authorErmal Luçi <ermal.luci@gmail.com>2012-07-03 11:01:13 -0700
committerErmal Luçi <ermal.luci@gmail.com>2012-07-03 11:01:13 -0700
commitb1dada0d0f99d7afb62c781820252d953683335f (patch)
tree16e82c4b29f5fbf3949d4a7da6a85151fcc5e0f5
parenta22b41d0e6e4e02eba1a09a34cbbc2f1da789711 (diff)
parent562ed531266d1a6dcabca2e33ef516e8a847fb0e (diff)
downloadpfsense-b1dada0d0f99d7afb62c781820252d953683335f.zip
pfsense-b1dada0d0f99d7afb62c781820252d953683335f.tar.gz
Merge pull request #163 from bcyrill/cp_cert2
Implement certificate chain in Captive Portal
-rw-r--r--etc/inc/captiveportal.inc14
-rw-r--r--etc/inc/certs.inc2
-rw-r--r--etc/inc/upgrade_config.inc32
-rwxr-xr-xusr/local/www/services_captiveportal.php76
4 files changed, 47 insertions, 77 deletions
diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc
index ba9d7e4..f0653ab 100644
--- a/etc/inc/captiveportal.inc
+++ b/etc/inc/captiveportal.inc
@@ -455,18 +455,14 @@ function captiveportal_init_webgui_zone($cpcfg) {
if (isset($cpcfg['httpslogin'])) {
$cert = lookup_cert($cpcfg['certref']);
- $cert_crt = base64_decode($cert['crt']);
- $cert_prv = base64_decode($cert['prv']);
- if (isset($cpcfg['caref'])) {
- $ca = lookup_ca($cpcfg['caref']);
- $ca_crt = base64_decode($ca['crt']);
- }
- else
- $ca_crt = "";
+ $crt = base64_decode($cert['crt']);
+ $key = base64_decode($cert['prv']);
+ $ca = ca_chain($cert);
+
/* generate lighttpd configuration */
$listenporthttps = $cpcfg['listenporthttps'] ? $cpcfg['listenporthttps'] : ($cpcfg['zoneid'] + 1);
system_generate_lighty_config("{$g['varetc_path']}/lighty-{$cpzone}-CaptivePortal-SSL.conf",
- $cert_crt, $cert_prv, $ca_crt, "lighty-{$cpzone}-CaptivePortal-SSL.pid", $listenporthttps, "/usr/local/captiveportal",
+ $crt, $key, $ca, "lighty-{$cpzone}-CaptivePortal-SSL.pid", $listenporthttps, "/usr/local/captiveportal",
"cert-portal.pem", "ca-portal.pem", "1", $use_fastcgi, $cpzone);
}
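Review bot: `$cert` returned by `lookup_cert($cpcfg['certref'])` is base64-decoded and handed to `ca_chain()` on the new lines with no check that the lookup found anything, so a dangling `certref` (certificate deleted in the cert manager, or never set) would generate the SSL lighttpd config with an empty `$crt`/`$key`; I cannot see what lookup_cert returns on a miss, but `false` or an empty array decodes to an empty string here. A guard right after the lookup such as `if (empty($cert)) { log_error("Captive portal zone {$cpzone}: certificate {$cpcfg['certref']} not found, HTTPS listener not started"); return; }` makes the failure visible in the system log instead of producing a listener with no usable key material. captiveportal_init_webgui_zone starts outside the hunk, so confirm the function's return convention before adding the early return.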
diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc
index 862e91b..ed1f25c 100644
--- a/etc/inc/certs.inc
+++ b/etc/inc/certs.inc
@@ -533,7 +533,7 @@ function is_captiveportal_cert($certref) {
if (!is_array($config['captiveportal']))
return;
foreach ($config['captiveportal'] as $portal) {
- if ($portal['enable'] && $portal['httpslogin_enable'] && ($portal['certref'] == $certref))
+ if (isset($portal['enable']) && isset($portal['httpslogin']) && ($portal['certref'] == $certref))
return true;
}
return false;
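Review bot: The changed condition keeps the loose comparison `$portal['certref'] == $certref` for opaque reference ids; PHP's `==` compares numeric-looking strings numerically (`'1e3' == '1000'` is true), and `uniqid()`-style hex ids only avoid that by luck, so `($portal['certref'] === $certref)` is the safer form at no cost. Note also that the certificate now counts as in use only when `httpslogin` is set, so a zone that still stores a `certref` with HTTPS login switched off will not block deletion of that certificate in the cert manager — presumably intended, but a comment above the loop, e.g. `/* only zones with HTTPS login active pin their certificate */`, would record that choice. is_captiveportal_cert's signature and the `$config` global are outside the hunk.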
diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc
index 88faba4..700cd25 100644
--- a/etc/inc/upgrade_config.inc
+++ b/etc/inc/upgrade_config.inc
@@ -2898,26 +2898,34 @@ function upgrade_088_to_089() {
/* create cert entry */
$cert = array();
$cert['refid'] = uniqid();
- $cert['descr'] = "Captive Portal SSL Cert - {$setting['zone']}";
+ $cert['descr'] = "Captive Portal Cert - {$setting['zone']}";
$cert['crt'] = $setting['certificate'];
$cert['prv'] = $setting['private-key'];
+
+ if (!empty($setting['cacertificate'])) {
+ /* create ca entry */
+ $ca = array();
+ $ca['refid'] = uniqid();
+ $ca['descr'] = "Captive Portal CA - {$setting['zone']}";
+ $ca['crt'] = $setting['cacertificate'];
+ $config['ca'][] = $ca;
+
+ /* add ca reference to certificate */
+ $cert['caref'] = $ca['refid'];
+
+ /* create ca reference */
+ $setting['caref'] = $ca['refid'];
+ }
+
$config['cert'][] = $cert;
/* create cert reference */
- unset($setting['certificate']);
- unset($setting['private-key']);
$setting['certref'] = $cert['refid'];
- /* create ca entry */
- $ca = array();
- $ca['refid'] = uniqid();
- $ca['descr'] = "Captive Portal SSL CA - {$setting['zone']}";
- $ca['crt'] = $setting['cacertificate'];
- $config['ca'][] = $ca;
-
- /* create ca reference */
+ unset($setting['certificate']);
+ unset($setting['private-key']);
unset($setting['cacertificate']);
- $setting['caref'] = $ca['refid'];
+
}
}
}
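Review bot: The added empty `+` line immediately before the closing `}` at the end of the hunk is stray whitespace left over from moving the CA block; drop it. The two comments `/* add ca reference to certificate */` and `/* create ca reference */` inside the new `if (!empty($setting['cacertificate']))` block each annotate a single assignment and say almost the same thing; one comment over both lines, e.g. `/* link the new cert entry and the zone settings to the new CA */`, reads better. Executing `unset($setting['cacertificate'])` outside that block is right (the legacy field is dropped whether or not it was populated), but a one-line comment such as `/* legacy inline cert fields are replaced by the refids above */` over the three unsets would explain why they come after the references are created. upgrade_088_to_089 begins outside the hunk.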
diff --git a/usr/local/www/services_captiveportal.php b/usr/local/www/services_captiveportal.php
index dd59e7a..c49ea1a 100755
--- a/usr/local/www/services_captiveportal.php
+++ b/usr/local/www/services_captiveportal.php
@@ -108,7 +108,6 @@ if ($a_cp[$cpzone]) {
$pconfig['httpsname'] = $a_cp[$cpzone]['httpsname'];
$pconfig['preauthurl'] = strtolower($a_cp[$cpzone]['preauthurl']);
$pconfig['certref'] = $a_cp[$cpzone]['certref'];
- $pconfig['caref'] = $a_cp[$cpzone]['caref'];
$pconfig['logoutwin_enable'] = isset($a_cp[$cpzone]['logoutwin_enable']);
$pconfig['peruserbw'] = isset($a_cp[$cpzone]['peruserbw']);
$pconfig['bwdefaultdn'] = $a_cp[$cpzone]['bwdefaultdn'];
@@ -265,7 +264,6 @@ if ($_POST) {
$newcp['bwdefaultdn'] = $_POST['bwdefaultdn'];
$newcp['bwdefaultup'] = $_POST['bwdefaultup'];
$newcp['certref'] = $_POST['certref'];
- $newcp['caref'] = $_POST['caref'];
$newcp['logoutwin_enable'] = $_POST['logoutwin_enable'] ? true : false;
$newcp['nomacfilter'] = $_POST['nomacfilter'] ? true : false;
$newcp['noconcurrentlogins'] = $_POST['noconcurrentlogins'] ? true : false;
@@ -391,7 +389,6 @@ function enable_change(enable_change) {
document.iform.radmac_format.disabled = radius_endis;
document.iform.httpsname.disabled = https_endis;
document.iform.certref.disabled = https_endis;
- document.iform.caref.disabled = https_endis;
document.iform.logoutwin_enable.disabled = endis;
document.iform.nomacfilter.disabled = endis;
document.iform.noconcurrentlogins.disabled = endis;
@@ -870,59 +867,28 @@ function enable_change(enable_change) {
<input name="httpsname" type="text" class="formfld unknown" id="httpsname" size="30" value="<?=htmlspecialchars($pconfig['httpsname']);?>"><br>
<?php printf(gettext("This name will be used in the form action for the HTTPS POST and should match the Common Name (CN) in your certificate (otherwise, the client browser will most likely display a security warning). Make sure captive portal clients can resolve this name in DNS and verify on the client that the IP resolves to the correct interface IP on %s."), $g['product_name']);?> </td>
</tr>
- <tr id="tls_ca">
- <td width="22%" valign="top" class="vncell"><?=gettext("Certificate Authority"); ?></td>
- <td width="78%" class="vtable">
- <?php if (count($a_ca)): ?>
- <select name='caref' class="formselect">
- <option value=""><?=gettext("None"); ?></option>
- <?php
- foreach ($a_ca as $ca):
- $selected = "";
- if ($pconfig['caref'] == $ca['refid'])
- $selected = "selected";
- ?>
- <option value="<?=$ca['refid'];?>" <?=$selected;?>><?=$ca['descr'];?></option>
- <?php endforeach; ?>
- </select>
- <?php else: ?>
- <b><?=gettext("No Certificate Authorities defined."); ?></b> <br/>Create one under <a href="system_camanager.php">System &gt; Cert Manager</a>.
- <?php endif; ?>
- </td>
- </tr>
- <tr id="tls_cert">
- <td width="22%" valign="top" class="vncell"><?=gettext("Server Certificate"); ?></td>
- <td width="78%" class="vtable">
- <?php if (count($a_cert)): ?>
- <select name='certref' class="formselect">
- <option value=""><?=gettext("None"); ?></option>
- <?php
- foreach ($a_cert as $cert):
- $selected = "";
- $caname = "";
- $inuse = "";
- $revoked = "";
- $ca = lookup_ca($cert['caref']);
- if ($ca)
- $caname = " (CA: {$ca['descr']})";
- if ($pconfig['certref'] == $cert['refid'])
- $selected = "selected";
- if (cert_in_use($cert['refid']))
- $inuse = " *In Use";
- if (is_cert_revoked($cert))
- $revoked = " *Revoked";
- ?>
- <option value="<?=$cert['refid'];?>" <?=$selected;?>><?=$cert['descr'] . $caname . $inuse . $revoked;?></option>
- <?php endforeach; ?>
- </select>
- <?php else: ?>
- <b><?=gettext("No Certificates defined."); ?></b> <br/>Create one under <a href="system_certmanager.php">System &gt; Cert Manager</a>.
- <?php endif; ?>
- </td>
- </tr>
+ <tr id="ssl_opts">
+ <td width="22%" valign="top" class="vncell"><?=gettext("SSL Certificate"); ?></td>
+ <td width="78%" class="vtable">
+ <?php if (count($a_cert)): ?>
+ <select name="certref" id="certref" class="formselect">
+ <?php
+ foreach($a_cert as $cert):
+ $selected = "";
+ if ($pconfig['certref'] == $cert['refid'])
+ $selected = "selected";
+ ?>
+ <option value="<?=$cert['refid'];?>"<?=$selected;?>><?=$cert['descr'];?></option>
+ <?php endforeach; ?>
+ </select>
+ <?php else: ?>
+ <b><?=gettext("No Certificates defined."); ?></b> <br/>Create one under <a href="system_certmanager.php">System &gt; Cert Manager</a>.
+ <?php endif; ?>
+ </td>
+ </tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?=gettext("Portal page contents"); ?></td>
- <td width="78%" class="vtable">
+ <td width="22%" valign="top" class="vncell"><?=gettext("Portal page contents"); ?></td>
+ <td width="78%" class="vtable">
<?=$mandfldhtml;?><input type="file" name="htmlfile" class="formfld file" id="htmlfile"><br>
<?php
list($host) = explode(":", $_SERVER['HTTP_HOST']);
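Review bot: In the new `<option>` line there is no space between the `value="..."` attribute and `<?=$selected;?>`, so a selected certificate renders as `value="abc"selected`, which is an HTML attribute parse error that browsers merely tolerate; the removed markup had the space. The same line echoes `$cert['descr']` into the page without `htmlspecialchars()`, unlike `httpsname` a few lines earlier in the hunk; descr is admin-entered configuration text, so the exposure is limited, but it should be escaped like the other fields: `<option value="<?=htmlspecialchars($cert['refid']);?>" <?=$selected;?>><?=htmlspecialchars($cert['descr']);?></option>`. The rewritten select also drops the `*Revoked`/`*In Use` markers and the `None` entry that the removed block produced, so an administrator can no longer see from this form that the selected certificate has been revoked; if that is deliberate it deserves a sentence in the commit description.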