Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
O
OpnSense
Project
Project
Details
Activity
Releases
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Kulya
OpnSense
Commits
69a81ab1
Commit
69a81ab1
authored
Jan 17, 2016
by
Franco Fichtner
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
certs: refactor ca_chain for #664
parent
f2d200cd
Changes
4
Show whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
36 additions
and
32 deletions
+36
-32
certs.inc
src/etc/inc/certs.inc
+18
-11
openvpn-client-export.inc
src/etc/inc/openvpn-client-export.inc
+10
-14
system.inc
src/etc/inc/system.inc
+6
-6
generate_certs.php
...pnsense/scripts/OPNsense/CaptivePortal/generate_certs.php
+2
-1
No files found.
src/etc/inc/certs.inc
View file @
69a81ab1
...
@@ -111,19 +111,26 @@ function ca_chain_array(& $cert) {
...
@@ -111,19 +111,26 @@ function ca_chain_array(& $cert) {
return
false
;
return
false
;
}
}
function
ca_chain
(
&
$cert
)
{
function
ca_chain
(
&
$cert
)
if
(
isset
(
$cert
[
'caref'
]))
{
{
$ca
=
""
;
$ca
=
''
;
if
(
!
isset
(
$cert
[
'caref'
]))
{
return
$ca
;
}
$cas
=
ca_chain_array
(
$cert
);
$cas
=
ca_chain_array
(
$cert
);
if
(
is_array
(
$cas
))
if
(
!
is_array
(
$cas
))
{
foreach
(
$cas
as
&
$ca_cert
)
return
$ca
;
{
}
foreach
(
$cas
as
&
$ca_cert
)
{
$ca
.=
base64_decode
(
$ca_cert
[
'crt'
]);
$ca
.=
base64_decode
(
$ca_cert
[
'crt'
]);
$ca
.=
"
\n
"
;
$ca
.=
"
\n
"
;
}
}
return
$ca
;
}
/* sanitise output to make sure we generate clean files */
return
""
;
return
str_replace
(
"
\n\n
"
,
"
\n
"
,
str_replace
(
"
\r
"
,
""
,
$ca
))
;
}
}
function
ca_create
(
&
$ca
,
$keylen
,
$lifetime
,
$dn
,
$digest_alg
=
'sha256'
)
function
ca_create
(
&
$ca
,
$keylen
,
$lifetime
,
$dn
,
$digest_alg
=
'sha256'
)
...
...
src/etc/inc/openvpn-client-export.inc
View file @
69a81ab1
...
@@ -49,10 +49,11 @@ function openvpn_client_export_prefix($srvid, $usrid = null, $crtid = null) {
...
@@ -49,10 +49,11 @@ function openvpn_client_export_prefix($srvid, $usrid = null, $crtid = null) {
$port
=
$settings
[
'local_port'
];
$port
=
$settings
[
'local_port'
];
$filename_addition
=
""
;
$filename_addition
=
""
;
if
(
$usrid
&&
is_numeric
(
$usrid
))
if
(
$usrid
&&
is_numeric
(
$usrid
))
{
$filename_addition
=
"-"
.
$config
[
'system'
][
'user'
][
$usrid
][
'name'
];
$filename_addition
=
"-"
.
$config
[
'system'
][
'user'
][
$usrid
][
'name'
];
elseif
(
$crtid
&&
is_numeric
(
$crtid
)
&&
function_exists
(
"cert_get_cn"
))
}
elseif
(
$crtid
&&
is_numeric
(
$crtid
))
{
$filename_addition
=
"-"
.
str_replace
(
' '
,
'_'
,
cert_get_cn
(
$config
[
'cert'
][
$crtid
][
'crt'
]));
$filename_addition
=
"-"
.
str_replace
(
' '
,
'_'
,
cert_get_cn
(
$config
[
'cert'
][
$crtid
][
'crt'
]));
}
return
"
{
$host
}
-
{
$prot
}
-
{
$port
}{
$filename_addition
}
"
;
return
"
{
$host
}
-
{
$prot
}
-
{
$port
}{
$filename_addition
}
"
;
}
}
...
@@ -95,14 +96,12 @@ function openvpn_client_export_validate_config($srvid, $usrid, $crtid) {
...
@@ -95,14 +96,12 @@ function openvpn_client_export_validate_config($srvid, $usrid, $crtid) {
{
{
$input_errors
[]
=
gettext
(
"Could not locate server certificate."
);
$input_errors
[]
=
gettext
(
"Could not locate server certificate."
);
}
else
{
}
else
{
$server_ca
=
isset
(
$server_cert
[
'caref'
])
?
str_replace
(
"
\n\n
"
,
"
\n
"
,
str_replace
(
"
\r
"
,
""
,
ca_chain
(
$server_cert
)))
:
null
;
$server_ca
=
ca_chain
(
$server_cert
)
;
if
(
!
$server_ca
)
{
if
(
empty
(
$server_ca
)
)
{
$input_errors
[]
=
gettext
(
"Could not locate the CA reference for the server certificate."
);
$input_errors
[]
=
gettext
(
"Could not locate the CA reference for the server certificate."
);
}
}
if
(
function_exists
(
"cert_get_cn"
))
{
$servercn
=
cert_get_cn
(
$server_cert
[
'crt'
]);
$servercn
=
cert_get_cn
(
$server_cert
[
'crt'
]);
}
}
}
// lookup user info
// lookup user info
if
(
is_numeric
(
$usrid
))
{
if
(
is_numeric
(
$usrid
))
{
...
@@ -277,11 +276,9 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $verifys
...
@@ -277,11 +276,9 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $verifys
// - Disable for now, it requires the server cert to include special options
// - Disable for now, it requires the server cert to include special options
//$conf .= "remote-cert-tls server{$nl}";
//$conf .= "remote-cert-tls server{$nl}";
// Extra protection for the server cert, if it's supported
if
(
function_exists
(
"cert_get_purpose"
))
{
if
(
is_array
(
$server_cert
)
&&
(
$server_cert
[
'crt'
]))
{
if
(
is_array
(
$server_cert
)
&&
(
$server_cert
[
'crt'
]))
{
$purpose
=
cert_get_purpose
(
$server_cert
[
'crt'
],
true
);
$purpose
=
cert_get_purpose
(
$server_cert
[
'crt'
],
true
);
if
(
$purpose
[
'server'
]
==
'Yes'
)
if
(
$purpose
[
'server'
]
==
'Yes'
)
{
$conf
.=
"ns-cert-type server
{
$nl
}
"
;
$conf
.=
"ns-cert-type server
{
$nl
}
"
;
}
}
}
}
...
@@ -919,4 +916,3 @@ function openvpn_client_export_find_hostname($interface) {
...
@@ -919,4 +916,3 @@ function openvpn_client_export_find_hostname($interface) {
}
}
}
}
?>
src/etc/inc/system.inc
View file @
69a81ab1
...
@@ -970,16 +970,16 @@ function system_webgui_start()
...
@@ -970,16 +970,16 @@ function system_webgui_start()
$a_cert
[]
=
$cert
;
$a_cert
[]
=
$cert
;
$config
[
'system'
][
'webgui'
][
'ssl-certref'
]
=
$cert
[
'refid'
];
$config
[
'system'
][
'webgui'
][
'ssl-certref'
]
=
$cert
[
'refid'
];
write_config
(
gettext
(
"Importing HTTPS certificate"
));
write_config
(
gettext
(
"Importing HTTPS certificate"
));
if
(
!
$config
[
'system'
][
'webgui'
][
'port'
])
$portarg
=
"443"
;
$ca
=
ca_chain
(
$cert
);
}
else
{
}
else
{
$crt
=
base64_decode
(
$cert
[
'crt'
]);
$crt
=
base64_decode
(
$cert
[
'crt'
]);
$key
=
base64_decode
(
$cert
[
'prv'
]);
$key
=
base64_decode
(
$cert
[
'prv'
]);
if
(
!
$config
[
'system'
][
'webgui'
][
'port'
])
$portarg
=
"443"
;
$ca
=
ca_chain
(
$cert
);
}
}
if
(
!
$config
[
'system'
][
'webgui'
][
'port'
])
{
$portarg
=
'443'
;
}
$ca
=
ca_chain
(
$cert
);
}
}
/* generate lighttpd configuration */
/* generate lighttpd configuration */
...
...
src/opnsense/scripts/OPNsense/CaptivePortal/generate_certs.php
View file @
69a81ab1
#!/usr/local/bin/php
#!/usr/local/bin/php
<?php
<?php
/**
/**
* Copyright (C) 2015 Deciso B.V.
* Copyright (C) 2015 Deciso B.V.
*
*
...
@@ -56,7 +57,7 @@ if (isset($configObj->OPNsense->captiveportal->zones)) {
...
@@ -56,7 +57,7 @@ if (isset($configObj->OPNsense->captiveportal->zones)) {
// generate ca pem file
// generate ca pem file
if
(
!
empty
(
$cert
->
caref
))
{
if
(
!
empty
(
$cert
->
caref
))
{
$output_pem_filename
=
"/var/etc/ca-cp-zone"
.
$zone_id
.
".pem"
;
$output_pem_filename
=
"/var/etc/ca-cp-zone"
.
$zone_id
.
".pem"
;
$ca
=
str_replace
(
"
\n\n
"
,
"
\n
"
,
str_replace
(
"
\r
"
,
""
,
ca_chain
(
$cert
))
);
$ca
=
ca_chain
(
$cert
);
file_put_contents
(
$output_pem_filename
,
$pem_content
);
file_put_contents
(
$output_pem_filename
,
$pem_content
);
chmod
(
$output_pem_filename
,
0600
);
chmod
(
$output_pem_filename
,
0600
);
echo
"certificate generated "
.
$output_pem_filename
.
"
\n
"
;
echo
"certificate generated "
.
$output_pem_filename
.
"
\n
"
;
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment