|
1
|
|
|
<?php |
|
2
|
|
|
|
|
3
|
|
|
/* |
|
4
|
|
|
* ****************************************************************************** |
|
5
|
|
|
* Copyright 2011-2017 DANTE Ltd. and GÉANT on behalf of the GN3, GN3+, GN4-1 |
|
6
|
|
|
* and GN4-2 consortia |
|
7
|
|
|
* |
|
8
|
|
|
* License: see the web/copyright.php file in the file structure |
|
9
|
|
|
* ****************************************************************************** |
|
10
|
|
|
*/ |
|
11
|
|
|
|
|
12
|
|
|
/** |
|
13
|
|
|
* This file contains code for testing EAP servers |
|
14
|
|
|
* |
|
15
|
|
|
* @author Stefan Winter <[email protected]> |
|
16
|
|
|
* @author Tomasz Wolniewicz <[email protected]> |
|
17
|
|
|
* @author Maja Gorecka-Wolniewicz <[email protected]> |
|
18
|
|
|
* |
|
19
|
|
|
* @package Developer |
|
20
|
|
|
* |
|
21
|
|
|
*/ |
|
22
|
|
|
|
|
23
|
|
|
namespace core\diag; |
|
24
|
|
|
|
|
25
|
|
|
use \Exception; |
|
26
|
|
|
|
|
27
|
|
|
require_once(dirname(dirname(__DIR__)) . "/config/_config.php"); |
|
28
|
|
|
|
|
29
|
|
|
/** |
|
30
|
|
|
* Test suite to verify that an EAP setup is actually working as advertised in |
|
31
|
|
|
* the real world. Can only be used if CONFIG_DIAGNOSTICS['RADIUSTESTS'] is configured. |
|
32
|
|
|
* |
|
33
|
|
|
* @author Stefan Winter <[email protected]> |
|
34
|
|
|
* @author Tomasz Wolniewicz <[email protected]> |
|
35
|
|
|
* |
|
36
|
|
|
* @license see LICENSE file in root directory |
|
37
|
|
|
* |
|
38
|
|
|
* @package Developer |
|
39
|
|
|
*/ |
|
40
|
|
|
class RADIUSTests extends AbstractTest { |
|
41
|
|
|
|
|
42
|
|
|
/** |
|
43
|
|
|
* The variables below maintain state of the result of previous checks. |
|
44
|
|
|
* |
|
45
|
|
|
*/ |
|
46
|
|
|
private $UDP_reachability_executed; |
|
47
|
|
|
private $errorlist; |
|
48
|
|
|
|
|
49
|
|
|
/** |
|
50
|
|
|
* This private variable contains the realm to be checked. Is filled in the |
|
51
|
|
|
* class constructor. |
|
52
|
|
|
* |
|
53
|
|
|
* @var string |
|
54
|
|
|
*/ |
|
55
|
|
|
private $realm; |
|
56
|
|
|
private $outerUsernameForChecks; |
|
57
|
|
|
private $expectedCABundle; |
|
58
|
|
|
private $expectedServerNames; |
|
59
|
|
|
|
|
60
|
|
|
/** |
|
61
|
|
|
* the list of EAP types which the IdP allegedly supports. |
|
62
|
|
|
* |
|
63
|
|
|
* @var array |
|
64
|
|
|
*/ |
|
65
|
|
|
private $supportedEapTypes; |
|
66
|
|
|
private $opMode; |
|
67
|
|
|
public $UDP_reachability_result; |
|
68
|
|
|
|
|
69
|
|
|
const RADIUS_TEST_OPERATION_MODE_SHALLOW = 1; |
|
70
|
|
|
const RADIUS_TEST_OPERATION_MODE_THOROUGH = 2; |
|
71
|
|
|
|
|
72
|
|
|
/** |
|
73
|
|
|
* Constructor for the EAPTests class. The single mandatory parameter is the |
|
74
|
|
|
* realm for which the tests are to be carried out. |
|
75
|
|
|
* |
|
76
|
|
|
* @param string $realm |
|
77
|
|
|
* @param string $outerUsernameForChecks |
|
78
|
|
|
* @param array $supportedEapTypes (array of integer representations of EAP types) |
|
79
|
|
|
* @param array $expectedServerNames (array of strings) |
|
80
|
|
|
* @param array $expectedCABundle (array of PEM blocks) |
|
81
|
|
|
*/ |
|
82
|
|
|
public function __construct($realm, $outerUsernameForChecks, $supportedEapTypes = [], $expectedServerNames = [], $expectedCABundle = []) { |
|
83
|
|
|
parent::__construct(); |
|
84
|
|
|
$oldlocale = $this->languageInstance->setTextDomain('diagnostics'); |
|
85
|
|
|
|
|
86
|
|
|
$this->realm = $realm; |
|
87
|
|
|
$this->outerUsernameForChecks = $outerUsernameForChecks; |
|
88
|
|
|
$this->expectedCABundle = $expectedCABundle; |
|
89
|
|
|
$this->expectedServerNames = $expectedServerNames; |
|
90
|
|
|
$this->supportedEapTypes = $supportedEapTypes; |
|
91
|
|
|
|
|
92
|
|
|
$this->opMode = self::RADIUS_TEST_OPERATION_MODE_SHALLOW; |
|
93
|
|
|
|
|
94
|
|
|
$caNeeded = FALSE; |
|
95
|
|
|
$serverNeeded = FALSE; |
|
96
|
|
|
foreach ($supportedEapTypes as $oneEapType) { |
|
97
|
|
|
if ($oneEapType->needsServerCACert()) { |
|
98
|
|
|
$caNeeded = TRUE; |
|
99
|
|
|
} |
|
100
|
|
|
if ($oneEapType->needsServerName()) { |
|
101
|
|
|
$serverNeeded = TRUE; |
|
102
|
|
|
} |
|
103
|
|
|
} |
|
104
|
|
|
|
|
105
|
|
|
if ($caNeeded) { |
|
106
|
|
|
// we need to have info about at least one CA cert and server names |
|
107
|
|
|
if (count($this->expectedCABundle) == 0) { |
|
108
|
|
|
Throw new Exception("Thorough checks for an EAP type needing CAs were requested, but the required parameters were not given."); |
|
109
|
|
|
} else { |
|
110
|
|
|
$this->opMode = self::RADIUS_TEST_OPERATION_MODE_THOROUGH; |
|
111
|
|
|
} |
|
112
|
|
|
} |
|
113
|
|
|
|
|
114
|
|
|
if ($serverNeeded) { |
|
115
|
|
|
if (count($this->expectedServerNames) == 0) { |
|
116
|
|
|
Throw new Exception("Thorough checks for an EAP type needing server names were requested, but the required parameter was not given."); |
|
117
|
|
|
} else { |
|
118
|
|
|
$this->opMode = self::RADIUS_TEST_OPERATION_MODE_THOROUGH; |
|
119
|
|
|
} |
|
120
|
|
|
} |
|
121
|
|
|
|
|
122
|
|
|
$this->loggerInstance->debug(4, "RADIUSTests is in opMode " . $this->opMode . ", parameters were: $realm, $outerUsernameForChecks, " . print_r($supportedEapTypes, true)); |
|
123
|
|
|
$this->loggerInstance->debug(4, print_r($expectedServerNames, true)); |
|
124
|
|
|
$this->loggerInstance->debug(4, print_r($expectedCABundle, true)); |
|
125
|
|
|
|
|
126
|
|
|
$this->UDP_reachability_result = []; |
|
127
|
|
|
$this->errorlist = []; |
|
128
|
|
|
$this->languageInstance->setTextDomain($oldlocale); |
|
129
|
|
|
} |
|
130
|
|
|
|
|
131
|
|
|
private function printDN($distinguishedName) { |
|
132
|
|
|
$out = ''; |
|
133
|
|
|
foreach (array_reverse($distinguishedName) as $nameType => $nameValue) { // to give an example: "CN" => "some.host.example" |
|
134
|
|
|
if (!is_array($nameValue)) { // single-valued: just a string |
|
135
|
|
|
$nameValue = ["$nameValue"]; // convert it to a multi-value attrib with just one value :-) for unified processing later on |
|
136
|
|
|
} |
|
137
|
|
|
foreach ($nameValue as $oneValue) { |
|
138
|
|
|
if ($out) { |
|
139
|
|
|
$out .= ','; |
|
140
|
|
|
} |
|
141
|
|
|
$out .= "$nameType=$oneValue"; |
|
142
|
|
|
} |
|
143
|
|
|
} |
|
144
|
|
|
return($out); |
|
145
|
|
|
} |
|
146
|
|
|
|
|
147
|
|
|
private function printTm($time) { |
|
148
|
|
|
return(gmdate(\DateTime::COOKIE, $time)); |
|
149
|
|
|
} |
|
150
|
|
|
|
|
151
|
|
|
/** |
|
152
|
|
|
* This function parses a X.509 server cert and checks if it finds client device incompatibilities |
|
153
|
|
|
* |
|
154
|
|
|
* @param array $servercert the properties of the certificate as returned by processCertificate(), |
|
155
|
|
|
* $servercert is modified, if CRL is defied, it is downloaded and added to the array |
|
156
|
|
|
* incoming_server_names, sAN_DNS and CN array values are also defined |
|
157
|
|
|
* @return array of oddities; the array is empty if everything is fine |
|
158
|
|
|
*/ |
|
159
|
|
|
private function propertyCheckServercert(&$servercert) { |
|
160
|
|
|
$this->loggerInstance->debug(5, "SERVER CERT IS: " . print_r($servercert, TRUE)); |
|
161
|
|
|
// we share the same checks as for CAs when it comes to signature algorithm and basicconstraints |
|
162
|
|
|
// so call that function and memorise the outcome |
|
163
|
|
|
$returnarray = $this->propertyCheckIntermediate($servercert, TRUE); |
|
164
|
|
|
$sANdns = []; |
|
165
|
|
|
if (!isset($servercert['full_details']['extensions'])) { |
|
166
|
|
|
$returnarray[] = RADIUSTests::CERTPROB_NO_TLS_WEBSERVER_OID; |
|
167
|
|
|
$returnarray[] = RADIUSTests::CERTPROB_NO_CDP_HTTP; |
|
168
|
|
|
} else { // Extensions are present... |
|
169
|
|
|
if (!isset($servercert['full_details']['extensions']['extendedKeyUsage']) || !preg_match("/TLS Web Server Authentication/", $servercert['full_details']['extensions']['extendedKeyUsage'])) { |
|
170
|
|
|
$returnarray[] = RADIUSTests::CERTPROB_NO_TLS_WEBSERVER_OID; |
|
171
|
|
|
} |
|
172
|
|
|
if (isset($servercert['full_details']['extensions']['subjectAltName'])) { |
|
173
|
|
|
$sANlist = explode(", ", $servercert['full_details']['extensions']['subjectAltName']); |
|
174
|
|
|
foreach ($sANlist as $subjectAltName) { |
|
175
|
|
|
if (preg_match("/^DNS:/", $subjectAltName)) { |
|
176
|
|
|
$sANdns[] = substr($subjectAltName, 4); |
|
177
|
|
|
} |
|
178
|
|
|
} |
|
179
|
|
|
} |
|
180
|
|
|
} |
|
181
|
|
|
|
|
182
|
|
|
// often, there is only one name, so we store it in an array of one member |
|
183
|
|
|
$commonName = [$servercert['full_details']['subject']['CN']]; |
|
184
|
|
|
// if we got an array of names instead, then that is already an array, so override |
|
185
|
|
|
if (isset($servercert['full_details']['subject']['CN']) && is_array($servercert['full_details']['subject']['CN'])) { |
|
186
|
|
|
$commonName = $servercert['full_details']['subject']['CN']; |
|
187
|
|
|
$returnarray[] = RADIUSTests::CERTPROB_MULTIPLE_CN; |
|
188
|
|
|
} |
|
189
|
|
|
|
|
190
|
|
|
$allnames = array_unique(array_merge($commonName, $sANdns)); |
|
191
|
|
|
// check for wildcards |
|
192
|
|
|
// check for real hostnames, and whether there is a wildcard in a name |
|
193
|
|
|
foreach ($allnames as $onename) { |
|
194
|
|
|
if (preg_match("/\*/", $onename)) { |
|
195
|
|
|
$returnarray[] = RADIUSTests::CERTPROB_WILDCARD_IN_NAME; |
|
196
|
|
|
continue; // otherwise we'd ALSO complain that it's not a real hostname |
|
197
|
|
|
} |
|
198
|
|
|
if ($onename != "" && filter_var("foo@" . idn_to_ascii($onename), FILTER_VALIDATE_EMAIL) === FALSE) { |
|
199
|
|
|
$returnarray[] = RADIUSTests::CERTPROB_NOT_A_HOSTNAME; |
|
200
|
|
|
} |
|
201
|
|
|
} |
|
202
|
|
|
$servercert['incoming_server_names'] = $allnames; |
|
203
|
|
|
$servercert['sAN_DNS'] = $sANdns; |
|
204
|
|
|
$servercert['CN'] = $commonName; |
|
205
|
|
|
return $returnarray; |
|
206
|
|
|
} |
|
207
|
|
|
|
|
208
|
|
|
/** |
|
209
|
|
|
* This function parses a X.509 intermediate CA cert and checks if it finds client device incompatibilities |
|
210
|
|
|
* |
|
211
|
|
|
* @param array $intermediateCa the properties of the certificate as returned by processCertificate() |
|
212
|
|
|
* @param boolean complain_about_cdp_existence: for intermediates, not having a CDP is less of an issue than for servers. Set the REMARK (..._INTERMEDIATE) flag if not complaining; and _SERVER if so |
|
213
|
|
|
* @return array of oddities; the array is empty if everything is fine |
|
214
|
|
|
*/ |
|
215
|
|
|
private function propertyCheckIntermediate(&$intermediateCa, $serverCert = FALSE) { |
|
216
|
|
|
$returnarray = []; |
|
217
|
|
|
if (preg_match("/md5/i", $intermediateCa['full_details']['signatureTypeSN'])) { |
|
218
|
|
|
$returnarray[] = RADIUSTests::CERTPROB_MD5_SIGNATURE; |
|
219
|
|
|
} |
|
220
|
|
|
if (preg_match("/sha1/i", $intermediateCa['full_details']['signatureTypeSN'])) { |
|
221
|
|
|
$returnarray[] = RADIUSTests::CERTPROB_SHA1_SIGNATURE; |
|
222
|
|
|
} |
|
223
|
|
|
$this->loggerInstance->debug(4, "CERT IS: " . print_r($intermediateCa, TRUE)); |
|
224
|
|
|
if ($intermediateCa['basicconstraints_set'] == 0) { |
|
225
|
|
|
$returnarray[] = RADIUSTests::CERTPROB_NO_BASICCONSTRAINTS; |
|
226
|
|
|
} |
|
227
|
|
|
if ($intermediateCa['full_details']['public_key_length'] < 1024) { |
|
228
|
|
|
$returnarray[] = RADIUSTests::CERTPROB_LOW_KEY_LENGTH; |
|
229
|
|
|
} |
|
230
|
|
|
$validFrom = $intermediateCa['full_details']['validFrom_time_t']; |
|
231
|
|
|
$now = time(); |
|
232
|
|
|
$validTo = $intermediateCa['full_details']['validTo_time_t']; |
|
233
|
|
|
if ($validFrom > $now || $validTo < $now) { |
|
234
|
|
|
$returnarray[] = RADIUSTests::CERTPROB_OUTSIDE_VALIDITY_PERIOD; |
|
235
|
|
|
} |
|
236
|
|
|
$addCertCrlResult = $this->addCrltoCert($intermediateCa); |
|
237
|
|
|
if ($addCertCrlResult !== 0 && $serverCert) { |
|
238
|
|
|
$returnarray[] = $addCertCrlResult; |
|
239
|
|
|
} |
|
240
|
|
|
|
|
241
|
|
|
return $returnarray; |
|
242
|
|
|
} |
|
243
|
|
|
|
|
244
|
|
|
/** |
|
245
|
|
|
* This function returns an array of errors which were encountered in all the tests. |
|
246
|
|
|
* |
|
247
|
|
|
* @return array all the errors |
|
248
|
|
|
*/ |
|
249
|
|
|
public function listerrors() { |
|
250
|
|
|
return $this->errorlist; |
|
251
|
|
|
} |
|
252
|
|
|
|
|
253
|
|
|
/** |
|
254
|
|
|
* This function performs actual authentication checks with MADE-UP credentials. |
|
255
|
|
|
* Its purpose is to check if a RADIUS server is reachable and speaks EAP. |
|
256
|
|
|
* The function fills array RADIUSTests::UDP_reachability_result[$probeindex] with all check detail |
|
257
|
|
|
* in case more than the return code is needed/wanted by the caller |
|
258
|
|
|
* |
|
259
|
|
|
* @param int $probeindex refers to the specific UDP-host in the config that should be checked |
|
260
|
|
|
* @param boolean $opnameCheck should we check choking on Operator-Name? |
|
261
|
|
|
* @param boolean $frag should we cause UDP fragmentation? (Warning: makes use of Operator-Name!) |
|
262
|
|
|
* @return int returncode |
|
263
|
|
|
*/ |
|
264
|
|
|
public function udpReachability($probeindex, $opnameCheck = TRUE, $frag = TRUE) { |
|
265
|
|
|
// for EAP-TLS to be a viable option, we need to pass a random client cert to make eapol_test happy |
|
266
|
|
|
// the following PEM data is one of the SENSE EAPLab client certs (not secret at all) |
|
267
|
|
|
$clientcert = file_get_contents(dirname(__FILE__) . "/clientcert.p12"); |
|
268
|
|
|
if ($clientcert === FALSE) { |
|
269
|
|
|
throw new Exception("A dummy client cert is part of the source distribution, but could not be loaded!"); |
|
270
|
|
|
} |
|
271
|
|
|
// if we are in thorough opMode, use our knowledge for a more clever check |
|
272
|
|
|
// otherwise guess |
|
273
|
|
|
if ($this->opMode == self::RADIUS_TEST_OPERATION_MODE_THOROUGH) { |
|
274
|
|
|
return $this->udpLogin($probeindex, $this->supportedEapTypes[0]->getArrayRep(), $this->outerUsernameForChecks, 'eaplab', $opnameCheck, $frag, $clientcert); |
|
275
|
|
|
} |
|
276
|
|
|
return $this->udpLogin($probeindex, \core\common\EAP::EAPTYPE_ANY, "cat-connectivity-test@" . $this->realm, 'eaplab', $opnameCheck, $frag, $clientcert); |
|
277
|
|
|
} |
|
278
|
|
|
|
|
279
|
|
|
/** |
|
280
|
|
|
* There is a CRL Distribution Point URL in the certificate. So download the |
|
281
|
|
|
* CRL and attach it to the cert structure so that we can later find out if |
|
282
|
|
|
* the cert was revoked |
|
283
|
|
|
* @param array $cert by-reference: the cert data we are writing into |
|
284
|
|
|
* @return int result code whether we were successful in retrieving the CRL |
|
285
|
|
|
*/ |
|
286
|
|
|
private function addCrltoCert(&$cert) { |
|
287
|
|
|
$crlUrl = []; |
|
288
|
|
|
$returnresult = 0; |
|
289
|
|
|
if (!isset($cert['full_details']['extensions']['crlDistributionPoints'])) { |
|
290
|
|
|
$returnresult = RADIUSTests::CERTPROB_NO_CDP; |
|
291
|
|
|
} else if (!preg_match("/^.*URI\:(http)(.*)$/", str_replace(["\r", "\n"], ' ', $cert['full_details']['extensions']['crlDistributionPoints']), $crlUrl)) { |
|
292
|
|
|
$returnresult = RADIUSTests::CERTPROB_NO_CDP_HTTP; |
|
293
|
|
|
} else { // first and second sub-match is the full URL... check it |
|
294
|
|
|
$crlcontent = \core\common\OutsideComm::downloadFile(trim($crlUrl[1] . $crlUrl[2])); |
|
295
|
|
|
if ($crlcontent === FALSE) { |
|
296
|
|
|
$returnresult = RADIUSTests::CERTPROB_NO_CRL_AT_CDP_URL; |
|
297
|
|
|
} |
|
298
|
|
|
$crlBegin = strpos($crlcontent, "-----BEGIN X509 CRL-----"); |
|
299
|
|
|
if ($crlBegin === FALSE) { |
|
300
|
|
|
$pem = chunk_split(base64_encode($crlcontent), 64, "\n"); |
|
301
|
|
|
$crlcontent = "-----BEGIN X509 CRL-----\n" . $pem . "-----END X509 CRL-----\n"; |
|
302
|
|
|
} |
|
303
|
|
|
$cert['CRL'] = []; |
|
304
|
|
|
$cert['CRL'][] = $crlcontent; |
|
305
|
|
|
} |
|
306
|
|
|
return $returnresult; |
|
307
|
|
|
} |
|
308
|
|
|
|
|
309
|
|
|
/** |
|
310
|
|
|
* We don't want to write passwords of the live login test to our logs. Filter them out |
|
311
|
|
|
* @param string $stringToRedact what should be redacted |
|
312
|
|
|
* @param array $inputarray array of strings (outputs of eapol_test command) |
|
313
|
|
|
* @return string[] the output of eapol_test with the password redacted |
|
314
|
|
|
*/ |
|
315
|
|
|
private function redact($stringToRedact, $inputarray) { |
|
316
|
|
|
$temparray = preg_replace("/^.*$stringToRedact.*$/", "LINE CONTAINING PASSWORD REDACTED", $inputarray); |
|
317
|
|
|
$hex = bin2hex($stringToRedact); |
|
318
|
|
|
$spaced = ""; |
|
319
|
|
|
$origLength = strlen($hex); |
|
320
|
|
|
for ($i = 1; $i < $origLength; $i++) { |
|
321
|
|
|
if ($i % 2 == 1 && $i != strlen($hex)) { |
|
322
|
|
|
$spaced .= $hex[$i] . " "; |
|
323
|
|
|
} else { |
|
324
|
|
|
$spaced .= $hex[$i]; |
|
325
|
|
|
} |
|
326
|
|
|
} |
|
327
|
|
|
return preg_replace("/$spaced/", " HEX ENCODED PASSWORD REDACTED ", $temparray); |
|
328
|
|
|
} |
|
329
|
|
|
|
|
330
|
|
|
/** |
|
331
|
|
|
* Filters eapol_test output and finds out the packet codes out of which the conversation was comprised of |
|
332
|
|
|
* |
|
333
|
|
|
* @param array $inputarray array of strings (outputs of eapol_test command) |
|
334
|
|
|
* @return array the packet codes which were exchanged, in sequence |
|
335
|
|
|
*/ |
|
336
|
|
|
private function filterPackettype($inputarray) { |
|
337
|
|
|
$retarray = []; |
|
338
|
|
|
foreach ($inputarray as $line) { |
|
339
|
|
|
if (preg_match("/RADIUS message:/", $line)) { |
|
340
|
|
|
$linecomponents = explode(" ", $line); |
|
341
|
|
|
$packettypeExploded = explode("=", $linecomponents[2]); |
|
342
|
|
|
$packettype = $packettypeExploded[1]; |
|
343
|
|
|
$retarray[] = $packettype; |
|
344
|
|
|
} |
|
345
|
|
|
} |
|
346
|
|
|
return $retarray; |
|
347
|
|
|
} |
|
348
|
|
|
|
|
349
|
|
|
const LINEPARSE_CHECK_REJECTIGNORE = 1; |
|
350
|
|
|
const LINEPARSE_CHECK_691 = 2; |
|
351
|
|
|
const LINEPARSE_EAPACK = 3; |
|
352
|
|
|
|
|
353
|
|
|
/** |
|
354
|
|
|
* this function checks for various special conditions which can be found |
|
355
|
|
|
* only by parsing eapol_test output line by line. Checks currently |
|
356
|
|
|
* implemented are: |
|
357
|
|
|
* * if the ETLRs sent back an Access-Reject because there appeared to |
|
358
|
|
|
* be a timeout further downstream |
|
359
|
|
|
* * did the server send an MSCHAP Error 691 - Retry Allowed in a Challenge |
|
360
|
|
|
* instead of an outright reject? |
|
361
|
|
|
* * was an EAP method ever acknowledged by both sides during the EAP |
|
362
|
|
|
* conversation |
|
363
|
|
|
* |
|
364
|
|
|
* @param array $inputarray array of strings (outputs of eapol_test command) |
|
365
|
|
|
* @param int $desiredCheck which test should be run (see constants above) |
|
366
|
|
|
* @return boolean returns TRUE if ETLR Reject logic was detected; FALSE if not |
|
367
|
|
|
*/ |
|
368
|
|
|
private function checkLineparse($inputarray, $desiredCheck) { |
|
369
|
|
|
foreach ($inputarray as $lineid => $line) { |
|
370
|
|
|
switch ($desiredCheck) { |
|
371
|
|
|
case self::LINEPARSE_CHECK_REJECTIGNORE: |
|
372
|
|
|
if (preg_match("/Attribute 18 (Reply-Message)/", $line) && preg_match("/Reject instead of Ignore at eduroam.org/", $inputarray[$lineid + 1])) { |
|
373
|
|
|
return TRUE; |
|
374
|
|
|
} |
|
375
|
|
|
break; |
|
376
|
|
|
case self::LINEPARSE_CHECK_691: |
|
377
|
|
|
if (preg_match("/MSCHAPV2: error 691/", $line) && preg_match("/MSCHAPV2: retry is allowed/", $inputarray[$lineid + 1])) { |
|
378
|
|
|
return TRUE; |
|
379
|
|
|
} |
|
380
|
|
|
break; |
|
381
|
|
|
case self::LINEPARSE_EAPACK: |
|
382
|
|
|
if (preg_match("/CTRL-EVENT-EAP-PROPOSED-METHOD/", $line) && !preg_match("/NAK$/", $line)) { |
|
383
|
|
|
return TRUE; |
|
384
|
|
|
} |
|
385
|
|
|
break; |
|
386
|
|
|
default: |
|
387
|
|
|
throw new Exception("This lineparse test does not exist."); |
|
388
|
|
|
} |
|
389
|
|
|
} |
|
390
|
|
|
return FALSE; |
|
391
|
|
|
} |
|
392
|
|
|
|
|
393
|
|
|
/** |
|
394
|
|
|
* |
|
395
|
|
|
* @param array $eaptype array representation of the EAP type |
|
396
|
|
|
* @param string $inner inner username |
|
397
|
|
|
* @param string $outer outer username |
|
398
|
|
|
* @param string $password the password |
|
399
|
|
|
* @return string[] [0] is the actual config for wpa_supplicant, [1] is a redacted version for logs |
|
400
|
|
|
*/ |
|
401
|
|
|
private function wpaSupplicantConfig(array $eaptype, string $inner, string $outer, string $password) { |
|
402
|
|
|
$eapText = \core\common\EAP::eapDisplayName($eaptype); |
|
403
|
|
|
$config = ' |
|
404
|
|
|
network={ |
|
405
|
|
|
ssid="' . CONFIG['APPEARANCE']['productname'] . ' testing" |
|
|
|
|
|
|
406
|
|
|
key_mgmt=WPA-EAP |
|
407
|
|
|
proto=WPA2 |
|
408
|
|
|
pairwise=CCMP |
|
409
|
|
|
group=CCMP |
|
410
|
|
|
'; |
|
411
|
|
|
// phase 1 |
|
412
|
|
|
$config .= 'eap=' . $eapText['OUTER'] . "\n"; |
|
413
|
|
|
$logConfig = $config; |
|
414
|
|
|
// phase 2 if applicable; all inner methods have passwords |
|
415
|
|
|
if (isset($eapText['INNER']) && $eapText['INNER'] != "") { |
|
416
|
|
|
$config .= ' phase2="auth=' . $eapText['INNER'] . "\"\n"; |
|
417
|
|
|
$logConfig .= ' phase2="auth=' . $eapText['INNER'] . "\"\n"; |
|
418
|
|
|
} |
|
419
|
|
|
// all methods set a password, except EAP-TLS |
|
420
|
|
|
if ($eaptype != \core\common\EAP::EAPTYPE_TLS) { |
|
421
|
|
|
$config .= " password=\"$password\"\n"; |
|
422
|
|
|
$logConfig .= " password=\"not logged for security reasons\"\n"; |
|
423
|
|
|
} |
|
424
|
|
|
// for methods with client certs, add a client cert config block |
|
425
|
|
|
if ($eaptype == \core\common\EAP::EAPTYPE_TLS || $eaptype == \core\common\EAP::EAPTYPE_ANY) { |
|
426
|
|
|
$config .= " private_key=\"./client.p12\"\n"; |
|
427
|
|
|
$logConfig .= " private_key=\"./client.p12\"\n"; |
|
428
|
|
|
$config .= " private_key_passwd=\"$password\"\n"; |
|
429
|
|
|
$logConfig .= " private_key_passwd=\"not logged for security reasons\"\n"; |
|
430
|
|
|
} |
|
431
|
|
|
|
|
432
|
|
|
// inner identity |
|
433
|
|
|
$config .= ' identity="' . $inner . "\"\n"; |
|
434
|
|
|
$logConfig .= ' identity="' . $inner . "\"\n"; |
|
435
|
|
|
// outer identity, may be equal |
|
436
|
|
|
$config .= ' anonymous_identity="' . $outer . "\"\n"; |
|
437
|
|
|
$logConfig .= ' anonymous_identity="' . $outer . "\"\n"; |
|
438
|
|
|
// done |
|
439
|
|
|
$config .= "}"; |
|
440
|
|
|
$logConfig .= "}"; |
|
441
|
|
|
|
|
442
|
|
|
return [$config, $logConfig]; |
|
443
|
|
|
} |
|
444
|
|
|
|
|
445
|
|
|
private function packetCountEvaluation(&$testresults, $packetcount) { |
|
446
|
|
|
$reqs = $packetcount[1] ?? 0; |
|
447
|
|
|
$accepts = $packetcount[2] ?? 0; |
|
448
|
|
|
$rejects = $packetcount[3] ?? 0; |
|
449
|
|
|
$challenges = $packetcount[11] ?? 0; |
|
450
|
|
|
$testresults['packetflow_sane'] = TRUE; |
|
451
|
|
|
if ($reqs - $accepts - $rejects - $challenges != 0 || $accepts > 1 || $rejects > 1) { |
|
452
|
|
|
$testresults['packetflow_sane'] = FALSE; |
|
453
|
|
|
} |
|
454
|
|
|
|
|
455
|
|
|
$this->loggerInstance->debug(5, "XYZ: Counting req, acc, rej, chal: $reqs, $accepts, $rejects, $challenges"); |
|
456
|
|
|
|
|
457
|
|
|
// calculate the main return values that this test yielded |
|
458
|
|
|
|
|
459
|
|
|
$finalretval = RADIUSTests::RETVAL_INVALID; |
|
460
|
|
|
if ($accepts + $rejects == 0) { // no final response. hm. |
|
461
|
|
|
if ($challenges > 0) { // but there was an Access-Challenge |
|
462
|
|
|
$finalretval = RADIUSTests::RETVAL_SERVER_UNFINISHED_COMM; |
|
463
|
|
|
} else { |
|
464
|
|
|
$finalretval = RADIUSTests::RETVAL_NO_RESPONSE; |
|
465
|
|
|
} |
|
466
|
|
|
} else // either an accept or a reject |
|
467
|
|
|
// rejection without EAP is fishy |
|
468
|
|
|
if ($rejects > 0) { |
|
469
|
|
|
if ($challenges == 0) { |
|
470
|
|
|
$finalretval = RADIUSTests::RETVAL_IMMEDIATE_REJECT; |
|
471
|
|
|
} else { // i.e. if rejected with challenges |
|
472
|
|
|
$finalretval = RADIUSTests::RETVAL_CONVERSATION_REJECT; |
|
473
|
|
|
} |
|
474
|
|
|
} else if ($accepts > 0) { |
|
475
|
|
|
$finalretval = RADIUSTests::RETVAL_OK; |
|
476
|
|
|
} |
|
477
|
|
|
|
|
478
|
|
|
return $finalretval; |
|
479
|
|
|
} |
|
480
|
|
|
|
|
481
|
|
|
/** |
|
482
|
|
|
* generate an eapol_test command-line config for the fixed config filename |
|
483
|
|
|
* ./udp_login_test.conf |
|
484
|
|
|
* @param int $probeindex number of the probe to check against |
|
485
|
|
|
* @param boolean $opName include Operator-Name in request? |
|
486
|
|
|
* @param boolean $frag make request so large that fragmentation is needed? |
|
487
|
|
|
* @return string the command-line for eapol_test |
|
488
|
|
|
*/ |
|
489
|
|
|
private function eapolTestConfig($probeindex, $opName, $frag) { |
|
490
|
|
|
$cmdline = CONFIG_DIAGNOSTICS['PATHS']['eapol_test'] . |
|
|
|
|
|
|
491
|
|
|
" -a " . CONFIG_DIAGNOSTICS['RADIUSTESTS']['UDP-hosts'][$probeindex]['ip'] . |
|
492
|
|
|
" -s " . CONFIG_DIAGNOSTICS['RADIUSTESTS']['UDP-hosts'][$probeindex]['secret'] . |
|
493
|
|
|
" -o serverchain.pem" . |
|
494
|
|
|
" -c ./udp_login_test.conf" . |
|
495
|
|
|
" -M 22:44:66:CA:20:" . sprintf("%02d", $probeindex) . " " . |
|
496
|
|
|
" -t " . CONFIG_DIAGNOSTICS['RADIUSTESTS']['UDP-hosts'][$probeindex]['timeout'] . " "; |
|
497
|
|
|
if ($opName) { |
|
498
|
|
|
$cmdline .= '-N126:s:"1cat.eduroam.org" '; |
|
499
|
|
|
} |
|
500
|
|
|
if ($frag) { |
|
501
|
|
|
for ($i = 0; $i < 6; $i++) { // 6 x 250 bytes means UDP fragmentation will occur - good! |
|
502
|
|
|
$cmdline .= '-N26:x:0000625A0BF961616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161 '; |
|
503
|
|
|
} |
|
504
|
|
|
} |
|
505
|
|
|
return $cmdline; |
|
506
|
|
|
} |
|
507
|
|
|
|
|
508
|
|
|
private function createCArepository($tmpDir, &$intermOdditiesCAT, $servercert, $eapIntermediates, $eapIntermediateCRLs) { |
|
509
|
|
|
// collect CA certificates, both the incoming EAP chain and from CAT config |
|
510
|
|
|
// Write the root CAs into a trusted root CA dir |
|
511
|
|
|
// and intermediate and first server cert into a PEM file |
|
512
|
|
|
// for later chain validation |
|
513
|
|
|
|
|
514
|
|
|
if (!mkdir($tmpDir . "/root-ca-allcerts/", 0700, true)) { |
|
515
|
|
|
throw new Exception("unable to create root CA directory (RADIUS Tests): $tmpDir/root-ca-allcerts/\n"); |
|
516
|
|
|
} |
|
517
|
|
|
if (!mkdir($tmpDir . "/root-ca-eaponly/", 0700, true)) { |
|
518
|
|
|
throw new Exception("unable to create root CA directory (RADIUS Tests): $tmpDir/root-ca-eaponly/\n"); |
|
519
|
|
|
} |
|
520
|
|
|
// make a copy of the EAP-received chain and add the configured intermediates, if any |
|
521
|
|
|
$catIntermediates = []; |
|
522
|
|
|
$catRoots = []; |
|
523
|
|
|
foreach ($this->expectedCABundle as $oneCA) { |
|
524
|
|
|
$x509 = new \core\common\X509(); |
|
525
|
|
|
$decoded = $x509->processCertificate($oneCA); |
|
526
|
|
|
if ($decoded === FALSE) { |
|
527
|
|
|
throw new Exception("Unable to parse an expected CA certificate."); |
|
528
|
|
|
} |
|
529
|
|
|
if ($decoded['ca'] == 1) { |
|
530
|
|
|
if ($decoded['root'] == 1) { // save CAT roots to the root directory |
|
531
|
|
|
file_put_contents($tmpDir . "/root-ca-eaponly/configuredroot" . count($catRoots) . ".pem", $decoded['pem']); |
|
532
|
|
|
file_put_contents($tmpDir . "/root-ca-allcerts/configuredroot" . count($catRoots) . ".pem", $decoded['pem']); |
|
533
|
|
|
$catRoots[] = $decoded['pem']; |
|
534
|
|
|
} else { // save the intermediates to allcerts directory |
|
535
|
|
|
file_put_contents($tmpDir . "/root-ca-allcerts/cat-intermediate" . count($catIntermediates) . ".pem", $decoded['pem']); |
|
536
|
|
|
$intermOdditiesCAT = array_merge($intermOdditiesCAT, $this->propertyCheckIntermediate($decoded)); |
|
537
|
|
|
if (isset($decoded['CRL']) && isset($decoded['CRL'][0])) { |
|
538
|
|
|
$this->loggerInstance->debug(4, "got an intermediate CRL; adding them to the chain checks. (Remember: checking end-entity cert only, not the whole chain"); |
|
539
|
|
|
file_put_contents($tmpDir . "/root-ca-allcerts/crl_cat" . count($catIntermediates) . ".pem", $decoded['CRL'][0]); |
|
540
|
|
|
} |
|
541
|
|
|
$catIntermediates[] = $decoded['pem']; |
|
542
|
|
|
} |
|
543
|
|
|
} |
|
544
|
|
|
} |
|
545
|
|
|
// save all intermediate certificates and CRLs to separate files in |
|
546
|
|
|
// both root-ca directories |
|
547
|
|
|
foreach ($eapIntermediates as $index => $onePem) { |
|
548
|
|
|
file_put_contents($tmpDir . "/root-ca-eaponly/intermediate$index.pem", $onePem); |
|
549
|
|
|
file_put_contents($tmpDir . "/root-ca-allcerts/intermediate$index.pem", $onePem); |
|
550
|
|
|
} |
|
551
|
|
|
foreach ($eapIntermediateCRLs as $index => $onePem) { |
|
552
|
|
|
file_put_contents($tmpDir . "/root-ca-eaponly/intermediateCRL$index.pem", $onePem); |
|
553
|
|
|
file_put_contents($tmpDir . "/root-ca-allcerts/intermediateCRL$index.pem", $onePem); |
|
554
|
|
|
} |
|
555
|
|
|
|
|
556
|
|
|
$checkstring = ""; |
|
557
|
|
|
if (isset($servercert['CRL']) && isset($servercert['CRL'][0])) { |
|
558
|
|
|
$this->loggerInstance->debug(4, "got a server CRL; adding them to the chain checks. (Remember: checking end-entity cert only, not the whole chain"); |
|
559
|
|
|
$checkstring = "-crl_check_all"; |
|
560
|
|
|
file_put_contents($tmpDir . "/root-ca-eaponly/crl-server.pem", $servercert['CRL'][0]); |
|
561
|
|
|
file_put_contents($tmpDir . "/root-ca-allcerts/crl-server.pem", $servercert['CRL'][0]); |
|
562
|
|
|
} |
|
563
|
|
|
|
|
564
|
|
|
|
|
565
|
|
|
// now c_rehash the root CA directory ... |
|
566
|
|
|
system(CONFIG_DIAGNOSTICS['PATHS']['c_rehash'] . " $tmpDir/root-ca-eaponly/ > /dev/null"); |
|
|
|
|
|
|
567
|
|
|
system(CONFIG_DIAGNOSTICS['PATHS']['c_rehash'] . " $tmpDir/root-ca-allcerts/ > /dev/null"); |
|
568
|
|
|
return $checkstring; |
|
569
|
|
|
} |
|
570
|
|
|
|
|
571
|
|
|
private function thoroughChainChecks(&$testresults, &$intermOdditiesCAT, $tmpDir, $servercert, $eapIntermediates, $eapIntermediateCRLs) { |
|
572
|
|
|
|
|
573
|
|
|
$crlCheckString = $this->createCArepository($tmpDir, $intermOdditiesCAT, $servercert, $eapIntermediates, $eapIntermediateCRLs); |
|
574
|
|
|
|
|
575
|
|
|
// ... and run the verification test |
|
576
|
|
|
$verifyResultEaponly = []; |
|
577
|
|
|
$verifyResultAllcerts = []; |
|
578
|
|
|
// the error log will complain if we run this test against an empty file of certs |
|
579
|
|
|
// so test if there's something PEMy in the file at all |
|
580
|
|
|
if (filesize("$tmpDir/incomingserver.pem") > 10) { |
|
581
|
|
|
exec(CONFIG['PATHS']['openssl'] . " verify $crlCheckString -CApath $tmpDir/root-ca-eaponly/ -purpose any $tmpDir/incomingserver.pem", $verifyResultEaponly); |
|
|
|
|
|
|
582
|
|
|
$this->loggerInstance->debug(4, CONFIG['PATHS']['openssl'] . " verify $crlCheckString -CApath $tmpDir/root-ca-eaponly/ -purpose any $tmpDir/incomingserver.pem\n"); |
|
583
|
|
|
$this->loggerInstance->debug(4, "Chain verify pass 1: " . print_r($verifyResultEaponly, TRUE) . "\n"); |
|
584
|
|
|
exec(CONFIG['PATHS']['openssl'] . " verify $crlCheckString -CApath $tmpDir/root-ca-allcerts/ -purpose any $tmpDir/incomingserver.pem", $verifyResultAllcerts); |
|
585
|
|
|
$this->loggerInstance->debug(4, CONFIG['PATHS']['openssl'] . " verify $crlCheckString -CApath $tmpDir/root-ca-allcerts/ -purpose any $tmpDir/incomingserver.pem\n"); |
|
586
|
|
|
$this->loggerInstance->debug(4, "Chain verify pass 2: " . print_r($verifyResultAllcerts, TRUE) . "\n"); |
|
587
|
|
|
} |
|
588
|
|
|
|
|
589
|
|
|
|
|
590
|
|
|
// now we do certificate verification against the collected parents |
|
591
|
|
|
// this is done first for the server and then for each of the intermediate CAs |
|
592
|
|
|
// any oddities observed will |
|
593
|
|
|
// openssl should havd returned exactly one line of output, |
|
594
|
|
|
// and it should have ended with the string "OK", anything else is fishy |
|
595
|
|
|
// The result can also be an empty array - this means there were no |
|
596
|
|
|
// certificates to check. Don't complain about chain validation errors |
|
597
|
|
|
// in that case. |
|
598
|
|
|
// we have the following test result possibilities: |
|
599
|
|
|
// 1. test against allcerts failed |
|
600
|
|
|
// 2. test against allcerts succeded, but against eaponly failed - warn admin |
|
601
|
|
|
// 3. test against eaponly succeded, in this case critical errors about expired certs |
|
602
|
|
|
// need to be changed to notices, since these certs obviously do tot participate |
|
603
|
|
|
// in server certificate validation. |
|
604
|
|
|
if (count($verifyResultAllcerts) == 0 || count($verifyResultEaponly) == 0) { |
|
605
|
|
|
throw new Exception("No output at all from openssl?"); |
|
606
|
|
|
} |
|
607
|
|
|
if (!preg_match("/OK$/", $verifyResultAllcerts[0])) { // case 1 |
|
608
|
|
|
if (preg_match("/certificate revoked$/", $verifyResultAllcerts[1])) { |
|
609
|
|
|
$testresults['cert_oddities'][] = RADIUSTests::CERTPROB_SERVER_CERT_REVOKED; |
|
610
|
|
|
} elseif (preg_match("/unable to get certificate CRL/", $verifyResultAllcerts[1])) { |
|
611
|
|
|
$testresults['cert_oddities'][] = RADIUSTests::CERTPROB_UNABLE_TO_GET_CRL; |
|
612
|
|
|
} else { |
|
613
|
|
|
$testresults['cert_oddities'][] = RADIUSTests::CERTPROB_TRUST_ROOT_NOT_REACHED; |
|
614
|
|
|
} |
|
615
|
|
|
return 1; |
|
616
|
|
|
} |
|
617
|
|
|
if (!preg_match("/OK$/", $verifyResultEaponly[0])) { // case 2 |
|
618
|
|
|
if (preg_match("/certificate revoked$/", $verifyResultEaponly[1])) { |
|
619
|
|
|
$testresults['cert_oddities'][] = RADIUSTests::CERTPROB_SERVER_CERT_REVOKED; |
|
620
|
|
|
} elseif (preg_match("/unable to get certificate CRL/", $verifyResultEaponly[1])) { |
|
621
|
|
|
$testresults['cert_oddities'][] = RADIUSTests::CERTPROB_UNABLE_TO_GET_CRL; |
|
622
|
|
|
} else { |
|
623
|
|
|
$testresults['cert_oddities'][] = RADIUSTests::CERTPROB_TRUST_ROOT_REACHED_ONLY_WITH_OOB_INTERMEDIATES; |
|
624
|
|
|
} |
|
625
|
|
|
return 2; |
|
626
|
|
|
} |
|
627
|
|
|
return 3; |
|
628
|
|
|
} |
|
629
|
|
|
|
|
630
|
|
|
private function thoroughNameChecks($servercert, &$testresults) { |
|
631
|
|
|
// check the incoming hostname (both Subject:CN and subjectAltName:DNS |
|
632
|
|
|
// against what is configured in the profile; it's a significant error |
|
633
|
|
|
// if there is no match! |
|
634
|
|
|
// FAIL if none of the configured names show up in the server cert |
|
635
|
|
|
// WARN if the configured name is only in either CN or sAN:DNS |
|
636
|
|
|
// Strategy for checks: we are TOTALLY happy if any one of the |
|
637
|
|
|
// configured names shows up in both the CN and a sAN |
|
638
|
|
|
// This is the primary check. |
|
639
|
|
|
// If that was not the case, we are PARTIALLY happy if any one of |
|
640
|
|
|
// the configured names was in either of the CN or sAN lists. |
|
641
|
|
|
// we are UNHAPPY if no names match! |
|
642
|
|
|
|
|
643
|
|
|
$happiness = "UNHAPPY"; |
|
644
|
|
|
foreach ($this->expectedServerNames as $expectedName) { |
|
645
|
|
|
$this->loggerInstance->debug(4, "Managing expectations for $expectedName: " . print_r($servercert['CN'], TRUE) . print_r($servercert['sAN_DNS'], TRUE)); |
|
646
|
|
|
if (array_search($expectedName, $servercert['CN']) !== FALSE && array_search($expectedName, $servercert['sAN_DNS']) !== FALSE) { |
|
647
|
|
|
$this->loggerInstance->debug(4, "Totally happy!"); |
|
648
|
|
|
$happiness = "TOTALLY"; |
|
649
|
|
|
break; |
|
650
|
|
|
} else { |
|
651
|
|
|
if (array_search($expectedName, $servercert['CN']) !== FALSE || array_search($expectedName, $servercert['sAN_DNS']) !== FALSE) { |
|
652
|
|
|
$happiness = "PARTIALLY"; |
|
653
|
|
|
// keep trying with other expected names! We could be happier! |
|
654
|
|
|
} |
|
655
|
|
|
} |
|
656
|
|
|
} |
|
657
|
|
|
switch ($happiness) { |
|
658
|
|
|
case "UNHAPPY": |
|
659
|
|
|
$testresults['cert_oddities'][] = RADIUSTests::CERTPROB_SERVER_NAME_MISMATCH; |
|
660
|
|
|
return; |
|
661
|
|
|
case "PARTIALLY": |
|
662
|
|
|
$testresults['cert_oddities'][] = RADIUSTests::CERTPROB_SERVER_NAME_PARTIAL_MATCH; |
|
663
|
|
|
return; |
|
664
|
|
|
default: // nothing to complain about! |
|
665
|
|
|
return; |
|
666
|
|
|
} |
|
667
|
|
|
} |
|
668
|
|
|
|
|
669
|
|
|
private function executeEapolTest($tmpDir, $probeindex, $eaptype, $innerUser, $password, $opnameCheck, $frag) { |
|
670
|
|
|
$finalInner = $innerUser; |
|
671
|
|
|
$finalOuter = $this->outerUsernameForChecks; |
|
672
|
|
|
|
|
673
|
|
|
$theconfigs = $this->wpaSupplicantConfig($eaptype, $finalInner, $finalOuter, $password); |
|
674
|
|
|
// the config intentionally does not include CA checking. We do this |
|
675
|
|
|
// ourselves after getting the chain with -o. |
|
676
|
|
|
file_put_contents($tmpDir . "/udp_login_test.conf", $theconfigs[0]); |
|
677
|
|
|
|
|
678
|
|
|
$cmdline = $this->eapolTestConfig($probeindex, $opnameCheck, $frag); |
|
679
|
|
|
$this->loggerInstance->debug(4, "Shallow reachability check cmdline: $cmdline\n"); |
|
680
|
|
|
$this->loggerInstance->debug(4, "Shallow reachability check config: $tmpDir\n" . $theconfigs[1] . "\n"); |
|
681
|
|
|
$time_start = microtime(true); |
|
682
|
|
|
$pflow = []; |
|
683
|
|
|
exec($cmdline, $pflow); |
|
684
|
|
|
if ($pflow === NULL) { |
|
685
|
|
|
throw new Exception("The output of an exec() call really can't be NULL!"); |
|
686
|
|
|
} |
|
687
|
|
|
$time_stop = microtime(true); |
|
688
|
|
|
$this->loggerInstance->debug(5, print_r($this->redact($password, $pflow), TRUE)); |
|
689
|
|
|
return [ |
|
690
|
|
|
"time" => ($time_stop - $time_start) * 1000, |
|
691
|
|
|
"output" => $pflow, |
|
692
|
|
|
]; |
|
693
|
|
|
} |
|
694
|
|
|
|
|
695
|
|
|
private function checkRadiusPacketFlow(&$testresults, $packetflow_orig) { |
|
696
|
|
|
|
|
697
|
|
|
$packetflow = $this->filterPackettype($packetflow_orig); |
|
698
|
|
|
|
|
699
|
|
|
|
|
700
|
|
|
// when MS-CHAPv2 allows retry, we never formally get a reject (just a |
|
701
|
|
|
// Challenge that PW was wrong but and we should try a different one; |
|
702
|
|
|
// but that effectively is a reject |
|
703
|
|
|
// so change the flow results to take that into account |
|
704
|
|
|
if ($packetflow[count($packetflow) - 1] == 11 && $this->checkLineparse($packetflow_orig, self::LINEPARSE_CHECK_691)) { |
|
705
|
|
|
$packetflow[count($packetflow) - 1] = 3; |
|
706
|
|
|
} |
|
707
|
|
|
// also, the ETLRs sometimes send a reject when the server is not |
|
708
|
|
|
// responding. This should not be considered a real reject; it's a middle |
|
709
|
|
|
// box unduly altering the end-to-end result. Do not consider this final |
|
710
|
|
|
// Reject if it comes from ETLR |
|
711
|
|
|
if ($packetflow[count($packetflow) - 1] == 3 && $this->checkLineparse($packetflow_orig, self::LINEPARSE_CHECK_REJECTIGNORE)) { |
|
712
|
|
|
array_pop($packetflow); |
|
713
|
|
|
} |
|
714
|
|
|
$this->loggerInstance->debug(5, "Packetflow: " . print_r($packetflow, TRUE)); |
|
715
|
|
|
$packetcount = array_count_values($packetflow); |
|
716
|
|
|
$testresults['packetcount'] = $packetcount; |
|
717
|
|
|
$testresults['packetflow'] = $packetflow; |
|
718
|
|
|
|
|
719
|
|
|
// calculate packet counts and see what the overall flow was |
|
720
|
|
|
return $this->packetCountEvaluation($testresults, $packetcount); |
|
721
|
|
|
} |
|
722
|
|
|
|
|
723
|
|
|
/** |
|
724
|
|
|
* parses the eapol_test output to determine whether we got to a point where |
|
725
|
|
|
* an EAP type was mutually agreed |
|
726
|
|
|
* |
|
727
|
|
|
* @param array $testresults by-reference, we add our findings if something is noteworthy |
|
728
|
|
|
* @param array $packetflow_orig the array of text output from eapol_test |
|
729
|
|
|
* @return bool |
|
730
|
|
|
*/ |
|
731
|
|
|
private function wasEapTypeNegotiated(&$testresults, $packetflow_orig) { |
|
732
|
|
|
$testresults['cert_oddities'] = []; |
|
733
|
|
|
|
|
734
|
|
|
$negotiatedEapType = $this->checkLineparse($packetflow_orig, self::LINEPARSE_EAPACK); |
|
735
|
|
|
if (!$negotiatedEapType) { |
|
736
|
|
|
$testresults['cert_oddities'][] = RADIUSTests::CERTPROB_NO_COMMON_EAP_METHOD; |
|
737
|
|
|
} |
|
738
|
|
|
|
|
739
|
|
|
return $negotiatedEapType; |
|
740
|
|
|
} |
|
741
|
|
|
|
|
742
|
|
|
const SERVER_NO_CA_EXTENSION = 1; |
|
743
|
|
|
const SERVER_CA_SELFSIGNED = 2; |
|
744
|
|
|
const CA_INTERMEDIATE = 3; |
|
745
|
|
|
const CA_ROOT = 4; |
|
746
|
|
|
|
|
747
|
|
|
private function determineCertificateType(&$cert, $totalCertCount) { |
|
748
|
|
|
if ($cert['ca'] == 0 && $cert['root'] == 0) { |
|
749
|
|
|
return RADIUSTests::SERVER_NO_CA_EXTENSION; |
|
750
|
|
|
} |
|
751
|
|
|
if ($cert['ca'] == 1 && $cert['root'] == 1) { |
|
752
|
|
|
if ($totalCertCount == 1) { |
|
753
|
|
|
$cert['full_details']['type'] = 'totally_selfsigned'; |
|
754
|
|
|
return RADIUSTests::SERVER_CA_SELFSIGNED; |
|
755
|
|
|
} else { |
|
756
|
|
|
return RADIUSTests::CA_ROOT; |
|
757
|
|
|
} |
|
758
|
|
|
} |
|
759
|
|
|
return RADIUSTests::CA_INTERMEDIATE; |
|
760
|
|
|
} |
|
761
|
|
|
|
|
762
|
|
|
private function extractIncomingCertsfromEAP(&$testresults, $tmpDir) { |
|
763
|
|
|
|
|
764
|
|
|
/* |
|
765
|
|
|
* EAP's house rules: |
|
766
|
|
|
* 1) it is unnecessary to include the root CA itself (adding it has |
|
767
|
|
|
* detrimental effects on performance) |
|
768
|
|
|
* 2) TLS Web Server OID presence (Windows OSes need that) |
|
769
|
|
|
* 3) MD5 signature algorithm disallowed (iOS barks if so) |
|
770
|
|
|
* 4) CDP URL (Windows Phone 8 barks if not present) |
|
771
|
|
|
* 5) there should be exactly one server cert in the chain |
|
772
|
|
|
*/ |
|
773
|
|
|
|
|
774
|
|
|
$x509 = new \core\common\X509(); |
|
775
|
|
|
$eapCertArray = []; |
|
776
|
|
|
// $eap_certarray holds all certs received in EAP conversation |
|
777
|
|
|
$incomingData = file_get_contents($tmpDir . "/serverchain.pem"); |
|
778
|
|
|
if ($incomingData !== FALSE) { |
|
779
|
|
|
$eapCertArray = $x509->splitCertificate($incomingData); |
|
780
|
|
|
} |
|
781
|
|
|
$eapIntermediates = []; |
|
782
|
|
|
$eapIntermediateCRLs = []; |
|
783
|
|
|
$servercert = []; |
|
784
|
|
|
$intermOdditiesEAP = []; |
|
785
|
|
|
|
|
786
|
|
|
$testresults['certdata'] = []; |
|
787
|
|
|
|
|
788
|
|
|
|
|
789
|
|
|
foreach ($eapCertArray as $certPem) { |
|
790
|
|
|
$cert = $x509->processCertificate($certPem); |
|
791
|
|
|
if ($cert == FALSE) { |
|
|
|
|
|
|
792
|
|
|
continue; |
|
793
|
|
|
} |
|
794
|
|
|
// consider the certificate a server cert |
|
795
|
|
|
// a) if it is not a CA and is not a self-signed root |
|
796
|
|
|
// b) if it is a CA, and self-signed, and it is the only cert in |
|
797
|
|
|
// the incoming cert chain |
|
798
|
|
|
// (meaning the self-signed is itself the server cert) |
|
799
|
|
|
switch ($this->determineCertificateType($cert, count($eapCertArray))) { |
|
800
|
|
|
case RADIUSTests::SERVER_NO_CA_EXTENSION: // both are handled same, fall-through |
|
801
|
|
|
case RADIUSTests::SERVER_CA_SELFSIGNED: |
|
802
|
|
|
$servercert[] = $cert; |
|
803
|
|
|
if (count($servercert) == 1) { |
|
804
|
|
|
if (file_put_contents($tmpDir . "/incomingserver.pem", $certPem . "\n") === FALSE) { |
|
805
|
|
|
$this->loggerInstance->debug(4, "The (first) server certificate could not be written to $tmpDir/incomingserver.pem!\n"); |
|
806
|
|
|
} |
|
807
|
|
|
$this->loggerInstance->debug(4, "This is the (first) server certificate, with CRL content if applicable: " . print_r($servercert[0], true)); |
|
808
|
|
|
} elseif (!in_array(RADIUSTests::CERTPROB_TOO_MANY_SERVER_CERTS, $testresults['cert_oddities'])) { |
|
809
|
|
|
$testresults['cert_oddities'][] = RADIUSTests::CERTPROB_TOO_MANY_SERVER_CERTS; |
|
810
|
|
|
} |
|
811
|
|
|
break; |
|
812
|
|
|
case RADIUSTests::CA_ROOT: |
|
813
|
|
|
if (!in_array(RADIUSTests::CERTPROB_ROOT_INCLUDED, $testresults['cert_oddities'])) { |
|
814
|
|
|
$testresults['cert_oddities'][] = RADIUSTests::CERTPROB_ROOT_INCLUDED; |
|
815
|
|
|
} |
|
816
|
|
|
// do not save the root CA, it serves no purpose |
|
817
|
|
|
// chain checks need to be against the UPLOADED CA of the |
|
818
|
|
|
// IdP/profile, not against an EAP-discovered CA |
|
819
|
|
|
break; |
|
820
|
|
|
case RADIUSTests::CA_INTERMEDIATE: |
|
821
|
|
|
$intermOdditiesEAP = array_merge($intermOdditiesEAP, $this->propertyCheckIntermediate($cert)); |
|
822
|
|
|
$eapIntermediates[] = $certPem; |
|
823
|
|
|
|
|
824
|
|
|
if (isset($cert['CRL']) && isset($cert['CRL'][0])) { |
|
825
|
|
|
$eapIntermediateCRLs[] = $cert['CRL'][0]; |
|
826
|
|
|
} |
|
827
|
|
|
break; |
|
828
|
|
|
default: |
|
829
|
|
|
throw new Exception("Status of certificate could not be determined!"); |
|
830
|
|
|
} |
|
831
|
|
|
$testresults['certdata'][] = $cert['full_details']; |
|
832
|
|
|
} |
|
833
|
|
|
|
|
834
|
|
|
switch (count($servercert)) { |
|
835
|
|
|
case 0: |
|
836
|
|
|
$testresults['cert_oddities'][] = RADIUSTests::CERTPROB_NO_SERVER_CERT; |
|
837
|
|
|
break; |
|
838
|
|
|
default: |
|
839
|
|
|
// check (first) server cert's properties |
|
840
|
|
|
$testresults['cert_oddities'] = array_merge($testresults['cert_oddities'], $this->propertyCheckServercert($servercert[0])); |
|
841
|
|
|
$testresults['incoming_server_names'] = $servercert['incoming_server_names']; |
|
842
|
|
|
} |
|
843
|
|
|
return [ |
|
844
|
|
|
"SERVERCERT" => $servercert, |
|
845
|
|
|
"INTERMEDIATE_CA" => $eapIntermediates, |
|
846
|
|
|
"INTERMEDIATE_CRL" => $eapIntermediateCRLs, |
|
847
|
|
|
"INTERMEDIATE_OBSERVED_ODDITIES" => $intermOdditiesEAP, |
|
848
|
|
|
]; |
|
849
|
|
|
} |
|
850
|
|
|
|
|
851
|
|
|
/** |
|
852
|
|
|
* The big Guy. This performs an actual login with EAP and records how far |
|
853
|
|
|
* it got and what oddities were observed along the way |
|
854
|
|
|
* @param int $probeindex the probe we are connecting to (as set in product config) |
|
855
|
|
|
* @param array $eaptype EAP type to use for connection |
|
856
|
|
|
* @param string $innerUser inner username to try |
|
857
|
|
|
* @param string $password password to try |
|
858
|
|
|
* @param boolean $opnameCheck whether or not we check with Operator-Name set |
|
859
|
|
|
* @param boolean $frag whether or not we check with an oversized packet forcing fragmentation |
|
860
|
|
|
* @param string $clientcertdata client certificate credential to try |
|
861
|
|
|
* @return int overall return code of the login test |
|
862
|
|
|
* @throws Exception |
|
863
|
|
|
*/ |
|
864
|
|
|
public function udpLogin($probeindex, $eaptype, $innerUser, $password, $opnameCheck = TRUE, $frag = TRUE, $clientcertdata = NULL) { |
|
865
|
|
|
|
|
866
|
|
|
/** preliminaries */ |
|
867
|
|
|
$eapText = \core\common\EAP::eapDisplayName($eaptype); |
|
868
|
|
|
// no host to send probes to? Nothing to do then |
|
869
|
|
|
if (!isset(CONFIG_DIAGNOSTICS['RADIUSTESTS']['UDP-hosts'][$probeindex])) { |
|
|
|
|
|
|
870
|
|
|
$this->UDP_reachability_executed = RADIUSTests::RETVAL_NOTCONFIGURED; |
|
871
|
|
|
return RADIUSTests::RETVAL_NOTCONFIGURED; |
|
872
|
|
|
} |
|
873
|
|
|
// if we need client certs but don't have one, return |
|
874
|
|
|
if (($eaptype == \core\common\EAP::EAPTYPE_ANY || $eaptype == \core\common\EAP::EAPTYPE_TLS) && $clientcertdata === NULL) { |
|
875
|
|
|
$this->UDP_reachability_executed = RADIUSTests::RETVAL_NOTCONFIGURED; |
|
876
|
|
|
return RADIUSTests::RETVAL_NOTCONFIGURED; |
|
877
|
|
|
} |
|
878
|
|
|
// if we don't have a string for outer EAP method name, give up |
|
879
|
|
|
if (!isset($eapText['OUTER'])) { |
|
880
|
|
|
$this->UDP_reachability_executed = RADIUSTests::RETVAL_NOTCONFIGURED; |
|
881
|
|
|
return RADIUSTests::RETVAL_NOTCONFIGURED; |
|
882
|
|
|
} |
|
883
|
|
|
// we will need a config blob for wpa_supplicant, in a temporary directory |
|
884
|
|
|
$temporary = $this->createTemporaryDirectory('test'); |
|
885
|
|
|
$tmpDir = $temporary['dir']; |
|
886
|
|
|
chdir($tmpDir); |
|
887
|
|
|
$this->loggerInstance->debug(4, "temp dir: $tmpDir\n"); |
|
888
|
|
|
if ($clientcertdata !== NULL) { |
|
889
|
|
|
file_put_contents($tmpDir . "/client.p12", $clientcertdata); |
|
890
|
|
|
} |
|
891
|
|
|
$testresults = []; |
|
892
|
|
|
// execute RADIUS/EAP converation |
|
893
|
|
|
$runtime_results = $this->executeEapolTest($tmpDir, $probeindex, $eaptype, $innerUser, $password, $opnameCheck, $frag); |
|
894
|
|
|
$testresults['time_millisec'] = $runtime_results['time']; |
|
895
|
|
|
$packetflow_orig = $runtime_results['output']; |
|
896
|
|
|
$radiusResult = $this->checkRadiusPacketFlow($testresults, $packetflow_orig); |
|
897
|
|
|
$negotiatedEapType = $this->wasEapTypeNegotiated($testresults, $packetflow_orig); |
|
898
|
|
|
// now let's look at the server cert+chain, if we got a cert at all |
|
899
|
|
|
// that's not the case if we do EAP-pwd or could not negotiate an EAP method at |
|
900
|
|
|
// all |
|
901
|
|
|
if ( |
|
902
|
|
|
$eaptype != \core\common\EAP::EAPTYPE_PWD && |
|
903
|
|
|
(($radiusResult == RADIUSTests::RETVAL_CONVERSATION_REJECT && $negotiatedEapType) || $radiusResult == RADIUSTests::RETVAL_OK) |
|
904
|
|
|
) { |
|
905
|
|
|
|
|
906
|
|
|
$bundle = $this->extractIncomingCertsfromEAP($testresults, $tmpDir); |
|
907
|
|
|
|
|
908
|
|
|
// FOR OWN REALMS check: |
|
909
|
|
|
// 1) does the incoming chain have a root in one of the configured roots |
|
910
|
|
|
// if not, this is a signficant configuration error |
|
911
|
|
|
// return this with one or more of the CERTPROB_ constants (see defs) |
|
912
|
|
|
// TRUST_ROOT_NOT_REACHED |
|
913
|
|
|
// TRUST_ROOT_REACHED_ONLY_WITH_OOB_INTERMEDIATES |
|
914
|
|
|
// then check the presented names |
|
915
|
|
|
// check intermediate ca cert properties |
|
916
|
|
|
// check trust chain for completeness |
|
917
|
|
|
// works only for thorough checks, not shallow, so: |
|
918
|
|
|
$intermOdditiesCAT = []; |
|
919
|
|
|
$verifyResult = 0; |
|
920
|
|
|
|
|
921
|
|
|
if ($this->opMode == self::RADIUS_TEST_OPERATION_MODE_THOROUGH) { |
|
922
|
|
|
$verifyResult = $this->thoroughChainChecks($testresults, $intermOdditiesCAT, $tmpDir, $bundle["SERVERCERT"], $bundle["INTERMEDIATE_CA"], $bundle["INTERMEDIATE_CRL"]); |
|
923
|
|
|
$this->thoroughNameChecks($bundle["SERVERCERT"], $testresults); |
|
924
|
|
|
} |
|
925
|
|
|
|
|
926
|
|
|
$testresults['cert_oddities'] = array_merge($testresults['cert_oddities'], $bundle["INTERMEDIATE_OBSERVED_ODDITIES"]); |
|
|
|
|
|
|
927
|
|
|
if (in_array(RADIUSTests::CERTPROB_OUTSIDE_VALIDITY_PERIOD, $intermOdditiesCAT) && $verifyResult == 3) { |
|
928
|
|
|
$key = array_search(RADIUSTests::CERTPROB_OUTSIDE_VALIDITY_PERIOD, $intermOdditiesCAT); |
|
929
|
|
|
$intermOdditiesCAT[$key] = RADIUSTests::CERTPROB_OUTSIDE_VALIDITY_PERIOD_WARN; |
|
930
|
|
|
} |
|
931
|
|
|
|
|
932
|
|
|
$testresults['cert_oddities'] = array_merge($testresults['cert_oddities'], $intermOdditiesCAT); |
|
933
|
|
|
|
|
934
|
|
|
// mention trust chain failure only if no expired cert was in the chain; otherwise path validation will trivially fail |
|
935
|
|
|
if (in_array(RADIUSTests::CERTPROB_OUTSIDE_VALIDITY_PERIOD, $testresults['cert_oddities'])) { |
|
936
|
|
|
$this->loggerInstance->debug(4, "Deleting trust chain problem report, if present."); |
|
937
|
|
|
if (($key = array_search(RADIUSTests::CERTPROB_TRUST_ROOT_NOT_REACHED, $testresults['cert_oddities'])) !== false) { |
|
938
|
|
|
unset($testresults['cert_oddities'][$key]); |
|
939
|
|
|
} |
|
940
|
|
|
if (($key = array_search(RADIUSTests::CERTPROB_TRUST_ROOT_REACHED_ONLY_WITH_OOB_INTERMEDIATES, $testresults['cert_oddities'])) !== false) { |
|
941
|
|
|
unset($testresults['cert_oddities'][$key]); |
|
942
|
|
|
} |
|
943
|
|
|
} |
|
944
|
|
|
} |
|
945
|
|
|
$this->loggerInstance->debug(4, "UDP_LOGIN\n"); |
|
946
|
|
|
$this->loggerInstance->debug(4, $testresults); |
|
947
|
|
|
$this->loggerInstance->debug(4, "\nEND\n"); |
|
948
|
|
|
$this->UDP_reachability_result[$probeindex] = $testresults; |
|
949
|
|
|
$this->UDP_reachability_executed = $radiusResult; |
|
950
|
|
|
return $radiusResult; |
|
951
|
|
|
} |
|
952
|
|
|
|
|
953
|
|
|
public function consolidateUdpResult($host) { |
|
954
|
|
|
$ret = []; |
|
955
|
|
|
$serverCert = []; |
|
956
|
|
|
$udpResult = $this->UDP_reachability_result[$host]; |
|
957
|
|
|
if (isset($udpResult['certdata']) && count($udpResult['certdata'])) { |
|
958
|
|
|
foreach ($udpResult['certdata'] as $certdata) { |
|
959
|
|
|
if ($certdata['type'] != 'server' && $certdata['type'] != 'totally_selfsigned') { |
|
960
|
|
|
continue; |
|
961
|
|
|
} |
|
962
|
|
|
if (isset($certdata['extensions'])) { |
|
963
|
|
|
foreach ($certdata['extensions'] as $k => $v) { |
|
964
|
|
|
$certdata['extensions'][$k] = iconv('UTF-8', 'UTF-8//IGNORE', $certdata['extensions'][$k]); |
|
965
|
|
|
} |
|
966
|
|
|
} |
|
967
|
|
|
$serverCert = [ |
|
968
|
|
|
'subject' => $this->printDN($certdata['subject']), |
|
969
|
|
|
'issuer' => $this->printDN($certdata['issuer']), |
|
970
|
|
|
'validFrom' => $this->printTm($certdata['validFrom_time_t']), |
|
971
|
|
|
'validTo' => $this->printTm($certdata['validTo_time_t']), |
|
972
|
|
|
'serialNumber' => $certdata['serialNumber'] . sprintf(" (0x%X)", $certdata['serialNumber']), |
|
973
|
|
|
'sha1' => $certdata['sha1'], |
|
974
|
|
|
'extensions' => $certdata['extensions'] |
|
975
|
|
|
]; |
|
976
|
|
|
} |
|
977
|
|
|
} |
|
978
|
|
|
$ret['server_cert'] = $serverCert; |
|
979
|
|
|
$ret['server'] = 0; |
|
980
|
|
|
if (isset($udpResult['incoming_server_names'][0])) { |
|
981
|
|
|
$ret['server'] = sprintf(_("Connected to %s."), $udpResult['incoming_server_names'][0]); |
|
982
|
|
|
} |
|
983
|
|
|
$ret['level'] = \core\common\Entity::L_OK; |
|
984
|
|
|
$ret['time_millisec'] = sprintf("%d", $udpResult['time_millisec']); |
|
985
|
|
|
if (empty($udpResult['cert_oddities'])) { |
|
986
|
|
|
$ret['message'] = _("<strong>Test successful</strong>: a bidirectional RADIUS conversation with multiple round-trips was carried out, and ended in an Access-Reject as planned."); |
|
987
|
|
|
return $ret; |
|
988
|
|
|
} |
|
989
|
|
|
|
|
990
|
|
|
$ret['message'] = _("<strong>Test partially successful</strong>: a bidirectional RADIUS conversation with multiple round-trips was carried out, and ended in an Access-Reject as planned. Some properties of the connection attempt were sub-optimal; the list is below."); |
|
991
|
|
|
$ret['cert_oddities'] = []; |
|
992
|
|
|
foreach ($udpResult['cert_oddities'] as $oddity) { |
|
993
|
|
|
$o = []; |
|
994
|
|
|
$o['code'] = $oddity; |
|
995
|
|
|
$o['message'] = isset($this->returnCodes[$oddity]["message"]) && $this->returnCodes[$oddity]["message"] ? $this->returnCodes[$oddity]["message"] : $oddity; |
|
996
|
|
|
$o['level'] = $this->returnCodes[$oddity]["severity"]; |
|
997
|
|
|
$ret['level'] = max($ret['level'], $this->returnCodes[$oddity]["severity"]); |
|
998
|
|
|
$ret['cert_oddities'][] = $o; |
|
999
|
|
|
} |
|
1000
|
|
|
|
|
1001
|
|
|
return $ret; |
|
1002
|
|
|
} |
|
1003
|
|
|
|
|
1004
|
|
|
} |
|
1005
|
|
|
|
GEANT /
CAT
Loading history...