From 1c40fc1022377e565b037df92391b2b5ade110c8 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Mon, 12 Jan 2015 19:50:13 +0100
Subject: [PATCH] ocserv: store permanent config files in /etc/config

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
---
 net/ocserv/Makefile                   |  2 +-
 net/ocserv/files/ocserv.conf.template | 16 ++++----
 net/ocserv/files/ocserv.init          | 54 +++++++++++++++------------
 3 files changed, 39 insertions(+), 33 deletions(-)

diff --git a/net/ocserv/Makefile b/net/ocserv/Makefile
index d01d980393..28619be00d 100644
--- a/net/ocserv/Makefile
+++ b/net/ocserv/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=ocserv
 PKG_VERSION:=0.8.9
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_BUILD_DIR :=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
diff --git a/net/ocserv/files/ocserv.conf.template b/net/ocserv/files/ocserv.conf.template
index 494b1e7b94..92083f02a8 100644
--- a/net/ocserv/files/ocserv.conf.template
+++ b/net/ocserv/files/ocserv.conf.template
@@ -65,8 +65,8 @@ try-mtu-discovery = false
 #
 # There may be multiple certificate and key pairs and each key
 # should correspond to the preceding certificate.
-server-cert = /etc/ocserv/server-cert.pem
-server-key = /etc/ocserv/server-key.pem
+server-cert = /etc/config/ocserv-dir/server-cert.pem
+server-key = /etc/config/ocserv-dir/server-key.pem
 
 # Diffie-Hellman parameters. Only needed if you require support
 # for the DHE ciphersuites (by default this server supports ECDHE).
@@ -92,7 +92,7 @@ server-key = /etc/ocserv/server-key.pem
 # The Certificate Authority that will be used to verify
 # client certificates (public keys) if certificate authentication
 # is set.
-#ca-cert = /etc/ocserv/ca.pem
+#ca-cert = /etc/config/ocserv-dir/ca.pem
 
 # The object identifier that will be used to read the user ID in the client 
 # certificate. The object identifier should be part of the certificate's DN
@@ -107,7 +107,7 @@ server-key = /etc/ocserv/server-key.pem
 #cert-group-oid = 2.5.4.11
 
 # The revocation list of the certificates issued by the 'ca-cert' above.
-#crl = /etc/ocserv/crl.pem
+#crl = /etc/config/ocserv-dir/crl.pem
 
 # GnuTLS priority string
 tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
@@ -277,14 +277,14 @@ ping-leases = false
 # based on a user or group. The syntax depends on the input accepted
 # by the commands route-add-cmd and route-del-cmd (see below).
 
-#config-per-user = /etc/ocserv/config-per-user/
-#config-per-group = /etc/ocserv/config-per-group/
+#config-per-user = /etc/config/ocserv-dir/config-per-user/
+#config-per-group = /etc/config/ocserv-dir/config-per-group/
 
 # When config-per-xxx is specified and there is no group or user that
 # matches, then utilize the following configuration.
 
-#default-user-config = /etc/ocserv/defaults/user.conf
-#default-group-config = /etc/ocserv/defaults/group.conf
+#default-user-config = /etc/config/ocserv-dir/defaults/user.conf
+#default-group-config = /etc/config/ocserv-dir/defaults/group.conf
 
 # Groups that a client is allowed to select from.
 # A client may belong in multiple groups, and in certain use-cases
diff --git a/net/ocserv/files/ocserv.init b/net/ocserv/files/ocserv.init
index 05ab34d2ff..15dbb68686 100644
--- a/net/ocserv/files/ocserv.init
+++ b/net/ocserv/files/ocserv.init
@@ -94,35 +94,41 @@ start() {
 	hostname=`uci show ddns|grep domain|head -1|cut -d '=' -f 2`
 	[ -z "$hostname" ] && hostname=`uci get system.@system[0].hostname`
 
-	[ ! -f /etc/ocserv/ca-key.pem ] && [ -x /usr/bin/certtool ] && {
-		logger -t ocserv "Generating CA certificate..."
-		mkdir -p /etc/ocserv/pki/
-		certtool --bits 2048 --generate-privkey --outfile /etc/ocserv/ca-key.pem >/dev/null 2>&1
-		echo "cn=$hostname CA" >/etc/ocserv/pki/ca.tmpl
-		echo "expiration_days=-1" >>/etc/ocserv/pki/ca.tmpl
-		echo "serial=1" >>/etc/ocserv/pki/ca.tmpl
-		echo "ca" >>/etc/ocserv/pki/ca.tmpl
-		echo "cert_signing_key" >>/etc/ocserv/pki/ca.tmpl
+	[ -d /etc/config/ocserv-dir ] || mkdir -p /etc/config/ocserv-dir
+	[ -f /etc/ocserv/ca-key.pem ] && mv /etc/ocserv/ca-key.pem /etc/config/ocserv-dir/ca-key.pem
+	[ -f /etc/ocserv/ca.pem ] && mv /etc/ocserv/ca.pem /etc/config/ocserv-dir/ca.pem
+	[ -f /etc/ocserv/server-key.pem ] && mv /etc/ocserv/server-key.pem /etc/config/ocserv-dir/server-key.pem
+	[ -f /etc/ocserv/server-cert.pem ] && mv /etc/ocserv/server-cert.pem /etc/config/ocserv-dir/server-cert.pem
 
-		certtool --template /etc/ocserv/pki/ca.tmpl \
-			--generate-self-signed --load-privkey /etc/ocserv/ca-key.pem \
-			--outfile /etc/ocserv/ca.pem >/dev/null 2>&1
+	[ ! -f /etc/config/ocserv-dir/ca-key.pem ] && [ -x /usr/bin/certtool ] && {
+		logger -t ocserv "Generating CA certificate..."
+		mkdir -p /tmp/ocserv-pki/
+		certtool --bits 2048 --generate-privkey --outfile /etc/config/ocserv-dir/ca-key.pem >/dev/null 2>&1
+		echo "cn=$hostname CA" >/tmp/ocserv-pki/ca.tmpl
+		echo "expiration_days=-1" >>/tmp/ocserv-pki/ca.tmpl
+		echo "serial=1" >>/tmp/ocserv-pki/ca.tmpl
+		echo "ca" >>/tmp/ocserv-pki/ca.tmpl
+		echo "cert_signing_key" >>/tmp/ocserv-pki/ca.tmpl
+
+		certtool --template /tmp/ocserv-pki/ca.tmpl \
+			--generate-self-signed --load-privkey /etc/config/ocserv-dir/ca-key.pem \
+			--outfile /etc/config/ocserv-dir/ca.pem >/dev/null 2>&1
 	}
 
 	#generate server certificate/key
-	[ ! -f /etc/ocserv/server-key.pem ] && [ -x /usr/bin/certtool ] && {
+	[ ! -f /etc/config/ocserv-dir/server-key.pem ] && [ -x /usr/bin/certtool ] && {
 		logger -t ocserv "Generating server certificate..."
-		mkdir -p /etc/ocserv/pki/
-		certtool --bits 2048 --generate-privkey --outfile /etc/ocserv/server-key.pem >/dev/null 2>&1
-		echo "cn=$hostname" >/etc/ocserv/pki/server.tmpl
-		echo "serial=2" >>/etc/ocserv/pki/server.tmpl
-		echo "expiration_days=-1" >>/etc/ocserv/pki/server.tmpl
-		echo "signing_key" >>/etc/ocserv/pki/server.tmpl
-		echo "encryption_key" >>/etc/ocserv/pki/server.tmpl
-		certtool --template /etc/ocserv/pki/server.tmpl \
-			--generate-certificate --load-privkey /etc/ocserv/server-key.pem \
-			--load-ca-certificate /etc/ocserv/ca.pem --load-ca-privkey \
-			/etc/ocserv/ca-key.pem --outfile /etc/ocserv/server-cert.pem >/dev/null 2>&1
+		mkdir -p /tmp/ocserv-pki/
+		certtool --bits 2048 --generate-privkey --outfile /etc/config/ocserv-dir/server-key.pem >/dev/null 2>&1
+		echo "cn=$hostname" >/tmp/ocserv-pki/server.tmpl
+		echo "serial=2" >>/tmp/ocserv-pki/server.tmpl
+		echo "expiration_days=-1" >>/tmp/ocserv-pki/server.tmpl
+		echo "signing_key" >>/tmp/ocserv-pki/server.tmpl
+		echo "encryption_key" >>/tmp/ocserv-pki/server.tmpl
+		certtool --template /tmp/ocserv-pki/server.tmpl \
+			--generate-certificate --load-privkey /etc/config/ocserv-dir/server-key.pem \
+			--load-ca-certificate /etc/config/ocserv-dir/ca.pem --load-ca-privkey \
+			/etc/config/ocserv-dir/ca-key.pem --outfile /etc/config/ocserv-dir/server-cert.pem >/dev/null 2>&1
 	}
 
 	[ -f /var/run/ocserv.pid ] || {