From 46bc6e545a17e77202aaf01ec0cd8d5a46567525 Mon Sep 17 00:00:00 2001
From: Renato Botelho <renato@netgate.com>
Date: Tue, 25 Aug 2015 08:08:24 -0300
Subject: Move main pfSense content to src/

---
 src/etc/inc/openvpn.tls-verify.php | 97 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 97 insertions(+)
 create mode 100644 src/etc/inc/openvpn.tls-verify.php

(limited to 'src/etc/inc/openvpn.tls-verify.php')

diff --git a/src/etc/inc/openvpn.tls-verify.php b/src/etc/inc/openvpn.tls-verify.php
new file mode 100644
index 0000000..9e21342
--- /dev/null
+++ b/src/etc/inc/openvpn.tls-verify.php
@@ -0,0 +1,97 @@
+#!/usr/local/bin/php-cgi -f
+<?php
+/* $Id$ */
+/*
+	openvpn.tls-verify.php
+
+	Copyright (C) 2011 Jim Pingle
+	Copyright (C) 2013-2015 Electric Sheep Fencing, LP
+	All rights reserved.
+
+	Redistribution and use in source and binary forms, with or without
+	modification, are permitted provided that the following conditions are met:
+
+	1. Redistributions of source code must retain the above copyright notice,
+	   this list of conditions and the following disclaimer.
+
+	2. Redistributions in binary form must reproduce the above copyright
+	   notice, this list of conditions and the following disclaimer in the
+	   documentation and/or other materials provided with the distribution.
+
+	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+	POSSIBILITY OF SUCH DAMAGE.
+
+*/
+/*
+	pfSense_BUILDER_BINARIES:
+	pfSense_MODULE:	openvpn
+*/
+/*
+ * OpenVPN calls this script to validate a certificate
+ *  This script is called ONCE per DEPTH of the certificate chain
+ *  Normal operation would have two runs - one for the server certificate
+ *  and one for the client certificate. Beyond that, you're dealing with
+ *  intermediates.
+ */
+
+require_once("globals.inc");
+require_once("config.inc");
+require_once("interfaces.inc");
+
+openlog("openvpn", LOG_ODELAY, LOG_AUTH);
+
+/* read data from command line */
+if (isset($_GET['certdepth'])) {
+	$cert_depth = $_GET['certdepth'];
+	$cert_subject = urldecode($_GET['certsubject']);
+	$allowed_depth = $_GET['depth'];
+	$server_cn = $_GET['servercn'];
+} else {
+	$cert_depth = intval($argv[1]);
+	$cert_subject = $argv[2];
+}
+
+/* Reserved for future use in case we decide to verify CNs and such as well
+$subj = explode("/", $cert_subject);
+foreach ($subj at $s) {
+	list($n, $v) = explode("=", $s);
+	if ($n == "CN") {
+		$common_name = $v;
+	}
+}
+*/
+
+/* Replaced by sed with proper variables used below ( $server_cn and $allowed_depth ). */
+//<template>
+
+if (isset($allowed_depth) && ($cert_depth > $allowed_depth)) {
+	syslog(LOG_WARNING, "Certificate depth {$cert_depth} exceeded max allowed depth of {$allowed_depth}.\n");
+	if (isset($_GET['certdepth'])) {
+		echo "FAILED";
+		closelog();
+		return;
+	} else {
+		closelog();
+		exit(1);
+	}
+}
+
+// Debug
+//syslog(LOG_WARNING, "Found certificate {$argv[2]} with depth {$cert_depth}\n");
+
+closelog();
+if (isset($_GET['certdepth'])) {
+	echo "OK";
+} else {
+	exit(0);
+}
+
+?>
-- 
cgit v1.1