Merge branch 'master' into next

config/ca-certificates/build.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+
+set -e
+
+# Create file layout.
+mkdir -pv certs certs/legacy-default certs/legacy-disable
+cp certdata.txt ipfire-ca.crt certs
+cd certs
+
+python ../certdata2pem.py
+
+cd ..
+cat <<EOF > ca-bundle.crt
+# This is a bundle of X.509 certificates of public Certificate
+# Authorities.  It was generated from the Mozilla root CA list.
+# 
+# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
+#
+EOF
+
+cat <<EOF > ca-bundle.trust.crt
+# This is a bundle of X.509 certificates of public Certificate
+# Authorities.  It was generated from the Mozilla root CA list.
+# These certificates are in the OpenSSL "TRUSTED CERTIFICATE"
+# format and have trust bits set accordingly.
+#
+# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
+#
+EOF
+
+for f in certs/*.crt; do 
+	[ -z "${f}" ] && continue
+
+	tbits=$(sed -n '/^# openssl-trust/{s/^.*=//;p;}' ${f})
+	case "${tbits}" in
+		*serverAuth*)
+			openssl x509 -text -in "${f}" >> ca-bundle.crt
+			;;
+	esac
+
+	if [ -n "$tbits" ]; then
+		targs=""
+		for t in ${tbits}; do
+			targs="${targs} -addtrust ${t}"
+		done
+
+		openssl x509 -text -in "${f}" -trustout $targs >> ca-bundle.trust.crt
+	fi
+done
+
+exit 0

config/ca-certificates/certdata2pem.py

@@ -0,0 +1,243 @@
+#!/usr/bin/python
+# vim:set et sw=4:
+#
+# certdata2pem.py - splits certdata.txt into multiple files
+#
+# Copyright (C) 2009 Philipp Kern <pkern@debian.org>
+# Copyright (C) 2013 Kai Engert <kaie@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301,
+# USA.
+
+import base64
+import os.path
+import re
+import sys
+import textwrap
+import urllib
+
+objects = []
+
+def printable_serial(obj):
+  return ".".join(map(lambda x:str(ord(x)), obj['CKA_SERIAL_NUMBER']))
+
+# Dirty file parser.
+in_data, in_multiline, in_obj = False, False, False
+field, type, value, obj = None, None, None, dict()
+for line in open('certdata.txt', 'r'):
+    # Ignore the file header.
+    if not in_data:
+        if line.startswith('BEGINDATA'):
+            in_data = True
+        continue
+    # Ignore comment lines.
+    if line.startswith('#'):
+        continue
+    # Empty lines are significant if we are inside an object.
+    if in_obj and len(line.strip()) == 0:
+        objects.append(obj)
+        obj = dict()
+        in_obj = False
+        continue
+    if len(line.strip()) == 0:
+        continue
+    if in_multiline:
+        if not line.startswith('END'):
+            if type == 'MULTILINE_OCTAL':
+                line = line.strip()
+                for i in re.finditer(r'\\([0-3][0-7][0-7])', line):
+                    value += chr(int(i.group(1), 8))
+            else:
+                value += line
+            continue
+        obj[field] = value
+        in_multiline = False
+        continue
+    if line.startswith('CKA_CLASS'):
+        in_obj = True
+    line_parts = line.strip().split(' ', 2)
+    if len(line_parts) > 2:
+        field, type = line_parts[0:2]
+        value = ' '.join(line_parts[2:])
+    elif len(line_parts) == 2:
+        field, type = line_parts
+        value = None
+    else:
+        raise NotImplementedError, 'line_parts < 2 not supported.\n' + line
+    if type == 'MULTILINE_OCTAL':
+        in_multiline = True
+        value = ""
+        continue
+    obj[field] = value
+if len(obj.items()) > 0:
+    objects.append(obj)
+
+# Build up trust database.
+trustmap = dict()
+for obj in objects:
+    if obj['CKA_CLASS'] != 'CKO_NSS_TRUST':
+        continue
+    key = obj['CKA_LABEL'] + printable_serial(obj)
+    trustmap[key] = obj
+    print " added trust", key
+
+# Build up cert database.
+certmap = dict()
+for obj in objects:
+    if obj['CKA_CLASS'] != 'CKO_CERTIFICATE':
+        continue
+    key = obj['CKA_LABEL'] + printable_serial(obj)
+    certmap[key] = obj
+    print " added cert", key
+
+def obj_to_filename(obj):
+    label = obj['CKA_LABEL'][1:-1]
+    label = label.replace('/', '_')\
+        .replace(' ', '_')\
+        .replace('(', '=')\
+        .replace(')', '=')\
+        .replace(',', '_')
+    label = re.sub(r'\\x[0-9a-fA-F]{2}', lambda m:chr(int(m.group(0)[2:], 16)), label)
+    serial = printable_serial(obj)
+    return label + ":" + serial
+
+trust_types = {
+  "CKA_TRUST_DIGITAL_SIGNATURE": "digital-signature",
+  "CKA_TRUST_NON_REPUDIATION": "non-repudiation",
+  "CKA_TRUST_KEY_ENCIPHERMENT": "key-encipherment",
+  "CKA_TRUST_DATA_ENCIPHERMENT": "data-encipherment",
+  "CKA_TRUST_KEY_AGREEMENT": "key-agreement",
+  "CKA_TRUST_KEY_CERT_SIGN": "cert-sign",
+  "CKA_TRUST_CRL_SIGN": "crl-sign",
+  "CKA_TRUST_SERVER_AUTH": "server-auth",
+  "CKA_TRUST_CLIENT_AUTH": "client-auth",
+  "CKA_TRUST_CODE_SIGNING": "code-signing",
+  "CKA_TRUST_EMAIL_PROTECTION": "email-protection",
+  "CKA_TRUST_IPSEC_END_SYSTEM": "ipsec-end-system",
+  "CKA_TRUST_IPSEC_TUNNEL": "ipsec-tunnel",
+  "CKA_TRUST_IPSEC_USER": "ipsec-user",
+  "CKA_TRUST_TIME_STAMPING": "time-stamping",
+  "CKA_TRUST_STEP_UP_APPROVED": "step-up-approved",
+}
+
+legacy_trust_types = {
+  "LEGACY_CKA_TRUST_SERVER_AUTH": "server-auth",
+  "LEGACY_CKA_TRUST_CODE_SIGNING": "code-signing",
+  "LEGACY_CKA_TRUST_EMAIL_PROTECTION": "email-protection",
+}
+
+legacy_to_real_trust_types = {
+  "LEGACY_CKA_TRUST_SERVER_AUTH": "CKA_TRUST_SERVER_AUTH",
+  "LEGACY_CKA_TRUST_CODE_SIGNING": "CKA_TRUST_CODE_SIGNING",
+  "LEGACY_CKA_TRUST_EMAIL_PROTECTION": "CKA_TRUST_EMAIL_PROTECTION",
+}
+
+openssl_trust = {
+  "CKA_TRUST_SERVER_AUTH": "serverAuth",
+  "CKA_TRUST_CLIENT_AUTH": "clientAuth",
+  "CKA_TRUST_CODE_SIGNING": "codeSigning",
+  "CKA_TRUST_EMAIL_PROTECTION": "emailProtection",
+}
+
+for tobj in objects:
+    if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST':
+        key = tobj['CKA_LABEL'] + printable_serial(tobj)
+        print "producing trust for " + key
+        trustbits = []
+        distrustbits = []
+        openssl_trustflags = []
+        openssl_distrustflags = []
+        legacy_trustbits = []
+        legacy_openssl_trustflags = []
+        for t in trust_types.keys():
+            if tobj.has_key(t) and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR':
+                trustbits.append(t)
+                if t in openssl_trust:
+                    openssl_trustflags.append(openssl_trust[t])
+            if tobj.has_key(t) and tobj[t] == 'CKT_NSS_NOT_TRUSTED':
+                distrustbits.append(t)
+                if t in openssl_trust:
+                    openssl_distrustflags.append(openssl_trust[t])
+
+        for t in legacy_trust_types.keys():
+            if tobj.has_key(t) and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR':
+                real_t = legacy_to_real_trust_types[t]
+                legacy_trustbits.append(real_t)
+                if real_t in openssl_trust:
+                    legacy_openssl_trustflags.append(openssl_trust[real_t])
+            if tobj.has_key(t) and tobj[t] == 'CKT_NSS_NOT_TRUSTED':
+                raise NotImplementedError, 'legacy distrust not supported.\n' + line
+
+        fname = obj_to_filename(tobj)
+        try:
+            obj = certmap[key]
+        except:
+            obj = None
+
+        if obj != None:
+            fname += ".crt"
+        else:
+            fname += ".p11-kit"
+
+        is_legacy = 0
+        if tobj.has_key('LEGACY_CKA_TRUST_SERVER_AUTH') or tobj.has_key('LEGACY_CKA_TRUST_EMAIL_PROTECTION') or tobj.has_key('LEGACY_CKA_TRUST_CODE_SIGNING'):
+            is_legacy = 1
+            if obj == None:
+                raise NotImplementedError, 'found legacy trust without certificate.\n' + line
+            legacy_fname = "legacy-default/" + fname
+            f = open(legacy_fname, 'w')
+            f.write("# alias=%s\n"%tobj['CKA_LABEL'])
+            f.write("# trust=" + " ".join(legacy_trustbits) + "\n")
+            if legacy_openssl_trustflags:
+                f.write("# openssl-trust=" + " ".join(legacy_openssl_trustflags) + "\n")
+            f.write("-----BEGIN CERTIFICATE-----\n")
+            f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))
+            f.write("\n-----END CERTIFICATE-----\n")
+            f.close()
+            if tobj.has_key('CKA_TRUST_SERVER_AUTH') or tobj.has_key('CKA_TRUST_EMAIL_PROTECTION') or tobj.has_key('CKA_TRUST_CODE_SIGNING'):
+                fname = "legacy-disable/" + fname
+            else:
+                continue
+
+        f = open(fname, 'w')
+        if obj != None:
+            f.write("# alias=%s\n"%tobj['CKA_LABEL'])
+            f.write("# trust=" + " ".join(trustbits) + "\n")
+            f.write("# distrust=" + " ".join(distrustbits) + "\n")
+            if openssl_trustflags:
+                f.write("# openssl-trust=" + " ".join(openssl_trustflags) + "\n")
+            if openssl_distrustflags:
+                f.write("# openssl-distrust=" + " ".join(openssl_distrustflags) + "\n")
+            f.write("-----BEGIN CERTIFICATE-----\n")
+            f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))
+            f.write("\n-----END CERTIFICATE-----\n")
+        else:
+            f.write("[p11-kit-object-v1]\n")
+            f.write("label: ");
+            f.write(tobj['CKA_LABEL']);
+            f.write("\n")
+            f.write("class: certificate\n")
+            f.write("certificate-type: x-509\n")
+            f.write("issuer: \"");
+            f.write(urllib.quote(tobj['CKA_ISSUER']));
+            f.write("\"\n")
+            f.write("serial-number: \"");
+            f.write(urllib.quote(tobj['CKA_SERIAL_NUMBER']));
+            f.write("\"\n")
+            if (tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED'):
+              f.write("x-distrusted: true\n")
+            f.write("\n\n")
+        f.close()
+        print " -> written as '%s', trust = %s, openssl-trust = %s, distrust = %s, openssl-distrust = %s" % (fname, trustbits, openssl_trustflags, distrustbits, openssl_distrustflags)

config/ca-certificates/ipfire-ca.crt

@@ -0,0 +1,42 @@
+# alias="IPFire CA"
+# trust=CKA_TRUST_SERVER_AUTH
+# distrust=
+# openssl-trust=serverAuth
+-----BEGIN CERTIFICATE-----
+MIIGrDCCBJSgAwIBAgIJAJIvs+XE5h41MA0GCSqGSIb3DQEBDQUAMGgxCzAJBgNV
+BAYTAkRFMRcwFQYDVQQKDA5JUEZpcmUgUHJvamVjdDEaMBgGA1UEAwwRSVBGaXJl
+IFByb2plY3QgQ0ExJDAiBgkqhkiG9w0BCQEWFWNlcnRtYXN0ZXJAaXBmaXJlLm9y
+ZzAeFw0xNTAxMzExNzMyNDFaFw0yNTAxMjgxNzMyNDFaMGgxCzAJBgNVBAYTAkRF
+MRcwFQYDVQQKDA5JUEZpcmUgUHJvamVjdDEaMBgGA1UEAwwRSVBGaXJlIFByb2pl
+Y3QgQ0ExJDAiBgkqhkiG9w0BCQEWFWNlcnRtYXN0ZXJAaXBmaXJlLm9yZzCCAiIw
+DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANjqPsfhHX2Zg5nat3ZT0XdbWqVu
+z0G2Supepa8eWzPtxIC6NDt8gAPGQcbgqL2gIYrUISaNQ3R99/XCWdu398cliw+6
+z9W1dh/YHzjyHDqpV+C6ufNuw2n4D4E9TfgZzlMnk3iluYOXJXZUN8T0PQbP3oHV
+KfH0fIlrj7LVT9cewLjpe2XzuevyBxqK42ioR0ax+yaZPxS3eHWdPpqRitfGFIx9
+O9jgj465z6Y0S7n6Z3cV49IN5ZvSBTAZYuBNlW5bEgOpqC13CJZMbOLS8wUbh4Ql
+Mklpo0dF3yYZne4Za0pcRqQB4AfvZnrggLF/AyHQab9Kia5PBAkVNXW2ApCH14v7
+h9bQ7KMoxaZ9WFBKchFVu36CmJLPI1HsSqV/+6HnMOd5Rd8GAN2/2uLiUSFIrpAD
+3eXenr+CFEeq4P3UKSzMG3wTd3y1JWSCnvKaK0GTEOdvk4C7L8V4KO29w3NRI2a8
+NEUQ3xa15gT3dRtqBvq151Vzd+PmptyI5uzbTVqfbkiMRbeq4CvJ5HkI+l0kuest
+37CLNeqldHnsAe2ziTFE1UbnYk3r6r6KLn4xAraVntFCYpQavzwtE7UdHFeCMAlu
+zVrc3GyEigG+NqY2lp18JtUw1S1XAQGO7XGQTPfSDx2eRxrqQx/Voc4hxKsifSvQ
+kTVrQkP173khAfTtAgMBAAGjggFXMIIBUzAdBgNVHQ4EFgQUxl27sebgR5PcYCcA
+SrdiG1QiKogwgZoGA1UdIwSBkjCBj4AUxl27sebgR5PcYCcASrdiG1QiKoihbKRq
+MGgxCzAJBgNVBAYTAkRFMRcwFQYDVQQKDA5JUEZpcmUgUHJvamVjdDEaMBgGA1UE
+AwwRSVBGaXJlIFByb2plY3QgQ0ExJDAiBgkqhkiG9w0BCQEWFWNlcnRtYXN0ZXJA
+aXBmaXJlLm9yZ4IJAJIvs+XE5h41MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P
+BAQDAgEGMCAGA1UdEQQZMBeBFWNlcnRtYXN0ZXJAaXBmaXJlLm9yZzAgBgNVHRIE
+GTAXgRVjZXJ0bWFzdGVyQGlwZmlyZS5vcmcwMAYDVR0fBCkwJzAloCOgIYYfaHR0
+cDovL2NlcnRzLmlwZmlyZS5vcmcvY3JsLnBlbTANBgkqhkiG9w0BAQ0FAAOCAgEA
+HUXBFAC0AM/AhAp0mykBTY0QChI6YaXX1ki8Nb1sschcC53rnykHELPLMLKbSCLG
+cM7lJc1GJeDvQ9O46/Z7EWpFDACCstVn/hXUmj4ZxCSZ4B+L6Xt+GMdTksY434nS
+voM4fgc9a/OG6Tr2+YN9/rhnU3WdyMjpdApVFLs0qfzDHKmCTzC0h7itRSvitHOa
+p7yRQnErKy6GFSjSgSG1mhZbghJhGzrYRjCuAa59+R74IE+3ZWtpPUHro+S4kMcQ
+5NZLEwf0w5KzZcRF50UTSBxIUcBrtWRJElxRc9MncTaAS/uP6GBTkOM+f1WZ+zH0
+iRU5Sy4k/YfIxAU89QwMVW4GXktjIIXXbzbofaezKge3qc2v8dpI/V/U6I9mARja
+ltosmfE4lVBEJtQe6rNVUO55AiMnYpuC5hWjxhKjgeYQug+/nW9IIzCc5Ny7w8fb
+5NR0UqI/0TeS4Z1mNM8d6I5q41NuVSDU+6izUxDGgDL3ZWRkG6VWG1sRGxWMJb2L
+n3E6Zp51AY/l9e2gFqGFearanLw1w3lk2rEyYVHpZIKSjHEfUusOzuLFRaW95pgj
+HSJ0+XVE3cH/ppDBlxM0psrpOylXm3EaRnIPl2cGWjZwTIqga8PRJA9FefzMDGIX
+bQMywe8LR6okWvXhTV0wl0F6ynOiKE8LmbDf5si0EBU=
+-----END CERTIFICATE-----

config/rootfiles/common/ca-certificates

@@ -0,0 +1,4 @@
+etc/ssl/cert.pem
+#etc/ssl/certs
+etc/ssl/certs/ca-bundle.crt
+etc/ssl/certs/ca-bundle.trust.crt

config/rootfiles/core/92/filelists/ca-certificates

@@ -0,0 +1 @@
+../../../common/ca-certificates

config/rootfiles/core/92/filelists/openssh

@@ -0,0 +1 @@
+../../../common/openssh

config/rootfiles/core/92/filelists/openssl

@@ -0,0 +1 @@
+../../../common/openssl

config/rootfiles/core/92/update.sh

@@ -32,6 +32,7 @@ do
 done
 
 # Stop services
+/etc/init.d/squid stop
 /etc/init.d/ipsec stop
 
 # Extract files
@@ -44,19 +45,24 @@ extract_files
 sudo -u nobody /srv/web/ipfire/cgi-bin/vpnmain.cgi
 
 rm -f /bin/[
-sync
 
 # Start services
 if [ `grep "ENABLED=on" /var/ipfire/vpn/settings` ]; then
 	/etc/init.d/ipsec start
 fi
+/etc/init.d/squid start
 
 # This update need a reboot...
-#touch /var/run/need_reboot
+touch /var/run/need_reboot
 
 # Finish
 /etc/init.d/fireinfo start
 sendprofile
+# Update grub config to display new core version
+if [ -e /boot/grub/grub.cfg ]; then
+	grub-mkconfig > /boot/grub/grub.cfg
+fi
+sync
 
 # Don't report the exitcode last command
 exit 0

lfs/ca-certificates

@@ -0,0 +1,61 @@
+###############################################################################
+#                                                                             #
+# IPFire.org - A linux based firewall                                         #
+# Copyright (C) 2015  IPFire Team  <info@ipfire.de>                           #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+VER        = 20150710
+
+THISAPP    = ca-certificates
+DIR_APP    = $(DIR_SRC)/$(THISAPP)
+TARGET     = $(DIR_INFO)/$(THISAPP)
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+install : $(TARGET)
+
+check : 
+
+download : 
+
+md5 : 
+
+###############################################################################
+# Installation Details
+###############################################################################
+
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+	@$(PREBUILD)
+	@rm -rf $(DIR_APP) && cp -av $(DIR_CONF)/$(THISAPP) $(DIR_APP)
+
+	cd $(DIR_APP) && sh ./build.sh
+
+	-mkdir -pv /etc/ssl/certs
+	cd $(DIR_APP) && install -p -m 644 ca-bundle.crt ca-bundle.trust.crt \
+		/etc/ssl/certs
+	ln -svf certs/ca-bundle.crt /etc/ssl/cert.pem
+
+	@rm -rf $(DIR_APP)
+	@$(POSTBUILD)

lfs/openssl

@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 1.0.2c
+VER        = 1.0.2d
 
 THISAPP    = openssl-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -82,7 +82,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = 8c8d81a9ae7005276e486702edbcd4b6
+$(DL_FILE)_MD5 = 38dd619b2e77cbac69b99f52a053d25a
 
 install : $(TARGET)
 

lfs/python-optional-src

@@ -24,12 +24,12 @@
 
 include Config
 
-VER	   = 2.7.9
+VER	   = 2.7.10
 
 include python
 
 PROG	   = python-optional-src
-PAK_VER    = 3
+PAK_VER    = 4
 DEPS       =
 
 dist: 

make.sh

@@ -26,7 +26,7 @@ NAME="IPFire"							# Software name
 SNAME="ipfire"							# Short name
 VERSION="2.17"							# Version number
 CORE="92"							# Core Level (Filename)
-PAKFIRE_CORE="91"						# Core Level (PAKFIRE)
+PAKFIRE_CORE="92"						# Core Level (PAKFIRE)
 GIT_BRANCH=`git rev-parse --abbrev-ref HEAD`			# Git Branch
 SLOGAN="www.ipfire.org"						# Software slogan
 CONFIG_ROOT=/var/ipfire						# Configuration rootdir
@@ -483,6 +483,7 @@ buildipfire() {
   ipfiremake sqlite
   ipfiremake libffi
   ipfiremake python
+  ipfiremake ca-certificates
   ipfiremake fireinfo
   ipfiremake libnet
   ipfiremake libnl