From dfb1bfaf7b88a914ae2a384a0f30bdafaebc9125 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Wed, 11 Dec 2013 21:59:22 +0100
Subject: [PATCH 1/6] Always create squid.conf.
In some cases, /var/ipfire/proxy/squid.conf does not belong to nobody:nobody, so we do this explicitely.
---
 config/rootfiles/common/configroot | 1 +
 lfs/configroot | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot
index 8965ff70e..5a169d8d8 100644
--- a/config/rootfiles/common/configroot
+++ b/config/rootfiles/common/configroot
@@ -144,6 +144,7 @@ var/ipfire/proxy
 #var/ipfire/proxy/calamaris
 #var/ipfire/proxy/calamaris/bin
 #var/ipfire/proxy/settings
+#var/ipfire/proxy/squid.conf
 var/ipfire/qos
 #var/ipfire/qos/bin
 #var/ipfire/qos/bin/RRD-func.pl
diff --git a/lfs/configroot b/lfs/configroot
index 118523685..1260ceb61 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -67,7 +67,7 @@ $(TARGET) :
 ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extrahd/settings fwlogs/ipsettings fwlogs/portsettings \
 isdn/settings mac/settings main/disable_nf_sip main/hosts main/routing main/settings net-traffic/settings optionsfw/settings outgoing/settings outgoing/rules \
 ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \
- ppp/settings-5 ppp/settings proxy/settings proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \
+ ppp/settings-5 ppp/settings proxy/settings proxy/squid.conf proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \
 qos/tosconfig snort/settings tripwire/settings upnp/settings vpn/config vpn/settings vpn/ipsec.conf \
 vpn/ipsec.secrets vpn/caconfig wakeonlan/clients.conf wireless/config wireless/settings; do \
 touch $(CONFIG_ROOT)/$$i; \
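Review bot: Adding `proxy/squid.conf` to the `touch` loop creates the file, but nothing in this hunk sets the owner that the commit message names as the actual problem (`nobody:nobody`), so the file comes out with whatever uid and umask the build runs under. If a `chown`/`chmod` covering `$(CONFIG_ROOT)/proxy` follows later in the recipe that is fine, but it lies outside the hunk and a comment pointing at it would help; otherwise an explicit `chown nobody:nobody $(CONFIG_ROOT)/proxy/squid.conf` after the loop would match the stated intent. The `$(TARGET)` recipe continues outside the hunk on both sides.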
From cfb00625b8224e929ecc4a2610bbe153f7ead475 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Thu, 12 Dec 2013 21:15:24 +0100
Subject: [PATCH 2/6] strongswan: Disable rdrand plugin.
Disabled because of security concerns.
---
 config/rootfiles/common/i586/strongswan-padlock | 1 -
 lfs/strongswan | 6 ++----
 2 files changed, 2 insertions(+), 5 deletions(-)
diff --git a/config/rootfiles/common/i586/strongswan-padlock b/config/rootfiles/common/i586/strongswan-padlock
index 4ebfc75b9..02aa457d3 100644
--- a/config/rootfiles/common/i586/strongswan-padlock
+++ b/config/rootfiles/common/i586/strongswan-padlock
@@ -1,2 +1 @@
 usr/lib/ipsec/plugins/libstrongswan-padlock.so
-usr/lib/ipsec/plugins/libstrongswan-rdrand.so
diff --git a/lfs/strongswan b/lfs/strongswan
index c7abf7a4d..495d03599 100644
--- a/lfs/strongswan
+++ b/lfs/strongswan
@@ -34,12 +34,10 @@ TARGET = $(DIR_INFO)/$(THISAPP)
 ifeq "$(MACHINE)" "i586"
 CONFIGURE_OPTIONS = \
- --enable-padlock \
- --enable-rdrand
+ --enable-padlock
 else
 CONFIGURE_OPTIONS = \
- --disable-padlock \
- --disable-rdrand
+ --disable-padlock
 endif
 ###############################################################################
From a1365ee37ccffa2be499d483ff1356d9f71013de Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Thu, 12 Dec 2013 21:17:53 +0100
Subject: [PATCH 3/6] httpscert: Use regular random source.
Previous to this patch, the kernel image file and internal configuration settings have been used as a source for random data, which is not random at all.
---
 src/scripts/httpscert | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/src/scripts/httpscert b/src/scripts/httpscert
index fb2d64bac..ff48b602e 100644
--- a/src/scripts/httpscert
+++ b/src/scripts/httpscert
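Review bot: In the lfs/strongswan hunk the non-i586 branch of `CONFIGURE_OPTIONS` drops `--disable-rdrand` rather than keeping it, so whether the rdrand plugin gets built now depends on strongSwan's configure default instead of on this file. Keeping an explicit `--disable-rdrand \` in both branches would pin the intent against a change of the upstream default, and a comment such as `# rdrand plugin deliberately not built, see commit cfb00625` would keep a later maintainer from re-adding it as a missing feature. The upstream default is, as far as I know, disabled, which is presumably why the author considered the plain removal sufficient; the commit message's "security concerns" is the only rationale recorded, so the comment should carry it into the file. Note that the rootfile hunk removes `libstrongswan-rdrand.so` only for i586, which is consistent with the plugin never having been built elsewhere.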
@@ -6,13 +6,9 @@
 # See how we were called.
 case "$1" in
 new)
- # set temporary random file
- export RANDFILE=/root/.rnd
 if [ ! -f /etc/httpd/server.key ]; then
 echo "Generating https server key."
- /usr/bin/openssl genrsa -rand \
- /boot/vmlinuz:CONFIG_ROOT/ethernet/settings -out \
- /etc/httpd/server.key 1024
+ /usr/bin/openssl genrsa -out /etc/httpd/server.key 1024
 fi
 echo "Generating CSR"
 /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
@@ -21,9 +17,6 @@ case "$1" in
 /usr/bin/openssl x509 -req -days 999999 -in \
 /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
 /etc/httpd/server.crt
- # unset and remove random file
- export -n RANDFILE
- rm -f /root/.rnd
 ;;
 read)
 if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then
From 325aa1e1f4b1948fe3dbd1bb6c65d056b1bebe29 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Thu, 12 Dec 2013 21:18:56 +0100
Subject: [PATCH 4/6] httpscert: Increase size of the RSA key to 4096.
RSA keys with length of 1024 bits are considered weak.
---
 src/scripts/httpscert | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/scripts/httpscert b/src/scripts/httpscert
index ff48b602e..d0e23fa7f 100644
--- a/src/scripts/httpscert
+++ b/src/scripts/httpscert
@@ -8,7 +8,7 @@ case "$1" in
 new)
 if [ ! -f /etc/httpd/server.key ]; then
 echo "Generating https server key."
- /usr/bin/openssl genrsa -out /etc/httpd/server.key 1024
+ /usr/bin/openssl genrsa -out /etc/httpd/server.key 4096
 fi
 echo "Generating CSR"
 /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
From 6c859e038223d4c6ec8535b7b7e635d9ef7fac1f Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Thu, 12 Dec 2013 21:20:56 +0100
Subject: [PATCH 5/6] core74: Add httpscert script.
---
 config/rootfiles/core/74/filelists/files | 1 +
 1 file changed, 1 insertion(+)
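Review bot: The new `/usr/bin/openssl genrsa -out /etc/httpd/server.key 1024` line writes the private key with the caller's current umask and never checks its exit status, so a failed key generation still falls through to the CSR and the `x509 -signkey` step with the same success messages printed. Unless a `umask` is set earlier in the script (outside this hunk), a `umask 077` before the call, or a `chmod 600 /etc/httpd/server.key` right after it, keeps the key from being world-readable, and `/usr/bin/openssl genrsa -out /etc/httpd/server.key 1024 || exit 1` makes the failure visible instead of silent. Dropping the `-rand /boot/vmlinuz:...` seeding is the right call; the only thing worth recording in a comment is that the default OpenSSL entropy source is now intentionally relied on. The `new)` arm continues outside the hunk.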
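Review bot: Raising the size to 4096 only takes effect on systems that have no `/etc/httpd/server.key` yet, because the visible `if [ ! -f /etc/httpd/server.key ]; then` guard skips generation whenever a key exists, so every installation that already carries a 1024-bit key (the case the commit message calls weak) keeps it. If the core 74 update that ships this script (patch 5/6) is meant to move existing systems to 4096 bits, something in the update has to remove or rotate the old key and run `httpscert new` again, or the guard needs to inspect the existing key's size rather than its mere presence; I cannot see such a step in this series. A one-line comment above the guard, e.g. `# existing keys are never regenerated here, regardless of size`, would at least make the limitation explicit. The `new)` arm continues outside the hunk.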
diff --git a/config/rootfiles/core/74/filelists/files b/config/rootfiles/core/74/filelists/files
index 5a874e7b3..52d01785d 100644
--- a/config/rootfiles/core/74/filelists/files
+++ b/config/rootfiles/core/74/filelists/files
@@ -2,5 +2,6 @@ etc/system-release
 etc/issue
 srv/web/ipfire/cgi-bin/dnsforward.cgi
 srv/web/ipfire/cgi-bin/proxy.cgi
+usr/local/bin/httpscert
 var/ipfire/header.pl
 var/ipfire/langs
From 5cd3a05bf0653726834489c87b80064584e6073b Mon Sep 17 00:00:00 2001
From: Arne Fitzenreiter
Date: Sat, 14 Dec 2013 22:01:16 +0100
Subject: [PATCH 6/6] finalize core 74.
---
 make.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/make.sh b/make.sh
index c90e89d4a..37fa1c805 100755
--- a/make.sh
+++ b/make.sh
@@ -26,7 +26,7 @@ NAME="IPFire" # Software name
 SNAME="ipfire" # Short name
 VERSION="2.13" # Version number
 CORE="74" # Core Level (Filename)
-PAKFIRE_CORE="73" # Core Level (PAKFIRE)
+PAKFIRE_CORE="74" # Core Level (PAKFIRE)
 GIT_BRANCH=`git status | head -n1 | cut -d" " -f4` # Git Branch
 SLOGAN="www.ipfire.org" # Software slogan
 CONFIG_ROOT=/var/ipfire # Configuration rootdir