Added tinc package for pfSense 2.3

security/pfSense-pkg-tinc/Makefile

@@ -0,0 +1,46 @@
+# $FreeBSD$
+
+PORTNAME=	pfSense-pkg-tinc
+PORTVERSION=	1.0.28
+CATEGORIES=	security
+MASTER_SITES=	# empty
+DISTFILES=	# empty
+EXTRACT_ONLY=	# empty
+
+MAINTAINER=	dinoex@FreeBSD.org
+COMMENT=	pfSense package tinc
+
+LICENSE=	GPLv3
+
+RUN_DEPENDS=    ${LOCALBASE}/sbin/tincd:security/tinc
+
+NO_BUILD=	yes
+NO_MTREE=	yes
+
+SUB_FILES=	pkg-install pkg-deinstall
+SUB_LIST=	PORTNAME=${PORTNAME}
+
+do-extract:
+	${MKDIR} ${WRKSRC}
+
+do-install:
+	${MKDIR} ${STAGEDIR}${PREFIX}/pkg
+	${MKDIR} ${STAGEDIR}/etc/inc/priv
+	${MKDIR} ${STAGEDIR}${PREFIX}/www
+	${MKDIR} ${STAGEDIR}${DATADIR}
+	${INSTALL_DATA} ${FILESDIR}${PREFIX}/pkg/tinc.inc \
+		${STAGEDIR}${PREFIX}/pkg
+	${INSTALL_DATA} ${FILESDIR}/etc/inc/priv/tinc.priv.inc \
+		${STAGEDIR}/etc/inc/priv
+	${INSTALL_DATA} ${FILESDIR}${PREFIX}/pkg/tinc.xml \
+		${STAGEDIR}${PREFIX}/pkg
+	${INSTALL_DATA} ${FILESDIR}${PREFIX}/pkg/tinc_hosts.xml \
+		${STAGEDIR}${PREFIX}/pkg
+	${INSTALL_DATA} ${FILESDIR}${PREFIX}/www/status_tinc.php \
+		${STAGEDIR}${PREFIX}/www
+	${INSTALL_DATA} ${FILESDIR}${DATADIR}/info.xml \
+		${STAGEDIR}${DATADIR}
+	@${REINPLACE_CMD} -i '' -e "s|%%PKGVERSION%%|${PKGVERSION}|" \
+		${STAGEDIR}${DATADIR}/info.xml
+
+.include <bsd.port.mk>

security/pfSense-pkg-tinc/files/etc/inc/priv/tinc.priv.inc

@@ -0,0 +1,44 @@
+<?php
+/*
+	tinc.priv.inc
+	part of pfSense (http://www.pfSense.org/)
+	Copyright (C) 2015 ESF, LLC
+	All rights reserved.
+
+	Redistribution and use in source and binary forms, with or without
+	modification, are permitted provided that the following conditions are met:
+
+	1. Redistributions of source code must retain the above copyright notice,
+	   this list of conditions and the following disclaimer.
+
+	2. Redistributions in binary form must reproduce the above copyright
+	   notice, this list of conditions and the following disclaimer in the
+	   documentation and/or other materials provided with the distribution.
+
+	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+	POSSIBILITY OF SUCH DAMAGE.
+*/
+global $priv_list;
+
+$priv_list['page-vpn-tinc'] = array();
+$priv_list['page-vpn-tinc']['name'] = "WebCfg - VPN: tinc package";
+$priv_list['page-vpn-tinc']['descr'] = "Allow access to tinc package GUI";
+$priv_list['page-vpn-tinc']['match'] = array();
+
+$priv_list['page-vpn-tinc']['match'][] = "pkg.php?xml=tinc.xml*";
+$priv_list['page-vpn-tinc']['match'][] = "pkg.php?xml=tinc_hosts.xml*";
+
+$priv_list['page-vpn-tinc']['match'][] = "pkg_edit.php?xml=tinc.xml*";
+$priv_list['page-vpn-tinc']['match'][] = "pkg_edit.php?xml=tinc_hosts.xml*";
+
+$priv_list['page-vpn-tinc']['match'][] = "status_tinc.php*";
+
+?>

security/pfSense-pkg-tinc/files/pkg-deinstall.in

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/usr/local/bin/php -f /etc/rc.packages %%PORTNAME%% ${2}

security/pfSense-pkg-tinc/files/pkg-install.in

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+if [ "${2}" != "POST-INSTALL" ]; then
+	exit 0
+fi
+
+/usr/local/bin/php -f /etc/rc.packages %%PORTNAME%% ${2}

security/pfSense-pkg-tinc/files/usr/local/pkg/tinc.inc

@@ -0,0 +1,275 @@
+<?php
+/*
+	tinc.inc
+	part of pfSense (https://www.pfSense.org/)
+	Copyright (C) 2012-2015 ESF, LLC
+	All rights reserved.
+
+	Redistribution and use in source and binary forms, with or without
+	modification, are permitted provided that the following conditions are met:
+
+	1. Redistributions of source code must retain the above copyright notice,
+	   this list of conditions and the following disclaimer.
+
+	2. Redistributions in binary form must reproduce the above copyright
+	   notice, this list of conditions and the following disclaimer in the
+	   documentation and/or other materials provided with the distribution.
+
+	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+	POSSIBILITY OF SUCH DAMAGE.
+*/
+require_once('config.inc');
+require_once('service-utils.inc');
+require_once('util.inc');
+/* include_once('guiconfig.inc'); is needed for clear_log_file() during package installation while booting.
+ * However, guiconfig.inc includes authgui.inc which requires a valid php session_auth() and exits when not found.
+ * So we include the function here.
+*/
+if (!function_exists('clear_log_file')) {
+
+	function clear_log_file($logfile = "/var/log/system.log", $restart_syslogd = true) {
+		require_once('system.inc');
+		global $config;
+		if ($restart_syslogd) {
+			exec("/usr/bin/killall syslogd");
+		}
+		if (isset($config['system']['disablesyslogclog'])) {
+			unlink($logfile);
+			touch($logfile);
+		} else {
+			$log_size = isset($config['syslog']['logfilesize']) ? $config['syslog']['logfilesize'] : "511488";
+			if (isset($config['system']['usefifolog'])) {
+				exec("/usr/sbin/fifolog_create -s {$log_size} " . escapeshellarg($logfile));
+			} else {
+				exec("/usr/local/sbin/clog -i -s {$log_size} " . escapeshellarg($logfile));
+			}
+		}
+		if ($restart_syslogd) {
+			system_syslogd_start();
+		}
+	}
+}
+
+function tinc_save() {
+	global $config, $configpath;
+	$configpath = '/usr/local/etc/tinc';
+
+	conf_mount_rw();
+
+	rename("{$configpath}", "{$configpath}.old");
+	safe_mkdir("{$configpath}");
+	safe_mkdir("{$configpath}/hosts");
+	touch("{$configpath}/WARNING-ENTIRE_DIRECTORY_ERASED_ON_SAVE_FROM_GUI");
+	if (is_array($config['installedpackages']['tinc']['config'])) {
+		$tincconf = &$config['installedpackages']['tinc']['config'][0];
+	} else {
+		$tincconf = array();
+	}
+
+	// No proper config, bail out.
+	if (!isset($tincconf['name']) || empty($tincconf['name'])) {
+		log_error("[tinc] Cannot configure (name not set). Check your configuration.");
+		return;
+	}
+
+	$fout = fopen("{$configpath}/tinc.conf", "w");
+	fwrite($fout, "name=" . $tincconf['name'] . "\n");
+	fwrite($fout, "AddressFamily=" . $tincconf['addressfamily'] . "\n");
+
+	if (!is_array($config['installedpackages']['tinchosts']['config'])) {
+		$config['installedpackages']['tinchosts']['config'] = array();
+	}
+	foreach ($config['installedpackages']['tinchosts']['config'] as $host) {
+		if ($host['connect']) {
+			fwrite($fout, "ConnectTo=" . $host['name'] . "\n");
+		}
+
+		$_output = "Address=" . $host['address'] . "\n";
+		$_output .= "Subnet=" . $host['subnet'] . "\n";
+		$_output .= base64_decode($host['extra']) . "\n";
+		$_output .= base64_decode($host['cert_pub']) . "\n";
+		file_put_contents("{$configpath}/hosts/" . $host['name'], $_output);
+		if ($host['host_up']) {
+			file_put_contents("{$configpath}/hosts/" . $host['name'] . '-up', str_replace("\r", "", base64_decode($host['host_up'])) . "\n");
+			chmod("{$configpath}/hosts/" . $host['name'] . '-up', 0744);
+		}
+		if ($host['host_down']) {
+			file_put_contents("{$configpath}/hosts/" . $host['name'] . '-down', str_replace("\r", "", base64_decode($host['host_down'])) . "\n");
+			chmod("{$configpath}/hosts/" . $host['name'] . '-down', 0744);
+		}
+	}
+	fwrite($fout, base64_decode($tincconf['extra']) . "\n");
+	fclose($fout);
+
+	// Check if we need to generate a new RSA key pair.
+	if ($tincconf['gen_rsa']) {
+		safe_mkdir("{$configpath}/tmp");
+		exec("/usr/local/sbin/tincd -c {$configpath}/tmp -K");
+		$tincconf['cert_pub'] = base64_encode(file_get_contents("{$configpath}/tmp/rsa_key.pub"));
+		$tincconf['cert_key'] = base64_encode(file_get_contents("{$configpath}/tmp/rsa_key.priv"));
+		$tincconf['gen_rsa'] = false;
+		$config['installedpackages']['tinc']['config'][0]['cert_pub'] = $tincconf['cert_pub'];
+		$config['installedpackages']['tinc']['config'][0]['cert_key'] = $tincconf['cert_key'];
+		$config['installedpackages']['tinc']['config'][0]['gen_rsa'] = $tincconf['gen_rsa'];
+		rmdir_recursive("{$configpath}/tmp");
+		write_config("[tinc] New RSA key pair generated.");
+	}
+
+	$_output = "Subnet=" . $tincconf['localsubnet'] . "\n";
+	$_output .= base64_decode($tincconf['host_extra']) . "\n";
+	$_output .= base64_decode($tincconf['cert_pub']) . "\n";
+	file_put_contents("{$configpath}/hosts/" . $tincconf['name'], $_output);
+	file_put_contents("{$configpath}/rsa_key.priv", base64_decode($tincconf['cert_key']) . "\n");
+	chmod("{$configpath}/rsa_key.priv", 0600);
+	if ($tincconf['tinc_up']) {
+		$_output = base64_decode($tincconf['tinc_up']) . "\n";
+	} else {
+		$_output = "ifconfig \$INTERFACE " . $tincconf['localip'] . " netmask " . $tincconf['vpnnetmask'] . "\n";
+		$_output .= "ifconfig \$INTERFACE group tinc\n";
+	}
+	file_put_contents("{$configpath}/tinc-up", $_output);
+	chmod("{$configpath}/tinc-up", 0744);
+	if ($tincconf['tinc_down']) {
+		file_put_contents("{$configpath}/tinc-down", str_replace("\r", "", base64_decode($tincconf['tinc_down'])) . "\n");
+		chmod("{$configpath}/tinc-down", 0744);
+	}
+	if ($tincconf['host_up']) {
+		file_put_contents("{$configpath}/host-up", str_replace("\r", "", base64_decode($tincconf['host_up'])) . "\n");
+		chmod("{$configpath}/host-up", 0744);
+	}
+	if ($tincconf['host_down']) {
+		file_put_contents("{$configpath}/host-down", str_replace("\r", "", base64_decode($tincconf['host_down'])) . "\n");
+		chmod("{$configpath}/host-down", 0744);
+	}
+	if ($tincconf['subnet_up']) {
+		file_put_contents("{$configpath}/subnet-up", str_replace("\r", "", base64_decode($tincconf['subnet_up'])) . "\n");
+		chmod("{$configpath}/subnet-up", 0744);
+	}
+	if ($tincconf['subnet_down']) {
+		file_put_contents("{$configpath}/subnet-down", str_replace("\r", "", base64_decode($tincconf['subnet_down'])) . "\n");
+		chmod("{$configpath}/subnet-down", 0744);
+	}
+
+	$pfs_version = substr(trim(file_get_contents("/etc/version")), 0, 3);
+	if ($pfs_version == "2.2") {
+		$pbietcpath = '/usr/pbi/tinc-' . php_uname("m") . '/local/etc';
+		unlink_if_exists("{$pbietcpath}/tinc");
+		symlink($configpath, "{$pbietcpath}/tinc");
+	}
+
+	if ($tincconf['enable'] != "") {
+		tinc_write_rcfile();
+		if (is_service_running("tinc")) {
+			restart_service("tinc");
+		} else {
+			start_service("tinc");
+		}
+	} else {
+		if (is_process_running("tincd")) {
+			stop_service("tinc");
+		}
+		unlink_if_exists("/usr/local/etc/rc.d/tinc.sh");
+	}
+
+	rmdir_recursive("/usr/local/etc/tinc.old");
+	conf_mount_ro();
+}
+
+function tinc_write_rcfile() {
+	$rc['file'] = 'tinc.sh';
+	$rc['start'] .= "/usr/local/sbin/tincd --config=/usr/local/etc/tinc\n\t";
+	$rc['stop'] .= "/usr/local/sbin/tincd --kill \n\t";
+	write_rcfile($rc);
+}
+
+function tinc_install() {
+	global $config;
+
+	safe_mkdir("/usr/local/etc/tinc");
+	safe_mkdir("/usr/local/etc/tinc/hosts");
+	tinc_write_rcfile();
+	unlink_if_exists("/usr/local/etc/rc.d/tincd");
+	clear_log_file("/var/log/tinc.log");
+
+	/* Create Interface Group */
+	if (!is_array($config['ifgroups']['ifgroupentry'])) {
+		$config['ifgroups']['ifgroupentry'] = array();
+	}
+
+	$a_ifgroups = &$config['ifgroups']['ifgroupentry'];
+	$ifgroupentry = array();
+	$ifgroupentry['members'] = '';
+	$ifgroupentry['descr'] = 'tinc mesh VPN interface group';
+	$ifgroupentry['ifname'] = 'tinc';
+	$a_ifgroups[] = $ifgroupentry;
+
+	/* XXX: Do not remove this. WTH?! */
+	mwexec("/bin/rm -f /tmp/config.cache");
+
+	write_config("[tinc] Package installed.");
+}
+
+function tinc_deinstall() {
+	global $config;
+
+	/* Remove Interface Group */
+	if (!is_array($config['ifgroups']['ifgroupentry'])) {
+		$config['ifgroups']['ifgroupentry'] = array();
+	}
+
+	$a_ifgroups = &$config['ifgroups']['ifgroupentry'];
+
+	$myid = -1;
+	$i = 0;
+	foreach ($a_ifgroups as $ifgroupentry) {
+		if ($ifgroupentry['ifname'] == 'tinc') {
+			$myid = $i;
+			break;
+		}
+		$i++;
+	}
+
+	if ($myid >= 0 && $a_ifgroups[$myid]) {
+		$members = explode(" ", $a_ifgroups[$_GET['id']]['members']);
+		foreach ($members as $ifs) {
+			$realif = get_real_interface($ifs);
+			if ($realif) {
+				mwexec("/sbin/ifconfig {$realif} -group " . escapeshellarg($a_ifgroups[$_GET['id']]['ifname']));
+			}
+		}
+		unset($a_ifgroups[$myid]);
+		/* WTH?! */
+		mwexec("/bin/rm -f /tmp/config.cache");
+		write_config("[tinc] Package uninstalled.");
+	}
+	rmdir_recursive("/var/tmp/tinc");
+	rmdir_recursive("/usr/local/etc/tinc*");
+}
+
+function tinc_validate_input($post, &$input_errors) {
+	if ($post['localip']) {
+		if ((!is_ipaddr($post['localip'])) && (!is_hostname($post['localip']))) {
+			$input_errors[] = gettext("'Local IP' must be a valid IP address or hostname.");
+		}
+	}
+	if ($post['address']) {
+		if ((!is_ipaddr($post['address'])) && (!is_hostname($post['address']))) {
+			$input_errors[] = gettext("'Host Address' must be a valid IP address or hostname.");
+		}
+	}
+	if (($post['localsubnet']) && (!is_subnet($post['localsubnet']))) {
+		$input_errors[] = gettext("'Local Subnet' must be a valid subnet.");
+	}
+	if (($post['subnet']) && (!is_subnet($post['subnet']))) {
+		$input_errors[] = gettext("'Subnet' must be a valid subnet.");
+	}
+}
+?>