aboutsummaryrefslogtreecommitdiffstats
path: root/config/openvpn-client-export
diff options
context:
space:
mode:
authorPiBa-NL <pba_2k3@yahoo.com>2012-11-24 19:33:06 +0100
committerPiBa-NL <pba_2k3@yahoo.com>2012-11-24 19:33:06 +0100
commit0e0679fd7a693cc4a092a4e632b473bf2bc99101 (patch)
tree98369bc4a5ff33900e136a23ba83e4b3ccce4d8d /config/openvpn-client-export
parent43eb7bc003dd6b9b2725d0c9e6fb37a243bfde29 (diff)
downloadpfsense-packages-0e0679fd7a693cc4a092a4e632b473bf2bc99101.tar.gz
pfsense-packages-0e0679fd7a693cc4a092a4e632b473bf2bc99101.tar.bz2
pfsense-packages-0e0679fd7a693cc4a092a4e632b473bf2bc99101.zip
openvpn-client-export, better checking/error reporting on unsupported/illogical OpenVPN configurations
Diffstat (limited to 'config/openvpn-client-export')
-rwxr-xr-xconfig/openvpn-client-export/openvpn-client-export.inc41
1 files changed, 28 insertions, 13 deletions
diff --git a/config/openvpn-client-export/openvpn-client-export.inc b/config/openvpn-client-export/openvpn-client-export.inc
index 1ab962da..70c9dcf9 100755
--- a/config/openvpn-client-export/openvpn-client-export.inc
+++ b/config/openvpn-client-export/openvpn-client-export.inc
@@ -116,13 +116,23 @@ function openvpn_client_export_validate_config($srvid, $usrid, $crtid) {
// lookup server certificate info
$server_cert = lookup_cert($settings['certref']);
- $server_ca = lookup_ca($server_cert['caref']);
- if (!$server_cert || !$server_ca) {
- $input_errors[] = "Could not locate certificate.";
- return false;
- }
- if (function_exists("cert_get_cn")) {
- $servercn = cert_get_cn($server_cert['crt']);
+ if (!$server_cert)
+ {
+ $input_errors[] = "Could not locate server certificate.";
+ } else {
+ $server_cert_purpose = cert_get_purpose($server_cert['crt']);
+ if ($server_cert_purpose['ca'] == 'Yes')
+ $input_errors[] = "Server sertificate is a CA certificate.";
+ if ($server_cert_purpose['server'] != 'Yes')
+ $input_errors[] = "Server sertificate does not have the purpose 'Server: Yes'";
+
+ $server_ca = lookup_ca($server_cert['caref']);
+ if (!$server_ca) {
+ $input_errors[] = "Could not locate the CA reference for the server certificate.";
+ }
+ if (function_exists("cert_get_cn")) {
+ $servercn = cert_get_cn($server_cert['crt']);
+ }
}
// lookup user info
@@ -130,7 +140,6 @@ function openvpn_client_export_validate_config($srvid, $usrid, $crtid) {
$user = $config['system']['user'][$usrid];
if (!$user) {
$input_errors[] = "Could not find user settings.";
- return false;
}
}
@@ -142,17 +151,23 @@ function openvpn_client_export_validate_config($srvid, $usrid, $crtid) {
$cert = $config['cert'][$crtid];
}
if (!$cert)
- return false;
- // If $cert is not an array, it's a certref not a cert.
- if (!is_array($cert))
- $cert = lookup_cert($cert);
+ {
+ $input_errors[] = "Could not find client certificate.";
+ } else {
+ // If $cert is not an array, it's a certref not a cert.
+ if (!is_array($cert))
+ $cert = lookup_cert($cert);
+ }
} elseif (($settings['mode'] == "server_tls") || (($settings['mode'] == "server_tls_user") && ($settings['authmode'] != "Local Database"))) {
$cert = $config['cert'][$crtid];
if (!$cert)
- return false;
+ $input_errors[] = "Could not find client certifficate.";
} else
$nokeys = true;
+ if ($input_errors)
+ return false;
+
return array($settings, $server_cert, $server_ca, $servercn, $user, $cert, $nokeys);
}