Warn about manual plugin load directives for pluto/charon
[strongswan.git] / src / starter / starter.c
1 /* strongSwan IPsec starter
2 * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
3 *
4 * This program is free software; you can redistribute it and/or modify it
5 * under the terms of the GNU General Public License as published by the
6 * Free Software Foundation; either version 2 of the License, or (at your
7 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
8 *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * for more details.
13 */
14
15 #include <sys/types.h>
16 #include <sys/wait.h>
17 #include <sys/stat.h>
18 #include <stdlib.h>
19 #include <stdio.h>
20 #include <signal.h>
21 #include <unistd.h>
22 #include <sys/time.h>
23 #include <time.h>
24 #include <string.h>
25 #include <errno.h>
26 #include <fcntl.h>
27 #include <pwd.h>
28 #include <grp.h>
29
30 #include <freeswan.h>
31 #include <library.h>
32
33 #include "../pluto/constants.h"
34 #include "../pluto/defs.h"
35 #include "../pluto/log.h"
36
37 #include "confread.h"
38 #include "files.h"
39 #include "starterwhack.h"
40 #include "starterstroke.h"
41 #include "invokepluto.h"
42 #include "invokecharon.h"
43 #include "netkey.h"
44 #include "klips.h"
45 #include "cmp.h"
46 #include "interfaces.h"
47
48 /**
49 * Return codes defined by Linux Standard Base Core Specification 3.1
50 * in section 20.2. Init Script Actions
51 */
52 #define LSB_RC_SUCCESS 0 /* success */
53 #define LSB_RC_FAILURE 1 /* generic or unspecified error */
54 #define LSB_RC_INVALID_ARGUMENT 2 /* invalid or excess argument(s) */
55 #define LSB_RC_NOT_IMPLEMENTED 3 /* unimplemented feature (reload) */
56 #define LSB_RC_NOT_ALLOWED 4 /* user had insufficient privilege */
57 #define LSB_RC_NOT_INSTALLED 5 /* program is not installed */
58 #define LSB_RC_NOT_CONFIGURED 6 /* program is not configured */
59 #define LSB_RC_NOT_RUNNING 7 /* program is not running */
60
61 #define FLAG_ACTION_START_PLUTO 0x01
62 #define FLAG_ACTION_UPDATE 0x02
63 #define FLAG_ACTION_RELOAD 0x04
64 #define FLAG_ACTION_QUIT 0x08
65 #define FLAG_ACTION_LISTEN 0x10
66 #define FLAG_ACTION_START_CHARON 0x20
67
68 static unsigned int _action_ = 0;
69
70 static void fsig(int signal)
71 {
72 switch (signal)
73 {
74 case SIGCHLD:
75 {
76 int status, exit_status = 0;
77 pid_t pid;
78 char *name = NULL;
79
80 while ((pid = waitpid(-1, &status, WNOHANG)) > 0)
81 {
82 if (pid == starter_pluto_pid())
83 {
84 name = " (Pluto)";
85 }
86 if (pid == starter_charon_pid())
87 {
88 name = " (Charon)";
89 }
90 if (WIFSIGNALED(status))
91 {
92 DBG(DBG_CONTROL,
93 DBG_log("child %d%s has been killed by sig %d\n",
94 pid, name?name:"", WTERMSIG(status))
95 )
96 }
97 else if (WIFSTOPPED(status))
98 {
99 DBG(DBG_CONTROL,
100 DBG_log("child %d%s has been stopped by sig %d\n",
101 pid, name?name:"", WSTOPSIG(status))
102 )
103 }
104 else if (WIFEXITED(status))
105 {
106 exit_status = WEXITSTATUS(status);
107 if (exit_status >= SS_RC_FIRST && exit_status <= SS_RC_LAST)
108 {
109 _action_ = FLAG_ACTION_QUIT;
110 }
111 DBG(DBG_CONTROL,
112 DBG_log("child %d%s has quit (exit code %d)\n",
113 pid, name?name:"", exit_status)
114 )
115 }
116 else
117 {
118 DBG(DBG_CONTROL,
119 DBG_log("child %d%s has quit", pid, name?name:"")
120 )
121 }
122 if (pid == starter_pluto_pid())
123 {
124 starter_pluto_sigchild(pid, exit_status);
125 }
126 if (pid == starter_charon_pid())
127 {
128 starter_charon_sigchild(pid, exit_status);
129 }
130 }
131 }
132 break;
133
134 case SIGPIPE:
135 /** ignore **/
136 break;
137
138 case SIGALRM:
139 _action_ |= FLAG_ACTION_START_PLUTO;
140 _action_ |= FLAG_ACTION_START_CHARON;
141 break;
142
143 case SIGHUP:
144 _action_ |= FLAG_ACTION_UPDATE;
145 break;
146
147 case SIGTERM:
148 case SIGQUIT:
149 case SIGINT:
150 _action_ |= FLAG_ACTION_QUIT;
151 break;
152
153 case SIGUSR1:
154 _action_ |= FLAG_ACTION_RELOAD;
155 _action_ |= FLAG_ACTION_UPDATE;
156 break;
157
158 default:
159 plog("fsig(): unknown signal %d -- investigate", signal);
160 break;
161 }
162 }
163
164 static void generate_selfcert()
165 {
166 struct stat stb;
167
168 /* if ipsec.secrets file is missing then generate RSA default key pair */
169 if (stat(SECRETS_FILE, &stb) != 0)
170 {
171 mode_t oldmask;
172 FILE *f;
173 uid_t uid = 0;
174 gid_t gid = 0;
175
176 #ifdef IPSEC_GROUP
177 {
178 char buf[1024];
179 struct group group, *grp;
180
181 if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) == 0 && grp)
182 {
183 gid = grp->gr_gid;
184 }
185 }
186 #endif
187 #ifdef IPSEC_USER
188 {
189 char buf[1024];
190 struct passwd passwd, *pwp;
191
192 if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) == 0 && pwp)
193 {
194 uid = pwp->pw_uid;
195 }
196 }
197 #endif
198 setegid(gid);
199 seteuid(uid);
200 ignore_result(system("ipsec scepclient --out pkcs1 --out cert-self --quiet"));
201 seteuid(0);
202 setegid(0);
203
204 /* ipsec.secrets is root readable only */
205 oldmask = umask(0066);
206
207 f = fopen(SECRETS_FILE, "w");
208 if (f)
209 {
210 fprintf(f, "# /etc/ipsec.secrets - strongSwan IPsec secrets file\n");
211 fprintf(f, "\n");
212 fprintf(f, ": RSA myKey.der\n");
213 fclose(f);
214 }
215 ignore_result(chown(SECRETS_FILE, uid, gid));
216 umask(oldmask);
217 }
218 }
219
220 static void usage(char *name)
221 {
222 fprintf(stderr, "Usage: starter [--nofork] [--auto-update <sec>] "
223 "[--debug|--debug-more|--debug-all]\n");
224 exit(LSB_RC_INVALID_ARGUMENT);
225 }
226
227 int main (int argc, char **argv)
228 {
229 starter_config_t *cfg = NULL;
230 starter_config_t *new_cfg;
231 starter_conn_t *conn, *conn2;
232 starter_ca_t *ca, *ca2;
233
234 struct stat stb;
235
236 char *err = NULL;
237 int i;
238 int id = 1;
239 struct timeval tv;
240 unsigned long auto_update = 0;
241 time_t last_reload;
242 bool no_fork = FALSE;
243 bool attach_gdb = FALSE;
244
245 /* global variables defined in log.h */
246 log_to_stderr = TRUE;
247 base_debugging = DBG_NONE;
248
249 library_init(NULL);
250 atexit(library_deinit);
251
252 /* parse command line */
253 for (i = 1; i < argc; i++)
254 {
255 if (streq(argv[i], "--debug"))
256 {
257 base_debugging |= DBG_CONTROL;
258 }
259 else if (streq(argv[i], "--debug-more"))
260 {
261 base_debugging |= DBG_CONTROLMORE;
262 }
263 else if (streq(argv[i], "--debug-all"))
264 {
265 base_debugging |= DBG_ALL;
266 }
267 else if (streq(argv[i], "--nofork"))
268 {
269 no_fork = TRUE;
270 }
271 else if (streq(argv[i], "--attach-gdb"))
272 {
273 no_fork = TRUE;
274 attach_gdb = TRUE;
275 }
276 else if (streq(argv[i], "--auto-update") && i+1 < argc)
277 {
278 auto_update = atoi(argv[++i]);
279 if (!auto_update)
280 usage(argv[0]);
281 }
282 else
283 {
284 usage(argv[0]);
285 }
286 }
287
288 /* Init */
289 init_log("ipsec_starter");
290 cur_debugging = base_debugging;
291
292 signal(SIGHUP, fsig);
293 signal(SIGCHLD, fsig);
294 signal(SIGPIPE, fsig);
295 signal(SIGINT, fsig);
296 signal(SIGTERM, fsig);
297 signal(SIGQUIT, fsig);
298 signal(SIGALRM, fsig);
299 signal(SIGUSR1, fsig);
300
301 plog("Starting strongSwan "VERSION" IPsec [starter]...");
302
303 if (lib->settings->get_bool(lib->settings, "starter.load_warning", TRUE))
304 {
305 if (lib->settings->get_str(lib->settings, "charon.load", NULL) ||
306 lib->settings->get_str(lib->settings, "pluto.load", NULL))
307 {
308 plog("!! Your strongswan.conf contains manual plugin load options for");
309 plog("!! pluto and/or charon. This is not recommended, see");
310 plog("!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad");
311 }
312 }
313
314 /* verify that we can start */
315 if (getuid() != 0)
316 {
317 plog("permission denied (must be superuser)");
318 exit(LSB_RC_NOT_ALLOWED);
319 }
320
321 if (stat(PLUTO_PID_FILE, &stb) == 0)
322 {
323 plog("pluto is already running (%s exists) -- skipping pluto start", PLUTO_PID_FILE);
324 }
325 else
326 {
327 _action_ |= FLAG_ACTION_START_PLUTO;
328 }
329 if (stat(CHARON_PID_FILE, &stb) == 0)
330 {
331 plog("charon is already running (%s exists) -- skipping charon start", CHARON_PID_FILE);
332 }
333 else
334 {
335 _action_ |= FLAG_ACTION_START_CHARON;
336 }
337 if (stat(DEV_RANDOM, &stb) != 0)
338 {
339 plog("unable to start strongSwan IPsec -- no %s!", DEV_RANDOM);
340 exit(LSB_RC_FAILURE);
341 }
342
343 if (stat(DEV_URANDOM, &stb)!= 0)
344 {
345 plog("unable to start strongSwan IPsec -- no %s!", DEV_URANDOM);
346 exit(LSB_RC_FAILURE);
347 }
348
349 cfg = confread_load(CONFIG_FILE);
350 if (cfg == NULL || cfg->err > 0)
351 {
352 plog("unable to start strongSwan -- fatal errors in config");
353 if (cfg)
354 {
355 confread_free(cfg);
356 }
357 exit(LSB_RC_INVALID_ARGUMENT);
358 }
359
360 /* determine if we have a native netkey IPsec stack */
361 if (!starter_netkey_init())
362 {
363 plog("no netkey IPsec stack detected");
364 if (!starter_klips_init())
365 {
366 plog("no KLIPS IPsec stack detected");
367 plog("no known IPsec stack detected, ignoring!");
368 }
369 }
370
371 last_reload = time_monotonic(NULL);
372
373 if (stat(STARTER_PID_FILE, &stb) == 0)
374 {
375 plog("starter is already running (%s exists) -- no fork done", STARTER_PID_FILE);
376 confread_free(cfg);
377 exit(LSB_RC_SUCCESS);
378 }
379
380 generate_selfcert();
381
382 /* fork if we're not debugging stuff */
383 if (!no_fork)
384 {
385 log_to_stderr = FALSE;
386
387 switch (fork())
388 {
389 case 0:
390 {
391 int fnull = open("/dev/null", O_RDWR);
392
393 if (fnull >= 0)
394 {
395 dup2(fnull, STDIN_FILENO);
396 dup2(fnull, STDOUT_FILENO);
397 dup2(fnull, STDERR_FILENO);
398 close(fnull);
399 }
400 setsid();
401 }
402 break;
403 case -1:
404 plog("can't fork: %s", strerror(errno));
405 break;
406 default:
407 confread_free(cfg);
408 exit(LSB_RC_SUCCESS);
409 }
410 }
411
412 /* save pid file in /var/run/starter.pid */
413 {
414 FILE *fd = fopen(STARTER_PID_FILE, "w");
415
416 if (fd)
417 {
418 fprintf(fd, "%u\n", getpid());
419 fclose(fd);
420 }
421 }
422
423 for (;;)
424 {
425 /*
426 * Stop pluto/charon (if started) and exit
427 */
428 if (_action_ & FLAG_ACTION_QUIT)
429 {
430 if (starter_pluto_pid())
431 {
432 starter_stop_pluto();
433 }
434 if (starter_charon_pid())
435 {
436 starter_stop_charon();
437 }
438 starter_netkey_cleanup();
439 confread_free(cfg);
440 unlink(STARTER_PID_FILE);
441 unlink(INFO_FILE);
442 plog("ipsec starter stopped");
443 close_log();
444 exit(LSB_RC_SUCCESS);
445 }
446
447 /*
448 * Delete all connections. Will be added below
449 */
450 if (_action_ & FLAG_ACTION_RELOAD)
451 {
452 if (starter_pluto_pid() || starter_charon_pid())
453 {
454 for (conn = cfg->conn_first; conn; conn = conn->next)
455 {
456 if (conn->state == STATE_ADDED)
457 {
458 if (starter_charon_pid())
459 {
460 starter_stroke_del_conn(conn);
461 }
462 if (starter_pluto_pid())
463 {
464 starter_whack_del_conn(conn);
465 }
466 conn->state = STATE_TO_ADD;
467 }
468 }
469 for (ca = cfg->ca_first; ca; ca = ca->next)
470 {
471 if (ca->state == STATE_ADDED)
472 {
473 if (starter_charon_pid())
474 {
475 starter_stroke_del_ca(ca);
476 }
477 if (starter_pluto_pid())
478 {
479 starter_whack_del_ca(ca);
480 }
481 ca->state = STATE_TO_ADD;
482 }
483 }
484 }
485 _action_ &= ~FLAG_ACTION_RELOAD;
486 }
487
488 /*
489 * Update configuration
490 */
491 if (_action_ & FLAG_ACTION_UPDATE)
492 {
493 err = NULL;
494 DBG(DBG_CONTROL,
495 DBG_log("Reloading config...")
496 );
497 new_cfg = confread_load(CONFIG_FILE);
498
499 if (new_cfg && (new_cfg->err + new_cfg->non_fatal_err == 0))
500 {
501 /* Switch to new config. New conn will be loaded below */
502 if (!starter_cmp_defaultroute(&new_cfg->defaultroute
503 , &cfg->defaultroute))
504 {
505 _action_ |= FLAG_ACTION_LISTEN;
506 }
507
508 if (!starter_cmp_pluto(cfg, new_cfg))
509 {
510 plog("Pluto has changed");
511 if (starter_pluto_pid())
512 starter_stop_pluto();
513 _action_ &= ~FLAG_ACTION_LISTEN;
514 _action_ |= FLAG_ACTION_START_PLUTO;
515 }
516 else
517 {
518 /* Only reload conn and ca sections if pluto is not killed */
519
520 /* Look for new connections that are already loaded */
521 for (conn = cfg->conn_first; conn; conn = conn->next)
522 {
523 if (conn->state == STATE_ADDED)
524 {
525 for (conn2 = new_cfg->conn_first; conn2; conn2 = conn2->next)
526 {
527 if (conn2->state == STATE_TO_ADD && starter_cmp_conn(conn, conn2))
528 {
529 conn->state = STATE_REPLACED;
530 conn2->state = STATE_ADDED;
531 conn2->id = conn->id;
532 break;
533 }
534 }
535 }
536 }
537
538 /* Remove conn sections that have become unused */
539 for (conn = cfg->conn_first; conn; conn = conn->next)
540 {
541 if (conn->state == STATE_ADDED)
542 {
543 if (starter_charon_pid())
544 {
545 starter_stroke_del_conn(conn);
546 }
547 if (starter_pluto_pid())
548 {
549 starter_whack_del_conn(conn);
550 }
551 }
552 }
553
554 /* Look for new ca sections that are already loaded */
555 for (ca = cfg->ca_first; ca; ca = ca->next)
556 {
557 if (ca->state == STATE_ADDED)
558 {
559 for (ca2 = new_cfg->ca_first; ca2; ca2 = ca2->next)
560 {
561 if (ca2->state == STATE_TO_ADD && starter_cmp_ca(ca, ca2))
562 {
563 ca->state = STATE_REPLACED;
564 ca2->state = STATE_ADDED;
565 break;
566 }
567 }
568 }
569 }
570
571 /* Remove ca sections that have become unused */
572 for (ca = cfg->ca_first; ca; ca = ca->next)
573 {
574 if (ca->state == STATE_ADDED)
575 {
576 if (starter_charon_pid())
577 {
578 starter_stroke_del_ca(ca);
579 }
580 if (starter_pluto_pid())
581 {
582 starter_whack_del_ca(ca);
583 }
584 }
585 }
586 }
587 confread_free(cfg);
588 cfg = new_cfg;
589 }
590 else
591 {
592 plog("can't reload config file due to errors -- keeping old one");
593 if (new_cfg)
594 {
595 confread_free(new_cfg);
596 }
597 }
598 _action_ &= ~FLAG_ACTION_UPDATE;
599 last_reload = time_monotonic(NULL);
600 }
601
602 /*
603 * Start pluto
604 */
605 if (_action_ & FLAG_ACTION_START_PLUTO)
606 {
607 if (cfg->setup.plutostart && !starter_pluto_pid())
608 {
609 DBG(DBG_CONTROL,
610 DBG_log("Attempting to start pluto...")
611 );
612
613 if (starter_start_pluto(cfg, no_fork, attach_gdb) == 0)
614 {
615 starter_whack_listen();
616 }
617 else
618 {
619 /* schedule next try */
620 alarm(PLUTO_RESTART_DELAY);
621 }
622 }
623 _action_ &= ~FLAG_ACTION_START_PLUTO;
624
625 for (ca = cfg->ca_first; ca; ca = ca->next)
626 {
627 if (ca->state == STATE_ADDED)
628 ca->state = STATE_TO_ADD;
629 }
630
631 for (conn = cfg->conn_first; conn; conn = conn->next)
632 {
633 if (conn->state == STATE_ADDED)
634 conn->state = STATE_TO_ADD;
635 }
636 }
637
638 /*
639 * Start charon
640 */
641 if (_action_ & FLAG_ACTION_START_CHARON)
642 {
643 if (cfg->setup.charonstart && !starter_charon_pid())
644 {
645 DBG(DBG_CONTROL,
646 DBG_log("Attempting to start charon...")
647 );
648 if (starter_start_charon(cfg, no_fork, attach_gdb))
649 {
650 /* schedule next try */
651 alarm(PLUTO_RESTART_DELAY);
652 }
653 starter_stroke_configure(cfg);
654 }
655 _action_ &= ~FLAG_ACTION_START_CHARON;
656 }
657
658 /*
659 * Tell pluto to reread its interfaces
660 */
661 if (_action_ & FLAG_ACTION_LISTEN)
662 {
663 if (starter_pluto_pid())
664 {
665 starter_whack_listen();
666 _action_ &= ~FLAG_ACTION_LISTEN;
667 }
668 }
669
670 /*
671 * Add stale conn and ca sections
672 */
673 if (starter_pluto_pid() || starter_charon_pid())
674 {
675 for (ca = cfg->ca_first; ca; ca = ca->next)
676 {
677 if (ca->state == STATE_TO_ADD)
678 {
679 if (starter_charon_pid())
680 {
681 starter_stroke_add_ca(ca);
682 }
683 if (starter_pluto_pid())
684 {
685 starter_whack_add_ca(ca);
686 }
687 ca->state = STATE_ADDED;
688 }
689 }
690
691 for (conn = cfg->conn_first; conn; conn = conn->next)
692 {
693 if (conn->state == STATE_TO_ADD)
694 {
695 if (conn->id == 0)
696 {
697 /* affect new unique id */
698 conn->id = id++;
699 }
700 if (starter_charon_pid())
701 {
702 starter_stroke_add_conn(cfg, conn);
703 }
704 if (starter_pluto_pid())
705 {
706 starter_whack_add_conn(conn);
707 }
708 conn->state = STATE_ADDED;
709
710 if (conn->startup == STARTUP_START)
711 {
712 if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
713 {
714 if (starter_charon_pid())
715 {
716 starter_stroke_initiate_conn(conn);
717 }
718 }
719 else
720 {
721 if (starter_pluto_pid())
722 {
723 starter_whack_initiate_conn(conn);
724 }
725 }
726 }
727 else if (conn->startup == STARTUP_ROUTE)
728 {
729 if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
730 {
731 if (starter_charon_pid())
732 {
733 starter_stroke_route_conn(conn);
734 }
735 }
736 else
737 {
738 if (starter_pluto_pid())
739 {
740 starter_whack_route_conn(conn);
741 }
742 }
743 }
744 }
745 }
746 }
747
748 /*
749 * If auto_update activated, when to stop select
750 */
751 if (auto_update)
752 {
753 time_t now = time_monotonic(NULL);
754
755 tv.tv_sec = (now < last_reload + auto_update)
756 ? (last_reload + auto_update-now) : 0;
757 tv.tv_usec = 0;
758 }
759
760 /*
761 * Wait for something to happen
762 */
763 if (select(0, NULL, NULL, NULL, auto_update ? &tv : NULL) == 0)
764 {
765 /* timeout -> auto_update */
766 _action_ |= FLAG_ACTION_UPDATE;
767 }
768 }
769 exit(LSB_RC_SUCCESS);
770 }
771