use SS_RC_FIRST and SS_RC_LAST
[strongswan.git] / src / starter / starter.c
1 /* strongSwan IPsec starter
2 * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
3 *
4 * This program is free software; you can redistribute it and/or modify it
5 * under the terms of the GNU General Public License as published by the
6 * Free Software Foundation; either version 2 of the License, or (at your
7 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
8 *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * for more details.
13 */
14
15 #include <sys/types.h>
16 #include <sys/wait.h>
17 #include <sys/stat.h>
18 #include <stdlib.h>
19 #include <stdio.h>
20 #include <signal.h>
21 #include <unistd.h>
22 #include <sys/time.h>
23 #include <time.h>
24 #include <string.h>
25 #include <errno.h>
26 #include <fcntl.h>
27 #include <pwd.h>
28 #include <grp.h>
29
30 #include <freeswan.h>
31
32 #include "../pluto/constants.h"
33 #include "../pluto/defs.h"
34 #include "../pluto/log.h"
35
36 #include "confread.h"
37 #include "files.h"
38 #include "starterwhack.h"
39 #include "starterstroke.h"
40 #include "invokepluto.h"
41 #include "invokecharon.h"
42 #include "netkey.h"
43 #include "klips.h"
44 #include "cmp.h"
45 #include "interfaces.h"
46
47 /**
48 * Return codes defined by Linux Standard Base Core Specification 3.1
49 * in section 20.2. Init Script Actions
50 */
51 #define LSB_RC_SUCCESS 0 /* success */
52 #define LSB_RC_FAILURE 1 /* generic or unspecified error */
53 #define LSB_RC_INVALID_ARGUMENT 2 /* invalid or excess argument(s) */
54 #define LSB_RC_NOT_IMPLEMENTED 3 /* unimplemented feature (reload) */
55 #define LSB_RC_NOT_ALLOWED 4 /* user had insufficient privilege */
56 #define LSB_RC_NOT_INSTALLED 5 /* program is not installed */
57 #define LSB_RC_NOT_CONFIGURED 6 /* program is not configured */
58 #define LSB_RC_NOT_RUNNING 7 /* program is not running */
59
60 #define FLAG_ACTION_START_PLUTO 0x01
61 #define FLAG_ACTION_UPDATE 0x02
62 #define FLAG_ACTION_RELOAD 0x04
63 #define FLAG_ACTION_QUIT 0x08
64 #define FLAG_ACTION_LISTEN 0x10
65 #define FLAG_ACTION_START_CHARON 0x20
66
67 static unsigned int _action_ = 0;
68
69 static void fsig(int signal)
70 {
71 switch (signal)
72 {
73 case SIGCHLD:
74 {
75 int status, exit_status = 0;
76 pid_t pid;
77 char *name = NULL;
78
79 while ((pid = waitpid(-1, &status, WNOHANG)) > 0)
80 {
81 if (pid == starter_pluto_pid())
82 {
83 name = " (Pluto)";
84 }
85 if (pid == starter_charon_pid())
86 {
87 name = " (Charon)";
88 }
89 if (WIFSIGNALED(status))
90 {
91 DBG(DBG_CONTROL,
92 DBG_log("child %d%s has been killed by sig %d\n",
93 pid, name?name:"", WTERMSIG(status))
94 )
95 }
96 else if (WIFSTOPPED(status))
97 {
98 DBG(DBG_CONTROL,
99 DBG_log("child %d%s has been stopped by sig %d\n",
100 pid, name?name:"", WSTOPSIG(status))
101 )
102 }
103 else if (WIFEXITED(status))
104 {
105 exit_status = WEXITSTATUS(status);
106 if (exit_status >= SS_RC_FIRST && exit_status <= SS_RC_LAST)
107 {
108 _action_ = FLAG_ACTION_QUIT;
109 }
110 DBG(DBG_CONTROL,
111 DBG_log("child %d%s has quit (exit code %d)\n",
112 pid, name?name:"", exit_status)
113 )
114 }
115 else
116 {
117 DBG(DBG_CONTROL,
118 DBG_log("child %d%s has quit", pid, name?name:"")
119 )
120 }
121 if (pid == starter_pluto_pid())
122 {
123 starter_pluto_sigchild(pid, exit_status);
124 }
125 if (pid == starter_charon_pid())
126 {
127 starter_charon_sigchild(pid, exit_status);
128 }
129 }
130 }
131 break;
132
133 case SIGPIPE:
134 /** ignore **/
135 break;
136
137 case SIGALRM:
138 _action_ |= FLAG_ACTION_START_PLUTO;
139 _action_ |= FLAG_ACTION_START_CHARON;
140 break;
141
142 case SIGHUP:
143 _action_ |= FLAG_ACTION_UPDATE;
144 break;
145
146 case SIGTERM:
147 case SIGQUIT:
148 case SIGINT:
149 _action_ |= FLAG_ACTION_QUIT;
150 break;
151
152 case SIGUSR1:
153 _action_ |= FLAG_ACTION_RELOAD;
154 _action_ |= FLAG_ACTION_UPDATE;
155 break;
156
157 default:
158 plog("fsig(): unknown signal %d -- investigate", signal);
159 break;
160 }
161 }
162
163 static void generate_selfcert()
164 {
165 struct stat stb;
166
167 /* if ipsec.secrets file is missing then generate RSA default key pair */
168 if (stat(SECRETS_FILE, &stb) != 0)
169 {
170 mode_t oldmask;
171 FILE *f;
172 uid_t uid = 0;
173 gid_t gid = 0;
174
175 #ifdef IPSEC_GROUP
176 {
177 char buf[1024];
178 struct group group, *grp;
179
180 if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) == 0 && grp)
181 {
182 gid = grp->gr_gid;
183 }
184 }
185 #endif
186 #ifdef IPSEC_USER
187 {
188 char buf[1024];
189 struct passwd passwd, *pwp;
190
191 if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) == 0 && pwp)
192 {
193 uid = pwp->pw_uid;
194 }
195 }
196 #endif
197 setegid(gid);
198 seteuid(uid);
199 ignore_result(system("ipsec scepclient --out pkcs1 --out cert-self --quiet"));
200 seteuid(0);
201 setegid(0);
202
203 /* ipsec.secrets is root readable only */
204 oldmask = umask(0066);
205
206 f = fopen(SECRETS_FILE, "w");
207 if (f)
208 {
209 fprintf(f, "# /etc/ipsec.secrets - strongSwan IPsec secrets file\n");
210 fprintf(f, "\n");
211 fprintf(f, ": RSA myKey.der\n");
212 fclose(f);
213 }
214 ignore_result(chown(SECRETS_FILE, uid, gid));
215 umask(oldmask);
216 }
217 }
218
219 static void usage(char *name)
220 {
221 fprintf(stderr, "Usage: starter [--nofork] [--auto-update <sec>] "
222 "[--debug|--debug-more|--debug-all]\n");
223 exit(LSB_RC_INVALID_ARGUMENT);
224 }
225
226 int main (int argc, char **argv)
227 {
228 starter_config_t *cfg = NULL;
229 starter_config_t *new_cfg;
230 starter_conn_t *conn, *conn2;
231 starter_ca_t *ca, *ca2;
232
233 struct stat stb;
234
235 char *err = NULL;
236 int i;
237 int id = 1;
238 struct timeval tv;
239 unsigned long auto_update = 0;
240 time_t last_reload;
241 bool no_fork = FALSE;
242 bool attach_gdb = FALSE;
243
244 /* global variables defined in log.h */
245 log_to_stderr = TRUE;
246 base_debugging = DBG_NONE;
247
248 /* parse command line */
249 for (i = 1; i < argc; i++)
250 {
251 if (streq(argv[i], "--debug"))
252 {
253 base_debugging |= DBG_CONTROL;
254 }
255 else if (streq(argv[i], "--debug-more"))
256 {
257 base_debugging |= DBG_CONTROLMORE;
258 }
259 else if (streq(argv[i], "--debug-all"))
260 {
261 base_debugging |= DBG_ALL;
262 }
263 else if (streq(argv[i], "--nofork"))
264 {
265 no_fork = TRUE;
266 }
267 else if (streq(argv[i], "--attach-gdb"))
268 {
269 no_fork = TRUE;
270 attach_gdb = TRUE;
271 }
272 else if (streq(argv[i], "--auto-update") && i+1 < argc)
273 {
274 auto_update = atoi(argv[++i]);
275 if (!auto_update)
276 usage(argv[0]);
277 }
278 else
279 {
280 usage(argv[0]);
281 }
282 }
283
284 /* Init */
285 init_log("ipsec_starter");
286 cur_debugging = base_debugging;
287
288 signal(SIGHUP, fsig);
289 signal(SIGCHLD, fsig);
290 signal(SIGPIPE, fsig);
291 signal(SIGINT, fsig);
292 signal(SIGTERM, fsig);
293 signal(SIGQUIT, fsig);
294 signal(SIGALRM, fsig);
295 signal(SIGUSR1, fsig);
296
297 plog("Starting strongSwan "VERSION" IPsec [starter]...");
298
299 /* verify that we can start */
300 if (getuid() != 0)
301 {
302 plog("permission denied (must be superuser)");
303 exit(LSB_RC_NOT_ALLOWED);
304 }
305
306 if (stat(PLUTO_PID_FILE, &stb) == 0)
307 {
308 plog("pluto is already running (%s exists) -- skipping pluto start", PLUTO_PID_FILE);
309 }
310 else
311 {
312 _action_ |= FLAG_ACTION_START_PLUTO;
313 }
314 if (stat(CHARON_PID_FILE, &stb) == 0)
315 {
316 plog("charon is already running (%s exists) -- skipping charon start", CHARON_PID_FILE);
317 }
318 else
319 {
320 _action_ |= FLAG_ACTION_START_CHARON;
321 }
322 if (stat(DEV_RANDOM, &stb) != 0)
323 {
324 plog("unable to start strongSwan IPsec -- no %s!", DEV_RANDOM);
325 exit(LSB_RC_FAILURE);
326 }
327
328 if (stat(DEV_URANDOM, &stb)!= 0)
329 {
330 plog("unable to start strongSwan IPsec -- no %s!", DEV_URANDOM);
331 exit(LSB_RC_FAILURE);
332 }
333
334 cfg = confread_load(CONFIG_FILE);
335 if (cfg == NULL || cfg->err > 0)
336 {
337 plog("unable to start strongSwan -- fatal errors in config");
338 if (cfg)
339 {
340 confread_free(cfg);
341 }
342 exit(LSB_RC_INVALID_ARGUMENT);
343 }
344
345 /* determine if we have a native netkey IPsec stack */
346 if (!starter_netkey_init())
347 {
348 plog("no netkey IPsec stack detected");
349 if (!starter_klips_init())
350 {
351 plog("no KLIPS IPsec stack detected");
352 plog("no known IPsec stack detected, ignoring!");
353 }
354 }
355
356 last_reload = time(NULL);
357
358 if (stat(STARTER_PID_FILE, &stb) == 0)
359 {
360 plog("starter is already running (%s exists) -- no fork done", STARTER_PID_FILE);
361 exit(LSB_RC_SUCCESS);
362 }
363
364 generate_selfcert();
365
366 /* fork if we're not debugging stuff */
367 if (!no_fork)
368 {
369 log_to_stderr = FALSE;
370
371 switch (fork())
372 {
373 case 0:
374 {
375 int fnull = open("/dev/null", O_RDWR);
376
377 if (fnull >= 0)
378 {
379 dup2(fnull, STDIN_FILENO);
380 dup2(fnull, STDOUT_FILENO);
381 dup2(fnull, STDERR_FILENO);
382 close(fnull);
383 }
384 setsid();
385 }
386 break;
387 case -1:
388 plog("can't fork: %s", strerror(errno));
389 break;
390 default:
391 exit(LSB_RC_SUCCESS);
392 }
393 }
394
395 /* save pid file in /var/run/starter.pid */
396 {
397 FILE *fd = fopen(STARTER_PID_FILE, "w");
398
399 if (fd)
400 {
401 fprintf(fd, "%u\n", getpid());
402 fclose(fd);
403 }
404 }
405
406 for (;;)
407 {
408 /*
409 * Stop pluto/charon (if started) and exit
410 */
411 if (_action_ & FLAG_ACTION_QUIT)
412 {
413 if (starter_pluto_pid())
414 {
415 starter_stop_pluto();
416 }
417 if (starter_charon_pid())
418 {
419 starter_stop_charon();
420 }
421 starter_netkey_cleanup();
422 confread_free(cfg);
423 unlink(STARTER_PID_FILE);
424 unlink(INFO_FILE);
425 #ifdef LEAK_DETECTIVE
426 report_leaks();
427 #endif /* LEAK_DETECTIVE */
428 close_log();
429 plog("ipsec starter stopped");
430 exit(LSB_RC_SUCCESS);
431 }
432
433 /*
434 * Delete all connections. Will be added below
435 */
436 if (_action_ & FLAG_ACTION_RELOAD)
437 {
438 if (starter_pluto_pid() || starter_charon_pid())
439 {
440 for (conn = cfg->conn_first; conn; conn = conn->next)
441 {
442 if (conn->state == STATE_ADDED)
443 {
444 if (starter_charon_pid())
445 {
446 starter_stroke_del_conn(conn);
447 }
448 if (starter_pluto_pid())
449 {
450 starter_whack_del_conn(conn);
451 }
452 conn->state = STATE_TO_ADD;
453 }
454 }
455 for (ca = cfg->ca_first; ca; ca = ca->next)
456 {
457 if (ca->state == STATE_ADDED)
458 {
459 if (starter_charon_pid())
460 {
461 starter_stroke_del_ca(ca);
462 }
463 if (starter_pluto_pid())
464 {
465 starter_whack_del_ca(ca);
466 }
467 ca->state = STATE_TO_ADD;
468 }
469 }
470 }
471 _action_ &= ~FLAG_ACTION_RELOAD;
472 }
473
474 /*
475 * Update configuration
476 */
477 if (_action_ & FLAG_ACTION_UPDATE)
478 {
479 err = NULL;
480 DBG(DBG_CONTROL,
481 DBG_log("Reloading config...")
482 );
483 new_cfg = confread_load(CONFIG_FILE);
484
485 if (new_cfg && (new_cfg->err + new_cfg->non_fatal_err == 0))
486 {
487 /* Switch to new config. New conn will be loaded below */
488 if (!starter_cmp_defaultroute(&new_cfg->defaultroute
489 , &cfg->defaultroute))
490 {
491 _action_ |= FLAG_ACTION_LISTEN;
492 }
493
494 if (!starter_cmp_pluto(cfg, new_cfg))
495 {
496 plog("Pluto has changed");
497 if (starter_pluto_pid())
498 starter_stop_pluto();
499 _action_ &= ~FLAG_ACTION_LISTEN;
500 _action_ |= FLAG_ACTION_START_PLUTO;
501 }
502 else
503 {
504 /* Only reload conn and ca sections if pluto is not killed */
505
506 /* Look for new connections that are already loaded */
507 for (conn = cfg->conn_first; conn; conn = conn->next)
508 {
509 if (conn->state == STATE_ADDED)
510 {
511 for (conn2 = new_cfg->conn_first; conn2; conn2 = conn2->next)
512 {
513 if (conn2->state == STATE_TO_ADD && starter_cmp_conn(conn, conn2))
514 {
515 conn->state = STATE_REPLACED;
516 conn2->state = STATE_ADDED;
517 conn2->id = conn->id;
518 break;
519 }
520 }
521 }
522 }
523
524 /* Remove conn sections that have become unused */
525 for (conn = cfg->conn_first; conn; conn = conn->next)
526 {
527 if (conn->state == STATE_ADDED)
528 {
529 if (starter_charon_pid())
530 {
531 starter_stroke_del_conn(conn);
532 }
533 if (starter_pluto_pid())
534 {
535 starter_whack_del_conn(conn);
536 }
537 }
538 }
539
540 /* Look for new ca sections that are already loaded */
541 for (ca = cfg->ca_first; ca; ca = ca->next)
542 {
543 if (ca->state == STATE_ADDED)
544 {
545 for (ca2 = new_cfg->ca_first; ca2; ca2 = ca2->next)
546 {
547 if (ca2->state == STATE_TO_ADD && starter_cmp_ca(ca, ca2))
548 {
549 ca->state = STATE_REPLACED;
550 ca2->state = STATE_ADDED;
551 break;
552 }
553 }
554 }
555 }
556
557 /* Remove ca sections that have become unused */
558 for (ca = cfg->ca_first; ca; ca = ca->next)
559 {
560 if (ca->state == STATE_ADDED)
561 {
562 if (starter_charon_pid())
563 {
564 starter_stroke_del_ca(ca);
565 }
566 if (starter_pluto_pid())
567 {
568 starter_whack_del_ca(ca);
569 }
570 }
571 }
572 }
573 confread_free(cfg);
574 cfg = new_cfg;
575 }
576 else
577 {
578 plog("can't reload config file due to errors -- keeping old one");
579 if (new_cfg)
580 {
581 confread_free(new_cfg);
582 }
583 }
584 _action_ &= ~FLAG_ACTION_UPDATE;
585 last_reload = time(NULL);
586 }
587
588 /*
589 * Start pluto
590 */
591 if (_action_ & FLAG_ACTION_START_PLUTO)
592 {
593 if (cfg->setup.plutostart && !starter_pluto_pid())
594 {
595 DBG(DBG_CONTROL,
596 DBG_log("Attempting to start pluto...")
597 );
598
599 if (starter_start_pluto(cfg, no_fork, attach_gdb) == 0)
600 {
601 starter_whack_listen();
602 }
603 else
604 {
605 /* schedule next try */
606 alarm(PLUTO_RESTART_DELAY);
607 }
608 }
609 _action_ &= ~FLAG_ACTION_START_PLUTO;
610
611 for (ca = cfg->ca_first; ca; ca = ca->next)
612 {
613 if (ca->state == STATE_ADDED)
614 ca->state = STATE_TO_ADD;
615 }
616
617 for (conn = cfg->conn_first; conn; conn = conn->next)
618 {
619 if (conn->state == STATE_ADDED)
620 conn->state = STATE_TO_ADD;
621 }
622 }
623
624 /*
625 * Start charon
626 */
627 if (_action_ & FLAG_ACTION_START_CHARON)
628 {
629 if (cfg->setup.charonstart && !starter_charon_pid())
630 {
631 DBG(DBG_CONTROL,
632 DBG_log("Attempting to start charon...")
633 );
634 if (starter_start_charon(cfg, no_fork, attach_gdb))
635 {
636 /* schedule next try */
637 alarm(PLUTO_RESTART_DELAY);
638 }
639 starter_stroke_configure(cfg);
640 }
641 _action_ &= ~FLAG_ACTION_START_CHARON;
642 }
643
644 /*
645 * Tell pluto to reread its interfaces
646 */
647 if (_action_ & FLAG_ACTION_LISTEN)
648 {
649 if (starter_pluto_pid())
650 {
651 starter_whack_listen();
652 _action_ &= ~FLAG_ACTION_LISTEN;
653 }
654 }
655
656 /*
657 * Add stale conn and ca sections
658 */
659 if (starter_pluto_pid() || starter_charon_pid())
660 {
661 for (ca = cfg->ca_first; ca; ca = ca->next)
662 {
663 if (ca->state == STATE_TO_ADD)
664 {
665 if (starter_charon_pid())
666 {
667 starter_stroke_add_ca(ca);
668 }
669 if (starter_pluto_pid())
670 {
671 starter_whack_add_ca(ca);
672 }
673 ca->state = STATE_ADDED;
674 }
675 }
676
677 for (conn = cfg->conn_first; conn; conn = conn->next)
678 {
679 if (conn->state == STATE_TO_ADD)
680 {
681 if (conn->id == 0)
682 {
683 /* affect new unique id */
684 conn->id = id++;
685 }
686 if (starter_charon_pid())
687 {
688 starter_stroke_add_conn(cfg, conn);
689 }
690 if (starter_pluto_pid())
691 {
692 starter_whack_add_conn(conn);
693 }
694 conn->state = STATE_ADDED;
695
696 if (conn->startup == STARTUP_START)
697 {
698 if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
699 {
700 if (starter_charon_pid())
701 {
702 starter_stroke_initiate_conn(conn);
703 }
704 }
705 else
706 {
707 if (starter_pluto_pid())
708 {
709 starter_whack_initiate_conn(conn);
710 }
711 }
712 }
713 else if (conn->startup == STARTUP_ROUTE)
714 {
715 if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
716 {
717 if (starter_charon_pid())
718 {
719 starter_stroke_route_conn(conn);
720 }
721 }
722 else
723 {
724 if (starter_pluto_pid())
725 {
726 starter_whack_route_conn(conn);
727 }
728 }
729 }
730 }
731 }
732 }
733
734 /*
735 * If auto_update activated, when to stop select
736 */
737 if (auto_update)
738 {
739 time_t now = time(NULL);
740
741 tv.tv_sec = (now < last_reload + auto_update)
742 ? (last_reload + auto_update-now) : 0;
743 tv.tv_usec = 0;
744 }
745
746 /*
747 * Wait for something to happen
748 */
749 if (select(0, NULL, NULL, NULL, auto_update ? &tv : NULL) == 0)
750 {
751 /* timeout -> auto_update */
752 _action_ |= FLAG_ACTION_UPDATE;
753 }
754 }
755 exit(LSB_RC_SUCCESS);
756 }
757