X-Git-Url: https://git.saurik.com/apple/ipsec.git/blobdiff_plain/52b7d2ce06d68d0a9160d16f6e7c08c21c149d0d..886926c087c10c05fed266ba16e5f571352de3b4:/ipsec-tools/racoon/main.c

diff --git a/ipsec-tools/racoon/main.c b/ipsec-tools/racoon/main.c
index f325c90..4d654cb 100644
--- a/ipsec-tools/racoon/main.c
+++ b/ipsec-tools/racoon/main.c
@@ -49,6 +49,7 @@
 #endif
 #include <paths.h>
 #include <err.h>
+#include <launch.h>
 
 /*
  * If we're using a debugging malloc library, this may define our
@@ -65,24 +66,34 @@
 
 #include "cfparse_proto.h"
 #include "isakmp_var.h"
-#ifdef HAVE_LIBRADIUS
+#ifdef ENABLE_HYBRID
+#include <resolv.h>
 #include "isakmp.h"
 #include "isakmp_xauth.h"
+#include "isakmp_cfg.h"
 #endif
 #include "remoteconf.h"
 #include "localconf.h"
 #include "session.h"
 #include "oakley.h"
 #include "pfkey.h"
+#include "policy.h"
 #include "crypto_openssl.h"
-#include "backupsa.h"
 #include "vendorid.h"
 
+#if !TARGET_OS_EMBEDDED
+#include <sandbox.h>
+#endif // !TARGET_OS_EMBEDDED
+
+
+#include <CoreFoundation/CoreFoundation.h>
+#include "power_mgmt.h"
+#include "preferences.h"
+
 //#include "package_version.h"
 
 int f_local = 0;	/* local test mode.  behave like a wall. */
 int vflag = 1;		/* for print-isakmp.c */
-static int loading_sa = 0;	/* install sa when racoon boots up. */
 static int dump_config = 0;	/* dump parsed config file. */
 static int exec_done = 0;	/* we've already been exec'd */
 
@@ -92,46 +103,43 @@ static char version[] = "@(#)" TOP_PACKAGE_STRING " (" TOP_PACKAGE_URL ")";
 static char version[] = "@(#) racoon / IPsec-tools";
 #endif /* TOP_PACKAGE */
 
-int main __P((int, char **));
-static void usage __P((void));
-static void parse __P((int, char **));
-static void restore_params __P((void));
-static void save_params __P((void));
-static void saverestore_params __P((int));
-static void cleanup_pidfile __P((void));
+int main (int, char **);
+static void usage (void);
+static void parse (int, char **);
+static void restore_params (void);
+static void save_params (void);
+static void saverestore_params (int);
+static void cleanup_pidfile (void);
+#if 0 // <rdar://problem/9286626>
+int launchedbylaunchd (void);
+#endif
 
 pid_t racoon_pid = 0;
+int   launchdlaunched = 0;
 int print_pid = 1;	/* for racoon only */
 
+
 void
 usage()
 {
-	printf("usage: racoon [-BdFve%s] %s[-f (file)] [-l (file)] [-p (port)]\n",
+	printf("usage: racoon [-BdDFvs%s] %s[-f (file)] [-l (file)] [-p (port)]\n",
 #ifdef INET6
 		"46",
 #else
 		"",
 #endif
-#ifdef ENABLE_ADMINPORT
-		"[-a (port)] "
-#else
 		""
-#endif
 		);
-	printf("   -B: install SA to the kernel from the file "
-		"specified by the configuration file.\n");
 	printf("   -d: debug level, more -d will generate more debug message.\n");
+	printf("   -D: started by LaunchD (implies daemon mode).\n");
 	printf("   -C: dump parsed config file.\n");
 	printf("   -L: include location in debug messages\n");
 	printf("   -F: run in foreground, do not become daemon.\n");
 	printf("   -v: be more verbose\n");
-	printf("   -e: enable auto exit\n");
+	printf("   -s: override enable auto exit\n");
 #ifdef INET6
 	printf("   -4: IPv4 mode.\n");
 	printf("   -6: IPv6 mode.\n");
-#endif
-#ifdef ENABLE_ADMINPORT
-	printf("   -a: port number for admin port.\n");
 #endif
 	printf("   -f: pathname for configuration file.\n");
 	printf("   -l: pathname for log file.\n");
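Review bot: The new usage string still advertises `-B` (`[-BdDFvs%s]`) although this commit removes its help line here and its `case 'B':` handler in parse(), while the getopt string in parse() still accepts `B`. As a result `-B` is presumably handled by the switch's default case, which is not visible here. Drop `B` from both strings, e.g. `"usage: racoon [-dDFvs%s] %s[-f (file)] [-l (file)] [-p (port)]\n"`. The `-s` help text `override enable auto exit` is also hard to read; `-s: disable client auto exit` would match the handler, which clears `LC_AUTOEXITSTATE_CLIENT`. usage() continues past the end of the hunk.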
@@ -147,6 +155,21 @@ main(ac, av)
 {
 	int error;
 
+#if !TARGET_OS_EMBEDDED
+	char *errorbuf;
+	if (sandbox_init("racoon", SANDBOX_NAMED, &errorbuf) == -1) {
+		plog(ASL_LEVEL_ERR, "initializing sandbox failed %s", errorbuf);
+		sandbox_free_error(errorbuf);
+		return -1;
+	}
+#endif // !TARGET_OS_EMBEDDED
+
+	/*
+	 * Check IPSec plist
+	 */
+	prefsinit();
+	ploginit();
+
 	if (geteuid() != 0) {
 		errx(1, "must be root to invoke this program.");
 		/* NOTREACHED*/
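Review bot: The sandbox failure path calls `plog()` before `ploginit()` has run a few lines further down, so the one message explaining why the daemon refused to start may never be recorded, depending on how plog() behaves when uninitialised (not visible here). Failing closed is the right behaviour; to keep the diagnostic, also write it to stderr, e.g. `fprintf(stderr, "initializing sandbox failed %s\n", errorbuf);`. Declaring `char *errorbuf = NULL;` would also make the failure path safe if the library ever returns -1 without setting it. main() begins and continues outside the hunk.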
@@ -164,30 +187,30 @@ main(ac, av)
 		/* NOTREACHED*/
 	}
 
-#ifdef DEBUG_RECORD_MALLOCATION
-	DRM_init();
-#endif
-
+#ifdef HAVE_OPENSSL
 	eay_init();
+#endif
+	
 	initlcconf();
 	initrmconf();
 	oakley_dhinit();
 	compute_vendorids();
 
 	parse(ac, av);
-	if (lcconf->logfile_param)
-		plogset(lcconf->logfile_param);
-	ploginit();
 
-	plog(LLV_INFO, LOCATION, NULL, "***** racoon started: pid=%d  started by: %d\n", getpid(), getppid());
-	plog(LLV_INFO, LOCATION, NULL, "%s\n", version);
-	plog(LLV_INFO, LOCATION, NULL, "@(#)"
+	plog(ASL_LEVEL_INFO, "***** racoon started: pid=%d  started by: %d, launchdlaunched %d\n", getpid(), getppid(), launchdlaunched);
+	plog(ASL_LEVEL_INFO, "%s\n", version);
+#ifdef HAVE_OPENSSL
+	plog(ASL_LEVEL_INFO, "@(#)"
 	    "This product linked %s (http://www.openssl.org/)"
 	    "\n", eay_version());
+#endif
+	plog(ASL_LEVEL_INFO, "Reading configuration from \"%s\"\n", 
+	    lcconf->racoon_conf);
 
+    //%%%%% this sould probably be moved to session()
 	if (pfkey_init() < 0) {
-		errx(1, "something error happened "
-			"while pfkey initializing.");
+		errx(1, "failed to initialize pfkey.\n");
 		/* NOTREACHED*/
 	}
 
@@ -200,8 +223,9 @@ main(ac, av)
 	if (error != 0)
 		errx(1, "failed to parse configuration file.");
 	restore_params();
-	if (lcconf->logfile_param == NULL)
-		plogreset(lcconf->pathinfo[LC_PATHTYPE_LOGFILE]);
+	
+	if (lcconf->logfile_param == NULL && logFileStr[0] == 0)
+		plogresetfile(lcconf->pathinfo[LC_PATHTYPE_LOGFILE]);
 		
 #ifdef ENABLE_NATT
 	/* Tell the kernel which port to use for UDP encapsulation */
@@ -213,11 +237,11 @@ main(ac, av)
 	}
 #endif
 
-#ifdef HAVE_LIBRADIUS
-	if (xauth_radius_init() != 0) {
-		errx(1, "could not initialize libradius");
-		/* NOTREACHED*/
-	}
+
+#ifdef ENABLE_HYBRID
+	if(isakmp_cfg_config.network4 && isakmp_cfg_config.pool_size == 0)
+		if ((error = isakmp_cfg_resize_pool(ISAKMP_CFG_MAX_CNX)) != 0)
+			return error;
 #endif
 
 	if (dump_config)
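Review bot: When `isakmp_cfg_resize_pool()` fails, main() returns its error code with no message, whereas the other start-up failures visible in this function go through `errx(1, ...)` or `plog()`. An operator would see the daemon exit with an arbitrary status and nothing in the log. Suggest replacing `return error;` with `errx(1, "isakmp_cfg_resize_pool failed (%d)", error);`, and adding braces around the outer `if`, since it guards a nested `if`. main() begins and ends outside the hunk.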
@@ -227,69 +251,102 @@ main(ac, av)
 	 * install SAs from the specified file.  If the file is not specified
 	 * by the configuration file, racoon will exit.
 	 */
-	if (loading_sa && !f_local) {
-		if (backupsa_from_file() != 0)
-			errx(1, "something error happened "
-				"SA recovering.");
-	}
 
 	if (f_foreground)
 		close(0);
-	else if (exec_done) {
-		if (atexit(cleanup_pidfile) < 0) {
-			plog(LLV_ERROR, LOCATION, NULL,
-				"cannot register pidfile cleanup");
-		}
-	} else {
-		#define MAX_EXEC_ARGS 32
-		
-		char *args[MAX_EXEC_ARGS + 1];
-		char *env[1] = {0};	
-		int	i;
-		
-		if (ac > MAX_EXEC_ARGS) {
-			plog(LLV_ERROR, LOCATION, NULL,
-				"too many arguments.\n");
-			exit(1);
-		}
-		
-		if (daemon(0, 0) < 0) {
-			errx(1, "failed to be daemon. (%s)",
-				strerror(errno));
-		}
+	else {
+		if ( !exec_done && launchdlaunched ){
+			plog(ASL_LEVEL_INFO, 
+				 "racoon launched by launchd.\n");
+			exec_done = 1;
+			if (atexit(cleanup_pidfile) < 0) {
+				plog(ASL_LEVEL_ERR, 
+					 "cannot register pidfile cleanup");
+			}
+		}else {
 		
-		/* Radar 5129006 - Prevent non-root user from killing racoon
-		 * when launched by setuid process
-		 */
-		if (setuid(0)) {
-			plog(LLV_ERROR, LOCATION, NULL,
-				"cannot set uid.\n");
-			exit(1);
-		}
-		if (setgid(0)) {
-			plog(LLV_ERROR, LOCATION, NULL,
-				"cannot set gid.\n");
-			exit(1);
+			if (exec_done) {
+				if (atexit(cleanup_pidfile) < 0) {
+					plog(ASL_LEVEL_ERR, 
+						"cannot register pidfile cleanup");
+				}
+			} else {
+				#define MAX_EXEC_ARGS 32
+				
+				char *args[MAX_EXEC_ARGS + 2]; /* 2 extra, for '-x' and NULL */
+				char *env[1] = {0};	
+				int	i;
+				
+				if (ac > MAX_EXEC_ARGS) {
+					plog(ASL_LEVEL_ERR, 
+						"too many arguments.\n");
+					exit(1);
+				}
+				
+				if (daemon(0, 0) < 0) {
+					errx(1, "failed to be daemon. (%s)",
+						strerror(errno));
+				}
+				
+				/* Radar 5129006 - Prevent non-root user from killing racoon
+				 * when launched by setuid process
+				 */
+				if (setuid(0)) {
+					plog(ASL_LEVEL_ERR, 
+						"cannot set uid.\n");
+					exit(1);
+				}
+				if (setgid(0)) {
+					plog(ASL_LEVEL_ERR, 
+						"cannot set gid.\n");
+					exit(1);
+				}
+				
+				/* setup args to re-exec - for CoreFoundation issues */
+				args[0] = PATHRACOON;	
+				for (i = 1; i < ac; i++)
+					args[i] = *(av + i);
+				args[ac] = "-x";		/* tells racoon its been exec'd */
+				args[ac+1] = 0;
+				
+				execve(PATHRACOON, args, env);
+				plog(ASL_LEVEL_ERR, 
+						"failed to exec racoon. (%s)", strerror(errno));
+				exit(1);
+			}
 		}
-		
-		/* setup args to re-exec - for CoreFoundation issues */
-		args[0] = PATHRACOON;	
-		for (i = 1; i < ac; i++)
-			args[i] = *(av + i);
-		args[ac] = "-x";		/* tells racoon its been exec'd */
-		args[ac+1] = 0;
-		
-		execve(PATHRACOON, args, env);
-		plog(LLV_ERROR, LOCATION, NULL,
-				"failed to exec racoon. (%s)", strerror(errno));
-		exit(1);
 	}
-
+    
+    
+    /* start the session */
 	session();
-	
-	exit(0);
 }
 
+#if 0 // <rdar://problem/9286626>
+int
+launchedbylaunchd(){
+	launch_data_t checkin_response = NULL;
+    
+	if ((checkin_response = launch_socket_service_check_in()) == NULL) {
+		plog(LLV_ERROR, LOCATION, NULL,
+			 "launch_socket_service_check_in fails.\n");
+		launchdlaunched = 0;
+		goto done;
+	}
+	if (LAUNCH_DATA_ERRNO == launch_data_get_type(checkin_response)) {
+		plog(LLV_ERROR, LOCATION, NULL,
+			 "launch_data_get_type fails errno %d.\n", launch_data_get_errno(checkin_response));
+		launchdlaunched = 0;
+		goto done;
+	}
+	launchdlaunched = 1;
+done:
+	/* clean up before we leave */
+	if ( checkin_response )
+		launch_data_free(checkin_response);
+	return launchdlaunched;
+}
+#endif
 
 static void
 cleanup_pidfile()
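Review bot: The launchd branch is entered purely because `-D` was passed on the command line (the `launchedbylaunchd()` check-in is compiled out with `#if 0`), and it skips the `setuid(0)`/`setgid(0)` step that the other branch keeps for Radar 5129006. If racoon can still be started with `-D` by a setuid helper, the real uid would stay non-root, which is the situation the Radar comment says that step prevents. Either repeat the check in this branch, e.g. `if (setuid(0) || setgid(0)) { plog(ASL_LEVEL_ERR, "cannot set uid/gid.\n"); exit(1); }`, or add a comment stating why launchd-started instances do not need it. Separately, `atexit()` reports failure with any non-zero value, so `if (atexit(cleanup_pidfile) != 0)` is the safer test in both places, and the disabled function still uses the old `plog(LLV_ERROR, LOCATION, NULL, ...)` form. main() starts outside the hunk.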
@@ -300,12 +357,12 @@ cleanup_pidfile()
 	/* if it's not child process, clean everything */
 	if (racoon_pid == p) {
 		if (lcconf->pathinfo[LC_PATHTYPE_PIDFILE] == NULL) 
-			strlcpy(pid_file, _PATH_VARRUN "racoon.pid", MAXPATHLEN);
+			strlcpy(pid_file, _PATH_VARRUN "racoon.pid", sizeof(pid_file));
 		else if (lcconf->pathinfo[LC_PATHTYPE_PIDFILE][0] == '/') 
-			strlcpy(pid_file, lcconf->pathinfo[LC_PATHTYPE_PIDFILE], MAXPATHLEN);
+			strlcpy(pid_file, lcconf->pathinfo[LC_PATHTYPE_PIDFILE], sizeof(pid_file));
 		else {
-			strlcat(pid_file, _PATH_VARRUN, MAXPATHLEN);
-			strlcat(pid_file, lcconf->pathinfo[LC_PATHTYPE_PIDFILE], MAXPATHLEN);
+			strlcat(pid_file, _PATH_VARRUN, sizeof(pid_file));
+			strlcat(pid_file, lcconf->pathinfo[LC_PATHTYPE_PIDFILE], sizeof(pid_file));
 		}
 		(void) unlink(pid_file);
 	}
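Review bot: In the relative-path branch the first call is `strlcat(pid_file, _PATH_VARRUN, sizeof(pid_file))`, which appends to whatever `pid_file` already holds. Its declaration is outside the hunk, and if it is an uninitialised local array the path handed to `unlink()` is unpredictable. Start that branch with `strlcpy(pid_file, _PATH_VARRUN, sizeof(pid_file));` and keep `strlcat` for the second component only. The switch to `sizeof(pid_file)` is correct only while `pid_file` is an array rather than a pointer, which deserves a one-line comment at the declaration. None of the return values is checked for truncation, so an over-long configured path would unlink a truncated name.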
@@ -330,12 +387,7 @@ parse(ac, av)
 	else
 		pname = *av;
 
-#if 0	/* for debugging */
-	loglevel += 2;
-	plogset("/tmp/racoon.log");
-#endif
-
-	while ((c = getopt(ac, av, "dLFp:P:a:f:l:veZBCx"
+	while ((c = getopt(ac, av, "dDLFp:P:a:f:l:vsZBCx"
 #ifdef YYDEBUG
 			"y"
 #endif
@@ -345,12 +397,23 @@ parse(ac, av)
 			)) != -1) {
 		switch (c) {
 		case 'd':
-			loglevel++;
+			plogsetlevel(ASL_LEVEL_DEBUG);
+			break;
+		case 'D':
+			if (f_foreground) {
+				fprintf(stderr, "-D and -F are mutually exclusive\n");
+				exit(1);
+			}
+			launchdlaunched = 1;
 			break;
 		case 'L':
 			print_location = 1;
 			break;
 		case 'F':
+			if (launchdlaunched) {
+				fprintf(stderr, "-D and -F are mutually exclusive\n");
+				exit(1);
+			}
 			printf("Foreground mode.\n");
 			f_foreground = 1;
 			break;
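Review bot: `-d` now calls `plogsetlevel(ASL_LEVEL_DEBUG)`, so repeating the flag no longer raises verbosity, but usage() still prints `more -d will generate more debug message`. Update that help line to something like `-d: enable debug logging.` The `-D and -F are mutually exclusive` test is written out twice; a single `if (launchdlaunched && f_foreground)` check after the getopt loop would be shorter and would keep the message in one place. The switch statement continues outside the hunk.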
@@ -361,14 +424,9 @@ parse(ac, av)
 			lcconf->port_isakmp_natt = atoi(optarg);
 			break;
 		case 'a':
-#ifdef ENABLE_ADMINPORT
-			lcconf->port_admin = atoi(optarg);
-			break;
-#else
 			fprintf(stderr, "%s: the option is disabled "
 			    "in the configuration\n", pname);
 			exit(1);
-#endif
 		case 'f':
 			lcconf->racoon_conf = optarg;
 			break;
@@ -378,8 +436,8 @@ parse(ac, av)
 		case 'v':
 			vflag++;
 			break;
-		case 'e':
-			lcconf->auto_exit_state |= LC_AUTOEXITSTATE_CLIENT;
+		case 's':
+			lcconf->auto_exit_state &= ~LC_AUTOEXITSTATE_CLIENT;	/* override default auto exit state */
 			break;
 		case 'x':
 			exec_done = 1;
@@ -411,9 +469,6 @@ parse(ac, av)
 			lcconf->default_af = AF_INET6;
 			break;
 #endif
-		case 'B':
-			loading_sa++;
-			break;
 		case 'C':
 			dump_config++;
 			break;
@@ -450,20 +505,11 @@ saverestore_params(f)
 	int f;
 {
 	static u_int16_t s_port_isakmp;
-#ifdef ENABLE_ADMINPORT
-	static u_int16_t s_port_admin;
-#endif
 
 	/* 0: save, 1: restore */
 	if (f) {
 		lcconf->port_isakmp = s_port_isakmp;
-#ifdef ENABLE_ADMINPORT
-		lcconf->port_admin = s_port_admin;
-#endif
 	} else {
 		s_port_isakmp = lcconf->port_isakmp;
-#ifdef ENABLE_ADMINPORT
-		s_port_admin = lcconf->port_admin;
-#endif
 	}
 }