/etc/inc/vpn.inc - Diff - UnivNautes - Redmine Entr’ouvert

« Précédent | Suivant »

Révision fa4e059e

Ajouté par Ermal il y a plus de 9 ans

ID fa4e059e17708cc12f258b636a7b701a99528c84
Parent e373e4cd
Enfant ac19d32a

Provide a first implementation of EAP-TLS authentication with IKEv2. It is a start and might not work on all cases

     	$cfgtext = array();
     	foreach ($ipsec_loglevels as $lkey => $ldescr) {
     		if (!isset($config['ipsec']["ipsec_{$lkey}"]) && !$forconfig)
     			mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} -- -1", false);
     			mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} -1", false);
     		else if (is_numeric($config['ipsec']["ipsec_{$lkey}"]) &&
     		    intval($config['ipsec']["ipsec_{$lkey}"]) >= 1 && intval($config['ipsec']["ipsec_{$lkey}"]) <= 5)
     			$forconfig ? $cfgtext[] = "${lkey} = " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) :
-...
     		return 0;
     	} else {
     		$certpath = "{$g['varetc_path']}/ipsec/ipsec.d/certs";
     		$capath = "{$g['varetc_path']}/ipsec/ipsec.d/cacerts";
     		$keypath = "{$g['varetc_path']}/ipsec/ipsec.d/private";
     		mwexec("/sbin/ifconfig enc0 up");
     		set_single_sysctl("net.inet.ip.ipsec_in_use", "1");
     		/* needed for config files */
-...
     			mkdir("{$g['varetc_path']}/ipsec");
     		if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d"))
     			mkdir("{$g['varetc_path']}/ipsec/ipsec.d");
     		if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/cacerts"))
     			mkdir("{$g['varetc_path']}/ipsec/ipsec.d/cacerts");
     		if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/private"))
     			mkdir("{$g['varetc_path']}/ipsec/ipsec.d/private");
     		if (!is_dir($capath))
     			mkdir($capath);
     		if (!is_dir($keypath))
     			mkdir($keypath);
     		if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/crls"))
     			mkdir("{$g['varetc_path']}/ipsec/ipsec.d/crls");
     		if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/certs"))
     			mkdir("{$g['varetc_path']}/ipsec/ipsec.d/certs");
     		if (!is_dir($certpath))
     			mkdir($certpath);
     		if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts"))
     			mkdir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts");
     		if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/acerts"))
-...
     					log_error(sprintf(gettext("Error: Invalid certificate hash info for %s"), $ca['descr']));
     					continue;
+    				}
     				$fname = "{$g['varetc_path']}/ipsec/ipsec.d/cacerts/{$x509cert['hash']}.0";
     				$fname = "{$capath}/{$x509cert['hash']}.0.crt";
     				if (!@file_put_contents($fname, $cert)) {
     					log_error(sprintf(gettext("Error: Cannot write IPsec CA file for %s"), $ca['descr']));
     					continue;
-...
     				if (isset($ph1ent['disabled']))
     					continue;
     				if (strstr($ph1ent['authentication_method'],'rsa')) {
     				if (strpos($ph1ent['authentication_method'], 'rsa') || $ph1ent['authentication_method'] == 'eap-tls') {
     					$certline = '';
     					if (strstr($authmethod,'rsa')) {
     						$ikeid = $ph1ent['ikeid'];
     						$cert = lookup_cert($ph1ent['certref']);
     						if (!$cert) {
     							log_error(sprintf(gettext("Error: Invalid phase1 certificate reference for %s"), $ph1ent['name']));
     							continue;
+    						}
     						chmod($certpath, 0600);
     						$keyfile = "cert-{$ikeid}.key";
     						$keypath = "{$g['varetc_path']}/ipsec/{$keyfile}";
     						if (!file_put_contents($keypath, base64_decode($cert['prv']))) {
     							log_error(sprintf(gettext("Error: Cannot write phase1 key file for %s"), $ph1ent['name']));
     							continue;
+    						}
     					$ikeid = $ph1ent['ikeid'];
     					$cert = lookup_cert($ph1ent['certref']);
     						chmod($keypath, 0600);
     						/* XXX" Traffic selectors? */
     						$pskconf .= " : RSA {$keypath}\n";
     					if (!$cert) {
     						log_error(sprintf(gettext("Error: Invalid phase1 certificate reference for %s"), $ph1ent['name']));
     						continue;
+    					}
     						$ca = lookup_ca($ph1ent['caref']);
     						if ($ca) {
     							$cafile = "ca-{$ikeid}.crt";
     							$capath = "{$g['varetc_path']}/ipsec/ipsec.d/cacerts/{$cafile}";
     					@chmod($certpath, 0600);
     							if (!file_put_contents($capath, base64_decode($ca['crt'])))
+    							{
     								log_error(sprintf(gettext("Error: Cannot write phase1 CA certificate file for %s"), $ph1ent['name']));
     								continue;
+    							}
     					$ph1keyfile = "{$keypath}/cert-{$ikeid}.key";
     					if (!file_put_contents($ph1keyfile, base64_decode($cert['prv']))) {
     						log_error(sprintf(gettext("Error: Cannot write phase1 key file for %s"), $ph1ent['name']));
     						continue;
+    					}
     					@chmod($ph1keyfile, 0600);
     							chmod($capath, 0600);
+    						}
     					$ph1certfile = "{$certpath}/cert-{$ikeid}.crt";
     					if (!file_put_contents($ph1certfile, base64_decode($cert['crt']))) {
     						log_error(sprintf(gettext("Error: Cannot write phase1 certificate file for %s"), $ph1ent['name']));
     						@unlink($ph1keyfile);
     						continue;
+    					}
     					@chmod($ph1certfile, 0600);
     					/* XXX" Traffic selectors? */
     					$pskconf .= " : RSA {$ph1keyfile}\n";
     				} else {
     					list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
     					list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
-...
     				$authentication = "";
     				switch ($ph1ent['authentication_method']) {
     				case 'eap-tls':
     					$authentication = "leftauth=eap-tls\n\trightauth=eap-tls";
     					if (!empty($ph1ent['certref']))
     						$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
     					break;
     				case 'xauth_rsa_server':
     					$authentication = "leftauth = pubkey\n\trightauth = pubkey";
     					$authentication .= "\n\trightauth2 = xauth-generic";

Formats disponibles : Unified diff

Projet

Général

Profil

UnivNautes

Révision fa4e059e

Ajouté par Ermal il y a plus de 9 ans