1 /*        $NetBSD: main.c,v 1.16 2025/03/07 15:55:29 christos Exp $   */
2 
3 /* Id: main.c,v 1.25 2006/06/20 20:31:34 manubsd Exp */
4 
5 /*
6  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  * 3. Neither the name of the project nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include "config.h"
35 
36 #include <sys/types.h>
37 #include <sys/param.h>
38 #include <sys/socket.h>
39 #include <sys/stat.h>
40 
41 #include <netinet/in.h>
42 
43 #include <stdlib.h>
44 #include <stdio.h>
45 #include <string.h>
46 #include <errno.h>
47 #include <limits.h>
48 #ifdef HAVE_UNISTD_H
49 #include <unistd.h>
50 #endif
51 #include <paths.h>
52 #include <err.h>
53 
54 /*
55  * If we're using a debugging malloc library, this may define our
56  * wrapper stubs.
57  */
58 #define   RACOON_MAIN_PROGRAM
59 #include "gcmalloc.h"
60 
61 #include "var.h"
62 #include "misc.h"
63 #include "vmbuf.h"
64 #include "plog.h"
65 #include "debug.h"
66 
67 #include "cfparse_proto.h"
68 #include "isakmp_var.h"
69 #include "remoteconf.h"
70 #include "localconf.h"
71 #include "session.h"
72 #include "oakley.h"
73 #include "pfkey.h"
74 #include "policy.h"
75 #include "crypto_openssl.h"
76 #include "backupsa.h"
77 #include "vendorid.h"
78 
79 #include "package_version.h"
80 
81 int dump_config = 0;          /* dump parsed config file. */
82 int f_local = 0;    /* local test mode.  behave like a wall. */
83 int vflag = 1;                /* for print-isakmp.c */
84 static int loading_sa = 0;    /* install sa when racoon boots up. */
85 
86 #ifdef TOP_PACKAGE
87 static char version[] = "@(#)" TOP_PACKAGE_STRING " (" TOP_PACKAGE_URL ")";
88 #else
89 static char version[] = "@(#) racoon / IPsec-tools";
90 #endif
91 
92 static void
print_version(void)93 print_version(void)
94 {
95           printf("%s\n"
96                  "\n"
97                  "Compiled with:\n"
98                  "- %s (http://www.openssl.org/)\n"
99 #ifdef INET6
100                  "- IPv6 support\n"
101 #endif
102 #ifdef ENABLE_DPD
103                  "- Dead Peer Detection\n"
104 #endif
105 #ifdef ENABLE_FRAG
106                  "- IKE fragmentation\n"
107 #endif
108 #ifdef ENABLE_HYBRID
109                  "- Hybrid authentication\n"
110 #endif
111 #ifdef ENABLE_GSSAPI
112                  "- GSS-API authentication\n"
113 #endif
114 #ifdef ENABLE_NATT
115                  "- NAT Traversal\n"
116 #endif
117 #ifdef ENABLE_STATS
118                  "- Timing statistics\n"
119 #endif
120 #ifdef ENABLE_ADMINPORT
121                  "- Admin port\n"
122 #endif
123 #ifdef HAVE_CLOCK_MONOTONIC
124                  "- Monotonic clock\n"
125 #endif
126 #ifdef HAVE_SECCTX
127                  "- Security context\n"
128 #endif
129                  "\n",
130                  version,
131                  eay_version());
132           exit(0);
133 }
134 
135 static void
usage(void)136 usage(void)
137 {
138           printf("usage: racoon [-BdFv"
139 #ifdef INET6
140                     "46"
141 #endif
142                     "] [-f (file)] [-l (file)] [-p (port)] [-P (natt port)]\n"
143                     "   -B: install SA to the kernel from the file "
144                     "specified by the configuration file.\n"
145                     "   -d: debug level, more -d will generate more debug message.\n"
146                     "   -C: dump parsed config file.\n"
147                     "   -L: include location in debug messages\n"
148                     "   -F: run in foreground, do not become daemon.\n"
149                     "   -v: be more verbose\n"
150                     "   -V: print version and exit\n"
151 #ifdef INET6
152                     "   -4: IPv4 mode.\n"
153                     "   -6: IPv6 mode.\n"
154 #endif
155                     "   -f: pathname for configuration file.\n"
156                     "   -l: pathname for log file.\n"
157                     "   -p: port number for isakmp (default: %d).\n"
158                     "   -P: port number for NAT-T (default: %d).\n"
159                     "\n",
160                     PORT_ISAKMP, PORT_ISAKMP_NATT);
161           exit(1);
162 }
163 
164 static void
parse(int ac,char ** av)165 parse(int ac, char **av)
166 {
167           int c;
168 #ifdef YYDEBUG
169           extern int yydebug;
170 #endif
171 
172           pname = strrchr(*av, '/');
173           if (pname)
174                     pname++;
175           else
176                     pname = *av;
177 
178           while ((c = getopt(ac, av, "dLFp:P:f:l:vVZBC"
179 #ifdef YYDEBUG
180                               "y"
181 #endif
182 #ifdef INET6
183                               "46"
184 #endif
185                               )) != -1) {
186                     switch (c) {
187                     case 'd':
188                               loglevel++;
189                               break;
190                     case 'L':
191                               print_location = 1;
192                               break;
193                     case 'F':
194                               printf("Foreground mode.\n");
195                               f_foreground = 1;
196                               break;
197                     case 'p':
198                               lcconf->port_isakmp = atoi(optarg);
199                               break;
200                     case 'P':
201                               lcconf->port_isakmp_natt = atoi(optarg);
202                               break;
203                     case 'f':
204                               lcconf->racoon_conf = optarg;
205                               break;
206                     case 'l':
207                               plogset(optarg);
208                               break;
209                     case 'v':
210                               vflag++;
211                               break;
212                     case 'V':
213                               print_version();
214                               break;
215                     case 'Z':
216                               /*
217                                * only local test.
218                                * To specify -Z option and to choice a appropriate
219                                * port number for ISAKMP, you can launch some racoons
220                                * on the local host for debug.
221                                * pk_sendadd() on initiator side is always failed
222                                * even if this flag is used.  Because there is same
223                                * spi in the SAD which is inserted by pk_sendgetspi()
224                                * on responder side.
225                                */
226                               printf("Local test mode.\n");
227                               f_local = 1;
228                               break;
229 #ifdef YYDEBUG
230                     case 'y':
231                               yydebug = 1;
232                               break;
233 #endif
234 #ifdef INET6
235                     case '4':
236                               lcconf->default_af = AF_INET;
237                               break;
238                     case '6':
239                               lcconf->default_af = AF_INET6;
240                               break;
241 #endif
242                     case 'B':
243                               loading_sa++;
244                               break;
245                     case 'C':
246                               dump_config++;
247                               break;
248                     default:
249                               usage();
250                               /* NOTREACHED */
251                     }
252           }
253           ac -= optind;
254           av += optind;
255 
256           if (ac != 0) {
257                     usage();
258                     /* NOTREACHED */
259           }
260 }
261 
262 int
main(int ac,char ** av)263 main(int ac, char **av)
264 {
265           initlcconf();
266           parse(ac, av);
267 
268           if (geteuid() != 0) {
269                     errx(1, "must be root to invoke this program.");
270                     /* NOTREACHED*/
271           }
272 
273           /*
274            * Don't let anyone read files I write.  Although some files (such as
275            * the PID file) can be other readable, we dare to use the global mask,
276            * because racoon uses fopen(3), which can't specify the permission
277            * at the creation time.
278            */
279           umask(077);
280           if (umask(077) != 077) {
281                     errx(1, "could not set umask");
282                     /* NOTREACHED*/
283           }
284 
285           ploginit();
286 
287 #ifdef DEBUG_RECORD_MALLOCATION
288           DRM_init();
289 #endif
290 
291 #ifdef HAVE_SECCTX
292           init_avc();
293 #endif
294           eay_init();
295           initrmconf();
296           oakley_dhinit();
297           compute_vendorids();
298 
299           plog(LLV_INFO, LOCATION, NULL, "%s\n", version);
300           plog(LLV_INFO, LOCATION, NULL, "@(#)"
301               "This product linked %s (http://www.openssl.org/)"
302               "\n", eay_version());
303           plog(LLV_INFO, LOCATION, NULL, "Reading configuration from \"%s\"\n",
304               lcconf->racoon_conf);
305 
306           /*
307            * install SAs from the specified file.  If the file is not specified
308            * by the configuration file, racoon will exit.
309            */
310           if (loading_sa && !f_local) {
311                     if (backupsa_from_file() != 0)
312                               errx(1, "something error happened "
313                                         "SA recovering.");
314           }
315 
316           if (f_foreground)
317                     close(0);
318           else {
319                     if (daemon(0, 0) < 0) {
320                               errx(1, "failed to be daemon. (%s)",
321                                         strerror(errno));
322                     }
323 #ifndef __linux__
324                     /*
325                      * In case somebody has started inetd manually, we need to
326                      * clear the logname, so that old servers run as root do not
327                      * get the user's logname..
328                      */
329                     if (setlogin("") < 0) {
330                               plog(LLV_ERROR, LOCATION, NULL,
331                                         "cannot clear logname: %s\n", strerror(errno));
332                               /* no big deal if it fails.. */
333                     }
334 #endif
335           }
336 
337           session();
338 
339           return 0;
340 }
341