1 /* strongSwan IPsec starter
2 * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
4 * This program is free software; you can redistribute it and/or modify it
5 * under the terms of the GNU General Public License as published by the
6 * Free Software Foundation; either version 2 of the License, or (at your
7 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 #include <sys/select.h>
16 #include <sys/types.h>
35 #include <utils/backtrace.h>
36 #include <threading/thread.h>
37 #include <utils/debug.h>
41 #include "starterstroke.h"
42 #include "invokecharon.h"
/* Compatibility fallback for platforms without LOG_AUTHPRIV; the #ifndef
 * guard that should surround this define is not shown in this listing. */
48 #define LOG_AUTHPRIV LOG_AUTH
/* Seconds until the next charon start attempt, scheduled with alarm(). */
51 #define CHARON_RESTART_DELAY 5
/* Log sinks consulted by starter_dbg(); log_to_stderr is cleared in main()
 * before the starter goes into the background. */
54 static bool log_to_stderr
= TRUE
;
55 static bool log_to_syslog
= TRUE
;
/* Verbosity threshold: a message is emitted only if its level is <= this.
 * Set from the --debug, --debug-more, --debug-all and --nolog options. */
56 static level_t current_loglevel
= 1;
59 * logging function for scepclient
/**
 * Logging callback: formats `fmt` once and writes it to stderr and/or syslog,
 * line by line for syslog. Messages above current_loglevel are dropped.
 * The declarations of `buffer` and the va_list, the va_start()/va_end()
 * calls and the log_to_stderr/log_to_syslog guards are not shown here.
 *
 * @param group   debug group (unused in the visible code)
 * @param level   message level, compared against current_loglevel
 * @param fmt     printf-style format; arguments are passed to syslog via "%s",
 *                so a caller-controlled message cannot act as a format string
 */
61 static void starter_dbg(debug_t group
, level_t level
, char *fmt
, ...)
64 char *current
= buffer
, *next
;
/* Drop anything more verbose than the configured level. */
67 if (level
<= current_loglevel
)
/* stderr path: presumably guarded by log_to_stderr (guard line not shown). */
72 vfprintf(stderr
, fmt
, args
);
74 fprintf(stderr
, "\n");
78 /* write in memory buffer first */
/* vsnprintf() bounds the write to sizeof(buffer); an over-long message is
 * truncated, not overflowed. */
80 vsnprintf(buffer
, sizeof(buffer
), fmt
, args
);
83 /* do a syslog with every line */
/* Split on '\n' so each line becomes its own syslog record; the loop
 * header and the NUL-termination of `current` are not shown. */
86 next
= strchr(current
, '\n');
91 syslog(LOG_INFO
, "%s\n", current
);
99 * Initialize logging to stderr/syslog
/**
 * Initialize logging: make stderr unbuffered and open the syslog connection
 * for `program` with LOG_CONS|LOG_NDELAY|LOG_PID under facility LOG_AUTHPRIV.
 * main() calls this once after option parsing and again after the
 * daemonizing fork; any guards around those calls are not shown here.
 *
 * @param program   identifier prepended to every syslog record
 */
101 static void init_log(const char *program
)
/* Unbuffered stderr so partial output survives a crash or _exit(). */
107 setbuf(stderr
, NULL
);
/* LOG_NDELAY opens the syslog socket now rather than on first message, which
 * matters once stdio has been redirected to /dev/null after the fork. */
111 openlog(program
, LOG_CONS
| LOG_NDELAY
| LOG_PID
, LOG_AUTHPRIV
);
116 * Deinitialize logging to syslog
/* Tear down the syslog connection opened by init_log(); the body is not
 * shown in this listing (presumably closelog()). */
118 static void close_log()
127 * Return codes defined by Linux Standard Base Core Specification 3.1
128 * in section 20.2. Init Script Actions
/* Process exit codes used throughout main() and usage(). */
130 #define LSB_RC_SUCCESS 0 /* success */
131 #define LSB_RC_FAILURE 1 /* generic or unspecified error */
132 #define LSB_RC_INVALID_ARGUMENT 2 /* invalid or excess argument(s) */
133 #define LSB_RC_NOT_IMPLEMENTED 3 /* unimplemented feature (reload) */
134 #define LSB_RC_NOT_ALLOWED 4 /* user had insufficient privilege */
135 #define LSB_RC_NOT_INSTALLED 5 /* program is not installed */
136 #define LSB_RC_NOT_CONFIGURED 6 /* program is not configured */
137 #define LSB_RC_NOT_RUNNING 7 /* program is not running */
/* Pending-work bits: set by signal_handler() (and by main() itself), consumed
 * one class at a time in main()'s pselect() loop. */
139 #define FLAG_ACTION_START_PLUTO 0x01
140 #define FLAG_ACTION_UPDATE 0x02
141 #define FLAG_ACTION_RELOAD 0x04
142 #define FLAG_ACTION_QUIT 0x08
143 #define FLAG_ACTION_LISTEN 0x10
144 #define FLAG_ACTION_START_CHARON 0x20
/* Bitmask of FLAG_ACTION_* values.
 * NOTE(review): this object is written from signal_handler() and read in
 * main(); for a strictly conforming program it should be declared
 * `volatile sig_atomic_t`, and the plain `unsigned int` gives the compiler
 * licence to cache it across the pselect() call. The name `_action_` also
 * begins with an underscore at file scope, which C reserves for the
 * implementation. Both are worth fixing together in a follow-up. */
146 static unsigned int _action_
= 0;
149 * Handle signals in the main thread
/**
 * Handler for the starter's control signals (installed with sigaction() in
 * main()). Reaps terminated children with waitpid() and translates the signal
 * into FLAG_ACTION_* bits in _action_ for main()'s pselect() loop to act on.
 * The declarations of `pid` and `name`, and the switch on `signal` that
 * selects which FLAG_ACTION_* assignment below runs, are not shown here.
 *
 * NOTE(review): DBG1/DBG2 are called from inside a signal handler; if they
 * route to starter_dbg() (vsnprintf/syslog), that path is not
 * async-signal-safe. Reaping and flag-setting are safe; the logging is not.
 *
 * @param signal   the signal number being delivered
 */
151 static void signal_handler(int signal
)
157 int status
, exit_status
= 0;
/* Reap every child that has changed state; WNOHANG keeps this from blocking. */
161 while ((pid
= waitpid(-1, &status
, WNOHANG
)) > 0)
/* `name` is presumably assigned a suffix such as " charon" here (not shown)
 * so the log lines below can say which child it was. */
163 if (pid
== starter_charon_pid())
167 if (WIFSIGNALED(status
))
169 DBG2(DBG_APP
, "child %d%s has been killed by sig %d\n",
170 pid
, name?name
:"", WTERMSIG(status
));
172 else if (WIFSTOPPED(status
))
174 DBG2(DBG_APP
, "child %d%s has been stopped by sig %d\n",
175 pid
, name?name
:"", WSTOPSIG(status
));
177 else if (WIFEXITED(status
))
179 exit_status
= WEXITSTATUS(status
);
/* A charon exit code inside SS_RC_FIRST..SS_RC_LAST is a request to bring the
 * starter down as well. Note this is an assignment, not an OR: any other
 * pending FLAG_ACTION_* bits are discarded. */
180 if (exit_status
>= SS_RC_FIRST
&& exit_status
<= SS_RC_LAST
)
182 _action_
= FLAG_ACTION_QUIT
;
184 DBG2(DBG_APP
, "child %d%s has quit (exit code %d)\n",
185 pid
, name?name
:"", exit_status
);
189 DBG2(DBG_APP
, "child %d%s has quit", pid
, name?name
:"");
/* Let the charon bookkeeping forget the pid so starter_charon_pid() returns
 * 0 and a restart can be scheduled. */
191 if (pid
== starter_charon_pid())
193 starter_charon_sigchild(pid
, exit_status
);
/* Remaining switch arms (case labels not shown). Which signal maps to which
 * bit cannot be confirmed from this listing; the FLAG_ACTION_START_CHARON
 * arm is presumably SIGALRM, matching the alarm() scheduled in main(). */
200 _action_
|= FLAG_ACTION_START_CHARON
;
204 _action_
|= FLAG_ACTION_UPDATE
;
210 _action_
|= FLAG_ACTION_QUIT
;
/* A full reload: drop all loaded sections, then re-read the config. */
214 _action_
|= FLAG_ACTION_RELOAD
;
215 _action_
|= FLAG_ACTION_UPDATE
;
/* default arm: every signal this handler is installed for should be covered
 * above, so reaching here indicates a programming error. */
219 DBG1(DBG_APP
, "fsig(): unknown signal %d -- investigate", signal
);
225 * Handle fatal signals raised by threads
/**
 * Handler for SIGSEGV/SIGILL/SIGBUS (installed in main()): logs the signal
 * and the id of the faulting thread, dumps a backtrace to stderr, then logs
 * that the process is about to terminate. The call that actually ends the
 * process follows the last DBG1 and is not shown in this listing.
 * NOTE(review): backtrace_create()/log()/destroy() allocate and use stdio
 * from a signal handler; acceptable as best-effort crash diagnostics, but
 * not async-signal-safe.
 *
 * @param signal   the fatal signal number
 */
227 static void fatal_signal_handler(int signal
)
229 backtrace_t
*backtrace
;
231 DBG1(DBG_APP
, "thread %u received %d", thread_current_id(), signal
);
/* Skip two frames so the trace starts at the faulting code, not here. */
232 backtrace
= backtrace_create(2);
233 backtrace
->log(backtrace
, stderr
, TRUE
);
234 backtrace
->destroy(backtrace
);
236 DBG1(DBG_APP
, "killing ourself, received critical signal");
240 #ifdef GENERATE_SELFCERT
/*
 * Create a default RSA key pair and a minimal ipsec.secrets when SECRETS_FILE
 * does not yet exist (only compiled with GENERATE_SELFCERT). The declarations
 * of stb, buf, uid, gid, oldmask and f, the lines that derive uid/gid from
 * pwp/grp, the restoration of the old umask and the fclose()/NULL check for
 * f are not shown in this listing.
 *
 * NOTE(review): system() runs "ipsec scepclient ..." through the shell and
 * resolves `ipsec` via the inherited PATH while the starter is running as
 * superuser (main() refuses to run otherwise). An absolute path, or
 * posix_spawn()/exec* with an explicit argv, would remove the PATH and shell
 * dependency; the command string itself is a fixed literal.
 */
241 static void generate_selfcert()
245 /* if ipsec.secrets file is missing then generate RSA default key pair */
246 if (stat(SECRETS_FILE
, &stb
) != 0)
/* Look up the IPsec group/user so the secrets file can be handed to them. */
256 struct group group
, *grp
;
258 if (getgrnam_r(IPSEC_GROUP
, &group
, buf
, sizeof(buf
), &grp
) == 0 && grp
)
267 struct passwd passwd
, *pwp
;
269 if (getpwnam_r(IPSEC_USER
, &passwd
, buf
, sizeof(buf
), &pwp
) == 0 && pwp
)
277 ignore_result(system("ipsec scepclient --out pkcs1 --out cert-self --quiet"));
281 /* ipsec.secrets is root readable only */
/* umask 0066 strips group/other read+write from the mode fopen() uses. */
282 oldmask
= umask(0066);
284 f
= fopen(SECRETS_FILE
, "w");
287 fprintf(f
, "# /etc/ipsec.secrets - strongSwan IPsec secrets file\n");
289 fprintf(f
, ": RSA myKey.der\n");
/* chown failure is deliberately ignored (ignore_result); the file stays
 * owned by root, which is still readable by the starter itself. */
292 ignore_result(chown(SECRETS_FILE
, uid
, gid
));
296 #endif /* GENERATE_SELFCERT */
/*
 * Report whether the process recorded in `pid_file` is still alive. Reads the
 * file into a NUL-terminated buffer, converts it to a pid (conversion line
 * not shown) and probes the process with kill(pid, 0). A stale file is logged
 * and, per the message, removed (the unlink() call is not shown). The
 * declarations of stb, pidfile, buf and pid, the fopen() NULL check, the
 * fclose() and the return statements are not shown in this listing.
 *
 * @param pid_file   path of the pid file to inspect
 * @return           TRUE if the recorded process exists, FALSE otherwise
 *                   (return statements not visible here)
 */
298 static bool check_pid(char *pid_file
)
303 if (stat(pid_file
, &stb
) == 0)
305 pidfile
= fopen(pid_file
, "r");
/* Zero-fill so a short read still yields a terminated string. */
310 memset(buf
, 0, sizeof(buf
));
311 if (fread(buf
, 1, sizeof(buf
), pidfile
))
/* Force termination even when the file fills the whole buffer. */
313 buf
[sizeof(buf
) - 1] = '\0';
/* pid must be non-zero: kill(0, 0) would address the caller's own process
 * group and always "succeed". Signal 0 only tests existence/permission. */
317 if (pid
&& kill(pid
, 0) == 0)
318 { /* such a process is running */
322 DBG1(DBG_APP
, "removing pidfile '%s', process not running", pid_file
);
/*
 * Print the command line synopsis to stderr and exit with
 * LSB_RC_INVALID_ARGUMENT. Does not return.
 *
 * @param name   program name (unused in the visible body)
 */
328 static void usage(char *name
)
330 fprintf(stderr
, "Usage: starter [--nofork] [--auto-update <sec>]\n"
331 " [--debug|--debug-more|--debug-all|--nolog]\n"
332 " [--attach-gdb]\n");
333 exit(LSB_RC_INVALID_ARGUMENT
);
/*
 * strongSwan IPsec starter entry point: parses options, checks privileges and
 * prerequisites, loads ipsec.conf, daemonizes, installs signal handling and
 * then loops in pselect() acting on the FLAG_ACTION_* bits set by
 * signal_handler(). Many lines of this function (declarations of i, stb,
 * last_reload, fnull, ts; the fork(); the for(;;) loop header; several
 * closing braces) are not shown in this listing.
 *
 * @return LSB return code (LSB_RC_*), normally via exit()
 */
336 int main (int argc
, char **argv
)
338 starter_config_t
*cfg
= NULL
;
339 starter_config_t
*new_cfg
;
340 starter_conn_t
*conn
, *conn2
;
341 starter_ca_t
*ca
, *ca2
;
343 struct sigaction action
;
349 unsigned long auto_update
= 0;
351 bool no_fork
= FALSE
;
352 bool attach_gdb
= FALSE
;
353 bool load_warning
= FALSE
;
/* library_init() presumably precedes this (line not shown); the matching
 * deinit hooks are registered to run at exit. */
356 atexit(library_deinit
);
358 libhydra_init("starter");
359 atexit(libhydra_deinit
);
361 /* parse command line */
362 for (i
= 1; i
< argc
; i
++)
364 if (streq(argv
[i
], "--debug"))
366 current_loglevel
= 2;
368 else if (streq(argv
[i
], "--debug-more"))
370 current_loglevel
= 3;
372 else if (streq(argv
[i
], "--debug-all"))
374 current_loglevel
= 4;
376 else if (streq(argv
[i
], "--nolog"))
378 current_loglevel
= 0;
/* Bodies of the --nofork and --attach-gdb arms (setting no_fork/attach_gdb)
 * are not shown. */
380 else if (streq(argv
[i
], "--nofork"))
384 else if (streq(argv
[i
], "--attach-gdb"))
/* --auto-update takes a value; the i+1 < argc test keeps ++i in bounds.
 * NOTE(review): atoi() reports no errors, so a non-numeric or negative
 * argument silently yields 0 (auto-update off) or a huge unsigned long;
 * strtoul() with an end-pointer check would reject bad input instead. */
389 else if (streq(argv
[i
], "--auto-update") && i
+1 < argc
)
391 auto_update
= atoi(argv
[++i
]);
/* Logging is initialized only after option parsing so the --debug*/--nolog
 * level is already in effect for the first message. */
401 init_log("ipsec_starter");
/* Startup banner: "weakSwan" if aggressive-mode PSK has been enabled. */
403 DBG1(DBG_APP
, "Starting %sSwan "VERSION
" IPsec [starter]...",
404 lib
->settings
->get_bool(lib
->settings
,
405 "charon.i_dont_care_about_security_and_use_aggressive_mode_psk",
406 FALSE
) ?
"weak" : "strong");
/* Warn when charon's plugin list is pinned manually in strongswan.conf. */
412 if (lib
->settings
->get_bool(lib
->settings
, "starter.load_warning", load_warning
))
414 if (lib
->settings
->get_str(lib
->settings
, "charon.load", NULL
))
416 DBG1(DBG_APP
, "!! Your strongswan.conf contains manual plugin load options for charon.");
417 DBG1(DBG_APP
, "!! This is recommended for experts only, see");
418 DBG1(DBG_APP
, "!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad");
422 /* verify that we can start */
/* The privilege test itself (presumably a uid check) is not shown; only
 * its failure branch is. */
425 DBG1(DBG_APP
, "permission denied (must be superuser)");
426 exit(LSB_RC_NOT_ALLOWED
);
/* An existing, live charon pid file means we manage the running daemon
 * rather than spawning a second one; the else branch sets the start flag. */
429 if (check_pid(CHARON_PID_FILE
))
431 DBG1(DBG_APP
, "charon is already running (%s exists) -- skipping charon start",
436 _action_
|= FLAG_ACTION_START_CHARON
;
/* Refuse to start when either kernel random device is missing. */
438 if (stat(DEV_RANDOM
, &stb
) != 0)
440 DBG1(DBG_APP
, "unable to start strongSwan IPsec -- no %s!", DEV_RANDOM
);
441 exit(LSB_RC_FAILURE
);
444 if (stat(DEV_URANDOM
, &stb
)!= 0)
446 DBG1(DBG_APP
, "unable to start strongSwan IPsec -- no %s!", DEV_URANDOM
);
447 exit(LSB_RC_FAILURE
);
/* Initial config load; any parse error is fatal at startup (unlike a later
 * reload, which keeps the old config). Freeing of cfg on this path is not
 * shown. */
450 cfg
= confread_load(CONFIG_FILE
);
451 if (cfg
== NULL
|| cfg
->err
> 0)
453 DBG1(DBG_APP
, "unable to start strongSwan -- fatal errors in config");
458 exit(LSB_RC_INVALID_ARGUMENT
);
461 /* determine if we have a native netkey IPsec stack */
/* Missing kernel stacks are only warned about, never fatal. */
462 if (!starter_netkey_init())
464 DBG1(DBG_APP
, "no netkey IPsec stack detected");
465 if (!starter_klips_init())
467 DBG1(DBG_APP
, "no KLIPS IPsec stack detected");
468 DBG1(DBG_APP
, "no known IPsec stack detected, ignoring!");
/* Reference point for the --auto-update interval computed before pselect(). */
472 last_reload
= time_monotonic(NULL
);
/* A second live starter is not an error: report it and exit successfully. */
474 if (check_pid(STARTER_PID_FILE
))
476 DBG1(DBG_APP
, "starter is already running (%s exists) -- no fork done",
479 exit(LSB_RC_SUCCESS
);
/* The generate_selfcert() call and the matching #endif are not shown. */
482 #ifdef GENERATE_SELFCERT
486 /* fork if we're not debugging stuff */
/* Daemonizing path (the fork() itself and the no_fork guard are not shown).
 * stderr logging is switched off since stdio is about to be redirected.
 * NOTE(review): the lines between open() and the first dup2() are not
 * shown -- confirm the open() result is checked before it is dup2'd and
 * that fnull is closed afterwards. */
489 log_to_stderr
= FALSE
;
500 fnull
= open("/dev/null", O_RDWR
);
503 dup2(fnull
, STDIN_FILENO
);
504 dup2(fnull
, STDOUT_FILENO
);
505 dup2(fnull
, STDERR_FILENO
);
/* Re-open syslog in the child (LOG_NDELAY in init_log connects now). */
510 init_log("ipsec_starter");
/* fork() failure branch; the parent's normal branch exits below. */
514 DBG1(DBG_APP
, "can't fork: %s", strerror(errno
));
518 exit(LSB_RC_SUCCESS
);
522 /* save pid file in /var/run/starter.pid */
/* NOTE(review): the lines between fopen() and fprintf() are not shown --
 * confirm the NULL check and the fclose(). pid_t is a signed type, so "%u"
 * is a format/argument mismatch; "%d" with an int cast would be exact. */
524 FILE *fd
= fopen(STARTER_PID_FILE
, "w");
528 fprintf(fd
, "%u\n", getpid());
533 /* we handle these signals only in pselect() */
/* Block the control signals in every thread; they are delivered only while
 * pselect() below runs with the (emptied) mask, so handlers never interrupt
 * the bookkeeping in the loop body. */
534 memset(&action
, 0, sizeof(action
));
535 sigemptyset(&action
.sa_mask
);
536 sigaddset(&action
.sa_mask
, SIGHUP
);
537 sigaddset(&action
.sa_mask
, SIGINT
);
538 sigaddset(&action
.sa_mask
, SIGTERM
);
539 sigaddset(&action
.sa_mask
, SIGQUIT
);
540 sigaddset(&action
.sa_mask
, SIGALRM
);
541 sigaddset(&action
.sa_mask
, SIGUSR1
);
542 pthread_sigmask(SIG_SETMASK
, &action
.sa_mask
, NULL
);
544 /* install a handler for fatal signals */
/* action.sa_mask still holds the control signals here, so they stay blocked
 * while any of the handlers installed below runs. */
545 action
.sa_handler
= fatal_signal_handler
;
546 sigaction(SIGSEGV
, &action
, NULL
);
547 sigaction(SIGILL
, &action
, NULL
);
548 sigaction(SIGBUS
, &action
, NULL
);
/* Writes to a closed stroke socket must not kill the starter. */
549 action
.sa_handler
= SIG_IGN
;
550 sigaction(SIGPIPE
, &action
, NULL
);
552 /* install main signal handler */
553 action
.sa_handler
= signal_handler
;
554 sigaction(SIGHUP
, &action
, NULL
);
555 sigaction(SIGINT
, &action
, NULL
);
556 sigaction(SIGTERM
, &action
, NULL
);
557 sigaction(SIGQUIT
, &action
, NULL
);
558 sigaction(SIGALRM
, &action
, NULL
);
559 sigaction(SIGUSR1
, &action
, NULL
);
560 /* this is not blocked above as we want to receive it asynchronously */
561 sigaction(SIGCHLD
, &action
, NULL
);
563 /* empty mask for pselect() call below */
564 sigemptyset(&action
.sa_mask
);
/* Main loop (the for(;;) header is not shown). Each pass handles the pending
 * FLAG_ACTION_* bits in order: quit, reload, update, start charon, then
 * pushes not-yet-loaded sections to charon and waits in pselect(). */
569 * Stop charon (if started) and exit
571 if (_action_
& FLAG_ACTION_QUIT
)
573 if (starter_charon_pid())
575 starter_stop_charon();
577 starter_netkey_cleanup();
579 unlink(STARTER_PID_FILE
);
580 DBG1(DBG_APP
, "ipsec starter stopped");
582 exit(LSB_RC_SUCCESS
);
586 * Delete all connections. Will be added below
/* Reload: unload every section charon currently has and mark it TO_ADD so
 * the "add stale" pass below re-sends it. Routed conns are unrouted first. */
588 if (_action_
& FLAG_ACTION_RELOAD
)
590 if (starter_charon_pid())
592 for (conn
= cfg
->conn_first
; conn
; conn
= conn
->next
)
594 if (conn
->state
== STATE_ADDED
)
596 if (starter_charon_pid())
598 if (conn
->startup
== STARTUP_ROUTE
)
600 starter_stroke_unroute_conn(conn
);
602 starter_stroke_del_conn(conn
);
604 conn
->state
= STATE_TO_ADD
;
607 for (ca
= cfg
->ca_first
; ca
; ca
= ca
->next
)
609 if (ca
->state
== STATE_ADDED
)
611 if (starter_charon_pid())
613 starter_stroke_del_ca(ca
);
615 ca
->state
= STATE_TO_ADD
;
619 _action_
&= ~FLAG_ACTION_RELOAD
;
623 * Update configuration
/* Update: re-read the config and reconcile it with the loaded one. Sections
 * unchanged between old and new keep their loaded state (and id); the rest
 * are removed from charon. Whether cfg/new_cfg are swapped before
 * confread_free() is not visible in this listing. */
625 if (_action_
& FLAG_ACTION_UPDATE
)
627 DBG2(DBG_APP
, "Reloading config...");
628 new_cfg
= confread_load(CONFIG_FILE
);
630 if (new_cfg
&& (new_cfg
->err
== 0))
632 /* Switch to new config. New conn will be loaded below */
634 /* Look for new connections that are already loaded */
635 for (conn
= cfg
->conn_first
; conn
; conn
= conn
->next
)
637 if (conn
->state
== STATE_ADDED
)
639 for (conn2
= new_cfg
->conn_first
; conn2
; conn2
= conn2
->next
)
641 if (conn2
->state
== STATE_TO_ADD
&& starter_cmp_conn(conn
, conn2
))
/* Identical conn: transfer the loaded state and id to the new section. */
643 conn
->state
= STATE_REPLACED
;
644 conn2
->state
= STATE_ADDED
;
645 conn2
->id
= conn
->id
;
652 /* Remove conn sections that have become unused */
653 for (conn
= cfg
->conn_first
; conn
; conn
= conn
->next
)
655 if (conn
->state
== STATE_ADDED
)
657 if (starter_charon_pid())
659 if (conn
->startup
== STARTUP_ROUTE
)
661 starter_stroke_unroute_conn(conn
);
663 starter_stroke_del_conn(conn
);
668 /* Look for new ca sections that are already loaded */
669 for (ca
= cfg
->ca_first
; ca
; ca
= ca
->next
)
671 if (ca
->state
== STATE_ADDED
)
673 for (ca2
= new_cfg
->ca_first
; ca2
; ca2
= ca2
->next
)
675 if (ca2
->state
== STATE_TO_ADD
&& starter_cmp_ca(ca
, ca2
))
677 ca
->state
= STATE_REPLACED
;
678 ca2
->state
= STATE_ADDED
;
685 /* Remove ca sections that have become unused */
686 for (ca
= cfg
->ca_first
; ca
; ca
= ca
->next
)
688 if (ca
->state
== STATE_ADDED
)
690 if (starter_charon_pid())
692 starter_stroke_del_ca(ca
);
/* Parse failure: keep running with the previous configuration. */
701 DBG1(DBG_APP
, "can't reload config file due to errors -- keeping old one");
704 confread_free(new_cfg
);
707 _action_
&= ~FLAG_ACTION_UPDATE
;
708 last_reload
= time_monotonic(NULL
);
/* Start charon if configured and not running. On failure, alarm() arms a
 * SIGALRM after CHARON_RESTART_DELAY seconds; signal_handler() presumably
 * re-sets FLAG_ACTION_START_CHARON from that signal, giving a retry loop. */
714 if (_action_
& FLAG_ACTION_START_CHARON
)
716 if (cfg
->setup
.charonstart
&& !starter_charon_pid())
718 DBG2(DBG_APP
, "Attempting to start charon...");
719 if (starter_start_charon(cfg
, no_fork
, attach_gdb
))
721 /* schedule next try */
722 alarm(CHARON_RESTART_DELAY
);
724 starter_stroke_configure(cfg
);
726 _action_
&= ~FLAG_ACTION_START_CHARON
;
/* A freshly started charon knows nothing yet: demote every section from
 * ADDED back to TO_ADD so the pass below re-sends all of them. */
728 for (ca
= cfg
->ca_first
; ca
; ca
= ca
->next
)
730 if (ca
->state
== STATE_ADDED
)
732 ca
->state
= STATE_TO_ADD
;
736 for (conn
= cfg
->conn_first
; conn
; conn
= conn
->next
)
738 if (conn
->state
== STATE_ADDED
)
740 conn
->state
= STATE_TO_ADD
;
746 * Add stale conn and ca sections
/* Push TO_ADD sections to charon (CAs first), then honour each conn's
 * startup mode (auto=start / auto=route). The id assignment mentioned by the
 * "affect new unique id" comment is not shown. */
748 if (starter_charon_pid())
750 for (ca
= cfg
->ca_first
; ca
; ca
= ca
->next
)
752 if (ca
->state
== STATE_TO_ADD
)
754 if (starter_charon_pid())
756 starter_stroke_add_ca(ca
);
758 ca
->state
= STATE_ADDED
;
762 for (conn
= cfg
->conn_first
; conn
; conn
= conn
->next
)
764 if (conn
->state
== STATE_TO_ADD
)
768 /* affect new unique id */
771 if (starter_charon_pid())
773 starter_stroke_add_conn(cfg
, conn
);
775 conn
->state
= STATE_ADDED
;
777 if (conn
->startup
== STARTUP_START
)
779 if (starter_charon_pid())
781 starter_stroke_initiate_conn(conn
);
784 else if (conn
->startup
== STARTUP_ROUTE
)
786 if (starter_charon_pid())
788 starter_stroke_route_conn(conn
);
796 * If auto_update activated, when to stop select
/* Remaining seconds until the next periodic update; clamped at 0 so an
 * overdue update fires immediately. Uses the monotonic clock, so wall-clock
 * changes cannot stall or spam reloads. */
800 time_t now
= time_monotonic(NULL
);
802 ts
.tv_sec
= (now
< last_reload
+ auto_update
) ?
803 (last_reload
+ auto_update
- now
) : 0;
808 * Wait for something to happen
/* pselect() with no fds is used purely as an interruptible sleep: it swaps
 * in the empty sa_mask atomically, so the blocked control signals are
 * delivered (and handled) only here. A zero return means the timeout
 * elapsed; a signal returns -1/EINTR and the loop simply re-evaluates. */
810 if (pselect(0, NULL
, NULL
, NULL
, auto_update ?
&ts
: NULL
,
811 &action
.sa_mask
) == 0)
813 /* timeout -> auto_update */
814 _action_
|= FLAG_ACTION_UPDATE
;
/* Not reachable: the loop above only leaves via exit(). */
817 exit(LSB_RC_SUCCESS
);