]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/session.c
projects / apple / ipsec.git / blob
? search:


c5c98da354a001e0d27b06ede18c08865aaf8c59
[apple/ipsec.git] / ipsec-tools / racoon / session.c
1 /* $NetBSD: session.c,v 1.7.6.2 2007/08/01 11:52:22 vanhu Exp $ */
2
3 /* $KAME: session.c,v 1.32 2003/09/24 02:01:17 jinmei Exp $ */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "config.h"
35
36 #include <sys/types.h>
37 #include <sys/param.h>
38 #include <sys/time.h>
39 #include <sys/socket.h>
40 #if HAVE_SYS_WAIT_H
41 # include <sys/wait.h>
42 #endif
43 #ifndef WEXITSTATUS
44 # define WEXITSTATUS(s) ((unsigned)(s) >> 8)
45 #endif
46 #ifndef WIFEXITED
47 # define WIFEXITED(s) (((s) & 255) == 0)
48 #endif
49
50 #ifndef HAVE_NETINET6_IPSEC
51 #include <netinet/ipsec.h>
52 #else
53 #include <netinet6/ipsec.h>
54 #endif
55
56 #include <stdlib.h>
57 #include <stdio.h>
58 #include <string.h>
59 #include <errno.h>
60 #ifdef HAVE_UNISTD_H
61 #include <unistd.h>
62 #endif
63 #include <signal.h>
64 #include <sys/stat.h>
65 #include <paths.h>
66
67 #include <netinet/in.h>
68 #include <netinet/ip.h>
69 #include <netinet/ip_icmp.h>
70
71 #include <resolv.h>
72 #include <TargetConditionals.h>
73
74 #include "libpfkey.h"
75
76 #include "var.h"
77 #include "misc.h"
78 #include "vmbuf.h"
79 #include "plog.h"
80 #include "debug.h"
81
82 #include "schedule.h"
83 #include "session.h"
84 #include "grabmyaddr.h"
85 #include "evt.h"
86 #include "cfparse_proto.h"
87 #include "isakmp_var.h"
88 #include "isakmp_xauth.h"
89 #include "isakmp_cfg.h"
90 #include "admin_var.h"
91 #include "admin.h"
92 #include "privsep.h"
93 #include "oakley.h"
94 #include "pfkey.h"
95 #include "handler.h"
96 #include "localconf.h"
97 #include "remoteconf.h"
98 #include "backupsa.h"
99 #ifdef ENABLE_NATT
100 #include "nattraversal.h"
101 #endif
102 #include "vpn_control_var.h"
103 #include "policy.h"
104 #include "algorithm.h" /* XXX ??? */
105
106 #include "sainfo.h"
107
108
109
110 extern pid_t racoon_pid;
111 static void close_session __P((void));
112 static void check_rtsock __P((void *));
113 static void initfds __P((void));
114 static void init_signal __P((void));
115 static int set_signal __P((int sig, RETSIGTYPE (*func) __P((int))));
116 static void check_sigreq __P((void));
117 static void check_flushsa_stub __P((void *));
118 static void check_flushsa __P((void));
119 static void auto_exit_do __P((void *));
120 static int close_sockets __P((void));
121
122 static fd_set mask0;
123 static fd_set maskdying;
124 static int nfds = 0;
125 static volatile sig_atomic_t sigreq[NSIG + 1];
126 static int dying = 0;
127 static struct sched *check_rtsock_sched = NULL;
128 int terminated = 0;
129
130 static void
131 reinit_socks (void)
132 {
133 isakmp_close();
134 close(lcconf->rtsock);
135 initmyaddr();
136 if (isakmp_open() < 0) {
137 plog(LLV_ERROR2, LOCATION, NULL,
138 "failed to reopen isakmp sockets\n");
139 }
140 initfds();
141 }
142
143 int
144 session(void)
145 {
146 fd_set rfds;
147 struct timeval *timeout;
148 int error;
149 struct myaddrs *p;
150 char pid_file[MAXPATHLEN];
151 FILE *fp;
152 int i, update_fds;
153
154 /* initialize schedular */
155 sched_init();
156
157 initmyaddr();
158
159 #ifndef __APPLE__
160 if (isakmp_init() < 0) {
161 #else
162 if (isakmp_init(false) < 0) {
163 #endif /* __APPLE__ */
164 plog(LLV_ERROR2, LOCATION, NULL,
165 "failed to initialize isakmp");
166 exit(1);
167 }
168
169 #ifdef ENABLE_ADMINPORT
170 if (admin_init() < 0) {
171 plog(LLV_ERROR2, LOCATION, NULL,
172 "failed to initialize admin port");
173 exit(1);
174 }
175 #endif
176 #ifdef ENABLE_VPNCONTROL_PORT
177 if (vpncontrol_init() < 0) {
178 plog(LLV_ERROR2, LOCATION, NULL,
179 "failed to initialize vpn control port");
180 exit(1);
181 }
182
183 #endif
184
185 init_signal();
186 initfds();
187
188 #ifndef __APPLE__
189 #ifdef ENABLE_NATT
190 natt_keepalive_init ();
191 #endif
192 #endif
193
194 if (privsep_init() != 0) {
195 plog(LLV_ERROR2, LOCATION, NULL,
196 "failed to initialize privsep");
197 exit(1);
198 }
199
200 for (i = 0; i <= NSIG; i++)
201 sigreq[i] = 0;
202
203 /* write .pid file */
204 if (!f_foreground) {
205 racoon_pid = getpid();
206 if (lcconf->pathinfo[LC_PATHTYPE_PIDFILE] == NULL)
207 strlcpy(pid_file, _PATH_VARRUN "racoon.pid", sizeof(pid_file));
208 else if (lcconf->pathinfo[LC_PATHTYPE_PIDFILE][0] == '/')
209 strlcpy(pid_file, lcconf->pathinfo[LC_PATHTYPE_PIDFILE], sizeof(pid_file));
210 else {
211 strlcat(pid_file, _PATH_VARRUN, sizeof(pid_file));
212 strlcat(pid_file, lcconf->pathinfo[LC_PATHTYPE_PIDFILE], sizeof(pid_file));
213 }
214 fp = fopen(pid_file, "w");
215 if (fp) {
216 if (fchmod(fileno(fp),
217 S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) == -1) {
218 syslog(LOG_ERR, "%s", strerror(errno));
219 fclose(fp);
220 exit(1);
221 }
222 fprintf(fp, "%ld\n", (long)racoon_pid);
223 fclose(fp);
224 } else {
225 plog(LLV_ERROR, LOCATION, NULL,
226 "cannot open %s", pid_file);
227 }
228 }
229
230 while (1) {
231 if (!TAILQ_EMPTY(&lcconf->saved_msg_queue))
232 pfkey_post_handler();
233 update_fds = 0;
234 /*
235 * asynchronous requests via signal.
236 * make sure to reset sigreq to 0.
237 */
238 check_sigreq();
239
240 /* scheduling */
241 timeout = schedular();
242 // <rdar://problem/7650111> Workaround: make sure timeout is playing nice
243 if (timeout) {
244 if (timeout->tv_usec < 0 || timeout->tv_usec > SELECT_USEC_MAX ) {
245 timeout->tv_sec += ((__typeof__(timeout->tv_sec))timeout->tv_usec)/SELECT_USEC_MAX;
246 timeout->tv_usec %= SELECT_USEC_MAX;
247 }
248 if (timeout->tv_sec > SELECT_SEC_MAX /* tv_sec is unsigned */) {
249 timeout->tv_sec = SELECT_SEC_MAX;
250 }
251 if (!timeout->tv_sec && !timeout->tv_usec) {
252 timeout->tv_sec = 1;
253 }
254 }
255
256 if (dying)
257 rfds = maskdying;
258 else
259 rfds = mask0;
260 error = select(nfds, &rfds, (fd_set *)0, (fd_set *)0, timeout);
261 if (error < 0) {
262 switch (errno) {
263 case EINTR:
264 continue;
265 default:
266 plog(LLV_ERROR2, LOCATION, NULL,
267 "failed select (%s) nfds %d\n",
268 strerror(errno), nfds);
269 reinit_socks();
270 update_fds = 0;
271 continue;
272 }
273 /*NOTREACHED*/
274 }
275
276 #ifdef ENABLE_ADMINPORT
277 if ((lcconf->sock_admin != -1) &&
278 (FD_ISSET(lcconf->sock_admin, &rfds)))
279 admin_handler();
280 #endif
281 #ifdef ENABLE_VPNCONTROL_PORT
282 {
283 struct vpnctl_socket_elem *elem;
284 struct vpnctl_socket_elem *t_elem;
285
286 if ((lcconf->sock_vpncontrol != -1) &&
287 (FD_ISSET(lcconf->sock_vpncontrol, &rfds))) {
288 vpncontrol_handler();
289 update_fds = 1; // in case new socket created - update mask
290 }
291 /* The handler may close and remove the list element
292 * so we can't rely on it being valid after calling
293 * the handler.
294 */
295 LIST_FOREACH_SAFE(elem, &lcconf->vpnctl_comm_socks, chain, t_elem) {
296 if ((elem->sock != -1) &&
297 (FD_ISSET(elem->sock, &rfds)))
298 if (vpncontrol_comm_handler(elem))
299 update_fds = 1; // socket closed by peer - update mask
300 }
301 }
302 #endif
303
304 for (p = lcconf->myaddrs; p; p = p->next) {
305 if (!p->addr)
306 continue;
307 if (FD_ISSET(p->sock, &rfds))
308 if ((error = isakmp_handler(p->sock)) == -2)
309 break;
310 }
311 if (error == -2) {
312 reinit_socks();
313 update_fds = 0;
314 }
315
316 if (FD_ISSET(lcconf->sock_pfkey, &rfds))
317 pfkey_handler();
318
319 if (lcconf->rtsock >= 0 && FD_ISSET(lcconf->rtsock, &rfds)) {
320 if (update_myaddrs() && lcconf->autograbaddr)
321 if (check_rtsock_sched == NULL) /* only schedule if not already done */
322 check_rtsock_sched = sched_new(5, check_rtsock, NULL);
323 // initfds(); //%%% BUG FIX - not needed here
324 }
325 if (update_fds) {
326 initfds();
327 update_fds = 0;
328 }
329 }
330 }
331
332
333 /* clear all status and exit program. */
334 static void
335 close_session()
336 {
337 if ( terminated )
338 flushph2(false);
339 flushph1(false);
340 close_sockets();
341 backupsa_clean();
342
343 plog(LLV_INFO, LOCATION, NULL, "racoon shutdown\n");
344 exit(0);
345 }
346
347 static void
348 check_rtsock(p)
349 void *p;
350 {
351
352 check_rtsock_sched = NULL;
353 grab_myaddrs();
354 isakmp_close_unused();
355
356 autoconf_myaddrsport();
357 isakmp_open();
358
359 /* initialize socket list again */
360 initfds();
361 }
362
363 static void
364 initfds()
365 {
366 struct myaddrs *p;
367
368 nfds = 0;
369
370 FD_ZERO(&mask0);
371 FD_ZERO(&maskdying);
372
373 #ifdef ENABLE_ADMINPORT
374 if (lcconf->sock_admin != -1) {
375 if (lcconf->sock_admin >= FD_SETSIZE) {
376 plog(LLV_ERROR2, LOCATION, NULL, "fd_set overrun - admin socket\n");
377 exit(1);
378 }
379 FD_SET(lcconf->sock_admin, &mask0);
380 /* XXX should we listen on admin socket when dying ?
381 */
382 #if 0
383 FD_SET(lcconf->sock_admin, &maskdying);
384 #endif
385 nfds = (nfds > lcconf->sock_admin ? nfds : lcconf->sock_admin);
386 }
387 #endif
388 #ifdef ENABLE_VPNCONTROL_PORT
389 {
390 struct vpnctl_socket_elem *elem;
391
392 if (lcconf->sock_vpncontrol != -1) {
393 if (lcconf->sock_vpncontrol >= FD_SETSIZE) {
394 plog(LLV_ERROR2, LOCATION, NULL, "fd_set overrun - vpncontrol socket\n");
395 exit(1);
396 }
397 FD_SET(lcconf->sock_vpncontrol, &mask0);
398 nfds = (nfds > lcconf->sock_vpncontrol ? nfds : lcconf->sock_vpncontrol);
399 }
400
401 LIST_FOREACH(elem, &lcconf->vpnctl_comm_socks, chain) {
402 if (elem->sock != -1) {
403 if (elem->sock >= FD_SETSIZE) {
404 plog(LLV_ERROR2, LOCATION, NULL, "fd_set overrun vpnctl_comm socket\n");
405 exit(1);
406 }
407 FD_SET(elem->sock, &mask0);
408 nfds = (nfds > elem->sock ? nfds : elem->sock);
409 }
410 }
411 }
412 #endif
413
414 if (lcconf->sock_pfkey >= FD_SETSIZE) {
415 plog(LLV_ERROR2, LOCATION, NULL, "fd_set overrun - pfkey socket\n");
416 exit(1);
417 }
418 FD_SET(lcconf->sock_pfkey, &mask0);
419 FD_SET(lcconf->sock_pfkey, &maskdying);
420 nfds = (nfds > lcconf->sock_pfkey ? nfds : lcconf->sock_pfkey);
421 if (lcconf->rtsock >= 0) {
422 if (lcconf->rtsock >= FD_SETSIZE) {
423 plog(LLV_ERROR2, LOCATION, NULL, "fd_set overrun - rt socket\n");
424 exit(1);
425 }
426 FD_SET(lcconf->rtsock, &mask0);
427 nfds = (nfds > lcconf->rtsock ? nfds : lcconf->rtsock);
428 }
429
430 for (p = lcconf->myaddrs; p; p = p->next) {
431 if (!p->addr)
432 continue;
433 if (p->sock < 0)
434 continue;
435 if (p->sock >= FD_SETSIZE) {
436 plog(LLV_ERROR2, LOCATION, NULL, "fd_set overrun - isakmp socket\n");
437 exit(1);
438 }
439 FD_SET(p->sock, &mask0);
440 nfds = (nfds > p->sock ? nfds : p->sock);
441 }
442 nfds++;
443 }
444
445
446 static int signals[] = {
447 SIGHUP,
448 SIGINT,
449 SIGTERM,
450 SIGUSR1,
451 SIGUSR2,
452 SIGCHLD,
453 SIGPIPE,
454 0
455 };
456
457 /*
458 * asynchronous requests will actually dispatched in the
459 * main loop in session().
460 */
461 RETSIGTYPE
462 signal_handler(sig)
463 int sig;
464 {
465 /* Do not just set it to 1, because we may miss some signals by just setting
466 * values to 0/1
467 */
468 sigreq[sig]++;
469 if ( sig == SIGTERM ){
470 terminated = 1;
471 }
472 }
473
474 static void
475 check_sigreq()
476 {
477 int sig;
478
479 /*
480 * XXX We are not able to tell if we got
481 * several time the same signal. This is
482 * not a problem for the current code,
483 * but we shall remember this limitation.
484 */
485 for (sig = 0; sig <= NSIG; sig++) {
486 if (sigreq[sig] == 0)
487 continue;
488
489 sigreq[sig]--;
490 switch(sig) {
491 case 0:
492 return;
493
494 /* Catch up childs, mainly scripts.
495 */
496 case SIGCHLD:
497 {
498 pid_t pid;
499 int s;
500
501 pid = wait(&s);
502 }
503 break;
504
505 #ifdef DEBUG_RECORD_MALLOCATION
506 /*
507 * XXX This operation is signal handler unsafe and may lead to
508 * crashes and security breaches: See Henning Brauer talk at
509 * EuroBSDCon 2005. Do not run in production with this option
510 * enabled.
511 */
512 case SIGUSR2:
513 DRM_dump();
514 break;
515 #endif
516
517 case SIGUSR1:
518 case SIGHUP:
519 #ifdef ENABLE_HYBRID
520 if ((isakmp_cfg_init(ISAKMP_CFG_INIT_WARM)) != 0) {
521 plog(LLV_ERROR, LOCATION, NULL,
522 "ISAKMP mode config structure reset failed, "
523 "not reloading\n");
524 return;
525 }
526 #endif
527 if ( terminated )
528 break;
529
530 /* Save old configuration, load new one... */
531 isakmp_close();
532 close(lcconf->rtsock);
533 if (cfreparse(sig)) {
534 plog(LLV_ERROR2, LOCATION, NULL,
535 "configuration read failed\n");
536 exit(1);
537 }
538 if (lcconf->logfile_param == NULL)
539 plogreset(lcconf->pathinfo[LC_PATHTYPE_LOGFILE]);
540
541 initmyaddr();
542 isakmp_cleanup();
543 #ifdef __APPLE__
544 isakmp_init(true);
545 #else
546 isakmp_init();
547 #endif /* __APPLE__ */
548 initfds();
549 #if TARGET_OS_EMBEDDED
550 if (no_remote_configs(TRUE)) {
551 EVT_PUSH(NULL, NULL, EVTT_RACOON_QUIT, NULL);
552 pfkey_send_flush(lcconf->sock_pfkey, SADB_SATYPE_UNSPEC);
553 #ifdef ENABLE_FASTQUIT
554 close_session();
555 #else
556 sched_new(1, check_flushsa_stub, NULL);
557 #endif
558 dying = 1;
559 }
560 #endif
561 break;
562
563 case SIGINT:
564 case SIGTERM:
565 plog(LLV_INFO, LOCATION, NULL,
566 "caught signal %d\n", sig);
567 EVT_PUSH(NULL, NULL, EVTT_RACOON_QUIT, NULL);
568 pfkey_send_flush(lcconf->sock_pfkey,
569 SADB_SATYPE_UNSPEC);
570 if ( sig == SIGTERM ){
571 terminated = 1; /* in case if it hasn't been set yet */
572 close_session();
573 }
574 else
575 sched_new(1, check_flushsa_stub, NULL);
576
577 dying = 1;
578 break;
579
580 default:
581 plog(LLV_INFO, LOCATION, NULL,
582 "caught signal %d\n", sig);
583 break;
584 }
585 }
586 }
587
588 /*
589 * waiting the termination of processing until sending DELETE message
590 * for all inbound SA will complete.
591 */
592 static void
593 check_flushsa_stub(p)
594 void *p;
595 {
596
597 check_flushsa();
598 }
599
600 static void
601 check_flushsa()
602 {
603 vchar_t *buf;
604 struct sadb_msg *msg, *end, *next;
605 struct sadb_sa *sa;
606 caddr_t mhp[SADB_EXT_MAX + 1];
607 int n;
608
609 buf = pfkey_dump_sadb(SADB_SATYPE_UNSPEC);
610 if (buf == NULL) {
611 plog(LLV_DEBUG, LOCATION, NULL,
612 "pfkey_dump_sadb: returned nothing.\n");
613 return;
614 }
615
616 msg = (struct sadb_msg *)buf->v;
617 end = (struct sadb_msg *)(buf->v + buf->l);
618
619 /* counting SA except of dead one. */
620 n = 0;
621 while (msg < end) {
622 if (PFKEY_UNUNIT64(msg->sadb_msg_len) < sizeof(*msg))
623 break;
624 next = (struct sadb_msg *)((caddr_t)msg + PFKEY_UNUNIT64(msg->sadb_msg_len));
625 if (msg->sadb_msg_type != SADB_DUMP) {
626 msg = next;
627 continue;
628 }
629
630 if (pfkey_align(msg, mhp) || pfkey_check(mhp)) {
631 plog(LLV_ERROR, LOCATION, NULL,
632 "pfkey_check (%s)\n", ipsec_strerror());
633 msg = next;
634 continue;
635 }
636
637 sa = (struct sadb_sa *)(mhp[SADB_EXT_SA]);
638 if (!sa) {
639 msg = next;
640 continue;
641 }
642
643 if (sa->sadb_sa_state != SADB_SASTATE_DEAD) {
644 n++;
645 msg = next;
646 continue;
647 }
648
649 msg = next;
650 }
651
652 if (buf != NULL)
653 vfree(buf);
654
655 if (n) {
656 sched_new(1, check_flushsa_stub, NULL);
657 return;
658 }
659
660 #if !TARGET_OS_EMBEDDED
661 // abort exit if policies/config/control state is still there
662 if (vpn_control_connected() ||
663 policies_installed() ||
664 !no_remote_configs(FALSE)) {
665 return;
666 }
667 #endif
668
669 close_session();
670 #if !TARGET_OS_EMBEDDED
671 if (lcconf->vt)
672 vproc_transaction_end(NULL, lcconf->vt);
673 #endif
674 }
675
676 void
677 auto_exit_do(void *p)
678 {
679 EVT_PUSH(NULL, NULL, EVTT_RACOON_QUIT, NULL);
680 plog(LLV_DEBUG, LOCATION, NULL,
681 "performing auto exit\n");
682 pfkey_send_flush(lcconf->sock_pfkey, SADB_SATYPE_UNSPEC);
683 sched_new(1, check_flushsa_stub, NULL);
684 dying = 1;
685 }
686
687 void
688 check_auto_exit(void)
689 {
690 if (lcconf->auto_exit_sched != NULL) { /* exit scheduled? */
691 if (lcconf->auto_exit_state != LC_AUTOEXITSTATE_ENABLED
692 || vpn_control_connected() /* vpn control connected */
693 || policies_installed() /* policies installed in kernel */
694 || !no_remote_configs(FALSE)) /* remote or anonymous configs */
695 SCHED_KILL(lcconf->auto_exit_sched);
696 } else { /* exit not scheduled */
697 if (lcconf->auto_exit_state == LC_AUTOEXITSTATE_ENABLED
698 && !vpn_control_connected()
699 && !policies_installed()
700 && no_remote_configs(FALSE))
701 if (lcconf->auto_exit_delay == 0)
702 auto_exit_do(NULL); /* immediate exit */
703 else
704 lcconf->auto_exit_sched = sched_new(lcconf->auto_exit_delay, auto_exit_do, NULL);
705 }
706 }
707
708
709 static void
710 init_signal()
711 {
712 int i;
713
714 for (i = 0; signals[i] != 0; i++)
715 if (set_signal(signals[i], signal_handler) < 0) {
716 plog(LLV_ERROR2, LOCATION, NULL,
717 "failed to set_signal (%s)\n",
718 strerror(errno));
719 exit(1);
720 }
721 }
722
723 static int
724 set_signal(sig, func)
725 int sig;
726 RETSIGTYPE (*func) __P((int));
727 {
728 struct sigaction sa;
729
730 memset((caddr_t)&sa, 0, sizeof(sa));
731 sa.sa_handler = func;
732 sa.sa_flags = SA_RESTART;
733
734 if (sigemptyset(&sa.sa_mask) < 0)
735 return -1;
736
737 if (sigaction(sig, &sa, (struct sigaction *)0) < 0)
738 return(-1);
739
740 return 0;
741 }
742
743 static int
744 close_sockets()
745 {
746 isakmp_close();
747 pfkey_close(lcconf->sock_pfkey);
748 #ifdef ENABLE_ADMINPORT
749 (void)admin_close();
750 #endif
751 #ifdef ENABLE_VPNCONTROL_PORT
752 vpncontrol_close();
753 #endif
754 return 0;
755 }
756
757
mirror of ipsec