replaced --with-gid/uid by --with-group/user
[strongswan.git] / src / starter / starter.c
1 /* strongSwan IPsec starter
2 * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
3 *
4 * This program is free software; you can redistribute it and/or modify it
5 * under the terms of the GNU General Public License as published by the
6 * Free Software Foundation; either version 2 of the License, or (at your
7 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
8 *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * for more details.
13 *
14 * RCSID $Id$
15 */
16
17 #include <sys/types.h>
18 #include <sys/wait.h>
19 #include <sys/stat.h>
20 #include <stdlib.h>
21 #include <stdio.h>
22 #include <signal.h>
23 #include <unistd.h>
24 #include <sys/time.h>
25 #include <time.h>
26 #include <string.h>
27 #include <errno.h>
28 #include <fcntl.h>
29 #include <pwd.h>
30 #include <grp.h>
31
32 #include <freeswan.h>
33
34 #include "../pluto/constants.h"
35 #include "../pluto/defs.h"
36 #include "../pluto/log.h"
37
38 #include "confread.h"
39 #include "files.h"
40 #include "starterwhack.h"
41 #include "starterstroke.h"
42 #include "invokepluto.h"
43 #include "invokecharon.h"
44 #include "netkey.h"
45 #include "cmp.h"
46 #include "interfaces.h"
47
48 /**
49 * Return codes defined by Linux Standard Base Core Specification 3.1
50 * in section 20.2. Init Script Actions
51 */
52 #define LSB_RC_SUCCESS 0 /* success */
53 #define LSB_RC_FAILURE 1 /* generic or unspecified error */
54 #define LSB_RC_INVALID_ARGUMENT 2 /* invalid or excess argument(s) */
55 #define LSB_RC_NOT_IMPLEMENTED 3 /* unimplemented feature (reload) */
56 #define LSB_RC_NOT_ALLOWED 4 /* user had insufficient privilege */
57 #define LSB_RC_NOT_INSTALLED 5 /* program is not installed */
58 #define LSB_RC_NOT_CONFIGURED 6 /* program is not configured */
59 #define LSB_RC_NOT_RUNNING 7 /* program is not running */
60
61 #define FLAG_ACTION_START_PLUTO 0x01
62 #define FLAG_ACTION_UPDATE 0x02
63 #define FLAG_ACTION_RELOAD 0x04
64 #define FLAG_ACTION_QUIT 0x08
65 #define FLAG_ACTION_LISTEN 0x10
66 #define FLAG_ACTION_START_CHARON 0x20
67
68 static unsigned int _action_ = 0;
69
70 static void
71 fsig(int signal)
72 {
73 switch (signal)
74 {
75 case SIGCHLD:
76 {
77 int status;
78 pid_t pid;
79 char *name = NULL;
80
81 while ((pid = waitpid(-1, &status, WNOHANG)) > 0)
82 {
83 if (pid == starter_pluto_pid())
84 name = " (Pluto)";
85 if (pid == starter_charon_pid())
86 name = " (Charon)";
87 if (WIFSIGNALED(status))
88 DBG(DBG_CONTROL,
89 DBG_log("child %d%s has been killed by sig %d\n",
90 pid, name?name:"", WTERMSIG(status))
91 )
92 else if (WIFSTOPPED(status))
93 DBG(DBG_CONTROL,
94 DBG_log("child %d%s has been stopped by sig %d\n",
95 pid, name?name:"", WSTOPSIG(status))
96 )
97 else if (WIFEXITED(status))
98 DBG(DBG_CONTROL,
99 DBG_log("child %d%s has quit (exit code %d)\n",
100 pid, name?name:"", WEXITSTATUS(status))
101 )
102 else
103 DBG(DBG_CONTROL,
104 DBG_log("child %d%s has quit", pid, name?name:"")
105 )
106 if (pid == starter_pluto_pid())
107 starter_pluto_sigchild(pid);
108 if (pid == starter_charon_pid())
109 starter_charon_sigchild(pid);
110 }
111 }
112 break;
113
114 case SIGPIPE:
115 /** ignore **/
116 break;
117
118 case SIGALRM:
119 _action_ |= FLAG_ACTION_START_PLUTO;
120 _action_ |= FLAG_ACTION_START_CHARON;
121 break;
122
123 case SIGHUP:
124 _action_ |= FLAG_ACTION_UPDATE;
125 break;
126
127 case SIGTERM:
128 case SIGQUIT:
129 case SIGINT:
130 _action_ |= FLAG_ACTION_QUIT;
131 break;
132
133 case SIGUSR1:
134 _action_ |= FLAG_ACTION_RELOAD;
135 _action_ |= FLAG_ACTION_UPDATE;
136 break;
137
138 default:
139 plog("fsig(): unknown signal %d -- investigate", signal);
140 break;
141 }
142 }
143
144 static void generate_selfcert()
145 {
146 struct stat stb;
147
148 /* if ipsec.secrets file is missing then generate RSA default key pair */
149 if (stat(SECRETS_FILE, &stb) != 0)
150 {
151 mode_t oldmask;
152 FILE *f;
153 uid_t uid = 0;
154 gid_t gid = 0;
155
156 #ifdef IPSEC_GROUP
157 {
158 char buf[1024];
159 struct group group, *grp;
160
161 if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) == 0 &&
162 grp)
163 {
164 gid = grp->gr_gid;
165 }
166 }
167 #endif
168 #ifdef IPSEC_USER
169 {
170 char buf[1024];
171 struct passwd passwd, *pwp;
172
173 if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) == 0 &&
174 pwp)
175 {
176 uid = pwp->pw_uid;
177 }
178 }
179 #endif
180 setegid(gid);
181 seteuid(uid);
182 system("ipsec scepclient --out pkcs1 --out cert-self --quiet");
183 seteuid(0);
184 setegid(0);
185
186 /* ipsec.secrets is root readable only */
187 oldmask = umask(0066);
188
189 f = fopen(SECRETS_FILE, "w");
190 if (f)
191 {
192 fprintf(f, "# /etc/ipsec.secrets - strongSwan IPsec secrets file\n");
193 fprintf(f, "\n");
194 fprintf(f, ": RSA myKey.der\n");
195 fclose(f);
196 }
197 chown(SECRETS_FILE, uid, gid);
198 umask(oldmask);
199 }
200 }
201
202 static void
203 usage(char *name)
204 {
205 fprintf(stderr, "Usage: starter [--nofork] [--auto-update <sec>] "
206 "[--debug|--debug-more|--debug-all]\n");
207 exit(LSB_RC_INVALID_ARGUMENT);
208 }
209
210 int main (int argc, char **argv)
211 {
212 starter_config_t *cfg = NULL;
213 starter_config_t *new_cfg;
214 starter_conn_t *conn, *conn2;
215 starter_ca_t *ca, *ca2;
216
217 struct stat stb;
218
219 char *err = NULL;
220 int i;
221 int id = 1;
222 struct timeval tv;
223 unsigned long auto_update = 0;
224 time_t last_reload;
225 bool no_fork = FALSE;
226
227 /* global variables defined in log.h */
228 log_to_stderr = TRUE;
229 base_debugging = DBG_NONE;
230
231 /* parse command line */
232 for (i = 1; i < argc; i++)
233 {
234 if (streq(argv[i], "--debug"))
235 {
236 base_debugging |= DBG_CONTROL;
237 }
238 else if (streq(argv[i], "--debug-more"))
239 {
240 base_debugging |= DBG_CONTROLMORE;
241 }
242 else if (streq(argv[i], "--debug-all"))
243 {
244 base_debugging |= DBG_ALL;
245 }
246 else if (streq(argv[i], "--nofork"))
247 {
248 no_fork = TRUE;
249 }
250 else if (streq(argv[i], "--auto-update") && i+1 < argc)
251 {
252 auto_update = atoi(argv[++i]);
253 if (!auto_update)
254 usage(argv[0]);
255 }
256 else
257 {
258 usage(argv[0]);
259 }
260 }
261
262 /* Init */
263 init_log("ipsec_starter");
264 cur_debugging = base_debugging;
265
266 signal(SIGHUP, fsig);
267 signal(SIGCHLD, fsig);
268 signal(SIGPIPE, fsig);
269 signal(SIGINT, fsig);
270 signal(SIGTERM, fsig);
271 signal(SIGQUIT, fsig);
272 signal(SIGALRM, fsig);
273 signal(SIGUSR1, fsig);
274
275 plog("Starting strongSwan %s IPsec [starter]...", ipsec_version_code());
276
277 /* verify that we can start */
278 if (getuid() != 0)
279 {
280 plog("permission denied (must be superuser)");
281 exit(LSB_RC_NOT_ALLOWED);
282 }
283
284 if (stat(PLUTO_PID_FILE, &stb) == 0)
285 {
286 plog("pluto is already running (%s exists) -- skipping pluto start", PLUTO_PID_FILE);
287 }
288 else
289 {
290 _action_ |= FLAG_ACTION_START_PLUTO;
291 }
292 if (stat(CHARON_PID_FILE, &stb) == 0)
293 {
294 plog("charon is already running (%s exists) -- skipping charon start", CHARON_PID_FILE);
295 }
296 else
297 {
298 _action_ |= FLAG_ACTION_START_CHARON;
299 }
300 if (stat(DEV_RANDOM, &stb) != 0)
301 {
302 plog("unable to start strongSwan IPsec -- no %s!", DEV_RANDOM);
303 exit(LSB_RC_FAILURE);
304 }
305
306 if (stat(DEV_URANDOM, &stb)!= 0)
307 {
308 plog("unable to start strongSwan IPsec -- no %s!", DEV_URANDOM);
309 exit(LSB_RC_FAILURE);
310 }
311
312 cfg = confread_load(CONFIG_FILE);
313 if (cfg == NULL || cfg->err > 0)
314 {
315 plog("unable to start strongSwan -- fatal errors in config");
316 if (cfg)
317 {
318 confread_free(cfg);
319 }
320 exit(LSB_RC_INVALID_ARGUMENT);
321 }
322
323 /* determine if we have a native netkey IPsec stack */
324 if (!starter_netkey_init())
325 {
326 plog("no netkey IPSec stack detected");
327 exit(LSB_RC_FAILURE);
328 }
329
330 last_reload = time(NULL);
331
332 if (stat(STARTER_PID_FILE, &stb) == 0)
333 {
334 plog("starter is already running (%s exists) -- no fork done", STARTER_PID_FILE);
335 exit(LSB_RC_SUCCESS);
336 }
337
338 generate_selfcert();
339
340 /* fork if we're not debugging stuff */
341 if (!no_fork)
342 {
343 log_to_stderr = FALSE;
344
345 switch (fork())
346 {
347 case 0:
348 {
349 int fnull = open("/dev/null", O_RDWR);
350
351 if (fnull >= 0)
352 {
353 dup2(fnull, STDIN_FILENO);
354 dup2(fnull, STDOUT_FILENO);
355 dup2(fnull, STDERR_FILENO);
356 close(fnull);
357 }
358 setsid();
359 }
360 break;
361 case -1:
362 plog("can't fork: %s", strerror(errno));
363 break;
364 default:
365 exit(LSB_RC_SUCCESS);
366 }
367 }
368
369 /* save pid file in /var/run/starter.pid */
370 {
371 FILE *fd = fopen(STARTER_PID_FILE, "w");
372
373 if (fd)
374 {
375 fprintf(fd, "%u\n", getpid());
376 fclose(fd);
377 }
378 }
379
380 for (;;)
381 {
382 /*
383 * Stop pluto/charon (if started) and exit
384 */
385 if (_action_ & FLAG_ACTION_QUIT)
386 {
387 if (starter_pluto_pid())
388 starter_stop_pluto();
389 if (starter_charon_pid())
390 starter_stop_charon();
391 starter_netkey_cleanup();
392 confread_free(cfg);
393 unlink(STARTER_PID_FILE);
394 unlink(INFO_FILE);
395 #ifdef LEAK_DETECTIVE
396 report_leaks();
397 #endif /* LEAK_DETECTIVE */
398 close_log();
399 plog("ipsec starter stopped");
400 exit(LSB_RC_SUCCESS);
401 }
402
403 /*
404 * Delete all connections. Will be added below
405 */
406 if (_action_ & FLAG_ACTION_RELOAD)
407 {
408 if (starter_pluto_pid() || starter_charon_pid())
409 {
410 for (conn = cfg->conn_first; conn; conn = conn->next)
411 {
412 if (conn->state == STATE_ADDED)
413 {
414 if (starter_charon_pid())
415 {
416 starter_stroke_del_conn(conn);
417 }
418 if (starter_pluto_pid())
419 {
420 starter_whack_del_conn(conn);
421 }
422 conn->state = STATE_TO_ADD;
423 }
424 }
425 for (ca = cfg->ca_first; ca; ca = ca->next)
426 {
427 if (ca->state == STATE_ADDED)
428 {
429 if (starter_charon_pid())
430 {
431 starter_stroke_del_ca(ca);
432 }
433 if (starter_pluto_pid())
434 {
435 starter_whack_del_ca(ca);
436 }
437 ca->state = STATE_TO_ADD;
438 }
439 }
440 }
441 _action_ &= ~FLAG_ACTION_RELOAD;
442 }
443
444 /*
445 * Update configuration
446 */
447 if (_action_ & FLAG_ACTION_UPDATE)
448 {
449 err = NULL;
450 DBG(DBG_CONTROL,
451 DBG_log("Reloading config...")
452 );
453 new_cfg = confread_load(CONFIG_FILE);
454
455 if (new_cfg->err + new_cfg->non_fatal_err == 0)
456 {
457 /* Switch to new config. New conn will be loaded below */
458 if (!starter_cmp_defaultroute(&new_cfg->defaultroute
459 , &cfg->defaultroute))
460 {
461 _action_ |= FLAG_ACTION_LISTEN;
462 }
463
464 if (!starter_cmp_pluto(cfg, new_cfg))
465 {
466 plog("Pluto has changed");
467 if (starter_pluto_pid())
468 starter_stop_pluto();
469 _action_ &= ~FLAG_ACTION_LISTEN;
470 _action_ |= FLAG_ACTION_START_PLUTO;
471 }
472 else
473 {
474 /* Only reload conn and ca sections if pluto is not killed */
475
476 /* Look for new connections that are already loaded */
477 for (conn = cfg->conn_first; conn; conn = conn->next)
478 {
479 if (conn->state == STATE_ADDED)
480 {
481 for (conn2 = new_cfg->conn_first; conn2; conn2 = conn2->next)
482 {
483 if (conn2->state == STATE_TO_ADD && starter_cmp_conn(conn, conn2))
484 {
485 conn->state = STATE_REPLACED;
486 conn2->state = STATE_ADDED;
487 conn2->id = conn->id;
488 break;
489 }
490 }
491 }
492 }
493
494 /* Remove conn sections that have become unused */
495 for (conn = cfg->conn_first; conn; conn = conn->next)
496 {
497 if (conn->state == STATE_ADDED)
498 {
499 if (starter_charon_pid())
500 {
501 starter_stroke_del_conn(conn);
502 }
503 if (starter_pluto_pid())
504 {
505 starter_whack_del_conn(conn);
506 }
507 }
508 }
509
510 /* Look for new ca sections that are already loaded */
511 for (ca = cfg->ca_first; ca; ca = ca->next)
512 {
513 if (ca->state == STATE_ADDED)
514 {
515 for (ca2 = new_cfg->ca_first; ca2; ca2 = ca2->next)
516 {
517 if (ca2->state == STATE_TO_ADD && starter_cmp_ca(ca, ca2))
518 {
519 ca->state = STATE_REPLACED;
520 ca2->state = STATE_ADDED;
521 break;
522 }
523 }
524 }
525 }
526
527 /* Remove ca sections that have become unused */
528 for (ca = cfg->ca_first; ca; ca = ca->next)
529 {
530 if (ca->state == STATE_ADDED)
531 {
532 if (starter_charon_pid())
533 {
534 starter_stroke_del_ca(ca);
535 }
536 if (starter_pluto_pid())
537 {
538 starter_whack_del_ca(ca);
539 }
540 }
541 }
542 }
543 confread_free(cfg);
544 cfg = new_cfg;
545 }
546 else
547 {
548 plog("can't reload config file due to errors -- keeping old one");
549 confread_free(new_cfg);
550 }
551 _action_ &= ~FLAG_ACTION_UPDATE;
552 last_reload = time(NULL);
553 }
554
555 /*
556 * Start pluto
557 */
558 if (_action_ & FLAG_ACTION_START_PLUTO)
559 {
560 if (cfg->setup.plutostart && !starter_pluto_pid())
561 {
562 DBG(DBG_CONTROL,
563 DBG_log("Attempting to start pluto...")
564 );
565
566 if (starter_start_pluto(cfg, no_fork) == 0)
567 {
568 starter_whack_listen();
569 }
570 else
571 {
572 /* schedule next try */
573 alarm(PLUTO_RESTART_DELAY);
574 }
575 }
576 _action_ &= ~FLAG_ACTION_START_PLUTO;
577
578 for (ca = cfg->ca_first; ca; ca = ca->next)
579 {
580 if (ca->state == STATE_ADDED)
581 ca->state = STATE_TO_ADD;
582 }
583
584 for (conn = cfg->conn_first; conn; conn = conn->next)
585 {
586 if (conn->state == STATE_ADDED)
587 conn->state = STATE_TO_ADD;
588 }
589 }
590
591 /*
592 * Start charon
593 */
594 if (_action_ & FLAG_ACTION_START_CHARON)
595 {
596 if (cfg->setup.charonstart && !starter_charon_pid())
597 {
598 DBG(DBG_CONTROL,
599 DBG_log("Attempting to start charon...")
600 );
601 if (starter_start_charon(cfg, no_fork))
602 {
603 /* schedule next try */
604 alarm(PLUTO_RESTART_DELAY);
605 }
606 starter_stroke_configure(cfg);
607 }
608 _action_ &= ~FLAG_ACTION_START_CHARON;
609 }
610
611 /*
612 * Tell pluto to reread its interfaces
613 */
614 if (_action_ & FLAG_ACTION_LISTEN)
615 {
616 if (starter_pluto_pid())
617 {
618 starter_whack_listen();
619 _action_ &= ~FLAG_ACTION_LISTEN;
620 }
621 }
622
623 /*
624 * Add stale conn and ca sections
625 */
626 if (starter_pluto_pid() || starter_charon_pid())
627 {
628 for (ca = cfg->ca_first; ca; ca = ca->next)
629 {
630 if (ca->state == STATE_TO_ADD)
631 {
632 if (starter_charon_pid())
633 {
634 starter_stroke_add_ca(ca);
635 }
636 if (starter_pluto_pid())
637 {
638 starter_whack_add_ca(ca);
639 }
640 ca->state = STATE_ADDED;
641 }
642 }
643
644 for (conn = cfg->conn_first; conn; conn = conn->next)
645 {
646 if (conn->state == STATE_TO_ADD)
647 {
648 if (conn->id == 0)
649 {
650 /* affect new unique id */
651 conn->id = id++;
652 }
653 if (starter_charon_pid())
654 {
655 starter_stroke_add_conn(cfg, conn);
656 }
657 if (starter_pluto_pid())
658 {
659 starter_whack_add_conn(conn);
660 }
661 conn->state = STATE_ADDED;
662
663 if (conn->startup == STARTUP_START)
664 {
665 if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
666 {
667 if (starter_charon_pid())
668 {
669 starter_stroke_initiate_conn(conn);
670 }
671 }
672 else
673 {
674 if (starter_pluto_pid())
675 {
676 starter_whack_initiate_conn(conn);
677 }
678 }
679 }
680 else if (conn->startup == STARTUP_ROUTE)
681 {
682 if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
683 {
684 if (starter_charon_pid())
685 {
686 starter_stroke_route_conn(conn);
687 }
688 }
689 else
690 {
691 if (starter_pluto_pid())
692 {
693 starter_whack_route_conn(conn);
694 }
695 }
696 }
697 }
698 }
699 }
700
701 /*
702 * If auto_update activated, when to stop select
703 */
704 if (auto_update)
705 {
706 time_t now = time(NULL);
707
708 tv.tv_sec = (now < last_reload + auto_update)
709 ? (last_reload + auto_update-now) : 0;
710 tv.tv_usec = 0;
711 }
712
713 /*
714 * Wait for something to happen
715 */
716 if (select(0, NULL, NULL, NULL, auto_update ? &tv : NULL) == 0)
717 {
718 /* timeout -> auto_update */
719 _action_ |= FLAG_ACTION_UPDATE;
720 }
721 }
722 exit(LSB_RC_SUCCESS);
723 }
724