File: //sbin/ipsec
#!/usr/bin/sh
#
# prefix command to run stuff from our programs directory
#
# Copyright (C) 1998-2002 Henry Spencer.
# Copyright (C) 2013-2018 Tuomo Soini <tis@foobar.fi>
# Copyright (C) 2013-2016 Paul Wouters <pwouters@redhat.com>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <https://www.gnu.org/licenses/gpl2.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
test "${IPSEC_INIT_SCRIPT_DEBUG}" && set -v -x
# where the private directory and the config files are
IPSEC_CONF="${IPSEC_CONF:-/etc/ipsec.conf}"
IPSEC_EXECDIR="${IPSEC_EXECDIR:-/usr/libexec/ipsec}"
IPSEC_SBINDIR="${IPSEC_SBINDIR:-/usr/sbin}"
IPSEC_CONFDDIR="${IPSEC_CONFDDIR:-/etc/ipsec.d}"
IPSEC_RUNDIR="${IPSEC_RUNDIR:-/run/pluto}"
IPSEC_NSSDIR="${IPSEC_NSSDIR:-/etc/ipsec.d}"
IPSEC_NSSDIR_SQL="sql:${IPSEC_NSSDIR}"
IPSEC_NSSPW="${IPSEC_CONFDDIR}/nsspassword"
DBPW=""
CACERTDIR="${IPSEC_CONFDDIR}/cacerts"
CRLDIR="${IPSEC_CONFDDIR}/crls"
CTLSOCKET="${IPSEC_RUNDIR}/pluto.ctl"
export IPSEC_EXECDIR IPSEC_CONF IPSEC_RUNDIR CTLSOCKET
# standardize PATH, and export it for everything else's benefit
PATH="${IPSEC_SBINDIR}:${PATH#${IPSEC_SBINDIR}:}"
export PATH
# suppress ElectricFence banner changing our reference testing output
export EF_DISABLE_BANNER=1
# things not to be listed in --help command list
DONTMENTION='^(ipsec|_.*|.*\.old|.*\.orig|.*~)$'
# version numbering (details filled in by build)
# Possibly should call a C program to invoke the version_code() function
# instead, but for performance's sake, we inline it here (and only here).
version="4.5"
# export the version information
IPSEC_VERSION="${version}"
export IPSEC_VERSION
# function for the funky user/kernel version stuff
fixversion() {
stack=" (none)"
if [ -f /proc/sys/net/core/xfrm_acq_expires ]; then
stack=" (XFRM)"
else
if [ -f /mach_kernel ]; then
stack=" (OSX)"
fi
fi
version="${version}${stack} on $(uname -r)"
}
set_nss_db_trusts() {
# has to handle a NSS nick with spaces
certutil -L -d "${IPSEC_NSSDIR_SQL}" | \
grep -E -v '(Trust Attributes|SSL,S/MIME,JAR/XPI|^)$' | \
awk '{$NF=""; print $0}' | \
while read -r cert
do
if certutil -L -d "${IPSEC_NSSDIR_SQL}" -n "${cert}" | \
grep -q 'Is a CA' && \
[ $(certutil -L -d "${IPSEC_NSSDIR_SQL}" -n "${cert}" | grep -i -A3 'ssl flags' | grep -i 'trusted' | wc -l) -ne 2 ]
then
echo "correcting trust bits for ${cert}"
certutil -M -d "${IPSEC_NSSDIR_SQL}" -n "${cert}" -t 'CT,,'
fi
done
}
ipsec_usage() {
echo "Usage: ipsec {command} [argument] ...>"
echo "Use --help for a list of commands, or see the ipsec(8) manual page"
echo "Most commands have their own manual pages, e.g. ipsec_auto(8)."
echo "See <https://libreswan.org> for more general info."
fixversion
echo "Linux Libreswan ${version}"
exit 2
}
ipsec_help() {
echo "Usage: ipsec {command} [argument] ...>"
echo "where {command} is one of:"
echo ""
GOTTWO=""
for f in start stop restart status trafficstatus traffic globalstatus shuntstatus briefstatus showstates fips import initnss checknss checknflog \
$(ls "${IPSEC_EXECDIR}" | grep -E -v -i "${DONTMENTION}"); do
if [ -z "${GOTTWO}" ]; then
# first of two entries
GOTTWO="${f}"
else
# second of two entries, we can print
printf "\t%s" "${GOTTWO}"
if [ "${#GOTTWO}" -ge 16 ]; then
printf "\t"
elif [ "${#GOTTWO}" -ge 8 ]; then
printf "\t\t"
else
printf "\t\t\t"
fi
printf "%s\n" "${f}"
GOTTWO=""
fi
done
if [ -n "${GOTTWO}" ]; then
# leftover entry
printf "\t%s" "${GOTTWO}"
fi
echo
echo "See also: man ipsec <command> or ipsec <command> --help"
echo "See <https://libreswan.org/> for more general info."
fixversion
echo "Linux Libreswan ${version}"
exit 2
}
ipsec_stopnflog() {
NFGROUP=$(ASAN_OPTIONS=detect_leaks=0 "${IPSEC_EXECDIR}/addconn" --ctlsocket "${CTLSOCKET}" --configsetup | grep -v "#" | grep nflog | sed -e "s/^.*=//" -e "s/'//g");
if [ -z "${NFGROUP}" ]; then
exit 0
fi
iptables -D INPUT -m policy --dir in --pol ipsec -j NFLOG --nflog-group "${NFGROUP}" --nflog-prefix all-ipsec
iptables -D OUTPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group "${NFGROUP}" --nflog-prefix all-ipsec
exit 0
}
ipsec_checknflog() {
NFGROUP=$(ASAN_OPTIONS=detect_leaks=0 "${IPSEC_EXECDIR}/addconn" --ctlsocket "${CTLSOCKET}" --configsetup | grep -v "#" | grep nflog| sed -e "s/^.*=//" -e "s/'//g");
if [ -n "${NFGROUP}" ]; then
OLDNFGROUP=$(iptables -L -n | grep "all-ipsec nflog-group" | sed "s/^.* //" | tail -1);
if [ -n "${OLDNFGROUP}" ]; then
if [ "${NFGROUP}" = "${OLDNFGROUP}" ]; then
# nothing to do
echo "nflog ipsec capture enabled on nflog:${NFGROUP}"
exit 0
else
# delete rules with old group number
echo "deleting rules with old nflog group ${OLDNFGROUP}"
iptables -D INPUT -m policy --dir in --pol ipsec -j NFLOG --nflog-group ${OLDNFGROUP} --nflog-prefix all-ipsec
iptables -D OUTPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group ${OLDNFGROUP} --nflog-prefix all-ipsec
fi
fi
# insert rules with current group number
iptables -I INPUT -m policy --dir in --pol ipsec -j NFLOG --nflog-group ${NFGROUP} --nflog-prefix all-ipsec
iptables -I OUTPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group ${NFGROUP} --nflog-prefix all-ipsec
echo "nflog ipsec capture enabled on nflog:${NFGROUP}"
else
OLDNFGROUP=$(iptables -L -n | grep "all-ipsec nflog-group" | sed "s/^.* //" | tail -1);
if [ -n "${OLDNFGROUP}" ]; then
echo "deleting rules with old nflog group ${OLDNFGROUP}"
iptables -D INPUT -m policy --dir in --pol ipsec -j NFLOG --nflog-group "${OLDNFGROUP}" --nflog-prefix all-ipsec
iptables -D OUTPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group "${OLDNFGROUP}" --nflog-prefix all-ipsec
fi
echo "nflog ipsec capture disabled"
fi
exit 0
}
ipsec_sniff() {
NFGROUP=$(ASAN_OPTIONS=detect_leaks=0 "${IPSEC_EXECDIR}/addconn" --ctlsocket "${CTLSOCKET}" --configsetup | grep -v "#" | grep nflog | sed -e "s/^.*=//" -e "s/'//g");
tcpdump -n -i nflog:${NFGROUP}
exit 0
}
ipsec_import() {
if [ -z "${1}" ]; then
echo "Usage: ipsec import [--nssdir ${IPSEC_NSSDIR}] /path/to/pkcs.12" >&2
exit 1
fi
while [ ${#} -gt 0 ]; do
case "${1}" in
--configdir)
echo "ipsec import warning: --configdir is obsoleted, use --nssdir" >&2
if [ -d "${2}" ]; then
IPSEC_NSSDIR="${2}"
fi
shift
;;
-d|--nssdir)
if [ -d "${2}" ]; then
IPSEC_NSSDIR="${2}"
fi
shift
# A lot of nss commands use -d to specify NSS db location.
# We use --nssdir.
;;
*)
if [ -f "${1}" ]; then
pkcs12bundle="${1}"
else
echo "Usage: ipsec import [--nssdir ${IPSEC_NSSDIR}] /path/to/pkcs.12" >&2
exit 1
fi
;;
esac
shift
done
if [ -d "${IPSEC_NSSDIR}" -a -w "${IPSEC_NSSDIR}" ]; then
if [ -f "${IPSEC_NSSDIR}/key4.db" -a \
-f "${IPSEC_NSSDIR}/cert9.db" ]
then
IPSEC_NSSDIR_SQL="sql:${IPSEC_NSSDIR}"
else
echo "ERROR: NSS database files are missing, import aborted." >&2
echo "Initialize database with command \"ipsec checknss\"." >&2
exit 1
fi
pk12util -i "${pkcs12bundle}" -d "${IPSEC_NSSDIR_SQL}"
# check and correct trust bits
set_nss_db_trusts
exit 0
else
echo "ERROR: destination directory \"${IPSEC_NSSDIR}\" is missing or permission denied" >&2
exit 1
fi
}
ipsec_checknss() {
local file
while [ ${#} -gt 0 ]; do
case "${1}" in
--checknss|checknss)
cmd=checknss
;;
--initnss|initnss)
cmd=initnss
;;
--settrusts)
set_trusts=yes
;;
--configdir)
echo "ipsec ${cmd} warning: --configdir is obsoleted, use --nssdir" >&2
IPSEC_NSSDIR="${2}"
shift
;;
-d|--nssdir)
# A lot of nss commands use -d to specify NSS db location.
# We use --nssdir.
IPSEC_NSSDIR="${2}"
shift
;;
*)
echo "Usage: ipsec ${cmd} [--nssdir ${IPSEC_NSSDIR}]" >&2
exit 1
;;
esac
shift
done
if [ -d "${IPSEC_NSSDIR}" -a -w "${IPSEC_NSSDIR}" ]; then
IPSEC_NSSDIR_SQL="sql:${IPSEC_NSSDIR}"
# Handle nssdir default change from /etc/ipsec.d to /var/lib/ipsec/nss
if [ "${IPSEC_CONFDDIR}" != "${IPSEC_NSSDIR}" -a \
"${cmd}" = "checknss" ]
then
# Check for legacy nss db format in old location and give failure
# We can't handle two operations at same time.
if [ -f "${IPSEC_CONFDDIR}/cert8.db" -a \
! -f "${IPSEC_CONFDDIR}/cert9.db" -a \
! -f "${IPSEC_NSSDIR}/cert9.db" ]
then
echo "Failure - we cannot handle both nss db format conversion and nss db move to new location in one run." >&2
echo "Run \"ipsec checknss --nssdir ${IPSEC_CONFDDIR}\" manually first to convert db format" >&2
exit 4
fi
for file in cert9.db key4.db pkcs11.txt; do
if [ -f "${IPSEC_CONFDDIR}/${file}" -a \
! -f "${IPSEC_NSSDIR}/${file}" ]
then
if ! mv "${IPSEC_CONFDDIR}/${file}" \
"${IPSEC_NSSDIR}/${file}"
then
echo "Failed to mv ${IPSEC_CONFDDIR}/${file} ${IPSEC_NSSDIR}/${file}" >&2
exit 4
fi
fi
done
fi
# if we have old database
if [ -f "${IPSEC_NSSDIR}/cert8.db" -o \
-f "${IPSEC_NSSDIR}/key3.db" -o \
-f "${IPSEC_NSSDIR}/secmod.db" ]
then
if [ ! -f "${IPSEC_NSSDIR}/cert9.db" -o \
! -f "${IPSEC_NSSDIR}/key4.db" ]; then
IMPORTDBPW=""
NSSTMP=$(mktemp -d /tmp/ipsec_nss_tmp.XXXXXXXXXX)
if [ $? -gt 0 ]; then
echo "Failed to create temporary directory for NSS db migration" >&2
exit 4
fi
# save current umask
umask=$(umask)
# set safe umask
umask 077
echo "Migrating NSS db to ${IPSEC_NSSDIR_SQL}"
# this section works around a few certutil quirks
# to maintain the current password and merge keys
certutil -N -d sql:"${NSSTMP}" --empty-password
if [ $? -gt 0 ]; then
echo "Failed to initialize nss database sql:${NSSTMP}" >&2
exit 4
fi
if [ -f "${IPSEC_NSSPW}" ]; then
# Look for FIPS format of token:pw, or just the pw
grep -q ':' "${IPSEC_NSSPW}"
if [ $? -eq 0 ]; then
cut -d':' -f2 "${IPSEC_NSSPW}" \
> "${NSSTMP}/nsspassword.txt"
cut -d':' -f2 "${IPSEC_NSSPW}" \
>> "${NSSTMP}/nsspassword.txt"
else
cat "${IPSEC_NSSPW}" > "${NSSTMP}/nsspassword.txt"
cat "${IPSEC_NSSPW}" >> "${NSSTMP}/nsspassword.txt"
fi
# For the empty password prompt:
printf "\n\n" > "${NSSTMP}/nsspassword2.txt"
# Change blank pw to the current, and use
# for certutil --upgrade-merge
certutil -W -d sql:"${NSSTMP}" \
-f "${NSSTMP}/nsspassword2.txt" \
-@ "${NSSTMP}/nsspassword.txt"
DBPW="-f ${NSSTMP}/nsspassword.txt -@ ${NSSTMP}/nsspassword.txt"
IMPORTDBPW="-f ${NSSTMP}/nsspassword.txt"
fi
# restore umask
umask ${umask}
certutil --upgrade-merge --source-dir "${IPSEC_NSSDIR}" \
-d sql:"${NSSTMP}" --upgrade-id pluto ${DBPW}
rc=$?
if [ ${rc} -ne 0 ]; then
echo "NSS upgrade failed. You should run certutil --upgrade-merge manually against ${IPSEC_NSSDIR_SQL}"
exit ${rc}
fi
# import cacerts and crls
if [ -d "${CACERTDIR}" ]; then
for file in "${CACERTDIR}"/*; do
if [ -f "${file}" ]; then
filename=$(basename "${file}")
name=${filename%%.*}
certutil -A -i "${file}" -d sql:"${NSSTMP}" -n "${name}" -t 'CT,,' ${IMPORTDBPW}
[ $? -eq 0 ] || printf "%s\n" "${file}"
fi
done
fi
if [ -d "${CRLDIR}" ]; then
for file in "${CRLDIR}"/*; do
if [ -f "${file}" ]; then
crlutil -I -i "${file}" -d sql:"${NSSTMP}" -B ${IMPORTDBPW}
[ $? -eq 0 ] || printf "%s\n" "${file}"
fi
done
fi
cp "${NSSTMP}"/*.db "${NSSTMP}"/*.txt "${IPSEC_NSSDIR}"
rm -f "${NSSTMP}"/*.txt "${NSSTMP}"/*.db
rmdir "${NSSTMP}"
echo "NSS upgrade complete"
fi
exit 0
fi # old database
if [ -f "${IPSEC_NSSDIR}/cert9.db" -o -f "${IPSEC_NSSDIR}/key4.db" ]; then
if [ "${cmd}" = "initnss" ]; then
echo "NSS database already initialised - aborted"
echo "To wipe the old NSS database, issue: rm ${IPSEC_NSSDIR}/*.db"
exit 42
else
if [ "${set_trusts}" = "yes" ]; then
set_nss_db_trusts
fi
exit 0
fi
fi
echo "Initializing NSS database"
echo ""
certutil -N -d "${IPSEC_NSSDIR_SQL}" --empty-password
if [ $? -gt 0 ]; then
echo "Failed to initialize nss database ${IPSEC_NSSDIR_SQL}" >&2
exit 4
fi
restorecon="$(which restorecon 2>/dev/null)"
if [ -n "${restorecon}" -a -x "${restorecon}" ]; then
"${restorecon}" -Rv "${IPSEC_NSSDIR}"
fi
exit 0
else
echo "ERROR: destination directory \"${IPSEC_NSSDIR}\" is missing or permission denied" >&2
exit 1
fi
}
# Check for no options at all and return usage.
if [ -z "${1}" ]; then
ipsec_usage
fi
while [ ${#} -gt 0 ]; do
case "${1}" in
--rundir)
RUNDIR="${2}"
CTLSOCKET="${RUNDIR}/pluto.ctl"
export CTLSOCKET
shift;
shift;
;;
--ctlsocket)
CTLSOCKET="${2}"
export CTLSOCKET
shift;
shift;
;;
whack)
# Whack command is special because --ctlsocket is a whack cmdline option
# We need to make sure we don't give it twice
shift
if echo "${@}" | grep -q -- --ctlsocket; then
exec "${IPSEC_EXECDIR}/whack" "${@}"
else
exec "${IPSEC_EXECDIR}/whack" --ctlsocket "${CTLSOCKET}" "${@}"
fi
exit 0
;;
status|--status)
cmd="whack"
whackoption="--status"
shift
;;
trafficstatus|--trafficstatus|traffic)
cmd="whack"
whackoption="--trafficstatus"
shift
;;
fipsstatus|--fipsstatus|fips)
cmd="whack"
whackoption="--fipsstatus"
shift
;;
globalstatus|--globalstatus)
cmd="whack"
whackoption="--globalstatus"
shift
;;
shuntstatus|--shuntstatus)
cmd="whack"
whackoption="--shuntstatus"
shift
;;
briefstatus|--briefstatus)
cmd="whack"
whackoption="--briefstatus"
shift
;;
showstates|--showstates)
cmd="whack"
whackoption="--showstates"
shift
;;
start|--start)
cmd="setup"
setupoption="--start"
shift
;;
stop|--stop)
cmd="setup"
setupoption="--stop"
shift
;;
letsencrypt)
shift
exec "${IPSEC_EXECDIR}/letsencrypt" "${@}"
;;
restart|--restart)
cmd="setup"
setupoption="--restart"
shift
;;
help|--help)
# if cmd is unset, this is help for ipsec command
if [ -z "${cmd}" ]; then
ipsec_help
fi
;;
version|--version|--versioncode)
# some ubuntu/debian scripts use --versioncode, so let's keep the alias
fixversion
echo "Linux Libreswan ${version}"
exit 0
;;
--directory)
printf "%s\n" "${IPSEC_EXECDIR}"
exit 0
;;
--stopnflog|stopnflog)
ipsec_stopnflog
;;
--checknflog|checknflog|nflog)
ipsec_checknflog
;;
sniff|--sniff)
ipsec_sniff
;;
import|--import)
shift
ipsec_import "${@}"
;;
checknss|--checknss|initnss|--initnss)
ipsec_checknss "${@}"
;;
secrets)
cmd="whack"
whackoption="--rereadsecrets"
shift
;;
rereadcrls|--rereadcrls)
echo "ipsec auto: --rereadcrls and /etc/ipsec.d/crls/ are obsoleted. did you mean: ipsec crls"
exit 1
;;
crls|fetchcrls)
cmd="whack"
whackoption="--fetchcrls"
shift
;;
unbound|--unbound)
# activate the unbound ipsec module
unbound-control set_option ipsecmod-enabled: yes
exit $?
;;
--*)
printf "%s: unknown option \"%s\" (perhaps command name was omitted?)\n" "${0}" "${1}" >&2
exit 1
;;
*)
cmd="${1}"
shift
if [ -x "${IPSEC_EXECDIR}/${cmd}" ]; then
exec "${IPSEC_EXECDIR}/${cmd}" "${@}"
else
printf "%s: unknown IPsec command \"%s\" (\"ipsec --help\" for list)\n" "${0}" "${cmd}" >&2
exit 1
fi
;;
esac
done
case "${cmd}" in
setup)
exec "${IPSEC_EXECDIR}/setup" "${setupoption}"
;;
whack)
exec "${IPSEC_EXECDIR}/whack" --ctlsocket "${CTLSOCKET}" "${whackoption}"
;;
esac