authorjim-p <jimp@pfsense.org>2011-05-11 16:10:08 -0400
committerjim-p <jimp@pfsense.org>2011-05-11 16:10:49 -0400
commit728003c8934207a87e7c32a0aa2caecccf3ff8c1 (patch)
treeca55a1a50aaea389907ee1cdf3c8fa44f0bc1c0d
parent51b9e41d9ec65536b6ee3f572d9896f7145ee724 (diff)
downloadpfsense-728003c8934207a87e7c32a0aa2caecccf3ff8c1.zip
pfsense-728003c8934207a87e7c32a0aa2caecccf3ff8c1.tar.gz
Various CRL fixes, handle empty internal CRLs better.
-rw-r--r--etc/inc/certs.inc13
-rw-r--r--etc/inc/openvpn.inc1
-rw-r--r--usr/local/www/system_crlmanager.php1
3 files changed, 10 insertions, 5 deletions
diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc
index c6cd787..e62719c 100644
--- a/etc/inc/certs.inc
+++ b/etc/inc/certs.inc
@@ -479,7 +479,7 @@ function crl_update(& $crl) {
if (!$ca)
return false;
// If we have text but no certs, it was imported and cannot be updated.
- if (!empty($crl['text']) && empty($crl['cert']))
+ if (($crl["method"] != "internal") && (!empty($crl['text']) && empty($crl['cert'])))
return false;
$crl['serial']++;
$ca_str_crt = base64_decode($ca['crt']);
@@ -514,9 +514,12 @@ function cert_unrevoke($cert, & $crl) {
foreach ($crl['cert'] as $id => $rcert) {
if (($rcert['refid'] == $cert['refid']) || ($rcert['descr'] == $cert['descr'])) {
unset($crl['cert'][$id]);
- if (count($crl['cert']) == 0)
- unset($crl['text']);
- else
+ if (count($crl['cert']) == 0) {
+ // Protect against accidentally switching the type to imported, for older CRLs
+ if (!isset($crl['method']))
+ $crl['method'] = "internal";
+ crl_update($crl);
+ } else
crl_update($crl);
return true;
}
@@ -567,7 +570,7 @@ function crl_in_use($crlref) {
}
function is_crl_internal($crl) {
- return !(!empty($crl['text']) && empty($crl['cert']));
+ return (!(!empty($crl['text']) && empty($crl['cert'])) || ($crl["method"] == "internal"));
}
?>
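Review bot: `$crl["method"]` is read with a loose `!=`/`==` in the new lines of crl_update and is_crl_internal without checking that the key exists, so CRLs created before this change (which the cert_unrevoke hunk itself acknowledges lack `method`) raise an undefined-index notice on every call and fall through on the loose comparison. The same guard the cert_unrevoke hunk applies belongs in both comparisons, e.g. `$is_internal = isset($crl['method']) && ($crl['method'] === "internal");` followed by `if (!$is_internal && !empty($crl['text']) && empty($crl['cert']))` in crl_update and `return !(!empty($crl['text']) && empty($crl['cert'])) || $is_internal;` in is_crl_internal. In the cert_unrevoke hunk both branches of the new `if`/`else` end by calling crl_update, so the `else` can be dropped and `crl_update($crl);` placed once after the block. crl_update and cert_unrevoke both begin before and continue beyond their hunks.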
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
index 4115784..7f82975 100644
--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
@@ -953,6 +953,7 @@ function openvpn_refresh_crls() {
case 'server_user':
if (!empty($settings['crlref'])) {
$crl = lookup_crl($settings['crlref']);
+ crl_update($crl);
$fpath = $g['varetc_path']."/openvpn/server{$settings['vpnid']}.crl-verify";
file_put_contents($fpath, base64_decode($crl['text']));
@chmod($fpath, 0644);
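Review bot: The value returned by lookup_crl is passed to crl_update by reference on the added line without checking that a CRL was found, and crl_update's return value is discarded, so a missing CRL or a CRL whose CA cannot be resolved is not noticed before `$crl['text']` is written to the crl-verify file on the next line. Since crl_update increments `$crl['serial']` and regenerates the text, every refresh now yields a new CRL revision; whether that is persisted or only reflected in the written file depends on the caller, which is outside this hunk. At minimum guard the call on the shape the following write already assumes, `if (is_array($crl)) crl_update($crl);`, and consider skipping the write when no CRL was resolved. openvpn_refresh_crls starts before and continues after this hunk.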
diff --git a/usr/local/www/system_crlmanager.php b/usr/local/www/system_crlmanager.php
index 67e4b2f..72e795b 100644
--- a/usr/local/www/system_crlmanager.php
+++ b/usr/local/www/system_crlmanager.php
@@ -223,6 +223,7 @@ if ($_POST) {
$crl['descr'] = $pconfig['descr'];
$crl['caref'] = $pconfig['caref'];
+ $crl['method'] = $pconfig['method'];
if ($pconfig['method'] == "existing") {
$crl['text'] = base64_encode($pconfig['crltext']);
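Review bot: `$pconfig['method']` is stored into the CRL record unvalidated on the added line; if `$pconfig` is populated from the request, as the enclosing `if ($_POST)` suggests, any submitted string is persisted as the CRL type and later compared against "internal"/"existing" by the helpers in certs.inc. Restrict it to the two known values before assignment, e.g. `$crl['method'] = ($pconfig['method'] == "existing") ? "existing" : "internal";`, or reject other values as an input error. It is also worth confirming that, when an existing CRL is being edited, this assignment cannot flip an imported CRL to internal (which would make crl_update overwrite its text); the surrounding save block continues outside the hunk.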