author | PiBa-NL <pba_2k3@yahoo.com> | 2012-11-24 19:33:06 +0100 |
committer | PiBa-NL <pba_2k3@yahoo.com> | 2012-11-24 19:33:06 +0100 |
commit | 0e0679fd7a693cc4a092a4e632b473bf2bc99101 (patch) | |
tree | 98369bc4a5ff33900e136a23ba83e4b3ccce4d8d | |
parent | 43eb7bc003dd6b9b2725d0c9e6fb37a243bfde29 (diff) | |
openvpn-client-export, better checking/error reporting on unsupported/illogical OpenVPN configurations
-rwxr-xr-x | config/openvpn-client-export/openvpn-client-export.inc | 41 |
1 files changed, 28 insertions, 13 deletions
diff --git a/config/openvpn-client-export/openvpn-client-export.inc b/config/openvpn-client-export/openvpn-client-export.inc
index 1ab962da..70c9dcf9 100755
--- a/config/openvpn-client-export/openvpn-client-export.inc
+++ b/config/openvpn-client-export/openvpn-client-export.inc
@@ -116,13 +116,23 @@ function openvpn_client_export_validate_config($srvid, $usrid, $crtid) {
 	// lookup server certificate info
 	$server_cert = lookup_cert($settings['certref']);
-	$server_ca = lookup_ca($server_cert['caref']);
-	if (!$server_cert || !$server_ca) {
-		$input_errors[] = "Could not locate certificate.";
-		return false;
-	}
-	if (function_exists("cert_get_cn")) {
-		$servercn = cert_get_cn($server_cert['crt']);
+	if (!$server_cert)
+	{
+		$input_errors[] = "Could not locate server certificate.";
+	} else {
+		$server_cert_purpose = cert_get_purpose($server_cert['crt']);
+		if ($server_cert_purpose['ca'] == 'Yes')
+			$input_errors[] = "Server sertificate is a CA certificate.";
+		if ($server_cert_purpose['server'] != 'Yes')
+			$input_errors[] = "Server sertificate does not have the purpose 'Server: Yes'";
+
+		$server_ca = lookup_ca($server_cert['caref']);
+		if (!$server_ca) {
+			$input_errors[] = "Could not locate the CA reference for the server certificate.";
+		}
+		if (function_exists("cert_get_cn")) {
+			$servercn = cert_get_cn($server_cert['crt']);
+		}
 	}
 	// lookup user info
@@ -130,7 +140,6 @@ function openvpn_client_export_validate_config($srvid, $usrid, $crtid) {
 		$user = $config['system']['user'][$usrid];
 		if (!$user) {
 			$input_errors[] = "Could not find user settings.";
-			return false;
 		}
 	}
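Review bot: The new line `$server_cert_purpose = cert_get_purpose($server_cert['crt']);` calls the helper unguarded, while the `cert_get_cn()` call a few lines below is still wrapped in `function_exists()`; on a pfSense build that does not ship `cert_get_purpose()` the export page would die with a fatal error instead of reporting an input error, and the `['ca']` / `['server']` reads that follow assume the helper returned an array. Wrap the three purpose lines the same way, `if (function_exists("cert_get_purpose")) {` … `}`, so the behaviour on older bases matches the existing guard. The two new messages also misspell "certificate" as "sertificate"; they should read `"Server certificate is a CA certificate."` and `"Server certificate does not have the purpose 'Server: Yes'"`. The enclosing function starts before this hunk and continues past it.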
@@ -142,17 +151,23 @@ function openvpn_client_export_validate_config($srvid, $usrid, $crtid) {
 			$cert = $config['cert'][$crtid];
 		}
 		if (!$cert)
-			return false;
-		// If $cert is not an array, it's a certref not a cert.
-		if (!is_array($cert))
-			$cert = lookup_cert($cert);
+		{
+			$input_errors[] = "Could not find client certificate.";
+		} else {
+			// If $cert is not an array, it's a certref not a cert.
+			if (!is_array($cert))
+				$cert = lookup_cert($cert);
+		}
 	} elseif (($settings['mode'] == "server_tls") || (($settings['mode'] == "server_tls_user") && ($settings['authmode'] != "Local Database"))) {
 		$cert = $config['cert'][$crtid];
 		if (!$cert)
-			return false;
+			$input_errors[] = "Could not find client certifficate.";
 	} else
 		$nokeys = true;
+	if ($input_errors)
+		return false;
+
 	return array($settings, $server_cert, $server_ca, $servercn, $user, $cert, $nokeys);
 }
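Review bot: In the new else branch, a certref that `lookup_cert($cert)` cannot resolve still leaves `$cert` empty (the same failure the `!$server_cert` check earlier in this function already assumes for `lookup_cert()`), yet no input error is recorded, so the final `if ($input_errors)` gate lets the export proceed with no client certificate; add `if (!$cert) $input_errors[] = "Could not find client certificate.";` directly after the lookup. The second new message in this hunk spells `certifficate` and differs from the first message for the same condition; use the one string `"Could not find client certificate."` in both places. The enclosing function starts before this hunk.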