#!/bin/sh /etc/rc.common
# IPsec startup and shutdown script
# Copyright (C) 1998, 1999, 2001  Henry Spencer.
# Copyright (C) 2002			  Michael Richardson <mcr@freeswan.org>
# 
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
# 
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#
#
# ipsec		 init.d script for starting and stopping
#			   the IPsec security subsystem (KLIPS and Pluto).
#
# This script becomes /etc/rc.d/init.d/ipsec (or possibly /etc/init.d/ipsec)
# and is also accessible as "ipsec setup" (the preferred route for human
# invocation).
#
# The startup and shutdown times are a difficult compromise (in particular,
# it is almost impossible to reconcile them with the insanely early/late
# times of NFS filesystem startup/shutdown).  Startup is after startup of
# syslog and pcmcia support; shutdown is just before shutdown of syslog.
#
# chkconfig: 2345 47 76
# description: IPsec provides encrypted and authenticated communications; \
# KLIPS is the kernel half of it, Pluto is the user-level management daemon.

START=60
EXTRA_COMMANDS=status
EXTRA_HELP="	status	Show the status of the service"

# Format a list into a delimited string and print it
config_list_delimit() {
	local SECTION="$1"
	local OPTION="$2"
	local DELIMITER="${3:- }"

	config_list_foreach "$SECTION" "$OPTION" "printf \"%s%s\"" "$DELIMITER" | sed "s/.\{${#DELIMITER}\}$//"
}

# Callback for each ipsec configuration section
# Converts list options from UCI to ipsec format and writes ipsec section headers
CUR_SECTION_NAME=
CUR_SECTION_TYPE=
config_cb() {
	local TYPE="$1"
	local NAME="$2"

	# Handle list options from previous section
	if [ "$CUR_SECTION_TYPE" = "ipsec_conn" ] ; then
		local IKE="$(config_list_delimit "$CUR_SECTION_NAME" "ike" ", ")"
		if [ -n "$IKE" ] ; then
			printf "\tike=\"%s\"\n" "$IKE" >> "$IPSEC_UCI_CONF"
		fi

		local SUBNETS
		local SPACE_PAT="* *"
		config_get "SUBNETS" "$CUR_SECTION_NAME" "leftsubnets"
		case "$SUBNETS" in
			$SPACE_PAT)
				printf "\tleftsubnets={ %s }\n" "$SUBNETS" >> "$IPSEC_UCI_CONF"
				;;
			?*)
				printf "\tleftsubnet=%s\n" "$SUBNETS" >> "$IPSEC_UCI_CONF"
				;;
		esac

		config_get "SUBNETS" "$CUR_SECTION_NAME" "rightsubnets"
		case "$SUBNETS" in
			$SPACE_PAT)
				printf "\trightsubnets={ %s }\n" "$SUBNETS" >> "$IPSEC_UCI_CONF"
				;;
			?*)
				printf "\trightsubnet=%s\n" "$SUBNETS" >> "$IPSEC_UCI_CONF"
				;;
		esac
	elif [ "$CUR_SECTION_TYPE" = "ipsec_config" ] ; then
		local VPRIV="$(config_list_delimit "$CUR_SECTION_NAME" "virtual_private" ",")"
		if [ -n "$VPRIV" ] ; then
			printf "\tvirtual_private=%s\n" "$VPRIV" >> "$IPSEC_UCI_CONF"
		fi
	fi

	CUR_SECTION_NAME="$NAME"
	CUR_SECTION_TYPE="$TYPE"

	case "$CUR_SECTION_TYPE" in
		ipsec_config|ipsec_conn)
			# Handled in option_cb
			echo >> "$IPSEC_UCI_CONF"
			echo "${TYPE#ipsec_} $NAME" >> "$IPSEC_UCI_CONF"
			;;
		*)
			# Not handled in option_cb
			;;
	esac

	return 0
}

# Callback for each ipsec configuration option
# Prints each UCI option to $IPSEC_UCI_CONF in ipsec.conf format
option_cb() {
	local NAME="$1"
	local VALUE="$2"

	case "$CUR_SECTION_TYPE" in
		ipsec_config|ipsec_conn)
			# Handle option in these sections
			;;
		*)
			# Ignore options in all other sections
			return 0
			;;
	esac

	case "$NAME" in
		modecfgdns_ITEM[0-9]*)
			printf "\tmodecfgdns%d=%s\n" "${NAME##modecfgdns_ITEM}" "$VALUE" >> "$IPSEC_UCI_CONF"
			;;
		modecfgwins_ITEM[0-9]*)
			printf "\tmodecfgwins%d=%s\n" "${NAME##modecfgwins_ITEM}" "$VALUE" >> "$IPSEC_UCI_CONF"
			;;
		*_ITEM[0-9]*|*_LENGTH)
			# Ignore list items and length updates
			;;
		[!a-zA-Z]*)
			# Ignore non-ipsec.conf parameters
			;;
		*)
			# Quote values with characers which require quoting
			if echo "$VALUE" | grep -q '^[[:alnum:]_%.]*$' ; then
				printf "\t%s=%s\n" "$NAME" "$VALUE" >> "$IPSEC_UCI_CONF"
			else
				printf "\t%s=\"%s\"\n" "$NAME" "$VALUE" >> "$IPSEC_UCI_CONF"
			fi
			;;
	esac

	return 0
}

ipsec_config_convert() {
	IPSEC_UCI_CONF="${IPSEC_UCI_CONF:-${IPSEC_CONFS:-/etc}/ipsec.uci.conf}"
	ipsec_config_print_header
	config_load "ipsec"
	# Conversion for $IPSEC_UCI_CONF handled in section_cb and option_cb

	IPSEC_SEC_UCI_CONF="${IPSEC_SEC_UCI_CONF:-${IPSEC_CONFS:-/etc}/ipsec.uci.secrets}"
	ipsec_config_print_header_secret
	echo >> "$IPSEC_SEC_UCI_CONF"
	echo "# Certificate Secrets" >> "$IPSEC_SEC_UCI_CONF"
	config_foreach "ipsec_config_add_secret_cs" "ipsec_secret_cs"
	echo >> "$IPSEC_SEC_UCI_CONF"
	echo "# Shared Secrets" >> "$IPSEC_SEC_UCI_CONF"
	config_foreach "ipsec_config_add_secret_ss" "ipsec_secret_ss"
	echo >> "$IPSEC_SEC_UCI_CONF"
	echo "# XAUTH Secrets" >> "$IPSEC_SEC_UCI_CONF"
	config_foreach "ipsec_config_add_secret_xs" "ipsec_secret_xs"
}

ipsec_config_print_header() {
	cat > "$IPSEC_UCI_CONF" <<ENDHEADER
# $IPSEC_UCI_CONF - UCI IPsec configuration file
#
# This file is automatically generated by the ipsec init script from
# configuration information stored in UCI.  DO NOT EDIT THIS FILE BY HAND.
ENDHEADER
}

ipsec_config_print_header_secret() {
	cat > "$IPSEC_SEC_UCI_CONF" <<ENDHEADER
# $IPSEC_SEC_UCI_CONF - UCI IPsec sensitive configuration file
#
# This file is automatically generated by the ipsec init script from
# configuration information stored in UCI.  DO NOT EDIT THIS FILE BY HAND.
ENDHEADER
}

ipsec_config_add_secret_cs() {
	local SECTNAME="$1"

	config_get "FILE" "$SECTNAME" "file"
	config_get "SECRET" "$SECTNAME" "secret"

	FILE="\"$FILE\""
	if [ "$SECRET" != "%prompt" ] ; then
		SECRET="\"$SECRET\""
	fi

	echo ": RSA $FILE $SECRET" >> "$IPSEC_SEC_UCI_CONF"
}

ipsec_config_add_secret_ss() {
	local SECTNAME="$1"

	config_get "INDICES" "$SECTNAME" "indices"
	config_get "SECRET" "$SECTNAME" "secret"

	echo "$INDICES : PSK \"$SECRET\"" >> "$IPSEC_SEC_UCI_CONF"
}

ipsec_config_add_secret_xs() {
	local SECTNAME="$1"

	config_get "USERNAME" "$SECTNAME" "username"
	config_get "SECRET" "$SECTNAME" "secret"

	echo "@$USERNAME : XAUTH \"$SECRET\"" >> "$IPSEC_SEC_UCI_CONF"
}

script_init() {
	me='ipsec setup'		# for messages

	# where the private directory and the config files are
	IPSEC_EXECDIR="${IPSEC_EXECDIR-/usr/libexec/ipsec}"
	IPSEC_LIBDIR="${IPSEC_LIBDIR-/usr/lib/ipsec}"
	IPSEC_SBINDIR="${IPSEC_SBINDIR-/usr/sbin}"
	IPSEC_CONFS="${IPSEC_CONFS-/etc}"

	if test " $IPSEC_DIR" = " "	# if we were not called by the ipsec command
	then
		# we must establish a suitable PATH ourselves
		PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin
		export PATH

		IPSEC_DIR="$IPSEC_LIBDIR"
		export IPSEC_DIR IPSEC_CONFS IPSEC_LIBDIR IPSEC_EXECDIR
	fi

	# Check that the ipsec command is available.
	found=
	for dir in `echo $PATH | tr ':' ' '`
	do
		if test -f $dir/ipsec -a -x $dir/ipsec
		then
			found=yes
			break			# NOTE BREAK OUT
		fi
	done
	if ! test "$found"
	then
		echo "cannot find ipsec command -- \`$1' aborted" |
			logger -s -p daemon.error -t ipsec_setup
		exit 1
	fi

	# accept a few flags

	export IPSEC_setupflags
	IPSEC_setupflags=""

	config=""

	for dummy
	do
		case "$1" in
		--showonly|--show)  IPSEC_setupflags="$1" ;;
		--config)  config="--config $2" ; shift	;;
		*) break ;;
		esac
		shift
	done


	# Pick up IPsec configuration (until we have done this, successfully, we
	# do not know where errors should go, hence the explicit "daemon.error"s.)
	# Note the "--export", which exports the variables created.
	variables=`ipsec addconn $config --varprefix IPSEC --configsetup`
	if [ $? != 0 ]
	then
		echo "Failed to parse config setup portion of ipsec.conf"
		exit $?
	fi
	eval $variables

	if test " $IPSEC_confreadstatus" != " "
	then
		case $1 in 
		stop|--stop|_autostop) 
		echo "$IPSEC_confreadstatus -- \`$1' may not work" |
			logger -s -p daemon.error -t ipsec_setup;;
			
		*) echo "$IPSEC_confreadstatus -- \`$1' aborted" |
			logger -s -p daemon.error -t ipsec_setup;
		exit 1;;
		esac
	fi

	IPSEC_confreadsection=${IPSEC_confreadsection:-setup}
	export IPSEC_confreadsection

	IPSECsyslog=${IPSECsyslog-daemon.error}
	export IPSECsyslog

	# misc setup
	umask 022

	mkdir -p /var/run/pluto
}

script_command() {
	# do it
	case "$1" in
	start|--start|stop|--stop|_autostop|_autostart)
		# remove for: @cygwin_START@ 
		# portable way for checking for root
		if [ ! -w / ]
		then

			echo "permission denied (must be superuser)" |
				logger -s -p $IPSECsyslog -t ipsec_setup 2>&1
			exit 1
		fi
		# remove for: @cygwin_END@
		tmp=/var/run/pluto/ipsec_setup.st
		outtmp=/var/run/pluto/ipsec_setup.out
		(
			ipsec _realsetup $1
			echo "$?" >$tmp
		) > ${outtmp} 2>&1
		st=$?
		if test -f $tmp
		then
			st=`cat $tmp`
			rm -f $tmp
		fi
		if [ -f ${outtmp} ]; then
			cat ${outtmp} | logger -s -p $IPSECsyslog -t ipsec_setup 2>&1
			rm -f ${outtmp}
		fi
		;;

	restart|--restart|force-reload)
		$0 $IPSEC_setupflags stop
		$0 $IPSEC_setupflags start
		;;

	_autorestart)			# for internal use only
		$0 $IPSEC_setupflags _autostop
		$0 $IPSEC_setupflags _autostart
		;;

	status|--status)
		ipsec _realsetup $1
		exit
		;;

	--version)
		echo "$me $IPSEC_VERSION"
		exit 0
		;;

	--help)
		echo "Usage: $me [ --showonly ] {--start|--stop|--restart}"
		echo "	   $me --status"
		exit 0
		;;

	*)
		echo "Usage: $me [ --showonly ] {--start|--stop|--restart}"
		echo "	   $me --status"
		exit 2
	esac
}
start() {
	ipsec_config_convert
	script_init start "$@"
	script_command start "$@"
}

stop() {
	script_init stop "$@"
	script_command stop "$@"
}

restart() {
	ipsec_config_convert
	script_init stop "$@"
	script_command stop "$@"
	script_command start "$@"
}

status() {
	script_init status "$@"
	ipsec _realsetup status
}