stroke: Allow specifying the ipsec.secrets location in strongswan.conf
authorShea Levy <shea@shealevy.com>
Tue, 30 Sep 2014 19:11:03 +0000 (15:11 -0400)
committerTobias Brunner <tobias@strongswan.org>
Thu, 2 Oct 2014 12:31:00 +0000 (14:31 +0200)
conf/plugins/stroke.opt
src/libcharon/plugins/stroke/stroke_cred.c
src/starter/starter.c

index 2cfc2c6..4b49b1f 100644 (file)
@@ -8,6 +8,9 @@ charon.plugins.stroke.max_concurrent = 4
 charon.plugins.stroke.prevent_loglevel_changes = no
        If enabled log level changes via stroke socket are not allowed.
 
+charon.plugins.stroke.secrets_file = ${sysconfdir}/ipsec.secrets
+       Location of the ipsec.secrets file
+
 charon.plugins.stroke.socket = unix://${piddir}/charon.ctl
        Socket provided by the stroke plugin.
 
index f908219..83431d1 100644 (file)
@@ -65,6 +65,11 @@ struct private_stroke_cred_t {
        stroke_cred_t public;
 
        /**
+        * secrets file with credential information
+        */
+       char *secrets_file;
+
+       /**
         * credentials
         */
        mem_cred_t *creds;
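Review bot: The new `secrets_file` member's comment says what the string is but not who owns it, and ownership is the non-obvious part here: the later hunk in stroke_cred_create() assigns it straight from `lib->settings->get_str()` with no copy, so presumably it must not be freed in `_destroy` and stays valid only as long as the settings object does. Suggest `/** path of the secrets file; points into settings storage, not owned by this object */` so the next maintainer does not add a free() or expect the string to survive a settings reload. The struct private_stroke_cred_t continues outside this hunk.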
@@ -1297,7 +1302,7 @@ METHOD(stroke_cred_t, reread, void,
        if (msg->reread.flags & REREAD_SECRETS)
        {
                DBG1(DBG_CFG, "rereading secrets");
-               load_secrets(this, NULL, SECRETS_FILE, 0, prompt);
+               load_secrets(this, NULL, this->secrets_file, 0, prompt);
        }
        if (msg->reread.flags & REREAD_CACERTS)
        {
@@ -1370,6 +1375,9 @@ stroke_cred_t *stroke_cred_create()
                        .cachecrl = _cachecrl,
                        .destroy = _destroy,
                },
+               .secrets_file = lib->settings->get_str(lib->settings,
+                                                               "%s.plugins.stroke.secrets_file", SECRETS_FILE,
+                                                               lib->ns),
                .creds = mem_cred_create(),
        );
 
@@ -1380,7 +1388,7 @@ stroke_cred_t *stroke_cred_create()
                                                FALSE, lib->ns);
 
        load_certs(this);
-       load_secrets(this, NULL, SECRETS_FILE, 0, NULL);
+       load_secrets(this, NULL, this->secrets_file, 0, NULL);
 
        return &this->public;
 }
index 71f33ae..ea8a999 100644 (file)
@@ -261,10 +261,14 @@ static void fatal_signal_handler(int signal)
 #ifdef GENERATE_SELFCERT
 static void generate_selfcert()
 {
+       const char *secrets_file;
        struct stat stb;
 
+       secrets_file = lib->settings->get_str(lib->settings,
+                                                       "charon.plugins.stroke.secrets_file", SECRETS_FILE);
+
        /* if ipsec.secrets file is missing then generate RSA default key pair */
-       if (stat(SECRETS_FILE, &stb) != 0)
+       if (stat(secrets_file, &stb) != 0)
        {
                mode_t oldmask;
                FILE *f;
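Review bot: The lookup key here is the literal `"charon.plugins.stroke.secrets_file"` whereas stroke_cred.c builds the key from `lib->ns`, so starter and the daemon only agree on the secrets path when the daemon's namespace is `charon`; with a differently named daemon, starter would generate the default key and secrets file at a location the daemon never loads. That is presumably deliberate, since starter's own `lib->ns` is not the daemon's, but it deserves a comment such as `/* must match the namespace the daemon uses for this setting (lib->ns in stroke_cred.c) */` next to the `get_str()` call. generate_selfcert() continues outside this hunk.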
@@ -302,7 +306,7 @@ static void generate_selfcert()
                /* ipsec.secrets is root readable only */
                oldmask = umask(0066);
 
-               f = fopen(SECRETS_FILE, "w");
+               f = fopen(secrets_file, "w");
                if (f)
                {
                        fprintf(f, "# /etc/ipsec.secrets - strongSwan IPsec secrets file\n");
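Review bot: The header line written into the newly created file still hard-codes `/etc/ipsec.secrets`, which is now wrong whenever the configured `secrets_file` points elsewhere; since the path is in hand, write it instead: `fprintf(f, "# %s - strongSwan IPsec secrets file\n", secrets_file);`. The context line is unchanged by the commit but the commit is what makes it stale. generate_selfcert() starts and ends outside this hunk.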
@@ -310,7 +314,7 @@ static void generate_selfcert()
                        fprintf(f, ": RSA myKey.der\n");
                        fclose(f);
                }
-               ignore_result(chown(SECRETS_FILE, uid, gid));
+               ignore_result(chown(secrets_file, uid, gid));
                umask(oldmask);
        }
 }