Remove hard-coded /etc from strongswan

This commit is contained in:
Shea Levy 2014-09-30 21:28:04 -04:00
parent 1c0d37a038
commit 961d444762
2 changed files with 147 additions and 2 deletions

View File

@ -8,11 +8,11 @@ stdenv.mkDerivation rec {
sha256 = "1ki6v9c54ykppqnj3prgh62na97yajnvnm2zr1gjxzv05syk035h";
};
patches = [ ./respect-path.patch ./no-sysconfdir-write.patch ];
patches = [ ./respect-path.patch ./no-hardcoded-sysconfdir.patch ];
buildInputs = [ gmp autoreconfHook gettext pkgconfig ];
configureFlags = [ "--enable-swanctl" "--sysconfdir=/etc" ];
configureFlags = [ "--enable-swanctl" ];
meta = {
maintainers = [ stdenv.lib.maintainers.shlevy ];

View File

@ -0,0 +1,145 @@
commit 8e2b65ebf597a4d48daa3308aa032962110ad8f6
Author: Shea Levy <shea@shealevy.com>
Date: Tue Sep 30 15:14:47 2014 -0400
Allow specifying the ipsec.conf location in strongswan.conf
diff --git a/conf/options/starter.opt b/conf/options/starter.opt
index 4e6574d..6d7162a 100644
--- a/conf/options/starter.opt
+++ b/conf/options/starter.opt
@@ -3,3 +3,6 @@ starter.load =
starter.load_warning = yes
Disable charon plugin load option warning.
+
+starter.config_file = ${sysconfdir}/ipsec.conf
+ Location of the ipsec.conf conf file
diff --git a/src/starter/starter.c b/src/starter/starter.c
index 5c84593..1f365cc 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -488,7 +488,8 @@ int main (int argc, char **argv)
}
if (!config_file)
{
- config_file = CONFIG_FILE;
+ config_file = lib->settings->get_str(lib->settings, "starter.config_file",
+ CONFIG_FILE);
}
init_log("ipsec_starter");
commit 8b839cec684e26ed96f3d891b3ae3565558b2cff
Author: Shea Levy <shea@shealevy.com>
Date: Tue Sep 30 15:11:03 2014 -0400
Allow specifying the ipsec.secrets location in strongswan.conf
diff --git a/conf/plugins/stroke.opt b/conf/plugins/stroke.opt
index 2cfc2c6..b3ca2b7 100644
--- a/conf/plugins/stroke.opt
+++ b/conf/plugins/stroke.opt
@@ -11,5 +11,8 @@ charon.plugins.stroke.prevent_loglevel_changes = no
charon.plugins.stroke.socket = unix://${piddir}/charon.ctl
Socket provided by the stroke plugin.
+charon.plugins.stroke.secrets_file = ${sysconfdir}/ipsec.secrets
+ Location of the ipsec.secrets conf file
+
charon.plugins.stroke.timeout = 0
Timeout in ms for any stroke command. Use 0 to disable the timeout.
diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c
index f908219..673e492 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.c
+++ b/src/libcharon/plugins/stroke/stroke_cred.c
@@ -67,6 +67,7 @@ struct private_stroke_cred_t {
/**
* credentials
*/
+ char *secrets_file;
mem_cred_t *creds;
/**
@@ -1297,7 +1298,7 @@ METHOD(stroke_cred_t, reread, void,
if (msg->reread.flags & REREAD_SECRETS)
{
DBG1(DBG_CFG, "rereading secrets");
- load_secrets(this, NULL, SECRETS_FILE, 0, prompt);
+ load_secrets(this, NULL, this->secrets_file, 0, prompt);
}
if (msg->reread.flags & REREAD_CACERTS)
{
@@ -1370,6 +1371,9 @@ stroke_cred_t *stroke_cred_create()
.cachecrl = _cachecrl,
.destroy = _destroy,
},
+ .secrets_file = lib->settings->get_str(lib->settings,
+ "%s.plugins.stroke.secrets_file", SECRETS_FILE,
+ lib->ns),
.creds = mem_cred_create(),
);
@@ -1380,7 +1384,7 @@ stroke_cred_t *stroke_cred_create()
FALSE, lib->ns);
load_certs(this);
- load_secrets(this, NULL, SECRETS_FILE, 0, NULL);
+ load_secrets(this, NULL, this->secrets_file, 0, NULL);
return &this->public;
}
diff --git a/src/starter/starter.c b/src/starter/starter.c
index 71f33ae..5c84593 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -263,8 +263,11 @@ static void generate_selfcert()
{
struct stat stb;
+ const char *secrets_file = lib->settings->get_str(lib->settings,
+ "charon.plugins.stroke.secrets_file", SECRETS_FILE);
+
/* if ipsec.secrets file is missing then generate RSA default key pair */
- if (stat(SECRETS_FILE, &stb) != 0)
+ if (stat(secrets_file, &stb) != 0)
{
mode_t oldmask;
FILE *f;
@@ -302,7 +305,7 @@ static void generate_selfcert()
/* ipsec.secrets is root readable only */
oldmask = umask(0066);
- f = fopen(SECRETS_FILE, "w");
+ f = fopen(secrets_file, "w");
if (f)
{
fprintf(f, "# /etc/ipsec.secrets - strongSwan IPsec secrets file\n");
@@ -310,7 +313,7 @@ static void generate_selfcert()
fprintf(f, ": RSA myKey.der\n");
fclose(f);
}
- ignore_result(chown(SECRETS_FILE, uid, gid));
+ ignore_result(chown(secrets_file, uid, gid));
umask(oldmask);
}
}
commit 5f2ca3b99b40c47a9b59c7cc75655e5dd041787e
Author: Shea Levy <shea@shealevy.com>
Date: Tue Sep 30 14:31:50 2014 -0400
Allow specifying the path to strongswan.conf in the STRONGSWAN_CONF env var
diff -Naur a/src/libstrongswan/library.c b/src/libstrongswan/library.c
--- a/src/libstrongswan/library.c 2014-06-05 03:50:30.000000000 -0400
+++ b/src/libstrongswan/library.c 2014-09-30 15:25:27.927757711 -0400
@@ -307,7 +307,7 @@
#ifdef STRONGSWAN_CONF
if (!settings)
{
- settings = STRONGSWAN_CONF;
+ settings = getenv("STRONGSWAN_CONF") ?: STRONGSWAN_CONF;
}
#endif
this->public.settings = settings_create(settings);