Beispiel #1
0
int main(int argc, char *argv[])
{
    bool  recalculate = FALSE;
    int   len;
    err_t err = NULL;
    char *infile;
    char *conn_name;
    int  lineno=0;
    struct connection *c1 = NULL;

#ifdef HAVE_EFENCE
    EF_PROTECT_FREE=1;
#endif

    progname = argv[0];
    leak_detective = 1;

    if(argc != 3 && argc!=4) {
	fprintf(stderr, "Usage: %s [-r] <whackrecord> <conn-name>\n", progname);
	exit(10);
    }
    /* skip argv0 */
    argc--; argv++;

    if(strcmp(argv[0], "-r")==0) {
        recalculate = 1;    /* do all crypto */
        argc--; argv++;
    }

    tool_init_log();
    load_oswcrypto();
    init_fake_vendorid();
    init_fake_secrets();
    init_local_interface();

    infile = argv[0];
    conn_name = argv[1];

    cur_debugging = DBG_CONTROL|DBG_CONTROLMORE;
    if(readwhackmsg(infile) == 0) exit(11);

    send_packet_setup_pcap("OUTPUT/" TESTNAME ".pcap");

    c1 = con_by_name(conn_name, TRUE);
    assert(c1 != NULL);

    //list_public_keys(FALSE, FALSE);
    assert(orient(c1, 500));
    show_one_connection(c1, whack_log);

    kick_adns_connection_lookup(c1, &c1->spd.that, TRUE);

    report_leaks();

    tool_close_log();
    exit(0);
}
Beispiel #2
0
int main(int argc, char *argv[])
{
    int   len;
    char *infile;
    char *conn_name;
    int  lineno=0;
    int  regression = 0;
    struct connection *c1;
    struct state *st;

#ifdef HAVE_EFENCE
    EF_PROTECT_FREE=1;
#endif

    progname = argv[0];
    leak_detective = 1;

    if(argc != 3 && argc!=4) {
	fprintf(stderr, "Usage: %s [-r] <whackrecord>\n", progname);
	exit(10);
    }
    /* skip argv0 */
    argc--; argv++;

    if(strcmp(argv[0], "-r")==0) {
        regression = 1;
        argc--; argv++;
    }

    tool_init_log();
    load_oswcrypto();
    init_fake_vendorid();
    init_fake_secrets();
    init_local_interface();

    infile = argv[0];

    cur_debugging = DBG_CONTROL|DBG_CONTROLMORE;
    if(readwhackmsg(infile) == 0) exit(11);

    hostpair_list();
    report_leaks();

    tool_close_log();
    exit(0);
}
Beispiel #3
0
int main(int argc, char *argv[])
{
	struct state st1;

	progname = argv[0];
	cur_debugging = DBG_CRYPT|DBG_KLIPS|DBG_PARSING;

	memset(&st1, 0, sizeof(st1));
	pluto_shared_secrets_file = "../../baseconfigs/east/etc/ipsec.secrets";

	osw_init_ipsecdir("../../baseconfigs/east/etc/ipsec.d");
	osw_init_rootdir("../../baseconfigs/east");

	/* initialize list of moduli */
	init_crypto();
	load_oswcrypto();

	init_seam_kernelalgs();

	/* now derive the keys for the CHILD_SA */
	{
		struct ipsec_proto_info *ipi;
		
		setchunk(st1.st_skey_d, tc3_results_skey_d, sizeof(tc3_results_skey_d));

		ipi = &st1.st_esp;
		ipi->attrs.transattrs.encrypt   = IKEv2_ENCR_AES_CBC;
		ipi->attrs.transattrs.enckeylen = 128;
		ipi->attrs.transattrs.integ_hash= alg_info_esp_v2tov1aa(IKEv2_AUTH_HMAC_SHA1_96);

		ikev2_derive_child_keys(&st1);

		DBG_dump("our  keymat: "
			 , ipi->our_keymat
			 , ipi->keymat_len);

		DBG_dump("peer keymat: "
			 , ipi->peer_keymat
			 , ipi->keymat_len);
	}
		

	exit(0);
}
Beispiel #4
0
int
main(int argc, char **argv)
{
    bool fork_desired = TRUE;
    int lockfd;
    char* ocspuri = NULL;
    int nhelpers = -1;
    char *coredir;
    const struct osw_conf_options *oco;

#ifdef NAT_TRAVERSAL
    /** Overridden by nat_traversal= in ipsec.conf */
    bool nat_traversal = FALSE;
    bool nat_t_spf = TRUE;  /* support port floating */
    unsigned int keep_alive = 0;
    bool force_keepalive = FALSE;
#endif
    /** Overridden by virtual_private= in ipsec.conf */
    char *virtual_private = NULL;
#ifdef LEAK_DETECTIVE
    leak_detective=1;
#else
    leak_detective=0;
#endif

#ifdef HAVE_LIBCAP_NG
	/* Drop capabilities */
	capng_clear(CAPNG_SELECT_BOTH);
	capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
			CAP_NET_BIND_SERVICE, CAP_NET_ADMIN, CAP_NET_RAW,
			CAP_IPC_LOCK, -1);
	/* our children must be able to CAP_NET_ADMIN to change routes.
	 */
	capng_updatev(CAPNG_ADD, CAPNG_BOUNDING_SET,
			CAP_NET_ADMIN, -1);
	capng_apply(CAPNG_SELECT_BOTH);
#endif


    global_argv = argv;
    global_argc = argc;
#ifdef DEBUG
    openswan_passert_fail = passert_fail;
#endif

    /* see if there is an environment variable */
    coredir = getenv("PLUTO_CORE_DIR");

    if(getenv("PLUTO_WAIT_FOR_GDB")) {
	sleep(120);
    }

    /* handle arguments */
    for (;;)
    {
#	define DBG_OFFSET 256
	static const struct option long_opts[] = {
	    /* name, has_arg, flag, val */
	    { "help", no_argument, NULL, 'h' },
	    { "version", no_argument, NULL, 'v' },
	    { "optionsfrom", required_argument, NULL, '+' },
	    { "nofork", no_argument, NULL, 'd' },
	    { "stderrlog", no_argument, NULL, 'e' },
	    { "noklips", no_argument, NULL, 'n' },
	    { "use-nostack",  no_argument, NULL, 'n' },
	    { "use-none",     no_argument, NULL, 'n' },
	    { "force_busy", no_argument, NULL, 'D' },
	    { "nocrsend", no_argument, NULL, 'c' },
	    { "strictcrlpolicy", no_argument, NULL, 'r' },
	    { "crlcheckinterval", required_argument, NULL, 'x'},
	    { "ocsprequestcert", required_argument, NULL, 'q'},
	    { "ocspuri", required_argument, NULL, 'o'},
	    { "uniqueids", no_argument, NULL, 'u' },
	    { "useklips",  no_argument, NULL, 'k' },
	    { "use-klips",  no_argument, NULL, 'k' },
	    { "use-auto",  no_argument, NULL, 'G' },
	    { "usenetkey", no_argument, NULL, 'K' },
	    { "use-netkey", no_argument, NULL, 'K' },
	    { "use-mast",   no_argument, NULL, 'M' },
	    { "use-mastklips",   no_argument, NULL, 'M' },
	    { "use-bsdkame",   no_argument, NULL, 'F' },
	    { "interface", required_argument, NULL, 'i' },
	    { "listen", required_argument, NULL, 'L' },
	    { "ikeport", required_argument, NULL, 'p' },
	    { "ctlbase", required_argument, NULL, 'b' },
	    { "secretsfile", required_argument, NULL, 's' },
	    { "foodgroupsdir", required_argument, NULL, 'f' },
	    { "perpeerlogbase", required_argument, NULL, 'P' },
	    { "perpeerlog", no_argument, NULL, 'l' },
	    { "noretransmits", no_argument, NULL, 'R' },
	    { "coredir", required_argument, NULL, 'C' },
	    { "ipsecdir", required_argument, NULL, 'f' },
	    { "ipsec_dir", required_argument, NULL, 'f' },
#ifdef USE_LWRES
	    { "lwdnsq", required_argument, NULL, 'a' },
#else /* !USE_LWRES */
	    { "adns", required_argument, NULL, 'a' },
#endif /* !USE_LWRES */
#ifdef NAT_TRAVERSAL
	    { "nat_traversal", no_argument, NULL, '1' },
	    { "keep_alive", required_argument, NULL, '2' },
	    { "force_keepalive", no_argument, NULL, '3' },
	    { "disable_port_floating", no_argument, NULL, '4' },
	    { "debug-nat_t", no_argument, NULL, '5' },
	    { "debug-nattraversal", no_argument, NULL, '5' },
	    { "debug-nat-t", no_argument, NULL, '5' },
#endif
	    { "virtual_private", required_argument, NULL, '6' },
	    { "nhelpers", required_argument, NULL, 'j' },
#ifdef DEBUG
	    { "debug-none", no_argument, NULL, 'N' },
	    { "debug-all", no_argument, NULL, 'A' },

	    { "debug-raw", no_argument, NULL, DBG_RAW + DBG_OFFSET },
	    { "debug-crypt", no_argument, NULL, DBG_CRYPT + DBG_OFFSET },
	    { "debug-crypto", no_argument, NULL, DBG_CRYPT + DBG_OFFSET },
	    { "debug-parsing", no_argument, NULL, DBG_PARSING + DBG_OFFSET },
	    { "debug-emitting", no_argument, NULL, DBG_EMITTING + DBG_OFFSET },
	    { "debug-control", no_argument, NULL, DBG_CONTROL + DBG_OFFSET },
	    { "debug-lifecycle", no_argument, NULL, DBG_LIFECYCLE + DBG_OFFSET },
	    { "debug-klips", no_argument, NULL, DBG_KLIPS + DBG_OFFSET },
	    { "debug-netkey", no_argument, NULL, DBG_NETKEY + DBG_OFFSET },
	    { "debug-dns", no_argument, NULL, DBG_DNS + DBG_OFFSET },
	    { "debug-oppo", no_argument, NULL, DBG_OPPO + DBG_OFFSET },
	    { "debug-oppoinfo", no_argument, NULL, DBG_OPPOINFO + DBG_OFFSET },
	    { "debug-controlmore", no_argument, NULL, DBG_CONTROLMORE + DBG_OFFSET },
	    { "debug-dpd", no_argument, NULL, DBG_DPD + DBG_OFFSET },
            { "debug-x509", no_argument, NULL, DBG_X509 + DBG_OFFSET },
	    { "debug-private", no_argument, NULL, DBG_PRIVATE + DBG_OFFSET },
	    { "debug-pfkey", no_argument, NULL, DBG_PFKEY + DBG_OFFSET },

	    { "impair-delay-adns-key-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_KEY_ANSWER + DBG_OFFSET },
	    { "impair-delay-adns-txt-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_TXT_ANSWER + DBG_OFFSET },
	    { "impair-bust-mi2", no_argument, NULL, IMPAIR_BUST_MI2 + DBG_OFFSET },
	    { "impair-bust-mr2", no_argument, NULL, IMPAIR_BUST_MR2 + DBG_OFFSET },
	    { "impair-sa-creation", no_argument, NULL, IMPAIR_SA_CREATION + DBG_OFFSET },
	    { "impair-die-oninfo", no_argument, NULL, IMPAIR_DIE_ONINFO + DBG_OFFSET },
	    { "impair-jacob-two-two", no_argument, NULL, IMPAIR_JACOB_TWO_TWO + DBG_OFFSET },
#endif
	    { 0,0,0,0 }
	    };
	/* Note: we don't like the way short options get parsed
	 * by getopt_long, so we simply pass an empty string as
	 * the list.  It could be "hvdenp:l:s:" "NARXPECK".
	 */
	int c = getopt_long(argc, argv, "", long_opts, NULL);

	/** Note: "breaking" from case terminates loop */
	switch (c)
	{
	case EOF:	/* end of flags */
	    break;

	case 0: /* long option already handled */
	    continue;

	case ':':	/* diagnostic already printed by getopt_long */
	case '?':	/* diagnostic already printed by getopt_long */
	    usage("");
	    break;   /* not actually reached */

	case 'h':	/* --help */
	    usage(NULL);
	    break;	/* not actually reached */

	case 'C':
	    coredir = clone_str(optarg, "coredir");
	    break;

	case 'v':	/* --version */
	    {
		const char **sp = ipsec_copyright_notice();

		printf("%s%s\n", ipsec_version_string(),
				 compile_time_interop_options);
		for (; *sp != NULL; sp++)
		    puts(*sp);
	    }
	    exit(0);	/* not exit_pluto because we are not initialized yet */
	    break;	/* not actually reached */

	case '+':	/* --optionsfrom <filename> */
	    optionsfrom(optarg, &argc, &argv, optind, stderr);
	    /* does not return on error */
	    continue;

	case 'j':	/* --nhelpers */
            if (optarg == NULL || !isdigit(optarg[0]))
                usage("missing number of pluto helpers");

            {
                char *endptr;
                long count = strtol(optarg, &endptr, 0);

                if (*endptr != '\0' || endptr == optarg
		    || count < -1)
                    usage("<nhelpers> must be a positive number, 0 or -1");
                nhelpers = count;
            }
	    continue;

	case 'd':	/* --nofork*/
	    fork_desired = FALSE;
	    continue;

	case 'e':	/* --stderrlog */
	    log_to_stderr_desired = TRUE;
	    continue;

	case 'G':       /* --use-auto */
	    kern_interface = AUTO_PICK;
	    continue;

	case 'k':       /* --use-klips */
	    kern_interface = USE_KLIPS;
	    continue;

	case 'L':	/* --listen ip_addr */
	    {
	    ip_address lip;
	     err_t e = ttoaddr(optarg,0,0,&lip);
	    if(e) {
		openswan_log("invalid listen argument ignored: %s\n",e);
	    } else {
		pluto_listen = clone_str(optarg, "pluto_listen");
		openswan_log("bind() will be filtered for %s\n",pluto_listen);
	    }
            }
	   continue;

	case 'M':       /* --use-mast */
	    kern_interface = USE_MASTKLIPS;
	    continue;

	case 'F':       /* --use-bsdkame */
	    kern_interface = USE_BSDKAME;
	    continue;

	case 'K':       /* --use-netkey */
	    kern_interface = USE_NETKEY;
	    continue;

	case 'n':	/* --use-nostack */
	    kern_interface = NO_KERNEL;
	    continue;

	case 'D':	/* --force_busy */
	    force_busy = TRUE;
	    continue
	    ;

	case 'c':	/* --nocrsend */
	    no_cr_send = TRUE;
	    continue
	    ;

	case 'r':	/* --strictcrlpolicy */
	    strict_crl_policy = TRUE;
	    continue
	    ;

	case 'R':
	    no_retransmits = TRUE;
	    continue;

	case 'x':	/* --crlcheckinterval <time>*/
            if (optarg == NULL || !isdigit(optarg[0]))
                usage("missing interval time");

            {
                char *endptr;
                long interval = strtol(optarg, &endptr, 0);

                if (*endptr != '\0' || endptr == optarg
                || interval <= 0)
                    usage("<interval-time> must be a positive number");
                crl_check_interval = interval;
            }
	    continue
	    ;

	case 'o':	/* --ocspuri */
	    ocspuri = optarg;
	    continue;

	case 'u':	/* --uniqueids */
	    uniqueIDs = TRUE;
	    continue;

	case 'i':	/* --interface <ifname|ifaddr> */
	    if (!use_interface(optarg))
		usage("too many --interface specifications");
	    continue;

	/* 
	 * This option does not really work, as this is the "left"
	 * site only, you also need --to --ikeport again later on
	 * It will result in: yourport -> 500, still not bypassing filters
	 */
	case 'p':	/* --ikeport <portnumber> */
	    if (optarg == NULL || !isdigit(optarg[0]))
		usage("missing port number");
	    {
		char *endptr;
		long port = strtol(optarg, &endptr, 0);

		if (*endptr != '\0' || endptr == optarg
		|| port <= 0 || port > 0x10000)
		    usage("<port-number> must be a number between 1 and 65535");
		pluto_port = port;
	    }
	    continue;

	case 'b':	/* --ctlbase <path> */
	    ctlbase = optarg;
	    if (snprintf(ctl_addr.sun_path, sizeof(ctl_addr.sun_path)
			 , "%s%s", ctlbase, CTL_SUFFIX) == -1)
		usage("<path>" CTL_SUFFIX " too long for sun_path");
	    if (snprintf(info_addr.sun_path, sizeof(info_addr.sun_path)
			 , "%s%s", ctlbase, INFO_SUFFIX) == -1)
		usage("<path>" INFO_SUFFIX " too long for sun_path");
	    if (snprintf(pluto_lock, sizeof(pluto_lock)
			 , "%s%s", ctlbase, LOCK_SUFFIX) == -1)
		usage("<path>" LOCK_SUFFIX " must fit");
	    continue;

	case 's':	/* --secretsfile <secrets-file> */
	    pluto_shared_secrets_file = optarg;
	    continue;

	case 'f':	/* --ipsecdir <ipsec-dir> */
	    (void)osw_init_ipsecdir(optarg);
	    continue;

	case 'a':	/* --adns <pathname> */
	    pluto_adns_option = optarg;
	    continue;

#ifdef DEBUG
	case 'N':	/* --debug-none */
	    base_debugging = DBG_NONE;
	    continue;

	case 'A':	/* --debug-all */
	    base_debugging = DBG_ALL;
	    continue;
#endif

	case 'P':       /* --perpeerlogbase */
	    base_perpeer_logdir = optarg;
	    continue;

	case 'l':
	    log_to_perpeer = TRUE;
	    continue;

#ifdef NAT_TRAVERSAL
	case '1':	/* --nat_traversal */
	    nat_traversal = TRUE;
	    continue;
	case '2':	/* --keep_alive */
	    keep_alive = atoi(optarg);
	    continue;
	case '3':	/* --force_keepalive */
	    force_keepalive = TRUE;
	    continue;
	case '4':	/* --disable_port_floating */
	    nat_t_spf = FALSE;
	    continue;
#ifdef DEBUG
	case '5':	/* --debug-nat_t */
	    base_debugging |= DBG_NATT;
	    continue;
#endif
#endif
	case '6':	/* --virtual_private */
	    virtual_private = optarg;
	    continue;

	default:
#ifdef DEBUG
	    if (c >= DBG_OFFSET)
	    {
		base_debugging |= c - DBG_OFFSET;
		continue;
	    }
#	undef DBG_OFFSET
#endif
	    bad_case(c);
	}
	break;
    }
    if (optind != argc)
	usage("unexpected argument");
    reset_debugging();

#ifdef HAVE_NO_FORK
	fork_desired = FALSE;
	nhelpers = 0;
#endif

    /* if a core dir was set, chdir there */
    if(coredir) 
	if(chdir(coredir) == -1) {
	   int e = errno;
	   openswan_log("pluto: chdir() do dumpdir failed (%d %s)\n",
                    e, strerror(e));
    }

    oco = osw_init_options();
    lockfd = create_lock();

    /* select between logging methods */

    if (log_to_stderr_desired)
	log_to_syslog = FALSE;
    else
	log_to_stderr = FALSE;

#ifdef DEBUG
#if 0
    if(kernel_ops->set_debug) {
	(*kernel_ops->set_debug)(cur_debugging, DBG_log, DBG_log);
    }
#endif
#endif

    /** create control socket.
     * We must create it before the parent process returns so that
     * there will be no race condition in using it.  The easiest
     * place to do this is before the daemon fork.
     */
    {
	err_t ugh = init_ctl_socket();

	if (ugh != NULL)
	{
	    fprintf(stderr, "pluto: %s", ugh);
	    exit_pluto(1);
	}
    }

#ifdef IPSECPOLICY
    /* create info socket. */
    {
	err_t ugh = init_info_socket();

	if (ugh != NULL)
	{
	    fprintf(stderr, "pluto: %s", ugh);
	    exit_pluto(1);
	}
    }
#endif

    /* If not suppressed, do daemon fork */

    if (fork_desired)
    {
	{
	    pid_t pid = fork();

	    if (pid < 0)
	    {
		int e = errno;

		fprintf(stderr, "pluto: fork failed (%d %s)\n",
		    errno, strerror(e));
		exit_pluto(1);
	    }

	    if (pid != 0)
	    {
		/* parent: die, after filling PID into lock file.
		 * must not use exit_pluto: lock would be removed!
		 */
		exit(fill_lock(lockfd, pid)? 0 : 1);
	    }
	}

	if (setsid() < 0)
	{
	    int e = errno;

	    fprintf(stderr, "setsid() failed in main(). Errno %d: %s\n",
		errno, strerror(e));
	    exit_pluto(1);
	}
    }
    else
    {
	/* no daemon fork: we have to fill in lock file */
	(void) fill_lock(lockfd, getpid());
	fprintf(stdout, "Pluto initialized\n");
	fflush(stdout);
    }

    /** Close everything but ctl_fd and (if needed) stderr.
     * There is some danger that a library that we don't know
     * about is using some fd that we don't know about.
     * I guess we'll soon find out.
     */
    {
	int i;

	for (i = getdtablesize() - 1; i >= 0; i--)  /* Bad hack */
	    if ((!log_to_stderr || i != 2)
#ifdef IPSECPOLICY
	    && i != info_fd
#endif
	    && i != ctl_fd)
		close(i);

	/* make sure that stdin, stdout, stderr are reserved */
	if (open("/dev/null", O_RDONLY) != 0)
	    osw_abort();
	if (dup2(0, 1) != 1)
	    osw_abort();
	if (!log_to_stderr && dup2(0, 2) != 2)
	    osw_abort();
    }

    init_constants();
    pluto_init_log();

#ifdef HAVE_LIBNSS
	char buf[100];
	snprintf(buf, sizeof(buf), "%s",oco->confddir);
	loglog(RC_LOG_SERIOUS,"nss directory plutomain: %s",buf);
	SECStatus nss_init_status= NSS_InitReadWrite(buf);
	if (nss_init_status != SECSuccess) {
	    loglog(RC_LOG_SERIOUS, "NSS initialization failed (err %d)\n", PR_GetError());
        exit_pluto(10);
	} else {
	    loglog(RC_LOG_SERIOUS, "NSS Initialized");
	    PK11_SetPasswordFunc(getNSSPassword);

#ifdef FIPS_CHECK
	const char *package_files[]= { IPSECLIBDIR"/setup",
				        IPSECLIBDIR"/addconn",
				        IPSECLIBDIR"/auto",
				        IPSECLIBDIR"/barf",
				        IPSECLIBDIR"/_copyright",
				        IPSECLIBDIR"/eroute",
  				        IPSECLIBDIR"/ikeping",
				        IPSECLIBDIR"/_include",
					IPSECLIBDIR"/_keycensor",
					IPSECLIBDIR"/klipsdebug",
					IPSECLIBDIR"/look",
					IPSECLIBDIR"/newhostkey",
					IPSECLIBDIR"/pf_key",
					IPSECLIBDIR"/_pluto_adns",
					IPSECLIBDIR"/_plutoload",
					IPSECLIBDIR"/_plutorun",
					IPSECLIBDIR"/ranbits",
					IPSECLIBDIR"/_realsetup",
					IPSECLIBDIR"/rsasigkey",
					IPSECLIBDIR"/pluto",
					IPSECLIBDIR"/_secretcensor",
					IPSECLIBDIR"/secrets",
					IPSECLIBDIR"/showdefaults",
					IPSECLIBDIR"/showhostkey",
					IPSECLIBDIR"/showpolicy",
					IPSECLIBDIR"/spi",
					IPSECLIBDIR"/spigrp",
					IPSECLIBDIR"/_startklips",
					IPSECLIBDIR"/_startnetkey",
					IPSECLIBDIR"/tncfg",
					IPSECLIBDIR"/_updown",
					IPSECLIBDIR"/_updown.klips",
					IPSECLIBDIR"/_updown.mast",
					IPSECLIBDIR"/_updown.netkey", 
					IPSECLIBDIR"/verify",
					IPSECLIBDIR"/whack",
					IPSECSBINDIR"/ipsec",
					NULL
					};

       if (Pluto_IsFIPS() && !FIPSCHECK_verify_files(package_files)) {
             loglog(RC_LOG_SERIOUS, "FIPS integrity verification test failed");
             exit_pluto(10);
        }
#endif

      }
#endif

    /* Note: some scripts may look for this exact message -- don't change
     * ipsec barf was one, but it no longer does.
     */
    {
	const char *vc = ipsec_version_code();
#ifdef PLUTO_SENDS_VENDORID
	const char *v = init_pluto_vendorid();
	openswan_log("Starting Pluto (Openswan Version %s%s; Vendor ID %s) pid:%u"
		     , vc, compile_time_interop_options, v, getpid());
#else
	openswan_log("Starting Pluto (Openswan Version %s%s) pid:%u"
		     , vc, compile_time_interop_options, getpid());
#endif
#ifdef HAVE_LIBNSS
	if(Pluto_IsFIPS()) {
		openswan_log("Pluto is running in FIPS mode");
	}
#endif

	if((vc[0]=='c' && vc[1]=='v' && vc[2]=='s') ||
	   (vc[2]=='g' && vc[3]=='i' && vc[4]=='t')) {
	    /*
	     * when people build RPMs from CVS or GIT, make sure they
	     * get blamed appropriately, and that we get some way to
	     * identify who did it, and when they did it. Use string concat,
	     * so that strings the binary can or classic SCCS "what", will find
	     * stuff too.
	     */
	    openswan_log("@(#) built on "__DATE__":" __TIME__ " by " BUILDER);
	}
#if defined(USE_1DES)
	openswan_log("WARNING: 1DES is enabled");
#endif
    }

    if(coredir) {
	openswan_log("core dump dir: %s", coredir);
    }

#ifdef LEAK_DETECTIVE
	openswan_log("LEAK_DETECTIVE support [enabled]");
#else
	openswan_log("LEAK_DETECTIVE support [disabled]");
#endif

#ifdef HAVE_OCF
       {
        struct stat buf;
	errno=0;

	if( stat("/dev/crypto",&buf) != -1) 
		openswan_log("OCF support for IKE via /dev/crypto [enabled]");
	else 
		openswan_log("OCF support for IKE via /dev/crypto [failed:%s]", strerror(errno));
       }
#else
	openswan_log("OCF support for IKE [disabled]");
#endif

   /* Check for SAREF support */
#ifdef KLIPS_MAST
#include <ipsec_saref.h>
    {
	int e, sk, saref;
	saref = 1;
	errno=0;

	sk = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
	e = setsockopt(sk, IPPROTO_IP, IP_IPSEC_REFINFO, &saref, sizeof(saref));
	if (e == -1 ) {
		openswan_log("SAref support [disabled]: %s" , strerror(errno));
	}
	else {
		openswan_log("SAref support [enabled]");
	}
	errno=0;
	e = setsockopt(sk, IPPROTO_IP, IP_IPSEC_BINDREF, &saref, sizeof(saref));
	if (e == -1 ) {
		openswan_log("SAbind support [disabled]: %s" , strerror(errno));
	}
	else {
		openswan_log("SAbind support [enabled]");
	}


	close(sk);
    }
#endif

#ifdef HAVE_LIBNSS
	openswan_log("NSS support [enabled]");
#else
	openswan_log("NSS support [disabled]");
#endif

#ifdef HAVE_STATSD
	openswan_log("HAVE_STATSD notification via /bin/openswan-statsd enabled");
#else
	openswan_log("HAVE_STATSD notification support not compiled in");
#endif


/** Log various impair-* functions if they were enabled */

    if(DBGP(IMPAIR_BUST_MI2))
	openswan_log("Warning: IMPAIR_BUST_MI2 enabled");
    if(DBGP(IMPAIR_BUST_MR2))
	openswan_log("Warning: IMPAIR_BUST_MR2 enabled");
    if(DBGP(IMPAIR_SA_CREATION))
	openswan_log("Warning: IMPAIR_SA_CREATION enabled");
    if(DBGP(IMPAIR_JACOB_TWO_TWO))
	openswan_log("Warning: IMPAIR_JACOB_TWO_TWO enabled");
    if(DBGP(IMPAIR_DIE_ONINFO))
	openswan_log("Warning: IMPAIR_DIE_ONINFO enabled");
    if(DBGP(IMPAIR_DELAY_ADNS_KEY_ANSWER))
	openswan_log("Warning: IMPAIR_DELAY_ADNS_KEY_ANSWER enabled");
    if(DBGP(IMPAIR_DELAY_ADNS_TXT_ANSWER))
	openswan_log("Warning: IMPAIR_DELAY_ADNS_TXT_ANSWER enabled");

/** Initialize all of the various features */

#ifdef NAT_TRAVERSAL
    init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf);
#endif

    init_virtual_ip(virtual_private);
    init_rnd_pool();
    init_timer();
    init_secret();
    init_states();
    init_connections();
    init_crypto();
    init_crypto_helpers(nhelpers);
    load_oswcrypto();
    init_demux();
    init_kernel();
    init_adns();
    init_id();

#ifdef TPM
    init_tpm();
#endif

#ifdef HAVE_THREADS
    init_fetch();
#endif

    ocsp_set_default_uri(ocspuri);

    /* loading X.509 CA certificates */
    load_authcerts("CA cert", oco->cacerts_dir, AUTH_CA);
    /* loading X.509 AA certificates */
    load_authcerts("AA cert", oco->aacerts_dir, AUTH_AA);
    /* loading X.509 OCSP certificates */
    load_authcerts("OCSP cert", oco->ocspcerts_dir, AUTH_OCSP);

    /* loading X.509 CRLs */
    load_crls();
    /* loading attribute certificates (experimental) */
    load_acerts();

#ifdef HAVE_LIBNSS
    /*Loading CA certs from NSS DB*/
    load_authcerts_from_nss("CA cert",  AUTH_CA);
#endif

    daily_log_event();
    call_server();
    return -1;	/* Shouldn't ever reach this */
}
Beispiel #5
0
main(int argc, char *argv[])
{
    int   len;
    char *infile;
    char *conn_name;
    int  lineno=0;
    int  regression = 0;
    struct connection *c1;
    struct state *st;

#ifdef HAVE_EFENCE
    EF_PROTECT_FREE=1;
#endif

    progname = argv[0];
    leak_detective = 1;

    if(argc != 3 && argc!=4) {
	fprintf(stderr, "Usage: %s [-r] <whackrecord> <conn-name>\n", progname);
	exit(10);
    }
    /* skip argv0 */
    argc--; argv++;

    if(strcmp(argv[0], "-r")==0) {
        regression = 1;
        argc--; argv++;
    }

    tool_init_log();
    load_oswcrypto();
    init_fake_vendorid();
    init_fake_secrets();
    init_local_interface();

    infile = argv[0];
    conn_name = argv[1];

    cur_debugging = DBG_CONTROL|DBG_CONTROLMORE;
    if(readwhackmsg(infile) == 0) exit(11);

    send_packet_setup_pcap("OUTPUT/" TESTNAME ".pcap");

    c1 = con_by_name(conn_name, TRUE);
    assert(c1 != NULL);

    //list_public_keys(FALSE, FALSE);
#ifndef SKIP_ORIENT_ASSERT
    assert(orient(c1, 500));
#endif
    show_one_connection(c1);

#ifndef SKIP_INITIATE
    /* do calculation if not -r for regression */
    st = sendI1(c1, DBG_EMITTING|DBG_CONTROL|DBG_CONTROLMORE, regression == 0);

    st = state_with_serialno(1);
    if(st!=NULL) {
        delete_state(st);
        free_state(st);
    }
#endif

    delete_connection(c1, TRUE);

    report_leaks();

    tool_close_log();
    exit(0);
}
main(int argc, char *argv[])
{
    int   len;
    char *infile;
    char *conn_name;
    int  lineno=0;
    int  regression = 0;
    struct connection *c1;
    struct state *st;

#ifdef HAVE_EFENCE
    EF_PROTECT_FREE=1;
#endif

    progname = argv[0];
    leak_detective = 1;

    /* skip argv0 */
    argc--; argv++;

    if(strcmp(argv[0], "-r")==0) {
        regression = 1;
        argc--; argv++;
    }
    if(argc != 4) {
	fprintf(stderr, "Usage: %s [-r] <whackrecord> <conn-name> <pcapfile> <pcapout>\n", progname);
	exit(10);
    }

    tool_init_log();
    init_crypto();
    load_oswcrypto();
    init_fake_vendorid();
    init_parker_interface();

    infile = argv[0];
    conn_name = argv[1];

    cur_debugging = DBG_CONTROL|DBG_CONTROLMORE;
    if(readwhackmsg(infile) == 0) exit(10);

    /* input packets */
    recv_pcap_setup(argv[2]);

    /* output first packets to /dev/null */
    send_packet_setup_pcap("/dev/null");

    c1 = con_by_name(conn_name, TRUE);
    assert(c1 != NULL);

    assert(orient(c1, 500));
    show_one_connection(c1);

    st = sendI1(c1, DBG_CONTROL, regression == 0);

    /* now accept the reply packet */
    cur_debugging = DBG_CONTROL|DBG_PARSING;

    /* now output interesting packet to capture file */
    send_packet_setup_pcap(argv[3]);

    pcap_dispatch(pt, 1, recv_pcap_packet, NULL);
    pcap_close(pt);
    recv_pcap_setup(argv[2]);
    pcap_dispatch(pt, 1, recv_pcap_packet, NULL);

    /* dump the delete message that comes out */
    send_packet_setup_pcap("/dev/null");
    delete_connection(c1, TRUE);

    st = state_with_serialno(1);
    if(st!=NULL) {
        free_state(st);
    }

    report_leaks();

    tool_close_log();
    exit(0);
}
Beispiel #7
0
int main(int argc, char **argv)
{
	int lockfd;
    bool restore_vrf_pluto = 0;
	
	/*此开关必须放在所有动态内存分配之前*/
	leak_detective=0;
	
	debug_info_control* dic=alloc_bytes(sizeof(debug_info_control), "malloc debug_info_control in main");

	openswan_passert_fail = passert_fail;

	/*设备类型初始化*/
	ipsec_device_type_init();
	{
		u32 pseudo_start_pluto = 0;

		for (;;)
		{
#define DBG_OFFSET 256
			static const struct option long_opts[] = {
				/* name, has_arg, flag, val */
				{ "help", no_argument, NULL, 'h' },
				{ "version", no_argument, NULL, 'v' },
				{ "start", no_argument, NULL, 'B' },
                { "quit", no_argument, NULL, 'D' },    
				{ "user", no_argument, NULL, 'u' },
				{ "krl", no_argument, NULL, 'K' },
				{ "debug-nat", no_argument, NULL, '5' },
				{ "debug-none", no_argument, NULL, 'N' },
				{ "debug-all", no_argument, NULL, 'A' },
				{ "debug-raw", no_argument, NULL, DBG_RAW + DBG_OFFSET },	
				{ "debug-crypto", no_argument, NULL, DBG_CRYPT + DBG_OFFSET },
				{ "debug-parsing", no_argument, NULL, DBG_PARSING + DBG_OFFSET },
				{ "debug-emitting", no_argument, NULL, DBG_EMITTING + DBG_OFFSET },
				{ "debug-control", no_argument, NULL, DBG_CONTROL + DBG_OFFSET },
				{ "debug-lifecycle", no_argument, NULL, DBG_LIFECYCLE + DBG_OFFSET },
				{ "debug-klips", no_argument, NULL, DBG_KLIPS + DBG_OFFSET },
				{ "debug-netkey", no_argument, NULL, DBG_NETKEY + DBG_OFFSET },
				{ "debug-dns", no_argument, NULL, DBG_DNS + DBG_OFFSET },
				{ "debug-oppoinfo", no_argument, NULL, DBG_OPPOINFO + DBG_OFFSET },
				{ "debug-controlmore", no_argument, NULL, DBG_CONTROLMORE + DBG_OFFSET },
				{ "debug-dpd", no_argument, NULL, DBG_DPD + DBG_OFFSET },
				{ "debug-xauth", no_argument, NULL, DBG_XAUTH+ DBG_OFFSET },
				{ "debug-x509", no_argument, NULL, DBG_X509 + DBG_OFFSET },
				{ "debug-private", no_argument, NULL, DBG_PRIVATE + DBG_OFFSET },
				{ "debug-pfkey", no_argument, NULL, DBG_PFKEY + DBG_OFFSET },
                { "debug-ifchange", no_argument, NULL, DBG_IF_CHANGE + DBG_OFFSET },
                
				{ "log-openinfo", no_argument, NULL, 'i' },
				{ "log-openwar", no_argument, NULL, 'w' },
				{ "log-openerr", no_argument, NULL, 'r' },
				{ "log-openuserlog", no_argument, NULL, 'e' },				
				{ "log-openradiuslog", no_argument, NULL, 'c' },
				{ "log-openpri", no_argument, NULL, 'p' },
				{ "log-opensyserr", no_argument, NULL, 'q' },
				{ "log-closeall", no_argument, NULL, 'a' },

				{ "debug-connection", required_argument, NULL, 'O' },
				{ "debug-host", required_argument, NULL, 'H' },
				{ "debug-stop", no_argument, NULL, 'S' },
				{ "counter", no_argument, NULL, 'b' },				
				{ "isa-counter", no_argument, NULL, 'x' },

				{ "krc", no_argument, NULL, 'E'},
				{ "kss", required_argument, NULL, 'F'},
				{ "kpc", no_argument, NULL, 'G'},
				{ "kprt", required_argument, NULL, 'L'},
				{ "kspi", required_argument, NULL, 'M' },
				{ "kdst", required_argument, NULL, 'P' },
				{ "kdnet", required_argument, NULL, 'R' },
				{ "kid",  required_argument, NULL, 'Q' },
				{ "restore-vrf", no_argument, NULL, 'V' },	
				{ 0,0,0,0 }
			};

			int c = getopt_long(argc, argv, "", long_opts, NULL);
			ip_address dst_tmp;
			ip_subnet subnet_tmp;

			switch (c)
			{
				case EOF:	/* end of flags */
					break;

				case 0: /* long option already handled */
					continue;

				case ':':	/* diagnostic already printed by getopt_long */
				case '?':	/* diagnostic already printed by getopt_long */
					usage("");
					break;   

				case 'h':	
					usage(NULL);
					break;	

				case 'v':	
				{
					const char **sp = ipsec_copyright_notice();

					printf("%s%s\n", ipsec_version_string(),compile_time_interop_options);
					for (; *sp != NULL; sp++)
					{
						puts(*sp);
					}
				}
					exit(0);	
					break;	

				case 'i':
					dic->public_info.log_falg = 1;
					dic->public_info.log_level_info |= IPSEC_LOGLEVEL_INFO;
					continue;

				case 'w':
					dic->public_info.log_falg = 1;
					dic->public_info.log_level_info |= IPSEC_LOGLEVEL_WARNING;
					continue;

				case 'r':
					dic->public_info.log_falg = 1;
					dic->public_info.log_level_info |= IPSEC_LOGLEVEL_ERROR;
					continue;

				case 'e':
					dic->public_info.log_falg = 1;
					dic->public_info.log_level_info |= IPSEC_LOGLEVEL_USER_LOG;
					continue;
					
				case 'c':
					dic->public_info.log_falg = 1;
					dic->public_info.log_level_info |= IPSEC_LOGLEVEL_RADIUS_LOG;
					continue;
					
				case 'p':
					dic->public_info.log_falg = 1;
					dic->public_info.log_level_info |= IPSEC_LOGLEVEL_PRIVATE;
					continue;
					
				case 'q':
					dic->public_info.log_falg = 1;
					dic->public_info.log_level_info |= IPSEC_LOGLEVEL_SYSERROR;
					continue;

				case 'a':
					dic->public_info.log_falg = 1;
					dic->public_info.log_level_info=IPSEC_LOGLEVEL_CLOSE;
					continue;
                    
				case 'B': 				    
					dic->com_type=IPSEC_DEBUG_STAR_HANDLE;
					continue;                   

                case 'D':
                    dic->com_type=IPSEC_DEBUG_QUIT_HANDLE;
					continue;

				case 'u':                    
					dic->com_type=IPSEC_DEBUG_USER_HANDLE;
					continue;

				case 'K':	
					dic->com_type=IPSEC_DEBUG_KERNEL_HANDLE;
					continue;

				case 'N':	/* --debug-none */
					dic->public_info.public_info_flag=1;
					dic->public_info.public_info_value=DBG_NONE;
					continue;

				case 'A':	/* --debug-all */
					dic->public_info.public_info_flag=1;
					dic->public_info.public_info_value=DBG_ALL;
					continue;

				case 'O':
					if(optarg != NULL)
					{
						strcpy(dic->child_info.child_info_optarg,optarg);
						dic->child_info.child_info_type=IPSEC_CHILD_DEBUG_INFO_CON_NAME;
					}
					else
					{
						return 0;
					}
					break;

				case 'H':
					if(optarg != NULL)
					{
						strcpy(dic->child_info.child_info_optarg,optarg);
						dic->child_info.child_info_type=IPSEC_CHILD_DEBUG_INFO_HOST;
					}
					else
					{
						return 0;
					}
					break;

				case 'S':
					dic->child_info.child_info_type=IPSEC_CHILD_DEBUG_INFO_STOP;
					break;
				case 'b':
					dic->child_info.child_info_type=IPSEC_CHILD_DEBUG_INFO_PRINT_COUNTER;
					break;
                case 'x':
					dic->child_info.child_info_type=IPSEC_CHILD_DEBUG_INFO_PRINT_ISA_COUNTER;
					break;
				case 'E':	
					pseudo_start_pluto = 1;
					dic->kernel_info.flag= IPSEC_RESET_COUNTER;
					continue;

				case 'F':
					pseudo_start_pluto = 1;
					dic->kernel_info.flag = IPSEC_SET_DEBUG_SIP;
					dic->kernel_info.sip =inet_addr(optarg);
					continue;

				case 'G':
					pseudo_start_pluto = 1;
					dic->kernel_info.flag = IPSEC_DUMP_COUNTER;
					continue;
					
				case 'L':
					pseudo_start_pluto = 1;
					dic->kernel_info.flag=IPSEC_PRINT_INTERFACE_TEMP;
					if_get_index_by_name(optarg, (s32*)(&dic->kernel_info.ifindex));
					continue;	
					
				case 'M':	
					pseudo_start_pluto = 1;
					dic->kernel_info.flag=IPSEC_PRINT_INTERFACE_TEMP;

				    dic->kernel_info.spi = (u32)chartoint(optarg,strlen(optarg));
					if((int)dic->kernel_info.spi < 0)
					{
						fprintf(stderr,"%s IS ERROR INPUT(For Example:0x123...)\n",optarg);
						pfree(dic);
						return 0;
					}
				    continue;
					
				case 'P':
					pseudo_start_pluto = 1;
					dic->kernel_info.flag=IPSEC_PRINT_INTERFACE_TEMP;
					if(ttoaddr(optarg, 0, AF_INET, &dst_tmp))
					{
					    fprintf(stderr,"you must input right IP\n");
						pfree(dic);
						return 0;					    
					}
					else{
						dic->kernel_info.dsc.a4 = dst_tmp.u.v4.sin_addr.s_addr;
					    continue;
					}
				case 'R':
					pseudo_start_pluto = 1;
					dic->kernel_info.flag=IPSEC_PRINT_INTERFACE_TEMP;
					if(ttosubnet(optarg, 0, AF_INET, &subnet_tmp))
					{
					    fprintf(stderr,"you must input right subnet\n");
						pfree(dic);
						return 0;					    
					}
					else{
					    dic->kernel_info.net.a4 = subnet_tmp.addr.u.v4.sin_addr.s_addr;
					    continue;
					}

				case 'Q':	
					pseudo_start_pluto = 1;
					dic->kernel_info.flag=IPSEC_PRINT_INTERFACE_TEMP;
					dic->kernel_info.connid = atoi(optarg);
					continue;

				case 'V':
		        {
					restore_vrf_pluto = 1;
			    }		
				continue;
				
				default:
					if (c >= DBG_OFFSET)
					{
                        dic->public_info.public_info_flag=1;
						dic->public_info.public_info_value |= c - DBG_OFFSET;						
					}
					continue;
				bad_case(c);
			}
			break;

		}
		/**
		if(restore_vrf_pluto)
   	    {
   		   ipsec_restore_vrf_pluto();	   
   	    }
   	    **/
   		ipsec_restore_vrf_pluto();

	{
		u32 err;
		conplat_syscall(MODULEID_OSBASIC, OSBASIC_GET_VRF_ID, &g_ipsec_vrf_id, sizeof(g_ipsec_vrf_id), (s32*)(&err));	
		if(err != 0)
		{
			g_ipsec_vrf_id = 0;
		}

		sprintf(pluto_lock + strlen(pluto_lock), "_%d", g_ipsec_vrf_id);
		sprintf(ctl_addr.sun_path+ strlen(ctl_addr.sun_path), "_%d", g_ipsec_vrf_id);	
		sprintf(ws_ctl_addr.sun_path+ strlen(ws_ctl_addr.sun_path), "_%d", g_ipsec_vrf_id);			
	}

		switch(dic->com_type)
		{
			case IPSEC_DEBUG_STAR_HANDLE:
				if(dic->public_info.public_info_flag)
				{
					cur_debugging = dic->public_info.public_info_value;
				}

				if(dic->public_info.log_falg)
				{				    
					g_log_level = dic->public_info.log_level_info;					
				}
				break;

			case IPSEC_DEBUG_USER_HANDLE:
				send_connection_debug(dic, IPSEC_DEBUG_USER_HANDLE);
				pfree(dic);
				return 0;

			case IPSEC_DEBUG_KERNEL_HANDLE:
				if(pseudo_start_pluto == 1)
				{
					u32 syscall_result = 0;
					if((dic->kernel_info.flag==IPSEC_PRINT_INTERFACE_TEMP)&&(0 == dic->kernel_info.ifindex))
					{
						fprintf(stderr,"you must input the if name\n");
						pfree(dic);
						return 0;
					}
					
					conplat_syscall(MODULEID_IPSEC_POLICY, IPSEC_MODULE_DEBUG_PART, (void *)(&dic->kernel_info), sizeof(struct ipsec_user_debug_info), (s32 *)(&syscall_result));

					if(g_ipsec_device_is_dpx)
					{
						(u32)conplat_syscall(FW_MODULEID_IPSEC | FW_BOARD, IPSEC_MODULE_DEBUG_PART, (void *)(&dic->kernel_info), sizeof(struct ipsec_user_debug_info), (s32 *)(&syscall_result));
					}

				}
				else
				{
					fprintf(stderr,"after --kernel ,you must input the right command\n");
				}
				pfree(dic);
				return 0;
             case IPSEC_DEBUG_QUIT_HANDLE:
                send_connection_debug(dic, IPSEC_DEBUG_QUIT_HANDLE);
                pfree(dic);
                return 0;
			default:
				fprintf(stderr,"you must input --start --quit --user or --kernel\n");
				exit(0);
		}
		pfree(dic);
	}
	
	if (optind != argc)
	{
		usage("unexpected argument");
	}


	//如果你想再重启设备后默认打开调试开关
#if 0
	cur_debugging = DBG_ALL;
#endif

	lockfd = create_lock();
		

    g_log_level |= ws_get_log_level(); //获得显示级别

    g_ipsec_multiout = ws_get_multiOut(); //获取多接口转发标志位

	if(g_ipsec_multiout)
	{
	    int res;
	    conplat_syscall(MODULEID_IPSEC_POLICY, IPSEC_MODULE_MULTI_OUT, &(g_ipsec_multiout), sizeof(g_ipsec_multiout), &res);
	}

	ipsec_restore_tunnel_ipsec();

	ipsec_init_lv2_switch();
	ipsec_init_route_mode();
	ipsec_init_user_syn();
	ipsec_init_compress_enable();
	
	ipsec_init_udp_checksum_switch();

	ipsec_init_cookie();

	ipsec_esp_alg_init();
	
	init_vendorid();
	//daemon之前销毁缓冲池中的数据库句柄,使用make_daemon不用加此函数
	sqlite3_clear_buffer_ex();  
	{
		{
			pid_t pid = fork();

			if (pid < 0)
			{
				int e = errno;
				fprintf(stderr, "pluto: fork failed (%d %s)\n",errno, strerror(e));
				exit_pluto(1);
			}

			if (pid != 0)
			{
				/* parent: die, after filling PID into lock file.
				* must not use exit_pluto: lock would be removed!
				*/
				exit(fill_lock(lockfd, pid)? 0 : 1);
			}
		}

		if (setsid() < 0)
		{
			int e = errno;
			fprintf(stderr, "setsid() failed in main(). Errno %d: %s\n",errno, strerror(e));
			exit_pluto(1);	
		}
	}

	/** Close everything but  and (if needed) stderr.
	* There is some danger that a library that we don't know
	* about is using some fd that we don't know about.
	* I guess we'll soon find out.
	*/
	{
		int i;

		for (i = getdtablesize() - 1; i >= 0; i--)  /* Bad hack */
		{
			close(i);
		}

		/* make sure that stdin, stdout, stderr are reserved */
		if (open("/dev/null", O_RDONLY) != 0)
		{
			IPSEC_abort();
		}

		if (dup2(0, 1) != 1)
		{
			IPSEC_abort();
		}
	}
	init_constants();	

	init_pluto_vendorid();
	ipsec_version_code();

    ipsec_get_slot_bit();   // 需要放在ipsec_template_delete_all 前面
    
    ipsec_template_delete_all();    
    
    ipsec_enable_flag(1);
	ipsec_init_nat_traversal();

	init_rnd_pool();

	init_states();
	init_connections();//添加到elist链中phase2 pending timer
	init_crypto();
	ipsec_drv_rsa_para_init();   //初始化使用硬件模幂运算时的固定参数
	load_oswcrypto();
	init_demux();

	/* loading X.509 CA certificates */
	load_authcerts("CA cert", "/config/sys/certificate/cacerts", AUTH_CA);
	/* loading X.509 CRLs */
	load_crls();   
    
	fflush(stderr);
	fflush(stdout);
	
	IPSEC_dbg("listening for IKE messages");	

    init_ws_ctl_socket(); 
    
    /*初始化dpdns守护进程*/
    ipsec_dpdns_init_helper();   

    /*读取DPVPN相关配置并初始化*/
    //ipsec_dpvpn_init_cfg();

    /*该操作放在操作数据库之后的主进程处理不能再数据操作*/
	sqlite3_clear_buffer_ex();      
	/*初始化子进程*/
	ipsec_child_init_helpers();  	

	ipsec_main_call_server();

	return -1;	/* Shouldn't ever reach this */
}
Beispiel #8
0
/*
 * initialize a helper.
 */
static void init_crypto_helper(struct pluto_crypto_worker *w, int n)
{
    int fds[2];
#ifndef HAVE_LIBNSS
    int errno2;
#endif

    /* reset this */
    w->pcw_pid = -1;

    if(socketpair(PF_UNIX, SOCK_STREAM, 0, fds) != 0) {
	loglog(RC_LOG_SERIOUS, "could not create socketpair for helpers: %s",
	       strerror(errno));
	return;
    }

    w->pcw_helpernum = n;
    w->pcw_pipe = fds[0];
#ifdef HAVE_LIBNSS
    w->pcw_helper_pipe = fds[1];
#endif
    w->pcw_maxbasicwork  = 2;
    w->pcw_maxcritwork   = 4;
    w->pcw_work     = 0;
    w->pcw_reaped = FALSE;
    w->pcw_dead   = FALSE;
    TAILQ_INIT(&w->pcw_active);

    /* set the send/received queue length to be at least maxcritwork
     * times sizeof(pluto_crypto_req) in size
     */
    {
	int qlen = w->pcw_maxcritwork * sizeof(struct pluto_crypto_req) + 10;

	if(setsockopt(fds[0], SOL_SOCKET, SO_SNDBUF,&qlen, sizeof(qlen))==-1
	   || setsockopt(fds[0],SOL_SOCKET,SO_SNDBUF,&qlen,sizeof(qlen))==-1
	   || setsockopt(fds[1],SOL_SOCKET,SO_RCVBUF,&qlen,sizeof(qlen))==-1
	   || setsockopt(fds[1],SOL_SOCKET,SO_RCVBUF,&qlen,sizeof(qlen))==-1) {
	    loglog(RC_LOG_SERIOUS, "could not set socket queue to %d", qlen);
	    return;
	}
    }

    /* flush various descriptors so that they don't get written twice */
#ifndef HAVE_LIBNSS
    fflush(stdout);
    fflush(stderr);
    close_log();
    close_peerlog();
#endif

    /* set local so that child inheirits it */
    pc_helper_num = n;

#ifdef HAVE_LIBNSS
    int thread_status;

    thread_status = pthread_create((pthread_t*)&w->pcw_pid, NULL, pluto_helper_thread, (void*)w);
    if(thread_status!=0) {
	loglog(RC_LOG_SERIOUS, "failed to start child, error = %d" , thread_status);
	w->pcw_pid= -1;
	close(fds[1]);
	close(fds[0]);
	w->pcw_dead   = TRUE;
	return;
    }
    else{
	openswan_log("started helper (thread) pid=%ld (fd:%d)", w->pcw_pid,  w->pcw_pipe);
    }
#else
    w->pcw_pid = fork();
    errno2 = errno;
    if(w->pcw_pid == 0) {

	/* this is the CHILD */
	int fd;
	int maxfd;
	struct rlimit nf;
	int i, arg_len = 0;

	/* diddle with our proc title */
	memset(global_argv[0], '\0', strlen(global_argv[0])+1);
	arg_len += strlen(global_argv[0]);
	for(i = 1; i < global_argc; i++) {
	    if(global_argv[i]) {
		int l = strlen(global_argv[i]);
		memset(global_argv[i], '\0', l);
		arg_len += l;
	    }
	    global_argv[i]=NULL;
	}
	snprintf(global_argv[0], arg_len, "pluto helper %s #%3d "
			, pluto_ifn_inst, n);

	if(getenv("PLUTO_CRYPTO_HELPER_DEBUG")) {
	    snprintf(global_argv[0], arg_len,
	    	    "pluto helper %s #%3d (waiting for GDB) ",
		    pluto_ifn_inst, n);
	    sleep(60); /* for debugger to attach */
	    sprintf(global_argv[0], "pluto helper %s #%3d                   "
		    , pluto_ifn_inst, n);
	}

	if(getrlimit(RLIMIT_NOFILE, &nf) == -1) {
	    maxfd = 256;
	} else {
	    maxfd = nf.rlim_max;
	}

	/* in child process, close all non-essential fds */
	for(fd = 3; fd < maxfd; fd++) {
	    if(fd != fds[1]) close(fd);
	}

	pluto_init_log();


	init_rnd_pool();
	load_oswcrypto();
	free_preshared_secrets();
#ifdef DEBUG
	openswan_passert_fail = helper_passert_fail;
	debug_prefix='!';
#endif

	pluto_crypto_helper(fds[1], n);

	exit(0);
	/* NOTREACHED */
    }

    /* open the log files again */
    pluto_init_log();

    if(w->pcw_pid == -1) {
	loglog(RC_LOG_SERIOUS, "failed to start child, error = %s"
	       , strerror(errno2));
	close(fds[1]);
	close(fds[0]);
	w->pcw_dead   = TRUE;
	return;
    }

    /* PARENT */
    openswan_log("started helper pid=%d (fd:%d)", w->pcw_pid,  w->pcw_pipe);

    /* close client side of socket pair in parent */
    close(fds[1]);
#endif
}
Beispiel #9
0
main(int argc, char *argv[])
{
    int   len;
    char *infile;
    char *conn_name;
    char *pcap1in;
    char *pcap2in;
    char *pcap_out;
    int  lineno=0;
    int regression;
    struct connection *c1;
    struct state *st;

    EF_PROTECT_FREE=1;

    progname = argv[0];
    leak_detective = 1;

    /* skip argv0 */
    argc--; argv++;

    if(strcmp(argv[0], "-r")==0) {
        regression = 1;
        argc--; argv++;
    }

    if(argc != 5) {
	fprintf(stderr, "Usage: %s <whackrecord> <conn-name> <pcapin1> <pcapin2> <pcapout>\n", progname);
	exit(10);
    }

    tool_init_log();
    init_crypto();
    load_oswcrypto();
    init_fake_vendorid();
    init_jamesjohnson_interface();
    init_seam_kernelalgs();

    infile = argv[0];
    conn_name = argv[1];
    pcap1in   = argv[2];
    pcap2in   = argv[3];
    pcap_out  = argv[4];

    cur_debugging = DBG_CONTROL|DBG_CONTROLMORE;
    if(readwhackmsg(infile) == 0) exit(10);
    c1 = con_by_name(conn_name, TRUE);
    assert(c1 != NULL);

    assert(orient(c1, 500));
    show_one_connection(c1);

    /* omit the R1 reply */
    send_packet_setup_pcap("/dev/null");

    /* setup to process the I1 packet */
    recv_pcap_setup(pcap1in);

    /* process first I1 packet */
    cur_debugging = DBG_EMITTING|DBG_CONTROL|DBG_CONTROLMORE;
    pcap_dispatch(pt, 1, recv_pcap_packet, NULL);

    /* set up output file */
    send_packet_setup_pcap(pcap_out);
    pcap_close(pt);

    /* now process the I2 packet */
    recv_pcap_setup(pcap2in);

    cur_debugging = DBG_EMITTING|DBG_CONTROL|DBG_CONTROLMORE;
    pcap_dispatch(pt, 1, recv_pcap_packet2, NULL);

    /* clean up so that we can see any leaks */
    st = state_with_serialno(1);
    if(st!=NULL) {
        free_state(st);
    }

    report_leaks();

    tool_close_log();
    exit(0);
}
Beispiel #10
0
main(int argc, char *argv[])
{
    int i;
    chunk_t blob, crl_uri;
    err_t e;
    cert_t cacert,t1;
    time_t until;

    /* sadly, this is actually too late */
    EF_DISABLE_BANNER = 1;
    progname = argv[0];
    leak_detective=1;

    tool_init_log();
    load_oswcrypto();

    set_debugging(DBG_X509|DBG_PARSING|DBG_CONTROL);
    until =1421896274;
    set_fake_x509_time(until);  /* Wed Jan 21 22:11:14 2015 */

#ifdef HAVE_LIBNSS
    {
	SECStatus nss_init_status= NSS_InitReadWrite("nss.d");
	if (nss_init_status != SECSuccess) {
	    fprintf(stderr, "NSS initialization failed (err %d)\n", PR_GetError());
            exit(10);
	} else {
	    printf("NSS Initialized\n");
	    PK11_SetPasswordFunc(getNSSPassword);
        }
    }
#endif

    if(argc < 3) {
        fprintf(stderr, "Usage: nsscert CAcertfile.pem cert1.pem cert2.pem...\n");
        exit(5);
    }

    /* skip argv0 */
    argc--;
    argv++;

    /* load CAcert */
    if(!load_cert(CERT_NONE, argv[0], TRUE, "cacert", &cacert)) {
        printf("could not load CA cert file: %s\n", argv[0]);
        exit(1);
    }
    add_authcert(cacert.u.x509, AUTH_CA);

    argc--;
    argv++;

    while(argc-- > 0) {
        char *file = *argv++;
        /* load target cert */
        if(!load_cert(CERT_NONE, file, TRUE, "test1", &t1)) {
            printf("could not load cert file: %s\n", file);
            exit(1);
        }


        until += 86400;
        if(verify_x509cert(t1.u.x509, FALSE, &until) == FALSE) {
            printf("verify x509 failed\n");
            exit(3);
        }
        printf("cert: %s is valid\n", file);
        free_x509cert(t1.u.x509);
    }
    free_x509cert(cacert.u.x509);

    report_leaks();
    tool_close_log();
    exit(0);
}
Beispiel #11
0
main(int argc, char *argv[])
{
    int   len;
    char *infile;
    char *conn_name;
    int  lineno=0;
    int  regression = 0;
    struct connection *c1;
    struct state *st;

    EF_PROTECT_FREE=1;

    progname = argv[0];
    leak_detective = 1;

    if(argc != 4 && argc != 5) {
	fprintf(stderr, "Usage: %s [-r] <whackrecord> <conn-name> <pcapfile>\n", progname);
	exit(10);
    }
    /* skip argv0 */
    argc--; argv++;

    if(strcmp(argv[0], "-r")==0) {
        regression = 1;
        argc--; argv++;
    }

    tool_init_log();
    load_oswcrypto();
    init_fake_vendorid();
    init_parker_interface();

    infile = argv[0];
    conn_name = argv[1];

    cur_debugging = DBG_CONTROL|DBG_CONTROLMORE;
    if(readwhackmsg(infile) == 0) exit(10);

    /* input packets */
    recv_pcap_setup(argv[2]);

    /* output packets */
    send_packet_setup_pcap("OUTPUT/parentI2.pcap");

    c1 = con_by_name(conn_name, TRUE);
    assert(c1 != NULL);

    assert(orient(c1, 500));
    show_one_connection(c1);

    st = sendI1(c1, DBG_CONTROL, regression == 0);

    /* now accept the reply packet */
    cur_debugging = DBG_CONTROL|DBG_PARSING;
    pcap_dispatch(pt, 1, recv_pcap_packet, NULL);

    st = state_with_serialno(1);
    if(st!=NULL) {
        delete_state(st);
        free_state(st);
    }

    report_leaks();

    tool_close_log();
    exit(0);
}