Diffstat (limited to 'etc/inc/vpn.inc')
-rw-r--r--etc/inc/vpn.inc97
1 files changed, 41 insertions, 56 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index b9753ee..db4b6a0 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -209,23 +209,22 @@ function vpn_ipsec_configure($ipchg = false)
}
/* generate CA certificates files */
- $cacertnum = 0;
- if (is_array($ipseccfg['cacert']) && count($ipseccfg['cacert'])) {
- foreach ($ipseccfg['cacert'] as $cacert) {
- ++ $cacertnum;
- if (isset ($cacert['cert'])) {
- $cert = base64_decode($cacert['cert']);
- $x509cert = openssl_x509_parse(openssl_x509_read($cert));
- if (is_array($x509cert) && isset ($x509cert['hash'])) {
- $fd1 = fopen("{$g['varetc_path']}/{$x509cert['hash']}.0", "w");
- if (!$fd1) {
- printf("Error: cannot open {$x509cert['hash']}.0 in vpn.\n");
- return 1;
- }
- chmod("{$g['varetc_path']}/{$x509cert['hash']}.0", 0600);
- fwrite($fd1, $cert);
- fclose($fd1);
- }
+ if (is_array($config['system']['ca']) && count($config['system']['ca'])) {
+ foreach ($config['system']['ca'] as $ca) {
+ if (!isset($ca['crt'])) {
+ log_error("Error: Invalid certificate info for {$ca['name']}");
+ continue;
+ }
+ $cert = base64_decode($ca['crt']);
+ $x509cert = openssl_x509_parse(openssl_x509_read($cert));
+ if (!is_array($x509cert) || !isset($x509cert['hash'])) {
+ log_error("Error: Invalid certificate hash info for {$ca['name']}");
+ continue;
+ }
+ $fname = $g['varetc_path']."/".$x509cert['hash'];
+ if (!file_put_contents($fname, $cert)) {
+ log_error("Error: Cannot write IPsec CA file for {$ca['name']}");
+ continue;
}
}
}
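Review bot: The new CA file name on the line `$fname = $g['varetc_path']."/".$x509cert['hash'];` drops the `.0` suffix the removed code used, so the file is no longer named the way an OpenSSL hashed certificate directory (`<hash>.0`) is searched; if racoon still locates CA certificates that way, trust lookups will silently fail, and the fix is `$fname = $g['varetc_path']."/".$x509cert['hash'].".0";`. The replacement also loses the `chmod(..., 0600)` the old code applied, so the file's mode is now whatever the process umask gives; if that is intentional because a CA certificate is public, a one-line comment saying so would stop the next reader from "fixing" it. Separately, `openssl_x509_read()` returns false for an undecodable blob and passing that to `openssl_x509_parse()` raises a PHP warning before the `continue` is reached, so consider checking the read result first: `$res = openssl_x509_read($cert); $x509cert = $res ? openssl_x509_parse($res) : false;`. The enclosing vpn_ipsec_configure() continues beyond this hunk.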
@@ -487,52 +486,38 @@ function vpn_ipsec_configure($ipchg = false)
$certline = '';
if (strstr($authmethod,'rsa')) {
- if ($ph1ent['cert'] && $ph1ent['private-key']) {
- $cert = base64_decode($ph1ent['cert']);
- $private_key = base64_decode($ph1ent['private-key']);
- } else {
- /* null certificate/key */
- $cert = '';
- $private_key = '';
- }
- if ($ph1ent['peercert'])
- $peercert = base64_decode($ph1ent['peercert']);
- else
- $peercert = '';
+ $cert = lookup_cert($ph1ent['certref']);
- $fd1 = fopen("{$g['varetc_path']}/server{$ikeid}-signed.pem", "w");
- if (!$fd1) {
- printf("Error: cannot open server{$ikeid}-signed.pem in vpn.\n");
- return 1;
+ if (!$cert)
+ {
+ log_error("Error: Invalid phase1 certificate reference for {$ph1ent['name']}");
+ continue;
}
-
- chmod("{$g['varetc_path']}/server{$ikeid}-signed.pem", 0600);
- fwrite($fd1, $cert);
- fclose($fd1);
-
- $fd1 = fopen("{$g['varetc_path']}/server{$ikeid}-key.pem", "w");
- if (!$fd1) {
- printf("Error: cannot open server{$ikeid}-key.pem in vpn.\n");
- return 1;
+
+ $certfile = "cert-".$ikeid.".crt";
+ $certpath = $g['varetc_path']."/".$certfile;
+
+ if (!file_put_contents($certpath, base64_decode($cert['crt'])))
+ {
+ log_error("Error: Cannot write phase1 certificate file for {$ph1ent['name']}");
+ continue;
}
- chmod("{$g['varetc_path']}/server{$ikeid}-key.pem", 0600);
- fwrite($fd1, $private_key);
- fclose($fd1);
- $certline = "certificate_type x509 \"server{$ikeid}-signed.pem\" \"server{$ikeid}-key.pem\";";
+ chmod($certpath, 0600);
- if ($peercert != '') {
- $fd1 = fopen("{$g['varetc_path']}/peer{$ikeid}-signed.pem", "w");
- if (!$fd1) {
- printf("Error: cannot open server{$ikeid}-signed.pem in vpn.\n");
- return 1;
- }
- chmod("{$g['varetc_path']}/peer{$ikeid}-signed.pem", 0600);
- fwrite($fd1, $peercert);
- fclose($fd1);
- $certline .="peers_certfile \"peer{$ikeid}-signed.pem\"";
+ $keyfile = "cert-".$ikeid.".key";
+ $keypath = $g['varetc_path']."/".$keyfile;
+
+ if (!file_put_contents($keypath, base64_decode($cert['crt'])))
+ {
+ log_error("Error: Cannot write phase1 key file for {$ph1ent['name']}");
+ continue;
}
+
+ chmod($keypath, 0600);
+
+ $certline = "certificate_type x509 \"{$certpath}\" \"{$keypath}.key\";";
}
$ealgos = '';
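Review bot: The key file is written with the certificate body: `file_put_contents($keypath, base64_decode($cert['crt']))` on the key path should decode the private-key field of the lookup_cert() result (presumably `$cert['prv']`, alongside the `crt` key used for the certificate — confirm against lookup_cert), otherwise racoon is handed a PEM certificate where it expects a key and RSA authentication fails for every phase 1 using it. The generated directive then appends a second suffix — `$keypath` already ends in `.key`, so `\"{$keypath}.key\"` points at `cert-N.key.key`, which was never written; it should read `$certline = "certificate_type x509 \"{$certpath}\" \"{$keypath}\";"`. Also, file_put_contents() followed by chmod() creates the private key with the umask's default mode and only tightens it afterwards, a window the removed fopen/chmod/fwrite order avoided; create the file empty and chmod it to 0600 before writing the key bytes, or set the umask for this step. The enclosing vpn_ipsec_configure() loop continues past the end of this hunk.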