72421ca9696efb3496b21bb00bd4473f2425760d
[strongswan.git] / src / starter / starter.c
1 /* strongSwan IPsec starter
2 * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
3 *
4 * This program is free software; you can redistribute it and/or modify it
5 * under the terms of the GNU General Public License as published by the
6 * Free Software Foundation; either version 2 of the License, or (at your
7 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
8 *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * for more details.
13 */
14
15 #include <sys/types.h>
16 #include <sys/wait.h>
17 #include <sys/stat.h>
18 #include <stdlib.h>
19 #include <stdio.h>
20 #include <signal.h>
21 #include <unistd.h>
22 #include <sys/time.h>
23 #include <time.h>
24 #include <string.h>
25 #include <errno.h>
26 #include <fcntl.h>
27 #include <pwd.h>
28 #include <grp.h>
29
30 #include <freeswan.h>
31
32 #include "../pluto/constants.h"
33 #include "../pluto/defs.h"
34 #include "../pluto/log.h"
35
36 #include "confread.h"
37 #include "files.h"
38 #include "starterwhack.h"
39 #include "starterstroke.h"
40 #include "invokepluto.h"
41 #include "invokecharon.h"
42 #include "netkey.h"
43 #include "klips.h"
44 #include "cmp.h"
45 #include "interfaces.h"
46
47 /**
48 * Return codes defined by Linux Standard Base Core Specification 3.1
49 * in section 20.2. Init Script Actions
50 */
51 #define LSB_RC_SUCCESS 0 /* success */
52 #define LSB_RC_FAILURE 1 /* generic or unspecified error */
53 #define LSB_RC_INVALID_ARGUMENT 2 /* invalid or excess argument(s) */
54 #define LSB_RC_NOT_IMPLEMENTED 3 /* unimplemented feature (reload) */
55 #define LSB_RC_NOT_ALLOWED 4 /* user had insufficient privilege */
56 #define LSB_RC_NOT_INSTALLED 5 /* program is not installed */
57 #define LSB_RC_NOT_CONFIGURED 6 /* program is not configured */
58 #define LSB_RC_NOT_RUNNING 7 /* program is not running */
59
60 #define FLAG_ACTION_START_PLUTO 0x01
61 #define FLAG_ACTION_UPDATE 0x02
62 #define FLAG_ACTION_RELOAD 0x04
63 #define FLAG_ACTION_QUIT 0x08
64 #define FLAG_ACTION_LISTEN 0x10
65 #define FLAG_ACTION_START_CHARON 0x20
66
67 static unsigned int _action_ = 0;
68
69 static void fsig(int signal)
70 {
71 switch (signal)
72 {
73 case SIGCHLD:
74 {
75 int status, exit_status = 0;
76 pid_t pid;
77 char *name = NULL;
78
79 while ((pid = waitpid(-1, &status, WNOHANG)) > 0)
80 {
81 if (pid == starter_pluto_pid())
82 {
83 name = " (Pluto)";
84 }
85 if (pid == starter_charon_pid())
86 {
87 name = " (Charon)";
88 }
89 if (WIFSIGNALED(status))
90 {
91 DBG(DBG_CONTROL,
92 DBG_log("child %d%s has been killed by sig %d\n",
93 pid, name?name:"", WTERMSIG(status))
94 )
95 }
96 else if (WIFSTOPPED(status))
97 {
98 DBG(DBG_CONTROL,
99 DBG_log("child %d%s has been stopped by sig %d\n",
100 pid, name?name:"", WSTOPSIG(status))
101 )
102 }
103 else if (WIFEXITED(status))
104 {
105 exit_status = WEXITSTATUS(status);
106 if (exit_status >= SS_RC_LIBSTRONGSWAN_INTEGRITY &&
107 exit_status <= SS_RC_INITIALIZATION_FAILED)
108 {
109 _action_ = FLAG_ACTION_QUIT;
110 }
111 DBG(DBG_CONTROL,
112 DBG_log("child %d%s has quit (exit code %d)\n",
113 pid, name?name:"", exit_status)
114 )
115 }
116 else
117 {
118 DBG(DBG_CONTROL,
119 DBG_log("child %d%s has quit", pid, name?name:"")
120 )
121 }
122 if (pid == starter_pluto_pid())
123 {
124 starter_pluto_sigchild(pid, exit_status);
125 }
126 if (pid == starter_charon_pid())
127 {
128 starter_charon_sigchild(pid, exit_status);
129 }
130 }
131 }
132 break;
133
134 case SIGPIPE:
135 /** ignore **/
136 break;
137
138 case SIGALRM:
139 _action_ |= FLAG_ACTION_START_PLUTO;
140 _action_ |= FLAG_ACTION_START_CHARON;
141 break;
142
143 case SIGHUP:
144 _action_ |= FLAG_ACTION_UPDATE;
145 break;
146
147 case SIGTERM:
148 case SIGQUIT:
149 case SIGINT:
150 _action_ |= FLAG_ACTION_QUIT;
151 break;
152
153 case SIGUSR1:
154 _action_ |= FLAG_ACTION_RELOAD;
155 _action_ |= FLAG_ACTION_UPDATE;
156 break;
157
158 default:
159 plog("fsig(): unknown signal %d -- investigate", signal);
160 break;
161 }
162 }
163
164 static void generate_selfcert()
165 {
166 struct stat stb;
167
168 /* if ipsec.secrets file is missing then generate RSA default key pair */
169 if (stat(SECRETS_FILE, &stb) != 0)
170 {
171 mode_t oldmask;
172 FILE *f;
173 uid_t uid = 0;
174 gid_t gid = 0;
175
176 #ifdef IPSEC_GROUP
177 {
178 char buf[1024];
179 struct group group, *grp;
180
181 if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) == 0 && grp)
182 {
183 gid = grp->gr_gid;
184 }
185 }
186 #endif
187 #ifdef IPSEC_USER
188 {
189 char buf[1024];
190 struct passwd passwd, *pwp;
191
192 if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) == 0 && pwp)
193 {
194 uid = pwp->pw_uid;
195 }
196 }
197 #endif
198 setegid(gid);
199 seteuid(uid);
200 ignore_result(system("ipsec scepclient --out pkcs1 --out cert-self --quiet"));
201 seteuid(0);
202 setegid(0);
203
204 /* ipsec.secrets is root readable only */
205 oldmask = umask(0066);
206
207 f = fopen(SECRETS_FILE, "w");
208 if (f)
209 {
210 fprintf(f, "# /etc/ipsec.secrets - strongSwan IPsec secrets file\n");
211 fprintf(f, "\n");
212 fprintf(f, ": RSA myKey.der\n");
213 fclose(f);
214 }
215 ignore_result(chown(SECRETS_FILE, uid, gid));
216 umask(oldmask);
217 }
218 }
219
220 static void usage(char *name)
221 {
222 fprintf(stderr, "Usage: starter [--nofork] [--auto-update <sec>] "
223 "[--debug|--debug-more|--debug-all]\n");
224 exit(LSB_RC_INVALID_ARGUMENT);
225 }
226
227 int main (int argc, char **argv)
228 {
229 starter_config_t *cfg = NULL;
230 starter_config_t *new_cfg;
231 starter_conn_t *conn, *conn2;
232 starter_ca_t *ca, *ca2;
233
234 struct stat stb;
235
236 char *err = NULL;
237 int i;
238 int id = 1;
239 struct timeval tv;
240 unsigned long auto_update = 0;
241 time_t last_reload;
242 bool no_fork = FALSE;
243 bool attach_gdb = FALSE;
244
245 /* global variables defined in log.h */
246 log_to_stderr = TRUE;
247 base_debugging = DBG_NONE;
248
249 /* parse command line */
250 for (i = 1; i < argc; i++)
251 {
252 if (streq(argv[i], "--debug"))
253 {
254 base_debugging |= DBG_CONTROL;
255 }
256 else if (streq(argv[i], "--debug-more"))
257 {
258 base_debugging |= DBG_CONTROLMORE;
259 }
260 else if (streq(argv[i], "--debug-all"))
261 {
262 base_debugging |= DBG_ALL;
263 }
264 else if (streq(argv[i], "--nofork"))
265 {
266 no_fork = TRUE;
267 }
268 else if (streq(argv[i], "--attach-gdb"))
269 {
270 no_fork = TRUE;
271 attach_gdb = TRUE;
272 }
273 else if (streq(argv[i], "--auto-update") && i+1 < argc)
274 {
275 auto_update = atoi(argv[++i]);
276 if (!auto_update)
277 usage(argv[0]);
278 }
279 else
280 {
281 usage(argv[0]);
282 }
283 }
284
285 /* Init */
286 init_log("ipsec_starter");
287 cur_debugging = base_debugging;
288
289 signal(SIGHUP, fsig);
290 signal(SIGCHLD, fsig);
291 signal(SIGPIPE, fsig);
292 signal(SIGINT, fsig);
293 signal(SIGTERM, fsig);
294 signal(SIGQUIT, fsig);
295 signal(SIGALRM, fsig);
296 signal(SIGUSR1, fsig);
297
298 plog("Starting strongSwan "VERSION" IPsec [starter]...");
299
300 /* verify that we can start */
301 if (getuid() != 0)
302 {
303 plog("permission denied (must be superuser)");
304 exit(LSB_RC_NOT_ALLOWED);
305 }
306
307 if (stat(PLUTO_PID_FILE, &stb) == 0)
308 {
309 plog("pluto is already running (%s exists) -- skipping pluto start", PLUTO_PID_FILE);
310 }
311 else
312 {
313 _action_ |= FLAG_ACTION_START_PLUTO;
314 }
315 if (stat(CHARON_PID_FILE, &stb) == 0)
316 {
317 plog("charon is already running (%s exists) -- skipping charon start", CHARON_PID_FILE);
318 }
319 else
320 {
321 _action_ |= FLAG_ACTION_START_CHARON;
322 }
323 if (stat(DEV_RANDOM, &stb) != 0)
324 {
325 plog("unable to start strongSwan IPsec -- no %s!", DEV_RANDOM);
326 exit(LSB_RC_FAILURE);
327 }
328
329 if (stat(DEV_URANDOM, &stb)!= 0)
330 {
331 plog("unable to start strongSwan IPsec -- no %s!", DEV_URANDOM);
332 exit(LSB_RC_FAILURE);
333 }
334
335 cfg = confread_load(CONFIG_FILE);
336 if (cfg == NULL || cfg->err > 0)
337 {
338 plog("unable to start strongSwan -- fatal errors in config");
339 if (cfg)
340 {
341 confread_free(cfg);
342 }
343 exit(LSB_RC_INVALID_ARGUMENT);
344 }
345
346 /* determine if we have a native netkey IPsec stack */
347 if (!starter_netkey_init())
348 {
349 plog("no netkey IPsec stack detected");
350 if (!starter_klips_init())
351 {
352 plog("no KLIPS IPsec stack detected");
353 plog("no known IPsec stack detected, ignoring!");
354 }
355 }
356
357 last_reload = time(NULL);
358
359 if (stat(STARTER_PID_FILE, &stb) == 0)
360 {
361 plog("starter is already running (%s exists) -- no fork done", STARTER_PID_FILE);
362 exit(LSB_RC_SUCCESS);
363 }
364
365 generate_selfcert();
366
367 /* fork if we're not debugging stuff */
368 if (!no_fork)
369 {
370 log_to_stderr = FALSE;
371
372 switch (fork())
373 {
374 case 0:
375 {
376 int fnull = open("/dev/null", O_RDWR);
377
378 if (fnull >= 0)
379 {
380 dup2(fnull, STDIN_FILENO);
381 dup2(fnull, STDOUT_FILENO);
382 dup2(fnull, STDERR_FILENO);
383 close(fnull);
384 }
385 setsid();
386 }
387 break;
388 case -1:
389 plog("can't fork: %s", strerror(errno));
390 break;
391 default:
392 exit(LSB_RC_SUCCESS);
393 }
394 }
395
396 /* save pid file in /var/run/starter.pid */
397 {
398 FILE *fd = fopen(STARTER_PID_FILE, "w");
399
400 if (fd)
401 {
402 fprintf(fd, "%u\n", getpid());
403 fclose(fd);
404 }
405 }
406
407 for (;;)
408 {
409 /*
410 * Stop pluto/charon (if started) and exit
411 */
412 if (_action_ & FLAG_ACTION_QUIT)
413 {
414 if (starter_pluto_pid())
415 {
416 starter_stop_pluto();
417 }
418 if (starter_charon_pid())
419 {
420 starter_stop_charon();
421 }
422 starter_netkey_cleanup();
423 confread_free(cfg);
424 unlink(STARTER_PID_FILE);
425 unlink(INFO_FILE);
426 #ifdef LEAK_DETECTIVE
427 report_leaks();
428 #endif /* LEAK_DETECTIVE */
429 close_log();
430 plog("ipsec starter stopped");
431 exit(LSB_RC_SUCCESS);
432 }
433
434 /*
435 * Delete all connections. Will be added below
436 */
437 if (_action_ & FLAG_ACTION_RELOAD)
438 {
439 if (starter_pluto_pid() || starter_charon_pid())
440 {
441 for (conn = cfg->conn_first; conn; conn = conn->next)
442 {
443 if (conn->state == STATE_ADDED)
444 {
445 if (starter_charon_pid())
446 {
447 starter_stroke_del_conn(conn);
448 }
449 if (starter_pluto_pid())
450 {
451 starter_whack_del_conn(conn);
452 }
453 conn->state = STATE_TO_ADD;
454 }
455 }
456 for (ca = cfg->ca_first; ca; ca = ca->next)
457 {
458 if (ca->state == STATE_ADDED)
459 {
460 if (starter_charon_pid())
461 {
462 starter_stroke_del_ca(ca);
463 }
464 if (starter_pluto_pid())
465 {
466 starter_whack_del_ca(ca);
467 }
468 ca->state = STATE_TO_ADD;
469 }
470 }
471 }
472 _action_ &= ~FLAG_ACTION_RELOAD;
473 }
474
475 /*
476 * Update configuration
477 */
478 if (_action_ & FLAG_ACTION_UPDATE)
479 {
480 err = NULL;
481 DBG(DBG_CONTROL,
482 DBG_log("Reloading config...")
483 );
484 new_cfg = confread_load(CONFIG_FILE);
485
486 if (new_cfg && (new_cfg->err + new_cfg->non_fatal_err == 0))
487 {
488 /* Switch to new config. New conn will be loaded below */
489 if (!starter_cmp_defaultroute(&new_cfg->defaultroute
490 , &cfg->defaultroute))
491 {
492 _action_ |= FLAG_ACTION_LISTEN;
493 }
494
495 if (!starter_cmp_pluto(cfg, new_cfg))
496 {
497 plog("Pluto has changed");
498 if (starter_pluto_pid())
499 starter_stop_pluto();
500 _action_ &= ~FLAG_ACTION_LISTEN;
501 _action_ |= FLAG_ACTION_START_PLUTO;
502 }
503 else
504 {
505 /* Only reload conn and ca sections if pluto is not killed */
506
507 /* Look for new connections that are already loaded */
508 for (conn = cfg->conn_first; conn; conn = conn->next)
509 {
510 if (conn->state == STATE_ADDED)
511 {
512 for (conn2 = new_cfg->conn_first; conn2; conn2 = conn2->next)
513 {
514 if (conn2->state == STATE_TO_ADD && starter_cmp_conn(conn, conn2))
515 {
516 conn->state = STATE_REPLACED;
517 conn2->state = STATE_ADDED;
518 conn2->id = conn->id;
519 break;
520 }
521 }
522 }
523 }
524
525 /* Remove conn sections that have become unused */
526 for (conn = cfg->conn_first; conn; conn = conn->next)
527 {
528 if (conn->state == STATE_ADDED)
529 {
530 if (starter_charon_pid())
531 {
532 starter_stroke_del_conn(conn);
533 }
534 if (starter_pluto_pid())
535 {
536 starter_whack_del_conn(conn);
537 }
538 }
539 }
540
541 /* Look for new ca sections that are already loaded */
542 for (ca = cfg->ca_first; ca; ca = ca->next)
543 {
544 if (ca->state == STATE_ADDED)
545 {
546 for (ca2 = new_cfg->ca_first; ca2; ca2 = ca2->next)
547 {
548 if (ca2->state == STATE_TO_ADD && starter_cmp_ca(ca, ca2))
549 {
550 ca->state = STATE_REPLACED;
551 ca2->state = STATE_ADDED;
552 break;
553 }
554 }
555 }
556 }
557
558 /* Remove ca sections that have become unused */
559 for (ca = cfg->ca_first; ca; ca = ca->next)
560 {
561 if (ca->state == STATE_ADDED)
562 {
563 if (starter_charon_pid())
564 {
565 starter_stroke_del_ca(ca);
566 }
567 if (starter_pluto_pid())
568 {
569 starter_whack_del_ca(ca);
570 }
571 }
572 }
573 }
574 confread_free(cfg);
575 cfg = new_cfg;
576 }
577 else
578 {
579 plog("can't reload config file due to errors -- keeping old one");
580 if (new_cfg)
581 {
582 confread_free(new_cfg);
583 }
584 }
585 _action_ &= ~FLAG_ACTION_UPDATE;
586 last_reload = time(NULL);
587 }
588
589 /*
590 * Start pluto
591 */
592 if (_action_ & FLAG_ACTION_START_PLUTO)
593 {
594 if (cfg->setup.plutostart && !starter_pluto_pid())
595 {
596 DBG(DBG_CONTROL,
597 DBG_log("Attempting to start pluto...")
598 );
599
600 if (starter_start_pluto(cfg, no_fork, attach_gdb) == 0)
601 {
602 starter_whack_listen();
603 }
604 else
605 {
606 /* schedule next try */
607 alarm(PLUTO_RESTART_DELAY);
608 }
609 }
610 _action_ &= ~FLAG_ACTION_START_PLUTO;
611
612 for (ca = cfg->ca_first; ca; ca = ca->next)
613 {
614 if (ca->state == STATE_ADDED)
615 ca->state = STATE_TO_ADD;
616 }
617
618 for (conn = cfg->conn_first; conn; conn = conn->next)
619 {
620 if (conn->state == STATE_ADDED)
621 conn->state = STATE_TO_ADD;
622 }
623 }
624
625 /*
626 * Start charon
627 */
628 if (_action_ & FLAG_ACTION_START_CHARON)
629 {
630 if (cfg->setup.charonstart && !starter_charon_pid())
631 {
632 DBG(DBG_CONTROL,
633 DBG_log("Attempting to start charon...")
634 );
635 if (starter_start_charon(cfg, no_fork, attach_gdb))
636 {
637 /* schedule next try */
638 alarm(PLUTO_RESTART_DELAY);
639 }
640 starter_stroke_configure(cfg);
641 }
642 _action_ &= ~FLAG_ACTION_START_CHARON;
643 }
644
645 /*
646 * Tell pluto to reread its interfaces
647 */
648 if (_action_ & FLAG_ACTION_LISTEN)
649 {
650 if (starter_pluto_pid())
651 {
652 starter_whack_listen();
653 _action_ &= ~FLAG_ACTION_LISTEN;
654 }
655 }
656
657 /*
658 * Add stale conn and ca sections
659 */
660 if (starter_pluto_pid() || starter_charon_pid())
661 {
662 for (ca = cfg->ca_first; ca; ca = ca->next)
663 {
664 if (ca->state == STATE_TO_ADD)
665 {
666 if (starter_charon_pid())
667 {
668 starter_stroke_add_ca(ca);
669 }
670 if (starter_pluto_pid())
671 {
672 starter_whack_add_ca(ca);
673 }
674 ca->state = STATE_ADDED;
675 }
676 }
677
678 for (conn = cfg->conn_first; conn; conn = conn->next)
679 {
680 if (conn->state == STATE_TO_ADD)
681 {
682 if (conn->id == 0)
683 {
684 /* affect new unique id */
685 conn->id = id++;
686 }
687 if (starter_charon_pid())
688 {
689 starter_stroke_add_conn(cfg, conn);
690 }
691 if (starter_pluto_pid())
692 {
693 starter_whack_add_conn(conn);
694 }
695 conn->state = STATE_ADDED;
696
697 if (conn->startup == STARTUP_START)
698 {
699 if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
700 {
701 if (starter_charon_pid())
702 {
703 starter_stroke_initiate_conn(conn);
704 }
705 }
706 else
707 {
708 if (starter_pluto_pid())
709 {
710 starter_whack_initiate_conn(conn);
711 }
712 }
713 }
714 else if (conn->startup == STARTUP_ROUTE)
715 {
716 if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
717 {
718 if (starter_charon_pid())
719 {
720 starter_stroke_route_conn(conn);
721 }
722 }
723 else
724 {
725 if (starter_pluto_pid())
726 {
727 starter_whack_route_conn(conn);
728 }
729 }
730 }
731 }
732 }
733 }
734
735 /*
736 * If auto_update activated, when to stop select
737 */
738 if (auto_update)
739 {
740 time_t now = time(NULL);
741
742 tv.tv_sec = (now < last_reload + auto_update)
743 ? (last_reload + auto_update-now) : 0;
744 tv.tv_usec = 0;
745 }
746
747 /*
748 * Wait for something to happen
749 */
750 if (select(0, NULL, NULL, NULL, auto_update ? &tv : NULL) == 0)
751 {
752 /* timeout -> auto_update */
753 _action_ |= FLAG_ACTION_UPDATE;
754 }
755 }
756 exit(LSB_RC_SUCCESS);
757 }
758