/* Pluto main program * Copyright (C) 1997 Angelos D. Keromytis. * Copyright (C) 1998-2001 D. Hugh Redelmeier. * Copyright (C) 2003-2004 Xelerance Corporation * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. * * This program is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * * RCSID $Id: plutomain.c,v 1.96 2004/10/18 00:07:39 mcr Exp $ */#include <stdio.h>#include <stdlib.h>#include <unistd.h>#include <ctype.h>#include <errno.h>#include <string.h>#include <sys/types.h>#include <sys/stat.h>#include <sys/un.h>#include <fcntl.h>#include <getopt.h>#include <resolv.h>#include <arpa/nameser.h> /* missing from <resolv.h> on old systems */#include <sys/queue.h>#include <openswan.h>#include <pfkeyv2.h>#include <pfkey.h>#include "constants.h"#include "defs.h"#include "id.h"#include "x509.h"#include "pgp.h"#include "paths.h"#include "certs.h"#include "ac.h"#include "smartcard.h"#ifdef XAUTH_USEPAM#include <security/pam_appl.h>#endif#include "connections.h" /* needs id.h */#include "foodgroups.h"#include "packet.h"#include "demux.h" /* needs packet.h */#include "server.h"#include "kernel.h" /* needs connections.h */#include "log.h"#include "keys.h"#include "adns.h" /* needs <resolv.h> */#include "dnskey.h" /* needs keys.h and adns.h */#include "rnd.h"#include "state.h"#include "ipsec_doi.h" /* needs demux.h and state.h */#include "ocsp.h"#include "fetch.h"#include "sha1.h"#include "md5.h"#include "crypto.h" /* requires sha1.h and md5.h */#include "vendor.h"#include "pluto_crypt.h"#ifdef VIRTUAL_IP#include "virtual.h"#endif#ifdef NAT_TRAVERSAL#include 
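"nat_traversal.h"
#endif

#ifndef IPSECDIR
#define IPSECDIR "/etc/ipsec.d"
#endif

/* Directory searched for certificates, CRLs and friends; the --ipsecdir
 * option (see main) overrides this compile-time default. */
const char *ipsec_dir = IPSECDIR;

openswan_passert_fail_t openswan_passert_fail = passert_fail;

/** usage - print help messages
 *
 * Writes an optional diagnostic followed by the command-line synopsis to
 * stderr and terminates the process.  Uses exit() rather than exit_pluto()
 * because nothing has been initialised when this is reached.
 *
 * @param mess String - alternate message to print.  NULL means help was
 *             requested explicitly (exit status 0); any other value, even
 *             "", means a usage error (exit status 1).
 */
static void
usage(const char *mess)
{
    if (mess != NULL && *mess != '\0')
	fprintf(stderr, "%s\n", mess);
    fprintf(stderr
	, "Usage: pluto"
	    " [--help]"
	    " [--version]"
	    " [--optionsfrom <filename>]"
	    " \\\n\t"
	    "[--nofork]"
	    " [--stderrlog]"
	    " [--noklips]"
	    " [--nocrsend]"
	    " [--strictcrlpolicy]"
	    " [--crlcheckinterval]"
	    " [--ocspuri]"
	    " [--uniqueids]"
	    " \\\n\t"
	    "[--interface <ifname>]"
	    " [--ikeport <port-number>]"
	    " \\\n\t"
	    "[--ctlbase <path>]"
	    " \\\n\t"
	    "[--perpeerlogbase <path>] [--perpeerlog]"
	    " \\\n\t"
	    "[--secretsfile <secrets-file>]"
	    " [--ipsecdir <ipsec-dir>]"
	    " \\\n\t"
	    "[--adns <pathname>]"
	    " [--nhelpers <number>]"	/* separator was missing from the synopsis */
#ifdef DEBUG
	    " \\\n\t"
	    "[--debug-none]"
	    " [--debug-all]"
	    " \\\n\t"
	    "[--debug-raw]"
	    " [--debug-crypt]"
	    " [--debug-parsing]"
	    " [--debug-emitting]"
	    " \\\n\t"
	    "[--debug-control]"
	    " [--debug-klips]"
	    " [--debug-dns]"
	    " [--debug-dpd]"
	    " [ --debug-private]"
	    " [ --debug-pfkey]"
#endif
#ifdef NAT_TRAVERSAL
	    " [ --debug-nat_t]"
	    " \\\n\t"
	    "[--nat_traversal] [--keep_alive <delay_sec>]"
	    " \\\n\t"
	    "[--force_keepalive] [--disable_port_floating]"
#endif
#ifdef VIRTUAL_IP
	    " \\\n\t"
	    "[--virtual_private <network_list>]"
#endif
	    "\n"
	"Openswan %s\n"
	, ipsec_version_code());
    exit(mess == NULL? 0 : 1);	/* not exit_pluto because we are not initialized yet */
}

/* lock file support
 * - provides convenient way for scripts to find Pluto's pid
 * - prevents multiple Plutos competing for the same port
 * - same basename as unix domain control socket
 * NOTE: will not take account of sharing LOCK_DIR with other systems.
 */

/* Sized like the control socket path because the lock shares its basename. */
static char pluto_lock[sizeof(ctl_addr.sun_path)] = DEFAULT_CTLBASE LOCK_SUFFIX;
static bool pluto_lock_created = FALSE;

/** create_lock - create the lock file, or die in the attempt
 *
 * O_CREAT|O_EXCL makes the existence check and the creation a single
 * atomic operation: two Plutos started at the same moment cannot both
 * succeed, and open() refuses to go through a pre-existing symlink at the
 * lock path instead of creating a file somewhere else.
 *
 * @return int descriptor of the freshly created, write-only lock file.
 *         Does not return if the file cannot be created (exit status 10
 *         when a lock already exists, 1 for any other failure).
 */
static int
create_lock(void)
{
    int fd = open(pluto_lock, O_WRONLY | O_CREAT | O_EXCL | O_TRUNC
	, S_IRUSR | S_IRGRP | S_IROTH);

    if (fd < 0)
    {
	/* capture errno before fprintf()/strerror() get a chance to clobber
	 * it; reading errno and calling strerror(errno) in one argument list
	 * is unsequenced */
	int saved_errno = errno;

	if (saved_errno == EEXIST)
	{
	    fprintf(stderr, "pluto: lock file \"%s\" already exists\n"
		, pluto_lock);
	    exit_pluto(10);
	}
	else
	{
	    fprintf(stderr
		, "pluto: unable to create lock file \"%s\" (%d %s)\n"
		, pluto_lock, saved_errno, strerror(saved_errno));
	    exit_pluto(1);
	}
    }
    pluto_lock_created = TRUE;
    return fd;
}

/** fill_lock - Populate the lock file with pluto's PID
 *
 * Writes "<pid>\n" to lockfd and closes the descriptor whether or not the
 * write succeeded; the caller must not use lockfd afterwards.
 *
 * @param lockfd File Descriptor for the lock file (always closed here)
 * @param pid PID (pid_t struct) to be put into the lock file
 * @return bool True only if the complete line was written and the
 *         descriptor closed cleanly
 */
static bool
fill_lock(int lockfd, pid_t pid)
{
    char buf[30];	/* holds "<pid>\n" */
    int len = snprintf(buf, sizeof(buf), "%u\n", (unsigned int) pid);
    /* snprintf returns the length it wanted, not what fit: treat an error
     * and a truncated result the same way */
    bool ok = len > 0 && (size_t) len < sizeof(buf);

    if (ok)
	ok = write(lockfd, buf, (size_t) len) == (ssize_t) len;

    /* close unconditionally; a close failure also means the lock file
     * contents cannot be trusted */
    if (close(lockfd) != 0)
	ok = FALSE;
    return ok;
}

/** delete_lock - Delete the lock file and the control socket
 *
 * Does nothing unless create_lock() succeeded earlier, so it is safe to
 * call from any shutdown path.
 */
static void
delete_lock(void)
{
    if (pluto_lock_created)
    {
	delete_ctl_socket();
	unlink(pluto_lock);	/* is noting failure useful?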
*/ }}/** by default pluto sends certificate requests to its peers */bool no_cr_send = FALSE;/** by default the CRL policy is lenient */bool strict_crl_policy = FALSE;/** by default pluto does not check crls dynamically */long crl_check_interval = 0;char **global_argv;int global_argc;intmain(int argc, char **argv){ bool fork_desired = TRUE; bool log_to_stderr_desired = FALSE; int lockfd; char* ocspuri = NULL; int nhelpers = -1; char *coredir;#ifdef NAT_TRAVERSAL /** Overridden by nat_traversal= in ipsec.conf */ bool nat_traversal = FALSE; bool nat_t_spf = TRUE; /* support port floating */ unsigned int keep_alive = 0; bool force_keepalive = FALSE;#endif#ifdef VIRTUAL_IP /** Overridden by virtual_private= in ipsec.conf */ char *virtual_private = NULL;#endif global_argv = argv; global_argc = argc; openswan_passert_fail = passert_fail; /* see if there is an environment variable */ coredir = getenv("PLUTO_CORE_DIR"); /* handle arguments */ for (;;) {# define DBG_OFFSET 256 static const struct option long_opts[] = { /* name, has_arg, flag, val */ { "help", no_argument, NULL, 'h' }, { "version", no_argument, NULL, 'v' }, { "optionsfrom", required_argument, NULL, '+' }, { "nofork", no_argument, NULL, 'd' }, { "stderrlog", no_argument, NULL, 'e' }, { "noklips", no_argument, NULL, 'n' }, { "nocrsend", no_argument, NULL, 'c' }, { "strictcrlpolicy", no_argument, NULL, 'r' }, { "crlcheckinterval", required_argument, NULL, 'x'}, { "ocsprequestcert", required_argument, NULL, 'q'}, { "ocspuri", required_argument, NULL, 'o'}, { "uniqueids", no_argument, NULL, 'u' }, { "interface", required_argument, NULL, 'i' }, { "ikeport", required_argument, NULL, 'p' }, { "ctlbase", required_argument, NULL, 'b' }, { "secretsfile", required_argument, NULL, 's' }, { "foodgroupsdir", required_argument, NULL, 'f' }, { "perpeerlogbase", required_argument, NULL, 'P' }, { "perpeerlog", no_argument, NULL, 'l' }, { "noretransmits", no_argument, NULL, 'R' }, { "coredir", required_argument, NULL, 'C' }, { 
"ipsecdir", required_argument, NULL, 'f' }, { "ipsec_dir", required_argument, NULL, 'f' },#ifdef USE_LWRES { "lwdnsq", required_argument, NULL, 'a' },#else /* !USE_LWRES */ { "adns", required_argument, NULL, 'a' },#endif /* !USE_LWRES */#ifdef NAT_TRAVERSAL { "nat_traversal", no_argument, NULL, '1' }, { "keep_alive", required_argument, NULL, '2' }, { "force_keepalive", no_argument, NULL, '3' }, { "disable_port_floating", no_argument, NULL, '4' }, { "debug-nat_t", no_argument, NULL, '5' },#endif#ifdef VIRTUAL_IP { "virtual_private", required_argument, NULL, '6' },#endif { "nhelpers", required_argument, NULL, 'j' },#ifdef DEBUG { "debug-none", no_argument, NULL, 'N' }, { "debug-all]", no_argument, NULL, 'A' }, { "debug-raw", no_argument, NULL, DBG_RAW + DBG_OFFSET }, { "debug-crypt", no_argument, NULL, DBG_CRYPT + DBG_OFFSET }, { "debug-parsing", no_argument, NULL, DBG_PARSING + DBG_OFFSET }, { "debug-emitting", no_argument, NULL, DBG_EMITTING + DBG_OFFSET }, { "debug-control", no_argument, NULL, DBG_CONTROL + DBG_OFFSET }, { "debug-lifecycle", no_argument, NULL, DBG_LIFECYCLE + DBG_OFFSET }, { "debug-klips", no_argument, NULL, DBG_KLIPS + DBG_OFFSET }, { "debug-dns", no_argument, NULL, DBG_DNS + DBG_OFFSET }, { "debug-oppo", no_argument, NULL, DBG_OPPO + DBG_OFFSET }, { "debug-controlmore", no_argument, NULL, DBG_CONTROLMORE + DBG_OFFSET }, { "debug-dpd", no_argument, NULL, DBG_DPD + DBG_OFFSET }, { "debug-private", no_argument, NULL, DBG_PRIVATE + DBG_OFFSET }, { "debug-pfkey", no_argument, NULL, DBG_PFKEY + DBG_OFFSET }, { "impair-delay-adns-key-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_KEY_ANSWER + DBG_OFFSET }, { "impair-delay-adns-txt-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_TXT_ANSWER + DBG_OFFSET }, { "impair-bust-mi2", no_argument, NULL, IMPAIR_BUST_MI2 + DBG_OFFSET }, { "impair-bust-mr2", no_argument, NULL, IMPAIR_BUST_MR2 + DBG_OFFSET },#endif { 0,0,0,0 } }; /* Note: we don't like the way short options get parsed * by getopt_long, so we simply 
pass an empty string as * the list. It could be "hvdenp:l:s:" "NARXPECK". */ int c = getopt_long(argc, argv, "", long_opts, NULL); /** Note: "breaking" from case terminates loop */ switch (c) { case EOF: /* end of flags */ break; case 0: /* long option already handled */ continue; case ':': /* diagnostic already printed by getopt_long */ case '?': /* diagnostic already printed by getopt_long */ usage(""); break; /* not actually reached */ case 'h': /* --help */ usage(NULL); break; /* not actually reached */ case 'C': coredir = clone_str(optarg, "coredir"); break; case 'v': /* --version */ { const char **sp = ipsec_copyright_notice(); printf("%s%s\n", ipsec_version_string(), compile_time_interop_options); for (; *sp != NULL; sp++) puts(*sp); } exit(0); /* not exit_pluto because we are not initialized yet */ break; /* not actually reached */ case '+': /* --optionsfrom <filename> */ optionsfrom(optarg, &argc, &argv, optind, stderr); /* does not return on error */ continue; case 'j': /* --nhelpers */ if (optarg == NULL || !isdigit(optarg[0])) usage("missing number of pluto helpers"); { char *endptr; long count = strtol(optarg, &endptr, 0); if (*endptr != '\0' || endptr == optarg