stroke: Allow specifying the ipsec.secrets location in strongswan.conf

This commit is contained in:
Shea Levy 2014-09-30 15:11:03 -04:00 committed by Tobias Brunner
parent 5fea45506e
commit 213e02b872
3 changed files with 20 additions and 5 deletions


@ -8,6 +8,9 @@ charon.plugins.stroke.max_concurrent = 4
charon.plugins.stroke.prevent_loglevel_changes = no charon.plugins.stroke.prevent_loglevel_changes = no
If enabled log level changes via stroke socket are not allowed. If enabled log level changes via stroke socket are not allowed.
charon.plugins.stroke.secrets_file = ${sysconfdir}/ipsec.secrets
Location of the ipsec.secrets file
charon.plugins.stroke.socket = unix://${piddir}/charon.ctl charon.plugins.stroke.socket = unix://${piddir}/charon.ctl
Socket provided by the stroke plugin. Socket provided by the stroke plugin.


@ -64,6 +64,11 @@ struct private_stroke_cred_t {
*/ */
stroke_cred_t public; stroke_cred_t public;
/**
* secrets file with credential information
*/
char *secrets_file;
/** /**
* credentials * credentials
*/ */
@ -1297,7 +1302,7 @@ METHOD(stroke_cred_t, reread, void,
if (msg->reread.flags & REREAD_SECRETS) if (msg->reread.flags & REREAD_SECRETS)
{ {
DBG1(DBG_CFG, "rereading secrets"); DBG1(DBG_CFG, "rereading secrets");
load_secrets(this, NULL, SECRETS_FILE, 0, prompt); load_secrets(this, NULL, this->secrets_file, 0, prompt);
} }
if (msg->reread.flags & REREAD_CACERTS) if (msg->reread.flags & REREAD_CACERTS)
{ {
@ -1370,6 +1375,9 @@ stroke_cred_t *stroke_cred_create()
.cachecrl = _cachecrl, .cachecrl = _cachecrl,
.destroy = _destroy, .destroy = _destroy,
}, },
.secrets_file = lib->settings->get_str(lib->settings,
"%s.plugins.stroke.secrets_file", SECRETS_FILE,
lib->ns),
.creds = mem_cred_create(), .creds = mem_cred_create(),
); );
@ -1380,7 +1388,7 @@ stroke_cred_t *stroke_cred_create()
FALSE, lib->ns); FALSE, lib->ns);
load_certs(this); load_certs(this);
load_secrets(this, NULL, SECRETS_FILE, 0, NULL); load_secrets(this, NULL, this->secrets_file, 0, NULL);
return &this->public; return &this->public;
} }
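Review bot: The new `.secrets_file` initializer in stroke_cred_create() stores the raw pointer returned by `lib->settings->get_str()` rather than a copy, and `_destroy` is not touched by the commit, so the field's lifetime is silently tied to the settings object; that is only safe if settings_t guarantees that strings handed out by get_str() remain valid across a strongswan.conf reload, which cannot be confirmed from the visible lines. A comment on the new struct member would make that ownership explicit, e.g. `/** secrets file path, owned by lib->settings (never freed here) */`. Since the plugin only reads the path, declaring it `const char *secrets_file;` would also document that it is never written through or freed by this file. The struct, reread() and stroke_cred_create() all extend beyond the hunks shown.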


@ -261,10 +261,14 @@ static void fatal_signal_handler(int signal)
#ifdef GENERATE_SELFCERT #ifdef GENERATE_SELFCERT
static void generate_selfcert() static void generate_selfcert()
{ {
const char *secrets_file;
struct stat stb; struct stat stb;
secrets_file = lib->settings->get_str(lib->settings,
"charon.plugins.stroke.secrets_file", SECRETS_FILE);
/* if ipsec.secrets file is missing then generate RSA default key pair */ /* if ipsec.secrets file is missing then generate RSA default key pair */
if (stat(SECRETS_FILE, &stb) != 0) if (stat(secrets_file, &stb) != 0)
{ {
mode_t oldmask; mode_t oldmask;
FILE *f; FILE *f;
@ -302,7 +306,7 @@ static void generate_selfcert()
/* ipsec.secrets is root readable only */ /* ipsec.secrets is root readable only */
oldmask = umask(0066); oldmask = umask(0066);
f = fopen(SECRETS_FILE, "w"); f = fopen(secrets_file, "w");
if (f) if (f)
{ {
fprintf(f, "# /etc/ipsec.secrets - strongSwan IPsec secrets file\n"); fprintf(f, "# /etc/ipsec.secrets - strongSwan IPsec secrets file\n");
@ -310,7 +314,7 @@ static void generate_selfcert()
fprintf(f, ": RSA myKey.der\n"); fprintf(f, ": RSA myKey.der\n");
fclose(f); fclose(f);
} }
ignore_result(chown(SECRETS_FILE, uid, gid)); ignore_result(chown(secrets_file, uid, gid));
umask(oldmask); umask(oldmask);
} }
} }
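Review bot: generate_selfcert() looks the option up with a hard-coded prefix, `"charon.plugins.stroke.secrets_file"`, while stroke_cred.c in the same commit keys it on `"%s.plugins.stroke.secrets_file"` with `lib->ns`; if the daemon can run under a different configuration namespace, the starter would create the default secrets file at one path and the plugin would load from another, leaving the freshly generated key unused. Either a comment stating why the fixed prefix is intentional for the starter, or deriving the prefix from the same daemon name the starter launches, would close that gap. The banner written into the generated file in the fopen hunk still reads `# /etc/ipsec.secrets` even though the location is now configurable; `fprintf(f, "# %s - strongSwan IPsec secrets file\n", secrets_file);` keeps it accurate. generate_selfcert() spans all three hunks and its middle portion is outside the visible lines.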