authormgrooms <mgrooms@shrew.net>2009-03-12 08:02:37 +0000
committermgrooms <mgrooms@shrew.net>2009-03-12 08:06:17 +0000
commit73fbece8f11fa253120f549e6ea837c9242534a2 (patch)
tree0c48b4e9f746bb11b55d42941d1653f54b400335 /etc
parentfabd8cdbcf57764aac61ce597ae0c27f7e738cfe (diff)
downloadpfsense-73fbece8f11fa253120f549e6ea837c9242534a2.zip
pfsense-73fbece8f11fa253120f549e6ea837c9242534a2.tar.gz
Migrate IPsec certificate management to centralized system.
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/config.inc42
-rw-r--r--etc/inc/vpn.inc97
2 files changed, 82 insertions, 57 deletions
diff --git a/etc/inc/config.inc b/etc/inc/config.inc
index 20178af..5b0ff2a 100644
--- a/etc/inc/config.inc
+++ b/etc/inc/config.inc
@@ -2163,6 +2163,46 @@ endif;
$config['version'] = "5.5";
}
+ /* Convert 5.5 -> 5.6 */
+ if ($config['version'] <= 5.5) {
+
+ /* migrate ipsec ca's to cert manager */
+ if (!is_array($config['system']['ca']))
+ $config['system']['ca'] = array();
+ if (!is_array($config['system']['cert']))
+ $config['system']['cert'] = array();
+ if (is_array($config['ipsec']['cacert'])) {
+ foreach($config['ipsec']['cacert'], & $cacert) {
+ $ca = new array();
+ $ca['crt'] = $cacert['cert'];
+ $ca['name'] = $cacert['ident'];
+ $config['system']['ca'][] = $ca;
+ }
+ unset($config['ipsec']['cacert']);
+ }
+
+ /* migrate phase1 certificates to cert manager */
+ if (is_array($config['ipsec']['phase1'])) {
+ foreach($config['ipsec']['phase1'], & $ph1ent) {
+ if($ph1ent['cert'] && $ph1ent['private-key']) {
+ $cert = new array();
+ $cert['name'] = "IPsec Peer {$ph1ent['remote-gateway']} Certificate";
+ $cert['crt'] = $ph1ent['cert'];
+ $cert['prv'] = $ph1ent['private-key'];
+ $config['system']['cert'][] = $cert;
+ }
+ if($ph1ent['cert'])
+ unset($ph1ent['cert']);
+ if($ph1ent['private-key'])
+ unset($ph1ent['private-key']);
+ if($ph1ent['peercert'])
+ unset($ph1ent['peercert']);
+ }
+ }
+
+ $config['version'] = "5.6";
+ }
+
$now = date("H:i:s");
log_error("Ended Configuration upgrade at $now");
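Review bot: The migrated phase1 entries are never linked to the certificate this loop creates: `$cert` is appended to `$config['system']['cert']` without any identifier and `$ph1ent['certref']` is never set, so after the upgrade every RSA phase1 will fail the `lookup_cert($ph1ent['certref'])` check in vpn.inc and be skipped; assign an id in whatever field `lookup_cert()` keys on (not visible here) and store it, e.g. `$cert['refid'] = uniqid(); ... $ph1ent['certref'] = $cert['refid'];`, and do the same for the CA entries. As printed, `$ca = new array();` and `$cert = new array();` are not valid PHP (`new` cannot be applied to `array`; use `$ca = array();`), and `foreach($x, & $v)` should read `foreach ($x as &$v)` — unless the page has garbled the original. The by-reference `$ph1ent` also needs `unset($ph1ent);` after the loop to avoid a dangling reference. The old `peercert` (pinned peer certificate) is discarded here and the new vpn.inc no longer emits `peers_certfile`, so tunnels that relied on peer-cert pinning silently fall back to CA-chain validation only; that deserves at least a `log_error()` during the upgrade.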
@@ -3080,4 +3120,4 @@ function set_device_perms() {
if($g['booting']) echo ".";
$config = parse_config();
-?> \ No newline at end of file
+?>
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index b9753ee..db4b6a0 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -209,23 +209,22 @@ function vpn_ipsec_configure($ipchg = false)
}
/* generate CA certificates files */
- $cacertnum = 0;
- if (is_array($ipseccfg['cacert']) && count($ipseccfg['cacert'])) {
- foreach ($ipseccfg['cacert'] as $cacert) {
- ++ $cacertnum;
- if (isset ($cacert['cert'])) {
- $cert = base64_decode($cacert['cert']);
- $x509cert = openssl_x509_parse(openssl_x509_read($cert));
- if (is_array($x509cert) && isset ($x509cert['hash'])) {
- $fd1 = fopen("{$g['varetc_path']}/{$x509cert['hash']}.0", "w");
- if (!$fd1) {
- printf("Error: cannot open {$x509cert['hash']}.0 in vpn.\n");
- return 1;
- }
- chmod("{$g['varetc_path']}/{$x509cert['hash']}.0", 0600);
- fwrite($fd1, $cert);
- fclose($fd1);
- }
+ if (is_array($config['system']['ca']) && count($config['system']['ca'])) {
+ foreach ($config['system']['ca'] as $ca) {
+ if (!isset($ca['crt'])) {
+ log_error("Error: Invalid certificate info for {$ca['name']}");
+ continue;
+ }
+ $cert = base64_decode($ca['crt']);
+ $x509cert = openssl_x509_parse(openssl_x509_read($cert));
+ if (!is_array($x509cert) || !isset($x509cert['hash'])) {
+ log_error("Error: Invalid certificate hash info for {$ca['name']}");
+ continue;
+ }
+ $fname = $g['varetc_path']."/".$x509cert['hash'];
+ if (!file_put_contents($fname, $cert)) {
+ log_error("Error: Cannot write IPsec CA file for {$ca['name']}");
+ continue;
}
}
}
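Review bot: The CA file name drops the `.0` suffix the removed code used (`{$x509cert['hash']}.0`) and now writes `$fname = $g['varetc_path']."/".$x509cert['hash']`; if racoon resolves CAs through OpenSSL's hash-directory lookup, as the old naming suggests, files without a `<hash>.<n>` suffix will not be found and certificate-based phase1s will fail verification. Restore it with `$fname = $g['varetc_path']."/".$x509cert['hash'].".0";`. Two CAs with the same subject hash still overwrite each other (in both old and new code); a per-CA counter in the suffix would avoid that. `openssl_x509_read()` is passed straight into `openssl_x509_parse()`; on malformed input it returns false and emits a warning, so checking it first (`$res = openssl_x509_read($cert); if ($res === false) { log_error(...); continue; }`) gives a cleaner failure.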
@@ -487,52 +486,38 @@ function vpn_ipsec_configure($ipchg = false)
$certline = '';
if (strstr($authmethod,'rsa')) {
- if ($ph1ent['cert'] && $ph1ent['private-key']) {
- $cert = base64_decode($ph1ent['cert']);
- $private_key = base64_decode($ph1ent['private-key']);
- } else {
- /* null certificate/key */
- $cert = '';
- $private_key = '';
- }
- if ($ph1ent['peercert'])
- $peercert = base64_decode($ph1ent['peercert']);
- else
- $peercert = '';
+ $cert = lookup_cert($ph1ent['certref']);
- $fd1 = fopen("{$g['varetc_path']}/server{$ikeid}-signed.pem", "w");
- if (!$fd1) {
- printf("Error: cannot open server{$ikeid}-signed.pem in vpn.\n");
- return 1;
+ if (!$cert)
+ {
+ log_error("Error: Invalid phase1 certificate reference for {$ph1ent['name']}");
+ continue;
}
-
- chmod("{$g['varetc_path']}/server{$ikeid}-signed.pem", 0600);
- fwrite($fd1, $cert);
- fclose($fd1);
-
- $fd1 = fopen("{$g['varetc_path']}/server{$ikeid}-key.pem", "w");
- if (!$fd1) {
- printf("Error: cannot open server{$ikeid}-key.pem in vpn.\n");
- return 1;
+
+ $certfile = "cert-".$ikeid.".crt";
+ $certpath = $g['varetc_path']."/".$certfile;
+
+ if (!file_put_contents($certpath, base64_decode($cert['crt'])))
+ {
+ log_error("Error: Cannot write phase1 certificate file for {$ph1ent['name']}");
+ continue;
}
- chmod("{$g['varetc_path']}/server{$ikeid}-key.pem", 0600);
- fwrite($fd1, $private_key);
- fclose($fd1);
- $certline = "certificate_type x509 \"server{$ikeid}-signed.pem\" \"server{$ikeid}-key.pem\";";
+ chmod($certpath, 0600);
- if ($peercert != '') {
- $fd1 = fopen("{$g['varetc_path']}/peer{$ikeid}-signed.pem", "w");
- if (!$fd1) {
- printf("Error: cannot open server{$ikeid}-signed.pem in vpn.\n");
- return 1;
- }
- chmod("{$g['varetc_path']}/peer{$ikeid}-signed.pem", 0600);
- fwrite($fd1, $peercert);
- fclose($fd1);
- $certline .="peers_certfile \"peer{$ikeid}-signed.pem\"";
+ $keyfile = "cert-".$ikeid.".key";
+ $keypath = $g['varetc_path']."/".$keyfile;
+
+ if (!file_put_contents($keypath, base64_decode($cert['crt'])))
+ {
+ log_error("Error: Cannot write phase1 key file for {$ph1ent['name']}");
+ continue;
}
+
+ chmod($keypath, 0600);
+
+ $certline = "certificate_type x509 \"{$certpath}\" \"{$keypath}.key\";";
}
$ealgos = '';
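Review bot: The private-key file is written from the wrong field: `file_put_contents($keypath, base64_decode($cert['crt']))` stores the certificate a second time, so racoon gets no private key; it should be `base64_decode($cert['prv'])`. The generated directive then references `\"{$keypath}.key\"`, but `$keypath` already ends in `.key`, so the path becomes `cert-N.key.key` and does not exist — use `\"{$certpath}\" \"{$keypath}\"`. Both files are created by `file_put_contents()` with the process umask and only afterwards chmod'ed to 0600, so the key material is briefly readable at default permissions; wrap the writes in `$oldmask = umask(077); ... umask($oldmask);` (the removed code at least chmod'ed the empty file before writing). The enclosing loop over phase1 entries starts outside this hunk.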