X-Git-Url: https://git.saurik.com/apple/ipsec.git/blobdiff_plain/52b7d2ce06d68d0a9160d16f6e7c08c21c149d0d..886926c087c10c05fed266ba16e5f571352de3b4:/ipsec-tools/racoon/main.c diff --git a/ipsec-tools/racoon/main.c b/ipsec-tools/racoon/main.c index f325c90..4d654cb 100644 --- a/ipsec-tools/racoon/main.c +++ b/ipsec-tools/racoon/main.c @@ -49,6 +49,7 @@ #endif #include <paths.h> #include <err.h> +#include <launch.h> /* * If we're using a debugging malloc library, this may define our @@ -65,24 +66,34 @@ #include "cfparse_proto.h" #include "isakmp_var.h" -#ifdef HAVE_LIBRADIUS +#ifdef ENABLE_HYBRID +#include <resolv.h> #include "isakmp.h" #include "isakmp_xauth.h" +#include "isakmp_cfg.h" #endif #include "remoteconf.h" #include "localconf.h" #include "session.h" #include "oakley.h" #include "pfkey.h" +#include "policy.h" #include "crypto_openssl.h" -#include "backupsa.h" #include "vendorid.h" +#if !TARGET_OS_EMBEDDED +#include <sandbox.h> +#endif // !TARGET_OS_EMBEDDED + + +#include <CoreFoundation/CoreFoundation.h> +#include "power_mgmt.h" +#include "preferences.h" + //#include "package_version.h" int f_local = 0; /* local test mode. behave like a wall. */ int vflag = 1; /* for print-isakmp.c */ -static int loading_sa = 0; /* install sa when racoon boots up. */ static int dump_config = 0; /* dump parsed config file. */ static int exec_done = 0; /* we've already been exec'd */ 
@@ -92,46 +103,43 @@ static char version[] = "@(#)" TOP_PACKAGE_STRING " (" TOP_PACKAGE_URL ")"; static char version[] = "@(#) racoon / IPsec-tools"; #endif /* TOP_PACKAGE */ -int main __P((int, char **)); -static void usage __P((void)); -static void parse __P((int, char **)); -static void restore_params __P((void)); -static void save_params __P((void)); -static void saverestore_params __P((int)); -static void cleanup_pidfile __P((void)); +int main (int, char **); +static void usage (void); +static void parse (int, char **); +static void restore_params (void); +static void save_params (void); +static void saverestore_params (int); +static void cleanup_pidfile (void); +#if 0 // <rdar://problem/9286626> +int launchedbylaunchd (void); +#endif pid_t racoon_pid = 0; +int launchdlaunched = 0; int print_pid = 1; /* for racoon only */ + void usage() { - printf("usage: racoon [-BdFve%s] %s[-f (file)] [-l (file)] [-p (port)]\n", + printf("usage: racoon [-BdDFvs%s] %s[-f (file)] [-l (file)] [-p (port)]\n", #ifdef INET6 "46", #else "", #endif -#ifdef ENABLE_ADMINPORT - "[-a (port)] " -#else "" -#endif ); - printf(" -B: install SA to the kernel from the file " - "specified by the configuration file.\n"); printf(" -d: debug level, more -d will generate more debug message.\n"); + printf(" -D: started by LaunchD (implies daemon mode).\n"); printf(" -C: dump parsed config file.\n"); printf(" -L: include location in debug messages\n"); printf(" -F: run in foreground, do not become daemon.\n"); printf(" -v: be more verbose\n"); - printf(" -e: enable auto exit\n"); + printf(" -s: override enable auto exit\n"); #ifdef INET6 printf(" -4: IPv4 mode.\n"); printf(" -6: IPv6 mode.\n"); -#endif -#ifdef ENABLE_ADMINPORT - printf(" -a: port number for admin port.\n"); #endif printf(" -f: pathname for configuration file.\n"); printf(" -l: pathname for log file.\n"); 
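Review bot: The new synopsis `[-BdDFvs%s]` in usage() still advertises `-B` although this hunk deletes its description, and the option string in parse() (`"dDLFp:P:a:f:l:vsZBCx"`, in a later hunk) still accepts `B` while the `case 'B'` handler is removed further down. The help line `more -d will generate more debug message` is also stale, because parse() now sets a fixed level with `plogsetlevel(ASL_LEVEL_DEBUG)` instead of incrementing a counter. I would drop `B` from both the synopsis and the getopt string and reword the help line to `-d: enable debug logging.`, so that the accepted flags, the help text and the handlers agree.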
@@ -147,6 +155,21 @@ main(ac, av) { int error; +#if !TARGET_OS_EMBEDDED + char *errorbuf; + if (sandbox_init("racoon", SANDBOX_NAMED, &errorbuf) == -1) { + plog(ASL_LEVEL_ERR, "initializing sandbox failed %s", errorbuf); + sandbox_free_error(errorbuf); + return -1; + } +#endif // !TARGET_OS_EMBEDDED + + /* + * Check IPSec plist + */ + prefsinit(); + ploginit(); + if (geteuid() != 0) { errx(1, "must be root to invoke this program."); /* NOTREACHED*/ @@ -164,30 +187,30 @@ main(ac, av) /* NOTREACHED*/ } -#ifdef DEBUG_RECORD_MALLOCATION - DRM_init(); -#endif - +#ifdef HAVE_OPENSSL eay_init(); +#endif + initlcconf(); initrmconf(); oakley_dhinit(); compute_vendorids(); parse(ac, av); - if (lcconf->logfile_param) - plogset(lcconf->logfile_param); - ploginit(); - plog(LLV_INFO, LOCATION, NULL, "***** racoon started: pid=%d started by: %d\n", getpid(), getppid()); - plog(LLV_INFO, LOCATION, NULL, "%s\n", version); - plog(LLV_INFO, LOCATION, NULL, "@(#)" + plog(ASL_LEVEL_INFO, "***** racoon started: pid=%d started by: %d, launchdlaunched %d\n", getpid(), getppid(), launchdlaunched); + plog(ASL_LEVEL_INFO, "%s\n", version); +#ifdef HAVE_OPENSSL + plog(ASL_LEVEL_INFO, "@(#)" "This product linked %s (http://www.openssl.org/)" "\n", eay_version()); +#endif + plog(ASL_LEVEL_INFO, "Reading configuration from \"%s\"\n", + lcconf->racoon_conf); + //%%%%% this sould probably be moved to session() if (pfkey_init() < 0) { - errx(1, "something error happened " - "while pfkey initializing."); + errx(1, "failed to initialize pfkey.\n"); /* NOTREACHED*/ } @@ -200,8 +223,9 @@ main(ac, av) if (error != 0) errx(1, "failed to parse configuration file."); restore_params(); - if (lcconf->logfile_param == NULL) - plogreset(lcconf->pathinfo[LC_PATHTYPE_LOGFILE]); + + if (lcconf->logfile_param == NULL && logFileStr[0] == 0) + plogresetfile(lcconf->pathinfo[LC_PATHTYPE_LOGFILE]); #ifdef ENABLE_NATT /* Tell the kernel which port to use for UDP encapsulation */ 
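Review bot: In the sandbox block at the top of main(), the failure is reported with `plog(ASL_LEVEL_ERR, ...)` before `ploginit()` has run (it is called a few lines further down, after `prefsinit()`), so the one message explaining why the daemon refused to start may never reach a log; whether plog() works before initialisation is not visible here. Failing closed is the right behaviour, but I would also write the reason to stderr, e.g. `fprintf(stderr, "racoon: sandbox_init failed: %s\n", errorbuf);`, before `sandbox_free_error(errorbuf)`, and declare `char *errorbuf = NULL;`. A short comment would also help, noting that the profile is entered before option and configuration parsing, so paths given with `-f` or `-l` presumably have to be permitted by the named profile. main() starts and continues outside the hunk.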
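Review bot: `errx(1, "failed to initialize pfkey.\n")` carries a trailing newline that errx() already appends, so the message is followed by an empty line, while the other errx() calls in main() omit it. I would write `errx(1, "failed to initialize pfkey.");`. The new comment `//%%%%% this sould probably be moved to session()` has a typo ("should") and would read better as `/* TODO: move pfkey_init() into session() */`.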
@@ -213,11 +237,11 @@ main(ac, av) } #endif -#ifdef HAVE_LIBRADIUS - if (xauth_radius_init() != 0) { - errx(1, "could not initialize libradius"); - /* NOTREACHED*/ - } + +#ifdef ENABLE_HYBRID + if(isakmp_cfg_config.network4 && isakmp_cfg_config.pool_size == 0) + if ((error = isakmp_cfg_resize_pool(ISAKMP_CFG_MAX_CNX)) != 0) + return error; #endif if (dump_config) 
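Review bot: When `isakmp_cfg_resize_pool(ISAKMP_CFG_MAX_CNX)` fails, main() leaves through `return error;` without any diagnostic, whereas the other start-up failures around it go through errx() or plog(); the daemon would exit with no trace of the reason. I would log before returning, e.g. `plog(ASL_LEVEL_ERR, "failed to allocate the mode-config address pool.\n");`, and brace the nested `if` so the two conditions cannot be misread when someone adds a statement. main() starts and ends outside the hunk.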
@@ -227,69 +251,102 @@ main(ac, av) * install SAs from the specified file. If the file is not specified * by the configuration file, racoon will exit. */ - if (loading_sa && !f_local) { - if (backupsa_from_file() != 0) - errx(1, "something error happened " - "SA recovering."); - } if (f_foreground) close(0); - else if (exec_done) { - if (atexit(cleanup_pidfile) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "cannot register pidfile cleanup"); - } - } else { - #define MAX_EXEC_ARGS 32 - - char *args[MAX_EXEC_ARGS + 1]; - char *env[1] = {0}; - int i; - - if (ac > MAX_EXEC_ARGS) { - plog(LLV_ERROR, LOCATION, NULL, - "too many arguments.\n"); - exit(1); - } - - if (daemon(0, 0) < 0) { - errx(1, "failed to be daemon. (%s)", - strerror(errno)); - } + else { + if ( !exec_done && launchdlaunched ){ + plog(ASL_LEVEL_INFO, + "racoon launched by launchd.\n"); + exec_done = 1; + if (atexit(cleanup_pidfile) < 0) { + plog(ASL_LEVEL_ERR, + "cannot register pidfile cleanup"); + } + }else { - /* Radar 5129006 - Prevent non-root user from killing racoon - * when launched by setuid process - */ - if (setuid(0)) { - plog(LLV_ERROR, LOCATION, NULL, - "cannot set uid.\n"); - exit(1); - } - if (setgid(0)) { - plog(LLV_ERROR, LOCATION, NULL, - "cannot set gid.\n"); - exit(1); + if (exec_done) { + if (atexit(cleanup_pidfile) < 0) { + plog(ASL_LEVEL_ERR, + "cannot register pidfile cleanup"); + } + } else { + #define MAX_EXEC_ARGS 32 + + char *args[MAX_EXEC_ARGS + 2]; /* 2 extra, for '-x' and NULL */ + char *env[1] = {0}; + int i; + + if (ac > MAX_EXEC_ARGS) { + plog(ASL_LEVEL_ERR, + "too many arguments.\n"); + exit(1); + } + + if (daemon(0, 0) < 0) { + errx(1, "failed to be daemon. 
(%s)", + strerror(errno)); + } + + /* Radar 5129006 - Prevent non-root user from killing racoon + * when launched by setuid process + */ + if (setuid(0)) { + plog(ASL_LEVEL_ERR, + "cannot set uid.\n"); + exit(1); + } + if (setgid(0)) { + plog(ASL_LEVEL_ERR, + "cannot set gid.\n"); + exit(1); + } + + /* setup args to re-exec - for CoreFoundation issues */ + args[0] = PATHRACOON; + for (i = 1; i < ac; i++) + args[i] = *(av + i); + args[ac] = "-x"; /* tells racoon its been exec'd */ + args[ac+1] = 0; + + execve(PATHRACOON, args, env); + plog(ASL_LEVEL_ERR, + "failed to exec racoon. (%s)", strerror(errno)); + exit(1); + } } - - /* setup args to re-exec - for CoreFoundation issues */ - args[0] = PATHRACOON; - for (i = 1; i < ac; i++) - args[i] = *(av + i); - args[ac] = "-x"; /* tells racoon its been exec'd */ - args[ac+1] = 0; - - execve(PATHRACOON, args, env); - plog(LLV_ERROR, LOCATION, NULL, - "failed to exec racoon. (%s)", strerror(errno)); - exit(1); } - + + + /* start the session */ session(); - - exit(0); } +#if 0 // <rdar://problem/9286626> +int +launchedbylaunchd(){ + launch_data_t checkin_response = NULL; + + if ((checkin_response = launch_socket_service_check_in()) == NULL) { + plog(LLV_ERROR, LOCATION, NULL, + "launch_socket_service_check_in fails.\n"); + launchdlaunched = 0; + goto done; + } + if (LAUNCH_DATA_ERRNO == launch_data_get_type(checkin_response)) { + plog(LLV_ERROR, LOCATION, NULL, + "launch_data_get_type fails errno %d.\n", launch_data_get_errno(checkin_response)); + launchdlaunched = 0; + goto done; + } + launchdlaunched = 1; +done: + /* clean up before we leave */ + if ( checkin_response ) + launch_data_free(checkin_response); + return launchdlaunched; +} +#endif static void cleanup_pidfile() 
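Review bot: The new launchd branch (`if ( !exec_done && launchdlaunched )`) only registers `cleanup_pidfile` and then falls through to `session()`, so it skips the `setuid(0)`/`setgid(0)` calls that the Radar 5129006 comment says prevent a non-root user from killing racoon. `launchdlaunched` is set only by the `-D` flag in parse() (a later hunk), since the check-in helper `launchedbylaunchd()` is compiled out with `#if 0`, so the branch is taken for any caller that passes `-D` and not only for launchd. If racoon can still be started by a setuid helper, which is not visible here, I would either normalise the ids in this branch too or add a comment stating why a `-D` start does not need it. Separately, with `exit(0);` removed, main() has no explicit return after `session()`; adding `return 0;` would make the intent clear.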
@@ -300,12 +357,12 @@ cleanup_pidfile() /* if it's not child process, clean everything */ if (racoon_pid == p) { if (lcconf->pathinfo[LC_PATHTYPE_PIDFILE] == NULL) - strlcpy(pid_file, _PATH_VARRUN "racoon.pid", MAXPATHLEN); + strlcpy(pid_file, _PATH_VARRUN "racoon.pid", sizeof(pid_file)); else if (lcconf->pathinfo[LC_PATHTYPE_PIDFILE][0] == '/') - strlcpy(pid_file, lcconf->pathinfo[LC_PATHTYPE_PIDFILE], MAXPATHLEN); + strlcpy(pid_file, lcconf->pathinfo[LC_PATHTYPE_PIDFILE], sizeof(pid_file)); else { - strlcat(pid_file, _PATH_VARRUN, MAXPATHLEN); - strlcat(pid_file, lcconf->pathinfo[LC_PATHTYPE_PIDFILE], MAXPATHLEN); + strlcat(pid_file, _PATH_VARRUN, sizeof(pid_file)); + strlcat(pid_file, lcconf->pathinfo[LC_PATHTYPE_PIDFILE], sizeof(pid_file)); } (void) unlink(pid_file); } @@ -330,12 +387,7 @@ parse(ac, av) else pname = *av; -#if 0 /* for debugging */ - loglevel += 2; - plogset("/tmp/racoon.log"); -#endif - - while ((c = getopt(ac, av, "dLFp:P:a:f:l:veZBCx" + while ((c = getopt(ac, av, "dDLFp:P:a:f:l:vsZBCx" #ifdef YYDEBUG "y" #endif @@ -345,12 +397,23 @@ parse(ac, av) )) != -1) { switch (c) { case 'd': - loglevel++; + plogsetlevel(ASL_LEVEL_DEBUG); + break; + case 'D': + if (f_foreground) { + fprintf(stderr, "-D and -F are mutually exclusive\n"); + exit(1); + } + launchdlaunched = 1; break; case 'L': print_location = 1; break; case 'F': + if (launchdlaunched) { + fprintf(stderr, "-D and -F are mutually exclusive\n"); + exit(1); + } printf("Foreground mode.\n"); f_foreground = 1; break; @@ -361,14 +424,9 @@ parse(ac, av) lcconf->port_isakmp_natt = atoi(optarg); break; case 'a': -#ifdef ENABLE_ADMINPORT - lcconf->port_admin = atoi(optarg); - break; -#else fprintf(stderr, "%s: the option is disabled " "in the configuration\n", pname); exit(1); -#endif case 'f': lcconf->racoon_conf = optarg; break; 
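Review bot: The relative-path branch of cleanup_pidfile() still builds the name with `strlcat(pid_file, _PATH_VARRUN, sizeof(pid_file))`, which appends to whatever `pid_file` already holds; its declaration is outside the hunk, so unless it is zero-initialised there the first call should be `strlcpy(pid_file, _PATH_VARRUN, sizeof(pid_file));`. None of the strlcpy/strlcat results is compared against `sizeof(pid_file)`, so an over-long configured path is silently truncated and a different file name is handed to `unlink()` by a process that main() requires to run as root. I would skip the unlink and log an error when any of the calls returns a value `>= sizeof(pid_file)`.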
@@ -378,8 +436,8 @@ parse(ac, av) case 'v': vflag++; break; - case 'e': - lcconf->auto_exit_state |= LC_AUTOEXITSTATE_CLIENT; + case 's': + lcconf->auto_exit_state &= ~LC_AUTOEXITSTATE_CLIENT; /* override default auto exit state */ break; case 'x': exec_done = 1; @@ -411,9 +469,6 @@ parse(ac, av) lcconf->default_af = AF_INET6; break; #endif - case 'B': - loading_sa++; - break; case 'C': dump_config++; break; @@ -450,20 +505,11 @@ saverestore_params(f) int f; { static u_int16_t s_port_isakmp; -#ifdef ENABLE_ADMINPORT - static u_int16_t s_port_admin; -#endif /* 0: save, 1: restore */ if (f) { lcconf->port_isakmp = s_port_isakmp; -#ifdef ENABLE_ADMINPORT - lcconf->port_admin = s_port_admin; -#endif } else { s_port_isakmp = lcconf->port_isakmp; -#ifdef ENABLE_ADMINPORT - s_port_admin = lcconf->port_admin; -#endif } }
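Review bot: `-s` now clears `LC_AUTOEXITSTATE_CLIENT` in `lcconf->auto_exit_state` at option-parsing time, but `saverestore_params()` (last hunk) saves and restores only `port_isakmp` around the configuration parse. If the configuration parser or a reload re-applies the default state, which is not visible in this diff, the command-line override would be lost; that is worth confirming and, if so, `auto_exit_state` should be added to the saved parameters. The trailing comment would be clearer as `/* -s: disable client auto-exit, overriding the default */`, and the usage text `-s: override enable auto exit` should say the same.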