err_t ipsec_policy_cgilookup(struct ipsec_policy_cmd_query *result)
{
err_t ret;
char *us, *them;
/* clear it all out */
memset(result, 0, sizeof(*result));
/* setup it up */
result->head.ipm_version = IPSEC_POLICY_MSG_REVISION;
result->head.ipm_msg_len = sizeof(*result);
result->head.ipm_msg_type = IPSEC_CMD_QUERY_HOSTPAIR;
result->head.ipm_msg_seq = ipsec_policy_seq();
us = getenv("SERVER_ADDR");
them = getenv("REMOTE_ADDR");
if(!us || !them) {
return "$SERVER_ADDR and $REMOTE_ADDR must be set";
}
ret = ttoaddr(us, 0, AF_INET, &result->query_local);
if(ret != NULL) {
return ret;
}
ret = ttoaddr(them, 0, AF_INET, &result->query_remote);
if(ret != NULL) {
return ret;
}
return ipsec_policy_sendrecv((unsigned char *)result, sizeof(*result));
}
int
main(int argc, char *argv[])
{
ip_address high;
ip_address low;
char bh[100],bl[100];
const char *oops;
int n;
int af;
int i;
if (argc == 2 && strcmp(argv[1], "-r") == 0) {
regress();
fprintf(stderr, "regress() returned?!?\n");
exit(1);
}
if (argc < 3) {
fprintf(stderr, "Usage: %s [-6] high low\n", argv[0]);
fprintf(stderr, " or: %s -r\n", argv[0]);
exit(2);
}
af = AF_INET;
i = 1;
if (strcmp(argv[i], "-6") == 0) {
af = AF_INET6;
i++;
}
oops = ttoaddr(argv[i], 0, af, &high);
if (oops != NULL) {
fprintf(stderr, "%s: high conversion failed: %s\n", argv[0], oops);
exit(1);
}
oops = ttoaddr(argv[i+1], 0, af, &low);
if (oops != NULL) {
fprintf(stderr, "%s: low conversion failed: %s\n", argv[0], oops);
exit(1);
}
n = ikev2_calc_iprangediff(high, low);
addrtot(&high, 0, bh, sizeof(bh));
addrtot(&low, 0, bl, sizeof(bl));
printf("iprange between %s and %s => %d\n", bh, bl, n);
exit(0);
}
int main(int argc, char *argv[])
{
int opt = 0;
struct starter_config *cfg = NULL;
err_t err = NULL;
char *confdir = NULL;
char *configfile = NULL;
struct starter_conn *conn = NULL;
progname = argv[0];
tool_init_log();
starter_use_log(verbose, 1, verbose ? 0 : 1);
cfg = (struct starter_config *)malloc(sizeof(struct starter_config));
if (!cfg) {
fprintf(stderr, "can't allocate mem in %s\n", progname);
exit(10);
}
memset(cfg, 0, sizeof(*cfg));
/**
* Set default values
*/
ipsecconf_default_values(cfg);
conn = alloc_add_conn(cfg, "mytestconn", &err);
conn->connalias = xstrdup("anotheralias");
conn->options[KBF_DPDDELAY] = 60;
conn->options_set[KBF_DPDDELAY] = 1;
conn->policy = POLICY_ENCRYPT | POLICY_PFS | POLICY_COMPRESS;
conn->left.rsakey1 = "0sabcdabcdabcd";
conn->left.rsakey2 = "0s23489234ba28934243";
conn->left.cert = "/my/cert/file";
ttoaddr("192.168.2.102", 0, AF_INET, &conn->left.sourceip);
ttoaddr("192.168.1.101", 0, AF_INET, &conn->left.addr);
conn->left.addr_family = AF_INET;
conn->left.addrtype = KH_IPADDR;
conn->right.addrtype = KH_DEFAULTROUTE;
confwrite(cfg, stdout);
exit(0);
}
int main(int argc, char *argv[])
{
rpl_debug *deb = new rpl_debug(true, stdout);
deb->want_time_log = false;
struct network_interface_init nii;
nii.debug = deb;
nii.setup = false;
dag_network *dag = new dag_network("ripple", deb);
dag->set_active();
dag->set_interval(5000);
dag->set_interface_wildcard("acp*");
dag->set_interface_filter("fd01::/16");
dag->set_ignore_pio(true);
/* add interface: acp0 with IPv6: fd01:0203:0405:0607::1111/128 */
unsigned char hwaddr1[6];
hwaddr1[0]=0x00; hwaddr1[1]=0x11;
hwaddr1[2]=0x22; hwaddr1[3]=0x33;
hwaddr1[4]=0x44; hwaddr1[5]=0x45;
pcap_network_interface::fake_linkinfo("acp0", 10, &nii, hwaddr1, ARPHRD_ETHER, IFF_BROADCAST);
ip_address a1;
ttoaddr("fd01:0203:0405:0607::1111", 0, AF_INET6, &a1);
pcap_network_interface::fake_addrinfo(10, RT_SCOPE_UNIVERSE, &nii, a1.u.v6.sin6_addr.s6_addr);
/* no other work here: no processing: no packets should be emitted */
network_interface::terminating();
while(network_interface::force_next_event());
exit(0);
}
void
regress()
{
struct rtab *r;
int status = 0;
ip_address high;
ip_address low;
const char *oops;
int n;
int af;
for (r = rtab; r->high != NULL; r++) {
af = (r->family == 4) ? AF_INET : AF_INET6;
oops = ttoaddr(r->high, 0, af, &high);
if (oops != NULL) {
printf("surprise failure converting `%s'\n", r->high);
exit(1);
}
oops = ttoaddr(r->low, 0, af, &low);
if (oops != NULL) {
printf("surprise failure converting `%s'\n", r->low);
exit(1);
}
n = ikev2_calc_iprangediff(high, low);
if (n != -1 && r->range == -1)
{} /* okay, error expected */
else if (n == -1) {
printf("`%s'-`%s' iprangediff failed.\n",
r->high, r->low);
status = 1;
} else if (r->range == -1) {
printf("`%s'-`%s' iprangediff succeeded unexpectedly\n",
r->high, r->low);
status = 1;
} else if (r->range != n) {
printf("`%s'-`%s' gave `%d', expected `%d'\n",
r->high, r->low, n, r->range);
status = 1;
}
}
exit(status);
}
int
main(int argc, char **argv)
{
int lockfd;
int nhelpers = -1;
char *coredir;
const struct lsw_conf_options *oco;
/*
* We read the intentions for how to log from command line options
* and the config file. Then we prepare to be able to log, but until
* then log to stderr (better then nothing). Once we are ready to
* actually do loggin according to the methods desired, we set the
* variables for those methods
*/
bool log_to_stderr_desired = FALSE;
bool log_to_file_desired = FALSE;
coredir = NULL;
/* set up initial defaults that need a cast */
pluto_shared_secrets_file =
DISCARD_CONST(char *, SHARED_SECRETS_FILE);
#ifdef NAT_TRAVERSAL
/** Overridden by nat_traversal= in ipsec.conf */
bool nat_traversal = FALSE;
bool nat_t_spf = TRUE; /* support port floating */
unsigned int keep_alive = 0;
bool force_keepalive = FALSE;
#endif
/** Overridden by virtual_private= in ipsec.conf */
char *virtual_private = NULL;
#ifdef LEAK_DETECTIVE
leak_detective=1;
#else
leak_detective=0;
#endif
#ifdef HAVE_LIBCAP_NG
/* Drop capabilities */
capng_clear(CAPNG_SELECT_BOTH);
capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
CAP_NET_BIND_SERVICE, CAP_NET_ADMIN, CAP_NET_RAW,
CAP_IPC_LOCK, CAP_AUDIT_WRITE,
-1);
/* our children must be able to CAP_NET_ADMIN to change routes.
*/
capng_updatev(CAPNG_ADD, CAPNG_BOUNDING_SET,
CAP_NET_ADMIN, -1);
capng_apply(CAPNG_SELECT_BOTH);
#endif
#ifdef DEBUG
libreswan_passert_fail = passert_fail;
#endif
if(getenv("PLUTO_WAIT_FOR_GDB")) {
sleep(120);
}
/* handle arguments */
for (;;)
{
# define DBG_OFFSET 256
static const struct option long_opts[] = {
/* name, has_arg, flag, val */
{ "help", no_argument, NULL, 'h' },
{ "version", no_argument, NULL, 'v' },
{ "config", required_argument, NULL, 'z' },
{ "nofork", no_argument, NULL, 'd' },
{ "stderrlog", no_argument, NULL, 'e' },
{ "logfile", required_argument, NULL, 'g' },
{ "plutostderrlogtime", no_argument, NULL, 't' },
{ "noklips", no_argument, NULL, 'n' },
{ "use-nostack", no_argument, NULL, 'n' },
{ "use-none", no_argument, NULL, 'n' },
{ "force_busy", no_argument, NULL, 'D' },
{ "strictcrlpolicy", no_argument, NULL, 'r' },
{ "crlcheckinterval", required_argument, NULL, 'x'},
{ "uniqueids", no_argument, NULL, 'u' },
{ "useklips", no_argument, NULL, 'k' },
{ "use-klips", no_argument, NULL, 'k' },
{ "use-auto", no_argument, NULL, 'G' },
{ "usenetkey", no_argument, NULL, 'K' },
{ "use-netkey", no_argument, NULL, 'K' },
{ "use-mast", no_argument, NULL, 'M' },
{ "use-mastklips", no_argument, NULL, 'M' },
{ "use-bsdkame", no_argument, NULL, 'F' },
{ "interface", required_argument, NULL, 'i' },
{ "listen", required_argument, NULL, 'L' },
{ "ikeport", required_argument, NULL, 'p' },
{ "natikeport", required_argument, NULL, 'q' },
{ "ctlbase", required_argument, NULL, 'b' },
{ "secretsfile", required_argument, NULL, 's' },
{ "perpeerlogbase", required_argument, NULL, 'P' },
{ "perpeerlog", no_argument, NULL, 'l' },
{ "noretransmits", no_argument, NULL, 'R' },
{ "coredir", required_argument, NULL, 'C' },
{ "ipsecdir", required_argument, NULL, 'f' },
{ "ipsec_dir", required_argument, NULL, 'f' },
{ "foodgroupsdir", required_argument, NULL, 'f' },
{ "adns", required_argument, NULL, 'a' },
#ifdef NAT_TRAVERSAL
{ "nat_traversal", no_argument, NULL, '1' },
{ "keep_alive", required_argument, NULL, '2' },
{ "force_keepalive", no_argument, NULL, '3' },
{ "disable_port_floating", no_argument, NULL, '4' },
{ "debug-nat_t", no_argument, NULL, '5' },
{ "debug-nattraversal", no_argument, NULL, '5' },
{ "debug-nat-t", no_argument, NULL, '5' },
#endif
{ "virtual_private", required_argument, NULL, '6' },
{ "nhelpers", required_argument, NULL, 'j' },
#ifdef HAVE_LABELED_IPSEC
{ "secctx_attr_value", required_argument, NULL, 'w' },
#endif
#ifdef DEBUG
{ "debug-none", no_argument, NULL, 'N' },
{ "debug-all", no_argument, NULL, 'A' },
{ "debug-raw", no_argument, NULL, DBG_RAW + DBG_OFFSET },
{ "debug-crypt", no_argument, NULL, DBG_CRYPT + DBG_OFFSET },
{ "debug-crypto", no_argument, NULL, DBG_CRYPT + DBG_OFFSET },
{ "debug-parsing", no_argument, NULL, DBG_PARSING + DBG_OFFSET },
{ "debug-emitting", no_argument, NULL, DBG_EMITTING + DBG_OFFSET },
{ "debug-control", no_argument, NULL, DBG_CONTROL + DBG_OFFSET },
{ "debug-lifecycle", no_argument, NULL, DBG_LIFECYCLE + DBG_OFFSET },
{ "debug-klips", no_argument, NULL, DBG_KLIPS + DBG_OFFSET },
{ "debug-netkey", no_argument, NULL, DBG_NETKEY + DBG_OFFSET },
{ "debug-dns", no_argument, NULL, DBG_DNS + DBG_OFFSET },
{ "debug-oppo", no_argument, NULL, DBG_OPPO + DBG_OFFSET },
{ "debug-oppoinfo", no_argument, NULL, DBG_OPPOINFO + DBG_OFFSET },
{ "debug-controlmore", no_argument, NULL, DBG_CONTROLMORE + DBG_OFFSET },
{ "debug-dpd", no_argument, NULL, DBG_DPD + DBG_OFFSET },
{ "debug-x509", no_argument, NULL, DBG_X509 + DBG_OFFSET },
{ "debug-private", no_argument, NULL, DBG_PRIVATE + DBG_OFFSET },
{ "debug-pfkey", no_argument, NULL, DBG_PFKEY + DBG_OFFSET },
{ "impair-delay-adns-key-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_KEY_ANSWER + DBG_OFFSET },
{ "impair-delay-adns-txt-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_TXT_ANSWER + DBG_OFFSET },
{ "impair-bust-mi2", no_argument, NULL, IMPAIR_BUST_MI2 + DBG_OFFSET },
{ "impair-bust-mr2", no_argument, NULL, IMPAIR_BUST_MR2 + DBG_OFFSET },
{ "impair-sa-creation", no_argument, NULL, IMPAIR_SA_CREATION + DBG_OFFSET },
{ "impair-die-oninfo", no_argument, NULL, IMPAIR_DIE_ONINFO + DBG_OFFSET },
{ "impair-jacob-two-two", no_argument, NULL, IMPAIR_JACOB_TWO_TWO + DBG_OFFSET },
{ "impair-major-version-bump", no_argument, NULL, IMPAIR_MAJOR_VERSION_BUMP + DBG_OFFSET },
{ "impair-minor-version-bump", no_argument, NULL, IMPAIR_MINOR_VERSION_BUMP + DBG_OFFSET },
{ "impair-retransmits", no_argument, NULL, IMPAIR_RETRANSMITS + DBG_OFFSET },
{ "impair-send-bogus-isakmp-flag", no_argument, NULL, IMPAIR_SEND_BOGUS_ISAKMP_FLAG + DBG_OFFSET },
#endif
{ 0,0,0,0 }
};
/* Note: we don't like the way short options get parsed
* by getopt_long, so we simply pass an empty string as
* the list. It could be "hvdenp:l:s:" "NARXPECK".
*/
int c = getopt_long(argc, argv, "", long_opts, NULL);
/** Note: "breaking" from case terminates loop */
switch (c)
{
case EOF: /* end of flags */
break;
case 0: /* long option already handled */
continue;
case ':': /* diagnostic already printed by getopt_long */
case '?': /* diagnostic already printed by getopt_long */
usage("");
break; /* not actually reached */
case 'h': /* --help */
usage(NULL);
break; /* not actually reached */
case 'C':
coredir = clone_str(optarg, "coredir");
continue;
case 'v': /* --version */
{
printf("%s%s\n", ipsec_version_string(),
compile_time_interop_options);
}
exit(0); /* not exit_pluto because we are not initialized yet */
break; /* not actually reached */
case 'j': /* --nhelpers */
if (optarg == NULL || !isdigit(optarg[0]))
usage("missing number of pluto helpers");
{
char *endptr;
long count = strtol(optarg, &endptr, 0);
if (*endptr != '\0' || endptr == optarg
|| count < -1)
usage("<nhelpers> must be a positive number, 0 or -1");
nhelpers = count;
}
continue;
#ifdef HAVE_LABELED_IPSEC
case 'w': /* --secctx_attr_value*/
if (optarg == NULL || !isdigit(optarg[0]))
usage("missing (positive integer) value of secctx_attr_value (needed only if using labeled ipsec)");
{
char *endptr;
long value = strtol(optarg, &endptr, 0);
if (*endptr != '\0' || endptr == optarg
|| (value != SECCTX && value !=10) )
usage("<secctx_attr_value> must be a positive number (32001 by default, 10 for backward compatibility, or any other future number assigned by IANA)");
secctx_attr_value = (u_int16_t)value;
}
continue;
#endif
case 'd': /* --nofork*/
fork_desired = FALSE;
continue;
case 'e': /* --stderrlog */
log_to_stderr_desired = TRUE;
continue;
case 'g': /* --logfile */
pluto_log_file = optarg;
log_to_file_desired = TRUE;
continue;
case 't': /* --plutostderrlogtime */
log_with_timestamp = TRUE;
continue;
case 'G': /* --use-auto */
libreswan_log("The option --use-auto is obsoleted, falling back to --use-netkey\n");
kern_interface = USE_NETKEY;
continue;
case 'k': /* --use-klips */
kern_interface = USE_KLIPS;
continue;
case 'L': /* --listen ip_addr */
{
ip_address lip;
err_t e = ttoaddr(optarg,0,0,&lip);
if(e) {
libreswan_log("invalid listen argument ignored: %s\n",e);
} else {
pluto_listen = clone_str(optarg, "pluto_listen");
libreswan_log("bind() will be filtered for %s\n",pluto_listen);
}
}
continue;
case 'M': /* --use-mast */
kern_interface = USE_MASTKLIPS;
continue;
case 'F': /* --use-bsdkame */
kern_interface = USE_BSDKAME;
continue;
case 'K': /* --use-netkey */
kern_interface = USE_NETKEY;
continue;
case 'n': /* --use-nostack */
kern_interface = NO_KERNEL;
continue;
case 'D': /* --force_busy */
force_busy = TRUE;
continue
;
case 'r': /* --strictcrlpolicy */
strict_crl_policy = TRUE;
continue
;
case 'R':
no_retransmits = TRUE;
continue;
case 'x': /* --crlcheckinterval <time>*/
if (optarg == NULL || !isdigit(optarg[0]))
usage("missing interval time");
{
char *endptr;
long interval = strtol(optarg, &endptr, 0);
if (*endptr != '\0' || endptr == optarg
|| interval <= 0)
usage("<interval-time> must be a positive number");
crl_check_interval = interval;
}
continue
;
case 'u': /* --uniqueids */
uniqueIDs = TRUE;
continue;
case 'i': /* --interface <ifname|ifaddr> */
if (!use_interface(optarg))
usage("too many --interface specifications");
continue;
/*
* This option does not really work, as this is the "left"
* site only, you also need --to --ikeport again later on
* It will result in: yourport -> 500, still not bypassing filters
*/
case 'p': /* --ikeport <portnumber> */
if (optarg == NULL || !isdigit(optarg[0]))
usage("missing port number");
{
char *endptr;
long port = strtol(optarg, &endptr, 0);
if (*endptr != '\0' || endptr == optarg
|| port <= 0 || port > 0x10000)
usage("<port-number> must be a number between 1 and 65535");
pluto_port = port;
}
continue;
#ifdef NAT_TRAVERSAL
case 'q': /* --natikeport <portnumber> */
if (optarg == NULL || !isdigit(optarg[0]))
usage("missing port number");
{
char *endptr;
long port = strtol(optarg, &endptr, 0);
if (*endptr != '\0' || endptr == optarg
|| port <= 0 || port > 0x10000)
usage("<port-number> must be a number between 1 and 65535");
pluto_natt_float_port = port;
}
continue;
#endif
case 'b': /* --ctlbase <path> */
ctlbase = optarg;
if (snprintf(ctl_addr.sun_path, sizeof(ctl_addr.sun_path)
, "%s%s", ctlbase, CTL_SUFFIX) == -1)
usage("<path>" CTL_SUFFIX " too long for sun_path");
if (snprintf(info_addr.sun_path, sizeof(info_addr.sun_path)
, "%s%s", ctlbase, INFO_SUFFIX) == -1)
usage("<path>" INFO_SUFFIX " too long for sun_path");
if (snprintf(pluto_lock, sizeof(pluto_lock)
, "%s%s", ctlbase, LOCK_SUFFIX) == -1)
usage("<path>" LOCK_SUFFIX " must fit");
continue;
case 's': /* --secretsfile <secrets-file> */
pluto_shared_secrets_file = optarg;
continue;
case 'f': /* --ipsecdir <ipsec-dir> */
(void)lsw_init_ipsecdir(optarg);
continue;
case 'a': /* --adns <pathname> */
pluto_adns_option = optarg;
continue;
#ifdef DEBUG
case 'N': /* --debug-none */
base_debugging = DBG_NONE;
continue;
case 'A': /* --debug-all */
base_debugging = DBG_ALL;
continue;
#endif
case 'P': /* --perpeerlogbase */
base_perpeer_logdir = optarg;
continue;
case 'l':
log_to_perpeer = TRUE;
continue;
#ifdef NAT_TRAVERSAL
case '1': /* --nat_traversal */
nat_traversal = TRUE;
continue;
case '2': /* --keep_alive */
keep_alive = atoi(optarg);
continue;
case '3': /* --force_keepalive */
force_keepalive = TRUE;
continue;
case '4': /* --disable_port_floating */
nat_t_spf = FALSE;
continue;
#ifdef DEBUG
case '5': /* --debug-nat_t */
base_debugging |= DBG_NATT;
continue;
#endif
#endif
case '6': /* --virtual_private */
virtual_private = optarg;
continue;
case 'z': /* --config */
;
/* Config struct to variables mapper. This will overwrite */
/* all previously set options. Keep this in the same order than */
/* long_opts[] is. */
struct starter_config *cfg = read_cfg_file(optarg);
set_cfg_string(&pluto_log_file, cfg->setup.strings[KSF_PLUTOSTDERRLOG]);
fork_desired = cfg->setup.options[KBF_PLUTOFORK]; /* plutofork= */
log_with_timestamp =
cfg->setup.options[KBF_PLUTOSTDERRLOGTIME];
force_busy = cfg->setup.options[KBF_FORCEBUSY];
strict_crl_policy = cfg->setup.options[KBF_STRICTCRLPOLICY];
crl_check_interval = cfg->setup.options[KBF_CRLCHECKINTERVAL];
uniqueIDs = cfg->setup.options[KBF_UNIQUEIDS];
/*
* We don't check interfaces= here because that part has been dealt
* with in _stackmanager before we started
*/
set_cfg_string(&pluto_listen, cfg->setup.strings[KSF_LISTEN]);
pluto_port = cfg->setup.options[KBF_IKEPORT]; /* --ikeport */
/* no config option: ctlbase */
set_cfg_string(&pluto_shared_secrets_file, cfg->setup.strings[KSF_SECRETSFILE]); /* --secrets */
if(cfg->setup.strings[KSF_IPSECDIR] != NULL &&
*cfg->setup.strings[KSF_IPSECDIR] != 0) {
lsw_init_ipsecdir(cfg->setup.strings[KSF_IPSECDIR]); /* --ipsecdir */
}
set_cfg_string(&base_perpeer_logdir, cfg->setup.strings[KSF_PERPEERDIR]); /* --perpeerlogbase */
log_to_perpeer = cfg->setup.options[KBF_PERPEERLOG]; /* --perpeerlog */
no_retransmits = !cfg->setup.options[KBF_RETRANSMITS]; /* --noretransmits */
set_cfg_string(&coredir, cfg->setup.strings[KSF_DUMPDIR]); /* --dumpdir */
/* no config option: pluto_adns_option */
#ifdef NAT_TRAVERSAL
pluto_natt_float_port = cfg->setup.options[KBF_NATIKEPORT];
nat_traversal = cfg->setup.options[KBF_NATTRAVERSAL];
keep_alive = cfg->setup.options[KBF_KEEPALIVE];
force_keepalive = cfg->setup.options[KBF_FORCE_KEEPALIVE];
nat_t_spf = !cfg->setup.options[KBF_DISABLEPORTFLOATING];
#endif
set_cfg_string(&virtual_private,
cfg->setup.strings[KSF_VIRTUALPRIVATE]);
nhelpers = cfg->setup.options[KBF_NHELPERS];
#ifdef HAVE_LABELED_IPSEC
secctx_attr_value = cfg->setup.options[KBF_SECCTX];
#endif
#ifdef DEBUG
base_debugging = cfg->setup.options[KBF_PLUTODEBUG];
#endif
char *protostack = cfg->setup.strings[KSF_PROTOSTACK];
if (protostack == NULL || *protostack == 0)
kern_interface = USE_NETKEY;
else if (strcmp(protostack, "none") == 0)
kern_interface = NO_KERNEL;
else if (strcmp(protostack, "auto") == 0)
{
libreswan_log("The option protostack=auto is obsoleted, falling back to protostack=netkey\n");
kern_interface = USE_NETKEY;
}
else if (strcmp(protostack, "klips") == 0)
kern_interface = USE_KLIPS;
else if (strcmp(protostack, "mast") == 0)
kern_interface = USE_MASTKLIPS;
else if (strcmp(protostack, "netkey") == 0 ||
strcmp(protostack, "native") == 0)
kern_interface = USE_NETKEY;
else if (strcmp(protostack, "bsd") == 0 ||
strcmp(protostack, "kame") == 0 ||
strcmp(protostack, "bsdkame") == 0)
kern_interface = USE_BSDKAME;
else if (strcmp(protostack, "win2k") == 0)
kern_interface = USE_WIN2K;
confread_free(cfg);
continue;
default:
#ifdef DEBUG
if (c >= DBG_OFFSET)
{
base_debugging |= c - DBG_OFFSET;
continue;
}
# undef DBG_OFFSET
#endif
bad_case(c);
}
break;
}
if (optind != argc)
usage("unexpected argument");
reset_debugging();
#ifdef HAVE_NO_FORK
fork_desired = FALSE;
nhelpers = 0;
#endif
/* default coredir to location compatible with SElinux */
if(!coredir) {
coredir = clone_str("/var/run/pluto", "coredir");
}
if(chdir(coredir) == -1) {
int e = errno;
libreswan_log("pluto: chdir() do dumpdir failed (%d: %s)\n",
e, strerror(e));
}
oco = lsw_init_options();
lockfd = create_lock();
/* select between logging methods */
if (log_to_stderr_desired || log_to_file_desired) {
log_to_syslog = FALSE;
}
if (!log_to_stderr_desired)
log_to_stderr = FALSE;
#ifdef DEBUG
#if 0
if(kernel_ops->set_debug) {
(*kernel_ops->set_debug)(cur_debugging, DBG_log, DBG_log);
}
#endif
#endif
/** create control socket.
* We must create it before the parent process returns so that
* there will be no race condition in using it. The easiest
* place to do this is before the daemon fork.
*/
{
err_t ugh = init_ctl_socket();
if (ugh != NULL)
{
fprintf(stderr, "pluto: %s", ugh);
exit_pluto(1);
}
}
/* If not suppressed, do daemon fork */
if (fork_desired)
{
{
pid_t pid = fork();
if (pid < 0)
{
int e = errno;
fprintf(stderr, "pluto: fork failed (%d %s)\n",
errno, strerror(e));
exit_pluto(1);
}
if (pid != 0)
{
/* parent: die, after filling PID into lock file.
* must not use exit_pluto: lock would be removed!
*/
exit(fill_lock(lockfd, pid)? 0 : 1);
}
}
if (setsid() < 0)
{
int e = errno;
fprintf(stderr, "setsid() failed in main(). Errno %d: %s\n",
errno, strerror(e));
exit_pluto(1);
}
}
else
{
/* no daemon fork: we have to fill in lock file */
(void) fill_lock(lockfd, getpid());
if (isatty(fileno(stdout)))
{
fprintf(stdout, "Pluto initialized\n");
fflush(stdout);
}
}
/** Close everything but ctl_fd and (if needed) stderr.
* There is some danger that a library that we don't know
* about is using some fd that we don't know about.
* I guess we'll soon find out.
*/
{
int i;
for (i = getdtablesize() - 1; i >= 0; i--) /* Bad hack */
if ((!log_to_stderr || i != 2)
&& i != ctl_fd)
close(i);
/* make sure that stdin, stdout, stderr are reserved */
if (open("/dev/null", O_RDONLY) != 0)
lsw_abort();
if (dup2(0, 1) != 1)
lsw_abort();
if (!log_to_stderr && dup2(0, 2) != 2)
lsw_abort();
}
init_constants();
pluto_init_log();
pluto_init_nss(oco->confddir);
#ifdef FIPS_CHECK
const char *package_files[]= { IPSECLIBDIR"/setup",
IPSECLIBDIR"/addconn",
IPSECLIBDIR"/auto",
IPSECLIBDIR"/barf",
IPSECLIBDIR"/eroute",
IPSECLIBDIR"/ikeping",
IPSECLIBDIR"/readwriteconf",
IPSECLIBDIR"/_keycensor",
IPSECLIBDIR"/klipsdebug",
IPSECLIBDIR"/look",
IPSECLIBDIR"/newhostkey",
IPSECLIBDIR"/pf_key",
IPSECLIBDIR"/_pluto_adns",
IPSECLIBDIR"/_plutorun",
IPSECLIBDIR"/ranbits",
IPSECLIBDIR"/_realsetup",
IPSECLIBDIR"/rsasigkey",
IPSECLIBDIR"/pluto",
IPSECLIBDIR"/_secretcensor",
IPSECLIBDIR"/secrets",
IPSECLIBDIR"/showhostkey",
IPSECLIBDIR"/spi",
IPSECLIBDIR"/spigrp",
IPSECLIBDIR"/_stackmanager",
IPSECLIBDIR"/tncfg",
IPSECLIBDIR"/_updown",
IPSECLIBDIR"/_updown.klips",
IPSECLIBDIR"/_updown.mast",
IPSECLIBDIR"/_updown.netkey",
IPSECLIBDIR"/verify",
IPSECLIBDIR"/whack",
IPSECSBINDIR"/ipsec",
NULL
};
if (Pluto_IsFIPS() && !FIPSCHECK_verify_files(package_files)) {
loglog(RC_LOG_SERIOUS, "FATAL: FIPS integrity verification test failed");
exit_pluto(10);
}
#else
libreswan_log("FIPS integrity support [disabled]");
#endif
#ifdef HAVE_LIBCAP_NG
libreswan_log("libcap-ng support [enabled]");
#else
libreswan_log("libcap-ng support [disabled]");
#endif
#ifdef USE_LINUX_AUDIT
libreswan_log("Linux audit support [enabled]");
/* test and log if audit is enabled on the system */
int audit_fd, rc;
audit_fd = audit_open();
if (audit_fd < 0) {
if (errno == EINVAL || errno == EPROTONOSUPPORT ||
errno == EAFNOSUPPORT)
{
loglog(RC_LOG_SERIOUS, "Warning: kernel has no audit support");
} else {
loglog(RC_LOG_SERIOUS, "FATAL (SOON): audit_open() failed : %s", strerror(errno));
/* temp disabled exit_pluto(10); */
}
}
rc = audit_log_acct_message(audit_fd, AUDIT_USER_START, NULL,
"starting pluto daemon", NULL, -1, NULL, NULL, NULL, 1);
close(audit_fd);
if (rc < 0) {
loglog(RC_LOG_SERIOUS, "FATAL: audit_log_acct_message failed: %s", strerror(errno));
exit_pluto(10);
}
#else
libreswan_log("Linux audit support [disabled]");
#endif
/* Note: some scripts may look for this exact message -- don't change
* ipsec barf was one, but it no longer does.
*/
{
const char *vc = ipsec_version_code();
#ifdef PLUTO_SENDS_VENDORID
const char *v = init_pluto_vendorid();
libreswan_log("Starting Pluto (Libreswan Version %s%s; Vendor ID %s) pid:%u"
, vc, compile_time_interop_options, v, getpid());
#else
libreswan_log("Starting Pluto (Libreswan Version %s%s) pid:%u"
, vc, compile_time_interop_options, getpid());
#endif
if(Pluto_IsFIPS()) {
libreswan_log("Pluto is running in FIPS mode");
} else {
libreswan_log("Pluto is NOT running in FIPS mode");
}
if((vc[0]=='c' && vc[1]=='v' && vc[2]=='s') ||
(vc[2]=='g' && vc[3]=='i' && vc[4]=='t')) {
/*
* when people build RPMs from CVS or GIT, make sure they
* get blamed appropriately, and that we get some way to
* identify who did it, and when they did it. Use string concat,
* so that strings the binary can or classic SCCS "what", will find
* stuff too.
*/
libreswan_log("@(#) built on "__DATE__":" __TIME__ " by " BUILDER);
}
#if defined(USE_1DES)
libreswan_log("WARNING: 1DES is enabled");
#endif
}
if(coredir) {
libreswan_log("core dump dir: %s", coredir);
}
if(pluto_shared_secrets_file) {
libreswan_log("secrets file: %s", pluto_shared_secrets_file);
}
#ifdef LEAK_DETECTIVE
libreswan_log("LEAK_DETECTIVE support [enabled]");
#else
libreswan_log("LEAK_DETECTIVE support [disabled]");
#endif
#ifdef HAVE_OCF
{
struct stat buf;
errno=0;
if( stat("/dev/crypto",&buf) != -1)
libreswan_log("OCF support for IKE via /dev/crypto [enabled]");
else
libreswan_log("OCF support for IKE via /dev/crypto [failed:%s]", strerror(errno));
}
#else
libreswan_log("OCF support for IKE [disabled]");
#endif
/* Check for SAREF support */
#ifdef KLIPS_MAST
#include <ipsec_saref.h>
{
int e, sk, saref;
saref = 1;
errno=0;
sk = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
e = setsockopt(sk, IPPROTO_IP, IP_IPSEC_REFINFO, &saref, sizeof(saref));
if (e == -1 ) {
libreswan_log("SAref support [disabled]: %s" , strerror(errno));
}
else {
libreswan_log("SAref support [enabled]");
}
errno=0;
e = setsockopt(sk, IPPROTO_IP, IP_IPSEC_BINDREF, &saref, sizeof(saref));
if (e == -1 ) {
libreswan_log("SAbind support [disabled]: %s" , strerror(errno));
}
else {
libreswan_log("SAbind support [enabled]");
}
close(sk);
}
#endif
libreswan_log("NSS crypto [enabled]");
#ifdef XAUTH_HAVE_PAM
libreswan_log("XAUTH PAM support [enabled]");
#else
libreswan_log("XAUTH PAM support [disabled]");
#endif
#ifdef HAVE_STATSD
libreswan_log("HAVE_STATSD notification via /bin/libreswan-statsd enabled");
#else
libreswan_log("HAVE_STATSD notification support [disabled]");
#endif
/** Log various impair-* functions if they were enabled */
if(DBGP(IMPAIR_BUST_MI2))
libreswan_log("Warning: IMPAIR_BUST_MI2 enabled");
if(DBGP(IMPAIR_BUST_MR2))
libreswan_log("Warning: IMPAIR_BUST_MR2 enabled");
if(DBGP(IMPAIR_SA_CREATION))
libreswan_log("Warning: IMPAIR_SA_CREATION enabled");
if(DBGP(IMPAIR_JACOB_TWO_TWO))
libreswan_log("Warning: IMPAIR_JACOB_TWO_TWO enabled");
if(DBGP(IMPAIR_DIE_ONINFO))
libreswan_log("Warning: IMPAIR_DIE_ONINFO enabled");
if(DBGP(IMPAIR_MAJOR_VERSION_BUMP))
libreswan_log("Warning: IMPAIR_MAJOR_VERSION_BUMP enabled");
if(DBGP(IMPAIR_MINOR_VERSION_BUMP))
libreswan_log("Warning: IMPAIR_MINOR_VERSION_BUMP enabled");
if(DBGP(IMPAIR_RETRANSMITS))
libreswan_log("Warning: IMPAIR_RETRANSMITS enabled");
if(DBGP(IMPAIR_SEND_BOGUS_ISAKMP_FLAG))
libreswan_log("Warning: IMPAIR_SEND_BOGUS_ISAKMP_FLAG enabled");
if(DBGP(IMPAIR_DELAY_ADNS_KEY_ANSWER))
libreswan_log("Warning: IMPAIR_DELAY_ADNS_KEY_ANSWER enabled");
if(DBGP(IMPAIR_DELAY_ADNS_TXT_ANSWER))
libreswan_log("Warning: IMPAIR_DELAY_ADNS_TXT_ANSWER enabled");
/** Initialize all of the various features */
#ifdef NAT_TRAVERSAL
init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf);
#endif
init_virtual_ip(virtual_private);
/* obsoletd by nss code init_rnd_pool(); */
init_timer();
init_secret();
init_states();
init_connections();
init_crypto();
init_crypto_helpers(nhelpers);
load_lswcrypto();
init_demux();
init_kernel();
init_adns();
init_id();
#ifdef TPM
init_tpm();
#endif
#if defined(LIBCURL) || defined(LDAP_VER)
init_fetch();
#endif
/* loading X.509 CA certificates */
load_authcerts("CA cert", oco->cacerts_dir, AUTH_CA);
#if 0
/* unused */
/* loading X.509 AA certificates */
load_authcerts("AA cert", oco->aacerts_dir, AUTH_AA);
#endif
/* loading X.509 CRLs */
load_crls();
/* loading attribute certificates (experimental) */
load_acerts();
/*Loading CA certs from NSS DB*/
load_authcerts_from_nss("CA cert", AUTH_CA);
#ifdef HAVE_LABELED_IPSEC
init_avc();
#endif
daily_log_event();
call_server();
return -1; /* Shouldn't ever reach this */
}
struct raw_iface *
find_raw_ifaces6(void)
{
/* Get list of interfaces with IPv6 addresses from system from /proc/net/if_inet6).
*
* Documentation of format?
* RTFS: linux-2.2.16/net/ipv6/addrconf.c:iface_proc_info()
* linux-2.4.9-13/net/ipv6/addrconf.c:iface_proc_info()
*
* Sample from Gerhard's laptop:
* 00000000000000000000000000000001 01 80 10 80 lo
* 30490009000000000000000000010002 02 40 00 80 ipsec0
* 30490009000000000000000000010002 07 40 00 80 eth0
* fe80000000000000025004fffefd5484 02 0a 20 80 ipsec0
* fe80000000000000025004fffefd5484 07 0a 20 80 eth0
*
* Each line contains:
* - IPv6 address: 16 bytes, in hex, no punctuation
* - ifindex: 1 byte, in hex
* - prefix_len: 1 byte, in hex
* - scope (e.g. global, link local): 1 byte, in hex
* - flags: 1 byte, in hex
* - device name: string, followed by '\n'
*/
struct raw_iface *rifaces = NULL;
static const char proc_name[] = "/proc/net/if_inet6";
FILE *proc_sock = fopen(proc_name, "r");
if (proc_sock == NULL)
{
DBG(DBG_CONTROL, DBG_log("could not open %s", proc_name));
}
else
{
for (;;)
{
struct raw_iface ri;
unsigned short xb[8]; /* IPv6 address as 8 16-bit chunks */
char sb[8*5]; /* IPv6 address as string-with-colons */
unsigned int if_idx; /* proc field, not used */
unsigned int plen; /* proc field, not used */
unsigned int scope; /* proc field, used to exclude link-local */
unsigned int dad_status; /* proc field, not used */
/* ??? I hate and distrust scanf -- DHR */
int r = fscanf(proc_sock
, "%4hx%4hx%4hx%4hx%4hx%4hx%4hx%4hx"
" %02x %02x %02x %02x %20s\n"
, xb+0, xb+1, xb+2, xb+3, xb+4, xb+5, xb+6, xb+7
, &if_idx, &plen, &scope, &dad_status, ri.name);
/* ??? we should diagnose any problems */
if (r != 13)
break;
/* ignore addresses with link local scope.
* From linux-2.4.9-13/include/net/ipv6.h:
* IPV6_ADDR_LINKLOCAL 0x0020U
* IPV6_ADDR_SCOPE_MASK 0x00f0U
*/
if ((scope & 0x00f0U) == 0x0020U)
continue;
snprintf(sb, sizeof(sb)
, "%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x"
, xb[0], xb[1], xb[2], xb[3], xb[4], xb[5], xb[6], xb[7]);
happy(ttoaddr(sb, 0, AF_INET6, &ri.addr));
if (!isunspecaddr(&ri.addr))
{
DBG(DBG_CONTROL
, DBG_log("found %s with address %s"
, ri.name, sb));
ri.next = rifaces;
rifaces = clone_thing(ri, "struct raw_iface");
}
}
fclose(proc_sock);
}
return rifaces;
}
static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token,
kw_list_t *kw, char *conn_name, starter_config_t *cfg)
{
err_t ugh = NULL;
bool assigned = FALSE;
bool has_port_wildcard; /* set if port is %any */
char *name = kw->entry->name;
char *value = kw->value;
if (!assign_arg(token, KW_END_FIRST, kw, (char *)end, &assigned))
goto err;
/* post processing of some keywords that were assigned automatically */
switch (token)
{
case KW_SUBNET:
if ((strlen(value) >= 6 && strncmp(value,"vhost:",6) == 0)
|| (strlen(value) >= 5 && strncmp(value,"vnet:",5) == 0))
{
/* used by pluto only */
end->has_virt = TRUE;
}
else
{
ip_subnet net;
char *pos;
int len = 0;
end->has_client = TRUE;
conn->tunnel_addr_family = ip_version(value);
pos = strchr(value, ',');
if (pos)
{
len = pos - value;
}
ugh = ttosubnet(value, len, ip_version(value), &net);
if (ugh != NULL)
{
plog("# bad subnet: %s=%s [%s]", name, value, ugh);
goto err;
}
}
break;
case KW_SOURCEIP:
if (end->has_natip)
{
plog("# natip and sourceip cannot be defined at the same time");
goto err;
}
if (value[0] == '%')
{
if (streq(value, "%modeconfig") || streq(value, "%modecfg") ||
streq(value, "%config") || streq(value, "%cfg"))
{
/* request ip via config payload */
free(end->sourceip);
end->sourceip = NULL;
end->sourceip_mask = 1;
}
else
{ /* %poolname, strip %, serve ip requests */
free(end->sourceip);
end->sourceip = clone_str(value+1);
end->sourceip_mask = 0;
}
end->modecfg = TRUE;
}
else
{
char *pos;
ip_address addr;
ip_subnet net;
conn->tunnel_addr_family = ip_version(value);
pos = strchr(value, '/');
if (pos)
{ /* CIDR notation, address pool */
ugh = ttosubnet(value, 0, conn->tunnel_addr_family, &net);
if (ugh != NULL)
{
plog("# bad subnet: %s=%s [%s]", name, value, ugh);
goto err;
}
*pos = '\0';
free(end->sourceip);
end->sourceip = clone_str(value);
end->sourceip_mask = atoi(pos + 1);
}
else
{ /* fixed srcip */
ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &addr);
if (ugh != NULL)
{
plog("# bad addr: %s=%s [%s]", name, value, ugh);
goto err;
}
end->sourceip_mask = (conn->tunnel_addr_family == AF_INET) ?
32 : 128;
}
}
conn->policy |= POLICY_TUNNEL;
break;
case KW_SENDCERT:
if (end->sendcert == CERT_YES_SEND)
{
end->sendcert = CERT_ALWAYS_SEND;
}
else if (end->sendcert == CERT_NO_SEND)
{
end->sendcert = CERT_NEVER_SEND;
}
break;
default:
break;
}
if (assigned)
return;
/* individual processing of keywords that were not assigned automatically */
switch (token)
{
case KW_HOST:
if (streq(value, "%defaultroute"))
{
if (cfg->defaultroute.defined)
{
end->addr = cfg->defaultroute.addr;
end->nexthop = cfg->defaultroute.nexthop;
}
else if (!cfg->defaultroute.supported)
{
plog("%%defaultroute not supported, fallback to %%any");
}
else
{
plog("# default route not known: %s=%s", name, value);
goto err;
}
}
else if (streq(value, "%any") || streq(value, "%any4"))
{
anyaddr(conn->addr_family, &end->addr);
}
else if (streq(value, "%any6"))
{
conn->addr_family = AF_INET6;
anyaddr(conn->addr_family, &end->addr);
}
else if (streq(value, "%group"))
{
ip_address any;
conn->policy |= POLICY_GROUP | POLICY_TUNNEL;
anyaddr(conn->addr_family, &end->addr);
anyaddr(conn->tunnel_addr_family, &any);
end->has_client = TRUE;
}
else
{
/* check for allow_any prefix */
if (value[0] == '%')
{
end->allow_any = TRUE;
value++;
}
conn->addr_family = ip_version(value);
ugh = ttoaddr(value, 0, conn->addr_family, &end->addr);
if (ugh != NULL)
{
plog("# bad addr: %s=%s [%s]", name, value, ugh);
if (streq(ugh, "does not look numeric and name lookup failed"))
{
end->dns_failed = TRUE;
anyaddr(conn->addr_family, &end->addr);
}
else
{
goto err;
}
}
}
break;
case KW_NEXTHOP:
if (streq(value, "%defaultroute"))
{
if (cfg->defaultroute.defined)
{
end->nexthop = cfg->defaultroute.nexthop;
}
else
{
plog("# default route not known: %s=%s", name, value);
goto err;
}
}
else if (streq(value, "%direct"))
{
ugh = anyaddr(conn->addr_family, &end->nexthop);
}
else
{
conn->addr_family = ip_version(value);
ugh = ttoaddr(value, 0, conn->addr_family, &end->nexthop);
}
if (ugh != NULL)
{
plog("# bad addr: %s=%s [%s]", name, value, ugh);
goto err;
}
break;
case KW_SUBNETWITHIN:
{
ip_subnet net;
end->has_client = TRUE;
end->has_client_wildcard = TRUE;
conn->tunnel_addr_family = ip_version(value);
ugh = ttosubnet(value, 0, ip_version(value), &net);
if (ugh != NULL)
{
plog("# bad subnet: %s=%s [%s]", name, value, ugh);
goto err;
}
end->subnet = clone_str(value);
break;
}
case KW_PROTOPORT:
ugh = ttoprotoport(value, 0, &end->protocol, &end->port, &has_port_wildcard);
end->has_port_wildcard = has_port_wildcard;
break;
case KW_NATIP:
if (end->sourceip)
{
plog("# natip and sourceip cannot be defined at the same time");
goto err;
}
if (streq(value, "%defaultroute"))
{
char buf[64];
if (cfg->defaultroute.defined)
{
addrtot(&cfg->defaultroute.addr, 0, buf, sizeof(buf));
end->sourceip = clone_str(buf);
}
else
{
plog("# default route not known: %s=%s", name, value);
goto err;
}
}
else
{
ip_address addr;
conn->tunnel_addr_family = ip_version(value);
ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &addr);
if (ugh != NULL)
{
plog("# bad addr: %s=%s [%s]", name, value, ugh);
goto err;
}
end->sourceip = clone_str(value);
}
end->has_natip = TRUE;
conn->policy |= POLICY_TUNNEL;
break;
default:
break;
}
return;
err:
plog(" bad argument value in conn '%s'", conn_name);
cfg->err++;
}
/*
- ttosubnet - convert text "addr/mask" to address and mask
* Mask can be integer bit count.
*/
err_t
ttosubnet(const char *src, size_t srclen,int af,ip_subnet *dst)
{
const char *slash;
const char *colon;
const char *mask;
size_t mlen;
const char *oops;
unsigned long bc;
static char def[] = DEFAULTSUBNET;
# define DEFLEN (sizeof(def) - 1) /* -1 for NUL */
static char defis4[] = "0/0";
# define DEFIS4LEN (sizeof(defis4) - 1)
static char defis6[] = "::/0";
# define DEFIS6LEN (sizeof(defis6) - 1)
ip_address addrtmp;
ip_address masktmp;
int nbits;
int i;
if (srclen == 0)
srclen = strlen(src);
if (srclen == 0)
return "empty string";
switch (af) {
case AF_INET:
nbits = 32;
break;
case AF_INET6:
nbits = 128;
break;
default:
return "unknown address family in ttosubnet";
break;
}
if (srclen == DEFLEN && strncmp(src, def, srclen) == 0) {
src = (af == AF_INET) ? defis4 : defis6;
srclen = (af == AF_INET) ? DEFIS4LEN : DEFIS6LEN;
}
slash = memchr(src, '/', srclen);
if (slash == NULL)
return "no / in subnet specification";
mask = slash + 1;
mlen = srclen - (mask - src);
oops = ttoaddr(src, slash-src, af, &addrtmp);
if (oops != NULL)
return oops;
/* extract port, as last : */
colon = memchr(mask, ':', mlen);
if (colon == 0)
{
setportof(0, &addrtmp);
}
else
{
unsigned long port;
oops = ttoul(colon+1, mlen-(colon-mask+1), 0, &port);
if (oops != NULL)
return oops;
setportof(htons(port), &addrtmp);
mlen = colon - mask;
}
/*extract mask */
oops = ttoul(mask, mlen, 10, &bc);
if (oops == NULL) {
/* ttoul succeeded, it's a bit-count mask */
if (bc > nbits)
return "subnet mask bit count too large";
i = bc;
} else if(af == AF_INET) {
oops = ttoaddr(mask, mlen, af, &masktmp);
if (oops != NULL)
return oops;
i = masktocount(&masktmp);
if (i < 0)
return "non-contiguous or otherwise erroneous mask";
} else {
return "masks are not permitted for IPv6 addresses";
}
return initsubnet(&addrtmp, i, '0', dst);
}
int
main(int argc, char **argv)
{
bool fork_desired = TRUE;
int lockfd;
char* ocspuri = NULL;
int nhelpers = -1;
char *coredir;
const struct osw_conf_options *oco;
#ifdef NAT_TRAVERSAL
/** Overridden by nat_traversal= in ipsec.conf */
bool nat_traversal = FALSE;
bool nat_t_spf = TRUE; /* support port floating */
unsigned int keep_alive = 0;
bool force_keepalive = FALSE;
#endif
/** Overridden by virtual_private= in ipsec.conf */
char *virtual_private = NULL;
#ifdef LEAK_DETECTIVE
leak_detective=1;
#else
leak_detective=0;
#endif
#ifdef HAVE_LIBCAP_NG
/* Drop capabilities */
capng_clear(CAPNG_SELECT_BOTH);
capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
CAP_NET_BIND_SERVICE, CAP_NET_ADMIN, CAP_NET_RAW,
CAP_IPC_LOCK, -1);
/* our children must be able to CAP_NET_ADMIN to change routes.
*/
capng_updatev(CAPNG_ADD, CAPNG_BOUNDING_SET,
CAP_NET_ADMIN, -1);
capng_apply(CAPNG_SELECT_BOTH);
#endif
global_argv = argv;
global_argc = argc;
#ifdef DEBUG
openswan_passert_fail = passert_fail;
#endif
/* see if there is an environment variable */
coredir = getenv("PLUTO_CORE_DIR");
if(getenv("PLUTO_WAIT_FOR_GDB")) {
sleep(120);
}
/* handle arguments */
for (;;)
{
# define DBG_OFFSET 256
static const struct option long_opts[] = {
/* name, has_arg, flag, val */
{ "help", no_argument, NULL, 'h' },
{ "version", no_argument, NULL, 'v' },
{ "optionsfrom", required_argument, NULL, '+' },
{ "nofork", no_argument, NULL, 'd' },
{ "stderrlog", no_argument, NULL, 'e' },
{ "noklips", no_argument, NULL, 'n' },
{ "use-nostack", no_argument, NULL, 'n' },
{ "use-none", no_argument, NULL, 'n' },
{ "force_busy", no_argument, NULL, 'D' },
{ "nocrsend", no_argument, NULL, 'c' },
{ "strictcrlpolicy", no_argument, NULL, 'r' },
{ "crlcheckinterval", required_argument, NULL, 'x'},
{ "ocsprequestcert", required_argument, NULL, 'q'},
{ "ocspuri", required_argument, NULL, 'o'},
{ "uniqueids", no_argument, NULL, 'u' },
{ "useklips", no_argument, NULL, 'k' },
{ "use-klips", no_argument, NULL, 'k' },
{ "use-auto", no_argument, NULL, 'G' },
{ "usenetkey", no_argument, NULL, 'K' },
{ "use-netkey", no_argument, NULL, 'K' },
{ "use-mast", no_argument, NULL, 'M' },
{ "use-mastklips", no_argument, NULL, 'M' },
{ "use-bsdkame", no_argument, NULL, 'F' },
{ "interface", required_argument, NULL, 'i' },
{ "listen", required_argument, NULL, 'L' },
{ "ikeport", required_argument, NULL, 'p' },
{ "ctlbase", required_argument, NULL, 'b' },
{ "secretsfile", required_argument, NULL, 's' },
{ "foodgroupsdir", required_argument, NULL, 'f' },
{ "perpeerlogbase", required_argument, NULL, 'P' },
{ "perpeerlog", no_argument, NULL, 'l' },
{ "noretransmits", no_argument, NULL, 'R' },
{ "coredir", required_argument, NULL, 'C' },
{ "ipsecdir", required_argument, NULL, 'f' },
{ "ipsec_dir", required_argument, NULL, 'f' },
#ifdef USE_LWRES
{ "lwdnsq", required_argument, NULL, 'a' },
#else /* !USE_LWRES */
{ "adns", required_argument, NULL, 'a' },
#endif /* !USE_LWRES */
#ifdef NAT_TRAVERSAL
{ "nat_traversal", no_argument, NULL, '1' },
{ "keep_alive", required_argument, NULL, '2' },
{ "force_keepalive", no_argument, NULL, '3' },
{ "disable_port_floating", no_argument, NULL, '4' },
{ "debug-nat_t", no_argument, NULL, '5' },
{ "debug-nattraversal", no_argument, NULL, '5' },
{ "debug-nat-t", no_argument, NULL, '5' },
#endif
{ "virtual_private", required_argument, NULL, '6' },
{ "nhelpers", required_argument, NULL, 'j' },
#ifdef DEBUG
{ "debug-none", no_argument, NULL, 'N' },
{ "debug-all", no_argument, NULL, 'A' },
{ "debug-raw", no_argument, NULL, DBG_RAW + DBG_OFFSET },
{ "debug-crypt", no_argument, NULL, DBG_CRYPT + DBG_OFFSET },
{ "debug-crypto", no_argument, NULL, DBG_CRYPT + DBG_OFFSET },
{ "debug-parsing", no_argument, NULL, DBG_PARSING + DBG_OFFSET },
{ "debug-emitting", no_argument, NULL, DBG_EMITTING + DBG_OFFSET },
{ "debug-control", no_argument, NULL, DBG_CONTROL + DBG_OFFSET },
{ "debug-lifecycle", no_argument, NULL, DBG_LIFECYCLE + DBG_OFFSET },
{ "debug-klips", no_argument, NULL, DBG_KLIPS + DBG_OFFSET },
{ "debug-netkey", no_argument, NULL, DBG_NETKEY + DBG_OFFSET },
{ "debug-dns", no_argument, NULL, DBG_DNS + DBG_OFFSET },
{ "debug-oppo", no_argument, NULL, DBG_OPPO + DBG_OFFSET },
{ "debug-oppoinfo", no_argument, NULL, DBG_OPPOINFO + DBG_OFFSET },
{ "debug-controlmore", no_argument, NULL, DBG_CONTROLMORE + DBG_OFFSET },
{ "debug-dpd", no_argument, NULL, DBG_DPD + DBG_OFFSET },
{ "debug-x509", no_argument, NULL, DBG_X509 + DBG_OFFSET },
{ "debug-private", no_argument, NULL, DBG_PRIVATE + DBG_OFFSET },
{ "debug-pfkey", no_argument, NULL, DBG_PFKEY + DBG_OFFSET },
{ "impair-delay-adns-key-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_KEY_ANSWER + DBG_OFFSET },
{ "impair-delay-adns-txt-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_TXT_ANSWER + DBG_OFFSET },
{ "impair-bust-mi2", no_argument, NULL, IMPAIR_BUST_MI2 + DBG_OFFSET },
{ "impair-bust-mr2", no_argument, NULL, IMPAIR_BUST_MR2 + DBG_OFFSET },
{ "impair-sa-creation", no_argument, NULL, IMPAIR_SA_CREATION + DBG_OFFSET },
{ "impair-die-oninfo", no_argument, NULL, IMPAIR_DIE_ONINFO + DBG_OFFSET },
{ "impair-jacob-two-two", no_argument, NULL, IMPAIR_JACOB_TWO_TWO + DBG_OFFSET },
#endif
{ 0,0,0,0 }
};
/* Note: we don't like the way short options get parsed
* by getopt_long, so we simply pass an empty string as
* the list. It could be "hvdenp:l:s:" "NARXPECK".
*/
int c = getopt_long(argc, argv, "", long_opts, NULL);
/** Note: "breaking" from case terminates loop */
switch (c)
{
case EOF: /* end of flags */
break;
case 0: /* long option already handled */
continue;
case ':': /* diagnostic already printed by getopt_long */
case '?': /* diagnostic already printed by getopt_long */
usage("");
break; /* not actually reached */
case 'h': /* --help */
usage(NULL);
break; /* not actually reached */
case 'C':
coredir = clone_str(optarg, "coredir");
break;
case 'v': /* --version */
{
const char **sp = ipsec_copyright_notice();
printf("%s%s\n", ipsec_version_string(),
compile_time_interop_options);
for (; *sp != NULL; sp++)
puts(*sp);
}
exit(0); /* not exit_pluto because we are not initialized yet */
break; /* not actually reached */
case '+': /* --optionsfrom <filename> */
optionsfrom(optarg, &argc, &argv, optind, stderr);
/* does not return on error */
continue;
case 'j': /* --nhelpers */
if (optarg == NULL || !isdigit(optarg[0]))
usage("missing number of pluto helpers");
{
char *endptr;
long count = strtol(optarg, &endptr, 0);
if (*endptr != '\0' || endptr == optarg
|| count < -1)
usage("<nhelpers> must be a positive number, 0 or -1");
nhelpers = count;
}
continue;
case 'd': /* --nofork*/
fork_desired = FALSE;
continue;
case 'e': /* --stderrlog */
log_to_stderr_desired = TRUE;
continue;
case 'G': /* --use-auto */
kern_interface = AUTO_PICK;
continue;
case 'k': /* --use-klips */
kern_interface = USE_KLIPS;
continue;
case 'L': /* --listen ip_addr */
{
ip_address lip;
err_t e = ttoaddr(optarg,0,0,&lip);
if(e) {
openswan_log("invalid listen argument ignored: %s\n",e);
} else {
pluto_listen = clone_str(optarg, "pluto_listen");
openswan_log("bind() will be filtered for %s\n",pluto_listen);
}
}
continue;
case 'M': /* --use-mast */
kern_interface = USE_MASTKLIPS;
continue;
case 'F': /* --use-bsdkame */
kern_interface = USE_BSDKAME;
continue;
case 'K': /* --use-netkey */
kern_interface = USE_NETKEY;
continue;
case 'n': /* --use-nostack */
kern_interface = NO_KERNEL;
continue;
case 'D': /* --force_busy */
force_busy = TRUE;
continue
;
case 'c': /* --nocrsend */
no_cr_send = TRUE;
continue
;
case 'r': /* --strictcrlpolicy */
strict_crl_policy = TRUE;
continue
;
case 'R':
no_retransmits = TRUE;
continue;
case 'x': /* --crlcheckinterval <time>*/
if (optarg == NULL || !isdigit(optarg[0]))
usage("missing interval time");
{
char *endptr;
long interval = strtol(optarg, &endptr, 0);
if (*endptr != '\0' || endptr == optarg
|| interval <= 0)
usage("<interval-time> must be a positive number");
crl_check_interval = interval;
}
continue
;
case 'o': /* --ocspuri */
ocspuri = optarg;
continue;
case 'u': /* --uniqueids */
uniqueIDs = TRUE;
continue;
case 'i': /* --interface <ifname|ifaddr> */
if (!use_interface(optarg))
usage("too many --interface specifications");
continue;
/*
* This option does not really work, as this is the "left"
* site only, you also need --to --ikeport again later on
* It will result in: yourport -> 500, still not bypassing filters
*/
case 'p': /* --ikeport <portnumber> */
if (optarg == NULL || !isdigit(optarg[0]))
usage("missing port number");
{
char *endptr;
long port = strtol(optarg, &endptr, 0);
if (*endptr != '\0' || endptr == optarg
|| port <= 0 || port > 0x10000)
usage("<port-number> must be a number between 1 and 65535");
pluto_port = port;
}
continue;
case 'b': /* --ctlbase <path> */
ctlbase = optarg;
if (snprintf(ctl_addr.sun_path, sizeof(ctl_addr.sun_path)
, "%s%s", ctlbase, CTL_SUFFIX) == -1)
usage("<path>" CTL_SUFFIX " too long for sun_path");
if (snprintf(info_addr.sun_path, sizeof(info_addr.sun_path)
, "%s%s", ctlbase, INFO_SUFFIX) == -1)
usage("<path>" INFO_SUFFIX " too long for sun_path");
if (snprintf(pluto_lock, sizeof(pluto_lock)
, "%s%s", ctlbase, LOCK_SUFFIX) == -1)
usage("<path>" LOCK_SUFFIX " must fit");
continue;
case 's': /* --secretsfile <secrets-file> */
pluto_shared_secrets_file = optarg;
continue;
case 'f': /* --ipsecdir <ipsec-dir> */
(void)osw_init_ipsecdir(optarg);
continue;
case 'a': /* --adns <pathname> */
pluto_adns_option = optarg;
continue;
#ifdef DEBUG
case 'N': /* --debug-none */
base_debugging = DBG_NONE;
continue;
case 'A': /* --debug-all */
base_debugging = DBG_ALL;
continue;
#endif
case 'P': /* --perpeerlogbase */
base_perpeer_logdir = optarg;
continue;
case 'l':
log_to_perpeer = TRUE;
continue;
#ifdef NAT_TRAVERSAL
case '1': /* --nat_traversal */
nat_traversal = TRUE;
continue;
case '2': /* --keep_alive */
keep_alive = atoi(optarg);
continue;
case '3': /* --force_keepalive */
force_keepalive = TRUE;
continue;
case '4': /* --disable_port_floating */
nat_t_spf = FALSE;
continue;
#ifdef DEBUG
case '5': /* --debug-nat_t */
base_debugging |= DBG_NATT;
continue;
#endif
#endif
case '6': /* --virtual_private */
virtual_private = optarg;
continue;
default:
#ifdef DEBUG
if (c >= DBG_OFFSET)
{
base_debugging |= c - DBG_OFFSET;
continue;
}
# undef DBG_OFFSET
#endif
bad_case(c);
}
break;
}
if (optind != argc)
usage("unexpected argument");
reset_debugging();
#ifdef HAVE_NO_FORK
fork_desired = FALSE;
nhelpers = 0;
#endif
/* if a core dir was set, chdir there */
if(coredir)
if(chdir(coredir) == -1) {
int e = errno;
openswan_log("pluto: chdir() do dumpdir failed (%d %s)\n",
e, strerror(e));
}
oco = osw_init_options();
lockfd = create_lock();
/* select between logging methods */
if (log_to_stderr_desired)
log_to_syslog = FALSE;
else
log_to_stderr = FALSE;
#ifdef DEBUG
#if 0
if(kernel_ops->set_debug) {
(*kernel_ops->set_debug)(cur_debugging, DBG_log, DBG_log);
}
#endif
#endif
/** create control socket.
* We must create it before the parent process returns so that
* there will be no race condition in using it. The easiest
* place to do this is before the daemon fork.
*/
{
err_t ugh = init_ctl_socket();
if (ugh != NULL)
{
fprintf(stderr, "pluto: %s", ugh);
exit_pluto(1);
}
}
#ifdef IPSECPOLICY
/* create info socket. */
{
err_t ugh = init_info_socket();
if (ugh != NULL)
{
fprintf(stderr, "pluto: %s", ugh);
exit_pluto(1);
}
}
#endif
/* If not suppressed, do daemon fork */
if (fork_desired)
{
{
pid_t pid = fork();
if (pid < 0)
{
int e = errno;
fprintf(stderr, "pluto: fork failed (%d %s)\n",
errno, strerror(e));
exit_pluto(1);
}
if (pid != 0)
{
/* parent: die, after filling PID into lock file.
* must not use exit_pluto: lock would be removed!
*/
exit(fill_lock(lockfd, pid)? 0 : 1);
}
}
if (setsid() < 0)
{
int e = errno;
fprintf(stderr, "setsid() failed in main(). Errno %d: %s\n",
errno, strerror(e));
exit_pluto(1);
}
}
else
{
/* no daemon fork: we have to fill in lock file */
(void) fill_lock(lockfd, getpid());
fprintf(stdout, "Pluto initialized\n");
fflush(stdout);
}
/** Close everything but ctl_fd and (if needed) stderr.
* There is some danger that a library that we don't know
* about is using some fd that we don't know about.
* I guess we'll soon find out.
*/
{
int i;
for (i = getdtablesize() - 1; i >= 0; i--) /* Bad hack */
if ((!log_to_stderr || i != 2)
#ifdef IPSECPOLICY
&& i != info_fd
#endif
&& i != ctl_fd)
close(i);
/* make sure that stdin, stdout, stderr are reserved */
if (open("/dev/null", O_RDONLY) != 0)
osw_abort();
if (dup2(0, 1) != 1)
osw_abort();
if (!log_to_stderr && dup2(0, 2) != 2)
osw_abort();
}
init_constants();
pluto_init_log();
#ifdef HAVE_LIBNSS
char buf[100];
snprintf(buf, sizeof(buf), "%s",oco->confddir);
loglog(RC_LOG_SERIOUS,"nss directory plutomain: %s",buf);
SECStatus nss_init_status= NSS_InitReadWrite(buf);
if (nss_init_status != SECSuccess) {
loglog(RC_LOG_SERIOUS, "NSS initialization failed (err %d)\n", PR_GetError());
exit_pluto(10);
} else {
loglog(RC_LOG_SERIOUS, "NSS Initialized");
PK11_SetPasswordFunc(getNSSPassword);
#ifdef FIPS_CHECK
const char *package_files[]= { IPSECLIBDIR"/setup",
IPSECLIBDIR"/addconn",
IPSECLIBDIR"/auto",
IPSECLIBDIR"/barf",
IPSECLIBDIR"/_copyright",
IPSECLIBDIR"/eroute",
IPSECLIBDIR"/ikeping",
IPSECLIBDIR"/_include",
IPSECLIBDIR"/_keycensor",
IPSECLIBDIR"/klipsdebug",
IPSECLIBDIR"/look",
IPSECLIBDIR"/newhostkey",
IPSECLIBDIR"/pf_key",
IPSECLIBDIR"/_pluto_adns",
IPSECLIBDIR"/_plutoload",
IPSECLIBDIR"/_plutorun",
IPSECLIBDIR"/ranbits",
IPSECLIBDIR"/_realsetup",
IPSECLIBDIR"/rsasigkey",
IPSECLIBDIR"/pluto",
IPSECLIBDIR"/_secretcensor",
IPSECLIBDIR"/secrets",
IPSECLIBDIR"/showdefaults",
IPSECLIBDIR"/showhostkey",
IPSECLIBDIR"/showpolicy",
IPSECLIBDIR"/spi",
IPSECLIBDIR"/spigrp",
IPSECLIBDIR"/_startklips",
IPSECLIBDIR"/_startnetkey",
IPSECLIBDIR"/tncfg",
IPSECLIBDIR"/_updown",
IPSECLIBDIR"/_updown.klips",
IPSECLIBDIR"/_updown.mast",
IPSECLIBDIR"/_updown.netkey",
IPSECLIBDIR"/verify",
IPSECLIBDIR"/whack",
IPSECSBINDIR"/ipsec",
NULL
};
if (Pluto_IsFIPS() && !FIPSCHECK_verify_files(package_files)) {
loglog(RC_LOG_SERIOUS, "FIPS integrity verification test failed");
exit_pluto(10);
}
#endif
}
#endif
/* Note: some scripts may look for this exact message -- don't change
* ipsec barf was one, but it no longer does.
*/
{
const char *vc = ipsec_version_code();
#ifdef PLUTO_SENDS_VENDORID
const char *v = init_pluto_vendorid();
openswan_log("Starting Pluto (Openswan Version %s%s; Vendor ID %s) pid:%u"
, vc, compile_time_interop_options, v, getpid());
#else
openswan_log("Starting Pluto (Openswan Version %s%s) pid:%u"
, vc, compile_time_interop_options, getpid());
#endif
#ifdef HAVE_LIBNSS
if(Pluto_IsFIPS()) {
openswan_log("Pluto is running in FIPS mode");
}
#endif
if((vc[0]=='c' && vc[1]=='v' && vc[2]=='s') ||
(vc[2]=='g' && vc[3]=='i' && vc[4]=='t')) {
/*
* when people build RPMs from CVS or GIT, make sure they
* get blamed appropriately, and that we get some way to
* identify who did it, and when they did it. Use string concat,
* so that strings the binary can or classic SCCS "what", will find
* stuff too.
*/
openswan_log("@(#) built on "__DATE__":" __TIME__ " by " BUILDER);
}
#if defined(USE_1DES)
openswan_log("WARNING: 1DES is enabled");
#endif
}
if(coredir) {
openswan_log("core dump dir: %s", coredir);
}
#ifdef LEAK_DETECTIVE
openswan_log("LEAK_DETECTIVE support [enabled]");
#else
openswan_log("LEAK_DETECTIVE support [disabled]");
#endif
#ifdef HAVE_OCF
{
struct stat buf;
errno=0;
if( stat("/dev/crypto",&buf) != -1)
openswan_log("OCF support for IKE via /dev/crypto [enabled]");
else
openswan_log("OCF support for IKE via /dev/crypto [failed:%s]", strerror(errno));
}
#else
openswan_log("OCF support for IKE [disabled]");
#endif
/* Check for SAREF support */
#ifdef KLIPS_MAST
#include <ipsec_saref.h>
{
int e, sk, saref;
saref = 1;
errno=0;
sk = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
e = setsockopt(sk, IPPROTO_IP, IP_IPSEC_REFINFO, &saref, sizeof(saref));
if (e == -1 ) {
openswan_log("SAref support [disabled]: %s" , strerror(errno));
}
else {
openswan_log("SAref support [enabled]");
}
errno=0;
e = setsockopt(sk, IPPROTO_IP, IP_IPSEC_BINDREF, &saref, sizeof(saref));
if (e == -1 ) {
openswan_log("SAbind support [disabled]: %s" , strerror(errno));
}
else {
openswan_log("SAbind support [enabled]");
}
close(sk);
}
#endif
#ifdef HAVE_LIBNSS
openswan_log("NSS support [enabled]");
#else
openswan_log("NSS support [disabled]");
#endif
#ifdef HAVE_STATSD
openswan_log("HAVE_STATSD notification via /bin/openswan-statsd enabled");
#else
openswan_log("HAVE_STATSD notification support not compiled in");
#endif
/** Log various impair-* functions if they were enabled */
if(DBGP(IMPAIR_BUST_MI2))
openswan_log("Warning: IMPAIR_BUST_MI2 enabled");
if(DBGP(IMPAIR_BUST_MR2))
openswan_log("Warning: IMPAIR_BUST_MR2 enabled");
if(DBGP(IMPAIR_SA_CREATION))
openswan_log("Warning: IMPAIR_SA_CREATION enabled");
if(DBGP(IMPAIR_JACOB_TWO_TWO))
openswan_log("Warning: IMPAIR_JACOB_TWO_TWO enabled");
if(DBGP(IMPAIR_DIE_ONINFO))
openswan_log("Warning: IMPAIR_DIE_ONINFO enabled");
if(DBGP(IMPAIR_DELAY_ADNS_KEY_ANSWER))
openswan_log("Warning: IMPAIR_DELAY_ADNS_KEY_ANSWER enabled");
if(DBGP(IMPAIR_DELAY_ADNS_TXT_ANSWER))
openswan_log("Warning: IMPAIR_DELAY_ADNS_TXT_ANSWER enabled");
/** Initialize all of the various features */
#ifdef NAT_TRAVERSAL
init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf);
#endif
init_virtual_ip(virtual_private);
init_rnd_pool();
init_timer();
init_secret();
init_states();
init_connections();
init_crypto();
init_crypto_helpers(nhelpers);
load_oswcrypto();
init_demux();
init_kernel();
init_adns();
init_id();
#ifdef TPM
init_tpm();
#endif
#ifdef HAVE_THREADS
init_fetch();
#endif
ocsp_set_default_uri(ocspuri);
/* loading X.509 CA certificates */
load_authcerts("CA cert", oco->cacerts_dir, AUTH_CA);
/* loading X.509 AA certificates */
load_authcerts("AA cert", oco->aacerts_dir, AUTH_AA);
/* loading X.509 OCSP certificates */
load_authcerts("OCSP cert", oco->ocspcerts_dir, AUTH_OCSP);
/* loading X.509 CRLs */
load_crls();
/* loading attribute certificates (experimental) */
load_acerts();
#ifdef HAVE_LIBNSS
/*Loading CA certs from NSS DB*/
load_authcerts_from_nss("CA cert", AUTH_CA);
#endif
daily_log_event();
call_server();
return -1; /* Shouldn't ever reach this */
}
/*
* See if left->addr or left->next is %defaultroute and change it to IP.
*
* Returns:
* -1: failure
* 0: done
* 1: please call again: more to do
*/
static int resolve_defaultroute_one(struct starter_end *host,
struct starter_end *peer)
{
/*
* "left=" == host->addrtype and host->addr
* "leftnexthop=" == host->nexttype and host->nexthop
*/
/* What kind of result are we seeking? */
bool seeking_src = (host->addrtype == KH_DEFAULTROUTE);
bool seeking_gateway = (host->nexttype == KH_DEFAULTROUTE);
bool has_peer = (peer->addrtype == KH_IPADDR || peer->addrtype == KH_IPHOSTNAME);
if (verbose)
printf("\nseeking_src = %d, seeking_gateway = %d, has_peer = %d\n",
seeking_src, seeking_gateway, has_peer);
char msgbuf[RTNL_BUFSIZE];
bool has_dst = FALSE;
int query_again = 0;
if (!seeking_src && !seeking_gateway)
return 0; /* this end already figured out */
/* Fill netlink request */
netlink_query_init(msgbuf, host->addr_family);
if (host->nexttype == KH_IPADDR) {
/*
* My nexthop (gateway) is specified.
* We need to figure out our source IP to get there.
*/
netlink_query_add(msgbuf, RTA_DST, &host->nexthop);
has_dst = TRUE;
} else if (has_peer) {
/*
* Peer IP is specified.
* We may need to figure out source IP
* and gateway IP to get there.
*/
if (peer->addrtype == KH_IPHOSTNAME) {
err_t er = ttoaddr(peer->strings[KSCF_IP], 0,
AF_UNSPEC, &peer->addr);
if (er != NULL)
return -1;
}
netlink_query_add(msgbuf, RTA_DST, &peer->addr);
has_dst = TRUE;
if (seeking_src && seeking_gateway &&
host->addr_family == AF_INET) {
/*
* If we have only peer IP and no gateway/src we must
* do two queries:
* 1) find out gateway for dst
* 2) find out src for that gateway
* Doing both in one query returns src for dst.
*
* (IPv6 returns link-local for gateway so we can and
* do seek both in one query.)
*/
seeking_src = FALSE;
query_again = 1;
}
}
if (has_dst && host->addrtype == KH_IPADDR) {
/* SRC works only with DST */
netlink_query_add(msgbuf, RTA_SRC, &host->addr);
}
/*
* If we have for example host=%defaultroute + peer=%any
* (no destination) the netlink reply will be full routing table.
* We must do two queries:
* 1) find out default gateway
* 2) find out src for that default gateway
*/
if (!has_dst && seeking_src && seeking_gateway) {
seeking_src = FALSE;
query_again = 1;
}
if (seeking_gateway) {
struct nlmsghdr *nlmsg = (struct nlmsghdr *)msgbuf;
nlmsg->nlmsg_flags |= NLM_F_DUMP;
}
if (verbose)
printf("seeking_src = %d, seeking_gateway = %d, has_dst = %d\n",
seeking_src, seeking_gateway, has_dst);
/* Send netlink get_route request */
ssize_t len = netlink_query(msgbuf);
if (len < 0)
return -1;
/* Parse reply */
struct nlmsghdr *nlmsg = (struct nlmsghdr *)msgbuf;
/*
* The cast to unsigned short is to dodge an error in
* netlink.h:NLMSG_OK() which triggers a GCC warning in recent
* versions of GCC (2014 August):
* error: comparison between signed and unsigned integer expressions
* Note: as long as RTNL_BUFSIZE <= USHRT_MAX, this is safe.
*/
for (; NLMSG_OK(nlmsg, (unsigned short)len); nlmsg = NLMSG_NEXT(nlmsg, len)) {
char r_interface[IF_NAMESIZE+1];
char r_source[ADDRTOT_BUF];
char r_gateway[ADDRTOT_BUF];
char r_destination[ADDRTOT_BUF];
if (nlmsg->nlmsg_type == NLMSG_DONE)
break;
if (nlmsg->nlmsg_type == NLMSG_ERROR) {
printf("netlink error\n");
return -1;
}
/* ignore all but IPv4 and IPv6 */
struct rtmsg *rtmsg = (struct rtmsg *) NLMSG_DATA(nlmsg);
if (rtmsg->rtm_family != AF_INET &&
rtmsg->rtm_family != AF_INET6)
continue;
/* Parse one route entry */
zero(&r_interface);
r_source[0] = r_gateway[0] = r_destination[0] = '\0';
struct rtattr *rtattr = (struct rtattr *) RTM_RTA(rtmsg);
int rtlen = RTM_PAYLOAD(nlmsg);
while (RTA_OK(rtattr, rtlen)) {
switch (rtattr->rta_type) {
case RTA_OIF:
if_indextoname(*(int *)RTA_DATA(rtattr),
r_interface);
break;
case RTA_PREFSRC:
inet_ntop(rtmsg->rtm_family, RTA_DATA(rtattr),
r_source, sizeof(r_source));
break;
case RTA_GATEWAY:
inet_ntop(rtmsg->rtm_family, RTA_DATA(rtattr),
r_gateway, sizeof(r_gateway));
break;
case RTA_DST:
inet_ntop(rtmsg->rtm_family, RTA_DATA(rtattr),
r_destination,
sizeof(r_destination));
break;
}
rtattr = RTA_NEXT(rtattr, rtlen);
}
/*
* Ignore if not main table.
* Ignore ipsecX or mastX interfaces.
*/
bool ignore = rtmsg->rtm_table != RT_TABLE_MAIN ||
startswith(r_interface, "ipsec") ||
startswith(r_interface, "mast");
if (verbose) {
printf("dst %s via %s dev %s src %s table %d%s\n",
r_destination,
r_gateway,
r_interface,
r_source, rtmsg->rtm_table,
ignore ? " (ignored)" : "");
}
if (ignore)
continue;
if (seeking_src && r_source[0] != '\0') {
err_t err = tnatoaddr(r_source, 0, rtmsg->rtm_family,
&host->addr);
if (err == NULL) {
host->addrtype = KH_IPADDR;
seeking_src = FALSE;
if (verbose)
printf("set addr: %s\n", r_source);
} else if (verbose) {
printf("unknown source results from kernel (%s): %s\n",
r_source, err);
}
}
if (seeking_gateway && r_destination[0] == '\0' &&
(has_dst || r_source[0] == '\0')) {
if (r_gateway[0] == '\0' && r_interface[0] != '\0') {
/*
* Point-to-Point default gw without "via IP"
* Attempt to find r_gateway as the IP address
* on the interface.
*/
resolve_ppp_peer(r_interface, host->addr_family,
r_gateway);
}
if (r_gateway[0] != '\0') {
err_t err = tnatoaddr(r_gateway, 0,
rtmsg->rtm_family,
&host->nexthop);
if (err != NULL) {
printf("unknown gateway results from kernel: %s\n",
err);
} else {
/* Note: Use first even if multiple */
host->nexttype = KH_IPADDR;
seeking_gateway = FALSE;
if (verbose)
printf("set nexthop: %s\n",
r_gateway);
}
}
}
}
return query_again;
}
int main(int argc, char **argv)
{
int lockfd;
bool restore_vrf_pluto = 0;
/*此开关必须放在所有动态内存分配之前*/
leak_detective=0;
debug_info_control* dic=alloc_bytes(sizeof(debug_info_control), "malloc debug_info_control in main");
openswan_passert_fail = passert_fail;
/*设备类型初始化*/
ipsec_device_type_init();
{
u32 pseudo_start_pluto = 0;
for (;;)
{
#define DBG_OFFSET 256
static const struct option long_opts[] = {
/* name, has_arg, flag, val */
{ "help", no_argument, NULL, 'h' },
{ "version", no_argument, NULL, 'v' },
{ "start", no_argument, NULL, 'B' },
{ "quit", no_argument, NULL, 'D' },
{ "user", no_argument, NULL, 'u' },
{ "krl", no_argument, NULL, 'K' },
{ "debug-nat", no_argument, NULL, '5' },
{ "debug-none", no_argument, NULL, 'N' },
{ "debug-all", no_argument, NULL, 'A' },
{ "debug-raw", no_argument, NULL, DBG_RAW + DBG_OFFSET },
{ "debug-crypto", no_argument, NULL, DBG_CRYPT + DBG_OFFSET },
{ "debug-parsing", no_argument, NULL, DBG_PARSING + DBG_OFFSET },
{ "debug-emitting", no_argument, NULL, DBG_EMITTING + DBG_OFFSET },
{ "debug-control", no_argument, NULL, DBG_CONTROL + DBG_OFFSET },
{ "debug-lifecycle", no_argument, NULL, DBG_LIFECYCLE + DBG_OFFSET },
{ "debug-klips", no_argument, NULL, DBG_KLIPS + DBG_OFFSET },
{ "debug-netkey", no_argument, NULL, DBG_NETKEY + DBG_OFFSET },
{ "debug-dns", no_argument, NULL, DBG_DNS + DBG_OFFSET },
{ "debug-oppoinfo", no_argument, NULL, DBG_OPPOINFO + DBG_OFFSET },
{ "debug-controlmore", no_argument, NULL, DBG_CONTROLMORE + DBG_OFFSET },
{ "debug-dpd", no_argument, NULL, DBG_DPD + DBG_OFFSET },
{ "debug-xauth", no_argument, NULL, DBG_XAUTH+ DBG_OFFSET },
{ "debug-x509", no_argument, NULL, DBG_X509 + DBG_OFFSET },
{ "debug-private", no_argument, NULL, DBG_PRIVATE + DBG_OFFSET },
{ "debug-pfkey", no_argument, NULL, DBG_PFKEY + DBG_OFFSET },
{ "debug-ifchange", no_argument, NULL, DBG_IF_CHANGE + DBG_OFFSET },
{ "log-openinfo", no_argument, NULL, 'i' },
{ "log-openwar", no_argument, NULL, 'w' },
{ "log-openerr", no_argument, NULL, 'r' },
{ "log-openuserlog", no_argument, NULL, 'e' },
{ "log-openradiuslog", no_argument, NULL, 'c' },
{ "log-openpri", no_argument, NULL, 'p' },
{ "log-opensyserr", no_argument, NULL, 'q' },
{ "log-closeall", no_argument, NULL, 'a' },
{ "debug-connection", required_argument, NULL, 'O' },
{ "debug-host", required_argument, NULL, 'H' },
{ "debug-stop", no_argument, NULL, 'S' },
{ "counter", no_argument, NULL, 'b' },
{ "isa-counter", no_argument, NULL, 'x' },
{ "krc", no_argument, NULL, 'E'},
{ "kss", required_argument, NULL, 'F'},
{ "kpc", no_argument, NULL, 'G'},
{ "kprt", required_argument, NULL, 'L'},
{ "kspi", required_argument, NULL, 'M' },
{ "kdst", required_argument, NULL, 'P' },
{ "kdnet", required_argument, NULL, 'R' },
{ "kid", required_argument, NULL, 'Q' },
{ "restore-vrf", no_argument, NULL, 'V' },
{ 0,0,0,0 }
};
int c = getopt_long(argc, argv, "", long_opts, NULL);
ip_address dst_tmp;
ip_subnet subnet_tmp;
switch (c)
{
case EOF: /* end of flags */
break;
case 0: /* long option already handled */
continue;
case ':': /* diagnostic already printed by getopt_long */
case '?': /* diagnostic already printed by getopt_long */
usage("");
break;
case 'h':
usage(NULL);
break;
case 'v':
{
const char **sp = ipsec_copyright_notice();
printf("%s%s\n", ipsec_version_string(),compile_time_interop_options);
for (; *sp != NULL; sp++)
{
puts(*sp);
}
}
exit(0);
break;
case 'i':
dic->public_info.log_falg = 1;
dic->public_info.log_level_info |= IPSEC_LOGLEVEL_INFO;
continue;
case 'w':
dic->public_info.log_falg = 1;
dic->public_info.log_level_info |= IPSEC_LOGLEVEL_WARNING;
continue;
case 'r':
dic->public_info.log_falg = 1;
dic->public_info.log_level_info |= IPSEC_LOGLEVEL_ERROR;
continue;
case 'e':
dic->public_info.log_falg = 1;
dic->public_info.log_level_info |= IPSEC_LOGLEVEL_USER_LOG;
continue;
case 'c':
dic->public_info.log_falg = 1;
dic->public_info.log_level_info |= IPSEC_LOGLEVEL_RADIUS_LOG;
continue;
case 'p':
dic->public_info.log_falg = 1;
dic->public_info.log_level_info |= IPSEC_LOGLEVEL_PRIVATE;
continue;
case 'q':
dic->public_info.log_falg = 1;
dic->public_info.log_level_info |= IPSEC_LOGLEVEL_SYSERROR;
continue;
case 'a':
dic->public_info.log_falg = 1;
dic->public_info.log_level_info=IPSEC_LOGLEVEL_CLOSE;
continue;
case 'B':
dic->com_type=IPSEC_DEBUG_STAR_HANDLE;
continue;
case 'D':
dic->com_type=IPSEC_DEBUG_QUIT_HANDLE;
continue;
case 'u':
dic->com_type=IPSEC_DEBUG_USER_HANDLE;
continue;
case 'K':
dic->com_type=IPSEC_DEBUG_KERNEL_HANDLE;
continue;
case 'N': /* --debug-none */
dic->public_info.public_info_flag=1;
dic->public_info.public_info_value=DBG_NONE;
continue;
case 'A': /* --debug-all */
dic->public_info.public_info_flag=1;
dic->public_info.public_info_value=DBG_ALL;
continue;
case 'O':
if(optarg != NULL)
{
strcpy(dic->child_info.child_info_optarg,optarg);
dic->child_info.child_info_type=IPSEC_CHILD_DEBUG_INFO_CON_NAME;
}
else
{
return 0;
}
break;
case 'H':
if(optarg != NULL)
{
strcpy(dic->child_info.child_info_optarg,optarg);
dic->child_info.child_info_type=IPSEC_CHILD_DEBUG_INFO_HOST;
}
else
{
return 0;
}
break;
case 'S':
dic->child_info.child_info_type=IPSEC_CHILD_DEBUG_INFO_STOP;
break;
case 'b':
dic->child_info.child_info_type=IPSEC_CHILD_DEBUG_INFO_PRINT_COUNTER;
break;
case 'x':
dic->child_info.child_info_type=IPSEC_CHILD_DEBUG_INFO_PRINT_ISA_COUNTER;
break;
case 'E':
pseudo_start_pluto = 1;
dic->kernel_info.flag= IPSEC_RESET_COUNTER;
continue;
case 'F':
pseudo_start_pluto = 1;
dic->kernel_info.flag = IPSEC_SET_DEBUG_SIP;
dic->kernel_info.sip =inet_addr(optarg);
continue;
case 'G':
pseudo_start_pluto = 1;
dic->kernel_info.flag = IPSEC_DUMP_COUNTER;
continue;
case 'L':
pseudo_start_pluto = 1;
dic->kernel_info.flag=IPSEC_PRINT_INTERFACE_TEMP;
if_get_index_by_name(optarg, (s32*)(&dic->kernel_info.ifindex));
continue;
case 'M':
pseudo_start_pluto = 1;
dic->kernel_info.flag=IPSEC_PRINT_INTERFACE_TEMP;
dic->kernel_info.spi = (u32)chartoint(optarg,strlen(optarg));
if((int)dic->kernel_info.spi < 0)
{
fprintf(stderr,"%s IS ERROR INPUT(For Example:0x123...)\n",optarg);
pfree(dic);
return 0;
}
continue;
case 'P':
pseudo_start_pluto = 1;
dic->kernel_info.flag=IPSEC_PRINT_INTERFACE_TEMP;
if(ttoaddr(optarg, 0, AF_INET, &dst_tmp))
{
fprintf(stderr,"you must input right IP\n");
pfree(dic);
return 0;
}
else{
dic->kernel_info.dsc.a4 = dst_tmp.u.v4.sin_addr.s_addr;
continue;
}
case 'R':
pseudo_start_pluto = 1;
dic->kernel_info.flag=IPSEC_PRINT_INTERFACE_TEMP;
if(ttosubnet(optarg, 0, AF_INET, &subnet_tmp))
{
fprintf(stderr,"you must input right subnet\n");
pfree(dic);
return 0;
}
else{
dic->kernel_info.net.a4 = subnet_tmp.addr.u.v4.sin_addr.s_addr;
continue;
}
case 'Q':
pseudo_start_pluto = 1;
dic->kernel_info.flag=IPSEC_PRINT_INTERFACE_TEMP;
dic->kernel_info.connid = atoi(optarg);
continue;
case 'V':
{
restore_vrf_pluto = 1;
}
continue;
default:
if (c >= DBG_OFFSET)
{
dic->public_info.public_info_flag=1;
dic->public_info.public_info_value |= c - DBG_OFFSET;
}
continue;
bad_case(c);
}
break;
}
/**
if(restore_vrf_pluto)
{
ipsec_restore_vrf_pluto();
}
**/
ipsec_restore_vrf_pluto();
{
u32 err;
conplat_syscall(MODULEID_OSBASIC, OSBASIC_GET_VRF_ID, &g_ipsec_vrf_id, sizeof(g_ipsec_vrf_id), (s32*)(&err));
if(err != 0)
{
g_ipsec_vrf_id = 0;
}
sprintf(pluto_lock + strlen(pluto_lock), "_%d", g_ipsec_vrf_id);
sprintf(ctl_addr.sun_path+ strlen(ctl_addr.sun_path), "_%d", g_ipsec_vrf_id);
sprintf(ws_ctl_addr.sun_path+ strlen(ws_ctl_addr.sun_path), "_%d", g_ipsec_vrf_id);
}
switch(dic->com_type)
{
case IPSEC_DEBUG_STAR_HANDLE:
if(dic->public_info.public_info_flag)
{
cur_debugging = dic->public_info.public_info_value;
}
if(dic->public_info.log_falg)
{
g_log_level = dic->public_info.log_level_info;
}
break;
case IPSEC_DEBUG_USER_HANDLE:
send_connection_debug(dic, IPSEC_DEBUG_USER_HANDLE);
pfree(dic);
return 0;
case IPSEC_DEBUG_KERNEL_HANDLE:
if(pseudo_start_pluto == 1)
{
u32 syscall_result = 0;
if((dic->kernel_info.flag==IPSEC_PRINT_INTERFACE_TEMP)&&(0 == dic->kernel_info.ifindex))
{
fprintf(stderr,"you must input the if name\n");
pfree(dic);
return 0;
}
conplat_syscall(MODULEID_IPSEC_POLICY, IPSEC_MODULE_DEBUG_PART, (void *)(&dic->kernel_info), sizeof(struct ipsec_user_debug_info), (s32 *)(&syscall_result));
if(g_ipsec_device_is_dpx)
{
(u32)conplat_syscall(FW_MODULEID_IPSEC | FW_BOARD, IPSEC_MODULE_DEBUG_PART, (void *)(&dic->kernel_info), sizeof(struct ipsec_user_debug_info), (s32 *)(&syscall_result));
}
}
else
{
fprintf(stderr,"after --kernel ,you must input the right command\n");
}
pfree(dic);
return 0;
case IPSEC_DEBUG_QUIT_HANDLE:
send_connection_debug(dic, IPSEC_DEBUG_QUIT_HANDLE);
pfree(dic);
return 0;
default:
fprintf(stderr,"you must input --start --quit --user or --kernel\n");
exit(0);
}
pfree(dic);
}
if (optind != argc)
{
usage("unexpected argument");
}
//如果你想再重启设备后默认打开调试开关
#if 0
cur_debugging = DBG_ALL;
#endif
lockfd = create_lock();
g_log_level |= ws_get_log_level(); //获得显示级别
g_ipsec_multiout = ws_get_multiOut(); //获取多接口转发标志位
if(g_ipsec_multiout)
{
int res;
conplat_syscall(MODULEID_IPSEC_POLICY, IPSEC_MODULE_MULTI_OUT, &(g_ipsec_multiout), sizeof(g_ipsec_multiout), &res);
}
ipsec_restore_tunnel_ipsec();
ipsec_init_lv2_switch();
ipsec_init_route_mode();
ipsec_init_user_syn();
ipsec_init_compress_enable();
ipsec_init_udp_checksum_switch();
ipsec_init_cookie();
ipsec_esp_alg_init();
init_vendorid();
//daemon之前销毁缓冲池中的数据库句柄,使用make_daemon不用加此函数
sqlite3_clear_buffer_ex();
{
{
pid_t pid = fork();
if (pid < 0)
{
int e = errno;
fprintf(stderr, "pluto: fork failed (%d %s)\n",errno, strerror(e));
exit_pluto(1);
}
if (pid != 0)
{
/* parent: die, after filling PID into lock file.
* must not use exit_pluto: lock would be removed!
*/
exit(fill_lock(lockfd, pid)? 0 : 1);
}
}
if (setsid() < 0)
{
int e = errno;
fprintf(stderr, "setsid() failed in main(). Errno %d: %s\n",errno, strerror(e));
exit_pluto(1);
}
}
/** Close everything but and (if needed) stderr.
* There is some danger that a library that we don't know
* about is using some fd that we don't know about.
* I guess we'll soon find out.
*/
{
int i;
for (i = getdtablesize() - 1; i >= 0; i--) /* Bad hack */
{
close(i);
}
/* make sure that stdin, stdout, stderr are reserved */
if (open("/dev/null", O_RDONLY) != 0)
{
IPSEC_abort();
}
if (dup2(0, 1) != 1)
{
IPSEC_abort();
}
}
init_constants();
init_pluto_vendorid();
ipsec_version_code();
ipsec_get_slot_bit(); // 需要放在ipsec_template_delete_all 前面
ipsec_template_delete_all();
ipsec_enable_flag(1);
ipsec_init_nat_traversal();
init_rnd_pool();
init_states();
init_connections();//添加到elist链中phase2 pending timer
init_crypto();
ipsec_drv_rsa_para_init(); //初始化使用硬件模幂运算时的固定参数
load_oswcrypto();
init_demux();
/* loading X.509 CA certificates */
load_authcerts("CA cert", "/config/sys/certificate/cacerts", AUTH_CA);
/* loading X.509 CRLs */
load_crls();
fflush(stderr);
fflush(stdout);
IPSEC_dbg("listening for IKE messages");
init_ws_ctl_socket();
/*初始化dpdns守护进程*/
ipsec_dpdns_init_helper();
/*读取DPVPN相关配置并初始化*/
//ipsec_dpvpn_init_cfg();
/*该操作放在操作数据库之后的主进程处理不能再数据操作*/
sqlite3_clear_buffer_ex();
/*初始化子进程*/
ipsec_child_init_helpers();
ipsec_main_call_server();
return -1; /* Shouldn't ever reach this */
}
int
main(int argc, char *argv[])
{
int opt = 0;
int all = 0;
int search = 0;
int typeexport = 0;
int checkconfig = 0;
int listroute=0, liststart=0;
struct starter_config *cfg = NULL;
err_t err = NULL;
char *confdir = NULL;
char *configfile = NULL;
char *varprefix = "";
int exit_status = 0;
struct starter_conn *conn = NULL;
char *defaultroute = NULL;
char *defaultnexthop = NULL;
char *ctlbase = NULL;
bool resolvip = FALSE;
#if 0
/* efence settings */
extern int EF_PROTECT_BELOW;
extern int EF_PROTECT_FREE;
EF_PROTECT_BELOW=1;
EF_PROTECT_FREE=1;
#endif
progname = argv[0];
rootdir[0]='\0';
tool_init_log();
while((opt = getopt_long(argc, argv, "", longopts, 0)) != EOF) {
switch(opt) {
case 'h':
/* usage: */
usage();
break;
case 'a':
all=1;
break;
case 'D':
verbose++;
break;
case 'W':
warningsarefatal++;
break;
case 'S':
search++;
break;
case 'T':
typeexport++;
break;
case 'K':
checkconfig++;
break;
case 'C':
configfile = clone_str(optarg, "config file name");
break;
case 'c':
ctlbase = clone_str(optarg, "control base");
break;
case 'A':
all=1;
break;
case 'r':
listroute=1;
break;
case 's':
liststart=1;
break;
case 'P':
varprefix=optarg;
break;
case 'R':
printf("setting rootdir=%s\n", optarg);
strncat(rootdir, optarg, sizeof(rootdir)-1);
break;
case 'd':
defaultroute=optarg;
break;
case 'n':
defaultnexthop=optarg;
break;
default:
usage();
}
}
/* if nothing to add, then complain */
if(optind == argc && !all && !listroute && !liststart && !search && !typeexport && !checkconfig) {
usage();
}
if(verbose > 3) {
extern int yydebug;
yydebug=1;
}
/* find config file */
confdir = getenv(IPSEC_CONFDIR_VAR);
if(confdir == NULL)
{
confdir = IPSEC_CONFDIR;
}
if(!configfile) {
configfile = alloc_bytes(strlen(confdir)+sizeof("/ipsec.conf")+2,"conf file");
/* calculate default value for configfile */
configfile[0]='\0';
strcpy(configfile, confdir);
if(configfile[strlen(configfile)-1]!='/')
{
strcat(configfile, "/");
}
strcat(configfile, "ipsec.conf");
}
if(verbose) {
printf("opening file: %s\n", configfile);
}
starter_use_log (verbose, 1, verbose ? 0 : 1);
err = NULL; /* reset to no error */
resolvip=TRUE; /* default to looking up names */
if(typeexport || checkconfig || listroute || liststart || search) {
/* but not if we have no use for them... might cause delays too! */
resolvip=FALSE;
}
cfg = confread_load(configfile, &err, resolvip, ctlbase,typeexport);
if(cfg == NULL) {
fprintf(stderr, "can not load config '%s': %s\n",
configfile, err);
exit(3);
}
else if(checkconfig) {
confread_free(cfg);
exit(0);
}
if(defaultroute) {
err_t e;
char b[ADDRTOT_BUF];
e = ttoaddr(defaultroute, strlen(defaultroute), AF_INET, &cfg->dr);
if(e) {
printf("ignoring invalid defaultroute: %s\n", e);
defaultroute = NULL;
/* exit(4); */
} else
if(verbose) {
addrtot(&cfg->dr, 0, b, sizeof(b));
printf("default route is: %s\n", b);
}
}
if(defaultnexthop) {
err_t e;
char b[ADDRTOT_BUF];
e = ttoaddr(defaultnexthop, strlen(defaultnexthop), AF_INET, &cfg->dnh);
if(e) {
printf("ignoring invalid defaultnexthop: %s\n", e);
defaultnexthop = NULL;
/* exit(4); */
} else
if(verbose) {
addrtot(&cfg->dnh, 0, b, sizeof(b));
printf("default nexthop is: %s\n", b);
}
}
if(all)
{
if(verbose) {
printf("loading all conns:");
}
/* load all conns marked as auto=add or better */
for(conn = cfg->conns.tqh_first;
conn != NULL;
conn = conn->link.tqe_next)
{
if (conn->desired_state == STARTUP_ADD
|| conn->desired_state == STARTUP_START
|| conn->desired_state == STARTUP_ROUTE) {
if(verbose) printf(" %s", conn->name);
starter_whack_add_conn(cfg, conn);
}
}
if(verbose) printf("\n");
} else if(listroute) {
if(verbose) {
printf("listing all conns marked as auto=start\n");
}
/* list all conns marked as auto=route or start or better */
for(conn = cfg->conns.tqh_first;
conn != NULL;
conn = conn->link.tqe_next)
{
if (conn->desired_state == STARTUP_START
|| conn->desired_state == STARTUP_ROUTE) {
printf("%s ", conn->name);
}
}
printf("\n");
} else if(liststart) {
/* list all conns marked as auto=start */
for(conn = cfg->conns.tqh_first;
conn != NULL;
conn = conn->link.tqe_next)
{
if (conn->desired_state == STARTUP_START) {
printf("%s ", conn->name);
}
}
printf("\n");
} else if(search) {
char *sep="";
if((argc-optind) < 2 ) {
printf("%s_confreadstatus=failed\n", varprefix);
confread_free(cfg);
exit(3);
}
printf("%s_confreadstatus=\n", varprefix);
printf("%s_confreadnames=\"",varprefix);
/* find conn names that have value set */
for(conn = cfg->conns.tqh_first;
conn != NULL;
conn = conn->link.tqe_next)
{
/* we recognize a limited set of values */
if(strcasecmp(argv[optind],"auto")==0 &&
strcasecmp(argv[optind+1],"manual")==0) {
if(conn->manualkey) {
printf("%s%s", sep, conn->name);
sep=" ";
}
}
}
printf("\"\n");
confread_free(cfg);
exit(0);
} else if(typeexport) {
struct keyword_def *kd;
printf("export %sconfreadstatus=''\n", varprefix);
for(kd=ipsec_conf_keywords_v2; kd->keyname != NULL; kd++) {
if((kd->validity & kv_config)==0) continue;
switch(kd->type) {
case kt_string:
case kt_filename:
case kt_dirname:
case kt_loose_enum:
if(cfg->setup.strings[kd->field]) {
printf("export %s%s='%s'\n",
varprefix, kd->keyname,
cfg->setup.strings[kd->field]);
}
break;
case kt_bool:
printf("export %s%s='%s'\n",
varprefix, kd->keyname,
cfg->setup.options[kd->field] ? "yes" : "no");
break;
case kt_list:
printf("export %s%s='",
varprefix, kd->keyname);
confwrite_list(stdout, "", cfg->setup.options[kd->field], kd);
printf("'\n");
break;
case kt_obsolete:
printf("# obsolete option '%s%s' ignored\n", varprefix, kd->keyname);
break;
default:
if(cfg->setup.options[kd->field] || cfg->setup.options_set[kd->field]) {
printf("export %s%s='%d'\n",
varprefix, kd->keyname,
cfg->setup.options[kd->field]);
}
break;
}
}
confread_free(cfg);
exit(0);
} else {
/* load named conns, regardless of their state */
int connum;
if(verbose) {
printf("loading named conns:");
}
for(connum = optind; connum<argc; connum++) {
char *connname = argv[connum];
if(verbose) {
printf(" %s", connname);
}
for(conn = cfg->conns.tqh_first;
conn != NULL;
conn = conn->link.tqe_next)
{
/* yes, let's make it case-insensitive */
if(strcasecmp(conn->name, connname)==0) {
if(conn->state == STATE_ADDED) {
printf("\nconn %s already added\n", conn->name);
} else if(conn->state == STATE_FAILED) {
printf("\nconn %s did not load properly\n", conn->name);
} else {
exit_status = starter_whack_add_conn(cfg, conn);
conn->state = STATE_ADDED;
}
break;
}
}
if(conn == NULL) {
/* only if we don't find it, do we now look for aliases */
for(conn = cfg->conns.tqh_first;
conn != NULL;
conn = conn->link.tqe_next)
{
if(conn->strings_set[KSF_CONNALIAS]
&& osw_alias_cmp(connname
, conn->strings[KSF_CONNALIAS])) {
if(conn->state == STATE_ADDED) {
printf("\nalias: %s conn %s already added\n", connname, conn->name);
} else if(conn->state == STATE_FAILED) {
printf("\nalias: %s conn %s did not load properly\n", connname, conn->name);
} else {
exit_status = starter_whack_add_conn(cfg, conn);
conn->state = STATE_ADDED;
}
break;
}
}
}
if(conn == NULL) {
exit_status++;
if(!verbose) {
printf("conn '%s': not found (tried aliases)\n", connname);
} else {
printf("(notfound)");
}
}
}
if(verbose) printf("\n");
}
confread_free(cfg);
exit(exit_status);
}
int
main(int argc, char **argv)
{
int i, nspis;
char *endptr;
int said_opt = 0;
const char* error_s = NULL;
char ipaddr_txt[ADDRTOT_BUF];
int j;
struct said_af said_af_array[4];
int error = 0;
struct stat sts;
struct sadb_ext *extensions[K_SADB_EXT_MAX + 1];
struct sadb_msg *pfkey_msg;
#if 0
ip_address pfkey_address_s_ska;
#endif
progname = argv[0];
for(i = 0; i < 4; i++) {
memset(&said_af_array[i], 0, sizeof(struct said_af));
}
if(argc > 1 && strcmp(argv[1], "--debug") == 0) {
debug = 1;
if(debug) {
fprintf(stdout, "\"--debug\" option requested.\n");
}
argv += 1;
argc -= 1;
pfkey_lib_debug = PF_KEY_DEBUG_PARSE_MAX;
}
if(debug) {
fprintf(stdout, "argc=%d (%d incl. --debug option).\n",
argc,
argc + 1);
}
if(argc > 1 && strcmp(argv[1], "--label") == 0) {
if(argc > 2) {
progname = malloc(strlen(argv[0])
+ 10 /* update this when changing the sprintf() */
+ strlen(argv[2]));
sprintf(progname, "%s --label %s",
argv[0],
argv[2]);
if(debug) {
fprintf(stdout, "using \"%s\" as a label.\n", progname);
}
argv += 2;
argc -= 2;
} else {
fprintf(stderr, "%s: --label option requires an argument.\n",
progname);
exit(1);
}
}
if(debug) {
fprintf(stdout, "...After check for --label option.\n");
}
if ( ((stat ("/proc/net/pfkey", &sts)) == 0) ) {
fprintf(stderr, "%s: NETKEY does not use the ipsec spigrp command. Use 'ip xfrm' instead.\n",progname);
exit(1);
}
if(argc == 1) {
int ret = 1;
if ((stat ("/proc/net/ipsec_spigrp", &sts)) != 0) {
fprintf(stderr, "%s: No spigrp - no IPsec support in kernel (are the modules loaded?)\n", progname);
} else {
ret = system("cat /proc/net/ipsec_spigrp");
ret = ret != -1 && WIFEXITED(ret) ? WEXITSTATUS(ret) : 1;
}
exit(ret);
}
if(debug) {
fprintf(stdout, "...After check for no option to print /proc/net/ipsec_spigrp.\n");
}
if(strcmp(argv[1], "--help") == 0) {
if(debug) {
fprintf(stdout, "\"--help\" option requested.\n");
}
usage(progname);
exit(1);
}
if(debug) {
fprintf(stdout, "...After check for --help option.\n");
}
if(strcmp(argv[1], "--version") == 0) {
if(debug) {
fprintf(stdout, "\"--version\" option requested.\n");
}
fprintf(stderr, "%s, %s\n", progname, ipsec_version_code());
exit(1);
}
if(debug) {
fprintf(stdout, "...After check for --version option.\n");
}
if(strcmp(argv[1], "--said") == 0) {
if(debug) {
fprintf(stdout, "processing %d args with --said flag.\n", argc);
}
said_opt = 1;
}
if(debug) {
fprintf(stdout, "...After check for --said option.\n");
}
if(said_opt) {
if (argc < 3 /*|| argc > 5*/) {
fprintf(stderr, "expecting 3 or more args with --said, got %d.\n", argc);
usage(progname);
exit(1);
}
nspis = argc - 2;
} else {
if ((argc < 5) || (argc > 17) || ((argc % 4) != 1)) {
fprintf(stderr, "expecting 5 or more args without --said, got %d.\n", argc);
usage(progname);
exit(1);
}
nspis = argc / 4;
}
if(debug) {
fprintf(stdout, "processing %d nspis.\n", nspis);
}
for(i = 0; i < nspis; i++) {
if(debug) {
fprintf(stdout, "processing spi #%d.\n", i);
}
if(said_opt) {
error_s = ttosa((const char *)argv[i+2], 0, (ip_said*)&(said_af_array[i].said));
if(error_s != NULL) {
fprintf(stderr, "%s: Error, %s converting --sa argument:%s\n",
progname, error_s, argv[i+2]);
exit (1);
}
said_af_array[i].af = addrtypeof(&(said_af_array[i].said.dst));
if(debug) {
addrtot(&said_af_array[i].said.dst, 0, ipaddr_txt, sizeof(ipaddr_txt));
fprintf(stdout, "said[%d].dst=%s.\n", i, ipaddr_txt);
}
} else {
if(!strcmp(argv[i*4+4], "ah")) {
said_af_array[i].said.proto = SA_AH;
}
if(!strcmp(argv[i*4+4], "esp")) {
said_af_array[i].said.proto = SA_ESP;
}
if(!strcmp(argv[i*4+4], "tun")) {
said_af_array[i].said.proto = SA_IPIP;
}
if(!strcmp(argv[i*4+4], "comp")) {
said_af_array[i].said.proto = SA_COMP;
}
if(said_af_array[i].said.proto == 0) {
fprintf(stderr, "%s: Badly formed proto: %s\n",
progname, argv[i*4+4]);
exit(1);
}
said_af_array[i].said.spi = htonl(strtoul(argv[i*4+3], &endptr, 0));
if(!(endptr == argv[i*4+3] + strlen(argv[i*4+3]))) {
fprintf(stderr, "%s: Badly formed spi: %s\n",
progname, argv[i*4+3]);
exit(1);
}
if(!strcmp(argv[i*4+1], "inet")) {
said_af_array[i].af = AF_INET;
}
if(!strcmp(argv[i*4+1], "inet6")) {
said_af_array[i].af = AF_INET6;
}
if((said_af_array[i].af != AF_INET) && (said_af_array[i].af != AF_INET6)) {
fprintf(stderr, "%s: Address family %s not supported\n",
progname, argv[i*4+1]);
exit(1);
}
error_s = ttoaddr(argv[i*4+2], 0, said_af_array[i].af, &(said_af_array[i].said.dst));
if(error_s != NULL) {
fprintf(stderr, "%s: Error, %s converting %dth address argument:%s\n",
progname, error_s, i, argv[i*4+2]);
exit (1);
}
}
if(debug) {
fprintf(stdout, "SA %d contains: ", i+1);
fprintf(stdout, "\n");
fprintf(stdout, "proto = %d\n", said_af_array[i].said.proto);
fprintf(stdout, "spi = %08x\n", said_af_array[i].said.spi);
addrtot(&said_af_array[i].said.dst, 0, ipaddr_txt, sizeof(ipaddr_txt));
fprintf(stdout, "edst = %s\n", ipaddr_txt);
}
}
if(debug) {
fprintf(stdout, "Opening pfkey socket.\n");
}
pfkey_sock = pfkey_open_sock_with_error();
if(pfkey_sock < 0) {
exit(1);
}
for(i = 0; i < (((nspis - 1) < 2) ? 1 : (nspis - 1)); i++) {
if(debug) {
fprintf(stdout, "processing %dth pfkey message.\n", i);
}
pfkey_extensions_init(extensions);
for(j = 0; j < ((nspis == 1) ? 1 : 2); j++) {
if(debug) {
fprintf(stdout, "processing %dth said of %dth pfkey message.\n", j, i);
}
/* Build an SADB_X_GRPSA message to send down. */
/* It needs <base, SA, SA2, address(D,D2) > minimum. */
if(!j) {
if((error = pfkey_msg_hdr_build(&extensions[0],
K_SADB_X_GRPSA,
proto2satype(said_af_array[i].said.proto),
0,
++pfkey_seq,
getpid()))) {
fprintf(stderr, "%s: Trouble building message header, error=%d.\n",
progname, error);
pfkey_extensions_free(extensions);
exit(1);
}
} else {
if(debug) {
fprintf(stdout, "setting x_satype proto=%d satype=%d\n",
said_af_array[i+j].said.proto,
proto2satype(said_af_array[i+j].said.proto)
);
}
if((error = pfkey_x_satype_build(&extensions[K_SADB_X_EXT_SATYPE2],
proto2satype(said_af_array[i+j].said.proto)
))) {
fprintf(stderr, "%s: Trouble building message header, error=%d.\n",
progname, error);
pfkey_extensions_free(extensions);
exit(1);
}
}
if((error = pfkey_sa_build(&extensions[!j ? K_SADB_EXT_SA : K_SADB_X_EXT_SA2],
!j ? K_SADB_EXT_SA : K_SADB_X_EXT_SA2,
said_af_array[i+j].said.spi, /* in network order */
0,
0,
0,
0,
0))) {
fprintf(stderr, "%s: Trouble building sa extension, error=%d.\n",
progname, error);
pfkey_extensions_free(extensions);
exit(1);
}
#if 0
if(!j) {
anyaddr(said_af_array[i].af, &pfkey_address_s_ska); /* Is the address family correct ?? */
if((error = pfkey_address_build(&extensions[K_SADB_EXT_ADDRESS_SRC],
K_SADB_EXT_ADDRESS_SRC,
0,
0,
sockaddrof(&pfkey_address_s_ska)))) {
addrtot(&pfkey_address_s_ska, 0, ipaddr_txt, sizeof(ipaddr_txt));
fprintf(stderr, "%s: Trouble building address_s extension (%s), error=%d.\n",
progname, ipaddr_txt, error);
pfkey_extensions_free(extensions);
exit(1);
}
}
#endif
if((error = pfkey_address_build(&extensions[!j ? SADB_EXT_ADDRESS_DST : SADB_X_EXT_ADDRESS_DST2],
!j ? SADB_EXT_ADDRESS_DST : SADB_X_EXT_ADDRESS_DST2,
0,
0,
sockaddrof(&said_af_array[i+j].said.dst)))) {
addrtot(&said_af_array[i+j].said.dst,
0, ipaddr_txt, sizeof(ipaddr_txt));
fprintf(stderr, "%s: Trouble building address_d extension (%s), error=%d.\n",
progname, ipaddr_txt, error);
pfkey_extensions_free(extensions);
exit(1);
}
}
if((error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_IN))) {
fprintf(stderr, "%s: Trouble building pfkey message, error=%d.\n",
progname, error);
pfkey_extensions_free(extensions);
pfkey_msg_free(&pfkey_msg);
exit(1);
}
if((error = write(pfkey_sock,
pfkey_msg,
pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) !=
(ssize_t)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) {
fprintf(stderr, "%s: pfkey write failed, returning %d with errno=%d.\n",
progname, error, errno);
pfkey_extensions_free(extensions);
pfkey_msg_free(&pfkey_msg);
pfkey_write_error(error, errno);
}
if(pfkey_msg) {
pfkey_extensions_free(extensions);
pfkey_msg_free(&pfkey_msg);
}
}
(void) close(pfkey_sock); /* close the socket */
exit(0);
}
int main(int argc, char *argv[])
{
__u32 spi = 0;
int c;
ip_said said;
const char *error_s;
char ipsaid_txt[SATOT_BUF];
int outif = 0;
int error = 0;
ssize_t io_error;
int argcount = argc;
pid_t mypid;
int listenreply = 0;
unsigned char authalg, encryptalg;
struct sadb_ext *extensions[K_SADB_EXT_MAX + 1];
struct sadb_msg *pfkey_msg;
char *edst_opt, *spi_opt, *proto_opt, *af_opt, *said_opt, *dst_opt,
*src_opt;
u_int32_t natt;
u_int16_t sport, dport;
uint32_t life[life_maxsever][life_maxtype];
char *life_opt[life_maxsever][life_maxtype];
struct stat sts;
struct sadb_builds sab;
progname = argv[0];
mypid = getpid();
natt = 0;
sport = 0;
dport = 0;
tool_init_log();
zero(&said); /* OK: no pointer fields */
edst_opt = spi_opt = proto_opt = af_opt = said_opt = dst_opt =
src_opt = NULL;
{
int i, j;
for (i = 0; i < life_maxsever; i++) {
for (j = 0; j < life_maxtype; j++) {
life_opt[i][j] = NULL;
life[i][j] = 0;
}
}
}
while ((c = getopt_long(argc, argv,
"" /*"H:P:Z:46dcA:E:e:s:a:w:i:D:S:hvgl:+:f:"*/,
longopts, 0)) != EOF) {
unsigned long u;
err_t ugh;
switch (c) {
case 'g':
debug = TRUE;
pfkey_lib_debug = PF_KEY_DEBUG_PARSE_MAX;
/* paul: this is a plutoism? cur_debugging = 0xffffffff; */
argcount--;
break;
case 'R':
listenreply = 1;
argcount--;
break;
case 'r':
dumpsaref = 1;
argcount--;
break;
case 'b': /* set the SAref to use */
ugh = ttoulb(optarg, 0, 0, INT_MAX, &u);
if (ugh != NULL) {
fprintf(stderr,
"%s: Invalid SAREFi parameter \"%s\": %s\n",
progname, optarg, ugh);
exit(1);
}
saref_me = u;
argcount--;
break;
case 'B': /* set the SAref to use for outgoing packets */
ugh = ttoulb(optarg, 0, 0, INT_MAX, &u);
if (ugh != NULL) {
fprintf(stderr,
"%s: Invalid SAREFo parameter \"%s\": %s\n",
progname, optarg, ugh);
exit(1);
}
saref_him = u;
argcount--;
break;
case 'O': /* set interface from which packet should arrive */
ugh = ttoulb(optarg, 0, 0, INT_MAX, &u);
if (ugh != NULL) {
fprintf(stderr,
"%s: Invalid outif parameter \"%s\": %s\n",
progname, optarg, ugh);
exit(1);
}
outif = u;
argcount--;
break;
case 'l':
{
static const char combine_fmt[] = "%s --label %s";
size_t room = strlen(argv[0]) +
sizeof(combine_fmt) +
strlen(optarg);
progname = malloc(room);
snprintf(progname, room, combine_fmt,
argv[0],
optarg);
tool_close_log();
tool_init_log();
argcount -= 2;
break;
}
case 'H':
if (alg) {
fprintf(stderr,
"%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n",
progname);
exit(1);
}
if (streq(optarg, "hmac-md5-96")) {
alg = XF_AHHMACMD5;
} else if (streq(optarg, "hmac-sha1-96")) {
alg = XF_AHHMACSHA1;
} else {
fprintf(stderr,
"%s: Unknown authentication algorithm '%s' follows '--ah' option.\n",
progname, optarg);
exit(1);
}
if (debug) {
fprintf(stdout, "%s: Algorithm %d selected.\n",
progname,
alg);
}
break;
case 'P':
if (alg) {
fprintf(stderr,
"%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n",
progname);
exit(1);
}
alg = decode_esp(optarg);
if (debug) {
fprintf(stdout, "%s: Algorithm %d selected.\n",
progname,
alg);
}
break;
case 'Z':
if (alg) {
fprintf(stderr,
"%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n",
progname);
exit(1);
}
if (streq(optarg, "deflate")) {
alg = XF_COMPDEFLATE;
} else if (streq(optarg, "lzs")) {
alg = XF_COMPLZS;
} else {
fprintf(stderr,
"%s: Unknown compression algorithm '%s' follows '--comp' option.\n",
progname, optarg);
exit(1);
}
if (debug) {
fprintf(stdout, "%s: Algorithm %d selected.\n",
progname,
alg);
}
break;
case '4':
if (alg) {
fprintf(stderr,
"%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n",
progname);
exit(1);
}
alg = XF_IP4;
address_family = AF_INET;
if (debug) {
fprintf(stdout, "%s: Algorithm %d selected.\n",
progname,
alg);
}
break;
case '6':
if (alg) {
fprintf(stderr,
"%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n",
progname);
exit(1);
}
alg = XF_IP6;
address_family = AF_INET6;
if (debug) {
fprintf(stdout, "%s: Algorithm %d selected.\n",
progname,
alg);
}
break;
case 'd':
if (alg) {
fprintf(stderr,
"%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n",
progname);
exit(1);
}
alg = XF_DEL;
if (debug) {
fprintf(stdout, "%s: Algorithm %d selected.\n",
progname,
alg);
}
break;
case 'c':
if (alg) {
fprintf(stderr,
"%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n",
progname);
exit(1);
}
alg = XF_CLR;
if (debug) {
fprintf(stdout, "%s: Algorithm %d selected.\n",
progname,
alg);
}
break;
case 'e':
if (said_opt) {
fprintf(stderr,
"%s: Error, EDST parameter redefined:%s, already defined in SA:%s\n",
progname, optarg, said_opt);
exit(1);
}
if (edst_opt) {
fprintf(stderr,
"%s: Error, EDST parameter redefined:%s, already defined as:%s\n",
progname, optarg, edst_opt);
exit(1);
}
error_s = ttoaddr(optarg, 0, address_family, &edst);
if (error_s != NULL) {
if (error_s) {
fprintf(stderr,
"%s: Error, %s converting --edst argument:%s\n",
progname, error_s, optarg);
exit(1);
}
}
edst_opt = optarg;
if (debug) {
ipstr_buf b;
fprintf(stdout, "%s: edst=%s.\n",
progname,
ipstr(&edst, &b));
}
break;
case 's':
if (said_opt != NULL) {
fprintf(stderr,
"%s: Error, SPI parameter redefined:%s, already defined in SA:%s\n",
progname, optarg, said_opt);
exit(1);
}
if (spi_opt != NULL) {
fprintf(stderr,
"%s: Error, SPI parameter redefined:%s, already defined as:%s\n",
progname, optarg, spi_opt);
exit(1);
}
ugh = ttoulb(optarg, 0, 0, 0xFFFFFFFFul, &u);
if (ugh == NULL && u < 0x100)
ugh = "0 - 0xFF are reserved";
if (ugh != NULL) {
fprintf(stderr,
"%s: Invalid SPI parameter \"%s\": %s\n",
progname, optarg, ugh);
exit(1);
}
spi = u;
spi_opt = optarg;
break;
case 'p':
if (said_opt != NULL) {
fprintf(stderr,
"%s: Error, PROTO parameter redefined:%s, already defined in SA:%s\n",
progname, optarg, said_opt);
exit(1);
}
if (proto_opt != NULL) {
fprintf(stderr,
"%s: Error, PROTO parameter redefined:%s, already defined as:%s\n",
progname, optarg, proto_opt);
exit(1);
}
if (streq(optarg, "ah")) {
proto = SA_AH;
} else if (streq(optarg, "esp")) {
proto = SA_ESP;
} else if (streq(optarg, "tun")) {
proto = SA_IPIP;
} else if (streq(optarg, "comp")) {
proto = SA_COMP;
} else {
fprintf(stderr,
"%s: Invalid PROTO parameter: %s\n",
progname, optarg);
exit(1);
}
proto_opt = optarg;
break;
case 'a':
if (said_opt) {
fprintf(stderr,
"%s: Error, ADDRESS FAMILY parameter redefined:%s, already defined in SA:%s\n",
progname, optarg, said_opt);
exit(1);
}
if (af_opt) {
fprintf(stderr,
"%s: Error, ADDRESS FAMILY parameter redefined:%s, already defined as:%s\n",
progname, optarg, af_opt);
exit(1);
}
if (streq(optarg, "inet")) {
address_family = AF_INET;
/* currently we ensure that all addresses belong to the same address family */
anyaddr(address_family, &dst);
anyaddr(address_family, &edst);
anyaddr(address_family, &src);
} else if (streq(optarg, "inet6")) {
address_family = AF_INET6;
/* currently we ensure that all addresses belong to the same address family */
anyaddr(address_family, &dst);
anyaddr(address_family, &edst);
anyaddr(address_family, &src);
} else {
fprintf(stderr,
"%s: Invalid ADDRESS FAMILY parameter: %s.\n",
progname, optarg);
exit(1);
}
af_opt = optarg;
break;
case 'I':
if (said_opt) {
fprintf(stderr,
"%s: Error, SAID parameter redefined:%s, already defined in SA:%s\n",
progname, optarg, said_opt);
exit(1);
}
if (proto_opt) {
fprintf(stderr,
"%s: Error, PROTO parameter redefined in SA:%s, already defined as:%s\n",
progname, optarg, proto_opt);
exit(1);
}
if (edst_opt) {
fprintf(stderr,
"%s: Error, EDST parameter redefined in SA:%s, already defined as:%s\n",
progname, optarg, edst_opt);
exit(1);
}
if (spi_opt) {
fprintf(stderr,
"%s: Error, SPI parameter redefined in SA:%s, already defined as:%s\n",
progname, optarg, spi_opt);
exit(1);
}
error_s = ttosa(optarg, 0, &said);
if (error_s != NULL) {
fprintf(stderr,
"%s: Error, %s converting --sa argument:%s\n",
progname, error_s, optarg);
exit(1);
}
if (debug) {
satot(&said, 0, ipsaid_txt,
sizeof(ipsaid_txt));
fprintf(stdout, "%s: said=%s.\n",
progname,
ipsaid_txt);
}
/* init the src and dst with the same address family */
if (address_family == 0) {
address_family = addrtypeof(&said.dst);
} else if (address_family != addrtypeof(&said.dst)) {
fprintf(stderr,
"%s: Error, specified address family (%d) is different that of SAID: %s\n",
progname, address_family, optarg);
exit(1);
}
anyaddr(address_family, &dst);
anyaddr(address_family, &edst);
anyaddr(address_family, &src);
said_opt = optarg;
break;
case 'A':
decode_blob(optarg, "Authentication Key", &authkey, &authkeylen);
break;
case 'E':
decode_blob(optarg, "Encryption Key", &enckey, &enckeylen);
break;
case 'w':
{
err_t ugh = ttoul(optarg, 0, 0, &replay_window);
if (ugh != NULL) {
fprintf(stderr,
"%s: Invalid replay_window parameter: %s\n",
progname, ugh);
exit(1);
}
if (!(1 <= replay_window && replay_window <= 64)) {
fprintf(stderr,
"%s: Failed -- Illegal window size: arg=%s, replay_window=%lu, must be 1 <= size <= 64.\n",
progname, optarg, replay_window);
exit(1);
}
}
break;
case 'i':
decode_blob(optarg, "IV", &iv, &ivlen);
break;
case 'D':
if (dst_opt) {
fprintf(stderr,
"%s: Error, DST parameter redefined:%s, already defined as:%s\n",
progname, optarg, dst_opt);
exit(1);
}
error_s = ttoaddr(optarg, 0, address_family, &dst);
if (error_s != NULL) {
fprintf(stderr,
"%s: Error, %s converting --dst argument:%s\n",
progname, error_s, optarg);
exit(1);
}
dst_opt = optarg;
if (debug) {
ipstr_buf b;
fprintf(stdout, "%s: dst=%s.\n",
progname,
ipstr(&dst, &b));
}
break;
case 'F': /* src port */
{
unsigned long u;
err_t ugh = ttoulb(optarg, 0, 0, 0xFFFF, &u);
if (ugh != NULL) {
fprintf(stderr,
"%s: Invalid source port parameter \"%s\": %s\n",
progname, optarg, ugh);
exit(1);
}
sport = u;
}
break;
case 'G': /* dst port */
{
unsigned long u;
err_t ugh = ttoulb(optarg, 0, 0, 0xFFFF, &u);
if (ugh != NULL) {
fprintf(stderr,
"%s: Invalid destination port parameter \"%s\": %s\n",
progname, optarg, ugh);
exit(1);
}
dport = u;
}
break;
case 'N': /* nat-type */
if (strcaseeq(optarg, "nonesp")) {
natt = ESPINUDP_WITH_NON_ESP;
} else if (strcaseeq(optarg, "none")) {
natt = 0;
} else {
/* ??? what does this do? Where is it documented? */
unsigned long u;
err_t ugh = ttoulb(optarg, 0, 0, 0xFFFFFFFFul, &u);
if (ugh != NULL) {
fprintf(stderr,
"%s: Invalid character in natt parameter \"%s\": %s\n",
progname, optarg, ugh);
exit(1);
}
natt = u;
}
break;
case 'S':
if (src_opt) {
fprintf(stderr,
"%s: Error, SRC parameter redefined:%s, already defined as:%s\n",
progname, optarg, src_opt);
exit(1);
}
error_s = ttoaddr(optarg, 0, address_family, &src);
if (error_s != NULL) {
fprintf(stderr,
"%s: Error, %s converting --src argument:%s\n",
progname, error_s, optarg);
exit(1);
}
src_opt = optarg;
if (debug) {
ipstr_buf b;
fprintf(stdout, "%s: src=%s.\n",
progname,
ipstr(&src, &b));
}
break;
case 'h':
usage(progname, stdout);
exit(0);
case '?':
usage(progname, stderr);
exit(1);
case 'v':
fprintf(stdout, "%s, %s\n", progname,
ipsec_version_code());
exit(1);
case 'f':
if (parse_life_options(life,
life_opt,
optarg) != 0)
exit(1);
break;
default:
fprintf(stderr,
"%s: unrecognized option '%c', update option processing.\n",
progname, c);
exit(1);
}
}
if (debug) {
fprintf(stdout, "%s: All options processed.\n",
progname);
}
if (stat("/proc/net/pfkey", &sts) == 0) {
fprintf(stderr,
"%s: NETKEY does not use the ipsec spi command. Use 'ip xfrm' instead.\n",
progname);
exit(1);
}
if (argcount == 1) {
int ret = 1;
if ((stat("/proc/net/ipsec_spi", &sts)) != 0) {
fprintf(stderr,
"%s: No spi - no IPsec support in kernel (are the modules loaded?)\n",
progname);
} else {
ret = system("cat /proc/net/ipsec_spi");
ret = ret != -1 &&
WIFEXITED(ret) ? WEXITSTATUS(ret) : 1;
}
exit(ret);
}
switch (alg) {
case XF_OTHER_ALG:
/* validate keysizes */
if (proc_read_ok) {
const struct sadb_alg *alg_p;
size_t keylen, minbits, maxbits;
alg_p = kernel_alg_sadb_alg_get(SADB_SATYPE_ESP,
SADB_EXT_SUPPORTED_ENCRYPT,
esp_info->encryptalg);
assert(alg_p != NULL);
keylen = enckeylen * 8;
minbits = alg_p->sadb_alg_minbits;
maxbits = alg_p->sadb_alg_maxbits;
/*
* if explicit keylen told in encrypt algo, eg "aes128"
* check actual keylen "equality"
*/
if (esp_info->enckeylen &&
esp_info->enckeylen != keylen) {
fprintf(stderr, "%s: invalid encryption keylen=%d, "
"required %d by encrypt algo string=\"%s\"\n",
progname,
(int)keylen,
(int)esp_info->enckeylen,
alg_string);
exit(1);
}
/* thanks DES for this sh*t */
if (minbits > keylen || maxbits < keylen) {
fprintf(stderr, "%s: invalid encryption keylen=%d, "
"must be between %d and %d bits\n",
progname,
(int)keylen,
(int)minbits,
(int)maxbits);
exit(1);
}
alg_p = kernel_alg_sadb_alg_get(SADB_SATYPE_ESP,
SADB_EXT_SUPPORTED_AUTH,
esp_info->authalg);
assert(alg_p);
keylen = authkeylen * 8;
minbits = alg_p->sadb_alg_minbits;
maxbits = alg_p->sadb_alg_maxbits;
if (minbits > keylen || maxbits < keylen) {
fprintf(stderr, "%s: invalid auth keylen=%d, "
"must be between %d and %d bits\n",
progname,
(int)keylen,
(int)minbits,
(int)maxbits);
exit(1);
}
}
/*
* ??? this break was added in a2791fda77a5cfcc6bc992fbc5019f4448112f88
* It is likely correct, but we're not sure.
* Luckily this code is probably never used.
*/
break;
case XF_IP4:
case XF_IP6:
case XF_DEL:
case XF_COMPDEFLATE:
case XF_COMPLZS:
if (!said_opt) {
if (isanyaddr(&edst)) {
fprintf(stderr,
"%s: SA destination not specified.\n",
progname);
exit(1);
}
if (!spi) {
fprintf(stderr, "%s: SA SPI not specified.\n",
progname);
exit(1);
}
if (!proto) {
fprintf(stderr,
"%s: SA PROTO not specified.\n",
progname);
exit(1);
}
initsaid(&edst, htonl(spi), proto, &said);
} else {
proto = said.proto;
spi = ntohl(said.spi);
edst = said.dst;
}
if ((address_family != 0) &&
(address_family != addrtypeof(&said.dst))) {
fprintf(stderr,
"%s: Defined address family and address family of SA missmatch.\n",
progname);
exit(1);
}
if (debug) {
fprintf(stdout, "%s: SA valid.\n",
progname);
}
break;
case XF_CLR:
break;
default:
fprintf(stderr,
"%s: No action chosen. See '%s --help' for usage.\n",
progname, progname);
exit(1);
}
switch (alg) {
case XF_CLR:
case XF_DEL:
case XF_IP4:
case XF_IP6:
case XF_COMPDEFLATE:
case XF_COMPLZS:
case XF_OTHER_ALG:
break;
default:
fprintf(stderr,
"%s: No action chosen. See '%s --help' for usage.\n",
progname, progname);
exit(1);
}
if (debug) {
fprintf(stdout, "%s: Algorithm ok.\n",
progname);
}
pfkey_sock = pfkey_open_sock_with_error();
if (pfkey_sock < 0)
exit(1);
/* Build an SADB_ADD message to send down. */
/* It needs <base, SA, address(SD), key(AE)> minimum. */
/* Lifetime(HS) could be added before addresses. */
pfkey_extensions_init(extensions);
error = pfkey_msg_hdr_build(&extensions[0],
alg == XF_DEL ? SADB_DELETE :
alg == XF_CLR ? SADB_FLUSH :
SADB_ADD,
proto2satype(proto),
0,
++pfkey_seq,
mypid);
if (error != 0) {
fprintf(stderr,
"%s: Trouble building message header, error=%d.\n",
progname, error);
pfkey_extensions_free(extensions);
exit(1);
}
switch (alg) {
case XF_OTHER_ALG:
authalg = esp_info->authalg;
if (debug) {
fprintf(stdout, "%s: debug: authalg=%d\n",
progname, authalg);
}
break;
default:
authalg = SADB_AALG_NONE;
}
switch (alg) {
case XF_COMPDEFLATE:
encryptalg = SADB_X_CALG_DEFLATE;
break;
case XF_COMPLZS:
encryptalg = SADB_X_CALG_LZS;
break;
case XF_OTHER_ALG:
encryptalg = esp_info->encryptalg;
if (debug) {
fprintf(stdout, "%s: debug: encryptalg=%d\n",
progname, encryptalg);
}
break;
default:
encryptalg = SADB_EALG_NONE;
}
/* IE: pfkey_msg->sadb_msg_type == SADB_FLUSH */
if (!(alg == XF_CLR)) {
sab.sa_base.sadb_sa_len = 0;
sab.sa_base.sadb_sa_exttype = SADB_EXT_SA;
sab.sa_base.sadb_sa_spi = htonl(spi);
sab.sa_base.sadb_sa_replay = replay_window;
sab.sa_base.sadb_sa_state = K_SADB_SASTATE_MATURE;
sab.sa_base.sadb_sa_auth = authalg;
sab.sa_base.sadb_sa_encrypt = encryptalg;
sab.sa_base.sadb_sa_flags = 0;
sab.sa_base.sadb_x_sa_ref = IPSEC_SAREF_NULL;
sab.sa_base.sadb_x_reserved[0] = 0;
sab.sa_base.sadb_x_reserved[1] = 0;
sab.sa_base.sadb_x_reserved[2] = 0;
sab.sa_base.sadb_x_reserved[3] = 0;
error = pfkey_sa_builds(&extensions[SADB_EXT_SA], sab);
if (error != 0) {
fprintf(stderr,
"%s: Trouble building sa extension, error=%d.\n",
progname, error);
pfkey_extensions_free(extensions);
exit(1);
}
if (saref_me || saref_him) {
error = pfkey_saref_build(&extensions[
K_SADB_X_EXT_SAREF],
saref_me, saref_him);
if (error) {
fprintf(stderr,
"%s: Trouble building saref extension, error=%d.\n",
progname, error);
pfkey_extensions_free(extensions);
exit(1);
}
}
if (outif != 0) {
error = pfkey_outif_build(&extensions[
SADB_X_EXT_PLUMBIF],
outif);
if (error != 0) {
fprintf(stderr,
"%s: Trouble building outif extension, error=%d.\n",
progname, error);
pfkey_extensions_free(extensions);
exit(1);
}
}
if (debug) {
fprintf(stdout,
"%s: extensions[0]=0p%p previously set with msg_hdr.\n",
progname,
extensions[0]);
}
if (debug) {
fprintf(stdout,
"%s: assembled SA extension, pfkey msg authalg=%d encalg=%d.\n",
progname,
authalg,
encryptalg);
}
if (debug) {
int i, j;
for (i = 0; i < life_maxsever; i++) {
for (j = 0; j < life_maxtype; j++) {
fprintf(stdout,
"%s: i=%d, j=%d, life_opt[%d][%d]=0p%p, life[%d][%d]=%d\n",
progname,
i, j, i, j, life_opt[i][j], i, j,
life[i][j]);
}
}
}
emit_lifetime("lifetime_s", SADB_EXT_LIFETIME_SOFT, extensions, life_opt[life_soft], life[life_soft]);
emit_lifetime("lifetime_h", SADB_EXT_LIFETIME_HARD, extensions, life_opt[life_hard], life[life_hard]);
if (debug) {
ipstr_buf b;
fprintf(stdout,
"%s: assembling address_s extension (%s).\n",
progname, ipstr(&src, &b));
}
error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_SRC],
SADB_EXT_ADDRESS_SRC,
0,
0,
sockaddrof(&src));
if (error != 0) {
ipstr_buf b;
fprintf(stderr,
"%s: Trouble building address_s extension (%s), error=%d.\n",
progname, ipstr(&src, &b), error);
pfkey_extensions_free(extensions);
exit(1);
}
error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_DST],
SADB_EXT_ADDRESS_DST,
0,
0,
sockaddrof(&edst));
if (error != 0) {
ipstr_buf b;
fprintf(stderr,
"%s: Trouble building address_d extension (%s), error=%d.\n",
progname, ipstr(&edst, &b), error);
pfkey_extensions_free(extensions);
exit(1);
}
switch (alg) {
/* Allow no auth ... after all is local root decision 8) */
case XF_OTHER_ALG:
if (!authalg)
break;
error = pfkey_key_build(&extensions[SADB_EXT_KEY_AUTH],
SADB_EXT_KEY_AUTH,
authkeylen * 8,
authkey);
if (error != 0) {
fprintf(stderr,
"%s: Trouble building key_a extension, error=%d.\n",
progname, error);
pfkey_extensions_free(extensions);
exit(1);
}
if (debug) {
fprintf(stdout,
"%s: key_a extension assembled.\n",
progname);
}
break;
default:
break;
}
switch (alg) {
case XF_OTHER_ALG:
if (enckeylen == 0) {
if (debug)
fprintf(stdout, "%s: key not provided (NULL alg?).\n",
progname);
break;
}
error = pfkey_key_build(&extensions[SADB_EXT_KEY_ENCRYPT],
SADB_EXT_KEY_ENCRYPT,
enckeylen * 8,
enckey);
if (error != 0) {
fprintf(stderr,
"%s: Trouble building key_e extension, error=%d.\n",
progname, error);
pfkey_extensions_free(extensions);
exit(1);
}
if (debug) {
fprintf(stdout,
"%s: key_e extension assembled.\n",
progname);
}
break;
default:
break;
}
}
if (natt != 0) {
bool success;
int err;
err = pfkey_x_nat_t_type_build(&extensions[
K_SADB_X_EXT_NAT_T_TYPE],
natt);
success = pfkey_build(err,
"pfkey_nat_t_type Add ESP SA",
ipsaid_txt, extensions);
if (!success)
return FALSE;
if (debug)
fprintf(stderr, "setting natt_type to %d\n", natt);
if (sport != 0) {
err = pfkey_x_nat_t_port_build(
&extensions[K_SADB_X_EXT_NAT_T_SPORT],
K_SADB_X_EXT_NAT_T_SPORT,
sport);
success = pfkey_build(err,
"pfkey_nat_t_sport Add ESP SA",
ipsaid_txt, extensions);
if (debug)
fprintf(stderr, "setting natt_sport to %d\n",
sport);
if (!success)
return FALSE;
}
if (dport != 0) {
err = pfkey_x_nat_t_port_build(
&extensions[K_SADB_X_EXT_NAT_T_DPORT],
K_SADB_X_EXT_NAT_T_DPORT,
dport);
success = pfkey_build(err,
"pfkey_nat_t_dport Add ESP SA",
ipsaid_txt, extensions);
if (debug)
fprintf(stderr, "setting natt_dport to %d\n",
dport);
if (!success)
return FALSE;
}
#if 0
/* not yet implemented */
if (natt != 0 && !isanyaddr(&natt_oa)) {
ip_str_buf b;
success = pfkeyext_address(SADB_X_EXT_NAT_T_OA,
&natt_oa,
"pfkey_nat_t_oa Add ESP SA",
ipsaid_txt, extensions);
if (debug)
fprintf(stderr, "setting nat_oa to %s\n",
ipstr(&natt_oa, &b));
if (!success)
return FALSE;
}
#endif
}
if (debug) {
fprintf(stdout, "%s: assembling pfkey msg....\n",
progname);
}
error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_IN);
if (error != 0) {
fprintf(stderr,
"%s: Trouble building pfkey message, error=%d.\n",
progname, error);
pfkey_extensions_free(extensions);
pfkey_msg_free(&pfkey_msg);
exit(1);
}
if (debug) {
fprintf(stdout, "%s: assembled.\n",
progname);
}
if (debug) {
fprintf(stdout, "%s: writing pfkey msg.\n",
progname);
}
io_error = write(pfkey_sock,
pfkey_msg,
pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN);
if (io_error < 0) {
fprintf(stderr, "%s: pfkey write failed (errno=%d): ",
progname, errno);
pfkey_extensions_free(extensions);
pfkey_msg_free(&pfkey_msg);
switch (errno) {
case EACCES:
fprintf(stderr, "access denied. ");
if (getuid() == 0)
fprintf(stderr,
"Check permissions. Should be 600.\n");
else
fprintf(stderr,
"You must be root to open this file.\n");
break;
case EUNATCH:
fprintf(stderr,
"Netlink not enabled OR KLIPS not loaded.\n");
break;
case EBUSY:
fprintf(stderr,
"KLIPS is busy. Most likely a serious internal error occured in a previous command. Please report as much detail as possible to development team.\n");
break;
case EINVAL:
fprintf(stderr,
"Invalid argument, check kernel log messages for specifics.\n");
break;
case ENODEV:
fprintf(stderr, "KLIPS not loaded or enabled.\n");
fprintf(stderr, "No device?!?\n");
break;
case ENOBUFS:
fprintf(stderr, "No kernel memory to allocate SA.\n");
break;
case ESOCKTNOSUPPORT:
fprintf(stderr,
"Algorithm support not available in the kernel. Please compile in support.\n");
break;
case EEXIST:
fprintf(stderr,
"SA already in use. Delete old one first.\n");
break;
case ENOENT:
fprintf(stderr,
"device does not exist. See Libreswan installation procedure.\n");
break;
case ENXIO:
case ESRCH:
fprintf(stderr,
"SA does not exist. Cannot delete.\n");
break;
case ENOSPC:
fprintf(stderr,
"no room in kernel SAref table. Cannot process request.\n");
break;
case ESPIPE:
fprintf(stderr,
"kernel SAref table internal error. Cannot process request.\n");
break;
default:
fprintf(stderr,
"Unknown socket write error %d (%s). Please report as much detail as possible to development team.\n",
errno, strerror(errno));
}
exit(1);
} else if (io_error !=
(ssize_t)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) {
fprintf(stderr, "%s: pfkey write truncated to %d bytes\n",
progname, (int)io_error);
pfkey_extensions_free(extensions);
pfkey_msg_free(&pfkey_msg);
exit(1);
}
if (debug) {
fprintf(stdout, "%s: pfkey command written to socket.\n",
progname);
}
if (pfkey_msg != NULL) {
pfkey_extensions_free(extensions);
pfkey_msg_free(&pfkey_msg);
}
if (debug) {
fprintf(stdout, "%s: pfkey message buffer freed.\n",
progname);
}
if (authkey != NULL) {
memset(authkey, 0, authkeylen);
free(authkey);
}
if (enckey != NULL) {
memset(enckey, 0, enckeylen);
free(enckey);
}
if (iv != NULL) {
memset(iv, 0, ivlen);
free(iv);
}
if (listenreply || saref_me || dumpsaref) {
ssize_t readlen;
unsigned char pfkey_buf[PFKEYv2_MAX_MSGSIZE];
while ((readlen = read(pfkey_sock, pfkey_buf,
sizeof(pfkey_buf))) > 0) {
struct sadb_ext *extensions[K_SADB_EXT_MAX + 1];
pfkey_extensions_init(extensions);
pfkey_msg = (struct sadb_msg *)pfkey_buf;
/* first, see if we got enough for an sadb_msg */
if ((size_t)readlen < sizeof(struct sadb_msg)) {
if (debug) {
printf("%s: runt packet of size: %ld (<%lu)\n",
progname, (long)readlen,
(unsigned long)sizeof(struct
sadb_msg));
}
continue;
}
/* okay, we got enough for a message, print it out */
if (debug) {
printf("%s: pfkey v%d msg received. type=%d(%s) seq=%d len=%d pid=%d errno=%d satype=%d(%s)\n",
progname,
pfkey_msg->sadb_msg_version,
pfkey_msg->sadb_msg_type,
pfkey_v2_sadb_type_string(pfkey_msg->
sadb_msg_type),
pfkey_msg->sadb_msg_seq,
pfkey_msg->sadb_msg_len,
pfkey_msg->sadb_msg_pid,
pfkey_msg->sadb_msg_errno,
pfkey_msg->sadb_msg_satype,
satype2name(pfkey_msg->sadb_msg_satype));
}
if (readlen !=
(ssize_t)(pfkey_msg->sadb_msg_len *
IPSEC_PFKEYv2_ALIGN)) {
if (debug) {
printf("%s: packet size read from socket=%d doesn't equal sadb_msg_len %u * %u; message not decoded\n",
progname,
(int)readlen,
(unsigned)pfkey_msg->sadb_msg_len,
(unsigned)IPSEC_PFKEYv2_ALIGN);
}
continue;
}
if (pfkey_msg_parse(pfkey_msg, NULL, extensions,
EXT_BITS_OUT)) {
if (debug) {
printf("%s: unparseable PF_KEY message.\n",
progname);
}
continue;
}
if (debug) {
printf("%s: parseable PF_KEY message.\n",
progname);
}
if ((pid_t)pfkey_msg->sadb_msg_pid == mypid) {
if (saref_me || dumpsaref) {
struct sadb_x_saref *s =
(struct sadb_x_saref *)
extensions[
K_SADB_X_EXT_SAREF];
if (s != NULL) {
printf("%s: saref=%d/%d\n",
progname,
s->sadb_x_saref_me,
s->sadb_x_saref_him);
}
}
break;
}
}
}
(void) close(pfkey_sock); /* close the socket */
if (debug || listenreply)
printf("%s: exited normally\n", progname);
exit(0);
}
/**
* Validate that yes in fact we are one side of the tunnel
*
* The function checks that IP addresses are valid, nexthops are
* present (if needed) as well as policies, and sets the leftID
* from the left= if it isn't set.
*
* @param conn_st a connection definition
* @param end a connection end
* @param left boolean (are we 'left'? 1 = yes, 0 = no)
* @param perr pointer to char containing error value
* @return bool TRUE if failed
*/
static bool validate_end(struct starter_conn *conn_st
, struct starter_end *end
, bool left
, bool resolvip UNUSED
, err_t *perr)
{
err_t er = NULL;
char *err_str = NULL;
const char *leftright=(left ? "left" : "right");
int family = conn_st->options[KBF_CONNADDRFAMILY];
bool err = FALSE;
#define ERR_FOUND(args...) do { err += error_append(&err_str, ##args); } while(0)
if(!end->options_set[KNCF_IP]) {
conn_st->state = STATE_INCOMPLETE;
}
end->addrtype=end->options[KNCF_IP];
end->addr_family = family;
/* validate the KSCF_IP/KNCF_IP */
switch(end->addrtype) {
case KH_ANY:
anyaddr(family, &(end->addr));
break;
case KH_IFACE:
/* generally, this doesn't show up at this stage */
break;
case KH_IPADDR:
/* right=/left= */
assert(end->strings[KSCF_IP] != NULL);
if (end->strings[KSCF_IP][0]=='%') {
if (end->iface) pfree(end->iface);
end->iface = clone_str(end->strings[KSCF_IP] + 1, "KH_IPADDR end->iface");
if (starter_iface_find(end->iface, family, &(end->addr),
&(end->nexthop)) == -1) {
conn_st->state = STATE_INVALID;
}
/* not numeric, so set the type to the iface type */
end->addrtype = KH_IFACE;
break;
}
er = ttoaddr_num(end->strings[KNCF_IP], 0, family, &(end->addr));
if(er) {
/* not numeric, so set the type to the string type */
end->addrtype = KH_IPHOSTNAME;
}
if(end->id == NULL) {
char idbuf[ADDRTOT_BUF];
addrtot(&end->addr, 0, idbuf, sizeof(idbuf));
end->id= clone_str(idbuf, "end id");
}
break;
case KH_OPPO:
conn_st->policy |= POLICY_OPPO;
break;
case KH_OPPOGROUP:
conn_st->policy |= POLICY_OPPO|POLICY_GROUP;
break;
case KH_GROUP:
conn_st->policy |= POLICY_GROUP;
break;
case KH_IPHOSTNAME:
/* XXX */
break;
case KH_DEFAULTROUTE:
break;
case KH_NOTSET:
break;
}
/* validate the KSCF_SUBNET */
if(end->strings_set[KSCF_SUBNET])
{
char *value = end->strings[KSCF_SUBNET];
if ( ((strlen(value)>=6) && (strncmp(value,"vhost:",6)==0)) ||
((strlen(value)>=5) && (strncmp(value,"vnet:",5)==0)) ) {
er = NULL;
end->virt = clone_str(value, "end->virt");
}
else {
end->has_client = TRUE;
er = ttosubnet(value, 0, 0, &(end->subnet));
}
if (er) ERR_FOUND("bad subnet %ssubnet=%s [%s] family=%s", leftright, value, er, family2str(family));
}
/* set nexthop address to something consistent, by default */
anyaddr(family, &end->nexthop);
anyaddr(addrtypeof(&end->addr), &end->nexthop);
/* validate the KSCF_NEXTHOP */
if(end->strings_set[KSCF_NEXTHOP])
{
char *value = end->strings[KSCF_NEXTHOP];
if(strcasecmp(value, "%defaultroute")==0) {
end->nexttype=KH_DEFAULTROUTE;
} else {
if (tnatoaddr(value, strlen(value), AF_INET,
&(end->nexthop)) != NULL &&
tnatoaddr(value, strlen(value), AF_INET6,
&(end->nexthop)) != NULL) {
er = ttoaddr(value, 0, family, &(end->nexthop));
if (er) ERR_FOUND("bad addr %snexthop=%s [%s]", leftright, value, er);
}
end->nexttype = KH_IPADDR;
}
} else {
if (end->addrtype == KH_DEFAULTROUTE) {
end->nexttype = KH_DEFAULTROUTE;
}
anyaddr(family, &end->nexthop);
}
/* validate the KSCF_ID */
if(end->strings_set[KSCF_ID])
{
char *value = end->strings[KSCF_ID];
pfreeany(end->id);
end->id = clone_str(value, "end->id");
}
if(end->options_set[KSCF_RSAKEY1]) {
end->rsakey1_type = end->options[KSCF_RSAKEY1];
end->rsakey2_type = end->options[KSCF_RSAKEY2];
switch(end->rsakey1_type) {
case PUBKEY_DNS:
case PUBKEY_DNSONDEMAND:
end->key_from_DNS_on_demand = TRUE;
break;
default:
end->key_from_DNS_on_demand = FALSE;
/* validate the KSCF_RSAKEY1/RSAKEY2 */
if(end->strings[KSCF_RSAKEY1] != NULL)
{
char *value = end->strings[KSCF_RSAKEY1];
pfreeany(end->rsakey1);
end->rsakey1 = (unsigned char *)clone_str(value,"end->rsakey1");
}
if(end->strings[KSCF_RSAKEY2] != NULL)
{
char *value = end->strings[KSCF_RSAKEY2];
pfreeany(end->rsakey2);
end->rsakey2 = (unsigned char *)clone_str(value,"end->rsakey2");
}
}
}
/* validate the KSCF_SOURCEIP, if any, and if set,
* set the subnet to same value, if not set.
*/
if(end->strings_set[KSCF_SOURCEIP])
{
char *value = end->strings[KSCF_SOURCEIP];
if (tnatoaddr(value, strlen(value), AF_INET, &(end->sourceip)) != NULL
&& tnatoaddr(value, strlen(value), AF_INET6, &(end->sourceip)) != NULL) {
er = ttoaddr(value, 0, 0, &(end->sourceip));
if (er) ERR_FOUND("bad addr %ssourceip=%s [%s]", leftright, value, er);
} else {
er = tnatoaddr(value, 0, 0, &(end->sourceip));
if (er) ERR_FOUND("bad numerical addr %ssourceip=%s [%s]", leftright, value, er);
}
if(!end->has_client) {
starter_log(LOG_LEVEL_INFO, "defaulting %ssubnet to %s\n", leftright, value);
er = addrtosubnet(&end->sourceip, &end->subnet);
if (er) ERR_FOUND("attempt to default %ssubnet from %s failed: %s", leftright, value, er);
end->has_client = TRUE;
end->has_client_wildcard = FALSE;
}
}
/* copy certificate path name */
if(end->strings_set[KSCF_CERT]) {
end->cert = clone_str(end->strings[KSCF_CERT], "KSCF_CERT");
}
if(end->strings_set[KSCF_CA]) {
end->ca = clone_str(end->strings[KSCF_CA], "KSCF_CA");
}
if(end->strings_set[KSCF_UPDOWN]) {
end->updown = clone_str(end->strings[KSCF_UPDOWN], "KSCF_UPDOWN");
}
if(end->strings_set[KSCF_PROTOPORT]) {
err_t ugh;
char *value = end->strings[KSCF_PROTOPORT];
ugh = ttoprotoport(value, 0, &end->protocol, &end->port, &end->has_port_wildcard);
if (ugh) ERR_FOUND("bad %sprotoport=%s [%s]", leftright, value, ugh);
}
if (end->options_set[KNCF_XAUTHSERVER] ||
end->options_set[KNCF_XAUTHCLIENT]) {
conn_st->policy |= POLICY_XAUTH;
}
/*
KSCF_SUBNETWITHIN --- not sure what to do with it.
KSCF_ESPENCKEY --- todo (manual keying)
KSCF_ESPAUTHKEY --- todo (manual keying)
KSCF_SOURCEIP = 16,
KSCF_MAX = 19
*/
if(err) *perr = err_str;
return err;
# undef ERR_FOUND
}
int
main(int argc, char **argv)
{
int i, nspis;
char *endptr;
int said_opt = 0;
const char* error_s = NULL;
char ipaddr_txt[ADDRTOT_BUF];
int debug = 0;
int j;
struct said_af said_af_array[4];
int error = 0;
struct sadb_ext *extensions[SADB_EXT_MAX + 1];
struct sadb_msg *pfkey_msg;
#if 0
ip_address pfkey_address_s_ska;
#endif
program_name = argv[0];
for(i = 0; i < 4; i++) {
memset(&said_af_array[i], 0, sizeof(struct said_af));
}
if(argc > 1 && strcmp(argv[1], "--debug") == 0) {
debug = 1;
if(debug) {
fprintf(stdout, "\"--debug\" option requested.\n");
}
argv += 1;
argc -= 1;
pfkey_lib_debug = 1;
}
if(debug) {
fprintf(stdout, "argc=%d (%d incl. --debug option).\n",
argc,
argc + 1);
}
if(argc > 1 && strcmp(argv[1], "--label") == 0) {
if(argc > 2) {
program_name = malloc(strlen(argv[0])
+ 10 /* update this when changing the sprintf() */
+ strlen(argv[2]));
sprintf(program_name, "%s --label %s",
argv[0],
argv[2]);
if(debug) {
fprintf(stdout, "using \"%s\" as a label.\n", program_name);
}
argv += 2;
argc -= 2;
} else {
fprintf(stderr, "%s: --label option requires an argument.\n",
program_name);
exit(1);
}
}
if(debug) {
fprintf(stdout, "...After check for --label option.\n");
}
if(argc == 1) {
system("cat /proc/net/ipsec_spigrp");
exit(0);
}
if(debug) {
fprintf(stdout, "...After check for no option to print /proc/net/ipsec_spigrp.\n");
}
if(strcmp(argv[1], "--help") == 0) {
if(debug) {
fprintf(stdout, "\"--help\" option requested.\n");
}
usage(program_name);
exit(1);
}
if(debug) {
fprintf(stdout, "...After check for --help option.\n");
}
if(strcmp(argv[1], "--version") == 0) {
if(debug) {
fprintf(stdout, "\"--version\" option requested.\n");
}
fprintf(stdout, "%s %s\n", me, ipsec_version_code());
fprintf(stdout, "See `ipsec --copyright' for copyright information.\n");
exit(1);
}
if(debug) {
fprintf(stdout, "...After check for --version option.\n");
}
if(strcmp(argv[1], "--said") == 0) {
if(debug) {
fprintf(stdout, "processing %d args with --said flag.\n", argc);
}
said_opt = 1;
}
if(debug) {
fprintf(stdout, "...After check for --said option.\n");
}
if(said_opt) {
if (argc < 3 /*|| argc > 5*/) {
fprintf(stderr, "expecting 3 or more args with --said, got %d.\n", argc);
usage(program_name);
exit(1);
}
nspis = argc - 2;
} else {
if ((argc < 5) || (argc > 17) || ((argc % 4) != 1)) {
fprintf(stderr, "expecting 5 or more args without --said, got %d.\n", argc);
usage(program_name);
exit(1);
}
nspis = argc / 4;
}
if(debug) {
fprintf(stdout, "processing %d nspis.\n", nspis);
}
for(i = 0; i < nspis; i++) {
if(debug) {
fprintf(stdout, "processing spi #%d.\n", i);
}
if(said_opt) {
error_s = ttosa((const char *)argv[i+2], 0, (ip_said*)&(said_af_array[i].said));
if(error_s != NULL) {
fprintf(stderr, "%s: Error, %s converting --sa argument:%s\n",
program_name, error_s, argv[i+2]);
exit (1);
}
said_af_array[i].af = addrtypeof(&(said_af_array[i].said.dst));
if(debug) {
addrtot(&said_af_array[i].said.dst, 0, ipaddr_txt, sizeof(ipaddr_txt));
fprintf(stdout, "said[%d].dst=%s.\n", i, ipaddr_txt);
}
} else {
if(!strcmp(argv[i*4+4], "ah")) {
said_af_array[i].said.proto = SA_AH;
}
if(!strcmp(argv[i*4+4], "esp")) {
said_af_array[i].said.proto = SA_ESP;
}
if(!strcmp(argv[i*4+4], "tun")) {
said_af_array[i].said.proto = SA_IPIP;
}
if(!strcmp(argv[i*4+4], "comp")) {
said_af_array[i].said.proto = SA_COMP;
}
if(said_af_array[i].said.proto == 0) {
fprintf(stderr, "%s: Badly formed proto: %s\n",
program_name, argv[i*4+4]);
exit(1);
}
said_af_array[i].said.spi = htonl(strtoul(argv[i*4+3], &endptr, 0));
if(!(endptr == argv[i*4+3] + strlen(argv[i*4+3]))) {
fprintf(stderr, "%s: Badly formed spi: %s\n",
program_name, argv[i*4+3]);
exit(1);
}
if(!strcmp(argv[i*4+1], "inet")) {
said_af_array[i].af = AF_INET;
}
if(!strcmp(argv[i*4+1], "inet6")) {
said_af_array[i].af = AF_INET6;
}
if((said_af_array[i].af != AF_INET) && (said_af_array[i].af != AF_INET6)) {
fprintf(stderr, "%s: Address family %s not supported\n",
program_name, argv[i*4+1]);
exit(1);
}
error_s = ttoaddr(argv[i*4+2], 0, said_af_array[i].af, &(said_af_array[i].said.dst));
if(error_s != NULL) {
fprintf(stderr, "%s: Error, %s converting %dth address argument:%s\n",
program_name, error_s, i, argv[i*4+2]);
exit (1);
}
}
if(debug) {
fprintf(stdout, "SA %d contains: ", i+1);
fprintf(stdout, "\n");
fprintf(stdout, "proto = %d\n", said_af_array[i].said.proto);
fprintf(stdout, "spi = %08x\n", said_af_array[i].said.spi);
addrtot(&said_af_array[i].said.dst, 0, ipaddr_txt, sizeof(ipaddr_txt));
fprintf(stdout, "edst = %s\n", ipaddr_txt);
}
}
if(debug) {
fprintf(stdout, "Opening pfkey socket.\n");
}
if((pfkey_sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2) ) < 0) {
fprintf(stderr, "%s: Trouble opening PF_KEY family socket with error: ",
program_name);
switch(errno) {
case ENOENT:
fprintf(stderr, "device does not exist. See FreeS/WAN installation procedure.\n");
break;
case EACCES:
fprintf(stderr, "access denied. ");
if(getuid() == 0) {
fprintf(stderr, "Check permissions. Should be 600.\n");
} else {
fprintf(stderr, "You must be root to open this file.\n");
}
break;
case EUNATCH:
fprintf(stderr, "Netlink not enabled OR KLIPS not loaded.\n");
break;
case ENODEV:
fprintf(stderr, "KLIPS not loaded or enabled.\n");
break;
case EBUSY:
fprintf(stderr, "KLIPS is busy. Most likely a serious internal error occured in a previous command. Please report as much detail as possible to development team.\n");
break;
case EINVAL:
fprintf(stderr, "Invalid argument, KLIPS not loaded or check kernel log messages for specifics.\n");
break;
case ENOBUFS:
fprintf(stderr, "No kernel memory to allocate SA.\n");
break;
case ESOCKTNOSUPPORT:
fprintf(stderr, "Algorithm support not available in the kernel. Please compile in support.\n");
break;
case EEXIST:
fprintf(stderr, "SA already in use. Delete old one first.\n");
break;
case ENXIO:
fprintf(stderr, "SA does not exist. Cannot delete.\n");
break;
case EAFNOSUPPORT:
fprintf(stderr, "KLIPS not loaded or enabled.\n");
break;
default:
fprintf(stderr, "Unknown file open error %d. Please report as much detail as possible to development team.\n", errno);
}
exit(1);
}
for(i = 0; i < (((nspis - 1) < 2) ? 1 : (nspis - 1)); i++) {
if(debug) {
fprintf(stdout, "processing %dth pfkey message.\n", i);
}
pfkey_extensions_init(extensions);
for(j = 0; j < ((nspis == 1) ? 1 : 2); j++) {
if(debug) {
fprintf(stdout, "processing %dth said of %dth pfkey message.\n", j, i);
}
/* Build an SADB_X_GRPSA message to send down. */
/* It needs <base, SA, SA2, address(D,D2) > minimum. */
if(!j) {
if((error = pfkey_msg_hdr_build(&extensions[0],
SADB_X_GRPSA,
proto2satype(said_af_array[i].said.proto),
0,
++pfkey_seq,
getpid()))) {
fprintf(stderr, "%s: Trouble building message header, error=%d.\n",
program_name, error);
pfkey_extensions_free(extensions);
exit(1);
}
} else {
if(debug) {
fprintf(stdout, "setting x_satype proto=%d satype=%d\n",
said_af_array[i+j].said.proto,
proto2satype(said_af_array[i+j].said.proto)
);
}
if((error = pfkey_x_satype_build(&extensions[SADB_X_EXT_SATYPE2],
proto2satype(said_af_array[i+j].said.proto)
))) {
fprintf(stderr, "%s: Trouble building message header, error=%d.\n",
program_name, error);
pfkey_extensions_free(extensions);
exit(1);
}
}
if((error = pfkey_sa_build(&extensions[!j ? SADB_EXT_SA : SADB_X_EXT_SA2],
!j ? SADB_EXT_SA : SADB_X_EXT_SA2,
said_af_array[i+j].said.spi, /* in network order */
0,
0,
0,
0,
0))) {
fprintf(stderr, "%s: Trouble building sa extension, error=%d.\n",
program_name, error);
pfkey_extensions_free(extensions);
exit(1);
}
#if 0
if(!j) {
anyaddr(said_af_array[i].af, &pfkey_address_s_ska); /* Is the address family correct ?? */
if((error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_SRC],
SADB_EXT_ADDRESS_SRC,
0,
0,
sockaddrof(&pfkey_address_s_ska)))) {
addrtot(&pfkey_address_s_ska, 0, ipaddr_txt, sizeof(ipaddr_txt));
fprintf(stderr, "%s: Trouble building address_s extension (%s), error=%d.\n",
program_name, ipaddr_txt, error);
pfkey_extensions_free(extensions);
exit(1);
}
}
#endif
if((error = pfkey_address_build(&extensions[!j ? SADB_EXT_ADDRESS_DST : SADB_X_EXT_ADDRESS_DST2],
!j ? SADB_EXT_ADDRESS_DST : SADB_X_EXT_ADDRESS_DST2,
0,
0,
sockaddrof(&said_af_array[i+j].said.dst)))) {
addrtot(&said_af_array[i+j].said.dst,
0, ipaddr_txt, sizeof(ipaddr_txt));
fprintf(stderr, "%s: Trouble building address_d extension (%s), error=%d.\n",
program_name, ipaddr_txt, error);
pfkey_extensions_free(extensions);
exit(1);
}
}
if((error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_IN))) {
fprintf(stderr, "%s: Trouble building pfkey message, error=%d.\n",
program_name, error);
pfkey_extensions_free(extensions);
pfkey_msg_free(&pfkey_msg);
exit(1);
}
if((error = write(pfkey_sock,
pfkey_msg,
pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) !=
pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN) {
fprintf(stderr, "%s: pfkey write failed, returning %d with errno=%d.\n",
program_name, error, errno);
pfkey_extensions_free(extensions);
pfkey_msg_free(&pfkey_msg);
switch(errno) {
case EACCES:
fprintf(stderr, "access denied. ");
if(getuid() == 0) {
fprintf(stderr, "Check permissions. Should be 600.\n");
} else {
fprintf(stderr, "You must be root to open this file.\n");
}
break;
case EUNATCH:
fprintf(stderr, "Netlink not enabled OR KLIPS not loaded.\n");
break;
case EBUSY:
fprintf(stderr, "KLIPS is busy. Most likely a serious internal error occured in a previous command. Please report as much detail as possible to development team.\n");
break;
case EINVAL:
fprintf(stderr, "Invalid argument, check kernel log messages for specifics.\n");
break;
case ENODEV:
fprintf(stderr, "KLIPS not loaded or enabled.\n");
fprintf(stderr, "No device?!?\n");
break;
case ENOBUFS:
fprintf(stderr, "No kernel memory to allocate SA.\n");
break;
case ESOCKTNOSUPPORT:
fprintf(stderr, "Algorithm support not available in the kernel. Please compile in support.\n");
break;
case EEXIST:
fprintf(stderr, "SA already in use. Delete old one first.\n");
break;
case ENOENT:
fprintf(stderr, "device does not exist. See FreeS/WAN installation procedure.\n");
break;
case ENXIO:
fprintf(stderr, "SA does not exist. Cannot delete.\n");
break;
default:
fprintf(stderr, "Unknown socket write error %d. Please report as much detail as possible to development team.\n", errno);
}
exit(1);
}
if(pfkey_msg) {
pfkey_extensions_free(extensions);
pfkey_msg_free(&pfkey_msg);
}
}
(void) close(pfkey_sock); /* close the socket */
exit(0);
}
static bool validate_end(struct ub_ctx *dnsctx ,
#endif
struct starter_conn *conn_st,
struct starter_end *end,
const char *leftright,
bool resolvip UNUSED,
err_t *perr)
{
err_t er = NULL;
char *err_str = NULL;
int family = conn_st->options[KBF_CONNADDRFAMILY];
bool err = FALSE;
# define ERR_FOUND(...) { err |= error_append(&err_str, __VA_ARGS__); }
if (!end->options_set[KNCF_IP])
conn_st->state = STATE_INCOMPLETE;
end->addrtype = end->options[KNCF_IP];
end->addr_family = family;
/* validate the KSCF_IP/KNCF_IP */
switch (end->addrtype) {
case KH_ANY:
anyaddr(family, &(end->addr));
break;
case KH_IFACE:
/* generally, this doesn't show up at this stage */
starter_log(LOG_LEVEL_DEBUG, "starter: %s is KH_IFACE", leftright);
break;
case KH_IPADDR:
assert(end->strings[KSCF_IP] != NULL);
if (end->strings[KSCF_IP][0] == '%') {
pfree(end->iface);
end->iface = clone_str(end->strings[KSCF_IP] + 1, "KH_IPADDR end->iface");
if (!starter_iface_find(end->iface, family,
&end->addr,
&end->nexthop))
conn_st->state = STATE_INVALID;
/* not numeric, so set the type to the iface type */
end->addrtype = KH_IFACE;
break;
}
er = ttoaddr_num(end->strings[KNCF_IP], 0, family,
&(end->addr));
if (er != NULL) {
/* not numeric, so set the type to the string type */
end->addrtype = KH_IPHOSTNAME;
}
if (end->id == NULL) {
ipstr_buf b;
end->id = clone_str(ipstr(&end->addr, &b), "end if");
}
break;
case KH_OPPO:
conn_st->policy |= POLICY_OPPORTUNISTIC;
break;
case KH_OPPOGROUP:
conn_st->policy |= POLICY_OPPORTUNISTIC | POLICY_GROUP;
break;
case KH_GROUP:
conn_st->policy |= POLICY_GROUP;
break;
case KH_IPHOSTNAME:
/* generally, this doesn't show up at this stage */
starter_log(LOG_LEVEL_DEBUG,
"starter: %s is KH_IPHOSTNAME", leftright);
break;
case KH_DEFAULTROUTE:
starter_log(LOG_LEVEL_DEBUG,
"starter: %s is KH_DEFAULTROUTE", leftright);
break;
case KH_NOTSET:
starter_log(LOG_LEVEL_DEBUG, "starter: %s is KH_NOTSET", leftright);
break;
}
/* validate the KSCF_SUBNET */
if (end->strings_set[KSCF_SUBNET]) {
char *value = end->strings[KSCF_SUBNET];
if (end->strings_set[KSCF_ADDRESSPOOL]) {
ERR_FOUND("cannot specify both %ssubnet= and %saddresspool=", leftright,
leftright);
}
if (startswith(value, "vhost:") || startswith(value, "vnet:")) {
er = NULL;
end->virt = clone_str(value, "validate_end item");
} else {
end->has_client = TRUE;
er = ttosubnet(value, 0, family, &(end->subnet));
}
if (er != NULL)
ERR_FOUND("bad subnet %ssubnet=%s [%s]", leftright,
value, er);
}
/* set nexthop address to something consistent, by default */
anyaddr(family, &end->nexthop);
anyaddr(addrtypeof(&end->addr), &end->nexthop);
/* validate the KSCF_NEXTHOP */
if (end->strings_set[KSCF_NEXTHOP]) {
char *value = end->strings[KSCF_NEXTHOP];
if (strcaseeq(value, "%defaultroute")) {
end->nexttype = KH_DEFAULTROUTE;
} else {
if (tnatoaddr(value, strlen(value), AF_INET,
&(end->nexthop)) != NULL &&
tnatoaddr(value, strlen(value), AF_INET6,
&(end->nexthop)) != NULL) {
#ifdef DNSSEC
starter_log(LOG_LEVEL_DEBUG,
"Calling unbound_resolve() for %snexthop value",
leftright);
if (!unbound_resolve(dnsctx, value,
strlen(value), AF_INET,
&(end->nexthop)) &&
!unbound_resolve(dnsctx, value,
strlen(value), AF_INET6,
&(end->nexthop)))
ERR_FOUND("bad value for %snexthop=%s\n",
leftright, value);
#else
er = ttoaddr(value, 0, family,
&(end->nexthop));
if (er != NULL)
ERR_FOUND("bad value for %snexthop=%s [%s]",
leftright, value,
er);
#endif
}
end->nexttype = KH_IPADDR;
}
} else {
#if 0
if (conn_st->policy & POLICY_OPPORTUNISTIC)
end->nexttype = KH_DEFAULTROUTE;
#endif
anyaddr(family, &end->nexthop);
if (end->addrtype == KH_DEFAULTROUTE) {
end->nexttype = KH_DEFAULTROUTE;
}
}
/* validate the KSCF_ID */
if (end->strings_set[KSCF_ID]) {
char *value = end->strings[KSCF_ID];
pfreeany(end->id);
end->id = clone_str(value, "end->id");
}
if (end->options_set[KSCF_RSAKEY1]) {
end->rsakey1_type = end->options[KSCF_RSAKEY1];
end->rsakey2_type = end->options[KSCF_RSAKEY2];
switch (end->options[KSCF_RSAKEY1]) {
case PUBKEY_DNS:
case PUBKEY_DNSONDEMAND:
end->key_from_DNS_on_demand = TRUE;
break;
default:
end->key_from_DNS_on_demand = FALSE;
/* validate the KSCF_RSAKEY1/RSAKEY2 */
if (end->strings[KSCF_RSAKEY1] != NULL) {
char *value = end->strings[KSCF_RSAKEY1];
pfreeany(end->rsakey1);
end->rsakey1 = (unsigned char *)clone_str(value,"end->rsakey1");
}
if (end->strings[KSCF_RSAKEY2] != NULL) {
char *value = end->strings[KSCF_RSAKEY2];
pfreeany(end->rsakey2);
end->rsakey2 = (unsigned char *)clone_str(value,"end->rsakey2");
}
}
}
/* validate the KSCF_SOURCEIP, if any, and if set,
* set the subnet to same value, if not set.
*/
if (end->strings_set[KSCF_SOURCEIP]) {
char *value = end->strings[KSCF_SOURCEIP];
if (tnatoaddr(value, strlen(value), AF_INET,
&(end->sourceip)) != NULL &&
tnatoaddr(value, strlen(value), AF_INET6,
&(end->sourceip)) != NULL) {
#ifdef DNSSEC
starter_log(LOG_LEVEL_DEBUG,
"Calling unbound_resolve() for %ssourceip value",
leftright);
if (!unbound_resolve(dnsctx, value,
strlen(value), AF_INET,
&(end->sourceip)) &&
!unbound_resolve(dnsctx, value,
strlen(value), AF_INET6,
&(end->sourceip)))
ERR_FOUND("bad value for %ssourceip=%s\n",
leftright, value);
#else
er = ttoaddr(value, 0, family, &(end->sourceip));
if (er != NULL)
ERR_FOUND("bad addr %ssourceip=%s [%s]",
leftright, value, er);
#endif
} else {
er = tnatoaddr(value, 0, family, &(end->sourceip));
if (er != NULL)
ERR_FOUND("bad numerical addr %ssourceip=%s [%s]",
leftright, value, er);
}
if (!end->has_client) {
starter_log(LOG_LEVEL_INFO,
"%ssourceip= used but not %ssubnet= defined, defaulting %ssubnet to %s",
leftright, leftright, leftright, value);
er = addrtosubnet(&end->sourceip, &end->subnet);
if (er != NULL) {
ERR_FOUND("attempt to default %ssubnet from %s failed: %s",
leftright, value, er);
}
end->has_client = TRUE;
end->has_client_wildcard = FALSE;
}
}
/* copy certificate path name */
if (end->strings_set[KSCF_CERT])
end->cert = clone_str(end->strings[KSCF_CERT], "KSCF_CERT");
if (end->strings_set[KSCF_CA])
end->ca = clone_str(end->strings[KSCF_CA], "KSCF_CA");
if (end->strings_set[KSCF_UPDOWN])
end->updown = clone_str(end->strings[KSCF_UPDOWN], "KSCF_UPDOWN");
if (end->strings_set[KSCF_PROTOPORT]) {
err_t ugh;
char *value = end->strings[KSCF_PROTOPORT];
ugh = ttoprotoport(value, 0, &end->protocol, &end->port,
&end->has_port_wildcard);
if (ugh != NULL)
ERR_FOUND("bad %sprotoport=%s [%s]", leftright, value,
ugh);
}
if (end->strings_set[KSCF_ADDRESSPOOL]) {
char *addresspool = end->strings[KSCF_ADDRESSPOOL];
if (end->strings_set[KSCF_SUBNET])
ERR_FOUND("cannot specify both %ssubnet= and %saddresspool=",
leftright, leftright);
starter_log(LOG_LEVEL_DEBUG,
"connection's %saddresspool set to: %s",
leftright, end->strings[KSCF_ADDRESSPOOL] );
er = ttorange(addresspool, 0, AF_INET, &end->pool_range, TRUE);
if (er != NULL)
ERR_FOUND("bad %saddresspool=%s [%s]", leftright,
addresspool, er);
}
if (end->options_set[KNCF_XAUTHSERVER] ||
end->options_set[KNCF_XAUTHCLIENT])
conn_st->policy |= POLICY_XAUTH;
/*
KSCF_SUBNETWITHIN --- not sure what to do with it.
KSCF_ESPENCKEY --- todo (manual keying)
KSCF_ESPAUTHKEY --- todo (manual keying)
KSCF_SOURCEIP = 16,
KSCF_MAX = 19
*/
if (err)
*perr = err_str;
return err;
# undef ERR_FOUND
}
int
main(int argc, char **argv)
{
char *foo;
const char *errstr;
int s;
int listen_only;
int lport,dport;
int afamily;
int pfamily;
int c;
int numSenders, numReceived;
int natt;
int waitTime;
int verbose;
ip_address laddr, raddr;
char *afam = "";
progname = argv[0];
afamily=AF_INET;
pfamily=PF_INET;
lport=500;
dport=500;
waitTime=3*1000;
verbose=0;
natt=0;
listen_only=0;
bzero(&laddr, sizeof(laddr));
while((c = getopt_long(argc, argv, "hVvsp:b:46E:w:", long_opts, 0))!=EOF) {
switch (c) {
case 'h': /* --help */
help();
return 0; /* GNU coding standards say to stop here */
case 'V': /* --version */
fprintf(stderr, "Openswan %s\n", ipsec_version_code());
return 0; /* GNU coding standards say to stop here */
case 'v': /* --label <string> */
verbose++;
continue;
case 'T':
natt++;
break;
case 'E':
exchange_number=strtol(optarg, &foo, 0);
if(optarg==foo || exchange_number < 1 || exchange_number>255) {
fprintf(stderr, "Invalid exchange number '%s' (should be 1<=x<255)\n",
optarg);
exit(1);
}
continue;
case 's':
listen_only++;
continue;
case 'p':
lport=strtol(optarg, &foo, 0);
if(optarg==foo || lport <0 || lport>65535) {
fprintf(stderr, "Invalid port number '%s' (should be 0<=x<65536)\n",
optarg);
exit(1);
}
fprintf(stderr, "setting source port to %u\n", lport);
continue;
case 'w':
/* convert msec to sec */
waitTime=strtol(optarg, &foo, 0)*500;
if(optarg==foo || waitTime < 0) {
fprintf(stderr, "Invalid waittime number '%s' (should be 0<=x)\n",
optarg);
exit(1);
}
continue;
case 'b':
errstr = ttoaddr(optarg, strlen(optarg), afamily, &laddr);
if(errstr!=NULL) {
fprintf(stderr, "Invalid local address '%s': %s\n",
optarg, errstr);
exit(1);
}
continue;
case '4':
afamily=AF_INET;
pfamily=PF_INET;
afam = "IPv4";
continue;
case '6':
afamily=AF_INET6;
pfamily=PF_INET6;
afam = "IPv6";
continue;
default:
help();
}
}
s=safe_socket(pfamily, SOCK_DGRAM, IPPROTO_UDP);
if(s < 0) {
perror("socket");
exit(3);
}
switch(afamily) {
case AF_INET:
laddr.u.v4.sin_family= AF_INET;
laddr.u.v4.sin_port = htons(lport);
if(bind(s, (struct sockaddr *)&laddr.u.v4, sizeof(laddr.u.v4)) < 0) {
fprintf(stderr, "warning, unable to bind v4 socket port %u: %s"
, lport, strerror(errno));
}
break;
case AF_INET6:
laddr.u.v6.sin6_family= AF_INET6;
laddr.u.v6.sin6_port = htons(lport);
if(bind(s, (struct sockaddr *)&laddr.u.v6, sizeof(laddr.u.v6)) < 0) {
fprintf(stderr, "warning, unable to bind v6 socket to port %u: %s"
, lport, strerror(errno));
}
break;
}
if(natt) {
int r;
/* only support RFC method */
int type = ESPINUDP_WITH_NON_ESP;
r = setsockopt(s, SOL_UDP, UDP_ESPINUDP, &type, sizeof(type));
if ((r<0) && (errno == ENOPROTOOPT)) {
fprintf(stderr,
"NAT-Traversal: ESPINUDP(%d) not supported by kernel for family %s"
, type, afam);
}
}
numSenders = 0;
if(!listen_only) {
while(optind < argc) {
char *port;
char *host;
char namebuf[128];
host = argv[optind];
port = strchr(host, '/');
dport=500;
if(port) {
*port='\0';
port++;
dport= strtol(port, &foo, 0);
if(port==foo || dport < 0 || dport > 65535) {
fprintf(stderr, "Invalid port number '%s' "
"(should be 0<=x<65536)\n",
port);
exit(1);
}
}
errstr = ttoaddr(host, strlen(host),
afamily, &raddr);
if(errstr!=NULL) {
fprintf(stderr, "Invalid remote address '%s': %s\n",
host, errstr);
exit(1);
}
addrtot(&raddr, 0, namebuf, sizeof(namebuf));
printf("Sending packet to %s/%d\n", namebuf, dport);
send_ping(afamily, s, &raddr, dport);
numSenders++;
optind++;
}
}
numReceived=0;
/* really should catch ^C and print stats on exit */
while(numSenders > 0 || listen_only) {
struct pollfd ready;
int n;
ready.fd = s;
ready.events = POLLIN;
n = poll(&ready, 1, waitTime);
if(n < 0) {
if(errno != EINTR) {
perror("poll");
exit(1);
}
}
if(n == 0 && !listen_only) {
break;
}
if(n == 1) {
numReceived++;
receive_ping(afamily, s, listen_only, natt);
}
}
printf("%d packets sent, %d packets received. %d%% packet loss\n",
numSenders,
numReceived,
numSenders > 0 ? 100-numReceived*100/numSenders : 0);
exit(numSenders - numReceived);
}
int main(int argc, char **argv)
{
#if 0
NSS_NoDB_Init(".");
if (!test_aes_cbc(&algo_aes_cbc)) {
printf("aes-cbc failed\n");
}
if (!test_camellia_cbc(&algo_camellia_cbc)) {
printf("camellia-cbc failed\n");
}
if (!test_aes_ctr(&algo_aes_ctr)) {
printf("aes-ctr failed\n");
}
exit(0);
#endif
int lockfd;
/*
* We read the intentions for how to log from command line options
* and the config file. Then we prepare to be able to log, but until
* then log to stderr (better then nothing). Once we are ready to
* actually do loggin according to the methods desired, we set the
* variables for those methods
*/
bool log_to_stderr_desired = FALSE;
bool log_to_file_desired = FALSE;
{
int i;
/* MUST BE BEFORE ANY allocs */
for (i = 1; i < argc; ++i) {
if (streq(argv[i], "--leak-detective"))
leak_detective = TRUE;
}
}
pluto_name = argv[0];
coredir = clone_str("/var/run/pluto", "coredir in main()");
pluto_vendorid = clone_str(ipsec_version_vendorid(), "vendorid in main()");
unsigned int keep_alive = 0;
/* Overridden by virtual_private= in ipsec.conf */
char *virtual_private = NULL;
libreswan_passert_fail = passert_fail;
/* handle arguments */
for (;; ) {
/*
* Note: we don't like the way short options get parsed
* by getopt_long, so we simply pass an empty string as
* the list. It could be "hvdenp:l:s:" "NARXPECK".
*/
int longindex = -1;
int c = getopt_long(argc, argv, "", long_opts, &longindex);
const char *optname = NULL;
err_t ugh = NULL; /* complaint from case */
unsigned long u = 0; /* scratch for case */
if (longindex != -1) {
const char *optmeta;
optname = long_opts[longindex].name;
optmeta = optname + strlen(optname) + 1; /* after '\0' */
switch (optmeta[0]) {
case '_':
libreswan_log("warning: option \"--%s\" with '_' in its name is obsolete; use '-'",
optname);
break;
case '>':
libreswan_log("warning: option \"--%s\" is obsolete; use \"--%s\"",
optname, optmeta + 1);
break;
case '!':
libreswan_log("warning: option \"--%s\" is obsolete; ignored",
optname);
continue; /* ignore it! */
}
}
/* Note: "breaking" from case terminates loop */
switch (c) {
case EOF: /* end of flags */
break;
case 0:
/*
* Long option already handled by getopt_long.
* Not currently used since we always set flag to NULL.
*/
continue;
case ':': /* diagnostic already printed by getopt_long */
case '?': /* diagnostic already printed by getopt_long */
invocation_fail(NULL);
break;
case 'h': /* --help */
usage();
break; /* not actually reached */
case 'X': /* --leak-detective */
/*
* This flag was already processed at the start of main()
* because leak_detective must be immutable from before
* the first alloc().
* If this option is specified, we must have already
* set it at the start of main(), so assert it.
*/
passert(leak_detective);
continue;
case 'C': /* --coredir */
pfree(coredir);
coredir = clone_str(optarg, "coredir via getopt");
continue;
case 'V': /* --vendorid */
pfree(pluto_vendorid);
coredir = clone_str(optarg, "pluto_vendorid via getopt");
continue;
case 'S': /* --statsdir */
pfreeany(pluto_stats_binary);
pluto_stats_binary = clone_str(optarg, "statsbin");
continue;
case 'v': /* --version */
printf("%s%s\n", ipsec_version_string(),
compile_time_interop_options);
/* not exit_pluto because we are not initialized yet */
exit(0);
break; /* not actually reached */
case 'j': /* --nhelpers */
if (streq(optarg, "-1")) {
nhelpers = -1;
} else {
ugh = ttoulb(optarg, 0, 10, 1000, &u);
if (ugh != NULL)
break;
nhelpers = u;
}
continue;
case 'c': /* --seedbits */
pluto_nss_seedbits = atoi(optarg);
if (pluto_nss_seedbits == 0) {
printf("pluto: seedbits must be an integer > 0");
/* not exit_pluto because we are not initialized yet */
exit(PLUTO_EXIT_NSS_FAIL);
}
continue;
#ifdef HAVE_LABELED_IPSEC
case 'w': /* --secctx-attr-type */
ugh = ttoulb(optarg, 0, 0, 0xFFFF, &u);
if (ugh != NULL)
break;
if (u != SECCTX && u != ECN_TUNNEL_or_old_SECCTX) {
ugh = "must be a positive 32001 (default) or 10 (for backward compatibility)";
break;
}
secctx_attr_type = u;
continue;
#endif
case 'd': /* --nofork*/
fork_desired = FALSE;
continue;
case 'e': /* --stderrlog */
log_to_stderr_desired = TRUE;
continue;
case 'g': /* --logfile */
pluto_log_file = optarg;
log_to_file_desired = TRUE;
continue;
case 't': /* --log-no-time */
log_with_timestamp = FALSE;
continue;
case '7': /* --log-no-append */
log_append = FALSE;
continue;
case '8': /* --drop-oppo-null */
pluto_drop_oppo_null = TRUE;
continue;
case '9': /* --expire-bare-shunt <interval> */
ugh = ttoulb(optarg, 0, 10, 1000, &u);
if (ugh != NULL)
break;
bare_shunt_interval = u;
continue;
case 'k': /* --use-klips */
kern_interface = USE_KLIPS;
continue;
case 'L': /* --listen ip_addr */
{
ip_address lip;
err_t e = ttoaddr(optarg, 0, AF_UNSPEC, &lip);
if (e != NULL) {
/*
*??? should we continue on failure?
* If not, use ugh mechanism.
*/
libreswan_log(
"invalid listen argument ignored: %s\n",
e);
} else {
pluto_listen =
clone_str(optarg, "pluto_listen");
libreswan_log(
"bind() will be filtered for %s\n",
pluto_listen);
}
}
continue;
case 'M': /* --use-mast */
kern_interface = USE_MASTKLIPS;
continue;
case 'F': /* --use-bsdkame */
kern_interface = USE_BSDKAME;
continue;
case 'K': /* --use-netkey */
kern_interface = USE_NETKEY;
continue;
case 'n': /* --use-nostack */
kern_interface = NO_KERNEL;
continue;
case 'D': /* --force-busy */
pluto_ddos_mode = DDOS_FORCE_BUSY;
continue;
case 'U': /* --force-unlimited */
pluto_ddos_mode = DDOS_FORCE_UNLIMITED;
continue;
case 'Z': /* --curl-iface */
curl_iface = optarg;
continue;
case 'I': /* --curl-timeout */
ugh = ttoulb(optarg, 0, 10, 0xFFFF, &u);
if (ugh != NULL)
break;
if (u <= 0) {
ugh = "must not be < 1";
break;
}
curl_timeout = u;
continue;
case 'r': /* --strictcrlpolicy */
strict_crl_policy = TRUE;
continue;
case 'o':
strict_ocsp_policy = TRUE;
continue;
case 'O':
ocsp_enable = TRUE;
continue;
case 'Y':
ocsp_default_uri = optarg;
continue;
case 'J':
ocsp_trust_name = optarg;
continue;
case 'T': /* --ocsp_timeout <seconds> */
ugh = ttoulb(optarg, 0, 10, 0xFFFF, &u);
if (ugh != NULL)
break;
if (u == 0) {
ugh = "must not be 0";
break;
}
ocsp_timeout = u;
continue;
case 'x': /* --crlcheckinterval <seconds> */
ugh = ttoulb(optarg, 0, 10, TIME_T_MAX, &u);
if (ugh != NULL)
break;
crl_check_interval = deltatime(u);
continue;
case 'u': /* --uniqueids */
uniqueIDs = TRUE;
continue;
case 'i': /* --interface <ifname|ifaddr> */
if (!use_interface(optarg)) {
ugh = "too many --interface specifications";
break;
}
continue;
/*
* This option does not really work, as this is the "left"
* site only, you also need --to --ikeport again later on
* It will result in: yourport -> 500, still not bypassing
* filters
*/
case 'p': /* --ikeport <portnumber> */
ugh = ttoulb(optarg, 0, 10, 0xFFFF, &u);
if (ugh != NULL)
break;
if (u == 0) {
ugh = "must not be 0";
break;
}
pluto_port = u;
continue;
case 'q': /* --natikeport <portnumber> */
ugh = ttoulb(optarg, 0, 10, 0xFFFF, &u);
if (ugh != NULL)
break;
if (u == 0) {
ugh = "must not be 0";
break;
}
pluto_nat_port = u;
continue;
case 'b': /* --ctlbase <path> */
/*
* ??? work to be done here:
*
* snprintf returns the required space if there
* isn't enough, not -1.
* -1 indicates another kind of error.
*
* This appears to be the only place where the
* ctlbase value is used yet it is set elsewhere.
* (This isn't clear -- it may be OK.)
*/
ctlbase = optarg;
if (snprintf(ctl_addr.sun_path,
sizeof(ctl_addr.sun_path),
"%s%s", ctlbase, CTL_SUFFIX) == -1) {
ugh = "<path>" CTL_SUFFIX " too long for sun_path";
break;
}
if (snprintf(info_addr.sun_path,
sizeof(info_addr.sun_path),
"%s%s", ctlbase, INFO_SUFFIX) == -1) {
ugh = "<path>" INFO_SUFFIX " too long for sun_path";
break;
}
if (snprintf(pluto_lock, sizeof(pluto_lock),
"%s%s", ctlbase, LOCK_SUFFIX) == -1) {
ugh = "<path>" LOCK_SUFFIX " must fit";
break;
}
continue;
case 's': /* --secretsfile <secrets-file> */
lsw_conf_secretsfile(optarg);
continue;
case 'f': /* --ipsecdir <ipsec-dir> */
lsw_init_ipsecdir(optarg);
continue;
case 'N': /* --debug-none */
base_debugging = DBG_NONE;
continue;
case 'A': /* --debug-all */
base_debugging = DBG_ALL;
continue;
case 'P': /* --perpeerlogbase */
base_perpeer_logdir = optarg;
continue;
case 'l': /* --perpeerlog */
log_to_perpeer = TRUE;
continue;
case '2': /* --keep-alive <delay_secs> */
ugh = ttoulb(optarg, 0, 10, secs_per_day, &u);
if (ugh != NULL)
break;
keep_alive = u;
continue;
case '5': /* --debug-nat-t */
base_debugging |= DBG_NATT;
continue;
case '6': /* --virtual-private */
virtual_private = optarg;
continue;
case 'z': /* --config */
{
/*
* Config struct to variables mapper. This will
* overwrite all previously set options. Keep this
* in the same order as long_opts[] is.
*/
struct starter_config *cfg = read_cfg_file(optarg);
/* leak */
set_cfg_string(&pluto_log_file,
cfg->setup.strings[KSF_PLUTOSTDERRLOG]);
if (pluto_log_file != NULL)
log_to_syslog = FALSE;
/* plutofork= no longer supported via config file */
log_with_timestamp =
cfg->setup.options[KBF_PLUTOSTDERRLOGTIME];
log_append = cfg->setup.options[KBF_PLUTOSTDERRLOGAPPEND];
pluto_drop_oppo_null = cfg->setup.options[KBF_DROP_OPPO_NULL];
pluto_ddos_mode = cfg->setup.options[KBF_DDOS_MODE];
if (cfg->setup.options[KBF_FORCEBUSY]) {
/* force-busy is obsoleted, translate to ddos-mode= */
pluto_ddos_mode = cfg->setup.options[KBF_DDOS_MODE] = DDOS_FORCE_BUSY;
}
/* ddos-ike-threshold and max-halfopen-ike */
pluto_ddos_threshold = cfg->setup.options[KBF_DDOS_IKE_THRESHOLD];
pluto_max_halfopen = cfg->setup.options[KBF_MAX_HALFOPEN_IKE];
strict_crl_policy =
cfg->setup.options[KBF_STRICTCRLPOLICY];
pluto_shunt_lifetime = deltatime(cfg->setup.options[KBF_SHUNTLIFETIME]);
strict_ocsp_policy =
cfg->setup.options[KBF_STRICTOCSPPOLICY];
ocsp_enable = cfg->setup.options[KBF_OCSPENABLE];
set_cfg_string(&ocsp_default_uri,
cfg->setup.strings[KSF_OCSPURI]);
ocsp_timeout = cfg->setup.options[KBF_OCSPTIMEOUT];
set_cfg_string(&ocsp_trust_name,
cfg->setup.strings[KSF_OCSPTRUSTNAME]);
crl_check_interval = deltatime(
cfg->setup.options[KBF_CRLCHECKINTERVAL]);
uniqueIDs = cfg->setup.options[KBF_UNIQUEIDS];
/*
* We don't check interfaces= here because that part
* has been dealt with in _stackmanager before we
* started
*/
set_cfg_string(&pluto_listen,
cfg->setup.strings[KSF_LISTEN]);
/* --ikeport */
pluto_port = cfg->setup.options[KBF_IKEPORT];
/* --nflog-all */
/* only causes nflog nmber to show in ipsec status */
pluto_nflog_group = cfg->setup.options[KBF_NFLOG_ALL];
/* only causes nflog nmber to show in ipsec status */
pluto_xfrmlifetime = cfg->setup.options[KBF_XFRMLIFETIME];
/* no config option: ctlbase */
/* --secrets */
if (cfg->setup.strings[KSF_SECRETSFILE] &&
*cfg->setup.strings[KSF_SECRETSFILE]) {
lsw_conf_secretsfile(cfg->setup.strings[KSF_SECRETSFILE]);
}
if (cfg->setup.strings[KSF_IPSECDIR] != NULL &&
*cfg->setup.strings[KSF_IPSECDIR] != 0) {
/* --ipsecdir */
lsw_init_ipsecdir(cfg->setup.strings[KSF_IPSECDIR]);
}
/* --perpeerlog */
log_to_perpeer = cfg->setup.options[KBF_PERPEERLOG];
if (log_to_perpeer) {
/* --perpeerlogbase */
if (cfg->setup.strings[KSF_PERPEERDIR]) {
set_cfg_string(&base_perpeer_logdir,
cfg->setup.strings[KSF_PERPEERDIR]);
} else {
base_perpeer_logdir = clone_str("/var/log/pluto/", "perpeer_logdir");
}
}
if (cfg->setup.strings[KSF_CURLIFACE]) {
pfreeany(curl_iface);
/* curl-iface= */
curl_iface = clone_str(cfg->setup.strings[KSF_CURLIFACE],
"curl-iface= via --config");
}
if (cfg->setup.options[KBF_CURLTIMEOUT])
curl_timeout = cfg->setup.options[KBF_CURLTIMEOUT];
if (cfg->setup.strings[KSF_DUMPDIR]) {
pfree(coredir);
/* dumpdir= */
coredir = clone_str(cfg->setup.strings[KSF_DUMPDIR],
"coredir via --config");
}
/* --vendorid */
if (cfg->setup.strings[KSF_MYVENDORID]) {
pfree(pluto_vendorid);
pluto_vendorid = clone_str(cfg->setup.strings[KSF_MYVENDORID],
"pluto_vendorid via --config");
}
/* no config option: pluto_adns_option */
if (cfg->setup.strings[KSF_STATSBINARY] != NULL) {
if (access(cfg->setup.strings[KSF_STATSBINARY], X_OK) == 0) {
pfreeany(pluto_stats_binary);
/* statsbin= */
pluto_stats_binary = clone_str(cfg->setup.strings[KSF_STATSBINARY], "statsbin via --config");
libreswan_log("statsbinary set to %s", pluto_stats_binary);
} else {
libreswan_log("statsbinary= '%s' ignored - file does not exist or is not executable",
pluto_stats_binary);
}
}
pluto_nss_seedbits = cfg->setup.options[KBF_SEEDBITS];
pluto_nat_port =
cfg->setup.options[KBF_NATIKEPORT];
keep_alive = cfg->setup.options[KBF_KEEPALIVE];
set_cfg_string(&virtual_private,
cfg->setup.strings[KSF_VIRTUALPRIVATE]);
nhelpers = cfg->setup.options[KBF_NHELPERS];
#ifdef HAVE_LABELED_IPSEC
secctx_attr_type = cfg->setup.options[KBF_SECCTX];
#endif
base_debugging = cfg->setup.options[KBF_PLUTODEBUG];
char *protostack = cfg->setup.strings[KSF_PROTOSTACK];
if (protostack == NULL || *protostack == '\0') {
kern_interface = USE_NETKEY;
} else if (streq(protostack, "none")) {
kern_interface = NO_KERNEL;
} else if (streq(protostack, "auto")) {
libreswan_log(
"The option protostack=auto is obsoleted, falling back to protostack=netkey\n");
kern_interface = USE_NETKEY;
} else if (streq(protostack, "klips")) {
kern_interface = USE_KLIPS;
} else if (streq(protostack, "mast")) {
kern_interface = USE_MASTKLIPS;
} else if (streq(protostack, "netkey") ||
streq(protostack, "native")) {
kern_interface = USE_NETKEY;
} else if (streq(protostack, "bsd") ||
streq(protostack, "kame") ||
streq(protostack, "bsdkame")) {
kern_interface = USE_BSDKAME;
} else if (streq(protostack, "win2k")) {
kern_interface = USE_WIN2K;
}
confread_free(cfg);
continue;
}
default:
if (DBG_OFFSET <= c &&
c < DBG_OFFSET + IMPAIR_roof_IX) {
base_debugging |= LELEM(c - DBG_OFFSET);
continue;
}
bad_case(c);
}
/* if ugh is set, bail with diagnostic */
if (ugh != NULL) {
char mess[200];
if (longindex == -1) {
snprintf(mess, sizeof(mess), "unknown option: %s",
ugh);
} else if (optarg == NULL) {
snprintf(mess, sizeof(mess), "--%s option: %s",
optname, ugh);
} else {
snprintf(mess, sizeof(mess), "--%s \"%s\" option: %s",
optname, optarg, ugh);
}
invocation_fail(mess);
}
break;
}
if (optind != argc)
invocation_fail("unexpected argument");
reset_debugging();
if (chdir(coredir) == -1) {
int e = errno;
libreswan_log("pluto: warning: chdir(\"%s\") to dumpdir failed (%d: %s)",
coredir, e, strerror(e));
}
oco = lsw_init_options();
lockfd = create_lock();
/* select between logging methods */
if (log_to_stderr_desired || log_to_file_desired)
log_to_syslog = FALSE;
if (!log_to_stderr_desired)
log_to_stderr = FALSE;
#if 0
if (kernel_ops->set_debug != NULL)
(*kernel_ops->set_debug)(cur_debugging, DBG_log, DBG_log);
#endif
/*
* create control socket.
* We must create it before the parent process returns so that
* there will be no race condition in using it. The easiest
* place to do this is before the daemon fork.
*/
{
err_t ugh = init_ctl_socket();
if (ugh != NULL) {
fprintf(stderr, "pluto: FATAL: %s", ugh);
exit_pluto(PLUTO_EXIT_SOCKET_FAIL);
}
}
/* If not suppressed, do daemon fork */
if (fork_desired) {
#if USE_DAEMON
if (daemon(TRUE, TRUE) < 0) {
fprintf(stderr, "pluto: FATAL: daemon failed (%d %s)\n",
errno, strerror(errno));
exit_pluto(PLUTO_EXIT_FORK_FAIL);
}
/*
* Parent just exits, so need to fill in our own PID
* file. This is racy, since the file won't be
* created until after the parent has exited.
*
* Since "ipsec start" invokes pluto with --nofork, it
* is probably safer to leave this feature disabled
* then implement it using the daemon call.
*/
(void) fill_lock(lockfd, getpid());
#elif USE_FORK
{
pid_t pid = fork();
if (pid < 0) {
int e = errno;
fprintf(stderr, "pluto: FATAL: fork failed (%d %s)\n",
errno, strerror(e));
exit_pluto(PLUTO_EXIT_FORK_FAIL);
}
if (pid != 0) {
/*
* parent: die, after filling PID into lock
* file.
* must not use exit_pluto: lock would be
* removed!
*/
exit(fill_lock(lockfd, pid) ? 0 : 1);
}
}
#else
fprintf(stderr, "pluto: FATAL: fork/daemon not supported\n");
exit_pluto(PLUTO_EXIT_FORK_FAIL);
#endif
if (setsid() < 0) {
int e = errno;
fprintf(stderr,
"FATAL: setsid() failed in main(). Errno %d: %s\n",
errno, strerror(e));
exit_pluto(PLUTO_EXIT_FAIL);
}
} else {
/* no daemon fork: we have to fill in lock file */
(void) fill_lock(lockfd, getpid());
if (isatty(fileno(stdout))) {
fprintf(stdout, "Pluto initialized\n");
fflush(stdout);
}
}
/*
* Close everything but ctl_fd and (if needed) stderr.
* There is some danger that a library that we don't know
* about is using some fd that we don't know about.
* I guess we'll soon find out.
*/
{
int i;
for (i = getdtablesize() - 1; i >= 0; i--) /* Bad hack */
if ((!log_to_stderr || i != 2) &&
i != ctl_fd)
close(i);
/* make sure that stdin, stdout, stderr are reserved */
if (open("/dev/null", O_RDONLY) != 0)
lsw_abort();
if (dup2(0, 1) != 1)
lsw_abort();
if (!log_to_stderr && dup2(0, 2) != 2)
lsw_abort();
}
init_constants();
init_pluto_constants();
pluto_init_log();
if (!pluto_init_nss(oco->nssdb)) {
loglog(RC_LOG_SERIOUS, "FATAL: NSS initialization failure");
exit_pluto(PLUTO_EXIT_NSS_FAIL);
}
libreswan_log("NSS crypto library initialized");
if (ocsp_enable) {
if (!init_nss_ocsp(ocsp_default_uri, ocsp_trust_name,
ocsp_timeout,
strict_ocsp_policy)) {
loglog(RC_LOG_SERIOUS, "Initializing NSS OCSP failed");
exit_pluto(PLUTO_EXIT_NSS_FAIL);
} else {
libreswan_log("NSS OCSP Enabled");
}
}
#ifdef HAVE_LIBCAP_NG
/*
* Drop capabilities - this generates a false positive valgrind warning
* See: http://marc.info/?l=linux-security-module&m=125895232029657
*
* We drop these after creating the pluto socket or else we can't
* create a socket if the parent dir is non-root (eg openstack)
*/
capng_clear(CAPNG_SELECT_BOTH);
capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
CAP_NET_BIND_SERVICE, CAP_NET_ADMIN, CAP_NET_RAW,
CAP_IPC_LOCK, CAP_AUDIT_WRITE,
/* for google authenticator pam */
CAP_SETGID, CAP_SETUID,
CAP_DAC_READ_SEARCH,
-1);
/*
* We need to retain some capabilities for our children (updown):
* CAP_NET_ADMIN to change routes
* CAP_NET_RAW for iptables -t mangle
* CAP_DAC_READ_SEARCH for pam / google authenticator
*/
capng_updatev(CAPNG_ADD, CAPNG_BOUNDING_SET, CAP_NET_ADMIN, CAP_NET_RAW,
CAP_DAC_READ_SEARCH, -1);
capng_apply(CAPNG_SELECT_BOTH);
libreswan_log("libcap-ng support [enabled]");
#else
libreswan_log("libcap-ng support [disabled]");
#endif
#ifdef FIPS_CHECK
libreswan_log("FIPS HMAC integrity support [enabled]");
/*
* FIPS mode requires two conditions to be true:
* - FIPS Kernel mode: fips=1 kernel boot parameter
* - FIPS Product mode: See FIPSPRODUCTCHECK in Makefile.inc
* (in RHEL/Fedora, dracut-fips installs $FIPSPRODUCTCHECK)
*
* When FIPS mode, abort on self-check hmac failure. Otherwise, complain
*/
{
if (DBGP(IMPAIR_FORCE_FIPS)) {
libreswan_log("Forcing FIPS checks to true to emulate FIPS mode");
lsw_set_fips_mode(LSW_FIPS_ON);
}
enum lsw_fips_mode pluto_fips_mode = lsw_get_fips_mode();
bool nss_fips_mode = PK11_IsFIPS();
/*
* Now verify the consequences. Always run the tests
* as combinations such as NSS in fips mode but as out
* of it could be bad.
*/
switch (pluto_fips_mode) {
case LSW_FIPS_UNKNOWN:
loglog(RC_LOG_SERIOUS, "ABORT: pluto FIPS mode could not be determined");
exit_pluto(PLUTO_EXIT_FIPS_FAIL);
break;
case LSW_FIPS_ON:
libreswan_log("FIPS mode enabled for pluto daemon");
if (nss_fips_mode) {
libreswan_log("NSS library is running in FIPS mode");
} else {
loglog(RC_LOG_SERIOUS, "ABORT: pluto in FIPS mode but NSS library is not");
exit_pluto(PLUTO_EXIT_FIPS_FAIL);
}
break;
case LSW_FIPS_OFF:
libreswan_log("FIPS mode disabled for pluto daemon");
if (nss_fips_mode) {
loglog(RC_LOG_SERIOUS, "Warning: NSS library is running in FIPS mode");
}
break;
case LSW_FIPS_UNSET:
default:
bad_case(pluto_fips_mode);
}
/* always run hmac check so we can print diagnostic */
bool fips_files = FIPSCHECK_verify_files(fips_package_files);
if (fips_files) {
libreswan_log("FIPS HMAC integrity verification self-test passed");
} else {
loglog(RC_LOG_SERIOUS, "FIPS HMAC integrity verification self-test FAILED");
}
if (pluto_fips_mode == LSW_FIPS_ON && !fips_files) {
exit_pluto(PLUTO_EXIT_FIPS_FAIL);
}
}
#else
libreswan_log("FIPS HMAC integrity support [disabled]");
#endif
#ifdef USE_LINUX_AUDIT
linux_audit_init();
#else
libreswan_log("Linux audit support [disabled]");
#endif
{
const char *vc = ipsec_version_code();
libreswan_log("Starting Pluto (Libreswan Version %s%s) pid:%u",
vc, compile_time_interop_options, getpid());
}
libreswan_log("core dump dir: %s", coredir);
if (oco->secretsfile && *oco->secretsfile)
libreswan_log("secrets file: %s", oco->secretsfile);
libreswan_log(leak_detective ?
"leak-detective enabled" : "leak-detective disabled");
/* Check for SAREF support */
#ifdef KLIPS_MAST
#include <ipsec_saref.h>
{
int e, sk, saref;
saref = 1;
errno = 0;
sk = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
e = setsockopt(sk, IPPROTO_IP, IP_IPSEC_REFINFO, &saref,
sizeof(saref));
if (e == -1 )
libreswan_log("SAref support [disabled]: %s",
strerror(errno));
else
libreswan_log("SAref support [enabled]");
errno = 0;
e = setsockopt(sk, IPPROTO_IP, IP_IPSEC_BINDREF, &saref,
sizeof(saref));
if (e == -1 )
libreswan_log("SAbind support [disabled]: %s",
strerror(errno));
else
libreswan_log("SAbind support [enabled]");
close(sk);
}
#endif
libreswan_log("NSS crypto [enabled]");
#ifdef XAUTH_HAVE_PAM
libreswan_log("XAUTH PAM support [enabled]");
#else
libreswan_log("XAUTH PAM support [disabled]");
#endif
/* Log various impair-* functions if they were enabled */
if (DBGP(IMPAIR_BUST_MI2))
libreswan_log("Warning: IMPAIR_BUST_MI2 enabled");
if (DBGP(IMPAIR_BUST_MR2))
libreswan_log("Warning: IMPAIR_BUST_MR2 enabled");
if (DBGP(IMPAIR_SA_CREATION))
libreswan_log("Warning: IMPAIR_SA_CREATION enabled");
if (DBGP(IMPAIR_JACOB_TWO_TWO))
libreswan_log("Warning: IMPAIR_JACOB_TWO_TWO enabled");
if (DBGP(IMPAIR_DIE_ONINFO))
libreswan_log("Warning: IMPAIR_DIE_ONINFO enabled");
if (DBGP(IMPAIR_MAJOR_VERSION_BUMP))
libreswan_log("Warning: IMPAIR_MAJOR_VERSION_BUMP enabled");
if (DBGP(IMPAIR_MINOR_VERSION_BUMP))
libreswan_log("Warning: IMPAIR_MINOR_VERSION_BUMP enabled");
if (DBGP(IMPAIR_RETRANSMITS))
libreswan_log("Warning: IMPAIR_RETRANSMITS enabled");
if (DBGP(IMPAIR_SEND_BOGUS_ISAKMP_FLAG))
libreswan_log("Warning: IMPAIR_SEND_BOGUS_ISAKMP_FLAG enabled");
if (DBGP(IMPAIR_SEND_BOGUS_PAYLOAD_FLAG))
libreswan_log("Warning: IMPAIR_SEND_BOGUS_PAYLOAD_FLAG enabled");
if (DBGP(IMPAIR_SEND_IKEv2_KE))
libreswan_log("Warning: IMPAIR_SEND_IKEv2_KE enabled");
if (DBGP(IMPAIR_SEND_KEY_SIZE_CHECK))
libreswan_log("Warning: IMPAIR_SEND_KEY_SIZE_CHECK enabled");
if (DBGP(IMPAIR_SEND_NO_DELETE))
libreswan_log("Warning: IMPAIR_SEND_NO_DELETE enabled");
if (DBGP(IMPAIR_FORCE_FIPS))
libreswan_log("Warning: IMPAIR_FORCE_FIPS enabled");
if (DBGP(IMPAIR_SEND_NO_IKEV2_AUTH))
libreswan_log("Warning: IMPAIR_SEND_NO_IKEV2_AUTH enabled");
if (DBGP(IMPAIR_SEND_ZERO_GX))
libreswan_log("Warning: IMPAIR_SEND_ZERO_GX enabled");
if (DBGP(IMPAIR_SEND_BOGUS_DCOOKIE))
libreswan_log("Warning: IMPAIR_SEND_BOGUS_DCOOKIE enabled");
/* Initialize all of the various features */
init_nat_traversal(keep_alive);
init_virtual_ip(virtual_private);
/* obsoleted by nss code init_rnd_pool(); */
init_event_base();
init_secret();
init_states();
init_connections();
init_crypto();
init_crypto_helpers(nhelpers);
init_demux();
init_kernel();
init_id();
init_vendorid();
#if defined(LIBCURL) || defined(LDAP_VER)
init_fetch();
#endif
load_crls();
#ifdef HAVE_LABELED_IPSEC
init_avc();
#endif
daily_log_event();
#ifdef USE_SYSTEMD_WATCHDOG
pluto_sd_init();
#endif
call_server();
return -1; /* Shouldn't ever reach this */
}
/*
* discover the default route via /proc/net/route
*/
void
get_defaultroute(defaultroute_t *defaultroute)
{
FILE *fd;
char line[BUF_LEN];
bool first = TRUE;
init_defaultroute(defaultroute);
fd = fopen("/proc/net/route", "r");
if (!fd)
{
plog("could not open 'proc/net/route'");
return;
}
while (fgets(line, sizeof(line), fd) != 0)
{
char iface[11];
char destination[9];
char gateway[11];
char flags[5];
char mask[9];
int refcnt;
int use;
int metric;
int items;
/* proc/net/route returns IP addresses in host order */
strcpy(gateway, "0h");
/* skip the header line */
if (first)
{
first = FALSE;
continue;
}
/* parsing a single line of proc/net/route */
items = sscanf(line, "%10s\t%8s\t%8s\t%5s\t%d\t%d\t%d\t%8s\t"
, iface, destination, gateway+2, flags, &refcnt, &use, &metric, mask);
if (items < 8)
{
plog("parsing error while scanning /proc/net/route");
continue;
}
/* check for defaultroute (destination 0.0.0.0 and mask 0.0.0.0) */
if (streq(destination, "00000000") && streq(mask, "00000000"))
{
if (defaultroute->defined)
{
plog("multiple default routes - cannot cope with %%defaultroute!!!");
defaultroute->defined = FALSE;
fclose(fd);
return;
}
ttoaddr(gateway, strlen(gateway), AF_INET, &defaultroute->nexthop);
strncpy(defaultroute->iface, iface, IFNAMSIZ);
defaultroute->defined = TRUE;
}
}
fclose(fd);
if (!defaultroute->defined)
{
plog("no default route - cannot cope with %%defaultroute!!!");
}
else
{
char addr_buf[20], nexthop_buf[20];
struct ifreq physreq;
int sock = socket(AF_INET, SOCK_DGRAM, 0);
/* determine IP address of iface */
if (sock < 0)
{
plog("could not open SOCK_DGRAM socket");
defaultroute->defined = FALSE;
return;
}
memset ((void*)&physreq, 0, sizeof(physreq));
strncpy(physreq.ifr_name, defaultroute->iface, IFNAMSIZ);
ioctl(sock, SIOCGIFADDR, &physreq);
close(sock);
defaultroute->addr.u.v4 = *((struct sockaddr_in *)&physreq.ifr_addr);
addrtot(&defaultroute->addr, 0, addr_buf, sizeof(addr_buf));
addrtot(&defaultroute->nexthop, 0, nexthop_buf, sizeof(nexthop_buf));
DBG(DBG_CONTROL,
DBG_log("Default route found: iface=%s, addr=%s, nexthop=%s"
, defaultroute->iface, addr_buf, nexthop_buf)
)
/* for backwards-compatibility with the awk shell scripts
* store the defaultroute in /var/run/ipsec.info
*/
fd = fopen(INFO_FILE, "w");
if (fd)
{
fprintf(fd, "defaultroutephys=%s\n", defaultroute->iface );
fprintf(fd, "defaultroutevirt=ipsec0\n");
fprintf(fd, "defaultrouteaddr=%s\n", addr_buf);
fprintf(fd, "defaultroutenexthop=%s\n", nexthop_buf);
fclose(fd);
}
}
return;
}
/* Convert textual form of id into a (temporary) struct id.
* Note that if the id is to be kept, unshare_id_content will be necessary.
*/
err_t
atoid(char *src, struct id *id, bool myid_ok)
{
err_t ugh = NULL;
*id = empty_id;
if (myid_ok && streq("%myid", src))
{
id->kind = ID_MYID;
}
else if (streq("%fromcert", src))
{
id->kind = ID_FROMCERT;
}
else if (streq("%none", src))
{
id->kind = ID_NONE;
}
else if (strchr(src, '=') != NULL)
{
/* we interpret this as an ASCII X.501 ID_DER_ASN1_DN */
id->kind = ID_DER_ASN1_DN;
id->name.ptr = temporary_cyclic_buffer(); /* assign temporary buffer */
id->name.len = 0;
/* convert from LDAP style or openssl x509 -subject style to ASN.1 DN
* discard optional @ character in front of DN
*/
ugh = atodn((*src == '@')?src+1:src, &id->name);
}
else if (strchr(src, '@') == NULL)
{
if (streq(src, "%any") || streq(src, "0.0.0.0"))
{
/* any ID will be accepted */
id->kind = ID_NONE;
}
else
{
/* !!! this test is not sufficient for distinguishing address families.
* We need a notation to specify that a FQDN is to be resolved to IPv6.
*/
const struct af_info *afi = strchr(src, ':') == NULL
? &af_inet4_info: &af_inet6_info;
id->kind = afi->id_addr;
ugh = ttoaddr(src, 0, afi->af, &id->ip_addr);
}
}
else
{
if (*src == '@')
{
if (*(src+1) == '#')
{
/* if there is a second specifier (#) on the line
* we interprete this as ID_KEY_ID
*/
id->kind = ID_KEY_ID;
id->name.ptr = (unsigned char *)src;
/* discard @~, convert from hex to bin */
ugh = ttodata(src+2, 0, 16, (char *)id->name.ptr
, strlen(src), &id->name.len);
}
else if (*(src+1) == '~')
{
/* if there is a second specifier (~) on the line
* we interprete this as a binary ID_DER_ASN1_DN
*/
id->kind = ID_DER_ASN1_DN;
id->name.ptr = (unsigned char *)src;
/* discard @~, convert from hex to bin */
ugh = ttodata(src+2, 0, 16, (char *)id->name.ptr
, strlen(src), &id->name.len);
}
else if (*(src+1) == '[')
{
/* if there is a second specifier ([) on the line
* we interprete this as a text ID_KEY_ID, and we remove
* a trailing ", if there is one.
*/
int len = strlen(src+2);
id->kind = ID_KEY_ID;
id->name.ptr = (unsigned char *)src+2;
if(src[len+2]==']')
{
src[len+2-1]='\0';
len--;
}
id->name.len = len;
}
else
{
id->kind = ID_FQDN;
id->name.ptr = (unsigned char *)src+1; /* discard @ */
id->name.len = strlen(src)-1;
}
}
else
{
/* We leave in @, as per DOI 4.6.2.4
* (but DNS wants . instead).
*/
id->kind = ID_USER_FQDN;
id->name.ptr = (unsigned char *)src;
id->name.len = strlen(src);
}
}
return ugh;
}
static void klips_process_raw_ifaces(struct raw_iface *rifaces)
{
struct raw_iface *ifp;
/* Find all virtual/real interface pairs.
* For each real interface...
*/
for (ifp = rifaces; ifp != NULL; ifp = ifp->next) {
struct raw_iface *v = NULL; /* matching ipsecX interface */
struct raw_iface fake_v;
bool after = FALSE; /* has vfp passed ifp on the list? */
bool bad = FALSE;
struct raw_iface *vfp;
ip_address lip;
if (pluto_listen) {
err_t e;
e = ttoaddr(pluto_listen, 0, 0, &lip);
if (e) {
DBG_log("invalid listen= option ignored: %s\n",
e);
pluto_listen = NULL;
}
}
/* ignore if virtual (ipsec*) interface */
if (strncmp(ifp->name, IPSECDEVPREFIX, sizeof(IPSECDEVPREFIX) -
1) == 0)
continue;
/* ignore if virtual (mast*) interface */
if (strncmp(ifp->name, MASTDEVPREFIX, sizeof(MASTDEVPREFIX) -
1) == 0)
continue;
for (vfp = rifaces; vfp != NULL; vfp = vfp->next) {
if (vfp == ifp) {
after = TRUE;
} else if (sameaddr(&ifp->addr, &vfp->addr)) {
/* Different entries with matching IP addresses.
* Many interesting cases.
*/
if (strncmp(vfp->name, IPSECDEVPREFIX,
sizeof(IPSECDEVPREFIX) - 1) == 0) {
if (v != NULL) {
loglog(RC_LOG_SERIOUS,
"ipsec interfaces %s and %s share same address %s",
v->name, vfp->name,
ip_str(&ifp->addr));
bad = TRUE;
} else {
v = vfp; /* current winner */
}
} else {
/* ugh: a second real interface with the same IP address
* "after" allows us to avoid double reporting.
*/
#if defined(linux) && defined(NETKEY_SUPPORT)
if (kern_interface == USE_NETKEY) {
if (after) {
bad = TRUE;
break;
}
continue;
}
#endif
if (after) {
loglog(RC_LOG_SERIOUS,
"IP interfaces %s and %s share address %s!",
ifp->name, vfp->name,
ip_str(&ifp->addr));
}
bad = TRUE;
}
}
}
if (bad)
continue;
#if defined(linux) && defined(NETKEY_SUPPORT)
if (kern_interface == USE_NETKEY) {
v = ifp;
goto add_entry;
}
#endif
/* what if we didn't find a virtual interface? */
if (v == NULL) {
if (kern_interface == NO_KERNEL) {
/* kludge for testing: invent a virtual device */
static const char fvp[] = "virtual";
fake_v = *ifp;
passert(sizeof(fake_v.name) > sizeof(fvp));
strcpy(fake_v.name, fvp);
addrtot(&ifp->addr, 0,
fake_v.name + sizeof(fvp) - 1,
sizeof(fake_v.name) -
(sizeof(fvp) - 1));
v = &fake_v;
} else {
DBG(DBG_CONTROL,
DBG_log(
"IP interface %s %s has no matching ipsec* interface -- ignored",
ifp->name, ip_str(&ifp->addr)));
continue;
}
}
/* ignore if --listen is specified and we do not match */
if (pluto_listen != NULL) {
if (!sameaddr(&lip, &ifp->addr)) {
libreswan_log("skipping interface %s with %s",
ifp->name, ip_str(&ifp->addr));
continue;
}
}
/* We've got all we need; see if this is a new thing:
* search old interfaces list.
*/
#if defined(linux) && defined(NETKEY_SUPPORT)
add_entry:
#endif
{
struct iface_port **p = &interfaces;
for (;; ) {
struct iface_port *q = *p;
struct iface_dev *id = NULL;
/* search is over if at end of list */
if (q == NULL) {
/* matches nothing -- create a new entry */
int fd = create_socket(ifp, v->name,
pluto_port);
if (fd < 0)
break;
DBG(DBG_NATT,
DBG_log(
"NAT-T KLIPS: checking for nat_traversal_support_non_ike for IPv4"));
if (nat_traversal_support_non_ike &&
addrtypeof(&ifp->addr) ==
AF_INET) {
DBG(DBG_NATT,
DBG_log(
"NAT-T KLIPS: found, calling nat_traversal_espinudp_socket"));
nat_traversal_espinudp_socket(
fd, "IPv4",
ESPINUDP_WITH_NON_IKE);
} else {
DBG(DBG_NATT,
DBG_log(
"NAT-T KLIPS: support not found, nat_traversal_support_non_ike = %s",
nat_traversal_support_non_ike
?
"TRUE" : "FALSE"));
}
q = alloc_thing(struct iface_port,
"struct iface_port");
id = alloc_thing(struct iface_dev,
"struct iface_dev");
LIST_INSERT_HEAD(&interface_dev, id,
id_entry);
q->ip_dev = id;
id->id_rname = clone_str(ifp->name,
"real device name");
id->id_vname = clone_str(v->name,
"virtual device name klips");
id->id_count++;
q->ip_addr = ifp->addr;
q->fd = fd;
q->next = interfaces;
q->change = IFN_ADD;
q->port = pluto_port;
q->ike_float = FALSE;
interfaces = q;
libreswan_log(
"adding interface %s/%s %s:%d",
q->ip_dev->id_vname,
q->ip_dev->id_rname,
ip_str(&q->ip_addr),
q->port);
/*
* right now, we do not support NAT-T on IPv6, because
* the kernel did not support it, and gave an error
* it one tried to turn it on.
*/
if (nat_traversal_support_port_floating
&&
addrtypeof(&ifp->addr) ==
AF_INET) {
DBG(DBG_NATT,
DBG_log(
"NAT-T KLIPS: found floating port, calling nat_traversal_espinudp_socket"));
fd = create_socket(ifp,
v->name,
pluto_natt_float_port);
if (fd < 0)
break;
nat_traversal_espinudp_socket(
fd, "IPv4",
ESPINUDP_WITH_NON_ESP);
q = alloc_thing(
struct iface_port,
"struct iface_port");
q->ip_dev = id;
id->id_count++;
q->ip_addr = ifp->addr;
setportof(htons(
pluto_natt_float_port),
&q->ip_addr);
q->port =
pluto_natt_float_port;
q->fd = fd;
q->next = interfaces;
q->change = IFN_ADD;
q->ike_float = TRUE;
interfaces = q;
libreswan_log(
"adding interface %s/%s %s:%d",
q->ip_dev->id_vname, q->ip_dev->id_rname,
ip_str(&q->
ip_addr),
q->port);
}
break;
}
/* search over if matching old entry found */
if (streq(q->ip_dev->id_rname, ifp->name) &&
streq(q->ip_dev->id_vname, v->name) &&
sameaddr(&q->ip_addr, &ifp->addr)) {
/* matches -- rejuvinate old entry */
q->change = IFN_KEEP;
/* look for other interfaces to keep (due to NAT-T) */
for (q = q->next; q; q = q->next) {
if (streq(q->ip_dev->id_rname,
ifp->name) &&
streq(q->ip_dev->id_vname,
v->name) &&
sameaddr(&q->ip_addr,
&ifp->addr))
q->change = IFN_KEEP;
}
break;
}
/* try again */
p = &q->next;
} /* for (;;) */
}
int
main(int argc, char **argv)
{
/* int fd; */
char *endptr;
/* int ret; */
int c;
const char* error_s;
int error = 0;
char ipaddr_txt[ADDRTOT_BUF];
struct sadb_ext *extensions[K_SADB_EXT_MAX + 1];
struct sadb_msg *pfkey_msg;
ip_address pfkey_address_s_ska;
/*struct sockaddr_in pfkey_address_d_ska;*/
ip_address pfkey_address_sflow_ska;
ip_address pfkey_address_dflow_ska;
ip_address pfkey_address_smask_ska;
ip_address pfkey_address_dmask_ska;
int transport_proto = 0;
int src_port = 0;
int dst_port = 0;
ip_said said;
ip_subnet s_subnet, d_subnet;
int eroute_af = 0;
int said_af = 0;
int sa_flags=0;
int argcount = argc;
progname = argv[0];
memset(&pfkey_address_s_ska, 0, sizeof(ip_address));
memset(&pfkey_address_sflow_ska, 0, sizeof(ip_address));
memset(&pfkey_address_dflow_ska, 0, sizeof(ip_address));
memset(&pfkey_address_smask_ska, 0, sizeof(ip_address));
memset(&pfkey_address_dmask_ska, 0, sizeof(ip_address));
memset(&said, 0, sizeof(ip_said));
memset(&s_subnet, 0, sizeof(ip_subnet));
memset(&d_subnet, 0, sizeof(ip_subnet));
eroute_af_opt = said_af_opt = edst_opt = spi_opt = proto_opt = said_opt = dst_opt = src_opt = NULL;
while((c = getopt_long(argc, argv, ""/*"acdD:e:i:hprs:S:f:vl:+:g"*/, longopts, 0)) != EOF) {
switch(c) {
case 'g':
debug = 1;
pfkey_lib_debug = PF_KEY_DEBUG_PARSE_MAX;
argcount--;
break;
case 'a':
if(action_type) {
fprintf(stderr, "%s: Only one of '--add', '--addin', '--replace', '--replacein', '--clear', or '--del' options permitted.\n",
progname);
exit(1);
}
action_type = EMT_SETEROUTE;
break;
case 'A':
if(action_type) {
fprintf(stderr, "%s: Only one of '--add', '--addin', '--replace', '--replacein', '--clear', or '--del' options permitted.\n",
progname);
exit(1);
}
action_type = EMT_INEROUTE;
break;
case 'r':
if(action_type) {
fprintf(stderr, "%s: Only one of '--add', '--addin', '--replace', '--replacein', '--clear', or '--del' options permitted.\n",
progname);
exit(1);
}
action_type = EMT_REPLACEROUTE;
break;
case 'E':
if(action_type) {
fprintf(stderr, "%s: Only one of '--add', '--addin', '--replace', '--replacein', '--clear', or '--del' options permitted.\n",
progname);
exit(1);
}
action_type = EMT_INREPLACEROUTE;
break;
case 'c':
if(action_type) {
fprintf(stderr, "%s: Only one of '--add', '--addin', '--replace', '--clear', or '--del' options permitted.\n",
progname);
exit(1);
}
action_type = EMT_CLREROUTE;
break;
case 'd':
if(action_type) {
fprintf(stderr, "%s: Only one of '--add', '--addin', '--replace', '--clear', or '--del' options permitted.\n",
progname);
exit(1);
}
action_type = EMT_DELEROUTE;
break;
case 'e':
if(said_opt) {
fprintf(stderr, "%s: Error, EDST parameter redefined:%s, already defined in SA:%s\n",
progname, optarg, said_opt);
exit (1);
}
if(edst_opt) {
fprintf(stderr, "%s: Error, EDST parameter redefined:%s, already defined as:%s\n",
progname, optarg, edst_opt);
exit (1);
}
error_s = ttoaddr(optarg, 0, said_af, &said.dst);
if(error_s != NULL) {
fprintf(stderr, "%s: Error, %s converting --edst argument:%s\n",
progname, error_s, optarg);
exit (1);
}
edst_opt = optarg;
break;
case 'h':
case '?':
usage(progname);
exit(1);
case 's':
if(said_opt) {
fprintf(stderr, "%s: Error, SPI parameter redefined:%s, already defined in SA:%s\n",
progname, optarg, said_opt);
exit (1);
}
if(spi_opt) {
fprintf(stderr, "%s: Error, SPI parameter redefined:%s, already defined as:%s\n",
progname, optarg, spi_opt);
exit (1);
}
said.spi = htonl(strtoul(optarg, &endptr, 0));
if(!(endptr == optarg + strlen(optarg))) {
fprintf(stderr, "%s: Invalid character in SPI parameter: %s\n",
progname, optarg);
exit (1);
}
if(ntohl(said.spi) < 0x100) {
fprintf(stderr, "%s: Illegal reserved spi: %s => 0x%x Must be larger than 0x100.\n",
progname, optarg, ntohl(said.spi));
exit(1);
}
spi_opt = optarg;
break;
case 'p':
if(said_opt) {
fprintf(stderr, "%s: Error, PROTO parameter redefined:%s, already defined in SA:%s\n",
progname, optarg, said_opt);
exit (1);
}
if(proto_opt) {
fprintf(stderr, "%s: Error, PROTO parameter redefined:%s, already defined as:%s\n",
progname, optarg, proto_opt);
exit (1);
}
#if 0
if(said.proto) {
fprintf(stderr, "%s: Warning, PROTO parameter redefined:%s\n",
progname, optarg);
exit (1);
}
#endif
if(!strcmp(optarg, "ah"))
said.proto = SA_AH;
if(!strcmp(optarg, "esp"))
said.proto = SA_ESP;
if(!strcmp(optarg, "tun"))
said.proto = SA_IPIP;
if(!strcmp(optarg, "comp"))
said.proto = SA_COMP;
if(said.proto == 0) {
fprintf(stderr, "%s: Invalid PROTO parameter: %s\n",
progname, optarg);
exit (1);
}
proto_opt = optarg;
break;
case 'I':
if(said_opt) {
fprintf(stderr, "%s: Error, SAID parameter redefined:%s, already defined in SA:%s\n",
progname, optarg, said_opt);
exit (1);
}
if(proto_opt) {
fprintf(stderr, "%s: Error, PROTO parameter redefined in SA:%s, already defined as:%s\n",
progname, optarg, proto_opt);
exit (1);
}
if(edst_opt) {
fprintf(stderr, "%s: Error, EDST parameter redefined in SA:%s, already defined as:%s\n",
progname, optarg, edst_opt);
exit (1);
}
if(spi_opt) {
fprintf(stderr, "%s: Error, SPI parameter redefined in SA:%s, already defined as:%s\n",
progname, optarg, spi_opt);
exit (1);
}
if(said_af_opt) {
fprintf(stderr, "%s: Error, address family parameter redefined in SA:%s, already defined as:%s\n",
progname, optarg, said_af_opt);
exit (1);
}
error_s = ttosa(optarg, 0, &said);
if(error_s != NULL) {
fprintf(stderr, "%s: Error, %s converting --sa argument:%s\n",
progname, error_s, optarg);
exit (1);
} else if(ntohl(said.spi) < 0x100){
fprintf(stderr, "%s: Illegal reserved spi: %s => 0x%x Must be larger than or equal to 0x100.\n",
progname, optarg, said.spi);
exit(1);
}
said_af = addrtypeof(&said.dst);
said_opt = optarg;
break;
case 'v':
fprintf(stdout, "%s %s\n", me, ipsec_version_code());
fprintf(stdout, "See `ipsec --copyright' for copyright information.\n");
exit(1);
case 'D':
if(dst_opt) {
fprintf(stderr, "%s: Error, --dst parameter redefined:%s, already defined as:%s\n",
progname, optarg, dst_opt);
exit (1);
}
error_s = ttosubnet(optarg, 0, eroute_af, &d_subnet);
if (error_s != NULL) {
fprintf(stderr, "%s: Error, %s converting --dst argument: %s\n",
progname, error_s, optarg);
exit (1);
}
dst_opt = optarg;
break;
case 'S':
if(src_opt) {
fprintf(stderr, "%s: Error, --src parameter redefined:%s, already defined as:%s\n",
progname, optarg, src_opt);
exit (1);
}
error_s = ttosubnet(optarg, 0, eroute_af, &s_subnet);
if (error_s != NULL) {
fprintf(stderr, "%s: Error, %s converting --src argument: %s\n",
progname, error_s, optarg);
exit (1);
}
src_opt = optarg;
break;
case 'P':
if (transport_proto_opt) {
fprintf(stderr, "%s: Error, --transport-proto"
" parameter redefined:%s, "
"already defined as:%s\n",
progname, optarg,
transport_proto_opt);
exit(1);
}
transport_proto_opt = optarg;
break;
case 'Q':
if (src_port_opt) {
fprintf(stderr, "%s: Error, --src-port"
" parameter redefined:%s, "
"already defined as:%s\n",
progname, optarg, src_port_opt);
exit(1);
}
src_port_opt = optarg;
break;
case 'R':
if (dst_port_opt) {
fprintf(stderr, "%s: Error, --dst-port"
" parameter redefined:%s, "
"already defined as:%s\n",
progname, optarg, dst_port_opt);
exit(1);
}
dst_port_opt = optarg;
break;
case 'l':
progname = malloc(strlen(argv[0])
+ 10 /* update this when changing the sprintf() */
+ strlen(optarg));
sprintf(progname, "%s --label %s",
argv[0],
optarg);
argcount -= 2;
break;
case 'i': /* specifies the address family of the SAID, stored in said_af */
if(said_af_opt) {
fprintf(stderr, "%s: Error, address family of SAID redefined:%s, already defined as:%s\n",
progname, optarg, said_af_opt);
exit (1);
}
if(!strcmp(optarg, "inet"))
said_af = AF_INET;
if(!strcmp(optarg, "inet6"))
said_af = AF_INET6;
if(said_af == 0) {
fprintf(stderr, "%s: Invalid address family parameter for SAID: %s\n",
progname, optarg);
exit (1);
}
said_af_opt = optarg;
break;
case 'f': /* specifies the address family of the eroute, stored in eroute_af */
if(eroute_af_opt) {
fprintf(stderr, "%s: Error, address family of eroute redefined:%s, already defined as:%s\n",
progname, optarg, eroute_af_opt);
exit (1);
}
if(!strcmp(optarg, "inet"))
eroute_af = AF_INET;
if(!strcmp(optarg, "inet6"))
eroute_af = AF_INET6;
if(eroute_af == 0) {
fprintf(stderr, "%s: Invalid address family parameter for eroute: %s\n",
progname, optarg);
exit (1);
}
eroute_af_opt = optarg;
break;
case '+': /* optionsfrom */
optionsfrom(optarg, &argc, &argv, optind, stderr);
/* no return on error */
break;
default:
break;
}
}
if(debug) {
fprintf(stdout, "%s: DEBUG: argc=%d\n", progname, argc);
}
if(argcount == 1) {
struct stat sts;
if ( ((stat ("/proc/net/pfkey", &sts)) == 0) ) {
fprintf(stderr, "%s: NETKEY does not support eroute table.\n",progname);
exit(1);
}
else {
int ret = 1;
if ((stat ("/proc/net/ipsec_eroute", &sts)) != 0) {
fprintf(stderr, "%s: No eroute table - no IPsec support in kernel (are the modules loaded?)\n", progname);
} else {
ret = system("cat /proc/net/ipsec_eroute");
ret = ret != -1 && WIFEXITED(ret) ? WEXITSTATUS(ret) : 1;
}
exit(ret);
}
}
/* Sanity checks */
if(debug) {
fprintf(stdout, "%s: DEBUG: action_type=%d\n", progname, action_type);
}
if (transport_proto_opt != 0) {
struct protoent * proto = getprotobyname(transport_proto_opt);
if (proto != 0) {
transport_proto = proto->p_proto;
} else {
transport_proto = strtoul(transport_proto_opt, &endptr, 0);
if ((*endptr != '\0')
|| (transport_proto == 0 && endptr == transport_proto_opt)) {
fprintf(stderr, "%s: Invalid character in --transport-proto parameter: %s\n",
progname, transport_proto_opt);
exit (1);
}
if (transport_proto > 255) {
fprintf(stderr, "%s: --transport-proto parameter: %s must be in the range 0 to 255 inclusive\n",
progname, transport_proto_opt);
exit (1);
}
}
}
if (src_port_opt != 0 || dst_port_opt != 0) {
switch (transport_proto) {
case IPPROTO_UDP:
case IPPROTO_TCP:
break;
default:
fprintf(stderr, "%s: --transport-proto with either UDP or TCP must be specified if --src-port or --dst-port is used\n", progname);
exit(1);
}
}
if (src_port_opt) {
struct servent * ent = getservbyname(src_port_opt, 0);
if (ent != 0) {
src_port = ent->s_port;
} else {
src_port = strtoul(src_port_opt, &endptr, 0);
if ((*endptr != '\0')
|| (src_port == 0 && endptr == src_port_opt)) {
fprintf(stderr, "%s: Invalid character in --src-port parameter: %s\n",
progname, src_port_opt);
exit (1);
}
if (src_port > 65535) {
fprintf(stderr, "%s: --src-port parameter: %s must be in the range 0 to 65535 inclusive\n",
progname, src_port_opt);
}
src_port = htons(src_port);
}
}
if (dst_port_opt) {
struct servent * ent = getservbyname(dst_port_opt, 0);
if (ent != 0) {
dst_port = ent->s_port;
} else {
dst_port = strtoul(dst_port_opt, &endptr, 0);
if ((*endptr != '\0')
|| (dst_port == 0 && endptr == dst_port_opt)) {
fprintf(stderr, "%s: Invalid character in --dst-port parameter: %s\n",
progname, dst_port_opt);
exit (1);
}
if (dst_port > 65535) {
fprintf(stderr, "%s: --dst-port parameter: %s must be in the range 0 to 65535 inclusive\n",
progname, dst_port_opt);
}
dst_port = htons(dst_port);
}
}
switch(action_type) {
case EMT_SETEROUTE:
case EMT_REPLACEROUTE:
case EMT_INEROUTE:
case EMT_INREPLACEROUTE:
if(!(said_af_opt && edst_opt && spi_opt && proto_opt) && !(said_opt)) {
fprintf(stderr, "%s: add and addin options must have SA specified.\n",
progname);
exit(1);
}
case EMT_DELEROUTE:
if(!src_opt) {
fprintf(stderr, "%s: Error -- %s option '--src' is required.\n",
progname, (action_type == EMT_SETEROUTE) ? "add" : "del");
exit(1);
}
if(!dst_opt) {
fprintf(stderr, "%s: Error -- %s option '--dst' is required.\n",
progname, (action_type == EMT_SETEROUTE) ? "add" : "del");
exit(1);
}
case EMT_CLREROUTE:
break;
default:
fprintf(stderr, "%s: exactly one of '--add', '--addin', '--replace', '--del' or '--clear' options must be specified.\n"
"Try %s --help' for usage information.\n",
progname, progname);
exit(1);
}
pfkey_sock = pfkey_open_sock_with_error();
if(pfkey_sock == -1) {
exit(1);
}
if(debug) {
fprintf(stdout, "%s: DEBUG: PFKEYv2 socket successfully openned=%d.\n", progname, pfkey_sock);
}
/* Build an SADB_X_ADDFLOW or SADB_X_DELFLOW message to send down. */
/* It needs <base, SA, address(SD), flow(SD), mask(SD)> minimum. */
pfkey_extensions_init(extensions);
if((error = pfkey_msg_hdr_build(&extensions[0],
(action_type == EMT_SETEROUTE
|| action_type == EMT_REPLACEROUTE
|| action_type == EMT_INREPLACEROUTE
|| action_type == EMT_INEROUTE)
? SADB_X_ADDFLOW : SADB_X_DELFLOW,
proto2satype(said.proto),
0,
++pfkey_seq,
getpid()))) {
fprintf(stderr, "%s: Trouble building message header, error=%d.\n",
progname, error);
pfkey_extensions_free(extensions);
exit(1);
}
if(debug) {
fprintf(stdout, "%s: DEBUG: pfkey_msg_hdr_build successfull.\n", progname);
}
switch(action_type) {
case EMT_CLREROUTE:
sa_flags = SADB_X_SAFLAGS_CLEARFLOW;
goto sa_build;
case EMT_REPLACEROUTE:
sa_flags = SADB_X_SAFLAGS_REPLACEFLOW;
goto sa_build;
case EMT_INREPLACEROUTE:
sa_flags = SADB_X_SAFLAGS_REPLACEFLOW | SADB_X_SAFLAGS_INFLOW;
goto sa_build;
case EMT_INEROUTE:
sa_flags = SADB_X_SAFLAGS_INFLOW;
goto sa_build;
case EMT_SETEROUTE:
sa_build:
if((error = pfkey_sa_build(&extensions[SADB_EXT_SA],
SADB_EXT_SA,
said.spi, /* in network order */
0,
0,
0,
0,
sa_flags))) {
fprintf(stderr, "%s: Trouble building sa extension, error=%d.\n",
progname, error);
pfkey_extensions_free(extensions);
exit(1);
}
if(debug) {
fprintf(stdout, "%s: DEBUG: pfkey_sa_build successful.\n", progname);
}
default:
break;
}
switch(action_type) {
case EMT_SETEROUTE:
case EMT_REPLACEROUTE:
case EMT_INEROUTE:
case EMT_INREPLACEROUTE:
anyaddr(said_af, &pfkey_address_s_ska);
if((error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_SRC],
SADB_EXT_ADDRESS_SRC,
0,
0,
sockaddrof(&pfkey_address_s_ska)))) {
addrtot(&pfkey_address_s_ska, 0, ipaddr_txt, sizeof(ipaddr_txt));
fprintf(stderr, "%s: Trouble building address_s extension (%s), error=%d.\n",
progname, ipaddr_txt, error);
pfkey_extensions_free(extensions);
exit(1);
}
if(debug) {
fprintf(stdout, "%s: DEBUG: pfkey_address_build successful for src.\n", progname);
}
if((error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_DST],
SADB_EXT_ADDRESS_DST,
0,
0,
sockaddrof(&said.dst)))) {
addrtot(&said.dst, 0, ipaddr_txt, sizeof(ipaddr_txt));
fprintf(stderr, "%s: Trouble building address_d extension (%s), error=%d.\n",
progname, ipaddr_txt, error);
pfkey_extensions_free(extensions);
exit(1);
}
if(debug) {
fprintf(stdout, "%s: DEBUG: pfkey_address_build successful for dst.\n", progname);
}
default:
break;
}
switch(action_type) {
case EMT_SETEROUTE:
case EMT_REPLACEROUTE:
case EMT_INEROUTE:
case EMT_INREPLACEROUTE:
case EMT_DELEROUTE:
networkof(&s_subnet, &pfkey_address_sflow_ska); /* src flow */
add_port(eroute_af, &pfkey_address_sflow_ska, src_port);
if((error = pfkey_address_build(&extensions[SADB_X_EXT_ADDRESS_SRC_FLOW],
SADB_X_EXT_ADDRESS_SRC_FLOW,
0,
0,
sockaddrof(&pfkey_address_sflow_ska)))) {
addrtot(&pfkey_address_sflow_ska, 0, ipaddr_txt, sizeof(ipaddr_txt));
fprintf(stderr, "%s: Trouble building address_sflow extension (%s), error=%d.\n",
progname, ipaddr_txt, error);
pfkey_extensions_free(extensions);
exit(1);
}
if(debug) {
fprintf(stdout, "%s: DEBUG: pfkey_address_build successful for src flow.\n", progname);
}
networkof(&d_subnet, &pfkey_address_dflow_ska); /* dst flow */
add_port(eroute_af, &pfkey_address_dflow_ska, dst_port);
if((error = pfkey_address_build(&extensions[SADB_X_EXT_ADDRESS_DST_FLOW],
SADB_X_EXT_ADDRESS_DST_FLOW,
0,
0,
sockaddrof(&pfkey_address_dflow_ska)))) {
addrtot(&pfkey_address_dflow_ska, 0, ipaddr_txt, sizeof(ipaddr_txt));
fprintf(stderr, "%s: Trouble building address_dflow extension (%s), error=%d.\n",
progname, ipaddr_txt, error);
pfkey_extensions_free(extensions);
exit(1);
}
if(debug) {
fprintf(stdout, "%s: DEBUG: pfkey_address_build successful for dst flow.\n", progname);
}
maskof(&s_subnet, &pfkey_address_smask_ska); /* src mask */
add_port(eroute_af, &pfkey_address_smask_ska, src_port ? ~0:0);
if((error = pfkey_address_build(&extensions[SADB_X_EXT_ADDRESS_SRC_MASK],
SADB_X_EXT_ADDRESS_SRC_MASK,
0,
0,
sockaddrof(&pfkey_address_smask_ska)))) {
addrtot(&pfkey_address_smask_ska, 0, ipaddr_txt, sizeof(ipaddr_txt));
fprintf(stderr, "%s: Trouble building address_smask extension (%s), error=%d.\n",
progname, ipaddr_txt, error);
pfkey_extensions_free(extensions);
exit(1);
}
if(debug) {
fprintf(stdout, "%s: DEBUG: pfkey_address_build successful for src mask.\n", progname);
}
maskof(&d_subnet, &pfkey_address_dmask_ska); /* dst mask */
add_port(eroute_af, &pfkey_address_dmask_ska, dst_port ? ~0:0);
if((error = pfkey_address_build(&extensions[SADB_X_EXT_ADDRESS_DST_MASK],
SADB_X_EXT_ADDRESS_DST_MASK,
0,
0,
sockaddrof(&pfkey_address_dmask_ska)))) {
addrtot(&pfkey_address_dmask_ska, 0, ipaddr_txt, sizeof(ipaddr_txt));
fprintf(stderr, "%s: Trouble building address_dmask extension (%s), error=%d.\n",
progname, ipaddr_txt, error);
pfkey_extensions_free(extensions);
exit(1);
}
if(debug) {
fprintf(stdout, "%s: DEBUG: pfkey_address_build successful for dst mask.\n", progname);
}
}
if (transport_proto != 0) {
if ((error = pfkey_x_protocol_build(&extensions[SADB_X_EXT_PROTOCOL],
transport_proto))) {
fprintf(stderr, "%s: Trouble building transport"
" protocol extension, error=%d.\n",
progname, error);
exit(1);
}
}
if((error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_IN))) {
fprintf(stderr, "%s: Trouble building pfkey message, error=%d.\n",
progname, error);
pfkey_extensions_free(extensions);
pfkey_msg_free(&pfkey_msg);
exit(1);
}
if(debug) {
fprintf(stdout, "%s: DEBUG: pfkey_msg_build successful.\n", progname);
}
if((error = write(pfkey_sock,
pfkey_msg,
pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) !=
(ssize_t)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) {
fprintf(stderr, "%s: pfkey write failed, returning %d with errno=%d.\n",
progname, error, errno);
pfkey_extensions_free(extensions);
pfkey_msg_free(&pfkey_msg);
switch(errno) {
case EINVAL:
fprintf(stderr, "Invalid argument, check kernel log messages for specifics.\n");
break;
case ENXIO:
if((action_type == EMT_SETEROUTE) ||
(action_type == EMT_REPLACEROUTE)) {
fprintf(stderr, "Invalid mask.\n");
break;
}
if(action_type == EMT_DELEROUTE) {
fprintf(stderr, "Mask not found.\n");
break;
}
case EFAULT:
if((action_type == EMT_SETEROUTE) ||
(action_type == EMT_REPLACEROUTE)) {
fprintf(stderr, "Invalid address.\n");
break;
}
if(action_type == EMT_DELEROUTE) {
fprintf(stderr, "Address not found.\n");
break;
}
case EACCES:
fprintf(stderr, "access denied. ");
if(getuid() == 0) {
fprintf(stderr, "Check permissions. Should be 600.\n");
} else {
fprintf(stderr, "You must be root to open this file.\n");
}
break;
case EUNATCH:
fprintf(stderr, "KLIPS not loaded.\n");
break;
case EBUSY:
fprintf(stderr, "KLIPS is busy. Most likely a serious internal error occured in a previous command. Please report as much detail as possible to development team.\n");
break;
case ENODEV:
fprintf(stderr, "KLIPS not loaded or enabled.\n");
fprintf(stderr, "No device?!?\n");
break;
case ENOBUFS:
fprintf(stderr, "No kernel memory to allocate SA.\n");
break;
case ESOCKTNOSUPPORT:
fprintf(stderr, "Algorithm support not available in the kernel. Please compile in support.\n");
break;
case EEXIST:
fprintf(stderr, "eroute already in use. Delete old one first.\n");
break;
case ENOENT:
if(action_type == EMT_INEROUTE || action_type == EMT_INREPLACEROUTE) {
fprintf(stderr, "non-existant IPIP SA.\n");
break;
}
fprintf(stderr, "eroute doesn't exist. Can't delete.\n");
break;
case ENOSPC:
fprintf(stderr, "no room in kernel SAref table. Cannot process request.\n");
break;
case ESPIPE:
fprintf(stderr, "kernel SAref table internal error. Cannot process request.\n");
break;
default:
fprintf(stderr, "Unknown socket write error %d. Please report as much detail as possible to development team.\n", errno);
}
/* fprintf(stderr, "%s: socket write returned errno %d\n",
progname, errno);*/
exit(1);
}
if(debug) {
fprintf(stdout, "%s: DEBUG: pfkey write successful.\n", progname);
}
if(pfkey_msg) {
pfkey_extensions_free(extensions);
pfkey_msg_free(&pfkey_msg);
}
(void) close(pfkey_sock); /* close the socket */
if(debug) {
fprintf(stdout, "%s: DEBUG: write ok\n", progname);
}
exit(0);
}
err_t parse_redirect_payload(pb_stream *input_pbs,
const char *allowed_targets_list,
const chunk_t *nonce,
ip_address *redirect_ip /* result */)
{
struct ikev2_redirect_part gw_info;
if (!in_struct(&gw_info, &ikev2_redirect_desc, input_pbs, NULL))
return "received deformed REDIRECT payload";
int af;
switch (gw_info.gw_identity_type) {
case GW_IPV4:
af = AF_INET;
break;
case GW_IPV6:
af = AF_INET6;
break;
case GW_FQDN:
af = AF_UNSPEC;
break;
default:
return "bad GW Ident Type";
}
/* in_raw() actual GW Identity */
switch (af) {
case AF_UNSPEC:
{
/*
* The FQDN string isn't NUL-terminated.
*
* The length is stored in a byte so it cannot be
* larger than 0xFF.
* Some helpful compilers moan about this test being always true
* so I eliminated it:
* passert(gw_info.gw_identity_len <= 0xFF);
*/
unsigned char gw_str[0xFF];
if (!in_raw(&gw_str, gw_info.gw_identity_len, input_pbs, "GW Identity"))
return "error while extracting GW Identity from variable part of IKEv2_REDIRECT Notify payload";
err_t ugh = ttoaddr((char *) gw_str, gw_info.gw_identity_len,
AF_UNSPEC, redirect_ip);
if (ugh != NULL)
return ugh;
break;
}
case AF_INET:
case AF_INET6:
{
if (pbs_left(input_pbs) < gw_info.gw_identity_len)
return "variable part of payload is smaller than transfered GW Identity Length";
/* parse address directly to redirect_ip */
err_t ugh = initaddr(input_pbs->cur, gw_info.gw_identity_len, af, redirect_ip);
if (ugh != NULL)
return ugh;
DBG(DBG_PARSING, {
ip_address_buf b;
DBG_log(" GW Identity IP: %s", ipstr(redirect_ip, &b));
});
input_pbs->cur += gw_info.gw_identity_len;
break;
}
}
