GEANT /
CAT
Duplicate code is one of the most pungent code smells. A rule that is often used is to re-structure code once it is duplicated in three or more places.
Common duplication problems, and corresponding solutions are:
Complex classes like RADIUSTests often do a lot of different things. To break such a class down, we need to identify a cohesive component within that class. A common approach to find such a component is to look for fields/methods that share the same prefixes, or suffixes. You can also have a look at the cohesion graph to spot any un-connected, or weakly-connected components.
Once you have determined the fields that belong together, you can apply the Extract Class refactoring. If the component makes sense as a sub-class, Extract Subclass is also a candidate, and is often faster.
While breaking up the class, it is a good idea to analyze how other classes use RADIUSTests, and based on these observations, apply Extract Interface, too.
| 1 | <?php |
||
| 40 | class RADIUSTests extends AbstractTest { |
||
| 41 | |||
| 42 | /** |
||
| 43 | * The variables below maintain state of the result of previous checks. |
||
| 44 | * |
||
| 45 | */ |
||
| 46 | private $UDP_reachability_executed; |
||
| 47 | private $errorlist; |
||
| 48 | |||
| 49 | /** |
||
| 50 | * This private variable contains the realm to be checked. Is filled in the |
||
| 51 | * class constructor. |
||
| 52 | * |
||
| 53 | * @var string |
||
| 54 | */ |
||
| 55 | private $realm; |
||
| 56 | private $outerUsernameForChecks; |
||
| 57 | private $expectedCABundle; |
||
| 58 | private $expectedServerNames; |
||
| 59 | |||
| 60 | /** |
||
| 61 | * the list of EAP types which the IdP allegedly supports. |
||
| 62 | * |
||
| 63 | * @var array |
||
| 64 | */ |
||
| 65 | private $supportedEapTypes; |
||
| 66 | private $opMode; |
||
| 67 | public $UDP_reachability_result; |
||
| 68 | |||
| 69 | const RADIUS_TEST_OPERATION_MODE_SHALLOW = 1; |
||
| 70 | const RADIUS_TEST_OPERATION_MODE_THOROUGH = 2; |
||
| 71 | |||
| 72 | /** |
||
| 73 | * Constructor for the EAPTests class. The single mandatory parameter is the |
||
| 74 | * realm for which the tests are to be carried out. |
||
| 75 | * |
||
| 76 | * @param string $realm |
||
| 77 | * @param string $outerUsernameForChecks |
||
| 78 | * @param array $supportedEapTypes (array of integer representations of EAP types) |
||
| 79 | * @param array $expectedServerNames (array of strings) |
||
| 80 | * @param array $expectedCABundle (array of PEM blocks) |
||
| 81 | */ |
||
| 82 | public function __construct($realm, $outerUsernameForChecks, $supportedEapTypes = [], $expectedServerNames = [], $expectedCABundle = []) { |
||
| 83 | parent::__construct(); |
||
| 84 | $oldlocale = $this->languageInstance->setTextDomain('diagnostics'); |
||
| 85 | |||
| 86 | $this->realm = $realm; |
||
| 87 | $this->outerUsernameForChecks = $outerUsernameForChecks; |
||
| 88 | $this->expectedCABundle = $expectedCABundle; |
||
| 89 | $this->expectedServerNames = $expectedServerNames; |
||
| 90 | $this->supportedEapTypes = $supportedEapTypes; |
||
| 91 | |||
| 92 | $this->opMode = self::RADIUS_TEST_OPERATION_MODE_SHALLOW; |
||
| 93 | |||
| 94 | $caNeeded = FALSE; |
||
| 95 | $serverNeeded = FALSE; |
||
| 96 | foreach ($supportedEapTypes as $oneEapType) { |
||
| 97 | if ($oneEapType->needsServerCACert()) { |
||
| 98 | $caNeeded = TRUE; |
||
| 99 | } |
||
| 100 | if ($oneEapType->needsServerName()) { |
||
| 101 | $serverNeeded = TRUE; |
||
| 102 | } |
||
| 103 | } |
||
| 104 | |||
| 105 | if ($caNeeded) { |
||
| 106 | // we need to have info about at least one CA cert and server names |
||
| 107 | if (count($this->expectedCABundle) == 0) { |
||
| 108 | Throw new Exception("Thorough checks for an EAP type needing CAs were requested, but the required parameters were not given."); |
||
| 109 | } else { |
||
| 110 | $this->opMode = self::RADIUS_TEST_OPERATION_MODE_THOROUGH; |
||
| 111 | } |
||
| 112 | } |
||
| 113 | |||
| 114 | if ($serverNeeded) { |
||
| 115 | if (count($this->expectedServerNames) == 0) { |
||
| 116 | Throw new Exception("Thorough checks for an EAP type needing server names were requested, but the required parameter was not given."); |
||
| 117 | } else { |
||
| 118 | $this->opMode = self::RADIUS_TEST_OPERATION_MODE_THOROUGH; |
||
| 119 | } |
||
| 120 | } |
||
| 121 | |||
| 122 | $this->loggerInstance->debug(4, "RADIUSTests is in opMode " . $this->opMode . ", parameters were: $realm, $outerUsernameForChecks, " . print_r($supportedEapTypes, true)); |
||
| 123 | $this->loggerInstance->debug(4, print_r($expectedServerNames, true)); |
||
| 124 | $this->loggerInstance->debug(4, print_r($expectedCABundle, true)); |
||
| 125 | |||
| 126 | $this->UDP_reachability_result = []; |
||
| 127 | $this->errorlist = []; |
||
| 128 | $this->languageInstance->setTextDomain($oldlocale); |
||
| 129 | } |
||
| 130 | |||
| 131 | private function printDN($distinguishedName) { |
||
| 132 | $out = ''; |
||
| 133 | foreach (array_reverse($distinguishedName) as $nameType => $nameValue) { // to give an example: "CN" => "some.host.example" |
||
| 134 | if (!is_array($nameValue)) { // single-valued: just a string |
||
| 135 | $nameValue = ["$nameValue"]; // convert it to a multi-value attrib with just one value :-) for unified processing later on |
||
| 136 | } |
||
| 137 | foreach ($nameValue as $oneValue) { |
||
| 138 | if ($out) { |
||
| 139 | $out .= ','; |
||
| 140 | } |
||
| 141 | $out .= "$nameType=$oneValue"; |
||
| 142 | } |
||
| 143 | } |
||
| 144 | return($out); |
||
| 145 | } |
||
| 146 | |||
| 147 | private function printTm($time) { |
||
| 148 | return(gmdate(\DateTime::COOKIE, $time)); |
||
| 149 | } |
||
| 150 | |||
| 151 | /** |
||
| 152 | * This function parses a X.509 server cert and checks if it finds client device incompatibilities |
||
| 153 | * |
||
| 154 | * @param array $servercert the properties of the certificate as returned by processCertificate(), |
||
| 155 | * $servercert is modified, if CRL is defied, it is downloaded and added to the array |
||
| 156 | * incoming_server_names, sAN_DNS and CN array values are also defined |
||
| 157 | * @return array of oddities; the array is empty if everything is fine |
||
| 158 | */ |
||
| 159 | private function propertyCheckServercert(&$servercert) { |
||
| 160 | $this->loggerInstance->debug(5, "SERVER CERT IS: " . print_r($servercert, TRUE)); |
||
| 161 | // we share the same checks as for CAs when it comes to signature algorithm and basicconstraints |
||
| 162 | // so call that function and memorise the outcome |
||
| 163 | $returnarray = $this->propertyCheckIntermediate($servercert, TRUE); |
||
| 164 | $sANlist = []; |
||
| 165 | $sANdns = []; |
||
| 166 | if (!isset($servercert['full_details']['extensions'])) { |
||
| 167 | $returnarray[] = RADIUSTests::CERTPROB_NO_TLS_WEBSERVER_OID; |
||
| 168 | $returnarray[] = RADIUSTests::CERTPROB_NO_CDP_HTTP; |
||
| 169 | } else { // Extensions are present... |
||
| 170 | if (!isset($servercert['full_details']['extensions']['extendedKeyUsage']) || !preg_match("/TLS Web Server Authentication/", $servercert['full_details']['extensions']['extendedKeyUsage'])) { |
||
| 171 | $returnarray[] = RADIUSTests::CERTPROB_NO_TLS_WEBSERVER_OID; |
||
| 172 | } |
||
| 173 | if (isset($servercert['full_details']['extensions']['subjectAltName'])) { |
||
| 174 | $sANlist = explode(", ", $servercert['full_details']['extensions']['subjectAltName']); |
||
| 175 | foreach ($sANlist as $subjectAltName) { |
||
| 176 | if (preg_match("/^DNS:/", $subjectAltName)) { |
||
| 177 | $sANdns[] = substr($subjectAltName, 4); |
||
| 178 | } |
||
| 179 | } |
||
| 180 | } |
||
| 181 | } |
||
| 182 | |||
| 183 | // often, there is only one name, so we store it in an array of one member |
||
| 184 | $commonName = [$servercert['full_details']['subject']['CN']]; |
||
| 185 | // if we got an array of names instead, then that is already an array, so override |
||
| 186 | if (isset($servercert['full_details']['subject']['CN']) && is_array($servercert['full_details']['subject']['CN'])) { |
||
| 187 | $commonName = $servercert['full_details']['subject']['CN']; |
||
| 188 | $returnarray[] = RADIUSTests::CERTPROB_MULTIPLE_CN; |
||
| 189 | } |
||
| 190 | |||
| 191 | $allnames = array_unique(array_merge($commonName, $sANdns)); |
||
| 192 | // check for wildcards |
||
| 193 | // check for real hostnames, and whether there is a wildcard in a name |
||
| 194 | foreach ($allnames as $onename) { |
||
| 195 | if (preg_match("/\*/", $onename)) { |
||
| 196 | $returnarray[] = RADIUSTests::CERTPROB_WILDCARD_IN_NAME; |
||
| 197 | continue; // otherwise we'd ALSO complain that it's not a real hostname |
||
| 198 | } |
||
| 199 | if ($onename != "" && filter_var("foo@" . idn_to_ascii($onename), FILTER_VALIDATE_EMAIL) === FALSE) { |
||
| 200 | $returnarray[] = RADIUSTests::CERTPROB_NOT_A_HOSTNAME; |
||
| 201 | } |
||
| 202 | } |
||
| 203 | $servercert['incoming_server_names'] = $allnames; |
||
| 204 | $servercert['sAN_DNS'] = $sANdns; |
||
| 205 | $servercert['CN'] = $commonName; |
||
| 206 | return $returnarray; |
||
| 207 | } |
||
| 208 | |||
| 209 | /** |
||
| 210 | * This function parses a X.509 intermediate CA cert and checks if it finds client device incompatibilities |
||
| 211 | * |
||
| 212 | * @param array $intermediateCa the properties of the certificate as returned by processCertificate() |
||
| 213 | * @param boolean complain_about_cdp_existence: for intermediates, not having a CDP is less of an issue than for servers. Set the REMARK (..._INTERMEDIATE) flag if not complaining; and _SERVER if so |
||
| 214 | * @return array of oddities; the array is empty if everything is fine |
||
| 215 | */ |
||
| 216 | private function propertyCheckIntermediate(&$intermediateCa, $serverCert = FALSE) { |
||
| 217 | $returnarray = []; |
||
| 218 | if (preg_match("/md5/i", $intermediateCa['full_details']['signatureTypeSN'])) { |
||
| 219 | $returnarray[] = RADIUSTests::CERTPROB_MD5_SIGNATURE; |
||
| 220 | } |
||
| 221 | if (preg_match("/sha1/i", $intermediateCa['full_details']['signatureTypeSN'])) { |
||
| 222 | $returnarray[] = RADIUSTests::CERTPROB_SHA1_SIGNATURE; |
||
| 223 | } |
||
| 224 | $this->loggerInstance->debug(4, "CERT IS: " . print_r($intermediateCa, TRUE)); |
||
| 225 | if ($intermediateCa['basicconstraints_set'] == 0) { |
||
| 226 | $returnarray[] = RADIUSTests::CERTPROB_NO_BASICCONSTRAINTS; |
||
| 227 | } |
||
| 228 | if ($intermediateCa['full_details']['public_key_length'] < 1024) { |
||
| 229 | $returnarray[] = RADIUSTests::CERTPROB_LOW_KEY_LENGTH; |
||
| 230 | } |
||
| 231 | $validFrom = $intermediateCa['full_details']['validFrom_time_t']; |
||
| 232 | $now = time(); |
||
| 233 | $validTo = $intermediateCa['full_details']['validTo_time_t']; |
||
| 234 | if ($validFrom > $now || $validTo < $now) { |
||
| 235 | $returnarray[] = RADIUSTests::CERTPROB_OUTSIDE_VALIDITY_PERIOD; |
||
| 236 | } |
||
| 237 | $addCertCrlResult = $this->addCrltoCert($intermediateCa); |
||
| 238 | if ($addCertCrlResult !== 0 && $serverCert) { |
||
| 239 | $returnarray[] = $addCertCrlResult; |
||
| 240 | } |
||
| 241 | |||
| 242 | return $returnarray; |
||
| 243 | } |
||
| 244 | |||
| 245 | /** |
||
| 246 | * This function returns an array of errors which were encountered in all the tests. |
||
| 247 | * |
||
| 248 | * @return array all the errors |
||
| 249 | */ |
||
| 250 | public function listerrors() { |
||
| 251 | return $this->errorlist; |
||
| 252 | } |
||
| 253 | |||
| 254 | /** |
||
| 255 | * This function performs actual authentication checks with MADE-UP credentials. |
||
| 256 | * Its purpose is to check if a RADIUS server is reachable and speaks EAP. |
||
| 257 | * The function fills array RADIUSTests::UDP_reachability_result[$probeindex] with all check detail |
||
| 258 | * in case more than the return code is needed/wanted by the caller |
||
| 259 | * |
||
| 260 | * @param int $probeindex refers to the specific UDP-host in the config that should be checked |
||
| 261 | * @param boolean $opnameCheck should we check choking on Operator-Name? |
||
| 262 | * @param boolean $frag should we cause UDP fragmentation? (Warning: makes use of Operator-Name!) |
||
| 263 | * @return int returncode |
||
| 264 | */ |
||
| 265 | public function udpReachability($probeindex, $opnameCheck = TRUE, $frag = TRUE) { |
||
| 266 | // for EAP-TLS to be a viable option, we need to pass a random client cert to make eapol_test happy |
||
| 267 | // the following PEM data is one of the SENSE EAPLab client certs (not secret at all) |
||
| 268 | $clientcert = file_get_contents(dirname(__FILE__) . "/clientcert.p12"); |
||
| 269 | if ($clientcert === FALSE) { |
||
| 270 | throw new Exception("A dummy client cert is part of the source distribution, but could not be loaded!"); |
||
| 271 | } |
||
| 272 | // if we are in thorough opMode, use our knowledge for a more clever check |
||
| 273 | // otherwise guess |
||
| 274 | if ($this->opMode == self::RADIUS_TEST_OPERATION_MODE_THOROUGH) { |
||
| 275 | return $this->udpLogin($probeindex, $this->supportedEapTypes[0]->getArrayRep(), $this->outerUsernameForChecks, 'eaplab', $opnameCheck, $frag, $clientcert); |
||
| 276 | } |
||
| 277 | return $this->udpLogin($probeindex, \core\common\EAP::EAPTYPE_ANY, "cat-connectivity-test@" . $this->realm, 'eaplab', $opnameCheck, $frag, $clientcert); |
||
| 278 | } |
||
| 279 | |||
| 280 | /** |
||
| 281 | * There is a CRL Distribution Point URL in the certificate. So download the |
||
| 282 | * CRL and attach it to the cert structure so that we can later find out if |
||
| 283 | * the cert was revoked |
||
| 284 | * @param array $cert by-reference: the cert data we are writing into |
||
| 285 | * @return int result code whether we were successful in retrieving the CRL |
||
| 286 | */ |
||
| 287 | private function addCrltoCert(&$cert) { |
||
| 288 | $crlUrl = []; |
||
| 289 | $returnresult = 0; |
||
| 290 | if (!isset($cert['full_details']['extensions']['crlDistributionPoints'])) { |
||
| 291 | $returnresult = RADIUSTests::CERTPROB_NO_CDP; |
||
| 292 | } else if (!preg_match("/^.*URI\:(http)(.*)$/", str_replace(["\r", "\n"], ' ', $cert['full_details']['extensions']['crlDistributionPoints']), $crlUrl)) { |
||
| 293 | $returnresult = RADIUSTests::CERTPROB_NO_CDP_HTTP; |
||
| 294 | } else { // first and second sub-match is the full URL... check it |
||
| 295 | $crlcontent = \core\common\OutsideComm::downloadFile(trim($crlUrl[1] . $crlUrl[2])); |
||
| 296 | if ($crlcontent === FALSE) { |
||
| 297 | $returnresult = RADIUSTests::CERTPROB_NO_CRL_AT_CDP_URL; |
||
| 298 | } |
||
| 299 | $crlBegin = strpos($crlcontent, "-----BEGIN X509 CRL-----"); |
||
| 300 | if ($crlBegin === FALSE) { |
||
| 301 | $pem = chunk_split(base64_encode($crlcontent), 64, "\n"); |
||
| 302 | $crlcontent = "-----BEGIN X509 CRL-----\n" . $pem . "-----END X509 CRL-----\n"; |
||
| 303 | } |
||
| 304 | $cert['CRL'] = []; |
||
| 305 | $cert['CRL'][] = $crlcontent; |
||
| 306 | } |
||
| 307 | return $returnresult; |
||
| 308 | } |
||
| 309 | |||
| 310 | /** |
||
| 311 | * We don't want to write passwords of the live login test to our logs. Filter them out |
||
| 312 | * @param string $stringToRedact what should be redacted |
||
| 313 | * @param array $inputarray array of strings (outputs of eapol_test command) |
||
| 314 | * @return string[] the output of eapol_test with the password redacted |
||
| 315 | */ |
||
| 316 | private function redact($stringToRedact, $inputarray) { |
||
| 317 | $temparray = preg_replace("/^.*$stringToRedact.*$/", "LINE CONTAINING PASSWORD REDACTED", $inputarray); |
||
| 318 | $hex = bin2hex($stringToRedact); |
||
| 319 | $spaced = ""; |
||
| 320 | $origLength = strlen($hex); |
||
| 321 | for ($i = 1; $i < $origLength; $i++) { |
||
| 322 | if ($i % 2 == 1 && $i != strlen($hex)) { |
||
| 323 | $spaced .= $hex[$i] . " "; |
||
| 324 | } else { |
||
| 325 | $spaced .= $hex[$i]; |
||
| 326 | } |
||
| 327 | } |
||
| 328 | return preg_replace("/$spaced/", " HEX ENCODED PASSWORD REDACTED ", $temparray); |
||
| 329 | } |
||
| 330 | |||
| 331 | /** |
||
| 332 | * Filters eapol_test output and finds out the packet codes out of which the conversation was comprised of |
||
| 333 | * |
||
| 334 | * @param array $inputarray array of strings (outputs of eapol_test command) |
||
| 335 | * @return array the packet codes which were exchanged, in sequence |
||
| 336 | */ |
||
| 337 | private function filterPackettype($inputarray) { |
||
| 338 | $retarray = []; |
||
| 339 | foreach ($inputarray as $line) { |
||
| 340 | if (preg_match("/RADIUS message:/", $line)) { |
||
| 341 | $linecomponents = explode(" ", $line); |
||
| 342 | $packettypeExploded = explode("=", $linecomponents[2]); |
||
| 343 | $packettype = $packettypeExploded[1]; |
||
| 344 | $retarray[] = $packettype; |
||
| 345 | } |
||
| 346 | } |
||
| 347 | return $retarray; |
||
| 348 | } |
||
| 349 | |||
| 350 | const LINEPARSE_CHECK_REJECTIGNORE = 1; |
||
| 351 | const LINEPARSE_CHECK_691 = 2; |
||
| 352 | const LINEPARSE_EAPACK = 3; |
||
| 353 | |||
| 354 | /** |
||
| 355 | * this function checks for various special conditions which can be found |
||
| 356 | * only by parsing eapol_test output line by line. Checks currently |
||
| 357 | * implemented are: |
||
| 358 | * * if the ETLRs sent back an Access-Reject because there appeared to |
||
| 359 | * be a timeout further downstream |
||
| 360 | * * did the server send an MSCHAP Error 691 - Retry Allowed in a Challenge |
||
| 361 | * instead of an outright reject? |
||
| 362 | * * was an EAP method ever acknowledged by both sides during the EAP |
||
| 363 | * conversation |
||
| 364 | * |
||
| 365 | * @param array $inputarray array of strings (outputs of eapol_test command) |
||
| 366 | * @param int $desiredCheck which test should be run (see constants above) |
||
| 367 | * @return boolean returns TRUE if ETLR Reject logic was detected; FALSE if not |
||
| 368 | */ |
||
| 369 | private function checkLineparse($inputarray, $desiredCheck) { |
||
| 370 | foreach ($inputarray as $lineid => $line) { |
||
| 371 | switch ($desiredCheck) { |
||
| 372 | case self::LINEPARSE_CHECK_REJECTIGNORE: |
||
| 373 | if (preg_match("/Attribute 18 (Reply-Message)/", $line) && preg_match("/Reject instead of Ignore at eduroam.org/", $inputarray[$lineid + 1])) { |
||
| 374 | return TRUE; |
||
| 375 | } |
||
| 376 | break; |
||
| 377 | case self::LINEPARSE_CHECK_691: |
||
| 378 | if (preg_match("/MSCHAPV2: error 691/", $line) && preg_match("/MSCHAPV2: retry is allowed/", $inputarray[$lineid + 1])) { |
||
| 379 | return TRUE; |
||
| 380 | } |
||
| 381 | break; |
||
| 382 | case self::LINEPARSE_EAPACK: |
||
| 383 | if (preg_match("/CTRL-EVENT-EAP-PROPOSED-METHOD/", $line) && !preg_match("/NAK$/", $line)) { |
||
| 384 | return TRUE; |
||
| 385 | } |
||
| 386 | break; |
||
| 387 | default: |
||
| 388 | throw new Exception("This lineparse test does not exist."); |
||
| 389 | } |
||
| 390 | } |
||
| 391 | return FALSE; |
||
| 392 | } |
||
| 393 | |||
| 394 | /** |
||
| 395 | * |
||
| 396 | * @param array $eaptype array representation of the EAP type |
||
| 397 | * @param string $inner inner username |
||
| 398 | * @param string $outer outer username |
||
| 399 | * @param string $password the password |
||
| 400 | * @return string[] [0] is the actual config for wpa_supplicant, [1] is a redacted version for logs |
||
| 401 | */ |
||
| 402 | private function wpaSupplicantConfig(array $eaptype, string $inner, string $outer, string $password) { |
||
| 403 | $eapText = \core\common\EAP::eapDisplayName($eaptype); |
||
| 404 | $config = ' |
||
| 405 | network={ |
||
| 406 | ssid="' . CONFIG['APPEARANCE']['productname'] . ' testing" |
||
| 407 | key_mgmt=WPA-EAP |
||
| 408 | proto=WPA2 |
||
| 409 | pairwise=CCMP |
||
| 410 | group=CCMP |
||
| 411 | '; |
||
| 412 | // phase 1 |
||
| 413 | $config .= 'eap=' . $eapText['OUTER'] . "\n"; |
||
| 414 | $logConfig = $config; |
||
| 415 | // phase 2 if applicable; all inner methods have passwords |
||
| 416 | if (isset($eapText['INNER']) && $eapText['INNER'] != "") { |
||
| 417 | $config .= ' phase2="auth=' . $eapText['INNER'] . "\"\n"; |
||
| 418 | $logConfig .= ' phase2="auth=' . $eapText['INNER'] . "\"\n"; |
||
| 419 | } |
||
| 420 | // all methods set a password, except EAP-TLS |
||
| 421 | if ($eaptype != \core\common\EAP::EAPTYPE_TLS) { |
||
| 422 | $config .= " password=\"$password\"\n"; |
||
| 423 | $logConfig .= " password=\"not logged for security reasons\"\n"; |
||
| 424 | } |
||
| 425 | // for methods with client certs, add a client cert config block |
||
| 426 | if ($eaptype == \core\common\EAP::EAPTYPE_TLS || $eaptype == \core\common\EAP::EAPTYPE_ANY) { |
||
| 427 | $config .= " private_key=\"./client.p12\"\n"; |
||
| 428 | $logConfig .= " private_key=\"./client.p12\"\n"; |
||
| 429 | $config .= " private_key_passwd=\"$password\"\n"; |
||
| 430 | $logConfig .= " private_key_passwd=\"not logged for security reasons\"\n"; |
||
| 431 | } |
||
| 432 | |||
| 433 | // inner identity |
||
| 434 | $config .= ' identity="' . $inner . "\"\n"; |
||
| 435 | $logConfig .= ' identity="' . $inner . "\"\n"; |
||
| 436 | // outer identity, may be equal |
||
| 437 | $config .= ' anonymous_identity="' . $outer . "\"\n"; |
||
| 438 | $logConfig .= ' anonymous_identity="' . $outer . "\"\n"; |
||
| 439 | // done |
||
| 440 | $config .= "}"; |
||
| 441 | $logConfig .= "}"; |
||
| 442 | |||
| 443 | return [$config, $logConfig]; |
||
| 444 | } |
||
| 445 | |||
| 446 | private function packetCountEvaluation(&$testresults, $packetcount) { |
||
| 447 | $reqs = $packetcount[1] ?? 0; |
||
| 448 | $accepts = $packetcount[2] ?? 0; |
||
| 449 | $rejects = $packetcount[3] ?? 0; |
||
| 450 | $challenges = $packetcount[11] ?? 0; |
||
| 451 | $testresults['packetflow_sane'] = TRUE; |
||
| 452 | if ($reqs - $accepts - $rejects - $challenges != 0 || $accepts > 1 || $rejects > 1) { |
||
| 453 | $testresults['packetflow_sane'] = FALSE; |
||
| 454 | } |
||
| 455 | |||
| 456 | $this->loggerInstance->debug(5, "XYZ: Counting req, acc, rej, chal: $reqs, $accepts, $rejects, $challenges"); |
||
| 457 | |||
| 458 | // calculate the main return values that this test yielded |
||
| 459 | |||
| 460 | $finalretval = RADIUSTests::RETVAL_INVALID; |
||
| 461 | if ($accepts + $rejects == 0) { // no final response. hm. |
||
| 462 | if ($challenges > 0) { // but there was an Access-Challenge |
||
| 463 | $finalretval = RADIUSTests::RETVAL_SERVER_UNFINISHED_COMM; |
||
| 464 | } else { |
||
| 465 | $finalretval = RADIUSTests::RETVAL_NO_RESPONSE; |
||
| 466 | } |
||
| 467 | } else // either an accept or a reject |
||
| 468 | // rejection without EAP is fishy |
||
| 469 | if ($rejects > 0) { |
||
| 470 | if ($challenges == 0) { |
||
| 471 | $finalretval = RADIUSTests::RETVAL_IMMEDIATE_REJECT; |
||
| 472 | } else { // i.e. if rejected with challenges |
||
| 473 | $finalretval = RADIUSTests::RETVAL_CONVERSATION_REJECT; |
||
| 474 | } |
||
| 475 | } else if ($accepts > 0) { |
||
| 476 | $finalretval = RADIUSTests::RETVAL_OK; |
||
| 477 | } |
||
| 478 | |||
| 479 | return $finalretval; |
||
| 480 | } |
||
| 481 | |||
| 482 | /** |
||
| 483 | * generate an eapol_test command-line config for the fixed config filename |
||
| 484 | * ./udp_login_test.conf |
||
| 485 | * @param int $probeindex number of the probe to check against |
||
| 486 | * @param boolean $opName include Operator-Name in request? |
||
| 487 | * @param boolean $frag make request so large that fragmentation is needed? |
||
| 488 | * @return string the command-line for eapol_test |
||
| 489 | */ |
||
| 490 | private function eapolTestConfig($probeindex, $opName, $frag) { |
||
| 491 | $cmdline = CONFIG_DIAGNOSTICS['PATHS']['eapol_test'] . |
||
| 492 | " -a " . CONFIG_DIAGNOSTICS['RADIUSTESTS']['UDP-hosts'][$probeindex]['ip'] . |
||
| 493 | " -s " . CONFIG_DIAGNOSTICS['RADIUSTESTS']['UDP-hosts'][$probeindex]['secret'] . |
||
| 494 | " -o serverchain.pem" . |
||
| 495 | " -c ./udp_login_test.conf" . |
||
| 496 | " -M 22:44:66:CA:20:" . sprintf("%02d", $probeindex) . " " . |
||
| 497 | " -t " . CONFIG_DIAGNOSTICS['RADIUSTESTS']['UDP-hosts'][$probeindex]['timeout'] . " "; |
||
| 498 | if ($opName) { |
||
| 499 | $cmdline .= '-N126:s:"1cat.eduroam.org" '; |
||
| 500 | } |
||
| 501 | if ($frag) { |
||
| 502 | for ($i = 0; $i < 6; $i++) { // 6 x 250 bytes means UDP fragmentation will occur - good! |
||
| 503 | $cmdline .= '-N26:x:0000625A0BF961616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161 '; |
||
| 504 | } |
||
| 505 | } |
||
| 506 | return $cmdline; |
||
| 507 | } |
||
| 508 | |||
| 509 | private function thoroughChainChecks(&$testresults, &$intermOdditiesCAT, $tmpDir, $servercert, $eapIntermediates, $eapIntermediateCRLs) { |
||
| 510 | |||
| 511 | // collect CA certificates, both the incoming EAP chain and from CAT config |
||
| 512 | // Write the root CAs into a trusted root CA dir |
||
| 513 | // and intermediate and first server cert into a PEM file |
||
| 514 | // for later chain validation |
||
| 515 | |||
| 516 | if (!mkdir($tmpDir . "/root-ca-allcerts/", 0700, true)) { |
||
| 517 | throw new Exception("unable to create root CA directory (RADIUS Tests): $tmpDir/root-ca-allcerts/\n"); |
||
| 518 | } |
||
| 519 | if (!mkdir($tmpDir . "/root-ca-eaponly/", 0700, true)) { |
||
| 520 | throw new Exception("unable to create root CA directory (RADIUS Tests): $tmpDir/root-ca-eaponly/\n"); |
||
| 521 | } |
||
| 522 | |||
| 523 | // make a copy of the EAP-received chain and add the configured intermediates, if any |
||
| 524 | $catIntermediates = []; |
||
| 525 | $catRoots = []; |
||
| 526 | foreach ($this->expectedCABundle as $oneCA) { |
||
| 527 | $x509 = new \core\common\X509(); |
||
| 528 | $decoded = $x509->processCertificate($oneCA); |
||
| 529 | if ($decoded === FALSE) { |
||
| 530 | throw new Exception("Unable to parse an expected CA certificate."); |
||
| 531 | } |
||
| 532 | if ($decoded['ca'] == 1) { |
||
| 533 | if ($decoded['root'] == 1) { // save CAT roots to the root directory |
||
| 534 | file_put_contents($tmpDir . "/root-ca-eaponly/configuredroot" . count($catRoots) . ".pem", $decoded['pem']); |
||
| 535 | file_put_contents($tmpDir . "/root-ca-allcerts/configuredroot" . count($catRoots) . ".pem", $decoded['pem']); |
||
| 536 | $catRoots[] = $decoded['pem']; |
||
| 537 | } else { // save the intermediates to allcerts directory |
||
| 538 | file_put_contents($tmpDir . "/root-ca-allcerts/cat-intermediate" . count($catIntermediates) . ".pem", $decoded['pem']); |
||
| 539 | $intermOdditiesCAT = array_merge($intermOdditiesCAT, $this->propertyCheckIntermediate($decoded)); |
||
| 540 | if (isset($decoded['CRL']) && isset($decoded['CRL'][0])) { |
||
| 541 | $this->loggerInstance->debug(4, "got an intermediate CRL; adding them to the chain checks. (Remember: checking end-entity cert only, not the whole chain"); |
||
| 542 | file_put_contents($tmpDir . "/root-ca-allcerts/crl_cat" . count($catIntermediates) . ".pem", $decoded['CRL'][0]); |
||
| 543 | } |
||
| 544 | $catIntermediates[] = $decoded['pem']; |
||
| 545 | } |
||
| 546 | } |
||
| 547 | } |
||
| 548 | // save all intermediate certificates and CRLs to separate files in |
||
| 549 | // both root-ca directories |
||
| 550 | foreach ($eapIntermediates as $index => $onePem) { |
||
| 551 | file_put_contents($tmpDir . "/root-ca-eaponly/intermediate$index.pem", $onePem); |
||
| 552 | file_put_contents($tmpDir . "/root-ca-allcerts/intermediate$index.pem", $onePem); |
||
| 553 | } |
||
| 554 | foreach ($eapIntermediateCRLs as $index => $onePem) { |
||
| 555 | file_put_contents($tmpDir . "/root-ca-eaponly/intermediateCRL$index.pem", $onePem); |
||
| 556 | file_put_contents($tmpDir . "/root-ca-allcerts/intermediateCRL$index.pem", $onePem); |
||
| 557 | } |
||
| 558 | |||
| 559 | $checkstring = ""; |
||
| 560 | if (isset($servercert['CRL']) && isset($servercert['CRL'][0])) { |
||
| 561 | $this->loggerInstance->debug(4, "got a server CRL; adding them to the chain checks. (Remember: checking end-entity cert only, not the whole chain"); |
||
| 562 | $checkstring = "-crl_check_all"; |
||
| 563 | file_put_contents($tmpDir . "/root-ca-eaponly/crl-server.pem", $servercert['CRL'][0]); |
||
| 564 | file_put_contents($tmpDir . "/root-ca-allcerts/crl-server.pem", $servercert['CRL'][0]); |
||
| 565 | } |
||
| 566 | |||
| 567 | |||
| 568 | // now c_rehash the root CA directory ... |
||
| 569 | system(CONFIG_DIAGNOSTICS['PATHS']['c_rehash'] . " $tmpDir/root-ca-eaponly/ > /dev/null"); |
||
| 570 | system(CONFIG_DIAGNOSTICS['PATHS']['c_rehash'] . " $tmpDir/root-ca-allcerts/ > /dev/null"); |
||
| 571 | |||
| 572 | // ... and run the verification test |
||
| 573 | $verifyResultEaponly = []; |
||
| 574 | $verifyResultAllcerts = []; |
||
| 575 | // the error log will complain if we run this test against an empty file of certs |
||
| 576 | // so test if there's something PEMy in the file at all |
||
| 577 | if (filesize("$tmpDir/incomingserver.pem") > 10) { |
||
| 578 | exec(CONFIG['PATHS']['openssl'] . " verify $checkstring -CApath $tmpDir/root-ca-eaponly/ -purpose any $tmpDir/incomingserver.pem", $verifyResultEaponly); |
||
| 579 | $this->loggerInstance->debug(4, CONFIG['PATHS']['openssl'] . " verify $checkstring -CApath $tmpDir/root-ca-eaponly/ -purpose any $tmpDir/incomingserver.pem\n"); |
||
| 580 | $this->loggerInstance->debug(4, "Chain verify pass 1: " . print_r($verifyResultEaponly, TRUE) . "\n"); |
||
| 581 | exec(CONFIG['PATHS']['openssl'] . " verify $checkstring -CApath $tmpDir/root-ca-allcerts/ -purpose any $tmpDir/incomingserver.pem", $verifyResultAllcerts); |
||
| 582 | $this->loggerInstance->debug(4, CONFIG['PATHS']['openssl'] . " verify $checkstring -CApath $tmpDir/root-ca-allcerts/ -purpose any $tmpDir/incomingserver.pem\n"); |
||
| 583 | $this->loggerInstance->debug(4, "Chain verify pass 2: " . print_r($verifyResultAllcerts, TRUE) . "\n"); |
||
| 584 | } |
||
| 585 | |||
| 586 | |||
| 587 | // now we do certificate verification against the collected parents |
||
| 588 | // this is done first for the server and then for each of the intermediate CAs |
||
| 589 | // any oddities observed will |
||
| 590 | // openssl should havd returned exactly one line of output, |
||
| 591 | // and it should have ended with the string "OK", anything else is fishy |
||
| 592 | // The result can also be an empty array - this means there were no |
||
| 593 | // certificates to check. Don't complain about chain validation errors |
||
| 594 | // in that case. |
||
| 595 | // we have the following test result possibilities: |
||
| 596 | // 1. test against allcerts failed |
||
| 597 | // 2. test against allcerts succeded, but against eaponly failed - warn admin |
||
| 598 | // 3. test against eaponly succeded, in this case critical errors about expired certs |
||
| 599 | // need to be changed to notices, since these certs obviously do tot participate |
||
| 600 | // in server certificate validation. |
||
| 601 | if (count($verifyResultAllcerts) == 0 || count($verifyResultEaponly) == 0) { |
||
| 602 | throw new Exception("No output at all from openssl?"); |
||
| 603 | } |
||
| 604 | if (!preg_match("/OK$/", $verifyResultAllcerts[0])) { // case 1 |
||
| 605 | if (preg_match("/certificate revoked$/", $verifyResultAllcerts[1])) { |
||
| 606 | $testresults['cert_oddities'][] = RADIUSTests::CERTPROB_SERVER_CERT_REVOKED; |
||
| 607 | } elseif (preg_match("/unable to get certificate CRL/", $verifyResultAllcerts[1])) { |
||
| 608 | $testresults['cert_oddities'][] = RADIUSTests::CERTPROB_UNABLE_TO_GET_CRL; |
||
| 609 | } else { |
||
| 610 | $testresults['cert_oddities'][] = RADIUSTests::CERTPROB_TRUST_ROOT_NOT_REACHED; |
||
| 611 | } |
||
| 612 | return 1; |
||
| 613 | } |
||
| 614 | if (!preg_match("/OK$/", $verifyResultEaponly[0])) { // case 2 |
||
| 615 | if (preg_match("/certificate revoked$/", $verifyResultEaponly[1])) { |
||
| 616 | $testresults['cert_oddities'][] = RADIUSTests::CERTPROB_SERVER_CERT_REVOKED; |
||
| 617 | } elseif (preg_match("/unable to get certificate CRL/", $verifyResultEaponly[1])) { |
||
| 618 | $testresults['cert_oddities'][] = RADIUSTests::CERTPROB_UNABLE_TO_GET_CRL; |
||
| 619 | } else { |
||
| 620 | $testresults['cert_oddities'][] = RADIUSTests::CERTPROB_TRUST_ROOT_REACHED_ONLY_WITH_OOB_INTERMEDIATES; |
||
| 621 | } |
||
| 622 | return 2; |
||
| 623 | } |
||
| 624 | return 3; |
||
| 625 | } |
||
| 626 | |||
| 627 | private function thoroughNameChecks($servercert, &$testresults) { |
||
| 628 | // check the incoming hostname (both Subject:CN and subjectAltName:DNS |
||
| 629 | // against what is configured in the profile; it's a significant error |
||
| 630 | // if there is no match! |
||
| 631 | // FAIL if none of the configured names show up in the server cert |
||
| 632 | // WARN if the configured name is only in either CN or sAN:DNS |
||
| 633 | // Strategy for checks: we are TOTALLY happy if any one of the |
||
| 634 | // configured names shows up in both the CN and a sAN |
||
| 635 | // This is the primary check. |
||
| 636 | // If that was not the case, we are PARTIALLY happy if any one of |
||
| 637 | // the configured names was in either of the CN or sAN lists. |
||
| 638 | // we are UNHAPPY if no names match! |
||
| 639 | |||
| 640 | $happiness = "UNHAPPY"; |
||
| 641 | foreach ($this->expectedServerNames as $expectedName) { |
||
| 642 | $this->loggerInstance->debug(4, "Managing expectations for $expectedName: " . print_r($servercert['CN'], TRUE) . print_r($servercert['sAN_DNS'], TRUE)); |
||
| 643 | if (array_search($expectedName, $servercert['CN']) !== FALSE && array_search($expectedName, $servercert['sAN_DNS']) !== FALSE) { |
||
| 644 | $this->loggerInstance->debug(4, "Totally happy!"); |
||
| 645 | $happiness = "TOTALLY"; |
||
| 646 | break; |
||
| 647 | } else { |
||
| 648 | if (array_search($expectedName, $servercert['CN']) !== FALSE || array_search($expectedName, $servercert['sAN_DNS']) !== FALSE) { |
||
| 649 | $happiness = "PARTIALLY"; |
||
| 650 | // keep trying with other expected names! We could be happier! |
||
| 651 | } |
||
| 652 | } |
||
| 653 | } |
||
| 654 | switch ($happiness) { |
||
| 655 | case "UNHAPPY": |
||
| 656 | $testresults['cert_oddities'][] = RADIUSTests::CERTPROB_SERVER_NAME_MISMATCH; |
||
| 657 | return; |
||
| 658 | case "PARTIALLY": |
||
| 659 | $testresults['cert_oddities'][] = RADIUSTests::CERTPROB_SERVER_NAME_PARTIAL_MATCH; |
||
| 660 | return; |
||
| 661 | default: // nothing to complain about! |
||
| 662 | return; |
||
| 663 | } |
||
| 664 | } |
||
| 665 | |||
| 666 | private function executeEapolTest($tmpDir, $probeindex, $eaptype, $innerUser, $password, $opnameCheck, $frag) { |
||
| 667 | $finalInner = $innerUser; |
||
| 668 | $finalOuter = $this->outerUsernameForChecks; |
||
| 669 | |||
| 670 | $theconfigs = $this->wpaSupplicantConfig($eaptype, $finalInner, $finalOuter, $password); |
||
| 671 | // the config intentionally does not include CA checking. We do this |
||
| 672 | // ourselves after getting the chain with -o. |
||
| 673 | file_put_contents($tmpDir . "/udp_login_test.conf", $theconfigs[0]); |
||
| 674 | |||
| 675 | $cmdline = $this->eapolTestConfig($probeindex, $opnameCheck, $frag); |
||
| 676 | $this->loggerInstance->debug(4, "Shallow reachability check cmdline: $cmdline\n"); |
||
| 677 | $this->loggerInstance->debug(4, "Shallow reachability check config: $tmpDir\n" . $theconfigs[1] . "\n"); |
||
| 678 | $time_start = microtime(true); |
||
| 679 | $pflow = []; |
||
| 680 | exec($cmdline, $pflow); |
||
| 681 | if ($pflow === NULL) { |
||
| 682 | throw new Exception("The output of an exec() call really can't be NULL!"); |
||
| 683 | } |
||
| 684 | $time_stop = microtime(true); |
||
| 685 | $this->loggerInstance->debug(5, print_r($this->redact($password, $pflow), TRUE)); |
||
| 686 | return [ |
||
| 687 | "time" => ($time_stop - $time_start) * 1000, |
||
| 688 | "output" => $pflow, |
||
| 689 | ]; |
||
| 690 | } |
||
| 691 | |||
| 692 | /** |
||
| 693 | * The big Guy. This performs an actual login with EAP and records how far |
||
| 694 | * it got and what oddities were observed along the way |
||
| 695 | * @param int $probeindex the probe we are connecting to (as set in product config) |
||
| 696 | * @param array $eaptype EAP type to use for connection |
||
| 697 | * @param string $innerUser inner username to try |
||
| 698 | * @param string $password password to try |
||
| 699 | * @param boolean $opnameCheck whether or not we check with Operator-Name set |
||
| 700 | * @param boolean $frag whether or not we check with an oversized packet forcing fragmentation |
||
| 701 | * @param string $clientcertdata client certificate credential to try |
||
| 702 | * @return int overall return code of the login test |
||
| 703 | * @throws Exception |
||
| 704 | */ |
||
| 705 | public function udpLogin($probeindex, $eaptype, $innerUser, $password, $opnameCheck = TRUE, $frag = TRUE, $clientcertdata = NULL) { |
||
| 706 | |||
| 707 | /** preliminaries */ |
||
| 708 | $eapText = \core\common\EAP::eapDisplayName($eaptype); |
||
| 709 | // no host to send probes to? Nothing to do then |
||
| 710 | if (!isset(CONFIG_DIAGNOSTICS['RADIUSTESTS']['UDP-hosts'][$probeindex])) { |
||
| 711 | $this->UDP_reachability_executed = RADIUSTests::RETVAL_NOTCONFIGURED; |
||
| 712 | return RADIUSTests::RETVAL_NOTCONFIGURED; |
||
| 713 | } |
||
| 714 | // if we need client certs but don't have one, return |
||
| 715 | if (($eaptype == \core\common\EAP::EAPTYPE_ANY || $eaptype == \core\common\EAP::EAPTYPE_TLS) && $clientcertdata === NULL) { |
||
| 716 | $this->UDP_reachability_executed = RADIUSTests::RETVAL_NOTCONFIGURED; |
||
| 717 | return RADIUSTests::RETVAL_NOTCONFIGURED; |
||
| 718 | } |
||
| 719 | // if we don't have a string for outer EAP method name, give up |
||
| 720 | if (!isset($eapText['OUTER'])) { |
||
| 721 | $this->UDP_reachability_executed = RADIUSTests::RETVAL_NOTCONFIGURED; |
||
| 722 | return RADIUSTests::RETVAL_NOTCONFIGURED; |
||
| 723 | } |
||
| 724 | // we will need a config blob for wpa_supplicant, in a temporary directory |
||
| 725 | $temporary = $this->createTemporaryDirectory('test'); |
||
| 726 | $tmpDir = $temporary['dir']; |
||
| 727 | chdir($tmpDir); |
||
| 728 | $this->loggerInstance->debug(4, "temp dir: $tmpDir\n"); |
||
| 729 | if ($clientcertdata !== NULL) { |
||
| 730 | file_put_contents($tmpDir . "/client.p12", $clientcertdata); |
||
| 731 | } |
||
| 732 | |||
| 733 | /** execute RADIUS/EAP converation */ |
||
| 734 | $testresults = []; |
||
| 735 | $runtime_results = $this->executeEapolTest($tmpDir, $probeindex, $eaptype, $innerUser, $password, $opnameCheck, $frag); |
||
| 736 | |||
| 737 | $testresults['time_millisec'] = $runtime_results['time']; |
||
| 738 | $packetflow_orig = $runtime_results['output']; |
||
| 739 | |||
| 740 | $packetflow = $this->filterPackettype($packetflow_orig); |
||
| 741 | |||
| 742 | |||
| 743 | // when MS-CHAPv2 allows retry, we never formally get a reject (just a |
||
| 744 | // Challenge that PW was wrong but and we should try a different one; |
||
| 745 | // but that effectively is a reject |
||
| 746 | // so change the flow results to take that into account |
||
| 747 | if ($packetflow[count($packetflow) - 1] == 11 && $this->checkLineparse($packetflow_orig, self::LINEPARSE_CHECK_691)) { |
||
| 748 | $packetflow[count($packetflow) - 1] = 3; |
||
| 749 | } |
||
| 750 | // also, the ETLRs sometimes send a reject when the server is not |
||
| 751 | // responding. This should not be considered a real reject; it's a middle |
||
| 752 | // box unduly altering the end-to-end result. Do not consider this final |
||
| 753 | // Reject if it comes from ETLR |
||
| 754 | if ($packetflow[count($packetflow) - 1] == 3 && $this->checkLineparse($packetflow_orig, self::LINEPARSE_CHECK_REJECTIGNORE)) { |
||
| 755 | array_pop($packetflow); |
||
| 756 | } |
||
| 757 | $this->loggerInstance->debug(5, "Packetflow: " . print_r($packetflow, TRUE)); |
||
| 758 | $packetcount = array_count_values($packetflow); |
||
| 759 | $testresults['packetcount'] = $packetcount; |
||
| 760 | $testresults['packetflow'] = $packetflow; |
||
| 761 | |||
| 762 | // calculate packet counts and see what the overall flow was |
||
| 763 | $finalretval = $this->packetCountEvaluation($testresults, $packetcount); |
||
| 764 | |||
| 765 | // only to make sure we've defined this in all code paths |
||
| 766 | // not setting it has no real-world effect, but Scrutinizer mocks |
||
| 767 | $ackedmethod = FALSE; |
||
| 768 | $testresults['cert_oddities'] = []; |
||
| 769 | if ($finalretval == RADIUSTests::RETVAL_CONVERSATION_REJECT) { |
||
| 770 | $ackedmethod = $this->checkLineparse($packetflow_orig, self::LINEPARSE_EAPACK); |
||
| 771 | if (!$ackedmethod) { |
||
| 772 | $testresults['cert_oddities'][] = RADIUSTests::CERTPROB_NO_COMMON_EAP_METHOD; |
||
| 773 | } |
||
| 774 | } |
||
| 775 | |||
| 776 | |||
| 777 | // now let's look at the server cert+chain, if we got a cert at all |
||
| 778 | // that's not the case if we do EAP-pwd or could not negotiate an EAP method at |
||
| 779 | // all |
||
| 780 | if ( |
||
| 781 | $eaptype != \core\common\EAP::EAPTYPE_PWD && |
||
| 782 | (($finalretval == RADIUSTests::RETVAL_CONVERSATION_REJECT && $ackedmethod) || $finalretval == RADIUSTests::RETVAL_OK) |
||
| 783 | ) { |
||
| 784 | |||
| 785 | |||
| 786 | // ALWAYS check: |
||
| 787 | // 1) it is unnecessary to include the root CA itself (adding it has |
||
| 788 | // detrimental effects on performance) |
||
| 789 | // 2) TLS Web Server OID presence (Windows OSes need that) |
||
| 790 | // 3) MD5 signature algorithm (iOS barks if so) |
||
| 791 | // 4) CDP URL (Windows Phone 8 barks if not present) |
||
| 792 | // 5) there should be exactly one server cert in the chain |
||
| 793 | // FOR OWN REALMS check: |
||
| 794 | // 1) does the incoming chain have a root in one of the configured roots |
||
| 795 | // if not, this is a signficant configuration error |
||
| 796 | // return this with one or more of the CERTPROB_ constants (see defs) |
||
| 797 | // TRUST_ROOT_NOT_REACHED |
||
| 798 | // TRUST_ROOT_REACHED_ONLY_WITH_OOB_INTERMEDIATES |
||
| 799 | // then check the presented names |
||
| 800 | $x509 = new \core\common\X509(); |
||
| 801 | // $eap_certarray holds all certs received in EAP conversation |
||
| 802 | $eapCertArray = []; |
||
| 803 | $chainHandle = fopen($tmpDir . "/serverchain.pem", "r"); |
||
| 804 | if ($chainHandle !== FALSE) { |
||
| 805 | $content = fread($chainHandle, "1000000"); |
||
| 806 | if ($content !== FALSE) { |
||
| 807 | $eapCertArray = $x509->splitCertificate($content); |
||
| 808 | } |
||
| 809 | } |
||
| 810 | // we want no root cert, and exactly one server cert |
||
| 811 | $numberRoot = 0; |
||
| 812 | $numberServer = 0; |
||
| 813 | $eapIntermediates = []; |
||
| 814 | $eapIntermediateCRLs = []; |
||
| 815 | $servercert = FALSE; |
||
| 816 | $totallySelfsigned = FALSE; |
||
| 817 | $intermOdditiesEAP = []; |
||
| 818 | |||
| 819 | $testresults['certdata'] = []; |
||
| 820 | |||
| 821 | |||
| 822 | foreach ($eapCertArray as $certPem) { |
||
| 823 | $cert = $x509->processCertificate($certPem); |
||
| 824 | if ($cert == FALSE) { |
||
| 825 | continue; |
||
| 826 | } |
||
| 827 | // consider the certificate a server cert |
||
| 828 | // a) if it is not a CA and is not a self-signed root |
||
| 829 | // b) if it is a CA, and self-signed, and it is the only cert in |
||
| 830 | // the incoming cert chain |
||
| 831 | // (meaning the self-signed is itself the server cert) |
||
| 832 | if (($cert['ca'] == 0 && $cert['root'] != 1) || ($cert['ca'] == 1 && $cert['root'] == 1 && count($eapCertArray) == 1)) { |
||
| 833 | if ($cert['ca'] == 1 && $cert['root'] == 1 && count($eapCertArray) == 1) { |
||
| 834 | $totallySelfsigned = TRUE; |
||
| 835 | $cert['full_details']['type'] = 'totally_selfsigned'; |
||
| 836 | } |
||
| 837 | $numberServer++; |
||
| 838 | |||
| 839 | $servercert = $cert; |
||
| 840 | if ($numberServer == 1) { |
||
| 841 | if (file_put_contents($tmpDir . "/incomingserver.pem", $certPem . "\n") === FALSE) { |
||
| 842 | $this->loggerInstance->debug(4, "The (first) server certificate could not be written to $tmpDir/incomingserver.pem!\n"); |
||
| 843 | } |
||
| 844 | $this->loggerInstance->debug(4, "This is the (first) server certificate, with CRL content if applicable: " . print_r($servercert, true)); |
||
| 845 | } |
||
| 846 | } else |
||
| 847 | if ($cert['root'] == 1) { |
||
| 848 | $numberRoot++; |
||
| 849 | // do not save the root CA, it serves no purpose |
||
| 850 | // chain checks need to be against the UPLOADED CA of the |
||
| 851 | // IdP/profile, not against an EAP-discovered CA |
||
| 852 | } else { |
||
| 853 | $intermOdditiesEAP = array_merge($intermOdditiesEAP, $this->propertyCheckIntermediate($cert)); |
||
| 854 | $eapIntermediates[] = $certPem; |
||
| 855 | |||
| 856 | if (isset($cert['CRL']) && isset($cert['CRL'][0])) { |
||
| 857 | $eapIntermediateCRLs[] = $cert['CRL'][0]; |
||
| 858 | } |
||
| 859 | } |
||
| 860 | $testresults['certdata'][] = $cert['full_details']; |
||
| 861 | } |
||
| 862 | |||
| 863 | if ($numberRoot > 0 && !$totallySelfsigned) { |
||
| 864 | $testresults['cert_oddities'][] = RADIUSTests::CERTPROB_ROOT_INCLUDED; |
||
| 865 | } |
||
| 866 | if ($numberServer > 1) { |
||
| 867 | $testresults['cert_oddities'][] = RADIUSTests::CERTPROB_TOO_MANY_SERVER_CERTS; |
||
| 868 | } |
||
| 869 | if ($numberServer == 0) { |
||
| 870 | $testresults['cert_oddities'][] = RADIUSTests::CERTPROB_NO_SERVER_CERT; |
||
| 871 | } |
||
| 872 | // check server cert properties |
||
| 873 | if ($numberServer > 0) { |
||
| 874 | if ($servercert === FALSE) { |
||
| 875 | throw new Exception("We incremented the numberServer counter and added a certificate. Now it's gone?!"); |
||
| 876 | } |
||
| 877 | $testresults['cert_oddities'] = array_merge($testresults['cert_oddities'], $this->propertyCheckServercert($servercert)); |
||
| 878 | $testresults['incoming_server_names'] = $servercert['incoming_server_names']; |
||
| 879 | } |
||
| 880 | |||
| 881 | // check intermediate ca cert properties |
||
| 882 | // check trust chain for completeness |
||
| 883 | // works only for thorough checks, not shallow, so: |
||
| 884 | $intermOdditiesCAT = []; |
||
| 885 | $verifyResult = 0; |
||
| 886 | |||
| 887 | if ($this->opMode == self::RADIUS_TEST_OPERATION_MODE_THOROUGH) { |
||
| 888 | $verifyResult = $this->thoroughChainChecks($testresults, $intermOdditiesCAT, $tmpDir, $servercert, $eapIntermediates, $eapIntermediateCRLs); |
||
| 889 | $this->thoroughNameChecks($servercert, $testresults); |
||
| 890 | } |
||
| 891 | |||
| 892 | $testresults['cert_oddities'] = array_merge($testresults['cert_oddities'], $intermOdditiesEAP); |
||
| 893 | if (in_array(RADIUSTests::CERTPROB_OUTSIDE_VALIDITY_PERIOD, $intermOdditiesCAT) && $verifyResult == 3) { |
||
| 894 | $key = array_search(RADIUSTests::CERTPROB_OUTSIDE_VALIDITY_PERIOD, $intermOdditiesCAT); |
||
| 895 | $intermOdditiesCAT[$key] = RADIUSTests::CERTPROB_OUTSIDE_VALIDITY_PERIOD_WARN; |
||
| 896 | } |
||
| 897 | |||
| 898 | $testresults['cert_oddities'] = array_merge($testresults['cert_oddities'], $intermOdditiesCAT); |
||
| 899 | |||
| 900 | // mention trust chain failure only if no expired cert was in the chain; otherwise path validation will trivially fail |
||
| 901 | if (in_array(RADIUSTests::CERTPROB_OUTSIDE_VALIDITY_PERIOD, $testresults['cert_oddities'])) { |
||
| 902 | $this->loggerInstance->debug(4, "Deleting trust chain problem report, if present."); |
||
| 903 | if (($key = array_search(RADIUSTests::CERTPROB_TRUST_ROOT_NOT_REACHED, $testresults['cert_oddities'])) !== false) { |
||
| 904 | unset($testresults['cert_oddities'][$key]); |
||
| 905 | } |
||
| 906 | if (($key = array_search(RADIUSTests::CERTPROB_TRUST_ROOT_REACHED_ONLY_WITH_OOB_INTERMEDIATES, $testresults['cert_oddities'])) !== false) { |
||
| 907 | unset($testresults['cert_oddities'][$key]); |
||
| 908 | } |
||
| 909 | } |
||
| 910 | } |
||
| 911 | $this->loggerInstance->debug(4, "UDP_LOGIN\n"); |
||
| 912 | $this->loggerInstance->debug(4, $testresults); |
||
| 913 | $this->loggerInstance->debug(4, "\nEND\n"); |
||
| 914 | $this->UDP_reachability_result[$probeindex] = $testresults; |
||
| 915 | $this->UDP_reachability_executed = $finalretval; |
||
| 916 | return $finalretval; |
||
| 917 | } |
||
| 918 | |||
| 919 | public function consolidateUdpResult($host) { |
||
| 920 | $ret = []; |
||
| 921 | $serverCert = []; |
||
| 922 | $udpResult = $this->UDP_reachability_result[$host]; |
||
| 923 | if (isset($udpResult['certdata']) && count($udpResult['certdata'])) { |
||
| 924 | foreach ($udpResult['certdata'] as $certdata) { |
||
| 925 | if ($certdata['type'] != 'server' && $certdata['type'] != 'totally_selfsigned') { |
||
| 926 | continue; |
||
| 927 | } |
||
| 928 | if (isset($certdata['extensions'])) { |
||
| 929 | foreach ($certdata['extensions'] as $k => $v) { |
||
| 930 | <<<<<<< HEAD |
||
|
Bug
introduced
by
|
|||
| 931 | ======= |
||
| 932 | //error_log('extension '.$k.' '.$certdata['extensions'][$k]); |
||
| 933 | >>>>>>> d0ff55e916bc398b201ef1f455c391cd4e2f9ca9 |
||
| 934 | $certdata['extensions'][$k] = iconv('UTF-8', 'UTF-8//IGNORE', $certdata['extensions'][$k]); |
||
| 935 | } |
||
| 936 | } |
||
| 937 | $serverCert = [ |
||
| 938 | 'subject' => $this->printDN($certdata['subject']), |
||
| 939 | 'issuer' => $this->printDN($certdata['issuer']), |
||
| 940 | 'validFrom' => $this->printTm($certdata['validFrom_time_t']), |
||
| 941 | 'validTo' => $this->printTm($certdata['validTo_time_t']), |
||
| 942 | 'serialNumber' => $certdata['serialNumber'] . sprintf(" (0x%X)", $certdata['serialNumber']), |
||
| 943 | 'sha1' => $certdata['sha1'], |
||
| 944 | 'extensions' => $certdata['extensions'] |
||
| 945 | ]; |
||
| 946 | } |
||
| 947 | } |
||
| 948 | $ret['server_cert'] = $serverCert; |
||
| 949 | $ret['server'] = 0; |
||
| 950 | if (isset($udpResult['incoming_server_names'][0])) { |
||
| 951 | $ret['server'] = sprintf(_("Connected to %s."), $udpResult['incoming_server_names'][0]); |
||
| 952 | } |
||
| 953 | $ret['level'] = \core\common\Entity::L_OK; |
||
| 954 | $ret['time_millisec'] = sprintf("%d", $udpResult['time_millisec']); |
||
| 955 | if (empty($udpResult['cert_oddities'])) { |
||
| 956 | $ret['message'] = _("<strong>Test successful</strong>: a bidirectional RADIUS conversation with multiple round-trips was carried out, and ended in an Access-Reject as planned."); |
||
| 957 | return $ret; |
||
| 958 | } |
||
| 959 | |||
| 960 | $ret['message'] = _("<strong>Test partially successful</strong>: a bidirectional RADIUS conversation with multiple round-trips was carried out, and ended in an Access-Reject as planned. Some properties of the connection attempt were sub-optimal; the list is below."); |
||
| 961 | $ret['cert_oddities'] = []; |
||
| 962 | foreach ($udpResult['cert_oddities'] as $oddity) { |
||
| 963 | $o = []; |
||
| 964 | $o['code'] = $oddity; |
||
| 965 | $o['message'] = isset($this->returnCodes[$oddity]["message"]) && $this->returnCodes[$oddity]["message"] ? $this->returnCodes[$oddity]["message"] : $oddity; |
||
| 966 | $o['level'] = $this->returnCodes[$oddity]["severity"]; |
||
| 967 | $ret['level'] = max($ret['level'], $this->returnCodes[$oddity]["severity"]); |
||
| 968 | $ret['cert_oddities'][] = $o; |
||
| 969 | } |
||
| 970 | |||
| 971 | return $ret; |
||
| 972 | } |
||
| 975 |
Loading history...