6ab1bfe8a6fcc3758a0d6dae81878fd105ea9661
[strongswan.git] / src / pluto / plutomain.c
1 /* Pluto main program
2 * Copyright (C) 1997 Angelos D. Keromytis.
3 * Copyright (C) 1998-2001 D. Hugh Redelmeier.
4 * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <stdio.h>
18 #include <stdlib.h>
19 #include <unistd.h>
20 #include <ctype.h>
21 #include <errno.h>
22 #include <string.h>
23 #include <sys/types.h>
24 #include <sys/stat.h>
25 #include <sys/un.h>
26 #include <fcntl.h>
27 #include <getopt.h>
28 #include <resolv.h>
29 #include <arpa/nameser.h> /* missing from <resolv.h> on old systems */
30 #include <sys/queue.h>
31 #include <sys/prctl.h>
32 #include <pwd.h>
33 #include <grp.h>
34
35 #ifdef CAPABILITIES
36 #include <sys/capability.h>
37 #endif /* CAPABILITIES */
38
39 #include <freeswan.h>
40
41 #include <hydra.h>
42 #include <library.h>
43 #include <debug.h>
44 #include <utils/enumerator.h>
45 #include <utils/optionsfrom.h>
46
47 #include <pfkeyv2.h>
48 #include <pfkey.h>
49
50 #include "constants.h"
51 #include "defs.h"
52 #include "myid.h"
53 #include "ca.h"
54 #include "certs.h"
55 #include "ac.h"
56 #include "connections.h"
57 #include "foodgroups.h"
58 #include "packet.h"
59 #include "demux.h" /* needs packet.h */
60 #include "server.h"
61 #include "kernel.h"
62 #include "log.h"
63 #include "keys.h"
64 #include "adns.h" /* needs <resolv.h> */
65 #include "dnskey.h" /* needs keys.h and adns.h */
66 #include "state.h"
67 #include "ipsec_doi.h" /* needs demux.h and state.h */
68 #include "ocsp.h"
69 #include "crl.h"
70 #include "fetch.h"
71 #include "xauth.h"
72 #include "crypto.h"
73 #include "nat_traversal.h"
74 #include "virtual.h"
75 #include "timer.h"
76 #include "vendor.h"
77 #include "builder.h"
78 #include "whack_attribute.h"
79
80 static void usage(const char *mess)
81 {
82 if (mess != NULL && *mess != '\0')
83 fprintf(stderr, "%s\n", mess);
84 fprintf(stderr
85 , "Usage: pluto"
86 " [--help]"
87 " [--version]"
88 " [--optionsfrom <filename>]"
89 " \\\n\t"
90 "[--nofork]"
91 " [--stderrlog]"
92 " [--noklips]"
93 " [--nocrsend]"
94 " \\\n\t"
95 "[--strictcrlpolicy]"
96 " [--crlcheckinterval <interval>]"
97 " [--cachecrls]"
98 " [--uniqueids]"
99 " \\\n\t"
100 "[--interface <ifname>]"
101 " [--ikeport <port-number>]"
102 " \\\n\t"
103 "[--ctlbase <path>]"
104 " \\\n\t"
105 "[--perpeerlogbase <path>] [--perpeerlog]"
106 " \\\n\t"
107 "[--secretsfile <secrets-file>]"
108 " [--policygroupsdir <policygroups-dir>]"
109 " \\\n\t"
110 "[--adns <pathname>]"
111 "[--pkcs11module <path>]"
112 "[--pkcs11keepstate]"
113 "[--pkcs11initargs <string>]"
114 #ifdef DEBUG
115 " \\\n\t"
116 "[--debug-none]"
117 " [--debug-all]"
118 " \\\n\t"
119 "[--debug-raw]"
120 " [--debug-crypt]"
121 " [--debug-parsing]"
122 " [--debug-emitting]"
123 " \\\n\t"
124 "[--debug-control]"
125 " [--debug-lifecycle]"
126 " [--debug-klips]"
127 " [--debug-dns]"
128 " \\\n\t"
129 "[--debug-oppo]"
130 " [--debug-controlmore]"
131 " [--debug-private]"
132 " [--debug-natt]"
133 #endif
134 " \\\n\t"
135 "[--nat_traversal] [--keep_alive <delay_sec>]"
136 " \\\n\t"
137 "[--force_keepalive] [--disable_port_floating]"
138 " \\\n\t"
139 "[--virtual_private <network_list>]"
140 "\n"
141 "strongSwan "VERSION"\n");
142 exit_pluto(mess == NULL? 0 : 1);
143 }
144
145
146 /* lock file support
147 * - provides convenient way for scripts to find Pluto's pid
148 * - prevents multiple Plutos competing for the same port
149 * - same basename as unix domain control socket
150 * NOTE: will not take account of sharing LOCK_DIR with other systems.
151 */
152
153 static char pluto_lock[sizeof(ctl_addr.sun_path)] = DEFAULT_CTLBASE LOCK_SUFFIX;
154 static bool pluto_lock_created = FALSE;
155
156 /* create lockfile, or die in the attempt */
157 static int create_lock(void)
158 {
159 int fd = open(pluto_lock, O_WRONLY | O_CREAT | O_EXCL | O_TRUNC
160 , S_IRUSR | S_IRGRP | S_IROTH);
161
162 if (fd < 0)
163 {
164 if (errno == EEXIST)
165 {
166 fprintf(stderr, "pluto: lock file \"%s\" already exists\n"
167 , pluto_lock);
168 exit_pluto(10);
169 }
170 else
171 {
172 fprintf(stderr
173 , "pluto: unable to create lock file \"%s\" (%d %s)\n"
174 , pluto_lock, errno, strerror(errno));
175 exit_pluto(1);
176 }
177 }
178 pluto_lock_created = TRUE;
179 return fd;
180 }
181
182 static bool fill_lock(int lockfd, pid_t pid)
183 {
184 char buf[30]; /* holds "<pid>\n" */
185 int len = snprintf(buf, sizeof(buf), "%u\n", (unsigned int) pid);
186 bool ok = len > 0 && write(lockfd, buf, len) == len;
187
188 close(lockfd);
189 return ok;
190 }
191
192 static void delete_lock(void)
193 {
194 if (pluto_lock_created)
195 {
196 delete_ctl_socket();
197 unlink(pluto_lock); /* is noting failure useful? */
198 }
199 }
200
201
202 /* by default pluto sends certificate requests to its peers */
203 bool no_cr_send = FALSE;
204
205 /* by default the CRL policy is lenient */
206 bool strict_crl_policy = FALSE;
207
208 /* by default CRLs are cached locally as files */
209 bool cache_crls = FALSE;
210
211 /* by default pluto does not check crls dynamically */
212 long crl_check_interval = 0;
213
214 /* path to the PKCS#11 module */
215 char *pkcs11_module_path = NULL;
216
217 /* by default pluto logs out after every smartcard use */
218 bool pkcs11_keep_state = FALSE;
219
220 /* by default pluto does not allow pkcs11 proxy access via whack */
221 bool pkcs11_proxy = FALSE;
222
223 /* argument string to pass to PKCS#11 module.
224 * Not used for compliant modules, just for NSS softoken
225 */
226 static const char *pkcs11_init_args = NULL;
227
228 /* options read by optionsfrom */
229 options_t *options;
230
231 /**
232 * Log loaded plugins
233 */
234 static void print_plugins()
235 {
236 char buf[BUF_LEN], *plugin;
237 int len = 0;
238 enumerator_t *enumerator;
239
240 buf[0] = '\0';
241 enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
242 while (len < BUF_LEN && enumerator->enumerate(enumerator, &plugin))
243 {
244 len += snprintf(&buf[len], BUF_LEN-len, "%s ", plugin);
245 }
246 enumerator->destroy(enumerator);
247 DBG1(DBG_DMN, "loaded plugins: %s", buf);
248 }
249
250 int main(int argc, char **argv)
251 {
252 bool fork_desired = TRUE;
253 bool log_to_stderr_desired = FALSE;
254 bool nat_traversal = FALSE;
255 bool nat_t_spf = TRUE; /* support port floating */
256 unsigned int keep_alive = 0;
257 bool force_keepalive = FALSE;
258 char *virtual_private = NULL;
259 int lockfd;
260 #ifdef CAPABILITIES
261 cap_t caps;
262 int keep[] = { CAP_NET_ADMIN, CAP_NET_BIND_SERVICE };
263 #endif /* CAPABILITIES */
264
265 /* initialize library and optionsfrom */
266 if (!library_init(NULL))
267 {
268 library_deinit();
269 exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
270 }
271 if (lib->integrity &&
272 !lib->integrity->check_file(lib->integrity, "pluto", argv[0]))
273 {
274 fprintf(stderr, "integrity check of pluto failed\n");
275 library_deinit();
276 exit(SS_RC_DAEMON_INTEGRITY);
277 }
278 if (!libhydra_init("pluto"))
279 {
280 libhydra_deinit();
281 library_deinit();
282 exit(SS_RC_INITIALIZATION_FAILED);
283 }
284 options = options_create();
285
286 /* handle arguments */
287 for (;;)
288 {
289 # define DBG_OFFSET 256
290 static const struct option long_opts[] = {
291 /* name, has_arg, flag, val */
292 { "help", no_argument, NULL, 'h' },
293 { "version", no_argument, NULL, 'v' },
294 { "optionsfrom", required_argument, NULL, '+' },
295 { "nofork", no_argument, NULL, 'd' },
296 { "stderrlog", no_argument, NULL, 'e' },
297 { "noklips", no_argument, NULL, 'n' },
298 { "nocrsend", no_argument, NULL, 'c' },
299 { "strictcrlpolicy", no_argument, NULL, 'r' },
300 { "crlcheckinterval", required_argument, NULL, 'x'},
301 { "cachecrls", no_argument, NULL, 'C' },
302 { "uniqueids", no_argument, NULL, 'u' },
303 { "interface", required_argument, NULL, 'i' },
304 { "ikeport", required_argument, NULL, 'p' },
305 { "ctlbase", required_argument, NULL, 'b' },
306 { "secretsfile", required_argument, NULL, 's' },
307 { "foodgroupsdir", required_argument, NULL, 'f' },
308 { "perpeerlogbase", required_argument, NULL, 'P' },
309 { "perpeerlog", no_argument, NULL, 'l' },
310 { "policygroupsdir", required_argument, NULL, 'f' },
311 #ifdef USE_LWRES
312 { "lwdnsq", required_argument, NULL, 'a' },
313 #else /* !USE_LWRES */
314 { "adns", required_argument, NULL, 'a' },
315 #endif /* !USE_LWRES */
316 { "pkcs11module", required_argument, NULL, 'm' },
317 { "pkcs11keepstate", no_argument, NULL, 'k' },
318 { "pkcs11initargs", required_argument, NULL, 'z' },
319 { "pkcs11proxy", no_argument, NULL, 'y' },
320 { "nat_traversal", no_argument, NULL, '1' },
321 { "keep_alive", required_argument, NULL, '2' },
322 { "force_keepalive", no_argument, NULL, '3' },
323 { "disable_port_floating", no_argument, NULL, '4' },
324 { "debug-natt", no_argument, NULL, '5' },
325 { "virtual_private", required_argument, NULL, '6' },
326 #ifdef DEBUG
327 { "debug-none", no_argument, NULL, 'N' },
328 { "debug-all", no_argument, NULL, 'A' },
329 { "debug-raw", no_argument, NULL, DBG_RAW + DBG_OFFSET },
330 { "debug-crypt", no_argument, NULL, DBG_CRYPT + DBG_OFFSET },
331 { "debug-parsing", no_argument, NULL, DBG_PARSING + DBG_OFFSET },
332 { "debug-emitting", no_argument, NULL, DBG_EMITTING + DBG_OFFSET },
333 { "debug-control", no_argument, NULL, DBG_CONTROL + DBG_OFFSET },
334 { "debug-lifecycle", no_argument, NULL, DBG_LIFECYCLE + DBG_OFFSET },
335 { "debug-klips", no_argument, NULL, DBG_KLIPS + DBG_OFFSET },
336 { "debug-dns", no_argument, NULL, DBG_DNS + DBG_OFFSET },
337 { "debug-oppo", no_argument, NULL, DBG_OPPO + DBG_OFFSET },
338 { "debug-controlmore", no_argument, NULL, DBG_CONTROLMORE + DBG_OFFSET },
339 { "debug-private", no_argument, NULL, DBG_PRIVATE + DBG_OFFSET },
340
341 { "impair-delay-adns-key-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_KEY_ANSWER + DBG_OFFSET },
342 { "impair-delay-adns-txt-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_TXT_ANSWER + DBG_OFFSET },
343 { "impair-bust-mi2", no_argument, NULL, IMPAIR_BUST_MI2 + DBG_OFFSET },
344 { "impair-bust-mr2", no_argument, NULL, IMPAIR_BUST_MR2 + DBG_OFFSET },
345 #endif
346 { 0,0,0,0 }
347 };
348 /* Note: we don't like the way short options get parsed
349 * by getopt_long, so we simply pass an empty string as
350 * the list. It could be "hvdenp:l:s:" "NARXPECK".
351 */
352 int c = getopt_long(argc, argv, "", long_opts, NULL);
353
354 /* Note: "breaking" from case terminates loop */
355 switch (c)
356 {
357 case EOF: /* end of flags */
358 break;
359
360 case 0: /* long option already handled */
361 continue;
362
363 case ':': /* diagnostic already printed by getopt_long */
364 case '?': /* diagnostic already printed by getopt_long */
365 usage("");
366 break; /* not actually reached */
367
368 case 'h': /* --help */
369 usage(NULL);
370 break; /* not actually reached */
371
372 case 'v': /* --version */
373 {
374 const char **sp = ipsec_copyright_notice();
375
376 printf("strongSwan "VERSION"%s\n", compile_time_interop_options);
377 for (; *sp != NULL; sp++)
378 puts(*sp);
379 }
380 exit_pluto(0);
381 break; /* not actually reached */
382
383 case '+': /* --optionsfrom <filename> */
384 if (!options->from(options, optarg, &argc, &argv, optind))
385 {
386 exit_pluto(1);
387 }
388 continue;
389
390 case 'd': /* --nofork*/
391 fork_desired = FALSE;
392 continue;
393
394 case 'e': /* --stderrlog */
395 log_to_stderr_desired = TRUE;
396 continue;
397
398 case 'n': /* --noklips */
399 no_klips = TRUE;
400 continue;
401
402 case 'c': /* --nocrsend */
403 no_cr_send = TRUE;
404 continue;
405
406 case 'r': /* --strictcrlpolicy */
407 strict_crl_policy = TRUE;
408 continue;
409
410 case 'x': /* --crlcheckinterval <time>*/
411 if (optarg == NULL || !isdigit(optarg[0]))
412 usage("missing interval time");
413
414 {
415 char *endptr;
416 long interval = strtol(optarg, &endptr, 0);
417
418 if (*endptr != '\0' || endptr == optarg
419 || interval <= 0)
420 usage("<interval-time> must be a positive number");
421 crl_check_interval = interval;
422 }
423 continue;
424
425 case 'C': /* --cachecrls */
426 cache_crls = TRUE;
427 continue;
428
429 case 'u': /* --uniqueids */
430 uniqueIDs = TRUE;
431 continue;
432
433 case 'i': /* --interface <ifname> */
434 if (!use_interface(optarg))
435 usage("too many --interface specifications");
436 continue;
437
438 case 'p': /* --port <portnumber> */
439 if (optarg == NULL || !isdigit(optarg[0]))
440 usage("missing port number");
441
442 {
443 char *endptr;
444 long port = strtol(optarg, &endptr, 0);
445
446 if (*endptr != '\0' || endptr == optarg
447 || port <= 0 || port > 0x10000)
448 usage("<port-number> must be a number between 1 and 65535");
449 pluto_port = port;
450 }
451 continue;
452
453 case 'b': /* --ctlbase <path> */
454 if (snprintf(ctl_addr.sun_path, sizeof(ctl_addr.sun_path)
455 , "%s%s", optarg, CTL_SUFFIX) == -1)
456 usage("<path>" CTL_SUFFIX " too long for sun_path");
457 if (snprintf(info_addr.sun_path, sizeof(info_addr.sun_path)
458 , "%s%s", optarg, INFO_SUFFIX) == -1)
459 usage("<path>" INFO_SUFFIX " too long for sun_path");
460 if (snprintf(pluto_lock, sizeof(pluto_lock)
461 , "%s%s", optarg, LOCK_SUFFIX) == -1)
462 usage("<path>" LOCK_SUFFIX " must fit");
463 continue;
464
465 case 's': /* --secretsfile <secrets-file> */
466 shared_secrets_file = optarg;
467 continue;
468
469 case 'f': /* --policygroupsdir <policygroups-dir> */
470 policygroups_dir = optarg;
471 continue;
472
473 case 'a': /* --adns <pathname> */
474 pluto_adns_option = optarg;
475 continue;
476
477 case 'm': /* --pkcs11module <pathname> */
478 pkcs11_module_path = optarg;
479 continue;
480
481 case 'k': /* --pkcs11keepstate */
482 pkcs11_keep_state = TRUE;
483 continue;
484
485 case 'y': /* --pkcs11proxy */
486 pkcs11_proxy = TRUE;
487 continue;
488
489 case 'z': /* --pkcs11initargs */
490 pkcs11_init_args = optarg;
491 continue;
492
493 #ifdef DEBUG
494 case 'N': /* --debug-none */
495 base_debugging = DBG_NONE;
496 continue;
497
498 case 'A': /* --debug-all */
499 base_debugging = DBG_ALL;
500 continue;
501 #endif
502
503 case 'P': /* --perpeerlogbase */
504 base_perpeer_logdir = optarg;
505 continue;
506
507 case 'l':
508 log_to_perpeer = TRUE;
509 continue;
510
511 case '1': /* --nat_traversal */
512 nat_traversal = TRUE;
513 continue;
514 case '2': /* --keep_alive */
515 keep_alive = atoi(optarg);
516 continue;
517 case '3': /* --force_keepalive */
518 force_keepalive = TRUE;
519 continue;
520 case '4': /* --disable_port_floating */
521 nat_t_spf = FALSE;
522 continue;
523 case '5': /* --debug-nat_t */
524 base_debugging |= DBG_NATT;
525 continue;
526 case '6': /* --virtual_private */
527 virtual_private = optarg;
528 continue;
529
530 default:
531 #ifdef DEBUG
532 if (c >= DBG_OFFSET)
533 {
534 base_debugging |= c - DBG_OFFSET;
535 continue;
536 }
537 # undef DBG_OFFSET
538 #endif
539 bad_case(c);
540 }
541 break;
542 }
543 if (optind != argc)
544 usage("unexpected argument");
545 reset_debugging();
546 lockfd = create_lock();
547
548 /* select between logging methods */
549
550 if (log_to_stderr_desired)
551 {
552 log_to_syslog = FALSE;
553 }
554 else
555 {
556 log_to_stderr = FALSE;
557 }
558
559 /* set the logging function of pfkey debugging */
560 #ifdef DEBUG
561 pfkey_debug_func = DBG_log;
562 #else
563 pfkey_debug_func = NULL;
564 #endif
565
566 /* create control socket.
567 * We must create it before the parent process returns so that
568 * there will be no race condition in using it. The easiest
569 * place to do this is before the daemon fork.
570 */
571 {
572 err_t ugh = init_ctl_socket();
573
574 if (ugh != NULL)
575 {
576 fprintf(stderr, "pluto: %s", ugh);
577 exit_pluto(1);
578 }
579 }
580
581 /* If not suppressed, do daemon fork */
582
583 if (fork_desired)
584 {
585 {
586 pid_t pid = fork();
587
588 if (pid < 0)
589 {
590 int e = errno;
591
592 fprintf(stderr, "pluto: fork failed (%d %s)\n",
593 errno, strerror(e));
594 exit_pluto(1);
595 }
596
597 if (pid != 0)
598 {
599 /* parent: die, after filling PID into lock file.
600 * must not use exit_pluto: lock would be removed!
601 */
602 exit(fill_lock(lockfd, pid)? 0 : 1);
603 }
604 }
605
606 if (setsid() < 0)
607 {
608 int e = errno;
609
610 fprintf(stderr, "setsid() failed in main(). Errno %d: %s\n",
611 errno, strerror(e));
612 exit_pluto(1);
613 }
614 }
615 else
616 {
617 /* no daemon fork: we have to fill in lock file */
618 (void) fill_lock(lockfd, getpid());
619 fprintf(stdout, "Pluto initialized\n");
620 fflush(stdout);
621 }
622
623 /* Close everything but ctl_fd and (if needed) stderr.
624 * There is some danger that a library that we don't know
625 * about is using some fd that we don't know about.
626 * I guess we'll soon find out.
627 */
628 {
629 int i;
630
631 for (i = getdtablesize() - 1; i >= 0; i--) /* Bad hack */
632 {
633 if ((!log_to_stderr || i != 2) && i != ctl_fd)
634 close(i);
635 }
636
637 /* make sure that stdin, stdout, stderr are reserved */
638 if (open("/dev/null", O_RDONLY) != 0)
639 abort();
640 if (dup2(0, 1) != 1)
641 abort();
642 if (!log_to_stderr && dup2(0, 2) != 2)
643 abort();
644 }
645
646 init_constants();
647 init_log("pluto");
648
649 /* Note: some scripts may look for this exact message -- don't change
650 * ipsec barf was one, but it no longer does.
651 */
652 plog("Starting IKEv1 pluto daemon (strongSwan "VERSION")%s",
653 compile_time_interop_options);
654
655 if (lib->integrity)
656 {
657 plog("integrity tests enabled:");
658 plog("lib 'libstrongswan': passed file and segment integrity tests");
659 plog("lib 'libhydra': passed file and segment integrity tests");
660 plog("daemon 'pluto': passed file integrity test");
661 }
662
663 /* load plugins, further infrastructure may need it */
664 if (!lib->plugins->load(lib->plugins, NULL,
665 lib->settings->get_str(lib->settings, "pluto.load", PLUGINS)))
666 {
667 exit(SS_RC_INITIALIZATION_FAILED);
668 }
669 print_plugins();
670
671 init_builder();
672 if (!init_secret() || !init_crypto())
673 {
674 plog("initialization failed - aborting pluto");
675 exit_pluto(SS_RC_INITIALIZATION_FAILED);
676 }
677 init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf);
678 init_virtual_ip(virtual_private);
679 scx_init(pkcs11_module_path, pkcs11_init_args);
680 xauth_init();
681 init_states();
682 init_demux();
683 init_kernel();
684 init_adns();
685 init_myid();
686 fetch_initialize();
687 ac_initialize();
688 whack_attribute_initialize();
689
690 /* drop unneeded capabilities and change UID/GID */
691 prctl(PR_SET_KEEPCAPS, 1);
692
693 #ifdef IPSEC_GROUP
694 {
695 struct group group, *grp;
696 char buf[1024];
697
698 if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) != 0 ||
699 grp == NULL || setgid(grp->gr_gid) != 0)
700 {
701 plog("unable to change daemon group");
702 abort();
703 }
704 }
705 #endif
706 #ifdef IPSEC_USER
707 {
708 struct passwd passwd, *pwp;
709 char buf[1024];
710
711 if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) != 0 ||
712 pwp == NULL || setuid(pwp->pw_uid) != 0)
713 {
714 plog("unable to change daemon user");
715 abort();
716 }
717 }
718 #endif
719
720 #ifdef CAPABILITIES
721 caps = cap_init();
722 cap_set_flag(caps, CAP_EFFECTIVE, 2, keep, CAP_SET);
723 cap_set_flag(caps, CAP_INHERITABLE, 2, keep, CAP_SET);
724 cap_set_flag(caps, CAP_PERMITTED, 2, keep, CAP_SET);
725 if (cap_set_proc(caps) != 0)
726 {
727 plog("unable to drop daemon capabilities");
728 abort();
729 }
730 cap_free(caps);
731 #endif /* CAPABILITIES */
732
733 /* loading X.509 CA certificates */
734 load_authcerts("ca", CA_CERT_PATH, X509_CA);
735 /* loading X.509 AA certificates */
736 load_authcerts("aa", AA_CERT_PATH, X509_AA);
737 /* loading X.509 OCSP certificates */
738 load_authcerts("ocsp", OCSP_CERT_PATH, X509_OCSP_SIGNER);
739 /* loading X.509 CRLs */
740 load_crls();
741 /* loading attribute certificates (experimental) */
742 ac_load_certs();
743
744 daily_log_event();
745 call_server();
746 return -1; /* Shouldn't ever reach this */
747 }
748
749 /* leave pluto, with status.
750 * Once child is launched, parent must not exit this way because
751 * the lock would be released.
752 *
753 * 0 OK
754 * 1 general discomfort
755 * 10 lock file exists
756 */
757 void exit_pluto(int status)
758 {
759 reset_globals(); /* needed because we may be called in odd state */
760 free_preshared_secrets();
761 free_remembered_public_keys();
762 delete_every_connection();
763 whack_attribute_finalize(); /* free in-memory pools */
764 fetch_finalize(); /* stop fetching thread */
765 free_crl_fetch(); /* free chain of crl fetch requests */
766 free_ocsp_fetch(); /* free chain of ocsp fetch requests */
767 free_authcerts(); /* free chain of X.509 authority certificates */
768 free_crls(); /* free chain of X.509 CRLs */
769 free_ca_infos(); /* free chain of X.509 CA information records */
770 free_ocsp(); /* free ocsp cache */
771 free_ifaces();
772 ac_finalize(); /* free X.509 attribute certificates */
773 scx_finalize(); /* finalize and unload PKCS #11 module */
774 xauth_finalize(); /* finalize and unload XAUTH module */
775 stop_adns();
776 free_md_pool();
777 free_crypto();
778 free_myid(); /* free myids */
779 free_events(); /* free remaining events */
780 free_vendorid(); /* free all vendor id records */
781 free_builder();
782 delete_lock();
783 options->destroy(options);
784 libhydra_deinit();
785 library_deinit();
786 close_log();
787 exit(status);
788 }
789
790 /*
791 * Local Variables:
792 * c-basic-offset:4
793 * c-style: pluto
794 * End:
795 */