starter: Only create self-signed certificate if scepclient is built.

author Tobias Brunner <tobias@strongswan.org>

Wed, 12 Oct 2011 14:37:21 +0000 (16:37 +0200)

committer Tobias Brunner <tobias@strongswan.org>

Wed, 12 Oct 2011 14:37:21 +0000 (16:37 +0200)
author Tobias Brunner <tobias@strongswan.org>
Wed, 12 Oct 2011 14:37:21 +0000 (16:37 +0200)
committer Tobias Brunner <tobias@strongswan.org>
Wed, 12 Oct 2011 14:37:21 +0000 (16:37 +0200)
diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am

index 638f206..6f7f288 100644 (file)
--- a/src/starter/Makefile.am
+++ b/src/starter/Makefile.am
@@ -46,6 +46,10 @@ if USE_LOAD_WARNING
    AM_CFLAGS += -DLOAD_WARNING
  endif
  
+if USE_TOOLS
+  AM_CFLAGS += -DGENERATE_SELFCERT
+endif
+
  keywords.c:    $(srcdir)/keywords.txt $(srcdir)/keywords.h
                 $(GPERF) -m 10 -C -G -D -t < $(srcdir)/keywords.txt > $@
  
diff --git a/src/starter/starter.c b/src/starter/starter.c

index 814713c..659122a 100644 (file)
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -161,61 +161,63 @@ static void fsig(int signal)
         }
  }
  
+#ifdef GENERATE_SELFCERT
  static void generate_selfcert()
  {
         struct stat stb;
  
-               /* if ipsec.secrets file is missing then generate RSA default key pair */
-               if (stat(SECRETS_FILE, &stb) != 0)
-               {
-                       mode_t oldmask;
-                       FILE *f;
-                       uid_t uid = 0;
-                       gid_t gid = 0;
+       /* if ipsec.secrets file is missing then generate RSA default key pair */
+       if (stat(SECRETS_FILE, &stb) != 0)
+       {
+               mode_t oldmask;
+               FILE *f;
+               uid_t uid = 0;
+               gid_t gid = 0;
  
  #ifdef IPSEC_GROUP
-                       {
-                               char buf[1024];
-                               struct group group, *grp;
+               {
+                       char buf[1024];
+                       struct group group, *grp;
  
-                               if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) == 0 &&     grp)
-                               {
-                                       gid = grp->gr_gid;
-                               }
+                       if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) == 0 &&     grp)
+                       {
+                               gid = grp->gr_gid;
                         }
+               }
  #endif
  #ifdef IPSEC_USER
-                       {
-                               char buf[1024];
-                               struct passwd passwd, *pwp;
+               {
+                       char buf[1024];
+                       struct passwd passwd, *pwp;
  
-                               if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) == 0 &&     pwp)
-                               {
-                                       uid = pwp->pw_uid;
-                               }
+                       if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) == 0 &&     pwp)
+                       {
+                               uid = pwp->pw_uid;
                         }
+               }
  #endif
-                       setegid(gid);
-                       seteuid(uid);
-                       ignore_result(system("ipsec scepclient --out pkcs1 --out cert-self --quiet"));
-                       seteuid(0);
-                       setegid(0);
+               setegid(gid);
+               seteuid(uid);
+               ignore_result(system("ipsec scepclient --out pkcs1 --out cert-self --quiet"));
+               seteuid(0);
+               setegid(0);
  
-                       /* ipsec.secrets is root readable only */
-                       oldmask = umask(0066);
+               /* ipsec.secrets is root readable only */
+               oldmask = umask(0066);
  
-                       f = fopen(SECRETS_FILE, "w");
-                       if (f)
-                       {
-                               fprintf(f, "# /etc/ipsec.secrets - strongSwan IPsec secrets file\n");
-                               fprintf(f, "\n");
-                               fprintf(f, ": RSA myKey.der\n");
-                               fclose(f);
-                       }
-                       ignore_result(chown(SECRETS_FILE, uid, gid));
-                       umask(oldmask);
+               f = fopen(SECRETS_FILE, "w");
+               if (f)
+               {
+                       fprintf(f, "# /etc/ipsec.secrets - strongSwan IPsec secrets file\n");
+                       fprintf(f, "\n");
+                       fprintf(f, ": RSA myKey.der\n");
+                       fclose(f);
                 }
+               ignore_result(chown(SECRETS_FILE, uid, gid));
+               umask(oldmask);
+       }
  }
+#endif /* GENERATE_SELFCERT */
  
  static bool check_pid(char *pid_file)
  {
@@ -414,7 +416,9 @@ int main (int argc, char **argv)
                 exit(LSB_RC_SUCCESS);
         }
  
+#ifdef GENERATE_SELFCERT
         generate_selfcert();
+#endif
  
         /* fork if we're not debugging stuff */
         if (!no_fork)
author	Tobias Brunner <tobias@strongswan.org>
	Wed, 12 Oct 2011 14:37:21 +0000 (16:37 +0200)
committer	Tobias Brunner <tobias@strongswan.org>
	Wed, 12 Oct 2011 14:37:21 +0000 (16:37 +0200)
src/starter/Makefile.am		patch \| blob \| history
src/starter/starter.c		patch \| blob \| history