projects / strongswan.git / blob
? search:


85632dfbb798116b5e2f8b2ee4763397e40609c4
[strongswan.git] / src / pluto / plutomain.c
1 /* Pluto main program
2 * Copyright (C) 1997 Angelos D. Keromytis.
3 * Copyright (C) 1998-2001 D. Hugh Redelmeier.
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 *
15 * RCSID $Id: plutomain.c,v 1.16 2005/09/25 21:30:52 as Exp $
16 */
17
18 #include <stdio.h>
19 #include <stdlib.h>
20 #include <unistd.h>
21 #include <ctype.h>
22 #include <errno.h>
23 #include <string.h>
24 #include <sys/types.h>
25 #include <sys/stat.h>
26 #include <sys/un.h>
27 #include <fcntl.h>
28 #include <getopt.h>
29 #include <resolv.h>
30 #include <arpa/nameser.h> /* missing from <resolv.h> on old systems */
31 #include <sys/queue.h>
32
33 #include <freeswan.h>
34
35 #include <pfkeyv2.h>
36 #include <pfkey.h>
37
38 #include "constants.h"
39 #include "defs.h"
40 #include "id.h"
41 #include "ca.h"
42 #include "certs.h"
43 #include "ac.h"
44 #include "connections.h"
45 #include "foodgroups.h"
46 #include "packet.h"
47 #include "demux.h" /* needs packet.h */
48 #include "server.h"
49 #include "kernel.h"
50 #include "log.h"
51 #include "keys.h"
52 #include "adns.h" /* needs <resolv.h> */
53 #include "dnskey.h" /* needs keys.h and adns.h */
54 #include "rnd.h"
55 #include "state.h"
56 #include "ipsec_doi.h" /* needs demux.h and state.h */
57 #include "ocsp.h"
58 #include "crl.h"
59 #include "fetch.h"
60 #include "xauth.h"
61 #include "sha1.h"
62 #include "md5.h"
63 #include "crypto.h" /* requires sha1.h and md5.h */
64 #include "nat_traversal.h"
65 #include "virtual.h"
66
67 static void
68 usage(const char *mess)
69 {
70 if (mess != NULL && *mess != '\0')
71 fprintf(stderr, "%s\n", mess);
72 fprintf(stderr
73 , "Usage: pluto"
74 " [--help]"
75 " [--version]"
76 " [--optionsfrom <filename>]"
77 " \\\n\t"
78 "[--nofork]"
79 " [--stderrlog]"
80 " [--noklips]"
81 " [--nocrsend]"
82 " \\\n\t"
83 "[--strictcrlpolicy]"
84 " [--crlcheckinterval]"
85 " [--cachecrls]"
86 " [--uniqueids]"
87 " \\\n\t"
88 "[--interface <ifname>]"
89 " [--ikeport <port-number>]"
90 " \\\n\t"
91 "[--ctlbase <path>]"
92 " \\\n\t"
93 "[--perpeerlogbase <path>] [--perpeerlog]"
94 " \\\n\t"
95 "[--secretsfile <secrets-file>]"
96 " [--policygroupsdir <policygroups-dir>]"
97 " \\\n\t"
98 "[--adns <pathname>]"
99 "[--pkcs11module <path>]"
100 "[--pkcs11keepstate"
101 #ifdef DEBUG
102 " \\\n\t"
103 "[--debug-none]"
104 " [--debug-all]"
105 " \\\n\t"
106 "[--debug-raw]"
107 " [--debug-crypt]"
108 " [--debug-parsing]"
109 " [--debug-emitting]"
110 " \\\n\t"
111 "[--debug-control]"
112 " [--debug-lifecycle]"
113 " [--debug-klips]"
114 " [--debug-dns]"
115 " \\\n\t"
116 "[--debug-oppo]"
117 " [--debug-controlmore]"
118 " [--debug-private]"
119 #endif
120 " [ --debug-natt]"
121 " \\\n\t"
122 "[--nat_traversal] [--keep_alive <delay_sec>]"
123 " \\\n\t"
124 "[--force_keepalive] [--disable_port_floating]"
125 " \\\n\t"
126 "[--virtual_private <network_list>]"
127 "\n"
128 "strongSwan %s\n"
129 , ipsec_version_code());
130 exit_pluto(mess == NULL? 0 : 1);
131 }
132
133
134 /* lock file support
135 * - provides convenient way for scripts to find Pluto's pid
136 * - prevents multiple Plutos competing for the same port
137 * - same basename as unix domain control socket
138 * NOTE: will not take account of sharing LOCK_DIR with other systems.
139 */
140
141 static char pluto_lock[sizeof(ctl_addr.sun_path)] = DEFAULT_CTLBASE LOCK_SUFFIX;
142 static bool pluto_lock_created = FALSE;
143
144 /* create lockfile, or die in the attempt */
145 static int
146 create_lock(void)
147 {
148 int fd = open(pluto_lock, O_WRONLY | O_CREAT | O_EXCL | O_TRUNC
149 , S_IRUSR | S_IRGRP | S_IROTH);
150
151 if (fd < 0)
152 {
153 if (errno == EEXIST)
154 {
155 fprintf(stderr, "pluto: lock file \"%s\" already exists\n"
156 , pluto_lock);
157 exit_pluto(10);
158 }
159 else
160 {
161 fprintf(stderr
162 , "pluto: unable to create lock file \"%s\" (%d %s)\n"
163 , pluto_lock, errno, strerror(errno));
164 exit_pluto(1);
165 }
166 }
167 pluto_lock_created = TRUE;
168 return fd;
169 }
170
171 static bool
172 fill_lock(int lockfd, pid_t pid)
173 {
174 char buf[30]; /* holds "<pid>\n" */
175 int len = snprintf(buf, sizeof(buf), "%u\n", (unsigned int) pid);
176 bool ok = len > 0 && write(lockfd, buf, len) == len;
177
178 close(lockfd);
179 return ok;
180 }
181
182 static void
183 delete_lock(void)
184 {
185 if (pluto_lock_created)
186 {
187 delete_ctl_socket();
188 unlink(pluto_lock); /* is noting failure useful? */
189 }
190 }
191
192 /* by default pluto sends certificate requests to its peers */
193 bool no_cr_send = FALSE;
194
195 /* by default the CRL policy is lenient */
196 bool strict_crl_policy = FALSE;
197
198 /* by default CRLs are cached locally as files */
199 bool cache_crls = FALSE;
200
201 /* by default pluto does not check crls dynamically */
202 long crl_check_interval = 0;
203
204 /* path to the PKCS#11 module */
205 char *pkcs11_module_path = NULL;
206
207 /* by default pluto logs out after every smartcard use */
208 bool pkcs11_keep_state = FALSE;
209
210 /* by default pluto does not allow pkcs11 proxy access via whack */
211 bool pkcs11_proxy = FALSE;
212
213 int
214 main(int argc, char **argv)
215 {
216 bool fork_desired = TRUE;
217 bool log_to_stderr_desired = FALSE;
218 bool nat_traversal = FALSE;
219 bool nat_t_spf = TRUE; /* support port floating */
220 unsigned int keep_alive = 0;
221 bool force_keepalive = FALSE;
222 char *virtual_private = NULL;
223 int lockfd;
224
225 /* handle arguments */
226 for (;;)
227 {
228 # define DBG_OFFSET 256
229 static const struct option long_opts[] = {
230 /* name, has_arg, flag, val */
231 { "help", no_argument, NULL, 'h' },
232 { "version", no_argument, NULL, 'v' },
233 { "optionsfrom", required_argument, NULL, '+' },
234 { "nofork", no_argument, NULL, 'd' },
235 { "stderrlog", no_argument, NULL, 'e' },
236 { "noklips", no_argument, NULL, 'n' },
237 { "nocrsend", no_argument, NULL, 'c' },
238 { "strictcrlpolicy", no_argument, NULL, 'r' },
239 { "crlcheckinterval", required_argument, NULL, 'x'},
240 { "cachecrls", no_argument, NULL, 'C' },
241 { "uniqueids", no_argument, NULL, 'u' },
242 { "interface", required_argument, NULL, 'i' },
243 { "ikeport", required_argument, NULL, 'p' },
244 { "ctlbase", required_argument, NULL, 'b' },
245 { "secretsfile", required_argument, NULL, 's' },
246 { "foodgroupsdir", required_argument, NULL, 'f' },
247 { "perpeerlogbase", required_argument, NULL, 'P' },
248 { "perpeerlog", no_argument, NULL, 'l' },
249 { "policygroupsdir", required_argument, NULL, 'f' },
250 #ifdef USE_LWRES
251 { "lwdnsq", required_argument, NULL, 'a' },
252 #else /* !USE_LWRES */
253 { "adns", required_argument, NULL, 'a' },
254 #endif /* !USE_LWRES */
255 { "pkcs11module", required_argument, NULL, 'm' },
256 { "pkcs11keepstate", no_argument, NULL, 'k' },
257 { "pkcs11proxy", no_argument, NULL, 'y' },
258 { "nat_traversal", no_argument, NULL, '1' },
259 { "keep_alive", required_argument, NULL, '2' },
260 { "force_keepalive", no_argument, NULL, '3' },
261 { "disable_port_floating", no_argument, NULL, '4' },
262 { "debug-natt", no_argument, NULL, '5' },
263 { "virtual_private", required_argument, NULL, '6' },
264 #ifdef DEBUG
265 { "debug-none", no_argument, NULL, 'N' },
266 { "debug-all", no_argument, NULL, 'A' },
267 { "debug-raw", no_argument, NULL, DBG_RAW + DBG_OFFSET },
268 { "debug-crypt", no_argument, NULL, DBG_CRYPT + DBG_OFFSET },
269 { "debug-parsing", no_argument, NULL, DBG_PARSING + DBG_OFFSET },
270 { "debug-emitting", no_argument, NULL, DBG_EMITTING + DBG_OFFSET },
271 { "debug-control", no_argument, NULL, DBG_CONTROL + DBG_OFFSET },
272 { "debug-lifecycle", no_argument, NULL, DBG_LIFECYCLE + DBG_OFFSET },
273 { "debug-klips", no_argument, NULL, DBG_KLIPS + DBG_OFFSET },
274 { "debug-dns", no_argument, NULL, DBG_DNS + DBG_OFFSET },
275 { "debug-oppo", no_argument, NULL, DBG_OPPO + DBG_OFFSET },
276 { "debug-controlmore", no_argument, NULL, DBG_CONTROLMORE + DBG_OFFSET },
277 { "debug-private", no_argument, NULL, DBG_PRIVATE + DBG_OFFSET },
278
279 { "impair-delay-adns-key-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_KEY_ANSWER + DBG_OFFSET },
280 { "impair-delay-adns-txt-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_TXT_ANSWER + DBG_OFFSET },
281 { "impair-bust-mi2", no_argument, NULL, IMPAIR_BUST_MI2 + DBG_OFFSET },
282 { "impair-bust-mr2", no_argument, NULL, IMPAIR_BUST_MR2 + DBG_OFFSET },
283 #endif
284 { 0,0,0,0 }
285 };
286 /* Note: we don't like the way short options get parsed
287 * by getopt_long, so we simply pass an empty string as
288 * the list. It could be "hvdenp:l:s:" "NARXPECK".
289 */
290 int c = getopt_long(argc, argv, "", long_opts, NULL);
291
292 /* Note: "breaking" from case terminates loop */
293 switch (c)
294 {
295 case EOF: /* end of flags */
296 break;
297
298 case 0: /* long option already handled */
299 continue;
300
301 case ':': /* diagnostic already printed by getopt_long */
302 case '?': /* diagnostic already printed by getopt_long */
303 usage("");
304 break; /* not actually reached */
305
306 case 'h': /* --help */
307 usage(NULL);
308 break; /* not actually reached */
309
310 case 'v': /* --version */
311 {
312 const char **sp = ipsec_copyright_notice();
313
314 printf("%s%s\n", ipsec_version_string(),
315 compile_time_interop_options);
316 for (; *sp != NULL; sp++)
317 puts(*sp);
318 }
319 exit_pluto(0);
320 break; /* not actually reached */
321
322 case '+': /* --optionsfrom <filename> */
323 optionsfrom(optarg, &argc, &argv, optind, stderr);
324 /* does not return on error */
325 continue;
326
327 case 'd': /* --nofork*/
328 fork_desired = FALSE;
329 continue;
330
331 case 'e': /* --stderrlog */
332 log_to_stderr_desired = TRUE;
333 continue;
334
335 case 'n': /* --noklips */
336 no_klips = TRUE;
337 continue;
338
339 case 'c': /* --nocrsend */
340 no_cr_send = TRUE;
341 continue;
342
343 case 'r': /* --strictcrlpolicy */
344 strict_crl_policy = TRUE;
345 continue;
346
347 case 'x': /* --crlcheckinterval <time>*/
348 if (optarg == NULL || !isdigit(optarg[0]))
349 usage("missing interval time");
350
351 {
352 char *endptr;
353 long interval = strtol(optarg, &endptr, 0);
354
355 if (*endptr != '\0' || endptr == optarg
356 || interval <= 0)
357 usage("<interval-time> must be a positive number");
358 crl_check_interval = interval;
359 }
360 continue;
361
362 case 'C': /* --cachecrls */
363 cache_crls = TRUE;
364 continue;
365
366 case 'u': /* --uniqueids */
367 uniqueIDs = TRUE;
368 continue;
369
370 case 'i': /* --interface <ifname> */
371 if (!use_interface(optarg))
372 usage("too many --interface specifications");
373 continue;
374
375 case 'p': /* --port <portnumber> */
376 if (optarg == NULL || !isdigit(optarg[0]))
377 usage("missing port number");
378
379 {
380 char *endptr;
381 long port = strtol(optarg, &endptr, 0);
382
383 if (*endptr != '\0' || endptr == optarg
384 || port <= 0 || port > 0x10000)
385 usage("<port-number> must be a number between 1 and 65535");
386 pluto_port = port;
387 }
388 continue;
389
390 case 'b': /* --ctlbase <path> */
391 if (snprintf(ctl_addr.sun_path, sizeof(ctl_addr.sun_path)
392 , "%s%s", optarg, CTL_SUFFIX) == -1)
393 usage("<path>" CTL_SUFFIX " too long for sun_path");
394 if (snprintf(info_addr.sun_path, sizeof(info_addr.sun_path)
395 , "%s%s", optarg, INFO_SUFFIX) == -1)
396 usage("<path>" INFO_SUFFIX " too long for sun_path");
397 if (snprintf(pluto_lock, sizeof(pluto_lock)
398 , "%s%s", optarg, LOCK_SUFFIX) == -1)
399 usage("<path>" LOCK_SUFFIX " must fit");
400 continue;
401
402 case 's': /* --secretsfile <secrets-file> */
403 shared_secrets_file = optarg;
404 continue;
405
406 case 'f': /* --policygroupsdir <policygroups-dir> */
407 policygroups_dir = optarg;
408 continue;
409
410 case 'a': /* --adns <pathname> */
411 pluto_adns_option = optarg;
412 continue;
413
414 case 'm': /* --pkcs11module <pathname> */
415 pkcs11_module_path = optarg;
416 continue;
417
418 case 'k': /* --pkcs11keepstate */
419 pkcs11_keep_state = TRUE;
420 continue;
421
422 case 'y': /* --pkcs11proxy */
423 pkcs11_proxy = TRUE;
424 continue;
425
426 #ifdef DEBUG
427 case 'N': /* --debug-none */
428 base_debugging = DBG_NONE;
429 continue;
430
431 case 'A': /* --debug-all */
432 base_debugging = DBG_ALL;
433 continue;
434 #endif
435
436 case 'P': /* --perpeerlogbase */
437 base_perpeer_logdir = optarg;
438 continue;
439
440 case 'l':
441 log_to_perpeer = TRUE;
442 continue;
443
444 case '1': /* --nat_traversal */
445 nat_traversal = TRUE;
446 continue;
447 case '2': /* --keep_alive */
448 keep_alive = atoi(optarg);
449 continue;
450 case '3': /* --force_keepalive */
451 force_keepalive = TRUE;
452 continue;
453 case '4': /* --disable_port_floating */
454 nat_t_spf = FALSE;
455 continue;
456 case '5': /* --debug-nat_t */
457 base_debugging |= DBG_NATT;
458 continue;
459 case '6': /* --virtual_private */
460 virtual_private = optarg;
461 continue;
462
463 default:
464 #ifdef DEBUG
465 if (c >= DBG_OFFSET)
466 {
467 base_debugging |= c - DBG_OFFSET;
468 continue;
469 }
470 # undef DBG_OFFSET
471 #endif
472 bad_case(c);
473 }
474 break;
475 }
476 if (optind != argc)
477 usage("unexpected argument");
478 reset_debugging();
479 lockfd = create_lock();
480
481 /* select between logging methods */
482
483 if (log_to_stderr_desired)
484 log_to_syslog = FALSE;
485 else
486 log_to_stderr = FALSE;
487
488 /* set the logging function of pfkey debugging */
489 #ifdef DEBUG
490 pfkey_debug_func = DBG_log;
491 #else
492 pfkey_debug_func = NULL;
493 #endif
494
495 /* create control socket.
496 * We must create it before the parent process returns so that
497 * there will be no race condition in using it. The easiest
498 * place to do this is before the daemon fork.
499 */
500 {
501 err_t ugh = init_ctl_socket();
502
503 if (ugh != NULL)
504 {
505 fprintf(stderr, "pluto: %s", ugh);
506 exit_pluto(1);
507 }
508 }
509
510 #ifdef IPSECPOLICY
511 /* create info socket. */
512 {
513 err_t ugh = init_info_socket();
514
515 if (ugh != NULL)
516 {
517 fprintf(stderr, "pluto: %s", ugh);
518 exit_pluto(1);
519 }
520 }
521 #endif
522
523 /* If not suppressed, do daemon fork */
524
525 if (fork_desired)
526 {
527 {
528 pid_t pid = fork();
529
530 if (pid < 0)
531 {
532 int e = errno;
533
534 fprintf(stderr, "pluto: fork failed (%d %s)\n",
535 errno, strerror(e));
536 exit_pluto(1);
537 }
538
539 if (pid != 0)
540 {
541 /* parent: die, after filling PID into lock file.
542 * must not use exit_pluto: lock would be removed!
543 */
544 exit(fill_lock(lockfd, pid)? 0 : 1);
545 }
546 }
547
548 if (setsid() < 0)
549 {
550 int e = errno;
551
552 fprintf(stderr, "setsid() failed in main(). Errno %d: %s\n",
553 errno, strerror(e));
554 exit_pluto(1);
555 }
556 }
557 else
558 {
559 /* no daemon fork: we have to fill in lock file */
560 (void) fill_lock(lockfd, getpid());
561 fprintf(stdout, "Pluto initialized\n");
562 fflush(stdout);
563 }
564
565 /* Close everything but ctl_fd and (if needed) stderr.
566 * There is some danger that a library that we don't know
567 * about is using some fd that we don't know about.
568 * I guess we'll soon find out.
569 */
570 {
571 int i;
572
573 for (i = getdtablesize() - 1; i >= 0; i--) /* Bad hack */
574 if ((!log_to_stderr || i != 2)
575 #ifdef IPSECPOLICY
576 && i != info_fd
577 #endif
578 && i != ctl_fd)
579 close(i);
580
581 /* make sure that stdin, stdout, stderr are reserved */
582 if (open("/dev/null", O_RDONLY) != 0)
583 abort();
584 if (dup2(0, 1) != 1)
585 abort();
586 if (!log_to_stderr && dup2(0, 2) != 2)
587 abort();
588 }
589
590 init_constants();
591 init_log("pluto");
592
593 /* Note: some scripts may look for this exact message -- don't change
594 * ipsec barf was one, but it no longer does.
595 */
596 plog("Starting Pluto (strongSwan Version %s%s)"
597 , ipsec_version_code()
598 , compile_time_interop_options);
599
600 init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf);
601 init_virtual_ip(virtual_private);
602 scx_init(pkcs11_module_path); /* load and initialize PKCS #11 module */
603 xauth_init(); /* load and initialize XAUTH module */
604 init_rnd_pool();
605 init_secret();
606 init_states();
607 init_crypto();
608 init_demux();
609 init_kernel();
610 init_adns();
611 init_id();
612 init_fetch();
613
614 /* loading X.509 CA certificates */
615 load_authcerts("CA cert", CA_CERT_PATH, AUTH_CA);
616 /* loading X.509 AA certificates */
617 load_authcerts("AA cert", AA_CERT_PATH, AUTH_AA);
618 /* loading X.509 OCSP certificates */
619 load_authcerts("OCSP cert", OCSP_CERT_PATH, AUTH_OCSP);
620 /* loading X.509 CRLs */
621 load_crls();
622 /* loading attribute certificates (experimental) */
623 load_acerts();
624
625 daily_log_event();
626 call_server();
627 return -1; /* Shouldn't ever reach this */
628 }
629
630 /* leave pluto, with status.
631 * Once child is launched, parent must not exit this way because
632 * the lock would be released.
633 *
634 * 0 OK
635 * 1 general discomfort
636 * 10 lock file exists
637 */
638 void
639 exit_pluto(int status)
640 {
641 reset_globals(); /* needed because we may be called in odd state */
642 free_preshared_secrets();
643 free_remembered_public_keys();
644 delete_every_connection();
645 free_crl_fetch(); /* free chain of crl fetch requests */
646 free_ocsp_fetch(); /* free chain of ocsp fetch requests */
647 free_authcerts(); /* free chain of X.509 authority certificates */
648 free_crls(); /* free chain of X.509 CRLs */
649 free_acerts(); /* free chain of X.509 attribute certificates */
650 free_ca_infos(); /* free chain of X.509 CA information records */
651 free_ocsp(); /* free ocsp cache */
652 free_ifaces();
653 scx_finalize(); /* finalize and unload PKCS #11 module */
654 xauth_finalize(); /* finalize and unload XAUTH module */
655 stop_adns();
656 free_md_pool();
657 delete_lock();
658 #ifdef LEAK_DETECTIVE
659 report_leaks();
660 #endif /* LEAK_DETECTIVE */
661 close_log();
662 exit(status);
663 }
664
665 /*
666 * Local Variables:
667 * c-basic-offset:4
668 * c-style: pluto
669 * End:
670 */
strongSwan - IPsec VPN