Diffstat (limited to 'src')
-rw-r--r--src/starter/Makefile.am4
-rw-r--r--src/starter/starter.c80
2 files changed, 46 insertions, 38 deletions
diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am
index 638f206a0..6f7f2882b 100644
--- a/src/starter/Makefile.am
+++ b/src/starter/Makefile.am
@@ -46,6 +46,10 @@ if USE_LOAD_WARNING
AM_CFLAGS += -DLOAD_WARNING
endif
+if USE_TOOLS
+ AM_CFLAGS += -DGENERATE_SELFCERT
+endif
+
keywords.c: $(srcdir)/keywords.txt $(srcdir)/keywords.h
$(GPERF) -m 10 -C -G -D -t < $(srcdir)/keywords.txt > $@
diff --git a/src/starter/starter.c b/src/starter/starter.c
index 814713cda..659122a7a 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -161,61 +161,63 @@ static void fsig(int signal)
}
}
+#ifdef GENERATE_SELFCERT
static void generate_selfcert()
{
struct stat stb;
- /* if ipsec.secrets file is missing then generate RSA default key pair */
- if (stat(SECRETS_FILE, &stb) != 0)
- {
- mode_t oldmask;
- FILE *f;
- uid_t uid = 0;
- gid_t gid = 0;
+ /* if ipsec.secrets file is missing then generate RSA default key pair */
+ if (stat(SECRETS_FILE, &stb) != 0)
+ {
+ mode_t oldmask;
+ FILE *f;
+ uid_t uid = 0;
+ gid_t gid = 0;
#ifdef IPSEC_GROUP
- {
- char buf[1024];
- struct group group, *grp;
+ {
+ char buf[1024];
+ struct group group, *grp;
- if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) == 0 && grp)
- {
- gid = grp->gr_gid;
- }
+ if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) == 0 && grp)
+ {
+ gid = grp->gr_gid;
}
+ }
#endif
#ifdef IPSEC_USER
- {
- char buf[1024];
- struct passwd passwd, *pwp;
+ {
+ char buf[1024];
+ struct passwd passwd, *pwp;
- if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) == 0 && pwp)
- {
- uid = pwp->pw_uid;
- }
+ if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) == 0 && pwp)
+ {
+ uid = pwp->pw_uid;
}
+ }
#endif
- setegid(gid);
- seteuid(uid);
- ignore_result(system("ipsec scepclient --out pkcs1 --out cert-self --quiet"));
- seteuid(0);
- setegid(0);
+ setegid(gid);
+ seteuid(uid);
+ ignore_result(system("ipsec scepclient --out pkcs1 --out cert-self --quiet"));
+ seteuid(0);
+ setegid(0);
- /* ipsec.secrets is root readable only */
- oldmask = umask(0066);
+ /* ipsec.secrets is root readable only */
+ oldmask = umask(0066);
- f = fopen(SECRETS_FILE, "w");
- if (f)
- {
- fprintf(f, "# /etc/ipsec.secrets - strongSwan IPsec secrets file\n");
- fprintf(f, "\n");
- fprintf(f, ": RSA myKey.der\n");
- fclose(f);
- }
- ignore_result(chown(SECRETS_FILE, uid, gid));
- umask(oldmask);
+ f = fopen(SECRETS_FILE, "w");
+ if (f)
+ {
+ fprintf(f, "# /etc/ipsec.secrets - strongSwan IPsec secrets file\n");
+ fprintf(f, "\n");
+ fprintf(f, ": RSA myKey.der\n");
+ fclose(f);
}
+ ignore_result(chown(SECRETS_FILE, uid, gid));
+ umask(oldmask);
+ }
}
+#endif /* GENERATE_SELFCERT */
static bool check_pid(char *pid_file)
{
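Review bot: The privilege switch around the `system()` call at the `setegid(gid)`/`seteuid(uid)` lines is still unchecked in the new code: if either call fails, `ipsec scepclient` runs with the starter's original effective ids, and if the `seteuid(0)`/`setegid(0)` restore fails, the following `fopen(SECRETS_FILE, "w")` and `chown()` run under the wrong identity with no diagnostic. Guarding the invocation, `if (setegid(gid) == 0 && seteuid(uid) == 0) { ignore_result(system("ipsec scepclient --out pkcs1 --out cert-self --quiet")); }`, and checking the two restore calls (logging a failure) would make the drop-and-restore explicit; the behaviour predates this commit and is only moved under the new `#ifdef`. As a point of style, `static void generate_selfcert()` is an unprototyped declaration in C and should read `static void generate_selfcert(void)`, matching the `(void)` the hunk's other headers use. The comment `/* ipsec.secrets is root readable only */` is slightly off because the file is subsequently chown'd to uid/gid; `/* ipsec.secrets is readable by its owner only */` describes the umask(0066) plus chown() more accurately.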
@@ -414,7 +416,9 @@ int main (int argc, char **argv)
exit(LSB_RC_SUCCESS);
}
+#ifdef GENERATE_SELFCERT
generate_selfcert();
+#endif
/* fork if we're not debugging stuff */
if (!no_fork)