consistent display of strongSwan version
1 /* Pluto main program
2 * Copyright (C) 1997 Angelos D. Keromytis.
3 * Copyright (C) 1998-2001 D. Hugh Redelmeier.
4 * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <stdio.h>
18 #include <stdlib.h>
19 #include <unistd.h>
20 #include <ctype.h>
21 #include <errno.h>
22 #include <string.h>
23 #include <sys/types.h>
24 #include <sys/stat.h>
25 #include <sys/un.h>
26 #include <fcntl.h>
27 #include <getopt.h>
28 #include <resolv.h>
29 #include <arpa/nameser.h> /* missing from <resolv.h> on old systems */
30 #include <sys/queue.h>
31 #include <sys/prctl.h>
32 #include <pwd.h>
33 #include <grp.h>
34
35 #ifdef CAPABILITIES
36 #include <sys/capability.h>
37 #endif /* CAPABILITIES */
38
39 #include <freeswan.h>
40
41 #include <library.h>
42 #include <debug.h>
43 #include <utils/enumerator.h>
44 #include <utils/optionsfrom.h>
45
46 #ifdef INTEGRITY_TEST
47 #include <fips/fips.h>
48 #include <fips/fips_signature.h>
49 #endif /* INTEGRITY_TEST */
50
51 #include <pfkeyv2.h>
52 #include <pfkey.h>
53
54 #include "constants.h"
55 #include "defs.h"
56 #include "id.h"
57 #include "ca.h"
58 #include "certs.h"
59 #include "ac.h"
60 #include "connections.h"
61 #include "foodgroups.h"
62 #include "packet.h"
63 #include "demux.h" /* needs packet.h */
64 #include "server.h"
65 #include "kernel.h"
66 #include "log.h"
67 #include "keys.h"
68 #include "adns.h" /* needs <resolv.h> */
69 #include "dnskey.h" /* needs keys.h and adns.h */
70 #include "state.h"
71 #include "ipsec_doi.h" /* needs demux.h and state.h */
72 #include "ocsp.h"
73 #include "crl.h"
74 #include "fetch.h"
75 #include "xauth.h"
76 #include "crypto.h"
77 #include "nat_traversal.h"
78 #include "virtual.h"
79 #include "timer.h"
80 #include "vendor.h"
81
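/**
 * Print an optional diagnostic plus the command-line synopsis to stderr
 * and terminate the daemon.
 *
 * @param mess  diagnostic printed on its own line before the synopsis;
 *              NULL means the summary was requested (--help) and the
 *              process exits with 0, any other value (including "", which
 *              prints nothing extra) exits with 1
 *
 * Never returns: leaves through exit_pluto().
 */
static void usage(const char *mess)
{
	if (mess != NULL && *mess != '\0')
	{
		/* always via "%s": mess may contain '%' and must never be a format */
		fprintf(stderr, "%s\n", mess);
	}
	fprintf(stderr
		, "Usage: pluto"
			" [--help]"
			" [--version]"
			" [--optionsfrom <filename>]"
			" \\\n\t"
			"[--nofork]"
			" [--stderrlog]"
			" [--noklips]"
			" [--nocrsend]"
			" \\\n\t"
			"[--strictcrlpolicy]"
			" [--crlcheckinterval <interval>]"
			" [--cachecrls]"
			" [--uniqueids]"
			" \\\n\t"
			"[--interface <ifname>]"
			" [--ikeport <port-number>]"
			" \\\n\t"
			"[--ctlbase <path>]"
			" \\\n\t"
			"[--perpeerlogbase <path>] [--perpeerlog]"
			" \\\n\t"
			"[--secretsfile <secrets-file>]"
			" [--policygroupsdir <policygroups-dir>]"
			" \\\n\t"
			/* one option per bracket pair: separate them with a space */
			"[--adns <pathname>]"
			" [--pkcs11module <path>]"
			" [--pkcs11keepstate]"
			" [--pkcs11initargs <string>]"
			" [--pkcs11proxy]"
#ifdef DEBUG
			" \\\n\t"
			"[--debug-none]"
			" [--debug-all]"
			" \\\n\t"
			"[--debug-raw]"
			" [--debug-crypt]"
			" [--debug-parsing]"
			" [--debug-emitting]"
			" \\\n\t"
			"[--debug-control]"
			" [--debug-lifecycle]"
			" [--debug-klips]"
			" [--debug-dns]"
			" \\\n\t"
			"[--debug-oppo]"
			" [--debug-controlmore]"
			" [--debug-private]"
			" [--debug-natt]"
#endif
			" \\\n\t"
			"[--nat_traversal] [--keep_alive <delay_sec>]"
			" \\\n\t"
			"[--force_keepalive] [--disable_port_floating]"
			" \\\n\t"
			"[--virtual_private <network_list>]"
			"\n"
		"strongSwan "VERSION"\n");
	exit_pluto(mess == NULL? 0 : 1);
}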
146
147
/* lock file support
 * - provides convenient way for scripts to find Pluto's pid
 * - prevents multiple Plutos competing for the same port
 * - same basename as unix domain control socket
 * NOTE: will not take account of sharing LOCK_DIR with other systems.
 */

/* path of the lock file; --ctlbase overwrites it with <path>LOCK_SUFFIX,
 * which is why it is sized like the control socket's sun_path */
static char pluto_lock[sizeof(ctl_addr.sun_path)] = DEFAULT_CTLBASE LOCK_SUFFIX;
/* set by create_lock() once the file exists, so that delete_lock() only
 * ever removes a lock this process created itself */
static bool pluto_lock_created = FALSE;
157
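/* create lockfile, or die in the attempt.
 *
 * O_CREAT|O_EXCL makes open() fail with EEXIST when anything already sits at
 * that path, including a symbolic link (POSIX forbids following it with
 * O_EXCL), so a second pluto, or a planted link, never ends up reusing or
 * redirecting the lock. The file is read-only for everyone; the PID is
 * written through the returned descriptor by fill_lock().
 *
 * Returns the open descriptor. Exits with 10 if the lock already exists and
 * with 1 on any other failure.
 */
static int create_lock(void)
{
	int fd = open(pluto_lock, O_WRONLY | O_CREAT | O_EXCL | O_TRUNC
				  , S_IRUSR | S_IRGRP | S_IROTH);

	if (fd < 0)
	{
		int e = errno;	/* save it: fprintf()/strerror() may clobber errno */

		if (e == EEXIST)
		{
			fprintf(stderr, "pluto: lock file \"%s\" already exists\n"
				, pluto_lock);
			exit_pluto(10);
		}
		fprintf(stderr
			, "pluto: unable to create lock file \"%s\" (%d %s)\n"
			, pluto_lock, e, strerror(e));
		exit_pluto(1);
	}
	pluto_lock_created = TRUE;
	return fd;
}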
183
/* Write "<pid>\n" into the lock file and close its descriptor.
 * Returns true only if the complete line went out in a single write().
 * The descriptor is closed on every path, success or not.
 */
static bool fill_lock(int lockfd, pid_t pid)
{
	char line[30];		/* "<pid>\n": far more room than a PID needs */
	int want = snprintf(line, sizeof(line), "%u\n", (unsigned int) pid);
	ssize_t put = -1;

	if (want > 0)
	{
		put = write(lockfd, line, (size_t) want);
	}
	close(lockfd);
	return want > 0 && put == want;
}
193
/* Remove the lock file and the control socket, but only if this process
 * created the lock (otherwise another pluto's lock would be clobbered).
 * Failure of unlink() is deliberately not reported.
 */
static void delete_lock(void)
{
	if (!pluto_lock_created)
	{
		return;
	}
	delete_ctl_socket();
	unlink(pluto_lock);	/* is noting failure useful? */
}
202
203
/* by default pluto sends certificate requests to its peers (--nocrsend) */
bool no_cr_send = FALSE;

/* by default the CRL policy is lenient (--strictcrlpolicy) */
bool strict_crl_policy = FALSE;

/* by default CRLs are cached locally as files (--cachecrls) */
bool cache_crls = FALSE;

/* by default pluto does not check crls dynamically;
 * --crlcheckinterval sets a positive number of seconds */
long crl_check_interval = 0;

/* path to the PKCS#11 module (--pkcs11module), handed to scx_init() */
char *pkcs11_module_path = NULL;

/* by default pluto logs out after every smartcard use (--pkcs11keepstate) */
bool pkcs11_keep_state = FALSE;

/* by default pluto does not allow pkcs11 proxy access via whack (--pkcs11proxy) */
bool pkcs11_proxy = FALSE;

/* argument string to pass to PKCS#11 module (--pkcs11initargs).
 * Not used for compliant modules, just for NSS softoken
 */
static const char *pkcs11_init_args = NULL;

/* options read by optionsfrom; created in main(), destroyed in exit_pluto() */
options_t *options;
232
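/**
 * Log the names of all loaded plugins on a single DBG1 line.
 *
 * The names are joined with single spaces into a fixed buffer; if they do
 * not all fit, the line is truncated (the buffer stays NUL-terminated and
 * the running length is never allowed past the buffer, so a later append
 * cannot be handed a bogus size).
 */
static void print_plugins(void)
{
	char buf[BUF_LEN], *plugin;
	size_t len = 0;
	enumerator_t *enumerator;

	buf[0] = '\0';
	enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
	while (len < sizeof(buf) && enumerator->enumerate(enumerator, &plugin))
	{
		int n = snprintf(buf + len, sizeof(buf) - len, "%s ", plugin);

		/* snprintf() returns the length it wanted, not what it wrote:
		 * stop at an error or as soon as the output was truncated */
		if (n < 0 || (size_t) n >= sizeof(buf) - len)
		{
			break;
		}
		len += (size_t) n;
	}
	enumerator->destroy(enumerator);
	DBG1("loaded plugins: %s", buf);
}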
251
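/**
 * Pluto entry point.
 *
 * Parses the command line (including options pulled in via --optionsfrom),
 * takes the lock file, creates the control socket before forking so the
 * parent's return cannot race its use, daemonizes unless --nofork was given,
 * closes inherited descriptors, starts every subsystem, changes group/user
 * and trims capabilities, loads the X.509 material and enters call_server().
 *
 * @param argc  argument count; --optionsfrom may grow it
 * @param argv  argument vector; --optionsfrom may replace it
 * @return      never returns normally: call_server() does not come back and
 *              every error path leaves through usage() or exit_pluto()
 */
int main(int argc, char **argv)
{
	bool fork_desired = TRUE;
	bool log_to_stderr_desired = FALSE;
	bool nat_traversal = FALSE;
	bool nat_t_spf = TRUE;			/* support port floating */
	unsigned int keep_alive = 0;
	bool force_keepalive = FALSE;
	char *virtual_private = NULL;
	int lockfd;
#ifdef CAPABILITIES
	cap_t caps;
	int keep[] = { CAP_NET_ADMIN, CAP_NET_BIND_SERVICE };
#endif /* CAPABILITIES */

	/* initialize library and optionsfrom */
	library_init(STRONGSWAN_CONF);
	options = options_create();

	/* handle arguments */
	for (;;)
	{
#	define DBG_OFFSET 256
		/* option values at or above DBG_OFFSET carry a debug/impair bit,
		 * decoded in the default: branch below */
		static const struct option long_opts[] = {
			/* name, has_arg, flag, val */
			{ "help", no_argument, NULL, 'h' },
			{ "version", no_argument, NULL, 'v' },
			{ "optionsfrom", required_argument, NULL, '+' },
			{ "nofork", no_argument, NULL, 'd' },
			{ "stderrlog", no_argument, NULL, 'e' },
			{ "noklips", no_argument, NULL, 'n' },
			{ "nocrsend", no_argument, NULL, 'c' },
			{ "strictcrlpolicy", no_argument, NULL, 'r' },
			{ "crlcheckinterval", required_argument, NULL, 'x'},
			{ "cachecrls", no_argument, NULL, 'C' },
			{ "uniqueids", no_argument, NULL, 'u' },
			{ "interface", required_argument, NULL, 'i' },
			{ "ikeport", required_argument, NULL, 'p' },
			{ "ctlbase", required_argument, NULL, 'b' },
			{ "secretsfile", required_argument, NULL, 's' },
			{ "foodgroupsdir", required_argument, NULL, 'f' },
			{ "perpeerlogbase", required_argument, NULL, 'P' },
			{ "perpeerlog", no_argument, NULL, 'l' },
			{ "policygroupsdir", required_argument, NULL, 'f' },
#ifdef USE_LWRES
			{ "lwdnsq", required_argument, NULL, 'a' },
#else /* !USE_LWRES */
			{ "adns", required_argument, NULL, 'a' },
#endif /* !USE_LWRES */
			{ "pkcs11module", required_argument, NULL, 'm' },
			{ "pkcs11keepstate", no_argument, NULL, 'k' },
			{ "pkcs11initargs", required_argument, NULL, 'z' },
			{ "pkcs11proxy", no_argument, NULL, 'y' },
			{ "nat_traversal", no_argument, NULL, '1' },
			{ "keep_alive", required_argument, NULL, '2' },
			{ "force_keepalive", no_argument, NULL, '3' },
			{ "disable_port_floating", no_argument, NULL, '4' },
			{ "debug-natt", no_argument, NULL, '5' },
			{ "virtual_private", required_argument, NULL, '6' },
#ifdef DEBUG
			{ "debug-none", no_argument, NULL, 'N' },
			{ "debug-all", no_argument, NULL, 'A' },
			{ "debug-raw", no_argument, NULL, DBG_RAW + DBG_OFFSET },
			{ "debug-crypt", no_argument, NULL, DBG_CRYPT + DBG_OFFSET },
			{ "debug-parsing", no_argument, NULL, DBG_PARSING + DBG_OFFSET },
			{ "debug-emitting", no_argument, NULL, DBG_EMITTING + DBG_OFFSET },
			{ "debug-control", no_argument, NULL, DBG_CONTROL + DBG_OFFSET },
			{ "debug-lifecycle", no_argument, NULL, DBG_LIFECYCLE + DBG_OFFSET },
			{ "debug-klips", no_argument, NULL, DBG_KLIPS + DBG_OFFSET },
			{ "debug-dns", no_argument, NULL, DBG_DNS + DBG_OFFSET },
			{ "debug-oppo", no_argument, NULL, DBG_OPPO + DBG_OFFSET },
			{ "debug-controlmore", no_argument, NULL, DBG_CONTROLMORE + DBG_OFFSET },
			{ "debug-private", no_argument, NULL, DBG_PRIVATE + DBG_OFFSET },

			{ "impair-delay-adns-key-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_KEY_ANSWER + DBG_OFFSET },
			{ "impair-delay-adns-txt-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_TXT_ANSWER + DBG_OFFSET },
			{ "impair-bust-mi2", no_argument, NULL, IMPAIR_BUST_MI2 + DBG_OFFSET },
			{ "impair-bust-mr2", no_argument, NULL, IMPAIR_BUST_MR2 + DBG_OFFSET },
#endif
			{ 0,0,0,0 }
		};
		/* Note: we don't like the way short options get parsed
		 * by getopt_long, so we simply pass an empty string as
		 * the list. It could be "hvdenp:l:s:" "NARXPECK".
		 */
		int c = getopt_long(argc, argv, "", long_opts, NULL);

		/* Note: "breaking" from case terminates loop */
		switch (c)
		{
		case EOF: /* end of flags */
			break;

		case 0: /* long option already handled */
			continue;

		case ':': /* diagnostic already printed by getopt_long */
		case '?': /* diagnostic already printed by getopt_long */
			usage("");
			break; /* not actually reached */

		case 'h': /* --help */
			usage(NULL);
			break; /* not actually reached */

		case 'v': /* --version */
			{
				const char **sp = ipsec_copyright_notice();

				printf("strongSwan "VERSION"%s\n", compile_time_interop_options);
				for (; *sp != NULL; sp++)
				{
					puts(*sp);
				}
			}
			exit_pluto(0);
			break; /* not actually reached */

		case '+': /* --optionsfrom <filename> */
			/* splices the file's options into argv; getopt_long picks
			 * them up on the next iterations */
			if (!options->from(options, optarg, &argc, &argv, optind))
			{
				exit_pluto(1);
			}
			continue;

		case 'd': /* --nofork */
			fork_desired = FALSE;
			continue;

		case 'e': /* --stderrlog */
			log_to_stderr_desired = TRUE;
			continue;

		case 'n': /* --noklips */
			no_klips = TRUE;
			continue;

		case 'c': /* --nocrsend */
			no_cr_send = TRUE;
			continue;

		case 'r': /* --strictcrlpolicy */
			strict_crl_policy = TRUE;
			continue;

		case 'x': /* --crlcheckinterval <time> */
			if (optarg == NULL || !isdigit((unsigned char) optarg[0]))
			{
				usage("missing interval time");
			}
			{
				char *endptr;
				long interval = strtol(optarg, &endptr, 0);

				if (*endptr != '\0' || endptr == optarg || interval <= 0)
				{
					usage("<interval-time> must be a positive number");
				}
				crl_check_interval = interval;
			}
			continue;

		case 'C': /* --cachecrls */
			cache_crls = TRUE;
			continue;

		case 'u': /* --uniqueids */
			uniqueIDs = TRUE;
			continue;

		case 'i': /* --interface <ifname> */
			if (!use_interface(optarg))
			{
				usage("too many --interface specifications");
			}
			continue;

		case 'p': /* --ikeport <port-number> */
			if (optarg == NULL || !isdigit((unsigned char) optarg[0]))
			{
				usage("missing port number");
			}
			{
				char *endptr;
				long port = strtol(optarg, &endptr, 0);

				/* upper bound is 0xFFFF: 65536 is not a port number,
				 * the message below promises 1..65535 */
				if (*endptr != '\0' || endptr == optarg
				|| port <= 0 || port > 0xFFFF)
				{
					usage("<port-number> must be a number between 1 and 65535");
				}
				pluto_port = port;
			}
			continue;

		case 'b': /* --ctlbase <path> */
			/* snprintf() signals truncation with a return value >= the
			 * buffer size, not with -1; checking only for -1 would let an
			 * overlong base silently yield truncated socket/lock paths */
			{
				int n;

				n = snprintf(ctl_addr.sun_path, sizeof(ctl_addr.sun_path)
							 , "%s%s", optarg, CTL_SUFFIX);
				if (n < 0 || (size_t) n >= sizeof(ctl_addr.sun_path))
				{
					usage("<path>" CTL_SUFFIX " too long for sun_path");
				}
				n = snprintf(info_addr.sun_path, sizeof(info_addr.sun_path)
							 , "%s%s", optarg, INFO_SUFFIX);
				if (n < 0 || (size_t) n >= sizeof(info_addr.sun_path))
				{
					usage("<path>" INFO_SUFFIX " too long for sun_path");
				}
				n = snprintf(pluto_lock, sizeof(pluto_lock)
							 , "%s%s", optarg, LOCK_SUFFIX);
				if (n < 0 || (size_t) n >= sizeof(pluto_lock))
				{
					usage("<path>" LOCK_SUFFIX " must fit");
				}
			}
			continue;

		case 's': /* --secretsfile <secrets-file> */
			shared_secrets_file = optarg;
			continue;

		case 'f': /* --policygroupsdir <policygroups-dir> (also --foodgroupsdir) */
			policygroups_dir = optarg;
			continue;

		case 'a': /* --adns <pathname> (or --lwdnsq under USE_LWRES) */
			pluto_adns_option = optarg;
			continue;

		case 'm': /* --pkcs11module <pathname> */
			pkcs11_module_path = optarg;
			continue;

		case 'k': /* --pkcs11keepstate */
			pkcs11_keep_state = TRUE;
			continue;

		case 'y': /* --pkcs11proxy */
			pkcs11_proxy = TRUE;
			continue;

		case 'z': /* --pkcs11initargs */
			pkcs11_init_args = optarg;
			continue;

#ifdef DEBUG
		case 'N': /* --debug-none */
			base_debugging = DBG_NONE;
			continue;

		case 'A': /* --debug-all */
			base_debugging = DBG_ALL;
			continue;
#endif

		case 'P': /* --perpeerlogbase */
			base_perpeer_logdir = optarg;
			continue;

		case 'l': /* --perpeerlog */
			log_to_perpeer = TRUE;
			continue;

		case '1': /* --nat_traversal */
			nat_traversal = TRUE;
			continue;

		case '2': /* --keep_alive <delay_sec> */
			/* validated like the other numeric options instead of atoi(),
			 * which silently turned garbage or a negative delay into a
			 * (huge) unsigned value */
			if (optarg == NULL || !isdigit((unsigned char) optarg[0]))
			{
				usage("missing keep-alive delay");
			}
			{
				char *endptr;
				long delay = strtol(optarg, &endptr, 0);

				if (*endptr != '\0' || endptr == optarg || delay < 0)
				{
					usage("<delay_sec> must be a non-negative number");
				}
				keep_alive = (unsigned int) delay;
			}
			continue;

		case '3': /* --force_keepalive */
			force_keepalive = TRUE;
			continue;

		case '4': /* --disable_port_floating */
			nat_t_spf = FALSE;
			continue;

		case '5': /* --debug-natt (available without DEBUG, unlike the others) */
			base_debugging |= DBG_NATT;
			continue;

		case '6': /* --virtual_private */
			virtual_private = optarg;
			continue;

		default:
#ifdef DEBUG
			/* --debug-* / --impair-* entries: the bit is val - DBG_OFFSET */
			if (c >= DBG_OFFSET)
			{
				base_debugging |= c - DBG_OFFSET;
				continue;
			}
#	undef DBG_OFFSET
#endif
			bad_case(c);
		}
		break;
	}
	if (optind != argc)
	{
		usage("unexpected argument");
	}
	reset_debugging();
	lockfd = create_lock();

	/* select between logging methods */

	if (log_to_stderr_desired)
	{
		log_to_syslog = FALSE;
	}
	else
	{
		log_to_stderr = FALSE;
	}

	/* set the logging function of pfkey debugging */
#ifdef DEBUG
	pfkey_debug_func = DBG_log;
#else
	pfkey_debug_func = NULL;
#endif

	/* create control socket.
	 * We must create it before the parent process returns so that
	 * there will be no race condition in using it. The easiest
	 * place to do this is before the daemon fork.
	 */
	{
		err_t ugh = init_ctl_socket();

		if (ugh != NULL)
		{
			fprintf(stderr, "pluto: %s", ugh);
			exit_pluto(1);
		}
	}

	/* If not suppressed, do daemon fork */

	if (fork_desired)
	{
		{
			pid_t pid = fork();

			if (pid < 0)
			{
				int e = errno;	/* saved once: read it, don't re-read errno */

				fprintf(stderr, "pluto: fork failed (%d %s)\n",
						e, strerror(e));
				exit_pluto(1);
			}

			if (pid != 0)
			{
				/* parent: die, after filling PID into lock file.
				 * must not use exit_pluto: lock would be removed!
				 */
				exit(fill_lock(lockfd, pid)? 0 : 1);
			}
		}

		if (setsid() < 0)
		{
			int e = errno;

			fprintf(stderr, "setsid() failed in main(). Errno %d: %s\n",
					e, strerror(e));
			exit_pluto(1);
		}
	}
	else
	{
		/* no daemon fork: we have to fill in lock file.
		 * A failed write is tolerated here; the lock still exists */
		(void) fill_lock(lockfd, getpid());
		fprintf(stdout, "Pluto initialized\n");
		fflush(stdout);
	}

	/* Close everything but ctl_fd and (if needed) stderr.
	 * There is some danger that a library that we don't know
	 * about is using some fd that we don't know about.
	 * I guess we'll soon find out.
	 */
	{
		int i;

		for (i = getdtablesize() - 1; i >= 0; i--) /* Bad hack */
		{
			if ((!log_to_stderr || i != 2) && i != ctl_fd)
			{
				close(i);
			}
		}

		/* make sure that stdin, stdout, stderr are reserved:
		 * 0 was just closed above, so this open() must hand it back */
		if (open("/dev/null", O_RDONLY) != 0)
		{
			abort();
		}
		if (dup2(0, 1) != 1)
		{
			abort();
		}
		if (!log_to_stderr && dup2(0, 2) != 2)
		{
			abort();
		}
	}

	init_constants();
	init_log("pluto");

	/* Note: some scripts may look for this exact message -- don't change
	 * ipsec barf was one, but it no longer does.
	 */
	plog("Starting IKEv1 pluto daemon (strongSwan "VERSION")%s",
		 compile_time_interop_options);

	/* load plugins, further infrastructure may need it */
	lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR,
		lib->settings->get_str(lib->settings, "pluto.load", PLUGINS));
	print_plugins();

#ifdef INTEGRITY_TEST
	DBG1("integrity test of libstrongswan code");
	if (fips_verify_hmac_signature(hmac_key, hmac_signature))
	{
		DBG1("  integrity test passed");
	}
	else
	{
		DBG1("  integrity test failed");
		abort();
	}
#endif /* INTEGRITY_TEST */

	init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf);
	init_virtual_ip(virtual_private);
	scx_init(pkcs11_module_path, pkcs11_init_args);
	xauth_init();
	init_secret();
	init_states();
	init_crypto();
	init_demux();
	init_kernel();
	init_adns();
	init_id();
	init_fetch();

	/* drop unneeded capabilities and change UID/GID.
	 * PR_SET_KEEPCAPS keeps the permitted set across the setuid() below;
	 * its return value is not checked, which presumably only matters
	 * under CAPABILITIES, where cap_set_proc() would then fail and abort.
	 */
	prctl(PR_SET_KEEPCAPS, 1);

#ifdef IPSEC_GROUP
	{
		struct group group, *grp;
		char buf[1024];

		/* NOTE(review): supplementary groups inherited from the invoker
		 * are not cleared here (no setgroups()); confirm that is intended */
		if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) != 0 ||
			grp == NULL || setgid(grp->gr_gid) != 0)
		{
			plog("unable to change daemon group");
			abort();
		}
	}
#endif
#ifdef IPSEC_USER
	{
		struct passwd passwd, *pwp;
		char buf[1024];

		/* group first (above), then user: setgid() needs the privileges
		 * that setuid() gives up */
		if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) != 0 ||
			pwp == NULL || setuid(pwp->pw_uid) != 0)
		{
			plog("unable to change daemon user");
			abort();
		}
	}
#endif

#ifdef CAPABILITIES
	/* keep only what the daemon needs: CAP_NET_ADMIN and
	 * CAP_NET_BIND_SERVICE, in all three sets */
	caps = cap_init();
	cap_set_flag(caps, CAP_EFFECTIVE, 2, keep, CAP_SET);
	cap_set_flag(caps, CAP_INHERITABLE, 2, keep, CAP_SET);
	cap_set_flag(caps, CAP_PERMITTED, 2, keep, CAP_SET);
	if (cap_set_proc(caps) != 0)
	{
		plog("unable to drop daemon capabilities");
		abort();
	}
	cap_free(caps);
#endif /* CAPABILITIES */

	/* loading X.509 CA certificates */
	load_authcerts("CA cert", CA_CERT_PATH, AUTH_CA);
	/* loading X.509 AA certificates */
	load_authcerts("AA cert", AA_CERT_PATH, AUTH_AA);
	/* loading X.509 OCSP certificates */
	load_authcerts("OCSP cert", OCSP_CERT_PATH, AUTH_OCSP);
	/* loading X.509 CRLs */
	load_crls();
	/* loading attribute certificates (experimental) */
	load_acerts();

	daily_log_event();
	call_server();
	return -1; /* Shouldn't ever reach this */
}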
729
/* leave pluto, with status.
 * Once child is launched, parent must not exit this way because
 * the lock would be released.
 *
 * Frees the state of every subsystem (secrets, keys, connections, fetch
 * queues, certificate and CRL chains, OCSP cache, interfaces, PKCS#11 and
 * XAUTH modules, adns, crypto, ids, events, vendor ids), removes the lock
 * file and control socket, destroys the optionsfrom object, shuts the
 * library and the log down, and finally calls exit(). The order matters:
 * reset_globals() comes first because the caller may be in an odd state,
 * and the lock/options/library/log teardown is last so that everything
 * above it can still log.
 *
 * 0 OK
 * 1 general discomfort
 * 10 lock file exists
 */
void exit_pluto(int status)
{
	reset_globals(); /* needed because we may be called in odd state */
	free_preshared_secrets();
	free_remembered_public_keys();
	delete_every_connection();
	free_crl_fetch(); /* free chain of crl fetch requests */
	free_ocsp_fetch(); /* free chain of ocsp fetch requests */
	free_authcerts(); /* free chain of X.509 authority certificates */
	free_crls(); /* free chain of X.509 CRLs */
	free_acerts(); /* free chain of X.509 attribute certificates */
	free_ca_infos(); /* free chain of X.509 CA information records */
	free_ocsp(); /* free ocsp cache */
	free_ifaces();
	scx_finalize(); /* finalize and unload PKCS #11 module */
	xauth_finalize(); /* finalize and unload XAUTH module */
	stop_adns();
	free_md_pool();
	free_crypto();
	free_id(); /* free myids */
	free_events(); /* free remaining events */
	free_vendorid(); /* free all vendor id records */
	delete_lock(); /* only removes a lock this process created */
	options->destroy(options);
	library_deinit();
	close_log();
	exit(status);
}
766
767 /*
768 * Local Variables:
769 * c-basic-offset:4
770 * c-style: pluto
771 * End:
772 */