author | Ermal <eri@pfsense.org> | 2013-12-19 09:10:50 +0000 |
---|---|---|
committer | Ermal <eri@pfsense.org> | 2013-12-19 09:10:50 +0000 |
commit | b95b40a1356d194ef62148c485153f5555913619 (patch) | |
tree | 7bd29652c26edde3d463af6bdc9e6656addc4d2f /etc | |
parent | 5e28dad4a34bc3b8da8134b23c85a8f922ebb401 (diff) | |
Also move tls-verify to fcgicli to avoid forking a PHP process. Perhaps even this should be done as a plugin to avoid the overhead of forking.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/openvpn.inc | 13 | ||||
-rw-r--r-- | etc/inc/openvpn.tls-verify.php | 26 |
2 files changed, 26 insertions, 13 deletions
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
index c1c4579..30b84c3 100644
--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
@@ -585,22 +585,17 @@ function openvpn_reconfigure($mode, $settings) {
 $strictusercn = "false";
 if ($settings['strictusercn'])
 $strictusercn = "true";
- mwexec("/bin/cat /etc/inc/openvpn.auth-user.php | /usr/bin/sed 's/\/\/<template>/{$sed}/g' > {$g['varetc_path']}/openvpn/{$mode_id}.php");
- $conf .= "auth-user-pass-verify /usr/local/sbin/ovpn_auth_verify '{$settings['authmode']}' {$strictusercn} {$mode_id} via-env\n";
+ $conf .= "auth-user-pass-verify /usr/local/sbin/ovpn_auth_verify user '{$settings['authmode']}' {$strictusercn} {$mode_id} via-env\n";
 }
 break;
 }
 if (!isset($settings['cert_depth']) && (strstr($settings['mode'], 'tls')))
 $settings['cert_depth'] = 1;
 if (is_numeric($settings['cert_depth'])) {
- $sed = "";
 $cert = lookup_cert($settings['certref']);
- $servercn = cert_get_cn($cert['crt']);
- $sed .= "\$server_cn = \"{$servercn}\";\\\n";
- $sed .= "\$allowed_depth = {$settings['cert_depth']};\\\n";
- mwexec("/bin/cat /etc/inc/openvpn.tls-verify.php | /usr/bin/sed 's/\/\/<template>/{$sed}/g' > {$g['varetc_path']}/openvpn/{$mode_id}.tls-verify.php");
- mwexec("/bin/chmod a+x {$g['varetc_path']}/openvpn/{$mode_id}.tls-verify.php");
- $conf .= "tls-verify {$g['varetc_path']}/openvpn/{$mode_id}.tls-verify.php\n";
+ /* XXX: Seems not used at all! */
+ $servercn = urlencode(cert_get_cn($cert['crt']));
+ $conf .= "tls-verify /usr/local/sbin/ovpn_auth_verify tls '{$servercn}' {$settings['cert_depth']} via-env\n";
 }
 // The local port to listen on
diff --git a/etc/inc/openvpn.tls-verify.php b/etc/inc/openvpn.tls-verify.php
index 8ef5189..44d5d84 100644
--- a/etc/inc/openvpn.tls-verify.php
+++ b/etc/inc/openvpn.tls-verify.php
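Review bot: The new `tls-verify` line interpolates `$settings['cert_depth']` into the OpenVPN config unquoted, guarded only by the earlier `is_numeric()`, which also accepts forms such as leading whitespace or exponent notation that the verify script would then receive as its depth argument; cast at the point of use, `$conf .= "tls-verify /usr/local/sbin/ovpn_auth_verify tls '{$servercn}' " . intval($settings['cert_depth']) . " via-env\n";`. The `/* XXX: Seems not used at all! */` comment sits directly above a `$servercn` that is computed and passed on the next line, so it should say what is unused, e.g. `/* XXX: $servercn is passed through to ovpn_auth_verify, but openvpn.tls-verify.php does not appear to check it yet; urlencode() also keeps a quote in the CN from ending the single-quoted argument */`. The `user` mode word added to the `auth-user-pass-verify` line presumably matches a change in ovpn_auth_verify, which is not part of this commit. openvpn_reconfigure() starts and ends outside this hunk.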
@@ -49,8 +49,15 @@ require_once("interfaces.inc");
 openlog("openvpn", LOG_ODELAY, LOG_AUTH);
 /* read data from command line */
-$cert_depth = intval($argv[1]);
-$cert_subject = $argv[2];
+if (isset($_GET)) {
+ $cert_depth = $_GET['certdepth'];
+ $cert_subject = urldecode($_GET['certsubject']);
+ $allowed_depth = $_GET['depth'];
+ $server_cn = $_GET['servercn'];
+} else {
+ $cert_depth = intval($argv[1]);
+ $cert_subject = $argv[2];
+}
 /* Reserved for future use in case we decide to verify CNs and such as well
 $subj = explode("/", $cert_subject);
@@ -66,12 +73,23 @@ foreach ($subj at $s) {
 if (isset($allowed_depth) && ($cert_depth > $allowed_depth)) {
 syslog(LOG_WARNING, "Certificate depth {$cert_depth} exceeded max allowed depth of {$allowed_depth}.\n");
- exit(1);
+ if (isset($_GET)) {
+ echo "FAILED";
+ closelog();
+ return;
+ } else {
+ closelog();
+ exit(1);
+ }
 }
 // Debug
 //syslog(LOG_WARNING, "Found certificate {$argv[2]} with depth {$cert_depth}\n");
-exit(0);
+closelog();
+if (isset($_GET))
+ echo "OK";
+else
+ exit(0);
 ?>
|
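Review bot: `isset($_GET)` in the new branch does not tell the fcgicli invocation apart from a command-line run, because the superglobal exists (as an empty array) under the CLI SAPI as well, so the `$argv` branch is most likely unreachable; test the SAPI, `if (PHP_SAPI !== 'cli') {`, or key on the parameter, `if (isset($_GET['certdepth'])) {`. The same test is repeated twice in the next hunk. The fcgi branch also drops the `intval()` the CLI path keeps: `$cert_depth` and `$allowed_depth` are taken as raw request strings and later compared with `>`, and a request that omits either parameter arrives as an undefined index. Casting both and failing closed when they are absent keeps the script's verdict independent of how it was called.
```php
if (PHP_SAPI !== 'cli') {
	/* invoked through fcgicli: every input arrives as a request parameter */
	if (!isset($_GET['certdepth'], $_GET['depth'])) {
		echo "FAILED";
		closelog();
		return;
	}
	$cert_depth = intval($_GET['certdepth']);
	$cert_subject = isset($_GET['certsubject']) ? urldecode($_GET['certsubject']) : "";
	$allowed_depth = intval($_GET['depth']);
	$server_cn = isset($_GET['servercn']) ? $_GET['servercn'] : "";
} else {
	/* … unchanged: $argv handling … */
}
```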
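Review bot: The depth check at the top of this hunk is fail-open on the fcgi path: `isset($allowed_depth)` is false when the `depth` parameter was not supplied, the comparison is skipped, and the new tail prints `OK`, so a request missing that parameter is accepted with no depth limit at all; treating an absent limit as a failure, `if (!isset($allowed_depth) || ($cert_depth > $allowed_depth)) {`, closes that gap, provided the CLI path still obtains `$allowed_depth` from the `//<template>` substitution, which is outside this diff and worth confirming. Because the caller parses the response for the literal `OK`/`FAILED`, any PHP notice emitted in fcgi mode with display_errors on lands in the same output stream, another reason to validate the parameters before use. The retained debug comment still names `$argv[2]`, which is only set on the CLI path; `//syslog(LOG_WARNING, "Found certificate {$cert_subject} with depth {$cert_depth}\n");` reads correctly for both paths. The four `closelog()`/`echo`/`exit` branches could be reduced to one result variable and a single tail, which would also make the fcgi `return` at script top level easier to spot.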