summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorsarthurdev <965089+sarthurdev@users.noreply.github.com>2021-11-03 11:24:18 +0100
committersarthurdev <965089+sarthurdev@users.noreply.github.com>2021-11-03 12:36:04 +0100
commita63aa61293249895ec37ffbf2fbcf9ea6885cd25 (patch)
tree3f6951dcb500a991b5d00a014b58f4a1a26ce853
parentbcc65559cc1d2f78e000bb733c8d87e4dcdc1326 (diff)
downloadvyos-1x-a63aa61293249895ec37ffbf2fbcf9ea6885cd25.tar.gz
vyos-1x-a63aa61293249895ec37ffbf2fbcf9ea6885cd25.zip
sstp: T3931: Fixes PKI integration with SSTP
-rwxr-xr-xsrc/conf_mode/vpn_sstp.py40
1 files changed, 23 insertions, 17 deletions
diff --git a/src/conf_mode/vpn_sstp.py b/src/conf_mode/vpn_sstp.py
index 68139dc47..68980e5ab 100755
--- a/src/conf_mode/vpn_sstp.py
+++ b/src/conf_mode/vpn_sstp.py
@@ -26,6 +26,7 @@ from vyos.pki import wrap_private_key
from vyos.template import render
from vyos.util import call
from vyos.util import dict_search
+from vyos.util import write_file
from vyos import ConfigError
from vyos import airbag
airbag.enable()
@@ -34,6 +35,10 @@ cfg_dir = '/run/accel-pppd'
sstp_conf = '/run/accel-pppd/sstp.conf'
sstp_chap_secrets = '/run/accel-pppd/sstp.chap-secrets'
+cert_file_path = os.path.join(cfg_dir, 'sstp-cert.pem')
+cert_key_path = os.path.join(cfg_dir, 'sstp-cert.key')
+ca_cert_file_path = os.path.join(cfg_dir, 'sstp-ca.pem')
+
def get_config(config=None):
if config:
conf = config
@@ -72,22 +77,32 @@ def verify(sstp):
ssl = sstp['ssl']
+ # CA
if 'ca_certificate' not in ssl:
raise ConfigError('SSL CA certificate missing on SSTP config')
+ ca_name = ssl['ca_certificate']
+
+ if ca_name not in sstp['pki']['ca']:
+ raise ConfigError('Invalid CA certificate on SSTP config')
+
+ if 'certificate' not in sstp['pki']['ca'][ca_name]:
+ raise ConfigError('Missing certificate data for CA certificate on SSTP config')
+
+ # Certificate
if 'certificate' not in ssl:
raise ConfigError('SSL certificate missing on SSTP config')
cert_name = ssl['certificate']
- if ssl['ca_certificate'] not in sstp['pki']['ca']:
- raise ConfigError('Invalid CA certificate on SSTP config')
-
if cert_name not in sstp['pki']['certificate']:
raise ConfigError('Invalid certificate on SSTP config')
pki_cert = sstp['pki']['certificate'][cert_name]
+ if 'certificate' not in pki_cert:
+ raise ConfigError('Missing certificate data for certificate on SSTP config')
+
if 'private' not in pki_cert or 'key' not in pki_cert['private']:
raise ConfigError('Missing private key for certificate on SSTP config')
@@ -98,27 +113,18 @@ def generate(sstp):
if not sstp:
return None
- cert_file_path = os.path.join(cfg_dir, 'sstp-cert.pem')
- cert_key_path = os.path.join(cfg_dir, 'sstp-cert.key')
- ca_cert_file_path = os.path.join(cfg_dir, 'sstp-ca.pem')
+ # accel-cmd reload doesn't work so any change results in a restart of the daemon
+ render(sstp_conf, 'accel-ppp/sstp.config.tmpl', sstp)
cert_name = sstp['ssl']['certificate']
pki_cert = sstp['pki']['certificate'][cert_name]
- with open(cert_file_path, 'w') as f:
- f.write(wrap_certificate(pki_cert['certificate']))
-
- with open(cert_key_path, 'w') as f:
- f.write(wrap_private_key(pki_cert['private']['key']))
-
ca_cert_name = sstp['ssl']['ca_certificate']
pki_ca = sstp['pki']['ca'][ca_cert_name]
- with open(ca_cert_file_path, 'w') as f:
- f.write(wrap_certificate(pki_ca['certificate']))
-
- # accel-cmd reload doesn't work so any change results in a restart of the daemon
- render(sstp_conf, 'accel-ppp/sstp.config.tmpl', sstp)
+ write_file(cert_file_path, wrap_certificate(pki_cert['certificate']))
+ write_file(cert_key_path, wrap_private_key(pki_cert['private']['key']))
+ write_file(ca_cert_file_path, wrap_certificate(pki_ca['certificate']))
if dict_search('authentication.mode', sstp) == 'local':
render(sstp_chap_secrets, 'accel-ppp/chap-secrets.config_dict.tmpl',