diff options
| author | mgrooms <mgrooms@shrew.net> | 2009-03-12 08:02:37 +0000 |
|---|---|---|
| committer | mgrooms <mgrooms@shrew.net> | 2009-03-12 08:06:17 +0000 |
| commit | 73fbece8f11fa253120f549e6ea837c9242534a2 (patch) | |
| tree | 0c48b4e9f746bb11b55d42941d1653f54b400335 /etc | |
| parent | fabd8cdbcf57764aac61ce597ae0c27f7e738cfe (diff) | |
| download | pfsense-73fbece8f11fa253120f549e6ea837c9242534a2.zip pfsense-73fbece8f11fa253120f549e6ea837c9242534a2.tar.gz | |
Migrate IPsec certificate management to centralized system.
Diffstat (limited to 'etc')
| -rw-r--r-- | etc/inc/config.inc | 42 | ||||
| -rw-r--r-- | etc/inc/vpn.inc | 97 |
2 files changed, 82 insertions, 57 deletions
diff --git a/etc/inc/config.inc b/etc/inc/config.inc index 20178af..5b0ff2a 100644 --- a/etc/inc/config.inc +++ b/etc/inc/config.inc @@ -2163,6 +2163,46 @@ endif; $config['version'] = "5.5"; } + /* Convert 5.5 -> 5.6 */ + if ($config['version'] <= 5.5) { + + /* migrate ipsec ca's to cert manager */ + if (!is_array($config['system']['ca'])) + $config['system']['ca'] = array(); + if (!is_array($config['system']['cert'])) + $config['system']['cert'] = array(); + if (is_array($config['ipsec']['cacert'])) { + foreach($config['ipsec']['cacert'], & $cacert) { + $ca = new array(); + $ca['crt'] = $cacert['cert']; + $ca['name'] = $cacert['ident']; + $config['system']['ca'][] = $ca; + } + unset($config['ipsec']['cacert']); + } + + /* migrate phase1 certificates to cert manager */ + if (is_array($config['ipsec']['phase1'])) { + foreach($config['ipsec']['phase1'], & $ph1ent) { + if($ph1ent['cert'] && $ph1ent['private-key']) { + $cert = new array(); + $cert['name'] = "IPsec Peer {$ph1ent['remote-gateway']} Certificate"; + $cert['crt'] = $ph1ent['cert']; + $cert['prv'] = $ph1ent['private-key']; + $config['system']['cert'][] = $cert; + } + if($ph1ent['cert']) + unset($ph1ent['cert']); + if($ph1ent['private-key']) + unset($ph1ent['private-key']); + if($ph1ent['peercert']) + unset($ph1ent['peercert']); + } + } + + $config['version'] = "5.6"; + } + $now = date("H:i:s"); log_error("Ended Configuration upgrade at $now"); @@ -3080,4 +3120,4 @@ function set_device_perms() { if($g['booting']) echo "."; $config = parse_config(); -?>
\ No newline at end of file +?> diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc index b9753ee..db4b6a0 100644 --- a/etc/inc/vpn.inc +++ b/etc/inc/vpn.inc @@ -209,23 +209,22 @@ function vpn_ipsec_configure($ipchg = false) } /* generate CA certificates files */ - $cacertnum = 0; - if (is_array($ipseccfg['cacert']) && count($ipseccfg['cacert'])) { - foreach ($ipseccfg['cacert'] as $cacert) { - ++ $cacertnum; - if (isset ($cacert['cert'])) { - $cert = base64_decode($cacert['cert']); - $x509cert = openssl_x509_parse(openssl_x509_read($cert)); - if (is_array($x509cert) && isset ($x509cert['hash'])) { - $fd1 = fopen("{$g['varetc_path']}/{$x509cert['hash']}.0", "w"); - if (!$fd1) { - printf("Error: cannot open {$x509cert['hash']}.0 in vpn.\n"); - return 1; - } - chmod("{$g['varetc_path']}/{$x509cert['hash']}.0", 0600); - fwrite($fd1, $cert); - fclose($fd1); - } + if (is_array($config['system']['ca']) && count($config['system']['ca'])) { + foreach ($config['system']['ca'] as $ca) { + if (!isset($ca['crt'])) { + log_error("Error: Invalid certificate info for {$ca['name']}"); + continue; + } + $cert = base64_decode($ca['crt']); + $x509cert = openssl_x509_parse(openssl_x509_read($cert)); + if (!is_array($x509cert) || !isset($x509cert['hash'])) { + log_error("Error: Invalid certificate hash info for {$ca['name']}"); + continue; + } + $fname = $g['varetc_path']."/".$x509cert['hash']; + if (!file_put_contents($fname, $cert)) { + log_error("Error: Cannot write IPsec CA file for {$ca['name']}"); + continue; } } } @@ -487,52 +486,38 @@ function vpn_ipsec_configure($ipchg = false) $certline = ''; if (strstr($authmethod,'rsa')) { - if ($ph1ent['cert'] && $ph1ent['private-key']) { - $cert = base64_decode($ph1ent['cert']); - $private_key = base64_decode($ph1ent['private-key']); - } else { - /* null certificate/key */ - $cert = ''; - $private_key = ''; - } - if ($ph1ent['peercert']) - $peercert = base64_decode($ph1ent['peercert']); - else - $peercert = ''; + $cert = lookup_cert($ph1ent['certref']); - $fd1 = fopen("{$g['varetc_path']}/server{$ikeid}-signed.pem", "w"); - if (!$fd1) { - printf("Error: cannot open server{$ikeid}-signed.pem in vpn.\n"); - return 1; + if (!$cert) + { + log_error("Error: Invalid phase1 certificate reference for {$ph1ent['name']}"); + continue; } - - chmod("{$g['varetc_path']}/server{$ikeid}-signed.pem", 0600); - fwrite($fd1, $cert); - fclose($fd1); - - $fd1 = fopen("{$g['varetc_path']}/server{$ikeid}-key.pem", "w"); - if (!$fd1) { - printf("Error: cannot open server{$ikeid}-key.pem in vpn.\n"); - return 1; + + $certfile = "cert-".$ikeid.".crt"; + $certpath = $g['varetc_path']."/".$certfile; + + if (!file_put_contents($certpath, base64_decode($cert['crt']))) + { + log_error("Error: Cannot write phase1 certificate file for {$ph1ent['name']}"); + continue; } - chmod("{$g['varetc_path']}/server{$ikeid}-key.pem", 0600); - fwrite($fd1, $private_key); - fclose($fd1); - $certline = "certificate_type x509 \"server{$ikeid}-signed.pem\" \"server{$ikeid}-key.pem\";"; + chmod($certpath, 0600); - if ($peercert != '') { - $fd1 = fopen("{$g['varetc_path']}/peer{$ikeid}-signed.pem", "w"); - if (!$fd1) { - printf("Error: cannot open server{$ikeid}-signed.pem in vpn.\n"); - return 1; - } - chmod("{$g['varetc_path']}/peer{$ikeid}-signed.pem", 0600); - fwrite($fd1, $peercert); - fclose($fd1); - $certline .="peers_certfile \"peer{$ikeid}-signed.pem\""; + $keyfile = "cert-".$ikeid.".key"; + $keypath = $g['varetc_path']."/".$keyfile; + + if (!file_put_contents($keypath, base64_decode($cert['crt']))) + { + log_error("Error: Cannot write phase1 key file for {$ph1ent['name']}"); + continue; } + + chmod($keypath, 0600); + + $certline = "certificate_type x509 \"{$certpath}\" \"{$keypath}.key\";"; } $ealgos = ''; |
