// done |
|
571
|
571
|
$config .= "}"; |
|
572
|
572
|
$logConfig .= "}"; |
|
@@ -627,13 +627,13 @@ discard block |
|
|
|
627
|
627
|
* @return string the command-line for eapol_test |
|
628
|
628
|
*/ |
|
629
|
629
|
private function eapolTestConfig($probeindex, $opName, $frag) { |
|
630
|
|
- $cmdline = \config\Diagnostics::PATHS['eapol_test'] . |
|
631
|
|
- " -a " . \config\Diagnostics::RADIUSTESTS['UDP-hosts'][$probeindex]['ip'] . |
|
632
|
|
- " -s " . \config\Diagnostics::RADIUSTESTS['UDP-hosts'][$probeindex]['secret'] . |
|
633
|
|
- " -o serverchain.pem" . |
|
634
|
|
- " -c ./udp_login_test.conf" . |
|
635
|
|
- " -M 22:44:66:CA:20:" . sprintf("%02d", $probeindex) . " " . |
|
636
|
|
- " -t " . \config\Diagnostics::RADIUSTESTS['UDP-hosts'][$probeindex]['timeout'] . " "; |
|
|
630
|
+ $cmdline = \config\Diagnostics::PATHS['eapol_test']. |
|
|
631
|
+ " -a ".\config\Diagnostics::RADIUSTESTS['UDP-hosts'][$probeindex]['ip']. |
|
|
632
|
+ " -s ".\config\Diagnostics::RADIUSTESTS['UDP-hosts'][$probeindex]['secret']. |
|
|
633
|
+ " -o serverchain.pem". |
|
|
634
|
+ " -c ./udp_login_test.conf". |
|
|
635
|
+ " -M 22:44:66:CA:20:".sprintf("%02d", $probeindex)." ". |
|
|
636
|
+ " -t ".\config\Diagnostics::RADIUSTESTS['UDP-hosts'][$probeindex]['timeout']." "; |
|
637
|
637
|
if ($opName) { |
|
638
|
638
|
$cmdline .= '-N126:s:"1cat.eduroam.org" '; |
|
639
|
639
|
} |
|
@@ -662,10 +662,10 @@ discard block |
|
|
|
662
|
662
|
* @throws Exception |
|
663
|
663
|
*/ |
|
664
|
664
|
private function createCArepository($tmpDir, &$intermOdditiesCAT, $servercert, $eapIntermediates, $eapIntermediateCRLs) { |
|
665
|
|
- if (!mkdir($tmpDir . "/root-ca-allcerts/", 0700, true)) { |
|
|
665
|
+ if (!mkdir($tmpDir."/root-ca-allcerts/", 0700, true)) { |
|
666
|
666
|
throw new Exception("unable to create root CA directory (RADIUS Tests): $tmpDir/root-ca-allcerts/\n"); |
|
667
|
667
|
} |
|
668
|
|
- if (!mkdir($tmpDir . "/root-ca-eaponly/", 0700, true)) { |
|
|
668
|
+ if (!mkdir($tmpDir."/root-ca-eaponly/", 0700, true)) { |
|
669
|
669
|
throw new Exception("unable to create root CA directory (RADIUS Tests): $tmpDir/root-ca-eaponly/\n"); |
|
670
|
670
|
} |
|
671
|
671
|
// make a copy of the EAP-received chain and add the configured intermediates, if any |
|
@@ -679,15 +679,15 @@ discard block |
|
|
|
679
|
679
|
} |
|
680
|
680
|
if ($decoded['ca'] == 1) { |
|
681
|
681
|
if ($decoded['root'] == 1) { // save CAT roots to the root directory |
|
682
|
|
- file_put_contents($tmpDir . "/root-ca-eaponly/configuredroot" . count($catRoots) . ".pem", $decoded['pem']); |
|
683
|
|
- file_put_contents($tmpDir . "/root-ca-allcerts/configuredroot" . count($catRoots) . ".pem", $decoded['pem']); |
|
|
682
|
+ file_put_contents($tmpDir."/root-ca-eaponly/configuredroot".count($catRoots).".pem", $decoded['pem']); |
|
|
683
|
+ file_put_contents($tmpDir."/root-ca-allcerts/configuredroot".count($catRoots).".pem", $decoded['pem']); |
|
684
|
684
|
$catRoots[] = $decoded['pem']; |
|
685
|
685
|
} else { // save the intermediates to allcerts directory |
|
686
|
|
- file_put_contents($tmpDir . "/root-ca-allcerts/cat-intermediate" . count($catIntermediates) . ".pem", $decoded['pem']); |
|
|
686
|
+ file_put_contents($tmpDir."/root-ca-allcerts/cat-intermediate".count($catIntermediates).".pem", $decoded['pem']); |
|
687
|
687
|
$intermOdditiesCAT = array_merge($intermOdditiesCAT, $this->propertyCheckIntermediate($decoded)); |
|
688
|
688
|
if (isset($decoded['CRL']) && isset($decoded['CRL'][0])) { |
|
689
|
689
|
$this->loggerInstance->debug(4, "got an intermediate CRL; adding them to the chain checks. (Remember: checking end-entity cert only, not the whole chain"); |
|
690
|
|
- file_put_contents($tmpDir . "/root-ca-allcerts/crl_cat" . count($catIntermediates) . ".pem", $decoded['CRL'][0]); |
|
|
690
|
+ file_put_contents($tmpDir."/root-ca-allcerts/crl_cat".count($catIntermediates).".pem", $decoded['CRL'][0]); |
|
691
|
691
|
} |
|
692
|
692
|
$catIntermediates[] = $decoded['pem']; |
|
693
|
693
|
} |
|
@@ -696,26 +696,26 @@ discard block |
|
|
|
696
|
696
|
// save all intermediate certificates and CRLs to separate files in |
|
697
|
697
|
// both root-ca directories |
|
698
|
698
|
foreach ($eapIntermediates as $index => $onePem) { |
|
699
|
|
- file_put_contents($tmpDir . "/root-ca-eaponly/intermediate$index.pem", $onePem); |
|
700
|
|
- file_put_contents($tmpDir . "/root-ca-allcerts/intermediate$index.pem", $onePem); |
|
|
699
|
+ file_put_contents($tmpDir."/root-ca-eaponly/intermediate$index.pem", $onePem); |
|
|
700
|
+ file_put_contents($tmpDir."/root-ca-allcerts/intermediate$index.pem", $onePem); |
|
701
|
701
|
} |
|
702
|
702
|
foreach ($eapIntermediateCRLs as $index => $onePem) { |
|
703
|
|
- file_put_contents($tmpDir . "/root-ca-eaponly/intermediateCRL$index.pem", $onePem); |
|
704
|
|
- file_put_contents($tmpDir . "/root-ca-allcerts/intermediateCRL$index.pem", $onePem); |
|
|
703
|
+ file_put_contents($tmpDir."/root-ca-eaponly/intermediateCRL$index.pem", $onePem); |
|
|
704
|
+ file_put_contents($tmpDir."/root-ca-allcerts/intermediateCRL$index.pem", $onePem); |
|
705
|
705
|
} |
|
706
|
706
|
|
|
707
|
707
|
$checkstring = ""; |
|
708
|
708
|
if (isset($servercert['CRL']) && isset($servercert['CRL'][0])) { |
|
709
|
709
|
$this->loggerInstance->debug(4, "got a server CRL; adding them to the chain checks. (Remember: checking end-entity cert only, not the whole chain"); |
|
710
|
710
|
$checkstring = "-crl_check_all"; |
|
711
|
|
- file_put_contents($tmpDir . "/root-ca-eaponly/crl-server.pem", $servercert['CRL'][0]); |
|
712
|
|
- file_put_contents($tmpDir . "/root-ca-allcerts/crl-server.pem", $servercert['CRL'][0]); |
|
|
711
|
+ file_put_contents($tmpDir."/root-ca-eaponly/crl-server.pem", $servercert['CRL'][0]); |
|
|
712
|
+ file_put_contents($tmpDir."/root-ca-allcerts/crl-server.pem", $servercert['CRL'][0]); |
|
713
|
713
|
} |
|
714
|
714
|
|
|
715
|
715
|
|
|
716
|
716
|
// now c_rehash the root CA directory ... |
|
717
|
|
- system(\config\Diagnostics::PATHS['c_rehash'] . " $tmpDir/root-ca-eaponly/ > /dev/null"); |
|
718
|
|
- system(\config\Diagnostics::PATHS['c_rehash'] . " $tmpDir/root-ca-allcerts/ > /dev/null"); |
|
|
717
|
+ system(\config\Diagnostics::PATHS['c_rehash']." $tmpDir/root-ca-eaponly/ > /dev/null"); |
|
|
718
|
+ system(\config\Diagnostics::PATHS['c_rehash']." $tmpDir/root-ca-allcerts/ > /dev/null"); |
|
719
|
719
|
return $checkstring; |
|
720
|
720
|
} |
|
721
|
721
|
|
|
@@ -746,12 +746,12 @@ discard block |
|
|
|
746
|
746
|
// so test if there's something PEMy in the file at all |
|
747
|
747
|
// serverchain.pem is the output from eapol_test; incomingserver.pem is written by extractIncomingCertsfromEAP() if there was at least one server cert. |
|
748
|
748
|
if (filesize("$tmpDir/serverchain.pem") > 10 && filesize("$tmpDir/incomingserver.pem") > 10) { |
|
749
|
|
- exec(\config\Master::PATHS['openssl'] . " verify $crlCheckString -CApath $tmpDir/root-ca-eaponly/ -purpose any $tmpDir/incomingserver.pem", $verifyResultEaponly); |
|
750
|
|
- $this->loggerInstance->debug(4, \config\Master::PATHS['openssl'] . " verify $crlCheckString -CApath $tmpDir/root-ca-eaponly/ -purpose any $tmpDir/serverchain.pem\n"); |
|
751
|
|
- $this->loggerInstance->debug(4, "Chain verify pass 1: " . /** @scrutinizer ignore-type */ print_r($verifyResultEaponly, TRUE) . "\n"); |
|
752
|
|
- exec(\config\Master::PATHS['openssl'] . " verify $crlCheckString -CApath $tmpDir/root-ca-allcerts/ -purpose any $tmpDir/incomingserver.pem", $verifyResultAllcerts); |
|
753
|
|
- $this->loggerInstance->debug(4, \config\Master::PATHS['openssl'] . " verify $crlCheckString -CApath $tmpDir/root-ca-allcerts/ -purpose any $tmpDir/serverchain.pem\n"); |
|
754
|
|
- $this->loggerInstance->debug(4, "Chain verify pass 2: " . /** @scrutinizer ignore-type */ print_r($verifyResultAllcerts, TRUE) . "\n"); |
|
|
749
|
+ exec(\config\Master::PATHS['openssl']." verify $crlCheckString -CApath $tmpDir/root-ca-eaponly/ -purpose any $tmpDir/incomingserver.pem", $verifyResultEaponly); |
|
|
750
|
+ $this->loggerInstance->debug(4, \config\Master::PATHS['openssl']." verify $crlCheckString -CApath $tmpDir/root-ca-eaponly/ -purpose any $tmpDir/serverchain.pem\n"); |
|
|
751
|
+ $this->loggerInstance->debug(4, "Chain verify pass 1: "./** @scrutinizer ignore-type */ print_r($verifyResultEaponly, TRUE)."\n"); |
|
|
752
|
+ exec(\config\Master::PATHS['openssl']." verify $crlCheckString -CApath $tmpDir/root-ca-allcerts/ -purpose any $tmpDir/incomingserver.pem", $verifyResultAllcerts); |
|
|
753
|
+ $this->loggerInstance->debug(4, \config\Master::PATHS['openssl']." verify $crlCheckString -CApath $tmpDir/root-ca-allcerts/ -purpose any $tmpDir/serverchain.pem\n"); |
|
|
754
|
+ $this->loggerInstance->debug(4, "Chain verify pass 2: "./** @scrutinizer ignore-type */ print_r($verifyResultAllcerts, TRUE)."\n"); |
|
755
|
755
|
} |
|
756
|
756
|
|
|
757
|
757
|
// now we do certificate verification against the collected parents |
|
@@ -817,7 +817,7 @@ discard block |
|
|
|
817
|
817
|
// we are UNHAPPY if no names match! |
|
818
|
818
|
$happiness = "UNHAPPY"; |
|
819
|
819
|
foreach ($this->expectedServerNames as $expectedName) { |
|
820
|
|
- $this->loggerInstance->debug(4, "Managing expectations for $expectedName: " . /** @scrutinizer ignore-type */ print_r($servercert['CN'], TRUE) . /** @scrutinizer ignore-type */ print_r($servercert['sAN_DNS'], TRUE)); |
|
|
820
|
+ $this->loggerInstance->debug(4, "Managing expectations for $expectedName: "./** @scrutinizer ignore-type */ print_r($servercert['CN'], TRUE)./** @scrutinizer ignore-type */ print_r($servercert['sAN_DNS'], TRUE)); |
|
821
|
821
|
if (array_search($expectedName, $servercert['CN']) !== FALSE && array_search($expectedName, $servercert['sAN_DNS']) !== FALSE) { |
|
822
|
822
|
$this->loggerInstance->debug(4, "Totally happy!"); |
|
823
|
823
|
$happiness = "TOTALLY"; |
|
@@ -861,11 +861,11 @@ discard block |
|
|
|
861
|
861
|
$theconfigs = $this->wpaSupplicantConfig($eaptype, $finalInner, $finalOuter, $password); |
|
862
|
862
|
// the config intentionally does not include CA checking. We do this |
|
863
|
863
|
// ourselves after getting the chain with -o. |
|
864
|
|
- file_put_contents($tmpDir . "/udp_login_test.conf", $theconfigs[0]); |
|
|
864
|
+ file_put_contents($tmpDir."/udp_login_test.conf", $theconfigs[0]); |
|
865
|
865
|
|
|
866
|
866
|
$cmdline = $this->eapolTestConfig($probeindex, $opnameCheck, $frag); |
|
867
|
867
|
$this->loggerInstance->debug(4, "Shallow reachability check cmdline: $cmdline\n"); |
|
868
|
|
- $this->loggerInstance->debug(4, "Shallow reachability check config: $tmpDir\n" . $theconfigs[1] . "\n"); |
|
|
868
|
+ $this->loggerInstance->debug(4, "Shallow reachability check config: $tmpDir\n".$theconfigs[1]."\n"); |
|
869
|
869
|
$time_start = microtime(true); |
|
870
|
870
|
$pflow = []; |
|
871
|
871
|
exec($cmdline, $pflow); |
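Review bot: The `Shallow reachability check cmdline: $cmdline` debug call in this hunk writes the complete eapol_test command line to the level-4 log, and eapolTestConfig (the 627 hunk on this page) builds that line with the probe's RADIUS shared secret as the `-s` argument, so the secret ends up in clear text in the debug log even though the later `redact($password, $pflow)` call shows the saved output is meant to be scrubbed. Redact the secret before logging, e.g. `$this->loggerInstance->debug(4, "Shallow reachability check cmdline: " . str_replace(\config\Diagnostics::RADIUSTESTS['UDP-hosts'][$probeindex]['secret'], '[SECRET]', $cmdline) . "\n");`. Separately, the ip, secret and timeout values are interpolated into a shell command without `escapeshellarg()`; they come from `\config\Diagnostics`, so this is hardening rather than an injection path, but wrapping each one is cheap and also keeps a secret containing shell metacharacters from breaking the command. Passing `-s` on argv also exposes the secret to any local user through the process list, which is inherent to eapol_test's interface and deserves a comment on the `" -s "` line in eapolTestConfig. The enclosing method starts and ends outside this hunk.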
|
@@ -874,7 +874,7 @@ discard block |
|
|
|
874
|
874
|
} |
|
875
|
875
|
$time_stop = microtime(true); |
|
876
|
876
|
$output = print_r($this->redact($password, $pflow), TRUE); |
|
877
|
|
- file_put_contents($tmpDir . "/eapol_test_output_redacted_$probeindex.txt", $output); |
|
|
877
|
+ file_put_contents($tmpDir."/eapol_test_output_redacted_$probeindex.txt", $output); |
|
878
|
878
|
$this->loggerInstance->debug(5, "eapol_test output saved to eapol_test_output_redacted_$probeindex.txt\n"); |
|
879
|
879
|
return [ |
|
880
|
880
|
"time" => ($time_stop - $time_start) * 1000, |
|
@@ -909,7 +909,7 @@ discard block |
|
|
|
909
|
909
|
if ($packetflow[count($packetflow) - 1] == 3 && $this->checkLineparse($packetflow_orig, self::LINEPARSE_CHECK_REJECTIGNORE)) { |
|
910
|
910
|
array_pop($packetflow); |
|
911
|
911
|
} |
|
912
|
|
- $this->loggerInstance->debug(5, "Packetflow: " . /** @scrutinizer ignore-type */ print_r($packetflow, TRUE)); |
|
|
912
|
+ $this->loggerInstance->debug(5, "Packetflow: "./** @scrutinizer ignore-type */ print_r($packetflow, TRUE)); |
|
913
|
913
|
$packetcount = array_count_values($packetflow); |
|
914
|
914
|
$testresults['packetcount'] = $packetcount; |
|
915
|
915
|
$testresults['packetflow'] = $packetflow; |
|
@@ -949,7 +949,7 @@ discard block |
|
|
|
949
|
949
|
*/ |
|
950
|
950
|
private function wasModernTlsNegotiated(&$testresults, $packetflow_orig) { |
|
951
|
951
|
$negotiatedTlsVersion = $this->checkLineparse($packetflow_orig, self::LINEPARSE_TLSVERSION); |
|
952
|
|
- $this->loggerInstance->debug(4, "TLS version found is: $negotiatedTlsVersion" . "\n"); |
|
|
952
|
+ $this->loggerInstance->debug(4, "TLS version found is: $negotiatedTlsVersion"."\n"); |
|
953
|
953
|
if ($negotiatedTlsVersion === FALSE) { |
|
954
|
954
|
$testresults['cert_oddities'][] = RADIUSTests::TLSPROB_UNKNOWN_TLS_VERSION; |
|
955
|
955
|
} elseif ($negotiatedTlsVersion != self::TLS_VERSION_1_2 && $negotiatedTlsVersion != self::TLS_VERSION_1_3) { |
|
@@ -1007,7 +1007,7 @@ discard block |
|
|
|
1007
|
1007
|
|
|
1008
|
1008
|
$x509 = new \core\common\X509(); |
|
1009
|
1009
|
// $eap_certarray holds all certs received in EAP conversation |
|
1010
|
|
- $incomingData = file_get_contents($tmpDir . "/serverchain.pem"); |
|
|
1010
|
+ $incomingData = file_get_contents($tmpDir."/serverchain.pem"); |
|
1011
|
1011
|
if ($incomingData !== FALSE && strlen($incomingData) > 0) { |
|
1012
|
1012
|
$eapCertArray = $x509->splitCertificate($incomingData); |
|
1013
|
1013
|
} else { |
|
@@ -1037,10 +1037,10 @@ discard block |
|
|
|
1037
|
1037
|
case RADIUSTests::SERVER_CA_SELFSIGNED: |
|
1038
|
1038
|
$servercert[] = $cert; |
|
1039
|
1039
|
if (count($servercert) == 1) { |
|
1040
|
|
- if (file_put_contents($tmpDir . "/incomingserver.pem", $cert['pem'] . "\n") === FALSE) { |
|
|
1040
|
+ if (file_put_contents($tmpDir."/incomingserver.pem", $cert['pem']."\n") === FALSE) { |
|
1041
|
1041
|
$this->loggerInstance->debug(4, "The (first) server certificate could not be written to $tmpDir/incomingserver.pem!\n"); |
|
1042
|
1042
|
} |
|
1043
|
|
- $this->loggerInstance->debug(4, "This is the (first) server certificate, with CRL content if applicable: " . /** @scrutinizer ignore-type */ print_r($servercert[0], true)); |
|
|
1043
|
+ $this->loggerInstance->debug(4, "This is the (first) server certificate, with CRL content if applicable: "./** @scrutinizer ignore-type */ print_r($servercert[0], true)); |
|
1044
|
1044
|
} elseif (!in_array(RADIUSTests::CERTPROB_TOO_MANY_SERVER_CERTS, $testresults['cert_oddities'])) { |
|
1045
|
1045
|
$testresults['cert_oddities'][] = RADIUSTests::CERTPROB_TOO_MANY_SERVER_CERTS; |
|
1046
|
1046
|
} |
|
@@ -1110,7 +1110,7 @@ discard block |
|
|
|
1110
|
1110
|
public function autodetectCAWithProbe($outerId) { |
|
1111
|
1111
|
// for EAP-TLS to be a viable option, we need to pass a random client cert to make eapol_test happy |
|
1112
|
1112
|
// the following PEM data is one of the SENSE EAPLab client certs (not secret at all) |
|
1113
|
|
- $clientcert = file_get_contents(dirname(__FILE__) . "/clientcert.p12"); |
|
|
1113
|
+ $clientcert = file_get_contents(dirname(__FILE__)."/clientcert.p12"); |
|
1114
|
1114
|
if ($clientcert === FALSE) { |
|
1115
|
1115
|
throw new Exception("A dummy client cert is part of the source distribution, but could not be loaded!"); |
|
1116
|
1116
|
} |
|
@@ -1125,7 +1125,7 @@ discard block |
|
|
|
1125
|
1125
|
$tmpDir = $temporary['dir']; |
|
1126
|
1126
|
chdir($tmpDir); |
|
1127
|
1127
|
$this->loggerInstance->debug(4, "temp dir: $tmpDir\n"); |
|
1128
|
|
- file_put_contents($tmpDir . "/client.p12", $clientcert); |
|
|
1128
|
+ file_put_contents($tmpDir."/client.p12", $clientcert); |
|
1129
|
1129
|
$testresults = ['cert_oddities' => []]; |
|
1130
|
1130
|
$runtime_results = $this->executeEapolTest($tmpDir, $probeindex, \core\common\EAP::EAPTYPE_ANY, $outerId, $outerId, "eaplab", FALSE, FALSE); |
|
1131
|
1131
|
$packetflow_orig = $runtime_results['output']; |
|
@@ -1141,8 +1141,7 @@ discard block |
|
|
|
1141
|
1141
|
// that's not the case if we do EAP-pwd or could not negotiate an EAP method at |
|
1142
|
1142
|
// all |
|
1143
|
1143
|
// in that case: no server CA guess possible |
|
1144
|
|
- if (! |
|
1145
|
|
- ($radiusResult == RADIUSTests::RETVAL_CONVERSATION_REJECT && $negotiatedEapType) || $radiusResult == RADIUSTests::RETVAL_OK |
|
|
1144
|
+ if (!($radiusResult == RADIUSTests::RETVAL_CONVERSATION_REJECT && $negotiatedEapType) || $radiusResult == RADIUSTests::RETVAL_OK |
|
1146
|
1145
|
) { |
|
1147
|
1146
|
return RADIUSTests::RETVAL_INVALID; |
|
1148
|
1147
|
} |
|
@@ -1182,7 +1181,7 @@ discard block |
|
|
|
1182
|
1181
|
// trust, and custom ones we may have configured |
|
1183
|
1182
|
$ourRoots = file_get_contents(\config\ConfAssistant::PATHS['trust-store-custom']); |
|
1184
|
1183
|
$mozillaRoots = file_get_contents(\config\ConfAssistant::PATHS['trust-store-mozilla']); |
|
1185
|
|
- $allRoots = $x509->splitCertificate($ourRoots . "\n" . $mozillaRoots); |
|
|
1184
|
+ $allRoots = $x509->splitCertificate($ourRoots."\n".$mozillaRoots); |
|
1186
|
1185
|
foreach ($allRoots as $oneRoot) { |
|
1187
|
1186
|
$processedRoot = $x509->processCertificate($oneRoot); |
|
1188
|
1187
|
if ($processedRoot['full_details']['subject'] == $currentHighestKnownIssuer) { |
|
@@ -1226,7 +1225,7 @@ discard block |
|
|
|
1226
|
1225
|
chdir($tmpDir); |
|
1227
|
1226
|
$this->loggerInstance->debug(4, "temp dir: $tmpDir\n"); |
|
1228
|
1227
|
if ($clientcertdata !== NULL) { |
|
1229
|
|
- file_put_contents($tmpDir . "/client.p12", $clientcertdata); |
|
|
1228
|
+ file_put_contents($tmpDir."/client.p12", $clientcertdata); |
|
1230
|
1229
|
} |
|
1231
|
1230
|
$testresults = []; |
|
1232
|
1231
|
// initialise the sub-array for cleaner parsing |
|
@@ -1331,7 +1330,7 @@ discard block |
|
|
block discarded – undo |
|
1331
|
1330
|
'issuer' => $this->printDN($certdata['issuer']), |
|
1332
|
1331
|
'validFrom' => $this->printTm($certdata['validFrom_time_t']), |
|
1333
|
1332
|
'validTo' => $this->printTm($certdata['validTo_time_t']), |
|
1334
|
|
- 'serialNumber' => $certdata['serialNumber'] . sprintf(" (0x%X)", $certdata['serialNumber']), |
|
|
1333
|
+ 'serialNumber' => $certdata['serialNumber'].sprintf(" (0x%X)", $certdata['serialNumber']), |
|
1335
|
1334
|
'sha1' => $certdata['sha1'], |
|
1336
|
1335
|
'public_key_length' => $certdata['public_key_length'], |
|
1337
|
1336
|
'extensions' => $certdata['extensions'] |