Skip to content

O
OpnSense
Commit e7aaafea authored by Ad Schellevis's avatar Ad Schellevis Committed by Franco Fichtner
Browse files
Options

(openvpn, auth) remove dead code 

(cherry picked from commit 7b59e10c)
parent 2b5188cb
Hide whitespace changes
Inline Side-by-side
Showing with 0 additions and 229 deletions
src/etc/inc/openvpn.auth-user.php
View file @ e7aaafea
...@@ -39,178 +39,6 @@ require_once("auth.inc"); ...@@ -39,178 +39,6 @@ require_once("auth.inc");
require_once("util.inc"); require_once("util.inc");
require_once("interfaces.inc"); require_once("interfaces.inc");
function cisco_to_cidr($addr)
{
if (!is_ipaddr($addr)) {
return 0;
}
$mask = decbin(~ip2long($addr));
$mask = substr($mask, -32);
$k = 0;
for ($i = 0; $i <= 32; $i++) {
$k += intval($mask[$i]);
}
return $k;
}
function cisco_extract_index($prule)
{
$index = explode("#", $prule);
if (is_numeric($index[1])) {
return intval($index[1]);
} else {
syslog(LOG_WARNING, "Error parsing rule {$prule}: Could not extract index");
}
return -1;;
}
function parse_cisco_acl($attribs) {
global $devname, $attributes;
if (!is_array($attribs)) {
return "";
}
$finalrules = "";
if (is_array($attribs['ciscoavpair'])) {
$inrules = array();
$outrules = array();
foreach ($attribs['ciscoavpair'] as $avrules) {
$rule = explode("=", $avrules);
$dir = "";
if (strstr($rule[0], "inacl")) {
$dir = "in";
} elseif (strstr($rule[0], "outacl")) {
$dir = "out";
} elseif (strstr($rule[0], "dns-servers")) {
$attributes['dns-servers'] = explode(" ", $rule[1]);
continue;
} elseif (strstr($rule[0], "route")) {
if (!is_array($attributes['routes'])) {
$attributes['routes'] = array();
}
$attributes['routes'][] = $rule[1];
continue;
}
$rindex = cisco_extract_index($rule[0]);
if ($rindex < 0) {
continue;
}
$rule = $rule[1];
$rule = explode(" ", $rule);
$tmprule = "";
$index = 0;
$isblock = false;
if ($rule[$index] == "permit") {
$tmprule = "pass {$dir} quick on {$devname} ";
} elseif ($rule[$index] == "deny") {
//continue;
$isblock = true;
$tmprule = "block {$dir} quick on {$devname} ";
} else {
continue;
}
$index++;
switch ($rule[$index]) {
case "tcp":
case "udp":
$tmprule .= "proto {$rule[$index]} ";
break;
}
$index++;
/* Source */
if (trim($rule[$index]) == "host") {
$index++;
$tmprule .= "from {$rule[$index]} ";
$index++;
if ($isblock == true) {
$isblock = false;
}
} elseif (trim($rule[$index]) == "any") {
$tmprule .= "from any";
$index++;
} else {
$tmprule .= "from {$rule[$index]}";
$index++;
$netmask = cisco_to_cidr($rule[$index]);
$tmprule .= "/{$netmask} ";
$index++;
if ($isblock == true) {
$isblock = false;
}
}
/* Destination */
if (trim($rule[$index]) == "host") {
$index++;
$tmprule .= "to {$rule[$index]} ";
$index++;
if ($isblock == true) {
$isblock = false;
}
} elseif (trim($rule[$index]) == "any") {
$index++;
$tmprule .= "to any";
} else {
$tmprule .= "to {$rule[$index]}";
$index++;
$netmask = cisco_to_cidr($rule[$index]);
$tmprule .= "/{$netmask} ";
$index++;
if ($isblock == true) {
$isblock = false;
}
}
if ($isblock == true) {
continue;
}
if ($dir == "in") {
$inrules[$rindex] = $tmprule;
} elseif ($dir == "out") {
$outrules[$rindex] = $tmprule;
}
}
$state = "";
if (!empty($outrules)) {
$state = "no state";
}
ksort($inrules, SORT_NUMERIC);
foreach ($inrules as $inrule) {
$finalrules .= "{$inrule} {$state}\n";
}
if (!empty($outrules)) {
ksort($outrules, SORT_NUMERIC);
foreach ($outrules as $outrule) {
$finalrules .= "{$outrule} {$state}\n";
}
}
}
return $finalrules;
}
/**
* Get the NAS-Identifier
*
* We will use our local hostname to make up the nas_id
*/
if (!function_exists("getNasID")) {
function getNasID()
{
global $g;
$nasId = gethostname();
if (empty($nasId)) {
$nasId = $g['product_name'];
}
return $nasId;
}
}
/* setup syslog logging */ /* setup syslog logging */
openlog("openvpn", LOG_ODELAY, LOG_AUTH); openlog("openvpn", LOG_ODELAY, LOG_AUTH);
...@@ -221,11 +49,6 @@ if (count($argv) > 6) { ...@@ -221,11 +49,6 @@ if (count($argv) > 6) {
$common_name = $argv[3]; $common_name = $argv[3];
$modeid = $argv[6]; $modeid = $argv[6];
$strictusercn = $argv[4] == 'false' ? false : true; $strictusercn = $argv[4] == 'false' ? false : true;
} else {
/* read data from environment */
$username = getenv("username");
$password = getenv("password");
$common_name = getenv("common_name");
} }
if (!$username || !$password) { if (!$username || !$password) {
...@@ -243,7 +66,6 @@ if (file_exists("/var/etc/openvpn/{$modeid}.ca")) { ...@@ -243,7 +66,6 @@ if (file_exists("/var/etc/openvpn/{$modeid}.ca")) {
} }
$authenticated = false; $authenticated = false;
if (($strictusercn === true) && ($common_name != $username)) { if (($strictusercn === true) && ($common_name != $username)) {
syslog(LOG_WARNING, "Username does not match certificate common name ({$username} != {$common_name}), access denied.\n"); syslog(LOG_WARNING, "Username does not match certificate common name ({$username} != {$common_name}), access denied.\n");
closelog(); closelog();
...@@ -256,7 +78,6 @@ if (!is_array($authmodes)) { ...@@ -256,7 +78,6 @@ if (!is_array($authmodes)) {
exit(1); exit(1);
} }
$attributes = array();
foreach ($authmodes as $authmode) { foreach ($authmodes as $authmode) {
$authcfg = auth_get_authserver($authmode); $authcfg = auth_get_authserver($authmode);
if (!$authcfg && $authmode != "local") { if (!$authcfg && $authmode != "local") {
...@@ -275,56 +96,6 @@ if ($authenticated == false) { ...@@ -275,56 +96,6 @@ if ($authenticated == false) {
exit(-1); exit(-1);
} }
if (empty($common_name)) {
$common_name = getenv("common_name");
if (empty($common_name)) {
$common_name = getenv("username");
}
}
$devname = getenv("dev");
if (empty($devname)) {
$devname = "openvpn";
}
$rules = parse_cisco_acl($attributes);
if (!empty($rules)) {
$pid = getmypid();
@file_put_contents("/tmp/ovpn_{$pid}{$common_name}.rules", $rules);
mwexec("/sbin/pfctl -a " . escapeshellarg("openvpn/{$common_name}") . " -f /tmp/ovpn_{$pid}" . escapeshellarg($common_name) . ".rules");
@unlink("/tmp/ovpn_{$pid}{$common_name}.rules");
}
$content = "";
if (is_array($attributes['dns-servers'])) {
foreach ($attributes['dns-servers'] as $dnssrv) {
if (is_ipaddr($dnssrv)) {
$content .= "push \"dhcp-option DNS {$dnssrv}\"\n";
}
}
}
if (is_array($attributes['routes'])) {
foreach ($attributes['routes'] as $route) {
$content .= "push \"route {$route} vpn_gateway\"\n";
}
}
if (isset($attributes['framed_ip'])) {
/* XXX: only use when TAP windows driver >= 8.2.x */
/* if (isset($attributes['framed_mask'])) {
$content .= "topology subnet\n";
$content .= "ifconfig-push {$attributes['framed_ip']} {$attributes['framed_mask']}";
} else {
*/
$content .= "topology net30\n";
$content .= "ifconfig-push {$attributes['framed_ip']} ". long2ip((ip2long($attributes['framed_ip']) + 1));
// }
}
if (!empty($content)) {
@file_put_contents("/tmp/{$username}", $content);
}
syslog(LOG_NOTICE, "user '{$username}' authenticated\n"); syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
closelog(); closelog();
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment

Technounit-GROUP 2023