From aa29e9e46c30e8af9984dec30dc5e821af8f0168 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Wed, 25 Dec 2013 15:12:34 +0100
Subject: [PATCH 1/4] openvpn: Fix verify script.
Former versions of openvpn called the script where the arguments in the certificate's common name where separated by /. Now, those are separated by ", " (comma, space).
---
 config/ovpn/verify | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/config/ovpn/verify b/config/ovpn/verify
index 44ed1105d..1a1fcb501 100644
--- a/config/ovpn/verify
+++ b/config/ovpn/verify
@@ -30,8 +30,8 @@ my $CN = $ARGV[1];
 exit 0 unless ($DEPTH eq "0");
 # Strip the CN from the X509 identifier.
-$CN =~ /\/CN=(.*)$/i;
-$CN = $1;
+$CN =~ /(\/|,\ )CN=(.*)$/i;
+$CN = $2;
 my %confighash = ();
 if (-f "${General::swroot}/ovpn/ovpnconfig"){
From d58c41f1ef6aa5bc0178f4351ddc110dc6159b2d Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Sat, 28 Dec 2013 17:06:38 +0100
Subject: [PATCH 2/4] pakfire: Prevent an infinite loop with empty server list.
---
 src/pakfire/lib/functions.pl | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/pakfire/lib/functions.pl b/src/pakfire/lib/functions.pl
index 133b4950f..d14e0314d 100644
--- a/src/pakfire/lib/functions.pl
+++ b/src/pakfire/lib/functions.pl
@@ -305,7 +305,12 @@ sub selectmirror {
 }
 }
 logger("MIRROR INFO: $scount servers found in list");
-
+
+ if ($scount eq 0) {
+ logger("MIRROR INFO: Could not find any servers. Falling back to main server $Conf::mainserver");
+ return ("HTTP", $Conf::mainserver, "/$Conf::version");
+ }
+
 ### Choose a random server and test if it is online
 # If the check fails try a new server.
 # This will never give up.
From 4f2aca6d2b1bd49b1fc090af657726f2ce011086 Mon Sep 17 00:00:00 2001
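Review bot: The result of the match on the added line `$CN =~ /(\/|,\ )CN=(.*)$/i;` is never checked, so a subject string that contains neither `/CN=` nor `, CN=` leaves `$CN` set from an undefined `$2` and the script carries on. A tls-verify hook should fail closed here, for example `exit 1 unless $CN =~ /(?:\/|,\ )CN=(.*)$/i;` followed by `$CN = $1;`, which also removes the capture group that exists only for grouping. Two limits of the pattern deserve a comment above it: a CN that is the first attribute of the subject has no separator in front of it and will not match, and `(.*)` runs to the end of the string, so any attribute printed after the CN becomes part of the extracted name. How `$CN` is used afterwards is outside this hunk.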
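Review bot: In the added guard in selectmirror, `if ($scount eq 0)` compares a counter with the string operator; `if ($scount == 0)` states the numeric intent and does not depend on how `$scount` stringifies. The fallback hard-codes `"HTTP"` as the protocol for the main server, so the integrity of anything fetched through it rests on checks that are not visible in this hunk; it is worth confirming that downloads are signature-verified and saying so in a comment next to the `return`. The context comment `# This will never give up.` suggests the loop below is still unbounded when servers are listed but none of them answers, which this change does not cover. selectmirror's body starts and ends outside the hunk.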
From: Michael Tremer
Date: Sun, 29 Dec 2013 20:41:25 +0100
Subject: [PATCH 3/4] Create core update 75.
---
 config/rootfiles/core/75/exclude | 17 ++++++++
 config/rootfiles/core/75/filelists/files | 6 +++
 config/rootfiles/core/75/meta | 1 +
 config/rootfiles/core/75/update.sh | 54 ++++++++++++++++++++++++
 make.sh | 2 +-
 5 files changed, 79 insertions(+), 1 deletion(-)
 create mode 100644 config/rootfiles/core/75/exclude
 create mode 100644 config/rootfiles/core/75/filelists/files
 create mode 100644 config/rootfiles/core/75/meta
 create mode 100644 config/rootfiles/core/75/update.sh
diff --git a/config/rootfiles/core/75/exclude b/config/rootfiles/core/75/exclude
new file mode 100644
index 000000000..321a931ca
--- /dev/null
+++ b/config/rootfiles/core/75/exclude
@@ -0,0 +1,17 @@
+srv/web/ipfire/html/proxy.pac
+boot/config.txt
+etc/udev/rules.d/30-persistent-network.rules
+etc/collectd.custom
+etc/shadow
+etc/ipsec.conf
+etc/ipsec.secrets
+etc/ipsec.user.conf
+etc/ipsec.user.secrets
+var/log/cache
+var/updatecache
+etc/localtime
+var/ipfire/ovpn
+etc/ssh/ssh_config
+etc/ssh/sshd_config
+etc/ssl/openssl.cnf
+var/state/dhcp/dhcpd.leases
diff --git a/config/rootfiles/core/75/filelists/files b/config/rootfiles/core/75/filelists/files
new file mode 100644
index 000000000..46af05486
--- /dev/null
+++ b/config/rootfiles/core/75/filelists/files
@@ -0,0 +1,6 @@
+etc/system-release
+etc/issue
+opt/pakfire/lib/functions.pl
+var/ipfire/header.pl
+var/ipfire/langs
+var/ipfire/ovpn/verify
diff --git a/config/rootfiles/core/75/meta b/config/rootfiles/core/75/meta
new file mode 100644
index 000000000..d547fa86f
--- /dev/null
+++ b/config/rootfiles/core/75/meta
@@ -0,0 +1 @@
+DEPS=""
diff --git a/config/rootfiles/core/75/update.sh b/config/rootfiles/core/75/update.sh
new file mode 100644
index 000000000..05e2de3e6
--- /dev/null
+++ b/config/rootfiles/core/75/update.sh
@@ -0,0 +1,54 @@
+#!/bin/bash
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2013 IPFire-Team . #
+# #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+/usr/local/bin/backupctrl exclude >/dev/null 2>&1
+
+# Remove old core updates from pakfire cache to save space...
+core=75
+for (( i=1; i<=$core; i++ ))
+do
+ rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
+done
+
+# Stop services
+
+# Extract files
+extract_files
+
+# Start services
+
+# Update Language cache
+perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"
+
+sync
+
+# This update need a reboot...
+#touch /var/run/need_reboot
+
+# Finish
+/etc/init.d/fireinfo start
+sendprofile
+
+# Don't report the exitcode last command
+exit 0
diff --git a/make.sh b/make.sh
index 37fa1c805..6cebdd1a0 100755
--- a/make.sh
+++ b/make.sh
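Review bot: The status of `extract_files` is never tested and the script ends with an unconditional `exit 0`, so an update whose extraction failed is still reported as applied. This update's file list carries the corrected `var/ipfire/ovpn/verify` and `opt/pakfire/lib/functions.pl`, so a silent failure would leave the old versions in place without any signal. Consider `extract_files || exit 1` if the helper returns a usable status; it is sourced from `/opt/pakfire/lib/functions.sh`, which is not shown here, and whether pakfire acts on a non-zero exit is also not visible.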
@@ -25,7 +25,7 @@ NAME="IPFire" # Software name
 SNAME="ipfire" # Short name
 VERSION="2.13" # Version number
-CORE="74" # Core Level (Filename)
+CORE="75" # Core Level (Filename)
 PAKFIRE_CORE="74" # Core Level (PAKFIRE)
 GIT_BRANCH=`git status | head -n1 | cut -d" " -f4` # Git Branch
 SLOGAN="www.ipfire.org" # Software slogan
From 1d0a260a8b804e43037a2c0aa3ef9bae1ddca656 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Sun, 29 Dec 2013 21:13:55 +0100
Subject: [PATCH 4/4] openvpn: Move verify script out of configuration directory.
---
 config/rootfiles/common/openvpn | 2 +-
 config/rootfiles/core/75/filelists/files | 2 +-
 config/rootfiles/core/75/update.sh | 6 ++++++
 html/cgi-bin/ovpnmain.cgi | 2 +-
 lfs/openvpn | 3 ++-
 5 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
index ae6d6eee6..d1b836a1b 100644
--- a/config/rootfiles/common/openvpn
+++ b/config/rootfiles/common/openvpn
@@ -5,6 +5,7 @@
 usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so
 #usr/lib/openvpn/plugins/openvpn-plugin-down-root.la
 usr/lib/openvpn/plugins/openvpn-plugin-down-root.so
+usr/lib/openvpn/verify
 usr/sbin/openvpn
 #usr/share/doc/openvpn
 #usr/share/doc/openvpn/COPYING
@@ -31,4 +32,3 @@ var/ipfire/ovpn/ovpn-leases.db
 var/ipfire/ovpn/ovpnconfig
 var/ipfire/ovpn/scripts
 var/ipfire/ovpn/settings
-var/ipfire/ovpn/verify
diff --git a/config/rootfiles/core/75/filelists/files b/config/rootfiles/core/75/filelists/files
index 46af05486..647eb2660 100644
--- a/config/rootfiles/core/75/filelists/files
+++ b/config/rootfiles/core/75/filelists/files
@@ -1,6 +1,6 @@
 etc/system-release
 etc/issue
 opt/pakfire/lib/functions.pl
+usr/lib/openvpn/verify
 var/ipfire/header.pl
 var/ipfire/langs
-var/ipfire/ovpn/verify
diff --git a/config/rootfiles/core/75/update.sh b/config/rootfiles/core/75/update.sh
index 05e2de3e6..3fd00fe3b 100644
--- a/config/rootfiles/core/75/update.sh
+++ b/config/rootfiles/core/75/update.sh
@@ -38,6 +38,12 @@ extract_files
 # Start services
+# Replace path to verify script.
+if [ -r "/var/ipfire/ovpn/server.conf" ]; then
+ sed -e "s@^tls-verify.*@tls-verify /usr/lib/openvpn/verify@g" \
+ -i /var/ipfire/ovpn/server.conf
+fi
+
 # Update Language cache
 perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 73e610bfd..2f3ac4d55 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -425,7 +425,7 @@ sub writeserverconf {
 if ($sovpnsettings{DHCP_WINS} ne '') {
 print CONF "max-clients $sovpnsettings{MAX_CLIENTS}\n";
 }
- print CONF "tls-verify /var/ipfire/ovpn/verify\n";
+ print CONF "tls-verify /usr/lib/openvpn/verify\n";
 print CONF "crl-verify /var/ipfire/ovpn/crls/cacrl.pem\n";
 print CONF "user nobody\n";
 print CONF "group nobody\n";
diff --git a/lfs/openvpn b/lfs/openvpn
index 87daf07eb..727d3741f 100644
--- a/lfs/openvpn
+++ b/lfs/openvpn
@@ -93,8 +93,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 chown -R root:root /var/ipfire/ovpn/scripts
 chown -R nobody:nobody /var/ipfire/ovpn
 chown root.nobody /var/log/ovpnserver.log
- chmod 755 /var/ipfire/ovpn/verify
 chmod 660 /var/log/ovpnserver.log
 chmod 700 /var/ipfire/ovpn/certs
+ mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify
+ chmod 755 /usr/lib/openvpn/verify
 @rm -rf $(DIR_APP)
 @$(POSTBUILD)
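Review bot: After the `sed` rewrites the `tls-verify` line, the old copy at `/var/ipfire/ovpn/verify` is left behind on upgraded systems. The lfs/openvpn hunk in this series shows `/var/ipfire/ovpn` being handed to `nobody:nobody`, so a stale executable presumably stays in a directory an unprivileged account can write to, and it would be used again by any server.conf that still names the old path. Adding `rm -f /var/ipfire/ovpn/verify` after the `if` block removes it. The hunk also does not restart the OpenVPN server, so a running instance presumably keeps the old path until its next restart.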
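Review bot: `mv` keeps the owner of the file it moves, and the added `mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify` runs after `chown -R nobody:nobody /var/ipfire/ovpn`, so the relocated script presumably ends up owned by `nobody`, the same account the generated server.conf drops to with `user nobody`. That would leave the tls-verify hook writable by the unprivileged daemon user even though it now lives outside the configuration directory. Add `chown root:root /usr/lib/openvpn/verify` before the `chmod 755`, or install the script straight into `/usr/lib/openvpn` so the recursive chown never touches it. Where the script is first copied into `/var/ipfire/ovpn` is outside this hunk.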