From 728003c8934207a87e7c32a0aa2caecccf3ff8c1 Mon Sep 17 00:00:00 2001
From: jim-p
Date: Wed, 11 May 2011 16:10:08 -0400
Subject: Various CRL fixes, handle empty internal CRLs better.

---
 etc/inc/certs.inc | 13 ++++++++-----
 etc/inc/openvpn.inc | 1 +
 usr/local/www/system_crlmanager.php | 1 +
 3 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc
index c6cd787..e62719c 100644
--- a/etc/inc/certs.inc
+++ b/etc/inc/certs.inc
@@ -479,7 +479,7 @@ function crl_update(& $crl) {
 if (!$ca)
 return false;
 // If we have text but no certs, it was imported and cannot be updated.
-if (!empty($crl['text']) && empty($crl['cert']))
+if (($crl["method"] != "internal") && (!empty($crl['text']) && empty($crl['cert'])))
 return false;
 $crl['serial']++;
 $ca_str_crt = base64_decode($ca['crt']);
@@ -514,9 +514,12 @@ function cert_unrevoke($cert, & $crl) {
 foreach ($crl['cert'] as $id => $rcert) {
 if (($rcert['refid'] == $cert['refid']) || ($rcert['descr'] == $cert['descr'])) {
 unset($crl['cert'][$id]);
-if (count($crl['cert']) == 0)
-unset($crl['text']);
-else
+if (count($crl['cert']) == 0) {
+// Protect against accidentally switching the type to imported, for older CRLs
+if (!isset($crl['method']))
+$crl['method'] = "internal";
+crl_update($crl);
+} else
 crl_update($crl);
 return true;
 }
@@ -567,7 +570,7 @@ function crl_in_use($crlref) {
 }
 
 function is_crl_internal($crl) {
-return !(!empty($crl['text']) && empty($crl['cert']));
+return (!(!empty($crl['text']) && empty($crl['cert'])) || ($crl["method"] == "internal"));
 }
 
 ?>
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
index 4115784..7f82975 100644
--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
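Review bot: The new guard reads `$crl["method"]` directly, so CRL entries saved before this commit (which have no `method` key, as the isset() default added in cert_unrevoke() acknowledges) raise an undefined-index notice on every crl_update() call; the same bare access appears in the is_crl_internal() hunk further down. The added condition is exactly the negation of what is_crl_internal() now returns, so the guard could be written `if (!is_crl_internal($crl)) return false;` and the missing-key case handled once, inside is_crl_internal(), as `(isset($crl['method']) && $crl['method'] == "internal")`. That also removes the risk of the two predicates drifting apart the next time the "internal" rule changes. The body of crl_update() continues past the end of the hunk.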
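Review bot: The return value of crl_update() is discarded on both branches of the new if/else, so when it returns false (its CA lookup fails, or its guard still treats the CRL as imported) `$crl['text']` keeps the previously generated CRL that still lists the certificate just removed from `$crl['cert']`, while cert_unrevoke() reports success. The two branches differ only in the `method` default, so the duplication can be hoisted: `if (count($crl['cert']) == 0 && !isset($crl['method'])) $crl['method'] = "internal";` followed by one `crl_update($crl);` whose result is checked or returned rather than dropped. Whether callers read the boolean as "certificate was found" or "CRL was regenerated" is not visible here, so propagate the failure in whichever way that contract allows. cert_unrevoke() starts before the hunk.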
@@ -953,6 +953,7 @@ function openvpn_refresh_crls() {
 case 'server_user':
 if (!empty($settings['crlref'])) {
 $crl = lookup_crl($settings['crlref']);
+crl_update($crl);
 $fpath = $g['varetc_path']."/openvpn/server{$settings['vpnid']}.crl-verify";
 file_put_contents($fpath, base64_decode($crl['text']));
 @chmod($fpath, 0644);
diff --git a/usr/local/www/system_crlmanager.php b/usr/local/www/system_crlmanager.php
index 67e4b2f..72e795b 100644
--- a/usr/local/www/system_crlmanager.php
+++ b/usr/local/www/system_crlmanager.php
@@ -223,6 +223,7 @@ if ($_POST) {
 $crl['descr'] = $pconfig['descr'];
 $crl['caref'] = $pconfig['caref'];
+$crl['method'] = $pconfig['method'];
 if ($pconfig['method'] == "existing") {
 $crl['text'] = base64_encode($pconfig['crltext']);
-- cgit v1.1
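Review bot: The result of the added `crl_update($crl);` is ignored and the file_put_contents() on the following lines runs regardless, so when regeneration fails (crl_update() returns false when its CA lookup fails or when the CRL counts as imported) whatever `$crl['text']` currently holds is written as the crl-verify file, an empty file if `text` was never populated. The write should at least be conditioned on a non-empty `text`, with the failure reported rather than silently producing an empty or stale CRL; whether OpenVPN accepts an empty crl-verify file cannot be determined from this hunk. crl_update() also mutates its by-reference argument (serial increment, regenerated text), and whether lookup_crl() returns a reference into the config and whether this refresh path writes the config back is outside the hunk, so the serial either does not persist or changes the config on every refresh, which is worth confirming. openvpn_refresh_crls() starts before and continues after the hunk.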