X-Git-Url: https://git.saurik.com/apple/ipsec.git/blobdiff_plain/52b7d2ce06d68d0a9160d16f6e7c08c21c149d0d..886926c087c10c05fed266ba16e5f571352de3b4:/ipsec-tools/racoon/main.c
diff --git a/ipsec-tools/racoon/main.c b/ipsec-tools/racoon/main.c
index f325c90..4d654cb 100644
--- a/ipsec-tools/racoon/main.c
+++ b/ipsec-tools/racoon/main.c
@@ -49,6 +49,7 @@
#endif
#include <paths.h>
#include <err.h>
+#include <launch.h>
/*
* If we're using a debugging malloc library, this may define our
@@ -65,24 +66,34 @@
#include "cfparse_proto.h"
#include "isakmp_var.h"
-#ifdef HAVE_LIBRADIUS
+#ifdef ENABLE_HYBRID
+#include <resolv.h>
#include "isakmp.h"
#include "isakmp_xauth.h"
+#include "isakmp_cfg.h"
#endif
#include "remoteconf.h"
#include "localconf.h"
#include "session.h"
#include "oakley.h"
#include "pfkey.h"
+#include "policy.h"
#include "crypto_openssl.h"
-#include "backupsa.h"
#include "vendorid.h"
+#if !TARGET_OS_EMBEDDED
+#include <sandbox.h>
+#endif // !TARGET_OS_EMBEDDED
+
+
+#include <CoreFoundation/CoreFoundation.h>
+#include "power_mgmt.h"
+#include "preferences.h"
+
//#include "package_version.h"
int f_local = 0; /* local test mode. behave like a wall. */
int vflag = 1; /* for print-isakmp.c */
-static int loading_sa = 0; /* install sa when racoon boots up. */
static int dump_config = 0; /* dump parsed config file. */
static int exec_done = 0; /* we've already been exec'd */
@@ -92,46 +103,43 @@ static char version[] = "@(#)" TOP_PACKAGE_STRING " (" TOP_PACKAGE_URL ")";
static char version[] = "@(#) racoon / IPsec-tools";
#endif /* TOP_PACKAGE */
-int main __P((int, char **));
-static void usage __P((void));
-static void parse __P((int, char **));
-static void restore_params __P((void));
-static void save_params __P((void));
-static void saverestore_params __P((int));
-static void cleanup_pidfile __P((void));
+int main (int, char **);
+static void usage (void);
+static void parse (int, char **);
+static void restore_params (void);
+static void save_params (void);
+static void saverestore_params (int);
+static void cleanup_pidfile (void);
+#if 0 // <rdar://problem/9286626>
+int launchedbylaunchd (void);
+#endif
pid_t racoon_pid = 0;
+int launchdlaunched = 0;
int print_pid = 1; /* for racoon only */
+
void
usage()
{
- printf("usage: racoon [-BdFve%s] %s[-f (file)] [-l (file)] [-p (port)]\n",
+ printf("usage: racoon [-BdDFvs%s] %s[-f (file)] [-l (file)] [-p (port)]\n",
#ifdef INET6
"46",
#else
"",
#endif
-#ifdef ENABLE_ADMINPORT
- "[-a (port)] "
-#else
""
-#endif
);
- printf(" -B: install SA to the kernel from the file "
- "specified by the configuration file.\n");
printf(" -d: debug level, more -d will generate more debug message.\n");
+ printf(" -D: started by LaunchD (implies daemon mode).\n");
printf(" -C: dump parsed config file.\n");
printf(" -L: include location in debug messages\n");
printf(" -F: run in foreground, do not become daemon.\n");
printf(" -v: be more verbose\n");
- printf(" -e: enable auto exit\n");
+ printf(" -s: override enable auto exit\n");
#ifdef INET6
printf(" -4: IPv4 mode.\n");
printf(" -6: IPv6 mode.\n");
-#endif
-#ifdef ENABLE_ADMINPORT
- printf(" -a: port number for admin port.\n");
#endif
printf(" -f: pathname for configuration file.\n");
printf(" -l: pathname for log file.\n");
@@ -147,6 +155,21 @@ main(ac, av)
{
int error;
+#if !TARGET_OS_EMBEDDED
+ char *errorbuf;
+ if (sandbox_init("racoon", SANDBOX_NAMED, &errorbuf) == -1) {
+ plog(ASL_LEVEL_ERR, "initializing sandbox failed %s", errorbuf);
+ sandbox_free_error(errorbuf);
+ return -1;
+ }
+#endif // !TARGET_OS_EMBEDDED
+
+ /*
+ * Check IPSec plist
+ */
+ prefsinit();
+ ploginit();
+
if (geteuid() != 0) {
errx(1, "must be root to invoke this program.");
/* NOTREACHED*/
@@ -164,30 +187,30 @@ main(ac, av)
/* NOTREACHED*/
}
-#ifdef DEBUG_RECORD_MALLOCATION
- DRM_init();
-#endif
-
+#ifdef HAVE_OPENSSL
eay_init();
+#endif
+
initlcconf();
initrmconf();
oakley_dhinit();
compute_vendorids();
parse(ac, av);
- if (lcconf->logfile_param)
- plogset(lcconf->logfile_param);
- ploginit();
- plog(LLV_INFO, LOCATION, NULL, "***** racoon started: pid=%d started by: %d\n", getpid(), getppid());
- plog(LLV_INFO, LOCATION, NULL, "%s\n", version);
- plog(LLV_INFO, LOCATION, NULL, "@(#)"
+ plog(ASL_LEVEL_INFO, "***** racoon started: pid=%d started by: %d, launchdlaunched %d\n", getpid(), getppid(), launchdlaunched);
+ plog(ASL_LEVEL_INFO, "%s\n", version);
+#ifdef HAVE_OPENSSL
+ plog(ASL_LEVEL_INFO, "@(#)"
"This product linked %s (http://www.openssl.org/)"
"\n", eay_version());
+#endif
+ plog(ASL_LEVEL_INFO, "Reading configuration from \"%s\"\n",
+ lcconf->racoon_conf);
+ //%%%%% this sould probably be moved to session()
if (pfkey_init() < 0) {
- errx(1, "something error happened "
- "while pfkey initializing.");
+ errx(1, "failed to initialize pfkey.\n");
/* NOTREACHED*/
}
@@ -200,8 +223,9 @@ main(ac, av)
if (error != 0)
errx(1, "failed to parse configuration file.");
restore_params();
- if (lcconf->logfile_param == NULL)
- plogreset(lcconf->pathinfo[LC_PATHTYPE_LOGFILE]);
+
+ if (lcconf->logfile_param == NULL && logFileStr[0] == 0)
+ plogresetfile(lcconf->pathinfo[LC_PATHTYPE_LOGFILE]);
#ifdef ENABLE_NATT
/* Tell the kernel which port to use for UDP encapsulation */
@@ -213,11 +237,11 @@ main(ac, av)
}
#endif
-#ifdef HAVE_LIBRADIUS
- if (xauth_radius_init() != 0) {
- errx(1, "could not initialize libradius");
- /* NOTREACHED*/
- }
+
+#ifdef ENABLE_HYBRID
+ if(isakmp_cfg_config.network4 && isakmp_cfg_config.pool_size == 0)
+ if ((error = isakmp_cfg_resize_pool(ISAKMP_CFG_MAX_CNX)) != 0)
+ return error;
#endif
if (dump_config)
@@ -227,69 +251,102 @@ main(ac, av)
* install SAs from the specified file. If the file is not specified
* by the configuration file, racoon will exit.
*/
- if (loading_sa && !f_local) {
- if (backupsa_from_file() != 0)
- errx(1, "something error happened "
- "SA recovering.");
- }
if (f_foreground)
close(0);
- else if (exec_done) {
- if (atexit(cleanup_pidfile) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "cannot register pidfile cleanup");
- }
- } else {
- #define MAX_EXEC_ARGS 32
-
- char *args[MAX_EXEC_ARGS + 1];
- char *env[1] = {0};
- int i;
-
- if (ac > MAX_EXEC_ARGS) {
- plog(LLV_ERROR, LOCATION, NULL,
- "too many arguments.\n");
- exit(1);
- }
-
- if (daemon(0, 0) < 0) {
- errx(1, "failed to be daemon. (%s)",
- strerror(errno));
- }
+ else {
+ if ( !exec_done && launchdlaunched ){
+ plog(ASL_LEVEL_INFO,
+ "racoon launched by launchd.\n");
+ exec_done = 1;
+ if (atexit(cleanup_pidfile) < 0) {
+ plog(ASL_LEVEL_ERR,
+ "cannot register pidfile cleanup");
+ }
+ }else {
- /* Radar 5129006 - Prevent non-root user from killing racoon
- * when launched by setuid process
- */
- if (setuid(0)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "cannot set uid.\n");
- exit(1);
- }
- if (setgid(0)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "cannot set gid.\n");
- exit(1);
+ if (exec_done) {
+ if (atexit(cleanup_pidfile) < 0) {
+ plog(ASL_LEVEL_ERR,
+ "cannot register pidfile cleanup");
+ }
+ } else {
+ #define MAX_EXEC_ARGS 32
+
+ char *args[MAX_EXEC_ARGS + 2]; /* 2 extra, for '-x' and NULL */
+ char *env[1] = {0};
+ int i;
+
+ if (ac > MAX_EXEC_ARGS) {
+ plog(ASL_LEVEL_ERR,
+ "too many arguments.\n");
+ exit(1);
+ }
+
+ if (daemon(0, 0) < 0) {
+ errx(1, "failed to be daemon. (%s)",
+ strerror(errno));
+ }
+
+ /* Radar 5129006 - Prevent non-root user from killing racoon
+ * when launched by setuid process
+ */
+ if (setuid(0)) {
+ plog(ASL_LEVEL_ERR,
+ "cannot set uid.\n");
+ exit(1);
+ }
+ if (setgid(0)) {
+ plog(ASL_LEVEL_ERR,
+ "cannot set gid.\n");
+ exit(1);
+ }
+
+ /* setup args to re-exec - for CoreFoundation issues */
+ args[0] = PATHRACOON;
+ for (i = 1; i < ac; i++)
+ args[i] = *(av + i);
+ args[ac] = "-x"; /* tells racoon its been exec'd */
+ args[ac+1] = 0;
+
+ execve(PATHRACOON, args, env);
+ plog(ASL_LEVEL_ERR,
+ "failed to exec racoon. (%s)", strerror(errno));
+ exit(1);
+ }
}
-
- /* setup args to re-exec - for CoreFoundation issues */
- args[0] = PATHRACOON;
- for (i = 1; i < ac; i++)
- args[i] = *(av + i);
- args[ac] = "-x"; /* tells racoon its been exec'd */
- args[ac+1] = 0;
-
- execve(PATHRACOON, args, env);
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to exec racoon. (%s)", strerror(errno));
- exit(1);
}
-
+
+
+ /* start the session */
session();
-
- exit(0);
}
+#if 0 // <rdar://problem/9286626>
+int
+launchedbylaunchd(){
+ launch_data_t checkin_response = NULL;
+
+ if ((checkin_response = launch_socket_service_check_in()) == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "launch_socket_service_check_in fails.\n");
+ launchdlaunched = 0;
+ goto done;
+ }
+ if (LAUNCH_DATA_ERRNO == launch_data_get_type(checkin_response)) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "launch_data_get_type fails errno %d.\n", launch_data_get_errno(checkin_response));
+ launchdlaunched = 0;
+ goto done;
+ }
+ launchdlaunched = 1;
+done:
+ /* clean up before we leave */
+ if ( checkin_response )
+ launch_data_free(checkin_response);
+ return launchdlaunched;
+}
+#endif
static void
cleanup_pidfile()
@@ -300,12 +357,12 @@ cleanup_pidfile()
/* if it's not child process, clean everything */
if (racoon_pid == p) {
if (lcconf->pathinfo[LC_PATHTYPE_PIDFILE] == NULL)
- strlcpy(pid_file, _PATH_VARRUN "racoon.pid", MAXPATHLEN);
+ strlcpy(pid_file, _PATH_VARRUN "racoon.pid", sizeof(pid_file));
else if (lcconf->pathinfo[LC_PATHTYPE_PIDFILE][0] == '/')
- strlcpy(pid_file, lcconf->pathinfo[LC_PATHTYPE_PIDFILE], MAXPATHLEN);
+ strlcpy(pid_file, lcconf->pathinfo[LC_PATHTYPE_PIDFILE], sizeof(pid_file));
else {
- strlcat(pid_file, _PATH_VARRUN, MAXPATHLEN);
- strlcat(pid_file, lcconf->pathinfo[LC_PATHTYPE_PIDFILE], MAXPATHLEN);
+ strlcat(pid_file, _PATH_VARRUN, sizeof(pid_file));
+ strlcat(pid_file, lcconf->pathinfo[LC_PATHTYPE_PIDFILE], sizeof(pid_file));
}
(void) unlink(pid_file);
}
@@ -330,12 +387,7 @@ parse(ac, av)
else
pname = *av;
-#if 0 /* for debugging */
- loglevel += 2;
- plogset("/tmp/racoon.log");
-#endif
-
- while ((c = getopt(ac, av, "dLFp:P:a:f:l:veZBCx"
+ while ((c = getopt(ac, av, "dDLFp:P:a:f:l:vsZBCx"
#ifdef YYDEBUG
"y"
#endif
@@ -345,12 +397,23 @@ parse(ac, av)
)) != -1) {
switch (c) {
case 'd':
- loglevel++;
+ plogsetlevel(ASL_LEVEL_DEBUG);
+ break;
+ case 'D':
+ if (f_foreground) {
+ fprintf(stderr, "-D and -F are mutually exclusive\n");
+ exit(1);
+ }
+ launchdlaunched = 1;
break;
case 'L':
print_location = 1;
break;
case 'F':
+ if (launchdlaunched) {
+ fprintf(stderr, "-D and -F are mutually exclusive\n");
+ exit(1);
+ }
printf("Foreground mode.\n");
f_foreground = 1;
break;
@@ -361,14 +424,9 @@ parse(ac, av)
lcconf->port_isakmp_natt = atoi(optarg);
break;
case 'a':
-#ifdef ENABLE_ADMINPORT
- lcconf->port_admin = atoi(optarg);
- break;
-#else
fprintf(stderr, "%s: the option is disabled "
"in the configuration\n", pname);
exit(1);
-#endif
case 'f':
lcconf->racoon_conf = optarg;
break;
@@ -378,8 +436,8 @@ parse(ac, av)
case 'v':
vflag++;
break;
- case 'e':
- lcconf->auto_exit_state |= LC_AUTOEXITSTATE_CLIENT;
+ case 's':
+ lcconf->auto_exit_state &= ~LC_AUTOEXITSTATE_CLIENT; /* override default auto exit state */
break;
case 'x':
exec_done = 1;
@@ -411,9 +469,6 @@ parse(ac, av)
lcconf->default_af = AF_INET6;
break;
#endif
- case 'B':
- loading_sa++;
- break;
case 'C':
dump_config++;
break;
@@ -450,20 +505,11 @@ saverestore_params(f)
int f;
{
static u_int16_t s_port_isakmp;
-#ifdef ENABLE_ADMINPORT
- static u_int16_t s_port_admin;
-#endif
/* 0: save, 1: restore */
if (f) {
lcconf->port_isakmp = s_port_isakmp;
-#ifdef ENABLE_ADMINPORT
- lcconf->port_admin = s_port_admin;
-#endif
} else {
s_port_isakmp = lcconf->port_isakmp;
-#ifdef ENABLE_ADMINPORT
- s_port_admin = lcconf->port_admin;
-#endif
}
}