summaryrefslogtreecommitdiff
path: root/src/starter/invokecharon.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/starter/invokecharon.c')
-rw-r--r--src/starter/invokecharon.c17
1 files changed, 12 insertions, 5 deletions
diff --git a/src/starter/invokecharon.c b/src/starter/invokecharon.c
index e97c8388b..48cb4151b 100644
--- a/src/starter/invokecharon.c
+++ b/src/starter/invokecharon.c
@@ -100,6 +100,7 @@ starter_start_charon (starter_config_t *cfg, bool debug)
{
int pid, i;
struct stat stb;
+ char buffer[BUF_LEN], buffer1[BUF_LEN];
int argc = 1;
char *arg[] = {
CHARON_CMD, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
@@ -115,6 +116,7 @@ starter_start_charon (starter_config_t *cfg, bool debug)
if (cfg->setup.strictcrlpolicy)
{
arg[argc++] = "--strictcrlpolicy";
+ arg[argc++] = cfg->setup.strictcrlpolicy == STRICT_IFURI ? "2":"1";
}
if (cfg->setup.cachecrls)
{
@@ -122,11 +124,9 @@ starter_start_charon (starter_config_t *cfg, bool debug)
}
if (cfg->setup.crlcheckinterval > 0)
{
- char buffer[BUF_LEN];
-
- snprintf(buffer, BUF_LEN, "%u", cfg->setup.crlcheckinterval);
+ snprintf(buffer1, BUF_LEN, "%u", cfg->setup.crlcheckinterval);
arg[argc++] = "--crlcheckinterval";
- arg[argc++] = buffer;
+ arg[argc++] = buffer1;
}
if (cfg->setup.eapdir)
{
@@ -135,7 +135,7 @@ starter_start_charon (starter_config_t *cfg, bool debug)
}
{ /* parse debug string */
- char *pos, *level, *buf_pos, type[4], buffer[BUF_LEN];
+ char *pos, *level, *buf_pos, type[4];
pos = cfg->setup.charondebug;
buf_pos = buffer;
while (pos && sscanf(pos, "%4s %d,", type, &level) == 2)
@@ -181,7 +181,11 @@ starter_start_charon (starter_config_t *cfg, bool debug)
FILE *f;
plog("no %s file, generating RSA key", SECRETS_FILE);
+ seteuid(IPSEC_UID);
+ setegid(IPSEC_GID);
system("ipsec scepclient --out pkcs1 --out cert-self --quiet");
+ seteuid(0);
+ setegid(0);
/* ipsec.secrets is root readable only */
oldmask = umask(0066);
@@ -194,6 +198,7 @@ starter_start_charon (starter_config_t *cfg, bool debug)
fprintf(f, ": RSA myKey.der\n");
fclose(f);
}
+ chown(SECRETS_FILE, IPSEC_UID, IPSEC_GID);
umask(oldmask);
}
@@ -207,6 +212,8 @@ starter_start_charon (starter_config_t *cfg, bool debug)
/* child */
setsid();
sigprocmask(SIG_SETMASK, 0, NULL);
+ /* disable glibc's malloc checker, conflicts with leak detective */
+ setenv("MALLOC_CHECK_", "0", 1);
execv(arg[0], arg);
plog("can't execv(%s,...): %s", arg[0], strerror(errno));
exit(1);