Rebuild library.lo after changing ./configure options
[strongswan.git] / src / starter / starter.c
1 /* strongSwan IPsec starter
2 * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
3 *
4 * This program is free software; you can redistribute it and/or modify it
5 * under the terms of the GNU General Public License as published by the
6 * Free Software Foundation; either version 2 of the License, or (at your
7 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
8 *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * for more details.
13 */
14
15 #include <sys/types.h>
16 #include <sys/wait.h>
17 #include <sys/stat.h>
18 #include <stdlib.h>
19 #include <stdio.h>
20 #include <signal.h>
21 #include <unistd.h>
22 #include <sys/time.h>
23 #include <time.h>
24 #include <string.h>
25 #include <errno.h>
26 #include <fcntl.h>
27 #include <pwd.h>
28 #include <grp.h>
29
30 #include <freeswan.h>
31 #include <library.h>
32
33 #include "../pluto/constants.h"
34 #include "../pluto/defs.h"
35 #include "../pluto/log.h"
36
37 #include "confread.h"
38 #include "files.h"
39 #include "starterwhack.h"
40 #include "starterstroke.h"
41 #include "invokepluto.h"
42 #include "invokecharon.h"
43 #include "netkey.h"
44 #include "klips.h"
45 #include "cmp.h"
46 #include "interfaces.h"
47
48 /**
49 * Return codes defined by Linux Standard Base Core Specification 3.1
50 * in section 20.2. Init Script Actions
51 */
52 #define LSB_RC_SUCCESS 0 /* success */
53 #define LSB_RC_FAILURE 1 /* generic or unspecified error */
54 #define LSB_RC_INVALID_ARGUMENT 2 /* invalid or excess argument(s) */
55 #define LSB_RC_NOT_IMPLEMENTED 3 /* unimplemented feature (reload) */
56 #define LSB_RC_NOT_ALLOWED 4 /* user had insufficient privilege */
57 #define LSB_RC_NOT_INSTALLED 5 /* program is not installed */
58 #define LSB_RC_NOT_CONFIGURED 6 /* program is not configured */
59 #define LSB_RC_NOT_RUNNING 7 /* program is not running */
60
61 #define FLAG_ACTION_START_PLUTO 0x01
62 #define FLAG_ACTION_UPDATE 0x02
63 #define FLAG_ACTION_RELOAD 0x04
64 #define FLAG_ACTION_QUIT 0x08
65 #define FLAG_ACTION_LISTEN 0x10
66 #define FLAG_ACTION_START_CHARON 0x20
67
68 static unsigned int _action_ = 0;
69
70 static void fsig(int signal)
71 {
72 switch (signal)
73 {
74 case SIGCHLD:
75 {
76 int status, exit_status = 0;
77 pid_t pid;
78 char *name = NULL;
79
80 while ((pid = waitpid(-1, &status, WNOHANG)) > 0)
81 {
82 if (pid == starter_pluto_pid())
83 {
84 name = " (Pluto)";
85 }
86 if (pid == starter_charon_pid())
87 {
88 name = " (Charon)";
89 }
90 if (WIFSIGNALED(status))
91 {
92 DBG(DBG_CONTROL,
93 DBG_log("child %d%s has been killed by sig %d\n",
94 pid, name?name:"", WTERMSIG(status))
95 )
96 }
97 else if (WIFSTOPPED(status))
98 {
99 DBG(DBG_CONTROL,
100 DBG_log("child %d%s has been stopped by sig %d\n",
101 pid, name?name:"", WSTOPSIG(status))
102 )
103 }
104 else if (WIFEXITED(status))
105 {
106 exit_status = WEXITSTATUS(status);
107 if (exit_status >= SS_RC_FIRST && exit_status <= SS_RC_LAST)
108 {
109 _action_ = FLAG_ACTION_QUIT;
110 }
111 DBG(DBG_CONTROL,
112 DBG_log("child %d%s has quit (exit code %d)\n",
113 pid, name?name:"", exit_status)
114 )
115 }
116 else
117 {
118 DBG(DBG_CONTROL,
119 DBG_log("child %d%s has quit", pid, name?name:"")
120 )
121 }
122 if (pid == starter_pluto_pid())
123 {
124 starter_pluto_sigchild(pid, exit_status);
125 }
126 if (pid == starter_charon_pid())
127 {
128 starter_charon_sigchild(pid, exit_status);
129 }
130 }
131 }
132 break;
133
134 case SIGPIPE:
135 /** ignore **/
136 break;
137
138 case SIGALRM:
139 _action_ |= FLAG_ACTION_START_PLUTO;
140 _action_ |= FLAG_ACTION_START_CHARON;
141 break;
142
143 case SIGHUP:
144 _action_ |= FLAG_ACTION_UPDATE;
145 break;
146
147 case SIGTERM:
148 case SIGQUIT:
149 case SIGINT:
150 _action_ |= FLAG_ACTION_QUIT;
151 break;
152
153 case SIGUSR1:
154 _action_ |= FLAG_ACTION_RELOAD;
155 _action_ |= FLAG_ACTION_UPDATE;
156 break;
157
158 default:
159 plog("fsig(): unknown signal %d -- investigate", signal);
160 break;
161 }
162 }
163
164 static void generate_selfcert()
165 {
166 struct stat stb;
167
168 /* if ipsec.secrets file is missing then generate RSA default key pair */
169 if (stat(SECRETS_FILE, &stb) != 0)
170 {
171 mode_t oldmask;
172 FILE *f;
173 uid_t uid = 0;
174 gid_t gid = 0;
175
176 #ifdef IPSEC_GROUP
177 {
178 char buf[1024];
179 struct group group, *grp;
180
181 if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) == 0 && grp)
182 {
183 gid = grp->gr_gid;
184 }
185 }
186 #endif
187 #ifdef IPSEC_USER
188 {
189 char buf[1024];
190 struct passwd passwd, *pwp;
191
192 if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) == 0 && pwp)
193 {
194 uid = pwp->pw_uid;
195 }
196 }
197 #endif
198 setegid(gid);
199 seteuid(uid);
200 ignore_result(system("ipsec scepclient --out pkcs1 --out cert-self --quiet"));
201 seteuid(0);
202 setegid(0);
203
204 /* ipsec.secrets is root readable only */
205 oldmask = umask(0066);
206
207 f = fopen(SECRETS_FILE, "w");
208 if (f)
209 {
210 fprintf(f, "# /etc/ipsec.secrets - strongSwan IPsec secrets file\n");
211 fprintf(f, "\n");
212 fprintf(f, ": RSA myKey.der\n");
213 fclose(f);
214 }
215 ignore_result(chown(SECRETS_FILE, uid, gid));
216 umask(oldmask);
217 }
218 }
219
220 static void usage(char *name)
221 {
222 fprintf(stderr, "Usage: starter [--nofork] [--auto-update <sec>] "
223 "[--debug|--debug-more|--debug-all]\n");
224 exit(LSB_RC_INVALID_ARGUMENT);
225 }
226
227 int main (int argc, char **argv)
228 {
229 starter_config_t *cfg = NULL;
230 starter_config_t *new_cfg;
231 starter_conn_t *conn, *conn2;
232 starter_ca_t *ca, *ca2;
233
234 struct stat stb;
235
236 char *err = NULL;
237 int i;
238 int id = 1;
239 struct timeval tv;
240 unsigned long auto_update = 0;
241 time_t last_reload;
242 bool no_fork = FALSE;
243 bool attach_gdb = FALSE;
244 bool load_warning = FALSE;
245
246 /* global variables defined in log.h */
247 log_to_stderr = TRUE;
248 base_debugging = DBG_NONE;
249
250 library_init(NULL);
251 atexit(library_deinit);
252
253 /* parse command line */
254 for (i = 1; i < argc; i++)
255 {
256 if (streq(argv[i], "--debug"))
257 {
258 base_debugging |= DBG_CONTROL;
259 }
260 else if (streq(argv[i], "--debug-more"))
261 {
262 base_debugging |= DBG_CONTROLMORE;
263 }
264 else if (streq(argv[i], "--debug-all"))
265 {
266 base_debugging |= DBG_ALL;
267 }
268 else if (streq(argv[i], "--nofork"))
269 {
270 no_fork = TRUE;
271 }
272 else if (streq(argv[i], "--attach-gdb"))
273 {
274 no_fork = TRUE;
275 attach_gdb = TRUE;
276 }
277 else if (streq(argv[i], "--auto-update") && i+1 < argc)
278 {
279 auto_update = atoi(argv[++i]);
280 if (!auto_update)
281 usage(argv[0]);
282 }
283 else
284 {
285 usage(argv[0]);
286 }
287 }
288
289 /* Init */
290 init_log("ipsec_starter");
291 cur_debugging = base_debugging;
292
293 signal(SIGHUP, fsig);
294 signal(SIGCHLD, fsig);
295 signal(SIGPIPE, fsig);
296 signal(SIGINT, fsig);
297 signal(SIGTERM, fsig);
298 signal(SIGQUIT, fsig);
299 signal(SIGALRM, fsig);
300 signal(SIGUSR1, fsig);
301
302 plog("Starting strongSwan "VERSION" IPsec [starter]...");
303
304 #ifdef LOAD_WARNING
305 load_warning = TRUE;
306 #endif
307
308 if (lib->settings->get_bool(lib->settings, "starter.load_warning", load_warning))
309 {
310 if (lib->settings->get_str(lib->settings, "charon.load", NULL) ||
311 lib->settings->get_str(lib->settings, "pluto.load", NULL))
312 {
313 plog("!! Your strongswan.conf contains manual plugin load options for");
314 plog("!! pluto and/or charon. This is recommended for experts only, see");
315 plog("!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad");
316 }
317 }
318
319 /* verify that we can start */
320 if (getuid() != 0)
321 {
322 plog("permission denied (must be superuser)");
323 exit(LSB_RC_NOT_ALLOWED);
324 }
325
326 if (stat(PLUTO_PID_FILE, &stb) == 0)
327 {
328 plog("pluto is already running (%s exists) -- skipping pluto start", PLUTO_PID_FILE);
329 }
330 else
331 {
332 _action_ |= FLAG_ACTION_START_PLUTO;
333 }
334 if (stat(CHARON_PID_FILE, &stb) == 0)
335 {
336 plog("charon is already running (%s exists) -- skipping charon start", CHARON_PID_FILE);
337 }
338 else
339 {
340 _action_ |= FLAG_ACTION_START_CHARON;
341 }
342 if (stat(DEV_RANDOM, &stb) != 0)
343 {
344 plog("unable to start strongSwan IPsec -- no %s!", DEV_RANDOM);
345 exit(LSB_RC_FAILURE);
346 }
347
348 if (stat(DEV_URANDOM, &stb)!= 0)
349 {
350 plog("unable to start strongSwan IPsec -- no %s!", DEV_URANDOM);
351 exit(LSB_RC_FAILURE);
352 }
353
354 cfg = confread_load(CONFIG_FILE);
355 if (cfg == NULL || cfg->err > 0)
356 {
357 plog("unable to start strongSwan -- fatal errors in config");
358 if (cfg)
359 {
360 confread_free(cfg);
361 }
362 exit(LSB_RC_INVALID_ARGUMENT);
363 }
364
365 /* determine if we have a native netkey IPsec stack */
366 if (!starter_netkey_init())
367 {
368 plog("no netkey IPsec stack detected");
369 if (!starter_klips_init())
370 {
371 plog("no KLIPS IPsec stack detected");
372 plog("no known IPsec stack detected, ignoring!");
373 }
374 }
375
376 last_reload = time_monotonic(NULL);
377
378 if (stat(STARTER_PID_FILE, &stb) == 0)
379 {
380 plog("starter is already running (%s exists) -- no fork done", STARTER_PID_FILE);
381 confread_free(cfg);
382 exit(LSB_RC_SUCCESS);
383 }
384
385 generate_selfcert();
386
387 /* fork if we're not debugging stuff */
388 if (!no_fork)
389 {
390 log_to_stderr = FALSE;
391
392 switch (fork())
393 {
394 case 0:
395 {
396 int fnull = open("/dev/null", O_RDWR);
397
398 if (fnull >= 0)
399 {
400 dup2(fnull, STDIN_FILENO);
401 dup2(fnull, STDOUT_FILENO);
402 dup2(fnull, STDERR_FILENO);
403 close(fnull);
404 }
405 setsid();
406 }
407 break;
408 case -1:
409 plog("can't fork: %s", strerror(errno));
410 break;
411 default:
412 confread_free(cfg);
413 exit(LSB_RC_SUCCESS);
414 }
415 }
416
417 /* save pid file in /var/run/starter.pid */
418 {
419 FILE *fd = fopen(STARTER_PID_FILE, "w");
420
421 if (fd)
422 {
423 fprintf(fd, "%u\n", getpid());
424 fclose(fd);
425 }
426 }
427
428 for (;;)
429 {
430 /*
431 * Stop pluto/charon (if started) and exit
432 */
433 if (_action_ & FLAG_ACTION_QUIT)
434 {
435 if (starter_pluto_pid())
436 {
437 starter_stop_pluto();
438 }
439 if (starter_charon_pid())
440 {
441 starter_stop_charon();
442 }
443 starter_netkey_cleanup();
444 confread_free(cfg);
445 unlink(STARTER_PID_FILE);
446 unlink(INFO_FILE);
447 plog("ipsec starter stopped");
448 close_log();
449 exit(LSB_RC_SUCCESS);
450 }
451
452 /*
453 * Delete all connections. Will be added below
454 */
455 if (_action_ & FLAG_ACTION_RELOAD)
456 {
457 if (starter_pluto_pid() || starter_charon_pid())
458 {
459 for (conn = cfg->conn_first; conn; conn = conn->next)
460 {
461 if (conn->state == STATE_ADDED)
462 {
463 if (starter_charon_pid())
464 {
465 starter_stroke_del_conn(conn);
466 }
467 if (starter_pluto_pid())
468 {
469 starter_whack_del_conn(conn);
470 }
471 conn->state = STATE_TO_ADD;
472 }
473 }
474 for (ca = cfg->ca_first; ca; ca = ca->next)
475 {
476 if (ca->state == STATE_ADDED)
477 {
478 if (starter_charon_pid())
479 {
480 starter_stroke_del_ca(ca);
481 }
482 if (starter_pluto_pid())
483 {
484 starter_whack_del_ca(ca);
485 }
486 ca->state = STATE_TO_ADD;
487 }
488 }
489 }
490 _action_ &= ~FLAG_ACTION_RELOAD;
491 }
492
493 /*
494 * Update configuration
495 */
496 if (_action_ & FLAG_ACTION_UPDATE)
497 {
498 err = NULL;
499 DBG(DBG_CONTROL,
500 DBG_log("Reloading config...")
501 );
502 new_cfg = confread_load(CONFIG_FILE);
503
504 if (new_cfg && (new_cfg->err + new_cfg->non_fatal_err == 0))
505 {
506 /* Switch to new config. New conn will be loaded below */
507 if (!starter_cmp_defaultroute(&new_cfg->defaultroute
508 , &cfg->defaultroute))
509 {
510 _action_ |= FLAG_ACTION_LISTEN;
511 }
512
513 if (!starter_cmp_pluto(cfg, new_cfg))
514 {
515 plog("Pluto has changed");
516 if (starter_pluto_pid())
517 starter_stop_pluto();
518 _action_ &= ~FLAG_ACTION_LISTEN;
519 _action_ |= FLAG_ACTION_START_PLUTO;
520 }
521 else
522 {
523 /* Only reload conn and ca sections if pluto is not killed */
524
525 /* Look for new connections that are already loaded */
526 for (conn = cfg->conn_first; conn; conn = conn->next)
527 {
528 if (conn->state == STATE_ADDED)
529 {
530 for (conn2 = new_cfg->conn_first; conn2; conn2 = conn2->next)
531 {
532 if (conn2->state == STATE_TO_ADD && starter_cmp_conn(conn, conn2))
533 {
534 conn->state = STATE_REPLACED;
535 conn2->state = STATE_ADDED;
536 conn2->id = conn->id;
537 break;
538 }
539 }
540 }
541 }
542
543 /* Remove conn sections that have become unused */
544 for (conn = cfg->conn_first; conn; conn = conn->next)
545 {
546 if (conn->state == STATE_ADDED)
547 {
548 if (starter_charon_pid())
549 {
550 starter_stroke_del_conn(conn);
551 }
552 if (starter_pluto_pid())
553 {
554 starter_whack_del_conn(conn);
555 }
556 }
557 }
558
559 /* Look for new ca sections that are already loaded */
560 for (ca = cfg->ca_first; ca; ca = ca->next)
561 {
562 if (ca->state == STATE_ADDED)
563 {
564 for (ca2 = new_cfg->ca_first; ca2; ca2 = ca2->next)
565 {
566 if (ca2->state == STATE_TO_ADD && starter_cmp_ca(ca, ca2))
567 {
568 ca->state = STATE_REPLACED;
569 ca2->state = STATE_ADDED;
570 break;
571 }
572 }
573 }
574 }
575
576 /* Remove ca sections that have become unused */
577 for (ca = cfg->ca_first; ca; ca = ca->next)
578 {
579 if (ca->state == STATE_ADDED)
580 {
581 if (starter_charon_pid())
582 {
583 starter_stroke_del_ca(ca);
584 }
585 if (starter_pluto_pid())
586 {
587 starter_whack_del_ca(ca);
588 }
589 }
590 }
591 }
592 confread_free(cfg);
593 cfg = new_cfg;
594 }
595 else
596 {
597 plog("can't reload config file due to errors -- keeping old one");
598 if (new_cfg)
599 {
600 confread_free(new_cfg);
601 }
602 }
603 _action_ &= ~FLAG_ACTION_UPDATE;
604 last_reload = time_monotonic(NULL);
605 }
606
607 /*
608 * Start pluto
609 */
610 if (_action_ & FLAG_ACTION_START_PLUTO)
611 {
612 if (cfg->setup.plutostart && !starter_pluto_pid())
613 {
614 DBG(DBG_CONTROL,
615 DBG_log("Attempting to start pluto...")
616 );
617
618 if (starter_start_pluto(cfg, no_fork, attach_gdb) == 0)
619 {
620 starter_whack_listen();
621 }
622 else
623 {
624 /* schedule next try */
625 alarm(PLUTO_RESTART_DELAY);
626 }
627 }
628 _action_ &= ~FLAG_ACTION_START_PLUTO;
629
630 for (ca = cfg->ca_first; ca; ca = ca->next)
631 {
632 if (ca->state == STATE_ADDED)
633 ca->state = STATE_TO_ADD;
634 }
635
636 for (conn = cfg->conn_first; conn; conn = conn->next)
637 {
638 if (conn->state == STATE_ADDED)
639 conn->state = STATE_TO_ADD;
640 }
641 }
642
643 /*
644 * Start charon
645 */
646 if (_action_ & FLAG_ACTION_START_CHARON)
647 {
648 if (cfg->setup.charonstart && !starter_charon_pid())
649 {
650 DBG(DBG_CONTROL,
651 DBG_log("Attempting to start charon...")
652 );
653 if (starter_start_charon(cfg, no_fork, attach_gdb))
654 {
655 /* schedule next try */
656 alarm(PLUTO_RESTART_DELAY);
657 }
658 starter_stroke_configure(cfg);
659 }
660 _action_ &= ~FLAG_ACTION_START_CHARON;
661 }
662
663 /*
664 * Tell pluto to reread its interfaces
665 */
666 if (_action_ & FLAG_ACTION_LISTEN)
667 {
668 if (starter_pluto_pid())
669 {
670 starter_whack_listen();
671 _action_ &= ~FLAG_ACTION_LISTEN;
672 }
673 }
674
675 /*
676 * Add stale conn and ca sections
677 */
678 if (starter_pluto_pid() || starter_charon_pid())
679 {
680 for (ca = cfg->ca_first; ca; ca = ca->next)
681 {
682 if (ca->state == STATE_TO_ADD)
683 {
684 if (starter_charon_pid())
685 {
686 starter_stroke_add_ca(ca);
687 }
688 if (starter_pluto_pid())
689 {
690 starter_whack_add_ca(ca);
691 }
692 ca->state = STATE_ADDED;
693 }
694 }
695
696 for (conn = cfg->conn_first; conn; conn = conn->next)
697 {
698 if (conn->state == STATE_TO_ADD)
699 {
700 if (conn->id == 0)
701 {
702 /* affect new unique id */
703 conn->id = id++;
704 }
705 if (starter_charon_pid())
706 {
707 starter_stroke_add_conn(cfg, conn);
708 }
709 if (starter_pluto_pid())
710 {
711 starter_whack_add_conn(conn);
712 }
713 conn->state = STATE_ADDED;
714
715 if (conn->startup == STARTUP_START)
716 {
717 if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
718 {
719 if (starter_charon_pid())
720 {
721 starter_stroke_initiate_conn(conn);
722 }
723 }
724 else
725 {
726 if (starter_pluto_pid())
727 {
728 starter_whack_initiate_conn(conn);
729 }
730 }
731 }
732 else if (conn->startup == STARTUP_ROUTE)
733 {
734 if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
735 {
736 if (starter_charon_pid())
737 {
738 starter_stroke_route_conn(conn);
739 }
740 }
741 else
742 {
743 if (starter_pluto_pid())
744 {
745 starter_whack_route_conn(conn);
746 }
747 }
748 }
749 }
750 }
751 }
752
753 /*
754 * If auto_update activated, when to stop select
755 */
756 if (auto_update)
757 {
758 time_t now = time_monotonic(NULL);
759
760 tv.tv_sec = (now < last_reload + auto_update)
761 ? (last_reload + auto_update-now) : 0;
762 tv.tv_usec = 0;
763 }
764
765 /*
766 * Wait for something to happen
767 */
768 if (select(0, NULL, NULL, NULL, auto_update ? &tv : NULL) == 0)
769 {
770 /* timeout -> auto_update */
771 _action_ |= FLAG_ACTION_UPDATE;
772 }
773 }
774 exit(LSB_RC_SUCCESS);
775 }
776