(no commit message)
[strongswan.git] / src / pluto / server.c
1 /* get-next-event loop
2 * Copyright (C) 1997 Angelos D. Keromytis.
3 * Copyright (C) 1998-2002 D. Hugh Redelmeier.
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 *
15 * RCSID $Id: server.c,v 1.9 2005/09/09 14:15:35 as Exp $
16 */
17
18 #include <stdio.h>
19 #include <stdlib.h>
20 #include <stddef.h>
21 #include <string.h>
22 #include <errno.h>
23 #include <signal.h>
24 #include <ctype.h>
25 #include <sys/types.h>
26 #include <sys/stat.h>
27 #include <sys/socket.h>
28 #include <sys/un.h>
29 #ifdef SOLARIS
30 # include <sys/sockio.h> /* for Solaris 2.6: defines SIOCGIFCONF */
31 #endif
32 #include <netinet/in.h>
33 #include <arpa/inet.h>
34 #include <sys/time.h>
35 #include <netdb.h>
36 #include <unistd.h>
37 #include <fcntl.h>
38 #include <net/if.h>
39 #include <sys/ioctl.h>
40 #include <resolv.h>
41 #include <arpa/nameser.h> /* missing from <resolv.h> on old systems */
42 #include <sys/queue.h>
43
44 #include <freeswan.h>
45
46 #include "constants.h"
47 #include "defs.h"
48 #include "state.h"
49 #include "connections.h"
50 #include "kernel.h"
51 #include "log.h"
52 #include "server.h"
53 #include "timer.h"
54 #include "packet.h"
55 #include "demux.h" /* needs packet.h */
56 #include "rcv_whack.h"
57 #include "rcv_info.h"
58 #include "keys.h"
59 #include "adns.h" /* needs <resolv.h> */
60 #include "dnskey.h" /* needs keys.h and adns.h */
61 #include "whack.h" /* for RC_LOG_SERIOUS */
62
63 #include <pfkeyv2.h>
64 #include <pfkey.h>
65 #include "kameipsec.h"
66
67 #ifdef NAT_TRAVERSAL
68 #include "nat_traversal.h"
69 #endif
70
71 /*
72 * Server main loop and socket initialization routines.
73 */
74
75 static const int on = TRUE; /* by-reference parameter; constant, we hope */
76
77 /* control (whack) socket */
78 int ctl_fd = NULL_FD; /* file descriptor of control (whack) socket */
79 struct sockaddr_un ctl_addr = { AF_UNIX, DEFAULT_CTLBASE CTL_SUFFIX };
80
81 /* info (showpolicy) socket */
82 int policy_fd = NULL_FD;
83 struct sockaddr_un info_addr= { AF_UNIX, DEFAULT_CTLBASE INFO_SUFFIX };
84
85 /* Initialize the control socket.
86 * Note: this is called very early, so little infrastructure is available.
87 * It is important that the socket is created before the original
88 * Pluto process returns.
89 */
90 err_t
91 init_ctl_socket(void)
92 {
93 err_t failed = NULL;
94
95 delete_ctl_socket(); /* preventative medicine */
96 ctl_fd = socket(AF_UNIX, SOCK_STREAM, 0);
97 if (ctl_fd == -1)
98 failed = "create";
99 else if (fcntl(ctl_fd, F_SETFD, FD_CLOEXEC) == -1)
100 failed = "fcntl FD+CLOEXEC";
101 else if (setsockopt(ctl_fd, SOL_SOCKET, SO_REUSEADDR, (const void *)&on, sizeof(on)) < 0)
102 failed = "setsockopt";
103 else
104 {
105 /* to keep control socket secure, use umask */
106 mode_t ou = umask(~S_IRWXU);
107
108 if (bind(ctl_fd, (struct sockaddr *)&ctl_addr
109 , offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0)
110 failed = "bind";
111 umask(ou);
112 }
113
114 /* 5 is a haphazardly chosen limit for the backlog.
115 * Rumour has it that this is the max on BSD systems.
116 */
117 if (failed == NULL && listen(ctl_fd, 5) < 0)
118 failed = "listen() on";
119
120 return failed == NULL? NULL : builddiag("could not %s control socket: %d %s"
121 , failed, errno, strerror(errno));
122 }
123
124 void
125 delete_ctl_socket(void)
126 {
127 /* Is noting failure useful? Not when used as preventative medicine. */
128 unlink(ctl_addr.sun_path);
129 }
130
131 #ifdef IPSECPOLICY
132 /* Initialize the info socket.
133 */
134 err_t
135 init_info_socket(void)
136 {
137 err_t failed = NULL;
138
139 delete_info_socket(); /* preventative medicine */
140 info_fd = socket(AF_UNIX, SOCK_STREAM, 0);
141 if (info_fd == -1)
142 failed = "create";
143 else if (fcntl(info_fd, F_SETFD, FD_CLOEXEC) == -1)
144 failed = "fcntl FD+CLOEXEC";
145 else if (setsockopt(info_fd, SOL_SOCKET, SO_REUSEADDR, (const void *)&on, sizeof(on)) < 0)
146 failed = "setsockopt";
147 else
148 {
149 /* this socket should be openable by all proceses */
150 mode_t ou = umask(0);
151
152 if (bind(info_fd, (struct sockaddr *)&info_addr
153 , offsetof(struct sockaddr_un, sun_path) + strlen(info_addr.sun_path)) < 0)
154 failed = "bind";
155 umask(ou);
156 }
157
158 /* 64 might be big enough, and the system may limit us anyway.
159 */
160 if (failed == NULL && listen(info_fd, 64) < 0)
161 failed = "listen() on";
162
163 return failed == NULL? NULL : builddiag("could not %s info socket: %d %s"
164 , failed, errno, strerror(errno));
165 }
166
167 void
168 delete_info_socket(void)
169 {
170 unlink(info_addr.sun_path);
171 }
172 #endif /* IPSECPOLICY */
173
174
175 bool listening = FALSE; /* should we pay attention to IKE messages? */
176
177 struct iface *interfaces = NULL; /* public interfaces */
178
179 /* Initialize the interface sockets. */
180
181 static void
182 mark_ifaces_dead(void)
183 {
184 struct iface *p;
185
186 for (p = interfaces; p != NULL; p = p->next)
187 p->change = IFN_DELETE;
188 }
189
190 static void
191 free_dead_ifaces(void)
192 {
193 struct iface *p;
194 bool some_dead = FALSE
195 , some_new = FALSE;
196
197 for (p = interfaces; p != NULL; p = p->next)
198 {
199 if (p->change == IFN_DELETE)
200 {
201 plog("shutting down interface %s/%s %s"
202 , p->vname, p->rname, ip_str(&p->addr));
203 some_dead = TRUE;
204 }
205 else if (p->change == IFN_ADD)
206 {
207 some_new = TRUE;
208 }
209 }
210
211 if (some_dead)
212 {
213 struct iface **pp;
214
215 release_dead_interfaces();
216 for (pp = &interfaces; (p = *pp) != NULL; )
217 {
218 if (p->change == IFN_DELETE)
219 {
220 *pp = p->next; /* advance *pp */
221 pfree(p->vname);
222 pfree(p->rname);
223 close(p->fd);
224 pfree(p);
225 }
226 else
227 {
228 pp = &p->next; /* advance pp */
229 }
230 }
231 }
232
233 /* this must be done after the release_dead_interfaces
234 * in case some to the newly unoriented connections can
235 * become oriented here.
236 */
237 if (some_dead || some_new)
238 check_orientations();
239 }
240
241 void
242 free_ifaces(void)
243 {
244 mark_ifaces_dead();
245 free_dead_ifaces();
246 }
247
248 struct raw_iface {
249 ip_address addr;
250 char name[IFNAMSIZ + 20]; /* what would be a safe size? */
251 struct raw_iface *next;
252 };
253
254 /* Called to handle --interface <ifname>
255 * Semantics: if specified, only these (real) interfaces are considered.
256 */
257 static const char *pluto_ifn[10];
258 static int pluto_ifn_roof = 0;
259
260 bool
261 use_interface(const char *rifn)
262 {
263 if (pluto_ifn_roof >= (int)elemsof(pluto_ifn))
264 {
265 return FALSE;
266 }
267 else
268 {
269 pluto_ifn[pluto_ifn_roof++] = rifn;
270 return TRUE;
271 }
272 }
273
274 #ifndef IPSECDEVPREFIX
275 # define IPSECDEVPREFIX "ipsec"
276 #endif
277
278 static struct raw_iface *
279 find_raw_ifaces4(void)
280 {
281 int j; /* index into buf */
282 struct ifconf ifconf;
283 struct ifreq buf[300]; /* for list of interfaces -- arbitrary limit */
284 struct raw_iface *rifaces = NULL;
285 int master_sock = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP); /* Get a UDP socket */
286
287 /* get list of interfaces with assigned IPv4 addresses from system */
288
289 if (master_sock == -1)
290 exit_log_errno((e, "socket() failed in find_raw_ifaces4()"));
291
292 if (setsockopt(master_sock, SOL_SOCKET, SO_REUSEADDR
293 , (const void *)&on, sizeof(on)) < 0)
294 exit_log_errno((e, "setsockopt() in find_raw_ifaces4()"));
295
296 /* bind the socket */
297 {
298 ip_address any;
299
300 happy(anyaddr(AF_INET, &any));
301 setportof(htons(pluto_port), &any);
302 if (bind(master_sock, sockaddrof(&any), sockaddrlenof(&any)) < 0)
303 exit_log_errno((e, "bind() failed in find_raw_ifaces4()"));
304 }
305
306 /* Get local interfaces. See netdevice(7). */
307 ifconf.ifc_len = sizeof(buf);
308 ifconf.ifc_buf = (void *) buf;
309 zero(buf);
310
311 if (ioctl(master_sock, SIOCGIFCONF, &ifconf) == -1)
312 exit_log_errno((e, "ioctl(SIOCGIFCONF) in find_raw_ifaces4()"));
313
314 /* Add an entry to rifaces for each interesting interface. */
315 for (j = 0; (j+1) * sizeof(*buf) <= (size_t)ifconf.ifc_len; j++)
316 {
317 struct raw_iface ri;
318 const struct sockaddr_in *rs = (struct sockaddr_in *) &buf[j].ifr_addr;
319 struct ifreq auxinfo;
320
321 /* ignore all but AF_INET interfaces */
322 if (rs->sin_family != AF_INET)
323 continue; /* not interesting */
324
325 /* build a NUL-terminated copy of the rname field */
326 memcpy(ri.name, buf[j].ifr_name, IFNAMSIZ);
327 ri.name[IFNAMSIZ] = '\0';
328
329 /* ignore if our interface names were specified, and this isn't one */
330 if (pluto_ifn_roof != 0)
331 {
332 int i;
333
334 for (i = 0; i != pluto_ifn_roof; i++)
335 if (streq(ri.name, pluto_ifn[i]))
336 break;
337 if (i == pluto_ifn_roof)
338 continue; /* not found -- skip */
339 }
340
341 /* Find out stuff about this interface. See netdevice(7). */
342 zero(&auxinfo); /* paranoia */
343 memcpy(auxinfo.ifr_name, buf[j].ifr_name, IFNAMSIZ);
344 if (ioctl(master_sock, SIOCGIFFLAGS, &auxinfo) == -1)
345 exit_log_errno((e
346 , "ioctl(SIOCGIFFLAGS) for %s in find_raw_ifaces4()"
347 , ri.name));
348 if (!(auxinfo.ifr_flags & IFF_UP))
349 continue; /* ignore an interface that isn't UP */
350
351 /* ignore unconfigured interfaces */
352 if (rs->sin_addr.s_addr == 0)
353 continue;
354
355 happy(initaddr((const void *)&rs->sin_addr, sizeof(struct in_addr)
356 , AF_INET, &ri.addr));
357
358 DBG(DBG_CONTROL, DBG_log("found %s with address %s"
359 , ri.name, ip_str(&ri.addr)));
360 ri.next = rifaces;
361 rifaces = clone_thing(ri, "struct raw_iface");
362 }
363
364 close(master_sock);
365
366 return rifaces;
367 }
368
369 static struct raw_iface *
370 find_raw_ifaces6(void)
371 {
372
373 /* Get list of interfaces with IPv6 addresses from system from /proc/net/if_inet6).
374 *
375 * Documentation of format?
376 * RTFS: linux-2.2.16/net/ipv6/addrconf.c:iface_proc_info()
377 * linux-2.4.9-13/net/ipv6/addrconf.c:iface_proc_info()
378 *
379 * Sample from Gerhard's laptop:
380 * 00000000000000000000000000000001 01 80 10 80 lo
381 * 30490009000000000000000000010002 02 40 00 80 ipsec0
382 * 30490009000000000000000000010002 07 40 00 80 eth0
383 * fe80000000000000025004fffefd5484 02 0a 20 80 ipsec0
384 * fe80000000000000025004fffefd5484 07 0a 20 80 eth0
385 *
386 * Each line contains:
387 * - IPv6 address: 16 bytes, in hex, no punctuation
388 * - ifindex: 1 byte, in hex
389 * - prefix_len: 1 byte, in hex
390 * - scope (e.g. global, link local): 1 byte, in hex
391 * - flags: 1 byte, in hex
392 * - device name: string, followed by '\n'
393 */
394 struct raw_iface *rifaces = NULL;
395 static const char proc_name[] = "/proc/net/if_inet6";
396 FILE *proc_sock = fopen(proc_name, "r");
397
398 if (proc_sock == NULL)
399 {
400 DBG(DBG_CONTROL, DBG_log("could not open %s", proc_name));
401 }
402 else
403 {
404 for (;;)
405 {
406 struct raw_iface ri;
407 unsigned short xb[8]; /* IPv6 address as 8 16-bit chunks */
408 char sb[8*5]; /* IPv6 address as string-with-colons */
409 unsigned int if_idx; /* proc field, not used */
410 unsigned int plen; /* proc field, not used */
411 unsigned int scope; /* proc field, used to exclude link-local */
412 unsigned int dad_status; /* proc field, not used */
413 /* ??? I hate and distrust scanf -- DHR */
414 int r = fscanf(proc_sock
415 , "%4hx%4hx%4hx%4hx%4hx%4hx%4hx%4hx"
416 " %02x %02x %02x %02x %20s\n"
417 , xb+0, xb+1, xb+2, xb+3, xb+4, xb+5, xb+6, xb+7
418 , &if_idx, &plen, &scope, &dad_status, ri.name);
419
420 /* ??? we should diagnose any problems */
421 if (r != 13)
422 break;
423
424 /* ignore addresses with link local scope.
425 * From linux-2.4.9-13/include/net/ipv6.h:
426 * IPV6_ADDR_LINKLOCAL 0x0020U
427 * IPV6_ADDR_SCOPE_MASK 0x00f0U
428 */
429 if ((scope & 0x00f0U) == 0x0020U)
430 continue;
431
432 snprintf(sb, sizeof(sb)
433 , "%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x"
434 , xb[0], xb[1], xb[2], xb[3], xb[4], xb[5], xb[6], xb[7]);
435
436 happy(ttoaddr(sb, 0, AF_INET6, &ri.addr));
437
438 if (!isunspecaddr(&ri.addr))
439 {
440 DBG(DBG_CONTROL
441 , DBG_log("found %s with address %s"
442 , ri.name, sb));
443 ri.next = rifaces;
444 rifaces = clone_thing(ri, "struct raw_iface");
445 }
446 }
447 fclose(proc_sock);
448 }
449
450 return rifaces;
451 }
452
453 #if 1
454 static int
455 create_socket(struct raw_iface *ifp, const char *v_name, int port)
456 {
457 int fd = socket(addrtypeof(&ifp->addr), SOCK_DGRAM, IPPROTO_UDP);
458 int fcntl_flags;
459
460 if (fd < 0)
461 {
462 log_errno((e, "socket() in process_raw_ifaces()"));
463 return -1;
464 }
465
466 #if 1
467 /* Set socket Nonblocking */
468 if ((fcntl_flags=fcntl(fd, F_GETFL)) >= 0) {
469 if (!(fcntl_flags & O_NONBLOCK)) {
470 fcntl_flags |= O_NONBLOCK;
471 fcntl(fd, F_SETFL, fcntl_flags);
472 }
473 }
474 #endif
475
476 if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1)
477 {
478 log_errno((e, "fcntl(,, FD_CLOEXEC) in process_raw_ifaces()"));
479 close(fd);
480 return -1;
481 }
482
483 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR
484 , (const void *)&on, sizeof(on)) < 0)
485 {
486 log_errno((e, "setsockopt SO_REUSEADDR in process_raw_ifaces()"));
487 close(fd);
488 return -1;
489 }
490
491 /* To improve error reporting. See ip(7). */
492 #if defined(IP_RECVERR) && defined(MSG_ERRQUEUE)
493 if (setsockopt(fd, SOL_IP, IP_RECVERR
494 , (const void *)&on, sizeof(on)) < 0)
495 {
496 log_errno((e, "setsockopt IP_RECVERR in process_raw_ifaces()"));
497 close(fd);
498 return -1;
499 }
500 #endif
501
502 /* With IPv6, there is no fragmentation after
503 * it leaves our interface. PMTU discovery
504 * is mandatory but doesn't work well with IKE (why?).
505 * So we must set the IPV6_USE_MIN_MTU option.
506 * See draft-ietf-ipngwg-rfc2292bis-01.txt 11.1
507 */
508 #ifdef IPV6_USE_MIN_MTU /* YUCK: not always defined */
509 if (addrtypeof(&ifp->addr) == AF_INET6
510 && setsockopt(fd, SOL_SOCKET, IPV6_USE_MIN_MTU
511 , (const void *)&on, sizeof(on)) < 0)
512 {
513 log_errno((e, "setsockopt IPV6_USE_MIN_MTU in process_raw_ifaces()"));
514 close(fd);
515 return -1;
516 }
517 #endif
518
519 #if defined(linux) && defined(KERNEL26_SUPPORT)
520 if (!no_klips && kernel_ops->type == KERNEL_TYPE_LINUX)
521 {
522 struct sadb_x_policy policy;
523 int level, opt;
524
525 policy.sadb_x_policy_len = sizeof(policy) / IPSEC_PFKEYv2_ALIGN;
526 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
527 policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
528 policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
529 policy.sadb_x_policy_reserved = 0;
530 policy.sadb_x_policy_id = 0;
531 policy.sadb_x_policy_reserved2 = 0;
532
533 if (addrtypeof(&ifp->addr) == AF_INET6)
534 {
535 level = IPPROTO_IPV6;
536 opt = IPV6_IPSEC_POLICY;
537 }
538 else
539 {
540 level = IPPROTO_IP;
541 opt = IP_IPSEC_POLICY;
542 }
543
544 if (setsockopt(fd, level, opt
545 , &policy, sizeof(policy)) < 0)
546 {
547 log_errno((e, "setsockopt IPSEC_POLICY in process_raw_ifaces()"));
548 close(fd);
549 return -1;
550 }
551
552 policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
553
554 if (setsockopt(fd, level, opt
555 , &policy, sizeof(policy)) < 0)
556 {
557 log_errno((e, "setsockopt IPSEC_POLICY in process_raw_ifaces()"));
558 close(fd);
559 return -1;
560 }
561 }
562 #endif
563
564 setportof(htons(port), &ifp->addr);
565 if (bind(fd, sockaddrof(&ifp->addr), sockaddrlenof(&ifp->addr)) < 0)
566 {
567 log_errno((e, "bind() for %s/%s %s:%u in process_raw_ifaces()"
568 , ifp->name, v_name
569 , ip_str(&ifp->addr), (unsigned) port));
570 close(fd);
571 return -1;
572 }
573 setportof(htons(pluto_port), &ifp->addr);
574 return fd;
575 }
576 #endif
577
578 static void
579 process_raw_ifaces(struct raw_iface *rifaces)
580 {
581 struct raw_iface *ifp;
582
583 /* Find all virtual/real interface pairs.
584 * For each real interface...
585 */
586 for (ifp = rifaces; ifp != NULL; ifp = ifp->next)
587 {
588 struct raw_iface *v = NULL; /* matching ipsecX interface */
589 struct raw_iface fake_v;
590 bool after = FALSE; /* has vfp passed ifp on the list? */
591 bool bad = FALSE;
592 struct raw_iface *vfp;
593
594 /* ignore if virtual (ipsec*) interface */
595 if (strncmp(ifp->name, IPSECDEVPREFIX, sizeof(IPSECDEVPREFIX)-1) == 0)
596 continue;
597
598 for (vfp = rifaces; vfp != NULL; vfp = vfp->next)
599 {
600 if (vfp == ifp)
601 {
602 after = TRUE;
603 }
604 else if (sameaddr(&ifp->addr, &vfp->addr))
605 {
606 /* Different entries with matching IP addresses.
607 * Many interesting cases.
608 */
609 if (strncmp(vfp->name, IPSECDEVPREFIX, sizeof(IPSECDEVPREFIX)-1) == 0)
610 {
611 if (v != NULL && !streq(v->name, vfp->name))
612 {
613 loglog(RC_LOG_SERIOUS
614 , "ipsec interfaces %s and %s share same address %s"
615 , v->name, vfp->name, ip_str(&ifp->addr));
616 bad = TRUE;
617 }
618 else
619 {
620 v = vfp; /* current winner */
621 }
622 }
623 else
624 {
625 /* ugh: a second real interface with the same IP address
626 * "after" allows us to avoid double reporting.
627 */
628 #if defined(linux) && defined(KERNEL26_SUPPORT)
629 if (!no_klips && kernel_ops->type == KERNEL_TYPE_LINUX)
630 {
631 if (after)
632 {
633 bad = TRUE;
634 break;
635 }
636 continue;
637 }
638 #endif
639 if (after)
640 {
641 loglog(RC_LOG_SERIOUS
642 , "IP interfaces %s and %s share address %s!"
643 , ifp->name, vfp->name, ip_str(&ifp->addr));
644 }
645 bad = TRUE;
646 }
647 }
648 }
649
650 if (bad)
651 continue;
652
653 #if defined(linux) && defined(KERNEL26_SUPPORT)
654 if (!no_klips && kernel_ops->type == KERNEL_TYPE_LINUX)
655 {
656 v = ifp;
657 goto add_entry;
658 }
659 #endif
660
661 /* what if we didn't find a virtual interface? */
662 if (v == NULL)
663 {
664 if (no_klips)
665 {
666 /* kludge for testing: invent a virtual device */
667 static const char fvp[] = "virtual";
668 fake_v = *ifp;
669 passert(sizeof(fake_v.name) > sizeof(fvp));
670 strcpy(fake_v.name, fvp);
671 addrtot(&ifp->addr, 0, fake_v.name + sizeof(fvp) - 1
672 , sizeof(fake_v.name) - (sizeof(fvp) - 1));
673 v = &fake_v;
674 }
675 else
676 {
677 DBG(DBG_CONTROL,
678 DBG_log("IP interface %s %s has no matching ipsec* interface -- ignored"
679 , ifp->name, ip_str(&ifp->addr)));
680 continue;
681 }
682 }
683
684 /* We've got all we need; see if this is a new thing:
685 * search old interfaces list.
686 */
687 #if defined(linux) && defined(KERNEL26_SUPPORT)
688 add_entry:
689 #endif
690 {
691 struct iface **p = &interfaces;
692
693 for (;;)
694 {
695 struct iface *q = *p;
696
697 /* search is over if at end of list */
698 if (q == NULL)
699 {
700 /* matches nothing -- create a new entry */
701 int fd = create_socket(ifp, v->name, pluto_port);
702
703 if (fd < 0)
704 break;
705
706 #ifdef NAT_TRAVERSAL
707 if (nat_traversal_support_non_ike
708 && addrtypeof(&ifp->addr) == AF_INET)
709 {
710 nat_traversal_espinudp_socket(fd, ESPINUDP_WITH_NON_IKE);
711 }
712 #endif
713
714 q = alloc_thing(struct iface, "struct iface");
715 q->rname = clone_str(ifp->name, "real device name");
716 q->vname = clone_str(v->name, "virtual device name");
717 q->addr = ifp->addr;
718 q->fd = fd;
719 q->next = interfaces;
720 q->change = IFN_ADD;
721 interfaces = q;
722 plog("adding interface %s/%s %s:%d"
723 , q->vname, q->rname, ip_str(&q->addr), pluto_port);
724 #ifdef NAT_TRAVERSAL
725 if (nat_traversal_support_port_floating
726 && addrtypeof(&ifp->addr) == AF_INET)
727 {
728 fd = create_socket(ifp, v->name, NAT_T_IKE_FLOAT_PORT);
729 if (fd < 0)
730 break;
731 nat_traversal_espinudp_socket(fd,
732 ESPINUDP_WITH_NON_ESP);
733 q = alloc_thing(struct iface, "struct iface");
734 q->rname = clone_str(ifp->name, "real device name");
735 q->vname = clone_str(v->name, "virtual device name");
736 q->addr = ifp->addr;
737 setportof(htons(NAT_T_IKE_FLOAT_PORT), &q->addr);
738 q->fd = fd;
739 q->next = interfaces;
740 q->change = IFN_ADD;
741 q->ike_float = TRUE;
742 interfaces = q;
743 plog("adding interface %s/%s %s:%d",
744 q->vname, q->rname, ip_str(&q->addr), NAT_T_IKE_FLOAT_PORT);
745 }
746 #endif
747 break;
748 }
749
750 /* search over if matching old entry found */
751 if (streq(q->rname, ifp->name)
752 && streq(q->vname, v->name)
753 && sameaddr(&q->addr, &ifp->addr))
754 {
755 /* matches -- rejuvinate old entry */
756 q->change = IFN_KEEP;
757 #ifdef NAT_TRAVERSAL
758 /* look for other interfaces to keep (due to NAT-T) */
759 for (q = q->next ; q ; q = q->next) {
760 if (streq(q->rname, ifp->name)
761 && streq(q->vname, v->name)
762 && sameaddr(&q->addr, &ifp->addr)) {
763 q->change = IFN_KEEP;
764 }
765 }
766 #endif
767 break;
768 }
769
770 /* try again */
771 p = &q->next;
772 } /* for (;;) */
773 }
774 }
775
776 /* delete the raw interfaces list */
777 while (rifaces != NULL)
778 {
779 struct raw_iface *t = rifaces;
780
781 rifaces = t->next;
782 pfree(t);
783 }
784 }
785
786 void
787 find_ifaces(void)
788 {
789 mark_ifaces_dead();
790 process_raw_ifaces(find_raw_ifaces4());
791 process_raw_ifaces(find_raw_ifaces6());
792
793 free_dead_ifaces(); /* ditch remaining old entries */
794
795 if (interfaces == NULL)
796 loglog(RC_LOG_SERIOUS, "no public interfaces found");
797 }
798
799 void
800 show_ifaces_status(void)
801 {
802 struct iface *p;
803
804 for (p = interfaces; p != NULL; p = p->next)
805 whack_log(RC_COMMENT, "interface %s/%s %s:%d"
806 , p->vname, p->rname, ip_str(&p->addr), ntohs(portof(&p->addr)));
807 }
808
809 void
810 show_debug_status(void)
811 {
812 #ifdef DEBUG
813 whack_log(RC_COMMENT, "debug %s"
814 , bitnamesof(debug_bit_names, cur_debugging));
815 #endif
816 }
817
818 static volatile sig_atomic_t sighupflag = FALSE;
819
820 static void
821 huphandler(int sig UNUSED)
822 {
823 sighupflag = TRUE;
824 }
825
826 static volatile sig_atomic_t sigtermflag = FALSE;
827
828 static void
829 termhandler(int sig UNUSED)
830 {
831 sigtermflag = TRUE;
832 }
833
834 /* call_server listens for incoming ISAKMP packets and Whack messages,
835 * and handles timer events.
836 */
837 void
838 call_server(void)
839 {
840 struct iface *ifp;
841
842 /* catch SIGHUP and SIGTERM */
843 {
844 int r;
845 struct sigaction act;
846
847 act.sa_handler = &huphandler;
848 sigemptyset(&act.sa_mask);
849 act.sa_flags = 0; /* no SA_ONESHOT, no SA_RESTART, no nothing */
850 r = sigaction(SIGHUP, &act, NULL);
851 passert(r == 0);
852
853 act.sa_handler = &termhandler;
854 r = sigaction(SIGTERM, &act, NULL);
855 passert(r == 0);
856 }
857
858 for (;;)
859 {
860 fd_set readfds;
861 fd_set writefds;
862 int ndes;
863
864 /* wait for next interesting thing */
865
866 for (;;)
867 {
868 long next_time = next_event(); /* time to any pending timer event */
869 int maxfd = ctl_fd;
870
871 if (sigtermflag)
872 exit_pluto(0);
873
874 if (sighupflag)
875 {
876 /* Ignorant folks think poking any daemon with SIGHUP
877 * is polite. We catch it and tell them otherwise.
878 * There is one use: unsticking a hung recvfrom.
879 * This sticking happens sometimes -- kernel bug?
880 */
881 sighupflag = FALSE;
882 plog("Pluto ignores SIGHUP -- perhaps you want \"whack --listen\"");
883 }
884
885 FD_ZERO(&readfds);
886 FD_ZERO(&writefds);
887 FD_SET(ctl_fd, &readfds);
888 #ifdef IPSECPOLICY
889 FD_SET(info_fd, &readfds);
890 if (maxfd < info_fd)
891 maxfd = info_fd;
892 #endif
893
894 /* the only write file-descriptor of interest */
895 if (adns_qfd != NULL_FD && unsent_ADNS_queries)
896 {
897 if (maxfd < adns_qfd)
898 maxfd = adns_qfd;
899 FD_SET(adns_qfd, &writefds);
900 }
901
902 if (adns_afd != NULL_FD)
903 {
904 if (maxfd < adns_afd)
905 maxfd = adns_afd;
906 FD_SET(adns_afd, &readfds);
907 }
908
909 #ifdef KLIPS
910 if (!no_klips)
911 {
912 int fd = *kernel_ops->async_fdp;
913
914 if (kernel_ops->process_queue)
915 kernel_ops->process_queue();
916 if (maxfd < fd)
917 maxfd = fd;
918 passert(!FD_ISSET(fd, &readfds));
919 FD_SET(fd, &readfds);
920 }
921 #endif
922
923 if (listening)
924 {
925 for (ifp = interfaces; ifp != NULL; ifp = ifp->next)
926 {
927 if (maxfd < ifp->fd)
928 maxfd = ifp->fd;
929 passert(!FD_ISSET(ifp->fd, &readfds));
930 FD_SET(ifp->fd, &readfds);
931 }
932 }
933
934 if (next_time == -1)
935 {
936 /* select without timer */
937
938 ndes = select(maxfd + 1, &readfds, &writefds, NULL, NULL);
939 }
940 else if (next_time == 0)
941 {
942 /* timer without select: there is a timer event pending,
943 * and it should fire now so don't bother to do the select.
944 */
945 ndes = 0; /* signify timer expiration */
946 }
947 else
948 {
949 /* select with timer */
950
951 struct timeval tm;
952
953 tm.tv_sec = next_time;
954 tm.tv_usec = 0;
955 ndes = select(maxfd + 1, &readfds, &writefds, NULL, &tm);
956 }
957
958 if (ndes != -1)
959 break; /* success */
960
961 if (errno != EINTR)
962 exit_log_errno((e, "select() failed in call_server()"));
963
964 /* retry if terminated by signal */
965 }
966
967 /* figure out what is interesting */
968
969 if (ndes == 0)
970 {
971 /* timer event */
972
973 DBG(DBG_CONTROL,
974 DBG_log(BLANK_FORMAT);
975 DBG_log("*time to handle event"));
976
977 handle_timer_event();
978 passert(GLOBALS_ARE_RESET());
979 }
980 else
981 {
982 /* at least one file descriptor is ready */
983
984 if (adns_qfd != NULL_FD && FD_ISSET(adns_qfd, &writefds))
985 {
986 passert(ndes > 0);
987 send_unsent_ADNS_queries();
988 passert(GLOBALS_ARE_RESET());
989 ndes--;
990 }
991
992 if (adns_afd != NULL_FD && FD_ISSET(adns_afd, &readfds))
993 {
994 passert(ndes > 0);
995 DBG(DBG_CONTROL,
996 DBG_log(BLANK_FORMAT);
997 DBG_log("*received adns message"));
998 handle_adns_answer();
999 passert(GLOBALS_ARE_RESET());
1000 ndes--;
1001 }
1002
1003 #ifdef KLIPS
1004 if (!no_klips && FD_ISSET(*kernel_ops->async_fdp, &readfds))
1005 {
1006 passert(ndes > 0);
1007 DBG(DBG_CONTROL,
1008 DBG_log(BLANK_FORMAT);
1009 DBG_log("*received kernel message"));
1010 kernel_ops->process_msg();
1011 passert(GLOBALS_ARE_RESET());
1012 ndes--;
1013 }
1014 #endif
1015
1016 for (ifp = interfaces; ifp != NULL; ifp = ifp->next)
1017 {
1018 if (FD_ISSET(ifp->fd, &readfds))
1019 {
1020 /* comm_handle will print DBG_CONTROL intro,
1021 * with more info than we have here.
1022 */
1023
1024 passert(ndes > 0);
1025 comm_handle(ifp);
1026 passert(GLOBALS_ARE_RESET());
1027 ndes--;
1028 }
1029 }
1030
1031 if (FD_ISSET(ctl_fd, &readfds))
1032 {
1033 passert(ndes > 0);
1034 DBG(DBG_CONTROL,
1035 DBG_log(BLANK_FORMAT);
1036 DBG_log("*received whack message"));
1037 whack_handle(ctl_fd);
1038 passert(GLOBALS_ARE_RESET());
1039 ndes--;
1040 }
1041
1042 #ifdef IPSECPOLICY
1043 if (FD_ISSET(info_fd, &readfds))
1044 {
1045 passert(ndes > 0);
1046 DBG(DBG_CONTROL,
1047 DBG_log(BLANK_FORMAT);
1048 DBG_log("*received info message"));
1049 info_handle(info_fd);
1050 passert(GLOBALS_ARE_RESET());
1051 ndes--;
1052 }
1053 #endif
1054
1055 passert(ndes == 0);
1056 }
1057 }
1058 }
1059
1060 /*
1061 * Local Variables:
1062 * c-basic-offset: 4
1063 * End Variables:
1064 */