author | Ermal Luçi <ermal.luci@gmail.com> | 2012-07-03 11:01:13 -0700 |
---|---|---|
committer | Ermal Luçi <ermal.luci@gmail.com> | 2012-07-03 11:01:13 -0700 |
commit | b1dada0d0f99d7afb62c781820252d953683335f (patch) | |
tree | 16e82c4b29f5fbf3949d4a7da6a85151fcc5e0f5 | |
parent | a22b41d0e6e4e02eba1a09a34cbbc2f1da789711 (diff) | |
parent | 562ed531266d1a6dcabca2e33ef516e8a847fb0e (diff) | |
Merge pull request #163 from bcyrill/cp_cert2
Implement certificate chain in Captive Portal
-rw-r--r-- | etc/inc/captiveportal.inc | 14 | ||||
-rw-r--r-- | etc/inc/certs.inc | 2 | ||||
-rw-r--r-- | etc/inc/upgrade_config.inc | 32 | ||||
-rwxr-xr-x | usr/local/www/services_captiveportal.php | 76 |
4 files changed, 47 insertions, 77 deletions
diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc
index ba9d7e4..f0653ab 100644
--- a/etc/inc/captiveportal.inc
+++ b/etc/inc/captiveportal.inc
@@ -455,18 +455,14 @@ function captiveportal_init_webgui_zone($cpcfg) {
 if (isset($cpcfg['httpslogin'])) {
 $cert = lookup_cert($cpcfg['certref']);
- $cert_crt = base64_decode($cert['crt']);
- $cert_prv = base64_decode($cert['prv']);
- if (isset($cpcfg['caref'])) {
- $ca = lookup_ca($cpcfg['caref']);
- $ca_crt = base64_decode($ca['crt']);
- }
- else
- $ca_crt = "";
+ $crt = base64_decode($cert['crt']);
+ $key = base64_decode($cert['prv']);
+ $ca = ca_chain($cert);
+
 /* generate lighttpd configuration */
 $listenporthttps = $cpcfg['listenporthttps'] ? $cpcfg['listenporthttps'] : ($cpcfg['zoneid'] + 1);
 system_generate_lighty_config("{$g['varetc_path']}/lighty-{$cpzone}-CaptivePortal-SSL.conf",
- $cert_crt, $cert_prv, $ca_crt, "lighty-{$cpzone}-CaptivePortal-SSL.pid", $listenporthttps, "/usr/local/captiveportal",
+ $crt, $key, $ca, "lighty-{$cpzone}-CaptivePortal-SSL.pid", $listenporthttps, "/usr/local/captiveportal",
 "cert-portal.pem", "ca-portal.pem", "1", $use_fastcgi, $cpzone);
 }
diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc
index 862e91b..ed1f25c 100644
--- a/etc/inc/certs.inc
+++ b/etc/inc/certs.inc
@@ -533,7 +533,7 @@ function is_captiveportal_cert($certref) {
 if (!is_array($config['captiveportal']))
 return;
 foreach ($config['captiveportal'] as $portal) {
- if ($portal['enable'] && $portal['httpslogin_enable'] && ($portal['certref'] == $certref))
+ if (isset($portal['enable']) && isset($portal['httpslogin']) && ($portal['certref'] == $certref))
 return true;
 }
 return false;
diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc
index 88faba4..700cd25 100644
--- a/etc/inc/upgrade_config.inc
+++ b/etc/inc/upgrade_config.inc
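Review bot: The certificate returned by `lookup_cert($cpcfg['certref'])` is decoded and passed to `ca_chain()` without checking that anything was found, so a zone whose `certref` is empty or points at a certificate that has since been deleted hands empty strings to system_generate_lighty_config() and the zone's HTTPS listener is written with no key material; nothing in this hunk validates the stored reference. I would guard it right after the lookup, `if (!is_array($cert) || empty($cert['crt']) || empty($cert['prv']))`, log the zone name and skip the SSL listener rather than generate a broken config. `ca_chain()` is not visible here; presumably it walks `$cert['caref']` up the CA store — worth confirming it returns an empty string rather than failing when the certificate carries no CA reference, since `$ca` is passed straight through. captiveportal_init_webgui_zone() begins before this hunk and continues after it.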
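Review bot: The new condition still requires the zone to be enabled and have HTTPS login on before a certificate counts as in use, so a certificate referenced by a disabled zone, or by a zone whose HTTPS login is switched off for the moment, can be deleted in the certificate manager (presumably the caller of this helper) and the zone is left with a dangling `certref` that captiveportal_init_webgui_zone() later decodes without a null check. If the purpose is to protect referenced certificates, match on the reference alone: `if ($portal['certref'] == $certref)`. The early exit on the first line, `return;`, also yields null instead of false; `return false;` keeps the result consistent for callers that compare strictly. The function's signature and closing brace are outside the hunk.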
@@ -2898,26 +2898,34 @@ function upgrade_088_to_089() {
 /* create cert entry */
 $cert = array();
 $cert['refid'] = uniqid();
- $cert['descr'] = "Captive Portal SSL Cert - {$setting['zone']}";
+ $cert['descr'] = "Captive Portal Cert - {$setting['zone']}";
 $cert['crt'] = $setting['certificate'];
 $cert['prv'] = $setting['private-key'];
+
+ if (!empty($setting['cacertificate'])) {
+ /* create ca entry */
+ $ca = array();
+ $ca['refid'] = uniqid();
+ $ca['descr'] = "Captive Portal CA - {$setting['zone']}";
+ $ca['crt'] = $setting['cacertificate'];
+ $config['ca'][] = $ca;
+
+ /* add ca reference to certificate */
+ $cert['caref'] = $ca['refid'];
+
+ /* create ca reference */
+ $setting['caref'] = $ca['refid'];
+ }
+
 $config['cert'][] = $cert;
 /* create cert reference */
- unset($setting['certificate']);
- unset($setting['private-key']);
 $setting['certref'] = $cert['refid'];
- /* create ca entry */
- $ca = array();
- $ca['refid'] = uniqid();
- $ca['descr'] = "Captive Portal SSL CA - {$setting['zone']}";
- $ca['crt'] = $setting['cacertificate'];
- $config['ca'][] = $ca;
-
- /* create ca reference */
+ unset($setting['certificate']);
+ unset($setting['private-key']);
 unset($setting['cacertificate']);
- $setting['caref'] = $ca['refid'];
+
 }
 }
 }
diff --git a/usr/local/www/services_captiveportal.php b/usr/local/www/services_captiveportal.php
index dd59e7a..c49ea1a 100755
--- a/usr/local/www/services_captiveportal.php
+++ b/usr/local/www/services_captiveportal.php
@@ -108,7 +108,6 @@ if ($a_cp[$cpzone]) {
 $pconfig['httpsname'] = $a_cp[$cpzone]['httpsname'];
 $pconfig['preauthurl'] = strtolower($a_cp[$cpzone]['preauthurl']);
 $pconfig['certref'] = $a_cp[$cpzone]['certref'];
- $pconfig['caref'] = $a_cp[$cpzone]['caref'];
 $pconfig['logoutwin_enable'] = isset($a_cp[$cpzone]['logoutwin_enable']);
 $pconfig['peruserbw'] = isset($a_cp[$cpzone]['peruserbw']);
 $pconfig['bwdefaultdn'] = $a_cp[$cpzone]['bwdefaultdn'];
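Review bot: The migration still stores `$setting['caref'] = $ca['refid'];` on the zone, but the rest of this commit removes every reader of that key — captiveportal_init_webgui_zone() no longer looks at `$cpcfg['caref']` and services_captiveportal.php neither loads nor saves it — so upgraded zones carry a dead reference while the chain is really resolved through `$cert['caref']`. I would drop the `/* create ca reference */` comment and the assignment below it and keep the certificate-level reference as the single source of truth. The certificate entry is also created without checking that `$setting['certificate']` and `$setting['private-key']` are non-empty, unlike the CA entry which is now guarded by `!empty()`; unless the enclosing condition, which starts before this hunk, already guarantees both are set, an old zone with HTTPS login configured but no key material becomes an empty cert-manager entry. upgrade_088_to_089() begins before the hunk.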
@@ -265,7 +264,6 @@ if ($_POST) {
 $newcp['bwdefaultdn'] = $_POST['bwdefaultdn'];
 $newcp['bwdefaultup'] = $_POST['bwdefaultup'];
 $newcp['certref'] = $_POST['certref'];
- $newcp['caref'] = $_POST['caref'];
 $newcp['logoutwin_enable'] = $_POST['logoutwin_enable'] ? true : false;
 $newcp['nomacfilter'] = $_POST['nomacfilter'] ? true : false;
 $newcp['noconcurrentlogins'] = $_POST['noconcurrentlogins'] ? true : false;
@@ -391,7 +389,6 @@ function enable_change(enable_change) {
 document.iform.radmac_format.disabled = radius_endis;
 document.iform.httpsname.disabled = https_endis;
 document.iform.certref.disabled = https_endis;
- document.iform.caref.disabled = https_endis;
 document.iform.logoutwin_enable.disabled = endis;
 document.iform.nomacfilter.disabled = endis;
 document.iform.noconcurrentlogins.disabled = endis;
@@ -870,59 +867,28 @@ function enable_change(enable_change) {
 <input name="httpsname" type="text" class="formfld unknown" id="httpsname" size="30" value="<?=htmlspecialchars($pconfig['httpsname']);?>"><br> <?php printf(gettext("This name will be used in the form action for the HTTPS POST and should match the Common Name (CN) in your certificate (otherwise, the client browser will most likely display a security warning). Make sure captive portal clients can resolve this name in DNS and verify on the client that the IP resolves to the correct interface IP on %s."), $g['product_name']);?>
 </td>
 </tr>
- <tr id="tls_ca">
- <td width="22%" valign="top" class="vncell"><?=gettext("Certificate Authority"); ?></td>
- <td width="78%" class="vtable">
- <?php if (count($a_ca)): ?>
- <select name='caref' class="formselect">
- <option value=""><?=gettext("None"); ?></option>
- <?php
- foreach ($a_ca as $ca):
- $selected = "";
- if ($pconfig['caref'] == $ca['refid'])
- $selected = "selected";
- ?>
- <option value="<?=$ca['refid'];?>" <?=$selected;?>><?=$ca['descr'];?></option>
- <?php endforeach; ?>
- </select>
- <?php else: ?>
- <b><?=gettext("No Certificate Authorities defined."); ?></b> <br/>Create one under <a href="system_camanager.php">System > Cert Manager</a>.
- <?php endif; ?>
- </td>
- </tr>
- <tr id="tls_cert">
- <td width="22%" valign="top" class="vncell"><?=gettext("Server Certificate"); ?></td>
- <td width="78%" class="vtable">
- <?php if (count($a_cert)): ?>
- <select name='certref' class="formselect">
- <option value=""><?=gettext("None"); ?></option>
- <?php
- foreach ($a_cert as $cert):
- $selected = "";
- $caname = "";
- $inuse = "";
- $revoked = "";
- $ca = lookup_ca($cert['caref']);
- if ($ca)
- $caname = " (CA: {$ca['descr']})";
- if ($pconfig['certref'] == $cert['refid'])
- $selected = "selected";
- if (cert_in_use($cert['refid']))
- $inuse = " *In Use";
- if (is_cert_revoked($cert))
- $revoked = " *Revoked";
- ?>
- <option value="<?=$cert['refid'];?>" <?=$selected;?>><?=$cert['descr'] . $caname . $inuse . $revoked;?></option>
- <?php endforeach; ?>
- </select>
- <?php else: ?>
- <b><?=gettext("No Certificates defined."); ?></b> <br/>Create one under <a href="system_certmanager.php">System > Cert Manager</a>.
- <?php endif; ?>
- </td>
- </tr>
+ <tr id="ssl_opts">
+ <td width="22%" valign="top" class="vncell"><?=gettext("SSL Certificate"); ?></td>
+ <td width="78%" class="vtable">
+ <?php if (count($a_cert)): ?>
+ <select name="certref" id="certref" class="formselect">
+ <?php
+ foreach($a_cert as $cert):
+ $selected = "";
+ if ($pconfig['certref'] == $cert['refid'])
+ $selected = "selected";
+ ?>
+ <option value="<?=$cert['refid'];?>"<?=$selected;?>><?=$cert['descr'];?></option>
+ <?php endforeach; ?>
+ </select>
+ <?php else: ?>
+ <b><?=gettext("No Certificates defined."); ?></b> <br/>Create one under <a href="system_certmanager.php">System > Cert Manager</a>.
+ <?php endif; ?>
+ </td>
+ </tr>
 <tr>
- <td width="22%" valign="top" class="vncell"><?=gettext("Portal page contents"); ?></td>
- <td width="78%" class="vtable">
+ <td width="22%" valign="top" class="vncell"><?=gettext("Portal page contents"); ?></td>
+ <td width="78%" class="vtable">
 <?=$mandfldhtml;?><input type="file" name="htmlfile" class="formfld file" id="htmlfile"><br> <?php list($host) = explode(":", $_SERVER['HTTP_HOST']); |
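Review bot: The new `<option>` line in the SSL Certificate select prints `$cert['descr']` unescaped and places `<?=$selected;?>` directly after the closing quote of `value`, so a selected entry renders as `value="…"selected>` with no separating space (the removed line had one). It also drops the `*Revoked`, `*In Use` and `(CA: …)` markers the old list carried, so an administrator picking the portal's HTTPS certificate no longer sees that it has been revoked even though `is_cert_revoked()` is still available. I would write it as `<option value="<?=htmlspecialchars($cert['refid']);?>" <?=$selected;?>><?=htmlspecialchars($cert['descr']) . (is_cert_revoked($cert) ? " *Revoked" : "");?></option>`. The "None" entry is gone too, which is fine only if the POST handler, outside this hunk, rejects a `certref` that does not resolve when HTTPS login is enabled.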