From cddbe8e902c6e194363bdf1cb13f68df56bf2200 Mon Sep 17 00:00:00 2001
From: doktornotor <notordoktor@gmail.com>
Date: Wed, 26 Aug 2015 17:09:44 +0200
Subject: tinc - pfSense 2.2.x fixes, code style and improvements

- Add copyright header
- Fix code style, whitespace and indentation
- Added some basic input validation
- Add a symlink to make this work on pfSense 2.2.x (fixes Bug #4409)
- Added an enable checkbox to make it possible to disable tinc without uninstalling the package
---
 config/tinc/tinc.inc | 323 +++++++++++++++++++++++++++++----------------------
 1 file changed, 187 insertions(+), 136 deletions(-)

(limited to 'config/tinc/tinc.inc')

diff --git a/config/tinc/tinc.inc b/config/tinc/tinc.inc
index 82d5b453..65f07e32 100644
--- a/config/tinc/tinc.inc
+++ b/config/tinc/tinc.inc
@@ -1,204 +1,255 @@
 <?php
-
+/*
+	tinc.inc
+	part of pfSense (https://www.pfSense.org/)
+	Copyright (C) 2012-2015 ESF, LLC
+	All rights reserved.
+
+	Redistribution and use in source and binary forms, with or without
+	modification, are permitted provided that the following conditions are met:
+
+	1. Redistributions of source code must retain the above copyright notice,
+	   this list of conditions and the following disclaimer.
+
+	2. Redistributions in binary form must reproduce the above copyright
+	   notice, this list of conditions and the following disclaimer in the
+	   documentation and/or other materials provided with the distribution.
+
+	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+	POSSIBILITY OF SUCH DAMAGE.
+*/
+
+/* include_once('guiconfig.inc'); is needed for clear_log_file() during package installation while booting.
+ * However, guiconfig.inc includes authgui.inc which requires a valid php session_auth() and exits when not found.
+ * So we include the function here.
+*/
 if (!function_exists('clear_log_file')) {
-//include_once('guiconfig.inc'); // needed for clear_log_file() during package installation while booting
-//however guiconfig.inc includes authgui.inc which requires a valid php session_auth(), and exits when not found..
-//so include the function here..
+
 	function clear_log_file($logfile = "/var/log/system.log", $restart_syslogd = true) {
 		global $config, $g;
-		if ($restart_syslogd)
+		if ($restart_syslogd) {
 			exec("/usr/bin/killall syslogd");
-		if(isset($config['system']['disablesyslogclog'])) {
+		}
+		if (isset($config['system']['disablesyslogclog'])) {
 			unlink($logfile);
 			touch($logfile);
 		} else {
 			$log_size = isset($config['syslog']['logfilesize']) ? $config['syslog']['logfilesize'] : "511488";
-			if(isset($config['system']['usefifolog']))
+			if (isset($config['system']['usefifolog'])) {
 				exec("/usr/sbin/fifolog_create -s {$log_size} " . escapeshellarg($logfile));
-			else
+			} else {
 				exec("/usr/local/sbin/clog -i -s {$log_size} " . escapeshellarg($logfile));
+			}
 		}
-		if ($restart_syslogd)
+		if ($restart_syslogd) {
 			system_syslogd_start();
+		}
 	}
 }
 
 function tinc_save() {
-	global $config;
+	global $config, $configpath;
+	$configpath = '/usr/local/etc/tinc/';
+
 	conf_mount_rw();
-	exec("/bin/mv -f /usr/local/etc/tinc /usr/local/etc/tinc.old");
-	safe_mkdir("/usr/local/etc/tinc");
-	safe_mkdir("/usr/local/etc/tinc/hosts");
-	exec("touch /usr/local/etc/tinc/WARNING-ENTIRE_DIRECTORY_ERASED_ON_SAVE_FROM_GUI");
+
+	rename("{$configpath}", "{$configpath}.old");
+	safe_mkdir("{$configpath}");
+	safe_mkdir("{$configpath}/hosts");
+	touch("{$configpath}/WARNING-ENTIRE_DIRECTORY_ERASED_ON_SAVE_FROM_GUI");
 	$tincconf = &$config['installedpackages']['tinc']['config'][0];
-	$fout = fopen("/usr/local/etc/tinc/tinc.conf","w");
+	$fout = fopen("{$configpath}/tinc.conf", "w");
 
 	// No proper config, bail out.
-	if (!isset($tincconf['name']) || empty($tincconf['name']))
+	if (!isset($tincconf['name']) || empty($tincconf['name'])) {
+		log_error("[tinc] Cannot configure (name not set). Check your configuration.");
 		return;
+	}
 
-	fwrite($fout, "name=".$tincconf['name']."\n");
-	fwrite($fout, "AddressFamily=".$tincconf['addressfamily']."\n");
-	if(!is_array($config['installedpackages']['tinchosts']['config'])) { $config['installedpackages']['tinchosts']['config']=Array(); }
-	foreach($config['installedpackages']['tinchosts']['config'] as $host) {
-		if($host['connect'])
-		{
+	fwrite($fout, "name=" . $tincconf['name'] . "\n");
+	fwrite($fout, "AddressFamily=" . $tincconf['addressfamily'] . "\n");
+	if (!is_array($config['installedpackages']['tinchosts']['config'])) {
+		$config['installedpackages']['tinchosts']['config']= array();
+	}
+	foreach ($config['installedpackages']['tinchosts']['config'] as $host) {
+		if($host['connect']) {
 			fwrite($fout, "ConnectTo=" . $host['name'] . "\n");
 		}
-		
-		$_output = "Address=".$host['address']."\n";
-		$_output .= "Subnet=".$host['subnet']."\n";
-		$_output .= base64_decode($host['extra'])."\n";
-		$_output .= base64_decode($host['cert_pub'])."\n";
-		file_put_contents('/usr/local/etc/tinc/hosts/'.$host['name'],$_output);
-		if($host['host_up'])
-		{
-			file_put_contents('/usr/local/etc/tinc/hosts/'.$host['name'].'-up',str_replace("\r", "", base64_decode($host['host_up']))."\n");
-			chmod('/usr/local/etc/tinc/hosts/'.$host['name'].'-up', 0744);
+
+		$_output = "Address=" . $host['address'] . "\n";
+		$_output .= "Subnet=" . $host['subnet'] . "\n";
+		$_output .= base64_decode($host['extra']) . "\n";
+		$_output .= base64_decode($host['cert_pub']) . "\n";
+		file_put_contents("{$configpath}/hosts/" . $host['name'], $_output);
+		if ($host['host_up']) {
+			file_put_contents("{$configpath}/hosts/" . $host['name'] . '-up', str_replace("\r", "", base64_decode($host['host_up'])) . "\n");
+			chmod("{$configpath}/hosts/" . $host['name'] . '-up', 0744);
 		}
-		if($host['host_down'])
-		{
-			file_put_contents('/usr/local/etc/tinc/hosts/'.$host['name'].'-down',str_replace("\r", "", base64_decode($host['host_down']))."\n");
-			chmod('/usr/local/etc/tinc/hosts/'.$host['name'].'-down', 0744);
+		if ($host['host_down']) {
+			file_put_contents("{$configpath}/hosts/" . $host['name'] . '-down', str_replace("\r", "", base64_decode($host['host_down'])) . "\n");
+			chmod("{$configpath}/hosts/" . $host['name'] . '-down', 0744);
 		}
 	}
-	fwrite($fout, base64_decode($tincconf['extra'])."\n");
+	fwrite($fout, base64_decode($tincconf['extra']) . "\n");
 	fclose($fout);
 
 	// Check if we need to generate a new RSA key pair.
-	if ($tincconf['gen_rsa'])
-	{
-		safe_mkdir("/usr/local/etc/tinc/tmp");
-		exec("/usr/local/sbin/tincd -c /usr/local/etc/tinc/tmp -K");
-		$tincconf['cert_pub'] = base64_encode(file_get_contents('/usr/local/etc/tinc/tmp/rsa_key.pub'));
-		$tincconf['cert_key'] = base64_encode(file_get_contents('/usr/local/etc/tinc/tmp/rsa_key.priv'));
+	if ($tincconf['gen_rsa']) {
+		safe_mkdir("{$configpath}/tmp");
+		exec("/usr/local/sbin/tincd -c {$configpath}/tmp -K");
+		$tincconf['cert_pub'] = base64_encode(file_get_contents("{$configpath}/tmp/rsa_key.pub"));
+		$tincconf['cert_key'] = base64_encode(file_get_contents("{$configpath}/tmp/rsa_key.priv"));
 		$tincconf['gen_rsa'] = false;
 		$config['installedpackages']['tinc']['config'][0]['cert_pub'] = $tincconf['cert_pub'];
 		$config['installedpackages']['tinc']['config'][0]['cert_key'] = $tincconf['cert_key'];
 		$config['installedpackages']['tinc']['config'][0]['gen_rsa'] = $tincconf['gen_rsa'];
-		rmdir_recursive("/usr/local/etc/tinc/tmp");
-		write_config();
+		rmdir_recursive("{$configpath}/tmp");
+		write_config("[tinc] New RSA key pair generated.");
 	}
 
 	$_output = "Subnet=" . $tincconf['localsubnet'] . "\n";
 	$_output .= base64_decode($tincconf['host_extra']) . "\n";
 	$_output .= base64_decode($tincconf['cert_pub']) . "\n";
-	file_put_contents('/usr/local/etc/tinc/hosts/' . $tincconf['name'],$_output);
-	file_put_contents('/usr/local/etc/tinc/rsa_key.priv',base64_decode($tincconf['cert_key'])."\n");
-	chmod("/usr/local/etc/tinc/rsa_key.priv", 0600);
-	if($tincconf['tinc_up'])
-	{
+	file_put_contents("{$configpath}/hosts/" . $tincconf['name'], $_output);
+	file_put_contents("{$configpath}/rsa_key.priv", base64_decode($tincconf['cert_key']) . "\n");
+	chmod("{$configpath}/rsa_key.priv", 0600);
+	if ($tincconf['tinc_up']) {
 		$_output = base64_decode($tincconf['tinc_up']) . "\n";
-	}
-	else
-	{
+	} else {
 		$_output = "ifconfig \$INTERFACE " . $tincconf['localip'] . " netmask " . $tincconf['vpnnetmask'] . "\n";
 		$_output .= "ifconfig \$INTERFACE group tinc\n";
 	}
-	file_put_contents('/usr/local/etc/tinc/tinc-up',$_output);
-	chmod("/usr/local/etc/tinc/tinc-up", 0744);
-	if($tincconf['tinc_down'])
-	{
-		file_put_contents('/usr/local/etc/tinc/tinc-down',str_replace("\r", "", base64_decode($tincconf['tinc_down'])) . "\n");
-		chmod("/usr/local/etc/tinc/tinc-down", 0744);
-	}
-	if($tincconf['host_up'])
-	{
-		file_put_contents('/usr/local/etc/tinc/host-up',str_replace("\r", "", base64_decode($tincconf['host_up'])) . "\n");
-		chmod("/usr/local/etc/tinc/host-up", 0744);
-	}
-	if($tincconf['host_down'])
-	{
-		file_put_contents('/usr/local/etc/tinc/host-down',str_replace("\r", "", base64_decode($tincconf['host_down'])) . "\n");
-		chmod("/usr/local/etc/tinc/host-down", 0744);
-	}
-	if($tincconf['subnet_up'])
-	{
-		file_put_contents('/usr/local/etc/tinc/subnet-up',str_replace("\r", "", base64_decode($tincconf['subnet_up'])) . "\n");
-		chmod("/usr/local/etc/tinc/subnet-up", 0744);
-	}
-	if($tincconf['subnet_down'])
-	{
-		file_put_contents('/usr/local/etc/tinc/subnet-down',str_replace("\r", "", base64_decode($tincconf['subnet_down'])) . "\n");
-		chmod("/usr/local/etc/tinc/subnet-down", 0744);
-	}
-	system("/usr/local/etc/rc.d/tinc.sh restart 2>/dev/null");
-	rmdir_recursive("/usr/local/etc/tinc.old");
+	file_put_contents("{$configpath}/tinc-up", $_output);
+	chmod("{$configpath}/tinc-up", 0744);
+	if ($tincconf['tinc_down']) {
+		file_put_contents("{$configpath}/tinc-down", str_replace("\r", "", base64_decode($tincconf['tinc_down'])) . "\n");
+		chmod("{$configpath}/tinc-down", 0744);
+	}
+	if ($tincconf['host_up']) {
+		file_put_contents("{$configpath}/host-up", str_replace("\r", "", base64_decode($tincconf['host_up'])) . "\n");
+		chmod("{$configpath}/host-up", 0744);
+	}
+	if ($tincconf['host_down']) {
+		file_put_contents("{$configpath}/host-down", str_replace("\r", "", base64_decode($tincconf['host_down'])) . "\n");
+		chmod("{$configpath}/host-down", 0744);
+	}
+	if ($tincconf['subnet_up']) {
+		file_put_contents("{$configpath}/subnet-up", str_replace("\r", "", base64_decode($tincconf['subnet_up'])) . "\n");
+		chmod("{$configpath}/subnet-up", 0744);
+	}
+	if ($tincconf['subnet_down']) {
+		file_put_contents("{$configpath}/subnet-down", str_replace("\r", "", base64_decode($tincconf['subnet_down'])) . "\n");
+		chmod("{$configpath}/subnet-down", 0744);
+	}
+
+	$pfs_version = substr(trim(file_get_contents("/etc/version")), 0, 3);
+	if ($pfs_version == "2.2") {
+		$pbietcpath = '/usr/pbi/tinc-' . php_uname("m") . '/local/etc';
+		unlink_if_exists("{$pbietcpath}/tinc");
+		symlink($configpath, "{$pbietcpath}/tinc");
+	}
+
+	if ($tincconf['enable'] != "") {
+		restart_service("tinc");
+	} elseif (is_process_running("tincd")); {
+			stop_service("tinc");
+	}
 
+	rmdir_recursive("/usr/local/etc/tinc.old");
 	conf_mount_ro();
 }
 
 function tinc_install() {
 	global $config;
+
 	safe_mkdir("/usr/local/etc/tinc");
 	safe_mkdir("/usr/local/etc/tinc/hosts");
-	$_rcfile['file']='tinc.sh';
-	$_rcfile['start'].="/usr/local/sbin/tincd --config=/usr/local/etc/tinc\n\t";
-	$_rcfile['stop'].="/usr/local/sbin/tincd --kill \n\t";
-	write_rcfile($_rcfile);
+	$rc['file'] = 'tinc.sh';
+	$rc['start'] .= "/usr/local/sbin/tincd --config=/usr/local/etc/tinc\n\t";
+	$rc['stop'] .= "/usr/local/sbin/tincd --kill \n\t";
+	write_rcfile($rc);
 	unlink_if_exists("/usr/local/etc/rc.d/tincd");
 	clear_log_file("/var/log/tinc.log");
-	
-	conf_mount_rw();
 
-        /* Create Interface Group */
-        if (!is_array($config['ifgroups']['ifgroupentry']))
-        $config['ifgroups']['ifgroupentry'] = array();
-
-        $a_ifgroups = &$config['ifgroups']['ifgroupentry'];
-        $ifgroupentry = array();
-        $ifgroupentry['members'] = '';
-        $ifgroupentry['descr'] = 'tinc mesh VPN interface group';
-        $ifgroupentry['ifname'] = 'tinc';
-        $a_ifgroups[] = $ifgroupentry;
+	/* Create Interface Group */
+	if (!is_array($config['ifgroups']['ifgroupentry'])) {
+		$config['ifgroups']['ifgroupentry'] = array();
+	}
 
-        /* XXX: Do not remove this. */
-        mwexec("/bin/rm -f /tmp/config.cache");
+	$a_ifgroups = &$config['ifgroups']['ifgroupentry'];
+	$ifgroupentry = array();
+	$ifgroupentry['members'] = '';
+	$ifgroupentry['descr'] = 'tinc mesh VPN interface group';
+	$ifgroupentry['ifname'] = 'tinc';
+	$a_ifgroups[] = $ifgroupentry;
 
-        write_config();
+	/* XXX: Do not remove this. WTH?! */
+	mwexec("/bin/rm -f /tmp/config.cache");
 
-	conf_mount_ro();
+	write_config("[tinc] Package installed.");
 }
 
 function tinc_deinstall() {
 	global $config;
-        /* Remove Interface Group */
-        conf_mount_rw();
-        if (!is_array($config['ifgroups']['ifgroupentry']))
-        $config['ifgroups']['ifgroupentry'] = array();
-
-        $a_ifgroups = &$config['ifgroups']['ifgroupentry'];
-
-        $myid=-1;
-        $i = 0;
-        foreach ($a_ifgroups as $ifgroupentry)
-        {
-                if($ifgroupentry['ifname']=='tinc')
-                {
-                        $myid=$i;
-                        break;
-                }
-                $i++;
-        }
-
-        if ($myid >= 0 && $a_ifgroups[$myid])
-        {
-                $members = explode(" ", $a_ifgroups[$_GET['id']]['members']);
-                foreach ($members as $ifs)
-                {
-                        $realif = get_real_interface($ifs);
-                        if ($realif)
-                                mwexec("/sbin/ifconfig  {$realif} -group " . escapeshellarg($a_ifgroups[$_GET['id']]['ifname']));
-                }
-                unset($a_ifgroups[$myid]);
-        	mwexec("/bin/rm -f /tmp/config.cache");
-        	write_config();
-        }
-	conf_mount_ro();
 
+	/* Remove Interface Group */
+	if (!is_array($config['ifgroups']['ifgroupentry'])) {
+		$config['ifgroups']['ifgroupentry'] = array();
+	}
+
+	$a_ifgroups = &$config['ifgroups']['ifgroupentry'];
+
+	$myid = -1;
+	$i = 0;
+	foreach ($a_ifgroups as $ifgroupentry) {
+		if ($ifgroupentry['ifname'] == 'tinc') {
+			$myid = $i;
+			break;
+		}
+		$i++;
+	}
+
+	if ($myid >= 0 && $a_ifgroups[$myid]) {
+		$members = explode(" ", $a_ifgroups[$_GET['id']]['members']);
+		foreach ($members as $ifs) {
+			$realif = get_real_interface($ifs);
+			if ($realif) {
+				mwexec("/sbin/ifconfig {$realif} -group " . escapeshellarg($a_ifgroups[$_GET['id']]['ifname']));
+			}
+		}
+		unset($a_ifgroups[$myid]);
+		/* WTH?! */
+		mwexec("/bin/rm -f /tmp/config.cache");
+		write_config("[tinc] Package uninstalled.");
+	}
 	rmdir_recursive("/var/tmp/tinc");
 	rmdir_recursive("/usr/local/etc/tinc*");
-	unlink_if_exists("/usr/local/etc/rc.d/tinc.sh");
 }
 
+function tinc_validate_input($post, &$input_errors) {
+	if ($post['localip']) {
+		if ((!is_ipaddr($post['localip'])) && (!is_hostname($post['localip']))) {
+			$input_errors[] = gettext("'Local IP' must be a valid IP address or hostname.");
+		}
+	}
+	if ($post['address']) {
+		if ((!is_ipaddr($post['address'])) && (!is_hostname($post['address']))) {
+			$input_errors[] = gettext("'Host Address' must be a valid IP address or hostname.");
+		}
+	}
+	if (($post['localsubnet']) && (!is_subnet($post['localsubnet']))) {
+		$input_errors[] = gettext("'Local Subnet' must be a valid subnet.");
+	}
+	if (($post['subnet']) && (!is_subnet($post['subnet']))) {
+		$input_errors[] = gettext("'Subnet' must be a valid subnet.");
+	}
+}
 ?>
-- 
cgit v1.2.3