starter: INFO_FILE is not used anymore.
[strongswan.git] / src / starter / starter.c
1 /* strongSwan IPsec starter
2 * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
3 *
4 * This program is free software; you can redistribute it and/or modify it
5 * under the terms of the GNU General Public License as published by the
6 * Free Software Foundation; either version 2 of the License, or (at your
7 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
8 *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * for more details.
13 */
14
15 #include <sys/types.h>
16 #include <sys/wait.h>
17 #include <sys/stat.h>
18 #include <stdlib.h>
19 #include <stdio.h>
20 #include <signal.h>
21 #include <unistd.h>
22 #include <sys/time.h>
23 #include <time.h>
24 #include <string.h>
25 #include <errno.h>
26 #include <fcntl.h>
27 #include <pwd.h>
28 #include <grp.h>
29
30 #include <freeswan.h>
31 #include <library.h>
32
33 #include "../pluto/constants.h"
34 #include "../pluto/defs.h"
35 #include "../pluto/log.h"
36
37 #include "confread.h"
38 #include "files.h"
39 #include "starterwhack.h"
40 #include "starterstroke.h"
41 #include "invokepluto.h"
42 #include "invokecharon.h"
43 #include "netkey.h"
44 #include "klips.h"
45 #include "cmp.h"
46 #include "interfaces.h"
47
48 /**
49 * Return codes defined by Linux Standard Base Core Specification 3.1
50 * in section 20.2. Init Script Actions
51 */
52 #define LSB_RC_SUCCESS 0 /* success */
53 #define LSB_RC_FAILURE 1 /* generic or unspecified error */
54 #define LSB_RC_INVALID_ARGUMENT 2 /* invalid or excess argument(s) */
55 #define LSB_RC_NOT_IMPLEMENTED 3 /* unimplemented feature (reload) */
56 #define LSB_RC_NOT_ALLOWED 4 /* user had insufficient privilege */
57 #define LSB_RC_NOT_INSTALLED 5 /* program is not installed */
58 #define LSB_RC_NOT_CONFIGURED 6 /* program is not configured */
59 #define LSB_RC_NOT_RUNNING 7 /* program is not running */
60
61 #define FLAG_ACTION_START_PLUTO 0x01
62 #define FLAG_ACTION_UPDATE 0x02
63 #define FLAG_ACTION_RELOAD 0x04
64 #define FLAG_ACTION_QUIT 0x08
65 #define FLAG_ACTION_LISTEN 0x10
66 #define FLAG_ACTION_START_CHARON 0x20
67
68 static unsigned int _action_ = 0;
69
70 static void fsig(int signal)
71 {
72 switch (signal)
73 {
74 case SIGCHLD:
75 {
76 int status, exit_status = 0;
77 pid_t pid;
78 char *name = NULL;
79
80 while ((pid = waitpid(-1, &status, WNOHANG)) > 0)
81 {
82 if (pid == starter_pluto_pid())
83 {
84 name = " (Pluto)";
85 }
86 if (pid == starter_charon_pid())
87 {
88 name = " (Charon)";
89 }
90 if (WIFSIGNALED(status))
91 {
92 DBG(DBG_CONTROL,
93 DBG_log("child %d%s has been killed by sig %d\n",
94 pid, name?name:"", WTERMSIG(status))
95 )
96 }
97 else if (WIFSTOPPED(status))
98 {
99 DBG(DBG_CONTROL,
100 DBG_log("child %d%s has been stopped by sig %d\n",
101 pid, name?name:"", WSTOPSIG(status))
102 )
103 }
104 else if (WIFEXITED(status))
105 {
106 exit_status = WEXITSTATUS(status);
107 if (exit_status >= SS_RC_FIRST && exit_status <= SS_RC_LAST)
108 {
109 _action_ = FLAG_ACTION_QUIT;
110 }
111 DBG(DBG_CONTROL,
112 DBG_log("child %d%s has quit (exit code %d)\n",
113 pid, name?name:"", exit_status)
114 )
115 }
116 else
117 {
118 DBG(DBG_CONTROL,
119 DBG_log("child %d%s has quit", pid, name?name:"")
120 )
121 }
122 if (pid == starter_pluto_pid())
123 {
124 starter_pluto_sigchild(pid, exit_status);
125 }
126 if (pid == starter_charon_pid())
127 {
128 starter_charon_sigchild(pid, exit_status);
129 }
130 }
131 }
132 break;
133
134 case SIGPIPE:
135 /** ignore **/
136 break;
137
138 case SIGALRM:
139 _action_ |= FLAG_ACTION_START_PLUTO;
140 _action_ |= FLAG_ACTION_START_CHARON;
141 break;
142
143 case SIGHUP:
144 _action_ |= FLAG_ACTION_UPDATE;
145 break;
146
147 case SIGTERM:
148 case SIGQUIT:
149 case SIGINT:
150 _action_ |= FLAG_ACTION_QUIT;
151 break;
152
153 case SIGUSR1:
154 _action_ |= FLAG_ACTION_RELOAD;
155 _action_ |= FLAG_ACTION_UPDATE;
156 break;
157
158 default:
159 plog("fsig(): unknown signal %d -- investigate", signal);
160 break;
161 }
162 }
163
164 #ifdef GENERATE_SELFCERT
165 static void generate_selfcert()
166 {
167 struct stat stb;
168
169 /* if ipsec.secrets file is missing then generate RSA default key pair */
170 if (stat(SECRETS_FILE, &stb) != 0)
171 {
172 mode_t oldmask;
173 FILE *f;
174 uid_t uid = 0;
175 gid_t gid = 0;
176
177 #ifdef IPSEC_GROUP
178 {
179 char buf[1024];
180 struct group group, *grp;
181
182 if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) == 0 && grp)
183 {
184 gid = grp->gr_gid;
185 }
186 }
187 #endif
188 #ifdef IPSEC_USER
189 {
190 char buf[1024];
191 struct passwd passwd, *pwp;
192
193 if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) == 0 && pwp)
194 {
195 uid = pwp->pw_uid;
196 }
197 }
198 #endif
199 setegid(gid);
200 seteuid(uid);
201 ignore_result(system("ipsec scepclient --out pkcs1 --out cert-self --quiet"));
202 seteuid(0);
203 setegid(0);
204
205 /* ipsec.secrets is root readable only */
206 oldmask = umask(0066);
207
208 f = fopen(SECRETS_FILE, "w");
209 if (f)
210 {
211 fprintf(f, "# /etc/ipsec.secrets - strongSwan IPsec secrets file\n");
212 fprintf(f, "\n");
213 fprintf(f, ": RSA myKey.der\n");
214 fclose(f);
215 }
216 ignore_result(chown(SECRETS_FILE, uid, gid));
217 umask(oldmask);
218 }
219 }
220 #endif /* GENERATE_SELFCERT */
221
222 static bool check_pid(char *pid_file)
223 {
224 struct stat stb;
225 FILE *pidfile;
226
227 if (stat(pid_file, &stb) == 0)
228 {
229 pidfile = fopen(pid_file, "r");
230 if (pidfile)
231 {
232 char buf[64];
233 pid_t pid = 0;
234 memset(buf, 0, sizeof(buf));
235 if (fread(buf, 1, sizeof(buf), pidfile))
236 {
237 buf[sizeof(buf) - 1] = '\0';
238 pid = atoi(buf);
239 }
240 fclose(pidfile);
241 if (pid && kill(pid, 0) == 0)
242 { /* such a process is running */
243 return TRUE;
244 }
245 }
246 plog("removing pidfile '%s', process not running", pid_file);
247 unlink(pid_file);
248 }
249 return FALSE;
250 }
251
252 static void usage(char *name)
253 {
254 fprintf(stderr, "Usage: starter [--nofork] [--auto-update <sec>] "
255 "[--debug|--debug-more|--debug-all]\n");
256 exit(LSB_RC_INVALID_ARGUMENT);
257 }
258
259 int main (int argc, char **argv)
260 {
261 starter_config_t *cfg = NULL;
262 starter_config_t *new_cfg;
263 starter_conn_t *conn, *conn2;
264 starter_ca_t *ca, *ca2;
265
266 struct stat stb;
267
268 int i;
269 int id = 1;
270 struct timeval tv;
271 unsigned long auto_update = 0;
272 time_t last_reload;
273 bool no_fork = FALSE;
274 bool attach_gdb = FALSE;
275 bool load_warning = FALSE;
276
277 /* global variables defined in log.h */
278 log_to_stderr = TRUE;
279 base_debugging = DBG_NONE;
280
281 library_init(NULL);
282 atexit(library_deinit);
283
284 /* parse command line */
285 for (i = 1; i < argc; i++)
286 {
287 if (streq(argv[i], "--debug"))
288 {
289 base_debugging |= DBG_CONTROL;
290 }
291 else if (streq(argv[i], "--debug-more"))
292 {
293 base_debugging |= DBG_CONTROLMORE;
294 }
295 else if (streq(argv[i], "--debug-all"))
296 {
297 base_debugging |= DBG_ALL;
298 }
299 else if (streq(argv[i], "--nofork"))
300 {
301 no_fork = TRUE;
302 }
303 else if (streq(argv[i], "--attach-gdb"))
304 {
305 no_fork = TRUE;
306 attach_gdb = TRUE;
307 }
308 else if (streq(argv[i], "--auto-update") && i+1 < argc)
309 {
310 auto_update = atoi(argv[++i]);
311 if (!auto_update)
312 usage(argv[0]);
313 }
314 else
315 {
316 usage(argv[0]);
317 }
318 }
319
320 /* Init */
321 init_log("ipsec_starter");
322 cur_debugging = base_debugging;
323
324 signal(SIGHUP, fsig);
325 signal(SIGCHLD, fsig);
326 signal(SIGPIPE, fsig);
327 signal(SIGINT, fsig);
328 signal(SIGTERM, fsig);
329 signal(SIGQUIT, fsig);
330 signal(SIGALRM, fsig);
331 signal(SIGUSR1, fsig);
332
333 plog("Starting strongSwan "VERSION" IPsec [starter]...");
334
335 #ifdef LOAD_WARNING
336 load_warning = TRUE;
337 #endif
338
339 if (lib->settings->get_bool(lib->settings, "starter.load_warning", load_warning))
340 {
341 if (lib->settings->get_str(lib->settings, "charon.load", NULL) ||
342 lib->settings->get_str(lib->settings, "pluto.load", NULL))
343 {
344 plog("!! Your strongswan.conf contains manual plugin load options for");
345 plog("!! pluto and/or charon. This is recommended for experts only, see");
346 plog("!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad");
347 }
348 }
349
350 /* verify that we can start */
351 if (getuid() != 0)
352 {
353 plog("permission denied (must be superuser)");
354 exit(LSB_RC_NOT_ALLOWED);
355 }
356
357 if (check_pid(PLUTO_PID_FILE))
358 {
359 plog("pluto is already running (%s exists) -- skipping pluto start",
360 PLUTO_PID_FILE);
361 }
362 else
363 {
364 _action_ |= FLAG_ACTION_START_PLUTO;
365 }
366 if (check_pid(CHARON_PID_FILE))
367 {
368 plog("charon is already running (%s exists) -- skipping charon start",
369 CHARON_PID_FILE);
370 }
371 else
372 {
373 _action_ |= FLAG_ACTION_START_CHARON;
374 }
375 if (stat(DEV_RANDOM, &stb) != 0)
376 {
377 plog("unable to start strongSwan IPsec -- no %s!", DEV_RANDOM);
378 exit(LSB_RC_FAILURE);
379 }
380
381 if (stat(DEV_URANDOM, &stb)!= 0)
382 {
383 plog("unable to start strongSwan IPsec -- no %s!", DEV_URANDOM);
384 exit(LSB_RC_FAILURE);
385 }
386
387 cfg = confread_load(CONFIG_FILE);
388 if (cfg == NULL || cfg->err > 0)
389 {
390 plog("unable to start strongSwan -- fatal errors in config");
391 if (cfg)
392 {
393 confread_free(cfg);
394 }
395 exit(LSB_RC_INVALID_ARGUMENT);
396 }
397
398 /* determine if we have a native netkey IPsec stack */
399 if (!starter_netkey_init())
400 {
401 plog("no netkey IPsec stack detected");
402 if (!starter_klips_init())
403 {
404 plog("no KLIPS IPsec stack detected");
405 plog("no known IPsec stack detected, ignoring!");
406 }
407 }
408
409 last_reload = time_monotonic(NULL);
410
411 if (check_pid(STARTER_PID_FILE))
412 {
413 plog("starter is already running (%s exists) -- no fork done",
414 STARTER_PID_FILE);
415 confread_free(cfg);
416 exit(LSB_RC_SUCCESS);
417 }
418
419 #ifdef GENERATE_SELFCERT
420 generate_selfcert();
421 #endif
422
423 /* fork if we're not debugging stuff */
424 if (!no_fork)
425 {
426 log_to_stderr = FALSE;
427
428 switch (fork())
429 {
430 case 0:
431 {
432 int fnull;
433
434 closefrom(3);
435
436 fnull = open("/dev/null", O_RDWR);
437 if (fnull >= 0)
438 {
439 dup2(fnull, STDIN_FILENO);
440 dup2(fnull, STDOUT_FILENO);
441 dup2(fnull, STDERR_FILENO);
442 close(fnull);
443 }
444
445 setsid();
446 }
447 break;
448 case -1:
449 plog("can't fork: %s", strerror(errno));
450 break;
451 default:
452 confread_free(cfg);
453 exit(LSB_RC_SUCCESS);
454 }
455 }
456
457 /* save pid file in /var/run/starter.pid */
458 {
459 FILE *fd = fopen(STARTER_PID_FILE, "w");
460
461 if (fd)
462 {
463 fprintf(fd, "%u\n", getpid());
464 fclose(fd);
465 }
466 }
467
468 for (;;)
469 {
470 /*
471 * Stop pluto/charon (if started) and exit
472 */
473 if (_action_ & FLAG_ACTION_QUIT)
474 {
475 if (starter_pluto_pid())
476 {
477 starter_stop_pluto();
478 }
479 if (starter_charon_pid())
480 {
481 starter_stop_charon();
482 }
483 starter_netkey_cleanup();
484 confread_free(cfg);
485 unlink(STARTER_PID_FILE);
486 plog("ipsec starter stopped");
487 close_log();
488 exit(LSB_RC_SUCCESS);
489 }
490
491 /*
492 * Delete all connections. Will be added below
493 */
494 if (_action_ & FLAG_ACTION_RELOAD)
495 {
496 if (starter_pluto_pid() || starter_charon_pid())
497 {
498 for (conn = cfg->conn_first; conn; conn = conn->next)
499 {
500 if (conn->state == STATE_ADDED)
501 {
502 if (starter_charon_pid())
503 {
504 starter_stroke_del_conn(conn);
505 }
506 if (starter_pluto_pid())
507 {
508 starter_whack_del_conn(conn);
509 }
510 conn->state = STATE_TO_ADD;
511 }
512 }
513 for (ca = cfg->ca_first; ca; ca = ca->next)
514 {
515 if (ca->state == STATE_ADDED)
516 {
517 if (starter_charon_pid())
518 {
519 starter_stroke_del_ca(ca);
520 }
521 if (starter_pluto_pid())
522 {
523 starter_whack_del_ca(ca);
524 }
525 ca->state = STATE_TO_ADD;
526 }
527 }
528 }
529 _action_ &= ~FLAG_ACTION_RELOAD;
530 }
531
532 /*
533 * Update configuration
534 */
535 if (_action_ & FLAG_ACTION_UPDATE)
536 {
537 DBG(DBG_CONTROL,
538 DBG_log("Reloading config...")
539 );
540 new_cfg = confread_load(CONFIG_FILE);
541
542 if (new_cfg && (new_cfg->err + new_cfg->non_fatal_err == 0))
543 {
544 /* Switch to new config. New conn will be loaded below */
545 if (!starter_cmp_defaultroute(&new_cfg->defaultroute
546 , &cfg->defaultroute))
547 {
548 _action_ |= FLAG_ACTION_LISTEN;
549 }
550
551 if (!starter_cmp_pluto(cfg, new_cfg))
552 {
553 plog("Pluto has changed");
554 if (starter_pluto_pid())
555 starter_stop_pluto();
556 _action_ &= ~FLAG_ACTION_LISTEN;
557 _action_ |= FLAG_ACTION_START_PLUTO;
558 }
559 else
560 {
561 /* Only reload conn and ca sections if pluto is not killed */
562
563 /* Look for new connections that are already loaded */
564 for (conn = cfg->conn_first; conn; conn = conn->next)
565 {
566 if (conn->state == STATE_ADDED)
567 {
568 for (conn2 = new_cfg->conn_first; conn2; conn2 = conn2->next)
569 {
570 if (conn2->state == STATE_TO_ADD && starter_cmp_conn(conn, conn2))
571 {
572 conn->state = STATE_REPLACED;
573 conn2->state = STATE_ADDED;
574 conn2->id = conn->id;
575 break;
576 }
577 }
578 }
579 }
580
581 /* Remove conn sections that have become unused */
582 for (conn = cfg->conn_first; conn; conn = conn->next)
583 {
584 if (conn->state == STATE_ADDED)
585 {
586 if (starter_charon_pid())
587 {
588 starter_stroke_del_conn(conn);
589 }
590 if (starter_pluto_pid())
591 {
592 starter_whack_del_conn(conn);
593 }
594 }
595 }
596
597 /* Look for new ca sections that are already loaded */
598 for (ca = cfg->ca_first; ca; ca = ca->next)
599 {
600 if (ca->state == STATE_ADDED)
601 {
602 for (ca2 = new_cfg->ca_first; ca2; ca2 = ca2->next)
603 {
604 if (ca2->state == STATE_TO_ADD && starter_cmp_ca(ca, ca2))
605 {
606 ca->state = STATE_REPLACED;
607 ca2->state = STATE_ADDED;
608 break;
609 }
610 }
611 }
612 }
613
614 /* Remove ca sections that have become unused */
615 for (ca = cfg->ca_first; ca; ca = ca->next)
616 {
617 if (ca->state == STATE_ADDED)
618 {
619 if (starter_charon_pid())
620 {
621 starter_stroke_del_ca(ca);
622 }
623 if (starter_pluto_pid())
624 {
625 starter_whack_del_ca(ca);
626 }
627 }
628 }
629 }
630 confread_free(cfg);
631 cfg = new_cfg;
632 }
633 else
634 {
635 plog("can't reload config file due to errors -- keeping old one");
636 if (new_cfg)
637 {
638 confread_free(new_cfg);
639 }
640 }
641 _action_ &= ~FLAG_ACTION_UPDATE;
642 last_reload = time_monotonic(NULL);
643 }
644
645 /*
646 * Start pluto
647 */
648 if (_action_ & FLAG_ACTION_START_PLUTO)
649 {
650 if (cfg->setup.plutostart && !starter_pluto_pid())
651 {
652 DBG(DBG_CONTROL,
653 DBG_log("Attempting to start pluto...")
654 );
655
656 if (starter_start_pluto(cfg, no_fork, attach_gdb) == 0)
657 {
658 starter_whack_listen();
659 }
660 else
661 {
662 /* schedule next try */
663 alarm(PLUTO_RESTART_DELAY);
664 }
665 }
666 _action_ &= ~FLAG_ACTION_START_PLUTO;
667
668 for (ca = cfg->ca_first; ca; ca = ca->next)
669 {
670 if (ca->state == STATE_ADDED)
671 ca->state = STATE_TO_ADD;
672 }
673
674 for (conn = cfg->conn_first; conn; conn = conn->next)
675 {
676 if (conn->state == STATE_ADDED)
677 conn->state = STATE_TO_ADD;
678 }
679 }
680
681 /*
682 * Start charon
683 */
684 if (_action_ & FLAG_ACTION_START_CHARON)
685 {
686 if (cfg->setup.charonstart && !starter_charon_pid())
687 {
688 DBG(DBG_CONTROL,
689 DBG_log("Attempting to start charon...")
690 );
691 if (starter_start_charon(cfg, no_fork, attach_gdb))
692 {
693 /* schedule next try */
694 alarm(PLUTO_RESTART_DELAY);
695 }
696 starter_stroke_configure(cfg);
697 }
698 _action_ &= ~FLAG_ACTION_START_CHARON;
699 }
700
701 /*
702 * Tell pluto to reread its interfaces
703 */
704 if (_action_ & FLAG_ACTION_LISTEN)
705 {
706 if (starter_pluto_pid())
707 {
708 starter_whack_listen();
709 _action_ &= ~FLAG_ACTION_LISTEN;
710 }
711 }
712
713 /*
714 * Add stale conn and ca sections
715 */
716 if (starter_pluto_pid() || starter_charon_pid())
717 {
718 for (ca = cfg->ca_first; ca; ca = ca->next)
719 {
720 if (ca->state == STATE_TO_ADD)
721 {
722 if (starter_charon_pid())
723 {
724 starter_stroke_add_ca(ca);
725 }
726 if (starter_pluto_pid())
727 {
728 starter_whack_add_ca(ca);
729 }
730 ca->state = STATE_ADDED;
731 }
732 }
733
734 for (conn = cfg->conn_first; conn; conn = conn->next)
735 {
736 if (conn->state == STATE_TO_ADD)
737 {
738 if (conn->id == 0)
739 {
740 /* affect new unique id */
741 conn->id = id++;
742 }
743 if (starter_charon_pid())
744 {
745 starter_stroke_add_conn(cfg, conn);
746 }
747 if (starter_pluto_pid())
748 {
749 starter_whack_add_conn(conn);
750 }
751 conn->state = STATE_ADDED;
752
753 if (conn->startup == STARTUP_START)
754 {
755 if (conn->keyexchange != KEY_EXCHANGE_IKEV1)
756 {
757 if (starter_charon_pid())
758 {
759 starter_stroke_initiate_conn(conn);
760 }
761 }
762 else
763 {
764 if (starter_pluto_pid())
765 {
766 starter_whack_initiate_conn(conn);
767 }
768 }
769 }
770 else if (conn->startup == STARTUP_ROUTE)
771 {
772 if (conn->keyexchange != KEY_EXCHANGE_IKEV1)
773 {
774 if (starter_charon_pid())
775 {
776 starter_stroke_route_conn(conn);
777 }
778 }
779 else
780 {
781 if (starter_pluto_pid())
782 {
783 starter_whack_route_conn(conn);
784 }
785 }
786 }
787 }
788 }
789 }
790
791 /*
792 * If auto_update activated, when to stop select
793 */
794 if (auto_update)
795 {
796 time_t now = time_monotonic(NULL);
797
798 tv.tv_sec = (now < last_reload + auto_update)
799 ? (last_reload + auto_update-now) : 0;
800 tv.tv_usec = 0;
801 }
802
803 /*
804 * Wait for something to happen
805 */
806 if (select(0, NULL, NULL, NULL, auto_update ? &tv : NULL) == 0)
807 {
808 /* timeout -> auto_update */
809 _action_ |= FLAG_ACTION_UPDATE;
810 }
811 }
812 exit(LSB_RC_SUCCESS);
813 }
814