2 * Copyright (C) 1997 Angelos D. Keromytis.
3 * Copyright (C) 1998-2001 D. Hugh Redelmeier.
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
24 #include <sys/types.h>
30 #include <arpa/nameser.h> /* missing from <resolv.h> on old systems */
34 #include "constants.h"
38 #include "connections.h" /* needs id.h */
40 #include "demux.h" /* needs packet.h */
45 #include "preshared.h"
46 #include "adns.h" /* needs <resolv.h> */
47 #include "dnskey.h" /* needs preshared.h and adns.h */
53 #include "crypto.h" /* requires sha1.h and md5.h */
60 #include "nat_traversal.h"
63 char *phys_interfaces[NUM_INTERFACES];
66 * Version of X.509 patch
68 static const char x509patch_version[] = "0.9.13";
71 usage(const char *mess)
73 if (mess != NULL && *mess != '\0')
74 fprintf(stderr, "%s\n", mess);
79 " [--optionsfrom <filename>]"
87 "[--interface <ifname>]"
88 " [--ikeport <port-number>]"
92 "[--secretsfile <secrets-file>]"
103 " [--debug-emitting]"
108 " [ --debug-private]"
113 "[--nat_traversal] [--keep_alive <delay_sec>]"
115 "[--force_keepalive] [--disable_port_floating]"
119 "[--virtual_private <network_list>]"
123 ipsec_version_code());
124 exit_pluto(mess == NULL? 0 : 1);
127 static void init_interfaces( char *ipsec0, char *ipsec1, char *ipsec2, char *ipsec3)
130 phys_interfaces[0] = strdup(ipsec0);
132 phys_interfaces[1] = strdup(ipsec1);
134 phys_interfaces[2] = strdup(ipsec2);
136 phys_interfaces[3] = strdup(ipsec3);
140 * - provides convenient way for scripts to find Pluto's pid
141 * - prevents multiple Plutos competing for the same port
142 * - same basename as unix domain control socket
143 * NOTE: will not take account of sharing LOCK_DIR with other systems.
146 static char pluto_lock[sizeof(ctl_addr.sun_path)] = DEFAULT_CTLBASE LOCK_SUFFIX;
147 static bool pluto_lock_created = FALSE;
149 /* create lockfile, or die in the attempt */
153 int fd = open(pluto_lock, O_WRONLY | O_CREAT | O_EXCL | O_TRUNC,
154 S_IRUSR | S_IRGRP | S_IROTH);
160 fprintf(stderr, "pluto: lock file \"%s\" already exists\n"
167 , "pluto: unable to create lock file \"%s\" (%d %s)\n"
168 , pluto_lock, errno, strerror(errno));
172 pluto_lock_created = TRUE;
177 fill_lock(int lockfd, pid_t pid)
179 char buf[30]; /* holds "<pid>\n" */
180 int len = snprintf(buf, sizeof(buf), "%u\n", (unsigned int) pid);
181 bool ok = len > 0 && write(lockfd, buf, len) == len;
190 if (pluto_lock_created)
193 unlink(pluto_lock); /* is noting failure useful? */
197 /* by default pluto sends certificate requests to its peers */
198 bool no_cr_send = FALSE;
201 main(int argc, char **argv)
203 bool fork_desired = TRUE;
204 bool log_to_stderr_desired = FALSE;
207 bool nat_traversal = FALSE;
208 bool nat_t_spf = TRUE; /* support port floating */
209 unsigned int keep_alive = 0;
210 bool force_keepalive = FALSE;
213 char *virtual_private = NULL;
221 /* handle arguments */
224 static const struct option long_opts[] = {
225 /* name, has_arg, flag, val */
226 { "help", no_argument, NULL, 'h' },
227 { "version", no_argument, NULL, 'v' },
228 { "optionsfrom", required_argument, NULL, '+' },
229 { "nofork", no_argument, NULL, 'd' },
230 { "stderrlog", no_argument, NULL, 'e' },
231 { "noklips", no_argument, NULL, 'n' },
232 { "nocrsend", no_argument, NULL, 'c' },
233 { "uniqueids", no_argument, NULL, 'u' },
234 { "interface", required_argument, NULL, 'i' },
235 { "ikeport", required_argument, NULL, 'p' },
236 { "ctlbase", required_argument, NULL, 'b' },
237 { "secretsfile", required_argument, NULL, 's' },
238 { "adns", required_argument, NULL, 'a' },
240 { "debug-none", no_argument, NULL, 'N' },
241 { "debug-all]", no_argument, NULL, 'A' },
242 { "debug-raw", no_argument, NULL, 'R' },
243 { "debug-crypt", no_argument, NULL, 'X' },
244 { "debug-parsing", no_argument, NULL, 'P' },
245 { "debug-emitting", no_argument, NULL, 'E' },
246 { "debug-control", no_argument, NULL, 'C' },
247 { "debug-lifecycle", no_argument, NULL, 'L' },
248 { "debug-klips", no_argument, NULL, 'K' },
249 { "debug-dns", no_argument, NULL, 'D' },
250 { "debug-private", no_argument, NULL, 'Z' },
253 { "nat_traversal", no_argument, NULL, '1' },
254 { "keep_alive", required_argument, NULL, '2' },
255 { "force_keepalive", no_argument, NULL, '3' },
256 { "disable_port_floating", no_argument, NULL, '4' },
257 { "debug-nat_t", no_argument, NULL, '5' },
260 { "virtual_private", required_argument, NULL, '6' },
262 { "ipsec0", required_argument, NULL, '7' },
263 { "ipsec1", required_argument, NULL, '8' },
264 { "ipsec2", required_argument, NULL, '9' },
265 { "ipsec3", required_argument, NULL, '0' },
268 /* Note: we don't like the way short options get parsed
269 * by getopt_long, so we simply pass an empty string as
270 * the list. It could be "hvdenp:l:s:" "NARXPECK".
272 int c = getopt_long(argc, argv, "", long_opts, NULL);
274 /* Note: "breaking" from case terminates loop */
277 case EOF: /* end of flags */
280 case 0: /* long option already handled */
283 case ':': /* diagnostic already printed by getopt_long */
284 case '?': /* diagnostic already printed by getopt_long */
286 break; /* not actually reached */
288 case 'h': /* --help */
290 break; /* not actually reached */
292 case 'v': /* --version */
294 const char **sp = ipsec_copyright_notice();
296 printf("%s\n", ipsec_version_string());
297 for (; *sp != NULL; sp++)
301 break; /* not actually reached */
303 case '+': /* --optionsfrom <filename> */
304 optionsfrom(optarg, &argc, &argv, optind, stderr);
305 /* does not return on error */
308 case 'd': /* --nofork*/
309 fork_desired = FALSE;
312 case 'e': /* --stderrlog */
313 log_to_stderr_desired = TRUE;
316 case 'n': /* --noklips */
320 case 'c': /* --nocrsend */
324 case 'u': /* --uniquids */
328 case 'i': /* --interface <ifname> */
329 if (!use_interface(optarg))
330 usage("too many --interface specifications");
333 case 'p': /* --port <portnumber> */
334 if (optarg == NULL || !isdigit(optarg[0]))
335 usage("missing port number");
339 long port = strtol(optarg, &endptr, 0);
341 if (*endptr != '\0' || endptr == optarg
342 || port <= 0 || port > 0x10000)
343 usage("<port-number> must be a number between 1 and 65535");
348 case 'b': /* --ctlbase <path> */
349 if (snprintf(ctl_addr.sun_path, sizeof(ctl_addr.sun_path)
350 , "%s%s", optarg, CTL_SUFFIX) == -1)
351 usage("<path>" CTL_SUFFIX " too long for sun_path");
352 if (snprintf(pluto_lock, sizeof(pluto_lock)
353 , "%s%s", optarg, LOCK_SUFFIX) == -1)
354 usage("<path>" LOCK_SUFFIX " must fit");
357 case 's': /* --secretsfile <secrets-file> */
358 shared_secrets_file = optarg;
361 case 'a': /* --adns <pathname> */
362 pluto_adns_option = optarg;
366 case 'N': /* --debug-none */
367 base_debugging = DBG_NONE;
370 case 'A': /* --debug-all */
371 base_debugging = DBG_ALL;
374 case 'R': /* --debug-raw */
375 base_debugging |= DBG_RAW;
378 case 'X': /* --debug-crypt */
379 base_debugging |= DBG_CRYPT;
382 case 'P': /* --debug-parsing */
383 base_debugging |= DBG_PARSING;
386 case 'E': /* --debug-emitting */
387 base_debugging |= DBG_EMITTING;
390 case 'C': /* --debug-control */
391 base_debugging |= DBG_CONTROL;
394 case 'L': /* --debug-lifecycle */
395 base_debugging |= DBG_LIFECYCLE;
398 case 'K': /* --debug-klips */
399 base_debugging |= DBG_KLIPS;
402 case 'D': /* --debug-dns */
403 base_debugging |= DBG_DNS;
406 case 'Z': /* --debug-private */
407 base_debugging |= DBG_PRIVATE;
411 case '1': /* --nat_traversal */
412 nat_traversal = TRUE;
414 case '2': /* --keep_alive */
415 keep_alive = atoi(optarg);
417 case '3': /* --force_keepalive */
418 force_keepalive = TRUE;
420 case '4': /* --disable_port_floating */
423 case '5': /* --debug-nat_t */
424 base_debugging |= DBG_NATT;
428 case '6': /* --virtual_private */
429 virtual_private = optarg;
432 case '7': /* --ipsec0 */
435 case '8': /* --ipsec1 */
438 case '9': /* --ipsec2 */
441 case '0': /* --ipsec3 */
451 usage("unexpected argument");
453 lockfd = create_lock();
455 /* select between logging methods */
457 if (log_to_stderr_desired)
458 log_to_syslog = FALSE;
460 log_to_stderr = FALSE;
462 /* create control socket.
463 * We must create it before the parent process returns so that
464 * there will be no race condition in using it. The easiest
465 * place to do this is before the daemon fork.
468 err_t ugh = init_ctl_socket();
472 fprintf(stderr, "pluto: %s", ugh);
477 /* If not suppressed, do daemon fork */
489 fprintf(stderr, "pluto: fork failed (%d %s)\n",
496 /* parent: die, after filling PID into lock file.
497 * must not use exit_pluto: lock would be removed!
499 exit(fill_lock(lockfd, pid)? 0 : 1);
507 fprintf(stderr, "setsid() failed in main(). Errno %d: %s\n",
512 /* Close everything but ctl_fd and (if needed) stderr. */
516 for (i = getdtablesize() - 1; i >= 0; i--) /* Bad hack */
517 if ((!log_to_stderr || i != 2)
521 /* make sure that stdin, stdout, stderr are reserved */
522 if (open("/dev/null", O_RDONLY) != 0)
526 if (!log_to_stderr && dup2(0, 2) != 2)
539 /* no daemon fork: we have to fill in lock file */
540 (void) fill_lock(lockfd, getpid());
541 fprintf(stdout, "Pluto initialized\n");
547 /* Note: some scripts may look for this exact message -- don't change */
548 log("Starting Pluto (FreeS/WAN Version %s)", ipsec_version_code());
549 log(" including X.509 patch (Version %s)", x509patch_version);
552 init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf);
556 init_virtual_ip(virtual_private);
558 init_interfaces(ipsec0, ipsec1, ipsec2, ipsec3);
567 /* loading CA certificates */
571 /* loading my X.509 or OpenPGP certificate */
575 return -1; /* Shouldn't ever reach this */
578 /* leave pluto, with status.
579 * Once child is launched, parent must not exit this way because
580 * the lock would be released.
583 * 1 general discomfort
584 * 10 lock file exists
587 exit_pluto(int status)
589 reset_globals(); /* needed because we may be called in odd state */
590 free_preshared_secrets();
591 free_remembered_public_keys();
592 delete_every_connection();
593 free_cacerts(); /* free chain of CA certificates */
594 free_crls(); /* free chain of CRLS */
595 free_mycert(); /* free default certificate (deprecated for X.509) */
600 #ifdef LEAK_DETECTIVE
602 #endif /* LEAK_DETECTIVE */