Diffstat (limited to 'src/etc')
-rw-r--r--src/etc/inc/globals.inc2
-rw-r--r--src/etc/inc/openvpn.inc39
-rw-r--r--src/etc/inc/system.inc55
-rw-r--r--src/etc/inc/unbound.inc85
-rw-r--r--src/etc/inc/upgrade_config.inc19
5 files changed, 159 insertions, 41 deletions
diff --git a/src/etc/inc/globals.inc b/src/etc/inc/globals.inc
index c4533d8..627bc1d 100644
--- a/src/etc/inc/globals.inc
+++ b/src/etc/inc/globals.inc
@@ -71,7 +71,7 @@ $g = array(
"disablecrashreporter" => false,
"crashreporterurl" => "https://crashreporter.pfsense.org/crash_reporter.php",
"debug" => false,
- "latest_config" => "16.5",
+ "latest_config" => "16.6",
"minimum_ram_warning" => "101",
"minimum_ram_warning_text" => "128 MB",
"wan_interface_name" => "wan",
diff --git a/src/etc/inc/openvpn.inc b/src/etc/inc/openvpn.inc
index cce84bd..3509f1d 100644
--- a/src/etc/inc/openvpn.inc
+++ b/src/etc/inc/openvpn.inc
@@ -433,20 +433,55 @@ function openvpn_validate_curve($curve) {
return array_key_exists($curve, $curves);
}
-function openvpn_get_digestlist() {
+/* Obtain the list of digest algorithms supported by openssl and their alternate names */
+function openvpn_get_openssldigestmappings() {
+ $digests = array();
+ $digest_out = shell_exec('/usr/bin/openssl list-message-digest-algorithms | /usr/bin/grep "=>"');
+ $digest_lines = explode("\n", trim($digest_out));
+ sort($digest_lines);
+ foreach ($digest_lines as $line) {
+ $words = explode(' => ', $line, 2);
+ $digests[$words[0]] = $words[1];
+ }
+ return $digests;
+}
+/* Obtain the list of digest algorithms supported by openvpn */
+function openvpn_get_digestlist() {
+ /* Grab the list from OpenSSL to check for duplicates or aliases */
+ $openssl_digest_mappings = openvpn_get_openssldigestmappings();
$digests = array();
$digest_out = shell_exec('/usr/local/sbin/openvpn --show-digests | /usr/bin/grep "digest size" | /usr/bin/awk \'{print $1, "(" $2 "-" $3 ")";}\'');
$digest_lines = explode("\n", trim($digest_out));
sort($digest_lines);
foreach ($digest_lines as $line) {
$words = explode(' ', $line);
- $digests[$words[0]] = "{$words[0]} {$words[1]}";
+ /* Only add the entry if it is NOT also listed as being an alias/mapping by OpenSSL */
+ if (!array_key_exists($words[0], $openssl_digest_mappings)) {
+ $digests[$words[0]] = "{$words[0]} {$words[1]}";
+ }
}
$digests["none"] = gettext("None (No Authentication)");
return $digests;
}
+/* Check to see if a digest name is an alias and if so, find the actual digest
+ * algorithm instead. Useful for upgrade code that has to translate aliased
+ * algorithms to their actual names.
+ */
+function openvpn_remap_digest($digest) {
+ $openssl_digest_mappings = openvpn_get_openssldigestmappings();
+ if (array_key_exists($digest, $openssl_digest_mappings)) {
+ /* Some mappings point to other mappings, keep going until we find the actual digest algorithm */
+ if (array_key_exists($openssl_digest_mappings[$digest], $openssl_digest_mappings)) {
+ return openvpn_remap_digest($openssl_digest_mappings[$digest]);
+ } else {
+ return $openssl_digest_mappings[$digest];
+ }
+ }
+ return $digest;
+}
+
function openvpn_get_engines() {
$openssl_engines = array('none' => gettext('No Hardware Crypto Acceleration'));
exec("/usr/bin/openssl engine -t -c", $openssl_engine_output);
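Review bot: In openvpn_get_openssldigestmappings the loop at `$words = explode(' => ', $line, 2);` stores `$words[1]` without checking that the split produced two parts, so an empty or failed shell_exec() result (null, which trim() turns into "") yields a single "" line, an undefined-offset notice and an `'' => null` entry in the returned map. Guard it with `if (count($words) == 2) { $digests[$words[0]] = $words[1]; }`, which also appears to protect openvpn_remap_digest from recursing forever on a null digest, since array_key_exists(null, ...) matches that "" key and the recursive call would then be made with the same null value. openvpn_remap_digest also re-runs the openssl command on every recursive hop; passing the mappings array through (or caching it in a static local) avoids spawning a shell per step. openvpn_validate_curve starts outside the hunk and openvpn_get_engines ends outside it.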
diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc
index ed93d0f..b6b1444 100644
--- a/src/etc/inc/system.inc
+++ b/src/etc/inc/system.inc
@@ -298,13 +298,15 @@ function system_hosts_local_entries() {
$hosts = array();
$hosts[] = array(
'ipaddr' => '127.0.0.1',
- 'fqdn' => 'localhost',
- 'name' => 'localhost.' . $syscfg['domain']
+ 'fqdn' => 'localhost.' . $syscfg['domain'],
+ 'name' => 'localhost',
+ 'domain' => $syscfg['domain']
);
$hosts[] = array(
'ipaddr' => '::1',
- 'fqdn' => 'localhost',
- 'name' => 'localhost.' . $syscfg['domain']
+ 'fqdn' => 'localhost.' . $syscfg['domain'],
+ 'name' => 'localhost',
+ 'domain' => $syscfg['domain']
);
if ($config['interfaces']['lan']) {
@@ -323,7 +325,9 @@ function system_hosts_local_entries() {
if (is_ipaddrv4($cfgip)) {
$hosts[] = array(
'ipaddr' => $cfgip,
- 'fqdn' => $local_fqdn
+ 'fqdn' => $local_fqdn,
+ 'name' => $syscfg['hostname'],
+ 'domain' => $syscfg['domain']
);
$hosts_if_found = true;
}
@@ -332,7 +336,9 @@ function system_hosts_local_entries() {
if (is_ipaddrv6($cfgipv6)) {
$hosts[] = array(
'ipaddr' => $cfgipv6,
- 'fqdn' => $local_fqdn
+ 'fqdn' => $local_fqdn,
+ 'name' => $syscfg['hostname'],
+ 'domain' => $syscfg['domain']
);
$hosts_if_found = true;
}
@@ -364,7 +370,9 @@ function system_hosts_override_entries($dnscfg) {
$hosts[] = array(
'ipaddr' => $host['ip'],
- 'fqdn' => $fqdn
+ 'fqdn' => $fqdn,
+ 'name' => $host['host'],
+ 'domain' => $host['domain']
);
if (!is_array($host['aliases']) ||
@@ -381,7 +389,9 @@ function system_hosts_override_entries($dnscfg) {
$hosts[] = array(
'ipaddr' => $host['ip'],
- 'fqdn' => $fqdn
+ 'fqdn' => $fqdn,
+ 'name' => $alias['host'],
+ 'domain' => $alias['domain']
);
}
}
@@ -414,17 +424,20 @@ function system_hosts_dhcpd_entries() {
}
$fqdn = $host['hostname'] . ".";
+ $domain = "";
if ($host['domain']) {
- $fqdn .= $host['domain'];
+ $domain = $host['domain'];
} elseif ($dhcpifconf['domain']) {
- $fqdn .= $dhcpifconf['domain'];
+ $domain = $dhcpifconf['domain'];
} else {
- $fqdn .= $syscfg['domain'];
+ $domain = $syscfg['domain'];
}
$hosts[] = array(
'ipaddr' => $host['ipaddr'],
- 'fqdn' => $fqdn
+ 'fqdn' => $fqdn . $domain,
+ 'name' => $host['hostname'],
+ 'domain' => $domain
);
}
}
@@ -468,17 +481,20 @@ function system_hosts_dhcpd_entries() {
}
$fqdn = $host['hostname'] . ".";
+ $domain = "";
if ($host['domain']) {
- $fqdn .= $host['domain'];
- } else if ($dhcpifconf['domain']) {
- $fqdn .= $dhcpifconf['domain'];
+ $domain = $host['domain'];
+ } elseif ($dhcpifconf['domain']) {
+ $domain = $dhcpifconf['domain'];
} else {
- $fqdn .= $syscfg['domain'];
+ $domain = $syscfg['domain'];
}
$hosts[] = array(
'ipaddr' => $ipaddrv6,
- 'fqdn' => $fqdn
+ 'fqdn' => $fqdn . $domain,
+ 'name' => $host['hostname'],
+ 'domain' => $domain
);
}
}
@@ -532,10 +548,11 @@ function system_hosts_generate() {
$hosts_array = system_hosts_entries($dnsmasqcfg);
foreach ($hosts_array as $host) {
- $hosts .= "{$host['ipaddr']}\t{$host['fqdn']}";
+ $hosts .= "{$host['ipaddr']}\t";
if (!empty($host['name'])) {
- $hosts .= " {$host['name']}";
+ $hosts .= "{$host['name']} ";
}
+ $hosts .= "{$host['fqdn']}";
$hosts .= "\n";
}
unset($hosts_array);
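Review bot: The reordering in system_hosts_generate writes `name` before `fqdn`, so for the interface and DHCP entries that newly carry a `name` the first name on the line becomes the short hostname instead of the FQDN, and in the hosts file format the first name is the canonical one that reverse lookups return. If the intent is only to add the short name as an alias, keep the FQDN first: `$hosts .= "{$host['ipaddr']}\t{$host['fqdn']}"; if (!empty($host['name'])) { $hosts .= " {$host['name']}"; }`. For the two localhost entries the old swapped fqdn/name values already produced "localhost" first, so only the other entries change; worth confirming against resolver behaviour. The earlier hunks in this file (system_hosts_local_entries, system_hosts_override_entries, system_hosts_dhcpd_entries) supply the name/domain fields consumed here, and each of those functions starts or ends outside its hunk.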
diff --git a/src/etc/inc/unbound.inc b/src/etc/inc/unbound.inc
index e8adc89..c541c87 100644
--- a/src/etc/inc/unbound.inc
+++ b/src/etc/inc/unbound.inc
@@ -536,23 +536,13 @@ function unbound_add_domain_overrides($pvt_rev="", $cfgsubdir = "") {
}
}
-function unbound_add_host_entries($cfgsubdir = "") {
- global $config, $g;
-
- // Check if auto add host entries is not set
- if (!isset($config['unbound']['disable_auto_added_host_entries'])) {
- // Make sure the config setting is a valid unbound local zone type. If not use "transparent".
- if (array_key_exists($config['unbound']['system_domain_local_zone_type'], unbound_local_zone_types())) {
- $system_domain_local_zone_type = $config['unbound']['system_domain_local_zone_type'];
- } else {
- $system_domain_local_zone_type = "transparent";
- }
-
- $unbound_entries = "local-zone: \"{$config['system']['domain']}\" {$system_domain_local_zone_type}\n";
+function unbound_generate_zone_data($domain, $hosts, &$added_ptr, $zone_type = "transparent", $write_domiain_zone_declaration = false, $always_add_short_names = false) {
+ global $config;
+ if ($write_domiain_zone_declaration) {
+ $zone_data = "local-zone: \"{$domain}.\" {$zone_type}\n";
+ } else {
+ $zone_data = "";
}
-
- $hosts = system_hosts_entries($config['unbound']);
- $added_ptr = array();
foreach ($hosts as $host) {
if (is_ipaddrv4($host['ipaddr'])) {
$type = 'A';
@@ -561,12 +551,69 @@ function unbound_add_host_entries($cfgsubdir = "") {
} else {
continue;
}
-
if (!$added_ptr[$host['ipaddr']]) {
- $unbound_entries .= "local-data-ptr: \"{$host['ipaddr']} {$host['fqdn']}\"\n";
+ $zone_data .= "local-data-ptr: \"{$host['ipaddr']} {$host['fqdn']}\"\n";
$added_ptr[$host['ipaddr']] = true;
}
- $unbound_entries .= "local-data: \"{$host['fqdn']} {$type} {$host['ipaddr']}\"\n";
+ /* For the system localhost entry, write an entry for just the hostname. */
+ if ((($host['name'] == "localhost") && ($domain == $config['system']['domain'])) || $always_add_short_names) {
+ $zone_data .= "local-data: \"{$host['name']}. {$type} {$host['ipaddr']}\"\n";
+ }
+ /* Redirect zones must have a zone declaration that matches the
+ * local-data record exactly, it cannot have entries "under" the
+ * domain.
+ */
+ if ($zone_type == "redirect") {
+ $zone_data .= "local-zone: \"{$host['fqdn']}.\" {$zone_type}\n";;
+ }
+ $zone_data .= "local-data: \"{$host['fqdn']}. {$type} {$host['ipaddr']}\"\n";
+ }
+ return $zone_data;
+}
+
+function unbound_add_host_entries($cfgsubdir = "") {
+ global $config, $g;
+
+ $hosts = system_hosts_entries($config['unbound']);
+
+ /* Pass 1: Build domain list and hosts inside domains */
+ $hosts_by_domain = array();
+ foreach ($hosts as $host) {
+ if (!array_key_exists($host['domain'], $hosts_by_domain)) {
+ $hosts_by_domain[$host['domain']] = array();
+ }
+ $hosts_by_domain[$host['domain']][] = $host;
+ }
+
+ $added_ptr = array();
+ /* Build local zone data */
+ // Check if auto add host entries is not set
+ $system_domain_local_zone_type = "transparent";
+ if (!isset($config['unbound']['disable_auto_added_host_entries'])) {
+ // Make sure the config setting is a valid unbound local zone type. If not use "transparent".
+ if (array_key_exists($config['unbound']['system_domain_local_zone_type'], unbound_local_zone_types())) {
+ $system_domain_local_zone_type = $config['unbound']['system_domain_local_zone_type'];
+ }
+ }
+ /* Add entries for the system domain before all others */
+ if (array_key_exists($config['system']['domain'], $hosts_by_domain)) {
+ $unbound_entries .= unbound_generate_zone_data($config['system']['domain'],
+ $hosts_by_domain[$config['system']['domain']],
+ $added_ptr,
+ $system_domain_local_zone_type,
+ true);
+ /* Unset this so it isn't processed again by the loop below. */
+ unset($hosts_by_domain[$config['system']['domain']]);
+ }
+
+ /* Build zone data for other domain */
+ foreach ($hosts_by_domain as $domain => $hosts) {
+ $unbound_entries .= unbound_generate_zone_data($domain,
+ $hosts,
+ $added_ptr,
+ "transparent",
+ false,
+ isset($config['unbound']['always_add_short_names']));
}
// Write out entries
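Review bot: `$unbound_entries .= unbound_generate_zone_data(...)` in the system-domain branch and in the foreach below it appends to a variable that the rewritten unbound_add_host_entries never initialises (the removed code initialised it with the local-zone line), so the first use raises a notice and, when no hosts exist, the variable is presumably still undefined at the `// Write out entries` step; add `$unbound_entries = "";` before the system-domain block. The `disable_auto_added_host_entries` handling also changes meaning: previously the system-domain local-zone line was emitted only when the option was unset, whereas now it is written unconditionally (with `transparent`) because the `true` argument does not depend on that check — confirm that is intended. The line `$zone_data .= "local-zone: \"{$host['fqdn']}.\" {$zone_type}\n";;` carries a stray second semicolon. `$hosts_by_domain[$host['domain']]` groups any host lacking a `domain` key under "", which is harmless but deserves a comment.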
diff --git a/src/etc/inc/upgrade_config.inc b/src/etc/inc/upgrade_config.inc
index 512d7de..74082dd 100644
--- a/src/etc/inc/upgrade_config.inc
+++ b/src/etc/inc/upgrade_config.inc
@@ -5304,4 +5304,23 @@ function upgrade_164_to_165() {
}
}
+/* Fixup digest algorithm selection for OpenVPN clients and servers so they do not use aliased names. */
+function upgrade_165_to_166() {
+ require_once('openvpn.inc');
+ global $config;
+
+ if (isset($config['openvpn']) && is_array($config['openvpn'])) {
+ if (is_array($config['openvpn']['openvpn-server'])) {
+ foreach ($config['openvpn']['openvpn-server'] as &$vpn) {
+ $vpn['digest'] = openvpn_remap_digest($vpn['digest']);
+ }
+ }
+ if (is_array($config['openvpn']['openvpn-client'])) {
+ foreach ($config['openvpn']['openvpn-client'] as &$vpn) {
+ $vpn['digest'] = openvpn_remap_digest($vpn['digest']);
+ }
+ }
+ }
+}
+
?>
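Review bot: Both `foreach (... as &$vpn)` loops in upgrade_165_to_166 leave `$vpn` bound by reference after they finish; add `unset($vpn);` after each loop so a later by-value reuse of the name cannot overwrite the last element. openvpn_remap_digest() runs the openssl command (via openvpn_get_openssldigestmappings) on every call, so this upgrade spawns a shell per configured server and client; the mapping could be fetched once here and the lookup done locally. Instances with no `digest` key get null passed in and a `digest => null` key written back, which openvpn_remap_digest returns unchanged with a well-formed mapping — probably fine, but worth a comment.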