Diffstat (limited to 'src/etc')
-rw-r--r-- | src/etc/inc/globals.inc | 2 | ||||
-rw-r--r-- | src/etc/inc/openvpn.inc | 39 | ||||
-rw-r--r-- | src/etc/inc/system.inc | 55 | ||||
-rw-r--r-- | src/etc/inc/unbound.inc | 85 | ||||
-rw-r--r-- | src/etc/inc/upgrade_config.inc | 19 |
5 files changed, 159 insertions, 41 deletions
diff --git a/src/etc/inc/globals.inc b/src/etc/inc/globals.inc index c4533d8..627bc1d 100644 --- a/src/etc/inc/globals.inc +++ b/src/etc/inc/globals.inc @@ -71,7 +71,7 @@ $g = array( "disablecrashreporter" => false, "crashreporterurl" => "https://crashreporter.pfsense.org/crash_reporter.php", "debug" => false, - "latest_config" => "16.5", + "latest_config" => "16.6", "minimum_ram_warning" => "101", "minimum_ram_warning_text" => "128 MB", "wan_interface_name" => "wan", diff --git a/src/etc/inc/openvpn.inc b/src/etc/inc/openvpn.inc index cce84bd..3509f1d 100644 --- a/src/etc/inc/openvpn.inc +++ b/src/etc/inc/openvpn.inc 
@@ -433,20 +433,55 @@ function openvpn_validate_curve($curve) { return array_key_exists($curve, $curves); } -function openvpn_get_digestlist() { +/* Obtain the list of digest algorithms supported by openssl and their alternate names */ +function openvpn_get_openssldigestmappings() { + $digests = array(); + $digest_out = shell_exec('/usr/bin/openssl list-message-digest-algorithms | /usr/bin/grep "=>"'); + $digest_lines = explode("\n", trim($digest_out)); + sort($digest_lines); + foreach ($digest_lines as $line) { + $words = explode(' => ', $line, 2); + $digests[$words[0]] = $words[1]; + } + return $digests; +} +/* Obtain the list of digest algorithms supported by openvpn */ +function openvpn_get_digestlist() { + /* Grab the list from OpenSSL to check for duplicates or aliases */ + $openssl_digest_mappings = openvpn_get_openssldigestmappings(); $digests = array(); $digest_out = shell_exec('/usr/local/sbin/openvpn --show-digests | /usr/bin/grep "digest size" | /usr/bin/awk \'{print $1, "(" $2 "-" $3 ")";}\''); $digest_lines = explode("\n", trim($digest_out)); sort($digest_lines); foreach ($digest_lines as $line) { $words = explode(' ', $line); - $digests[$words[0]] = "{$words[0]} {$words[1]}"; + /* Only add the entry if it is NOT also listed as being an alias/mapping by OpenSSL */ + if (!array_key_exists($words[0], $openssl_digest_mappings)) { + $digests[$words[0]] = "{$words[0]} {$words[1]}"; + } } $digests["none"] = gettext("None (No Authentication)"); return $digests; } +/* Check to see if a digest name is an alias and if so, find the actual digest + * algorithm instead. Useful for upgrade code that has to translate aliased + * algorithms to their actual names. 
+ */ +function openvpn_remap_digest($digest) { + $openssl_digest_mappings = openvpn_get_openssldigestmappings(); + if (array_key_exists($digest, $openssl_digest_mappings)) { + /* Some mappings point to other mappings, keep going until we find the actual digest algorithm */ + if (array_key_exists($openssl_digest_mappings[$digest], $openssl_digest_mappings)) { + return openvpn_remap_digest($openssl_digest_mappings[$digest]); + } else { + return $openssl_digest_mappings[$digest]; + } + } + return $digest; +} + function openvpn_get_engines() { $openssl_engines = array('none' => gettext('No Hardware Crypto Acceleration')); exec("/usr/bin/openssl engine -t -c", $openssl_engine_output); diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc index ed93d0f..b6b1444 100644 --- a/src/etc/inc/system.inc +++ b/src/etc/inc/system.inc @@ -298,13 +298,15 @@ function system_hosts_local_entries() { $hosts = array(); $hosts[] = array( 'ipaddr' => '127.0.0.1', - 'fqdn' => 'localhost', - 'name' => 'localhost.' . $syscfg['domain'] + 'fqdn' => 'localhost.' . $syscfg['domain'], + 'name' => 'localhost', + 'domain' => $syscfg['domain'] ); $hosts[] = array( 'ipaddr' => '::1', - 'fqdn' => 'localhost', - 'name' => 'localhost.' . $syscfg['domain'] + 'fqdn' => 'localhost.' . $syscfg['domain'], + 'name' => 'localhost', + 'domain' => $syscfg['domain'] ); if ($config['interfaces']['lan']) { @@ -323,7 +325,9 @@ function system_hosts_local_entries() { if (is_ipaddrv4($cfgip)) { $hosts[] = array( 'ipaddr' => $cfgip, - 'fqdn' => $local_fqdn + 'fqdn' => $local_fqdn, + 'name' => $syscfg['hostname'], + 'domain' => $syscfg['domain'] ); $hosts_if_found = true; } @@ -332,7 +336,9 @@ function system_hosts_local_entries() { if (is_ipaddrv6($cfgipv6)) { $hosts[] = array( 'ipaddr' => $cfgipv6, - 'fqdn' => $local_fqdn + 'fqdn' => $local_fqdn, + 'name' => $syscfg['hostname'], + 'domain' => $syscfg['domain'] ); $hosts_if_found = true; } 
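Review bot: openvpn_remap_digest() has neither a cycle guard nor an empty-input guard, so a malformed mapping table recurses without bound. If `openssl list-message-digest-algorithms | grep "=>"` prints nothing (binary missing, or a build where that subcommand syntax is not accepted), openvpn_get_openssldigestmappings() turns the single empty line into the entry `"" => null` (with an undefined-offset notice on `$words[1]`); openvpn_remap_digest(null) — which is what the upgrade code passes for a profile with no digest set — then matches that "" key via array_key_exists, and the recursive call repeats with null forever. The same recursion loops on any alias entry that points back to itself. Skip mapping lines that lack a right-hand side, and walk the alias chain iteratively with a visited set instead of recursing.
```php
function openvpn_get_openssldigestmappings() {
	$digests = array();
	$digest_out = shell_exec('/usr/bin/openssl list-message-digest-algorithms | /usr/bin/grep "=>"');
	$digest_lines = explode("\n", trim((string) $digest_out));
	sort($digest_lines);
	foreach ($digest_lines as $line) {
		$words = explode(' => ', $line, 2);
		/* Skip blank or malformed lines rather than recording "" => null */
		if (count($words) < 2 || $words[0] === '' || $words[1] === '') {
			continue;
		}
		$digests[$words[0]] = $words[1];
	}
	return $digests;
}

/* … unchanged: openvpn_get_digestlist() … */

function openvpn_remap_digest($digest) {
	if ($digest === null || $digest === '') {
		return $digest;
	}
	$openssl_digest_mappings = openvpn_get_openssldigestmappings();
	$seen = array();
	/* Follow alias chains iteratively; stop on a repeat so a bad mapping table cannot loop forever */
	while (array_key_exists($digest, $openssl_digest_mappings) && !isset($seen[$digest])) {
		$seen[$digest] = true;
		$digest = $openssl_digest_mappings[$digest];
	}
	return $digest;
}
```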
@@ -364,7 +370,9 @@ function system_hosts_override_entries($dnscfg) { $hosts[] = array( 'ipaddr' => $host['ip'], - 'fqdn' => $fqdn + 'fqdn' => $fqdn, + 'name' => $host['host'], + 'domain' => $host['domain'] ); if (!is_array($host['aliases']) || @@ -381,7 +389,9 @@ function system_hosts_override_entries($dnscfg) { $hosts[] = array( 'ipaddr' => $host['ip'], - 'fqdn' => $fqdn + 'fqdn' => $fqdn, + 'name' => $alias['host'], + 'domain' => $alias['domain'] ); } } @@ -414,17 +424,20 @@ function system_hosts_dhcpd_entries() { } $fqdn = $host['hostname'] . "."; + $domain = ""; if ($host['domain']) { - $fqdn .= $host['domain']; + $domain = $host['domain']; } elseif ($dhcpifconf['domain']) { - $fqdn .= $dhcpifconf['domain']; + $domain = $dhcpifconf['domain']; } else { - $fqdn .= $syscfg['domain']; + $domain = $syscfg['domain']; } $hosts[] = array( 'ipaddr' => $host['ipaddr'], - 'fqdn' => $fqdn + 'fqdn' => $fqdn . $domain, + 'name' => $host['hostname'], + 'domain' => $domain ); } } @@ -468,17 +481,20 @@ function system_hosts_dhcpd_entries() { } $fqdn = $host['hostname'] . "."; + $domain = ""; if ($host['domain']) { - $fqdn .= $host['domain']; - } else if ($dhcpifconf['domain']) { - $fqdn .= $dhcpifconf['domain']; + $domain = $host['domain']; + } elseif ($dhcpifconf['domain']) { + $domain = $dhcpifconf['domain']; } else { - $fqdn .= $syscfg['domain']; + $domain = $syscfg['domain']; } $hosts[] = array( 'ipaddr' => $ipaddrv6, - 'fqdn' => $fqdn + 'fqdn' => $fqdn . $domain, + 'name' => $host['hostname'], + 'domain' => $domain ); } } @@ -532,10 +548,11 @@ function system_hosts_generate() { $hosts_array = system_hosts_entries($dnsmasqcfg); foreach ($hosts_array as $host) { - $hosts .= "{$host['ipaddr']}\t{$host['fqdn']}"; + $hosts .= "{$host['ipaddr']}\t"; if (!empty($host['name'])) { - $hosts .= " {$host['name']}"; + $hosts .= "{$host['name']} "; } + $hosts .= "{$host['fqdn']}"; $hosts .= "\n"; } unset($hosts_array); 
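Review bot: The rewritten loop in system_hosts_generate() now emits the short name before the FQDN (`ip<TAB>name fqdn`), and because the earlier hunks add a `name` to the interface, override and DHCP entries that previously had none, the first name on those lines changes from the FQDN to the bare hostname; under the usual hosts(5) convention the first name is the canonical one, so anything asking for a canonical name (`hostname -f`, getaddrinfo with AI_CANONNAME) may now see the short form. For the localhost entries the output is unchanged, since the commit just swaps the two keys. If the new ordering is intended, add a comment above the loop such as `/* Short hostname first so it is the canonical name; the FQDN follows as an alias */`; otherwise keep the FQDN first and append the short name as the alias, as the removed line did.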
diff --git a/src/etc/inc/unbound.inc b/src/etc/inc/unbound.inc index e8adc89..c541c87 100644 --- a/src/etc/inc/unbound.inc +++ b/src/etc/inc/unbound.inc @@ -536,23 +536,13 @@ function unbound_add_domain_overrides($pvt_rev="", $cfgsubdir = "") { } } -function unbound_add_host_entries($cfgsubdir = "") { - global $config, $g; - - // Check if auto add host entries is not set - if (!isset($config['unbound']['disable_auto_added_host_entries'])) { - // Make sure the config setting is a valid unbound local zone type. If not use "transparent". - if (array_key_exists($config['unbound']['system_domain_local_zone_type'], unbound_local_zone_types())) { - $system_domain_local_zone_type = $config['unbound']['system_domain_local_zone_type']; - } else { - $system_domain_local_zone_type = "transparent"; - } - - $unbound_entries = "local-zone: \"{$config['system']['domain']}\" {$system_domain_local_zone_type}\n"; +function unbound_generate_zone_data($domain, $hosts, &$added_ptr, $zone_type = "transparent", $write_domiain_zone_declaration = false, $always_add_short_names = false) { + global $config; + if ($write_domiain_zone_declaration) { + $zone_data = "local-zone: \"{$domain}.\" {$zone_type}\n"; + } else { + $zone_data = ""; } - - $hosts = system_hosts_entries($config['unbound']); - $added_ptr = array(); foreach ($hosts as $host) { if (is_ipaddrv4($host['ipaddr'])) { $type = 'A'; 
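Review bot: The new parameter in the unbound_generate_zone_data() signature is misspelled, `$write_domiain_zone_declaration`; since this is a brand-new function, rename it to `$write_domain_zone_declaration` now, before callers start passing it by name. A short header comment would also help here, e.g. `/* Build local-zone/local-data/local-data-ptr lines for one domain. $hosts is the system_hosts_entries() subset for $domain; $added_ptr is shared by reference across calls so each address gets a single PTR. */`. The function body continues past the end of this hunk.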
@@ -561,12 +551,69 @@ function unbound_add_host_entries($cfgsubdir = "") { } else { continue; } - if (!$added_ptr[$host['ipaddr']]) { - $unbound_entries .= "local-data-ptr: \"{$host['ipaddr']} {$host['fqdn']}\"\n"; + $zone_data .= "local-data-ptr: \"{$host['ipaddr']} {$host['fqdn']}\"\n"; $added_ptr[$host['ipaddr']] = true; } - $unbound_entries .= "local-data: \"{$host['fqdn']} {$type} {$host['ipaddr']}\"\n"; + /* For the system localhost entry, write an entry for just the hostname. */ + if ((($host['name'] == "localhost") && ($domain == $config['system']['domain'])) || $always_add_short_names) { + $zone_data .= "local-data: \"{$host['name']}. {$type} {$host['ipaddr']}\"\n"; + } + /* Redirect zones must have a zone declaration that matches the + * local-data record exactly, it cannot have entries "under" the + * domain. + */ + if ($zone_type == "redirect") { + $zone_data .= "local-zone: \"{$host['fqdn']}.\" {$zone_type}\n";; + } + $zone_data .= "local-data: \"{$host['fqdn']}. {$type} {$host['ipaddr']}\"\n"; + } + return $zone_data; +} + +function unbound_add_host_entries($cfgsubdir = "") { + global $config, $g; + + $hosts = system_hosts_entries($config['unbound']); + + /* Pass 1: Build domain list and hosts inside domains */ + $hosts_by_domain = array(); + foreach ($hosts as $host) { + if (!array_key_exists($host['domain'], $hosts_by_domain)) { + $hosts_by_domain[$host['domain']] = array(); + } + $hosts_by_domain[$host['domain']][] = $host; + } + + $added_ptr = array(); + /* Build local zone data */ + // Check if auto add host entries is not set + $system_domain_local_zone_type = "transparent"; + if (!isset($config['unbound']['disable_auto_added_host_entries'])) { + // Make sure the config setting is a valid unbound local zone type. If not use "transparent". 
+ if (array_key_exists($config['unbound']['system_domain_local_zone_type'], unbound_local_zone_types())) { + $system_domain_local_zone_type = $config['unbound']['system_domain_local_zone_type']; + } + } + /* Add entries for the system domain before all others */ + if (array_key_exists($config['system']['domain'], $hosts_by_domain)) { + $unbound_entries .= unbound_generate_zone_data($config['system']['domain'], + $hosts_by_domain[$config['system']['domain']], + $added_ptr, + $system_domain_local_zone_type, + true); + /* Unset this so it isn't processed again by the loop below. */ + unset($hosts_by_domain[$config['system']['domain']]); + } + + /* Build zone data for other domain */ + foreach ($hosts_by_domain as $domain => $hosts) { + $unbound_entries .= unbound_generate_zone_data($domain, + $hosts, + $added_ptr, + "transparent", + false, + isset($config['unbound']['always_add_short_names'])); } // Write out entries diff --git a/src/etc/inc/upgrade_config.inc b/src/etc/inc/upgrade_config.inc index 512d7de..74082dd 100644 --- a/src/etc/inc/upgrade_config.inc +++ b/src/etc/inc/upgrade_config.inc @@ -5304,4 +5304,23 @@ function upgrade_164_to_165() { } } +/* Fixup digest algorithm selection for OpenVPN clients and servers so they do not use aliased names. */ +function upgrade_165_to_166() { + require_once('openvpn.inc'); + global $config; + + if (isset($config['openvpn']) && is_array($config['openvpn'])) { + if (is_array($config['openvpn']['openvpn-server'])) { + foreach ($config['openvpn']['openvpn-server'] as &$vpn) { + $vpn['digest'] = openvpn_remap_digest($vpn['digest']); + } + } + if (is_array($config['openvpn']['openvpn-client'])) { + foreach ($config['openvpn']['openvpn-client'] as &$vpn) { + $vpn['digest'] = openvpn_remap_digest($vpn['digest']); + } + } + } +} + ?> |
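Review bot: `$unbound_entries` is appended to with `.=` in the rebuilt unbound_add_host_entries() but is never initialised, so the first append (the system-domain block) raises an undefined-variable notice; add `$unbound_entries = "";` right after `$added_ptr = array();`. The redirect branch in unbound_generate_zone_data() also ends with a stray double semicolon, `{$zone_type}\n";;`. Note as well that when `disable_auto_added_host_entries` is set the removed code emitted no `local-zone` line at all, whereas the new code still passes `true` and writes `local-zone: "domain." transparent` with only the type pinned; if that is deliberate, a one-line comment saying the flag now only forces the transparent type would save the next reader a trip through git blame. The tail of this function (the write-out of `$unbound_entries`) is outside the hunk.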
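Review bot: upgrade_165_to_166() calls openvpn_remap_digest() with `$vpn['digest']` even when an older profile has no digest key, which passes null through the remapper and writes its return value back into the config; guard each call with `if (!empty($vpn['digest'])) { $vpn['digest'] = openvpn_remap_digest($vpn['digest']); }`. Both loops iterate by reference and neither is followed by `unset($vpn);`, which is the standard precaution against a later by-value loop silently overwriting the last element. Each call also re-runs `openssl` via shell_exec to rebuild the mapping table; harmless for a handful of profiles, but worth computing once if this helper grows.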