auto.in

This a good VPN source

#! /bin/sh
# user interface to automatic keying and Pluto in general
# Copyright (C) 1998, 1999, 2000  Henry Spencer.
# 
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
# 
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#
# RCSID $Id: auto.in,v 1.103 2004/11/12 04:18:54 mcr Exp $

me='ipsec auto'
usage="Usage:
	$me [--showonly] [--asynchronous] --up connectionname
	$me [--showonly] --{add|delete|replace|down} connectionname
	$me [--showonly] --{route|unroute} connectionname
	$me [--showonly] --{ready|status|rereadsecrets|rereadgroups}
        $me [--showonly] --{rereadcacerts|rereadaacerts|rereadocspcerts}
        $me [--showonly] --{rereadacerts|rereadcrls|rereadall}
        $me [--showonly] [--utc] --{listpubkeys|listcerts}
        $me [--showonly] [--utc] --{listcacerts|listaacerts|listocspcerts}
        $me [--showonly] [--utc] --{listacerts|listgroups}
        $me [--showonly] [--utc] --{listcrls|listocsp|listcards|listall}
        $me [--showonly] --purgeocsp

	other options: [--config ipsecconfigfile] [--verbose] [--show]"

showonly=
config=
info=/var/run/ipsec.info
shopts=
noinclude=
async=
logfilter='$1 != "002"'
op=
argc=
utc=

for dummy
do
	case "$1" in
	--help)		echo "$usage" ; exit 0	;;
	--version)	echo "$me $IPSEC_VERSION" ; exit 0	;;
	--show)		shopts=-x		;;
	--showonly)	showonly=yes		;;
	--utc)		utc="$1"		;;
	--config)	config="--config $2" ; shift	;;
	--noinclude)	noinclude=--noinclude	;;
	--asynchronous)	async="--asynchronous"	;;
	--verbose)	logfilter='1'		;;
	--up|--down|--add|--delete|--replace|--route|--unroute)
			if test " $op" != " "
			then
				echo "$usage" >&2
				exit 2
			fi
			op="$1"
			argc=1
			;;
	--ready|--status|--rereadsecrets|--rereadgroups|\
        --rereadcacerts|--rereadaacerts|--rereadocspcerts|\
        --rereadacerts|--rereadcrls|--rereadall|\
        --listpubkeys|--listcerts|\
        --listcacerts|--listaacerts|--listocspcerts|\
        --listacerts|--listgroups|\
        --listcrls|--listocsp|--listcards|--listall|\
        --purgeocsp)
			if test " $op" != " "
			then
				echo "$usage" >&2
				exit 2
			fi
			op="$1"
			argc=0
			;;
	--)		shift ; break		;;
	-*)		echo "$me: unknown option \`$1'" >&2 ; exit 2 ;;
	*)		break			;;
	esac
	shift
done

names=
case "$op$#:$1:$2" in
2:*:up|2:*:down|2:*:add|2:*:delete|2:*:replace|2:*:route|2:*:unroute)
		echo "$me: warning: obsolete command syntax used" >&2
		names="$1"
		op="--$2"
		;;
1:ready:|1:status:|1:rereadsecrets:|\
1:rereadcacerts:|1:rereadaacerts:|1:rereadocspcerts:|\
1:rereadacerts:|1:rereadcrls:|1:rereadall:\
1:listpubkeys:|1:listcerts:|\
1:listcacerts:|1:listaacerts:|1:listocspcerts:|\
1:listacerts:|1:listgroups:|\
1:listcrls:|1:listocsp:|1:listcards:|1:listall:|1:purgeocsp:)
		echo "$me: warning: obsolete command syntax used" >&2
		op="--$1"
		;;
--*)		if test " $argc" -ne $#
		then
			echo "$usage" >&2
			exit 2
		fi
		names="$*"
		;;
*)		echo "$usage" >&2 ; exit 2	;;
esac

# before we go any further, duplicate stdin/stdout to fds 3/4
exec 3<&0
exec 4>&1

runit() {
	if test "$showonly"
	then
		cat
	else
		(
		    echo '('
		    echo 'exec <&3'     # regain stdin
		    cat
		    echo ');'
		    echo 'echo = $?'
		) | sh $shopts |
			awk "/^= / { exit \$2 } $logfilter { print }"
	fi
}

case "$op" in
--ready)          echo "ipsec whack --listen"                | runit ; exit ;;
--rereadsecrets)   echo "ipsec whack --rereadsecrets"        | runit ; exit ;;
--rereadgroups)           echo "ipsec whack --listen"                | runit ; exit ;;
--rereadcacerts)   echo "ipsec whack --rereadcacerts"         | runit ; exit ;;
--rereadaacerts)   echo "ipsec whack --rereadaacerts"         | runit ; exit ;;
--rereadocspcerts) echo "ipsec whack --rereadocspcerts"       | runit ; exit ;;
--rereadacerts)    echo "ipsec whack --rereadacerts"          | runit ; exit ;;
--rereadcrls)     echo "ipsec whack --rereadcrls"            | runit ; exit ;;
--rereadall)      echo "ipsec whack --rereadall"             | runit ; exit ;;
--listpubkeys)    echo "ipsec whack $utc --listpubkeys"      | runit ; exit ;;
--listcerts)      echo "ipsec whack $utc --listcerts"        | runit ; exit ;;
--listcacerts)    echo "ipsec whack $utc --listcacerts"      | runit ; exit ;;
--listaacerts)    echo "ipsec whack $utc --listaacerts"      | runit ; exit ;;
--listocspcerts)   echo "ipsec whack $utc --listocspcerts"    | runit ; exit ;;
--listacerts)     echo "ipsec whack $utc --listacerts"       | runit ; exit ;;
--listgroups)     echo "ipsec whack $utc --listgroups"       | runit ; exit ;; 
--listcrls)       echo "ipsec whack $utc --listcrls"         | runit ; exit ;; 
--listocsp)       echo "ipsec whack $utc --listocsp"         | runit ; exit ;;
--listcards)      echo "ipsec whack $utc --listcards"        | runit ; exit ;;
--listall)        echo "ipsec whack $utc --listall"          | runit ; exit ;;
--purgeocsp)      echo "ipsec whack $utc --purgeocsp"        | runit ; exit ;;
--up)  echo "ipsec whack $async --name $names --initiate"    | runit ; exit ;;
--down)        echo "ipsec whack --name $names --terminate"          | runit ; exit ;;
--delete)         echo "ipsec whack --name $names --delete"  | runit ; exit ;; 
--route)          echo "ipsec whack --name $names --route"   | runit ; exit ;;
--unroute)        echo "ipsec whack --name $names --unroute" | runit ; exit ;; 
--status)         echo "ipsec whack --status"                | runit ; exit ;; 
esac

if test -s $info
then
	. $info
fi

ipsec _confread $config $noinclude $names |
awk '	BEGIN {
		FS = "\t"
		op = "'"$op"'"
		err = "cat >&2"
		draddr = "'"$defaultrouteaddr"'"
		drnexthop = "'"$defaultroutenexthop"'"
		failed = 0
		s[""] = ""
		init()
		print "PATH=\"'"$PATH"'\""
		print "export PATH"
		flip["left"] = "right"
		flip["right"] = "left"
	}
	function init(   n) {
		for (n in s)
			delete s[n]
		name = ""
		seensome = 0
	}
	$1 == ":" {
		s[$2] = $3
		seensome = 1
		next
	}
	$1 == "!" {
		if ($2 != "")
			fail($2)
		next
	}
	$1 == "=" {
		if (name == "")
			name = $2
		next
	}
	$1 == "." {
		output()
		init()
		next
	}
	{
		fail("internal error, unknown type code " v($1))
	}
	function fail(m) {
		print "ipsec_auto: fatal error in " v(name) ": " m |err
		failed = 1
		exit
	}
	function yesno(k) {
		if ((k in s) && s[k] != "yes" && s[k] != "no")
			fail("parameter " v(k) " must be \"yes\" or \"no\"")
	}
	function default(k, val) {
		if (!(k in s))
			s[k] = val
	}
	function was(new, old) {
		if (!(new in s) && (old in s))
			s[new] = s[old]
	}
	function need(k) {
		if (!(k in s))
			fail("connection has no " v(k) " parameter specified")
		if (s[k] == "")
			fail("parameter " v(k) " value must be non-empty")
	}
	function integer(k) {
		if (!(k in s))
			return
		if (s[k] !~ /^[0-9]+$/)
			fail("parameter " v(k) " value must be integer")
	}
	function duration(k,   n, t) {
		if (!(k in s))
			return
		t = s[k]
		n = substr(t, 1, length(t)-1)
		if (t ~ /^[0-9]+$/)
			s[k] = t
		else if (t ~ /^[0-9]+s$/)
			s[k] = n
		else if (t ~ /^[0-9]+(\.[0-9]+)?m$/)
			s[k] = int(n*60)
		else if (t ~ /^[0-9]+(\.[0-9]+)?h$/)
			s[k] = int(n*3600)
		else if (t ~ /^[0-9]+(\.[0-9]+)?d$/)
			s[k] = int(n*3600*24)
		else
			fail("parameter " v(k) " not valid time, must be nnn[smhd]")
	}
	function nexthopset(dir, val,   k) {
		k = dir "nexthop"
		if (k in s)
			fail("non-default value of " k " is being overridden")
		if (val != "")
			s[k] = val
		else if (k in s)
			delete s[k]
	}
	function id(dir,   k) {
		k = dir "id"
		if (!(k in s))
			k = dir
		return s[k]
	}
	function whackkey(dir, which, flag,   rk, n) {
		if (id(dir) == "%opportunistic")
			return
		rk = s[dir which]
		if (rk == "%dnsondemand")
		{
			kod="--dnskeyondemand"
			return
		}
		if (rk == "" || rk == "%none" || rk == "%cert" || rk == "0x00")
			return
		n = "\"\\\"" name "\\\" " dir which"\""
		if (rk == "%dns" || rk == "%dnsonload")
		{
			if (id(flip[dir]) == "%opportunistic" || s[flip[dir]] == "%any")
				return
			print "ipsec whack --label", n, flag,
						"--keyid", q(id(dir)), "\\"
		}
		else
		{
			print "ipsec whack --label", n, flag,
						"--keyid", q(id(dir)),
						"--pubkeyrsa", q(rk), "\\"
		}
		print "\t|| exit $?"
	}
	function q(str) {	# quoting for shell
		return "\"" str "\""
	}
	function qs(k) {	# utility abbreviation for q(s[k])
		return q(s[k])
	}
	function v(str) {	# quoting for human viewing
		return "\"" str "\""
	}
	function output() {
		if (!seensome)
			fail("internal error, output called inappropriately")

		default("type", "tunnel")
		type_flags = ""
		t = s["type"]
		if (t == "tunnel") {
			# do NOT default subnets to side/32, despite what
			# the docs say...
			type_flags = "--tunnel"
		} else if (t == "transport") {
			if ("leftsubnet" in s)
				fail("type=transport incompatible with leftsubnet")
			if ("rightsubnet" in s)
				fail("type=transport incompatible with rightsubnet")
			type_flags = ""