2 * Copyright (C) 1997 Angelos D. Keromytis.
3 * Copyright (C) 1998-2001 D. Hugh Redelmeier.
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * RCSID $Id: plutomain.c,v 1.16 2005/09/25 21:30:52 as Exp $
24 #include <sys/types.h>
30 #include <arpa/nameser.h> /* missing from <resolv.h> on old systems */
31 #include <sys/queue.h>
38 #include "constants.h"
44 #include "connections.h"
45 #include "foodgroups.h"
47 #include "demux.h" /* needs packet.h */
52 #include "adns.h" /* needs <resolv.h> */
53 #include "dnskey.h" /* needs keys.h and adns.h */
56 #include "ipsec_doi.h" /* needs demux.h and state.h */
63 #include "crypto.h" /* requires sha1.h and md5.h */
70 #include "nat_traversal.h"
74 usage(const char *mess
)
76 if (mess
!= NULL
&& *mess
!= '\0')
77 fprintf(stderr
, "%s\n", mess
);
82 " [--optionsfrom <filename>]"
90 " [--crlcheckinterval]"
94 "[--interface <ifname>]"
95 " [--ikeport <port-number>]"
99 "[--perpeerlogbase <path>] [--perpeerlog]"
101 "[--secretsfile <secrets-file>]"
102 " [--policygroupsdir <policygroups-dir>]"
104 "[--adns <pathname>]"
105 "[--pkcs11module <path>]"
115 " [--debug-emitting]"
118 " [--debug-lifecycle]"
123 " [--debug-controlmore]"
129 "[--nat_traversal] [--keep_alive <delay_sec>]"
131 "[--force_keepalive] [--disable_port_floating]"
135 "[--virtual_private <network_list>]"
139 , ipsec_version_code());
140 exit_pluto(mess
== NULL
? 0 : 1);
145 * - provides convenient way for scripts to find Pluto's pid
146 * - prevents multiple Plutos competing for the same port
147 * - same basename as unix domain control socket
148 * NOTE: will not take account of sharing LOCK_DIR with other systems.
151 static char pluto_lock
[sizeof(ctl_addr
.sun_path
)] = DEFAULT_CTLBASE LOCK_SUFFIX
;
152 static bool pluto_lock_created
= FALSE
;
154 /* create lockfile, or die in the attempt */
158 int fd
= open(pluto_lock
, O_WRONLY
| O_CREAT
| O_EXCL
| O_TRUNC
159 , S_IRUSR
| S_IRGRP
| S_IROTH
);
165 fprintf(stderr
, "pluto: lock file \"%s\" already exists\n"
172 , "pluto: unable to create lock file \"%s\" (%d %s)\n"
173 , pluto_lock
, errno
, strerror(errno
));
177 pluto_lock_created
= TRUE
;
182 fill_lock(int lockfd
, pid_t pid
)
184 char buf
[30]; /* holds "<pid>\n" */
185 int len
= snprintf(buf
, sizeof(buf
), "%u\n", (unsigned int) pid
);
186 bool ok
= len
> 0 && write(lockfd
, buf
, len
) == len
;
195 if (pluto_lock_created
)
198 unlink(pluto_lock
); /* is noting failure useful? */
202 /* by default pluto sends certificate requests to its peers */
203 bool no_cr_send
= FALSE
;
205 /* by default the CRL policy is lenient */
206 bool strict_crl_policy
= FALSE
;
208 /* by default CRLs are cached locally as files */
209 bool cache_crls
= FALSE
;
211 /* by default pluto does not check crls dynamically */
212 long crl_check_interval
= 0;
214 /* path to the PKCS#11 module */
215 char *pkcs11_module_path
= NULL
;
217 /* by default pluto logs out after every smartcard use */
218 bool pkcs11_keep_state
= FALSE
;
220 /* by default pluto does not allow pkcs11 proxy access via whack */
221 bool pkcs11_proxy
= FALSE
;
224 main(int argc
, char **argv
)
226 bool fork_desired
= TRUE
;
227 bool log_to_stderr_desired
= FALSE
;
229 bool nat_traversal
= FALSE
;
230 bool nat_t_spf
= TRUE
; /* support port floating */
231 unsigned int keep_alive
= 0;
232 bool force_keepalive
= FALSE
;
235 char *virtual_private
= NULL
;
239 /* handle arguments */
242 # define DBG_OFFSET 256
243 static const struct option long_opts
[] = {
244 /* name, has_arg, flag, val */
245 { "help", no_argument
, NULL
, 'h' },
246 { "version", no_argument
, NULL
, 'v' },
247 { "optionsfrom", required_argument
, NULL
, '+' },
248 { "nofork", no_argument
, NULL
, 'd' },
249 { "stderrlog", no_argument
, NULL
, 'e' },
250 { "noklips", no_argument
, NULL
, 'n' },
251 { "nocrsend", no_argument
, NULL
, 'c' },
252 { "strictcrlpolicy", no_argument
, NULL
, 'r' },
253 { "crlcheckinterval", required_argument
, NULL
, 'x'},
254 { "cachecrls", no_argument
, NULL
, 'C' },
255 { "uniqueids", no_argument
, NULL
, 'u' },
256 { "interface", required_argument
, NULL
, 'i' },
257 { "ikeport", required_argument
, NULL
, 'p' },
258 { "ctlbase", required_argument
, NULL
, 'b' },
259 { "secretsfile", required_argument
, NULL
, 's' },
260 { "foodgroupsdir", required_argument
, NULL
, 'f' },
261 { "perpeerlogbase", required_argument
, NULL
, 'P' },
262 { "perpeerlog", no_argument
, NULL
, 'l' },
263 { "policygroupsdir", required_argument
, NULL
, 'f' },
265 { "lwdnsq", required_argument
, NULL
, 'a' },
266 #else /* !USE_LWRES */
267 { "adns", required_argument
, NULL
, 'a' },
268 #endif /* !USE_LWRES */
269 { "pkcs11module", required_argument
, NULL
, 'm' },
270 { "pkcs11keepstate", no_argument
, NULL
, 'k' },
271 { "pkcs11proxy", no_argument
, NULL
, 'y' },
273 { "nat_traversal", no_argument
, NULL
, '1' },
274 { "keep_alive", required_argument
, NULL
, '2' },
275 { "force_keepalive", no_argument
, NULL
, '3' },
276 { "disable_port_floating", no_argument
, NULL
, '4' },
277 { "debug-natt", no_argument
, NULL
, '5' },
280 { "virtual_private", required_argument
, NULL
, '6' },
283 { "debug-none", no_argument
, NULL
, 'N' },
284 { "debug-all", no_argument
, NULL
, 'A' },
286 { "debug-raw", no_argument
, NULL
, DBG_RAW
+ DBG_OFFSET
},
287 { "debug-crypt", no_argument
, NULL
, DBG_CRYPT
+ DBG_OFFSET
},
288 { "debug-parsing", no_argument
, NULL
, DBG_PARSING
+ DBG_OFFSET
},
289 { "debug-emitting", no_argument
, NULL
, DBG_EMITTING
+ DBG_OFFSET
},
290 { "debug-control", no_argument
, NULL
, DBG_CONTROL
+ DBG_OFFSET
},
291 { "debug-lifecycle", no_argument
, NULL
, DBG_LIFECYCLE
+ DBG_OFFSET
},
292 { "debug-klips", no_argument
, NULL
, DBG_KLIPS
+ DBG_OFFSET
},
293 { "debug-dns", no_argument
, NULL
, DBG_DNS
+ DBG_OFFSET
},
294 { "debug-oppo", no_argument
, NULL
, DBG_OPPO
+ DBG_OFFSET
},
295 { "debug-controlmore", no_argument
, NULL
, DBG_CONTROLMORE
+ DBG_OFFSET
},
296 { "debug-private", no_argument
, NULL
, DBG_PRIVATE
+ DBG_OFFSET
},
298 { "impair-delay-adns-key-answer", no_argument
, NULL
, IMPAIR_DELAY_ADNS_KEY_ANSWER
+ DBG_OFFSET
},
299 { "impair-delay-adns-txt-answer", no_argument
, NULL
, IMPAIR_DELAY_ADNS_TXT_ANSWER
+ DBG_OFFSET
},
300 { "impair-bust-mi2", no_argument
, NULL
, IMPAIR_BUST_MI2
+ DBG_OFFSET
},
301 { "impair-bust-mr2", no_argument
, NULL
, IMPAIR_BUST_MR2
+ DBG_OFFSET
},
305 /* Note: we don't like the way short options get parsed
306 * by getopt_long, so we simply pass an empty string as
307 * the list. It could be "hvdenp:l:s:" "NARXPECK".
309 int c
= getopt_long(argc
, argv
, "", long_opts
, NULL
);
311 /* Note: "breaking" from case terminates loop */
314 case EOF
: /* end of flags */
317 case 0: /* long option already handled */
320 case ':': /* diagnostic already printed by getopt_long */
321 case '?': /* diagnostic already printed by getopt_long */
323 break; /* not actually reached */
325 case 'h': /* --help */
327 break; /* not actually reached */
329 case 'v': /* --version */
331 const char **sp
= ipsec_copyright_notice();
333 printf("%s%s\n", ipsec_version_string(),
334 compile_time_interop_options
);
335 for (; *sp
!= NULL
; sp
++)
339 break; /* not actually reached */
341 case '+': /* --optionsfrom <filename> */
342 optionsfrom(optarg
, &argc
, &argv
, optind
, stderr
);
343 /* does not return on error */
346 case 'd': /* --nofork*/
347 fork_desired
= FALSE
;
350 case 'e': /* --stderrlog */
351 log_to_stderr_desired
= TRUE
;
354 case 'n': /* --noklips */
358 case 'c': /* --nocrsend */
362 case 'r': /* --strictcrlpolicy */
363 strict_crl_policy
= TRUE
;
366 case 'x': /* --crlcheckinterval <time>*/
367 if (optarg
== NULL
|| !isdigit(optarg
[0]))
368 usage("missing interval time");
372 long interval
= strtol(optarg
, &endptr
, 0);
374 if (*endptr
!= '\0' || endptr
== optarg
376 usage("<interval-time> must be a positive number");
377 crl_check_interval
= interval
;
381 case 'C': /* --cachecrls */
385 case 'u': /* --uniqueids */
389 case 'i': /* --interface <ifname> */
390 if (!use_interface(optarg
))
391 usage("too many --interface specifications");
394 case 'p': /* --port <portnumber> */
395 if (optarg
== NULL
|| !isdigit(optarg
[0]))
396 usage("missing port number");
400 long port
= strtol(optarg
, &endptr
, 0);
402 if (*endptr
!= '\0' || endptr
== optarg
403 || port
<= 0 || port
> 0x10000)
404 usage("<port-number> must be a number between 1 and 65535");
409 case 'b': /* --ctlbase <path> */
410 if (snprintf(ctl_addr
.sun_path
, sizeof(ctl_addr
.sun_path
)
411 , "%s%s", optarg
, CTL_SUFFIX
) == -1)
412 usage("<path>" CTL_SUFFIX
" too long for sun_path");
413 if (snprintf(info_addr
.sun_path
, sizeof(info_addr
.sun_path
)
414 , "%s%s", optarg
, INFO_SUFFIX
) == -1)
415 usage("<path>" INFO_SUFFIX
" too long for sun_path");
416 if (snprintf(pluto_lock
, sizeof(pluto_lock
)
417 , "%s%s", optarg
, LOCK_SUFFIX
) == -1)
418 usage("<path>" LOCK_SUFFIX
" must fit");
421 case 's': /* --secretsfile <secrets-file> */
422 shared_secrets_file
= optarg
;
425 case 'f': /* --policygroupsdir <policygroups-dir> */
426 policygroups_dir
= optarg
;
429 case 'a': /* --adns <pathname> */
430 pluto_adns_option
= optarg
;
433 case 'm': /* --pkcs11module <pathname> */
434 pkcs11_module_path
= optarg
;
437 case 'k': /* --pkcs11keepstate */
438 pkcs11_keep_state
= TRUE
;
441 case 'y': /* --pkcs11proxy */
446 case 'N': /* --debug-none */
447 base_debugging
= DBG_NONE
;
450 case 'A': /* --debug-all */
451 base_debugging
= DBG_ALL
;
455 case 'P': /* --perpeerlogbase */
456 base_perpeer_logdir
= optarg
;
460 log_to_perpeer
= TRUE
;
464 case '1': /* --nat_traversal */
465 nat_traversal
= TRUE
;
467 case '2': /* --keep_alive */
468 keep_alive
= atoi(optarg
);
470 case '3': /* --force_keepalive */
471 force_keepalive
= TRUE
;
473 case '4': /* --disable_port_floating */
476 case '5': /* --debug-nat_t */
477 base_debugging
|= DBG_NATT
;
481 case '6': /* --virtual_private */
482 virtual_private
= optarg
;
490 base_debugging
|= c
- DBG_OFFSET
;
500 usage("unexpected argument");
502 lockfd
= create_lock();
504 /* select between logging methods */
506 if (log_to_stderr_desired
)
507 log_to_syslog
= FALSE
;
509 log_to_stderr
= FALSE
;
511 /* set the logging function of pfkey debugging */
513 pfkey_debug_func
= DBG_log
;
515 pfkey_debug_func
= NULL
;
518 /* create control socket.
519 * We must create it before the parent process returns so that
520 * there will be no race condition in using it. The easiest
521 * place to do this is before the daemon fork.
524 err_t ugh
= init_ctl_socket();
528 fprintf(stderr
, "pluto: %s", ugh
);
534 /* create info socket. */
536 err_t ugh
= init_info_socket();
540 fprintf(stderr
, "pluto: %s", ugh
);
546 /* If not suppressed, do daemon fork */
557 fprintf(stderr
, "pluto: fork failed (%d %s)\n",
564 /* parent: die, after filling PID into lock file.
565 * must not use exit_pluto: lock would be removed!
567 exit(fill_lock(lockfd
, pid
)? 0 : 1);
575 fprintf(stderr
, "setsid() failed in main(). Errno %d: %s\n",
582 /* no daemon fork: we have to fill in lock file */
583 (void) fill_lock(lockfd
, getpid());
584 fprintf(stdout
, "Pluto initialized\n");
588 /* Close everything but ctl_fd and (if needed) stderr.
589 * There is some danger that a library that we don't know
590 * about is using some fd that we don't know about.
591 * I guess we'll soon find out.
596 for (i
= getdtablesize() - 1; i
>= 0; i
--) /* Bad hack */
597 if ((!log_to_stderr
|| i
!= 2)
604 /* make sure that stdin, stdout, stderr are reserved */
605 if (open("/dev/null", O_RDONLY
) != 0)
609 if (!log_to_stderr
&& dup2(0, 2) != 2)
616 /* Note: some scripts may look for this exact message -- don't change
617 * ipsec barf was one, but it no longer does.
619 plog("Starting Pluto (strongSwan Version %s%s)"
620 , ipsec_version_code()
621 , compile_time_interop_options
);
624 init_nat_traversal(nat_traversal
, keep_alive
, force_keepalive
, nat_t_spf
);
628 init_virtual_ip(virtual_private
);
630 scx_init(pkcs11_module_path
); /* load and initialize PKCS #11 module */
641 /* loading X.509 CA certificates */
642 load_authcerts("CA cert", CA_CERT_PATH
, AUTH_CA
);
643 /* loading X.509 AA certificates */
644 load_authcerts("AA cert", AA_CERT_PATH
, AUTH_AA
);
645 /* loading X.509 OCSP certificates */
646 load_authcerts("OCSP cert", OCSP_CERT_PATH
, AUTH_OCSP
);
647 /* loading X.509 CRLs */
649 /* loading attribute certificates (experimental) */
654 return -1; /* Shouldn't ever reach this */
657 /* leave pluto, with status.
658 * Once child is launched, parent must not exit this way because
659 * the lock would be released.
662 * 1 general discomfort
663 * 10 lock file exists
666 exit_pluto(int status
)
668 reset_globals(); /* needed because we may be called in odd state */
669 free_preshared_secrets();
670 free_remembered_public_keys();
671 delete_every_connection();
672 free_crl_fetch(); /* free chain of crl fetch requests */
673 free_ocsp_fetch(); /* free chain of ocsp fetch requests */
674 free_authcerts(); /* free chain of X.509 authority certificates */
675 free_crls(); /* free chain of X.509 CRLs */
676 free_acerts(); /* free chain of X.509 attribute certificates */
677 free_ca_infos(); /* free chain of X.509 CA information records */
678 free_ocsp(); /* free ocsp cache */
680 scx_finalize(); /* finalize and unload PKCS #11 module */
684 #ifdef LEAK_DETECTIVE
686 #endif /* LEAK_DETECTIVE */