X-Git-Url: https://git.saurik.com/apple/ipsec.git/blobdiff_plain/476121220b14176dcbf5f70f47b9ef8e38f8b389..d9c572c0d1634988834f2a68361f92bc7242cce4:/ipsec-tools/racoon/main.c diff --git a/ipsec-tools/racoon/main.c b/ipsec-tools/racoon/main.c index 7d4827e..631b86c 100644 --- a/ipsec-tools/racoon/main.c +++ b/ipsec-tools/racoon/main.c @@ -79,19 +79,16 @@ #include "pfkey.h" #include "policy.h" #include "crypto_openssl.h" -#include "backupsa.h" #include "vendorid.h" -#ifdef __APPLE__ #include -#include -#endif +#include "power_mgmt.h" +#include "preferences.h" //#include "package_version.h" int f_local = 0; /* local test mode. behave like a wall. */ int vflag = 1; /* for print-isakmp.c */ -static int loading_sa = 0; /* install sa when racoon boots up. */ static int dump_config = 0; /* dump parsed config file. */ static int exec_done = 0; /* we've already been exec'd */ 
@@ -101,36 +98,35 @@ static char version[] = "@(#)" TOP_PACKAGE_STRING " (" TOP_PACKAGE_URL ")"; static char version[] = "@(#) racoon / IPsec-tools"; #endif /* TOP_PACKAGE */ -int main __P((int, char **)); -static void usage __P((void)); -static void parse __P((int, char **)); -static void restore_params __P((void)); -static void save_params __P((void)); -static void saverestore_params __P((int)); -static void cleanup_pidfile __P((void)); -static int launchedbylaunchd(void); +int main (int, char **); +static void usage (void); +static void parse (int, char **); +static void restore_params (void); +static void save_params (void); +static void saverestore_params (int); +static void cleanup_pidfile (void); +#if 0 // +int launchedbylaunchd (void); +#endif pid_t racoon_pid = 0; +int launchdlaunched = 0; int print_pid = 1; /* for racoon only */ + void usage() { - printf("usage: racoon [-BdFvs%s] %s[-f (file)] [-l (file)] [-p (port)]\n", + printf("usage: racoon [-BdDFvs%s] %s[-f (file)] [-l (file)] [-p (port)]\n", #ifdef INET6 "46", #else "", #endif -#ifdef ENABLE_ADMINPORT - "[-a (port)] " -#else "" -#endif ); - printf(" -B: install SA to the kernel from the file " - "specified by the configuration file.\n"); printf(" -d: debug level, more -d will generate more debug message.\n"); + printf(" -D: started by LaunchD (implies daemon mode).\n"); printf(" -C: dump parsed config file.\n"); printf(" -L: include location in debug messages\n"); printf(" -F: run in foreground, do not become daemon.\n"); @@ -139,9 +135,6 @@ usage() #ifdef INET6 printf(" -4: IPv4 mode.\n"); printf(" -6: IPv6 mode.\n"); -#endif -#ifdef ENABLE_ADMINPORT - printf(" -a: port number for admin port.\n"); #endif printf(" -f: pathname for configuration file.\n"); printf(" -l: pathname for log file.\n"); 
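Review bot: The synopsis string in usage() still advertises `-B` (`[-BdDFvs%s]`) while the hunk deletes the `-B:` description line and the option no longer installs SAs anywhere in this file; the letter should go too, `printf("usage: racoon [-dDFvs%s] %s[-f (file)] [-l (file)] [-p (port)]\n",`. The new `-D` text says "started by LaunchD (implies daemon mode)", but what the flag actually does below is set the file-scope `launchdlaunched`, which the later hunk uses only to skip the self re-exec; the help text is fine, but the declaration deserves a comment such as `int launchdlaunched = 0; /* set by -D; replaces the launchd check-in that used to gate the re-exec */`. Leaving `launchedbylaunchd()` under `#if 0` rather than deleting it keeps dead code in the prototype list; if it is truly retired, remove it.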
@@ -156,7 +149,17 @@ main(ac, av) char **av; { int error; - char logFileStr[MAXPATHLEN+1]; + + /* + * Check IPSec plist + */ + prefsinit(); + ploginit(); + + /* + * racoon is not sandboxed on Mac OS. + * On embedded, racoon is sandboxed with a seatbelt-profiles entitlement. + */ if (geteuid() != 0) { errx(1, "must be root to invoke this program."); 
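Review bot: The carried-over comment `Check IPSec plist` now sits above two calls, and only the first reads preferences; `ploginit()` was moved here so that logging works before the root check and before parse() (whose call is outside this hunk), and the comment should say so, e.g. `/* Load preferences and bring up logging first so every later failure can be logged. */`. Neither `prefsinit()` nor `ploginit()` has its result checked; if either can fail (their signatures are not visible here), a broken log destination would be silent until the first plog() — worth confirming against preferences.c. The sandboxing comment describes deployment policy rather than anything this code enforces; it would read better prefixed with NOTE so nobody takes it as a runtime guarantee. main() continues past the end of this hunk.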
@@ -175,102 +178,33 @@ main(ac, av) /* NOTREACHED*/ } -#ifdef DEBUG_RECORD_MALLOCATION - DRM_init(); -#endif - - logFileStr[0] = 0; - +#ifdef HAVE_OPENSSL eay_init(); +#endif + initlcconf(); initrmconf(); oakley_dhinit(); compute_vendorids(); parse(ac, av); - - #ifdef __APPLE__ - /* - * Check IPSec plist - */ - { - SCPreferencesRef prefs = NULL; - CFPropertyListRef globals; - CFStringRef logFileRef; - CFNumberRef debugLevelRef; - - int level = 0; - - logFileStr[0] = 0; - - if ((prefs = SCPreferencesCreate(0, CFSTR("racoon"), CFSTR("com.apple.ipsec.plist"))) == NULL) - goto skip; - globals = SCPreferencesGetValue(prefs, CFSTR("Global")); - if (!globals || (CFGetTypeID(globals) != CFDictionaryGetTypeID())) - goto skip; - debugLevelRef = CFDictionaryGetValue(globals, CFSTR("DebugLevel")); - if (!debugLevelRef || (CFGetTypeID(debugLevelRef) != CFNumberGetTypeID())) - goto skip; - CFNumberGetValue(debugLevelRef, kCFNumberSInt32Type, &level); - switch (level) - { - case 0: - loglevel = 5; - goto skip; - break; - case 1: - loglevel = 6; - break; - case 2: - loglevel = 7; - break; - default: - break; /* invalid - ignore */ - } - - logFileRef = CFDictionaryGetValue(globals, CFSTR("DebugLogfile")); - if (!logFileRef || (CFGetTypeID(logFileRef) != CFStringGetTypeID())) { - goto skip; - } - CFStringGetCString(logFileRef, logFileStr, MAXPATHLEN, kCFStringEncodingMacRoman); -skip: - if (prefs) - CFRelease(prefs); - } - - if (logFileStr[0]) - plogset(logFileStr); - else -#endif /* __APPLE__ */ - if (lcconf->logfile_param) - plogset(lcconf->logfile_param); - ploginit(); - - plog(LLV_INFO, LOCATION, NULL, "***** racoon started: pid=%d started by: %d\n", getpid(), getppid()); - plog(LLV_INFO, LOCATION, NULL, "%s\n", version); - plog(LLV_INFO, LOCATION, NULL, "@(#)" + plog(ASL_LEVEL_INFO, "***** racoon started: pid=%d started by: %d, launchdlaunched %d\n", getpid(), getppid(), launchdlaunched); + plog(ASL_LEVEL_INFO, "%s\n", version); +#ifdef HAVE_OPENSSL + plog(ASL_LEVEL_INFO, 
"@(#)" "This product linked %s (http://www.openssl.org/)" "\n", eay_version()); - plog(LLV_INFO, LOCATION, NULL, "Reading configuration from \"%s\"\n", +#endif + plog(ASL_LEVEL_INFO, "Reading configuration from \"%s\"\n", lcconf->racoon_conf); + //%%%%% this sould probably be moved to session() if (pfkey_init() < 0) { - errx(1, "something error happened " - "while pfkey initializing."); + errx(1, "failed to initialize pfkey.\n"); /* NOTREACHED*/ } -#ifdef ENABLE_HYBRID - if (isakmp_cfg_init(ISAKMP_CFG_INIT_COLD)) - errx(1, "could not initialize ISAKMP mode config structures"); -#endif - -#ifdef HAVE_LIBLDAP - if (xauth_ldap_init() != 0) - errx(1, "could not initialize libldap"); -#endif - /* * in order to prefer the parameters by command line, * saving some parameters before parsing configuration file. @@ -282,7 +216,7 @@ skip: restore_params(); if (lcconf->logfile_param == NULL && logFileStr[0] == 0) - plogreset(lcconf->pathinfo[LC_PATHTYPE_LOGFILE]); + plogresetfile(lcconf->pathinfo[LC_PATHTYPE_LOGFILE]); #ifdef ENABLE_NATT /* Tell the kernel which port to use for UDP encapsulation */ @@ -294,12 +228,6 @@ skip: } #endif -#ifdef HAVE_LIBRADIUS - if (xauth_radius_init() != 0) { - errx(1, "could not initialize libradius"); - /* NOTREACHED*/ - } -#endif #ifdef ENABLE_HYBRID if(isakmp_cfg_config.network4 && isakmp_cfg_config.pool_size == 0) 
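Review bot: The unchanged line `if (lcconf->logfile_param == NULL && logFileStr[0] == 0)` still reads `logFileStr`, yet the first hunk of this diff deletes the only local definition (`char logFileStr[MAXPATHLEN+1]`) and its zeroing; this only compiles if preferences.h now exports it, which should be confirmed and stated with `/* logFileStr is filled by prefsinit() from the DebugLogfile preference */`. Similarly `isakmp_cfg_config.network4` is still consulted after the `isakmp_cfg_init(ISAKMP_CFG_INIT_COLD)` call is removed, so that structure must be initialised elsewhere now — presumably in session() or the config parser, worth a one-line note. `errx(1, "failed to initialize pfkey.\n")` double-terminates the line because errx() appends its own newline; drop the `\n`. The `//%%%%% this sould probably be moved to session()` marker has a typo ("should") and should be a TODO with an owner or be removed before landing. main() extends beyond this hunk on both sides.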
@@ -314,28 +242,23 @@ skip: * install SAs from the specified file. If the file is not specified * by the configuration file, racoon will exit. */ - if (loading_sa && !f_local) { - if (backupsa_from_file() != 0) - errx(1, "something error happened " - "SA recovering."); - } if (f_foreground) close(0); else { - if ( !exec_done && launchedbylaunchd() ){ - plog(LLV_INFO, LOCATION, NULL, + if ( !exec_done && launchdlaunched ){ + plog(ASL_LEVEL_INFO, "racoon launched by launchd.\n"); exec_done = 1; if (atexit(cleanup_pidfile) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "cannot register pidfile cleanup"); } }else { if (exec_done) { if (atexit(cleanup_pidfile) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "cannot register pidfile cleanup"); } } else { @@ -346,7 +269,7 @@ skip: int i; if (ac > MAX_EXEC_ARGS) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "too many arguments.\n"); exit(1); } @@ -360,12 +283,12 @@ skip: * when launched by setuid process */ if (setuid(0)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "cannot set uid.\n"); exit(1); } if (setgid(0)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "cannot set gid.\n"); exit(1); } 
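Review bot: The comment kept as context at the top of the first hunk (`install SAs from the specified file. If the file is not specified by the configuration file, racoon will exit.`) now describes code that no longer exists, since the `loading_sa`/`backupsa_from_file()` block beneath it is deleted; remove the comment as well. The re-exec path is now skipped on `!exec_done && launchdlaunched`, where `launchdlaunched` is set from the `-D` argument rather than from a launchd check-in, so any caller (already root, given the earlier geteuid() check) can claim launchd launch and avoid the daemonising `execve()`; that is an operational rather than a privilege boundary, but the log line should reflect the weaker evidence, e.g. `"racoon started with -D (launchd mode).\n"`. main() continues outside this hunk.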
@@ -378,35 +301,26 @@ skip: args[ac+1] = 0; execve(PATHRACOON, args, env); - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to exec racoon. (%s)", strerror(errno)); exit(1); } } } - + + + /* start the session */ session(); - - exit(0); } - -static int +#if 0 // +int launchedbylaunchd(){ - int launchdlaunched = 1; launch_data_t checkin_response = NULL; - launch_data_t checkin_request = NULL; - - /* check in with launchd */ - if ((checkin_request = launch_data_new_string(LAUNCH_KEY_CHECKIN)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "launch_data_new_string fails.\n"); - launchdlaunched = 0; - goto done; - } - if ((checkin_response = launch_msg(checkin_request)) == NULL) { + + if ((checkin_response = launch_socket_service_check_in()) == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "launch_msg fails.\n"); + "launch_socket_service_check_in fails.\n"); launchdlaunched = 0; goto done; } @@ -416,15 +330,14 @@ launchedbylaunchd(){ launchdlaunched = 0; goto done; } - + launchdlaunched = 1; done: /* clean up before we leave */ - if ( checkin_request ) - launch_data_free(checkin_request); if ( checkin_response ) launch_data_free(checkin_response); return launchdlaunched; } +#endif static void cleanup_pidfile() @@ -465,12 +378,7 @@ parse(ac, av) else pname = *av; -#if 0 /* for debugging */ - loglevel += 2; - plogset("/tmp/racoon.log"); -#endif - - while ((c = getopt(ac, av, "dLFp:P:a:f:l:vsZBCx" + while ((c = getopt(ac, av, "dDLFp:P:a:f:l:vsZBCx" #ifdef YYDEBUG "y" #endif @@ -480,12 +388,23 @@ parse(ac, av) )) != -1) { switch (c) { case 'd': - loglevel++; + plogsetlevel(ASL_LEVEL_DEBUG); + break; + case 'D': + if (f_foreground) { + fprintf(stderr, "-D and -F are mutually exclusive\n"); + exit(1); + } + launchdlaunched = 1; break; case 'L': print_location = 1; break; case 'F': + if (launchdlaunched) { + fprintf(stderr, "-D and -F are mutually exclusive\n"); + exit(1); + } printf("Foreground mode.\n"); f_foreground = 1; break; 
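Review bot: The new `case 'd': plogsetlevel(ASL_LEVEL_DEBUG);` makes repeated `-d` a no-op, but the usage() text left unchanged earlier in this diff still promises "more -d will generate more debug message"; either keep a counter and map it to levels, or update the help line to `" -d: enable debug logging.\n"`. The `-D`/`-F` exclusivity checks depend on the order the options appear, which is fine, but both branches print the same message via fprintf(stderr) while the rest of parse() uses `pname` in its diagnostics; prefer `fprintf(stderr, "%s: -D and -F are mutually exclusive\n", pname);` for consistency. The `#if 0`-wrapped `launchedbylaunchd()` body (including the `launch_socket_service_check_in()` call) is dead code and should be deleted rather than parked; the hunk also leaves `static` dropped on it for no reason. The getopt string gains `D` but keeps `B` and `a:`, whose handling is changed in the next hunks.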
@@ -496,14 +415,9 @@ parse(ac, av) lcconf->port_isakmp_natt = atoi(optarg); break; case 'a': -#ifdef ENABLE_ADMINPORT - lcconf->port_admin = atoi(optarg); - break; -#else fprintf(stderr, "%s: the option is disabled " "in the configuration\n", pname); exit(1); -#endif case 'f': lcconf->racoon_conf = optarg; break; @@ -546,9 +460,6 @@ parse(ac, av) lcconf->default_af = AF_INET6; break; #endif - case 'B': - loading_sa++; - break; case 'C': dump_config++; break; @@ -585,20 +496,11 @@ saverestore_params(f) int f; { static u_int16_t s_port_isakmp; -#ifdef ENABLE_ADMINPORT - static u_int16_t s_port_admin; -#endif /* 0: save, 1: restore */ if (f) { lcconf->port_isakmp = s_port_isakmp; -#ifdef ENABLE_ADMINPORT - lcconf->port_admin = s_port_admin; -#endif } else { s_port_isakmp = lcconf->port_isakmp; -#ifdef ENABLE_ADMINPORT - s_port_admin = lcconf->port_admin; -#endif } }
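Review bot: `case 'B':` is removed while `B` remains in the getopt string (`"dDLFp:P:a:f:l:vsZBCx"` in the previous hunk), so `-B` now falls into the default branch with whatever diagnostic that emits instead of a clear "option removed" error; drop the letter, `"dDLFp:P:a:f:l:vsZCx"`, or handle it like `-a` with an explicit message. In the `-a` case the `#ifdef`/`#else` removal leaves `exit(1);` immediately followed by `case 'f':` with no `break`; it is correct because exit() does not return, but a `/* NOTREACHED */` line, matching the file's existing convention, makes the intent obvious. parse() and saverestore_params() both extend outside these hunks.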