main(int argc, char *argv[])
{
int len;
err_t err = NULL;
char *infile;
char *conn_name;
int lineno=0;
struct starter_config *cfg = NULL;
struct starter_conn *conn = NULL;
//EF_PROTECT_FREE=1;
progname = argv[0];
leak_detective = 1;
if(argc < 4) {
fprintf(stderr, "Usage: %s <cfgrootdir> <cfgfile> <conn-name>.. \n", progname);
exit(10);
}
/* argv[1] == "-r" */
tool_init_log();
//init_fake_vendorid();
rootdir[0]='\0';
strlcat(rootdir, argv[1], sizeof(rootdir));
starter_use_log(1, 1, 1);
cfg = confread_load(argv[2], &err, FALSE, NULL,FALSE);
argv+=3;
argc-=3;
/* load all conns marked as auto=add or better */
for(conn = cfg->conns.tqh_first;
conn != NULL;
conn = conn->link.tqe_next)
{
for(; argc>0; argc--, argv++) {
conn_name = *argv;
printf("processing conn: %s\n", conn_name);
if(strcasecmp(conn->name, conn_name)==0) {
struct whack_message msg1;
if(starter_whack_build_basic_conn(cfg, &msg1, conn)==0) {
add_connection(&msg1);
}
}
}
}
confread_free(cfg);
report_leaks();
tool_close_log();
exit(0);
}
int main(int argc, char **argv)
{
#if 0
NSS_NoDB_Init(".");
if (!test_aes_cbc(&algo_aes_cbc)) {
printf("aes-cbc failed\n");
}
if (!test_camellia_cbc(&algo_camellia_cbc)) {
printf("camellia-cbc failed\n");
}
if (!test_aes_ctr(&algo_aes_ctr)) {
printf("aes-ctr failed\n");
}
exit(0);
#endif
int lockfd;
/*
* We read the intentions for how to log from command line options
* and the config file. Then we prepare to be able to log, but until
* then log to stderr (better then nothing). Once we are ready to
* actually do loggin according to the methods desired, we set the
* variables for those methods
*/
bool log_to_stderr_desired = FALSE;
bool log_to_file_desired = FALSE;
{
int i;
/* MUST BE BEFORE ANY allocs */
for (i = 1; i < argc; ++i) {
if (streq(argv[i], "--leak-detective"))
leak_detective = TRUE;
}
}
pluto_name = argv[0];
coredir = clone_str("/var/run/pluto", "coredir in main()");
pluto_vendorid = clone_str(ipsec_version_vendorid(), "vendorid in main()");
unsigned int keep_alive = 0;
/* Overridden by virtual_private= in ipsec.conf */
char *virtual_private = NULL;
libreswan_passert_fail = passert_fail;
/* handle arguments */
for (;; ) {
/*
* Note: we don't like the way short options get parsed
* by getopt_long, so we simply pass an empty string as
* the list. It could be "hvdenp:l:s:" "NARXPECK".
*/
int longindex = -1;
int c = getopt_long(argc, argv, "", long_opts, &longindex);
const char *optname = NULL;
err_t ugh = NULL; /* complaint from case */
unsigned long u = 0; /* scratch for case */
if (longindex != -1) {
const char *optmeta;
optname = long_opts[longindex].name;
optmeta = optname + strlen(optname) + 1; /* after '\0' */
switch (optmeta[0]) {
case '_':
libreswan_log("warning: option \"--%s\" with '_' in its name is obsolete; use '-'",
optname);
break;
case '>':
libreswan_log("warning: option \"--%s\" is obsolete; use \"--%s\"",
optname, optmeta + 1);
break;
case '!':
libreswan_log("warning: option \"--%s\" is obsolete; ignored",
optname);
continue; /* ignore it! */
}
}
/* Note: "breaking" from case terminates loop */
switch (c) {
case EOF: /* end of flags */
break;
case 0:
/*
* Long option already handled by getopt_long.
* Not currently used since we always set flag to NULL.
*/
continue;
case ':': /* diagnostic already printed by getopt_long */
case '?': /* diagnostic already printed by getopt_long */
invocation_fail(NULL);
break;
case 'h': /* --help */
usage();
break; /* not actually reached */
case 'X': /* --leak-detective */
/*
* This flag was already processed at the start of main()
* because leak_detective must be immutable from before
* the first alloc().
* If this option is specified, we must have already
* set it at the start of main(), so assert it.
*/
passert(leak_detective);
continue;
case 'C': /* --coredir */
pfree(coredir);
coredir = clone_str(optarg, "coredir via getopt");
continue;
case 'V': /* --vendorid */
pfree(pluto_vendorid);
coredir = clone_str(optarg, "pluto_vendorid via getopt");
continue;
case 'S': /* --statsdir */
pfreeany(pluto_stats_binary);
pluto_stats_binary = clone_str(optarg, "statsbin");
continue;
case 'v': /* --version */
printf("%s%s\n", ipsec_version_string(),
compile_time_interop_options);
/* not exit_pluto because we are not initialized yet */
exit(0);
break; /* not actually reached */
case 'j': /* --nhelpers */
if (streq(optarg, "-1")) {
nhelpers = -1;
} else {
ugh = ttoulb(optarg, 0, 10, 1000, &u);
if (ugh != NULL)
break;
nhelpers = u;
}
continue;
case 'c': /* --seedbits */
pluto_nss_seedbits = atoi(optarg);
if (pluto_nss_seedbits == 0) {
printf("pluto: seedbits must be an integer > 0");
/* not exit_pluto because we are not initialized yet */
exit(PLUTO_EXIT_NSS_FAIL);
}
continue;
#ifdef HAVE_LABELED_IPSEC
case 'w': /* --secctx-attr-type */
ugh = ttoulb(optarg, 0, 0, 0xFFFF, &u);
if (ugh != NULL)
break;
if (u != SECCTX && u != ECN_TUNNEL_or_old_SECCTX) {
ugh = "must be a positive 32001 (default) or 10 (for backward compatibility)";
break;
}
secctx_attr_type = u;
continue;
#endif
case 'd': /* --nofork*/
fork_desired = FALSE;
continue;
case 'e': /* --stderrlog */
log_to_stderr_desired = TRUE;
continue;
case 'g': /* --logfile */
pluto_log_file = optarg;
log_to_file_desired = TRUE;
continue;
case 't': /* --log-no-time */
log_with_timestamp = FALSE;
continue;
case '7': /* --log-no-append */
log_append = FALSE;
continue;
case '8': /* --drop-oppo-null */
pluto_drop_oppo_null = TRUE;
continue;
case '9': /* --expire-bare-shunt <interval> */
ugh = ttoulb(optarg, 0, 10, 1000, &u);
if (ugh != NULL)
break;
bare_shunt_interval = u;
continue;
case 'k': /* --use-klips */
kern_interface = USE_KLIPS;
continue;
case 'L': /* --listen ip_addr */
{
ip_address lip;
err_t e = ttoaddr(optarg, 0, AF_UNSPEC, &lip);
if (e != NULL) {
/*
*??? should we continue on failure?
* If not, use ugh mechanism.
*/
libreswan_log(
"invalid listen argument ignored: %s\n",
e);
} else {
pluto_listen =
clone_str(optarg, "pluto_listen");
libreswan_log(
"bind() will be filtered for %s\n",
pluto_listen);
}
}
continue;
case 'M': /* --use-mast */
kern_interface = USE_MASTKLIPS;
continue;
case 'F': /* --use-bsdkame */
kern_interface = USE_BSDKAME;
continue;
case 'K': /* --use-netkey */
kern_interface = USE_NETKEY;
continue;
case 'n': /* --use-nostack */
kern_interface = NO_KERNEL;
continue;
case 'D': /* --force-busy */
pluto_ddos_mode = DDOS_FORCE_BUSY;
continue;
case 'U': /* --force-unlimited */
pluto_ddos_mode = DDOS_FORCE_UNLIMITED;
continue;
case 'Z': /* --curl-iface */
curl_iface = optarg;
continue;
case 'I': /* --curl-timeout */
ugh = ttoulb(optarg, 0, 10, 0xFFFF, &u);
if (ugh != NULL)
break;
if (u <= 0) {
ugh = "must not be < 1";
break;
}
curl_timeout = u;
continue;
case 'r': /* --strictcrlpolicy */
strict_crl_policy = TRUE;
continue;
case 'o':
strict_ocsp_policy = TRUE;
continue;
case 'O':
ocsp_enable = TRUE;
continue;
case 'Y':
ocsp_default_uri = optarg;
continue;
case 'J':
ocsp_trust_name = optarg;
continue;
case 'T': /* --ocsp_timeout <seconds> */
ugh = ttoulb(optarg, 0, 10, 0xFFFF, &u);
if (ugh != NULL)
break;
if (u == 0) {
ugh = "must not be 0";
break;
}
ocsp_timeout = u;
continue;
case 'x': /* --crlcheckinterval <seconds> */
ugh = ttoulb(optarg, 0, 10, TIME_T_MAX, &u);
if (ugh != NULL)
break;
crl_check_interval = deltatime(u);
continue;
case 'u': /* --uniqueids */
uniqueIDs = TRUE;
continue;
case 'i': /* --interface <ifname|ifaddr> */
if (!use_interface(optarg)) {
ugh = "too many --interface specifications";
break;
}
continue;
/*
* This option does not really work, as this is the "left"
* site only, you also need --to --ikeport again later on
* It will result in: yourport -> 500, still not bypassing
* filters
*/
case 'p': /* --ikeport <portnumber> */
ugh = ttoulb(optarg, 0, 10, 0xFFFF, &u);
if (ugh != NULL)
break;
if (u == 0) {
ugh = "must not be 0";
break;
}
pluto_port = u;
continue;
case 'q': /* --natikeport <portnumber> */
ugh = ttoulb(optarg, 0, 10, 0xFFFF, &u);
if (ugh != NULL)
break;
if (u == 0) {
ugh = "must not be 0";
break;
}
pluto_nat_port = u;
continue;
case 'b': /* --ctlbase <path> */
/*
* ??? work to be done here:
*
* snprintf returns the required space if there
* isn't enough, not -1.
* -1 indicates another kind of error.
*
* This appears to be the only place where the
* ctlbase value is used yet it is set elsewhere.
* (This isn't clear -- it may be OK.)
*/
ctlbase = optarg;
if (snprintf(ctl_addr.sun_path,
sizeof(ctl_addr.sun_path),
"%s%s", ctlbase, CTL_SUFFIX) == -1) {
ugh = "<path>" CTL_SUFFIX " too long for sun_path";
break;
}
if (snprintf(info_addr.sun_path,
sizeof(info_addr.sun_path),
"%s%s", ctlbase, INFO_SUFFIX) == -1) {
ugh = "<path>" INFO_SUFFIX " too long for sun_path";
break;
}
if (snprintf(pluto_lock, sizeof(pluto_lock),
"%s%s", ctlbase, LOCK_SUFFIX) == -1) {
ugh = "<path>" LOCK_SUFFIX " must fit";
break;
}
continue;
case 's': /* --secretsfile <secrets-file> */
lsw_conf_secretsfile(optarg);
continue;
case 'f': /* --ipsecdir <ipsec-dir> */
lsw_init_ipsecdir(optarg);
continue;
case 'N': /* --debug-none */
base_debugging = DBG_NONE;
continue;
case 'A': /* --debug-all */
base_debugging = DBG_ALL;
continue;
case 'P': /* --perpeerlogbase */
base_perpeer_logdir = optarg;
continue;
case 'l': /* --perpeerlog */
log_to_perpeer = TRUE;
continue;
case '2': /* --keep-alive <delay_secs> */
ugh = ttoulb(optarg, 0, 10, secs_per_day, &u);
if (ugh != NULL)
break;
keep_alive = u;
continue;
case '5': /* --debug-nat-t */
base_debugging |= DBG_NATT;
continue;
case '6': /* --virtual-private */
virtual_private = optarg;
continue;
case 'z': /* --config */
{
/*
* Config struct to variables mapper. This will
* overwrite all previously set options. Keep this
* in the same order as long_opts[] is.
*/
struct starter_config *cfg = read_cfg_file(optarg);
/* leak */
set_cfg_string(&pluto_log_file,
cfg->setup.strings[KSF_PLUTOSTDERRLOG]);
if (pluto_log_file != NULL)
log_to_syslog = FALSE;
/* plutofork= no longer supported via config file */
log_with_timestamp =
cfg->setup.options[KBF_PLUTOSTDERRLOGTIME];
log_append = cfg->setup.options[KBF_PLUTOSTDERRLOGAPPEND];
pluto_drop_oppo_null = cfg->setup.options[KBF_DROP_OPPO_NULL];
pluto_ddos_mode = cfg->setup.options[KBF_DDOS_MODE];
if (cfg->setup.options[KBF_FORCEBUSY]) {
/* force-busy is obsoleted, translate to ddos-mode= */
pluto_ddos_mode = cfg->setup.options[KBF_DDOS_MODE] = DDOS_FORCE_BUSY;
}
/* ddos-ike-threshold and max-halfopen-ike */
pluto_ddos_threshold = cfg->setup.options[KBF_DDOS_IKE_THRESHOLD];
pluto_max_halfopen = cfg->setup.options[KBF_MAX_HALFOPEN_IKE];
strict_crl_policy =
cfg->setup.options[KBF_STRICTCRLPOLICY];
pluto_shunt_lifetime = deltatime(cfg->setup.options[KBF_SHUNTLIFETIME]);
strict_ocsp_policy =
cfg->setup.options[KBF_STRICTOCSPPOLICY];
ocsp_enable = cfg->setup.options[KBF_OCSPENABLE];
set_cfg_string(&ocsp_default_uri,
cfg->setup.strings[KSF_OCSPURI]);
ocsp_timeout = cfg->setup.options[KBF_OCSPTIMEOUT];
set_cfg_string(&ocsp_trust_name,
cfg->setup.strings[KSF_OCSPTRUSTNAME]);
crl_check_interval = deltatime(
cfg->setup.options[KBF_CRLCHECKINTERVAL]);
uniqueIDs = cfg->setup.options[KBF_UNIQUEIDS];
/*
* We don't check interfaces= here because that part
* has been dealt with in _stackmanager before we
* started
*/
set_cfg_string(&pluto_listen,
cfg->setup.strings[KSF_LISTEN]);
/* --ikeport */
pluto_port = cfg->setup.options[KBF_IKEPORT];
/* --nflog-all */
/* only causes nflog nmber to show in ipsec status */
pluto_nflog_group = cfg->setup.options[KBF_NFLOG_ALL];
/* only causes nflog nmber to show in ipsec status */
pluto_xfrmlifetime = cfg->setup.options[KBF_XFRMLIFETIME];
/* no config option: ctlbase */
/* --secrets */
if (cfg->setup.strings[KSF_SECRETSFILE] &&
*cfg->setup.strings[KSF_SECRETSFILE]) {
lsw_conf_secretsfile(cfg->setup.strings[KSF_SECRETSFILE]);
}
if (cfg->setup.strings[KSF_IPSECDIR] != NULL &&
*cfg->setup.strings[KSF_IPSECDIR] != 0) {
/* --ipsecdir */
lsw_init_ipsecdir(cfg->setup.strings[KSF_IPSECDIR]);
}
/* --perpeerlog */
log_to_perpeer = cfg->setup.options[KBF_PERPEERLOG];
if (log_to_perpeer) {
/* --perpeerlogbase */
if (cfg->setup.strings[KSF_PERPEERDIR]) {
set_cfg_string(&base_perpeer_logdir,
cfg->setup.strings[KSF_PERPEERDIR]);
} else {
base_perpeer_logdir = clone_str("/var/log/pluto/", "perpeer_logdir");
}
}
if (cfg->setup.strings[KSF_CURLIFACE]) {
pfreeany(curl_iface);
/* curl-iface= */
curl_iface = clone_str(cfg->setup.strings[KSF_CURLIFACE],
"curl-iface= via --config");
}
if (cfg->setup.options[KBF_CURLTIMEOUT])
curl_timeout = cfg->setup.options[KBF_CURLTIMEOUT];
if (cfg->setup.strings[KSF_DUMPDIR]) {
pfree(coredir);
/* dumpdir= */
coredir = clone_str(cfg->setup.strings[KSF_DUMPDIR],
"coredir via --config");
}
/* --vendorid */
if (cfg->setup.strings[KSF_MYVENDORID]) {
pfree(pluto_vendorid);
pluto_vendorid = clone_str(cfg->setup.strings[KSF_MYVENDORID],
"pluto_vendorid via --config");
}
/* no config option: pluto_adns_option */
if (cfg->setup.strings[KSF_STATSBINARY] != NULL) {
if (access(cfg->setup.strings[KSF_STATSBINARY], X_OK) == 0) {
pfreeany(pluto_stats_binary);
/* statsbin= */
pluto_stats_binary = clone_str(cfg->setup.strings[KSF_STATSBINARY], "statsbin via --config");
libreswan_log("statsbinary set to %s", pluto_stats_binary);
} else {
libreswan_log("statsbinary= '%s' ignored - file does not exist or is not executable",
pluto_stats_binary);
}
}
pluto_nss_seedbits = cfg->setup.options[KBF_SEEDBITS];
pluto_nat_port =
cfg->setup.options[KBF_NATIKEPORT];
keep_alive = cfg->setup.options[KBF_KEEPALIVE];
set_cfg_string(&virtual_private,
cfg->setup.strings[KSF_VIRTUALPRIVATE]);
nhelpers = cfg->setup.options[KBF_NHELPERS];
#ifdef HAVE_LABELED_IPSEC
secctx_attr_type = cfg->setup.options[KBF_SECCTX];
#endif
base_debugging = cfg->setup.options[KBF_PLUTODEBUG];
char *protostack = cfg->setup.strings[KSF_PROTOSTACK];
if (protostack == NULL || *protostack == '\0') {
kern_interface = USE_NETKEY;
} else if (streq(protostack, "none")) {
kern_interface = NO_KERNEL;
} else if (streq(protostack, "auto")) {
libreswan_log(
"The option protostack=auto is obsoleted, falling back to protostack=netkey\n");
kern_interface = USE_NETKEY;
} else if (streq(protostack, "klips")) {
kern_interface = USE_KLIPS;
} else if (streq(protostack, "mast")) {
kern_interface = USE_MASTKLIPS;
} else if (streq(protostack, "netkey") ||
streq(protostack, "native")) {
kern_interface = USE_NETKEY;
} else if (streq(protostack, "bsd") ||
streq(protostack, "kame") ||
streq(protostack, "bsdkame")) {
kern_interface = USE_BSDKAME;
} else if (streq(protostack, "win2k")) {
kern_interface = USE_WIN2K;
}
confread_free(cfg);
continue;
}
default:
if (DBG_OFFSET <= c &&
c < DBG_OFFSET + IMPAIR_roof_IX) {
base_debugging |= LELEM(c - DBG_OFFSET);
continue;
}
bad_case(c);
}
/* if ugh is set, bail with diagnostic */
if (ugh != NULL) {
char mess[200];
if (longindex == -1) {
snprintf(mess, sizeof(mess), "unknown option: %s",
ugh);
} else if (optarg == NULL) {
snprintf(mess, sizeof(mess), "--%s option: %s",
optname, ugh);
} else {
snprintf(mess, sizeof(mess), "--%s \"%s\" option: %s",
optname, optarg, ugh);
}
invocation_fail(mess);
}
break;
}
if (optind != argc)
invocation_fail("unexpected argument");
reset_debugging();
if (chdir(coredir) == -1) {
int e = errno;
libreswan_log("pluto: warning: chdir(\"%s\") to dumpdir failed (%d: %s)",
coredir, e, strerror(e));
}
oco = lsw_init_options();
lockfd = create_lock();
/* select between logging methods */
if (log_to_stderr_desired || log_to_file_desired)
log_to_syslog = FALSE;
if (!log_to_stderr_desired)
log_to_stderr = FALSE;
#if 0
if (kernel_ops->set_debug != NULL)
(*kernel_ops->set_debug)(cur_debugging, DBG_log, DBG_log);
#endif
/*
* create control socket.
* We must create it before the parent process returns so that
* there will be no race condition in using it. The easiest
* place to do this is before the daemon fork.
*/
{
err_t ugh = init_ctl_socket();
if (ugh != NULL) {
fprintf(stderr, "pluto: FATAL: %s", ugh);
exit_pluto(PLUTO_EXIT_SOCKET_FAIL);
}
}
/* If not suppressed, do daemon fork */
if (fork_desired) {
#if USE_DAEMON
if (daemon(TRUE, TRUE) < 0) {
fprintf(stderr, "pluto: FATAL: daemon failed (%d %s)\n",
errno, strerror(errno));
exit_pluto(PLUTO_EXIT_FORK_FAIL);
}
/*
* Parent just exits, so need to fill in our own PID
* file. This is racy, since the file won't be
* created until after the parent has exited.
*
* Since "ipsec start" invokes pluto with --nofork, it
* is probably safer to leave this feature disabled
* then implement it using the daemon call.
*/
(void) fill_lock(lockfd, getpid());
#elif USE_FORK
{
pid_t pid = fork();
if (pid < 0) {
int e = errno;
fprintf(stderr, "pluto: FATAL: fork failed (%d %s)\n",
errno, strerror(e));
exit_pluto(PLUTO_EXIT_FORK_FAIL);
}
if (pid != 0) {
/*
* parent: die, after filling PID into lock
* file.
* must not use exit_pluto: lock would be
* removed!
*/
exit(fill_lock(lockfd, pid) ? 0 : 1);
}
}
#else
fprintf(stderr, "pluto: FATAL: fork/daemon not supported\n");
exit_pluto(PLUTO_EXIT_FORK_FAIL);
#endif
if (setsid() < 0) {
int e = errno;
fprintf(stderr,
"FATAL: setsid() failed in main(). Errno %d: %s\n",
errno, strerror(e));
exit_pluto(PLUTO_EXIT_FAIL);
}
} else {
/* no daemon fork: we have to fill in lock file */
(void) fill_lock(lockfd, getpid());
if (isatty(fileno(stdout))) {
fprintf(stdout, "Pluto initialized\n");
fflush(stdout);
}
}
/*
* Close everything but ctl_fd and (if needed) stderr.
* There is some danger that a library that we don't know
* about is using some fd that we don't know about.
* I guess we'll soon find out.
*/
{
int i;
for (i = getdtablesize() - 1; i >= 0; i--) /* Bad hack */
if ((!log_to_stderr || i != 2) &&
i != ctl_fd)
close(i);
/* make sure that stdin, stdout, stderr are reserved */
if (open("/dev/null", O_RDONLY) != 0)
lsw_abort();
if (dup2(0, 1) != 1)
lsw_abort();
if (!log_to_stderr && dup2(0, 2) != 2)
lsw_abort();
}
init_constants();
init_pluto_constants();
pluto_init_log();
if (!pluto_init_nss(oco->nssdb)) {
loglog(RC_LOG_SERIOUS, "FATAL: NSS initialization failure");
exit_pluto(PLUTO_EXIT_NSS_FAIL);
}
libreswan_log("NSS crypto library initialized");
if (ocsp_enable) {
if (!init_nss_ocsp(ocsp_default_uri, ocsp_trust_name,
ocsp_timeout,
strict_ocsp_policy)) {
loglog(RC_LOG_SERIOUS, "Initializing NSS OCSP failed");
exit_pluto(PLUTO_EXIT_NSS_FAIL);
} else {
libreswan_log("NSS OCSP Enabled");
}
}
#ifdef HAVE_LIBCAP_NG
/*
* Drop capabilities - this generates a false positive valgrind warning
* See: http://marc.info/?l=linux-security-module&m=125895232029657
*
* We drop these after creating the pluto socket or else we can't
* create a socket if the parent dir is non-root (eg openstack)
*/
capng_clear(CAPNG_SELECT_BOTH);
capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
CAP_NET_BIND_SERVICE, CAP_NET_ADMIN, CAP_NET_RAW,
CAP_IPC_LOCK, CAP_AUDIT_WRITE,
/* for google authenticator pam */
CAP_SETGID, CAP_SETUID,
CAP_DAC_READ_SEARCH,
-1);
/*
* We need to retain some capabilities for our children (updown):
* CAP_NET_ADMIN to change routes
* CAP_NET_RAW for iptables -t mangle
* CAP_DAC_READ_SEARCH for pam / google authenticator
*/
capng_updatev(CAPNG_ADD, CAPNG_BOUNDING_SET, CAP_NET_ADMIN, CAP_NET_RAW,
CAP_DAC_READ_SEARCH, -1);
capng_apply(CAPNG_SELECT_BOTH);
libreswan_log("libcap-ng support [enabled]");
#else
libreswan_log("libcap-ng support [disabled]");
#endif
#ifdef FIPS_CHECK
libreswan_log("FIPS HMAC integrity support [enabled]");
/*
* FIPS mode requires two conditions to be true:
* - FIPS Kernel mode: fips=1 kernel boot parameter
* - FIPS Product mode: See FIPSPRODUCTCHECK in Makefile.inc
* (in RHEL/Fedora, dracut-fips installs $FIPSPRODUCTCHECK)
*
* When FIPS mode, abort on self-check hmac failure. Otherwise, complain
*/
{
if (DBGP(IMPAIR_FORCE_FIPS)) {
libreswan_log("Forcing FIPS checks to true to emulate FIPS mode");
lsw_set_fips_mode(LSW_FIPS_ON);
}
enum lsw_fips_mode pluto_fips_mode = lsw_get_fips_mode();
bool nss_fips_mode = PK11_IsFIPS();
/*
* Now verify the consequences. Always run the tests
* as combinations such as NSS in fips mode but as out
* of it could be bad.
*/
switch (pluto_fips_mode) {
case LSW_FIPS_UNKNOWN:
loglog(RC_LOG_SERIOUS, "ABORT: pluto FIPS mode could not be determined");
exit_pluto(PLUTO_EXIT_FIPS_FAIL);
break;
case LSW_FIPS_ON:
libreswan_log("FIPS mode enabled for pluto daemon");
if (nss_fips_mode) {
libreswan_log("NSS library is running in FIPS mode");
} else {
loglog(RC_LOG_SERIOUS, "ABORT: pluto in FIPS mode but NSS library is not");
exit_pluto(PLUTO_EXIT_FIPS_FAIL);
}
break;
case LSW_FIPS_OFF:
libreswan_log("FIPS mode disabled for pluto daemon");
if (nss_fips_mode) {
loglog(RC_LOG_SERIOUS, "Warning: NSS library is running in FIPS mode");
}
break;
case LSW_FIPS_UNSET:
default:
bad_case(pluto_fips_mode);
}
/* always run hmac check so we can print diagnostic */
bool fips_files = FIPSCHECK_verify_files(fips_package_files);
if (fips_files) {
libreswan_log("FIPS HMAC integrity verification self-test passed");
} else {
loglog(RC_LOG_SERIOUS, "FIPS HMAC integrity verification self-test FAILED");
}
if (pluto_fips_mode == LSW_FIPS_ON && !fips_files) {
exit_pluto(PLUTO_EXIT_FIPS_FAIL);
}
}
#else
libreswan_log("FIPS HMAC integrity support [disabled]");
#endif
#ifdef USE_LINUX_AUDIT
linux_audit_init();
#else
libreswan_log("Linux audit support [disabled]");
#endif
{
const char *vc = ipsec_version_code();
libreswan_log("Starting Pluto (Libreswan Version %s%s) pid:%u",
vc, compile_time_interop_options, getpid());
}
libreswan_log("core dump dir: %s", coredir);
if (oco->secretsfile && *oco->secretsfile)
libreswan_log("secrets file: %s", oco->secretsfile);
libreswan_log(leak_detective ?
"leak-detective enabled" : "leak-detective disabled");
/* Check for SAREF support */
#ifdef KLIPS_MAST
#include <ipsec_saref.h>
{
int e, sk, saref;
saref = 1;
errno = 0;
sk = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
e = setsockopt(sk, IPPROTO_IP, IP_IPSEC_REFINFO, &saref,
sizeof(saref));
if (e == -1 )
libreswan_log("SAref support [disabled]: %s",
strerror(errno));
else
libreswan_log("SAref support [enabled]");
errno = 0;
e = setsockopt(sk, IPPROTO_IP, IP_IPSEC_BINDREF, &saref,
sizeof(saref));
if (e == -1 )
libreswan_log("SAbind support [disabled]: %s",
strerror(errno));
else
libreswan_log("SAbind support [enabled]");
close(sk);
}
#endif
libreswan_log("NSS crypto [enabled]");
#ifdef XAUTH_HAVE_PAM
libreswan_log("XAUTH PAM support [enabled]");
#else
libreswan_log("XAUTH PAM support [disabled]");
#endif
/* Log various impair-* functions if they were enabled */
if (DBGP(IMPAIR_BUST_MI2))
libreswan_log("Warning: IMPAIR_BUST_MI2 enabled");
if (DBGP(IMPAIR_BUST_MR2))
libreswan_log("Warning: IMPAIR_BUST_MR2 enabled");
if (DBGP(IMPAIR_SA_CREATION))
libreswan_log("Warning: IMPAIR_SA_CREATION enabled");
if (DBGP(IMPAIR_JACOB_TWO_TWO))
libreswan_log("Warning: IMPAIR_JACOB_TWO_TWO enabled");
if (DBGP(IMPAIR_DIE_ONINFO))
libreswan_log("Warning: IMPAIR_DIE_ONINFO enabled");
if (DBGP(IMPAIR_MAJOR_VERSION_BUMP))
libreswan_log("Warning: IMPAIR_MAJOR_VERSION_BUMP enabled");
if (DBGP(IMPAIR_MINOR_VERSION_BUMP))
libreswan_log("Warning: IMPAIR_MINOR_VERSION_BUMP enabled");
if (DBGP(IMPAIR_RETRANSMITS))
libreswan_log("Warning: IMPAIR_RETRANSMITS enabled");
if (DBGP(IMPAIR_SEND_BOGUS_ISAKMP_FLAG))
libreswan_log("Warning: IMPAIR_SEND_BOGUS_ISAKMP_FLAG enabled");
if (DBGP(IMPAIR_SEND_BOGUS_PAYLOAD_FLAG))
libreswan_log("Warning: IMPAIR_SEND_BOGUS_PAYLOAD_FLAG enabled");
if (DBGP(IMPAIR_SEND_IKEv2_KE))
libreswan_log("Warning: IMPAIR_SEND_IKEv2_KE enabled");
if (DBGP(IMPAIR_SEND_KEY_SIZE_CHECK))
libreswan_log("Warning: IMPAIR_SEND_KEY_SIZE_CHECK enabled");
if (DBGP(IMPAIR_SEND_NO_DELETE))
libreswan_log("Warning: IMPAIR_SEND_NO_DELETE enabled");
if (DBGP(IMPAIR_FORCE_FIPS))
libreswan_log("Warning: IMPAIR_FORCE_FIPS enabled");
if (DBGP(IMPAIR_SEND_NO_IKEV2_AUTH))
libreswan_log("Warning: IMPAIR_SEND_NO_IKEV2_AUTH enabled");
if (DBGP(IMPAIR_SEND_ZERO_GX))
libreswan_log("Warning: IMPAIR_SEND_ZERO_GX enabled");
if (DBGP(IMPAIR_SEND_BOGUS_DCOOKIE))
libreswan_log("Warning: IMPAIR_SEND_BOGUS_DCOOKIE enabled");
/* Initialize all of the various features */
init_nat_traversal(keep_alive);
init_virtual_ip(virtual_private);
/* obsoleted by nss code init_rnd_pool(); */
init_event_base();
init_secret();
init_states();
init_connections();
init_crypto();
init_crypto_helpers(nhelpers);
init_demux();
init_kernel();
init_id();
init_vendorid();
#if defined(LIBCURL) || defined(LDAP_VER)
init_fetch();
#endif
load_crls();
#ifdef HAVE_LABELED_IPSEC
init_avc();
#endif
daily_log_event();
#ifdef USE_SYSTEMD_WATCHDOG
pluto_sd_init();
#endif
call_server();
return -1; /* Shouldn't ever reach this */
}
int main(int argc, char *argv[])
{
int opt = 0;
int autoall = 0;
int configsetup = 0;
int checkconfig = 0;
char *export = "export"; /* display export before the foo=bar or not */
int listroute = 0, liststart = 0, listignore = 0, listadd = 0,
listall = 0, dolist = 0, liststack = 0;
struct starter_config *cfg = NULL;
err_t err = NULL;
char *confdir = NULL;
char *configfile = NULL;
char *varprefix = "";
int exit_status = 0;
struct starter_conn *conn = NULL;
char *ctlbase = NULL;
bool resolvip = TRUE; /* default to looking up names */
#if 0
/* efence settings */
extern int EF_PROTECT_BELOW;
extern int EF_PROTECT_FREE;
EF_PROTECT_BELOW = 1;
EF_PROTECT_FREE = 1;
#endif
progname = argv[0];
rootdir[0] = '\0';
tool_init_log();
while ((opt = getopt_long(argc, argv, "", longopts, 0)) != EOF) {
switch (opt) {
case 'h':
/* usage: */
usage();
break;
case 'a':
autoall = 1;
break;
case 'D':
verbose++;
lex_verbosity++;
break;
case 'T':
configsetup++;
break;
case 'K':
checkconfig++;
break;
case 'N':
export = "";
break;
case 'C':
configfile = clone_str(optarg, "config file name");
break;
case 'c':
ctlbase = clone_str(optarg, "control base");
break;
case 'L':
listadd = 1;
dolist = 1;
break;
case 'r':
listroute = 1;
dolist = 1;
break;
case 's':
liststart = 1;
dolist = 1;
break;
case 'S':
liststack = 1;
dolist = 1;
break;
case 'i':
listignore = 1;
dolist = 1;
break;
case 'A':
listall = 1;
dolist = 1;
break;
case 'P':
varprefix = optarg;
break;
case 'R':
printf("setting rootdir=%s\n", optarg);
jam_str(rootdir, sizeof(rootdir), optarg);
break;
case 'd':
case 'n':
printf("Warning: options --defaultroute and --defaultroutenexthop are obsolete and were ignored\n");
break;
default:
usage();
}
}
/* if nothing to add, then complain */
if (optind == argc && !autoall && !dolist && !configsetup &&
!checkconfig)
usage();
if (verbose > 3) {
yydebug = 1;
}
/* find config file */
if (confdir == NULL)
confdir = IPSEC_CONFDIR;
if (configfile == NULL) {
/* ??? see code clone in programs/readwriteconf/readwriteconf.c */
configfile = alloc_bytes(strlen(confdir) +
sizeof("/ipsec.conf"),
"conf file");
/* calculate default value for configfile */
strcpy(configfile, confdir); /* safe: see allocation above */
if (configfile[0] != '\0' && configfile[strlen(configfile) - 1] != '/')
strcat(configfile, "/"); /* safe: see allocation above */
strcat(configfile, "ipsec.conf"); /* safe: see allocation above */
}
if (verbose)
printf("opening file: %s\n", configfile);
starter_use_log(verbose != 0, TRUE, verbose == 0);
err = NULL; /* reset to no error */
if (configsetup || checkconfig || dolist) {
/* skip if we have no use for them... causes delays */
resolvip = FALSE;
}
cfg = confread_load(configfile, &err, resolvip, ctlbase, configsetup);
if (cfg == NULL) {
fprintf(stderr, "cannot load config '%s': %s\n",
configfile, err);
exit(3);
} else if (checkconfig) {
confread_free(cfg);
exit(0);
}
if (autoall) {
if (verbose)
printf("loading all conns according to their auto= settings\n");
/*
* Load all conns marked as auto=add or better.
* First, do the auto=route and auto=add conns to quickly
* get routes in place, then do auto=start as these can be
* slower.
* This mimics behaviour of the old _plutoload
*/
if (verbose)
printf(" Pass #1: Loading auto=add, auto=route and auto=start connections\n");
for (conn = cfg->conns.tqh_first;
conn != NULL;
conn = conn->link.tqe_next) {
if (conn->desired_state == STARTUP_ADD ||
conn->desired_state == STARTUP_ONDEMAND ||
conn->desired_state == STARTUP_START) {
if (verbose)
printf(" %s", conn->name);
starter_whack_add_conn(cfg, conn);
}
}
/*
* We loaded all connections. Now tell pluto to listen,
* then route the conns and resolve default route.
*/
starter_whack_listen(cfg);
if (verbose)
printf(" Pass #2: Routing auto=route and auto=start connections\n");
for (conn = cfg->conns.tqh_first;
conn != NULL;
conn = conn->link.tqe_next) {
if (conn->desired_state == STARTUP_ADD ||
conn->desired_state == STARTUP_ONDEMAND ||
conn->desired_state == STARTUP_START) {
if (verbose)
printf(" %s", conn->name);
resolve_defaultroute(conn);
if (conn->desired_state == STARTUP_ONDEMAND ||
conn->desired_state == STARTUP_START) {
starter_whack_route_conn(cfg, conn);
}
}
}
if (verbose)
printf(" Pass #3: Initiating auto=start connections\n");
for (conn = cfg->conns.tqh_first;
conn != NULL;
conn = conn->link.tqe_next) {
if (conn->desired_state == STARTUP_START) {
if (verbose)
printf(" %s", conn->name);
starter_whack_initiate_conn(cfg, conn);
}
}
if (verbose)
printf("\n");
} else {
/* load named conns, regardless of their state */
int connum;
if (verbose)
printf("loading named conns:");
for (connum = optind; connum < argc; connum++) {
char *connname = argv[connum];
if (verbose)
printf(" %s", connname);
for (conn = cfg->conns.tqh_first;
conn != NULL;
conn = conn->link.tqe_next) {
if (streq(conn->name, connname)) {
if (conn->state == STATE_ADDED) {
printf("\nconn %s already added\n",
conn->name);
} else if (conn->state ==
STATE_FAILED) {
printf("\nconn %s did not load properly\n",
conn->name);
} else {
resolve_defaultroute(conn);
exit_status =
starter_whack_add_conn(
cfg,
conn);
conn->state = STATE_ADDED;
}
break;
}
}
if (conn == NULL) {
/*
* only if we don't find it, do we now look
* for aliases
*/
for (conn = cfg->conns.tqh_first;
conn != NULL;
conn = conn->link.tqe_next) {
if (conn->strings_set[KSF_CONNALIAS] &&
lsw_alias_cmp(connname,
conn->
strings[KSF_CONNALIAS]
)) {
if (conn->state ==
STATE_ADDED) {
printf("\nalias: %s conn %s already added\n",
connname,
conn->name);
} else if (conn->state ==
STATE_FAILED) {
printf("\nalias: %s conn %s did not load properly\n",
connname,
conn->name);
} else {
resolve_defaultroute(
conn);
exit_status =
starter_whack_add_conn(
cfg,
conn);
conn->state =
STATE_ADDED;
}
break;
}
}
}
if (conn == NULL) {
exit_status++;
if (!verbose) {
printf("conn '%s': not found (tried aliases)\n",
connname);
} else {
printf(" (notfound)\n");
}
}
}
}
if (listall) {
if (verbose)
printf("listing all conns\n");
for (conn = cfg->conns.tqh_first;
conn != NULL;
conn = conn->link.tqe_next)
printf("%s ", conn->name);
printf("\n");
} else {
if (listadd) {
if (verbose)
printf("listing all conns marked as auto=add\n");
/* list all conns marked as auto=add */
for (conn = cfg->conns.tqh_first;
conn != NULL;
conn = conn->link.tqe_next) {
if (conn->desired_state == STARTUP_ADD)
printf("%s ", conn->name);
}
}
if (listroute) {
if (verbose)
printf("listing all conns marked as auto=route and auto=start\n");
/*
* list all conns marked as auto=route or start or
* better
*/
for (conn = cfg->conns.tqh_first;
conn != NULL;
conn = conn->link.tqe_next) {
if (conn->desired_state == STARTUP_START ||
conn->desired_state == STARTUP_ONDEMAND)
printf("%s ", conn->name);
}
}
if (liststart && !listroute) {
if (verbose)
printf("listing all conns marked as auto=start\n");
/* list all conns marked as auto=start */
for (conn = cfg->conns.tqh_first;
conn != NULL;
conn = conn->link.tqe_next) {
if (conn->desired_state == STARTUP_START)
printf("%s ", conn->name);
}
}
if (listignore) {
if (verbose)
printf("listing all conns marked as auto=ignore\n");
/* list all conns marked as auto=start */
for (conn = cfg->conns.tqh_first;
conn != NULL;
conn = conn->link.tqe_next) {
if (conn->desired_state == STARTUP_IGNORE)
printf("%s ", conn->name);
}
printf("\n");
}
}
if (liststack) {
const struct keyword_def *kd;
for (kd = ipsec_conf_keywords_v2; kd->keyname != NULL; kd++) {
if (strstr(kd->keyname, "protostack")) {
if (cfg->setup.strings[kd->field])
printf("%s\n",
cfg->setup.strings[kd->field]);
else
/* implicit default */
printf("netkey\n");
}
}
confread_free(cfg);
exit(0);
}
if (configsetup) {
const struct keyword_def *kd;
printf("%s %sconfreadstatus=''\n", export, varprefix);
for (kd = ipsec_conf_keywords_v2; kd->keyname != NULL; kd++) {
if ((kd->validity & kv_config) == 0)
continue;
switch (kd->type) {
case kt_string:
case kt_filename:
case kt_dirname:
case kt_loose_enum:
if (cfg->setup.strings[kd->field]) {
printf("%s %s%s='%s'\n",
export, varprefix, kd->keyname,
cfg->setup.strings[kd->field]);
}
break;
case kt_bool:
printf("%s %s%s='%s'\n", export, varprefix,
kd->keyname,
cfg->setup.options[kd->field] ?
"yes" : "no");
break;
case kt_list:
printf("%s %s%s='",
export, varprefix, kd->keyname);
confwrite_list(stdout, "",
cfg->setup.options[kd->field],
kd);
printf("'\n");
break;
case kt_obsolete:
printf("# obsolete option '%s%s' ignored\n",
varprefix, kd->keyname);
break;
default:
if (cfg->setup.options[kd->field] ||
cfg->setup.options_set[kd->field]) {
printf("%s %s%s='%d'\n",
export, varprefix, kd->keyname,
cfg->setup.options[kd->field]);
}
break;
}
}
struct starter_config *confread_load(const char *file,
err_t *perr,
bool resolvip,
const char *ctlbase,
bool setuponly)
{
struct starter_config *cfg = NULL;
struct config_parsed *cfgp;
struct section_list *sconn;
bool err = FALSE;
bool connerr;
#ifdef DNSSEC
struct ub_ctx *dnsctx = ub_ctx_create();
unbound_init(dnsctx);
#else
struct ub_ctx *dnsctx = NULL;
#endif
/**
* Load file
*/
cfgp = parser_load_conf(file, perr);
if (!cfgp)
return NULL;
cfg = (struct starter_config *)alloc_bytes(sizeof(struct starter_config),"starter_config cfg");
/**
* Set default values
*/
ipsecconf_default_values(cfg);
if (ctlbase) {
pfree(cfg->ctlbase);
cfg->ctlbase = clone_str(ctlbase, "control socket");
}
/**
* Load setup
*/
err |= load_setup(cfg, cfgp);
if (err) {
parser_free_conf(cfgp);
confread_free(cfg);
return NULL;
}
if (!setuponly) {
/**
* Find %default and %oedefault conn
*
*/
for (sconn = cfgp->sections.tqh_first; (!err) && sconn != NULL;
sconn = sconn->link.tqe_next) {
if (streq(sconn->name, "%default")) {
starter_log(LOG_LEVEL_DEBUG,
"Loading default conn");
err |= load_conn(dnsctx,
&cfg->conn_default,
cfgp, sconn, FALSE,
/*default conn*/ TRUE,
resolvip, perr);
}
if (streq(sconn->name, "%oedefault")) {
starter_log(LOG_LEVEL_DEBUG,
"Loading oedefault conn");
err |= load_conn(dnsctx,
&cfg->conn_oedefault,
cfgp, sconn, FALSE,
/*default conn*/ TRUE,
resolvip, perr);
if (!err)
cfg->got_oedefault = TRUE;
}
}
/**
* Load other conns
*/
for (sconn = cfgp->sections.tqh_first; sconn != NULL;
sconn = sconn->link.tqe_next) {
if (streq(sconn->name, "%default"))
continue;
if (streq(sconn->name, "%oedefault"))
continue;
connerr = init_load_conn(dnsctx, cfg, cfgp, sconn,
FALSE,
resolvip, perr);
#if 0 /* ??? the following condition can never be true */
if (connerr == -1) {
parser_free_conf(cfgp);
confread_free(cfg);
return NULL;
}
#endif
err |= connerr;
}
/* if we have OE on, then create any missing OE conns! */
if (cfg->setup.options[KBF_OPPOENCRYPT]) {
starter_log(LOG_LEVEL_DEBUG, "Enabling OE conns");
add_any_oeconns(cfg, cfgp);
}
}
parser_free_conf(cfgp);
return cfg;
}
struct starter_config *confread_load(const char *file
, err_t *perr
, bool resolvip
, char *ctlbase
, bool setuponly)
{
struct starter_config *cfg = NULL;
struct config_parsed *cfgp;
struct section_list *sconn;
unsigned int err = 0, connerr;
/**
* Load file
*/
cfgp = parser_load_conf(file, perr);
if (!cfgp) return NULL;
cfg = (struct starter_config *)alloc_bytes(sizeof(struct starter_config),"starter_config cfg");
zero(cfg);
/**
* Set default values
*/
ipsecconf_default_values(cfg);
if(ctlbase) {
pfree(cfg->ctlbase);
cfg->ctlbase = clone_str(ctlbase, "control socket");
}
starter_whack_init_cfg(cfg); /* set default sender to send to socket */
/**
* Load setup
*/
err += load_setup(cfg, cfgp);
if(err) {
parser_free_conf(cfgp);
confread_free(cfg);
return NULL;
}
if(!setuponly) {
/**
* Find %default and %oedefault conn
*
*/
for(sconn = cfgp->sections.tqh_first; (!err) && sconn != NULL; sconn = sconn->link.tqe_next)
{
if (strcmp(sconn->name,"%default")==0) {
starter_log(LOG_LEVEL_DEBUG, "Loading default conn");
err += load_conn (cfg, &cfg->conn_default,
cfgp, sconn, FALSE,
/*default conn*/TRUE,
resolvip, perr);
}
if (strcmp(sconn->name,"%oedefault")==0) {
starter_log(LOG_LEVEL_DEBUG, "Loading oedefault conn");
err += load_conn (cfg, &cfg->conn_oedefault,
cfgp, sconn, FALSE,
/*default conn*/TRUE,
resolvip, perr);
if(err == 0) {
cfg->got_oedefault=TRUE;
}
}
}
/**
* Load other conns
*/
for(sconn = cfgp->sections.tqh_first; sconn != NULL; sconn = sconn->link.tqe_next)
{
if (strcmp(sconn->name,"%default")==0) continue;
if (strcmp(sconn->name,"%oedefault")==0) continue;
connerr = init_load_conn(cfg, cfgp, sconn, TRUE, FALSE,
resolvip, perr);
if(connerr == -1) {
parser_free_conf(cfgp);
confread_free(cfg);
return NULL;
}
err += connerr;
}
/* if we have OE on, then create any missing OE conns! */
if(cfg->setup.options[KBF_OPPOENCRYPT]) {
starter_log(LOG_LEVEL_DEBUG, "Enabling OE conns\n");
add_any_oeconns(cfg, cfgp);
}
}
parser_free_conf(cfgp);
return cfg;
}
int main(int argc, char *argv[])
{
int opt = 0;
struct starter_config *cfg = NULL;
err_t err = NULL;
char *confdir = NULL;
char *configfile = NULL;
struct starter_conn *conn = NULL;
progname = argv[0];
rootdir[0] = '\0';
rootdir2[0] = '\0';
tool_init_log();
while ((opt = getopt_long(argc, argv, "", longopts, 0)) != EOF) {
switch (opt) {
case 'h':
/* usage: */
usage();
break;
case 'D':
verbose++;
lex_verbosity++;
break;
case 'C':
configfile = clone_str(optarg, "config file name");
break;
case 'R':
printf("#setting rootdir=%s\n", optarg);
jam_str(rootdir, sizeof(rootdir), optarg);
break;
case 'S':
printf("#setting rootdir2=%s\n", optarg);
jam_str(rootdir2, sizeof(rootdir2), optarg);
break;
case '?':
exit(5);
default:
fprintf(stderr, "%s: getopt returned %d\n", progname, opt);
exit(6);
}
}
if (optind != argc) {
fprintf(stderr,"%s: unexpected arguments\n",
progname);
exit(4);
}
/* find config file */
if (confdir == NULL)
confdir = IPSEC_CONFDIR;
if (configfile == NULL) {
/* ??? see code clone in programs/addconn/addconn.c */
configfile = alloc_bytes(strlen(confdir) +
sizeof("/ipsec.conf"),
"conf file");
/* calculate default value for configfile */
strcpy(configfile, confdir); /* safe: see allocation above */
if (configfile[0] != '\0' && configfile[strlen(configfile) - 1] != '/')
strcat(configfile, "/"); /* safe: see allocation above */
strcat(configfile, "ipsec.conf"); /* safe: see allocation above */
}
if (verbose > 3) {
yydebug = 1;
}
if (verbose)
printf("opening file: %s\n", configfile);
starter_use_log(verbose != 0, TRUE, verbose == 0);
cfg = confread_load(configfile, &err, FALSE, NULL, FALSE);
if (cfg == NULL) {
fprintf(stderr, "%s: config file \"%s\" cannot be loaded: %s\n",
progname, configfile, err);
exit(3);
}
/* load all conns marked as auto=add or better */
for (conn = cfg->conns.tqh_first;
conn != NULL;
conn = conn->link.tqe_next)
printf("#conn %s loaded\n", conn->name);
confwrite(cfg, stdout);
confread_free(cfg);
exit(0);
}
int
main(int argc, char **argv)
{
int lockfd;
int nhelpers = -1;
char *coredir;
const struct lsw_conf_options *oco;
/*
* We read the intentions for how to log from command line options
* and the config file. Then we prepare to be able to log, but until
* then log to stderr (better then nothing). Once we are ready to
* actually do loggin according to the methods desired, we set the
* variables for those methods
*/
bool log_to_stderr_desired = FALSE;
bool log_to_file_desired = FALSE;
coredir = NULL;
/* set up initial defaults that need a cast */
pluto_shared_secrets_file =
DISCARD_CONST(char *, SHARED_SECRETS_FILE);
#ifdef NAT_TRAVERSAL
/** Overridden by nat_traversal= in ipsec.conf */
bool nat_traversal = FALSE;
bool nat_t_spf = TRUE; /* support port floating */
unsigned int keep_alive = 0;
bool force_keepalive = FALSE;
#endif
/** Overridden by virtual_private= in ipsec.conf */
char *virtual_private = NULL;
#ifdef LEAK_DETECTIVE
leak_detective=1;
#else
leak_detective=0;
#endif
#ifdef HAVE_LIBCAP_NG
/* Drop capabilities */
capng_clear(CAPNG_SELECT_BOTH);
capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
CAP_NET_BIND_SERVICE, CAP_NET_ADMIN, CAP_NET_RAW,
CAP_IPC_LOCK, CAP_AUDIT_WRITE,
-1);
/* our children must be able to CAP_NET_ADMIN to change routes.
*/
capng_updatev(CAPNG_ADD, CAPNG_BOUNDING_SET,
CAP_NET_ADMIN, -1);
capng_apply(CAPNG_SELECT_BOTH);
#endif
#ifdef DEBUG
libreswan_passert_fail = passert_fail;
#endif
if(getenv("PLUTO_WAIT_FOR_GDB")) {
sleep(120);
}
/* handle arguments */
for (;;)
{
# define DBG_OFFSET 256
static const struct option long_opts[] = {
/* name, has_arg, flag, val */
{ "help", no_argument, NULL, 'h' },
{ "version", no_argument, NULL, 'v' },
{ "config", required_argument, NULL, 'z' },
{ "nofork", no_argument, NULL, 'd' },
{ "stderrlog", no_argument, NULL, 'e' },
{ "logfile", required_argument, NULL, 'g' },
{ "plutostderrlogtime", no_argument, NULL, 't' },
{ "noklips", no_argument, NULL, 'n' },
{ "use-nostack", no_argument, NULL, 'n' },
{ "use-none", no_argument, NULL, 'n' },
{ "force_busy", no_argument, NULL, 'D' },
{ "strictcrlpolicy", no_argument, NULL, 'r' },
{ "crlcheckinterval", required_argument, NULL, 'x'},
{ "uniqueids", no_argument, NULL, 'u' },
{ "useklips", no_argument, NULL, 'k' },
{ "use-klips", no_argument, NULL, 'k' },
{ "use-auto", no_argument, NULL, 'G' },
{ "usenetkey", no_argument, NULL, 'K' },
{ "use-netkey", no_argument, NULL, 'K' },
{ "use-mast", no_argument, NULL, 'M' },
{ "use-mastklips", no_argument, NULL, 'M' },
{ "use-bsdkame", no_argument, NULL, 'F' },
{ "interface", required_argument, NULL, 'i' },
{ "listen", required_argument, NULL, 'L' },
{ "ikeport", required_argument, NULL, 'p' },
{ "natikeport", required_argument, NULL, 'q' },
{ "ctlbase", required_argument, NULL, 'b' },
{ "secretsfile", required_argument, NULL, 's' },
{ "perpeerlogbase", required_argument, NULL, 'P' },
{ "perpeerlog", no_argument, NULL, 'l' },
{ "noretransmits", no_argument, NULL, 'R' },
{ "coredir", required_argument, NULL, 'C' },
{ "ipsecdir", required_argument, NULL, 'f' },
{ "ipsec_dir", required_argument, NULL, 'f' },
{ "foodgroupsdir", required_argument, NULL, 'f' },
{ "adns", required_argument, NULL, 'a' },
#ifdef NAT_TRAVERSAL
{ "nat_traversal", no_argument, NULL, '1' },
{ "keep_alive", required_argument, NULL, '2' },
{ "force_keepalive", no_argument, NULL, '3' },
{ "disable_port_floating", no_argument, NULL, '4' },
{ "debug-nat_t", no_argument, NULL, '5' },
{ "debug-nattraversal", no_argument, NULL, '5' },
{ "debug-nat-t", no_argument, NULL, '5' },
#endif
{ "virtual_private", required_argument, NULL, '6' },
{ "nhelpers", required_argument, NULL, 'j' },
#ifdef HAVE_LABELED_IPSEC
{ "secctx_attr_value", required_argument, NULL, 'w' },
#endif
#ifdef DEBUG
{ "debug-none", no_argument, NULL, 'N' },
{ "debug-all", no_argument, NULL, 'A' },
{ "debug-raw", no_argument, NULL, DBG_RAW + DBG_OFFSET },
{ "debug-crypt", no_argument, NULL, DBG_CRYPT + DBG_OFFSET },
{ "debug-crypto", no_argument, NULL, DBG_CRYPT + DBG_OFFSET },
{ "debug-parsing", no_argument, NULL, DBG_PARSING + DBG_OFFSET },
{ "debug-emitting", no_argument, NULL, DBG_EMITTING + DBG_OFFSET },
{ "debug-control", no_argument, NULL, DBG_CONTROL + DBG_OFFSET },
{ "debug-lifecycle", no_argument, NULL, DBG_LIFECYCLE + DBG_OFFSET },
{ "debug-klips", no_argument, NULL, DBG_KLIPS + DBG_OFFSET },
{ "debug-netkey", no_argument, NULL, DBG_NETKEY + DBG_OFFSET },
{ "debug-dns", no_argument, NULL, DBG_DNS + DBG_OFFSET },
{ "debug-oppo", no_argument, NULL, DBG_OPPO + DBG_OFFSET },
{ "debug-oppoinfo", no_argument, NULL, DBG_OPPOINFO + DBG_OFFSET },
{ "debug-controlmore", no_argument, NULL, DBG_CONTROLMORE + DBG_OFFSET },
{ "debug-dpd", no_argument, NULL, DBG_DPD + DBG_OFFSET },
{ "debug-x509", no_argument, NULL, DBG_X509 + DBG_OFFSET },
{ "debug-private", no_argument, NULL, DBG_PRIVATE + DBG_OFFSET },
{ "debug-pfkey", no_argument, NULL, DBG_PFKEY + DBG_OFFSET },
{ "impair-delay-adns-key-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_KEY_ANSWER + DBG_OFFSET },
{ "impair-delay-adns-txt-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_TXT_ANSWER + DBG_OFFSET },
{ "impair-bust-mi2", no_argument, NULL, IMPAIR_BUST_MI2 + DBG_OFFSET },
{ "impair-bust-mr2", no_argument, NULL, IMPAIR_BUST_MR2 + DBG_OFFSET },
{ "impair-sa-creation", no_argument, NULL, IMPAIR_SA_CREATION + DBG_OFFSET },
{ "impair-die-oninfo", no_argument, NULL, IMPAIR_DIE_ONINFO + DBG_OFFSET },
{ "impair-jacob-two-two", no_argument, NULL, IMPAIR_JACOB_TWO_TWO + DBG_OFFSET },
{ "impair-major-version-bump", no_argument, NULL, IMPAIR_MAJOR_VERSION_BUMP + DBG_OFFSET },
{ "impair-minor-version-bump", no_argument, NULL, IMPAIR_MINOR_VERSION_BUMP + DBG_OFFSET },
{ "impair-retransmits", no_argument, NULL, IMPAIR_RETRANSMITS + DBG_OFFSET },
{ "impair-send-bogus-isakmp-flag", no_argument, NULL, IMPAIR_SEND_BOGUS_ISAKMP_FLAG + DBG_OFFSET },
#endif
{ 0,0,0,0 }
};
/* Note: we don't like the way short options get parsed
* by getopt_long, so we simply pass an empty string as
* the list. It could be "hvdenp:l:s:" "NARXPECK".
*/
int c = getopt_long(argc, argv, "", long_opts, NULL);
/** Note: "breaking" from case terminates loop */
switch (c)
{
case EOF: /* end of flags */
break;
case 0: /* long option already handled */
continue;
case ':': /* diagnostic already printed by getopt_long */
case '?': /* diagnostic already printed by getopt_long */
usage("");
break; /* not actually reached */
case 'h': /* --help */
usage(NULL);
break; /* not actually reached */
case 'C':
coredir = clone_str(optarg, "coredir");
continue;
case 'v': /* --version */
{
printf("%s%s\n", ipsec_version_string(),
compile_time_interop_options);
}
exit(0); /* not exit_pluto because we are not initialized yet */
break; /* not actually reached */
case 'j': /* --nhelpers */
if (optarg == NULL || !isdigit(optarg[0]))
usage("missing number of pluto helpers");
{
char *endptr;
long count = strtol(optarg, &endptr, 0);
if (*endptr != '\0' || endptr == optarg
|| count < -1)
usage("<nhelpers> must be a positive number, 0 or -1");
nhelpers = count;
}
continue;
#ifdef HAVE_LABELED_IPSEC
case 'w': /* --secctx_attr_value*/
if (optarg == NULL || !isdigit(optarg[0]))
usage("missing (positive integer) value of secctx_attr_value (needed only if using labeled ipsec)");
{
char *endptr;
long value = strtol(optarg, &endptr, 0);
if (*endptr != '\0' || endptr == optarg
|| (value != SECCTX && value !=10) )
usage("<secctx_attr_value> must be a positive number (32001 by default, 10 for backward compatibility, or any other future number assigned by IANA)");
secctx_attr_value = (u_int16_t)value;
}
continue;
#endif
case 'd': /* --nofork*/
fork_desired = FALSE;
continue;
case 'e': /* --stderrlog */
log_to_stderr_desired = TRUE;
continue;
case 'g': /* --logfile */
pluto_log_file = optarg;
log_to_file_desired = TRUE;
continue;
case 't': /* --plutostderrlogtime */
log_with_timestamp = TRUE;
continue;
case 'G': /* --use-auto */
libreswan_log("The option --use-auto is obsoleted, falling back to --use-netkey\n");
kern_interface = USE_NETKEY;
continue;
case 'k': /* --use-klips */
kern_interface = USE_KLIPS;
continue;
case 'L': /* --listen ip_addr */
{
ip_address lip;
err_t e = ttoaddr(optarg,0,0,&lip);
if(e) {
libreswan_log("invalid listen argument ignored: %s\n",e);
} else {
pluto_listen = clone_str(optarg, "pluto_listen");
libreswan_log("bind() will be filtered for %s\n",pluto_listen);
}
}
continue;
case 'M': /* --use-mast */
kern_interface = USE_MASTKLIPS;
continue;
case 'F': /* --use-bsdkame */
kern_interface = USE_BSDKAME;
continue;
case 'K': /* --use-netkey */
kern_interface = USE_NETKEY;
continue;
case 'n': /* --use-nostack */
kern_interface = NO_KERNEL;
continue;
case 'D': /* --force_busy */
force_busy = TRUE;
continue
;
case 'r': /* --strictcrlpolicy */
strict_crl_policy = TRUE;
continue
;
case 'R':
no_retransmits = TRUE;
continue;
case 'x': /* --crlcheckinterval <time>*/
if (optarg == NULL || !isdigit(optarg[0]))
usage("missing interval time");
{
char *endptr;
long interval = strtol(optarg, &endptr, 0);
if (*endptr != '\0' || endptr == optarg
|| interval <= 0)
usage("<interval-time> must be a positive number");
crl_check_interval = interval;
}
continue
;
case 'u': /* --uniqueids */
uniqueIDs = TRUE;
continue;
case 'i': /* --interface <ifname|ifaddr> */
if (!use_interface(optarg))
usage("too many --interface specifications");
continue;
/*
* This option does not really work, as this is the "left"
* site only, you also need --to --ikeport again later on
* It will result in: yourport -> 500, still not bypassing filters
*/
case 'p': /* --ikeport <portnumber> */
if (optarg == NULL || !isdigit(optarg[0]))
usage("missing port number");
{
char *endptr;
long port = strtol(optarg, &endptr, 0);
if (*endptr != '\0' || endptr == optarg
|| port <= 0 || port > 0x10000)
usage("<port-number> must be a number between 1 and 65535");
pluto_port = port;
}
continue;
#ifdef NAT_TRAVERSAL
case 'q': /* --natikeport <portnumber> */
if (optarg == NULL || !isdigit(optarg[0]))
usage("missing port number");
{
char *endptr;
long port = strtol(optarg, &endptr, 0);
if (*endptr != '\0' || endptr == optarg
|| port <= 0 || port > 0x10000)
usage("<port-number> must be a number between 1 and 65535");
pluto_natt_float_port = port;
}
continue;
#endif
case 'b': /* --ctlbase <path> */
ctlbase = optarg;
if (snprintf(ctl_addr.sun_path, sizeof(ctl_addr.sun_path)
, "%s%s", ctlbase, CTL_SUFFIX) == -1)
usage("<path>" CTL_SUFFIX " too long for sun_path");
if (snprintf(info_addr.sun_path, sizeof(info_addr.sun_path)
, "%s%s", ctlbase, INFO_SUFFIX) == -1)
usage("<path>" INFO_SUFFIX " too long for sun_path");
if (snprintf(pluto_lock, sizeof(pluto_lock)
, "%s%s", ctlbase, LOCK_SUFFIX) == -1)
usage("<path>" LOCK_SUFFIX " must fit");
continue;
case 's': /* --secretsfile <secrets-file> */
pluto_shared_secrets_file = optarg;
continue;
case 'f': /* --ipsecdir <ipsec-dir> */
(void)lsw_init_ipsecdir(optarg);
continue;
case 'a': /* --adns <pathname> */
pluto_adns_option = optarg;
continue;
#ifdef DEBUG
case 'N': /* --debug-none */
base_debugging = DBG_NONE;
continue;
case 'A': /* --debug-all */
base_debugging = DBG_ALL;
continue;
#endif
case 'P': /* --perpeerlogbase */
base_perpeer_logdir = optarg;
continue;
case 'l':
log_to_perpeer = TRUE;
continue;
#ifdef NAT_TRAVERSAL
case '1': /* --nat_traversal */
nat_traversal = TRUE;
continue;
case '2': /* --keep_alive */
keep_alive = atoi(optarg);
continue;
case '3': /* --force_keepalive */
force_keepalive = TRUE;
continue;
case '4': /* --disable_port_floating */
nat_t_spf = FALSE;
continue;
#ifdef DEBUG
case '5': /* --debug-nat_t */
base_debugging |= DBG_NATT;
continue;
#endif
#endif
case '6': /* --virtual_private */
virtual_private = optarg;
continue;
case 'z': /* --config */
;
/* Config struct to variables mapper. This will overwrite */
/* all previously set options. Keep this in the same order than */
/* long_opts[] is. */
struct starter_config *cfg = read_cfg_file(optarg);
set_cfg_string(&pluto_log_file, cfg->setup.strings[KSF_PLUTOSTDERRLOG]);
fork_desired = cfg->setup.options[KBF_PLUTOFORK]; /* plutofork= */
log_with_timestamp =
cfg->setup.options[KBF_PLUTOSTDERRLOGTIME];
force_busy = cfg->setup.options[KBF_FORCEBUSY];
strict_crl_policy = cfg->setup.options[KBF_STRICTCRLPOLICY];
crl_check_interval = cfg->setup.options[KBF_CRLCHECKINTERVAL];
uniqueIDs = cfg->setup.options[KBF_UNIQUEIDS];
/*
* We don't check interfaces= here because that part has been dealt
* with in _stackmanager before we started
*/
set_cfg_string(&pluto_listen, cfg->setup.strings[KSF_LISTEN]);
pluto_port = cfg->setup.options[KBF_IKEPORT]; /* --ikeport */
/* no config option: ctlbase */
set_cfg_string(&pluto_shared_secrets_file, cfg->setup.strings[KSF_SECRETSFILE]); /* --secrets */
if(cfg->setup.strings[KSF_IPSECDIR] != NULL &&
*cfg->setup.strings[KSF_IPSECDIR] != 0) {
lsw_init_ipsecdir(cfg->setup.strings[KSF_IPSECDIR]); /* --ipsecdir */
}
set_cfg_string(&base_perpeer_logdir, cfg->setup.strings[KSF_PERPEERDIR]); /* --perpeerlogbase */
log_to_perpeer = cfg->setup.options[KBF_PERPEERLOG]; /* --perpeerlog */
no_retransmits = !cfg->setup.options[KBF_RETRANSMITS]; /* --noretransmits */
set_cfg_string(&coredir, cfg->setup.strings[KSF_DUMPDIR]); /* --dumpdir */
/* no config option: pluto_adns_option */
#ifdef NAT_TRAVERSAL
pluto_natt_float_port = cfg->setup.options[KBF_NATIKEPORT];
nat_traversal = cfg->setup.options[KBF_NATTRAVERSAL];
keep_alive = cfg->setup.options[KBF_KEEPALIVE];
force_keepalive = cfg->setup.options[KBF_FORCE_KEEPALIVE];
nat_t_spf = !cfg->setup.options[KBF_DISABLEPORTFLOATING];
#endif
set_cfg_string(&virtual_private,
cfg->setup.strings[KSF_VIRTUALPRIVATE]);
nhelpers = cfg->setup.options[KBF_NHELPERS];
#ifdef HAVE_LABELED_IPSEC
secctx_attr_value = cfg->setup.options[KBF_SECCTX];
#endif
#ifdef DEBUG
base_debugging = cfg->setup.options[KBF_PLUTODEBUG];
#endif
char *protostack = cfg->setup.strings[KSF_PROTOSTACK];
if (protostack == NULL || *protostack == 0)
kern_interface = USE_NETKEY;
else if (strcmp(protostack, "none") == 0)
kern_interface = NO_KERNEL;
else if (strcmp(protostack, "auto") == 0)
{
libreswan_log("The option protostack=auto is obsoleted, falling back to protostack=netkey\n");
kern_interface = USE_NETKEY;
}
else if (strcmp(protostack, "klips") == 0)
kern_interface = USE_KLIPS;
else if (strcmp(protostack, "mast") == 0)
kern_interface = USE_MASTKLIPS;
else if (strcmp(protostack, "netkey") == 0 ||
strcmp(protostack, "native") == 0)
kern_interface = USE_NETKEY;
else if (strcmp(protostack, "bsd") == 0 ||
strcmp(protostack, "kame") == 0 ||
strcmp(protostack, "bsdkame") == 0)
kern_interface = USE_BSDKAME;
else if (strcmp(protostack, "win2k") == 0)
kern_interface = USE_WIN2K;
confread_free(cfg);
continue;
default:
#ifdef DEBUG
if (c >= DBG_OFFSET)
{
base_debugging |= c - DBG_OFFSET;
continue;
}
# undef DBG_OFFSET
#endif
bad_case(c);
}
break;
}
if (optind != argc)
usage("unexpected argument");
reset_debugging();
#ifdef HAVE_NO_FORK
fork_desired = FALSE;
nhelpers = 0;
#endif
/* default coredir to location compatible with SElinux */
if(!coredir) {
coredir = clone_str("/var/run/pluto", "coredir");
}
if(chdir(coredir) == -1) {
int e = errno;
libreswan_log("pluto: chdir() do dumpdir failed (%d: %s)\n",
e, strerror(e));
}
oco = lsw_init_options();
lockfd = create_lock();
/* select between logging methods */
if (log_to_stderr_desired || log_to_file_desired) {
log_to_syslog = FALSE;
}
if (!log_to_stderr_desired)
log_to_stderr = FALSE;
#ifdef DEBUG
#if 0
if(kernel_ops->set_debug) {
(*kernel_ops->set_debug)(cur_debugging, DBG_log, DBG_log);
}
#endif
#endif
/** create control socket.
* We must create it before the parent process returns so that
* there will be no race condition in using it. The easiest
* place to do this is before the daemon fork.
*/
{
err_t ugh = init_ctl_socket();
if (ugh != NULL)
{
fprintf(stderr, "pluto: %s", ugh);
exit_pluto(1);
}
}
/* If not suppressed, do daemon fork */
if (fork_desired)
{
{
pid_t pid = fork();
if (pid < 0)
{
int e = errno;
fprintf(stderr, "pluto: fork failed (%d %s)\n",
errno, strerror(e));
exit_pluto(1);
}
if (pid != 0)
{
/* parent: die, after filling PID into lock file.
* must not use exit_pluto: lock would be removed!
*/
exit(fill_lock(lockfd, pid)? 0 : 1);
}
}
if (setsid() < 0)
{
int e = errno;
fprintf(stderr, "setsid() failed in main(). Errno %d: %s\n",
errno, strerror(e));
exit_pluto(1);
}
}
else
{
/* no daemon fork: we have to fill in lock file */
(void) fill_lock(lockfd, getpid());
if (isatty(fileno(stdout)))
{
fprintf(stdout, "Pluto initialized\n");
fflush(stdout);
}
}
/** Close everything but ctl_fd and (if needed) stderr.
* There is some danger that a library that we don't know
* about is using some fd that we don't know about.
* I guess we'll soon find out.
*/
{
int i;
for (i = getdtablesize() - 1; i >= 0; i--) /* Bad hack */
if ((!log_to_stderr || i != 2)
&& i != ctl_fd)
close(i);
/* make sure that stdin, stdout, stderr are reserved */
if (open("/dev/null", O_RDONLY) != 0)
lsw_abort();
if (dup2(0, 1) != 1)
lsw_abort();
if (!log_to_stderr && dup2(0, 2) != 2)
lsw_abort();
}
init_constants();
pluto_init_log();
pluto_init_nss(oco->confddir);
#ifdef FIPS_CHECK
const char *package_files[]= { IPSECLIBDIR"/setup",
IPSECLIBDIR"/addconn",
IPSECLIBDIR"/auto",
IPSECLIBDIR"/barf",
IPSECLIBDIR"/eroute",
IPSECLIBDIR"/ikeping",
IPSECLIBDIR"/readwriteconf",
IPSECLIBDIR"/_keycensor",
IPSECLIBDIR"/klipsdebug",
IPSECLIBDIR"/look",
IPSECLIBDIR"/newhostkey",
IPSECLIBDIR"/pf_key",
IPSECLIBDIR"/_pluto_adns",
IPSECLIBDIR"/_plutorun",
IPSECLIBDIR"/ranbits",
IPSECLIBDIR"/_realsetup",
IPSECLIBDIR"/rsasigkey",
IPSECLIBDIR"/pluto",
IPSECLIBDIR"/_secretcensor",
IPSECLIBDIR"/secrets",
IPSECLIBDIR"/showhostkey",
IPSECLIBDIR"/spi",
IPSECLIBDIR"/spigrp",
IPSECLIBDIR"/_stackmanager",
IPSECLIBDIR"/tncfg",
IPSECLIBDIR"/_updown",
IPSECLIBDIR"/_updown.klips",
IPSECLIBDIR"/_updown.mast",
IPSECLIBDIR"/_updown.netkey",
IPSECLIBDIR"/verify",
IPSECLIBDIR"/whack",
IPSECSBINDIR"/ipsec",
NULL
};
if (Pluto_IsFIPS() && !FIPSCHECK_verify_files(package_files)) {
loglog(RC_LOG_SERIOUS, "FATAL: FIPS integrity verification test failed");
exit_pluto(10);
}
#else
libreswan_log("FIPS integrity support [disabled]");
#endif
#ifdef HAVE_LIBCAP_NG
libreswan_log("libcap-ng support [enabled]");
#else
libreswan_log("libcap-ng support [disabled]");
#endif
#ifdef USE_LINUX_AUDIT
libreswan_log("Linux audit support [enabled]");
/* test and log if audit is enabled on the system */
int audit_fd, rc;
audit_fd = audit_open();
if (audit_fd < 0) {
if (errno == EINVAL || errno == EPROTONOSUPPORT ||
errno == EAFNOSUPPORT)
{
loglog(RC_LOG_SERIOUS, "Warning: kernel has no audit support");
} else {
loglog(RC_LOG_SERIOUS, "FATAL (SOON): audit_open() failed : %s", strerror(errno));
/* temp disabled exit_pluto(10); */
}
}
rc = audit_log_acct_message(audit_fd, AUDIT_USER_START, NULL,
"starting pluto daemon", NULL, -1, NULL, NULL, NULL, 1);
close(audit_fd);
if (rc < 0) {
loglog(RC_LOG_SERIOUS, "FATAL: audit_log_acct_message failed: %s", strerror(errno));
exit_pluto(10);
}
#else
libreswan_log("Linux audit support [disabled]");
#endif
/* Note: some scripts may look for this exact message -- don't change
* ipsec barf was one, but it no longer does.
*/
{
const char *vc = ipsec_version_code();
#ifdef PLUTO_SENDS_VENDORID
const char *v = init_pluto_vendorid();
libreswan_log("Starting Pluto (Libreswan Version %s%s; Vendor ID %s) pid:%u"
, vc, compile_time_interop_options, v, getpid());
#else
libreswan_log("Starting Pluto (Libreswan Version %s%s) pid:%u"
, vc, compile_time_interop_options, getpid());
#endif
if(Pluto_IsFIPS()) {
libreswan_log("Pluto is running in FIPS mode");
} else {
libreswan_log("Pluto is NOT running in FIPS mode");
}
if((vc[0]=='c' && vc[1]=='v' && vc[2]=='s') ||
(vc[2]=='g' && vc[3]=='i' && vc[4]=='t')) {
/*
* when people build RPMs from CVS or GIT, make sure they
* get blamed appropriately, and that we get some way to
* identify who did it, and when they did it. Use string concat,
* so that strings the binary can or classic SCCS "what", will find
* stuff too.
*/
libreswan_log("@(#) built on "__DATE__":" __TIME__ " by " BUILDER);
}
#if defined(USE_1DES)
libreswan_log("WARNING: 1DES is enabled");
#endif
}
if(coredir) {
libreswan_log("core dump dir: %s", coredir);
}
if(pluto_shared_secrets_file) {
libreswan_log("secrets file: %s", pluto_shared_secrets_file);
}
#ifdef LEAK_DETECTIVE
libreswan_log("LEAK_DETECTIVE support [enabled]");
#else
libreswan_log("LEAK_DETECTIVE support [disabled]");
#endif
#ifdef HAVE_OCF
{
struct stat buf;
errno=0;
if( stat("/dev/crypto",&buf) != -1)
libreswan_log("OCF support for IKE via /dev/crypto [enabled]");
else
libreswan_log("OCF support for IKE via /dev/crypto [failed:%s]", strerror(errno));
}
#else
libreswan_log("OCF support for IKE [disabled]");
#endif
/* Check for SAREF support */
#ifdef KLIPS_MAST
#include <ipsec_saref.h>
{
int e, sk, saref;
saref = 1;
errno=0;
sk = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
e = setsockopt(sk, IPPROTO_IP, IP_IPSEC_REFINFO, &saref, sizeof(saref));
if (e == -1 ) {
libreswan_log("SAref support [disabled]: %s" , strerror(errno));
}
else {
libreswan_log("SAref support [enabled]");
}
errno=0;
e = setsockopt(sk, IPPROTO_IP, IP_IPSEC_BINDREF, &saref, sizeof(saref));
if (e == -1 ) {
libreswan_log("SAbind support [disabled]: %s" , strerror(errno));
}
else {
libreswan_log("SAbind support [enabled]");
}
close(sk);
}
#endif
libreswan_log("NSS crypto [enabled]");
#ifdef XAUTH_HAVE_PAM
libreswan_log("XAUTH PAM support [enabled]");
#else
libreswan_log("XAUTH PAM support [disabled]");
#endif
#ifdef HAVE_STATSD
libreswan_log("HAVE_STATSD notification via /bin/libreswan-statsd enabled");
#else
libreswan_log("HAVE_STATSD notification support [disabled]");
#endif
/** Log various impair-* functions if they were enabled */
if(DBGP(IMPAIR_BUST_MI2))
libreswan_log("Warning: IMPAIR_BUST_MI2 enabled");
if(DBGP(IMPAIR_BUST_MR2))
libreswan_log("Warning: IMPAIR_BUST_MR2 enabled");
if(DBGP(IMPAIR_SA_CREATION))
libreswan_log("Warning: IMPAIR_SA_CREATION enabled");
if(DBGP(IMPAIR_JACOB_TWO_TWO))
libreswan_log("Warning: IMPAIR_JACOB_TWO_TWO enabled");
if(DBGP(IMPAIR_DIE_ONINFO))
libreswan_log("Warning: IMPAIR_DIE_ONINFO enabled");
if(DBGP(IMPAIR_MAJOR_VERSION_BUMP))
libreswan_log("Warning: IMPAIR_MAJOR_VERSION_BUMP enabled");
if(DBGP(IMPAIR_MINOR_VERSION_BUMP))
libreswan_log("Warning: IMPAIR_MINOR_VERSION_BUMP enabled");
if(DBGP(IMPAIR_RETRANSMITS))
libreswan_log("Warning: IMPAIR_RETRANSMITS enabled");
if(DBGP(IMPAIR_SEND_BOGUS_ISAKMP_FLAG))
libreswan_log("Warning: IMPAIR_SEND_BOGUS_ISAKMP_FLAG enabled");
if(DBGP(IMPAIR_DELAY_ADNS_KEY_ANSWER))
libreswan_log("Warning: IMPAIR_DELAY_ADNS_KEY_ANSWER enabled");
if(DBGP(IMPAIR_DELAY_ADNS_TXT_ANSWER))
libreswan_log("Warning: IMPAIR_DELAY_ADNS_TXT_ANSWER enabled");
/** Initialize all of the various features */
#ifdef NAT_TRAVERSAL
init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf);
#endif
init_virtual_ip(virtual_private);
/* obsoletd by nss code init_rnd_pool(); */
init_timer();
init_secret();
init_states();
init_connections();
init_crypto();
init_crypto_helpers(nhelpers);
load_lswcrypto();
init_demux();
init_kernel();
init_adns();
init_id();
#ifdef TPM
init_tpm();
#endif
#if defined(LIBCURL) || defined(LDAP_VER)
init_fetch();
#endif
/* loading X.509 CA certificates */
load_authcerts("CA cert", oco->cacerts_dir, AUTH_CA);
#if 0
/* unused */
/* loading X.509 AA certificates */
load_authcerts("AA cert", oco->aacerts_dir, AUTH_AA);
#endif
/* loading X.509 CRLs */
load_crls();
/* loading attribute certificates (experimental) */
load_acerts();
/*Loading CA certs from NSS DB*/
load_authcerts_from_nss("CA cert", AUTH_CA);
#ifdef HAVE_LABELED_IPSEC
init_avc();
#endif
daily_log_event();
call_server();
return -1; /* Shouldn't ever reach this */
}
int
main(int argc, char *argv[])
{
int opt = 0;
int textout = 1;
int whackout = 0; /* if true, write whack messages */
char *whackfile = NULL;
struct starter_config *cfg = NULL;
err_t err = NULL;
char *confdir = NULL;
char *configfile = NULL;
struct starter_conn *conn = NULL;
progname = argv[0];
rootdir[0]='\0';
tool_init_log();
while((opt = getopt_long(argc, argv, "", longopts, 0)) != EOF) {
switch(opt) {
case 'h':
/* usage: */
usage();
break;
case 'T':
textout = 1;
break;
case 'w':
whackfile = clone_str(optarg, "output file name");
whackout = 1;
textout = 0;
break;
case 'D':
verbose++;
break;
case 'W':
warningsarefatal++;
break;
case 'C':
configfile = clone_str(optarg, "config file name");
break;
case 'R':
if(verbose) printf("#setting rootdir=%s\n", optarg);
strlcat(rootdir, optarg, sizeof(rootdir));
break;
case 'S':
if(verbose) printf("#setting rootdir2=%s\n", optarg);
rootdir2[0]='\0';
strlcat(rootdir2, optarg, sizeof(rootdir2));
break;
}
}
/* find config file */
confdir = getenv(IPSEC_CONFDIR_VAR);
if(confdir == NULL)
{
confdir = IPSEC_CONFDIR;
}
if(!configfile) {
configfile = alloc_bytes(strlen(confdir)+sizeof("/ipsec.conf")+2,"conf file");
/* calculate default value for configfile */
configfile[0]='\0';
strcpy(configfile, confdir);
if(configfile[strlen(configfile)-1]!='/')
{
strcat(configfile, "/");
}
strcat(configfile, "ipsec.conf");
}
if(verbose > 3) {
extern int yydebug;
yydebug=1;
}
if(verbose) {
printf("opening file: %s\n", configfile);
}
starter_use_log (verbose, 1, verbose ? 0 : 1);
cfg = confread_load(configfile, &err, FALSE, NULL,FALSE);
if(!cfg) {
printf("config file: %s can not be loaded: %s\n", configfile, err);
exit(3);
}
if(textout) {
/* load all conns marked as auto=add or better */
for(conn = cfg->conns.tqh_first;
conn != NULL;
conn = conn->link.tqe_next)
{
printf("#conn %s loaded\n", conn->name);
}
confwrite(cfg, stdout);
}
if(whackout && whackfile!=NULL) {
if(!openwhackrecordfile(whackfile)) {
perror(whackfile);
exit(5);
}
/* use file writer above */
cfg->send_whack_msg = send_whack_msg_to_file;
/* load all conns marked as auto=add or better, and save them. */
argv+=optind;
argc-=optind;
for(; argc>0; argc--, argv++) {
char *conn_name = *argv;
for(conn = cfg->conns.tqh_first;
conn != NULL;
conn = conn->link.tqe_next)
{
if(verbose) {
printf("processing conn: %s vs %s\n", conn_name, conn->name);
}
if(strcasecmp(conn->name, conn_name)==0) {
if(starter_whack_add_conn(cfg, conn) != 0) {
fprintf(stderr, "failed to load conn: %s\n", conn_name);
}
}
}
}
}
confread_free(cfg);
exit(0);
}
int
main(int argc, char *argv[])
{
int opt = 0;
int all = 0;
int search = 0;
int typeexport = 0;
int checkconfig = 0;
int listroute=0, liststart=0;
struct starter_config *cfg = NULL;
err_t err = NULL;
char *confdir = NULL;
char *configfile = NULL;
char *varprefix = "";
int exit_status = 0;
struct starter_conn *conn = NULL;
char *defaultroute = NULL;
char *defaultnexthop = NULL;
char *ctlbase = NULL;
bool resolvip = FALSE;
#if 0
/* efence settings */
extern int EF_PROTECT_BELOW;
extern int EF_PROTECT_FREE;
EF_PROTECT_BELOW=1;
EF_PROTECT_FREE=1;
#endif
progname = argv[0];
rootdir[0]='\0';
tool_init_log();
while((opt = getopt_long(argc, argv, "", longopts, 0)) != EOF) {
switch(opt) {
case 'h':
/* usage: */
usage();
break;
case 'a':
all=1;
break;
case 'D':
verbose++;
break;
case 'W':
warningsarefatal++;
break;
case 'S':
search++;
break;
case 'T':
typeexport++;
break;
case 'K':
checkconfig++;
break;
case 'C':
configfile = clone_str(optarg, "config file name");
break;
case 'c':
ctlbase = clone_str(optarg, "control base");
break;
case 'A':
all=1;
break;
case 'r':
listroute=1;
break;
case 's':
liststart=1;
break;
case 'P':
varprefix=optarg;
break;
case 'R':
printf("setting rootdir=%s\n", optarg);
strncat(rootdir, optarg, sizeof(rootdir)-1);
break;
case 'd':
defaultroute=optarg;
break;
case 'n':
defaultnexthop=optarg;
break;
default:
usage();
}
}
/* if nothing to add, then complain */
if(optind == argc && !all && !listroute && !liststart && !search && !typeexport && !checkconfig) {
usage();
}
if(verbose > 3) {
extern int yydebug;
yydebug=1;
}
/* find config file */
confdir = getenv(IPSEC_CONFDIR_VAR);
if(confdir == NULL)
{
confdir = IPSEC_CONFDIR;
}
if(!configfile) {
configfile = alloc_bytes(strlen(confdir)+sizeof("/ipsec.conf")+2,"conf file");
/* calculate default value for configfile */
configfile[0]='\0';
strcpy(configfile, confdir);
if(configfile[strlen(configfile)-1]!='/')
{
strcat(configfile, "/");
}
strcat(configfile, "ipsec.conf");
}
if(verbose) {
printf("opening file: %s\n", configfile);
}
starter_use_log (verbose, 1, verbose ? 0 : 1);
err = NULL; /* reset to no error */
resolvip=TRUE; /* default to looking up names */
if(typeexport || checkconfig || listroute || liststart || search) {
/* but not if we have no use for them... might cause delays too! */
resolvip=FALSE;
}
cfg = confread_load(configfile, &err, resolvip, ctlbase,typeexport);
if(cfg == NULL) {
fprintf(stderr, "can not load config '%s': %s\n",
configfile, err);
exit(3);
}
else if(checkconfig) {
confread_free(cfg);
exit(0);
}
if(defaultroute) {
err_t e;
char b[ADDRTOT_BUF];
e = ttoaddr(defaultroute, strlen(defaultroute), AF_INET, &cfg->dr);
if(e) {
printf("ignoring invalid defaultroute: %s\n", e);
defaultroute = NULL;
/* exit(4); */
} else
if(verbose) {
addrtot(&cfg->dr, 0, b, sizeof(b));
printf("default route is: %s\n", b);
}
}
if(defaultnexthop) {
err_t e;
char b[ADDRTOT_BUF];
e = ttoaddr(defaultnexthop, strlen(defaultnexthop), AF_INET, &cfg->dnh);
if(e) {
printf("ignoring invalid defaultnexthop: %s\n", e);
defaultnexthop = NULL;
/* exit(4); */
} else
if(verbose) {
addrtot(&cfg->dnh, 0, b, sizeof(b));
printf("default nexthop is: %s\n", b);
}
}
if(all)
{
if(verbose) {
printf("loading all conns:");
}
/* load all conns marked as auto=add or better */
for(conn = cfg->conns.tqh_first;
conn != NULL;
conn = conn->link.tqe_next)
{
if (conn->desired_state == STARTUP_ADD
|| conn->desired_state == STARTUP_START
|| conn->desired_state == STARTUP_ROUTE) {
if(verbose) printf(" %s", conn->name);
starter_whack_add_conn(cfg, conn);
}
}
if(verbose) printf("\n");
} else if(listroute) {
if(verbose) {
printf("listing all conns marked as auto=start\n");
}
/* list all conns marked as auto=route or start or better */
for(conn = cfg->conns.tqh_first;
conn != NULL;
conn = conn->link.tqe_next)
{
if (conn->desired_state == STARTUP_START
|| conn->desired_state == STARTUP_ROUTE) {
printf("%s ", conn->name);
}
}
printf("\n");
} else if(liststart) {
/* list all conns marked as auto=start */
for(conn = cfg->conns.tqh_first;
conn != NULL;
conn = conn->link.tqe_next)
{
if (conn->desired_state == STARTUP_START) {
printf("%s ", conn->name);
}
}
printf("\n");
} else if(search) {
char *sep="";
if((argc-optind) < 2 ) {
printf("%s_confreadstatus=failed\n", varprefix);
confread_free(cfg);
exit(3);
}
printf("%s_confreadstatus=\n", varprefix);
printf("%s_confreadnames=\"",varprefix);
/* find conn names that have value set */
for(conn = cfg->conns.tqh_first;
conn != NULL;
conn = conn->link.tqe_next)
{
/* we recognize a limited set of values */
if(strcasecmp(argv[optind],"auto")==0 &&
strcasecmp(argv[optind+1],"manual")==0) {
if(conn->manualkey) {
printf("%s%s", sep, conn->name);
sep=" ";
}
}
}
printf("\"\n");
confread_free(cfg);
exit(0);
} else if(typeexport) {
struct keyword_def *kd;
printf("export %sconfreadstatus=''\n", varprefix);
for(kd=ipsec_conf_keywords_v2; kd->keyname != NULL; kd++) {
if((kd->validity & kv_config)==0) continue;
switch(kd->type) {
case kt_string:
case kt_filename:
case kt_dirname:
case kt_loose_enum:
if(cfg->setup.strings[kd->field]) {
printf("export %s%s='%s'\n",
varprefix, kd->keyname,
cfg->setup.strings[kd->field]);
}
break;
case kt_bool:
printf("export %s%s='%s'\n",
varprefix, kd->keyname,
cfg->setup.options[kd->field] ? "yes" : "no");
break;
case kt_list:
printf("export %s%s='",
varprefix, kd->keyname);
confwrite_list(stdout, "", cfg->setup.options[kd->field], kd);
printf("'\n");
break;
case kt_obsolete:
printf("# obsolete option '%s%s' ignored\n", varprefix, kd->keyname);
break;
default:
if(cfg->setup.options[kd->field] || cfg->setup.options_set[kd->field]) {
printf("export %s%s='%d'\n",
varprefix, kd->keyname,
cfg->setup.options[kd->field]);
}
break;
}
}
confread_free(cfg);
exit(0);
} else {
/* load named conns, regardless of their state */
int connum;
if(verbose) {
printf("loading named conns:");
}
for(connum = optind; connum<argc; connum++) {
char *connname = argv[connum];
if(verbose) {
printf(" %s", connname);
}
for(conn = cfg->conns.tqh_first;
conn != NULL;
conn = conn->link.tqe_next)
{
/* yes, let's make it case-insensitive */
if(strcasecmp(conn->name, connname)==0) {
if(conn->state == STATE_ADDED) {
printf("\nconn %s already added\n", conn->name);
} else if(conn->state == STATE_FAILED) {
printf("\nconn %s did not load properly\n", conn->name);
} else {
exit_status = starter_whack_add_conn(cfg, conn);
conn->state = STATE_ADDED;
}
break;
}
}
if(conn == NULL) {
/* only if we don't find it, do we now look for aliases */
for(conn = cfg->conns.tqh_first;
conn != NULL;
conn = conn->link.tqe_next)
{
if(conn->strings_set[KSF_CONNALIAS]
&& osw_alias_cmp(connname
, conn->strings[KSF_CONNALIAS])) {
if(conn->state == STATE_ADDED) {
printf("\nalias: %s conn %s already added\n", connname, conn->name);
} else if(conn->state == STATE_FAILED) {
printf("\nalias: %s conn %s did not load properly\n", connname, conn->name);
} else {
exit_status = starter_whack_add_conn(cfg, conn);
conn->state = STATE_ADDED;
}
break;
}
}
}
if(conn == NULL) {
exit_status++;
if(!verbose) {
printf("conn '%s': not found (tried aliases)\n", connname);
} else {
printf("(notfound)");
}
}
}
if(verbose) printf("\n");
}
confread_free(cfg);
exit(exit_status);
}
struct starter_config *confread_load(const char *file,
err_t *perr,
bool resolvip,
const char *ctlbase,
bool setuponly)
{
bool err = FALSE;
/**
* Load file
*/
struct config_parsed *cfgp = parser_load_conf(file, perr);
if (cfgp == NULL)
return NULL;
struct starter_config *cfg = alloc_thing(struct starter_config, "starter_config cfg");
/**
* Set default values
*/
ipsecconf_default_values(cfg);
if (ctlbase != NULL) {
pfree(cfg->ctlbase);
cfg->ctlbase = clone_str(ctlbase, "control socket");
}
/**
* Load setup
*/
err |= load_setup(cfg, cfgp);
if (err) {
parser_free_conf(cfgp);
confread_free(cfg);
return NULL;
}
#ifdef DNSSEC
struct ub_ctx *dnsctx = unbound_init();
if (dnsctx == NULL)
return NULL;
#endif
if (!setuponly) {
/**
* Find %default
*
*/
struct section_list *sconn;
for (sconn = cfgp->sections.tqh_first; (!err) && sconn != NULL;
sconn = sconn->link.tqe_next) {
if (streq(sconn->name, "%default")) {
starter_log(LOG_LEVEL_DEBUG,
"Loading default conn");
err |= load_conn(
#ifdef DNSSEC
dnsctx,
#endif
&cfg->conn_default,
cfgp, sconn, FALSE,
/*default conn*/ TRUE,
resolvip, perr);
}
}
/**
* Load other conns
*/
for (sconn = cfgp->sections.tqh_first; sconn != NULL;
sconn = sconn->link.tqe_next) {
if (streq(sconn->name, "%default"))
continue;
err |= init_load_conn(
#ifdef DNSSEC
dnsctx,
#endif
cfg, cfgp, sconn,
FALSE,
resolvip, perr);
}
}
parser_free_conf(cfgp);
#ifdef DNSSEC
ub_ctx_delete(dnsctx);
#endif
return cfg;
}
int
main(int argc, char *argv[])
{
int opt = 0;
struct starter_config *cfg = NULL;
err_t err = NULL;
char *confdir = NULL;
char *configfile = NULL;
struct starter_conn *conn = NULL;
progname = argv[0];
rootdir[0]='\0';
tool_init_log();
while((opt = getopt_long(argc, argv, "", longopts, 0)) != EOF) {
switch(opt) {
case 'h':
/* usage: */
usage();
break;
case 'D':
verbose++;
break;
case 'W':
warningsarefatal++;
break;
case 'C':
configfile = clone_str(optarg, "config file name");
break;
case 'R':
printf("#setting rootdir=%s\n", optarg);
strlcat(rootdir, optarg, sizeof(rootdir));
break;
case 'S':
printf("#setting rootdir2=%s\n", optarg);
rootdir2[0]='\0';
strlcat(rootdir2, optarg, sizeof(rootdir2));
break;
}
}
/* find config file */
confdir = getenv(IPSEC_CONFDIR_VAR);
if(confdir == NULL)
{
confdir = IPSEC_CONFDIR;
}
if(!configfile) {
configfile = alloc_bytes(strlen(confdir)+sizeof("/ipsec.conf")+2,"conf file");
/* calculate default value for configfile */
configfile[0]='\0';
strcpy(configfile, confdir);
if(configfile[strlen(configfile)-1]!='/')
{
strcat(configfile, "/");
}
strcat(configfile, "ipsec.conf");
}
if(verbose > 3) {
extern int yydebug;
yydebug=1;
}
if(verbose) {
printf("opening file: %s\n", configfile);
}
starter_use_log (verbose, 1, verbose ? 0 : 1);
cfg = confread_load(configfile, &err, FALSE, NULL,FALSE);
if(!cfg) {
printf("config file: %s can not be loaded: %s\n", configfile, err);
exit(3);
}
/* load all conns marked as auto=add or better */
for(conn = cfg->conns.tqh_first;
conn != NULL;
conn = conn->link.tqe_next)
{
printf("#conn %s loaded\n", conn->name);
}
confwrite(cfg, stdout);
confread_free(cfg);
exit(0);
}
int main (int argc, char **argv)
{
starter_config_t *cfg = NULL;
starter_config_t *new_cfg;
starter_conn_t *conn, *conn2;
starter_ca_t *ca, *ca2;
struct sigaction action;
struct stat stb;
int i;
int id = 1;
struct timespec ts;
unsigned long auto_update = 0;
time_t last_reload;
bool no_fork = FALSE;
bool attach_gdb = FALSE;
bool load_warning = FALSE;
library_init(NULL);
atexit(library_deinit);
libhydra_init("starter");
atexit(libhydra_deinit);
/* parse command line */
for (i = 1; i < argc; i++)
{
if (streq(argv[i], "--debug"))
{
current_loglevel = 2;
}
else if (streq(argv[i], "--debug-more"))
{
current_loglevel = 3;
}
else if (streq(argv[i], "--debug-all"))
{
current_loglevel = 4;
}
else if (streq(argv[i], "--nolog"))
{
current_loglevel = 0;
}
else if (streq(argv[i], "--nofork"))
{
no_fork = TRUE;
}
else if (streq(argv[i], "--attach-gdb"))
{
no_fork = TRUE;
attach_gdb = TRUE;
}
else if (streq(argv[i], "--auto-update") && i+1 < argc)
{
auto_update = atoi(argv[++i]);
if (!auto_update)
usage(argv[0]);
}
else if (streq(argv[i], "--daemon") && i+1 < argc)
{
daemon_name = argv[++i];
}
else
{
usage(argv[0]);
}
}
if (!set_daemon_name())
{
DBG1(DBG_APP, "unable to set daemon name");
exit(LSB_RC_FAILURE);
}
init_log("ipsec_starter");
DBG1(DBG_APP, "Starting %sSwan "VERSION" IPsec [starter]...",
lib->settings->get_bool(lib->settings,
"charon.i_dont_care_about_security_and_use_aggressive_mode_psk",
FALSE) ? "weak" : "strong");
#ifdef LOAD_WARNING
load_warning = TRUE;
#endif
if (lib->settings->get_bool(lib->settings, "starter.load_warning", load_warning))
{
if (lib->settings->get_str(lib->settings, "charon.load", NULL))
{
DBG1(DBG_APP, "!! Your strongswan.conf contains manual plugin load options for charon.");
DBG1(DBG_APP, "!! This is recommended for experts only, see");
DBG1(DBG_APP, "!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad");
}
}
/* verify that we can start */
if (getuid() != 0)
{
DBG1(DBG_APP, "permission denied (must be superuser)");
cleanup();
exit(LSB_RC_NOT_ALLOWED);
}
if (check_pid(pid_file))
{
DBG1(DBG_APP, "%s is already running (%s exists) -- skipping daemon start",
daemon_name, pid_file);
}
else
{
_action_ |= FLAG_ACTION_START_CHARON;
}
if (stat(DEV_RANDOM, &stb) != 0)
{
DBG1(DBG_APP, "unable to start strongSwan IPsec -- no %s!", DEV_RANDOM);
cleanup();
exit(LSB_RC_FAILURE);
}
if (stat(DEV_URANDOM, &stb)!= 0)
{
DBG1(DBG_APP, "unable to start strongSwan IPsec -- no %s!", DEV_URANDOM);
cleanup();
exit(LSB_RC_FAILURE);
}
cfg = confread_load(CONFIG_FILE);
if (cfg == NULL || cfg->err > 0)
{
DBG1(DBG_APP, "unable to start strongSwan -- fatal errors in config");
if (cfg)
{
confread_free(cfg);
}
cleanup();
exit(LSB_RC_INVALID_ARGUMENT);
}
/* determine if we have a native netkey IPsec stack */
if (!starter_netkey_init())
{
DBG1(DBG_APP, "no netkey IPsec stack detected");
if (!starter_klips_init())
{
DBG1(DBG_APP, "no KLIPS IPsec stack detected");
DBG1(DBG_APP, "no known IPsec stack detected, ignoring!");
}
}
last_reload = time_monotonic(NULL);
if (check_pid(starter_pid_file))
{
DBG1(DBG_APP, "starter is already running (%s exists) -- no fork done",
starter_pid_file);
confread_free(cfg);
cleanup();
exit(LSB_RC_SUCCESS);
}
#ifdef GENERATE_SELFCERT
generate_selfcert();
#endif
/* fork if we're not debugging stuff */
if (!no_fork)
{
log_to_stderr = FALSE;
switch (fork())
{
case 0:
{
int fnull;
close_log();
closefrom(3);
fnull = open("/dev/null", O_RDWR);
if (fnull >= 0)
{
dup2(fnull, STDIN_FILENO);
dup2(fnull, STDOUT_FILENO);
dup2(fnull, STDERR_FILENO);
close(fnull);
}
setsid();
init_log("ipsec_starter");
}
break;
case -1:
DBG1(DBG_APP, "can't fork: %s", strerror(errno));
break;
default:
confread_free(cfg);
cleanup();
exit(LSB_RC_SUCCESS);
}
}
/* save pid file in /var/run/starter[.daemon_name].pid */
{
FILE *fd = fopen(starter_pid_file, "w");
if (fd)
{
fprintf(fd, "%u\n", getpid());
fclose(fd);
}
}
/* we handle these signals only in pselect() */
memset(&action, 0, sizeof(action));
sigemptyset(&action.sa_mask);
sigaddset(&action.sa_mask, SIGHUP);
sigaddset(&action.sa_mask, SIGINT);
sigaddset(&action.sa_mask, SIGTERM);
sigaddset(&action.sa_mask, SIGQUIT);
sigaddset(&action.sa_mask, SIGALRM);
sigaddset(&action.sa_mask, SIGUSR1);
pthread_sigmask(SIG_SETMASK, &action.sa_mask, NULL);
/* install a handler for fatal signals */
action.sa_handler = fatal_signal_handler;
sigaction(SIGSEGV, &action, NULL);
sigaction(SIGILL, &action, NULL);
sigaction(SIGBUS, &action, NULL);
action.sa_handler = SIG_IGN;
sigaction(SIGPIPE, &action, NULL);
/* install main signal handler */
action.sa_handler = signal_handler;
sigaction(SIGHUP, &action, NULL);
sigaction(SIGINT, &action, NULL);
sigaction(SIGTERM, &action, NULL);
sigaction(SIGQUIT, &action, NULL);
sigaction(SIGALRM, &action, NULL);
sigaction(SIGUSR1, &action, NULL);
/* this is not blocked above as we want to receive it asynchronously */
sigaction(SIGCHLD, &action, NULL);
/* empty mask for pselect() call below */
sigemptyset(&action.sa_mask);
for (;;)
{
/*
* Stop charon (if started) and exit
*/
if (_action_ & FLAG_ACTION_QUIT)
{
if (starter_charon_pid())
{
starter_stop_charon();
}
starter_netkey_cleanup();
confread_free(cfg);
unlink(starter_pid_file);
cleanup();
DBG1(DBG_APP, "ipsec starter stopped");
close_log();
exit(LSB_RC_SUCCESS);
}
/*
* Delete all connections. Will be added below
*/
if (_action_ & FLAG_ACTION_RELOAD)
{
if (starter_charon_pid())
{
for (conn = cfg->conn_first; conn; conn = conn->next)
{
if (conn->state == STATE_ADDED)
{
if (starter_charon_pid())
{
if (conn->startup == STARTUP_ROUTE)
{
starter_stroke_unroute_conn(conn);
}
starter_stroke_del_conn(conn);
}
conn->state = STATE_TO_ADD;
}
}
for (ca = cfg->ca_first; ca; ca = ca->next)
{
if (ca->state == STATE_ADDED)
{
if (starter_charon_pid())
{
starter_stroke_del_ca(ca);
}
ca->state = STATE_TO_ADD;
}
}
}
_action_ &= ~FLAG_ACTION_RELOAD;
}
/*
* Update configuration
*/
if (_action_ & FLAG_ACTION_UPDATE)
{
DBG2(DBG_APP, "Reloading config...");
new_cfg = confread_load(CONFIG_FILE);
if (new_cfg && (new_cfg->err == 0))
{
/* Switch to new config. New conn will be loaded below */
/* Look for new connections that are already loaded */
for (conn = cfg->conn_first; conn; conn = conn->next)
{
if (conn->state == STATE_ADDED)
{
for (conn2 = new_cfg->conn_first; conn2; conn2 = conn2->next)
{
if (conn2->state == STATE_TO_ADD && starter_cmp_conn(conn, conn2))
{
conn->state = STATE_REPLACED;
conn2->state = STATE_ADDED;
conn2->id = conn->id;
break;
}
}
}
}
/* Remove conn sections that have become unused */
for (conn = cfg->conn_first; conn; conn = conn->next)
{
if (conn->state == STATE_ADDED)
{
if (starter_charon_pid())
{
if (conn->startup == STARTUP_ROUTE)
{
starter_stroke_unroute_conn(conn);
}
starter_stroke_del_conn(conn);
}
}
}
/* Look for new ca sections that are already loaded */
for (ca = cfg->ca_first; ca; ca = ca->next)
{
if (ca->state == STATE_ADDED)
{
for (ca2 = new_cfg->ca_first; ca2; ca2 = ca2->next)
{
if (ca2->state == STATE_TO_ADD && starter_cmp_ca(ca, ca2))
{
ca->state = STATE_REPLACED;
ca2->state = STATE_ADDED;
break;
}
}
}
}
/* Remove ca sections that have become unused */
for (ca = cfg->ca_first; ca; ca = ca->next)
{
if (ca->state == STATE_ADDED)
{
if (starter_charon_pid())
{
starter_stroke_del_ca(ca);
}
}
}
confread_free(cfg);
cfg = new_cfg;
}
else
{
DBG1(DBG_APP, "can't reload config file due to errors -- keeping old one");
if (new_cfg)
{
confread_free(new_cfg);
}
}
_action_ &= ~FLAG_ACTION_UPDATE;
last_reload = time_monotonic(NULL);
}
/*
* Start daemon
*/
if (_action_ & FLAG_ACTION_START_CHARON)
{
if (cfg->setup.charonstart && !starter_charon_pid())
{
DBG2(DBG_APP, "Attempting to start %s...", daemon_name);
if (starter_start_charon(cfg, no_fork, attach_gdb))
{
/* schedule next try */
alarm(CHARON_RESTART_DELAY);
}
starter_stroke_configure(cfg);
}
_action_ &= ~FLAG_ACTION_START_CHARON;
for (ca = cfg->ca_first; ca; ca = ca->next)
{
if (ca->state == STATE_ADDED)
{
ca->state = STATE_TO_ADD;
}
}
for (conn = cfg->conn_first; conn; conn = conn->next)
{
if (conn->state == STATE_ADDED)
{
conn->state = STATE_TO_ADD;
}
}
}
/*
* Add stale conn and ca sections
*/
if (starter_charon_pid())
{
for (ca = cfg->ca_first; ca; ca = ca->next)
{
if (ca->state == STATE_TO_ADD)
{
if (starter_charon_pid())
{
starter_stroke_add_ca(ca);
}
ca->state = STATE_ADDED;
}
}
for (conn = cfg->conn_first; conn; conn = conn->next)
{
if (conn->state == STATE_TO_ADD)
{
if (conn->id == 0)
{
/* affect new unique id */
conn->id = id++;
}
if (starter_charon_pid())
{
starter_stroke_add_conn(cfg, conn);
}
conn->state = STATE_ADDED;
if (conn->startup == STARTUP_START)
{
if (starter_charon_pid())
{
starter_stroke_initiate_conn(conn);
}
}
else if (conn->startup == STARTUP_ROUTE)
{
if (starter_charon_pid())
{
starter_stroke_route_conn(conn);
}
}
}
}
}
/*
* If auto_update activated, when to stop select
*/
if (auto_update)
{
time_t now = time_monotonic(NULL);
ts.tv_sec = (now < last_reload + auto_update) ?
(last_reload + auto_update - now) : 0;
ts.tv_nsec = 0;
}
/*
* Wait for something to happen
*/
if (!_action_ &&
pselect(0, NULL, NULL, NULL, auto_update ? &ts : NULL,
&action.sa_mask) == 0)
{
/* timeout -> auto_update */
_action_ |= FLAG_ACTION_UPDATE;
}
}
exit(LSB_RC_SUCCESS);
}
