projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Init/deinit libhydra in charon and pluto.
[strongswan.git] / src / pluto / plutomain.c
1 /* Pluto main program
2 * Copyright (C) 1997 Angelos D. Keromytis.
3 * Copyright (C) 1998-2001 D. Hugh Redelmeier.
4 * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <stdio.h>
18 #include <stdlib.h>
19 #include <unistd.h>
20 #include <ctype.h>
21 #include <errno.h>
22 #include <string.h>
23 #include <sys/types.h>
24 #include <sys/stat.h>
25 #include <sys/un.h>
26 #include <fcntl.h>
27 #include <getopt.h>
28 #include <resolv.h>
29 #include <arpa/nameser.h> /* missing from <resolv.h> on old systems */
30 #include <sys/queue.h>
31 #include <sys/prctl.h>
32 #include <pwd.h>
33 #include <grp.h>
34
35 #ifdef CAPABILITIES
36 #include <sys/capability.h>
37 #endif /* CAPABILITIES */
38
39 #include <freeswan.h>
40
41 #include <hydra.h>
42 #include <library.h>
43 #include <debug.h>
44 #include <utils/enumerator.h>
45 #include <utils/optionsfrom.h>
46
47 #include <pfkeyv2.h>
48 #include <pfkey.h>
49
50 #include "constants.h"
51 #include "defs.h"
52 #include "myid.h"
53 #include "ca.h"
54 #include "certs.h"
55 #include "ac.h"
56 #include "connections.h"
57 #include "foodgroups.h"
58 #include "packet.h"
59 #include "demux.h" /* needs packet.h */
60 #include "server.h"
61 #include "kernel.h"
62 #include "log.h"
63 #include "keys.h"
64 #include "adns.h" /* needs <resolv.h> */
65 #include "dnskey.h" /* needs keys.h and adns.h */
66 #include "state.h"
67 #include "ipsec_doi.h" /* needs demux.h and state.h */
68 #include "ocsp.h"
69 #include "crl.h"
70 #include "fetch.h"
71 #include "xauth.h"
72 #include "crypto.h"
73 #include "nat_traversal.h"
74 #include "virtual.h"
75 #include "timer.h"
76 #include "vendor.h"
77 #include "builder.h"
78
79 static void usage(const char *mess)
80 {
81 if (mess != NULL && *mess != '\0')
82 fprintf(stderr, "%s\n", mess);
83 fprintf(stderr
84 , "Usage: pluto"
85 " [--help]"
86 " [--version]"
87 " [--optionsfrom <filename>]"
88 " \\\n\t"
89 "[--nofork]"
90 " [--stderrlog]"
91 " [--noklips]"
92 " [--nocrsend]"
93 " \\\n\t"
94 "[--strictcrlpolicy]"
95 " [--crlcheckinterval <interval>]"
96 " [--cachecrls]"
97 " [--uniqueids]"
98 " \\\n\t"
99 "[--interface <ifname>]"
100 " [--ikeport <port-number>]"
101 " \\\n\t"
102 "[--ctlbase <path>]"
103 " \\\n\t"
104 "[--perpeerlogbase <path>] [--perpeerlog]"
105 " \\\n\t"
106 "[--secretsfile <secrets-file>]"
107 " [--policygroupsdir <policygroups-dir>]"
108 " \\\n\t"
109 "[--adns <pathname>]"
110 "[--pkcs11module <path>]"
111 "[--pkcs11keepstate]"
112 "[--pkcs11initargs <string>]"
113 #ifdef DEBUG
114 " \\\n\t"
115 "[--debug-none]"
116 " [--debug-all]"
117 " \\\n\t"
118 "[--debug-raw]"
119 " [--debug-crypt]"
120 " [--debug-parsing]"
121 " [--debug-emitting]"
122 " \\\n\t"
123 "[--debug-control]"
124 " [--debug-lifecycle]"
125 " [--debug-klips]"
126 " [--debug-dns]"
127 " \\\n\t"
128 "[--debug-oppo]"
129 " [--debug-controlmore]"
130 " [--debug-private]"
131 " [--debug-natt]"
132 #endif
133 " \\\n\t"
134 "[--nat_traversal] [--keep_alive <delay_sec>]"
135 " \\\n\t"
136 "[--force_keepalive] [--disable_port_floating]"
137 " \\\n\t"
138 "[--virtual_private <network_list>]"
139 "\n"
140 "strongSwan "VERSION"\n");
141 exit_pluto(mess == NULL? 0 : 1);
142 }
143
144
145 /* lock file support
146 * - provides convenient way for scripts to find Pluto's pid
147 * - prevents multiple Plutos competing for the same port
148 * - same basename as unix domain control socket
149 * NOTE: will not take account of sharing LOCK_DIR with other systems.
150 */
151
152 static char pluto_lock[sizeof(ctl_addr.sun_path)] = DEFAULT_CTLBASE LOCK_SUFFIX;
153 static bool pluto_lock_created = FALSE;
154
155 /* create lockfile, or die in the attempt */
156 static int create_lock(void)
157 {
158 int fd = open(pluto_lock, O_WRONLY | O_CREAT | O_EXCL | O_TRUNC
159 , S_IRUSR | S_IRGRP | S_IROTH);
160
161 if (fd < 0)
162 {
163 if (errno == EEXIST)
164 {
165 fprintf(stderr, "pluto: lock file \"%s\" already exists\n"
166 , pluto_lock);
167 exit_pluto(10);
168 }
169 else
170 {
171 fprintf(stderr
172 , "pluto: unable to create lock file \"%s\" (%d %s)\n"
173 , pluto_lock, errno, strerror(errno));
174 exit_pluto(1);
175 }
176 }
177 pluto_lock_created = TRUE;
178 return fd;
179 }
180
181 static bool fill_lock(int lockfd, pid_t pid)
182 {
183 char buf[30]; /* holds "<pid>\n" */
184 int len = snprintf(buf, sizeof(buf), "%u\n", (unsigned int) pid);
185 bool ok = len > 0 && write(lockfd, buf, len) == len;
186
187 close(lockfd);
188 return ok;
189 }
190
191 static void delete_lock(void)
192 {
193 if (pluto_lock_created)
194 {
195 delete_ctl_socket();
196 unlink(pluto_lock); /* is noting failure useful? */
197 }
198 }
199
200
201 /* by default pluto sends certificate requests to its peers */
202 bool no_cr_send = FALSE;
203
204 /* by default the CRL policy is lenient */
205 bool strict_crl_policy = FALSE;
206
207 /* by default CRLs are cached locally as files */
208 bool cache_crls = FALSE;
209
210 /* by default pluto does not check crls dynamically */
211 long crl_check_interval = 0;
212
213 /* path to the PKCS#11 module */
214 char *pkcs11_module_path = NULL;
215
216 /* by default pluto logs out after every smartcard use */
217 bool pkcs11_keep_state = FALSE;
218
219 /* by default pluto does not allow pkcs11 proxy access via whack */
220 bool pkcs11_proxy = FALSE;
221
222 /* argument string to pass to PKCS#11 module.
223 * Not used for compliant modules, just for NSS softoken
224 */
225 static const char *pkcs11_init_args = NULL;
226
227 /* options read by optionsfrom */
228 options_t *options;
229
230 /**
231 * Log loaded plugins
232 */
233 static void print_plugins()
234 {
235 char buf[BUF_LEN], *plugin;
236 int len = 0;
237 enumerator_t *enumerator;
238
239 buf[0] = '\0';
240 enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
241 while (len < BUF_LEN && enumerator->enumerate(enumerator, &plugin))
242 {
243 len += snprintf(&buf[len], BUF_LEN-len, "%s ", plugin);
244 }
245 enumerator->destroy(enumerator);
246 DBG1("loaded plugins: %s", buf);
247 }
248
249 int main(int argc, char **argv)
250 {
251 bool fork_desired = TRUE;
252 bool log_to_stderr_desired = FALSE;
253 bool nat_traversal = FALSE;
254 bool nat_t_spf = TRUE; /* support port floating */
255 unsigned int keep_alive = 0;
256 bool force_keepalive = FALSE;
257 char *virtual_private = NULL;
258 int lockfd;
259 #ifdef CAPABILITIES
260 cap_t caps;
261 int keep[] = { CAP_NET_ADMIN, CAP_NET_BIND_SERVICE };
262 #endif /* CAPABILITIES */
263
264 /* initialize library and optionsfrom */
265 if (!library_init(NULL))
266 {
267 library_deinit();
268 exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
269 }
270 if (lib->integrity &&
271 !lib->integrity->check_file(lib->integrity, "pluto", argv[0]))
272 {
273 fprintf(stderr, "integrity check of pluto failed\n");
274 library_deinit();
275 exit(SS_RC_DAEMON_INTEGRITY);
276 }
277 if (!libhydra_init())
278 {
279 libhydra_deinit();
280 library_deinit();
281 exit(SS_RC_INITIALIZATION_FAILED);
282 }
283 options = options_create();
284
285 /* handle arguments */
286 for (;;)
287 {
288 # define DBG_OFFSET 256
289 static const struct option long_opts[] = {
290 /* name, has_arg, flag, val */
291 { "help", no_argument, NULL, 'h' },
292 { "version", no_argument, NULL, 'v' },
293 { "optionsfrom", required_argument, NULL, '+' },
294 { "nofork", no_argument, NULL, 'd' },
295 { "stderrlog", no_argument, NULL, 'e' },
296 { "noklips", no_argument, NULL, 'n' },
297 { "nocrsend", no_argument, NULL, 'c' },
298 { "strictcrlpolicy", no_argument, NULL, 'r' },
299 { "crlcheckinterval", required_argument, NULL, 'x'},
300 { "cachecrls", no_argument, NULL, 'C' },
301 { "uniqueids", no_argument, NULL, 'u' },
302 { "interface", required_argument, NULL, 'i' },
303 { "ikeport", required_argument, NULL, 'p' },
304 { "ctlbase", required_argument, NULL, 'b' },
305 { "secretsfile", required_argument, NULL, 's' },
306 { "foodgroupsdir", required_argument, NULL, 'f' },
307 { "perpeerlogbase", required_argument, NULL, 'P' },
308 { "perpeerlog", no_argument, NULL, 'l' },
309 { "policygroupsdir", required_argument, NULL, 'f' },
310 #ifdef USE_LWRES
311 { "lwdnsq", required_argument, NULL, 'a' },
312 #else /* !USE_LWRES */
313 { "adns", required_argument, NULL, 'a' },
314 #endif /* !USE_LWRES */
315 { "pkcs11module", required_argument, NULL, 'm' },
316 { "pkcs11keepstate", no_argument, NULL, 'k' },
317 { "pkcs11initargs", required_argument, NULL, 'z' },
318 { "pkcs11proxy", no_argument, NULL, 'y' },
319 { "nat_traversal", no_argument, NULL, '1' },
320 { "keep_alive", required_argument, NULL, '2' },
321 { "force_keepalive", no_argument, NULL, '3' },
322 { "disable_port_floating", no_argument, NULL, '4' },
323 { "debug-natt", no_argument, NULL, '5' },
324 { "virtual_private", required_argument, NULL, '6' },
325 #ifdef DEBUG
326 { "debug-none", no_argument, NULL, 'N' },
327 { "debug-all", no_argument, NULL, 'A' },
328 { "debug-raw", no_argument, NULL, DBG_RAW + DBG_OFFSET },
329 { "debug-crypt", no_argument, NULL, DBG_CRYPT + DBG_OFFSET },
330 { "debug-parsing", no_argument, NULL, DBG_PARSING + DBG_OFFSET },
331 { "debug-emitting", no_argument, NULL, DBG_EMITTING + DBG_OFFSET },
332 { "debug-control", no_argument, NULL, DBG_CONTROL + DBG_OFFSET },
333 { "debug-lifecycle", no_argument, NULL, DBG_LIFECYCLE + DBG_OFFSET },
334 { "debug-klips", no_argument, NULL, DBG_KLIPS + DBG_OFFSET },
335 { "debug-dns", no_argument, NULL, DBG_DNS + DBG_OFFSET },
336 { "debug-oppo", no_argument, NULL, DBG_OPPO + DBG_OFFSET },
337 { "debug-controlmore", no_argument, NULL, DBG_CONTROLMORE + DBG_OFFSET },
338 { "debug-private", no_argument, NULL, DBG_PRIVATE + DBG_OFFSET },
339
340 { "impair-delay-adns-key-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_KEY_ANSWER + DBG_OFFSET },
341 { "impair-delay-adns-txt-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_TXT_ANSWER + DBG_OFFSET },
342 { "impair-bust-mi2", no_argument, NULL, IMPAIR_BUST_MI2 + DBG_OFFSET },
343 { "impair-bust-mr2", no_argument, NULL, IMPAIR_BUST_MR2 + DBG_OFFSET },
344 #endif
345 { 0,0,0,0 }
346 };
347 /* Note: we don't like the way short options get parsed
348 * by getopt_long, so we simply pass an empty string as
349 * the list. It could be "hvdenp:l:s:" "NARXPECK".
350 */
351 int c = getopt_long(argc, argv, "", long_opts, NULL);
352
353 /* Note: "breaking" from case terminates loop */
354 switch (c)
355 {
356 case EOF: /* end of flags */
357 break;
358
359 case 0: /* long option already handled */
360 continue;
361
362 case ':': /* diagnostic already printed by getopt_long */
363 case '?': /* diagnostic already printed by getopt_long */
364 usage("");
365 break; /* not actually reached */
366
367 case 'h': /* --help */
368 usage(NULL);
369 break; /* not actually reached */
370
371 case 'v': /* --version */
372 {
373 const char **sp = ipsec_copyright_notice();
374
375 printf("strongSwan "VERSION"%s\n", compile_time_interop_options);
376 for (; *sp != NULL; sp++)
377 puts(*sp);
378 }
379 exit_pluto(0);
380 break; /* not actually reached */
381
382 case '+': /* --optionsfrom <filename> */
383 if (!options->from(options, optarg, &argc, &argv, optind))
384 {
385 exit_pluto(1);
386 }
387 continue;
388
389 case 'd': /* --nofork*/
390 fork_desired = FALSE;
391 continue;
392
393 case 'e': /* --stderrlog */
394 log_to_stderr_desired = TRUE;
395 continue;
396
397 case 'n': /* --noklips */
398 no_klips = TRUE;
399 continue;
400
401 case 'c': /* --nocrsend */
402 no_cr_send = TRUE;
403 continue;
404
405 case 'r': /* --strictcrlpolicy */
406 strict_crl_policy = TRUE;
407 continue;
408
409 case 'x': /* --crlcheckinterval <time>*/
410 if (optarg == NULL || !isdigit(optarg[0]))
411 usage("missing interval time");
412
413 {
414 char *endptr;
415 long interval = strtol(optarg, &endptr, 0);
416
417 if (*endptr != '\0' || endptr == optarg
418 || interval <= 0)
419 usage("<interval-time> must be a positive number");
420 crl_check_interval = interval;
421 }
422 continue;
423
424 case 'C': /* --cachecrls */
425 cache_crls = TRUE;
426 continue;
427
428 case 'u': /* --uniqueids */
429 uniqueIDs = TRUE;
430 continue;
431
432 case 'i': /* --interface <ifname> */
433 if (!use_interface(optarg))
434 usage("too many --interface specifications");
435 continue;
436
437 case 'p': /* --port <portnumber> */
438 if (optarg == NULL || !isdigit(optarg[0]))
439 usage("missing port number");
440
441 {
442 char *endptr;
443 long port = strtol(optarg, &endptr, 0);
444
445 if (*endptr != '\0' || endptr == optarg
446 || port <= 0 || port > 0x10000)
447 usage("<port-number> must be a number between 1 and 65535");
448 pluto_port = port;
449 }
450 continue;
451
452 case 'b': /* --ctlbase <path> */
453 if (snprintf(ctl_addr.sun_path, sizeof(ctl_addr.sun_path)
454 , "%s%s", optarg, CTL_SUFFIX) == -1)
455 usage("<path>" CTL_SUFFIX " too long for sun_path");
456 if (snprintf(info_addr.sun_path, sizeof(info_addr.sun_path)
457 , "%s%s", optarg, INFO_SUFFIX) == -1)
458 usage("<path>" INFO_SUFFIX " too long for sun_path");
459 if (snprintf(pluto_lock, sizeof(pluto_lock)
460 , "%s%s", optarg, LOCK_SUFFIX) == -1)
461 usage("<path>" LOCK_SUFFIX " must fit");
462 continue;
463
464 case 's': /* --secretsfile <secrets-file> */
465 shared_secrets_file = optarg;
466 continue;
467
468 case 'f': /* --policygroupsdir <policygroups-dir> */
469 policygroups_dir = optarg;
470 continue;
471
472 case 'a': /* --adns <pathname> */
473 pluto_adns_option = optarg;
474 continue;
475
476 case 'm': /* --pkcs11module <pathname> */
477 pkcs11_module_path = optarg;
478 continue;
479
480 case 'k': /* --pkcs11keepstate */
481 pkcs11_keep_state = TRUE;
482 continue;
483
484 case 'y': /* --pkcs11proxy */
485 pkcs11_proxy = TRUE;
486 continue;
487
488 case 'z': /* --pkcs11initargs */
489 pkcs11_init_args = optarg;
490 continue;
491
492 #ifdef DEBUG
493 case 'N': /* --debug-none */
494 base_debugging = DBG_NONE;
495 continue;
496
497 case 'A': /* --debug-all */
498 base_debugging = DBG_ALL;
499 continue;
500 #endif
501
502 case 'P': /* --perpeerlogbase */
503 base_perpeer_logdir = optarg;
504 continue;
505
506 case 'l':
507 log_to_perpeer = TRUE;
508 continue;
509
510 case '1': /* --nat_traversal */
511 nat_traversal = TRUE;
512 continue;
513 case '2': /* --keep_alive */
514 keep_alive = atoi(optarg);
515 continue;
516 case '3': /* --force_keepalive */
517 force_keepalive = TRUE;
518 continue;
519 case '4': /* --disable_port_floating */
520 nat_t_spf = FALSE;
521 continue;
522 case '5': /* --debug-nat_t */
523 base_debugging |= DBG_NATT;
524 continue;
525 case '6': /* --virtual_private */
526 virtual_private = optarg;
527 continue;
528
529 default:
530 #ifdef DEBUG
531 if (c >= DBG_OFFSET)
532 {
533 base_debugging |= c - DBG_OFFSET;
534 continue;
535 }
536 # undef DBG_OFFSET
537 #endif
538 bad_case(c);
539 }
540 break;
541 }
542 if (optind != argc)
543 usage("unexpected argument");
544 reset_debugging();
545 lockfd = create_lock();
546
547 /* select between logging methods */
548
549 if (log_to_stderr_desired)
550 {
551 log_to_syslog = FALSE;
552 }
553 else
554 {
555 log_to_stderr = FALSE;
556 }
557
558 /* set the logging function of pfkey debugging */
559 #ifdef DEBUG
560 pfkey_debug_func = DBG_log;
561 #else
562 pfkey_debug_func = NULL;
563 #endif
564
565 /* create control socket.
566 * We must create it before the parent process returns so that
567 * there will be no race condition in using it. The easiest
568 * place to do this is before the daemon fork.
569 */
570 {
571 err_t ugh = init_ctl_socket();
572
573 if (ugh != NULL)
574 {
575 fprintf(stderr, "pluto: %s", ugh);
576 exit_pluto(1);
577 }
578 }
579
580 /* If not suppressed, do daemon fork */
581
582 if (fork_desired)
583 {
584 {
585 pid_t pid = fork();
586
587 if (pid < 0)
588 {
589 int e = errno;
590
591 fprintf(stderr, "pluto: fork failed (%d %s)\n",
592 errno, strerror(e));
593 exit_pluto(1);
594 }
595
596 if (pid != 0)
597 {
598 /* parent: die, after filling PID into lock file.
599 * must not use exit_pluto: lock would be removed!
600 */
601 exit(fill_lock(lockfd, pid)? 0 : 1);
602 }
603 }
604
605 if (setsid() < 0)
606 {
607 int e = errno;
608
609 fprintf(stderr, "setsid() failed in main(). Errno %d: %s\n",
610 errno, strerror(e));
611 exit_pluto(1);
612 }
613 }
614 else
615 {
616 /* no daemon fork: we have to fill in lock file */
617 (void) fill_lock(lockfd, getpid());
618 fprintf(stdout, "Pluto initialized\n");
619 fflush(stdout);
620 }
621
622 /* Close everything but ctl_fd and (if needed) stderr.
623 * There is some danger that a library that we don't know
624 * about is using some fd that we don't know about.
625 * I guess we'll soon find out.
626 */
627 {
628 int i;
629
630 for (i = getdtablesize() - 1; i >= 0; i--) /* Bad hack */
631 {
632 if ((!log_to_stderr || i != 2) && i != ctl_fd)
633 close(i);
634 }
635
636 /* make sure that stdin, stdout, stderr are reserved */
637 if (open("/dev/null", O_RDONLY) != 0)
638 abort();
639 if (dup2(0, 1) != 1)
640 abort();
641 if (!log_to_stderr && dup2(0, 2) != 2)
642 abort();
643 }
644
645 init_constants();
646 init_log("pluto");
647
648 /* Note: some scripts may look for this exact message -- don't change
649 * ipsec barf was one, but it no longer does.
650 */
651 plog("Starting IKEv1 pluto daemon (strongSwan "VERSION")%s",
652 compile_time_interop_options);
653
654 if (lib->integrity)
655 {
656 plog("integrity tests enabled:");
657 plog("lib 'libstrongswan': passed file and segment integrity tests");
658 plog("lib 'libhydra': passed file and segment integrity tests");
659 plog("daemon 'pluto': passed file integrity test");
660 }
661
662 /* load plugins, further infrastructure may need it */
663 if (!lib->plugins->load(lib->plugins, NULL,
664 lib->settings->get_str(lib->settings, "pluto.load", PLUGINS)))
665 {
666 exit(SS_RC_INITIALIZATION_FAILED);
667 }
668 print_plugins();
669
670 init_builder();
671 if (!init_secret() || !init_crypto())
672 {
673 plog("initialization failed - aborting pluto");
674 exit_pluto(SS_RC_INITIALIZATION_FAILED);
675 }
676 init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf);
677 init_virtual_ip(virtual_private);
678 scx_init(pkcs11_module_path, pkcs11_init_args);
679 xauth_init();
680 init_states();
681 init_demux();
682 init_kernel();
683 init_adns();
684 init_myid();
685 fetch_initialize();
686 ac_initialize();
687
688 /* drop unneeded capabilities and change UID/GID */
689 prctl(PR_SET_KEEPCAPS, 1);
690
691 #ifdef IPSEC_GROUP
692 {
693 struct group group, *grp;
694 char buf[1024];
695
696 if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) != 0 ||
697 grp == NULL || setgid(grp->gr_gid) != 0)
698 {
699 plog("unable to change daemon group");
700 abort();
701 }
702 }
703 #endif
704 #ifdef IPSEC_USER
705 {
706 struct passwd passwd, *pwp;
707 char buf[1024];
708
709 if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) != 0 ||
710 pwp == NULL || setuid(pwp->pw_uid) != 0)
711 {
712 plog("unable to change daemon user");
713 abort();
714 }
715 }
716 #endif
717
718 #ifdef CAPABILITIES
719 caps = cap_init();
720 cap_set_flag(caps, CAP_EFFECTIVE, 2, keep, CAP_SET);
721 cap_set_flag(caps, CAP_INHERITABLE, 2, keep, CAP_SET);
722 cap_set_flag(caps, CAP_PERMITTED, 2, keep, CAP_SET);
723 if (cap_set_proc(caps) != 0)
724 {
725 plog("unable to drop daemon capabilities");
726 abort();
727 }
728 cap_free(caps);
729 #endif /* CAPABILITIES */
730
731 /* loading X.509 CA certificates */
732 load_authcerts("ca", CA_CERT_PATH, X509_CA);
733 /* loading X.509 AA certificates */
734 load_authcerts("aa", AA_CERT_PATH, X509_AA);
735 /* loading X.509 OCSP certificates */
736 load_authcerts("ocsp", OCSP_CERT_PATH, X509_OCSP_SIGNER);
737 /* loading X.509 CRLs */
738 load_crls();
739 /* loading attribute certificates (experimental) */
740 ac_load_certs();
741
742 daily_log_event();
743 call_server();
744 return -1; /* Shouldn't ever reach this */
745 }
746
747 /* leave pluto, with status.
748 * Once child is launched, parent must not exit this way because
749 * the lock would be released.
750 *
751 * 0 OK
752 * 1 general discomfort
753 * 10 lock file exists
754 */
755 void exit_pluto(int status)
756 {
757 reset_globals(); /* needed because we may be called in odd state */
758 free_preshared_secrets();
759 free_remembered_public_keys();
760 delete_every_connection();
761 fetch_finalize(); /* stop fetching thread */
762 free_crl_fetch(); /* free chain of crl fetch requests */
763 free_ocsp_fetch(); /* free chain of ocsp fetch requests */
764 free_authcerts(); /* free chain of X.509 authority certificates */
765 free_crls(); /* free chain of X.509 CRLs */
766 free_ca_infos(); /* free chain of X.509 CA information records */
767 free_ocsp(); /* free ocsp cache */
768 free_ifaces();
769 ac_finalize(); /* free X.509 attribute certificates */
770 scx_finalize(); /* finalize and unload PKCS #11 module */
771 xauth_finalize(); /* finalize and unload XAUTH module */
772 stop_adns();
773 free_md_pool();
774 free_crypto();
775 free_myid(); /* free myids */
776 free_events(); /* free remaining events */
777 free_vendorid(); /* free all vendor id records */
778 free_builder();
779 delete_lock();
780 options->destroy(options);
781 libhydra_deinit();
782 library_deinit();
783 close_log();
784 exit(status);
785 }
786
787 /*
788 * Local Variables:
789 * c-basic-offset:4
790 * c-style: pluto
791 * End:
792 */
strongSwan - IPsec VPN