Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

config/cfgroot/lang.pl

@@ -169,6 +169,9 @@ sub FindWebLanguage() {
 	my ($language, $country) = split(/_/, $shortlang);
 	push(@options, $language);
 
+	# Add English as fallback
+	push(@options, "en");
+
 	foreach my $option (@options) {
 		return $option if (-e "${General::swroot}/langs/$option.pl");
 	}

config/rootfiles/common/armv5tel/initscripts

@@ -34,6 +34,7 @@ etc/rc.d/init.d/firstsetup
 etc/rc.d/init.d/functions
 #etc/rc.d/init.d/gnump3d
 etc/rc.d/init.d/halt
+#etc/rc.d/init.d/haproxy
 #etc/rc.d/init.d/hostapd
 #etc/rc.d/init.d/imspector
 etc/rc.d/init.d/ipsec

config/rootfiles/common/i586/initscripts

@@ -36,6 +36,7 @@ etc/rc.d/init.d/firstsetup
 etc/rc.d/init.d/functions
 #etc/rc.d/init.d/gnump3d
 etc/rc.d/init.d/halt
+#etc/rc.d/init.d/haproxy
 #etc/rc.d/init.d/hostapd
 #etc/rc.d/init.d/imspector
 etc/rc.d/init.d/ipsec

config/rootfiles/core/88/filelists/files

@@ -1,6 +1,2 @@
 etc/system-release
 etc/issue
-srv/web/ipfire/cgi-bin/fwhosts.cgi
-srv/web/ipfire/cgi-bin/ovpnmain.cgi
-var/ipfire/backup/bin/backup.pl
-var/ipfire/langs

config/rootfiles/core/88/filelists/openssh

@@ -0,0 +1 @@
+../../../common/openssh

config/rootfiles/core/88/filelists/openssl

@@ -0,0 +1 @@
+../../../common/openssl

config/rootfiles/core/88/filelists/openssl-compat

@@ -0,0 +1 @@
+../../../common/openssl-compat

config/rootfiles/core/88/update.sh

@@ -41,15 +41,8 @@ extract_files
 # Start services
 
 # Update Language cache
-perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"
+#perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"
 
-# Uninstall the sqlite package.
-rm -f \
-	/opt/pakfire/db/installed/meta-sqlite \
-	/opt/pakfire/db/rootfiles/sqlite
-
-# Fix #10625
-mkdir -p /etc/logrotate.d
 
 sync
 

config/rootfiles/core/89/exclude

@@ -0,0 +1,20 @@
+boot/config.txt
+etc/collectd.custom
+etc/ipsec.conf
+etc/ipsec.secrets
+etc/ipsec.user.conf
+etc/ipsec.user.secrets
+etc/localtime
+etc/shadow
+etc/ssh/ssh_config
+etc/ssh/sshd_config
+etc/ssl/openssl.cnf
+etc/sudoers
+etc/sysconfig/firewall.local
+etc/sysconfig/rc.local
+etc/udev/rules.d/30-persistent-network.rules
+srv/web/ipfire/html/proxy.pac
+var/ipfire/ovpn
+var/log/cache
+var/state/dhcp/dhcpd.leases
+var/updatecache

config/rootfiles/core/89/filelists/collectd

@@ -0,0 +1 @@
+../../../common/collectd

config/rootfiles/core/89/filelists/files

@@ -0,0 +1,18 @@
+etc/system-release
+etc/issue
+etc/collectd.conf
+etc/collectd.vpn
+etc/rc.d/init.d/dnsmasq
+srv/web/ipfire/cgi-bin/ddns.cgi
+srv/web/ipfire/cgi-bin/firewall.cgi
+srv/web/ipfire/cgi-bin/fwhosts.cgi
+srv/web/ipfire/cgi-bin/ids.cgi
+srv/web/ipfire/cgi-bin/netovpnrw.cgi
+srv/web/ipfire/cgi-bin/netovpnsrv.cgi
+srv/web/ipfire/cgi-bin/ovpnmain.cgi
+srv/web/ipfire/cgi-bin/vpnmain.cgi
+var/ipfire/backup/bin/backup.pl
+var/ipfire/graphs.pl
+var/ipfire/langs
+var/ipfire/lang.pl
+var/ipfire/menu.d/20-status.menu

config/rootfiles/core/89/filelists/fuse

@@ -0,0 +1 @@
+../../../common/fuse

config/rootfiles/core/89/filelists/ntfs-3g

@@ -0,0 +1 @@
+../../../common/ntfs-3g

config/rootfiles/core/89/filelists/openssh

@@ -0,0 +1 @@
+../../../common/openssh

config/rootfiles/core/89/filelists/openssl

@@ -0,0 +1 @@
+../../../common/openssl

config/rootfiles/core/89/filelists/openssl-compat

@@ -0,0 +1 @@
+../../../common/openssl-compat

config/rootfiles/core/89/filelists/setup

@@ -0,0 +1 @@
+../../../common/setup

config/rootfiles/core/89/filelists/strongswan

@@ -0,0 +1 @@
+../../../common/strongswan

config/rootfiles/core/89/filelists/tzdata

@@ -0,0 +1 @@
+../../../common/tzdata

config/rootfiles/core/89/meta

@@ -0,0 +1 @@
+DEPS=""

config/rootfiles/core/89/update.sh

@@ -0,0 +1,72 @@
+#!/bin/bash
+############################################################################
+#                                                                          #
+# This file is part of the IPFire Firewall.                                #
+#                                                                          #
+# IPFire is free software; you can redistribute it and/or modify           #
+# it under the terms of the GNU General Public License as published by     #
+# the Free Software Foundation; either version 3 of the License, or        #
+# (at your option) any later version.                                      #
+#                                                                          #
+# IPFire is distributed in the hope that it will be useful,                #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of           #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            #
+# GNU General Public License for more details.                             #
+#                                                                          #
+# You should have received a copy of the GNU General Public License        #
+# along with IPFire; if not, write to the Free Software                    #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA #
+#                                                                          #
+# Copyright (C) 2014 IPFire-Team <info@ipfire.org>.                        #
+#                                                                          #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+/usr/local/bin/backupctrl exclude >/dev/null 2>&1
+
+# Remove old core updates from pakfire cache to save space...
+core=89
+for (( i=1; i<=$core; i++ ))
+do
+	rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
+done
+
+# Stop services
+/etc/init.d/ipsec stop
+
+# Remove old files
+
+# Extract files
+extract_files
+
+# Generate ddns configuration file
+sudo -u nobody /srv/web/ipfire/cgi-bin/ddns.cgi
+
+# Start services
+/etc/init.d/dnsmasq restart
+if [ `grep "ENABLED=on" /var/ipfire/vpn/settings` ]; then
+	/etc/init.d/ipsec start
+fi
+
+# Update Language cache
+perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"
+
+# Prevent uninstall sqlite (now common package).
+rm -f \
+	/opt/pakfire/db/*/meta-sqlite \
+	/opt/pakfire/db/rootfiles/sqlite
+
+# Fix #10625
+mkdir -p /etc/logrotate.d
+
+sync
+
+# This update need a reboot...
+#touch /var/run/need_reboot
+
+# Finish
+/etc/init.d/fireinfo start
+sendprofile
+
+# Don't report the exitcode last command
+exit 0

html/cgi-bin/ddns.cgi

@@ -667,7 +667,8 @@ sub GenerateDDNSConfigFile {
 		my $use_token = 0;
 
 		# Handle token based auth for various providers.
-		if ($provider ~~ ["dns.lightningwirelabs.com", "entrydns.net", "regfish.com", "spdns.de"] && $username eq "token") {
+		if ($provider ~~ ["dns.lightningwirelabs.com", "entrydns.net", "regfish.com",
+				  "spdns.de", "zzzz.io"] && $username eq "token") {
 			$use_token = 1;
 
 		# Handle token auth for freedns.afraid.org and regfish.com.

lfs/crda

@@ -71,7 +71,6 @@ $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/crda-3.13-crypto_use_optional.patch
 	cd $(DIR_APP) && make $(MAKETUNING)
 	cd $(DIR_APP) && make install
 	@rm -rf $(DIR_APP)

lfs/openssl

@@ -86,6 +86,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1e-cryptodev.patch
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1e-fix_parallel_build-1.patch
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1e-weak-ciphers.patch
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-disable-sslv2-sslv3.patch
 
 	cd $(DIR_APP) && find crypto/ -name Makefile -exec \
 		sed 's/^ASFLAGS=/&-Wa,--noexecstack /' -i {} \;
@@ -105,8 +106,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 		no-mdc2 \
 		no-rc5 \
 		no-srp \
-		no-ssl2 \
-		no-ssl3 \
 		$(CONFIGURE_ARGS) \
 		-DSSL_FORBID_ENULL \
 		-DHAVE_CRYPTODEV \

lfs/openssl-compat

@@ -72,6 +72,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
 
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-0.9.8u-cryptodev.patch
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-disable-sslv2-sslv3.patch
 
 	cd $(DIR_APP) && sed -i -e 's/mcpu/march/' config
 	cd $(DIR_APP) && sed -i -e 's/-O3/-O2/' -e 's/-march=i486/-march=i586/' Configure

make.sh

@@ -25,8 +25,8 @@
 NAME="IPFire"							# Software name
 SNAME="ipfire"							# Short name
 VERSION="2.17"							# Version number
-CORE="87"							# Core Level (Filename)
-PAKFIRE_CORE="87"						# Core Level (PAKFIRE)
+CORE="88"							# Core Level (Filename)
+PAKFIRE_CORE="88"						# Core Level (PAKFIRE)
 GIT_BRANCH=`git rev-parse --abbrev-ref HEAD`			# Git Branch
 SLOGAN="www.ipfire.org"						# Software slogan
 CONFIG_ROOT=/var/ipfire						# Configuration rootdir

src/patches/crda-3.13-crypto_use_optional.patch

@@ -1,22 +0,0 @@
-Submitted By: hauke from OpenWRT
-Date: 2009-04-17
-Initial Package Version: 1.0.2
-Origin: https://dev.openwrt.org/changeset/15405/trunk/package/crda/patches/101-make_crypto_use_optional.patch
-Description: The patch was modified for version crda-3.13 by Erik Kapfer <erik.kapfer@ipfire.org>..
-This patch provides the following improvements:
-    * Crypto usage is optional.
-
-diff -Nur crda-3.13.orig/Makefile crda-3.13/Makefile
---- crda-3.13.orig/Makefile	2015-01-12 07:55:08.791183765 +0100
-+++ crda-3.13/Makefile	2015-01-12 07:56:35.437381029 +0100
-@@ -43,7 +43,9 @@
- 
- $(LIBREG): keys-ssl.c
- 
--else
-+endif
-+
-+ifeq ($(USE_GCRYPT),1)
- CFLAGS += -DUSE_GCRYPT
- LDLIBS += -lgcrypt
- 

src/patches/openssl-disable-sslv2-sslv3.patch

@@ -0,0 +1,13 @@
+diff -up openssl-1.0.1h/ssl/ssl_lib.c.v2v3 openssl-1.0.1h/ssl/ssl_lib.c
+--- openssl-1.0.1h/ssl/ssl_lib.c.v2v3	2014-06-11 16:02:52.000000000 +0200
++++ openssl-1.0.1h/ssl/ssl_lib.c	2014-06-30 14:18:04.290248080 +0200
+@@ -1875,6 +1875,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+ 	 */
+ 	ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
+ 
++	/* Disable SSLv2 and SSLv3 by default (affects the SSLv23_method() only) */
++	ret->options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
++
+ 	return(ret);
+ err:
+ 	SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);