e290e36e726b99bbfa81968263eefa38ff0b076e
[strongswan.git] / src / pluto / server.c
1 /* get-next-event loop
2 * Copyright (C) 1997 Angelos D. Keromytis.
3 * Copyright (C) 1998-2002 D. Hugh Redelmeier.
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include <stdio.h>
17 #include <stdlib.h>
18 #include <stddef.h>
19 #include <string.h>
20 #include <errno.h>
21 #include <signal.h>
22 #include <ctype.h>
23 #include <sys/types.h>
24 #include <sys/stat.h>
25 #include <sys/socket.h>
26 #include <sys/un.h>
27 #ifdef SOLARIS
28 # include <sys/sockio.h> /* for Solaris 2.6: defines SIOCGIFCONF */
29 #endif
30 #include <netinet/in.h>
31 #include <arpa/inet.h>
32 #include <sys/time.h>
33 #include <netdb.h>
34 #include <unistd.h>
35 #include <fcntl.h>
36 #include <net/if.h>
37 #include <sys/ioctl.h>
38 #include <resolv.h>
39 #include <arpa/nameser.h> /* missing from <resolv.h> on old systems */
40 #include <sys/queue.h>
41
42 #include <freeswan.h>
43
44 #include "constants.h"
45 #include "defs.h"
46 #include "state.h"
47 #include "connections.h"
48 #include "kernel.h"
49 #include "log.h"
50 #include "server.h"
51 #include "timer.h"
52 #include "packet.h"
53 #include "demux.h" /* needs packet.h */
54 #include "rcv_whack.h"
55 #include "keys.h"
56 #include "adns.h" /* needs <resolv.h> */
57 #include "dnskey.h" /* needs keys.h and adns.h */
58 #include "whack.h" /* for RC_LOG_SERIOUS */
59 #include "pluto.h"
60
61 #include <pfkeyv2.h>
62 #include <pfkey.h>
63 #include "kameipsec.h"
64 #include "nat_traversal.h"
65
66 /*
67 * Server main loop and socket initialization routines.
68 */
69
70 static const int on = TRUE; /* by-reference parameter; constant, we hope */
71
72 /* control (whack) socket */
73 int ctl_fd = NULL_FD; /* file descriptor of control (whack) socket */
74 struct sockaddr_un ctl_addr = { AF_UNIX, DEFAULT_CTLBASE CTL_SUFFIX };
75
76 /* info (showpolicy) socket */
77 int policy_fd = NULL_FD;
78 struct sockaddr_un info_addr= { AF_UNIX, DEFAULT_CTLBASE INFO_SUFFIX };
79
80 /* Initialize the control socket.
81 * Note: this is called very early, so little infrastructure is available.
82 * It is important that the socket is created before the original
83 * Pluto process returns.
84 */
85 err_t
86 init_ctl_socket(void)
87 {
88 err_t failed = NULL;
89
90 delete_ctl_socket(); /* preventative medicine */
91 ctl_fd = socket(AF_UNIX, SOCK_STREAM, 0);
92 if (ctl_fd == -1)
93 failed = "create";
94 else if (fcntl(ctl_fd, F_SETFD, FD_CLOEXEC) == -1)
95 failed = "fcntl FD+CLOEXEC";
96 else if (setsockopt(ctl_fd, SOL_SOCKET, SO_REUSEADDR, (const void *)&on, sizeof(on)) < 0)
97 failed = "setsockopt";
98 else
99 {
100 /* to keep control socket secure, use umask */
101 mode_t ou = umask(~S_IRWXU);
102
103 if (bind(ctl_fd, (struct sockaddr *)&ctl_addr
104 , offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0)
105 failed = "bind";
106 umask(ou);
107 }
108
109 /* 5 is a haphazardly chosen limit for the backlog.
110 * Rumour has it that this is the max on BSD systems.
111 */
112 if (failed == NULL && listen(ctl_fd, 5) < 0)
113 failed = "listen() on";
114
115 return failed == NULL? NULL : builddiag("could not %s control socket: %d %s"
116 , failed, errno, strerror(errno));
117 }
118
119 void
120 delete_ctl_socket(void)
121 {
122 /* Is noting failure useful? Not when used as preventative medicine. */
123 unlink(ctl_addr.sun_path);
124 }
125
126 bool listening = FALSE; /* should we pay attention to IKE messages? */
127
128 struct iface *interfaces = NULL; /* public interfaces */
129
130 /* Initialize the interface sockets. */
131
132 static void
133 mark_ifaces_dead(void)
134 {
135 struct iface *p;
136
137 for (p = interfaces; p != NULL; p = p->next)
138 p->change = IFN_DELETE;
139 }
140
141 static void
142 free_dead_ifaces(void)
143 {
144 struct iface *p;
145 bool some_dead = FALSE
146 , some_new = FALSE;
147
148 for (p = interfaces; p != NULL; p = p->next)
149 {
150 if (p->change == IFN_DELETE)
151 {
152 plog("shutting down interface %s/%s %s"
153 , p->vname, p->rname, ip_str(&p->addr));
154 some_dead = TRUE;
155 }
156 else if (p->change == IFN_ADD)
157 {
158 some_new = TRUE;
159 }
160 }
161
162 if (some_dead)
163 {
164 struct iface **pp;
165
166 release_dead_interfaces();
167 for (pp = &interfaces; (p = *pp) != NULL; )
168 {
169 if (p->change == IFN_DELETE)
170 {
171 *pp = p->next; /* advance *pp */
172 free(p->vname);
173 free(p->rname);
174 close(p->fd);
175 free(p);
176 }
177 else
178 {
179 pp = &p->next; /* advance pp */
180 }
181 }
182 }
183
184 /* this must be done after the release_dead_interfaces
185 * in case some to the newly unoriented connections can
186 * become oriented here.
187 */
188 if (some_dead || some_new)
189 check_orientations();
190 }
191
192 void
193 free_ifaces(void)
194 {
195 mark_ifaces_dead();
196 free_dead_ifaces();
197 }
198
199 struct raw_iface {
200 ip_address addr;
201 char name[IFNAMSIZ + 20]; /* what would be a safe size? */
202 struct raw_iface *next;
203 };
204
205 /* Called to handle --interface <ifname>
206 * Semantics: if specified, only these (real) interfaces are considered.
207 */
208 static const char *pluto_ifn[10];
209 static int pluto_ifn_roof = 0;
210
211 bool
212 use_interface(const char *rifn)
213 {
214 if (pluto_ifn_roof >= (int)countof(pluto_ifn))
215 {
216 return FALSE;
217 }
218 else
219 {
220 pluto_ifn[pluto_ifn_roof++] = rifn;
221 return TRUE;
222 }
223 }
224
225 #ifndef IPSECDEVPREFIX
226 # define IPSECDEVPREFIX "ipsec"
227 #endif
228
229 static struct raw_iface *
230 find_raw_ifaces4(void)
231 {
232 int j; /* index into buf */
233 struct ifconf ifconf;
234 struct ifreq buf[300]; /* for list of interfaces -- arbitrary limit */
235 struct raw_iface *rifaces = NULL;
236 int master_sock = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP); /* Get a UDP socket */
237
238 /* get list of interfaces with assigned IPv4 addresses from system */
239
240 if (master_sock == -1)
241 exit_log_errno((e, "socket() failed in find_raw_ifaces4()"));
242
243 if (setsockopt(master_sock, SOL_SOCKET, SO_REUSEADDR
244 , (const void *)&on, sizeof(on)) < 0)
245 exit_log_errno((e, "setsockopt() in find_raw_ifaces4()"));
246
247 /* bind the socket */
248 {
249 ip_address any;
250
251 happy(anyaddr(AF_INET, &any));
252 setportof(htons(pluto_port), &any);
253 if (bind(master_sock, sockaddrof(&any), sockaddrlenof(&any)) < 0)
254 exit_log_errno((e, "bind() failed in find_raw_ifaces4()"));
255 }
256
257 /* Get local interfaces. See netdevice(7). */
258 ifconf.ifc_len = sizeof(buf);
259 ifconf.ifc_buf = (void *) buf;
260 zero(buf);
261
262 if (ioctl(master_sock, SIOCGIFCONF, &ifconf) == -1)
263 exit_log_errno((e, "ioctl(SIOCGIFCONF) in find_raw_ifaces4()"));
264
265 /* Add an entry to rifaces for each interesting interface. */
266 for (j = 0; (j+1) * sizeof(*buf) <= (size_t)ifconf.ifc_len; j++)
267 {
268 struct raw_iface ri;
269 const struct sockaddr_in *rs = (struct sockaddr_in *) &buf[j].ifr_addr;
270 struct ifreq auxinfo;
271
272 /* ignore all but AF_INET interfaces */
273 if (rs->sin_family != AF_INET)
274 continue; /* not interesting */
275
276 /* build a NUL-terminated copy of the rname field */
277 memcpy(ri.name, buf[j].ifr_name, IFNAMSIZ);
278 ri.name[IFNAMSIZ] = '\0';
279
280 /* ignore if our interface names were specified, and this isn't one */
281 if (pluto_ifn_roof != 0)
282 {
283 int i;
284
285 for (i = 0; i != pluto_ifn_roof; i++)
286 if (streq(ri.name, pluto_ifn[i]))
287 break;
288 if (i == pluto_ifn_roof)
289 continue; /* not found -- skip */
290 }
291
292 /* Find out stuff about this interface. See netdevice(7). */
293 zero(&auxinfo); /* paranoia */
294 memcpy(auxinfo.ifr_name, buf[j].ifr_name, IFNAMSIZ);
295 if (ioctl(master_sock, SIOCGIFFLAGS, &auxinfo) == -1)
296 exit_log_errno((e
297 , "ioctl(SIOCGIFFLAGS) for %s in find_raw_ifaces4()"
298 , ri.name));
299 if (!(auxinfo.ifr_flags & IFF_UP))
300 continue; /* ignore an interface that isn't UP */
301
302 /* ignore unconfigured interfaces */
303 if (rs->sin_addr.s_addr == 0)
304 continue;
305
306 happy(initaddr((const void *)&rs->sin_addr, sizeof(struct in_addr)
307 , AF_INET, &ri.addr));
308
309 DBG(DBG_CONTROL, DBG_log("found %s with address %s"
310 , ri.name, ip_str(&ri.addr)));
311 ri.next = rifaces;
312 rifaces = clone_thing(ri);
313 }
314
315 close(master_sock);
316
317 return rifaces;
318 }
319
320 static struct raw_iface *
321 find_raw_ifaces6(void)
322 {
323
324 /* Get list of interfaces with IPv6 addresses from system from /proc/net/if_inet6).
325 *
326 * Documentation of format?
327 * RTFS: linux-2.2.16/net/ipv6/addrconf.c:iface_proc_info()
328 * linux-2.4.9-13/net/ipv6/addrconf.c:iface_proc_info()
329 *
330 * Sample from Gerhard's laptop:
331 * 00000000000000000000000000000001 01 80 10 80 lo
332 * 30490009000000000000000000010002 02 40 00 80 ipsec0
333 * 30490009000000000000000000010002 07 40 00 80 eth0
334 * fe80000000000000025004fffefd5484 02 0a 20 80 ipsec0
335 * fe80000000000000025004fffefd5484 07 0a 20 80 eth0
336 *
337 * Each line contains:
338 * - IPv6 address: 16 bytes, in hex, no punctuation
339 * - ifindex: 1 byte, in hex
340 * - prefix_len: 1 byte, in hex
341 * - scope (e.g. global, link local): 1 byte, in hex
342 * - flags: 1 byte, in hex
343 * - device name: string, followed by '\n'
344 */
345 struct raw_iface *rifaces = NULL;
346 static const char proc_name[] = "/proc/net/if_inet6";
347 FILE *proc_sock = fopen(proc_name, "r");
348
349 if (proc_sock == NULL)
350 {
351 DBG(DBG_CONTROL, DBG_log("could not open %s", proc_name));
352 }
353 else
354 {
355 for (;;)
356 {
357 struct raw_iface ri;
358 unsigned short xb[8]; /* IPv6 address as 8 16-bit chunks */
359 char sb[8*5]; /* IPv6 address as string-with-colons */
360 unsigned int if_idx; /* proc field, not used */
361 unsigned int plen; /* proc field, not used */
362 unsigned int scope; /* proc field, used to exclude link-local */
363 unsigned int dad_status; /* proc field, not used */
364 /* ??? I hate and distrust scanf -- DHR */
365 int r = fscanf(proc_sock
366 , "%4hx%4hx%4hx%4hx%4hx%4hx%4hx%4hx"
367 " %02x %02x %02x %02x %20s\n"
368 , xb+0, xb+1, xb+2, xb+3, xb+4, xb+5, xb+6, xb+7
369 , &if_idx, &plen, &scope, &dad_status, ri.name);
370
371 /* ??? we should diagnose any problems */
372 if (r != 13)
373 break;
374
375 /* ignore addresses with link local scope.
376 * From linux-2.4.9-13/include/net/ipv6.h:
377 * IPV6_ADDR_LINKLOCAL 0x0020U
378 * IPV6_ADDR_SCOPE_MASK 0x00f0U
379 */
380 if ((scope & 0x00f0U) == 0x0020U)
381 continue;
382
383 snprintf(sb, sizeof(sb)
384 , "%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x"
385 , xb[0], xb[1], xb[2], xb[3], xb[4], xb[5], xb[6], xb[7]);
386
387 happy(ttoaddr(sb, 0, AF_INET6, &ri.addr));
388
389 if (!isunspecaddr(&ri.addr))
390 {
391 DBG(DBG_CONTROL
392 , DBG_log("found %s with address %s"
393 , ri.name, sb));
394 ri.next = rifaces;
395 rifaces = clone_thing(ri);
396 }
397 }
398 fclose(proc_sock);
399 }
400
401 return rifaces;
402 }
403
404 #if 1
405 static int
406 create_socket(struct raw_iface *ifp, const char *v_name, int port)
407 {
408 int fd = socket(addrtypeof(&ifp->addr), SOCK_DGRAM, IPPROTO_UDP);
409 int fcntl_flags;
410
411 if (fd < 0)
412 {
413 log_errno((e, "socket() in process_raw_ifaces()"));
414 return -1;
415 }
416
417 #if 1
418 /* Set socket Nonblocking */
419 if ((fcntl_flags=fcntl(fd, F_GETFL)) >= 0) {
420 if (!(fcntl_flags & O_NONBLOCK)) {
421 fcntl_flags |= O_NONBLOCK;
422 fcntl(fd, F_SETFL, fcntl_flags);
423 }
424 }
425 #endif
426
427 if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1)
428 {
429 log_errno((e, "fcntl(,, FD_CLOEXEC) in process_raw_ifaces()"));
430 close(fd);
431 return -1;
432 }
433
434 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR
435 , (const void *)&on, sizeof(on)) < 0)
436 {
437 log_errno((e, "setsockopt SO_REUSEADDR in process_raw_ifaces()"));
438 close(fd);
439 return -1;
440 }
441
442 /* To improve error reporting. See ip(7). */
443 #if defined(IP_RECVERR) && defined(MSG_ERRQUEUE)
444 if (setsockopt(fd, SOL_IP, IP_RECVERR
445 , (const void *)&on, sizeof(on)) < 0)
446 {
447 log_errno((e, "setsockopt IP_RECVERR in process_raw_ifaces()"));
448 close(fd);
449 return -1;
450 }
451 #endif
452
453 /* With IPv6, there is no fragmentation after
454 * it leaves our interface. PMTU discovery
455 * is mandatory but doesn't work well with IKE (why?).
456 * So we must set the IPV6_USE_MIN_MTU option.
457 * See draft-ietf-ipngwg-rfc2292bis-01.txt 11.1
458 */
459 #ifdef IPV6_USE_MIN_MTU /* YUCK: not always defined */
460 if (addrtypeof(&ifp->addr) == AF_INET6
461 && setsockopt(fd, SOL_SOCKET, IPV6_USE_MIN_MTU
462 , (const void *)&on, sizeof(on)) < 0)
463 {
464 log_errno((e, "setsockopt IPV6_USE_MIN_MTU in process_raw_ifaces()"));
465 close(fd);
466 return -1;
467 }
468 #endif
469
470 #if defined(linux) && defined(KERNEL26_SUPPORT)
471 {
472 struct sadb_x_policy policy;
473 int level, opt;
474
475 policy.sadb_x_policy_len = sizeof(policy) / IPSEC_PFKEYv2_ALIGN;
476 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
477 policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
478 policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
479 policy.sadb_x_policy_reserved = 0;
480 policy.sadb_x_policy_id = 0;
481 policy.sadb_x_policy_reserved2 = 0;
482
483 if (addrtypeof(&ifp->addr) == AF_INET6)
484 {
485 level = IPPROTO_IPV6;
486 opt = IPV6_IPSEC_POLICY;
487 }
488 else
489 {
490 level = IPPROTO_IP;
491 opt = IP_IPSEC_POLICY;
492 }
493
494 if (setsockopt(fd, level, opt
495 , &policy, sizeof(policy)) < 0)
496 {
497 log_errno((e, "setsockopt IPSEC_POLICY in process_raw_ifaces()"));
498 close(fd);
499 return -1;
500 }
501
502 policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
503
504 if (setsockopt(fd, level, opt
505 , &policy, sizeof(policy)) < 0)
506 {
507 log_errno((e, "setsockopt IPSEC_POLICY in process_raw_ifaces()"));
508 close(fd);
509 return -1;
510 }
511 }
512 #endif
513
514 setportof(htons(port), &ifp->addr);
515 if (bind(fd, sockaddrof(&ifp->addr), sockaddrlenof(&ifp->addr)) < 0)
516 {
517 log_errno((e, "bind() for %s/%s %s:%u in process_raw_ifaces()"
518 , ifp->name, v_name
519 , ip_str(&ifp->addr), (unsigned) port));
520 close(fd);
521 return -1;
522 }
523 setportof(htons(pluto_port), &ifp->addr);
524 return fd;
525 }
526 #endif
527
528 static void
529 process_raw_ifaces(struct raw_iface *rifaces)
530 {
531 struct raw_iface *ifp;
532
533 /* Find all virtual/real interface pairs.
534 * For each real interface...
535 */
536 for (ifp = rifaces; ifp != NULL; ifp = ifp->next)
537 {
538 struct raw_iface *v = NULL; /* matching ipsecX interface */
539 bool after = FALSE; /* has vfp passed ifp on the list? */
540 bool bad = FALSE;
541 struct raw_iface *vfp;
542
543 /* ignore if virtual (ipsec*) interface */
544 if (strneq(ifp->name, IPSECDEVPREFIX, sizeof(IPSECDEVPREFIX)-1))
545 {
546 continue;
547 }
548
549 for (vfp = rifaces; vfp != NULL; vfp = vfp->next)
550 {
551 if (vfp == ifp)
552 {
553 after = TRUE;
554 }
555 else if (sameaddr(&ifp->addr, &vfp->addr))
556 {
557 /* Different entries with matching IP addresses.
558 * Many interesting cases.
559 */
560 if (strneq(vfp->name, IPSECDEVPREFIX, sizeof(IPSECDEVPREFIX)-1))
561 {
562 if (v != NULL && !streq(v->name, vfp->name))
563 {
564 loglog(RC_LOG_SERIOUS
565 , "ipsec interfaces %s and %s share same address %s"
566 , v->name, vfp->name, ip_str(&ifp->addr));
567 bad = TRUE;
568 }
569 else
570 {
571 v = vfp; /* current winner */
572 }
573 }
574 else
575 {
576 /* ugh: a second real interface with the same IP address
577 * "after" allows us to avoid double reporting.
578 */
579 #if defined(linux) && defined(KERNEL26_SUPPORT)
580 {
581 if (after)
582 {
583 bad = TRUE;
584 break;
585 }
586 continue;
587 }
588 #endif
589 if (after)
590 {
591 loglog(RC_LOG_SERIOUS
592 , "IP interfaces %s and %s share address %s!"
593 , ifp->name, vfp->name, ip_str(&ifp->addr));
594 }
595 bad = TRUE;
596 }
597 }
598 }
599
600 if (bad)
601 continue;
602
603 #if defined(linux) && defined(KERNEL26_SUPPORT)
604 {
605 v = ifp;
606 goto add_entry;
607 }
608 #endif
609
610 /* what if we didn't find a virtual interface? */
611 if (v == NULL)
612 {
613 DBG(DBG_CONTROL,
614 DBG_log("IP interface %s %s has no matching ipsec* interface -- ignored"
615 , ifp->name, ip_str(&ifp->addr)));
616 continue;
617 }
618
619 /* We've got all we need; see if this is a new thing:
620 * search old interfaces list.
621 */
622 #if defined(linux) && defined(KERNEL26_SUPPORT)
623 add_entry:
624 #endif
625 {
626 struct iface **p = &interfaces;
627
628 for (;;)
629 {
630 struct iface *q = *p;
631
632 /* search is over if at end of list */
633 if (q == NULL)
634 {
635 /* matches nothing -- create a new entry */
636 int fd = create_socket(ifp, v->name, pluto_port);
637
638 if (fd < 0)
639 break;
640
641 if (nat_traversal_support_non_ike
642 && addrtypeof(&ifp->addr) == AF_INET)
643 {
644 nat_traversal_espinudp_socket(fd, ESPINUDP_WITH_NON_IKE);
645 }
646
647 q = malloc_thing(struct iface);
648 zero(q);
649 q->rname = clone_str(ifp->name);
650 q->vname = clone_str(v->name);
651 q->addr = ifp->addr;
652 q->fd = fd;
653 q->next = interfaces;
654 q->change = IFN_ADD;
655 interfaces = q;
656 plog("adding interface %s/%s %s:%d"
657 , q->vname, q->rname, ip_str(&q->addr), pluto_port);
658
659 if (nat_traversal_support_port_floating
660 && addrtypeof(&ifp->addr) == AF_INET)
661 {
662 fd = create_socket(ifp, v->name, NAT_T_IKE_FLOAT_PORT);
663 if (fd < 0)
664 break;
665 nat_traversal_espinudp_socket(fd,
666 ESPINUDP_WITH_NON_ESP);
667 q = malloc_thing(struct iface);
668 zero(q);
669 q->rname = clone_str(ifp->name);
670 q->vname = clone_str(v->name);
671 q->addr = ifp->addr;
672 setportof(htons(NAT_T_IKE_FLOAT_PORT), &q->addr);
673 q->fd = fd;
674 q->next = interfaces;
675 q->change = IFN_ADD;
676 q->ike_float = TRUE;
677 interfaces = q;
678 plog("adding interface %s/%s %s:%d",
679 q->vname, q->rname, ip_str(&q->addr), NAT_T_IKE_FLOAT_PORT);
680 }
681 break;
682 }
683
684 /* search over if matching old entry found */
685 if (streq(q->rname, ifp->name)
686 && streq(q->vname, v->name)
687 && sameaddr(&q->addr, &ifp->addr))
688 {
689 /* matches -- rejuvinate old entry */
690 q->change = IFN_KEEP;
691
692 /* look for other interfaces to keep (due to NAT-T) */
693 for (q = q->next ; q ; q = q->next)
694 {
695 if (streq(q->rname, ifp->name)
696 && streq(q->vname, v->name)
697 && sameaddr(&q->addr, &ifp->addr))
698 {
699 q->change = IFN_KEEP;
700 }
701 }
702 break;
703 }
704
705 /* try again */
706 p = &q->next;
707 } /* for (;;) */
708 }
709 }
710
711 /* delete the raw interfaces list */
712 while (rifaces != NULL)
713 {
714 struct raw_iface *t = rifaces;
715
716 rifaces = t->next;
717 free(t);
718 }
719 }
720
721 void
722 find_ifaces(void)
723 {
724 mark_ifaces_dead();
725 process_raw_ifaces(find_raw_ifaces4());
726 process_raw_ifaces(find_raw_ifaces6());
727
728 free_dead_ifaces(); /* ditch remaining old entries */
729
730 if (interfaces == NULL)
731 loglog(RC_LOG_SERIOUS, "no public interfaces found");
732 }
733
734 void
735 show_ifaces_status(void)
736 {
737 struct iface *p;
738
739 for (p = interfaces; p != NULL; p = p->next)
740 whack_log(RC_COMMENT, "interface %s/%s %s:%d"
741 , p->vname, p->rname, ip_str(&p->addr), ntohs(portof(&p->addr)));
742 }
743
744 void
745 show_debug_status(void)
746 {
747 #ifdef DEBUG
748 whack_log(RC_COMMENT, "debug options: %s"
749 , bitnamesof(debug_bit_names, cur_debugging));
750 #endif
751 }
752
753 static volatile sig_atomic_t sighupflag = FALSE;
754
755 static void
756 huphandler(int sig UNUSED)
757 {
758 sighupflag = TRUE;
759 }
760
761 static volatile sig_atomic_t sigtermflag = FALSE;
762
763 static void
764 termhandler(int sig UNUSED)
765 {
766 sigtermflag = TRUE;
767 }
768
769 /* call_server listens for incoming ISAKMP packets and Whack messages,
770 * and handles timer events.
771 */
772 void
773 call_server(void)
774 {
775 struct iface *ifp;
776
777 /* catch SIGHUP and SIGTERM */
778 {
779 int r;
780 struct sigaction act;
781
782 act.sa_handler = &huphandler;
783 sigemptyset(&act.sa_mask);
784 act.sa_flags = 0; /* no SA_ONESHOT, no SA_RESTART, no nothing */
785 r = sigaction(SIGHUP, &act, NULL);
786 passert(r == 0);
787
788 act.sa_handler = &termhandler;
789 r = sigaction(SIGTERM, &act, NULL);
790 r = sigaction(SIGINT, &act, NULL);
791 passert(r == 0);
792 }
793
794 for (;;)
795 {
796 fd_set readfds;
797 fd_set writefds;
798 int ndes, events_fd;
799
800 /* wait for next interesting thing */
801
802 for (;;)
803 {
804 long next_time = next_event(); /* time to any pending timer event */
805 int maxfd = ctl_fd;
806
807 if (sigtermflag)
808 exit_pluto(0);
809
810 if (sighupflag)
811 {
812 /* Ignorant folks think poking any daemon with SIGHUP
813 * is polite. We catch it and tell them otherwise.
814 * There is one use: unsticking a hung recvfrom.
815 * This sticking happens sometimes -- kernel bug?
816 */
817 sighupflag = FALSE;
818 plog("Pluto ignores SIGHUP -- perhaps you want \"whack --listen\"");
819 }
820
821 FD_ZERO(&readfds);
822 FD_ZERO(&writefds);
823 FD_SET(ctl_fd, &readfds);
824
825 /* the only write file-descriptor of interest */
826 if (adns_qfd != NULL_FD && unsent_ADNS_queries)
827 {
828 if (maxfd < adns_qfd)
829 maxfd = adns_qfd;
830 FD_SET(adns_qfd, &writefds);
831 }
832
833 if (adns_afd != NULL_FD)
834 {
835 if (maxfd < adns_afd)
836 maxfd = adns_afd;
837 FD_SET(adns_afd, &readfds);
838 }
839
840 events_fd = pluto->events->get_event_fd(pluto->events);
841 if (maxfd < events_fd)
842 maxfd = events_fd;
843 FD_SET(events_fd, &readfds);
844
845 if (listening)
846 {
847 for (ifp = interfaces; ifp != NULL; ifp = ifp->next)
848 {
849 if (maxfd < ifp->fd)
850 maxfd = ifp->fd;
851 passert(!FD_ISSET(ifp->fd, &readfds));
852 FD_SET(ifp->fd, &readfds);
853 }
854 }
855
856 if (next_time == -1)
857 {
858 /* select without timer */
859
860 ndes = select(maxfd + 1, &readfds, &writefds, NULL, NULL);
861 }
862 else if (next_time == 0)
863 {
864 /* timer without select: there is a timer event pending,
865 * and it should fire now so don't bother to do the select.
866 */
867 ndes = 0; /* signify timer expiration */
868 }
869 else
870 {
871 /* select with timer */
872
873 struct timeval tm;
874
875 tm.tv_sec = next_time;
876 tm.tv_usec = 0;
877 ndes = select(maxfd + 1, &readfds, &writefds, NULL, &tm);
878 }
879
880 if (ndes != -1)
881 break; /* success */
882
883 if (errno != EINTR)
884 exit_log_errno((e, "select() failed in call_server()"));
885
886 /* retry if terminated by signal */
887 }
888
889 /* figure out what is interesting */
890
891 if (ndes == 0)
892 {
893 /* timer event */
894
895 DBG(DBG_CONTROL,
896 DBG_log(BLANK_FORMAT);
897 DBG_log("*time to handle event"));
898
899 handle_timer_event();
900 passert(GLOBALS_ARE_RESET());
901 }
902 else
903 {
904 /* at least one file descriptor is ready */
905
906 if (adns_qfd != NULL_FD && FD_ISSET(adns_qfd, &writefds))
907 {
908 passert(ndes > 0);
909 send_unsent_ADNS_queries();
910 passert(GLOBALS_ARE_RESET());
911 ndes--;
912 }
913
914 if (adns_afd != NULL_FD && FD_ISSET(adns_afd, &readfds))
915 {
916 passert(ndes > 0);
917 DBG(DBG_CONTROL,
918 DBG_log(BLANK_FORMAT);
919 DBG_log("*received adns message"));
920 handle_adns_answer();
921 passert(GLOBALS_ARE_RESET());
922 ndes--;
923 }
924
925 if (FD_ISSET(events_fd, &readfds))
926 {
927 passert(ndes > 0);
928 DBG(DBG_CONTROL,
929 DBG_log(BLANK_FORMAT);
930 DBG_log("*handling asynchronous events"));
931 pluto->events->handle(pluto->events);
932 passert(GLOBALS_ARE_RESET());
933 ndes--;
934 }
935
936 for (ifp = interfaces; ifp != NULL; ifp = ifp->next)
937 {
938 if (FD_ISSET(ifp->fd, &readfds))
939 {
940 /* comm_handle will print DBG_CONTROL intro,
941 * with more info than we have here.
942 */
943
944 passert(ndes > 0);
945 comm_handle(ifp);
946 passert(GLOBALS_ARE_RESET());
947 ndes--;
948 }
949 }
950
951 if (FD_ISSET(ctl_fd, &readfds))
952 {
953 passert(ndes > 0);
954 DBG(DBG_CONTROL,
955 DBG_log(BLANK_FORMAT);
956 DBG_log("*received whack message"));
957 whack_handle(ctl_fd);
958 passert(GLOBALS_ARE_RESET());
959 ndes--;
960 }
961
962 passert(ndes == 0);
963 }
964 }
965 }
966
967 /*
968 * Local Variables:
969 * c-basic-offset: 4
970 * End Variables:
971 */