a22b3709782df58d6b8b7a949760c401f62d7c3c
[strongswan.git] / src / pluto / plutomain.c
1 /* Pluto main program
2 * Copyright (C) 1997 Angelos D. Keromytis.
3 * Copyright (C) 1998-2001 D. Hugh Redelmeier.
4 * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <stdio.h>
18 #include <stdlib.h>
19 #include <unistd.h>
20 #include <ctype.h>
21 #include <errno.h>
22 #include <string.h>
23 #include <sys/types.h>
24 #include <sys/stat.h>
25 #include <sys/un.h>
26 #include <fcntl.h>
27 #include <getopt.h>
28 #include <resolv.h>
29 #include <arpa/nameser.h> /* missing from <resolv.h> on old systems */
30 #include <sys/queue.h>
31 #include <sys/prctl.h>
32 #include <pwd.h>
33 #include <grp.h>
34
35 #ifdef CAPABILITIES
36 #include <sys/capability.h>
37 #endif /* CAPABILITIES */
38
39 #include <freeswan.h>
40
41 #include <library.h>
42 #include <debug.h>
43 #include <utils/enumerator.h>
44 #include <utils/optionsfrom.h>
45
46 #include <pfkeyv2.h>
47 #include <pfkey.h>
48
49 #include "constants.h"
50 #include "defs.h"
51 #include "id.h"
52 #include "ca.h"
53 #include "certs.h"
54 #include "ac.h"
55 #include "connections.h"
56 #include "foodgroups.h"
57 #include "packet.h"
58 #include "demux.h" /* needs packet.h */
59 #include "server.h"
60 #include "kernel.h"
61 #include "log.h"
62 #include "keys.h"
63 #include "adns.h" /* needs <resolv.h> */
64 #include "dnskey.h" /* needs keys.h and adns.h */
65 #include "state.h"
66 #include "ipsec_doi.h" /* needs demux.h and state.h */
67 #include "ocsp.h"
68 #include "crl.h"
69 #include "fetch.h"
70 #include "xauth.h"
71 #include "crypto.h"
72 #include "nat_traversal.h"
73 #include "virtual.h"
74 #include "timer.h"
75 #include "vendor.h"
76 #include "builder.h"
77
78 static void usage(const char *mess)
79 {
80 if (mess != NULL && *mess != '\0')
81 fprintf(stderr, "%s\n", mess);
82 fprintf(stderr
83 , "Usage: pluto"
84 " [--help]"
85 " [--version]"
86 " [--optionsfrom <filename>]"
87 " \\\n\t"
88 "[--nofork]"
89 " [--stderrlog]"
90 " [--noklips]"
91 " [--nocrsend]"
92 " \\\n\t"
93 "[--strictcrlpolicy]"
94 " [--crlcheckinterval <interval>]"
95 " [--cachecrls]"
96 " [--uniqueids]"
97 " \\\n\t"
98 "[--interface <ifname>]"
99 " [--ikeport <port-number>]"
100 " \\\n\t"
101 "[--ctlbase <path>]"
102 " \\\n\t"
103 "[--perpeerlogbase <path>] [--perpeerlog]"
104 " \\\n\t"
105 "[--secretsfile <secrets-file>]"
106 " [--policygroupsdir <policygroups-dir>]"
107 " \\\n\t"
108 "[--adns <pathname>]"
109 "[--pkcs11module <path>]"
110 "[--pkcs11keepstate]"
111 "[--pkcs11initargs <string>]"
112 #ifdef DEBUG
113 " \\\n\t"
114 "[--debug-none]"
115 " [--debug-all]"
116 " \\\n\t"
117 "[--debug-raw]"
118 " [--debug-crypt]"
119 " [--debug-parsing]"
120 " [--debug-emitting]"
121 " \\\n\t"
122 "[--debug-control]"
123 " [--debug-lifecycle]"
124 " [--debug-klips]"
125 " [--debug-dns]"
126 " \\\n\t"
127 "[--debug-oppo]"
128 " [--debug-controlmore]"
129 " [--debug-private]"
130 " [--debug-natt]"
131 #endif
132 " \\\n\t"
133 "[--nat_traversal] [--keep_alive <delay_sec>]"
134 " \\\n\t"
135 "[--force_keepalive] [--disable_port_floating]"
136 " \\\n\t"
137 "[--virtual_private <network_list>]"
138 "\n"
139 "strongSwan "VERSION"\n");
140 exit_pluto(mess == NULL? 0 : 1);
141 }
142
143
144 /* lock file support
145 * - provides convenient way for scripts to find Pluto's pid
146 * - prevents multiple Plutos competing for the same port
147 * - same basename as unix domain control socket
148 * NOTE: will not take account of sharing LOCK_DIR with other systems.
149 */
150
151 static char pluto_lock[sizeof(ctl_addr.sun_path)] = DEFAULT_CTLBASE LOCK_SUFFIX;
152 static bool pluto_lock_created = FALSE;
153
154 /* create lockfile, or die in the attempt */
155 static int create_lock(void)
156 {
157 int fd = open(pluto_lock, O_WRONLY | O_CREAT | O_EXCL | O_TRUNC
158 , S_IRUSR | S_IRGRP | S_IROTH);
159
160 if (fd < 0)
161 {
162 if (errno == EEXIST)
163 {
164 fprintf(stderr, "pluto: lock file \"%s\" already exists\n"
165 , pluto_lock);
166 exit_pluto(10);
167 }
168 else
169 {
170 fprintf(stderr
171 , "pluto: unable to create lock file \"%s\" (%d %s)\n"
172 , pluto_lock, errno, strerror(errno));
173 exit_pluto(1);
174 }
175 }
176 pluto_lock_created = TRUE;
177 return fd;
178 }
179
180 static bool fill_lock(int lockfd, pid_t pid)
181 {
182 char buf[30]; /* holds "<pid>\n" */
183 int len = snprintf(buf, sizeof(buf), "%u\n", (unsigned int) pid);
184 bool ok = len > 0 && write(lockfd, buf, len) == len;
185
186 close(lockfd);
187 return ok;
188 }
189
190 static void delete_lock(void)
191 {
192 if (pluto_lock_created)
193 {
194 delete_ctl_socket();
195 unlink(pluto_lock); /* is noting failure useful? */
196 }
197 }
198
199
200 /* by default pluto sends certificate requests to its peers */
201 bool no_cr_send = FALSE;
202
203 /* by default the CRL policy is lenient */
204 bool strict_crl_policy = FALSE;
205
206 /* by default CRLs are cached locally as files */
207 bool cache_crls = FALSE;
208
209 /* by default pluto does not check crls dynamically */
210 long crl_check_interval = 0;
211
212 /* path to the PKCS#11 module */
213 char *pkcs11_module_path = NULL;
214
215 /* by default pluto logs out after every smartcard use */
216 bool pkcs11_keep_state = FALSE;
217
218 /* by default pluto does not allow pkcs11 proxy access via whack */
219 bool pkcs11_proxy = FALSE;
220
221 /* argument string to pass to PKCS#11 module.
222 * Not used for compliant modules, just for NSS softoken
223 */
224 static const char *pkcs11_init_args = NULL;
225
226 /* options read by optionsfrom */
227 options_t *options;
228
229 /**
230 * Log loaded plugins
231 */
232 static void print_plugins()
233 {
234 char buf[BUF_LEN], *plugin;
235 int len = 0;
236 enumerator_t *enumerator;
237
238 buf[0] = '\0';
239 enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
240 while (len < BUF_LEN && enumerator->enumerate(enumerator, &plugin))
241 {
242 len += snprintf(&buf[len], BUF_LEN-len, "%s ", plugin);
243 }
244 enumerator->destroy(enumerator);
245 DBG1("loaded plugins: %s", buf);
246 }
247
248 int main(int argc, char **argv)
249 {
250 bool fork_desired = TRUE;
251 bool log_to_stderr_desired = FALSE;
252 bool nat_traversal = FALSE;
253 bool nat_t_spf = TRUE; /* support port floating */
254 unsigned int keep_alive = 0;
255 bool force_keepalive = FALSE;
256 char *virtual_private = NULL;
257 int lockfd;
258 #ifdef CAPABILITIES
259 cap_t caps;
260 int keep[] = { CAP_NET_ADMIN, CAP_NET_BIND_SERVICE };
261 #endif /* CAPABILITIES */
262
263 /* initialize library and optionsfrom */
264 if (!library_init(STRONGSWAN_CONF))
265 {
266 library_deinit();
267 exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
268 }
269 if (lib->integrity &&
270 !lib->integrity->check_file(lib->integrity, "pluto", argv[0]))
271 {
272 fprintf(stderr, "integrity check of pluto failed\n");
273 library_deinit();
274 exit(SS_RC_DAEMON_INTEGRITY);
275 }
276 options = options_create();
277
278 /* handle arguments */
279 for (;;)
280 {
281 # define DBG_OFFSET 256
282 static const struct option long_opts[] = {
283 /* name, has_arg, flag, val */
284 { "help", no_argument, NULL, 'h' },
285 { "version", no_argument, NULL, 'v' },
286 { "optionsfrom", required_argument, NULL, '+' },
287 { "nofork", no_argument, NULL, 'd' },
288 { "stderrlog", no_argument, NULL, 'e' },
289 { "noklips", no_argument, NULL, 'n' },
290 { "nocrsend", no_argument, NULL, 'c' },
291 { "strictcrlpolicy", no_argument, NULL, 'r' },
292 { "crlcheckinterval", required_argument, NULL, 'x'},
293 { "cachecrls", no_argument, NULL, 'C' },
294 { "uniqueids", no_argument, NULL, 'u' },
295 { "interface", required_argument, NULL, 'i' },
296 { "ikeport", required_argument, NULL, 'p' },
297 { "ctlbase", required_argument, NULL, 'b' },
298 { "secretsfile", required_argument, NULL, 's' },
299 { "foodgroupsdir", required_argument, NULL, 'f' },
300 { "perpeerlogbase", required_argument, NULL, 'P' },
301 { "perpeerlog", no_argument, NULL, 'l' },
302 { "policygroupsdir", required_argument, NULL, 'f' },
303 #ifdef USE_LWRES
304 { "lwdnsq", required_argument, NULL, 'a' },
305 #else /* !USE_LWRES */
306 { "adns", required_argument, NULL, 'a' },
307 #endif /* !USE_LWRES */
308 { "pkcs11module", required_argument, NULL, 'm' },
309 { "pkcs11keepstate", no_argument, NULL, 'k' },
310 { "pkcs11initargs", required_argument, NULL, 'z' },
311 { "pkcs11proxy", no_argument, NULL, 'y' },
312 { "nat_traversal", no_argument, NULL, '1' },
313 { "keep_alive", required_argument, NULL, '2' },
314 { "force_keepalive", no_argument, NULL, '3' },
315 { "disable_port_floating", no_argument, NULL, '4' },
316 { "debug-natt", no_argument, NULL, '5' },
317 { "virtual_private", required_argument, NULL, '6' },
318 #ifdef DEBUG
319 { "debug-none", no_argument, NULL, 'N' },
320 { "debug-all", no_argument, NULL, 'A' },
321 { "debug-raw", no_argument, NULL, DBG_RAW + DBG_OFFSET },
322 { "debug-crypt", no_argument, NULL, DBG_CRYPT + DBG_OFFSET },
323 { "debug-parsing", no_argument, NULL, DBG_PARSING + DBG_OFFSET },
324 { "debug-emitting", no_argument, NULL, DBG_EMITTING + DBG_OFFSET },
325 { "debug-control", no_argument, NULL, DBG_CONTROL + DBG_OFFSET },
326 { "debug-lifecycle", no_argument, NULL, DBG_LIFECYCLE + DBG_OFFSET },
327 { "debug-klips", no_argument, NULL, DBG_KLIPS + DBG_OFFSET },
328 { "debug-dns", no_argument, NULL, DBG_DNS + DBG_OFFSET },
329 { "debug-oppo", no_argument, NULL, DBG_OPPO + DBG_OFFSET },
330 { "debug-controlmore", no_argument, NULL, DBG_CONTROLMORE + DBG_OFFSET },
331 { "debug-private", no_argument, NULL, DBG_PRIVATE + DBG_OFFSET },
332
333 { "impair-delay-adns-key-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_KEY_ANSWER + DBG_OFFSET },
334 { "impair-delay-adns-txt-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_TXT_ANSWER + DBG_OFFSET },
335 { "impair-bust-mi2", no_argument, NULL, IMPAIR_BUST_MI2 + DBG_OFFSET },
336 { "impair-bust-mr2", no_argument, NULL, IMPAIR_BUST_MR2 + DBG_OFFSET },
337 #endif
338 { 0,0,0,0 }
339 };
340 /* Note: we don't like the way short options get parsed
341 * by getopt_long, so we simply pass an empty string as
342 * the list. It could be "hvdenp:l:s:" "NARXPECK".
343 */
344 int c = getopt_long(argc, argv, "", long_opts, NULL);
345
346 /* Note: "breaking" from case terminates loop */
347 switch (c)
348 {
349 case EOF: /* end of flags */
350 break;
351
352 case 0: /* long option already handled */
353 continue;
354
355 case ':': /* diagnostic already printed by getopt_long */
356 case '?': /* diagnostic already printed by getopt_long */
357 usage("");
358 break; /* not actually reached */
359
360 case 'h': /* --help */
361 usage(NULL);
362 break; /* not actually reached */
363
364 case 'v': /* --version */
365 {
366 const char **sp = ipsec_copyright_notice();
367
368 printf("strongSwan "VERSION"%s\n", compile_time_interop_options);
369 for (; *sp != NULL; sp++)
370 puts(*sp);
371 }
372 exit_pluto(0);
373 break; /* not actually reached */
374
375 case '+': /* --optionsfrom <filename> */
376 if (!options->from(options, optarg, &argc, &argv, optind))
377 {
378 exit_pluto(1);
379 }
380 continue;
381
382 case 'd': /* --nofork*/
383 fork_desired = FALSE;
384 continue;
385
386 case 'e': /* --stderrlog */
387 log_to_stderr_desired = TRUE;
388 continue;
389
390 case 'n': /* --noklips */
391 no_klips = TRUE;
392 continue;
393
394 case 'c': /* --nocrsend */
395 no_cr_send = TRUE;
396 continue;
397
398 case 'r': /* --strictcrlpolicy */
399 strict_crl_policy = TRUE;
400 continue;
401
402 case 'x': /* --crlcheckinterval <time>*/
403 if (optarg == NULL || !isdigit(optarg[0]))
404 usage("missing interval time");
405
406 {
407 char *endptr;
408 long interval = strtol(optarg, &endptr, 0);
409
410 if (*endptr != '\0' || endptr == optarg
411 || interval <= 0)
412 usage("<interval-time> must be a positive number");
413 crl_check_interval = interval;
414 }
415 continue;
416
417 case 'C': /* --cachecrls */
418 cache_crls = TRUE;
419 continue;
420
421 case 'u': /* --uniqueids */
422 uniqueIDs = TRUE;
423 continue;
424
425 case 'i': /* --interface <ifname> */
426 if (!use_interface(optarg))
427 usage("too many --interface specifications");
428 continue;
429
430 case 'p': /* --port <portnumber> */
431 if (optarg == NULL || !isdigit(optarg[0]))
432 usage("missing port number");
433
434 {
435 char *endptr;
436 long port = strtol(optarg, &endptr, 0);
437
438 if (*endptr != '\0' || endptr == optarg
439 || port <= 0 || port > 0x10000)
440 usage("<port-number> must be a number between 1 and 65535");
441 pluto_port = port;
442 }
443 continue;
444
445 case 'b': /* --ctlbase <path> */
446 if (snprintf(ctl_addr.sun_path, sizeof(ctl_addr.sun_path)
447 , "%s%s", optarg, CTL_SUFFIX) == -1)
448 usage("<path>" CTL_SUFFIX " too long for sun_path");
449 if (snprintf(info_addr.sun_path, sizeof(info_addr.sun_path)
450 , "%s%s", optarg, INFO_SUFFIX) == -1)
451 usage("<path>" INFO_SUFFIX " too long for sun_path");
452 if (snprintf(pluto_lock, sizeof(pluto_lock)
453 , "%s%s", optarg, LOCK_SUFFIX) == -1)
454 usage("<path>" LOCK_SUFFIX " must fit");
455 continue;
456
457 case 's': /* --secretsfile <secrets-file> */
458 shared_secrets_file = optarg;
459 continue;
460
461 case 'f': /* --policygroupsdir <policygroups-dir> */
462 policygroups_dir = optarg;
463 continue;
464
465 case 'a': /* --adns <pathname> */
466 pluto_adns_option = optarg;
467 continue;
468
469 case 'm': /* --pkcs11module <pathname> */
470 pkcs11_module_path = optarg;
471 continue;
472
473 case 'k': /* --pkcs11keepstate */
474 pkcs11_keep_state = TRUE;
475 continue;
476
477 case 'y': /* --pkcs11proxy */
478 pkcs11_proxy = TRUE;
479 continue;
480
481 case 'z': /* --pkcs11initargs */
482 pkcs11_init_args = optarg;
483 continue;
484
485 #ifdef DEBUG
486 case 'N': /* --debug-none */
487 base_debugging = DBG_NONE;
488 continue;
489
490 case 'A': /* --debug-all */
491 base_debugging = DBG_ALL;
492 continue;
493 #endif
494
495 case 'P': /* --perpeerlogbase */
496 base_perpeer_logdir = optarg;
497 continue;
498
499 case 'l':
500 log_to_perpeer = TRUE;
501 continue;
502
503 case '1': /* --nat_traversal */
504 nat_traversal = TRUE;
505 continue;
506 case '2': /* --keep_alive */
507 keep_alive = atoi(optarg);
508 continue;
509 case '3': /* --force_keepalive */
510 force_keepalive = TRUE;
511 continue;
512 case '4': /* --disable_port_floating */
513 nat_t_spf = FALSE;
514 continue;
515 case '5': /* --debug-nat_t */
516 base_debugging |= DBG_NATT;
517 continue;
518 case '6': /* --virtual_private */
519 virtual_private = optarg;
520 continue;
521
522 default:
523 #ifdef DEBUG
524 if (c >= DBG_OFFSET)
525 {
526 base_debugging |= c - DBG_OFFSET;
527 continue;
528 }
529 # undef DBG_OFFSET
530 #endif
531 bad_case(c);
532 }
533 break;
534 }
535 if (optind != argc)
536 usage("unexpected argument");
537 reset_debugging();
538 lockfd = create_lock();
539
540 /* select between logging methods */
541
542 if (log_to_stderr_desired)
543 {
544 log_to_syslog = FALSE;
545 }
546 else
547 {
548 log_to_stderr = FALSE;
549 }
550
551 /* set the logging function of pfkey debugging */
552 #ifdef DEBUG
553 pfkey_debug_func = DBG_log;
554 #else
555 pfkey_debug_func = NULL;
556 #endif
557
558 /* create control socket.
559 * We must create it before the parent process returns so that
560 * there will be no race condition in using it. The easiest
561 * place to do this is before the daemon fork.
562 */
563 {
564 err_t ugh = init_ctl_socket();
565
566 if (ugh != NULL)
567 {
568 fprintf(stderr, "pluto: %s", ugh);
569 exit_pluto(1);
570 }
571 }
572
573 /* If not suppressed, do daemon fork */
574
575 if (fork_desired)
576 {
577 {
578 pid_t pid = fork();
579
580 if (pid < 0)
581 {
582 int e = errno;
583
584 fprintf(stderr, "pluto: fork failed (%d %s)\n",
585 errno, strerror(e));
586 exit_pluto(1);
587 }
588
589 if (pid != 0)
590 {
591 /* parent: die, after filling PID into lock file.
592 * must not use exit_pluto: lock would be removed!
593 */
594 exit(fill_lock(lockfd, pid)? 0 : 1);
595 }
596 }
597
598 if (setsid() < 0)
599 {
600 int e = errno;
601
602 fprintf(stderr, "setsid() failed in main(). Errno %d: %s\n",
603 errno, strerror(e));
604 exit_pluto(1);
605 }
606 }
607 else
608 {
609 /* no daemon fork: we have to fill in lock file */
610 (void) fill_lock(lockfd, getpid());
611 fprintf(stdout, "Pluto initialized\n");
612 fflush(stdout);
613 }
614
615 /* Close everything but ctl_fd and (if needed) stderr.
616 * There is some danger that a library that we don't know
617 * about is using some fd that we don't know about.
618 * I guess we'll soon find out.
619 */
620 {
621 int i;
622
623 for (i = getdtablesize() - 1; i >= 0; i--) /* Bad hack */
624 {
625 if ((!log_to_stderr || i != 2) && i != ctl_fd)
626 close(i);
627 }
628
629 /* make sure that stdin, stdout, stderr are reserved */
630 if (open("/dev/null", O_RDONLY) != 0)
631 abort();
632 if (dup2(0, 1) != 1)
633 abort();
634 if (!log_to_stderr && dup2(0, 2) != 2)
635 abort();
636 }
637
638 init_constants();
639 init_log("pluto");
640
641 /* Note: some scripts may look for this exact message -- don't change
642 * ipsec barf was one, but it no longer does.
643 */
644 plog("Starting IKEv1 pluto daemon (strongSwan "VERSION")%s",
645 compile_time_interop_options);
646
647 if (lib->integrity)
648 {
649 plog("integrity tests enabled:");
650 plog("lib 'libstrongswan': passed file and segment integrity tests");
651 plog("daemon 'pluto': passed file integrity test");
652 }
653
654 /* load plugins, further infrastructure may need it */
655 lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR,
656 lib->settings->get_str(lib->settings, "pluto.load", PLUGINS));
657 print_plugins();
658
659 init_builder();
660 if (!init_secret() || !init_crypto())
661 {
662 plog("initialization failed - aborting pluto");
663 exit_pluto(SS_RC_INITIALIZATION_FAILED);
664 }
665 init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf);
666 init_virtual_ip(virtual_private);
667 scx_init(pkcs11_module_path, pkcs11_init_args);
668 xauth_init();
669 init_states();
670 init_demux();
671 init_kernel();
672 init_adns();
673 init_id();
674 init_fetch();
675
676 /* drop unneeded capabilities and change UID/GID */
677 prctl(PR_SET_KEEPCAPS, 1);
678
679 #ifdef IPSEC_GROUP
680 {
681 struct group group, *grp;
682 char buf[1024];
683
684 if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) != 0 ||
685 grp == NULL || setgid(grp->gr_gid) != 0)
686 {
687 plog("unable to change daemon group");
688 abort();
689 }
690 }
691 #endif
692 #ifdef IPSEC_USER
693 {
694 struct passwd passwd, *pwp;
695 char buf[1024];
696
697 if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) != 0 ||
698 pwp == NULL || setuid(pwp->pw_uid) != 0)
699 {
700 plog("unable to change daemon user");
701 abort();
702 }
703 }
704 #endif
705
706 #ifdef CAPABILITIES
707 caps = cap_init();
708 cap_set_flag(caps, CAP_EFFECTIVE, 2, keep, CAP_SET);
709 cap_set_flag(caps, CAP_INHERITABLE, 2, keep, CAP_SET);
710 cap_set_flag(caps, CAP_PERMITTED, 2, keep, CAP_SET);
711 if (cap_set_proc(caps) != 0)
712 {
713 plog("unable to drop daemon capabilities");
714 abort();
715 }
716 cap_free(caps);
717 #endif /* CAPABILITIES */
718
719 /* loading X.509 CA certificates */
720 load_authcerts("CA cert", CA_CERT_PATH, AUTH_CA);
721 /* loading X.509 AA certificates */
722 load_authcerts("AA cert", AA_CERT_PATH, AUTH_AA);
723 /* loading X.509 OCSP certificates */
724 load_authcerts("OCSP cert", OCSP_CERT_PATH, AUTH_OCSP);
725 /* loading X.509 CRLs */
726 load_crls();
727 /* loading attribute certificates (experimental) */
728 load_acerts();
729
730 daily_log_event();
731 call_server();
732 return -1; /* Shouldn't ever reach this */
733 }
734
735 /* leave pluto, with status.
736 * Once child is launched, parent must not exit this way because
737 * the lock would be released.
738 *
739 * 0 OK
740 * 1 general discomfort
741 * 10 lock file exists
742 */
743 void exit_pluto(int status)
744 {
745 reset_globals(); /* needed because we may be called in odd state */
746 free_preshared_secrets();
747 free_remembered_public_keys();
748 delete_every_connection();
749 free_crl_fetch(); /* free chain of crl fetch requests */
750 free_ocsp_fetch(); /* free chain of ocsp fetch requests */
751 free_authcerts(); /* free chain of X.509 authority certificates */
752 free_crls(); /* free chain of X.509 CRLs */
753 free_acerts(); /* free chain of X.509 attribute certificates */
754 free_ca_infos(); /* free chain of X.509 CA information records */
755 free_ocsp(); /* free ocsp cache */
756 free_ifaces();
757 scx_finalize(); /* finalize and unload PKCS #11 module */
758 xauth_finalize(); /* finalize and unload XAUTH module */
759 stop_adns();
760 free_md_pool();
761 free_crypto();
762 free_id(); /* free myids */
763 free_events(); /* free remaining events */
764 free_vendorid(); /* free all vendor id records */
765 free_builder();
766 delete_lock();
767 options->destroy(options);
768 library_deinit();
769 close_log();
770 exit(status);
771 }
772
773 /*
774 * Local Variables:
775 * c-basic-offset:4
776 * c-style: pluto
777 * End:
778 */