Issues (173)

Security Analysis    13 potential vulnerabilities

This project does not seem to handle request data directly; as such, no vulnerable execution paths were found.

  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  Response Splitting (3)
Response Splitting can be used to send arbitrary responses.
  File Manipulation (6)
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  File Exposure
File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
  XPath Injection
XPath Injection enables an attacker to modify the parts of an XML document that are read. If that XML document is, for example, used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Command Injection
Command Injection enables an attacker to inject a shell command that is executed with the privileges of the web-server. This can be used to expose sensitive data, or gain access to your server.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Cross-Site Scripting (1)
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

devices/ms/DeviceW8W10.php (7 issues)

<?php

/*
 * *****************************************************************************
 * Contributions to this work were made on behalf of the GÉANT project, a
 * project that has received funding from the European Union’s Framework
 * Programme 7 under Grant Agreements No. 238875 (GN3) and No. 605243 (GN3plus),
 * Horizon 2020 research and innovation programme under Grant Agreements No.
 * 691567 (GN4-1) and No. 731122 (GN4-2).
 * On behalf of the aforementioned projects, GEANT Association is the sole owner
 * of the copyright in all material which was developed by a member of the GÉANT
 * project. GÉANT Vereniging (Association) is registered with the Chamber of
 * Commerce in Amsterdam with registration number 40535155 and operates in the
 * UK as a branch of GÉANT Vereniging.
 *
 * Registered office: Hoekenrode 3, 1102BR Amsterdam, The Netherlands.
 * UK branch address: City House, 126-130 Hills Road, Cambridge CB2 1PQ, UK
 *
 * License: see the web/copyright.inc.php file in the file structure or
 *          <base_url>/copyright.php after deploying the software
 */

/**
 * This file creates MS Windows 8 and 10 installers
 * It supports EAP-TLS, TTLS (both native and GEANTLink), PEAP.
 * Other EAP methods could be added.
 *
 * The file is an interface between the global CAT system and individual EAP
 * methods modules. It also performs global operations like preparing
 * and saving certificates and generating the installers.
 *
 * Adding a new EAP handler requires defining an extension of the MsEapProfile
 * class. Such an extension is required to define a public getConfig method
 * returning a valid Windows XML <Config> element.
 * Extensions to Files/common.inc will also be required.
 *
 * @author Tomasz Wolniewicz <[email protected]>
 *
 * @package ModuleWriting
 */

namespace devices\ms;
use Exception;

class DeviceW8W10 extends \devices\ms\WindowsCommon
{
    public function __construct()
    {
        parent::__construct();
        \core\common\Entity::intoThePotatoes();
        $this->setSupportedEapMethods([
            \core\common\EAP::EAPTYPE_TLS,
            \core\common\EAP::EAPTYPE_PEAP_MSCHAP2,
            \core\common\EAP::EAPTYPE_TTLS_PAP,
            \core\common\EAP::EAPTYPE_TTLS_MSCHAP2,
            \core\common\EAP::EAPTYPE_SILVERBULLET
        ]);
        $this->profileNames = [];
        $this->specialities['internal:use_anon_outer'][serialize(\core\common\EAP::EAPTYPE_PEAP_MSCHAP2)] = _("Anonymous identities do not use the realm as specified in the profile - it is derived from the suffix of the user's username input instead.");
        $this->specialities['media:openroaming'] = _("While OpenRoaming can be configured, it is possible that the Wi-Fi hardware does not support it; then the network definition is ignored.");
        $this->specialities['media:consortium_OI'] = _("While Passpoint networks can be configured, it is possible that the Wi-Fi hardware does not support it; then the network definition is ignored.");
        \core\common\Entity::outOfThePotatoes();
    }

    /**
     * create the actual installer executable
     *
     * @return string filename of the generated installer
     *
     */
    public function writeInstaller()
    {
        \core\common\Entity::intoThePotatoes();
        $this->prepareInstallerLang();
        $this->setupEapConfig();
        $setWired = isset($this->attributes['media:wired'][0]) && $this->attributes['media:wired'][0] == 'on' ? 1 : 0;
        $this->iterator = 0;
        $fcontentsProfile = '';
        $this->createProfileDir();
        foreach ($this->attributes['internal:networks'] as $networkName => $oneNetwork) {
            if ($this::separateHS20profiles === true) {
                $fcontentsProfile .= $this->saveNetworkProfileSeparateHS($networkName, $oneNetwork);
            } else {
                $fcontentsProfile .= $this->saveNetworkProfileJoinedHS($networkName, $oneNetwork);
            }
        }
        file_put_contents('profiles.nsh', $fcontentsProfile);
        $delSSIDs = $this->attributes['internal:remove_SSID'];
        $delProfiles = [];
        foreach ($delSSIDs as $ssid => $cipher) {
            if ($cipher == 'DEL') {
                $delProfiles[] = $ssid;
            }
            if ($cipher == 'TKIP') {
                $delProfiles[] = $ssid.' (TKIP)';
            }
        }
        // the two lines below remove the eduroam® profiles we used to install, this is a temporary hack until a better solution is implemented
        $delProfiles[] = 'eduroam®';
        $delProfiles[] = 'eduroam® via partner';
        // this removes the profile container that we used in CAT 2.1 and removed in 2.1.1
        $delProfiles[] = sprintf('%s Custom Network', \core\CAT::$nomenclature_participant);
        $this->writeAdditionalDeletes($delProfiles);
        if ($setWired) {
            $this->loggerInstance->debug(4, "Saving LAN profile\n");
            $windowsProfile = $this->generateLANprofile();
            $this->saveProfile($windowsProfile);
        }
        $this->saveCerts();
        if ($this->selectedEap == \core\common\EAP::EAPTYPE_SILVERBULLET) {
            $this->writeClientP12File();
        }
        $this->copyFiles($this->selectedEap);
        $this->saveLogo();
        $this->writeMainNSH($this->selectedEap, $this->attributes);
        $this->compileNSIS();
        $installerPath = $this->signInstaller();
        \core\common\Entity::outOfThePotatoes();
        return $installerPath;
    }

    private function createProfileDir()
    {
        if (!is_dir('profiles')) {
            mkdir('profiles');
        }
    }

    /**
     * If separateHS20profiles is true then we should be saving OID and SSID
     * profiles separately. OID profiles should be considered optional, i.e.
     * the installer should not report installation failure (??). If we decide
     * that such installation failures should be silent then it is enough if
     * these profiles are marked as hs20 and no "nohs" profiles are created
     */

    private function saveNetworkProfileSeparateHS($profileName, $network)
    {
        $out = '';
        if (!empty($network['ssid'])) {
            if ($this::separateSSIDprofiles === true && !empty($network['condition']) && $network['condition'] === 'locally_defined') {
                $out = "";
                foreach ($network['ssid'] as $ssid) {
                    $this->loggerInstance->debug(4, "SSID network: $ssid\n");
                    $windowsProfileSSID = $this->generateWlanProfile($ssid, [$ssid], 'WPA2', 'AES', [], false);
                    $this->saveProfile($windowsProfileSSID, $this->iterator, true);
                    $out .= "!insertmacro define_wlan_profile \"$ssid\" \"AES\" 0 \"0\"\n";
                    $this->iterator++;
                }
            } else {
                $this->loggerInstance->debug(4, "SSID network: $profileName\n");
                $windowsProfileSSID = $this->generateWlanProfile($profileName, $network['ssid'], 'WPA2', 'AES', [], false);
                $this->saveProfile($windowsProfileSSID, $this->iterator, true);
                $ssids = '';
                foreach ($network['ssid'] as $ssid) {
                    if ($ssid != $profileName) {
                        $ssids .= '|'.$ssid;
                    }
                }
                $out = "!insertmacro define_wlan_profile \"$profileName\" \"AES\" 0 \"$ssids\"\n";
                $this->iterator++;
            }
            $profileName .= " via partner";
        }
        if (!empty($network['oi'])) {
            $this->loggerInstance->debug(4, "RCOI network: $profileName\n");
            $windowsProfileHS = $this->generateWlanProfile($profileName, ['cat-passpoint-profile'], 'WPA2', 'AES', $network['oi'], true);
            $this->saveProfile($windowsProfileHS, $this->iterator, true);
            $out .= "!insertmacro define_wlan_profile \"$profileName\" \"AES\" 1 \"0\"\n";
            $this->iterator++;
        }
        return($out);
    }

    /**
     * If separateHS20profiles is false then we should be saving a hs20 profile
     * containing both OIDs and SSIDs. In addition we should also be saving
     * a nohs_... profile. When  the installer runs it first tries the normal
     * profile and if this fails it will try the nohs (if one exists)
     */

    private function saveNetworkProfileJoinedHS($profileName, $network)
    {
        $oiOnly = false;
        if ($network['ssid'] == []) {
            $oiOnly = true;
            $network['ssid'] = ['cat-passpoint-profile'];
        }
        $windowsProfile = $this->generateWlanProfile($profileName, $network['ssid'], 'WPA2', 'AES', $network['oi'], true);
        $this->saveProfile($windowsProfile, $this->iterator, true);
        if (!$oiOnly) {
            $windowsProfile = $this->generateWlanProfile($profileName, $network['ssid'], 'WPA2', 'AES', [], false);
            $this->saveProfile($windowsProfile, $this->iterator, false);
        }
        $this->iterator++;
        return("!insertmacro define_wlan_profile \"$profileName\" \"AES\" 2 \"".implode('|', $network['ssid'])."\"\n");
    }

    private function saveLogo()
    {
        $fedLogo = $this->attributes['fed:logo_file'] ?? NULL;
        $idpLogo = $this->attributes['internal:logo_file'] ?? NULL;
        $this->combineLogo($idpLogo, $fedLogo);
    }

    private function writeMainNSH($eap, $attr)
    {
        $this->loggerInstance->debug(4, "writeMainNSH");
        $this->loggerInstance->debug(4, $attr);
        $this->loggerInstance->debug(4, "Device_id = ".$this->device_id."\n");
        $fcontents = "!define W8\n";
        if ($this->device_id == 'w10') {
            $fcontents .= "!define W10\n";
        }
        $fcontents .= "Unicode true\n";
        if ($this->useGeantLink && $this->selectedEap['OUTER'] == \core\common\EAP::TTLS) {
            $eapStr = 'GEANTLink';
        } else {
            $eapStr = \core\common\EAP::eapDisplayName($this->selectedEap)['OUTER'];
        }
        if (isset($this->tlsOtherUsername) && $this->tlsOtherUsername == 1) {
            $fcontents .= "!define PFX_USERNAME\n";
        }
        if ($eap == \core\common\EAP::EAPTYPE_SILVERBULLET) {
            $fcontents .= "!define SILVERBULLET\n";
        }
        $fcontents .= '!define '.$eapStr;
        $fcontents .= "\n".'!define EXECLEVEL "user"';
        $fcontents .= $this->writeNsisDefines($attr);
        file_put_contents('main.nsh', $fcontents);
    }

    private function copyFiles($eap)
    {
        $this->loggerInstance->debug(4, "copyFiles start\n");
        $this->copyBasicFiles();
        switch ($eap["OUTER"]) {
            case \core\common\EAP::TTLS:
                if ($this->useGeantLink) {
                    $this->copyGeantLinkFiles();
                } else {
                    $this->copyStandardNsi();
                }
                break;
            default:
                $this->copyStandardNsi();
        }
        $this->loggerInstance->debug(4, "copyFiles end\n");
        return true;
    }

    private function copyStandardNsi()
    {
        if (!$this->translateFile('eap_w8.inc', 'cat.NSI')) {
            throw new Exception("Translating needed file eap_w8.inc failed!");
        }
    }

    private function saveCerts()
    {
        $caArray = $this->saveCertificateFiles('der');
        $fcontentsCerts = '';
        $fileHandleCerts = fopen('certs.nsh', 'w');
        if ($fileHandleCerts === false) {
            throw new Exception("Unable to open new certs.nsh file for writing CAs.");
        }
        foreach ($caArray as $certAuthority) {
            $store = $certAuthority['root'] ? "root" : "ca";
            $fcontentsCerts .= '!insertmacro install_ca_cert "'.$certAuthority['file'].'" "'.$certAuthority['sha1'].'" "'.$store."\"\n";
        }
        fwrite($fileHandleCerts, $fcontentsCerts);
        fclose($fileHandleCerts);
    }

    /* saveProfile writes a LAN or WLAN profile
     * @param string $profile the XML content to be saved
     * @param int $profileNumber the profile index or NULL to indicate a LAN profile
     * @param boolean $hs20 for WLAN profiles indicates if use the nohs prefix
     */
    private function saveProfile($profile, $profileNumber = NULL, $hs20 = false)
    {
        if ($hs20) {
            $prefix = 'w';
        } else {
            $prefix = 'nohs_w';
        }
        if (is_null($profileNumber)) {
            $prefix = '';
            $suffix = '';
        } else {
            $suffix = "-$profileNumber";
        }
        $xmlFname = "profiles/".$prefix."lan_prof".$suffix.".xml";
        $this->loggerInstance->debug(4, "Saving profile to ".$xmlFname."\n");
        file_put_contents($xmlFname, $profile);
    }

    /**
     * Selects the appropriate handler for a given EAP type and returns
     * an initiated object
     *
     * @return a profile object
Issue: The type devices\ms\a was not found. Did you mean a? If so, make sure to prefix the type with \.
     */

    private function setEapObject()
    {
        switch ($this->selectedEap['OUTER']) {
            case \core\common\EAP::TTLS:
                if ($this->useGeantLink) {
                    return(new GeantLinkTtlsProfile());
Issue (Bug, Best Practice): The expression return new devices\ms\GeantLinkTtlsProfile() returns the type devices\ms\GeantLinkTtlsProfile which is incompatible with the documented return type devices\ms\a.
                } else {
                    return(new MsTtlsProfile());
Issue (Bug, Best Practice): The expression return new devices\ms\MsTtlsProfile() returns the type devices\ms\MsTtlsProfile which is incompatible with the documented return type devices\ms\a.
                }
            case \core\common\EAP::PEAP:
                return(new MsPeapProfile());
Issue (Bug, Best Practice): The expression return new devices\ms\MsPeapProfile() returns the type devices\ms\MsPeapProfile which is incompatible with the documented return type devices\ms\a.
            case \core\common\EAP::TLS:
                return(new MsTlsProfile());
Issue (Bug, Best Practice): The expression return new devices\ms\MsTlsProfile() returns the type devices\ms\MsTlsProfile which is incompatible with the documented return type devices\ms\a.
            default:
                // use Exception here
                break;
        }
    }

    private function setupEapConfig() {
        $servers = empty($this->attributes['eap:server_name']) ? '' : implode(';', $this->attributes['eap:server_name']);
        $outerId = $this->determineOuterIdString();
        $nea = (\core\common\Entity::getAttributeValue($this->attributes, 'media:wired', 0) === 'on') ? 'true' : 'false';
        $otherTlsName = \core\common\Entity::getAttributeValue($this->attributes, 'eap-specific:tls_use_other_id', 0) === 'on' ? 'true' : 'false';
        if (isset(\core\common\Entity::getAttributeValue($this->attributes, 'device-specific:geantlink', $this->device_id)[0]) &&
             \core\common\Entity::getAttributeValue($this->attributes, 'device-specific:geantlink', $this->device_id)[0] === 'on') {
             $this->useGeantLink = true;
        } else {
             $this->useGeantLink = false;
        }
        $eapConfig = $this->setEapObject();
        $eapConfig->setInnerType($this->selectedEap['INNER']);
        $eapConfig->setInnerTypeDisplay(\core\common\EAP::eapDisplayName($this->selectedEap)['INNER']);
        $eapConfig->setCAList($this->getAttribute('internal:CAs')[0]);
        $eapConfig->setServerNames($servers);
        $eapConfig->setOuterId($outerId);
        $eapConfig->setNea($nea);
        $eapConfig->setDisplayName($this->translateString($this->attributes['general:instname'][0]));
        $eapConfig->setIdPId($this->deviceUUID);
        $eapConfig->setOtherTlsName($otherTlsName);
        $eapConfig->setConfig();
        $this->eapConfigObject = $eapConfig;
    }

    private function generateWlanProfile($networkName, $ssids, $authentication, $encryption, $ois, $hs20 = false)
    {
        if (empty($this->attributes['internal:realm'][0])) {
            $domainName = \config\ConfAssistant::CONSORTIUM['interworking-domainname-fallback'];
        } else {
            $domainName = $this->attributes['internal:realm'][0];
        }
        $wlanProfile = new MsWlanProfile();
        $wlanProfile->setName($networkName);
        $wlanProfile->setEncryption($authentication, $encryption);
        $wlanProfile->setSSIDs($ssids);
        $wlanProfile->setHS20($hs20);
        $wlanProfile->setOIs($ois);
        $wlanProfile->setDomainName($domainName);
        $wlanProfile->setEapConfig($this->eapConfigObject);
        return($wlanProfile->writeWLANprofile());
    }

    private function generateLanProfile()
    {
        $lanProfile = new MsLanProfile();
        $lanProfile->setEapConfig($this->eapConfigObject);
        return($lanProfile->writeLANprofile());
    }

    private $eapTypeId;
Issue: The private property $eapTypeId is not used, and could be removed.
    private $eapAuthorId;
Issue: The private property $eapAuthorId is not used, and could be removed.
    private $eapConfigObject;
    private $profileNames;
    private $iterator;
}