-rw-r--r-- | etc/inc/config.inc | 42 | ||||
-rw-r--r-- | etc/inc/vpn.inc | 97 | ||||
-rw-r--r-- | usr/local/www/system_certmanager.php | 21 | ||||
-rwxr-xr-x | usr/local/www/vpn_ipsec.php | 1 | ||||
-rwxr-xr-x | usr/local/www/vpn_ipsec_ca.php | 110 | ||||
-rwxr-xr-x | usr/local/www/vpn_ipsec_ca_edit.php | 137 | ||||
-rwxr-xr-x | usr/local/www/vpn_ipsec_ca_edit_create_cert.php | 243 | ||||
-rwxr-xr-x | usr/local/www/vpn_ipsec_mobile.php | 1 | ||||
-rw-r--r-- | usr/local/www/vpn_ipsec_phase1.php | 82 | ||||
-rw-r--r-- | usr/local/www/vpn_ipsec_phase2.php | 1 |
10 files changed, 133 insertions, 602 deletions
diff --git a/etc/inc/config.inc b/etc/inc/config.inc
index 20178af..5b0ff2a 100644
--- a/etc/inc/config.inc
+++ b/etc/inc/config.inc
@@ -2163,6 +2163,46 @@ endif;
 $config['version'] = "5.5";
 }
+ /* Convert 5.5 -> 5.6 */
+ if ($config['version'] <= 5.5) {
+
+ /* migrate ipsec ca's to cert manager */
+ if (!is_array($config['system']['ca']))
+ $config['system']['ca'] = array();
+ if (!is_array($config['system']['cert']))
+ $config['system']['cert'] = array();
+ if (is_array($config['ipsec']['cacert'])) {
+ foreach($config['ipsec']['cacert'], & $cacert) {
+ $ca = new array();
+ $ca['crt'] = $cacert['cert'];
+ $ca['name'] = $cacert['ident'];
+ $config['system']['ca'][] = $ca;
+ }
+ unset($config['ipsec']['cacert']);
+ }
+
+ /* migrate phase1 certificates to cert manager */
+ if (is_array($config['ipsec']['phase1'])) {
+ foreach($config['ipsec']['phase1'], & $ph1ent) {
+ if($ph1ent['cert'] && $ph1ent['private-key']) {
+ $cert = new array();
+ $cert['name'] = "IPsec Peer {$ph1ent['remote-gateway']} Certificate";
+ $cert['crt'] = $ph1ent['cert'];
+ $cert['prv'] = $ph1ent['private-key'];
+ $config['system']['cert'][] = $cert;
+ }
+ if($ph1ent['cert'])
+ unset($ph1ent['cert']);
+ if($ph1ent['private-key'])
+ unset($ph1ent['private-key']);
+ if($ph1ent['peercert'])
+ unset($ph1ent['peercert']);
+ }
+ }
+
+ $config['version'] = "5.6";
+ }
+
 $now = date("H:i:s");
 log_error("Ended Configuration upgrade at $now");
@@ -3080,4 +3120,4 @@ function set_device_perms() {
 if($g['booting']) echo ".";
 $config = parse_config();
-?>
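Review bot: The new migration block cannot be parsed by PHP — `foreach($config['ipsec']['cacert'], & $cacert)` uses a comma where `as` is required, and `$ca = new array();` / `$cert = new array();` are syntax errors — so config.inc fails to load on every box upgrading past 5.5 and the system comes up without a configuration. The migrated entries are also incomplete for the code this commit adds elsewhere: vpn.inc resolves `lookup_cert($ph1ent['certref'])` and vpn_ipsec_phase1.php matches on `$cert['refid']`, yet the migration sets neither, so existing RSA tunnels silently lose their certificate after the upgrade. `peercert` is unset with nothing taking its place, which drops peer-certificate pinning for tunnels that relied on it; that loss should at least be logged and stated in the commit. The rewrite below assigns a `refid` the way the Certificate Manager presumably does (`uniqid()` — confirm against system_certmanager.php) and writes it back as `certref`; the enclosing upgrade function starts and ends outside the hunk.
```php
/* … unchanged: CA migration (foreach needs `as`; use array(), not new array()) … */
foreach ($config['ipsec']['phase1'] as &$ph1ent) {
    if ($ph1ent['cert'] && $ph1ent['private-key']) {
        $cert = array();
        $cert['refid'] = uniqid();
        $cert['name'] = "IPsec Peer {$ph1ent['remote-gateway']} Certificate";
        $cert['crt'] = $ph1ent['cert'];
        $cert['prv'] = $ph1ent['private-key'];
        $config['system']['cert'][] = $cert;
        $ph1ent['certref'] = $cert['refid'];
    }
    if ($ph1ent['peercert'])
        log_error("IPsec: dropping pinned peer certificate for {$ph1ent['remote-gateway']} during 5.6 upgrade");
    /* … unchanged: unset cert / private-key / peercert … */
}
unset($ph1ent);
```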
\ No newline at end of file
+?>
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index b9753ee..db4b6a0 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -209,23 +209,22 @@ function vpn_ipsec_configure($ipchg = false)
 }
 /* generate CA certificates files */
- $cacertnum = 0;
- if (is_array($ipseccfg['cacert']) && count($ipseccfg['cacert'])) {
- foreach ($ipseccfg['cacert'] as $cacert) {
- ++ $cacertnum;
- if (isset ($cacert['cert'])) {
- $cert = base64_decode($cacert['cert']);
- $x509cert = openssl_x509_parse(openssl_x509_read($cert));
- if (is_array($x509cert) && isset ($x509cert['hash'])) {
- $fd1 = fopen("{$g['varetc_path']}/{$x509cert['hash']}.0", "w");
- if (!$fd1) {
- printf("Error: cannot open {$x509cert['hash']}.0 in vpn.\n");
- return 1;
- }
- chmod("{$g['varetc_path']}/{$x509cert['hash']}.0", 0600);
- fwrite($fd1, $cert);
- fclose($fd1);
- }
+ if (is_array($config['system']['ca']) && count($config['system']['ca'])) {
+ foreach ($config['system']['ca'] as $ca) {
+ if (!isset($ca['crt'])) {
+ log_error("Error: Invalid certificate info for {$ca['name']}");
+ continue;
+ }
+ $cert = base64_decode($ca['crt']);
+ $x509cert = openssl_x509_parse(openssl_x509_read($cert));
+ if (!is_array($x509cert) || !isset($x509cert['hash'])) {
+ log_error("Error: Invalid certificate hash info for {$ca['name']}");
+ continue;
+ }
+ $fname = $g['varetc_path']."/".$x509cert['hash'];
+ if (!file_put_contents($fname, $cert)) {
+ log_error("Error: Cannot write IPsec CA file for {$ca['name']}");
+ continue;
+ }
 }
 }
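Review bot: The CA file name lost its `.0` suffix: the removed code wrote `{$x509cert['hash']}.0`, the new `$fname = $g['varetc_path']."/".$x509cert['hash']` does not, and an OpenSSL-style hashed CA directory (which the subject-hash naming implies racoon is pointed at — confirm against the CA path settings later in this function) only picks up `<hash>.<n>` files, so CA-signed peers would stop validating. Because the name is only the subject hash, two CAs with the same subject (e.g. a rolled root) also overwrite each other; the old `$cacertnum` counter was never used, but a per-hash counter as the `.<n>` suffix fixes both: `$hash = $x509cert['hash'];`, `$seen[$hash] = isset($seen[$hash]) ? $seen[$hash] + 1 : 0;`, `$fname = "{$g['varetc_path']}/{$hash}.{$seen[$hash]}";`. The old `chmod(..., 0600)` was dropped without comment; CA certificates are public so that is tolerable, but it deserves a line in the commit message. vpn_ipsec_configure() continues outside the hunk.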
@@ -487,52 +486,38 @@ function vpn_ipsec_configure($ipchg = false) $certline = ''; if (strstr($authmethod,'rsa')) { - if ($ph1ent['cert'] && $ph1ent['private-key']) { - $cert = base64_decode($ph1ent['cert']); - $private_key = base64_decode($ph1ent['private-key']); - } else { - /* null certificate/key */ - $cert = ''; - $private_key = ''; - } - if ($ph1ent['peercert']) - $peercert = base64_decode($ph1ent['peercert']); - else - $peercert = ''; + $cert = lookup_cert($ph1ent['certref']); - $fd1 = fopen("{$g['varetc_path']}/server{$ikeid}-signed.pem", "w"); - if (!$fd1) { - printf("Error: cannot open server{$ikeid}-signed.pem in vpn.\n"); - return 1; + if (!$cert) + { + log_error("Error: Invalid phase1 certificate reference for {$ph1ent['name']}"); + continue; } - - chmod("{$g['varetc_path']}/server{$ikeid}-signed.pem", 0600); - fwrite($fd1, $cert); - fclose($fd1); - - $fd1 = fopen("{$g['varetc_path']}/server{$ikeid}-key.pem", "w"); - if (!$fd1) { - printf("Error: cannot open server{$ikeid}-key.pem in vpn.\n"); - return 1; + + $certfile = "cert-".$ikeid.".crt"; + $certpath = $g['varetc_path']."/".$certfile; + + if (!file_put_contents($certpath, base64_decode($cert['crt']))) + { + log_error("Error: Cannot write phase1 certificate file for {$ph1ent['name']}"); + continue; } - chmod("{$g['varetc_path']}/server{$ikeid}-key.pem", 0600); - fwrite($fd1, $private_key); - fclose($fd1); - $certline = "certificate_type x509 \"server{$ikeid}-signed.pem\" \"server{$ikeid}-key.pem\";"; + chmod($certpath, 0600); - if ($peercert != '') { - $fd1 = fopen("{$g['varetc_path']}/peer{$ikeid}-signed.pem", "w"); - if (!$fd1) { - printf("Error: cannot open server{$ikeid}-signed.pem in vpn.\n"); - return 1; - } - chmod("{$g['varetc_path']}/peer{$ikeid}-signed.pem", 0600); - fwrite($fd1, $peercert); - fclose($fd1); - $certline .="peers_certfile \"peer{$ikeid}-signed.pem\""; + $keyfile = "cert-".$ikeid.".key"; + $keypath = $g['varetc_path']."/".$keyfile; + + if (!file_put_contents($keypath, 
base64_decode($cert['crt']))) + { + log_error("Error: Cannot write phase1 key file for {$ph1ent['name']}"); + continue; } + + chmod($keypath, 0600); + + $certline = "certificate_type x509 \"{$certpath}\" \"{$keypath}.key\";"; } $ealgos = ''; diff --git a/usr/local/www/system_certmanager.php b/usr/local/www/system_certmanager.php index 2e4b9e7..dc58aed 100644 --- a/usr/local/www/system_certmanager.php +++ b/usr/local/www/system_certmanager.php @@ -106,6 +106,24 @@ if ($act == "exp") { exit; } +if ($act == "key") { + + if (!$a_cert[$id]) { + pfSenseHeader("system_certmanager.php"); + exit; + } + + $exp_name = urlencode("{$a_cert[$id]['name']}.key"); + $exp_data = base64_decode($a_cert[$id]['prv']); + $exp_size = strlen($exp_data); + + header("Content-Type: application/octet-stream"); + header("Content-Disposition: attachment; filename={$exp_name}"); + header("Content-Length: $exp_size"); + echo $exp_data; + exit; +} + if ($act == "csr") { if (!$a_cert[$id]) { @@ -722,6 +740,9 @@ function internalca_change() { <a href="system_certmanager.php?act=exp&id=<?=$i;?>")"> <img src="/themes/<?= $g['theme'];?>/images/icons/icon_down.gif" title="export cert" alt="export ca" width="17" height="17" border="0" /> </a> + <a href="system_certmanager.php?act=key&id=<?=$i;?>")"> + <img src="/themes/<?= $g['theme'];?>/images/icons/icon_down.gif" title="export key" alt="export ca" width="17" height="17" border="0" /> + </a> <a href="system_certmanager.php?act=del&id=<?=$i;?>" onclick="return confirm('<?=gettext("Do you really want to delete this Certificate?");?>')"> <img src="/themes/<?= $g['theme'];?>/images/icons/icon_x.gif" title="delete cert" alt="delete cert" width="17" height="17" border="0" /> </a> diff --git a/usr/local/www/vpn_ipsec.php b/usr/local/www/vpn_ipsec.php index ce240a0..44efa5a 100755 --- a/usr/local/www/vpn_ipsec.php +++ b/usr/local/www/vpn_ipsec.php 
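Review bot: The key file is written from the wrong field: `file_put_contents($keypath, base64_decode($cert['crt']))` stores the certificate again where racoon expects the RSA private key, so every rsasig/xauth_rsa/hybrid_rsa phase 1 will fail to authenticate; it must read `base64_decode($cert['prv'])`. The `certline` then points racoon at `\"{$keypath}.key\"`, but `$keypath` already ends in `.key`, producing `cert-<ikeid>.key.key`, which does not exist — use `\"{$keypath}\"`. Both files are created under the process umask and only `chmod`'d to 0600 afterwards, leaving a window in which the private key may be readable by other local users; set `umask(077)` before the writes (or write to a 0600-created temp file and rename) instead of fixing permissions after the fact. Removing `peers_certfile` means tunnels that pinned the peer certificate now validate only against the CA list, which the commit message should state. The enclosing loop and the later use of `$certline` are outside the hunk.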
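Review bot: The new `key` action hands out `$a_cert[$id]['prv']` without checking that the entry has a private key, so a certificate imported without one produces `base64_decode(null)` and an empty download named `.key`; add `if (!$a_cert[$id]['prv']) { pfSenseHeader("system_certmanager.php"); exit; }` before any header is sent. This is also the most sensitive download on the page and leaves no trace; a `log_error("Private key for certificate '{$a_cert[$id]['name']}' exported")` beside the headers would at least make it auditable. The `Content-Disposition` filename is `urlencode`d but unquoted; `filename=\"{$exp_name}\"` is the conventional form, assuming the existing `exp` branch above the hunk does the same. How `$id` is validated happens above the hunk.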
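Review bot: The new link reuses the certificate-export icon and keeps `alt="export ca"`, so the key download is indistinguishable from the certificate download for screen readers and the alt text is wrong for both; use `alt="export key"` and ideally a distinct icon, since this click hands out private-key material. The stray `")"` after the `href` is copied from the line above and could be tidied in the same pass.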
@@ -146,7 +146,6 @@ include("head.inc");
 $tab_array = array();
 $tab_array[0] = array("Tunnels", true, "vpn_ipsec.php");
 $tab_array[1] = array("Mobile clients", false, "vpn_ipsec_mobile.php");
- $tab_array[2] = array("CAs", false, "vpn_ipsec_ca.php");
 display_top_tabs($tab_array);
 ?>
 </td>
diff --git a/usr/local/www/vpn_ipsec_ca.php b/usr/local/www/vpn_ipsec_ca.php
deleted file mode 100755
index 76f5399..0000000
--- a/usr/local/www/vpn_ipsec_ca.php
+++ /dev/null
@@ -1,110 +0,0 @@ -<?php -/* - vpn_ipsec_ca.php - part of m0n0wall (http://m0n0.ch/wall) - - Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>. - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -*/ - -##|+PRIV -##|*IDENT=page-vpn-ipsec-certificateauthority -##|*NAME=VPN: IPsec: Certificate Authority page -##|*DESCR=Allow access to the 'VPN: IPsec: Certificate Authority' page. 
-##|*MATCH=vpn_ipsec_ca.php* -##|-PRIV - - -require("guiconfig.inc"); - -if (!is_array($config['ipsec']['cacert'])) { - $config['ipsec']['cacert'] = array(); -} -ipsec_ca_sort(); -$a_secret = &$config['ipsec']['cacert']; - -if ($_GET['act'] == "del") { - if ($a_secret[$_GET['id']]) { - unset($a_secret[$_GET['id']]); - write_config(); - touch($d_ipsecconfdirty_path); - header("Location: vpn_ipsec_ca.php"); - exit; - } -} - -$pgtitle = array("VPN","IPsec","Certificate Authority"); -include("head.inc"); - -?> - -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php include("fbegin.inc"); ?> -<form action="vpn_ipsec.php" method="post"> -<?php - if ($savemsg) - print_info_box($savemsg); - if ($pconfig['enable'] && file_exists($d_ipsecconfdirty_path)) - print_info_box_np("The IPsec tunnel configuration has been changed.<br>You must apply the changes in order for them to take effect."); -?> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr><td> -<?php - $tab_array = array(); - $tab_array[0] = array("Tunnels", false, "vpn_ipsec.php"); - $tab_array[1] = array("Mobile clients", false, "vpn_ipsec_mobile.php"); - $tab_array[2] = array("CAs", true, "vpn_ipsec_ca.php"); - display_top_tabs($tab_array); -?> - </td></tr> - <tr> - <td> - <div id="mainarea"> - <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> - <tr> - <td class="listhdrr">Identifier</td> - <td class="list"></td> - </tr> - <?php $i = 0; foreach ($a_secret as $secretent): ?> - <tr> - <td class="listlr"> - <?=htmlspecialchars($secretent['ident']);?> - </td> - <td class="list" nowrap> <a href="vpn_ipsec_ca_edit.php?id=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit certificate" width="17" height="17" border="0"></a> - <a href="vpn_ipsec_ca.php?act=del&id=<?=$i;?>" onclick="return confirm('Do you really want to delete this certificate?')"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete certificate" 
width="17" height="17" border="0"></a></td> - </tr> - <?php $i++; endforeach; ?> - <tr> - <td class="list"></td> - <td class="list"> <a href="vpn_ipsec_ca_edit.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a></td> - </tr> - </table> - </div> - </td> - </tr> -</table> -</form> -<?php include("fend.inc"); ?> -</body> -</html> diff --git a/usr/local/www/vpn_ipsec_ca_edit.php b/usr/local/www/vpn_ipsec_ca_edit.php deleted file mode 100755 index 814e153..0000000 --- a/usr/local/www/vpn_ipsec_ca_edit.php +++ /dev/null 
@@ -1,137 +0,0 @@ -<?php -/* - vpn_ipsec_ca_edit.php - part of m0n0wall (http://m0n0.ch/wall) - - Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>. - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -*/ - -##|+PRIV -##|*IDENT=page-vpn-ipsec-certificateauthority-edit -##|*NAME=VPN: IPsec: Certificate Authority: Edit page -##|*DESCR=Allow access to the 'VPN: IPsec: Certificate Authority: Edit' page. 
-##|*MATCH=vpn_ipsec_ca_edit.php* -##|-PRIV - - -require("guiconfig.inc"); - -if (!is_array($config['ipsec']['cacert'])) { - $config['ipsec']['cacert'] = array(); -} -ipsec_ca_sort(); -$a_secret = &$config['ipsec']['cacert']; - -$id = $_GET['id']; -if (isset($_POST['id'])) - $id = $_POST['id']; - -if (isset($id) && $a_secret[$id]) { - $pconfig['ident'] = $a_secret[$id]['ident']; - $pconfig['cert'] = base64_decode($a_secret[$id]['cert']); -} - -if ($_POST) { - - unset($input_errors); - $pconfig = $_POST; - - /* input validation */ - $reqdfields = explode(" ", "ident cert"); - $reqdfieldsn = explode(",", "Identifier,CA Certificate"); - if (!strstr($_POST['cert'], "BEGIN CERTIFICATE") || !strstr($_POST['cert'], "END CERTIFICATE")) - $input_errors[] = "This certificate does not appear to be valid."; - - do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); - - if (preg_match("/[^a-zA-Z0-9@\.\-]/", $_POST['ident'])) - $input_errors[] = "The identifier contains invalid characters."; - - if (!$input_errors && !(isset($id) && $a_secret[$id])) { - /* make sure there are no dupes */ - foreach ($a_secret as $secretent) { - if ($secretent['ident'] == $_POST['ident']) { - $input_errors[] = "Another entry with the same identifier already exists."; - break; - } - } - } - - if (!$input_errors) { - - if (isset($id) && $a_secret[$id]) - $secretent = $a_secret[$id]; - - $secretent['ident'] = $_POST['ident']; - $secretent['cert'] = base64_encode($_POST['cert']); - - if (isset($id) && $a_secret[$id]) - $a_secret[$id] = $secretent; - else - $a_secret[] = $secretent; - - write_config(); - touch($d_ipsecconfdirty_path); - - header("Location: vpn_ipsec_ca.php"); - exit; - } -} - -$pgtitle = array("VPN","IPsec","Certificate Authority","Edit"); -include("head.inc"); - -?> - -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php include("fbegin.inc"); ?> -<?php if ($input_errors) print_input_errors($input_errors); ?> - <form action="vpn_ipsec_ca_edit.php" 
method="post" name="iform" id="iform"> - <table width="100%" border="0" cellpadding="6" cellspacing="0"> - <tr> - <td valign="top" class="vncellreq">Identifier</td> - <td class="vtable"> - <input name="ident" type="text" class="formfld unknown" id="ident" size="30" value="<?=$pconfig['ident'];?>"> - <br>This can be any text to describe the certificate authority. - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Certificate</td> - <td width="78%" class="vtable"> - <textarea name="cert" cols="65" rows="7" id="cert" class="formpre"><?=htmlspecialchars($pconfig['cert']);?></textarea> - <br>Paste a CA certificate in X.509 PEM format here. <A TARGET='_new' HREF='vpn_ipsec_ca_edit_create_cert.php'>Create Certificates</A></td> - </tr> - <tr> - <td width="22%" valign="top"> </td> - <td width="78%"> - <input name="Submit" type="submit" class="formbtn" value="Save"> - <?php if (isset($id) && $a_secret[$id]): ?> - <input name="id" type="hidden" value="<?=$id;?>"> - <?php endif; ?> - </td> - </tr> - </table> -</form> -<?php include("fend.inc"); ?> diff --git a/usr/local/www/vpn_ipsec_ca_edit_create_cert.php b/usr/local/www/vpn_ipsec_ca_edit_create_cert.php deleted file mode 100755 index 8b86bb9..0000000 --- a/usr/local/www/vpn_ipsec_ca_edit_create_cert.php +++ /dev/null 
@@ -1,243 +0,0 @@ -<? -/* $Id$ */ -/* - vpn_ipsec_ca_edit_create_cert.php - part of pfSense - - Copyright (C) 2005 Scott Ullrich and Jason Ellingson - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. 
-*/ - -require('guiconfig.inc'); - -$fd = fopen('/etc/ssl/openssl.cnf', 'r'); -$openssl = fread($fd, 8096); -fclose($fd); - -/* Lets match the fileds in the read in file and - populate the variables for the form */ -preg_match('/\nC\=(.*)\n/', $openssl, $countrycodeA); -preg_match('/\nST\=(.*)\n/', $openssl, $stateorprovinceA); -preg_match('/\nL\=(.*)\n/', $openssl, $citynameA); -preg_match('/\nO\=(.*)\n/', $openssl, $orginizationnameA); -preg_match('/\nOU\=(.*)\n/', $openssl, $orginizationdepartmentA); -preg_match('/\nCN\=(.*)\n/', $openssl, $commonnameA); - -$pgtitle = array("IPsec","Certificate Authority","Create Certificates"); - -$countrycode = $countrycodeA[1]; -$stateorprovince = $stateorprovinceA[1]; -$cityname = $citynameA[1]; -$orginizationname = $orginizationnameA[1]; -$orginizationdepartment = $orginizationdepartmentA[1]; -$commonname = $commonnameA[1]; - -if($_POST) { - - /* Grab posted variables and create a new openssl.cnf */ - $countrycode=$_POST['countrycode']; - $stateorprovince=$_POST['stateorprovince']; - $cityname=$_POST['cityname']; - $orginizationname=$_POST['orginizationname']; - $orginizationdepartment=$_POST['orginizationdepartment']; - $commonname=$_POST['commonname']; - - /* Write out /etc/ssl/openssl.cnf */ - conf_mount_rw(); - $fd = fopen('/etc/ssl/openssl.cnf', 'w'); - fwrite($fd, ''); - fwrite($fd, "[ req ]\n"); - fwrite($fd, "distinguished_name = req_distinguished_name\n"); - fwrite($fd, "req_extensions = v3_req\n"); - fwrite($fd, "prompt = no\n"); - fwrite($fd, "default_bits = 1024\n"); - fwrite($fd, "default_keyfile = privkey.pem\n"); - fwrite($fd, "distinguished_name = req_distinguished_name\n"); - fwrite($fd, "attributes = req_attributes\n"); - fwrite($fd, "x509_extensions = v3_ca # The extentions to add to the self signed cert\n"); - fwrite($fd, "[ req_distinguished_name ]\n"); - fwrite($fd, "C = " . $countrycode . "\n"); - fwrite($fd, "ST = " . $stateorprovince. "\n"); - fwrite($fd, "L = " . $cityname . 
"\n"); - fwrite($fd, "O = " . $orginizationname . "\n"); - fwrite($fd, "OU = " . $orginizationdepartment . "\n"); - fwrite($fd, "CN = " . $commonname . "\n"); - fwrite($fd, "[EMAIL PROTECTED]\n"); - fwrite($fd, "[EMAIL PROTECTED]\n"); - fwrite($fd, "[ v3_req ]\n"); - fwrite($fd, "basicConstraints = critical,CA:FALSE\n"); - fwrite($fd, "keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement\n"); - fwrite($fd, "extendedKeyUsage = emailProtection,clientAuth\n"); - fwrite($fd, "[ ca ]\n"); - fwrite($fd, "default_ca = CA_default\n"); - fwrite($fd, "[ CA_default ]\n"); - fwrite($fd, "certificate = /tmp/cacert.pem\n"); - fwrite($fd, "private_key = /tmp/cakey.pem n"); - fwrite($fd, "dir = /tmp/\n"); - fwrite($fd, "certs = /tmp/certs\n"); - fwrite($fd, "crl_dir = /tmp/crl\n"); - fwrite($fd, "database = /tmp/index.txt\n"); - fwrite($fd, "new_certs_dir = /tmp/newcerts\n"); - fwrite($fd, "serial = /tmp/serial\n"); - fwrite($fd, "crl = /tmp/crl.pem\n"); - fwrite($fd, "RANDFILE = /tmp/.rand\n"); - fwrite($fd, "x509_extensions = usr_cert\n"); - fwrite($fd, "name_opt = ca_default\n"); - fwrite($fd, "cert_opt = ca_default\n"); - fwrite($fd, "default_days = 365\n"); - fwrite($fd, "default_crl_days = 30\n"); - fwrite($fd, "default_md = md5\n"); - fwrite($fd, "preserve = no\n"); - fwrite($fd, "policy = policy_match\n"); - fwrite($fd, "[ policy_match ]\n"); - fwrite($fd, "countryName = match\n"); - fwrite($fd, "stateOrProvinceName = match\n"); - fwrite($fd, "organizationName = match\n"); - fwrite($fd, "organizationalUnitName = optional\n"); - fwrite($fd, "commonName = supplied\n"); - fwrite($fd, "emailAddress = optional\n"); - fwrite($fd, "[ policy_anything ]\n"); - fwrite($fd, "countryName = optional\n"); - fwrite($fd, "stateOrProvinceName = optional\n"); - fwrite($fd, "localityName = optional\n"); - fwrite($fd, "organizationName = optional\n"); - fwrite($fd, "organizationalUnitName = optional\n"); - fwrite($fd, "commonName = supplied\n"); - 
fwrite($fd, "emailAddress = optional\n"); - fwrite($fd, "[ req_distinguished_name ]\n"); - fwrite($fd, "countryName = US\n"); - fwrite($fd, "[ req_attributes ]\n"); - fwrite($fd, "challengePassword = A challenge password\n"); - fwrite($fd, "unstructuredName = An optional company name\n"); - fwrite($fd, "[ usr_cert ]\n"); - fwrite($fd, "basicConstraints = CA:FALSE\n"); - fwrite($fd, "[ v3_ca ]\n"); - fwrite($fd, "subjectKeyIdentifier = hash\n"); - fwrite($fd, "authorityKeyIdentifier = keyid:always,issuer:always\n"); - fwrite($fd, "basicConstraints = CA:true\n"); - fwrite($fd, "[ crl_ext ]\n"); - fwrite($fd, "authorityKeyIdentifier = keyid:always,issuer:always\n"); - fclose($fd); - conf_mount_ro(); - -include("head.inc"); - -?> - <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<? include('fbegin.inc'); ?> - <form action="vpn_ipsec_ca_edit_create_cert.php" method="post" name="iform" id="iform"> -<? - if($input_errors) - print_input_errors($input_errors); - if($savemsg) - print_info_box($savemsg); -?> - <p> - One moment please... - </p> -<? - mwexec('cd /tmp/ && /usr/bin/openssl req -new -x509 -keyout cakey.pem -out cacert.pem -days 3650 -config /etc/ssl/openssl.cnf -passin pass:test -nodes'); - //mwexec('cd /tmp/ && /usr/bin/openssl req -config openssl.cnf -new -nodes > cacert.pem'); - //mwexec('cd /tmp/ && /usr/bin/openssl x509 -in cert.csr -out cert.pem -req -signkey cakey.pem'); - $fd = fopen('/tmp/cacert.pem', 'r'); - $cacert = fread($fd, 8096); - fclose($fd); - $fd = fopen('/tmp/cakey.pem', 'r'); - $cakey = fread($fd, 8096); - fclose($fd); - $cacertA = ereg_replace("\r", '', $cacert); - $cakeyA = ereg_replace("\r", '', $cakey); - $cacert = ereg_replace("\n", '\n', $cacert); - $cakey = ereg_replace("\n", '\n', $cakey); -?> - <script language="JavaScript"> - <!-- - var cacert='<?=$cacert?>'; - var ident='<?=$commonname?>'; - opener.document.forms[0].cert.value=cacert; - opener.document.forms[0].ident.value=ident; - this.close(); - //--> - </script> -<? 
- include('fend.inc'); -?> - </form> - </body> -</html> -<? -} else { //if($_POST) - -include("head.inc"); - -?> -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<? include('fbegin.inc'); ?> - - <form action="vpn_ipsec_ca_edit_create_cert.php" method="post" name="iform" id="iform"> - <table width="100%" border="0" cellpadding="6" cellspacing="0"> - <tr> - <td nowrap="nowrap" width="30%" class="vncell"><b>Country Code (2 Letters)</b></td> - <td nowrap="nowrap" width="70%" class="vtable"><input name="countrycode" value="<?=$countrycode?>"></td> - </tr> - <tr> - <td nowrap="nowrap" class="vncell"><b>State or Province name</b></td> - <td nowrap="nowrap" class="vtable"><input name="stateorprovince" value="<?=$stateorprovince?>"></td> - </tr> - <tr> - <td nowrap="nowrap" class="vncell"><b>City name</b></td> - <td nowrap="nowrap" class="vtable"><input name="cityname" value="<?=$cityname?>"></td> - </tr> - <tr> - <td nowrap="nowrap" class="vncell"><b>Organization name</b></td> - <td nowrap="nowrap" class="vtable"><input name="orginizationname" value="<?=$orginizationname?>"></td> - </tr> - <tr> - <td nowrap="nowrap" class="vncell"><b>Organization department</b></td> - <td nowrap="nowrap" class="vtable"><input name="orginizationdepartment" value="<?=$orginizationdepartment?>"></td> - </tr> - <tr> - <td nowrap="nowrap" class="vncell"><b>Common Name (Your name)</b></td> - <td nowrap="nowrap" class="vtable"><input name="commonname" value="<?=$commonname?>"></td> - </tr> -<!-- - <tr> - <td nowrap="nowrap" class="vncell"><b>E-Mail address</b></td> - <td nowrap="nowrap" class="vtable"><input name="email" value="<?=$email?>"></td> - </tr> ---> - <tr> - <td nowrap="nowrap"> </td> - <td nowrap="nowrap"><input name="Submit" type="submit" class="formbtn" value="Save"></td> - </tr> - </table> - </form> -<? - include('fend.inc'); -?> - </body> -</html> -<? -} // if($_POST) -?> 
diff --git a/usr/local/www/vpn_ipsec_mobile.php b/usr/local/www/vpn_ipsec_mobile.php
index fc0fbaa..47ac3a3 100755
--- a/usr/local/www/vpn_ipsec_mobile.php
+++ b/usr/local/www/vpn_ipsec_mobile.php
@@ -305,7 +305,6 @@ function login_banner_change() {
 $tab_array = array();
 $tab_array[0] = array("Tunnels", false, "vpn_ipsec.php");
 $tab_array[1] = array("Mobile clients", true, "vpn_ipsec_mobile.php");
- $tab_array[2] = array("CAs", false, "vpn_ipsec_ca.php");
 display_top_tabs($tab_array);
 ?>
 </td>
diff --git a/usr/local/www/vpn_ipsec_phase1.php b/usr/local/www/vpn_ipsec_phase1.php
index a47d90d..174f884 100644
--- a/usr/local/www/vpn_ipsec_phase1.php
+++ b/usr/local/www/vpn_ipsec_phase1.php
@@ -95,9 +95,7 @@ if (isset($p1index) && $a_phase1[$p1index])
 ($pconfig['authentication_method'] == "xauth_psk_server")) {
 $pconfig['pskey'] = $a_phase1[$p1index]['pre-shared-key'];
 } else {
- $pconfig['cert'] = base64_decode($a_phase1[$p1index]['cert']);
- $pconfig['peercert'] = base64_decode($a_phase1[$p1index]['peercert']);
- $pconfig['privatekey'] = base64_decode($a_phase1[$p1index]['private-key']);
+ $pconfig['certref'] = $a_phase1[$p1index]['certref'];
 }
 $pconfig['descr'] = $a_phase1[$p1index]['descr'];
@@ -146,13 +144,9 @@ if ($_POST) {
 if (($method == "pre_shared_key")||($method == "xauth_psk_server")) {
 $reqdfields = explode(" ", "pskey");
 $reqdfieldsn = explode(",", "Pre-Shared Key");
- } else {
- if (!strstr($pconfig['cert'], "BEGIN CERTIFICATE") || !strstr($pconfig['cert'], "END CERTIFICATE"))
- $input_errors[] = "This certificate does not appear to be valid.";
- if (!strstr($pconfig['privatekey'], "BEGIN RSA PRIVATE KEY") || !strstr($pconfig['privatekey'], "END RSA PRIVATE KEY"))
- $input_errors[] = "This key does not appear to be valid.";
- if ($pconfig['peercert']!="" && (!strstr($pconfig['peercert'], "BEGIN CERTIFICATE") || !strstr($pconfig['peercert'], "END CERTIFICATE")))
- $input_errors[] = "This peer certificate does not appear to be valid.";
+ } else {
+ $reqdfields = explode(" ", "certref");
+ $reqdfieldsn = explode(",", "My Certificate");
 }
 if (!$pconfig['mobile']) {
 $reqdfields[] = "remotegw";
@@ -297,8 +291,7 @@ if ($_POST) {
 $ph1ent['lifetime'] = $pconfig['lifetime'];
 $ph1ent['pre-shared-key'] = $pconfig['pskey'];
 $ph1ent['private-key'] = base64_encode($pconfig['privatekey']);
- $ph1ent['cert'] = base64_encode($pconfig['cert']);
- $ph1ent['peercert'] = base64_encode($pconfig['peercert']);
+ $ph1ent['certref'] = $pconfig['certref'];
 $ph1ent['authentication_method'] = $pconfig['authentication_method'];
 $ph1ent['descr'] = $pconfig['descr'];
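Review bot: The new `else` branch only requires `certref` to be non-empty; nothing checks that the posted value refers to an existing certificate with a private key, so a stale or hand-crafted `certref` is saved and the tunnel later fails at configure time with "Invalid phase1 certificate reference" in vpn.inc. After the required-field validation add `$cert = lookup_cert($pconfig['certref']); if (!$cert || !$cert['prv']) $input_errors[] = "The selected certificate does not exist or has no private key.";`, assuming the helper vpn.inc already calls is in scope on this page. The remaining validation continues below the hunk.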
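Review bot: The context line `$ph1ent['private-key'] = base64_encode($pconfig['privatekey']);` is left in place although the form no longer has a `privatekey` field and the 5.6 upgrade in config.inc explicitly removes `private-key` from phase 1 entries; every save now writes an empty `private-key` element back, and a client that does post that field gets its value stored in config.xml unvalidated. Delete the line so key material lives only in the Certificate Manager. The rest of the `$ph1ent` assembly is outside the hunk.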
@@ -378,22 +371,16 @@ function methodsel_change() {
 switch (value) {
 case 'hybrid_rsa_server':
 document.getElementById('opt_psk').style.display = 'none';
- document.getElementById('opt_my_cert').style.display = '';
- document.getElementById('opt_my_pkey').style.display = '';
- document.getElementById('opt_peer_cert').style.display = 'none';
+ document.getElementById('opt_cert').style.display = '';
 break;
 case 'xauth_rsa_server': case 'rsasig':
 document.getElementById('opt_psk').style.display = 'none';
- document.getElementById('opt_my_cert').style.display = '';
- document.getElementById('opt_my_pkey').style.display = '';
- document.getElementById('opt_peer_cert').style.display = '';
+ document.getElementById('opt_cert').style.display = '';
 break;
 default: /* psk modes*/
 document.getElementById('opt_psk').style.display = '';
- document.getElementById('opt_my_cert').style.display = 'none';
- document.getElementById('opt_my_pkey').style.display = 'none';
- document.getElementById('opt_peer_cert').style.display = 'none';
+ document.getElementById('opt_cert').style.display = 'none';
 break;
 }
 }
@@ -462,7 +449,6 @@ function dpdchkbox_change() {
 $tab_array = array();
 $tab_array[0] = array("Tunnels", true, "vpn_ipsec.php");
 $tab_array[1] = array("Mobile clients", false, "vpn_ipsec_mobile.php");
- $tab_array[2] = array("CAs", false, "vpn_ipsec_ca.php");
 display_top_tabs($tab_array);
 ?>
 </td>
@@ -660,9 +646,9 @@ function dpdchkbox_change() {
 <?php endforeach; ?>
 </select>
 <br>
- <span class="vexpl">
- Must match the setting chosen on the remote side.
- </span>
+ <span class="vexpl">
+ Must match the setting chosen on the remote side.
+ </span>
 </td>
 </tr>
 <tr id="opt_psk">
@@ -670,37 +656,29 @@ function dpdchkbox_change() {
 <td width="78%" class="vtable">
 <?=$mandfldhtml;?> <input name="pskey" type="text" class="formfld unknown" id="pskey" size="40" value="<?=htmlspecialchars($pconfig['pskey']);?>">
- </td>
- </tr>
- <tr id="opt_my_cert">
- <td width="22%" valign="top" class="vncellreq">My Certificate</td>
- <td width="78%" class="vtable">
- <textarea name="cert" cols="65" rows="7" id="cert" class="formpre">
- <?=htmlspecialchars($pconfig['cert']);?>
- </textarea>
- <br>
- Paste a certificate in X.509 PEM format here.
- </td>
- </tr>
- <tr id="opt_my_pkey">
- <td width="22%" valign="top" class="vncellreq">My Private Key</td>
- <td width="78%" class="vtable">
- <textarea name="privatekey" cols="65" rows="7" id="privatekey" class="formpre">
- <?=htmlspecialchars($pconfig['privatekey']);?>
- </textarea>
+ <span class="vexpl">
 <br>
- Paste an RSA private key in PEM format here.
+ Input your pre-shared key string.
+ </span>
 </td>
 </tr>
- <tr id="opt_peer_cert">
- <td width="22%" valign="top" class="vncell">Peer Certificate</td>
+ <tr id="opt_cert">
+ <td width="22%" valign="top" class="vncellreq">My Certificate</td>
 <td width="78%" class="vtable">
- <textarea name="peercert" cols="65" rows="7" id="peercert" class="formpre">
- <?=htmlspecialchars($pconfig['peercert']);?>
- </textarea>
+ <select name='certref' class="formselect">
+ <?php
+ foreach ($config['system']['cert'] as $cert):
+ $selected = "";
+ if ($pconfig['certref'] == $cert['refid'])
+ $selected = "selected";
+ ?>
+ <option value="<?=$cert['refid'];?>" <?=$selected;?>><?=$cert['name'];?></option>
+ <?php endforeach; ?>
+ </select>
 <br>
- Paste the peer X.509 certificate in PEM format here.<br>
- Leave this blank if you want to use a CA certificate for identity validation.
+ <span class="vexpl">
+ Select a certificate previously configured in the Certificate Manager.
+ </span>
 </td>
 </tr>
 <tr>
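Review bot: The new `<option>` list prints `$cert['refid']` and `$cert['name']` raw, whereas every other value on this form goes through `htmlspecialchars()`; a certificate name containing `"` or `<` (settable in the Certificate Manager) breaks the markup and is a stored XSS on this page. Escape both: `<option value="<?=htmlspecialchars($cert['refid']);?>" <?=$selected;?>><?=htmlspecialchars($cert['name']);?></option>`. The `foreach ($config['system']['cert'] as $cert)` also has no `is_array()` guard, so a box with no certificates yet emits a PHP warning inside the select; wrap it as `if (is_array($config['system']['cert'])) foreach (...)`. The form continues outside the hunk.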
@@ -740,7 +718,7 @@ function dpdchkbox_change() {
 <input name="dpd_maxfail" type="text" class="formfld unknown" id="dpd_maxfail" size="5" value="<?=$pconfig['dpd_maxfail'];?>"> retries<br>
 <span class="vexpl">
- Number consecutive failures allowed before disconnect.
+ Number of consecutive failures allowed before disconnect.
 </span>
 <br>
 </div>
diff --git a/usr/local/www/vpn_ipsec_phase2.php b/usr/local/www/vpn_ipsec_phase2.php
index b9a7cb9..6ca7a7a 100644
--- a/usr/local/www/vpn_ipsec_phase2.php
+++ b/usr/local/www/vpn_ipsec_phase2.php
@@ -270,7 +270,6 @@ function typesel_change_remote(bits) {
 $tab_array = array();
 $tab_array[0] = array("Tunnels", true, "vpn_ipsec.php");
 $tab_array[1] = array("Mobile clients", false, "vpn_ipsec_mobile.php");
- $tab_array[2] = array("CAs", false, "vpn_ipsec_ca.php");
 display_top_tabs($tab_array);
 ?>
 </td> |