diff options
| author | jim-p <jimp@netgate.com> | 2019-02-06 14:13:26 -0500 |
|---|---|---|
| committer | jim-p <jimp@netgate.com> | 2019-05-10 16:20:21 -0400 |
| commit | 44fb8aca0db0e8c7fe03cb2e37a3cfe71872b1b3 (patch) | |
| tree | 432551f3a295c410788239a4c36ad2fc4e8a031c /src/usr/local/www | |
| parent | fdb7f0a54726542d848f87e9158f7f0f9aeb648d (diff) | |
| download | pfsense-44fb8aca0db0e8c7fe03cb2e37a3cfe71872b1b3.zip pfsense-44fb8aca0db0e8c7fe03cb2e37a3cfe71872b1b3.tar.gz | |
Add back DNS over TLS host verification code. Fixes #8602
Requires Unbound 1.9.0_1 from pfsense/freebsd-ports, which fixes a bug
in Unbound 1.9.0 which did not fully implement OpenSSL 1.0.2 host
validation support. See https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4206#c5
(cherry picked from commit 7e8bfed216304b37342a0800eb35ef7c29546f5d)
Diffstat (limited to 'src/usr/local/www')
| -rw-r--r-- | src/usr/local/www/services_unbound_domainoverride_edit.php | 13 | ||||
| -rw-r--r-- | src/usr/local/www/system.php | 40 |
2 files changed, 51 insertions, 2 deletions
diff --git a/src/usr/local/www/services_unbound_domainoverride_edit.php b/src/usr/local/www/services_unbound_domainoverride_edit.php index b5429a6..b3e6957 100644 --- a/src/usr/local/www/services_unbound_domainoverride_edit.php +++ b/src/usr/local/www/services_unbound_domainoverride_edit.php @@ -42,6 +42,7 @@ if (isset($id) && $a_domainOverrides[$id]) { $pconfig['domain'] = $a_domainOverrides[$id]['domain']; $pconfig['ip'] = $a_domainOverrides[$id]['ip']; $pconfig['descr'] = $a_domainOverrides[$id]['descr']; + $pconfig['tls_hostname'] = $a_domainOverrides[$id]['tls_hostname']; $pconfig['forward_tls_upstream'] = isset($a_domainOverrides[$id]['forward_tls_upstream']); } @@ -80,11 +81,16 @@ if ($_POST['save']) { } } + if (!empty($_POST['tls_hostname']) && !is_hostname($_POST['tls_hostname'])) { + $input_errors[] = gettext("The supplied TLS hostname is not valid."); + } + if (!$input_errors) { $doment = array(); $doment['domain'] = $_POST['domain']; $doment['ip'] = $_POST['ip']; $doment['descr'] = $_POST['descr']; + $doment['tls_hostname'] = $_POST['tls_hostname']; $doment['forward_tls_upstream'] = isset($_POST['forward_tls_upstream']); if (isset($id) && $a_domainOverrides[$id]) { @@ -137,6 +143,13 @@ $section->addInput(new Form_Checkbox( ))->setHelp('When set, queries to %1$sall DNS servers for this domain%2$s will be sent using SSL/TLS on the default port of 853.', '<b>', '</b>'); $section->addInput(new Form_Input( + 'tls_hostname', + 'TLS Hostname', + 'text', + $pconfig['tls_hostname'] +))->setHelp('An optional TLS hostname used to verify the server certificate when performing TLS Queries.'); + +$section->addInput(new Form_Input( 'descr', 'Description', 'text', diff --git a/src/usr/local/www/system.php b/src/usr/local/www/system.php index d1cab7d..5337ca8 100644 --- a/src/usr/local/www/system.php +++ b/src/usr/local/www/system.php @@ -52,6 +52,14 @@ if (!isset($config['system']['language'])) { $config['system']['language'] = $g['language']; } +$dnshost_counter = 1; + +while (isset($config["system"]["dns{$dnshost_counter}host"])) { + $pconfig_dnshost_counter = $dnshost_counter - 1; + $pconfig["dnshost{$pconfig_dnshost_counter}"] = $config["system"]["dns{$dnshost_counter}host"]; + $dnshost_counter++; +} + $dnsgw_counter = 1; while (isset($config["system"]["dns{$dnsgw_counter}gw"])) { @@ -184,11 +192,15 @@ if ($_POST) { while (isset($_POST[$dnsname])) { $dnsgwname = "dnsgw{$dnscounter}"; + $dnshostname = "dnshost{$dnscounter}"; $dnslist[] = $_POST[$dnsname]; if (($_POST[$dnsname] && !is_ipaddr($_POST[$dnsname]))) { $input_errors[] = sprintf(gettext("A valid IP address must be specified for DNS server %s."), $dnscounter+1); } else { + if (!empty($_POST[$dnshostname]) && !is_hostname($_POST[$dnshostname])) { + $input_errors[] = sprintf(gettext('The hostname provided for DNS server "%1$s" is not valid.'), $_POST[$dnsname]); + } if (($_POST[$dnsgwname] <> "") && ($_POST[$dnsgwname] <> "none")) { // A real gateway has been selected. if (is_ipaddr($_POST[$dnsname])) { @@ -350,22 +362,29 @@ if ($_POST) { while (isset($_POST[$dnsname])) { // The $_POST array key of the corresponding gateway (starts from 0) $dnsgwname = "dnsgw{$dnscounter}"; - // The numbering of DNS GW entries in the config starts from 1 + $dnshostname = "dnshost{$dnscounter}"; + // The numbering of DNS GW/host entries in the config starts from 1 $dnsgwconfigcounter = $dnscounter + 1; + $dnshostconfigcounter = $dnscounter + 1; // So this is the array key of the DNS GW entry in $config['system'] $dnsgwconfigname = "dns{$dnsgwconfigcounter}gw"; + $dnshostconfigname = "dns{$dnshostconfigcounter}host"; $olddnsgwname = $config['system'][$dnsgwconfigname]; + $olddnshostname = $config['system'][$dnshostconfigname]; if ($ignore_posted_dnsgw[$dnsgwname]) { $thisdnsgwname = "none"; } else { $thisdnsgwname = $pconfig[$dnsgwname]; } + $thisdnshostname = $pconfig[$dnshostname]; // "Blank" out the settings for this index, then we set them below using the "outdnscounter" index. $config['system'][$dnsgwconfigname] = "none"; $pconfig[$dnsgwname] = "none"; + $config['system'][$dnshostconfigname] = ""; + $pconfig[$dnshostname] = ""; $pconfig[$dnsname] = ""; if ($_POST[$dnsname]) { @@ -377,19 +396,28 @@ if ($_POST) { $outdnsname = "dns{$outdnscounter}"; // The $pconfig array key of the corresponding gateway (starts from 0) $outdnsgwname = "dnsgw{$outdnscounter}"; - // The numbering of DNS GW entries in the config starts from 1 + // The $pconfig array key of the corresponding hostname (starts from 0) + $outdnshostname = "dnshost{$outdnscounter}"; + + // The numbering of DNS GW/host entries in the config starts from 1 $outdnsgwconfigcounter = $outdnscounter + 1; + $outdnshostconfigcounter = $outdnscounter + 1; // So this is the array key of the output DNS GW entry in $config['system'] $outdnsgwconfigname = "dns{$outdnsgwconfigcounter}gw"; + $outdnshostconfigname = "dns{$outdnshostconfigcounter}host"; $pconfig[$outdnsname] = $_POST[$dnsname]; if ($_POST[$dnsgwname]) { $config['system'][$outdnsgwconfigname] = $thisdnsgwname; $pconfig[$outdnsgwname] = $thisdnsgwname; + $config['system'][$outdnshostconfigname] = $thisdnshostname; + $pconfig[$outdnshostname] = $thisdnshostname; } else { // Note: when no DNS GW name is chosen, the entry is set to "none", so actually this case never happens. unset($config['system'][$outdnsgwconfigname]); $pconfig[$outdnsgwname] = ""; + unset($config['system'][$outdnshostconfigname]); + $pconfig[$outdnshostname] = ""; } $outdnscounter++; } @@ -485,6 +513,7 @@ $dnsserver_count = count($pconfig['dnsserver']); $dnsserver_num = 0; $dnsserver_help = gettext("Address") . '<br/>' . gettext("Enter IP addresses to be used by the system for DNS resolution.") . " " . gettext("These are also used for the DHCP service, DNS Forwarder and DNS Resolver when it has DNS Query Forwarding enabled."); +$dnshost_help = gettext("Hostname") . '<br/>' . gettext("Enter the DNS Server Hostname for TLS Verification in the DNS Resolver (optional)."); $dnsgw_help = gettext("Gateway") . '<br/>'. gettext("Optionally select the gateway for each DNS server.") . " " . gettext("When using multiple WAN connections there should be at least one unique DNS server per gateway."); @@ -506,6 +535,13 @@ foreach ($pconfig['dnsserver'] as $dnsserver) { $dnsserver ))->setHelp(($is_last_dnsserver) ? $dnsserver_help:null); + $group->add(new Form_Input( + 'dnshost' . $dnsserver_num, + 'DNS Hostname', + 'text', + $pconfig['dnshost' . $dnsserver_num] + ))->setHelp(($is_last_dnsserver) ? $dnshost_help:null); + if ($multiwan) { $options = array('none' => 'none'); |
