diff --git a/net/ocserv/Makefile b/net/ocserv/Makefile index d01d98039..28619be00 100644 --- a/net/ocserv/Makefile +++ b/net/ocserv/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=ocserv PKG_VERSION:=0.8.9 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_BUILD_DIR :=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION) PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz diff --git a/net/ocserv/files/ocserv.conf.template b/net/ocserv/files/ocserv.conf.template index 494b1e7b9..92083f02a 100644 --- a/net/ocserv/files/ocserv.conf.template +++ b/net/ocserv/files/ocserv.conf.template @@ -65,8 +65,8 @@ try-mtu-discovery = false # # There may be multiple certificate and key pairs and each key # should correspond to the preceding certificate. -server-cert = /etc/ocserv/server-cert.pem -server-key = /etc/ocserv/server-key.pem +server-cert = /etc/config/ocserv-dir/server-cert.pem +server-key = /etc/config/ocserv-dir/server-key.pem # Diffie-Hellman parameters. Only needed if you require support # for the DHE ciphersuites (by default this server supports ECDHE). @@ -92,7 +92,7 @@ server-key = /etc/ocserv/server-key.pem # The Certificate Authority that will be used to verify # client certificates (public keys) if certificate authentication # is set. -#ca-cert = /etc/ocserv/ca.pem +#ca-cert = /etc/config/ocserv-dir/ca.pem # The object identifier that will be used to read the user ID in the client # certificate. The object identifier should be part of the certificate's DN @@ -107,7 +107,7 @@ server-key = /etc/ocserv/server-key.pem #cert-group-oid = 2.5.4.11 # The revocation list of the certificates issued by the 'ca-cert' above. -#crl = /etc/ocserv/crl.pem +#crl = /etc/config/ocserv-dir/crl.pem # GnuTLS priority string tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT" 
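Review bot: In the `@@ -65,8 +65,8 @@` hunk `server-key` now points into `/etc/config/ocserv-dir`, a location that on OpenWrt falls under the default sysupgrade backup set, so the server's private key will presumably travel inside backup archives from now on (likely the intent of the move); the template should say so next to the key line, e.g. `# Keys under /etc/config/ocserv-dir are included in sysupgrade backups; keep backup archives private.`. The commented-out `#crl`, `#config-per-user`/`#config-per-group` and `#default-*-config` defaults in the `-92`, `-107` and `-277` hunks move as well, but the init script in this commit only migrates the four key/cert files, so an existing `crl.pem` or per-user directory under `/etc/ocserv` stays behind; a comment saying those must be moved by hand would avoid a silent mismatch once an admin uncomments them.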
@@ -277,14 +277,14 @@ ping-leases = false # based on a user or group. The syntax depends on the input accepted # by the commands route-add-cmd and route-del-cmd (see below). -#config-per-user = /etc/ocserv/config-per-user/ -#config-per-group = /etc/ocserv/config-per-group/ +#config-per-user = /etc/config/ocserv-dir/config-per-user/ +#config-per-group = /etc/config/ocserv-dir/config-per-group/ # When config-per-xxx is specified and there is no group or user that # matches, then utilize the following configuration. -#default-user-config = /etc/ocserv/defaults/user.conf -#default-group-config = /etc/ocserv/defaults/group.conf +#default-user-config = /etc/config/ocserv-dir/defaults/user.conf +#default-group-config = /etc/config/ocserv-dir/defaults/group.conf # Groups that a client is allowed to select from. # A client may belong in multiple groups, and in certain use-cases diff --git a/net/ocserv/files/ocserv.init b/net/ocserv/files/ocserv.init index 05ab34d2f..15dbb6868 100644 --- a/net/ocserv/files/ocserv.init +++ b/net/ocserv/files/ocserv.init 
@@ -94,35 +94,41 @@ start() { hostname=`uci show ddns|grep domain|head -1|cut -d '=' -f 2` [ -z "$hostname" ] && hostname=`uci get system.@system[0].hostname` - [ ! -f /etc/ocserv/ca-key.pem ] && [ -x /usr/bin/certtool ] && { + [ -d /etc/config/ocserv-dir ] || mkdir -p /etc/config/ocserv-dir + [ -f /etc/ocserv/ca-key.pem ] && mv /etc/ocserv/ca-key.pem /etc/config/ocserv-dir/ca-key.pem + [ -f /etc/ocserv/ca.pem ] && mv /etc/ocserv/ca.pem /etc/config/ocserv-dir/ca.pem + [ -f /etc/ocserv/server-key.pem ] && mv /etc/ocserv/server-key.pem /etc/config/ocserv-dir/server-key.pem + [ -f /etc/ocserv/server-cert.pem ] && mv /etc/ocserv/server-cert.pem /etc/config/ocserv-dir/server-cert.pem + + [ ! -f /etc/config/ocserv-dir/ca-key.pem ] && [ -x /usr/bin/certtool ] && { logger -t ocserv "Generating CA certificate..." - mkdir -p /etc/ocserv/pki/ - certtool --bits 2048 --generate-privkey --outfile /etc/ocserv/ca-key.pem >/dev/null 2>&1 - echo "cn=$hostname CA" >/etc/ocserv/pki/ca.tmpl - echo "expiration_days=-1" >>/etc/ocserv/pki/ca.tmpl - echo "serial=1" >>/etc/ocserv/pki/ca.tmpl - echo "ca" >>/etc/ocserv/pki/ca.tmpl - echo "cert_signing_key" >>/etc/ocserv/pki/ca.tmpl - - certtool --template /etc/ocserv/pki/ca.tmpl \ - --generate-self-signed --load-privkey /etc/ocserv/ca-key.pem \ - --outfile /etc/ocserv/ca.pem >/dev/null 2>&1 + mkdir -p /tmp/ocserv-pki/ + certtool --bits 2048 --generate-privkey --outfile /etc/config/ocserv-dir/ca-key.pem >/dev/null 2>&1 + echo "cn=$hostname CA" >/tmp/ocserv-pki/ca.tmpl + echo "expiration_days=-1" >>/tmp/ocserv-pki/ca.tmpl + echo "serial=1" >>/tmp/ocserv-pki/ca.tmpl + echo "ca" >>/tmp/ocserv-pki/ca.tmpl + echo "cert_signing_key" >>/tmp/ocserv-pki/ca.tmpl + + certtool --template /tmp/ocserv-pki/ca.tmpl \ + --generate-self-signed --load-privkey /etc/config/ocserv-dir/ca-key.pem \ + --outfile /etc/config/ocserv-dir/ca.pem >/dev/null 2>&1 } #generate server certificate/key - [ ! -f /etc/ocserv/server-key.pem ] && [ -x /usr/bin/certtool ] && { + [ ! 
-f /etc/config/ocserv-dir/server-key.pem ] && [ -x /usr/bin/certtool ] && { logger -t ocserv "Generating server certificate..." - mkdir -p /etc/ocserv/pki/ - certtool --bits 2048 --generate-privkey --outfile /etc/ocserv/server-key.pem >/dev/null 2>&1 - echo "cn=$hostname" >/etc/ocserv/pki/server.tmpl - echo "serial=2" >>/etc/ocserv/pki/server.tmpl - echo "expiration_days=-1" >>/etc/ocserv/pki/server.tmpl - echo "signing_key" >>/etc/ocserv/pki/server.tmpl - echo "encryption_key" >>/etc/ocserv/pki/server.tmpl - certtool --template /etc/ocserv/pki/server.tmpl \ - --generate-certificate --load-privkey /etc/ocserv/server-key.pem \ - --load-ca-certificate /etc/ocserv/ca.pem --load-ca-privkey \ - /etc/ocserv/ca-key.pem --outfile /etc/ocserv/server-cert.pem >/dev/null 2>&1 + mkdir -p /tmp/ocserv-pki/ + certtool --bits 2048 --generate-privkey --outfile /etc/config/ocserv-dir/server-key.pem >/dev/null 2>&1 + echo "cn=$hostname" >/tmp/ocserv-pki/server.tmpl + echo "serial=2" >>/tmp/ocserv-pki/server.tmpl + echo "expiration_days=-1" >>/tmp/ocserv-pki/server.tmpl + echo "signing_key" >>/tmp/ocserv-pki/server.tmpl + echo "encryption_key" >>/tmp/ocserv-pki/server.tmpl + certtool --template /tmp/ocserv-pki/server.tmpl \ + --generate-certificate --load-privkey /etc/config/ocserv-dir/server-key.pem \ + --load-ca-certificate /etc/config/ocserv-dir/ca.pem --load-ca-privkey \ + /etc/config/ocserv-dir/ca-key.pem --outfile /etc/config/ocserv-dir/server-cert.pem >/dev/null 2>&1 } [ -f /var/run/ocserv.pid ] || {
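Review bot: The certtool templates are now written to the fixed, predictable path `/tmp/ocserv-pki/` on a world-writable filesystem, in both the CA block and the server-certificate block; anything already present at that path (a directory, file or symlink not created by this script) is followed by the `>` redirects and `mkdir -p`, so the template contents certtool signs are no longer guaranteed to be the script's own — the old `/etc/ocserv/pki/` location was at least not world-writable. If busybox `mktemp` is available (confirm for this target), create the scratch directory per run, `pkidir=$(mktemp -d /tmp/ocserv-pki.XXXXXX) || return 1`, substitute `"$pkidir"` for `/tmp/ocserv-pki/` in the echo and certtool lines of both blocks, and `rm -rf "$pkidir"` after the certtool calls instead of leaving the templates behind. The private keys are written into `/etc/config/ocserv-dir` with whatever mode certtool's umask gives and `mv` keeps the old files' modes, so a `chmod 700 /etc/config/ocserv-dir` after the `mkdir -p` line (and `chmod 600` on `ca-key.pem`/`server-key.pem`) would keep them out of reach of unprivileged processes, assuming only ocserv's privileged process needs to read them — confirm. The guard `[ ! -f /etc/config/ocserv-dir/ca-key.pem ]` checks only the key, so if the self-signing certtool call fails (its output is discarded) `ca.pem` is never produced on later starts; testing `ca.pem` too, or removing the key when the second call fails, would make the block self-healing. start() continues past the end of the hunk.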