Revision 9aa8f6a8
Added by Jim Pingle almost 7 years ago
| src/etc/inc/certs.inc | ||
|---|---|---|
| 904 | 904 |
return $result; |
| 905 | 905 |
} |
| 906 | 906 |
|
| 907 |
function crl_create(& $crl, $caref, $name, $serial = 0, $lifetime = 9999) {
|
|
| 907 |
/* Detect a rollover at 2038 on some platforms (e.g. ARM) |
|
| 908 |
* See: https://redmine.pfsense.org/issues/9098 */ |
|
| 909 |
function crl_get_max_lifetime($max = 9999) {
|
|
| 910 |
if ($max <= 0) {
|
|
| 911 |
return 0; |
|
| 912 |
} |
|
| 913 |
$current_time = time(); |
|
| 914 |
while ((int)($current_time + ($max * 24 * 60 * 60)) < 0) {
|
|
| 915 |
$max--; |
|
| 916 |
} |
|
| 917 |
return $max; |
|
| 918 |
} |
|
| 919 |
|
|
| 920 |
function crl_create(& $crl, $caref, $name, $serial = 0, $lifetime = 3650) {
|
|
| 908 | 921 |
global $config; |
| 922 |
$max_lifetime = crl_get_max_lifetime(); |
|
| 909 | 923 |
$ca =& lookup_ca($caref); |
| 910 | 924 |
if (!$ca) {
|
| 911 | 925 |
return false; |
| ... | ... | |
| 913 | 927 |
$crl['descr'] = $name; |
| 914 | 928 |
$crl['caref'] = $caref; |
| 915 | 929 |
$crl['serial'] = $serial; |
| 916 |
$crl['lifetime'] = $lifetime; |
|
| 930 |
$crl['lifetime'] = ($lifetime > $max_lifetime) ? $max_lifetime : $lifetime;
|
|
| 917 | 931 |
$crl['cert'] = array(); |
| 918 | 932 |
$config['crl'][] = $crl; |
| 919 | 933 |
return $crl; |
| ... | ... | |
| 942 | 956 |
require_once('X509_CRL.php');
|
| 943 | 957 |
|
| 944 | 958 |
global $config; |
| 959 |
$max_lifetime = crl_get_max_lifetime(); |
|
| 945 | 960 |
$ca =& lookup_ca($crl['caref']); |
| 946 | 961 |
if (!$ca) {
|
| 947 | 962 |
return false; |
| ... | ... | |
| 957 | 972 |
$crlconf = array( |
| 958 | 973 |
'no' => $crl['serial'], |
| 959 | 974 |
'version' => 2, |
| 960 |
'days' => $crl['lifetime'], |
|
| 975 |
'days' => ($crl['lifetime'] > $max_lifetime) ? $max_lifetime : $crl['lifetime'],
|
|
| 961 | 976 |
'alg' => OPENSSL_ALGO_SHA1, |
| 962 | 977 |
'revoked' => array() |
| 963 | 978 |
); |
| src/usr/local/www/system_crlmanager.php | ||
|---|---|---|
| 32 | 32 |
require_once("pfsense-utils.inc");
|
| 33 | 33 |
require_once("vpn.inc");
|
| 34 | 34 |
|
| 35 |
$max_lifetime = crl_get_max_lifetime(); |
|
| 36 |
$default_lifetime = 3650; |
|
| 37 |
if ($max_lifetime < $default_lifetime) {
|
|
| 38 |
$default_lifetime = $max_lifetime; |
|
| 39 |
} |
|
| 40 |
|
|
| 35 | 41 |
global $openssl_crl_status; |
| 36 | 42 |
|
| 37 | 43 |
$crl_methods = array( |
| ... | ... | |
| 101 | 107 |
if ($act == "new") {
|
| 102 | 108 |
$pconfig['method'] = $_REQUEST['method']; |
| 103 | 109 |
$pconfig['caref'] = $_REQUEST['caref']; |
| 104 |
$pconfig['lifetime'] = "9999";
|
|
| 110 |
$pconfig['lifetime'] = $default_lifetime;
|
|
| 105 | 111 |
$pconfig['serial'] = "0"; |
| 106 | 112 |
} |
| 107 | 113 |
|
| ... | ... | |
| 210 | 216 |
if (preg_match("/[\?\>\<\&\/\\\"\']/", $pconfig['descr'])) {
|
| 211 | 217 |
array_push($input_errors, "The field 'Descriptive Name' contains invalid characters."); |
| 212 | 218 |
} |
| 219 |
if ($pconfig['lifetime'] > $max_lifetime) {
|
|
| 220 |
$input_errors[] = gettext("Lifetime is longer than the maximum allowed value. Use a shorter lifetime.");
|
|
| 221 |
} |
|
| 213 | 222 |
|
| 214 | 223 |
/* save modifications */ |
| 215 | 224 |
if (!$input_errors) {
|
| ... | ... | |
| 234 | 243 |
|
| 235 | 244 |
if ($pconfig['method'] == "internal") {
|
| 236 | 245 |
$crl['serial'] = empty($pconfig['serial']) ? 9999 : $pconfig['serial']; |
| 237 |
$crl['lifetime'] = empty($pconfig['lifetime']) ? 9999 : $pconfig['lifetime'];
|
|
| 246 |
$crl['lifetime'] = empty($pconfig['lifetime']) ? $default_lifetime : $pconfig['lifetime'];
|
|
| 238 | 247 |
$crl['cert'] = array(); |
| 239 | 248 |
} |
| 240 | 249 |
|
| ... | ... | |
| 388 | 397 |
'Lifetime (Days)', |
| 389 | 398 |
'number', |
| 390 | 399 |
$pconfig['lifetime'], |
| 391 |
['max' => '9999']
|
|
| 400 |
['max' => $max_lifetime]
|
|
| 392 | 401 |
)); |
| 393 | 402 |
|
| 394 | 403 |
$section->addInput(new Form_Input( |
Also available in: Unified diff
Prevent CRL from using too large a lifetime on ARM. Fixes #9098