freeradius2 - Include certificate revocation list (CRL) to EAP conf

2 files changed, 36 insertions, 5 deletions

diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc
index 38093780..84bc9f71 100644
--- a/config/freeradius2/freeradius.inc
+++ b/config/freeradius2/freeradius.inc
@@ -5,6 +5,7 @@
 	freeradius.inc
 	part of pfSense (http://www.pfSense.com)
 	Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de>
+	Copyright (C) 2013 Marcello Coutinho (revocation list code)
 	All rights reserved.
 
 	Based on m0n0wall (http://m0n0.ch/wall)
@@ -948,12 +949,18 @@ if ($eapconf['vareapconfchoosecertmanager'] == 'on') {
 
 
 			if(base64_decode($ca_cert['crt'])) {
+				$crl_cert = lookup_crl($eapconf["ssl_ca_crl"]);
+				if ($crl_cert != false){
+					$crl=base64_decode($crl_cert['txt']);
+					$check_crl="check_crl = yes";
+				}
+				else{
+					$check_crl="check_crl = no";
+				}
 				file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/ca_cert.pem", 
-					base64_decode($ca_cert['crt']));
+					base64_decode($ca_cert['crt']). $crl);
 				$conf['ssl_ca_cert'] = FREERADIUS_BASE . "/etc/raddb/certs/ca_cert.pem";
 			}
-
-
 			$svr_cert = lookup_cert($eapconf["ssl_server_cert"]);
 			if ($svr_cert != false) {
 				if(base64_decode($svr_cert['prv'])) {
@@ -1055,7 +1062,7 @@ else {
 			random_file = \${certdir}/random
 			fragment_size = $vareapconffragmentsize
 			include_length = $vareapconfincludelength
-		#	check_crl = yes
+			{$check_crl}
 			CA_path = \${cadir}
 			$vareapconfcheckcertissuer
 			$vareapconfcheckcertcn
@@ -1120,6 +1127,18 @@ function freeradius_get_ca_certs() {
 }
 
 // Gets started from freeradiuseapconf.xml
+function freeradius_get_ca_crl() {
+	global $config;
+	$crl_arr = array();
+	$crl_arr[] = array('refid' => 'none', 'descr' => 'none');
+
+	foreach ($config['crl'] as $crl) {
+		$crl_arr[] = array('refid' => $crl['refid'], 'descr' => $crl['descr']);
+	}
+	return $crl_arr;
+}
+
+// Gets started from freeradiuseapconf.xml
 function freeradius_get_server_certs() {
 	global $config;
 	$cert_arr = array();
diff --git a/config/freeradius2/freeradiuseapconf.xml b/config/freeradius2/freeradiuseapconf.xml
index ac761523..d9c39c4f 100644
--- a/config/freeradius2/freeradiuseapconf.xml
+++ b/config/freeradius2/freeradiuseapconf.xml
@@ -10,6 +10,7 @@
 	freeradiuseapconf.xml
 	part of pfSense (http://www.pfSense.com)
 	Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de>
+	Copyright (C) 2013 Marcello Coutinho (revocation list code)
 	All rights reserved.
 
 	Based on m0n0wall (http://m0n0.ch/wall)
@@ -171,7 +172,7 @@
 									<b>uncheked</b>: FreeRADIUS Cert-Manager (not recommended) (Default: unchecked)<br>
 									<b>cheked</b>: Firewall Cert-Manager (recommended)]]></description>
 			<type>checkbox</type>
-			<enablefields>ssl_ca_cert,ssl_server_cert,vareapconfenableclientp12</enablefields>
+			<enablefields>ssl_ca_cert,ssl_ca_crl,ssl_server_cert,vareapconfenableclientp12</enablefields>
 		</field>
 		<field>
 			<fielddescr>Private Key Password</fielddescr>
@@ -191,6 +192,17 @@
 			<source_value>refid</source_value>
 		</field>
 		<field>
+			<fielddescr>SSL Revocation List</fielddescr>
+			<fieldname>ssl_ca_crl</fieldname>
+			<description><![CDATA[Choose the SSL CA Certficate revocation list here which you created with the firewall's Cert Manager.<br>
+									Choose "none" if you do not use any kind of certificates or the freeradius Cert Manager. (Default: none)]]></description>
+			<type>select_source</type>
+			<source><![CDATA[freeradius_get_ca_crl()]]></source>
+			<source_name>descr</source_name>
+			<source_value>refid</source_value>
+		</field>
+
+		<field>
 			<fielddescr>SSL Server Certificate</fielddescr>
 			<fieldname>ssl_server_cert</fieldname>
 			<description><![CDATA[Choose the SSL Server Certficate here which you created with the firewall's Cert Manager.<br>