Diffstat (limited to 'usr')
-rw-r--r-- | usr/local/pkg/openvpn.xml | 73 | ||||
-rw-r--r-- | usr/local/pkg/openvpn_cli.xml | 6 | ||||
-rw-r--r-- | usr/local/www/vpn_openvpn_certs.php | 29 | ||||
-rw-r--r-- | usr/local/www/vpn_openvpn_certs_create.php | 105 |
4 files changed, 104 insertions, 109 deletions
diff --git a/usr/local/pkg/openvpn.xml b/usr/local/pkg/openvpn.xml
index 665bcf1..8b0cbd3 100644
--- a/usr/local/pkg/openvpn.xml
+++ b/usr/local/pkg/openvpn.xml
@@ -157,68 +157,17 @@ <onchange>onAuthMethodChanged()</onchange> </field> <field> - <fieldname>shared_key</fieldname> - <fielddescr>Shared key</fielddescr> - <description>Paste your shared key here.</description> - <type>textarea</type> - <encoding>base64</encoding> - <rows>8</rows> - <cols>40</cols> - </field> - <field> - <fieldname>ca_cert</fieldname> - <fielddescr>CA certificate</fielddescr> - <description>Paste your CA certificate in X.509 format here.</description> - <type>textarea</type> - <encoding>base64</encoding> - <rows>8</rows> - <cols>40</cols> - </field> - <field> - <fieldname>server_cert</fieldname> - <fielddescr>Server certificate</fielddescr> - <description>Paste your server certificate in X.509 format here.</description> - <type>textarea</type> - <encoding>base64</encoding> - <rows>8</rows> - <cols>40</cols> - </field> - <field> - <fieldname>server_key</fieldname> - <fielddescr>Server key</fielddescr> - <description>Paste your server key in RSA format here.</description> - <type>textarea</type> - <encoding>base64</encoding> - <rows>8</rows> - <cols>40</cols> - </field> - <field> - <fieldname>dh_params</fieldname> - <fielddescr>DH parameters</fielddescr> - <description>Paste your Diffie Hellman parameters in PEM format here.</description> - <type>textarea</type> - <encoding>base64</encoding> - <rows>8</rows> - <cols>40</cols> - </field> - <field> - <fieldname>crl</fieldname> - <fielddescr>CRL</fielddescr> - <description>Paste your certificate revocation list (CRL) in PEM format here (optional).</description> - <type>textarea</type> - <encoding>base64</encoding> - <rows>8</rows> - <cols>40</cols> - </field> - <field> - <fieldname>tls</fieldname> - <fielddescr>TLS</fielddescr> - <description>Paste your HMAC signature (TLS) here (optional).</description> - <type>textarea</type> - <encoding>base64</encoding> - <rows>8</rows> - <cols>40</cols> - </field> + <fieldname>cipher</fieldname> + <fielddescr>Certificates to apply<fielddescr> + 
<description>Certificates generated from the certificate generation tab.</description> + <type>select</type> + <options> + <option> + <value>none</value> + <name>none</name> + </option> + </options> + </field> <field> <fieldname>dhcp_domainname</fieldname> <fielddescr>DHCP-Opt.: DNS-Domainname</fielddescr> diff --git a/usr/local/pkg/openvpn_cli.xml b/usr/local/pkg/openvpn_cli.xml index d942403..129b86f 100644 --- a/usr/local/pkg/openvpn_cli.xml +++ b/usr/local/pkg/openvpn_cli.xml @@ -146,7 +146,7 @@ <cols>40</cols> </field> <field> - <fieldname>ca_cert</fieldname> + <fieldname>ca.crt</fieldname> <fielddescr>CA certificate</fielddescr> <description>Paste the server's CA certificate in X.509 format here.</description> <type>textarea</type> @@ -155,7 +155,7 @@ <cols>40</cols> </field> <field> - <fieldname>client_cert</fieldname> + <fieldname>client.crt</fieldname> <fielddescr>Client certificate</fielddescr> <description>Paste your client certificate in X.509 format here.</description> <type>textarea</type> @@ -164,7 +164,7 @@ <cols>40</cols> </field> <field> - <fieldname>client_key</fieldname> + <fieldname>client.key</fieldname> <fielddescr>Client key</fielddescr> <description>Paste your client key in RSA format here.</description> <type>textarea</type> diff --git a/usr/local/www/vpn_openvpn_certs.php b/usr/local/www/vpn_openvpn_certs.php index dd4b943..bcf170b 100644 --- a/usr/local/www/vpn_openvpn_certs.php +++ b/usr/local/www/vpn_openvpn_certs.php @@ -30,7 +30,7 @@ require("guiconfig.inc"); -//$pgtitle = array("OpenVPN", "Certificate management"); +$pgtitle = array("OpenVPN", "Certificate management"); $ovpncapath = $g['varetc_path']."/openvpn/certificates"; if ($_GET['reset']) { 
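Review bot: The label of the new select field is never closed: `<fielddescr>Certificates to apply<fielddescr>` needs `</fielddescr>`, otherwise openvpn.xml is not well-formed and the package GUI that parses it will fail to load. The field is named `cipher` although it selects a certificate set; the PHP added later in this commit locates it by position (`['fields']['field'][11]`) rather than by name, so the name is only cosmetic today, but a descriptive fieldname such as `certificates` would let that positional lookup be replaced by a name lookup. The removed base64 textarea fields (`shared_key`, `ca_cert`, `server_cert`, `server_key`, `dh_params`, `crl`, `tls`) are not migrated anywhere in this diff, so existing configurations that still hold those values would presumably no longer be displayed or applied — worth confirming against the package's config handling, which is outside this hunk.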
@@ -51,6 +51,29 @@ if ($_GET['delete']) { write_config(); } } + /* XXX: Lets do some hacking now! This implies we are not on embedded platform!!! */ + $pkg_config = parse_xml_config_pkg("/usr/local/pkg/openvpn.xml", "packagegui"); + $options =& $pkg_config['fields']['field'][11]['options']['option']; + if (is_array($options)) { + for ($i = 0; $i < count($options); $i++) { + if ($options[$i]['name'] == $caname) { + unset($options[$i]); + break; + } + } + + conf_mount_rw(); + + $xmlcf = dump_xml_config_pkg($pkg_config, "packagegui"); + /* write new configuration */ + $fd = fopen("/usr/local/pkg/openvpn.xml", "w"); + if (!$fd) + die("Unable to open openvpn.xml for writing in write_config()\n"); + fwrite($fd, $xmlcf); + fclose($fd); + + conf_mount_ro(); + } } exec("cd ".$g['varetc_path']."/openvpn/certificates && /usr/bin/find . -type d -name \"[a-zA-Z0-9_]*\"", $certificates); @@ -91,8 +114,10 @@ include("head.inc"); <td><a href="vpn_openvpn_certs.php?delete=<?=$cert;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="<?=gettext("delete certificate");?>" width="17" height="17" border="0" alt="" /></a></td> </tr> <?php } ?> - <tr><td><a href="vpn_openvpn_certs_create.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="<?=gettext("add a new certificate");?> width="17" height="17" border="0" alt="" /></a></td></tr> + <tr><td><a href="vpn_openvpn_create_certs.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="<?=gettext("add a new certificate");?> width="17" height="17" border="0" alt="" /></a></td></tr> </table> <?php include("fend.inc"); ?> </body> </html> + + diff --git a/usr/local/www/vpn_openvpn_certs_create.php b/usr/local/www/vpn_openvpn_certs_create.php index e1cb298..676810f 100644 --- a/usr/local/www/vpn_openvpn_certs_create.php +++ b/usr/local/www/vpn_openvpn_certs_create.php 
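Review bot: In the @@ -51 hunk `conf_mount_rw()` is called before the `fopen` of /usr/local/pkg/openvpn.xml, and the `die(...)` on a failed open exits without reaching `conf_mount_ro()`, so a write failure leaves the config filesystem mounted read-write; move `conf_mount_rw()` below the `if (!$fd)` guard, or record the failure in `$input_errors[]` and fall through instead of dying. The lookup `$pkg_config['fields']['field'][11]` hard-codes the position of the select added to openvpn.xml in this same commit, so any field inserted above it would silently retarget the rewrite; locating the field by `fieldname` would be safer. The same block is pasted verbatim into the @@ -183 hunk of vpn_openvpn_certs_create.php, and the `die` message in both still says `in write_config()`, which is not the function it lives in; a shared helper that loads the package XML, applies the option edit and writes it back would remove the duplicate and the misleading message. `$caname` is assigned before this hunk, so whether it is trimmed or validated before the comparison `$options[$i]['name'] == $caname` cannot be seen here.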
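Review bot: The add link in the @@ -91 hunk now points at `vpn_openvpn_create_certs.php`, but the file this commit edits is still `usr/local/www/vpn_openvpn_certs_create.php` (see the diffstat and the file header that follows), so the plus icon will lead to a missing page unless a rename happens outside this diff; either keep `href="vpn_openvpn_certs_create.php"` or rename the file in the same commit. The @@ -1 hunk of that file makes the same rename in its header comment and should be kept in step with whichever name is chosen. The `title="<?=gettext("add a new certificate");?> width="17"` attribute on the same line is missing the closing double quote after `?>`, which is carried over from the old line and leaves `width`, `height`, `border` and `alt` inside the title value.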
@@ -1,6 +1,7 @@ <?php +/* $Id$ */ /* - vpn_openvpn_certs_create.php + vpn_openvpn_create_certs.php part of pfSense Copyright (C) 2004 Scott Ullrich 
@@ -30,39 +31,24 @@ require("guiconfig.inc"); -//$pgtitle = array("VPN", "OpenVPN Create Certs"); +$pgtitle = array("VPN", "OpenVPN Create Certs"); $ovpncapath = $g['varetc_path']."/openvpn/certificates"; -/* XXX: hardcoded path */ +/* XXX: hardcoded path; worth making it a global?! */ $easyrsapath = "/usr/local/share/openvpn/certificates"; if ($_GET['ca']) { - //$openssl = file_get_contents("$ovpncapath/".trim($_GET['ca'])."/vars"); - $openssl = ""; - if(file_exists("$ovpncapath/".trim($_GET['ca'])."/vars")) { - $fd = fopen("$ovpncapath/".trim($_GET['ca'])."/vars", "r"); - $tmp = fread($fd,8096); - $openssl .= $tmp; - fclose($fd); - - preg_match('/\nsetenv KEY_EXPIRE(.*)\n/', $openssl, $cakeyexpireA); - preg_match('/\nsetenv CA_EXPIRE(.*)\n/', $openssl, $caexpireA); - preg_match('/\nsetenv KEY_SIZE(.*)\n/', $openssl, $cakeysize); - preg_match('/\nsetenv KEY_COUNTRY(.*)\n/', $openssl, $countrycodeA); - preg_match('/\nsetenv KEY_SIZE(.*)\n/', $openssl, $cakeysize); - preg_match('/\nsetenv KEY_PROVINCE(.*)\n/', $openssl, $stateorprovinceA); - preg_match('/\nsetenv KEY_CITY(.*)\n/', $openssl, $citynameA); - preg_match('/\nsetenv KEY_ORG(.*)\n/', $openssl, $orginizationnameA); - preg_match('/\nsetenv KEY_EMAIL(.*)\n/', $openssl, $emailA); - - $caname = trim($_GET['ca']); - $cakeysize = trim($cakeysizeA[1]); - $caexpire = trim($caexpireA[1]); - $cakeyexpire = trim($cakeyexpire[1]); - $countrycode=trim($countrycodeA[1]); - $stateorprovince=trim($stateorprovinceA[1]); - $cityname=trim($citynameA[1]); - $orginizationname=trim($orginizationnameA[1]); - $email = trim($emailA[1]); + if ($config['openvpn']['keys'][$_GET['ca']]) { + $data = $config['openvpn']['keys'][$_GET['ca']]; + $caname = trim($_GET['ca']); + $cakeysize = $data['keysize']; + $caexpire = $data['caexpire']; + $cakeyexpire = $data['keyexpire']; + $countrycode= $data['keycountry']; + $stateorprovince= $data['keyprovince']; + $cityname= $data['keyclient']; + $orginizationname= $data['keyorg']; + $email = 
$data['keyemail']; + $caclients = $data['caclients']; } else $input_errors[] = "Certificate does not exist."; } @@ -129,19 +115,21 @@ if ($_POST) { fwrite($fd, "$easyrsapath/pkitool --batch --server server \n"); fwrite($fd, "echo \"Creating DH Parms...\" \n"); fwrite($fd, "openssl dhparam -out $ovpncapath/$caname/dh_params.dh $cakeysize \n"); - fwrite($fd, "echo \"Creating Client Certificates...\" \n"); - /* NOTE: i know that shel can do this too but i just do not care! */ - $cmdclients = ""; - for ($i = 0; $i < intval($caclients); $i++) { - $cmdclients .= "echo \"Creating client$i certificate...\" \n"; - $cmdclients .= "$ovpncapath/pkitool --batch client$i \n"; + if ($caclients && intval($caclients) > 0) { + fwrite($fd, "echo \"Creating Client Certificates...\" \n"); + /* NOTE: i know that shel can do this too but i just do not care! */ + $cmdclients = ""; + for ($i = 0; $i < intval($caclients); $i++) { + $cmdclients .= "echo \"Creating client$i certificate...\" \n"; + $cmdclients .= "$ovpncapath/pkitool --batch client$i \n"; + } + fwrite($fd, "$cmdclients \n"); + fwrite($fd, "cd $ovpncapath/$caname \n"); + fwrite($fd, "tar czvf client_certificates.tar.gz $ovpncapath/$caname/ca.crt $ovpncapath/$caname/shared.key $ovpncapath/$caname/client* \n"); + fwrite($fd, "echo \"Removing client certificates...\" \n"); + fwrite($fd, "rm $ovpncapath/$caname/client* \n"); + fwrite($fd, "cp $ovpncapath/client_certificates.tar.gz $ovpncapath/$caname/ \n"); } - fwrite($fd, "$cmdclients \n"); - fwrite($fd, "cd $ovpncapath/$caname \n"); - fwrite($fd, "tar czvf $ovpncapath/$caname/client_certificates.tar.gz $ovpncapath/$caname/ca.crt $ovpncapath/$caname/shared.key $ovpncapath/$caname/client* \n"); - fwrite($fd, "echo \"Removing client certificates...\" \n"); - fwrite($fd, "rm $ovpncapath/$caname/client* \n"); - fwrite($fd, "cp $ovpncapath/client_certificates.tar.gz $ovpncapath/$caname/ \n"); fwrite($fd, "echo \"Done!\" \n"); fclose($fd); } 
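Review bot: The keys read from `$config['openvpn']['keys'][$_GET['ca']]` in the @@ -30 hunk (`keysize`, `caexpire`, `keyexpire`, `keycountry`, `keyprovince`, `keyclient`, `keyorg`, `keyemail`) do not match the keys the @@ -183 hunk of this file writes (`KEYSIZE`, `KEYEXPIRE`, `CAEXPIRE`, `KEYCOUNTRY`, `KEYPROVINCE`, `KEYCITY`, `KEYORG`, `KEYEMAIL`); PHP array keys are case-sensitive, so every field except `caclients` reloads as null, and `$cityname = $data['keyclient']` would be wrong even with matching case since the stored key is the city. Use one spelling on both sides, e.g. `$cakeysize = $data['KEYSIZE'];` and `$cityname = $data['KEYCITY'];`. The untrimmed `$_GET['ca']` is used as the array index while `$caname` is the trimmed value, so a name with surrounding whitespace is found on lookup but then used under a different string; index the config array with the trimmed value as well.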
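Review bot: In the @@ -129 hunk the generated script runs `cd $ovpncapath/$caname` and then `tar czvf client_certificates.tar.gz ...`, so the archive is created inside `$ovpncapath/$caname/`; the following `rm $ovpncapath/$caname/client*` glob matches and deletes that freshly created archive, and the final `cp $ovpncapath/client_certificates.tar.gz $ovpncapath/$caname/` copies from a path nothing wrote to. Write the archive under a name the glob cannot match, e.g. `tar czvf $ovpncapath/$caname/clients.tar.gz ...`, and drop the `cp` line. The client certificates are generated with `$ovpncapath/pkitool` while the server line just above uses `$easyrsapath/pkitool`; unless pkitool is also installed under `$ovpncapath`, which this diff does not show, the client loop will fail. `$caname` and `$cakeysize` are interpolated unquoted into this shell script; their origin is outside the hunk, so validating them against a strict character class before this point would be a cheap safeguard. The `if ($_POST)` handler that opens `$fd` begins before this hunk.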
@@ -183,13 +171,46 @@ if ($_POST) { $ovpnkeys =& $config['openvpn']['keys']; if (!is_array($ovpnkeys[$caname])) $ovpnkeys[$caname] = array(); + /* vars */ + $ovpnkeys[$caname]['KEYSIZE'] = $cakeysize; + $ovpnkeys[$caname]['KEYEXPIRE'] = $cakeyexpire; + $ovpnkeys[$caname]['CAEXPIRE'] = $caexpire; + $ovpnkeys[$caname]['KEYCOUNTRY'] = $countrycode; + $ovpnkeys[$caname]['KEYPROVINCE'] = $stateorprovince; + $ovpnkeys[$caname]['KEYCITY'] = $cityname; + $ovpnkeys[$caname]['KEYORG'] = $orginizationname; + $ovpnkeys[$caname]['KEYEMAIL'] = $email; + $ovpnkeys[$caname]['caclients'] = intval($caclients); + /* ciphers */ $ovpnkeys[$caname]['ca.key'] = file_get_contents("$ovpncapath/$caname/ca.key"); $ovpnkeys[$caname]['ca.crt'] = file_get_contents("$ovpncapath/$caname/ca.crt"); $ovpnkeys[$caname]['shared.key'] = file_get_contents("$ovpncapath/$caname/shared.key"); $ovpnkeys[$caname]['server.key'] = file_get_contents("$ovpncapath/$caname/server.key"); $ovpnkeys[$caname]['server.crt'] = file_get_contents("$ovpncapath/$caname/server.crt"); $ovpnkeys[$caname]['dh_params.dh'] = file_get_contents("$ovpncapath/$caname/dh_params.dh"); + /* save it */ write_config(); + /* XXX: Lets do some hacking now! This implies we are not on embedded platform!!! */ + $pkg_config = parse_xml_config_pkg("/usr/local/pkg/openvpn.xml", "packagegui"); + $options =& $pkg_config['fields']['field'][11]['options']['option']; + if (!is_array($options)) + $options = array(); + $opt = array(); + $opt['name'] = $caname; + $opt['value'] = $caname; + $options[] = $opt; + + conf_mount_rw(); + + $xmlcf = dump_xml_config_pkg($pkg_config, "packagegui"); + /* write new configuration */ + $fd = fopen("/usr/local/pkg/openvpn.xml", "w"); + if (!$fd) + die("Unable to open openvpn.xml for writing in write_config()\n"); + fwrite($fd, $xmlcf); + fclose($fd); + + conf_mount_ro(); } else { ?> <tr> <td width="35%" valign="top" class="vncell"><B>Certificate Name</td> |
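Review bot: `$options[] = $opt` appends a new `<option>` for `$caname` unconditionally, so regenerating a CA under an existing name leaves duplicate entries in the openvpn.xml select, while the delete path in vpn_openvpn_certs.php removes only the first match; scan `$options` for an entry whose `name` equals `$caname` and skip the append when one is found. The `/* ciphers */` comment sits above lines that store the CA key, certificates, shared secret and DH parameters, none of which are ciphers; `/* key material read back from easy-rsa output */` would describe the block. `$ovpnkeys[$caname]['caclients'] = intval($caclients);` is the only entry whose key is lower-case among the new `/* vars */` lines, so whichever case the reader side settles on, keep all nine consistent.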