| 1 |
cb7d18d5
|
Renato Botelho
|
#!/usr/local/bin/php-cgi -f
|
| 2 |
98963f27
|
jim-p
|
<?php
|
| 3 |
|
|
/*
|
| 4 |
|
|
openvpn.tls-verify.php
|
| 5 |
|
|
|
| 6 |
09221bc3
|
Renato Botelho
|
part of pfSense (https://www.pfsense.org)
|
| 7 |
|
|
Copyright (c) 2011-2016 Electric Sheep Fencing, LLC.
|
| 8 |
98963f27
|
jim-p
|
All rights reserved.
|
| 9 |
|
|
|
| 10 |
|
|
Redistribution and use in source and binary forms, with or without
|
| 11 |
|
|
modification, are permitted provided that the following conditions are met:
|
| 12 |
|
|
|
| 13 |
|
|
1. Redistributions of source code must retain the above copyright notice,
|
| 14 |
|
|
this list of conditions and the following disclaimer.
|
| 15 |
|
|
|
| 16 |
|
|
2. Redistributions in binary form must reproduce the above copyright
|
| 17 |
09221bc3
|
Renato Botelho
|
notice, this list of conditions and the following disclaimer in
|
| 18 |
|
|
the documentation and/or other materials provided with the
|
| 19 |
|
|
distribution.
|
| 20 |
98963f27
|
jim-p
|
|
| 21 |
09221bc3
|
Renato Botelho
|
3. All advertising materials mentioning features or use of this software
|
| 22 |
|
|
must display the following acknowledgment:
|
| 23 |
|
|
"This product includes software developed by the pfSense Project
|
| 24 |
|
|
for use in the pfSense® software distribution. (http://www.pfsense.org/).
|
| 25 |
|
|
|
| 26 |
|
|
4. The names "pfSense" and "pfSense Project" must not be used to
|
| 27 |
|
|
endorse or promote products derived from this software without
|
| 28 |
|
|
prior written permission. For written permission, please contact
|
| 29 |
|
|
coreteam@pfsense.org.
|
| 30 |
|
|
|
| 31 |
|
|
5. Products derived from this software may not be called "pfSense"
|
| 32 |
|
|
nor may "pfSense" appear in their names without prior written
|
| 33 |
|
|
permission of the Electric Sheep Fencing, LLC.
|
| 34 |
|
|
|
| 35 |
|
|
6. Redistributions of any form whatsoever must retain the following
|
| 36 |
|
|
acknowledgment:
|
| 37 |
|
|
|
| 38 |
|
|
"This product includes software developed by the pfSense Project
|
| 39 |
|
|
for use in the pfSense software distribution (http://www.pfsense.org/).
|
| 40 |
|
|
|
| 41 |
|
|
THIS SOFTWARE IS PROVIDED BY THE pfSense PROJECT ``AS IS'' AND ANY
|
| 42 |
|
|
EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
| 43 |
|
|
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
| 44 |
|
|
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE pfSense PROJECT OR
|
| 45 |
|
|
ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
| 46 |
|
|
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
| 47 |
|
|
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
| 48 |
|
|
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
| 49 |
|
|
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
| 50 |
|
|
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
| 51 |
|
|
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
| 52 |
|
|
OF THE POSSIBILITY OF SUCH DAMAGE.
|
| 53 |
98963f27
|
jim-p
|
*/
|
| 54 |
09221bc3
|
Renato Botelho
|
|
| 55 |
98963f27
|
jim-p
|
/*
|
| 56 |
|
|
* OpenVPN calls this script to validate a certificate
|
| 57 |
|
|
* This script is called ONCE per DEPTH of the certificate chain
|
| 58 |
|
|
* Normal operation would have two runs - one for the server certificate
|
| 59 |
|
|
* and one for the client certificate. Beyond that, you're dealing with
|
| 60 |
|
|
* intermediates.
|
| 61 |
|
|
*/
|
| 62 |
|
|
|
| 63 |
|
|
require_once("globals.inc");
|
| 64 |
|
|
require_once("config.inc");
|
| 65 |
|
|
require_once("interfaces.inc");
|
| 66 |
|
|
|
| 67 |
|
|
openlog("openvpn", LOG_ODELAY, LOG_AUTH);
|
| 68 |
|
|
|
| 69 |
|
|
/* read data from command line */
|
| 70 |
ed56ce5a
|
Ermal LUÇI
|
if (isset($_GET['certdepth'])) {
|
| 71 |
b95b40a1
|
Ermal
|
$cert_depth = $_GET['certdepth'];
|
| 72 |
|
|
$cert_subject = urldecode($_GET['certsubject']);
|
| 73 |
|
|
$allowed_depth = $_GET['depth'];
|
| 74 |
|
|
$server_cn = $_GET['servercn'];
|
| 75 |
|
|
} else {
|
| 76 |
|
|
$cert_depth = intval($argv[1]);
|
| 77 |
|
|
$cert_subject = $argv[2];
|
| 78 |
|
|
}
|
| 79 |
98963f27
|
jim-p
|
|
| 80 |
|
|
/* Reserved for future use in case we decide to verify CNs and such as well
|
| 81 |
|
|
$subj = explode("/", $cert_subject);
|
| 82 |
|
|
foreach ($subj at $s) {
|
| 83 |
|
|
list($n, $v) = explode("=", $s);
|
| 84 |
b37a2e8c
|
Phil Davis
|
if ($n == "CN") {
|
| 85 |
98963f27
|
jim-p
|
$common_name = $v;
|
| 86 |
b37a2e8c
|
Phil Davis
|
}
|
| 87 |
98963f27
|
jim-p
|
}
|
| 88 |
|
|
*/
|
| 89 |
|
|
|
| 90 |
|
|
/* Replaced by sed with proper variables used below ( $server_cn and $allowed_depth ). */
|
| 91 |
|
|
//<template>
|
| 92 |
|
|
|
| 93 |
|
|
if (isset($allowed_depth) && ($cert_depth > $allowed_depth)) {
|
| 94 |
|
|
syslog(LOG_WARNING, "Certificate depth {$cert_depth} exceeded max allowed depth of {$allowed_depth}.\n");
|
| 95 |
ed56ce5a
|
Ermal LUÇI
|
if (isset($_GET['certdepth'])) {
|
| 96 |
b95b40a1
|
Ermal
|
echo "FAILED";
|
| 97 |
|
|
closelog();
|
| 98 |
|
|
return;
|
| 99 |
|
|
} else {
|
| 100 |
|
|
closelog();
|
| 101 |
|
|
exit(1);
|
| 102 |
|
|
}
|
| 103 |
98963f27
|
jim-p
|
}
|
| 104 |
|
|
|
| 105 |
|
|
// Debug
|
| 106 |
aa291f19
|
jim-p
|
//syslog(LOG_WARNING, "Found certificate {$argv[2]} with depth {$cert_depth}\n");
|
| 107 |
98963f27
|
jim-p
|
|
| 108 |
b95b40a1
|
Ermal
|
closelog();
|
| 109 |
b37a2e8c
|
Phil Davis
|
if (isset($_GET['certdepth'])) {
|
| 110 |
b95b40a1
|
Ermal
|
echo "OK";
|
| 111 |
b37a2e8c
|
Phil Davis
|
} else {
|
| 112 |
b95b40a1
|
Ermal
|
exit(0);
|
| 113 |
b37a2e8c
|
Phil Davis
|
}
|
| 114 |
98963f27
|
jim-p
|
|
| 115 |
|
|
?>
|