#include "pfkey.h"
#include "policy.h"
#include "crypto_openssl.h"
-#include "backupsa.h"
#include "vendorid.h"
#include <CoreFoundation/CoreFoundation.h>
-#include <SystemConfiguration/SystemConfiguration.h>
-#ifndef TARGET_OS_EMBEDDED
-#include <sandbox.h>
-#endif // !TARGET_OS_EMBEDDED
#include "power_mgmt.h"
+#include "preferences.h"
//#include "package_version.h"
int f_local = 0; /* local test mode. behave like a wall. */
int vflag = 1; /* for print-isakmp.c */
-static int loading_sa = 0; /* install sa when racoon boots up. */
static int dump_config = 0; /* dump parsed config file. */
static int exec_done = 0; /* we've already been exec'd */
static char version[] = "@(#) racoon / IPsec-tools";
#endif /* TOP_PACKAGE */
-int main __P((int, char **));
-static void usage __P((void));
-static void parse __P((int, char **));
-static void restore_params __P((void));
-static void save_params __P((void));
-static void saverestore_params __P((int));
-static void cleanup_pidfile __P((void));
-int launchedbylaunchd __P((void));
+int main (int, char **);
+static void usage (void);
+static void parse (int, char **);
+static void restore_params (void);
+static void save_params (void);
+static void saverestore_params (int);
+static void cleanup_pidfile (void);
+#if 0 // <rdar://problem/9286626>
+int launchedbylaunchd (void);
+#endif
pid_t racoon_pid = 0;
+int launchdlaunched = 0;
int print_pid = 1; /* for racoon only */
-char logFileStr[MAXPATHLEN+1];
+
void
usage()
{
- printf("usage: racoon [-BdFvs%s] %s[-f (file)] [-l (file)] [-p (port)]\n",
+ printf("usage: racoon [-BdDFvs%s] %s[-f (file)] [-l (file)] [-p (port)]\n",
#ifdef INET6
"46",
#else
"",
#endif
-#ifdef ENABLE_ADMINPORT
- "[-a (port)] "
-#else
""
-#endif
);
- printf(" -B: install SA to the kernel from the file "
- "specified by the configuration file.\n");
printf(" -d: debug level, more -d will generate more debug message.\n");
+ printf(" -D: started by LaunchD (implies daemon mode).\n");
printf(" -C: dump parsed config file.\n");
printf(" -L: include location in debug messages\n");
printf(" -F: run in foreground, do not become daemon.\n");
#ifdef INET6
printf(" -4: IPv4 mode.\n");
printf(" -6: IPv6 mode.\n");
-#endif
-#ifdef ENABLE_ADMINPORT
- printf(" -a: port number for admin port.\n");
#endif
printf(" -f: pathname for configuration file.\n");
printf(" -l: pathname for log file.\n");
char **av;
{
int error;
-#ifndef TARGET_OS_EMBEDDED
- char *sb_errorbuf = NULL;
-#endif // !TARGET_OS_EMBEDDED
-
-#ifndef TARGET_OS_EMBEDDED
- if (sandbox_init("racoon", SANDBOX_NAMED, &sb_errorbuf) == -1) {
- if (sb_errorbuf) {
- syslog(LOG_ERR, "sandbox_init failed: %s\n", sb_errorbuf);
- sandbox_free_error(sb_errorbuf);
- sb_errorbuf = NULL;
- } else {
- syslog(LOG_ERR, "sandbox_init failed\n");
- }
- }
-#endif // !TARGET_OS_EMBEDDED
+
+ /*
+ * Check IPSec plist
+ */
+ prefsinit();
+ ploginit();
+
+ /*
+ * racoon is not sandboxed on Mac OS.
+ * On embedded, racoon is sandboxed with a seatbelt-profiles entitlement.
+ */
if (geteuid() != 0) {
errx(1, "must be root to invoke this program.");
/* NOTREACHED*/
}
-#ifdef DEBUG_RECORD_MALLOCATION
- DRM_init();
-#endif
-
- logFileStr[0] = 0;
-
#ifdef HAVE_OPENSSL
eay_init();
#endif
compute_vendorids();
parse(ac, av);
- plogmtxinit();
-
- /*
- * Check IPSec plist
- */
- {
- SCPreferencesRef prefs = NULL;
- CFPropertyListRef globals;
- CFStringRef logFileRef;
- CFNumberRef debugLevelRef;
-
- int level = 0;
-
- logFileStr[0] = 0;
-
- if ((prefs = SCPreferencesCreate(0, CFSTR("racoon"), CFSTR("com.apple.ipsec.plist"))) == NULL)
- goto skip;
- globals = SCPreferencesGetValue(prefs, CFSTR("Global"));
- if (!globals || (CFGetTypeID(globals) != CFDictionaryGetTypeID()))
- goto skip;
- debugLevelRef = CFDictionaryGetValue(globals, CFSTR("DebugLevel"));
- if (!debugLevelRef || (CFGetTypeID(debugLevelRef) != CFNumberGetTypeID()))
- goto skip;
- CFNumberGetValue(debugLevelRef, kCFNumberSInt32Type, &level);
- switch (level)
- {
- case 0:
- loglevel = 5;
- goto skip;
- break;
- case 1:
- loglevel = 6;
- break;
- case 2:
- loglevel = 7;
- break;
- default:
- break; /* invalid - ignore */
- }
-
- logFileRef = CFDictionaryGetValue(globals, CFSTR("DebugLogfile"));
- if (!logFileRef || (CFGetTypeID(logFileRef) != CFStringGetTypeID())) {
- goto skip;
- }
- CFStringGetCString(logFileRef, logFileStr, MAXPATHLEN, kCFStringEncodingMacRoman);
-skip:
- if (prefs)
- CFRelease(prefs);
- }
-
- if (logFileStr[0])
- plogset(logFileStr);
- else
- if (lcconf->logfile_param)
- plogset(lcconf->logfile_param);
-
- ploginit();
- plog(LLV_INFO, LOCATION, NULL, "***** racoon started: pid=%d started by: %d\n", getpid(), getppid());
- plog(LLV_INFO, LOCATION, NULL, "%s\n", version);
+ plog(ASL_LEVEL_INFO, "***** racoon started: pid=%d started by: %d, launchdlaunched %d\n", getpid(), getppid(), launchdlaunched);
+ plog(ASL_LEVEL_INFO, "%s\n", version);
#ifdef HAVE_OPENSSL
- plog(LLV_INFO, LOCATION, NULL, "@(#)"
+ plog(ASL_LEVEL_INFO, "@(#)"
"This product linked %s (http://www.openssl.org/)"
"\n", eay_version());
#endif
- plog(LLV_INFO, LOCATION, NULL, "Reading configuration from \"%s\"\n",
+ plog(ASL_LEVEL_INFO, "Reading configuration from \"%s\"\n",
lcconf->racoon_conf);
+ //%%%%% this sould probably be moved to session()
if (pfkey_init() < 0) {
- errx(1, "something error happened "
- "while pfkey initializing.");
+ errx(1, "failed to initialize pfkey.\n");
/* NOTREACHED*/
}
-#ifdef ENABLE_HYBRID
- if (isakmp_cfg_init(ISAKMP_CFG_INIT_COLD))
- errx(1, "could not initialize ISAKMP mode config structures");
-#endif
-
-#ifdef HAVE_LIBLDAP
- if (xauth_ldap_init() != 0)
- errx(1, "could not initialize libldap");
-#endif
-
/*
* in order to prefer the parameters by command line,
* saving some parameters before parsing configuration file.
restore_params();
if (lcconf->logfile_param == NULL && logFileStr[0] == 0)
- plogreset(lcconf->pathinfo[LC_PATHTYPE_LOGFILE]);
+ plogresetfile(lcconf->pathinfo[LC_PATHTYPE_LOGFILE]);
#ifdef ENABLE_NATT
/* Tell the kernel which port to use for UDP encapsulation */
}
#endif
-#ifdef HAVE_LIBRADIUS
- if (xauth_radius_init() != 0) {
- errx(1, "could not initialize libradius");
- /* NOTREACHED*/
- }
-#endif
#ifdef ENABLE_HYBRID
if(isakmp_cfg_config.network4 && isakmp_cfg_config.pool_size == 0)
* install SAs from the specified file. If the file is not specified
* by the configuration file, racoon will exit.
*/
- if (loading_sa && !f_local) {
- if (backupsa_from_file() != 0)
- errx(1, "something error happened "
- "SA recovering.");
- }
if (f_foreground)
close(0);
else {
- if ( !exec_done && launchedbylaunchd() ){
- plog(LLV_INFO, LOCATION, NULL,
+ if ( !exec_done && launchdlaunched ){
+ plog(ASL_LEVEL_INFO,
"racoon launched by launchd.\n");
exec_done = 1;
if (atexit(cleanup_pidfile) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
"cannot register pidfile cleanup");
}
}else {
if (exec_done) {
if (atexit(cleanup_pidfile) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
"cannot register pidfile cleanup");
}
} else {
int i;
if (ac > MAX_EXEC_ARGS) {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
"too many arguments.\n");
exit(1);
}
* when launched by setuid process
*/
if (setuid(0)) {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
"cannot set uid.\n");
exit(1);
}
if (setgid(0)) {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
"cannot set gid.\n");
exit(1);
}
args[ac+1] = 0;
execve(PATHRACOON, args, env);
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
"failed to exec racoon. (%s)", strerror(errno));
exit(1);
}
}
}
-
+
+
+ /* start the session */
session();
-
- exit(0);
}
-
+#if 0 // <rdar://problem/9286626>
int
launchedbylaunchd(){
- int launchdlaunched = 1;
launch_data_t checkin_response = NULL;
- launch_data_t checkin_request = NULL;
-
- /* check in with launchd */
- if ((checkin_request = launch_data_new_string(LAUNCH_KEY_CHECKIN)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "launch_data_new_string fails.\n");
- launchdlaunched = 0;
- goto done;
- }
- if ((checkin_response = launch_msg(checkin_request)) == NULL) {
+
+ if ((checkin_response = launch_socket_service_check_in()) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
- "launch_msg fails.\n");
+ "launch_socket_service_check_in fails.\n");
launchdlaunched = 0;
goto done;
}
launchdlaunched = 0;
goto done;
}
-
+ launchdlaunched = 1;
done:
/* clean up before we leave */
- if ( checkin_request )
- launch_data_free(checkin_request);
if ( checkin_response )
launch_data_free(checkin_response);
return launchdlaunched;
}
+#endif
static void
cleanup_pidfile()
else
pname = *av;
-#if 0 /* for debugging */
- loglevel += 2;
- plogset("/tmp/racoon.log");
-#endif
-
- while ((c = getopt(ac, av, "dLFp:P:a:f:l:vsZBCx"
+ while ((c = getopt(ac, av, "dDLFp:P:a:f:l:vsZBCx"
#ifdef YYDEBUG
"y"
#endif
)) != -1) {
switch (c) {
case 'd':
- loglevel++;
+ plogsetlevel(ASL_LEVEL_DEBUG);
+ break;
+ case 'D':
+ if (f_foreground) {
+ fprintf(stderr, "-D and -F are mutually exclusive\n");
+ exit(1);
+ }
+ launchdlaunched = 1;
break;
case 'L':
print_location = 1;
break;
case 'F':
+ if (launchdlaunched) {
+ fprintf(stderr, "-D and -F are mutually exclusive\n");
+ exit(1);
+ }
printf("Foreground mode.\n");
f_foreground = 1;
break;
lcconf->port_isakmp_natt = atoi(optarg);
break;
case 'a':
-#ifdef ENABLE_ADMINPORT
- lcconf->port_admin = atoi(optarg);
- break;
-#else
fprintf(stderr, "%s: the option is disabled "
"in the configuration\n", pname);
exit(1);
-#endif
case 'f':
lcconf->racoon_conf = optarg;
break;
lcconf->default_af = AF_INET6;
break;
#endif
- case 'B':
- loading_sa++;
- break;
case 'C':
dump_config++;
break;
int f;
{
static u_int16_t s_port_isakmp;
-#ifdef ENABLE_ADMINPORT
- static u_int16_t s_port_admin;
-#endif
/* 0: save, 1: restore */
if (f) {
lcconf->port_isakmp = s_port_isakmp;
-#ifdef ENABLE_ADMINPORT
- lcconf->port_admin = s_port_admin;
-#endif
} else {
s_port_isakmp = lcconf->port_isakmp;
-#ifdef ENABLE_ADMINPORT
- s_port_admin = lcconf->port_admin;
-#endif
}
}