From 961d444762c70cdae2cd710234765c29b2d3873e Mon Sep 17 00:00:00 2001 From: Shea Levy Date: Tue, 30 Sep 2014 21:28:04 -0400 Subject: Remove hard-coded /etc from strongswan --- pkgs/tools/networking/strongswan/default.nix | 4 +- .../strongswan/no-hardcoded-sysconfdir.patch | 145 +++++++++++++++++++++ 2 files changed, 147 insertions(+), 2 deletions(-) create mode 100644 pkgs/tools/networking/strongswan/no-hardcoded-sysconfdir.patch (limited to 'pkgs/tools/networking/strongswan') diff --git a/pkgs/tools/networking/strongswan/default.nix b/pkgs/tools/networking/strongswan/default.nix index 56ecdb904e29..9358b9aaa2fb 100644 --- a/pkgs/tools/networking/strongswan/default.nix +++ b/pkgs/tools/networking/strongswan/default.nix @@ -8,11 +8,11 @@ stdenv.mkDerivation rec { sha256 = "1ki6v9c54ykppqnj3prgh62na97yajnvnm2zr1gjxzv05syk035h"; }; - patches = [ ./respect-path.patch ./no-sysconfdir-write.patch ]; + patches = [ ./respect-path.patch ./no-hardcoded-sysconfdir.patch ]; buildInputs = [ gmp autoreconfHook gettext pkgconfig ]; - configureFlags = [ "--enable-swanctl" "--sysconfdir=/etc" ]; + configureFlags = [ "--enable-swanctl" ]; meta = { maintainers = [ stdenv.lib.maintainers.shlevy ]; diff --git a/pkgs/tools/networking/strongswan/no-hardcoded-sysconfdir.patch b/pkgs/tools/networking/strongswan/no-hardcoded-sysconfdir.patch new file mode 100644 index 000000000000..b186b21a5dd9 --- /dev/null +++ b/pkgs/tools/networking/strongswan/no-hardcoded-sysconfdir.patch @@ -0,0 +1,145 @@ +commit 8e2b65ebf597a4d48daa3308aa032962110ad8f6 +Author: Shea Levy +Date: Tue Sep 30 15:14:47 2014 -0400 + + Allow specifying the ipsec.conf location in strongswan.conf + +diff --git a/conf/options/starter.opt b/conf/options/starter.opt +index 4e6574d..6d7162a 100644 +--- a/conf/options/starter.opt ++++ b/conf/options/starter.opt +@@ -3,3 +3,6 @@ starter.load = + + starter.load_warning = yes + Disable charon plugin load option warning. ++ ++starter.config_file = ${sysconfdir}/ipsec.conf ++ Location of the ipsec.conf conf file +diff --git a/src/starter/starter.c b/src/starter/starter.c +index 5c84593..1f365cc 100644 +--- a/src/starter/starter.c ++++ b/src/starter/starter.c +@@ -488,7 +488,8 @@ int main (int argc, char **argv) + } + if (!config_file) + { +- config_file = CONFIG_FILE; ++ config_file = lib->settings->get_str(lib->settings, "starter.config_file", ++ CONFIG_FILE); + } + + init_log("ipsec_starter"); + +commit 8b839cec684e26ed96f3d891b3ae3565558b2cff +Author: Shea Levy +Date: Tue Sep 30 15:11:03 2014 -0400 + + Allow specifying the ipsec.secrets location in strongswan.conf + +diff --git a/conf/plugins/stroke.opt b/conf/plugins/stroke.opt +index 2cfc2c6..b3ca2b7 100644 +--- a/conf/plugins/stroke.opt ++++ b/conf/plugins/stroke.opt +@@ -11,5 +11,8 @@ charon.plugins.stroke.prevent_loglevel_changes = no + charon.plugins.stroke.socket = unix://${piddir}/charon.ctl + Socket provided by the stroke plugin. + ++charon.plugins.stroke.secrets_file = ${sysconfdir}/ipsec.secrets ++ Location of the ipsec.secrets conf file ++ + charon.plugins.stroke.timeout = 0 + Timeout in ms for any stroke command. Use 0 to disable the timeout. +diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c +index f908219..673e492 100644 +--- a/src/libcharon/plugins/stroke/stroke_cred.c ++++ b/src/libcharon/plugins/stroke/stroke_cred.c +@@ -67,6 +67,7 @@ struct private_stroke_cred_t { + /** + * credentials + */ ++ char *secrets_file; + mem_cred_t *creds; + + /** +@@ -1297,7 +1298,7 @@ METHOD(stroke_cred_t, reread, void, + if (msg->reread.flags & REREAD_SECRETS) + { + DBG1(DBG_CFG, "rereading secrets"); +- load_secrets(this, NULL, SECRETS_FILE, 0, prompt); ++ load_secrets(this, NULL, this->secrets_file, 0, prompt); + } + if (msg->reread.flags & REREAD_CACERTS) + { +@@ -1370,6 +1371,9 @@ stroke_cred_t *stroke_cred_create() + .cachecrl = _cachecrl, + .destroy = _destroy, + }, ++ .secrets_file = lib->settings->get_str(lib->settings, ++ "%s.plugins.stroke.secrets_file", SECRETS_FILE, ++ lib->ns), + .creds = mem_cred_create(), + ); + +@@ -1380,7 +1384,7 @@ stroke_cred_t *stroke_cred_create() + FALSE, lib->ns); + + load_certs(this); +- load_secrets(this, NULL, SECRETS_FILE, 0, NULL); ++ load_secrets(this, NULL, this->secrets_file, 0, NULL); + + return &this->public; + } +diff --git a/src/starter/starter.c b/src/starter/starter.c +index 71f33ae..5c84593 100644 +--- a/src/starter/starter.c ++++ b/src/starter/starter.c +@@ -263,8 +263,11 @@ static void generate_selfcert() + { + struct stat stb; + ++ const char *secrets_file = lib->settings->get_str(lib->settings, ++ "charon.plugins.stroke.secrets_file", SECRETS_FILE); ++ + /* if ipsec.secrets file is missing then generate RSA default key pair */ +- if (stat(SECRETS_FILE, &stb) != 0) ++ if (stat(secrets_file, &stb) != 0) + { + mode_t oldmask; + FILE *f; +@@ -302,7 +305,7 @@ static void generate_selfcert() + /* ipsec.secrets is root readable only */ + oldmask = umask(0066); + +- f = fopen(SECRETS_FILE, "w"); ++ f = fopen(secrets_file, "w"); + if (f) + { + fprintf(f, "# /etc/ipsec.secrets - strongSwan IPsec secrets file\n"); +@@ -310,7 +313,7 @@ static void generate_selfcert() + fprintf(f, ": RSA myKey.der\n"); + fclose(f); + } +- ignore_result(chown(SECRETS_FILE, uid, gid)); ++ ignore_result(chown(secrets_file, uid, gid)); + umask(oldmask); + } + } + +commit 5f2ca3b99b40c47a9b59c7cc75655e5dd041787e +Author: Shea Levy +Date: Tue Sep 30 14:31:50 2014 -0400 + + Allow specifying the path to strongswan.conf in the STRONGSWAN_CONF env var + +diff -Naur a/src/libstrongswan/library.c b/src/libstrongswan/library.c +--- a/src/libstrongswan/library.c 2014-06-05 03:50:30.000000000 -0400 ++++ b/src/libstrongswan/library.c 2014-09-30 15:25:27.927757711 -0400 +@@ -307,7 +307,7 @@ + #ifdef STRONGSWAN_CONF + if (!settings) + { +- settings = STRONGSWAN_CONF; ++ settings = getenv("STRONGSWAN_CONF") ?: STRONGSWAN_CONF; + } + #endif + this->public.settings = settings_create(settings); -- cgit 1.4.1