Diffstat (limited to 'src/etc/inc')
-rw-r--r-- | src/etc/inc/auth.inc | 25 | ||||
-rw-r--r-- | src/etc/inc/authgui.inc | 8 | ||||
-rw-r--r-- | src/etc/inc/captiveportal.inc | 87 | ||||
-rw-r--r-- | src/etc/inc/certs.inc | 106 | ||||
-rw-r--r-- | src/etc/inc/filter.inc | 9 | ||||
-rw-r--r-- | src/etc/inc/globals.inc | 2 | ||||
-rw-r--r-- | src/etc/inc/interfaces.inc | 5 | ||||
-rw-r--r-- | src/etc/inc/openvpn.inc | 39 | ||||
-rw-r--r-- | src/etc/inc/pfsense-utils.inc | 8 | ||||
-rw-r--r-- | src/etc/inc/pkg-utils.inc | 15 | ||||
-rw-r--r-- | src/etc/inc/services.inc | 9 | ||||
-rw-r--r-- | src/etc/inc/system.inc | 73 | ||||
-rw-r--r-- | src/etc/inc/unbound.inc | 85 | ||||
-rw-r--r-- | src/etc/inc/upgrade_config.inc | 19 |
14 files changed, 364 insertions, 126 deletions
diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc index 6e0824b..b573107 100644 --- a/src/etc/inc/auth.inc +++ b/src/etc/inc/auth.inc @@ -36,6 +36,31 @@ $security_passed = true; /* If this function doesn't exist, we're being called from Captive Portal or another internal subsystem which does not include authgui.inc */ +if (function_exists("display_error_form")) { + /* Extra layer of lockout protection. Check if the user is in the GUI + * lockout table before processing a request */ + + /* Fetch the contents of the lockout table. */ + exec("/sbin/pfctl -t 'webConfiguratorlockout' -T show", $entries); + + /* If the client is in the lockout table, print an error, kill states, and exit */ + if (in_array($_SERVER['REMOTE_ADDR'], array_map('trim', $entries))) { + if (!security_checks_disabled()) { + /* They may never see the error since the connection will be cut off, but try to be nice anyhow. */ + display_error_form("501", gettext("Access Denied<br/><br/>Access attempt from a temporarily locked out client address.<br /><br />Try accessing the firewall again after the lockout expires.")); + /* If they are locked out, they shouldn't have a state. Disconnect their connections. */ + $retval = pfSense_kill_states($_SERVER['REMOTE_ADDR']); + if (is_ipaddrv4($_SERVER['REMOTE_ADDR'])) { + $retval = pfSense_kill_states("0.0.0.0/0", $_SERVER['REMOTE_ADDR']); + } elseif (is_ipaddrv6($_SERVER['REMOTE_ADDR'])) { + $retval = pfSense_kill_states("::", $_SERVER['REMOTE_ADDR']); + } + exit; + } + $security_passed = false; + } +} + if (function_exists("display_error_form") && !isset($config['system']['webgui']['nodnsrebindcheck'])) { /* DNS ReBinding attack prevention. https://redmine.pfsense.org/issues/708 */ $found_host = false; diff --git a/src/etc/inc/authgui.inc b/src/etc/inc/authgui.inc index 9fd92f3..f2f85c9 100644 --- a/src/etc/inc/authgui.inc +++ b/src/etc/inc/authgui.inc 
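Review bot: The new lockout check at the top of auth.inc reads the pf table with `exec("/sbin/pfctl -t 'webConfiguratorlockout' -T show", $entries);` and never inspects pfctl's exit status, so if the command fails `$entries` stays empty and the request proceeds exactly as if the client were not locked out. Since the comment describes this as an extra layer behind the pf block itself the fail-open may be acceptable, but it should be deliberate: `exec("/sbin/pfctl -t 'webConfiguratorlockout' -T show", $entries, $rc);` and log when `$rc !== 0`. The `in_array()` membership test should pass `true` as its third argument, and the three `$retval` values returned by `pfSense_kill_states()` are never read, so either check them or drop the variable. Note also that when `security_checks_disabled()` is true the client is merely flagged via `$security_passed = false` and continues; a comment stating that this is intended would help the next reader.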
@@ -253,8 +253,8 @@ function display_login_form() { <html lang="en"> <head> <meta name="viewport" content="width=device-width, initial-scale=1"> - <link rel="stylesheet" href="vendor/bootstrap/css/bootstrap.min.css" type="text/css"> - <link rel="stylesheet" href="css/login.css" type="text/css"> + <link rel="stylesheet" href="/vendor/bootstrap/css/bootstrap.min.css" type="text/css"> + <link rel="stylesheet" href="/css/login.css" type="text/css"> <title><?=gettext("Login"); ?></title> <script type="text/javascript"> //<![CDATA{ @@ -270,7 +270,7 @@ function display_login_form() { <div class="row"> <div class="col-sm-4"> <div id="logodiv" style="text-align:center" class="nowarning"> - <img src="pfsense-trans.png" height="100%"/> + <img src="/pfsense-trans.png" height="100%"/> </div> </div> @@ -304,7 +304,7 @@ function display_login_form() { <div class="loginCont center-block"> <form method="post" <?=$loginautocomplete?> class="login"> <p class="form-title">Sign In</p> - <input name="usernamefld" id="usernamefld" type="text" placeholder="Username" /> + <input name="usernamefld" id="usernamefld" type="text" placeholder="Username" autocorrect="off" autocapitalize="none"/> <input name="passwordfld" id="passwordfld" type="password" placeholder="Password" /> <input type="submit" name="login" value="Sign In" class="btn btn-success btn-sm" /> </form> diff --git a/src/etc/inc/captiveportal.inc b/src/etc/inc/captiveportal.inc index 22138fe..1f232d7 100644 --- a/src/etc/inc/captiveportal.inc +++ b/src/etc/inc/captiveportal.inc 
@@ -630,9 +630,9 @@ function captiveportal_init_rules($reinit = false) { $cprules .= "table {$cpzone}_auth_up create type addr valtype pipe\n"; $cprules .= "table {$cpzone}_auth_down create type addr valtype pipe\n"; $cprules .= captiveportal_create_ipfw_rule("add", $rulenum, - "pipe tablearg ip from table({$cpzone}_auth_up) to any in"); + "pipe tablearg ip from table({$cpzone}_auth_up) to any layer2 in"); $cprules .= captiveportal_create_ipfw_rule("add", $rulenum, - "pipe tablearg ip from any to table({$cpzone}_auth_down) out"); + "pipe tablearg ip from any to table({$cpzone}_auth_down) layer2 out"); if (!empty($config['captiveportal'][$cpzone]['listenporthttp'])) { $listenporthttp = $config['captiveportal'][$cpzone]['listenporthttp']; @@ -663,7 +663,6 @@ function captiveportal_init_rules($reinit = false) { "skipto 65534 all from any to any"); /* generate passthru mac database */ - file_put_contents("/tmp/debug_antes", $cprules); $cprules .= captiveportal_passthrumac_configure(true); $cprules .= "\n"; @@ -801,7 +800,7 @@ function captiveportal_prune_old() { $uidletimeout = (is_numeric($cpentry[8])) ? $cpentry[8] : $idletimeout; /* if an idle timeout is specified, get last activity timestamp from ipfw */ if (!$timedout && $uidletimeout > 0) { - $lastact = captiveportal_get_last_activity($cpentry[2], $cpentry[3]); + $lastact = captiveportal_get_last_activity($cpentry[2]); /* If the user has logged on but not sent any traffic they will never be logged out. * We "fix" this by setting lastact to the login timestamp. */ 
@@ -861,10 +860,8 @@ function captiveportal_prune_old() { false, // Not an interim request $rastop_time); // Stop Time $clientsn = (is_ipaddrv6($cpentry[2])) ? 128 : 32; - /* XXX: Fix - $_gb = @pfSense_ipfw_table($cpzoneid, IP_FW_TABLE_XZEROENTRY, {$cpzone}_auth_up, $cpentry[2], $clientsn, $cpentry[3]); - $_gb = @pfSense_ipfw_table($cpzoneid, IP_FW_TABLE_XZEROENTRY, {$cpzone}_auth_down, $cpentry[2], $clientsn, $cpentry[3]); - */ + pfSense_ipfw_table_zerocnt("{$cpzone}_auth_up", "{$cpentry[2]}/{$clientsn}"); + pfSense_ipfw_table_zerocnt("{$cpzone}_auth_down", "{$cpentry[2]}/{$clientsn}"); if ($cpcfg['reauthenticateacct'] == "stopstartfreeradius") { /* Need to pause here or the FreeRADIUS server gets confused about packet ordering. */ sleep(1); @@ -1020,7 +1017,11 @@ function captiveportal_disconnect($dbent, $radiusservers, $term_cause = 1, $stop } if (is_ipaddr($dbent[2])) { - /* Delete client's ip entry from tables auth_up and auth_down. */ + /* + * Delete client's ip entry from tables auth_up and auth_down. + * + * It's not necessary to explicit specify mac address here + */ $clientsn = (is_ipaddrv6($dbent[2])) ? 128 : 32; pfSense_ipfw_table("{$cpzone}_auth_up", IP_FW_TABLE_XDEL, "{$dbent[2]}/{$clientsn}"); pfSense_ipfw_table("{$cpzone}_auth_down", IP_FW_TABLE_XDEL, "{$dbent[2]}/{$clientsn}"); 
@@ -1382,19 +1383,21 @@ function captiveportal_allowedip_configure() { } /* get last activity timestamp given client IP address */ -function captiveportal_get_last_activity($ip, $mac = NULL, $table = 1) { - global $cpzoneid; +function captiveportal_get_last_activity($ip) { + global $cpzone; - /* XXX Fix */ - return 0; - $ipfwoutput = pfSense_ipfw_getTablestats($cpzoneid, IP_FW_TABLE_XLISTENTRY, $table, $ip, $mac); /* Reading only from one of the tables is enough of approximation. */ - if (is_array($ipfwoutput)) { - /* Workaround for #46652 */ - if ($ipfwoutput['packets'] > 0) { - return $ipfwoutput['timestamp']; - } else { - return 0; + $tables = array("{$cpzone}_allowed_up", "{$cpzone}_auth_up"); + + foreach ($tables as $table) { + $ipfw = pfSense_ipfw_table_lookup($table, $ip); + if (is_array($ipfw)) { + /* Workaround for #46652 */ + if ($ipfw['packets'] > 0) { + return $ipfw['timestamp']; + } else { + return 0; + } } } 
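Review bot: In the rewritten `captiveportal_get_last_activity()` the `return 0;` inside the `foreach` short-circuits the lookup: a client present in `{$cpzone}_allowed_up` with zero packets returns 0 without `{$cpzone}_auth_up` ever being consulted, although the loop was evidently added so that both tables are tried. If the intent is "first table that has an entry", the code matches it and deserves a comment saying so; if the intent is "first table that shows traffic", replace that `return 0;` with `continue;` and rely on the code after the loop. The end of the function is outside the hunk, so what it returns when neither table matches cannot be confirmed here.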
@@ -1871,35 +1874,42 @@ function captiveportal_get_dn_passthru_ruleno($value) { * */ -function getVolume($ip, $mac = NULL) { - global $config, $cpzone, $cpzoneid; +function getVolume($ip) { + global $config, $cpzone; - $reverse = isset($config['captiveportal'][$cpzone]['reverseacct']) ? true : false; + $reverse = isset($config['captiveportal'][$cpzone]['reverseacct']) + ? true : false; $volume = array(); // Initialize vars properly, since we don't want NULL vars - $volume['input_pkts'] = $volume['input_bytes'] = $volume['output_pkts'] = $volume['output_bytes'] = 0 ; + $volume['input_pkts'] = $volume['input_bytes'] = 0; + $volume['output_pkts'] = $volume['output_bytes'] = 0; - /* XXX Fix */ - return $volume; - $ipfw = pfSense_ipfw_getTablestats($cpzoneid, IP_FW_TABLE_XLISTENTRY, 1, $ip, $mac); - if (is_array($ipfw)) { + $tables = array("allowed", "auth"); + + foreach($tables as $table) { + $ipfw = pfSense_ipfw_table_lookup("{$cpzone}_{$table}_up", $ip); + if (!is_array($ipfw)) { + continue; + } if ($reverse) { $volume['output_pkts'] = $ipfw['packets']; $volume['output_bytes'] = $ipfw['bytes']; - } - else { + } else { $volume['input_pkts'] = $ipfw['packets']; $volume['input_bytes'] = $ipfw['bytes']; } } - $ipfw = pfSense_ipfw_getTablestats($cpzoneid, IP_FW_TABLE_XLISTENTRY, 2, $ip, $mac); - if (is_array($ipfw)) { + foreach($tables as $table) { + $ipfw = pfSense_ipfw_table_lookup("{$cpzone}_{$table}_down", + $ip); + if (!is_array($ipfw)) { + continue; + } if ($reverse) { $volume['input_pkts'] = $ipfw['packets']; $volume['input_bytes'] = $ipfw['bytes']; - } - else { + } else { $volume['output_pkts'] = $ipfw['packets']; $volume['output_bytes'] = $ipfw['bytes']; } 
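Review bot: In the rewritten `getVolume()` both loops over `$tables` assign with `=`, so when a client has an entry in both `{$cpzone}_allowed_up` and `{$cpzone}_auth_up` (or the matching `_down` tables) the `auth` counters silently overwrite the `allowed` ones instead of being accumulated. If a client can only ever appear in one of the two tables, a comment saying so would prevent the next reader from asking the same question; if not, the assignments should be `+=`, which is safe because the array is already initialised to 0. Minor style: `isset(...) ? true : false` is just `isset(...)`, and `foreach($tables` needs a space after the keyword to match the rest of the file. The end of the function lies outside the hunk.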
@@ -2283,9 +2293,12 @@ function portal_allow($clientip, $clientmac, $username, $password = null, $attri $_gb = @pfSense_ipfw_pipe("pipe {$bw_up_pipeno} config bw {$bw_up}Kbit/s queue 100 buckets 16"); $_gb = @pfSense_ipfw_pipe("pipe {$bw_down_pipeno} config bw {$bw_down}Kbit/s queue 100 buckets 16"); - $clientsn = (is_ipaddrv6($clientip)) ? 128 : 32; - $_gb = @pfSense_ipfw_table("{$cpzone}_auth_up", IP_FW_TABLE_XADD, "{$clientip}/{$clientsn}", $bw_up_pipeno); - $_gb = @pfSense_ipfw_table("{$cpzone}_auth_down", IP_FW_TABLE_XADD, "{$clientip}/{$clientsn}", $bw_down_pipeno); + $rule_entry = "{$clientip}/" . (is_ipaddrv6($clientip) ? "128" : "32"); + if (!isset($config['captiveportal'][$cpzone]['nomacfilter'])) { + $rule_entry .= ",{$clientmac}"; + } + $_gb = @pfSense_ipfw_table("{$cpzone}_auth_up", IP_FW_TABLE_XADD, "{$rule_entry}", $bw_up_pipeno); + $_gb = @pfSense_ipfw_table("{$cpzone}_auth_down", IP_FW_TABLE_XADD, "{$rule_entry}", $bw_down_pipeno); if ($attributes['voucher']) { $attributes['session_timeout'] = $remaining_time; diff --git a/src/etc/inc/certs.inc b/src/etc/inc/certs.inc index b30a607..1ed1b6e 100644 --- a/src/etc/inc/certs.inc +++ b/src/etc/inc/certs.inc @@ -39,6 +39,15 @@ $openssl_crl_status = array( OCSP_REVOKED_STATUS_CERTIFICATEHOLD => "Certificate Hold" ); +global $cert_altname_types; +$cert_altname_types = array( + 'DNS' => gettext('FQDN or Hostname'), + 'IP' => gettext('IP address'), + 'URI' => gettext('URI'), + 'email' => gettext('email address'), +); + + function & lookup_ca($refid) { global $config; 
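Review bot: The new `$rule_entry` in `portal_allow()` appends `,{$clientmac}` whenever `nomacfilter` is unset without checking that `$clientmac` is populated, so a client for which no MAC could be determined yields an entry ending in a bare comma that the table add will most likely reject, and the `@` on `pfSense_ipfw_table()` then hides that failure. Suggest `if (!isset($config['captiveportal'][$cpzone]['nomacfilter']) && !empty($clientmac)) {`, validating with `is_macaddr()` if that helper is in scope here, and logging when the MAC is missing so the silent add failure becomes visible. The rest of `portal_allow()` is outside the hunk, so whether callers guarantee a MAC is not visible in this diff.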
@@ -323,18 +332,7 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type = "user", $ $ca_serial = ++$ca['serial']; } - switch ($type) { - case "ca": - $cert_type = "v3_ca"; - break; - case "server": - case "self-signed": - $cert_type = "server"; - break; - default: - $cert_type = "usr_cert"; - break; - } + $cert_type = cert_type_config_section($type); // in case of using Subject Alternative Names use other sections (with postfix '_san') // pass subjectAltName over environment variable 'SAN' @@ -392,10 +390,21 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type = "user", $ return true; } -function csr_generate(& $cert, $keylen, $dn, $digest_alg = "sha256") { +function csr_generate(& $cert, $keylen, $dn, $type = "user", $digest_alg = "sha256") { + + $cert_type = cert_type_config_section($type); + + // in case of using Subject Alternative Names use other sections (with postfix '_san') + // pass subjectAltName over environment variable 'SAN' + if ($dn['subjectAltName']) { + putenv("SAN={$dn['subjectAltName']}"); // subjectAltName can be set _only_ via configuration file + $cert_type .= '_san'; + unset($dn['subjectAltName']); + } $args = array( - "x509_extensions" => "v3_req", + "x509_extensions" => $cert_type, + "req_extensions" => "req_{$cert_type}", "digest_alg" => $digest_alg, "private_key_bits" => (int)$keylen, "private_key_type" => OPENSSL_KEYTYPE_RSA, 
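Review bot: `csr_generate()` gains `$type = "user"` inserted before the existing `$digest_alg` parameter, which changes the meaning of the fourth positional argument: a caller that passed a digest as `csr_generate($cert, $keylen, $dn, "sha512")` now has `"sha512"` treated as the certificate type (falling through to `usr_cert` in `cert_type_config_section()`) while the digest silently reverts to sha256. Callers are not part of this diff, so either audit them or append the new parameter after `$digest_alg` instead. Also `if ($dn['subjectAltName'])` raises an undefined-index notice when no SAN is supplied; `if (!empty($dn['subjectAltName']))` avoids that and matches the `!empty($altnames)` test used in `csr_sign()`.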
@@ -426,6 +435,41 @@ function csr_generate(& $cert, $keylen, $dn, $digest_alg = "sha256") { return true; } +function csr_sign($csr, & $ca, $duration, $type = "user", $altnames) { + global $config; + $old_err_level = error_reporting(0); + + // Gather the information required for signed cert + $ca_str_crt = base64_decode($ca['crt']); + $ca_str_key = base64_decode($ca['prv']); + $ca_res_key = openssl_pkey_get_private(array(0 => $ca_str_key, 1 => "")); + if (!$ca_res_key) { + return false; + } + if (empty($ca['serial'])) { + $ca['serial'] = 0; + } + $ca_serial = ++$ca['serial']; + + $cert_type = cert_type_config_section($type); + + if (!empty($altnames)) { + putenv("SAN={$altnames}"); // subjectAltName can be set _only_ via configuration file + $cert_type .= '_san'; + } + + $args = array( + "x509_extensions" => $cert_type, + "req_extensions" => "req_{$cert_type}" + ); + + // Sign the new cert and export it in x509 format + openssl_x509_export(openssl_csr_sign($csr, $ca_str_crt, $ca_str_key, $duration, $args, $ca_serial), $n509); + error_reporting($old_err_level); + + return $n509; +} + function csr_complete(& $cert, $str_crt) { $str_key = base64_decode($cert['prv']); cert_import($cert, $str_crt, $str_key); @@ -1011,4 +1055,38 @@ function cert_escape_x509_chars($str, $reverse = false) { } } +function cert_add_altname_type($str) { + $type = ""; + if (is_ipaddr($str)) { + $type = "IP"; + } elseif (is_hostname($str)) { + $type = "DNS"; + } elseif (is_URL($str)) { + $type = "URI"; + } elseif (filter_var($str, FILTER_VALIDATE_EMAIL)) { + $type = "email"; + } + if (!empty($type)) { + return "{$type}:" . cert_escape_x509_chars($str); + } else { + return ""; + } +} + +function cert_type_config_section($type) { + switch ($type) { + case "ca": + $cert_type = "v3_ca"; + break; + case "server": + case "self-signed": + $cert_type = "server"; + break; + default: + $cert_type = "usr_cert"; + break; + } + return $cert_type; +} + ?> 
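Review bot: `csr_sign()` sets `error_reporting(0)` on entry, but the early `return false;` taken when `openssl_pkey_get_private()` fails skips `error_reporting($old_err_level);`, leaving error reporting disabled for the rest of the request. Restore the level before that return, or narrow the suppressed region to the OpenSSL calls only. The result of `openssl_csr_sign()` is passed straight into `openssl_x509_export()` without a `false` check, so a failed signing returns an unset `$n509` rather than `false` as the earlier failure path does; and a required `$altnames` after the optional `$type = "user"` is a deprecated parameter order in PHP 8, so give it a default such as `$altnames = ""` since the body already tolerates an empty value.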
diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc index d940442..472bbb7 100644 --- a/src/etc/inc/filter.inc +++ b/src/etc/inc/filter.inc @@ -559,10 +559,7 @@ function filter_generate_scrubing() { } /* set up MSS clamping */ if (($scrubcfg['mss'] <> "") && - (is_numeric($scrubcfg['mss'])) && - ($scrubcfg['if'] != "pppoe") && - ($scrubcfg['if'] != "pptp") && - ($scrubif['if'] != "l2tp")) { + (is_numeric($scrubcfg['mss']))) { $mssclamp = "max-mss " . (intval($scrubcfg['mss'] - 40)); } else { $mssclamp = ""; @@ -2249,10 +2246,6 @@ function filter_nat_rules_generate() { $srcaddr = trim($srcaddr); $dstaddr = trim($dstaddr); - if (!$dstaddr) { - $dstaddr = $FilterIflist[$natif]['ip']; - } - $dstaddr_port = explode(" ", $dstaddr); if (empty($dstaddr_port[0]) || strtolower(trim($dstaddr_port[0])) == "port") { continue; // Skip port forward if no destination address found diff --git a/src/etc/inc/globals.inc b/src/etc/inc/globals.inc index c4533d8..627bc1d 100644 --- a/src/etc/inc/globals.inc +++ b/src/etc/inc/globals.inc @@ -71,7 +71,7 @@ $g = array( "disablecrashreporter" => false, "crashreporterurl" => "https://crashreporter.pfsense.org/crash_reporter.php", "debug" => false, - "latest_config" => "16.5", + "latest_config" => "16.6", "minimum_ram_warning" => "101", "minimum_ram_warning_text" => "128 MB", "wan_interface_name" => "wan", diff --git a/src/etc/inc/interfaces.inc b/src/etc/inc/interfaces.inc index 0787110..003738e 100644 --- a/src/etc/inc/interfaces.inc +++ b/src/etc/inc/interfaces.inc 
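Review bot: Removing the `if (!$dstaddr) { $dstaddr = $FilterIflist[$natif]['ip']; }` fallback in `filter_nat_rules_generate()` means a port forward whose destination resolves to an empty string now hits the `continue` just below and is dropped from the ruleset with no log entry, where it previously defaulted to the interface address. If an empty destination is genuinely impossible after this change that is fine, but a `log_error()` call next to that `continue` would make a silently missing forward diagnosable. In the scrub hunk, `$scrubcfg['mss'] <> ""` is a loose comparison; `$scrubcfg['mss'] !== ""` states the same intent without the `==` coercion rules.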
@@ -4407,10 +4407,11 @@ function DHCP6_Config_File_Advanced($interface, $wancfg, $wanif) { } $id_assoc_statement_prefix .= ";"; } - + + $realif = get_real_interface($wancfg['adv_dhcp6_prefix_selected_interface']); if (is_numeric($wancfg['adv_dhcp6_prefix_interface_statement_sla_id'])) { $id_assoc_statement_prefix .= "\n\tprefix-interface"; - $id_assoc_statement_prefix .= " {$wanif}"; + $id_assoc_statement_prefix .= " {$realif}"; $id_assoc_statement_prefix .= " {\n"; $id_assoc_statement_prefix .= "\t\tsla-id {$wancfg['adv_dhcp6_prefix_interface_statement_sla_id']};\n"; if (($wancfg['adv_dhcp6_prefix_interface_statement_sla_len'] >= 0) && diff --git a/src/etc/inc/openvpn.inc b/src/etc/inc/openvpn.inc index cce84bd..3509f1d 100644 --- a/src/etc/inc/openvpn.inc +++ b/src/etc/inc/openvpn.inc 
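Review bot: `$realif = get_real_interface($wancfg['adv_dhcp6_prefix_selected_interface']);` in `DHCP6_Config_File_Advanced()` is evaluated unconditionally and its result is never checked, so if the selected interface is unset or no longer exists the generated `prefix-interface` statement would carry an empty name and produce a malformed dhcp6c configuration. Suggest computing it inside the `is_numeric(...)` branch and keeping the previous behaviour as the fallback: `$realif = get_real_interface($wancfg['adv_dhcp6_prefix_selected_interface']); if (empty($realif)) { $realif = $wanif; }`. The remainder of the function is outside the hunk.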
@@ -433,20 +433,55 @@ function openvpn_validate_curve($curve) { return array_key_exists($curve, $curves); } -function openvpn_get_digestlist() { +/* Obtain the list of digest algorithms supported by openssl and their alternate names */ +function openvpn_get_openssldigestmappings() { + $digests = array(); + $digest_out = shell_exec('/usr/bin/openssl list-message-digest-algorithms | /usr/bin/grep "=>"'); + $digest_lines = explode("\n", trim($digest_out)); + sort($digest_lines); + foreach ($digest_lines as $line) { + $words = explode(' => ', $line, 2); + $digests[$words[0]] = $words[1]; + } + return $digests; +} +/* Obtain the list of digest algorithms supported by openvpn */ +function openvpn_get_digestlist() { + /* Grab the list from OpenSSL to check for duplicates or aliases */ + $openssl_digest_mappings = openvpn_get_openssldigestmappings(); $digests = array(); $digest_out = shell_exec('/usr/local/sbin/openvpn --show-digests | /usr/bin/grep "digest size" | /usr/bin/awk \'{print $1, "(" $2 "-" $3 ")";}\''); $digest_lines = explode("\n", trim($digest_out)); sort($digest_lines); foreach ($digest_lines as $line) { $words = explode(' ', $line); - $digests[$words[0]] = "{$words[0]} {$words[1]}"; + /* Only add the entry if it is NOT also listed as being an alias/mapping by OpenSSL */ + if (!array_key_exists($words[0], $openssl_digest_mappings)) { + $digests[$words[0]] = "{$words[0]} {$words[1]}"; + } } $digests["none"] = gettext("None (No Authentication)"); return $digests; } +/* Check to see if a digest name is an alias and if so, find the actual digest + * algorithm instead. Useful for upgrade code that has to translate aliased + * algorithms to their actual names. 
+ */ +function openvpn_remap_digest($digest) { + $openssl_digest_mappings = openvpn_get_openssldigestmappings(); + if (array_key_exists($digest, $openssl_digest_mappings)) { + /* Some mappings point to other mappings, keep going until we find the actual digest algorithm */ + if (array_key_exists($openssl_digest_mappings[$digest], $openssl_digest_mappings)) { + return openvpn_remap_digest($openssl_digest_mappings[$digest]); + } else { + return $openssl_digest_mappings[$digest]; + } + } + return $digest; +} + function openvpn_get_engines() { $openssl_engines = array('none' => gettext('No Hardware Crypto Acceleration')); exec("/usr/bin/openssl engine -t -c", $openssl_engine_output); diff --git a/src/etc/inc/pfsense-utils.inc b/src/etc/inc/pfsense-utils.inc index c0a083b..2be1720 100644 --- a/src/etc/inc/pfsense-utils.inc +++ b/src/etc/inc/pfsense-utils.inc @@ -1947,8 +1947,8 @@ function download_file($url, $destination, $verify_ssl = true, $connect_timeout curl_setopt($ch, CURLOPT_TIMEOUT, $timeout); curl_setopt($ch, CURLOPT_HEADER, false); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); - if (!isset($config['system']['do_not_send_host_uuid'])) { - curl_setopt($ch, CURLOPT_USERAGENT, $g['product_name'] . '/' . $g['product_version'] . ' : ' . get_single_sysctl('kern.hostuuid')); + if (!isset($config['system']['do_not_send_uniqueid'])) { + curl_setopt($ch, CURLOPT_USERAGENT, $g['product_name'] . '/' . $g['product_version'] . ':' . system_get_uniqueid()); } else { curl_setopt($ch, CURLOPT_USERAGENT, $g['product_name'] . '/' . $g['product_version']); } 
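Review bot: `openvpn_remap_digest()` recurses through `$openssl_digest_mappings` with no termination guard other than a key being absent, so a mapping that loops back on itself would recurse until the stack is exhausted; a visited set or a small depth bound makes that impossible regardless of what openssl prints. Each call, and each recursion step, also re-runs the `openssl list-message-digest-algorithms` pipeline through `openvpn_get_openssldigestmappings()`, which the upgrade code later in this diff invokes once per configured VPN instance, so caching the parsed table in a `static` local would cut that to a single process spawn. In `openvpn_get_openssldigestmappings()`, `$words[1]` is undefined for any output line that lacks ` => `, and `shell_exec()` returning `null` is not handled; guarding with `if (count($words) === 2)` covers both.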
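Review bot: The User-Agent construction `$g['product_name'] . '/' . $g['product_version'] . ':' . system_get_uniqueid()` guarded by `do_not_send_uniqueid` is now written out three times, in `download_file()` here, `download_file_with_progress_bar()` in the next hunk, and `pkg_env()` in pkg-utils.inc, so any future change to the format or the opt-out key must be repeated in each place. A single helper defined beside `system_get_uniqueid()` in system.inc and called from all three would keep them consistent. It is also worth confirming that the renamed key `do_not_send_uniqueid` is handled by the config upgrade path and by the GUI page that sets it, since neither appears in this diff.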
@@ -2003,8 +2003,8 @@ function download_file_with_progress_bar($url, $destination, $verify_ssl = true, curl_setopt($ch, CURLOPT_NOPROGRESS, '1'); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $connect_timeout); curl_setopt($ch, CURLOPT_TIMEOUT, $timeout); - if (!isset($config['system']['do_not_send_host_uuid'])) { - curl_setopt($ch, CURLOPT_USERAGENT, $g['product_name'] . '/' . $g['product_version'] . ' : ' . get_single_sysctl('kern.hostuuid')); + if (!isset($config['system']['do_not_send_uniqueid'])) { + curl_setopt($ch, CURLOPT_USERAGENT, $g['product_name'] . '/' . $g['product_version'] . ':' . system_get_uniqueid()); } else { curl_setopt($ch, CURLOPT_USERAGENT, $g['product_name'] . '/' . $g['product_version']); } diff --git a/src/etc/inc/pkg-utils.inc b/src/etc/inc/pkg-utils.inc index a7e51f5..e342d94 100644 --- a/src/etc/inc/pkg-utils.inc +++ b/src/etc/inc/pkg-utils.inc @@ -77,6 +77,11 @@ function pkg_update($force = false) { function pkg_env($extra_env = array()) { global $config, $g; + $user_agent = $g['product_name'] . '/' . $g['product_version']; + if (!isset($config['system']['do_not_send_uniqueid'])) { + $user_agent .= ':' . system_get_uniqueid(); + } + $pkg_env_vars = array( "LANG" => "C", "HTTP_USER_AGENT" => $user_agent, @@ -117,11 +122,6 @@ function pkg_call($params, $mute = false, $extra_env = array()) { return false; } - $user_agent = $g['product_name'] . '/' . $g['product_version']; - if (!isset($config['system']['do_not_send_host_uuid'])) { - $user_agent .= ' : ' . get_single_sysctl('kern.hostuuid'); - } - $descriptorspec = array( 1 => array("pipe", "w"), /* stdout */ 2 => array("pipe", "w") /* stderr */ 
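Review bot: `pkg_call()` and `pkg_exec()` lose their local `$user_agent` (hunks `@@ -117` and `@@ -199`), now built in `pkg_env()`; if any code later in either function body, outside these hunks, still reads `$user_agent`, it is now an undefined variable, so a grep of both bodies is worthwhile. In `pkg_env()` a short comment above the new block, such as `/* User-Agent is set here so every pkg invocation gets it via the environment */`, would explain why the string moved out of the callers.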
@@ -199,11 +199,6 @@ function pkg_exec($params, &$stdout, &$stderr, $extra_env = array()) { return -1; } - $user_agent = $g['product_name'] . '/' . $g['product_version']; - if (!isset($config['system']['do_not_send_host_uuid'])) { - $user_agent .= ' : ' . get_single_sysctl('kern.hostuuid'); - } - $descriptorspec = array( 1 => array("pipe", "w"), /* stdout */ 2 => array("pipe", "w") /* stderr */ diff --git a/src/etc/inc/services.inc b/src/etc/inc/services.inc index 104a054..b17b088 100644 --- a/src/etc/inc/services.inc +++ b/src/etc/inc/services.inc @@ -2238,10 +2238,7 @@ function services_unbound_configure($restart_dhcp = true) { if (isset($config['unbound']['enable'])) { require_once('/etc/inc/unbound.inc'); - /* Attempt to stop unbound nicely */ - do_as_unbound_user("stop"); - - /* kill Unbound if it did not stop cleanly */ + /* Stop Unbound using TERM */ if (file_exists("{$g['varrun_path']}/unbound.pid")) { sigkillbypid("{$g['varrun_path']}/unbound.pid", "TERM"); } @@ -2273,7 +2270,7 @@ function services_unbound_configure($restart_dhcp = true) { } else { /* kill Unbound since it should not be enabled */ if (file_exists("{$g['varrun_path']}/unbound.pid")) { - sigkillbypid("{$g['varrun_path']}/unbound.pid", "TERM"); + sigkillbypid("{$g['varrun_path']}/unbound.pid", "KILL"); } } @@ -2885,7 +2882,7 @@ function install_cron_job($command, $active = false, $minute = "0", $hour = "*", } } else { if ($is_installed == true) { - unset($config['cron']['item'][$x]); + array_splice($config['cron']['item'], $x, 1); $change_message = "Removed cron job for %s"; } else { $cron_changed = false; diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc index c7c6be2..b6b1444 100644 --- a/src/etc/inc/system.inc +++ b/src/etc/inc/system.inc 
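Review bot: The replacement stop sequence in `services_unbound_configure()` sends TERM through `sigkillbypid()` and continues immediately, whereas the removed `do_as_unbound_user("stop")` presumably blocked until the daemon had exited; if the code following this hunk starts a new Unbound straight away it can race the old process for the listening sockets and the pid file. A short wait loop on `{$g['varrun_path']}/unbound.pid` (using the file's pid-liveness helper if one is in scope) before proceeding would close that window. In `install_cron_job()`, switching to `array_splice($config['cron']['item'], $x, 1)` reindexes the array during what appears to be an index-driven loop; if `$x` is that loop's index and the loop does not `break` right after the removal, the element following the removed one is skipped. The enclosing loop is outside the hunk, so please verify.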
@@ -298,13 +298,15 @@ function system_hosts_local_entries() { $hosts = array(); $hosts[] = array( 'ipaddr' => '127.0.0.1', - 'fqdn' => 'localhost', - 'name' => 'localhost.' . $syscfg['domain'] + 'fqdn' => 'localhost.' . $syscfg['domain'], + 'name' => 'localhost', + 'domain' => $syscfg['domain'] ); $hosts[] = array( 'ipaddr' => '::1', - 'fqdn' => 'localhost', - 'name' => 'localhost.' . $syscfg['domain'] + 'fqdn' => 'localhost.' . $syscfg['domain'], + 'name' => 'localhost', + 'domain' => $syscfg['domain'] ); if ($config['interfaces']['lan']) { @@ -323,7 +325,9 @@ function system_hosts_local_entries() { if (is_ipaddrv4($cfgip)) { $hosts[] = array( 'ipaddr' => $cfgip, - 'fqdn' => $local_fqdn + 'fqdn' => $local_fqdn, + 'name' => $syscfg['hostname'], + 'domain' => $syscfg['domain'] ); $hosts_if_found = true; } @@ -332,7 +336,9 @@ function system_hosts_local_entries() { if (is_ipaddrv6($cfgipv6)) { $hosts[] = array( 'ipaddr' => $cfgipv6, - 'fqdn' => $local_fqdn + 'fqdn' => $local_fqdn, + 'name' => $syscfg['hostname'], + 'domain' => $syscfg['domain'] ); $hosts_if_found = true; } @@ -364,7 +370,9 @@ function system_hosts_override_entries($dnscfg) { $hosts[] = array( 'ipaddr' => $host['ip'], - 'fqdn' => $fqdn + 'fqdn' => $fqdn, + 'name' => $host['host'], + 'domain' => $host['domain'] ); if (!is_array($host['aliases']) || @@ -381,7 +389,9 @@ function system_hosts_override_entries($dnscfg) { $hosts[] = array( 'ipaddr' => $host['ip'], - 'fqdn' => $fqdn + 'fqdn' => $fqdn, + 'name' => $alias['host'], + 'domain' => $alias['domain'] ); } } 
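Review bot: `system_hosts_override_entries()` now emits a `domain` key but passes `$host['domain']` and `$alias['domain']` through unchanged, whereas the DHCP paths in the next hunk fall back to the DHCP-scope or system domain; an override or alias whose `domain` is empty would therefore yield `'domain' => ''`, which `unbound_add_host_entries()` in this diff groups under an empty-string key. If the GUI guarantees a non-empty domain for overrides this is fine and a comment saying so suffices; otherwise apply the same fallback here, e.g. `'domain' => ($host['domain'] ?: $syscfg['domain'])`, provided `$syscfg` is in scope in that function (its header is outside the hunk).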
@@ -414,17 +424,20 @@ function system_hosts_dhcpd_entries() { } $fqdn = $host['hostname'] . "."; + $domain = ""; if ($host['domain']) { - $fqdn .= $host['domain']; + $domain = $host['domain']; } elseif ($dhcpifconf['domain']) { - $fqdn .= $dhcpifconf['domain']; + $domain = $dhcpifconf['domain']; } else { - $fqdn .= $syscfg['domain']; + $domain = $syscfg['domain']; } $hosts[] = array( 'ipaddr' => $host['ipaddr'], - 'fqdn' => $fqdn + 'fqdn' => $fqdn . $domain, + 'name' => $host['hostname'], + 'domain' => $domain ); } } @@ -468,17 +481,20 @@ function system_hosts_dhcpd_entries() { } $fqdn = $host['hostname'] . "."; + $domain = ""; if ($host['domain']) { - $fqdn .= $host['domain']; - } else if ($dhcpifconf['domain']) { - $fqdn .= $dhcpifconf['domain']; + $domain = $host['domain']; + } elseif ($dhcpifconf['domain']) { + $domain = $dhcpifconf['domain']; } else { - $fqdn .= $syscfg['domain']; + $domain = $syscfg['domain']; } $hosts[] = array( 'ipaddr' => $ipaddrv6, - 'fqdn' => $fqdn + 'fqdn' => $fqdn . $domain, + 'name' => $host['hostname'], + 'domain' => $domain ); } } @@ -532,10 +548,11 @@ function system_hosts_generate() { $hosts_array = system_hosts_entries($dnsmasqcfg); foreach ($hosts_array as $host) { - $hosts .= "{$host['ipaddr']}\t{$host['fqdn']}"; + $hosts .= "{$host['ipaddr']}\t"; if (!empty($host['name'])) { - $hosts .= " {$host['name']}"; + $hosts .= "{$host['name']} "; } + $hosts .= "{$host['fqdn']}"; $hosts .= "\n"; } unset($hosts_array); 
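Review bot: Swapping the order in `system_hosts_generate()` to `ip\tname fqdn` makes the short hostname, not the FQDN, the canonical name for that address in /etc/hosts, so reverse lookups and `gethostbyaddr()`-style calls that relied on receiving the FQDN first will now return the bare name. If the change is deliberate (for example to suit the Unbound zone generation elsewhere in this diff), a one-line comment above the loop such as `/* Short name first: it must be the canonical entry for this address */` would keep it from being "fixed" back. The two `system_hosts_dhcpd_entries()` hunks duplicate the same `$domain` selection chain for IPv4 and IPv6; a small private helper taking `$host`, `$dhcpifconf` and `$syscfg` would remove that repetition.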
@@ -2345,6 +2362,24 @@ function system_get_serial() { return get_single_sysctl('kern.hostuuid'); } +function system_get_uniqueid() { + global $g; + + $uniqueid_file="{$g['vardb_path']}/uniqueid"; + + if (empty($g['uniqueid'])) { + if (!file_exists($uniqueid_file)) { + mwexec("/usr/sbin/gnid > {$g['vardb_path']}/uniqueid " . + "2>/dev/null"); + } + if (file_exists($uniqueid_file)) { + $g['uniqueid'] = @file_get_contents($uniqueid_file); + } + } + + return ($g['uniqueid'] ?: ''); +} + /* * attempt to identify the specific platform (for embedded systems) * Returns an array with two elements: diff --git a/src/etc/inc/unbound.inc b/src/etc/inc/unbound.inc index e8adc89..d9a745c 100644 --- a/src/etc/inc/unbound.inc +++ b/src/etc/inc/unbound.inc @@ -536,23 +536,13 @@ function unbound_add_domain_overrides($pvt_rev="", $cfgsubdir = "") { } } -function unbound_add_host_entries($cfgsubdir = "") { - global $config, $g; - - // Check if auto add host entries is not set - if (!isset($config['unbound']['disable_auto_added_host_entries'])) { - // Make sure the config setting is a valid unbound local zone type. If not use "transparent". - if (array_key_exists($config['unbound']['system_domain_local_zone_type'], unbound_local_zone_types())) { - $system_domain_local_zone_type = $config['unbound']['system_domain_local_zone_type']; - } else { - $system_domain_local_zone_type = "transparent"; - } - - $unbound_entries = "local-zone: \"{$config['system']['domain']}\" {$system_domain_local_zone_type}\n"; +function unbound_generate_zone_data($domain, $hosts, &$added_ptr, $zone_type = "transparent", $write_domain_zone_declaration = false, $always_add_short_names = false) { + global $config; + if ($write_domain_zone_declaration) { + $zone_data = "local-zone: \"{$domain}.\" {$zone_type}\n"; + } else { + $zone_data = ""; } - - $hosts = system_hosts_entries($config['unbound']); - $added_ptr = array(); foreach ($hosts as $host) { if (is_ipaddrv4($host['ipaddr'])) { $type = 'A'; 
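Review bot: `system_get_uniqueid()` returns the raw contents of `{$g['vardb_path']}/uniqueid`, and because that file is written by shell redirection of `/usr/sbin/gnid` it will most likely end in a newline; the value is then embedded in `CURLOPT_USERAGENT` and `HTTP_USER_AGENT` elsewhere in this diff, where an embedded line break is either rejected by libcurl or corrupts the request headers. Apply `trim()` when reading: `$g['uniqueid'] = trim(@file_get_contents($uniqueid_file));`. The `mwexec()` return value is also ignored, so a failing `gnid` leaves an empty file that satisfies `file_exists()` on every later call; checking the exit status (or `filesize()`) before caching would avoid that. Style: `$uniqueid_file="..."` needs spaces around `=` to match the rest of the file.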
@@ -561,12 +551,69 @@ function unbound_add_host_entries($cfgsubdir = "") { } else { continue; } - if (!$added_ptr[$host['ipaddr']]) { - $unbound_entries .= "local-data-ptr: \"{$host['ipaddr']} {$host['fqdn']}\"\n"; + $zone_data .= "local-data-ptr: \"{$host['ipaddr']} {$host['fqdn']}\"\n"; $added_ptr[$host['ipaddr']] = true; } - $unbound_entries .= "local-data: \"{$host['fqdn']} {$type} {$host['ipaddr']}\"\n"; + /* For the system localhost entry, write an entry for just the hostname. */ + if ((($host['name'] == "localhost") && ($domain == $config['system']['domain'])) || $always_add_short_names) { + $zone_data .= "local-data: \"{$host['name']}. {$type} {$host['ipaddr']}\"\n"; + } + /* Redirect zones must have a zone declaration that matches the + * local-data record exactly, it cannot have entries "under" the + * domain. + */ + if ($zone_type == "redirect") { + $zone_data .= "local-zone: \"{$host['fqdn']}.\" {$zone_type}\n";; + } + $zone_data .= "local-data: \"{$host['fqdn']}. {$type} {$host['ipaddr']}\"\n"; + } + return $zone_data; +} + +function unbound_add_host_entries($cfgsubdir = "") { + global $config, $g; + + $hosts = system_hosts_entries($config['unbound']); + + /* Pass 1: Build domain list and hosts inside domains */ + $hosts_by_domain = array(); + foreach ($hosts as $host) { + if (!array_key_exists($host['domain'], $hosts_by_domain)) { + $hosts_by_domain[$host['domain']] = array(); + } + $hosts_by_domain[$host['domain']][] = $host; + } + + $added_ptr = array(); + /* Build local zone data */ + // Check if auto add host entries is not set + $system_domain_local_zone_type = "transparent"; + if (!isset($config['unbound']['disable_auto_added_host_entries'])) { + // Make sure the config setting is a valid unbound local zone type. If not use "transparent". 
+ if (array_key_exists($config['unbound']['system_domain_local_zone_type'], unbound_local_zone_types())) { + $system_domain_local_zone_type = $config['unbound']['system_domain_local_zone_type']; + } + } + /* Add entries for the system domain before all others */ + if (array_key_exists($config['system']['domain'], $hosts_by_domain)) { + $unbound_entries .= unbound_generate_zone_data($config['system']['domain'], + $hosts_by_domain[$config['system']['domain']], + $added_ptr, + $system_domain_local_zone_type, + true); + /* Unset this so it isn't processed again by the loop below. */ + unset($hosts_by_domain[$config['system']['domain']]); + } + + /* Build zone data for other domain */ + foreach ($hosts_by_domain as $domain => $hosts) { + $unbound_entries .= unbound_generate_zone_data($domain, + $hosts, + $added_ptr, + "transparent", + false, + isset($config['unbound']['always_add_short_names'])); } // Write out entries diff --git a/src/etc/inc/upgrade_config.inc b/src/etc/inc/upgrade_config.inc index 512d7de..74082dd 100644 --- a/src/etc/inc/upgrade_config.inc +++ b/src/etc/inc/upgrade_config.inc @@ -5304,4 +5304,23 @@ function upgrade_164_to_165() { } } +/* Fixup digest algorithm selection for OpenVPN clients and servers so they do not use aliased names. */ +function upgrade_165_to_166() { + require_once('openvpn.inc'); + global $config; + + if (isset($config['openvpn']) && is_array($config['openvpn'])) { + if (is_array($config['openvpn']['openvpn-server'])) { + foreach ($config['openvpn']['openvpn-server'] as &$vpn) { + $vpn['digest'] = openvpn_remap_digest($vpn['digest']); + } + } + if (is_array($config['openvpn']['openvpn-client'])) { + foreach ($config['openvpn']['openvpn-client'] as &$vpn) { + $vpn['digest'] = openvpn_remap_digest($vpn['digest']); + } + } + } +} + ?> |
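Review bot: In the rewritten `unbound_add_host_entries()` the first write to `$unbound_entries` is `$unbound_entries .= unbound_generate_zone_data(...)`, but the variable is never initialised in the new code (the old version assigned it with `=` before appending), so PHP raises an undefined-variable notice on every run and the string is built from an implicit null; add `$unbound_entries = "";` beside `$added_ptr = array();`. In `unbound_generate_zone_data()` the redirect branch has a stray double semicolon: `$zone_data .= "local-zone: \"{$host['fqdn']}.\" {$zone_type}\n";;`. The rendered hunk `@@ -561` also removes the `if (!$added_ptr[$host['ipaddr']]) {` line while keeping its closing brace, which suggests a `+` line was lost in rendering; worth checking against the actual patch.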
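Review bot: Each loop in `upgrade_165_to_166()` assigns `$vpn['digest']` unconditionally, so an instance whose config has no `digest` element gets the key created with a null value when `openvpn_remap_digest()` hands the missing value straight back; depending on how the config is serialised that can turn an absent setting into an empty one. Guard the assignment: `if (!empty($vpn['digest'])) { $vpn['digest'] = openvpn_remap_digest($vpn['digest']); }`. Because `openvpn_remap_digest()` shells out to openssl on every call (see the openvpn.inc hunk), this upgrade spawns a process per VPN instance; computing the mapping once or caching it in that helper avoids that. Idiomatically each `foreach (... as &$vpn)` should be followed by `unset($vpn);` so the reference does not outlive its loop.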