From: Shea Levy Date: Tue, 30 Sep 2014 19:11:03 +0000 (-0400) Subject: stroke: Allow specifying the ipsec.secrets location in strongswan.conf X-Git-Tag: 5.2.1dr1~38 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=213e02b8725e5d1401d231a7de9d1cf30fcee2eb;p=thirdparty%2Fstrongswan.git stroke: Allow specifying the ipsec.secrets location in strongswan.conf --- diff --git a/conf/plugins/stroke.opt b/conf/plugins/stroke.opt index 2cfc2c6fa3..4b49b1f042 100644 --- a/conf/plugins/stroke.opt +++ b/conf/plugins/stroke.opt @@ -8,6 +8,9 @@ charon.plugins.stroke.max_concurrent = 4 charon.plugins.stroke.prevent_loglevel_changes = no If enabled log level changes via stroke socket are not allowed. +charon.plugins.stroke.secrets_file = ${sysconfdir}/ipsec.secrets + Location of the ipsec.secrets file + charon.plugins.stroke.socket = unix://${piddir}/charon.ctl Socket provided by the stroke plugin. diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c index f908219ed2..83431d17ca 100644 --- a/src/libcharon/plugins/stroke/stroke_cred.c +++ b/src/libcharon/plugins/stroke/stroke_cred.c @@ -64,6 +64,11 @@ struct private_stroke_cred_t { */ stroke_cred_t public; + /** + * secrets file with credential information + */ + char *secrets_file; + /** * credentials */ @@ -1297,7 +1302,7 @@ METHOD(stroke_cred_t, reread, void, if (msg->reread.flags & REREAD_SECRETS) { DBG1(DBG_CFG, "rereading secrets"); - load_secrets(this, NULL, SECRETS_FILE, 0, prompt); + load_secrets(this, NULL, this->secrets_file, 0, prompt); } if (msg->reread.flags & REREAD_CACERTS) { @@ -1370,6 +1375,9 @@ stroke_cred_t *stroke_cred_create() .cachecrl = _cachecrl, .destroy = _destroy, }, + .secrets_file = lib->settings->get_str(lib->settings, + "%s.plugins.stroke.secrets_file", SECRETS_FILE, + lib->ns), .creds = mem_cred_create(), ); 
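Review bot: The new `secrets_file` member is filled from `lib->settings->get_str()` in stroke_cred_create(), but its comment does not say who owns the string; nothing in this diff frees it, so a reader of destroy() cannot tell whether that is a leak or a borrowed pointer. I would document it as `/** secrets file with credential information (points into settings storage, not owned) */`. If strongswan.conf can be reloaded while the plugin is alive, a borrowed pointer may also go stale, which is worth confirming against the lifetime guarantees of settings_t. The struct private_stroke_cred_t continues outside the hunk.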
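Review bot: `reread` now passes `this->secrets_file`, which was captured once in stroke_cred_create(), so changing `charon.plugins.stroke.secrets_file` in strongswan.conf and issuing a rereadsecrets still loads the path that was configured at startup. Looking the value up at reread time, `char *file = lib->settings->get_str(lib->settings, "%s.plugins.stroke.secrets_file", SECRETS_FILE, lib->ns);` followed by `load_secrets(this, NULL, file, 0, prompt);`, picks up a changed location and also avoids holding a long-lived pointer into settings storage. Whether strongswan.conf is re-read before REREAD_SECRETS is handled is not visible here, so this may only matter in combination with a reload. The reread method starts and ends outside the hunk.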
@@ -1380,7 +1388,7 @@ stroke_cred_t *stroke_cred_create() FALSE, lib->ns); load_certs(this); - load_secrets(this, NULL, SECRETS_FILE, 0, NULL); + load_secrets(this, NULL, this->secrets_file, 0, NULL); return &this->public; } diff --git a/src/starter/starter.c b/src/starter/starter.c index 71f33ae914..ea8a999f0a 100644 --- a/src/starter/starter.c +++ b/src/starter/starter.c @@ -261,10 +261,14 @@ static void fatal_signal_handler(int signal) #ifdef GENERATE_SELFCERT static void generate_selfcert() { + const char *secrets_file; struct stat stb; + secrets_file = lib->settings->get_str(lib->settings, + "charon.plugins.stroke.secrets_file", SECRETS_FILE); + /* if ipsec.secrets file is missing then generate RSA default key pair */ - if (stat(SECRETS_FILE, &stb) != 0) + if (stat(secrets_file, &stb) != 0) { mode_t oldmask; FILE *f; @@ -302,7 +306,7 @@ static void generate_selfcert() /* ipsec.secrets is root readable only */ oldmask = umask(0066); - f = fopen(SECRETS_FILE, "w"); + f = fopen(secrets_file, "w"); if (f) { fprintf(f, "# /etc/ipsec.secrets - strongSwan IPsec secrets file\n"); @@ -310,7 +314,7 @@ static void generate_selfcert() fprintf(f, ": RSA myKey.der\n"); fclose(f); } - ignore_result(chown(SECRETS_FILE, uid, gid)); + ignore_result(chown(secrets_file, uid, gid)); umask(oldmask); } }
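Review bot: starter looks the option up with the literal key `"charon.plugins.stroke.secrets_file"`, while stroke_cred.c reads `"%s.plugins.stroke.secrets_file"` with `lib->ns`; if charon runs under a namespace other than `charon`, starter will stat() and generate one file while the plugin loads another. Whether starter can know charon's namespace is not visible here, but the coupling deserves a comment at the lookup, e.g. `/* must match the key stroke_cred.c reads; assumes charon's default namespace */`, or a shared constant. Note also that `stat(secrets_file, &stb) != 0` treats any failure (EACCES, ENOTDIR on a mistyped path) as "file missing" and falls through to creating the file, which a configurable location makes easier to hit than before. generate_selfcert() continues past the end of the hunk.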
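Review bot: The header written right after the changed fopen, `fprintf(f, "# /etc/ipsec.secrets - strongSwan IPsec secrets file\n");`, still hardcodes the default location although the file may now be generated elsewhere; `fprintf(f, "# %s - strongSwan IPsec secrets file\n", secrets_file);` keeps the generated file self-describing. Separately, `fopen(secrets_file, "w")` after a failed stat() is not atomic and will follow a symlink planted in between; with the location now configurable outside /etc, `open(secrets_file, O_WRONLY | O_CREAT | O_EXCL, 0600)` followed by `fdopen()` closes that window and makes the `umask(0066)` dance unnecessary (starter.c may need `<fcntl.h>` for this; I cannot see its includes). The enclosing generate_selfcert() starts and ends outside this hunk.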
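Review bot: The `fclose(f)` just above the changed chown() is unchecked, so a failed write (full or read-only filesystem at a custom location) leaves an empty or truncated secrets file that the `stat()` guard will treat as present on the next start, and the key reference is never regenerated. Checking `if (fclose(f) != 0)` and logging the failure, or unlinking the partial file, would make the condition visible instead of silent; I cannot see from here which logging helper starter.c uses. The `ignore_result(chown(...))` is pre-existing and clearly deliberate, so I would leave it. generate_selfcert() ends in this hunk but starts outside it.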