authorMarcello Coutinho <marcellocoutinho@gmail.com>2013-04-19 17:38:17 -0300
committerMarcello Coutinho <marcellocoutinho@gmail.com>2013-04-19 17:38:17 -0300
commit3b7875ae2180e3fc7f7464b5d36300d05d1e9c49 (patch)
tree6352b4043c3ce9730d5d9d19795f6593b384f62e
parente9bac1e88c8183d85c5ceaea6dc38a6fdae01bbd (diff)
freeradius2 - Include certificate revocation list (CRL) to EAP conf
-rw-r--r--config/freeradius2/freeradius.inc27
-rw-r--r--config/freeradius2/freeradiuseapconf.xml14
2 files changed, 36 insertions, 5 deletions
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc
index 38093780..84bc9f71 100644
--- a/config/freeradius2/freeradius.inc
+++ b/config/freeradius2/freeradius.inc
@@ -5,6 +5,7 @@
freeradius.inc
part of pfSense (http://www.pfSense.com)
Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de>
+ Copyright (C) 2013 Marcello Coutinho (revocation list code)
All rights reserved.
Based on m0n0wall (http://m0n0.ch/wall)
@@ -948,12 +949,18 @@ if ($eapconf['vareapconfchoosecertmanager'] == 'on') {
if(base64_decode($ca_cert['crt'])) {
+ $crl_cert = lookup_crl($eapconf["ssl_ca_crl"]);
+ if ($crl_cert != false){
+ $crl=base64_decode($crl_cert['txt']);
+ $check_crl="check_crl = yes";
+ }
+ else{
+ $check_crl="check_crl = no";
+ }
file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/ca_cert.pem",
- base64_decode($ca_cert['crt']));
+ base64_decode($ca_cert['crt']). $crl);
$conf['ssl_ca_cert'] = FREERADIUS_BASE . "/etc/raddb/certs/ca_cert.pem";
}
-
-
$svr_cert = lookup_cert($eapconf["ssl_server_cert"]);
if ($svr_cert != false) {
if(base64_decode($svr_cert['prv'])) {
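Review bot: `$crl` is assigned only when `lookup_crl()` succeeds, yet the write `base64_decode($ca_cert['crt']). $crl` reads it on both paths, and `$check_crl` is assigned only inside this `if(base64_decode($ca_cert['crt']))` block although the template in the next hunk (`{$check_crl}` replacing `# check_crl = yes`) interpolates it unconditionally; on the other paths PHP raises an undefined-variable notice and the directive line comes out empty. Initialise both before the branch, `$crl = ''; $check_crl = "check_crl = no";`, and let the success path override them. Note that a selected CRL whose lookup fails is silently downgraded to `check_crl = no`, so an administrator who configured revocation gets none without any message; logging that case, separately from the explicit `none` choice, would make the failure visible. The loose `$crl_cert != false` also treats any empty value as a miss; `!== false` is the intended test if `lookup_crl()` returns false on failure, which this diff does not show. The enclosing block starts before the hunk (its header shows `if ($eapconf['vareapconfchoosecertmanager'] == 'on') {`).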
@@ -1055,7 +1062,7 @@ else {
random_file = \${certdir}/random
fragment_size = $vareapconffragmentsize
include_length = $vareapconfincludelength
- # check_crl = yes
+ {$check_crl}
CA_path = \${cadir}
$vareapconfcheckcertissuer
$vareapconfcheckcertcn
@@ -1120,6 +1127,18 @@ function freeradius_get_ca_certs() {
}
// Gets started from freeradiuseapconf.xml
+function freeradius_get_ca_crl() {
+ global $config;
+ $crl_arr = array();
+ $crl_arr[] = array('refid' => 'none', 'descr' => 'none');
+
+ foreach ($config['crl'] as $crl) {
+ $crl_arr[] = array('refid' => $crl['refid'], 'descr' => $crl['descr']);
+ }
+ return $crl_arr;
+}
+
+// Gets started from freeradiuseapconf.xml
function freeradius_get_server_certs() {
global $config;
$cert_arr = array();
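Review bot: `foreach ($config['crl'] as $crl)` in the new `freeradius_get_ca_crl()` iterates an unset key when no revocation list exists in the Cert Manager, so PHP emits an invalid-argument warning on the EAP settings page even though the function would correctly return only the `none` entry. Guard the loop, `if (is_array($config['crl'])) { foreach ($config['crl'] as $crl) { $crl_arr[] = array('refid' => $crl['refid'], 'descr' => $crl['descr']); } }`, or iterate `(array)$config['crl']`. The copied comment `// Gets started from freeradiuseapconf.xml` says nothing about the contract; a header such as `// Returns refid/descr pairs for every Cert Manager CRL, preceded by a 'none' entry, as the source of the ssl_ca_crl select.` would. Whether the sibling `freeradius_get_ca_certs()` carries the same guard is not visible here, and `freeradius_get_server_certs()` continues outside the hunk.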
diff --git a/config/freeradius2/freeradiuseapconf.xml b/config/freeradius2/freeradiuseapconf.xml
index ac761523..d9c39c4f 100644
--- a/config/freeradius2/freeradiuseapconf.xml
+++ b/config/freeradius2/freeradiuseapconf.xml
@@ -10,6 +10,7 @@
freeradiuseapconf.xml
part of pfSense (http://www.pfSense.com)
Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de>
+ Copyright (C) 2013 Marcello Coutinho (revocation list code)
All rights reserved.
Based on m0n0wall (http://m0n0.ch/wall)
@@ -171,7 +172,7 @@
<b>uncheked</b>: FreeRADIUS Cert-Manager (not recommended) (Default: unchecked)<br>
<b>cheked</b>: Firewall Cert-Manager (recommended)]]></description>
<type>checkbox</type>
- <enablefields>ssl_ca_cert,ssl_server_cert,vareapconfenableclientp12</enablefields>
+ <enablefields>ssl_ca_cert,ssl_ca_crl,ssl_server_cert,vareapconfenableclientp12</enablefields>
</field>
<field>
<fielddescr>Private Key Password</fielddescr>
@@ -191,6 +192,17 @@
<source_value>refid</source_value>
</field>
<field>
+ <fielddescr>SSL Revocation List</fielddescr>
+ <fieldname>ssl_ca_crl</fieldname>
+ <description><![CDATA[Choose the SSL CA Certficate revocation list here which you created with the firewall's Cert Manager.<br>
+ Choose "none" if you do not use any kind of certificates or the freeradius Cert Manager. (Default: none)]]></description>
+ <type>select_source</type>
+ <source><![CDATA[freeradius_get_ca_crl()]]></source>
+ <source_name>descr</source_name>
+ <source_value>refid</source_value>
+ </field>
+
+ <field>
<fielddescr>SSL Server Certificate</fielddescr>
<fieldname>ssl_server_cert</fieldname>
<description><![CDATA[Choose the SSL Server Certficate here which you created with the firewall's Cert Manager.<br>