stroke: Allow specifying the ipsec.secrets location in strongswan.conf

2025-10-06 00:00:47 -04:00 · 2014-09-30 15:11:03 -04:00 · 2014-09-30 15:11:03 -04:00 · 213e02b872
commit 213e02b872
parent 5fea45506e
3 changed files with 20 additions and 5 deletions
--- a/conf/plugins/stroke.opt
+++ b/conf/plugins/stroke.opt
@ -8,6 +8,9 @@ charon.plugins.stroke.max_concurrent = 4
 charon.plugins.stroke.prevent_loglevel_changes = no
 	If enabled log level changes via stroke socket are not allowed.

+charon.plugins.stroke.secrets_file = ${sysconfdir}/ipsec.secrets
+	Location of the ipsec.secrets file
+
 charon.plugins.stroke.socket = unix://${piddir}/charon.ctl
 	Socket provided by the stroke plugin.

--- a/src/libcharon/plugins/stroke/stroke_cred.c
+++ b/src/libcharon/plugins/stroke/stroke_cred.c
@ -64,6 +64,11 @@ struct private_stroke_cred_t {
 	 */
 	stroke_cred_t public;

+	/**
+	 * secrets file with credential information
+	 */
+	char *secrets_file;
+
 	/**
 	 * credentials
 	 */
@ -1297,7 +1302,7 @@ METHOD(stroke_cred_t, reread, void,
 	if (msg->reread.flags & REREAD_SECRETS)
 	{
 		DBG1(DBG_CFG, "rereading secrets");
-		load_secrets(this, NULL, SECRETS_FILE, 0, prompt);
+		load_secrets(this, NULL, this->secrets_file, 0, prompt);
 	}
 	if (msg->reread.flags & REREAD_CACERTS)
 	{
@ -1370,6 +1375,9 @@ stroke_cred_t *stroke_cred_create()
 			.cachecrl = _cachecrl,
 			.destroy = _destroy,
 		},
+		.secrets_file = lib->settings->get_str(lib->settings,
+								"%s.plugins.stroke.secrets_file", SECRETS_FILE,
+								lib->ns),
 		.creds = mem_cred_create(),
 	);

@ -1380,7 +1388,7 @@ stroke_cred_t *stroke_cred_create()
 						FALSE, lib->ns);

 	load_certs(this);
-	load_secrets(this, NULL, SECRETS_FILE, 0, NULL);
+	load_secrets(this, NULL, this->secrets_file, 0, NULL);

 	return &this->public;
 }
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@ -261,10 +261,14 @@ static void fatal_signal_handler(int signal)
 #ifdef GENERATE_SELFCERT
 static void generate_selfcert()
 {
+	const char *secrets_file;
 	struct stat stb;

+	secrets_file = lib->settings->get_str(lib->settings,
+							"charon.plugins.stroke.secrets_file", SECRETS_FILE);
+
 	/* if ipsec.secrets file is missing then generate RSA default key pair */
-	if (stat(SECRETS_FILE, &stb) != 0)
+	if (stat(secrets_file, &stb) != 0)
 	{
 		mode_t oldmask;
 		FILE *f;
@ -302,7 +306,7 @@ static void generate_selfcert()
 		/* ipsec.secrets is root readable only */
 		oldmask = umask(0066);

-		f = fopen(SECRETS_FILE, "w");
+		f = fopen(secrets_file, "w");
 		if (f)
 		{
 			fprintf(f, "# /etc/ipsec.secrets - strongSwan IPsec secrets file\n");
@ -310,7 +314,7 @@ static void generate_selfcert()
 			fprintf(f, ": RSA myKey.der\n");
 			fclose(f);
 		}
-		ignore_result(chown(SECRETS_FILE, uid, gid));
+		ignore_result(chown(secrets_file, uid, gid));
 		umask(oldmask);
 	}
 }