diff --git a/CHANGELOG b/CHANGELOG index b0b48db..02acd67 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -3,6 +3,7 @@ ====================== Version Description +1.1.32......Update release list, tarballs.php to include 13.3. 1.1.31......Update bastille config files. 1.1.30......Fix config check for Linux jails. 1.1.29......Ad note on how to fetch EOL/Unsupported releases. diff --git a/conf/system/freebsd-update/13.3/freebsd-update b/conf/system/freebsd-update/13.3/freebsd-update new file mode 100755 index 0000000..551d404 --- /dev/null +++ b/conf/system/freebsd-update/13.3/freebsd-update @@ -0,0 +1,3546 @@ +#!/bin/sh + +#- +# SPDX-License-Identifier: BSD-2-Clause +# +# Copyright 2004-2007 Colin Percival +# All rights reserved +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted providing that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY +# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING +# IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. + +#### Usage function -- called from command-line handling code. + +# Usage instructions. Options not listed: +# --debug -- don't filter output from utilities +# --no-stats -- don't show progress statistics while fetching files +usage () { + cat < ${LINE}" + exit 1 + fi + done < ${CONFFILE} + + # Merge the settings read from the configuration file with those + # provided at the command line. + mergeconfig +} + +# Provide some default parameters +default_params () { + # Save any parameters already configured, and clear the slate + saveconfig + nullconfig + + # Default configurations + config_WorkDir /var/db/freebsd-update + config_MailTo root + config_AllowAdd yes + config_AllowDelete yes + config_KeepModifiedMetadata yes + config_BaseDir / + config_VerboseLevel stats + config_StrictComponents no + config_BackupKernel yes + config_BackupKernelDir /boot/kernel.old + config_BackupKernelSymbolFiles no + config_CreateBootEnv yes + + # Merge these defaults into the earlier-configured settings + mergeconfig +} + +# Set utility output filtering options, based on ${VERBOSELEVEL} +fetch_setup_verboselevel () { + case ${VERBOSELEVEL} in + debug) + QUIETREDIR="/dev/stderr" + QUIETFLAG=" " + STATSREDIR="/dev/stderr" + DDSTATS=".." + XARGST="-t" + NDEBUG=" " + ;; + nostats) + QUIETREDIR="" + QUIETFLAG="" + STATSREDIR="/dev/null" + DDSTATS=".." + XARGST="" + NDEBUG="" + ;; + stats) + QUIETREDIR="/dev/null" + QUIETFLAG="-q" + STATSREDIR="/dev/stdout" + DDSTATS="" + XARGST="" + NDEBUG="-n" + ;; + esac +} + +# Perform sanity checks and set some final parameters +# in preparation for fetching files. Figure out which +# set of updates should be downloaded: If the user is +# running *-p[0-9]+, strip off the last part; if the +# user is running -SECURITY, call it -RELEASE. Chdir +# into the working directory. +fetchupgrade_check_params () { + export HTTP_USER_AGENT="freebsd-update (${COMMAND}, `uname -r`)" + + _SERVERNAME_z=\ +"SERVERNAME must be given via command line or configuration file." + _KEYPRINT_z="Key must be given via -k option or configuration file." + _KEYPRINT_bad="Invalid key fingerprint: " + _WORKDIR_bad="Directory does not exist or is not writable: " + _WORKDIR_bad2="Directory is not on a persistent filesystem: " + + if [ -z "${SERVERNAME}" ]; then + echo -n "`basename $0`: " + echo "${_SERVERNAME_z}" + exit 1 + fi + if [ -z "${KEYPRINT}" ]; then + echo -n "`basename $0`: " + echo "${_KEYPRINT_z}" + exit 1 + fi + if ! echo "${KEYPRINT}" | grep -qE "^[0-9a-f]{64}$"; then + echo -n "`basename $0`: " + echo -n "${_KEYPRINT_bad}" + echo ${KEYPRINT} + exit 1 + fi + if ! [ -d "${WORKDIR}" -a -w "${WORKDIR}" ]; then + echo -n "`basename $0`: " + echo -n "${_WORKDIR_bad}" + echo ${WORKDIR} + exit 1 + fi + case `df -T ${WORKDIR}` in */dev/md[0-9]* | *tmpfs*) + echo -n "`basename $0`: " + echo -n "${_WORKDIR_bad2}" + echo ${WORKDIR} + exit 1 + ;; + esac + chmod 700 ${WORKDIR} + cd ${WORKDIR} || exit 1 + + # Generate release number. The s/SECURITY/RELEASE/ bit exists + # to provide an upgrade path for FreeBSD Update 1.x users, since + # the kernels provided by FreeBSD Update 1.x are always labelled + # as X.Y-SECURITY. + RELNUM=`uname -r | + sed -E 's,-p[0-9]+,,' | + sed -E 's,-SECURITY,-RELEASE,'` + ARCH=`uname -m` + FETCHDIR=${RELNUM}/${ARCH} + PATCHDIR=${RELNUM}/${ARCH}/bp + + # Disallow upgrade from a version that is not a release + case ${RELNUM} in + *-RELEASE | *-ALPHA* | *-BETA* | *-RC*) + ;; + *) + echo -n "`basename $0`: " + cat <<- EOF + Cannot upgrade from a version that is not a release + (including alpha, beta and release candidates) + using `basename $0`. Instead, FreeBSD can be directly + upgraded by source or upgraded to a RELEASE/RELENG version + prior to running `basename $0`. + Currently running: ${RELNUM} + EOF + exit 1 + ;; + esac + + # Figure out what directory contains the running kernel + BOOTFILE=`sysctl -n kern.bootfile` + KERNELDIR=${BOOTFILE%/kernel} + if ! [ -d ${KERNELDIR} ]; then + echo "Cannot identify running kernel" + exit 1 + fi + + # Figure out what kernel configuration is running. We start with + # the output of `uname -i`, and then make the following adjustments: + # 1. Replace "SMP-GENERIC" with "SMP". Why the SMP kernel config + # file says "ident SMP-GENERIC", I don't know... + # 2. If the kernel claims to be GENERIC _and_ ${ARCH} is "amd64" + # _and_ `sysctl kern.version` contains a line which ends "/SMP", then + # we're running an SMP kernel. This mis-identification is a bug + # which was fixed in 6.2-STABLE. + KERNCONF=`uname -i` + if [ ${KERNCONF} = "SMP-GENERIC" ]; then + KERNCONF=SMP + fi + if [ ${KERNCONF} = "GENERIC" ] && [ ${ARCH} = "amd64" ]; then + if sysctl kern.version | grep -qE '/SMP$'; then + KERNCONF=SMP + fi + fi + + # Define some paths + BSPATCH=/usr/bin/bspatch + SHA256=/sbin/sha256 + PHTTPGET=/usr/libexec/phttpget + + # Set up variables relating to VERBOSELEVEL + fetch_setup_verboselevel + + # Construct a unique name from ${BASEDIR} + BDHASH=`echo ${BASEDIR} | sha256 -q` +} + +# Perform sanity checks etc. before fetching updates. +fetch_check_params () { + fetchupgrade_check_params + + if ! [ -z "${TARGETRELEASE}" ]; then + echo -n "`basename $0`: " + echo -n "-r option is meaningless with 'fetch' command. " + echo "(Did you mean 'upgrade' instead?)" + exit 1 + fi + + # Check that we have updates ready to install + if [ -f ${BDHASH}-install/kerneldone -a $FORCEFETCH -eq 0 ]; then + echo "You have a partially completed upgrade pending" + echo "Run '$0 install' first." + echo "Run '$0 fetch -F' to proceed anyway." + exit 1 + fi +} + +# Perform sanity checks etc. before fetching upgrades. +upgrade_check_params () { + fetchupgrade_check_params + + # Unless set otherwise, we're upgrading to the same kernel config. + NKERNCONF=${KERNCONF} + + # We need TARGETRELEASE set + _TARGETRELEASE_z="Release target must be specified via -r option." + if [ -z "${TARGETRELEASE}" ]; then + echo -n "`basename $0`: " + echo "${_TARGETRELEASE_z}" + exit 1 + fi + + # The target release should be != the current release. + if [ "${TARGETRELEASE}" = "${RELNUM}" ]; then + echo -n "`basename $0`: " + echo "Cannot upgrade from ${RELNUM} to itself" + exit 1 + fi + + # Turning off AllowAdd or AllowDelete is a bad idea for upgrades. + if [ "${ALLOWADD}" = "no" ]; then + echo -n "`basename $0`: " + echo -n "WARNING: \"AllowAdd no\" is a bad idea " + echo "when upgrading between releases." + echo + fi + if [ "${ALLOWDELETE}" = "no" ]; then + echo -n "`basename $0`: " + echo -n "WARNING: \"AllowDelete no\" is a bad idea " + echo "when upgrading between releases." + echo + fi + + # Set EDITOR to /usr/bin/vi if it isn't already set + : ${EDITOR:='/usr/bin/vi'} +} + +# Perform sanity checks and set some final parameters in +# preparation for installing updates. +install_check_params () { + # Check that we are root. All sorts of things won't work otherwise. + if [ `id -u` != 0 ]; then + echo "You must be root to run this." + exit 1 + fi + + # Check that securelevel <= 0. Otherwise we can't update schg files. + if [ `sysctl -n kern.securelevel` -gt 0 ]; then + echo "Updates cannot be installed when the system securelevel" + echo "is greater than zero." + exit 1 + fi + + # Check that we have a working directory + _WORKDIR_bad="Directory does not exist or is not writable: " + if ! [ -d "${WORKDIR}" -a -w "${WORKDIR}" ]; then + echo -n "`basename $0`: " + echo -n "${_WORKDIR_bad}" + echo ${WORKDIR} + exit 1 + fi + cd ${WORKDIR} || exit 1 + + # Construct a unique name from ${BASEDIR} + BDHASH=`echo ${BASEDIR} | sha256 -q` + + # Check that we have updates ready to install + if ! [ -L ${BDHASH}-install ]; then + echo "No updates are available to install." + if [ $ISFETCHED -eq 0 ]; then + echo "Run '$0 fetch' first." + exit 2 + fi + exit 0 + fi + if ! [ -f ${BDHASH}-install/INDEX-OLD ] || + ! [ -f ${BDHASH}-install/INDEX-NEW ]; then + echo "Update manifest is corrupt -- this should never happen." + echo "Re-run '$0 fetch'." + exit 1 + fi + + # Figure out what directory contains the running kernel + BOOTFILE=`sysctl -n kern.bootfile` + KERNELDIR=${BOOTFILE%/kernel} + if ! [ -d ${KERNELDIR} ]; then + echo "Cannot identify running kernel" + exit 1 + fi +} + +# Creates a new boot environment +install_create_be () { + # Figure out if we're running in a jail and return if we are + if [ `sysctl -n security.jail.jailed` = 1 ]; then + return 1 + fi + # Operating on roots that aren't located at / will, more often than not, + # not touch the boot environment. + if [ "$BASEDIR" != "/" ]; then + return 1 + fi + # Create a boot environment if enabled + if [ ${BOOTENV} = yes ]; then + bectl check 2>/dev/null + case $? in + 0) + # Boot environment are supported + CREATEBE=yes + ;; + 255) + # Boot environments are not supported + CREATEBE=no + ;; + *) + # If bectl returns an unexpected exit code, don't create a BE + CREATEBE=no + ;; + esac + if [ ${CREATEBE} = yes ]; then + echo -n "Creating snapshot of existing boot environment... " + VERSION=`freebsd-version -ku | sort -V | tail -n 1` + TIMESTAMP=`date +"%Y-%m-%d_%H%M%S"` + bectl create -r ${VERSION}_${TIMESTAMP} + if [ $? -eq 0 ]; then + echo "done."; + else + echo "failed." + exit 1 + fi + fi + fi +} + +# Perform sanity checks and set some final parameters in +# preparation for UNinstalling updates. +rollback_check_params () { + # Check that we are root. All sorts of things won't work otherwise. + if [ `id -u` != 0 ]; then + echo "You must be root to run this." + exit 1 + fi + + # Check that we have a working directory + _WORKDIR_bad="Directory does not exist or is not writable: " + if ! [ -d "${WORKDIR}" -a -w "${WORKDIR}" ]; then + echo -n "`basename $0`: " + echo -n "${_WORKDIR_bad}" + echo ${WORKDIR} + exit 1 + fi + cd ${WORKDIR} || exit 1 + + # Construct a unique name from ${BASEDIR} + BDHASH=`echo ${BASEDIR} | sha256 -q` + + # Check that we have updates ready to rollback + if ! [ -L ${BDHASH}-rollback ]; then + echo "No rollback directory found." + exit 1 + fi + if ! [ -f ${BDHASH}-rollback/INDEX-OLD ] || + ! [ -f ${BDHASH}-rollback/INDEX-NEW ]; then + echo "Update manifest is corrupt -- this should never happen." + exit 1 + fi +} + +# Perform sanity checks and set some final parameters +# in preparation for comparing the system against the +# published index. Figure out which index we should +# compare against: If the user is running *-p[0-9]+, +# strip off the last part; if the user is running +# -SECURITY, call it -RELEASE. Chdir into the working +# directory. +IDS_check_params () { + export HTTP_USER_AGENT="freebsd-update (${COMMAND}, `uname -r`)" + + _SERVERNAME_z=\ +"SERVERNAME must be given via command line or configuration file." + _KEYPRINT_z="Key must be given via -k option or configuration file." + _KEYPRINT_bad="Invalid key fingerprint: " + _WORKDIR_bad="Directory does not exist or is not writable: " + + if [ -z "${SERVERNAME}" ]; then + echo -n "`basename $0`: " + echo "${_SERVERNAME_z}" + exit 1 + fi + if [ -z "${KEYPRINT}" ]; then + echo -n "`basename $0`: " + echo "${_KEYPRINT_z}" + exit 1 + fi + if ! echo "${KEYPRINT}" | grep -qE "^[0-9a-f]{64}$"; then + echo -n "`basename $0`: " + echo -n "${_KEYPRINT_bad}" + echo ${KEYPRINT} + exit 1 + fi + if ! [ -d "${WORKDIR}" -a -w "${WORKDIR}" ]; then + echo -n "`basename $0`: " + echo -n "${_WORKDIR_bad}" + echo ${WORKDIR} + exit 1 + fi + cd ${WORKDIR} || exit 1 + + # Generate release number. The s/SECURITY/RELEASE/ bit exists + # to provide an upgrade path for FreeBSD Update 1.x users, since + # the kernels provided by FreeBSD Update 1.x are always labelled + # as X.Y-SECURITY. + RELNUM=`uname -r | + sed -E 's,-p[0-9]+,,' | + sed -E 's,-SECURITY,-RELEASE,'` + ARCH=`uname -m` + FETCHDIR=${RELNUM}/${ARCH} + PATCHDIR=${RELNUM}/${ARCH}/bp + + # Figure out what directory contains the running kernel + BOOTFILE=`sysctl -n kern.bootfile` + KERNELDIR=${BOOTFILE%/kernel} + if ! [ -d ${KERNELDIR} ]; then + echo "Cannot identify running kernel" + exit 1 + fi + + # Figure out what kernel configuration is running. We start with + # the output of `uname -i`, and then make the following adjustments: + # 1. Replace "SMP-GENERIC" with "SMP". Why the SMP kernel config + # file says "ident SMP-GENERIC", I don't know... + # 2. If the kernel claims to be GENERIC _and_ ${ARCH} is "amd64" + # _and_ `sysctl kern.version` contains a line which ends "/SMP", then + # we're running an SMP kernel. This mis-identification is a bug + # which was fixed in 6.2-STABLE. + KERNCONF=`uname -i` + if [ ${KERNCONF} = "SMP-GENERIC" ]; then + KERNCONF=SMP + fi + if [ ${KERNCONF} = "GENERIC" ] && [ ${ARCH} = "amd64" ]; then + if sysctl kern.version | grep -qE '/SMP$'; then + KERNCONF=SMP + fi + fi + + # Define some paths + SHA256=/sbin/sha256 + PHTTPGET=/usr/libexec/phttpget + + # Set up variables relating to VERBOSELEVEL + fetch_setup_verboselevel +} + +#### Core functionality -- the actual work gets done here + +# Use an SRV query to pick a server. If the SRV query doesn't provide +# a useful answer, use the server name specified by the user. +# Put another way... look up _http._tcp.${SERVERNAME} and pick a server +# from that; or if no servers are returned, use ${SERVERNAME}. +# This allows a user to specify "portsnap.freebsd.org" (in which case +# portsnap will select one of the mirrors) or "portsnap5.tld.freebsd.org" +# (in which case portsnap will use that particular server, since there +# won't be an SRV entry for that name). +# +# We ignore the Port field, since we are always going to use port 80. + +# Fetch the mirror list, but do not pick a mirror yet. Returns 1 if +# no mirrors are available for any reason. +fetch_pick_server_init () { + : > serverlist_tried + +# Check that host(1) exists (i.e., that the system wasn't built with the +# WITHOUT_BIND set) and don't try to find a mirror if it doesn't exist. + if ! which -s host; then + : > serverlist_full + return 1 + fi + + echo -n "Looking up ${SERVERNAME} mirrors... " + +# Issue the SRV query and pull out the Priority, Weight, and Target fields. +# BIND 9 prints "$name has SRV record ..." while BIND 8 prints +# "$name server selection ..."; we allow either format. + MLIST="_http._tcp.${SERVERNAME}" + host -t srv "${MLIST}" | + sed -nE "s/${MLIST} (has SRV record|server selection) //Ip" | + cut -f 1,2,4 -d ' ' | + sed -e 's/\.$//' | + sort > serverlist_full + +# If no records, give up -- we'll just use the server name we were given. + if [ `wc -l < serverlist_full` -eq 0 ]; then + echo "none found." + return 1 + fi + +# Report how many mirrors we found. + echo `wc -l < serverlist_full` "mirrors found." + +# Generate a random seed for use in picking mirrors. If HTTP_PROXY +# is set, this will be used to generate the seed; otherwise, the seed +# will be random. + if [ -n "${HTTP_PROXY}${http_proxy}" ]; then + RANDVALUE=`sha256 -qs "${HTTP_PROXY}${http_proxy}" | + tr -d 'a-f' | + cut -c 1-9` + else + RANDVALUE=`jot -r 1 0 999999999` + fi +} + +# Pick a mirror. Returns 1 if we have run out of mirrors to try. +fetch_pick_server () { +# Generate a list of not-yet-tried mirrors + sort serverlist_tried | + comm -23 serverlist_full - > serverlist + +# Have we run out of mirrors? + if [ `wc -l < serverlist` -eq 0 ]; then + cat <<- EOF + No mirrors remaining, giving up. + + This may be because upgrading from this platform (${ARCH}) + or release (${RELNUM}) is unsupported by `basename $0`. Only + platforms with Tier 1 support can be upgraded by `basename $0`. + See https://www.freebsd.org/platforms/ for more info. + + If unsupported, FreeBSD must be upgraded by source. + EOF + return 1 + fi + +# Find the highest priority level (lowest numeric value). + SRV_PRIORITY=`cut -f 1 -d ' ' serverlist | sort -n | head -1` + +# Add up the weights of the response lines at that priority level. + SRV_WSUM=0; + while read X; do + case "$X" in + ${SRV_PRIORITY}\ *) + SRV_W=`echo $X | cut -f 2 -d ' '` + SRV_WSUM=$(($SRV_WSUM + $SRV_W)) + ;; + esac + done < serverlist + +# If all the weights are 0, pretend that they are all 1 instead. + if [ ${SRV_WSUM} -eq 0 ]; then + SRV_WSUM=`grep -E "^${SRV_PRIORITY} " serverlist | wc -l` + SRV_W_ADD=1 + else + SRV_W_ADD=0 + fi + +# Pick a value between 0 and the sum of the weights - 1 + SRV_RND=`expr ${RANDVALUE} % ${SRV_WSUM}` + +# Read through the list of mirrors and set SERVERNAME. Write the line +# corresponding to the mirror we selected into serverlist_tried so that +# we won't try it again. + while read X; do + case "$X" in + ${SRV_PRIORITY}\ *) + SRV_W=`echo $X | cut -f 2 -d ' '` + SRV_W=$(($SRV_W + $SRV_W_ADD)) + if [ $SRV_RND -lt $SRV_W ]; then + SERVERNAME=`echo $X | cut -f 3 -d ' '` + echo "$X" >> serverlist_tried + break + else + SRV_RND=$(($SRV_RND - $SRV_W)) + fi + ;; + esac + done < serverlist +} + +# Take a list of ${oldhash}|${newhash} and output a list of needed patches, +# i.e., those for which we have ${oldhash} and don't have ${newhash}. +fetch_make_patchlist () { + grep -vE "^([0-9a-f]{64})\|\1$" | + tr '|' ' ' | + while read X Y; do + if [ -f "files/${Y}.gz" ] || + [ ! -f "files/${X}.gz" ]; then + continue + fi + echo "${X}|${Y}" + done | sort -u +} + +# Print user-friendly progress statistics +fetch_progress () { + LNC=0 + while read x; do + LNC=$(($LNC + 1)) + if [ $(($LNC % 10)) = 0 ]; then + echo -n $LNC + elif [ $(($LNC % 2)) = 0 ]; then + echo -n . + fi + done + echo -n " " +} + +# Function for asking the user if everything is ok +continuep () { + while read -p "Does this look reasonable (y/n)? " CONTINUE; do + case "${CONTINUE}" in + [yY]*) + return 0 + ;; + [nN]*) + return 1 + ;; + esac + done +} + +# Initialize the working directory +workdir_init () { + mkdir -p files + touch tINDEX.present +} + +# Check that we have a public key with an appropriate hash, or +# fetch the key if it doesn't exist. Returns 1 if the key has +# not yet been fetched. +fetch_key () { + if [ -r pub.ssl ] && [ `${SHA256} -q pub.ssl` = ${KEYPRINT} ]; then + return 0 + fi + + echo -n "Fetching public key from ${SERVERNAME}... " + rm -f pub.ssl + fetch ${QUIETFLAG} http://${SERVERNAME}/${FETCHDIR}/pub.ssl \ + 2>${QUIETREDIR} || true + if ! [ -r pub.ssl ]; then + echo "failed." + return 1 + fi + if ! [ `${SHA256} -q pub.ssl` = ${KEYPRINT} ]; then + echo "key has incorrect hash." + rm -f pub.ssl + return 1 + fi + echo "done." +} + +# Fetch metadata signature, aka "tag". +fetch_tag () { + echo -n "Fetching metadata signature " + echo ${NDEBUG} "for ${RELNUM} from ${SERVERNAME}... " + rm -f latest.ssl + fetch ${QUIETFLAG} http://${SERVERNAME}/${FETCHDIR}/latest.ssl \ + 2>${QUIETREDIR} || true + if ! [ -r latest.ssl ]; then + echo "failed." + return 1 + fi + + openssl rsautl -pubin -inkey pub.ssl -verify \ + < latest.ssl > tag.new 2>${QUIETREDIR} || true + rm latest.ssl + + if ! [ `wc -l < tag.new` = 1 ] || + ! grep -qE \ + "^freebsd-update\|${ARCH}\|${RELNUM}\|[0-9]+\|[0-9a-f]{64}\|[0-9]{10}" \ + tag.new; then + echo "invalid signature." + return 1 + fi + + echo "done." + + RELPATCHNUM=`cut -f 4 -d '|' < tag.new` + TINDEXHASH=`cut -f 5 -d '|' < tag.new` + EOLTIME=`cut -f 6 -d '|' < tag.new` +} + +# Sanity-check the patch number in a tag, to make sure that we're not +# going to "update" backwards and to prevent replay attacks. +fetch_tagsanity () { + # Check that we're not going to move from -pX to -pY with Y < X. + RELPX=`uname -r | sed -E 's,.*-,,'` + if echo ${RELPX} | grep -qE '^p[0-9]+$'; then + RELPX=`echo ${RELPX} | cut -c 2-` + else + RELPX=0 + fi + if [ "${RELPATCHNUM}" -lt "${RELPX}" ]; then + echo + echo -n "Files on mirror (${RELNUM}-p${RELPATCHNUM})" + echo " appear older than what" + echo "we are currently running (`uname -r`)!" + echo "Cowardly refusing to proceed any further." + return 1 + fi + + # If "tag" exists and corresponds to ${RELNUM}, make sure that + # it contains a patch number <= RELPATCHNUM, in order to protect + # against rollback (replay) attacks. + if [ -f tag ] && + grep -qE \ + "^freebsd-update\|${ARCH}\|${RELNUM}\|[0-9]+\|[0-9a-f]{64}\|[0-9]{10}" \ + tag; then + LASTRELPATCHNUM=`cut -f 4 -d '|' < tag` + + if [ "${RELPATCHNUM}" -lt "${LASTRELPATCHNUM}" ]; then + echo + echo -n "Files on mirror (${RELNUM}-p${RELPATCHNUM})" + echo " are older than the" + echo -n "most recently seen updates" + echo " (${RELNUM}-p${LASTRELPATCHNUM})." + echo "Cowardly refusing to proceed any further." + return 1 + fi + fi +} + +# Fetch metadata index file +fetch_metadata_index () { + echo ${NDEBUG} "Fetching metadata index... " + rm -f ${TINDEXHASH} + fetch ${QUIETFLAG} http://${SERVERNAME}/${FETCHDIR}/t/${TINDEXHASH} + 2>${QUIETREDIR} + if ! [ -f ${TINDEXHASH} ]; then + echo "failed." + return 1 + fi + if [ `${SHA256} -q ${TINDEXHASH}` != ${TINDEXHASH} ]; then + echo "update metadata index corrupt." + return 1 + fi + echo "done." +} + +# Print an error message about signed metadata being bogus. +fetch_metadata_bogus () { + echo + echo "The update metadata$1 is correctly signed, but" + echo "failed an integrity check." + echo "Cowardly refusing to proceed any further." + return 1 +} + +# Construct tINDEX.new by merging the lines named in $1 from ${TINDEXHASH} +# with the lines not named in $@ from tINDEX.present (if that file exists). +fetch_metadata_index_merge () { + for METAFILE in $@; do + if [ `grep -E "^${METAFILE}\|" ${TINDEXHASH} | wc -l` \ + -ne 1 ]; then + fetch_metadata_bogus " index" + return 1 + fi + + grep -E "${METAFILE}\|" ${TINDEXHASH} + done | + sort > tINDEX.wanted + + if [ -f tINDEX.present ]; then + join -t '|' -v 2 tINDEX.wanted tINDEX.present | + sort -m - tINDEX.wanted > tINDEX.new + rm tINDEX.wanted + else + mv tINDEX.wanted tINDEX.new + fi +} + +# Sanity check all the lines of tINDEX.new. Even if more metadata lines +# are added by future versions of the server, this won't cause problems, +# since the only lines which appear in tINDEX.new are the ones which we +# specifically grepped out of ${TINDEXHASH}. +fetch_metadata_index_sanity () { + if grep -qvE '^[0-9A-Z.-]+\|[0-9a-f]{64}$' tINDEX.new; then + fetch_metadata_bogus " index" + return 1 + fi +} + +# Sanity check the metadata file $1. +fetch_metadata_sanity () { + # Some aliases to save space later: ${P} is a character which can + # appear in a path; ${M} is the four numeric metadata fields; and + # ${H} is a sha256 hash. + P="[-+./:=,%@_[~[:alnum:]]" + M="[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+" + H="[0-9a-f]{64}" + + # Check that the first four fields make sense. + if gunzip -c < files/$1.gz | + grep -qvE "^[a-z]+\|[0-9a-z-]+\|${P}+\|[fdL-]\|"; then + fetch_metadata_bogus "" + return 1 + fi + + # Remove the first three fields. + gunzip -c < files/$1.gz | + cut -f 4- -d '|' > sanitycheck.tmp + + # Sanity check entries with type 'f' + if grep -E '^f' sanitycheck.tmp | + grep -qvE "^f\|${M}\|${H}\|${P}*\$"; then + fetch_metadata_bogus "" + return 1 + fi + + # Sanity check entries with type 'd' + if grep -E '^d' sanitycheck.tmp | + grep -qvE "^d\|${M}\|\|\$"; then + fetch_metadata_bogus "" + return 1 + fi + + # Sanity check entries with type 'L' + if grep -E '^L' sanitycheck.tmp | + grep -qvE "^L\|${M}\|${P}*\|\$"; then + fetch_metadata_bogus "" + return 1 + fi + + # Sanity check entries with type '-' + if grep -E '^-' sanitycheck.tmp | + grep -qvE "^-\|\|\|\|\|\|"; then + fetch_metadata_bogus "" + return 1 + fi + + # Clean up + rm sanitycheck.tmp +} + +# Fetch the metadata index and metadata files listed in $@, +# taking advantage of metadata patches where possible. +fetch_metadata () { + fetch_metadata_index || return 1 + fetch_metadata_index_merge $@ || return 1 + fetch_metadata_index_sanity || return 1 + + # Generate a list of wanted metadata patches + join -t '|' -o 1.2,2.2 tINDEX.present tINDEX.new | + fetch_make_patchlist > patchlist + + if [ -s patchlist ]; then + # Attempt to fetch metadata patches + echo -n "Fetching `wc -l < patchlist | tr -d ' '` " + echo ${NDEBUG} "metadata patches.${DDSTATS}" + tr '|' '-' < patchlist | + lam -s "${FETCHDIR}/tp/" - -s ".gz" | + xargs ${XARGST} ${PHTTPGET} ${SERVERNAME} \ + 2>${STATSREDIR} | fetch_progress + echo "done." + + # Attempt to apply metadata patches + echo -n "Applying metadata patches... " + tr '|' ' ' < patchlist | + while read X Y; do + if [ ! -f "${X}-${Y}.gz" ]; then continue; fi + gunzip -c < ${X}-${Y}.gz > diff + gunzip -c < files/${X}.gz > diff-OLD + + # Figure out which lines are being added and removed + grep -E '^-' diff | + cut -c 2- | + while read PREFIX; do + look "${PREFIX}" diff-OLD + done | + sort > diff-rm + grep -E '^\+' diff | + cut -c 2- > diff-add + + # Generate the new file + comm -23 diff-OLD diff-rm | + sort - diff-add > diff-NEW + + if [ `${SHA256} -q diff-NEW` = ${Y} ]; then + mv diff-NEW files/${Y} + gzip -n files/${Y} + else + mv diff-NEW ${Y}.bad + fi + rm -f ${X}-${Y}.gz diff + rm -f diff-OLD diff-NEW diff-add diff-rm + done 2>${QUIETREDIR} + echo "done." + fi + + # Update metadata without patches + cut -f 2 -d '|' < tINDEX.new | + while read Y; do + if [ ! -f "files/${Y}.gz" ]; then + echo ${Y}; + fi + done | + sort -u > filelist + + if [ -s filelist ]; then + echo -n "Fetching `wc -l < filelist | tr -d ' '` " + echo ${NDEBUG} "metadata files... " + lam -s "${FETCHDIR}/m/" - -s ".gz" < filelist | + xargs ${XARGST} ${PHTTPGET} ${SERVERNAME} \ + 2>${QUIETREDIR} + + while read Y; do + if ! [ -f ${Y}.gz ]; then + echo "failed." + return 1 + fi + if [ `gunzip -c < ${Y}.gz | + ${SHA256} -q` = ${Y} ]; then + mv ${Y}.gz files/${Y}.gz + else + echo "metadata is corrupt." + return 1 + fi + done < filelist + echo "done." + fi + +# Sanity-check the metadata files. + cut -f 2 -d '|' tINDEX.new > filelist + while read X; do + fetch_metadata_sanity ${X} || return 1 + done < filelist + +# Remove files which are no longer needed + cut -f 2 -d '|' tINDEX.present | + sort > oldfiles + cut -f 2 -d '|' tINDEX.new | + sort | + comm -13 - oldfiles | + lam -s "files/" - -s ".gz" | + xargs rm -f + rm patchlist filelist oldfiles + rm ${TINDEXHASH} + +# We're done! + mv tINDEX.new tINDEX.present + mv tag.new tag + + return 0 +} + +# Extract a subset of a downloaded metadata file containing only the parts +# which are listed in COMPONENTS. +fetch_filter_metadata_components () { + METAHASH=`look "$1|" tINDEX.present | cut -f 2 -d '|'` + gunzip -c < files/${METAHASH}.gz > $1.all + + # Fish out the lines belonging to components we care about. + for C in ${COMPONENTS}; do + look "`echo ${C} | tr '/' '|'`|" $1.all + done > $1 + + # Remove temporary file. + rm $1.all +} + +# Generate a filtered version of the metadata file $1 from the downloaded +# file, by fishing out the lines corresponding to components we're trying +# to keep updated, and then removing lines corresponding to paths we want +# to ignore. +fetch_filter_metadata () { + # Fish out the lines belonging to components we care about. + fetch_filter_metadata_components $1 + + # Canonicalize directory names by removing any trailing / in + # order to avoid listing directories multiple times if they + # belong to multiple components. Turning "/" into "" doesn't + # matter, since we add a leading "/" when we use paths later. + cut -f 3- -d '|' $1 | + sed -e 's,/|d|,|d|,' | + sed -e 's,/|-|,|-|,' | + sort -u > $1.tmp + + # Figure out which lines to ignore and remove them. + for X in ${IGNOREPATHS}; do + grep -E "^${X}" $1.tmp + done | + sort -u | + comm -13 - $1.tmp > $1 + + # Remove temporary files. + rm $1.tmp +} + +# Filter the metadata file $1 by adding lines with "/boot/$2" +# replaced by ${KERNELDIR} (which is `sysctl -n kern.bootfile` minus the +# trailing "/kernel"); and if "/boot/$2" does not exist, remove +# the original lines which start with that. +# Put another way: Deal with the fact that the FOO kernel is sometimes +# installed in /boot/FOO/ and is sometimes installed elsewhere. +fetch_filter_kernel_names () { + grep ^/boot/$2 $1 | + sed -e "s,/boot/$2,${KERNELDIR},g" | + sort - $1 > $1.tmp + mv $1.tmp $1 + + if ! [ -d /boot/$2 ]; then + grep -v ^/boot/$2 $1 > $1.tmp + mv $1.tmp $1 + fi +} + +# For all paths appearing in $1 or $3, inspect the system +# and generate $2 describing what is currently installed. +fetch_inspect_system () { + # No errors yet... + rm -f .err + + # Tell the user why his disk is suddenly making lots of noise + echo -n "Inspecting system... " + + # Generate list of files to inspect + cat $1 $3 | + cut -f 1 -d '|' | + sort -u > filelist + + # Examine each file and output lines of the form + # /path/to/file|type|device-inum|user|group|perm|flags|value + # sorted by device and inode number. + while read F; do + # If the symlink/file/directory does not exist, record this. + if ! [ -e ${BASEDIR}/${F} ]; then + echo "${F}|-||||||" + continue + fi + if ! [ -r ${BASEDIR}/${F} ]; then + echo "Cannot read file: ${BASEDIR}/${F}" \ + >/dev/stderr + touch .err + return 1 + fi + + # Otherwise, output an index line. + if [ -L ${BASEDIR}/${F} ]; then + echo -n "${F}|L|" + stat -n -f '%d-%i|%u|%g|%Mp%Lp|%Of|' ${BASEDIR}/${F}; + readlink ${BASEDIR}/${F}; + elif [ -f ${BASEDIR}/${F} ]; then + echo -n "${F}|f|" + stat -n -f '%d-%i|%u|%g|%Mp%Lp|%Of|' ${BASEDIR}/${F}; + sha256 -q ${BASEDIR}/${F}; + elif [ -d ${BASEDIR}/${F} ]; then + echo -n "${F}|d|" + stat -f '%d-%i|%u|%g|%Mp%Lp|%Of|' ${BASEDIR}/${F}; + else + echo "Unknown file type: ${BASEDIR}/${F}" \ + >/dev/stderr + touch .err + return 1 + fi + done < filelist | + sort -k 3,3 -t '|' > $2.tmp + rm filelist + + # Check if an error occurred during system inspection + if [ -f .err ]; then + return 1 + fi + + # Convert to the form + # /path/to/file|type|user|group|perm|flags|value|hlink + # by resolving identical device and inode numbers into hard links. + cut -f 1,3 -d '|' $2.tmp | + sort -k 1,1 -t '|' | + sort -s -u -k 2,2 -t '|' | + join -1 2 -2 3 -t '|' - $2.tmp | + awk -F \| -v OFS=\| \ + '{ + if (($2 == $3) || ($4 == "-")) + print $3,$4,$5,$6,$7,$8,$9,"" + else + print $3,$4,$5,$6,$7,$8,$9,$2 + }' | + sort > $2 + rm $2.tmp + + # We're finished looking around + echo "done." +} + +# For any paths matching ${MERGECHANGES}, compare $2 against $1 and $3 and +# find any files with values unique to $2; generate $4 containing these paths +# and their corresponding hashes from $1. +fetch_filter_mergechanges () { + # Pull out the paths and hashes of the files matching ${MERGECHANGES}. + for F in $1 $2 $3; do + for X in ${MERGECHANGES}; do + grep -E "^${X}" ${F} + done | + cut -f 1,2,7 -d '|' | + sort > ${F}-values + done + + # Any line in $2-values which doesn't appear in $1-values or $3-values + # and is a file means that we should list the path in $3. + sort $1-values $3-values | + comm -13 - $2-values | + fgrep '|f|' | + cut -f 1 -d '|' > $2-paths + + # For each path, pull out one (and only one!) entry from $1-values. + # Note that we cannot distinguish which "old" version the user made + # changes to; but hopefully any changes which occur due to security + # updates will exist in both the "new" version and the version which + # the user has installed, so the merging will still work. + while read X; do + look "${X}|" $1-values | + head -1 + done < $2-paths > $4 + + # Clean up + rm $1-values $2-values $3-values $2-paths +} + +# For any paths matching ${UPDATEIFUNMODIFIED}, remove lines from $[123] +# which correspond to lines in $2 with hashes not matching $1 or $3, unless +# the paths are listed in $4. For entries in $2 marked "not present" +# (aka. type -), remove lines from $[123] unless there is a corresponding +# entry in $1. +fetch_filter_unmodified_notpresent () { + # Figure out which lines of $1 and $3 correspond to bits which + # should only be updated if they haven't changed, and fish out + # the (path, type, value) tuples. + # NOTE: We don't consider a file to be "modified" if it matches + # the hash from $3. + for X in ${UPDATEIFUNMODIFIED}; do + grep -E "^${X}" $1 + grep -E "^${X}" $3 + done | + cut -f 1,2,7 -d '|' | + sort > $1-values + + # Do the same for $2. + for X in ${UPDATEIFUNMODIFIED}; do + grep -E "^${X}" $2 + done | + cut -f 1,2,7 -d '|' | + sort > $2-values + + # Any entry in $2-values which is not in $1-values corresponds to + # a path which we need to remove from $1, $2, and $3, unless it + # that path appears in $4. + comm -13 $1-values $2-values | + sort -t '|' -k 1,1 > mlines.tmp + cut -f 1 -d '|' $4 | + sort | + join -v 2 -t '|' - mlines.tmp | + sort > mlines + rm $1-values $2-values mlines.tmp + + # Any lines in $2 which are not in $1 AND are "not present" lines + # also belong in mlines. + comm -13 $1 $2 | + cut -f 1,2,7 -d '|' | + fgrep '|-|' >> mlines + + # Remove lines from $1, $2, and $3 + for X in $1 $2 $3; do + sort -t '|' -k 1,1 ${X} > ${X}.tmp + cut -f 1 -d '|' < mlines | + sort | + join -v 2 -t '|' - ${X}.tmp | + sort > ${X} + rm ${X}.tmp + done + + # Store a list of the modified files, for future reference + fgrep -v '|-|' mlines | + cut -f 1 -d '|' > modifiedfiles + rm mlines +} + +# For each entry in $1 of type -, remove any corresponding +# entry from $2 if ${ALLOWADD} != "yes". Remove all entries +# of type - from $1. +fetch_filter_allowadd () { + cut -f 1,2 -d '|' < $1 | + fgrep '|-' | + cut -f 1 -d '|' > filesnotpresent + + if [ ${ALLOWADD} != "yes" ]; then + sort < $2 | + join -v 1 -t '|' - filesnotpresent | + sort > $2.tmp + mv $2.tmp $2 + fi + + sort < $1 | + join -v 1 -t '|' - filesnotpresent | + sort > $1.tmp + mv $1.tmp $1 + rm filesnotpresent +} + +# If ${ALLOWDELETE} != "yes", then remove any entries from $1 +# which don't correspond to entries in $2. +fetch_filter_allowdelete () { + # Produce a lists ${PATH}|${TYPE} + for X in $1 $2; do + cut -f 1-2 -d '|' < ${X} | + sort -u > ${X}.nodes + done + + # Figure out which lines need to be removed from $1. + if [ ${ALLOWDELETE} != "yes" ]; then + comm -23 $1.nodes $2.nodes > $1.badnodes + else + : > $1.badnodes + fi + + # Remove the relevant lines from $1 + while read X; do + look "${X}|" $1 + done < $1.badnodes | + comm -13 - $1 > $1.tmp + mv $1.tmp $1 + + rm $1.badnodes $1.nodes $2.nodes +} + +# If ${KEEPMODIFIEDMETADATA} == "yes", then for each entry in $2 +# with metadata not matching any entry in $1, replace the corresponding +# line of $3 with one having the same metadata as the entry in $2. +fetch_filter_modified_metadata () { + # Fish out the metadata from $1 and $2 + for X in $1 $2; do + cut -f 1-6 -d '|' < ${X} > ${X}.metadata + done + + # Find the metadata we need to keep + if [ ${KEEPMODIFIEDMETADATA} = "yes" ]; then + comm -13 $1.metadata $2.metadata > keepmeta + else + : > keepmeta + fi + + # Extract the lines which we need to remove from $3, and + # construct the lines which we need to add to $3. + : > $3.remove + : > $3.add + while read LINE; do + NODE=`echo "${LINE}" | cut -f 1-2 -d '|'` + look "${NODE}|" $3 >> $3.remove + look "${NODE}|" $3 | + cut -f 7- -d '|' | + lam -s "${LINE}|" - >> $3.add + done < keepmeta + + # Remove the specified lines and add the new lines. + sort $3.remove | + comm -13 - $3 | + sort -u - $3.add > $3.tmp + mv $3.tmp $3 + + rm keepmeta $1.metadata $2.metadata $3.add $3.remove +} + +# Remove lines from $1 and $2 which are identical; +# no need to update a file if it isn't changing. +fetch_filter_uptodate () { + comm -23 $1 $2 > $1.tmp + comm -13 $1 $2 > $2.tmp + + mv $1.tmp $1 + mv $2.tmp $2 +} + +# Fetch any "clean" old versions of files we need for merging changes. +fetch_files_premerge () { + # We only need to do anything if $1 is non-empty. + if [ -s $1 ]; then + # Tell the user what we're doing + echo -n "Fetching files from ${OLDRELNUM} for merging... " + + # List of files wanted + fgrep '|f|' < $1 | + cut -f 3 -d '|' | + sort -u > files.wanted + + # Only fetch the files we don't already have + while read Y; do + if [ ! -f "files/${Y}.gz" ]; then + echo ${Y}; + fi + done < files.wanted > filelist + + # Actually fetch them + lam -s "${OLDFETCHDIR}/f/" - -s ".gz" < filelist | + xargs ${XARGST} ${PHTTPGET} ${SERVERNAME} \ + 2>${QUIETREDIR} + + # Make sure we got them all, and move them into /files/ + while read Y; do + if ! [ -f ${Y}.gz ]; then + echo "failed." + return 1 + fi + if [ `gunzip -c < ${Y}.gz | + ${SHA256} -q` = ${Y} ]; then + mv ${Y}.gz files/${Y}.gz + else + echo "${Y} has incorrect hash." + return 1 + fi + done < filelist + echo "done." + + # Clean up + rm filelist files.wanted + fi +} + +# Prepare to fetch files: Generate a list of the files we need, +# copy the unmodified files we have into /files/, and generate +# a list of patches to download. +fetch_files_prepare () { + # Tell the user why his disk is suddenly making lots of noise + echo -n "Preparing to download files... " + + # Reduce indices to ${PATH}|${HASH} pairs + for X in $1 $2 $3; do + cut -f 1,2,7 -d '|' < ${X} | + fgrep '|f|' | + cut -f 1,3 -d '|' | + sort > ${X}.hashes + done + + # List of files wanted + cut -f 2 -d '|' < $3.hashes | + sort -u | + while read HASH; do + if ! [ -f files/${HASH}.gz ]; then + echo ${HASH} + fi + done > files.wanted + + # Generate a list of unmodified files + comm -12 $1.hashes $2.hashes | + sort -k 1,1 -t '|' > unmodified.files + + # Copy all files into /files/. We only need the unmodified files + # for use in patching; but we'll want all of them if the user asks + # to rollback the updates later. + while read LINE; do + F=`echo "${LINE}" | cut -f 1 -d '|'` + HASH=`echo "${LINE}" | cut -f 2 -d '|'` + + # Skip files we already have. + if [ -f files/${HASH}.gz ]; then + continue + fi + + # Make sure the file hasn't changed. + cp "${BASEDIR}/${F}" tmpfile + if [ `sha256 -q tmpfile` != ${HASH} ]; then + echo + echo "File changed while FreeBSD Update running: ${F}" + return 1 + fi + + # Place the file into storage. + gzip -c < tmpfile > files/${HASH}.gz + rm tmpfile + done < $2.hashes + + # Produce a list of patches to download + sort -k 1,1 -t '|' $3.hashes | + join -t '|' -o 2.2,1.2 - unmodified.files | + fetch_make_patchlist > patchlist + + # Garbage collect + rm unmodified.files $1.hashes $2.hashes $3.hashes + + # We don't need the list of possible old files any more. + rm $1 + + # We're finished making noise + echo "done." +} + +# Fetch files. +fetch_files () { + # Attempt to fetch patches + if [ -s patchlist ]; then + echo -n "Fetching `wc -l < patchlist | tr -d ' '` " + echo ${NDEBUG} "patches.${DDSTATS}" + tr '|' '-' < patchlist | + lam -s "${PATCHDIR}/" - | + xargs ${XARGST} ${PHTTPGET} ${SERVERNAME} \ + 2>${STATSREDIR} | fetch_progress + echo "done." + + # Attempt to apply patches + echo -n "Applying patches... " + tr '|' ' ' < patchlist | + while read X Y; do + if [ ! -f "${X}-${Y}" ]; then continue; fi + gunzip -c < files/${X}.gz > OLD + + bspatch OLD NEW ${X}-${Y} + + if [ `${SHA256} -q NEW` = ${Y} ]; then + mv NEW files/${Y} + gzip -n files/${Y} + fi + rm -f diff OLD NEW ${X}-${Y} + done 2>${QUIETREDIR} + echo "done." + fi + + # Download files which couldn't be generate via patching + while read Y; do + if [ ! -f "files/${Y}.gz" ]; then + echo ${Y}; + fi + done < files.wanted > filelist + + if [ -s filelist ]; then + echo -n "Fetching `wc -l < filelist | tr -d ' '` " + echo ${NDEBUG} "files... " + lam -s "${FETCHDIR}/f/" - -s ".gz" < filelist | + xargs ${XARGST} ${PHTTPGET} ${SERVERNAME} \ + 2>${STATSREDIR} | fetch_progress + + while read Y; do + if ! [ -f ${Y}.gz ]; then + echo "failed." + return 1 + fi + if [ `gunzip -c < ${Y}.gz | + ${SHA256} -q` = ${Y} ]; then + mv ${Y}.gz files/${Y}.gz + else + echo "${Y} has incorrect hash." + return 1 + fi + done < filelist + echo "done." + fi + + # Clean up + rm files.wanted filelist patchlist +} + +# Create and populate install manifest directory; and report what updates +# are available. +fetch_create_manifest () { + # If we have an existing install manifest, nuke it. + if [ -L "${BDHASH}-install" ]; then + rm -r ${BDHASH}-install/ + rm ${BDHASH}-install + fi + + # Report to the user if any updates were avoided due to local changes + if [ -s modifiedfiles ]; then + cat - modifiedfiles <<- EOF | ${PAGER} + The following files are affected by updates. No changes have + been downloaded, however, because the files have been modified + locally: + EOF + fi + rm modifiedfiles + + # If no files will be updated, tell the user and exit + if ! [ -s INDEX-PRESENT ] && + ! [ -s INDEX-NEW ]; then + rm INDEX-PRESENT INDEX-NEW + echo + echo -n "No updates needed to update system to " + echo "${RELNUM}-p${RELPATCHNUM}." + return + fi + + # Divide files into (a) removed files, (b) added files, and + # (c) updated files. + cut -f 1 -d '|' < INDEX-PRESENT | + sort > INDEX-PRESENT.flist + cut -f 1 -d '|' < INDEX-NEW | + sort > INDEX-NEW.flist + comm -23 INDEX-PRESENT.flist INDEX-NEW.flist > files.removed + comm -13 INDEX-PRESENT.flist INDEX-NEW.flist > files.added + comm -12 INDEX-PRESENT.flist INDEX-NEW.flist > files.updated + rm INDEX-PRESENT.flist INDEX-NEW.flist + + # Report removed files, if any + if [ -s files.removed ]; then + cat - files.removed <<- EOF | ${PAGER} + The following files will be removed as part of updating to + ${RELNUM}-p${RELPATCHNUM}: + EOF + fi + rm files.removed + + # Report added files, if any + if [ -s files.added ]; then + cat - files.added <<- EOF | ${PAGER} + The following files will be added as part of updating to + ${RELNUM}-p${RELPATCHNUM}: + EOF + fi + rm files.added + + # Report updated files, if any + if [ -s files.updated ]; then + cat - files.updated <<- EOF | ${PAGER} + The following files will be updated as part of updating to + ${RELNUM}-p${RELPATCHNUM}: + EOF + fi + rm files.updated + + # Create a directory for the install manifest. + MDIR=`mktemp -d install.XXXXXX` || return 1 + + # Populate it + mv INDEX-PRESENT ${MDIR}/INDEX-OLD + mv INDEX-NEW ${MDIR}/INDEX-NEW + + # Link it into place + ln -s ${MDIR} ${BDHASH}-install +} + +# Warn about any upcoming EoL +fetch_warn_eol () { + # What's the current time? + NOWTIME=`date "+%s"` + + # When did we last warn about the EoL date? + if [ -f lasteolwarn ]; then + LASTWARN=`cat lasteolwarn` + else + LASTWARN=`expr ${NOWTIME} - 63072000` + fi + + # If the EoL time is past, warn. + if [ ${EOLTIME} -lt ${NOWTIME} ]; then + echo + cat <<-EOF + WARNING: `uname -sr` HAS PASSED ITS END-OF-LIFE DATE. + Any security issues discovered after `date -r ${EOLTIME}` + will not have been corrected. + EOF + return 1 + fi + + # Figure out how long it has been since we last warned about the + # upcoming EoL, and how much longer we have left. + SINCEWARN=`expr ${NOWTIME} - ${LASTWARN}` + TIMELEFT=`expr ${EOLTIME} - ${NOWTIME}` + + # Don't warn if the EoL is more than 3 months away + if [ ${TIMELEFT} -gt 7884000 ]; then + return 0 + fi + + # Don't warn if the time remaining is more than 3 times the time + # since the last warning. + if [ ${TIMELEFT} -gt `expr ${SINCEWARN} \* 3` ]; then + return 0 + fi + + # Figure out what time units to use. + if [ ${TIMELEFT} -lt 604800 ]; then + UNIT="day" + SIZE=86400 + elif [ ${TIMELEFT} -lt 2678400 ]; then + UNIT="week" + SIZE=604800 + else + UNIT="month" + SIZE=2678400 + fi + + # Compute the right number of units + NUM=`expr ${TIMELEFT} / ${SIZE}` + if [ ${NUM} != 1 ]; then + UNIT="${UNIT}s" + fi + + # Print the warning + echo + cat <<-EOF + WARNING: `uname -sr` is approaching its End-of-Life date. + It is strongly recommended that you upgrade to a newer + release within the next ${NUM} ${UNIT}. + EOF + + # Update the stored time of last warning + echo ${NOWTIME} > lasteolwarn +} + +# Do the actual work involved in "fetch" / "cron". +fetch_run () { + workdir_init || return 1 + + # Prepare the mirror list. + fetch_pick_server_init && fetch_pick_server + + # Try to fetch the public key until we run out of servers. + while ! fetch_key; do + fetch_pick_server || return 1 + done + + # Try to fetch the metadata index signature ("tag") until we run + # out of available servers; and sanity check the downloaded tag. + while ! fetch_tag; do + fetch_pick_server || return 1 + done + fetch_tagsanity || return 1 + + # Fetch the latest INDEX-NEW and INDEX-OLD files. + fetch_metadata INDEX-NEW INDEX-OLD || return 1 + + # Generate filtered INDEX-NEW and INDEX-OLD files containing only + # the lines which (a) belong to components we care about, and (b) + # don't correspond to paths we're explicitly ignoring. + fetch_filter_metadata INDEX-NEW || return 1 + fetch_filter_metadata INDEX-OLD || return 1 + + # Translate /boot/${KERNCONF} into ${KERNELDIR} + fetch_filter_kernel_names INDEX-NEW ${KERNCONF} + fetch_filter_kernel_names INDEX-OLD ${KERNCONF} + + # For all paths appearing in INDEX-OLD or INDEX-NEW, inspect the + # system and generate an INDEX-PRESENT file. + fetch_inspect_system INDEX-OLD INDEX-PRESENT INDEX-NEW || return 1 + + # Based on ${UPDATEIFUNMODIFIED}, remove lines from INDEX-* which + # correspond to lines in INDEX-PRESENT with hashes not appearing + # in INDEX-OLD or INDEX-NEW. Also remove lines where the entry in + # INDEX-PRESENT has type - and there isn't a corresponding entry in + # INDEX-OLD with type -. + fetch_filter_unmodified_notpresent \ + INDEX-OLD INDEX-PRESENT INDEX-NEW /dev/null + + # For each entry in INDEX-PRESENT of type -, remove any corresponding + # entry from INDEX-NEW if ${ALLOWADD} != "yes". Remove all entries + # of type - from INDEX-PRESENT. + fetch_filter_allowadd INDEX-PRESENT INDEX-NEW + + # If ${ALLOWDELETE} != "yes", then remove any entries from + # INDEX-PRESENT which don't correspond to entries in INDEX-NEW. + fetch_filter_allowdelete INDEX-PRESENT INDEX-NEW + + # If ${KEEPMODIFIEDMETADATA} == "yes", then for each entry in + # INDEX-PRESENT with metadata not matching any entry in INDEX-OLD, + # replace the corresponding line of INDEX-NEW with one having the + # same metadata as the entry in INDEX-PRESENT. + fetch_filter_modified_metadata INDEX-OLD INDEX-PRESENT INDEX-NEW + + # Remove lines from INDEX-PRESENT and INDEX-NEW which are identical; + # no need to update a file if it isn't changing. + fetch_filter_uptodate INDEX-PRESENT INDEX-NEW + + # Prepare to fetch files: Generate a list of the files we need, + # copy the unmodified files we have into /files/, and generate + # a list of patches to download. + fetch_files_prepare INDEX-OLD INDEX-PRESENT INDEX-NEW || return 1 + + # Fetch files. + fetch_files || return 1 + + # Create and populate install manifest directory; and report what + # updates are available. + fetch_create_manifest || return 1 + + # Warn about any upcoming EoL + fetch_warn_eol || return 1 +} + +# If StrictComponents is not "yes", generate a new components list +# with only the components which appear to be installed. +upgrade_guess_components () { + if [ "${STRICTCOMPONENTS}" = "no" ]; then + # Generate filtered INDEX-ALL with only the components listed + # in COMPONENTS. + fetch_filter_metadata_components $1 || return 1 + + # Tell the user why his disk is suddenly making lots of noise + echo -n "Inspecting system... " + + # Look at the files on disk, and assume that a component is + # supposed to be present if it is more than half-present. + cut -f 1-3 -d '|' < INDEX-ALL | + tr '|' ' ' | + while read C S F; do + if [ -e ${BASEDIR}/${F} ]; then + echo "+ ${C}|${S}" + fi + echo "= ${C}|${S}" + done | + sort | + uniq -c | + sed -E 's,^ +,,' > compfreq + grep ' = ' compfreq | + cut -f 1,3 -d ' ' | + sort -k 2,2 -t ' ' > compfreq.total + grep ' + ' compfreq | + cut -f 1,3 -d ' ' | + sort -k 2,2 -t ' ' > compfreq.present + join -t ' ' -1 2 -2 2 compfreq.present compfreq.total | + while read S P T; do + if [ ${T} -ne 0 -a ${P} -gt `expr ${T} / 2` ]; then + echo ${S} + fi + done > comp.present + cut -f 2 -d ' ' < compfreq.total > comp.total + rm INDEX-ALL compfreq compfreq.total compfreq.present + + # We're done making noise. + echo "done." + + # Sometimes the kernel isn't installed where INDEX-ALL + # thinks that it should be: In particular, it is often in + # /boot/kernel instead of /boot/GENERIC or /boot/SMP. To + # deal with this, if "kernel|X" is listed in comp.total + # (i.e., is a component which would be upgraded if it is + # found to be present) we will add it to comp.present. + # If "kernel|" is in comp.total but "kernel|X" is + # not, we print a warning -- the user is running a kernel + # which isn't part of the release. + KCOMP=`echo ${KERNCONF} | tr 'A-Z' 'a-z'` + grep -E "^kernel\|${KCOMP}\$" comp.total >> comp.present + + if grep -qE "^kernel\|" comp.total && + ! grep -qE "^kernel\|${KCOMP}\$" comp.total; then + cat <<-EOF + +WARNING: This system is running a "${KCOMP}" kernel, which is not a +kernel configuration distributed as part of FreeBSD ${RELNUM}. +This kernel will not be updated: you MUST update the kernel manually +before running "$0 install". + EOF + fi + + # Re-sort the list of installed components and generate + # the list of non-installed components. + sort -u < comp.present > comp.present.tmp + mv comp.present.tmp comp.present + comm -13 comp.present comp.total > comp.absent + + # Ask the user to confirm that what we have is correct. To + # reduce user confusion, translate "X|Y" back to "X/Y" (as + # subcomponents must be listed in the configuration file). + echo + echo -n "The following components of FreeBSD " + echo "seem to be installed:" + tr '|' '/' < comp.present | + fmt -72 + echo + echo -n "The following components of FreeBSD " + echo "do not seem to be installed:" + tr '|' '/' < comp.absent | + fmt -72 + echo + continuep || return 1 + echo + + # Suck the generated list of components into ${COMPONENTS}. + # Note that comp.present.tmp is used due to issues with + # pipelines and setting variables. + COMPONENTS="" + tr '|' '/' < comp.present > comp.present.tmp + while read C; do + COMPONENTS="${COMPONENTS} ${C}" + done < comp.present.tmp + + # Delete temporary files + rm comp.present comp.present.tmp comp.absent comp.total + fi +} + +# If StrictComponents is not "yes", COMPONENTS contains an entry +# corresponding to the currently running kernel, and said kernel +# does not exist in the new release, add "kernel/generic" to the +# list of components. +upgrade_guess_new_kernel () { + if [ "${STRICTCOMPONENTS}" = "no" ]; then + # Grab the unfiltered metadata file. + METAHASH=`look "$1|" tINDEX.present | cut -f 2 -d '|'` + gunzip -c < files/${METAHASH}.gz > $1.all + + # If "kernel/${KCOMP}" is in ${COMPONENTS} and that component + # isn't in $1.all, we need to add kernel/generic. + for C in ${COMPONENTS}; do + if [ ${C} = "kernel/${KCOMP}" ] && + ! grep -qE "^kernel\|${KCOMP}\|" $1.all; then + COMPONENTS="${COMPONENTS} kernel/generic" + NKERNCONF="GENERIC" + cat <<-EOF + +WARNING: This system is running a "${KCOMP}" kernel, which is not a +kernel configuration distributed as part of FreeBSD ${RELNUM}. +As part of upgrading to FreeBSD ${RELNUM}, this kernel will be +replaced with a "generic" kernel. + EOF + continuep || return 1 + fi + done + + # Don't need this any more... + rm $1.all + fi +} + +# Convert INDEX-OLD (last release) and INDEX-ALL (new release) into +# INDEX-OLD and INDEX-NEW files (in the sense of normal upgrades). +upgrade_oldall_to_oldnew () { + # For each ${F}|... which appears in INDEX-ALL but does not appear + # in INDEX-OLD, add ${F}|-|||||| to INDEX-OLD. + cut -f 1 -d '|' < $1 | + sort -u > $1.paths + cut -f 1 -d '|' < $2 | + sort -u | + comm -13 $1.paths - | + lam - -s "|-||||||" | + sort - $1 > $1.tmp + mv $1.tmp $1 + + # Remove lines from INDEX-OLD which also appear in INDEX-ALL + comm -23 $1 $2 > $1.tmp + mv $1.tmp $1 + + # Remove lines from INDEX-ALL which have a file name not appearing + # anywhere in INDEX-OLD (since these must be files which haven't + # changed -- if they were new, there would be an entry of type "-"). + cut -f 1 -d '|' < $1 | + sort -u > $1.paths + sort -k 1,1 -t '|' < $2 | + join -t '|' - $1.paths | + sort > $2.tmp + rm $1.paths + mv $2.tmp $2 + + # Rename INDEX-ALL to INDEX-NEW. + mv $2 $3 +} + +# Helper for upgrade_merge: Return zero true iff the two files differ only +# in the contents of their RCS tags. +samef () { + X=`sed -E 's/\\$FreeBSD.*\\$/\$FreeBSD\$/' < $1 | ${SHA256}` + Y=`sed -E 's/\\$FreeBSD.*\\$/\$FreeBSD\$/' < $2 | ${SHA256}` + + if [ $X = $Y ]; then + return 0; + else + return 1; + fi +} + +# From the list of "old" files in $1, merge changes in $2 with those in $3, +# and update $3 to reflect the hashes of merged files. +upgrade_merge () { + # We only need to do anything if $1 is non-empty. + if [ -s $1 ]; then + cut -f 1 -d '|' $1 | + sort > $1-paths + + # Create staging area for merging files + rm -rf merge/ + while read F; do + D=`dirname ${F}` + mkdir -p merge/old/${D} + mkdir -p merge/${OLDRELNUM}/${D} + mkdir -p merge/${RELNUM}/${D} + mkdir -p merge/new/${D} + done < $1-paths + + # Copy in files + while read F; do + # Currently installed file + V=`look "${F}|" $2 | cut -f 7 -d '|'` + gunzip < files/${V}.gz > merge/old/${F} + + # Old release + if look "${F}|" $1 | fgrep -q "|f|"; then + V=`look "${F}|" $1 | cut -f 3 -d '|'` + gunzip < files/${V}.gz \ + > merge/${OLDRELNUM}/${F} + fi + + # New release + if look "${F}|" $3 | cut -f 1,2,7 -d '|' | + fgrep -q "|f|"; then + V=`look "${F}|" $3 | cut -f 7 -d '|'` + gunzip < files/${V}.gz \ + > merge/${RELNUM}/${F} + fi + done < $1-paths + + # Attempt to automatically merge changes + echo -n "Attempting to automatically merge " + echo -n "changes in files..." + : > failed.merges + while read F; do + # If the file doesn't exist in the new release, + # the result of "merging changes" is having the file + # not exist. + if ! [ -f merge/${RELNUM}/${F} ]; then + continue + fi + + # If the file didn't exist in the old release, we're + # going to throw away the existing file and hope that + # the version from the new release is what we want. + if ! [ -f merge/${OLDRELNUM}/${F} ]; then + cp merge/${RELNUM}/${F} merge/new/${F} + continue + fi + + # Some files need special treatment. + case ${F} in + /etc/spwd.db | /etc/pwd.db | /etc/login.conf.db) + # Don't merge these -- we're rebuild them + # after updates are installed. + cp merge/old/${F} merge/new/${F} + ;; + *) + if ! diff3 -E -m -L "current version" \ + -L "${OLDRELNUM}" -L "${RELNUM}" \ + merge/old/${F} \ + merge/${OLDRELNUM}/${F} \ + merge/${RELNUM}/${F} \ + > merge/new/${F} 2>/dev/null; then + echo ${F} >> failed.merges + fi + ;; + esac + done < $1-paths + echo " done." + + # Ask the user to handle any files which didn't merge. + while read F; do + # If the installed file differs from the version in + # the old release only due to RCS tag expansion + # then just use the version in the new release. + if samef merge/old/${F} merge/${OLDRELNUM}/${F}; then + cp merge/${RELNUM}/${F} merge/new/${F} + continue + fi + + cat <<-EOF + +The following file could not be merged automatically: ${F} +Press Enter to edit this file in ${EDITOR} and resolve the conflicts +manually... + EOF + while true; do + read response /dev/null; then + echo + break + fi + ${EDITOR} `pwd`/merge/new/${F} < /dev/tty + + if ! grep -qE '^(<<<<<<<|=======|>>>>>>>)([[:space:]].*)?$' $(pwd)/merge/new/${F} ; then + break + fi + cat <<-EOF + +Merge conflict markers remain in: ${F} +These must be resolved for the system to be functional. + +Press Enter to return to editing this file, or type "ACCEPT" to carry on with +these lines remaining in the file. + EOF + done + done < failed.merges + rm failed.merges + + # Ask the user to confirm that he likes how the result + # of merging files. + while read F; do + # Skip files which haven't changed except possibly + # in their RCS tags. + if [ -f merge/old/${F} ] && [ -f merge/new/${F} ] && + samef merge/old/${F} merge/new/${F}; then + continue + fi + + # Skip files where the installed file differs from + # the old file only due to RCS tags. + if [ -f merge/old/${F} ] && + [ -f merge/${OLDRELNUM}/${F} ] && + samef merge/old/${F} merge/${OLDRELNUM}/${F}; then + continue + fi + + # Warn about files which are ceasing to exist. + if ! [ -f merge/new/${F} ]; then + cat <<-EOF + +The following file will be removed, as it no longer exists in +FreeBSD ${RELNUM}: ${F} + EOF + continuep < /dev/tty || return 1 + continue + fi + + # Print changes for the user's approval. + cat <<-EOF + +The following changes, which occurred between FreeBSD ${OLDRELNUM} and +FreeBSD ${RELNUM} have been merged into ${F}: +EOF + diff -U 5 -L "current version" -L "new version" \ + merge/old/${F} merge/new/${F} || true + continuep < /dev/tty || return 1 + done < $1-paths + + # Store merged files. + while read F; do + if [ -f merge/new/${F} ]; then + V=`${SHA256} -q merge/new/${F}` + + gzip -c < merge/new/${F} > files/${V}.gz + echo "${F}|${V}" + fi + done < $1-paths > newhashes + + # Pull lines out from $3 which need to be updated to + # reflect merged files. + while read F; do + look "${F}|" $3 + done < $1-paths > $3-oldlines + + # Update lines to reflect merged files + join -t '|' -o 1.1,1.2,1.3,1.4,1.5,1.6,2.2,1.8 \ + $3-oldlines newhashes > $3-newlines + + # Remove old lines from $3 and add new lines. + sort $3-oldlines | + comm -13 - $3 | + sort - $3-newlines > $3.tmp + mv $3.tmp $3 + + # Clean up + rm $1-paths newhashes $3-oldlines $3-newlines + rm -rf merge/ + fi + + # We're done with merging files. + rm $1 +} + +# Do the work involved in fetching upgrades to a new release +upgrade_run () { + workdir_init || return 1 + + # Prepare the mirror list. + fetch_pick_server_init && fetch_pick_server + + # Try to fetch the public key until we run out of servers. + while ! fetch_key; do + fetch_pick_server || return 1 + done + + # Try to fetch the metadata index signature ("tag") until we run + # out of available servers; and sanity check the downloaded tag. + while ! fetch_tag; do + fetch_pick_server || return 1 + done + fetch_tagsanity || return 1 + + # Fetch the INDEX-OLD and INDEX-ALL. + fetch_metadata INDEX-OLD INDEX-ALL || return 1 + + # If StrictComponents is not "yes", generate a new components list + # with only the components which appear to be installed. + upgrade_guess_components INDEX-ALL || return 1 + + # Generate filtered INDEX-OLD and INDEX-ALL files containing only + # the components we want and without anything marked as "Ignore". + fetch_filter_metadata INDEX-OLD || return 1 + fetch_filter_metadata INDEX-ALL || return 1 + + # Merge the INDEX-OLD and INDEX-ALL files into INDEX-OLD. + sort INDEX-OLD INDEX-ALL > INDEX-OLD.tmp + mv INDEX-OLD.tmp INDEX-OLD + rm INDEX-ALL + + # Adjust variables for fetching files from the new release. + OLDRELNUM=${RELNUM} + RELNUM=${TARGETRELEASE} + OLDFETCHDIR=${FETCHDIR} + FETCHDIR=${RELNUM}/${ARCH} + + # Try to fetch the NEW metadata index signature ("tag") until we run + # out of available servers; and sanity check the downloaded tag. + while ! fetch_tag; do + fetch_pick_server || return 1 + done + + # Fetch the new INDEX-ALL. + fetch_metadata INDEX-ALL || return 1 + + # If StrictComponents is not "yes", COMPONENTS contains an entry + # corresponding to the currently running kernel, and said kernel + # does not exist in the new release, add "kernel/generic" to the + # list of components. + upgrade_guess_new_kernel INDEX-ALL || return 1 + + # Filter INDEX-ALL to contain only the components we want and without + # anything marked as "Ignore". + fetch_filter_metadata INDEX-ALL || return 1 + + # Convert INDEX-OLD (last release) and INDEX-ALL (new release) into + # INDEX-OLD and INDEX-NEW files (in the sense of normal upgrades). + upgrade_oldall_to_oldnew INDEX-OLD INDEX-ALL INDEX-NEW + + # Translate /boot/${KERNCONF} or /boot/${NKERNCONF} into ${KERNELDIR} + fetch_filter_kernel_names INDEX-NEW ${NKERNCONF} + fetch_filter_kernel_names INDEX-OLD ${KERNCONF} + + # For all paths appearing in INDEX-OLD or INDEX-NEW, inspect the + # system and generate an INDEX-PRESENT file. + fetch_inspect_system INDEX-OLD INDEX-PRESENT INDEX-NEW || return 1 + + # Based on ${MERGECHANGES}, generate a file tomerge-old with the + # paths and hashes of old versions of files to merge. + fetch_filter_mergechanges INDEX-OLD INDEX-PRESENT INDEX-NEW tomerge-old + + # Based on ${UPDATEIFUNMODIFIED}, remove lines from INDEX-* which + # correspond to lines in INDEX-PRESENT with hashes not appearing + # in INDEX-OLD or INDEX-NEW. Also remove lines where the entry in + # INDEX-PRESENT has type - and there isn't a corresponding entry in + # INDEX-OLD with type -. + fetch_filter_unmodified_notpresent \ + INDEX-OLD INDEX-PRESENT INDEX-NEW tomerge-old + + # For each entry in INDEX-PRESENT of type -, remove any corresponding + # entry from INDEX-NEW if ${ALLOWADD} != "yes". Remove all entries + # of type - from INDEX-PRESENT. + fetch_filter_allowadd INDEX-PRESENT INDEX-NEW + + # If ${ALLOWDELETE} != "yes", then remove any entries from + # INDEX-PRESENT which don't correspond to entries in INDEX-NEW. + fetch_filter_allowdelete INDEX-PRESENT INDEX-NEW + + # If ${KEEPMODIFIEDMETADATA} == "yes", then for each entry in + # INDEX-PRESENT with metadata not matching any entry in INDEX-OLD, + # replace the corresponding line of INDEX-NEW with one having the + # same metadata as the entry in INDEX-PRESENT. + fetch_filter_modified_metadata INDEX-OLD INDEX-PRESENT INDEX-NEW + + # Remove lines from INDEX-PRESENT and INDEX-NEW which are identical; + # no need to update a file if it isn't changing. + fetch_filter_uptodate INDEX-PRESENT INDEX-NEW + + # Fetch "clean" files from the old release for merging changes. + fetch_files_premerge tomerge-old + + # Prepare to fetch files: Generate a list of the files we need, + # copy the unmodified files we have into /files/, and generate + # a list of patches to download. + fetch_files_prepare INDEX-OLD INDEX-PRESENT INDEX-NEW || return 1 + + # Fetch patches from to-${RELNUM}/${ARCH}/bp/ + PATCHDIR=to-${RELNUM}/${ARCH}/bp + fetch_files || return 1 + + # Merge configuration file changes. + upgrade_merge tomerge-old INDEX-PRESENT INDEX-NEW || return 1 + + # Create and populate install manifest directory; and report what + # updates are available. + fetch_create_manifest || return 1 + + # Leave a note behind to tell the "install" command that the kernel + # needs to be installed before the world. + touch ${BDHASH}-install/kernelfirst + + # Remind the user that they need to run "freebsd-update install" + # to install the downloaded bits, in case they didn't RTFM. + echo "To install the downloaded upgrades, run \"$0 install\"." +} + +# Make sure that all the file hashes mentioned in $@ have corresponding +# gzipped files stored in /files/. +install_verify () { + # Generate a list of hashes + cat $@ | + cut -f 2,7 -d '|' | + grep -E '^f' | + cut -f 2 -d '|' | + sort -u > filelist + + # Make sure all the hashes exist + while read HASH; do + if ! [ -f files/${HASH}.gz ]; then + echo -n "Update files missing -- " + echo "this should never happen." + echo "Re-run '$0 fetch'." + return 1 + fi + done < filelist + + # Clean up + rm filelist +} + +# Remove the system immutable flag from files +install_unschg () { + # Generate file list + cat $@ | + cut -f 1 -d '|' > filelist + + # Remove flags + while read F; do + if ! [ -e ${BASEDIR}/${F} ]; then + continue + else + echo ${BASEDIR}/${F} + fi + done < filelist | xargs chflags noschg || return 1 + + # Clean up + rm filelist +} + +# Decide which directory name to use for kernel backups. +backup_kernel_finddir () { + CNT=0 + while true ; do + # Pathname does not exist, so it is OK use that name + # for backup directory. + if [ ! -e $BASEDIR/$BACKUPKERNELDIR ]; then + return 0 + fi + + # If directory do exist, we only use if it has our + # marker file. + if [ -d $BASEDIR/$BACKUPKERNELDIR -a \ + -e $BASEDIR/$BACKUPKERNELDIR/.freebsd-update ]; then + return 0 + fi + + # We could not use current directory name, so add counter to + # the end and try again. + CNT=$((CNT + 1)) + if [ $CNT -gt 9 ]; then + echo "Could not find valid backup dir ($BASEDIR/$BACKUPKERNELDIR)" + exit 1 + fi + BACKUPKERNELDIR="`echo $BACKUPKERNELDIR | sed -Ee 's/[0-9]\$//'`" + BACKUPKERNELDIR="${BACKUPKERNELDIR}${CNT}" + done +} + +# Backup the current kernel using hardlinks, if not disabled by user. +# Since we delete all files in the directory used for previous backups +# we create a marker file called ".freebsd-update" in the directory so +# we can determine on the next run that the directory was created by +# freebsd-update and we then do not accidentally remove user files in +# the unlikely case that the user has created a directory with a +# conflicting name. +backup_kernel () { + # Only make kernel backup is so configured. + if [ $BACKUPKERNEL != yes ]; then + return 0 + fi + + # Decide which directory name to use for kernel backups. + backup_kernel_finddir + + # Remove old kernel backup files. If $BACKUPKERNELDIR was + # "not ours", backup_kernel_finddir would have exited, so + # deleting the directory content is as safe as we can make it. + if [ -d $BASEDIR/$BACKUPKERNELDIR ]; then + rm -fr $BASEDIR/$BACKUPKERNELDIR + fi + + # Create directories for backup. + mkdir -p $BASEDIR/$BACKUPKERNELDIR + mtree -cdn -p "${BASEDIR}/${KERNELDIR}" | \ + mtree -Ue -p "${BASEDIR}/${BACKUPKERNELDIR}" > /dev/null + + # Mark the directory as having been created by freebsd-update. + touch $BASEDIR/$BACKUPKERNELDIR/.freebsd-update + if [ $? -ne 0 ]; then + echo "Could not create kernel backup directory" + exit 1 + fi + + # Disable pathname expansion to be sure *.symbols is not + # expanded. + set -f + + # Use find to ignore symbol files, unless disabled by user. + if [ $BACKUPKERNELSYMBOLFILES = yes ]; then + FINDFILTER="" + else + FINDFILTER="-a ! -name *.debug -a ! -name *.symbols" + fi + + # Backup all the kernel files using hardlinks. + (cd ${BASEDIR}/${KERNELDIR} && find . -type f $FINDFILTER -exec \ + cp -pl '{}' ${BASEDIR}/${BACKUPKERNELDIR}/'{}' \;) + + # Re-enable patchname expansion. + set +f +} + +# Check for and remove an existing directory that conflicts with the file or +# symlink that we are going to install. +dir_conflict () { + if [ -d "$1" ]; then + echo "Removing conflicting directory $1" + rm -rf -- "$1" + fi +} + +# Install new files +install_from_index () { + # First pass: Do everything apart from setting file flags. We + # can't set flags yet, because schg inhibits hard linking. + sort -k 1,1 -t '|' $1 | + tr '|' ' ' | + while read FPATH TYPE OWNER GROUP PERM FLAGS HASH LINK; do + case ${TYPE} in + d) + # Create a directory. A file may change to a directory + # on upgrade (PR273661). If that happens, remove the + # file first. + if [ -e "${BASEDIR}/${FPATH}" ] && \ + ! [ -d "${BASEDIR}/${FPATH}" ]; then + rm -f -- "${BASEDIR}/${FPATH}" + fi + install -d -o ${OWNER} -g ${GROUP} \ + -m ${PERM} ${BASEDIR}/${FPATH} + ;; + f) + dir_conflict "${BASEDIR}/${FPATH}" + if [ -z "${LINK}" ]; then + # Create a file, without setting flags. + gunzip < files/${HASH}.gz > ${HASH} + install -S -o ${OWNER} -g ${GROUP} \ + -m ${PERM} ${HASH} ${BASEDIR}/${FPATH} + rm ${HASH} + else + # Create a hard link. + ln -f ${BASEDIR}/${LINK} ${BASEDIR}/${FPATH} + fi + ;; + L) + dir_conflict "${BASEDIR}/${FPATH}" + # Create a symlink + ln -sfh ${HASH} ${BASEDIR}/${FPATH} + ;; + esac + done + + # Perform a second pass, adding file flags. + tr '|' ' ' < $1 | + while read FPATH TYPE OWNER GROUP PERM FLAGS HASH LINK; do + if [ ${TYPE} = "f" ] && + ! [ ${FLAGS} = "0" ]; then + chflags ${FLAGS} ${BASEDIR}/${FPATH} + fi + done +} + +# Remove files which we want to delete +install_delete () { + # Generate list of new files + cut -f 1 -d '|' < $2 | + sort > newfiles + + # Generate subindex of old files we want to nuke + sort -k 1,1 -t '|' $1 | + join -t '|' -v 1 - newfiles | + sort -r -k 1,1 -t '|' | + cut -f 1,2 -d '|' | + tr '|' ' ' > killfiles + + # Remove the offending bits + while read FPATH TYPE; do + case ${TYPE} in + d) + rmdir ${BASEDIR}/${FPATH} + ;; + f) + if [ -f "${BASEDIR}/${FPATH}" ]; then + rm "${BASEDIR}/${FPATH}" + fi + ;; + L) + if [ -L "${BASEDIR}/${FPATH}" ]; then + rm "${BASEDIR}/${FPATH}" + fi + ;; + esac + done < killfiles + + # Clean up + rm newfiles killfiles +} + +# Install new files, delete old files, and update generated files +install_files () { + # If we haven't already dealt with the kernel, deal with it. + if ! [ -f $1/kerneldone ]; then + grep -E '^/boot/' $1/INDEX-OLD > INDEX-OLD + grep -E '^/boot/' $1/INDEX-NEW > INDEX-NEW + + # Backup current kernel before installing a new one + backup_kernel || return 1 + + # Install new files + install_from_index INDEX-NEW || return 1 + + # Remove files which need to be deleted + install_delete INDEX-OLD INDEX-NEW || return 1 + + # Update linker.hints if necessary + if [ -s INDEX-OLD -o -s INDEX-NEW ]; then + kldxref -R ${BASEDIR}/boot/ 2>/dev/null + fi + + # We've finished updating the kernel. + touch $1/kerneldone + + # Do we need to ask for a reboot now? + if [ -f $1/kernelfirst ] && + [ -s INDEX-OLD -o -s INDEX-NEW ]; then + cat <<-EOF + +Kernel updates have been installed. Please reboot and run +"$0 install" again to finish installing updates. + EOF + exit 0 + fi + fi + + # If we haven't already dealt with the world, deal with it. + if ! [ -f $1/worlddone ]; then + # Create any necessary directories first + grep -vE '^/boot/' $1/INDEX-NEW | + grep -E '^[^|]+\|d\|' > INDEX-NEW + install_from_index INDEX-NEW || return 1 + + # Install new runtime linker + grep -vE '^/boot/' $1/INDEX-NEW | + grep -vE '^[^|]+\|d\|' | + grep -E '^/libexec/ld-elf[^|]*\.so\.[0-9]+\|' > INDEX-NEW + install_from_index INDEX-NEW || return 1 + + # Install new shared libraries next + grep -vE '^/boot/' $1/INDEX-NEW | + grep -vE '^[^|]+\|d\|' | + grep -vE '^/libexec/ld-elf[^|]*\.so\.[0-9]+\|' | + grep -E '^[^|]*/lib/[^|]*\.so\.[0-9]+\|' > INDEX-NEW + install_from_index INDEX-NEW || return 1 + + # Deal with everything else + grep -vE '^/boot/' $1/INDEX-OLD | + grep -vE '^[^|]+\|d\|' | + grep -vE '^/libexec/ld-elf[^|]*\.so\.[0-9]+\|' | + grep -vE '^[^|]*/lib/[^|]*\.so\.[0-9]+\|' > INDEX-OLD + grep -vE '^/boot/' $1/INDEX-NEW | + grep -vE '^[^|]+\|d\|' | + grep -vE '^/libexec/ld-elf[^|]*\.so\.[0-9]+\|' | + grep -vE '^[^|]*/lib/[^|]*\.so\.[0-9]+\|' > INDEX-NEW + install_from_index INDEX-NEW || return 1 + install_delete INDEX-OLD INDEX-NEW || return 1 + + # Restart host sshd if running (PR263489). Note that this does + # not affect child sshd processes handling existing sessions. + if [ "$BASEDIR" = / ] && \ + service sshd status >/dev/null 2>/dev/null; then + echo + echo "Restarting sshd after upgrade" + service sshd restart + fi + + # Rehash certs if we actually have certctl installed. + if which certctl>/dev/null; then + env DESTDIR=${BASEDIR} certctl rehash + fi + + # Rebuild generated pwd files and /etc/login.conf.db. + pwd_mkdb -d ${BASEDIR}/etc -p ${BASEDIR}/etc/master.passwd + cap_mkdb ${BASEDIR}/etc/login.conf + + # Rebuild man page databases, if necessary. + for D in /usr/share/man /usr/share/openssl/man; do + if [ ! -d ${BASEDIR}/$D ]; then + continue + fi + if [ -f ${BASEDIR}/$D/mandoc.db ] && \ + [ -z "$(find ${BASEDIR}/$D -type f -newer ${BASEDIR}/$D/mandoc.db)" ]; then + continue; + fi + makewhatis ${BASEDIR}/$D + done + + # We've finished installing the world and deleting old files + # which are not shared libraries. + touch $1/worlddone + + # Do we need to ask the user to portupgrade now? + grep -vE '^/boot/' $1/INDEX-NEW | + grep -E '^[^|]*/lib/[^|]*\.so\.[0-9]+\|' | + cut -f 1 -d '|' | + sort > newfiles + if grep -vE '^/boot/' $1/INDEX-OLD | + grep -E '^[^|]*/lib/[^|]*\.so\.[0-9]+\|' | + cut -f 1 -d '|' | + sort | + join -v 1 - newfiles | + grep -q .; then + cat <<-EOF + +Completing this upgrade requires removing old shared object files. +Please rebuild all installed 3rd party software (e.g., programs +installed from the ports tree) and then run "$0 install" +again to finish installing updates. + EOF + rm newfiles + exit 0 + fi + rm newfiles + fi + + # Remove old shared libraries + grep -vE '^/boot/' $1/INDEX-NEW | + grep -vE '^[^|]+\|d\|' | + grep -E '^[^|]*/lib/[^|]*\.so\.[0-9]+\|' > INDEX-NEW + grep -vE '^/boot/' $1/INDEX-OLD | + grep -vE '^[^|]+\|d\|' | + grep -E '^[^|]*/lib/[^|]*\.so\.[0-9]+\|' > INDEX-OLD + install_delete INDEX-OLD INDEX-NEW || return 1 + + # Remove old directories + grep -vE '^/boot/' $1/INDEX-NEW | + grep -E '^[^|]+\|d\|' > INDEX-NEW + grep -vE '^/boot/' $1/INDEX-OLD | + grep -E '^[^|]+\|d\|' > INDEX-OLD + install_delete INDEX-OLD INDEX-NEW || return 1 + + # Remove temporary files + rm INDEX-OLD INDEX-NEW +} + +# Rearrange bits to allow the installed updates to be rolled back +install_setup_rollback () { + # Remove the "reboot after installing kernel", "kernel updated", and + # "finished installing the world" flags if present -- they are + # irrelevant when rolling back updates. + if [ -f ${BDHASH}-install/kernelfirst ]; then + rm ${BDHASH}-install/kernelfirst + rm ${BDHASH}-install/kerneldone + fi + if [ -f ${BDHASH}-install/worlddone ]; then + rm ${BDHASH}-install/worlddone + fi + + if [ -L ${BDHASH}-rollback ]; then + mv ${BDHASH}-rollback ${BDHASH}-install/rollback + fi + + mv ${BDHASH}-install ${BDHASH}-rollback +} + +# Actually install updates +install_run () { + echo -n "Installing updates..." + + # Make sure we have all the files we should have + install_verify ${BDHASH}-install/INDEX-OLD \ + ${BDHASH}-install/INDEX-NEW || return 1 + + # Remove system immutable flag from files + install_unschg ${BDHASH}-install/INDEX-OLD \ + ${BDHASH}-install/INDEX-NEW || return 1 + + # Install new files, delete old files, and update linker.hints + install_files ${BDHASH}-install || return 1 + + # Rearrange bits to allow the installed updates to be rolled back + install_setup_rollback + + echo " done." +} + +# Rearrange bits to allow the previous set of updates to be rolled back next. +rollback_setup_rollback () { + if [ -L ${BDHASH}-rollback/rollback ]; then + mv ${BDHASH}-rollback/rollback rollback-tmp + rm -r ${BDHASH}-rollback/ + rm ${BDHASH}-rollback + mv rollback-tmp ${BDHASH}-rollback + else + rm -r ${BDHASH}-rollback/ + rm ${BDHASH}-rollback + fi +} + +# Install old files, delete new files, and update linker.hints +rollback_files () { + # Create directories first. They may be needed by files we will + # install in subsequent steps (PR273950). + awk -F \| '{if ($2 == "d") print }' $1/INDEX-OLD > INDEX-OLD + install_from_index INDEX-OLD || return 1 + + # Install old shared library files which don't have the same path as + # a new shared library file. + grep -vE '^/boot/' $1/INDEX-NEW | + grep -E '/lib/.*\.so\.[0-9]+\|' | + cut -f 1 -d '|' | + sort > INDEX-NEW.libs.flist + grep -vE '^/boot/' $1/INDEX-OLD | + grep -E '/lib/.*\.so\.[0-9]+\|' | + sort -k 1,1 -t '|' - | + join -t '|' -v 1 - INDEX-NEW.libs.flist > INDEX-OLD + install_from_index INDEX-OLD || return 1 + + # Deal with files which are neither kernel nor shared library + grep -vE '^/boot/' $1/INDEX-OLD | + grep -vE '/lib/.*\.so\.[0-9]+\|' > INDEX-OLD + grep -vE '^/boot/' $1/INDEX-NEW | + grep -vE '/lib/.*\.so\.[0-9]+\|' > INDEX-NEW + install_from_index INDEX-OLD || return 1 + install_delete INDEX-NEW INDEX-OLD || return 1 + + # Install any old shared library files which we didn't install above. + grep -vE '^/boot/' $1/INDEX-OLD | + grep -E '/lib/.*\.so\.[0-9]+\|' | + sort -k 1,1 -t '|' - | + join -t '|' - INDEX-NEW.libs.flist > INDEX-OLD + install_from_index INDEX-OLD || return 1 + + # Delete unneeded shared library files + grep -vE '^/boot/' $1/INDEX-OLD | + grep -E '/lib/.*\.so\.[0-9]+\|' > INDEX-OLD + grep -vE '^/boot/' $1/INDEX-NEW | + grep -E '/lib/.*\.so\.[0-9]+\|' > INDEX-NEW + install_delete INDEX-NEW INDEX-OLD || return 1 + + # Deal with kernel files + grep -E '^/boot/' $1/INDEX-OLD > INDEX-OLD + grep -E '^/boot/' $1/INDEX-NEW > INDEX-NEW + install_from_index INDEX-OLD || return 1 + install_delete INDEX-NEW INDEX-OLD || return 1 + if [ -s INDEX-OLD -o -s INDEX-NEW ]; then + kldxref -R /boot/ 2>/dev/null + fi + + # Remove temporary files + rm INDEX-OLD INDEX-NEW INDEX-NEW.libs.flist +} + +# Actually rollback updates +rollback_run () { + echo -n "Uninstalling updates..." + + # If there are updates waiting to be installed, remove them; we + # want the user to re-run 'fetch' after rolling back updates. + if [ -L ${BDHASH}-install ]; then + rm -r ${BDHASH}-install/ + rm ${BDHASH}-install + fi + + # Make sure we have all the files we should have + install_verify ${BDHASH}-rollback/INDEX-NEW \ + ${BDHASH}-rollback/INDEX-OLD || return 1 + + # Remove system immutable flag from files + install_unschg ${BDHASH}-rollback/INDEX-NEW \ + ${BDHASH}-rollback/INDEX-OLD || return 1 + + # Install old files, delete new files, and update linker.hints + rollback_files ${BDHASH}-rollback || return 1 + + # Remove the rollback directory and the symlink pointing to it; and + # rearrange bits to allow the previous set of updates to be rolled + # back next. + rollback_setup_rollback + + echo " done." +} + +# Compare INDEX-ALL and INDEX-PRESENT and print warnings about differences. +IDS_compare () { + # Get all the lines which mismatch in something other than file + # flags. We ignore file flags because sysinstall doesn't seem to + # set them when it installs FreeBSD; warning about these adds a + # very large amount of noise. + cut -f 1-5,7-8 -d '|' $1 > $1.noflags + sort -k 1,1 -t '|' $1.noflags > $1.sorted + cut -f 1-5,7-8 -d '|' $2 | + comm -13 $1.noflags - | + fgrep -v '|-|||||' | + sort -k 1,1 -t '|' | + join -t '|' $1.sorted - > INDEX-NOTMATCHING + + # Ignore files which match IDSIGNOREPATHS. + for X in ${IDSIGNOREPATHS}; do + grep -E "^${X}" INDEX-NOTMATCHING + done | + sort -u | + comm -13 - INDEX-NOTMATCHING > INDEX-NOTMATCHING.tmp + mv INDEX-NOTMATCHING.tmp INDEX-NOTMATCHING + + # Go through the lines and print warnings. + local IFS='|' + while read FPATH TYPE OWNER GROUP PERM HASH LINK P_TYPE P_OWNER P_GROUP P_PERM P_HASH P_LINK; do + # Warn about different object types. + if ! [ "${TYPE}" = "${P_TYPE}" ]; then + echo -n "${FPATH} is a " + case "${P_TYPE}" in + f) echo -n "regular file, " + ;; + d) echo -n "directory, " + ;; + L) echo -n "symlink, " + ;; + esac + echo -n "but should be a " + case "${TYPE}" in + f) echo -n "regular file." + ;; + d) echo -n "directory." + ;; + L) echo -n "symlink." + ;; + esac + echo + + # Skip other tests, since they don't make sense if + # we're comparing different object types. + continue + fi + + # Warn about different owners. + if ! [ "${OWNER}" = "${P_OWNER}" ]; then + echo -n "${FPATH} is owned by user id ${P_OWNER}, " + echo "but should be owned by user id ${OWNER}." + fi + + # Warn about different groups. + if ! [ "${GROUP}" = "${P_GROUP}" ]; then + echo -n "${FPATH} is owned by group id ${P_GROUP}, " + echo "but should be owned by group id ${GROUP}." + fi + + # Warn about different permissions. We do not warn about + # different permissions on symlinks, since some archivers + # don't extract symlink permissions correctly and they are + # ignored anyway. + if ! [ "${PERM}" = "${P_PERM}" ] && + ! [ "${TYPE}" = "L" ]; then + echo -n "${FPATH} has ${P_PERM} permissions, " + echo "but should have ${PERM} permissions." + fi + + # Warn about different file hashes / symlink destinations. + if ! [ "${HASH}" = "${P_HASH}" ]; then + if [ "${TYPE}" = "L" ]; then + echo -n "${FPATH} is a symlink to ${P_HASH}, " + echo "but should be a symlink to ${HASH}." + fi + if [ "${TYPE}" = "f" ]; then + echo -n "${FPATH} has SHA256 hash ${P_HASH}, " + echo "but should have SHA256 hash ${HASH}." + fi + fi + + # We don't warn about different hard links, since some + # some archivers break hard links, and as long as the + # underlying data is correct they really don't matter. + done < INDEX-NOTMATCHING + + # Clean up + rm $1 $1.noflags $1.sorted $2 INDEX-NOTMATCHING +} + +# Do the work involved in comparing the system to a "known good" index +IDS_run () { + workdir_init || return 1 + + # Prepare the mirror list. + fetch_pick_server_init && fetch_pick_server + + # Try to fetch the public key until we run out of servers. + while ! fetch_key; do + fetch_pick_server || return 1 + done + + # Try to fetch the metadata index signature ("tag") until we run + # out of available servers; and sanity check the downloaded tag. + while ! fetch_tag; do + fetch_pick_server || return 1 + done + fetch_tagsanity || return 1 + + # Fetch INDEX-OLD and INDEX-ALL. + fetch_metadata INDEX-OLD INDEX-ALL || return 1 + + # Generate filtered INDEX-OLD and INDEX-ALL files containing only + # the components we want and without anything marked as "Ignore". + fetch_filter_metadata INDEX-OLD || return 1 + fetch_filter_metadata INDEX-ALL || return 1 + + # Merge the INDEX-OLD and INDEX-ALL files into INDEX-ALL. + sort INDEX-OLD INDEX-ALL > INDEX-ALL.tmp + mv INDEX-ALL.tmp INDEX-ALL + rm INDEX-OLD + + # Translate /boot/${KERNCONF} to ${KERNELDIR} + fetch_filter_kernel_names INDEX-ALL ${KERNCONF} + + # Inspect the system and generate an INDEX-PRESENT file. + fetch_inspect_system INDEX-ALL INDEX-PRESENT /dev/null || return 1 + + # Compare INDEX-ALL and INDEX-PRESENT and print warnings about any + # differences. + IDS_compare INDEX-ALL INDEX-PRESENT +} + +#### Main functions -- call parameter-handling and core functions + +# Using the command line, configuration file, and defaults, +# set all the parameters which are needed later. +get_params () { + init_params + parse_cmdline $@ + parse_conffile + default_params +} + +# Fetch command. Make sure that we're being called +# interactively, then run fetch_check_params and fetch_run +cmd_fetch () { + finalize_components_config ${COMPONENTS} + if [ ! -t 0 -a $NOTTYOK -eq 0 ]; then + echo -n "`basename $0` fetch should not " + echo "be run non-interactively." + echo "Run `basename $0` cron instead." + exit 1 + fi + fetch_check_params + fetch_run || exit 1 + ISFETCHED=1 +} + +# Cron command. Make sure the parameters are sensible; wait +# rand(3600) seconds; then fetch updates. While fetching updates, +# send output to a temporary file; only print that file if the +# fetching failed. +cmd_cron () { + fetch_check_params + sleep `jot -r 1 0 3600` + + TMPFILE=`mktemp /tmp/freebsd-update.XXXXXX` || exit 1 + finalize_components_config ${COMPONENTS} >> ${TMPFILE} + if ! fetch_run >> ${TMPFILE} || + ! grep -q "No updates needed" ${TMPFILE} || + [ ${VERBOSELEVEL} = "debug" ]; then + mail -s "`hostname` security updates" ${MAILTO} < ${TMPFILE} + fi + + rm ${TMPFILE} +} + +# Fetch files for upgrading to a new release. +cmd_upgrade () { + finalize_components_config ${COMPONENTS} + upgrade_check_params + upgrade_run || exit 1 +} + +# Check if there are fetched updates ready to install. +# Chdir into the working directory. +cmd_updatesready () { + finalize_components_config ${COMPONENTS} + # Check if working directory exists (if not, no updates pending) + if ! [ -e "${WORKDIR}" ]; then + echo "No updates are available to install." + exit 2 + fi + + # Change into working directory (fail if no permission/directory etc.) + cd ${WORKDIR} || exit 1 + + # Construct a unique name from ${BASEDIR} + BDHASH=`echo ${BASEDIR} | sha256 -q` + + # Check that we have updates ready to install + if ! [ -L ${BDHASH}-install ]; then + echo "No updates are available to install." + exit 2 + fi + + echo "There are updates available to install." + echo "Run '$0 install' to proceed." +} + +# Install downloaded updates. +cmd_install () { + finalize_components_config ${COMPONENTS} + install_check_params + install_create_be + install_run || exit 1 +} + +# Rollback most recently installed updates. +cmd_rollback () { + finalize_components_config ${COMPONENTS} + rollback_check_params + rollback_run || exit 1 +} + +# Compare system against a "known good" index. +cmd_IDS () { + finalize_components_config ${COMPONENTS} + IDS_check_params + IDS_run || exit 1 +} + +# Output configuration. +cmd_showconfig () { + finalize_components_config ${COMPONENTS} + for X in ${CONFIGOPTIONS}; do + echo $X=$(eval echo \$${X}) + done +} + +#### Entry point + +# Make sure we find utilities from the base system +export PATH=/sbin:/bin:/usr/sbin:/usr/bin:${PATH} + +# Set a pager if the user doesn't +if [ -z "$PAGER" ]; then + PAGER=/usr/bin/less +fi + +# Set LC_ALL in order to avoid problems with character ranges like [A-Z]. +export LC_ALL=C + +# Clear environment variables that may affect operation of tools that we use. +unset GREP_OPTIONS + +get_params $@ +for COMMAND in ${COMMANDS}; do + cmd_${COMMAND} +done diff --git a/conf/system/freebsd-update/13.3/freebsd-update.conf b/conf/system/freebsd-update/13.3/freebsd-update.conf new file mode 100644 index 0000000..08cf512 --- /dev/null +++ b/conf/system/freebsd-update/13.3/freebsd-update.conf @@ -0,0 +1,78 @@ + +# Trusted keyprint. Changing this is a Bad Idea unless you've received +# a PGP-signed email from telling you to +# change it and explaining why. +KeyPrint 800651ef4b4c71c27e60786d7b487188970f4b4169cc055784e21eb71d410cc5 + +# Server or server pool from which to fetch updates. You can change +# this to point at a specific server if you want, but in most cases +# using a "nearby" server won't provide a measurable improvement in +# performance. +ServerName update.FreeBSD.org + +# Components of the base system which should be kept updated. +Components src world kernel + +# Example for updating the userland and the kernel source code only: +# Components src/base src/sys world + +# Paths which start with anything matching an entry in an IgnorePaths +# statement will be ignored. +IgnorePaths + +# Paths which start with anything matching an entry in an IDSIgnorePaths +# statement will be ignored by "freebsd-update IDS". +IDSIgnorePaths /usr/share/man/cat +IDSIgnorePaths /usr/share/man/whatis +IDSIgnorePaths /var/db/locate.database +IDSIgnorePaths /var/log + +# Paths which start with anything matching an entry in an UpdateIfUnmodified +# statement will only be updated if the contents of the file have not been +# modified by the user (unless changes are merged; see below). +UpdateIfUnmodified /etc/ /var/ /root/ /.cshrc /.profile + +# When upgrading to a new FreeBSD release, files which match MergeChanges +# will have any local changes merged into the version from the new release. +MergeChanges /etc/ /boot/device.hints + +### Default configuration options: + +# Directory in which to store downloaded updates and temporary +# files used by FreeBSD Update. +# WorkDir /var/db/freebsd-update + +# Destination to send output of "freebsd-update cron" if an error +# occurs or updates have been downloaded. +# MailTo root + +# Is FreeBSD Update allowed to create new files? +# AllowAdd yes + +# Is FreeBSD Update allowed to delete files? +# AllowDelete yes + +# If the user has modified file ownership, permissions, or flags, should +# FreeBSD Update retain this modified metadata when installing a new version +# of that file? +# KeepModifiedMetadata yes + +# When upgrading between releases, should the list of Components be +# read strictly (StrictComponents yes) or merely as a list of components +# which *might* be installed of which FreeBSD Update should figure out +# which actually are installed and upgrade those (StrictComponents no)? +# StrictComponents no + +# When installing a new kernel perform a backup of the old one first +# so it is possible to boot the old kernel in case of problems. +# BackupKernel yes + +# If BackupKernel is enabled, the backup kernel is saved to this +# directory. +# BackupKernelDir /boot/kernel.old + +# When backing up a kernel also back up debug symbol files? +# BackupKernelSymbolFiles no + +# Create a new boot environment when installing patches +# CreateBootEnv yes diff --git a/conf/system/include/13.3/ar b/conf/system/include/13.3/ar new file mode 100755 index 0000000..f664b7d Binary files /dev/null and b/conf/system/include/13.3/ar differ diff --git a/conf/system/include/13.3/diff3 b/conf/system/include/13.3/diff3 new file mode 100755 index 0000000..8a91658 Binary files /dev/null and b/conf/system/include/13.3/diff3 differ diff --git a/conf/system/include/13.3/jib b/conf/system/include/13.3/jib new file mode 100644 index 0000000..55d9084 --- /dev/null +++ b/conf/system/include/13.3/jib @@ -0,0 +1,417 @@ +#!/bin/sh +#- +# Copyright (c) 2016 Devin Teske +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# +############################################################ IDENT(1) +# +# $Title: if_bridge(4) management script for vnet jails $ +# +############################################################ INFORMATION +# +# Use this tool with jail.conf(5) (or rc.conf(5) ``legacy'' configuration) to +# manage `vnet' interfaces for jails. Designed to automate the creation of vnet +# interface(s) during jail `prestart' and destroy said interface(s) during jail +# `poststop'. +# +# In jail.conf(5) format: +# +# ### BEGIN EXCERPT ### +# +# xxx { +# host.hostname = "xxx.yyy"; +# path = "/vm/xxx"; +# +# # +# # NB: Below 2-lines required +# # NB: The number of eNb_xxx interfaces should match the number of +# # arguments given to `jib addm xxx' in exec.prestart value. +# # +# vnet; +# vnet.interface = e0b_xxx, e1b_xxx, ...; +# +# exec.clean; +# exec.system_user = "root"; +# exec.jail_user = "root"; +# +# # +# # NB: Below 2-lines required +# # NB: The number of arguments after `jib addm xxx' should match +# # the number of eNb_xxx arguments in vnet.interface value. +# # +# exec.prestart += "jib addm xxx em0 em1 ..."; +# exec.poststop += "jib destroy xxx"; +# +# # Standard recipe +# exec.start += "/bin/sh /etc/rc"; +# exec.stop = "/bin/sh /etc/rc.shutdown jail"; +# exec.consolelog = "/var/log/jail_xxx_console.log"; +# mount.devfs; +# +# # Optional (default off) +# #allow.mount; +# #allow.set_hostname = 1; +# #allow.sysvipc = 1; +# #devfs_ruleset = "11"; # rule to unhide bpf for DHCP +# } +# +# ### END EXCERPT ### +# +# In rc.conf(5) ``legacy'' format (used when /etc/jail.conf does not exist): +# +# ### BEGIN EXCERPT ### +# +# jail_enable="YES" +# jail_list="xxx" +# +# # +# # Global presets for all jails +# # +# jail_devfs_enable="YES" # mount devfs +# +# # +# # Global options (default off) +# # +# #jail_mount_enable="YES" # mount /etc/fstab.{name} +# #jail_set_hostname_allow="YES" # Allow hostname to change +# #jail_sysvipc_allow="YES" # Allow SysV Interprocess Comm. +# +# # xxx +# jail_xxx_hostname="xxx.shxd.cx" # hostname +# jail_xxx_rootdir="/vm/xxx" # root directory +# jail_xxx_vnet_interfaces="e0b_xxx e1bxxx ..." # vnet interface(s) +# jail_xxx_exec_prestart0="jib addm xxx em0 em1 ..." # bridge interface(s) +# jail_xxx_exec_poststop0="jib destroy xxx" # destroy interface(s) +# #jail_xxx_mount_enable="YES" # mount /etc/fstab.xxx +# #jail_xxx_devfs_ruleset="11" # rule to unhide bpf for DHCP +# +# ### END EXCERPT ### +# +# Note that the legacy rc.conf(5) format is converted to +# /var/run/jail.{name}.conf by /etc/rc.d/jail if jail.conf(5) is missing. +# +# ASIDE: dhclient(8) inside a vnet jail... +# +# To allow dhclient(8) to work inside a vnet jail, make sure the following +# appears in /etc/devfs.rules (which should be created if it doesn't exist): +# +# [devfsrules_jail=11] +# add include $devfsrules_hide_all +# add include $devfsrules_unhide_basic +# add include $devfsrules_unhide_login +# add path 'bpf*' unhide +# +# And set ether devfs.ruleset="11" (jail.conf(5)) or +# jail_{name}_devfs_ruleset="11" (rc.conf(5)). +# +# NB: While this tool can't create every type of desirable topology, it should +# handle most setups, minus some which considered exotic or purpose-built. +# +############################################################ GLOBALS + +pgm="${0##*/}" # Program basename + +# +# Global exit status +# +SUCCESS=0 +FAILURE=1 + +############################################################ FUNCTIONS + +usage() +{ + local action usage descr + exec >&2 + echo "Usage: $pgm action [arguments]" + echo "Actions:" + for action in \ + addm \ + show \ + show1 \ + destroy \ + ; do + eval usage=\"\$jib_${action}_usage\" + [ "$usage" ] || continue + eval descr=\"\$jib_${action}_descr\" + printf "\t%s\n\t\t%s\n" "$usage" "$descr" + done + exit $FAILURE +} + +action_usage() +{ + local usage descr action="$1" + eval usage=\"\$jib_${action}_usage\" + echo "Usage: $pgm $usage" >&2 + eval descr=\"\$jib_${action}_descr\" + printf "\t%s\n" "$descr" + exit $FAILURE +} + +derive_mac() +{ + local OPTIND=1 OPTARG __flag + local __mac_num= __make_pair= + while getopts 2n: __flag; do + case "$__flag" in + 2) __make_pair=1 ;; + n) __mac_num=${OPTARG%%[^0-9]*} ;; + esac + done + shift $(( $OPTIND - 1 )) + + if [ ! "$__mac_num" ]; then + eval __mac_num=\${_${iface}_num:--1} + __mac_num=$(( $__mac_num + 1 )) + eval _${iface}_num=\$__mac_num + fi + + local __iface="$1" __name="$2" __var_to_set="$3" __var_to_set_b="$4" + local __iface_devid __new_devid __num __new_devid_b + # + # Calculate MAC address derived from given iface. + # + # The formula I'm using is ``NP:SS:SS:II:II:II'' where: + # + N denotes 4 bits used as a counter to support branching + # each parent interface up to 15 times under the same jail + # name (see S below). + # + P denotes the special nibble whose value, if one of + # 2, 6, A, or E (but usually 2) denotes a privately + # administered MAC address (while remaining routable). + # + S denotes 16 bits, the sum(1) value of the jail name. + # + I denotes bits that are inherited from parent interface. + # + # The S bits are a CRC-16 checksum of NAME, allowing the jail + # to change link numbers in ng_bridge(4) without affecting the + # MAC address. Meanwhile, if... + # + the jail NAME changes (e.g., it was duplicated and given + # a new name with no other changes) + # + the underlying network interface changes + # + the jail is moved to another host + # the MAC address will be recalculated to a new, similarly + # unique value preventing conflict. + # + __iface_devid=$( ifconfig $__iface ether | awk '/ether/,$0=$2' ) + # ??:??:??:II:II:II + __new_devid=${__iface_devid#??:??:??} # => :II:II:II + # => :SS:SS:II:II:II + __num=$( set -- `echo -n "$__name" | sum` && echo $1 ) + __new_devid=$( printf :%02x:%02x \ + $(( $__num >> 8 & 255 )) $(( $__num & 255 )) )$__new_devid + # => P:SS:SS:II:II:II + case "$__iface_devid" in + ?2:*) __new_devid=a$__new_devid __new_devid_b=e$__new_devid ;; + ?[Ee]:*) __new_devid=2$__new_devid __new_devid_b=6$__new_devid ;; + *) __new_devid=2$__new_devid __new_devid_b=e$__new_devid + esac + # => NP:SS:SS:II:II:II + __new_devid=$( printf %x $(( $__mac_num & 15 )) )$__new_devid + __new_devid_b=$( printf %x $(( $__mac_num & 15 )) )$__new_devid_b + + # + # Return derivative MAC address(es) + # + if [ "$__make_pair" ]; then + if [ "$__var_to_set" -a "$__var_to_set_b" ]; then + eval $__var_to_set=\$__new_devid + eval $__var_to_set_b=\$__new_devid_b + else + echo $__new_devid $__new_devid_b + fi + else + if [ "$__var_to_set" ]; then + eval $__var_to_set=\$__new_devid + else + echo $__new_devid + fi + fi +} + +mustberoot_to_continue() +{ + if [ "$( id -u )" -ne 0 ]; then + echo "Must run as root!" >&2 + exit $FAILURE + fi +} + +jib_addm_usage="addm [-b BRIDGE_NAME] NAME [!]iface0 [[!]iface1 ...]" +jib_addm_descr="Creates e0b_NAME [e1b_NAME ...]" +jib_addm() +{ + local OPTIND=1 OPTARG flag bridge=bridge + while getopts b: flag; do + case "$flag" in + b) bridge="${OPTARG:-bridge}" ;; + *) action_usage addm # NOTREACHED + esac + done + shift $(( $OPTIND - 1 )) + + local name="$1" + [ "${name:-x}" = "${name#*[!0-9a-zA-Z_]}" -a $# -gt 1 ] || + action_usage addm # NOTREACHED + shift 1 # name + + mustberoot_to_continue + + local iface eiface_devid_a eiface_devid_b + local new no_derive num quad i=0 + for iface in $*; do + + no_derive= + case "$iface" in + !*) iface=${iface#!} no_derive=1 ;; + esac + + # Make sure the interface doesn't exist already + if ifconfig "e${i}a_$name" > /dev/null 2>&1; then + i=$(( $i + 1 )) + continue + fi + + # Bring the interface up + ifconfig $iface up || return + + # Make sure the interface has been bridged + if ! ifconfig "$iface$bridge" > /dev/null 2>&1; then + new=$( ifconfig bridge create ) || return + ifconfig $new addm $iface || return + ifconfig $new name "$iface$bridge" || return + ifconfig "$iface$bridge" up || return + fi + + # Create a new interface to the bridge + new=$( ifconfig epair create ) || return + ifconfig "$iface$bridge" addm $new || return + + # Rename the new interface + ifconfig $new name "e${i}a_$name" || return + ifconfig ${new%a}b name "e${i}b_$name" || return + ifconfig "e${i}a_$name" up || return + ifconfig "e${i}b_$name" up || return + + # + # Set the MAC address of the new interface using a sensible + # algorithm to prevent conflicts on the network. + # + eiface_devid_a= eiface_devid_b= + [ "$no_derive" ] || derive_mac -2 $iface "$name" \ + eiface_devid_a eiface_devid_b + if [ "$eiface_devid_a" -a "$eiface_devid_b" ]; then + ifconfig "e${i}a_$name" ether $eiface_devid_a + ifconfig "e${i}b_$name" ether $eiface_devid_b + fi > /dev/null 2>&1 + + i=$(( $i + 1 )) + done # for iface +} + +jib_show_usage="show" +jib_show_descr="List possible NAME values for \`show NAME'" +jib_show1_usage="show NAME" +jib_show1_descr="Lists e0b_NAME [e1b_NAME ...]" +jib_show2_usage="show [NAME]" +jib_show() +{ + local OPTIND=1 OPTARG flag + while getopts "" flag; do + case "$flag" in + *) action_usage show2 # NOTREACHED + esac + done + shift $(( $OPTIND - 1 )) + if [ $# -eq 0 ]; then + ifconfig | awk ' + /^[^:[:space:]]+:/ { + iface = $1 + sub(/:.*/, "", iface) + next + } + $1 == "groups:" { + for (n = split($0, group); n > 1; n--) { + if (group[n] != "bridge") continue + print iface + next + } + }' | + xargs -rn1 ifconfig | + awk '$1 == "member:" && + sub(/^e[[:digit:]]+a_/, "", $2), $0 = $2' | + sort -u + return + fi + ifconfig | awk -v name="$1" ' + match($0, /^e[[:digit:]]+a_/) && sub(/:.*/, "") && + substr($1, RSTART + RLENGTH) == name + ' | sort +} + +jib_destroy_usage="destroy NAME" +jib_destroy_descr="Destroy e0b_NAME [e1b_NAME ...]" +jib_destroy() +{ + local OPTIND=1 OPTARG flag + while getopts "" flag; do + case "$flag" in + *) action_usage destroy # NOTREACHED + esac + done + shift $(( $OPTIND -1 )) + local name="$1" + [ "${name:-x}" = "${name#*[!0-9a-zA-Z_]}" -a $# -eq 1 ] || + action_usage destroy # NOTREACHED + mustberoot_to_continue + jib_show "$name" | xargs -rn1 -I eiface ifconfig eiface destroy +} + +############################################################ MAIN + +# +# Command-line arguments +# +action="$1" +[ "$action" ] || usage # NOTREACHED + +# +# Validate action argument +# +if [ "$BASH_VERSION" ]; then + type="$( type -t "jib_$action" )" || usage # NOTREACHED +else + type="$( type "jib_$action" 2> /dev/null )" || usage # NOTREACHED +fi +case "$type" in +*function) + shift 1 # action + eval "jib_$action" \"\$@\" + ;; +*) usage # NOTREACHED +esac + +################################################################################ +# END +################################################################################ diff --git a/conf/system/include/13.3/makewhatis b/conf/system/include/13.3/makewhatis new file mode 100755 index 0000000..1db97a7 Binary files /dev/null and b/conf/system/include/13.3/makewhatis differ diff --git a/conf/system/include/13.3/pf.os b/conf/system/include/13.3/pf.os new file mode 100644 index 0000000..e131d1b --- /dev/null +++ b/conf/system/include/13.3/pf.os @@ -0,0 +1,708 @@ +# $OpenBSD: pf.os,v 1.27 2016/09/03 17:08:57 sthen Exp $ +# passive OS fingerprinting +# ------------------------- +# +# SYN signatures. Those signatures work for SYN packets only (duh!). +# +# (C) Copyright 2000-2003 by Michal Zalewski +# (C) Copyright 2003 by Mike Frantzen +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +# +# +# This fingerprint database is adapted from Michal Zalewski's p0f passive +# operating system package. The last database sync was from a Nov 3 2003 +# p0f.fp. +# +# +# Each line in this file specifies a single fingerprint. Please read the +# information below carefully before attempting to append any signatures +# reported as UNKNOWN to this file to avoid mistakes. +# +# We use the following set metrics for fingerprinting: +# +# - Window size (WSS) - a highly OS dependent setting used for TCP/IP +# performance control (max. amount of data to be sent without ACK). +# Some systems use a fixed value for initial packets. On other +# systems, it is a multiple of MSS or MTU (MSS+40). In some rare +# cases, the value is just arbitrary. +# +# NEW SIGNATURE: if p0f reported a special value of 'Snn', the number +# appears to be a multiple of MSS (MSS*nn); a special value of 'Tnn' +# means it is a multiple of MTU ((MSS+40)*nn). Unless you notice the +# value of nn is not fixed (unlikely), just copy the Snn or Tnn token +# literally. If you know this device has a simple stack and a fixed +# MTU, you can however multiply S value by MSS, or T value by MSS+40, +# and put it instead of Snn or Tnn. +# +# If WSS otherwise looks like a fixed value (for example a multiple +# of two), or if you can confirm the value is fixed, please quote +# it literally. If there's no apparent pattern in WSS chosen, you +# should consider wildcarding this value. +# +# - Overall packet size - a function of all IP and TCP options and bugs. +# +# NEW SIGNATURE: Copy this value literally. +# +# - Initial TTL - We check the actual TTL of a received packet. It can't +# be higher than the initial TTL, and also shouldn't be dramatically +# lower (maximum distance is defined as 40 hops). +# +# NEW SIGNATURE: *Never* copy TTL from a p0f-reported signature literally. +# You need to determine the initial TTL. The best way to do it is to +# check the documentation for a remote system, or check its settings. +# A fairly good method is to simply round the observed TTL up to +# 32, 64, 128, or 255, but it should be noted that some obscure devices +# might not use round TTLs (in particular, some shoddy appliances use +# "original" initial TTL settings). If not sure, you can see how many +# hops you're away from the remote party with traceroute or mtr. +# +# - Don't fragment flag (DF) - some modern OSes set this to implement PMTU +# discovery. Others do not bother. +# +# NEW SIGNATURE: Copy this value literally. +# +# - Maximum segment size (MSS) - this setting is usually link-dependent. P0f +# uses it to determine link type of the remote host. +# +# NEW SIGNATURE: Always wildcard this value, except for rare cases when +# you have an appliance with a fixed value, know the system supports only +# a very limited number of network interface types, or know the system +# is using a value it pulled out of nowhere. Specific unique MSS +# can be used to tell Google crawlbots from the rest of the population. +# +# - Window scaling (WSCALE) - this feature is used to scale WSS. +# It extends the size of a TCP/IP window to 32 bits. Some modern +# systems implement this feature. +# +# NEW SIGNATURE: Observe several signatures. Initial WSCALE is often set +# to zero or other low value. There's usually no need to wildcard this +# parameter. +# +# - Timestamp - some systems that implement timestamps set them to +# zero in the initial SYN. This case is detected and handled appropriately. +# +# - Selective ACK permitted - a flag set by systems that implement +# selective ACK functionality. +# +# - The sequence of TCP all options (MSS, window scaling, selective ACK +# permitted, timestamp, NOP). Other than the options previously +# discussed, p0f also checks for timestamp option (a silly +# extension to broadcast your uptime ;-), NOP options (used for +# header padding) and sackOK option (selective ACK feature). +# +# NEW SIGNATURE: Copy the sequence literally. +# +# To wildcard any value (except for initial TTL or TCP options), replace +# it with '*'. You can also use a modulo operator to match any values +# that divide by nnn - '%nnn'. +# +# Fingerprint entry format: +# +# wwww:ttt:D:ss:OOO...:OS:Version:Subtype:Details +# +# wwww - window size (can be *, %nnn, Snn or Tnn). The special values +# "S" and "T" which are a multiple of MSS or a multiple of MTU +# respectively. +# ttt - initial TTL +# D - don't fragment bit (0 - not set, 1 - set) +# ss - overall SYN packet size +# OOO - option value and order specification (see below) +# OS - OS genre (Linux, Solaris, Windows) +# Version - OS Version (2.0.27 on x86, etc) +# Subtype - OS subtype or patchlevel (SP3, lo0) +# details - Generic OS details +# +# If OS genre starts with '*', p0f will not show distance, link type +# and timestamp data. It is useful for userland TCP/IP stacks of +# network scanners and so on, where many settings are randomized or +# bogus. +# +# If OS genre starts with @, it denotes an approximate hit for a group +# of operating systems (signature reporting still enabled in this case). +# Use this feature at the end of this file to catch cases for which +# you don't have a precise match, but can tell it's Windows or FreeBSD +# or whatnot by looking at, say, flag layout alone. +# +# Option block description is a list of comma or space separated +# options in the order they appear in the packet: +# +# N - NOP option +# Wnnn - window scaling option, value nnn (or * or %nnn) +# Mnnn - maximum segment size option, value nnn (or * or %nnn) +# S - selective ACK OK +# T - timestamp +# T0 - timestamp with a zero value +# +# To denote no TCP options, use a single '.'. +# +# Please report any additions to this file, or any inaccuracies or +# problems spotted, to the maintainers: lcamtuf@coredump.cx, +# frantzen@openbsd.org and bugs@openbsd.org with a tcpdump packet +# capture of the relevant SYN packet(s) +# +# A test and submission page is available at +# http://lcamtuf.coredump.cx/p0f-help/ +# +# +# WARNING WARNING WARNING +# ----------------------- +# +# Do not add a system X as OS Y just because NMAP says so. It is often +# the case that X is a NAT firewall. While nmap is talking to the +# device itself, p0f is fingerprinting the guy behind the firewall +# instead. +# +# When in doubt, use common sense, don't add something that looks like +# a completely different system as Linux or FreeBSD or LinkSys router. +# Check DNS name, establish a connection to the remote host and look +# at SYN+ACK - does it look similar? +# +# Some users tweak their TCP/IP settings - enable or disable RFC1323 +# functionality, enable or disable timestamps or selective ACK, +# disable PMTU discovery, change MTU and so on. Always compare a new rule +# to other fingerprints for this system, and verify the system isn't +# "customized" before adding it. It is OK to add signature variants +# caused by a commonly used software (personal firewalls, security +# packages, etc), but it makes no sense to try to add every single +# possible /proc/sys/net/ipv4 tweak on Linux or so. +# +# KEEP IN MIND: Some packet firewalls configured to normalize outgoing +# traffic (OpenBSD pf with "scrub" enabled, for example) will, well, +# normalize packets. Signatures will not correspond to the originating +# system (and probably not quite to the firewall either). +# +# NOTE: Try to keep this file in some reasonable order, from most to +# least likely systems. This will speed up operation. Also keep most +# generic and broad rules near the end. +# + +########################## +# Standard OS signatures # +########################## + +# ----------------- AIX --------------------- + +# AIX is first because its signatures are close to NetBSD, MacOS X and +# Linux 2.0, but it uses a fairly rare MSSes, at least sometimes... +# This is a shoddy hack, though. + +45046:64:0:44:M*: AIX:4.3::AIX 4.3 +16384:64:0:44:M512: AIX:4.3:2-3:AIX 4.3.2 and earlier + +16384:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2 +16384:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2 +32768:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2 +32768:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2 +65535:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2 +65535:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2 +65535:64:0:64:M*,N,W1,N,N,T,N,N,S: AIX:5.3:ML1:AIX 5.3 ML1 + +# ----------------- Linux ------------------- + +# S1:64:0:44:M*:A: Linux:1.2::Linux 1.2.x (XXX quirks support) +512:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x +16384:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x + +# Endian snafu! Nelson says "ha-ha": +2:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x (MkLinux) on Mac +64:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x (MkLinux) on Mac + + +S4:64:1:60:M1360,S,T,N,W0: Linux:google::Linux (Google crawlbot) + +S2:64:1:60:M*,S,T,N,W0: Linux:2.4::Linux 2.4 (big boy) +S3:64:1:60:M*,S,T,N,W0: Linux:2.4:.18-21:Linux 2.4.18 and newer +S4:64:1:60:M*,S,T,N,W0: Linux:2.4::Linux 2.4/2.6 <= 2.6.7 +S4:64:1:60:M*,S,T,N,W0: Linux:2.6:.1-7:Linux 2.4/2.6 <= 2.6.7 + +S4:64:1:60:M*,S,T,N,W5: Linux:2.6::Linux 2.6 (newer, 1) +S4:64:1:60:M*,S,T,N,W6: Linux:2.6::Linux 2.6 (newer, 2) +S4:64:1:60:M*,S,T,N,W7: Linux:2.6::Linux 2.6 (newer, 3) +T4:64:1:60:M*,S,T,N,W7: Linux:2.6::Linux 2.6 (newer, 4) + +S10:64:1:60:M*,S,T,N,W4: Linux:3.0::Linux 3.0 + +S3:64:1:60:M*,S,T,N,W1: Linux:2.5::Linux 2.5 (sometimes 2.4) +S4:64:1:60:M*,S,T,N,W1: Linux:2.5-2.6::Linux 2.5/2.6 +S3:64:1:60:M*,S,T,N,W2: Linux:2.5::Linux 2.5 (sometimes 2.4) +S4:64:1:60:M*,S,T,N,W2: Linux:2.5::Linux 2.5 (sometimes 2.4) + +S20:64:1:60:M*,S,T,N,W0: Linux:2.2:20-25:Linux 2.2.20 and newer +S22:64:1:60:M*,S,T,N,W0: Linux:2.2::Linux 2.2 +S11:64:1:60:M*,S,T,N,W0: Linux:2.2::Linux 2.2 + +# Popular cluster config scripts disable timestamps and +# selective ACK: +S4:64:1:48:M1460,N,W0: Linux:2.4:cluster:Linux 2.4 in cluster + +# This needs to be investigated. On some systems, WSS +# is selected as a multiple of MTU instead of MSS. I got +# many submissions for this for many late versions of 2.4: +T4:64:1:60:M1412,S,T,N,W0: Linux:2.4::Linux 2.4 (late, uncommon) + +# This happens only over loopback, but let's make folks happy: +32767:64:1:60:M16396,S,T,N,W0: Linux:2.4:lo0:Linux 2.4 (local) +S8:64:1:60:M3884,S,T,N,W0: Linux:2.2:lo0:Linux 2.2 (local) + +# Opera visitors: +16384:64:1:60:M*,S,T,N,W0: Linux:2.2:Opera:Linux 2.2 (Opera?) +32767:64:1:60:M*,S,T,N,W0: Linux:2.4:Opera:Linux 2.4 (Opera?) + +# Some fairly common mods: +S4:64:1:52:M*,N,N,S,N,W0: Linux:2.4:ts:Linux 2.4 w/o timestamps +S22:64:1:52:M*,N,N,S,N,W0: Linux:2.2:ts:Linux 2.2 w/o timestamps + + +# ----------------- FreeBSD ----------------- + +16384:64:1:44:M*: FreeBSD:2.0-2.2::FreeBSD 2.0-4.2 +16384:64:1:44:M*: FreeBSD:3.0-3.5::FreeBSD 2.0-4.2 +16384:64:1:44:M*: FreeBSD:4.0-4.2::FreeBSD 2.0-4.2 +16384:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.4::FreeBSD 4.4 + +1024:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.4::FreeBSD 4.4 + +57344:64:1:44:M*: FreeBSD:4.6-4.8:noRFC1323:FreeBSD 4.6-4.8 (no RFC1323) +57344:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.6-4.9::FreeBSD 4.6-4.9 + +32768:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.8-4.11::FreeBSD 4.8-5.1 (or MacOS X) +32768:64:1:60:M*,N,W0,N,N,T: FreeBSD:5.0-5.1::FreeBSD 4.8-5.1 (or MacOS X) +65535:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.8-4.11::FreeBSD 4.8-5.2 (or MacOS X) +65535:64:1:60:M*,N,W0,N,N,T: FreeBSD:5.0-5.2::FreeBSD 4.8-5.2 (or MacOS X) +65535:64:1:60:M*,N,W1,N,N,T: FreeBSD:4.7-4.11::FreeBSD 4.7-5.2 +65535:64:1:60:M*,N,W1,N,N,T: FreeBSD:5.0-5.2::FreeBSD 4.7-5.2 + +# XXX need quirks support +# 65535:64:1:60:M*,N,W0,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (1) +# 65535:64:1:60:M*,N,W1,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (2) +# 65535:64:1:60:M*,N,W2,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (3) +# 65535:64:1:44:M*:Z:FreeBSD:5.2::FreeBSD 5.2 (no RFC1323) + +# 16384:64:1:60:M*,N,N,N,N,N,N,T:FreeBSD:4.4:noTS:FreeBSD 4.4 (w/o timestamps) + +# ----------------- NetBSD ------------------ + +16384:64:0:60:M*,N,W0,N,N,T: NetBSD:1.3::NetBSD 1.3 +65535:64:0:60:M*,N,W0,N,N,T0: NetBSD:1.6:opera:NetBSD 1.6 (Opera) +16384:64:0:60:M*,N,W0,N,N,T0: NetBSD:1.6::NetBSD 1.6 +16384:64:1:60:M*,N,W0,N,N,T0: NetBSD:1.6:df:NetBSD 1.6 (DF) +65535:64:1:60:M*,N,W1,N,N,T0: NetBSD:1.6::NetBSD 1.6W-current (DF) +65535:64:1:60:M*,N,W0,N,N,T0: NetBSD:1.6::NetBSD 1.6X (DF) +32768:64:1:60:M*,N,W0,N,N,T0: NetBSD:1.6:randomization:NetBSD 1.6ZH-current (w/ ip_id randomization) + +# ----------------- OpenBSD ----------------- + +16384:64:0:60:M*,N,W0,N,N,T: OpenBSD:2.6::NetBSD 1.3 (or OpenBSD 2.6) +16384:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-4.8::OpenBSD 3.0-4.8 +16384:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-4.8:no-df:OpenBSD 3.0-4.8 (scrub no-df) +57344:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.3-4.0::OpenBSD 3.3-4.0 +57344:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.3-4.0:no-df:OpenBSD 3.3-4.0 (scrub no-df) + +65535:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-4.0:opera:OpenBSD 3.0-4.0 (Opera) + +16384:64:1:64:M*,N,N,S,N,W3,N,N,T: OpenBSD:4.9::OpenBSD 4.9 +16384:64:0:64:M*,N,N,S,N,W3,N,N,T: OpenBSD:4.9:no-df:OpenBSD 4.9 (scrub no-df) + +16384:64:1:64:M*,N,N,S,N,W6,N,N,T: OpenBSD:6.1::OpenBSD 6.1 +16384:64:0:64:M*,N,N,S,N,W6,N,N,T: OpenBSD:6.1:no-df:OpenBSD 6.1 (scrub no-df) + +# ----------------- DragonFly BSD ----------------- + +57344:64:1:60:M*,N,W0,N,N,T: DragonFly:1.0:A:DragonFly 1.0A +57344:64:0:64:M*,N,W0,N,N,S,N,N,T: DragonFly:1.2-1.12::DragonFly 1.2-1.12 +5840:64:1:60:M*,S,T,N,W4: DragonFly:2.0-2.1::DragonFly 2.0-2.1 +57344:64:0:64:M*,N,W0,N,N,S,N,N,T: DragonFly:2.2-2.3::DragonFly 2.2-2.3 +57344:64:0:64:M*,N,W5,N,N,S,N,N,T: DragonFly:2.4-2.7::DragonFly 2.4-2.7 + +# ----------------- Solaris ----------------- + +S17:64:1:64:N,W3,N,N,T0,N,N,S,M*: Solaris:8:RFC1323:Solaris 8 RFC1323 +S17:64:1:48:N,N,S,M*: Solaris:8::Solaris 8 +S17:255:1:44:M*: Solaris:2.5-2.7::Solaris 2.5 to 7 + +S6:255:1:44:M*: Solaris:2.6-2.7::Solaris 2.6 to 7 +S23:255:1:44:M*: Solaris:2.5:1:Solaris 2.5.1 +S34:64:1:48:M*,N,N,S: Solaris:2.9::Solaris 9 +S44:255:1:44:M*: Solaris:2.7::Solaris 7 + +4096:64:0:44:M1460: SunOS:4.1::SunOS 4.1.x + +S34:64:1:52:M*,N,W0,N,N,S: Solaris:10:beta:Solaris 10 (beta) +32850:64:1:64:M*,N,N,T,N,W1,N,N,S: Solaris:10::Solaris 10 1203 + +# ----------------- IRIX -------------------- + +49152:64:0:44:M*: IRIX:6.4::IRIX 6.4 +61440:64:0:44:M*: IRIX:6.2-6.5::IRIX 6.2-6.5 +49152:64:0:52:M*,N,W2,N,N,S: IRIX:6.5:RFC1323:IRIX 6.5 (RFC1323) +49152:64:0:52:M*,N,W3,N,N,S: IRIX:6.5:RFC1323:IRIX 6.5 (RFC1323) + +61440:64:0:48:M*,N,N,S: IRIX:6.5:12-21:IRIX 6.5.12 - 6.5.21 +49152:64:0:48:M*,N,N,S: IRIX:6.5:15-21:IRIX 6.5.15 - 6.5.21 + +49152:60:0:64:M*,N,W2,N,N,T,N,N,S: IRIX:6.5:IP27:IRIX 6.5 IP27 + + +# ----------------- Tru64 ------------------- + +32768:64:1:48:M*,N,W0: Tru64:4.0::Tru64 4.0 (or OS/2 Warp 4) +32768:64:0:48:M*,N,W0: Tru64:5.0::Tru64 5.0 +8192:64:0:44:M1460: Tru64:5.1:noRFC1323:Tru64 6.1 (no RFC1323) (or QNX 6) +61440:64:0:48:M*,N,W0: Tru64:5.1a:JP4:Tru64 v5.1a JP4 (or OpenVMS 7.x on Compaq 5.x stack) + +# ----------------- OpenVMS ----------------- + +6144:64:1:60:M*,N,W0,N,N,T: OpenVMS:7.2::OpenVMS 7.2 (Multinet 4.4 stack) + +# ----------------- MacOS ------------------- + +# XXX Need EOL tcp opt support +# S2:255:1:48:M*,W0,E:.:MacOS:8.6 classic + +# XXX some of these use EOL too +16616:255:1:48:M*,W0: MacOS:7.3-7.6:OTTCP:MacOS 7.3-8.6 (OTTCP) +16616:255:1:48:M*,W0: MacOS:8.0-8.6:OTTCP:MacOS 7.3-8.6 (OTTCP) +16616:255:1:48:M*,N,N,N: MacOS:8.1-8.6:OTTCP:MacOS 8.1-8.6 (OTTCP) +32768:255:1:48:M*,W0,N: MacOS:9.0-9.2::MacOS 9.0-9.2 +65535:255:1:48:M*,N,N,N,N: MacOS:9.1::MacOS 9.1 (OT 2.7.4) + + +# ----------------- Windows ----------------- + +# Windows TCP/IP stack is a mess. For most recent XP, 2000 and +# even 98, the patchlevel, not the actual OS version, is more +# relevant to the signature. They share the same code, so it would +# seem. Luckily for us, almost all Windows 9x boxes have an +# awkward MSS of 536, which I use to tell one from another +# in most difficult cases. + +8192:32:1:44:M*: Windows:3.11::Windows 3.11 (Tucows) +S44:64:1:64:M*,N,W0,N,N,T0,N,N,S: Windows:95::Windows 95 +8192:128:1:64:M*,N,W0,N,N,T0,N,N,S: Windows:95:b:Windows 95b + +# There were so many tweaking tools and so many stack versions for +# Windows 98 it is no longer possible to tell them from each other +# without some very serious research. Until then, there's an insane +# number of signatures, for your amusement: + +S44:32:1:48:M*,N,N,S: Windows:98:lowTTL:Windows 98 (low TTL) +8192:32:1:48:M*,N,N,S: Windows:98:lowTTL:Windows 98 (low TTL) +%8192:64:1:48:M536,N,N,S: Windows:98::Windows 98 +%8192:128:1:48:M536,N,N,S: Windows:98::Windows 98 +S4:64:1:48:M*,N,N,S: Windows:98::Windows 98 +S6:64:1:48:M*,N,N,S: Windows:98::Windows 98 +S12:64:1:48:M*,N,N,S: Windows:98::Windows 98 +T30:64:1:64:M1460,N,W0,N,N,T0,N,N,S: Windows:98::Windows 98 +32767:64:1:48:M*,N,N,S: Windows:98::Windows 98 +37300:64:1:48:M*,N,N,S: Windows:98::Windows 98 +46080:64:1:52:M*,N,W3,N,N,S: Windows:98:RFC1323:Windows 98 (RFC1323) +65535:64:1:44:M*: Windows:98:noSack:Windows 98 (no sack) +S16:128:1:48:M*,N,N,S: Windows:98::Windows 98 +S16:128:1:64:M*,N,W0,N,N,T0,N,N,S: Windows:98::Windows 98 +S26:128:1:48:M*,N,N,S: Windows:98::Windows 98 +T30:128:1:48:M*,N,N,S: Windows:98::Windows 98 +32767:128:1:52:M*,N,W0,N,N,S: Windows:98::Windows 98 +60352:128:1:48:M*,N,N,S: Windows:98::Windows 98 +60352:128:1:64:M*,N,W2,N,N,T0,N,N,S: Windows:98::Windows 98 + +# What's with 1414 on NT? +T31:128:1:44:M1414: Windows:NT:4.0:Windows NT 4.0 SP6a +64512:128:1:44:M1414: Windows:NT:4.0:Windows NT 4.0 SP6a +8192:128:1:44:M*: Windows:NT:4.0:Windows NT 4.0 (older) + +# Windows XP and 2000. Most of the signatures that were +# either dubious or non-specific (no service pack data) +# were deleted and replaced with generics at the end. + +65535:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4, XP SP1 +65535:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows 2000 SP4, XP SP1 +%8192:128:1:48:M*,N,N,S: Windows:2000:SP2+:Windows 2000 SP2, XP SP1 (seldom 98 4.10.2222) +%8192:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows 2000 SP2, XP SP1 (seldom 98 4.10.2222) +S20:128:1:48:M*,N,N,S: Windows:2000::Windows 2000/XP SP3 +S20:128:1:48:M*,N,N,S: Windows:XP:SP3:Windows 2000/XP SP3 +S45:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4, XP SP 1 +S45:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows 2000 SP4, XP SP 1 +40320:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4 + +S6:128:1:48:M*,N,N,S: Windows:2000:SP2:Windows XP, 2000 SP2+ +S6:128:1:48:M*,N,N,S: Windows:XP::Windows XP, 2000 SP2+ +S12:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows XP SP1 +S44:128:1:48:M*,N,N,S: Windows:2000:SP3:Windows Pro SP1, 2000 SP3 +S44:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows Pro SP1, 2000 SP3 +64512:128:1:48:M*,N,N,S: Windows:2000:SP3:Windows SP1, 2000 SP3 +64512:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows SP1, 2000 SP3 +32767:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows SP1, 2000 SP4 +32767:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows SP1, 2000 SP4 + +8192:128:1:52:M*,N,W2,N,N,S: Windows:Vista::Windows Vista/7 + +# Odds, ends, mods: + +S52:128:1:48:M1260,N,N,S: Windows:2000:cisco:Windows XP/2000 via Cisco +S52:128:1:48:M1260,N,N,S: Windows:XP:cisco:Windows XP/2000 via Cisco +65520:128:1:48:M*,N,N,S: Windows:XP::Windows XP bare-bone +16384:128:1:52:M536,N,W0,N,N,S: Windows:2000:ZoneAlarm:Windows 2000 w/ZoneAlarm? +2048:255:0:40:.: Windows:.NET::Windows .NET Enterprise Server + +44620:64:0:48:M*,N,N,S: Windows:ME::Windows ME no SP (?) +S6:255:1:48:M536,N,N,S: Windows:95:winsock2:Windows 95 winsock 2 +32768:32:1:52:M1460,N,W0,N,N,S: Windows:2003:AS:Windows 2003 AS + + +# No need to be more specific, it passes: +# *:128:1:48:M*,N,N,S:U:-Windows:XP/2000 while downloading (leak!) XXX quirk +# there is an equiv similar generic sig w/o the quirk + +# ----------------- HP/UX ------------------- + +32768:64:1:44:M*: HP-UX:B.10.20::HP-UX B.10.20 +32768:64:0:48:M*,W0,N: HP-UX:11.0::HP-UX 11.0 +32768:64:1:48:M*,W0,N: HP-UX:11.10::HP-UX 11.0 or 11.11 +32768:64:1:48:M*,W0,N: HP-UX:11.11::HP-UX 11.0 or 11.11 + +# Whoa. Hardcore WSS. +0:64:0:48:M*,W0,N: HP-UX:B.11.00:A:HP-UX B.11.00 A (RFC1323) + +# ----------------- RiscOS ------------------ + +# We don't yet support the ?12 TCP option +#16384:64:1:68:M1460,N,W0,N,N,T,N,N,?12: RISCOS:3.70-4.36::RISC OS 3.70-4.36 +12288:32:0:44:M536: RISC OS:3.70:4.10:RISC OS 3.70 inet 4.10 + +# XXX quirk +# 4096:64:1:56:M1460,N,N,T:T: RISC OS:3.70:freenet:RISC OS 3.70 freenet 2.00 + + + +# ----------------- BSD/OS ------------------ + +# Once again, power of two WSS is also shared by MacOS X with DF set +8192:64:1:60:M1460,N,W0,N,N,T: BSD/OS:3.1::BSD/OS 3.1-4.3 (or MacOS X 10.2 w/DF) +8192:64:1:60:M1460,N,W0,N,N,T: BSD/OS:4.0-4.3::BSD/OS 3.1-4.3 (or MacOS X 10.2) + + +# ---------------- NewtonOS ----------------- + +4096:64:0:44:M1420: NewtonOS:2.1::NewtonOS 2.1 + +# ---------------- NeXTSTEP ----------------- + +S4:64:0:44:M1024: NeXTSTEP:3.3::NeXTSTEP 3.3 +S8:64:0:44:M512: NeXTSTEP:3.3::NeXTSTEP 3.3 + +# ------------------ BeOS ------------------- + +1024:255:0:48:M*,N,W0: BeOS:5.0-5.1::BeOS 5.0-5.1 +12288:255:0:44:M1402: BeOS:5.0::BeOS 5.0.x + +# ------------------ OS/400 ----------------- + +8192:64:1:60:M1440,N,W0,N,N,T: OS/400:VR4::OS/400 VR4/R5 +8192:64:1:60:M1440,N,W0,N,N,T: OS/400:VR5::OS/400 VR4/R5 +4096:64:1:60:M1440,N,W0,N,N,T: OS/400:V4R5:CF67032:OS/400 V4R5 + CF67032 + +# XXX quirk +# 28672:64:0:44:M1460:A:OS/390:? + +# ------------------ ULTRIX ----------------- + +16384:64:0:40:.: ULTRIX:4.5::ULTRIX 4.5 + +# ------------------- QNX ------------------- + +S16:64:0:44:M512: QNX:::QNX demodisk + +# ------------------ Novell ----------------- + +16384:128:1:44:M1460: Novell:NetWare:5.0:Novel Netware 5.0 +6144:128:1:44:M1460: Novell:IntranetWare:4.11:Novell IntranetWare 4.11 +6144:128:1:44:M1368: Novell:BorderManager::Novell BorderManager ? + +6144:128:1:52:M*,W0,N,S,N,N: Novell:Netware:6:Novell Netware 6 SP3 + + +# ----------------- SCO ------------------ +S3:64:1:60:M1460,N,W0,N,N,T: SCO:UnixWare:7.1:SCO UnixWare 7.1 +S17:64:1:60:M1380,N,W0,N,N,T: SCO:UnixWare:7.1:SCO UnixWare 7.1.3 MP3 +S23:64:1:44:M1380: SCO:OpenServer:5.0:SCO OpenServer 5.0 + +# ------------------- DOS ------------------- + +2048:255:0:44:M536: DOS:WATTCP:1.05:DOS Arachne via WATTCP/1.05 +T2:255:0:44:M984: DOS:WATTCP:1.05Arachne:Arachne via WATTCP/1.05 (eepro) + +# ------------------ OS/2 ------------------- + +S56:64:0:44:M512: OS/2:4::OS/2 4 +28672:64:0:44:M1460: OS/2:4::OS/2 Warp 4.0 + +# ----------------- TOPS-20 ----------------- + +# Another hardcore MSS, one of the ACK leakers hunted down. +# XXX QUIRK 0:64:0:44:M1460:A:TOPS-20:version 7 +0:64:0:44:M1460: TOPS-20:7::TOPS-20 version 7 + +# ----------------- FreeMiNT ---------------- + +S44:255:0:44:M536: FreeMiNT:1:16A:FreeMiNT 1 patch 16A (Atari) + +# ------------------ AMIGA ------------------ + +# XXX TCP option 12 +# S32:64:1:56:M*,N,N,S,N,N,?12:.:AMIGA:3.9 BB2 with Miami stack + +# ------------------ Plan9 ------------------ + +65535:255:0:48:M1460,W0,N: Plan9:4::Plan9 edition 4 + +# ----------------- AMIGAOS ----------------- + +16384:64:1:48:M1560,N,N,S: AMIGAOS:3.9::AMIGAOS 3.9 BB2 MiamiDX + +########################################### +# Appliance / embedded / other signatures # +########################################### + +# ---------- Firewalls / routers ------------ + +S12:64:1:44:M1460: @Checkpoint:::Checkpoint (unknown 1) +S12:64:1:48:N,N,S,M1460: @Checkpoint:::Checkpoint (unknown 2) +4096:32:0:44:M1460: ExtremeWare:4.x::ExtremeWare 4.x + +# XXX TCP option 12 +# S32:64:0:68:M512,N,W0,N,N,T,N,N,?12:.:Nokia:IPSO w/Checkpoint NG FP3 +# S16:64:0:68:M1024,N,W0,N,N,T,N,N,?12:.:Nokia:IPSO 3.7 build 026 + +S4:64:1:60:W0,N,S,T,M1460: FortiNet:FortiGate:50:FortiNet FortiGate 50 + +8192:64:1:44:M1460: Eagle:::Eagle Secure Gateway + +S52:128:1:48:M1260,N,N,N,N: LinkSys:WRV54G::LinkSys WRV54G VPN router + + + +# ------- Switches and other stuff ---------- + +4128:255:0:44:M*: Cisco:::Cisco Catalyst 3500, 7500 etc +S8:255:0:44:M*: Cisco:12008::Cisco 12008 +60352:128:1:64:M1460,N,W2,N,N,T,N,N,S: Alteon:ACEswitch::Alteon ACEswitch +64512:128:1:44:M1370: Nortel:Contivity Client::Nortel Conectivity Client + + +# ---------- Caches and whatnots ------------ + +S4:64:1:52:M1460,N,N,S,N,W0: AOL:web cache::AOL web cache + +32850:64:1:64:N,W1,N,N,T,N,N,S,M*: NetApp:5.x::NetApp Data OnTap 5.x +16384:64:1:64:M1460,N,N,S,N,W0,N: NetApp:5.3:1:NetApp 5.3.1 +65535:64:0:64:M1460,N,N,S,N,W*,N,N,T: NetApp:5.3-5.5::NetApp 5.3-5.5 +65535:64:0:60:M1460,N,W0,N,N,T: NetApp:CacheFlow::NetApp CacheFlow +8192:64:1:64:M1460,N,N,S,N,W0,N,N,T: NetApp:5.2:1:NetApp NetCache 5.2.1 +20480:64:1:64:M1460,N,N,S,N,W0,N,N,T: NetApp:4.1::NetApp NetCache4.1 + +65535:64:0:60:M1460,N,W0,N,N,T: CacheFlow:4.1::CacheFlow CacheOS 4.1 +8192:64:0:60:M1380,N,N,N,N,N,N,T: CacheFlow:1.1::CacheFlow CacheOS 1.1 + +S4:64:0:48:M1460,N,N,S: Cisco:Content Engine::Cisco Content Engine + +27085:128:0:40:.: Dell:PowerApp cache::Dell PowerApp (Linux-based) + +65535:255:1:48:N,W1,M1460: Inktomi:crawler::Inktomi crawler +S1:255:1:60:M1460,S,T,N,W0: LookSmart:ZyBorg::LookSmart ZyBorg + +16384:255:0:40:.: Proxyblocker:::Proxyblocker (what's this?) + +65535:255:0:48:M*,N,N,S: Redline:::Redline T|X 2200 + +32696:128:0:40:M1460: Spirent:Avalanche::Spirent Web Avalanche HTTP benchmarking engine + +# ----------- Embedded systems -------------- + +S9:255:0:44:M536: PalmOS:Tungsten:C:PalmOS Tungsten C +S5:255:0:44:M536: PalmOS:3::PalmOS 3/4 +S5:255:0:44:M536: PalmOS:4::PalmOS 3/4 +S4:255:0:44:M536: PalmOS:3:5:PalmOS 3.5 +2948:255:0:44:M536: PalmOS:3:5:PalmOS 3.5.3 (Handera) +S29:255:0:44:M536: PalmOS:5::PalmOS 5.0 +16384:255:0:44:M1398: PalmOS:5.2:Clie:PalmOS 5.2 (Clie) +S14:255:0:44:M1350: PalmOS:5.2:Treo:PalmOS 5.2.1 (Treo) + +S23:64:1:64:N,W1,N,N,T,N,N,S,M1460: SymbianOS:7::SymbianOS 7 + +8192:255:0:44:M1460: SymbianOS:6048::Symbian OS 6048 (Nokia 7650?) +8192:255:0:44:M536: SymbianOS:9210::Symbian OS (Nokia 9210?) +S22:64:1:56:M1460,T,S: SymbianOS:P800::Symbian OS ? (SE P800?) +S36:64:1:56:M1360,T,S: SymbianOS:6600::Symbian OS 60xx (Nokia 6600?) + + +# Perhaps S4? +5840:64:1:60:M1452,S,T,N,W1: Zaurus:3.10::Zaurus 3.10 + +32768:128:1:64:M1460,N,W0,N,N,T0,N,N,S: PocketPC:2002::PocketPC 2002 + +S1:255:0:44:M346: Contiki:1.1:rc0:Contiki 1.1-rc0 + +4096:128:0:44:M1460: Sega:Dreamcast:3.0:Sega Dreamcast Dreamkey 3.0 +T5:64:0:44:M536: Sega:Dreamcast:HKT-3020:Sega Dreamcast HKT-3020 (browser disc 51027) +S22:64:1:44:M1460: Sony:PS2::Sony Playstation 2 (SOCOM?) + +S12:64:0:44:M1452: AXIS:5600:v5.64:AXIS Printer Server 5600 v5.64 + +3100:32:1:44:M1460: Windows:CE:2.0:Windows CE 2.0 + +#################### +# Fancy signatures # +#################### + +1024:64:0:40:.: *NMAP:syn scan:1:NMAP syn scan (1) +2048:64:0:40:.: *NMAP:syn scan:2:NMAP syn scan (2) +3072:64:0:40:.: *NMAP:syn scan:3:NMAP syn scan (3) +4096:64:0:40:.: *NMAP:syn scan:4:NMAP syn scan (4) + +# Requires quirks support +# 1024:64:0:40:.:A:*NMAP:TCP sweep probe (1) +# 2048:64:0:40:.:A:*NMAP:TCP sweep probe (2) +# 3072:64:0:40:.:A:*NMAP:TCP sweep probe (3) +# 4096:64:0:40:.:A:*NMAP:TCP sweep probe (4) + +1024:64:0:60:W10,N,M265,T: *NMAP:OS:1:NMAP OS detection probe (1) +2048:64:0:60:W10,N,M265,T: *NMAP:OS:2:NMAP OS detection probe (2) +3072:64:0:60:W10,N,M265,T: *NMAP:OS:3:NMAP OS detection probe (3) +4096:64:0:60:W10,N,M265,T: *NMAP:OS:4:NMAP OS detection probe (4) + +32767:64:0:40:.: *NAST:::NASTsyn scan + +# Requires quirks support +# 12345:255:0:40:.:A:-p0f:sendsyn utility + + +##################################### +# Generic signatures - just in case # +##################################### + +#*:64:1:60:M*,N,W*,N,N,T: @FreeBSD:4.0-4.9::FreeBSD 4.x/5.x +#*:64:1:60:M*,N,W*,N,N,T: @FreeBSD:5.0-5.1::FreeBSD 4.x/5.x + +*:128:1:52:M*,N,W0,N,N,S: @Windows:XP:RFC1323:Windows XP/2000 (RFC1323 no tstamp) +*:128:1:52:M*,N,W0,N,N,S: @Windows:2000:RFC1323:Windows XP/2000 (RFC1323 no tstamp) +*:128:1:52:M*,N,W*,N,N,S: @Windows:XP:RFC1323:Windows XP/2000 (RFC1323 no tstamp) +*:128:1:52:M*,N,W*,N,N,S: @Windows:2000:RFC1323:Windows XP/2000 (RFC1323 no tstamp) +*:128:1:64:M*,N,W0,N,N,T0,N,N,S: @Windows:XP:RFC1323:Windows XP/2000 (RFC1323) +*:128:1:64:M*,N,W0,N,N,T0,N,N,S: @Windows:2000:RFC1323:Windows XP/2000 (RFC1323) +*:128:1:64:M*,N,W*,N,N,T0,N,N,S: @Windows:XP:RFC1323:Windows XP (RFC1323, w+) +*:128:1:48:M536,N,N,S: @Windows:98::Windows 98 +*:128:1:48:M*,N,N,S: @Windows:XP::Windows XP/2000 +*:128:1:48:M*,N,N,S: @Windows:2000::Windows XP/2000 + + diff --git a/conf/system/include/13.3/pfctl b/conf/system/include/13.3/pfctl new file mode 100755 index 0000000..07fca24 Binary files /dev/null and b/conf/system/include/13.3/pfctl differ diff --git a/conf/system/include/13.3/pfilctl b/conf/system/include/13.3/pfilctl new file mode 100755 index 0000000..5ac2439 Binary files /dev/null and b/conf/system/include/13.3/pfilctl differ diff --git a/conf/system/include/13.3/pflogd b/conf/system/include/13.3/pflogd new file mode 100755 index 0000000..04a4c05 Binary files /dev/null and b/conf/system/include/13.3/pflogd differ diff --git a/conf/system/include/13.3/setfib b/conf/system/include/13.3/setfib new file mode 100755 index 0000000..36874cb Binary files /dev/null and b/conf/system/include/13.3/setfib differ diff --git a/conf/system/include/13.3/sum b/conf/system/include/13.3/sum new file mode 100755 index 0000000..9cd45d3 Binary files /dev/null and b/conf/system/include/13.3/sum differ diff --git a/gui/bastille_manager_tarballs.php b/gui/bastille_manager_tarballs.php index 8d5d9c3..4b97083 100644 --- a/gui/bastille_manager_tarballs.php +++ b/gui/bastille_manager_tarballs.php @@ -72,6 +72,7 @@ $sphere_array = $rel_list; if ($linux_compat_support == "YES"): $a_action = [ + '13.3-RELEASE' => gettext('13.3-RELEASE'), '13.2-RELEASE' => gettext('13.2-RELEASE'), '13.1-RELEASE' => gettext('13.1-RELEASE'), '13.0-RELEASE' => gettext('13.0-RELEASE'), @@ -91,6 +92,7 @@ if ($linux_compat_support == "YES"): ]; else: $a_action = [ + '13.3-RELEASE' => gettext('13.3-RELEASE'), '13.2-RELEASE' => gettext('13.2-RELEASE'), '13.1-RELEASE' => gettext('13.1-RELEASE'), '13.0-RELEASE' => gettext('13.0-RELEASE'), diff --git a/version b/version index c1847bf..ba7b2f7 100644 --- a/version +++ b/version @@ -1 +1 @@ -1.1.31 +1.1.32