Inspection of "feature: warn if your server does not do TLS 1.2 a..." - GEANT/CAT - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Push — release_2_0 ( 2b9a09...993113 )

by Stefan

created 2020-01-29 14:54 UTC

Status

Spacing +54 added lines, -54 removed lines patch added patch discarded remove patch

@@ -35,7 +35,7 @@  discard block
 block discarded – undo
 
 use \Exception;
 
-require_once dirname(dirname(__DIR__)) . "/config/_config.php";
+require_once dirname(dirname(__DIR__))."/config/_config.php";
 
 /**
  * Test suite to verify that an EAP setup is actually working as advertised in
@@ -168,7 +168,7 @@  discard block
 block discarded – undo
             }
         }
 
-        $this->loggerInstance->debug(4, "RADIUSTests is in opMode " . $this->opMode . ", parameters were: $realm, $outerUsernameForChecks, " . print_r($supportedEapTypes, true));
+        $this->loggerInstance->debug(4, "RADIUSTests is in opMode ".$this->opMode.", parameters were: $realm, $outerUsernameForChecks, ".print_r($supportedEapTypes, true));
         $this->loggerInstance->debug(4, print_r($expectedServerNames, true));
         $this->loggerInstance->debug(4, print_r($expectedCABundle, true));
 
@@ -258,7 +258,7 @@  discard block
 block discarded – undo
                 $returnarray[] = RADIUSTests::CERTPROB_WILDCARD_IN_NAME;
                 continue; // otherwise we'd ALSO complain that it's not a real hostname
             }
-            if ($onename != "" && filter_var("foo@" . idn_to_ascii($onename), FILTER_VALIDATE_EMAIL) === FALSE) {
+            if ($onename != "" && filter_var("foo@".idn_to_ascii($onename), FILTER_VALIDATE_EMAIL) === FALSE) {
                 $returnarray[] = RADIUSTests::CERTPROB_NOT_A_HOSTNAME;
             }
         }
@@ -284,7 +284,7 @@  discard block
 block discarded – undo
         if (preg_match("/sha1/i", $intermediateCa['full_details']['signatureTypeSN'])) {
             $returnarray[] = RADIUSTests::CERTPROB_SHA1_SIGNATURE;
         }
-        $this->loggerInstance->debug(4, "CERT IS: " . print_r($intermediateCa, TRUE));
+        $this->loggerInstance->debug(4, "CERT IS: ".print_r($intermediateCa, TRUE));
         if ($intermediateCa['basicconstraints_set'] == 0) {
             $returnarray[] = RADIUSTests::CERTPROB_NO_BASICCONSTRAINTS;
         }
@@ -333,7 +333,7 @@  discard block
 block discarded – undo
     {
         // for EAP-TLS to be a viable option, we need to pass a random client cert to make eapol_test happy
         // the following PEM data is one of the SENSE EAPLab client certs (not secret at all)
-        $clientcert = file_get_contents(dirname(__FILE__) . "/clientcert.p12");
+        $clientcert = file_get_contents(dirname(__FILE__)."/clientcert.p12");
         if ($clientcert === FALSE) {
             throw new Exception("A dummy client cert is part of the source distribution, but could not be loaded!");
         }
@@ -342,7 +342,7 @@  discard block
 block discarded – undo
         if ($this->opMode == self::RADIUS_TEST_OPERATION_MODE_THOROUGH) {
             return $this->udpLogin($probeindex, $this->supportedEapTypes[0]->getArrayRep(), $this->outerUsernameForChecks, 'eaplab', $opnameCheck, $frag, $clientcert);
         }
-        return $this->udpLogin($probeindex, \core\common\EAP::EAPTYPE_ANY, "cat-connectivity-test@" . $this->realm, 'eaplab', $opnameCheck, $frag, $clientcert);
+        return $this->udpLogin($probeindex, \core\common\EAP::EAPTYPE_ANY, "cat-connectivity-test@".$this->realm, 'eaplab', $opnameCheck, $frag, $clientcert);
     }
 
     /**
@@ -363,7 +363,7 @@  discard block
 block discarded – undo
             return RADIUSTests::CERTPROB_NO_CDP_HTTP;
         }
         // first and second sub-match is the full URL... check it
-        $crlcontent = \core\common\OutsideComm::downloadFile(trim($crlUrl[1] . $crlUrl[2]));
+        $crlcontent = \core\common\OutsideComm::downloadFile(trim($crlUrl[1].$crlUrl[2]));
         if ($crlcontent === FALSE) {
             return RADIUSTests::CERTPROB_NO_CRL_AT_CDP_URL;
         }
@@ -377,7 +377,7 @@  discard block
 block discarded – undo
 
         // $pem = chunk_split(base64_encode($crlcontent), 64, "\n");
         // inspired by https://stackoverflow.com/questions/2390604/how-to-pass-variables-as-stdin-into-command-line-from-php
-        $proc = CONFIG['PATHS']['openssl'] . " crl -inform der";
+        $proc = CONFIG['PATHS']['openssl']." crl -inform der";
         $descriptorspec = [
             0 => ["pipe", "r"],
             1 => ["pipe", "w"],
@@ -416,7 +416,7 @@  discard block
 block discarded – undo
         $origLength = strlen($hex);
         for ($i = 1; $i < $origLength; $i++) {
             if ($i % 2 == 1 && $i != strlen($hex)) {
-                $spaced .= $hex[$i] . " ";
+                $spaced .= $hex[$i]." ";
             } else {
                 $spaced .= $hex[$i];
             }
@@ -540,19 +540,19 @@  discard block
 block discarded – undo
         $eapText = \core\common\EAP::eapDisplayName($eaptype);
         $config = '
 network={
-  ssid="' . CONFIG['APPEARANCE']['productname'] . ' testing"
+  ssid="' . CONFIG['APPEARANCE']['productname'].' testing"
   key_mgmt=WPA-EAP
   proto=WPA2
   pairwise=CCMP
   group=CCMP
   ';
 // phase 1
-        $config .= 'eap=' . $eapText['OUTER'] . "\n";
+        $config .= 'eap='.$eapText['OUTER']."\n";
         $logConfig = $config;
 // phase 2 if applicable; all inner methods have passwords
         if (isset($eapText['INNER']) && $eapText['INNER'] != "") {
-            $config .= '  phase2="auth=' . $eapText['INNER'] . "\"\n";
-            $logConfig .= '  phase2="auth=' . $eapText['INNER'] . "\"\n";
+            $config .= '  phase2="auth='.$eapText['INNER']."\"\n";
+            $logConfig .= '  phase2="auth='.$eapText['INNER']."\"\n";
         }
 // all methods set a password, except EAP-TLS
         if ($eaptype != \core\common\EAP::EAPTYPE_TLS) {
@@ -568,11 +568,11 @@  discard block
 block discarded – undo
         }
 
 // inner identity
-        $config .= '  identity="' . $inner . "\"\n";
-        $logConfig .= '  identity="' . $inner . "\"\n";
+        $config .= '  identity="'.$inner."\"\n";
+        $logConfig .= '  identity="'.$inner."\"\n";
 // outer identity, may be equal
-        $config .= '  anonymous_identity="' . $outer . "\"\n";
-        $logConfig .= '  anonymous_identity="' . $outer . "\"\n";
+        $config .= '  anonymous_identity="'.$outer."\"\n";
+        $logConfig .= '  anonymous_identity="'.$outer."\"\n";
 // done
         $config .= "}";
         $logConfig .= "}";
@@ -635,13 +635,13 @@  discard block
 block discarded – undo
      */
     private function eapolTestConfig($probeindex, $opName, $frag)
     {
-        $cmdline = CONFIG_DIAGNOSTICS['PATHS']['eapol_test'] .
-                " -a " . CONFIG_DIAGNOSTICS['RADIUSTESTS']['UDP-hosts'][$probeindex]['ip'] .
-                " -s " . CONFIG_DIAGNOSTICS['RADIUSTESTS']['UDP-hosts'][$probeindex]['secret'] .
-                " -o serverchain.pem" .
-                " -c ./udp_login_test.conf" .
-                " -M 22:44:66:CA:20:" . sprintf("%02d", $probeindex) . " " .
-                " -t " . CONFIG_DIAGNOSTICS['RADIUSTESTS']['UDP-hosts'][$probeindex]['timeout'] . " ";
+        $cmdline = CONFIG_DIAGNOSTICS['PATHS']['eapol_test'].
+                " -a ".CONFIG_DIAGNOSTICS['RADIUSTESTS']['UDP-hosts'][$probeindex]['ip'].
+                " -s ".CONFIG_DIAGNOSTICS['RADIUSTESTS']['UDP-hosts'][$probeindex]['secret'].
+                " -o serverchain.pem".
+                " -c ./udp_login_test.conf".
+                " -M 22:44:66:CA:20:".sprintf("%02d", $probeindex)." ".
+                " -t ".CONFIG_DIAGNOSTICS['RADIUSTESTS']['UDP-hosts'][$probeindex]['timeout']." ";
         if ($opName) {
             $cmdline .= '-N126:s:"1cat.eduroam.org" ';
         }
@@ -671,10 +671,10 @@  discard block
 block discarded – undo
      */
     private function createCArepository($tmpDir, &$intermOdditiesCAT, $servercert, $eapIntermediates, $eapIntermediateCRLs)
     {
-        if (!mkdir($tmpDir . "/root-ca-allcerts/", 0700, true)) {
+        if (!mkdir($tmpDir."/root-ca-allcerts/", 0700, true)) {
             throw new Exception("unable to create root CA directory (RADIUS Tests): $tmpDir/root-ca-allcerts/\n");
         }
-        if (!mkdir($tmpDir . "/root-ca-eaponly/", 0700, true)) {
+        if (!mkdir($tmpDir."/root-ca-eaponly/", 0700, true)) {
             throw new Exception("unable to create root CA directory (RADIUS Tests): $tmpDir/root-ca-eaponly/\n");
         }
 // make a copy of the EAP-received chain and add the configured intermediates, if any
@@ -688,15 +688,15 @@  discard block
 block discarded – undo
             }
             if ($decoded['ca'] == 1) {
                 if ($decoded['root'] == 1) { // save CAT roots to the root directory
-                    file_put_contents($tmpDir . "/root-ca-eaponly/configuredroot" . count($catRoots) . ".pem", $decoded['pem']);
-                    file_put_contents($tmpDir . "/root-ca-allcerts/configuredroot" . count($catRoots) . ".pem", $decoded['pem']);
+                    file_put_contents($tmpDir."/root-ca-eaponly/configuredroot".count($catRoots).".pem", $decoded['pem']);
+                    file_put_contents($tmpDir."/root-ca-allcerts/configuredroot".count($catRoots).".pem", $decoded['pem']);
                     $catRoots[] = $decoded['pem'];
                 } else { // save the intermediates to allcerts directory
-                    file_put_contents($tmpDir . "/root-ca-allcerts/cat-intermediate" . count($catIntermediates) . ".pem", $decoded['pem']);
+                    file_put_contents($tmpDir."/root-ca-allcerts/cat-intermediate".count($catIntermediates).".pem", $decoded['pem']);
                     $intermOdditiesCAT = array_merge($intermOdditiesCAT, $this->propertyCheckIntermediate($decoded));
                     if (isset($decoded['CRL']) && isset($decoded['CRL'][0])) {
                         $this->loggerInstance->debug(4, "got an intermediate CRL; adding them to the chain checks. (Remember: checking end-entity cert only, not the whole chain");
-                        file_put_contents($tmpDir . "/root-ca-allcerts/crl_cat" . count($catIntermediates) . ".pem", $decoded['CRL'][0]);
+                        file_put_contents($tmpDir."/root-ca-allcerts/crl_cat".count($catIntermediates).".pem", $decoded['CRL'][0]);
                     }
                     $catIntermediates[] = $decoded['pem'];
                 }
@@ -705,26 +705,26 @@  discard block
 block discarded – undo
         // save all intermediate certificates and CRLs to separate files in 
         // both root-ca directories
         foreach ($eapIntermediates as $index => $onePem) {
-            file_put_contents($tmpDir . "/root-ca-eaponly/intermediate$index.pem", $onePem);
-            file_put_contents($tmpDir . "/root-ca-allcerts/intermediate$index.pem", $onePem);
+            file_put_contents($tmpDir."/root-ca-eaponly/intermediate$index.pem", $onePem);
+            file_put_contents($tmpDir."/root-ca-allcerts/intermediate$index.pem", $onePem);
         }
         foreach ($eapIntermediateCRLs as $index => $onePem) {
-            file_put_contents($tmpDir . "/root-ca-eaponly/intermediateCRL$index.pem", $onePem);
-            file_put_contents($tmpDir . "/root-ca-allcerts/intermediateCRL$index.pem", $onePem);
+            file_put_contents($tmpDir."/root-ca-eaponly/intermediateCRL$index.pem", $onePem);
+            file_put_contents($tmpDir."/root-ca-allcerts/intermediateCRL$index.pem", $onePem);
         }
 
         $checkstring = "";
         if (isset($servercert['CRL']) && isset($servercert['CRL'][0])) {
             $this->loggerInstance->debug(4, "got a server CRL; adding them to the chain checks. (Remember: checking end-entity cert only, not the whole chain");
             $checkstring = "-crl_check_all";
-            file_put_contents($tmpDir . "/root-ca-eaponly/crl-server.pem", $servercert['CRL'][0]);
-            file_put_contents($tmpDir . "/root-ca-allcerts/crl-server.pem", $servercert['CRL'][0]);
+            file_put_contents($tmpDir."/root-ca-eaponly/crl-server.pem", $servercert['CRL'][0]);
+            file_put_contents($tmpDir."/root-ca-allcerts/crl-server.pem", $servercert['CRL'][0]);
         }
 
 
 // now c_rehash the root CA directory ...
-        system(CONFIG_DIAGNOSTICS['PATHS']['c_rehash'] . " $tmpDir/root-ca-eaponly/ > /dev/null");
-        system(CONFIG_DIAGNOSTICS['PATHS']['c_rehash'] . " $tmpDir/root-ca-allcerts/ > /dev/null");
+        system(CONFIG_DIAGNOSTICS['PATHS']['c_rehash']." $tmpDir/root-ca-eaponly/ > /dev/null");
+        system(CONFIG_DIAGNOSTICS['PATHS']['c_rehash']." $tmpDir/root-ca-allcerts/ > /dev/null");
         return $checkstring;
     }
 
@@ -756,12 +756,12 @@  discard block
 block discarded – undo
 // the error log will complain if we run this test against an empty file of certs
 // so test if there's something PEMy in the file at all
         if (filesize("$tmpDir/serverchain.pem") > 10) {
-            exec(CONFIG['PATHS']['openssl'] . " verify $crlCheckString -CApath $tmpDir/root-ca-eaponly/ -purpose any $tmpDir/incomingserver.pem", $verifyResultEaponly);
-            $this->loggerInstance->debug(4, CONFIG['PATHS']['openssl'] . " verify $crlCheckString -CApath $tmpDir/root-ca-eaponly/ -purpose any $tmpDir/serverchain.pem\n");
-            $this->loggerInstance->debug(4, "Chain verify pass 1: " . print_r($verifyResultEaponly, TRUE) . "\n");
-            exec(CONFIG['PATHS']['openssl'] . " verify $crlCheckString -CApath $tmpDir/root-ca-allcerts/ -purpose any $tmpDir/incomingserver.pem", $verifyResultAllcerts);
-            $this->loggerInstance->debug(4, CONFIG['PATHS']['openssl'] . " verify $crlCheckString -CApath $tmpDir/root-ca-allcerts/ -purpose any $tmpDir/serverchain.pem\n");
-            $this->loggerInstance->debug(4, "Chain verify pass 2: " . print_r($verifyResultAllcerts, TRUE) . "\n");
+            exec(CONFIG['PATHS']['openssl']." verify $crlCheckString -CApath $tmpDir/root-ca-eaponly/ -purpose any $tmpDir/incomingserver.pem", $verifyResultEaponly);
+            $this->loggerInstance->debug(4, CONFIG['PATHS']['openssl']." verify $crlCheckString -CApath $tmpDir/root-ca-eaponly/ -purpose any $tmpDir/serverchain.pem\n");
+            $this->loggerInstance->debug(4, "Chain verify pass 1: ".print_r($verifyResultEaponly, TRUE)."\n");
+            exec(CONFIG['PATHS']['openssl']." verify $crlCheckString -CApath $tmpDir/root-ca-allcerts/ -purpose any $tmpDir/incomingserver.pem", $verifyResultAllcerts);
+            $this->loggerInstance->debug(4, CONFIG['PATHS']['openssl']." verify $crlCheckString -CApath $tmpDir/root-ca-allcerts/ -purpose any $tmpDir/serverchain.pem\n");
+            $this->loggerInstance->debug(4, "Chain verify pass 2: ".print_r($verifyResultAllcerts, TRUE)."\n");
         }
 
 
@@ -828,7 +828,7 @@  discard block
 block discarded – undo
         // we are UNHAPPY if no names match!
         $happiness = "UNHAPPY";
         foreach ($this->expectedServerNames as $expectedName) {
-            $this->loggerInstance->debug(4, "Managing expectations for $expectedName: " . print_r($servercert['CN'], TRUE) . print_r($servercert['sAN_DNS'], TRUE));
+            $this->loggerInstance->debug(4, "Managing expectations for $expectedName: ".print_r($servercert['CN'], TRUE).print_r($servercert['sAN_DNS'], TRUE));
             if (array_search($expectedName, $servercert['CN']) !== FALSE && array_search($expectedName, $servercert['sAN_DNS']) !== FALSE) {
                 $this->loggerInstance->debug(4, "Totally happy!");
                 $happiness = "TOTALLY";
@@ -873,11 +873,11 @@  discard block
 block discarded – undo
         $theconfigs = $this->wpaSupplicantConfig($eaptype, $finalInner, $finalOuter, $password);
         // the config intentionally does not include CA checking. We do this
         // ourselves after getting the chain with -o.
-        file_put_contents($tmpDir . "/udp_login_test.conf", $theconfigs[0]);
+        file_put_contents($tmpDir."/udp_login_test.conf", $theconfigs[0]);
 
         $cmdline = $this->eapolTestConfig($probeindex, $opnameCheck, $frag);
         $this->loggerInstance->debug(4, "Shallow reachability check cmdline: $cmdline\n");
-        $this->loggerInstance->debug(4, "Shallow reachability check config: $tmpDir\n" . $theconfigs[1] . "\n");
+        $this->loggerInstance->debug(4, "Shallow reachability check config: $tmpDir\n".$theconfigs[1]."\n");
         $time_start = microtime(true);
         $pflow = [];
         exec($cmdline, $pflow);
@@ -921,7 +921,7 @@  discard block
 block discarded – undo
         if ($packetflow[count($packetflow) - 1] == 3 && $this->checkLineparse($packetflow_orig, self::LINEPARSE_CHECK_REJECTIGNORE)) {
             array_pop($packetflow);
         }
-        $this->loggerInstance->debug(5, "Packetflow: " . print_r($packetflow, TRUE));
+        $this->loggerInstance->debug(5, "Packetflow: ".print_r($packetflow, TRUE));
         $packetcount = array_count_values($packetflow);
         $testresults['packetcount'] = $packetcount;
         $testresults['packetflow'] = $packetflow;
@@ -952,7 +952,7 @@  discard block
 block discarded – undo
     private function wasModernTlsNegotiated(&$testresults, $packetflow_orig)
     {
         $negotiatedTlsVersion = $this->checkLineparse($packetflow_orig, self::LINEPARSE_TLSVERSION);
-        $this->loggerInstance->debug(4,"TLS version found is: $negotiatedTlsVersion"."\n");
+        $this->loggerInstance->debug(4, "TLS version found is: $negotiatedTlsVersion"."\n");
         if ($negotiatedTlsVersion == FALSE) {
             $testresults['cert_oddities'][] = RADIUSTests::TLSPROB_UNKNOWN_TLS_VERSION;
         } elseif ($negotiatedTlsVersion != self::TLS_VERSION_1_2 && $negotiatedTlsVersion != self::TLS_VERSION_1_3) {
@@ -1012,7 +1012,7 @@  discard block
 block discarded – undo
 
         $x509 = new \core\common\X509();
 // $eap_certarray holds all certs received in EAP conversation
-        $incomingData = file_get_contents($tmpDir . "/serverchain.pem");
+        $incomingData = file_get_contents($tmpDir."/serverchain.pem");
         if ($incomingData !== FALSE && strlen($incomingData) > 0) {
             $eapCertArray = $x509->splitCertificate($incomingData);
         } else {
@@ -1042,10 +1042,10 @@  discard block
 block discarded – undo
                 case RADIUSTests::SERVER_CA_SELFSIGNED:
                     $servercert[] = $cert;
                     if (count($servercert) == 1) {
-                        if (file_put_contents($tmpDir . "/incomingserver.pem", $certPem . "\n") === FALSE) {
+                        if (file_put_contents($tmpDir."/incomingserver.pem", $certPem."\n") === FALSE) {
                             $this->loggerInstance->debug(4, "The (first) server certificate could not be written to $tmpDir/incomingserver.pem!\n");
                         }
-                        $this->loggerInstance->debug(4, "This is the (first) server certificate, with CRL content if applicable: " . print_r($servercert[0], true));
+                        $this->loggerInstance->debug(4, "This is the (first) server certificate, with CRL content if applicable: ".print_r($servercert[0], true));
                     } elseif (!in_array(RADIUSTests::CERTPROB_TOO_MANY_SERVER_CERTS, $testresults['cert_oddities'])) {
                         $testresults['cert_oddities'][] = RADIUSTests::CERTPROB_TOO_MANY_SERVER_CERTS;
                     }
@@ -1126,7 +1126,7 @@  discard block
 block discarded – undo
         chdir($tmpDir);
         $this->loggerInstance->debug(4, "temp dir: $tmpDir\n");
         if ($clientcertdata !== NULL) {
-            file_put_contents($tmpDir . "/client.p12", $clientcertdata);
+            file_put_contents($tmpDir."/client.p12", $clientcertdata);
         }
         $testresults = [];
         // initialise the sub-array for cleaner parsing
@@ -1227,7 +1227,7 @@  discard block
 block discarded – undo
                     'issuer' => $this->printDN($certdata['issuer']),
                     'validFrom' => $this->printTm($certdata['validFrom_time_t']),
                     'validTo' => $this->printTm($certdata['validTo_time_t']),
-                    'serialNumber' => $certdata['serialNumber'] . sprintf(" (0x%X)", $certdata['serialNumber']),
+                    'serialNumber' => $certdata['serialNumber'].sprintf(" (0x%X)", $certdata['serialNumber']),
                     'sha1' => $certdata['sha1'],
                     'extensions' => $certdata['extensions']
                 ];

Please login to merge, or discard this patch.

		@@ -35,7 +35,7 @@ discard block
		block discarded – undo
35	35
36	36	use \Exception;
37	37
38		-require_once dirname(dirname(__DIR__)) . "/config/_config.php";
	38	+require_once dirname(dirname(__DIR__))."/config/_config.php";
39	39
40	40	/**
41	41	* Test suite to verify that an EAP setup is actually working as advertised in
		@@ -168,7 +168,7 @@ discard block
		block discarded – undo
168	168	}
169	169	}
170	170
171		- $this->loggerInstance->debug(4, "RADIUSTests is in opMode " . $this->opMode . ", parameters were: $realm, $outerUsernameForChecks, " . print_r($supportedEapTypes, true));
	171	+ $this->loggerInstance->debug(4, "RADIUSTests is in opMode ".$this->opMode.", parameters were: $realm, $outerUsernameForChecks, ".print_r($supportedEapTypes, true));
172	172	$this->loggerInstance->debug(4, print_r($expectedServerNames, true));
173	173	$this->loggerInstance->debug(4, print_r($expectedCABundle, true));
174	174
		@@ -258,7 +258,7 @@ discard block
		block discarded – undo
258	258	$returnarray[] = RADIUSTests::CERTPROB_WILDCARD_IN_NAME;
259	259	continue; // otherwise we'd ALSO complain that it's not a real hostname
260	260	}
261		- if ($onename != "" && filter_var("foo@" . idn_to_ascii($onename), FILTER_VALIDATE_EMAIL) === FALSE) {
	261	+ if ($onename != "" && filter_var("foo@".idn_to_ascii($onename), FILTER_VALIDATE_EMAIL) === FALSE) {
262	262	$returnarray[] = RADIUSTests::CERTPROB_NOT_A_HOSTNAME;
263	263	}
264	264	}
		@@ -284,7 +284,7 @@ discard block
		block discarded – undo
284	284	if (preg_match("/sha1/i", $intermediateCa['full_details']['signatureTypeSN'])) {
285	285	$returnarray[] = RADIUSTests::CERTPROB_SHA1_SIGNATURE;
286	286	}
287		- $this->loggerInstance->debug(4, "CERT IS: " . print_r($intermediateCa, TRUE));
	287	+ $this->loggerInstance->debug(4, "CERT IS: ".print_r($intermediateCa, TRUE));
288	288	if ($intermediateCa['basicconstraints_set'] == 0) {
289	289	$returnarray[] = RADIUSTests::CERTPROB_NO_BASICCONSTRAINTS;
290	290	}
		@@ -333,7 +333,7 @@ discard block
		block discarded – undo
333	333	{
334	334	// for EAP-TLS to be a viable option, we need to pass a random client cert to make eapol_test happy
335	335	// the following PEM data is one of the SENSE EAPLab client certs (not secret at all)
336		- $clientcert = file_get_contents(dirname(__FILE__) . "/clientcert.p12");
	336	+ $clientcert = file_get_contents(dirname(__FILE__)."/clientcert.p12");
337	337	if ($clientcert === FALSE) {
338	338	throw new Exception("A dummy client cert is part of the source distribution, but could not be loaded!");
339	339	}
		@@ -342,7 +342,7 @@ discard block
		block discarded – undo
342	342	if ($this->opMode == self::RADIUS_TEST_OPERATION_MODE_THOROUGH) {
343	343	return $this->udpLogin($probeindex, $this->supportedEapTypes[0]->getArrayRep(), $this->outerUsernameForChecks, 'eaplab', $opnameCheck, $frag, $clientcert);
344	344	}
345		- return $this->udpLogin($probeindex, \core\common\EAP::EAPTYPE_ANY, "cat-connectivity-test@" . $this->realm, 'eaplab', $opnameCheck, $frag, $clientcert);
	345	+ return $this->udpLogin($probeindex, \core\common\EAP::EAPTYPE_ANY, "cat-connectivity-test@".$this->realm, 'eaplab', $opnameCheck, $frag, $clientcert);
346	346	}
347	347
348	348	/**
		@@ -363,7 +363,7 @@ discard block
		block discarded – undo
363	363	return RADIUSTests::CERTPROB_NO_CDP_HTTP;
364	364	}
365	365	// first and second sub-match is the full URL... check it
366		- $crlcontent = \core\common\OutsideComm::downloadFile(trim($crlUrl[1] . $crlUrl[2]));
	366	+ $crlcontent = \core\common\OutsideComm::downloadFile(trim($crlUrl[1].$crlUrl[2]));
367	367	if ($crlcontent === FALSE) {
368	368	return RADIUSTests::CERTPROB_NO_CRL_AT_CDP_URL;
369	369	}
		@@ -377,7 +377,7 @@ discard block
		block discarded – undo
377	377
378	378	// $pem = chunk_split(base64_encode($crlcontent), 64, "\n");
379	379	// inspired by https://stackoverflow.com/questions/2390604/how-to-pass-variables-as-stdin-into-command-line-from-php
380		- $proc = CONFIG['PATHS']['openssl'] . " crl -inform der";
	380	+ $proc = CONFIG['PATHS']['openssl']." crl -inform der";
381	381	$descriptorspec = [
382	382	0 => ["pipe", "r"],
383	383	1 => ["pipe", "w"],
		@@ -416,7 +416,7 @@ discard block
		block discarded – undo
416	416	$origLength = strlen($hex);
417	417	for ($i = 1; $i < $origLength; $i++) {
418	418	if ($i % 2 == 1 && $i != strlen($hex)) {
419		- $spaced .= $hex[$i] . " ";
	419	+ $spaced .= $hex[$i]." ";
420	420	} else {
421	421	$spaced .= $hex[$i];
422	422	}
		@@ -540,19 +540,19 @@ discard block
		block discarded – undo
540	540	$eapText = \core\common\EAP::eapDisplayName($eaptype);
541	541	$config = '
542	542	network={
543		- ssid="' . CONFIG['APPEARANCE']['productname'] . ' testing"
	543	+ ssid="' . CONFIG['APPEARANCE']['productname'].' testing"
544	544	key_mgmt=WPA-EAP
545	545	proto=WPA2
546	546	pairwise=CCMP
547	547	group=CCMP
548	548	';
549	549	// phase 1
550		- $config .= 'eap=' . $eapText['OUTER'] . "\n";
	550	+ $config .= 'eap='.$eapText['OUTER']."\n";
551	551	$logConfig = $config;
552	552	// phase 2 if applicable; all inner methods have passwords
553	553	if (isset($eapText['INNER']) && $eapText['INNER'] != "") {
554		- $config .= ' phase2="auth=' . $eapText['INNER'] . "\"\n";
555		- $logConfig .= ' phase2="auth=' . $eapText['INNER'] . "\"\n";
	554	+ $config .= ' phase2="auth='.$eapText['INNER']."\"\n";
	555	+ $logConfig .= ' phase2="auth='.$eapText['INNER']."\"\n";
556	556	}
557	557	// all methods set a password, except EAP-TLS
558	558	if ($eaptype != \core\common\EAP::EAPTYPE_TLS) {
		@@ -568,11 +568,11 @@ discard block
		block discarded – undo
568	568	}
569	569
570	570	// inner identity
571		- $config .= ' identity="' . $inner . "\"\n";
572		- $logConfig .= ' identity="' . $inner . "\"\n";
	571	+ $config .= ' identity="'.$inner."\"\n";
	572	+ $logConfig .= ' identity="'.$inner."\"\n";
573	573	// outer identity, may be equal
574		- $config .= ' anonymous_identity="' . $outer . "\"\n";
575		- $logConfig .= ' anonymous_identity="' . $outer . "\"\n";
	574	+ $config .= ' anonymous_identity="'.$outer."\"\n";
	575	+ $logConfig .= ' anonymous_identity="'.$outer."\"\n";
576	576	// done
577	577	$config .= "}";
578	578	$logConfig .= "}";
		@@ -635,13 +635,13 @@ discard block
		block discarded – undo
635	635	*/
636	636	private function eapolTestConfig($probeindex, $opName, $frag)
637	637	{
638		- $cmdline = CONFIG_DIAGNOSTICS['PATHS']['eapol_test'] .
639		- " -a " . CONFIG_DIAGNOSTICS['RADIUSTESTS']['UDP-hosts'][$probeindex]['ip'] .
640		- " -s " . CONFIG_DIAGNOSTICS['RADIUSTESTS']['UDP-hosts'][$probeindex]['secret'] .
641		- " -o serverchain.pem" .
642		- " -c ./udp_login_test.conf" .
643		- " -M 22:44:66:CA:20:" . sprintf("%02d", $probeindex) . " " .
644		- " -t " . CONFIG_DIAGNOSTICS['RADIUSTESTS']['UDP-hosts'][$probeindex]['timeout'] . " ";
	638	+ $cmdline = CONFIG_DIAGNOSTICS['PATHS']['eapol_test'].
	639	+ " -a ".CONFIG_DIAGNOSTICS['RADIUSTESTS']['UDP-hosts'][$probeindex]['ip'].
	640	+ " -s ".CONFIG_DIAGNOSTICS['RADIUSTESTS']['UDP-hosts'][$probeindex]['secret'].
	641	+ " -o serverchain.pem".
	642	+ " -c ./udp_login_test.conf".
	643	+ " -M 22:44:66:CA:20:".sprintf("%02d", $probeindex)." ".
	644	+ " -t ".CONFIG_DIAGNOSTICS['RADIUSTESTS']['UDP-hosts'][$probeindex]['timeout']." ";
645	645	if ($opName) {
646	646	$cmdline .= '-N126:s:"1cat.eduroam.org" ';
647	647	}
		@@ -671,10 +671,10 @@ discard block
		block discarded – undo
671	671	*/
672	672	private function createCArepository($tmpDir, &$intermOdditiesCAT, $servercert, $eapIntermediates, $eapIntermediateCRLs)
673	673	{
674		- if (!mkdir($tmpDir . "/root-ca-allcerts/", 0700, true)) {
	674	+ if (!mkdir($tmpDir."/root-ca-allcerts/", 0700, true)) {
675	675	throw new Exception("unable to create root CA directory (RADIUS Tests): $tmpDir/root-ca-allcerts/\n");
676	676	}
677		- if (!mkdir($tmpDir . "/root-ca-eaponly/", 0700, true)) {
	677	+ if (!mkdir($tmpDir."/root-ca-eaponly/", 0700, true)) {
678	678	throw new Exception("unable to create root CA directory (RADIUS Tests): $tmpDir/root-ca-eaponly/\n");
679	679	}
680	680	// make a copy of the EAP-received chain and add the configured intermediates, if any
		@@ -688,15 +688,15 @@ discard block
		block discarded – undo
688	688	}
689	689	if ($decoded['ca'] == 1) {
690	690	if ($decoded['root'] == 1) { // save CAT roots to the root directory
691		- file_put_contents($tmpDir . "/root-ca-eaponly/configuredroot" . count($catRoots) . ".pem", $decoded['pem']);
692		- file_put_contents($tmpDir . "/root-ca-allcerts/configuredroot" . count($catRoots) . ".pem", $decoded['pem']);
	691	+ file_put_contents($tmpDir."/root-ca-eaponly/configuredroot".count($catRoots).".pem", $decoded['pem']);
	692	+ file_put_contents($tmpDir."/root-ca-allcerts/configuredroot".count($catRoots).".pem", $decoded['pem']);
693	693	$catRoots[] = $decoded['pem'];
694	694	} else { // save the intermediates to allcerts directory
695		- file_put_contents($tmpDir . "/root-ca-allcerts/cat-intermediate" . count($catIntermediates) . ".pem", $decoded['pem']);
	695	+ file_put_contents($tmpDir."/root-ca-allcerts/cat-intermediate".count($catIntermediates).".pem", $decoded['pem']);
696	696	$intermOdditiesCAT = array_merge($intermOdditiesCAT, $this->propertyCheckIntermediate($decoded));
697	697	if (isset($decoded['CRL']) && isset($decoded['CRL'][0])) {
698	698	$this->loggerInstance->debug(4, "got an intermediate CRL; adding them to the chain checks. (Remember: checking end-entity cert only, not the whole chain");
699		- file_put_contents($tmpDir . "/root-ca-allcerts/crl_cat" . count($catIntermediates) . ".pem", $decoded['CRL'][0]);
	699	+ file_put_contents($tmpDir."/root-ca-allcerts/crl_cat".count($catIntermediates).".pem", $decoded['CRL'][0]);
700	700	}
701	701	$catIntermediates[] = $decoded['pem'];
702	702	}
		@@ -705,26 +705,26 @@ discard block
		block discarded – undo
705	705	// save all intermediate certificates and CRLs to separate files in
706	706	// both root-ca directories
707	707	foreach ($eapIntermediates as $index => $onePem) {
708		- file_put_contents($tmpDir . "/root-ca-eaponly/intermediate$index.pem", $onePem);
709		- file_put_contents($tmpDir . "/root-ca-allcerts/intermediate$index.pem", $onePem);
	708	+ file_put_contents($tmpDir."/root-ca-eaponly/intermediate$index.pem", $onePem);
	709	+ file_put_contents($tmpDir."/root-ca-allcerts/intermediate$index.pem", $onePem);
710	710	}
711	711	foreach ($eapIntermediateCRLs as $index => $onePem) {
712		- file_put_contents($tmpDir . "/root-ca-eaponly/intermediateCRL$index.pem", $onePem);
713		- file_put_contents($tmpDir . "/root-ca-allcerts/intermediateCRL$index.pem", $onePem);
	712	+ file_put_contents($tmpDir."/root-ca-eaponly/intermediateCRL$index.pem", $onePem);
	713	+ file_put_contents($tmpDir."/root-ca-allcerts/intermediateCRL$index.pem", $onePem);
714	714	}
715	715
716	716	$checkstring = "";
717	717	if (isset($servercert['CRL']) && isset($servercert['CRL'][0])) {
718	718	$this->loggerInstance->debug(4, "got a server CRL; adding them to the chain checks. (Remember: checking end-entity cert only, not the whole chain");
719	719	$checkstring = "-crl_check_all";
720		- file_put_contents($tmpDir . "/root-ca-eaponly/crl-server.pem", $servercert['CRL'][0]);
721		- file_put_contents($tmpDir . "/root-ca-allcerts/crl-server.pem", $servercert['CRL'][0]);
	720	+ file_put_contents($tmpDir."/root-ca-eaponly/crl-server.pem", $servercert['CRL'][0]);
	721	+ file_put_contents($tmpDir."/root-ca-allcerts/crl-server.pem", $servercert['CRL'][0]);
722	722	}
723	723
724	724
725	725	// now c_rehash the root CA directory ...
726		- system(CONFIG_DIAGNOSTICS['PATHS']['c_rehash'] . " $tmpDir/root-ca-eaponly/ > /dev/null");
727		- system(CONFIG_DIAGNOSTICS['PATHS']['c_rehash'] . " $tmpDir/root-ca-allcerts/ > /dev/null");
	726	+ system(CONFIG_DIAGNOSTICS['PATHS']['c_rehash']." $tmpDir/root-ca-eaponly/ > /dev/null");
	727	+ system(CONFIG_DIAGNOSTICS['PATHS']['c_rehash']." $tmpDir/root-ca-allcerts/ > /dev/null");
728	728	return $checkstring;
729	729	}
730	730
		@@ -756,12 +756,12 @@ discard block
		block discarded – undo
756	756	// the error log will complain if we run this test against an empty file of certs
757	757	// so test if there's something PEMy in the file at all
758	758	if (filesize("$tmpDir/serverchain.pem") > 10) {
759		- exec(CONFIG['PATHS']['openssl'] . " verify $crlCheckString -CApath $tmpDir/root-ca-eaponly/ -purpose any $tmpDir/incomingserver.pem", $verifyResultEaponly);
760		- $this->loggerInstance->debug(4, CONFIG['PATHS']['openssl'] . " verify $crlCheckString -CApath $tmpDir/root-ca-eaponly/ -purpose any $tmpDir/serverchain.pem\n");
761		- $this->loggerInstance->debug(4, "Chain verify pass 1: " . print_r($verifyResultEaponly, TRUE) . "\n");
762		- exec(CONFIG['PATHS']['openssl'] . " verify $crlCheckString -CApath $tmpDir/root-ca-allcerts/ -purpose any $tmpDir/incomingserver.pem", $verifyResultAllcerts);
763		- $this->loggerInstance->debug(4, CONFIG['PATHS']['openssl'] . " verify $crlCheckString -CApath $tmpDir/root-ca-allcerts/ -purpose any $tmpDir/serverchain.pem\n");
764		- $this->loggerInstance->debug(4, "Chain verify pass 2: " . print_r($verifyResultAllcerts, TRUE) . "\n");
	759	+ exec(CONFIG['PATHS']['openssl']." verify $crlCheckString -CApath $tmpDir/root-ca-eaponly/ -purpose any $tmpDir/incomingserver.pem", $verifyResultEaponly);
	760	+ $this->loggerInstance->debug(4, CONFIG['PATHS']['openssl']." verify $crlCheckString -CApath $tmpDir/root-ca-eaponly/ -purpose any $tmpDir/serverchain.pem\n");
	761	+ $this->loggerInstance->debug(4, "Chain verify pass 1: ".print_r($verifyResultEaponly, TRUE)."\n");
	762	+ exec(CONFIG['PATHS']['openssl']." verify $crlCheckString -CApath $tmpDir/root-ca-allcerts/ -purpose any $tmpDir/incomingserver.pem", $verifyResultAllcerts);
	763	+ $this->loggerInstance->debug(4, CONFIG['PATHS']['openssl']." verify $crlCheckString -CApath $tmpDir/root-ca-allcerts/ -purpose any $tmpDir/serverchain.pem\n");
	764	+ $this->loggerInstance->debug(4, "Chain verify pass 2: ".print_r($verifyResultAllcerts, TRUE)."\n");
765	765	}
766	766
767	767
		@@ -828,7 +828,7 @@ discard block
		block discarded – undo
828	828	// we are UNHAPPY if no names match!
829	829	$happiness = "UNHAPPY";
830	830	foreach ($this->expectedServerNames as $expectedName) {
831		- $this->loggerInstance->debug(4, "Managing expectations for $expectedName: " . print_r($servercert['CN'], TRUE) . print_r($servercert['sAN_DNS'], TRUE));
	831	+ $this->loggerInstance->debug(4, "Managing expectations for $expectedName: ".print_r($servercert['CN'], TRUE).print_r($servercert['sAN_DNS'], TRUE));
832	832	if (array_search($expectedName, $servercert['CN']) !== FALSE && array_search($expectedName, $servercert['sAN_DNS']) !== FALSE) {
833	833	$this->loggerInstance->debug(4, "Totally happy!");
834	834	$happiness = "TOTALLY";
		@@ -873,11 +873,11 @@ discard block
		block discarded – undo
873	873	$theconfigs = $this->wpaSupplicantConfig($eaptype, $finalInner, $finalOuter, $password);
874	874	// the config intentionally does not include CA checking. We do this
875	875	// ourselves after getting the chain with -o.
876		- file_put_contents($tmpDir . "/udp_login_test.conf", $theconfigs[0]);
	876	+ file_put_contents($tmpDir."/udp_login_test.conf", $theconfigs[0]);
877	877
878	878	$cmdline = $this->eapolTestConfig($probeindex, $opnameCheck, $frag);
879	879	$this->loggerInstance->debug(4, "Shallow reachability check cmdline: $cmdline\n");
880		- $this->loggerInstance->debug(4, "Shallow reachability check config: $tmpDir\n" . $theconfigs[1] . "\n");
	880	+ $this->loggerInstance->debug(4, "Shallow reachability check config: $tmpDir\n".$theconfigs[1]."\n");
881	881	$time_start = microtime(true);
882	882	$pflow = [];
883	883	exec($cmdline, $pflow);
		@@ -921,7 +921,7 @@ discard block
		block discarded – undo
921	921	if ($packetflow[count($packetflow) - 1] == 3 && $this->checkLineparse($packetflow_orig, self::LINEPARSE_CHECK_REJECTIGNORE)) {
922	922	array_pop($packetflow);
923	923	}
924		- $this->loggerInstance->debug(5, "Packetflow: " . print_r($packetflow, TRUE));
	924	+ $this->loggerInstance->debug(5, "Packetflow: ".print_r($packetflow, TRUE));
925	925	$packetcount = array_count_values($packetflow);
926	926	$testresults['packetcount'] = $packetcount;
927	927	$testresults['packetflow'] = $packetflow;
		@@ -952,7 +952,7 @@ discard block
		block discarded – undo
952	952	private function wasModernTlsNegotiated(&$testresults, $packetflow_orig)
953	953	{
954	954	$negotiatedTlsVersion = $this->checkLineparse($packetflow_orig, self::LINEPARSE_TLSVERSION);
955		- $this->loggerInstance->debug(4,"TLS version found is: $negotiatedTlsVersion"."\n");
	955	+ $this->loggerInstance->debug(4, "TLS version found is: $negotiatedTlsVersion"."\n");
956	956	if ($negotiatedTlsVersion == FALSE) {
957	957	$testresults['cert_oddities'][] = RADIUSTests::TLSPROB_UNKNOWN_TLS_VERSION;
958	958	} elseif ($negotiatedTlsVersion != self::TLS_VERSION_1_2 && $negotiatedTlsVersion != self::TLS_VERSION_1_3) {
		@@ -1012,7 +1012,7 @@ discard block
		block discarded – undo
1012	1012
1013	1013	$x509 = new \core\common\X509();
1014	1014	// $eap_certarray holds all certs received in EAP conversation
1015		- $incomingData = file_get_contents($tmpDir . "/serverchain.pem");
	1015	+ $incomingData = file_get_contents($tmpDir."/serverchain.pem");
1016	1016	if ($incomingData !== FALSE && strlen($incomingData) > 0) {
1017	1017	$eapCertArray = $x509->splitCertificate($incomingData);
1018	1018	} else {
		@@ -1042,10 +1042,10 @@ discard block
		block discarded – undo
1042	1042	case RADIUSTests::SERVER_CA_SELFSIGNED:
1043	1043	$servercert[] = $cert;
1044	1044	if (count($servercert) == 1) {
1045		- if (file_put_contents($tmpDir . "/incomingserver.pem", $certPem . "\n") === FALSE) {
	1045	+ if (file_put_contents($tmpDir."/incomingserver.pem", $certPem."\n") === FALSE) {
1046	1046	$this->loggerInstance->debug(4, "The (first) server certificate could not be written to $tmpDir/incomingserver.pem!\n");
1047	1047	}
1048		- $this->loggerInstance->debug(4, "This is the (first) server certificate, with CRL content if applicable: " . print_r($servercert[0], true));
	1048	+ $this->loggerInstance->debug(4, "This is the (first) server certificate, with CRL content if applicable: ".print_r($servercert[0], true));
1049	1049	} elseif (!in_array(RADIUSTests::CERTPROB_TOO_MANY_SERVER_CERTS, $testresults['cert_oddities'])) {
1050	1050	$testresults['cert_oddities'][] = RADIUSTests::CERTPROB_TOO_MANY_SERVER_CERTS;
1051	1051	}
		@@ -1126,7 +1126,7 @@ discard block
		block discarded – undo
1126	1126	chdir($tmpDir);
1127	1127	$this->loggerInstance->debug(4, "temp dir: $tmpDir\n");
1128	1128	if ($clientcertdata !== NULL) {
1129		- file_put_contents($tmpDir . "/client.p12", $clientcertdata);
	1129	+ file_put_contents($tmpDir."/client.p12", $clientcertdata);
1130	1130	}
1131	1131	$testresults = [];
1132	1132	// initialise the sub-array for cleaner parsing
		@@ -1227,7 +1227,7 @@ discard block
		block discarded – undo
1227	1227	'issuer' => $this->printDN($certdata['issuer']),
1228	1228	'validFrom' => $this->printTm($certdata['validFrom_time_t']),
1229	1229	'validTo' => $this->printTm($certdata['validTo_time_t']),
1230		- 'serialNumber' => $certdata['serialNumber'] . sprintf(" (0x%X)", $certdata['serialNumber']),
	1230	+ 'serialNumber' => $certdata['serialNumber'].sprintf(" (0x%X)", $certdata['serialNumber']),
1231	1231	'sha1' => $certdata['sha1'],
1232	1232	'extensions' => $certdata['extensions']
1233	1233	];

GEANT / CAT

Push — release_2_0 ( 2b9a09...993113 )

Status

Category

Spacing +54 added lines, -54 removed lines patch added patch discarded remove patch