#!/bin/sh
# -*- mode: sh; sh-shell: sh -*-
#
# prefix command to run stuff from our programs directory
#
# Copyright (C) 1998-2002  Henry Spencer.
# Copyright (C) 2013-2023  Tuomo Soini <tis@foobar.fi>
# Copyright (C) 2013-2016  Paul Wouters <pwouters@redhat.com>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <https://www.gnu.org/licenses/gpl2.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#

test "${IPSEC_INIT_SCRIPT_DEBUG}" && set -v -x

# where the private directory and the config files are
IPSEC_CONF="${IPSEC_CONF:-/etc/ipsec.conf}"
IPSEC_EXECDIR="${IPSEC_EXECDIR:-/usr/libexec/ipsec}"
IPSEC_SBINDIR="${IPSEC_SBINDIR:-/usr/sbin}"
IPSEC_CONFDDIR="${IPSEC_CONFDDIR:-/etc/ipsec.d}"
IPSEC_RUNDIR="${IPSEC_RUNDIR:-/run/pluto}"
IPSEC_NSSDIR="${IPSEC_NSSDIR:-/var/lib/ipsec/nss}"
IPSEC_NSSDIR_SQL="sql:${IPSEC_NSSDIR}"
IPSEC_NSSPW="${IPSEC_CONFDDIR}/nsspassword"
USE_NFLOG="${USE_NFLOG:-true}"
DBPW=""
CACERTDIR="${IPSEC_CONFDDIR}/cacerts"
CRLDIR="${IPSEC_CONFDDIR}/crls"
CTLSOCKET="${IPSEC_RUNDIR}/pluto.ctl"
NSS_BINDIR="${NSS_BINDIR:-/usr/bin}"

export IPSEC_EXECDIR IPSEC_CONF IPSEC_RUNDIR CTLSOCKET

# standardize PATH, and export it for everything else's benefit;
# should config.mk generate this?
PATH="${NSS_BINDIR}:${PATH#${NSS_BINDIR}:}"
PATH="${IPSEC_SBINDIR}:${PATH#${IPSEC_SBINDIR}:}"
export PATH

# suppress ElectricFence banner changing our reference testing output
export EF_DISABLE_BANNER=1

# things not to be listed in help command list
DONTMENTION='^(_.*|.*\.old|.*\.orig|.*~)$'

# version numbering (details filled in by build)
export IPSEC_VERSION="5.0"

ipsec_add() {
    #
    # ipsec add/replace command
    #
    local conn_name usage
    local verbose

    while [ ${#} -gt 0 ]; do
	case "${1}" in
	    add|--add)
		usage="Usage: ipsec add connectionname|--chekcconfig \\
		[--config ${IPSEC_CONF}] [--ctlsocket ${CTLSOCKET}] [--verbose]"
		;;
	    replace|--replace)
		usage="Usage: ipsec replace connectionname \\
		[--config ${IPSEC_CONF}] [--ctlsocket ${CTLSOCKET}] [--verbose]"
		;;
	    checkconfig)
		usage="Usage: ipsec checkconfig [--config ${IPSEC_CONF}] [--verbose]"
		checkconfig="--checkconfig"
		;;
	    help|--help|-h)
		echo "${usage}"
		exit 0
		;;
	    --config)
		IPSEC_CONF="${2}"
		export IPSEC_CONF
		shift
		;;
	    --ctlsocket)
		CTLSOCKET="${2}"
		export CTLSOCKET
		shift
		;;
	    --dry-run|-n)
		dry_run="echo"
		;;
	    --verbose)
		verbose="${verbose} ${1}"
		;;
	    --checkconfig)
		checkconfig="${1}"
		;;
	    -*)
		echo "Unknown option \"${1}\"" >&2
		echo >&2
		echo "${usage}" >&2
		exit 2
		;;
	    *)
		conn_name="${1}"
		;;
	esac
	shift
    done
    # addconn performs a replace.  FIrst it deletes all connections
    # and aliases matching ${conn_name} and then creates a new
    # connection or aliases.
    ${dry_run} "${IPSEC_EXECDIR}/addconn" --config "${IPSEC_CONF}" --ctlsocket "${CTLSOCKET}" ${checkconfig} ${verbose} ${conn_name}
    exit $?
}

ipsec_combined() {
    #
    # ipsec start and ipsec ondemand commands
    #
    local cmd conn_name usage
    local verbose

    while [ ${#} -gt 0 ]; do
	case "${1}" in
	    ondemand|--ondemand)
		cmd="--route"
		usage="Usage: ipsec ondemand [--asynchronous] connectionname \\
		[--remote-host ipaddr] [--config ${IPSEC_CONF}] \\
		[--ctlsocket ${CTLSOCKET}] [--verbose]"
		;;
	    start|--start)
		cmd="--initiate"
		usage="Usage: ipsec start [--asynchronous] connectionname \\
		[--remote-host ipaddr] [--config ${IPSEC_CONF}] \\
		[--ctlsocket ${CTLSOCKET}] [--verbose]"
		;;
	    help|--help|-h)
		echo "${usage}"
		exit 0
		;;
	    --asynchronous)
		asynchronous="${1}"
		;;
	    --config)
		IPSEC_CONF="${2}"
		export IPSEC_CONF
		shift
		;;
	    --ctlsocket)
		CTLSOCKET="${2}"
		export CTLSOCKET
		shift
		;;
	    --dry-run|-n)
		dry_run="echo"
		;;
	    --verbose)
		verbose="${verbose} ${1}"
		;;
	    --remote-host)
		remote_host="--remote-host ${2}"
		shift
		;;
	    -*)
		echo "Unknown option \"${1}\"" >&2
		echo >&2
		echo "${usage}" >&2
		exit 2
		;;
	    *)
		conn_name="${1}"
		;;
	esac
	shift
    done
    ${dry_run} "${IPSEC_EXECDIR}/addconn" --config "${IPSEC_CONF}" --ctlsocket "${CTLSOCKET}" ${verbose} ${conn_name}
    ${dry_run} "${IPSEC_EXECDIR}/whack" --ctlsocket "${CTLSOCKET}" ${asynchronous} --name ${conn_name} ${cmd} ${remote_host}
    exit $?
}

ipsec_redirect() {
    #
    # ipsec redirect command
    #
    local cmd conn_name redirect_to usage

    while [ ${#} -gt 0 ]; do
	case "${1}" in
	    redirect)
		cmd="--redirect-to"
		usage="Usage: ipsec redirect [connectionname] --redirect-to {ip-address,...} \\
		[--ctlsocket ${CTLSOCKET}]"
		;;
	    help|--help|-h)
		echo "${usage}"
		exit 0
		;;
	    --redirect-to)
		redirect_to="${2}"
		shift
		;;
	    --ctlsocket)
		CTLSOCKET="${2}"
		export CTLSOCKET
		shift
		;;
	    --dry-run|-n)
		dry_run="echo"
		;;
	    -*)
		echo "Unknown option \"${1}\"" >&2
		echo  >&2
		echo "${usage}" >&2
		exit 2
		;;
	    *)
		conn_name="${1}"
		;;
	esac
	shift
    done
    ${dry_run} "${IPSEC_EXECDIR}/whack" --ctlsocket "${CTLSOCKET}" --name ${conn_name} ${cmd} "${redirect_to}"
    exit $?
}

ipsec_whack() {
    #
    # ipsec whack commands with per-command help
    #
    local cmd conn_name usage
    local verbose

    while [ ${#} -gt 0 ]; do
	case "${1}" in
	    briefstatus|--briefstatus)
		cmd="--briefstatus"
		usage="Usage: ipsec briefstatus [--ctlsocket ${CTLSOCKET}]"
		;;
	    checkpubkeys|--checkpubkeys)
		cmd="--checkpubkeys"
		usage="Usage: ipsec checkpubkeys [--ctlsocket ${CTLSOCKET}]"
		;;
	    connectionstatus|--connectionstatus)
		cmd="--connectionstatus"
		usage="Usage: ipsec connectionstatus [connnectionname] [--ctlsocket ${CTLSOCKET}]"
		;;
	    briefconnectionstatus|--briefconnectionstatus)
		cmd="--briefconnectionstatus"
		usage="Usage: ipsec briefconnectionstatus [connnectionname] [--ctlsocket ${CTLSOCKET}]"
		;;
	    delete|--delete)
		cmd="--delete"
		usage="Usage: ipsec delete connectionname [--ctlsocket ${CTLSOCKET}]"
		;;
	    down|--down|terminate)
		cmd="--terminate" # or --down
		usage="Usage: ipsec down connectionname \\
		[--remote-host ipaddr] [--ctlsocket ${CTLSOCKET}]"
		;;
	    fetchcrls|--fetchcrls|crls)
		cmd="--fetchcrls"
		usage="Usage: ipsec fetchcrls [--ctlsocket ${CTLSOCKET}]"
		;;
	    fipsstatus|--fipsstatus|fips)
		cmd="--fipsstatus"
		usage="Usage: ipsec fipsstatus [--ctlsocket ${CTLSOCKET}]"
		;;
	    globalstatus|--globalstatus)
		cmd="--globalstatus"
		usage="Usage: ipsec globalstatus [--ctlsocket ${CTLSOCKET}]"
		;;
	    listall|--listall)
		cmd="--listall"
		usage="Usage: ipsec listall [--utc] [--ctlsocket ${CTLSOCKET}]"
		;;
	    listcacerts|--listcacerts)
		cmd="--listcacerts"
		usage="Usage: ipsec listcacerts [--utc] [--ctlsocket ${CTLSOCKET}]"
		;;
	    listcerts|--listcerts)
		cmd="--listcerts"
		usage="Usage: ipsec listcerts [--utc] [--ctlsocket ${CTLSOCKET}]"
		;;
	    listcrls|--listcrls)
		cmd="--listcrls"
		usage="Usage: ipsec listcrls [--utc] [--ctlsocket ${CTLSOCKET}]"
		;;
	    listen|--listen|--ready|--rereadgroups)
		cmd="--listen"
		usage="Usage: ipsec listen [--ctlsocket ${CTLSOCKET}]"
		;;
	    listpubkeys|--listpubkeys)
		cmd="--listpubkeys"
		usage="Usage: ipsec listpubkeys [--utc] [--ctlsocket ${CTLSOCKET}]"
		;;
	    purgeocsp|--purgeocsp)
		cmd="--purgeocsp"
		usage="Usage: ipsec purgeocsp [--ctlsocket ${CTLSOCKET}]"
		;;
	    rereadall|--rereadall)
		cmd="--rereadall"
		usage="Usage: ipsec rereadall [--ctlsocket ${CTLSOCKET}]"
		;;
	    rereadcerts|--rereadcerts)
		cmd="--rereadcerts"
		usage="Usage: ipsec rereadcerts [--ctlsocket ${CTLSOCKET}]"
		;;
	    rereadsecrets|--rereadsecrets|secrets)
		cmd="--rereadsecrets"
		usage="Usage: ipsec rereadsecrets|secrets [--ctlsocket ${CTLSOCKET}]"
		;;
	    route|--route)
		cmd="--route"
		usage="Usage: ipsec route connectionname [--ctlsocket ${CTLSOCKET}]"
		;;
	    showstates|--showstates|--statestatus)
		cmd="--showstates"
		usage="Usage: ipsec showstates [--ctlsocket ${CTLSOCKET}]"
		;;
	    shuntstatus|--shuntstatus)
		cmd="--shuntstatus"
		usage="Usage: ipsec shuntstatus [--ctlsocket ${CTLSOCKET}]"
		;;
	    status|--status)
		cmd="--status"
		usage="Usage: ipsec status [--ctlsocket ${CTLSOCKET}]"
		;;
	    trafficstatus|--trafficstatus|traffic)
		cmd="--trafficstatus"
		usage="Usage: ipsec trafficstatus connectionname [--ctlsocket ${CTLSOCKET}]"
		;;
	    unroute|--unroute)
		cmd="--unroute"
		usage="Usage: ipsec unroute connectionname [--ctlsocket ${CTLSOCKET}]"
		;;
	    up|--up|initiate|--initiate)
		cmd="--initiate"
		usage="Usage: ipsec up [--asynchronous] connectionname \\
		[--remote-host ipaddr] [--ctlsocket ${CTLSOCKET}]"
		;;
	    help|--help|-h)
		echo "${usage}"
		exit 0
		;;
	    --asynchronous)
		asynchronous="${1}"
		;;
	    --ctlsocket)
		CTLSOCKET="${2}"
		export CTLSOCKET
		shift
		;;
	    --remote-host)
		remote_host="--remote-host ${2}"
		shift
		;;
	    --dry-run|-n)
		dry_run="echo"
		;;
	    --utc)
		utc="${1}"
		;;
	    --verbose)
		verbose="${verbose} ${1}"
		;;
	    -*)
		echo "Unknown option \"${1}\"" >&2
		echo >&2
		echo "${usage}" >&2
		exit 2
		;;
	    *)
		conn_name="--name ${1}"
		;;
	esac
	shift
    done
    ${dry_run} "${IPSEC_EXECDIR}/whack" --ctlsocket "${CTLSOCKET}" ${asynchronous} ${conn_name} ${utc} ${cmd} ${remote_host}
    exit $?
}

set_nss_db_trusts() {
    # has to handle a NSS nick with spaces
    certutil -L -d "${IPSEC_NSSDIR_SQL}" | \
	grep -E -v '(Trust Attributes|SSL,S/MIME,JAR/XPI|^)$' | \
	awk '{$NF=""; print $0}' | \
	while read -r cert
    do
	if certutil -L -d "${IPSEC_NSSDIR_SQL}" -n "${cert}" | \
	    grep -q 'Is a CA' && \
	    [ $(certutil -L -d "${IPSEC_NSSDIR_SQL}" -n "${cert}" | grep -i -A3 'ssl flags' | grep -i 'trusted' | wc -l) -ne 2 ]
	then
	    echo "correcting trust bits for ${cert}"
	    certutil -M -d "${IPSEC_NSSDIR_SQL}" -n "${cert}" -t 'CT,,'
	fi
    done
}

ipsec_usage() {
    echo "Usage: ipsec {command} [argument] ..."
    echo "See also: man ipsec, ipsec help or ipsec {command} help"
    echo
    echo "See <https://libreswan.org> for more general info."
    echo "Libreswan ${IPSEC_VERSION}"
    exit 2
}

ipsec_help() {
    echo "Usage: ipsec {command} [argument] ...>"
    echo "where {command} is one of:"
    echo
    GOTTWO=""
    for f in \
	add \
	briefstatus \
	certutil \
	checkconfig \
	checknflog \
	checknss \
	connectionstatus \
	briefconnectionstatus \
	delete \
	down \
	fetchcrls \
	fipsstatus \
	import \
	initnss \
	listall \
	listcacerts \
	listcerts \
	listcrls \
	listen \
	listpubkeys \
	ondemand \
	pk12util \
	purgeocsp \
	replace \
	rereadall \
	rereadcerts \
	rereadsecrets \
	restart \
	route \
	showstates \
	shuntstatus \
	start \
	status \
	stop \
	trafficstatus \
	unroute \
	up \
	$(ls "${IPSEC_EXECDIR}" | grep -E -v -i "${DONTMENTION}")
    do
	if [ -z "${GOTTWO}" ]; then
	    # first of two entries
	    GOTTWO="${f}"
	else
	    # second of two entries, we can print
	    printf "\t%s" "${GOTTWO}"
	    if [ "${#GOTTWO}" -ge 16 ]; then
		printf  "\t"
	    elif [ "${#GOTTWO}" -ge 8 ]; then
		printf "\t\t"
	    else
		printf "\t\t\t"
	    fi
	    printf "%s\n" "${f}"
	    GOTTWO=""
	fi
    done
    if [ -n "${GOTTWO}" ]; then
	# leftover entry
	printf "\t%s\n" "${GOTTWO}"
    fi
    echo
    echo "See also: man ipsec {command} or ipsec {command} help"
    echo "See <https://libreswan.org/> for more general info."
    echo "Libreswan ${IPSEC_VERSION}"
    exit 0
}

# add nflog-all
nflog_nftables_add() {
	nft -f - <<EOF

table inet ipsec-log {
	chain input {
		type filter hook input priority filter; policy accept;
		meta ipsec exists log prefix "all-ipsec-input" group 50
	}

	chain output {
		type filter hook output priority filter; policy accept;
		rt ipsec exists log prefix "all-ipsec-output" group 50
	}
}

EOF
}

nflog_nftables_delete_table() {
    local table=$1

    t=$(nft list table inet $table 2>/dev/null | wc -l)
    [ ${t} -eq 2 ] && nft delete table inet ${table}
}

nflog_nftables_delete_chain() {
    local chain=$1

    t=$(nft list table inet ipsec-log 2>/dev/null | wc -l)
    if [ ${t} -gt 0 ]; then
	c=$(nft list chain inet ipsec-log ${chain} 2>/dev/null | wc -l)
	if [ ${c} -gt 0 ]; then
	    nft delete chain inet ipsec-log ${chain}
	    # assumed nothing else used this chain.
	    # one day check if something else used this chain.
	    # if yes only delete the rule this script added and warn?
	    # something like
	    # nft -a list chain inet ipsec-log input | grep -v "all-ipsec-input" | wc -l
	    # count -eq 5 . chagpti's idea of finding empty nftable chain
	fi
    fi
}

nflog_nftables_delete() {
    nflog_nftables_delete_chain input
    nflog_nftables_delete_chain output
    nflog_nftables_delete_table ipsec-log
}

nflog_iptables_delete() {
    local GROUP=$1
    iptables -D INPUT  -m policy --dir in  --pol ipsec -j NFLOG --nflog-group "${GROUP}" --nflog-prefix all-ipsec
    iptables -D OUTPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group "${GROUP}" --nflog-prefix all-ipsec
}

ipsec_stopnflog() {
    if [ "${USE_NFLOG}" != "true" ]; then
	echo "NFLOG support has been disabled" >&2
	exit 0
    fi
    if [ -s "${dry_run}" ]; then
	echo "ipsec stopnflog does not support --dry-run" 1>&2
	exit 1
    fi
    local usage
    usage="Usage: ipsec stopnflog"
    while [ ${#} -gt 0 ]; do
	case ${1} in
	    help|--help|-h)
		echo "${usage}"
		exit 0
		;;
	    *)
		echo "ipsec stopnflog: Unknown option \"${1}\"" >&2
		echo >&2
		echo "${usage}" >&2
		exit 2
		;;
	esac
	shift
    done

    NFGROUP=$(ASAN_OPTIONS=detect_leaks=0 "${IPSEC_EXECDIR}/addconn" --ctlsocket "${CTLSOCKET}" --configsetup | grep -v "#" | grep nflog | sed -e "s/^.*=//" -e "s/'//g");
    if [ -z "${NFGROUP}" ]; then
	exit 0
    fi

    firewall_cmd

    if [ -n "${FIREWALL}" ]; then
	nflog_${FIREWALL}_delete "${NFGROUP}"
    fi

    exit 0
}

checknflog_iptables() {
    if [ -n "${NFGROUP}" ]; then
	OLDNFGROUP=$(iptables -L -n | grep "all-ipsec nflog-group" | sed "s/^.* //" | tail -1);
	if [ -n "${OLDNFGROUP}" ]; then
	    if [ "${NFGROUP}" = "${OLDNFGROUP}" ]; then
		# nothing to do
		echo "nflog ipsec capture enabled on nflog:${NFGROUP}"
		exit 0
	    else
		# delete rules with old group number
		echo "deleting rules with old nflog group ${OLDNFGROUP}"
		nflog_iptables_delete "${OLDNFGROUP}"
	    fi
	fi
	# insert rules with current group number
	iptables -I INPUT  -m policy --dir in  --pol ipsec -j NFLOG --nflog-group ${NFGROUP} --nflog-prefix all-ipsec
	iptables -I OUTPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group ${NFGROUP} --nflog-prefix all-ipsec
	echo "nflog ipsec capture enabled on nflog:${NFGROUP}"
    else
	OLDNFGROUP=$(iptables -L -n | grep "all-ipsec nflog-group" | sed "s/^.* //" | tail -1);
	if [ -n "${OLDNFGROUP}" ]; then
	    echo "deleting rules with old nflog group ${OLDNFGROUP}"
	    nflog_iptables_delete "${OLDNFGROUP}"
	fi
	echo "nflog ipsec capture disabled"
    fi
}

checknflog_nftables() {
    if [ -n "${NFGROUP}" ]; then
	f=$(nft list table inet ipsec-log 2>/dev/null | wc -l)
	if [ ${f} -gt 0 ]; then
	    f=$(nft list chain inet ipsec-log input 2>/dev/null | wc -l)
	    if [ ${f} -gt 0 ]; then
		echo "found chain ipsec all-input"
		# this is incomplete need more work here to check both rules.
	    else
		nflog_nftables_add
	    fi
	else
	    nflog_nftables_add
	fi
    else
	nflog_nftables_delete
    fi
}

firewall_cmd() {
    USE_IPTABLES=false
    USE_NFTABLES=true

    if [ "${USE_NFTABLES}" = true ]; then
	FIREWALL=nftables
    elif [ "${USE_IPTABLES}" = true ]; then
	FIREWALL=iptables
    else
	FIREWALL=
    fi
}

ipsec_checknflog() {
    if [ "${USE_NFLOG}" != "true" ]; then
	echo "NFLOG support has been disabled" >&2
	exit 0
    fi
    if [ -s "${dry_run}" ]; then
	echo "ipsec checknflog does not support --dry-run" 1>&2
	exit 1
    fi
    local usage
    usage="Usage: ipsec checknflog"
    while [ ${#} -gt 0 ]; do
	case ${1} in
	    help|--help|-h)
		echo "${usage}"
		exit 0
		;;
	    *)
		echo "ipsec checknflog: Unknown option \"${1}\"" >&2
		echo >&2
		echo "${usage}" >&2
		exit 2
		;;
	esac
	shift
    done

    NFGROUP=$(ASAN_OPTIONS=detect_leaks=0 "${IPSEC_EXECDIR}/addconn" --ctlsocket "${CTLSOCKET}" --configsetup | grep -v "#" | grep nflog| sed -e "s/^.*=//" -e "s/'//g");

    firewall_cmd

    if [ -n "${FIREWALL}" ]; then
	checknflog_${FIREWALL}
    fi

    exit 0
}

ipsec_sniff() {
    if [ "${USE_NFLOG}" != "true" ]; then
	echo "NFLOG support has been disabled" >&2
	exit 0
    fi
    if [ -s "${dry_run}" ]; then
	echo "ipsec sniff does not support --dry-run" 1>&2
	exit 1
    fi
    local usage
    usage="Usage: ipsec sniff"
    while [ ${#} -gt 0 ]; do
	case ${1} in
	    help|--help|-h)
		echo "${usage}"
		exit 0
		;;
	    *)
		echo "ipsec sniff: Unknown option \"${1}\"" >&2
		echo >&2
		echo "${usage}" >&2
		exit 2
		;;
	esac
	shift
    done

    NFGROUP=$(ASAN_OPTIONS=detect_leaks=0 "${IPSEC_EXECDIR}/addconn" --ctlsocket "${CTLSOCKET}" --configsetup | grep -v "#" | grep nflog | sed -e "s/^.*=//" -e "s/'//g");
    tcpdump -n -i nflog:${NFGROUP}
    exit 0
}

ipsec_import() {
    if [ -z "${1}" ]; then
	echo "Usage: ipsec import [--nssdir ${IPSEC_NSSDIR}] /path/to/pkcs.12" >&2
	exit 1
    fi
    if [ -s "${dry_run}" ]; then
	echo "ipsec import does not support --dry-run" 1>&2
	exit 1
    fi

    while [ ${#} -gt 0 ]; do
	case "${1}" in
	    --configdir)
		echo "ipsec import warning: --configdir is obsoleted, use --nssdir" >&2
		if [ -d "${2}" ]; then
		    IPSEC_NSSDIR="${2}"
		fi
		shift
		;;
	    -d|--nssdir)
		if [ -d "${2}" ]; then
		    IPSEC_NSSDIR="${2}"
		fi
		shift
		# A lot of nss commands use -d to specify NSS db location.
		# We use --nssdir.
		;;
	    *)
		if [ -f "${1}" ]; then
		    pkcs12bundle="${1}"
		else
		    echo "Usage: ipsec import [--nssdir ${IPSEC_NSSDIR}] /path/to/pkcs.12" >&2
		    exit 1
		fi
		;;
	esac
	shift
    done

    if [ -d "${IPSEC_NSSDIR}" -a -w "${IPSEC_NSSDIR}" ]; then
	if [ -f "${IPSEC_NSSDIR}/key4.db" -a \
	    -f "${IPSEC_NSSDIR}/cert9.db" ]
	then
	    IPSEC_NSSDIR_SQL="sql:${IPSEC_NSSDIR}"
	else
	    echo "ERROR: NSS database files are missing, import aborted." >&2
	    echo "Initialize database with command \"ipsec checknss\"." >&2
	    exit 1
	fi

	pk12util -i "${pkcs12bundle}" -d "${IPSEC_NSSDIR_SQL}"
	# check and correct trust bits
	set_nss_db_trusts
	exit 0
    else
	echo "ERROR: destination directory \"${IPSEC_NSSDIR}\" is missing or permission denied" >&2
	exit 1
    fi
}

ipsec_checknss() {
    local file
    while [ ${#} -gt 0 ]; do
	case "${1}" in
	    --checknss|checknss)
		cmd=checknss
		;;
	    --initnss|initnss)
		cmd=initnss
		;;
	    --settrusts)
		set_trusts=yes
		;;
	    --configdir)
		echo "ipsec ${cmd} warning: --configdir is obsoleted, use --nssdir" >&2
		IPSEC_NSSDIR="${2}"
		shift
		;;
	    -d|--nssdir)
		# A lot of nss commands use -d to specify NSS db location.
		# We use --nssdir.
		IPSEC_NSSDIR="${2}"
		shift
		;;
	    *)
		echo "Usage: ipsec ${cmd} [--nssdir ${IPSEC_NSSDIR}]" >&2
		exit 1
		;;
	esac
	shift
    done

    if [ -d "${IPSEC_NSSDIR}" -a -w "${IPSEC_NSSDIR}" ]; then
	IPSEC_NSSDIR_SQL="sql:${IPSEC_NSSDIR}"
	# Handle nssdir default change from /etc/ipsec.d to /var/lib/ipsec/nss
	if [ "${IPSEC_CONFDDIR}" != "${IPSEC_NSSDIR}" -a \
	    "${cmd}" = "checknss" ]
	then
	    # Check for legacy nss db format in old location and give failure
	    # We can't handle two operations at same time.
	    if [ -f "${IPSEC_CONFDDIR}/cert8.db" -a \
		! -f "${IPSEC_CONFDDIR}/cert9.db" -a \
		! -f "${IPSEC_NSSDIR}/cert9.db" ]
	    then
		echo "Failure - we cannot handle both nss db format conversion and nss db move to new location in one run." >&2
		echo "Run \"ipsec checknss --nssdir ${IPSEC_CONFDDIR}\" manually first to convert db format" >&2
		exit 4
	    fi
	    for file in cert9.db key4.db pkcs11.txt; do
		if [ -f "${IPSEC_CONFDDIR}/${file}" -a \
		    ! -f "${IPSEC_NSSDIR}/${file}" ]
		then
		    if ! mv "${IPSEC_CONFDDIR}/${file}" \
			"${IPSEC_NSSDIR}/${file}"
		    then
			echo "Failed to mv ${IPSEC_CONFDDIR}/${file} ${IPSEC_NSSDIR}/${file}" >&2
			exit 4
		    fi
		fi
	    done
	fi
	# if we have old database
	if [ -f "${IPSEC_NSSDIR}/cert8.db" -o \
	    -f "${IPSEC_NSSDIR}/key3.db" -o \
	    -f "${IPSEC_NSSDIR}/secmod.db" ]
	then
	    if [ ! -f "${IPSEC_NSSDIR}/cert9.db" -o \
		! -f "${IPSEC_NSSDIR}/key4.db" ]; then
		IMPORTDBPW=""
		NSSTMP=$(mktemp -d /tmp/ipsec_nss_tmp.XXXXXXXXXX)
		if [ $? -gt 0 ]; then
		    echo "Failed to create temporary directory for NSS db migration" >&2
		    exit 4
		fi
		# save current umask
		umask=$(umask)
		# set safe umask
		umask 077
		echo "Migrating NSS db to ${IPSEC_NSSDIR_SQL}"
		# this section works around a few certutil quirks
		# to maintain the current password and merge keys
		certutil -N -d sql:"${NSSTMP}" --empty-password
		if [ $? -gt 0 ]; then
		    echo "Failed to initialize nss database sql:${NSSTMP}" >&2
		    exit 4
		fi
		if [ -f "${IPSEC_NSSPW}" ]; then
		    # Look for FIPS format of token:pw, or just the pw
		    grep -q ':' "${IPSEC_NSSPW}"
		    if [ $? -eq 0 ]; then
			cut -d':' -f2 "${IPSEC_NSSPW}" \
			    > "${NSSTMP}/nsspassword.txt"
			cut -d':' -f2 "${IPSEC_NSSPW}" \
			    >> "${NSSTMP}/nsspassword.txt"
		    else
			cat "${IPSEC_NSSPW}" > "${NSSTMP}/nsspassword.txt"
			cat "${IPSEC_NSSPW}" >> "${NSSTMP}/nsspassword.txt"
		    fi
		    # For the empty password prompt:
		    printf "\n\n" > "${NSSTMP}/nsspassword2.txt"
		    # Change blank pw to the current, and use
		    # for certutil --upgrade-merge
		    certutil -W -d sql:"${NSSTMP}" \
			-f "${NSSTMP}/nsspassword2.txt" \
			-@ "${NSSTMP}/nsspassword.txt"
		    DBPW="-f ${NSSTMP}/nsspassword.txt -@ ${NSSTMP}/nsspassword.txt"
		    IMPORTDBPW="-f ${NSSTMP}/nsspassword.txt"
		fi
		# restore umask
		umask ${umask}
		certutil --upgrade-merge --source-dir "${IPSEC_NSSDIR}" \
		    -d sql:"${NSSTMP}" --upgrade-id pluto ${DBPW}
		rc=$?
		if [ ${rc} -ne 0 ]; then
		    echo "NSS upgrade failed. You should run certutil --upgrade-merge manually against ${IPSEC_NSSDIR_SQL}"
		    exit ${rc}
		fi
		# import cacerts and crls
		if [ -d "${CACERTDIR}" ]; then
		    for file in "${CACERTDIR}"/*; do
			if [ -f "${file}" ]; then
			    filename=$(basename "${file}")
			    name=${filename%%.*}
			    certutil -A -i "${file}" -d sql:"${NSSTMP}" -n "${name}" -t 'CT,,' ${IMPORTDBPW}
			    [ $? -eq 0 ] || printf "%s\n" "${file}"
			fi
		    done
		fi
		if [ -d "${CRLDIR}" ]; then
		    for file in "${CRLDIR}"/*; do
			if [ -f "${file}" ]; then
			    crlutil -I -i "${file}" -d sql:"${NSSTMP}" -B ${IMPORTDBPW}
			    [ $? -eq 0 ] || printf "%s\n" "${file}"
			fi
		    done
		fi
		cp "${NSSTMP}"/*.db "${NSSTMP}"/*.txt "${IPSEC_NSSDIR}"
		rm -f "${NSSTMP}"/*.txt "${NSSTMP}"/*.db
		rmdir "${NSSTMP}"
		echo "NSS upgrade complete"
	    fi
	    exit 0
	fi	# old database
	if [ -f "${IPSEC_NSSDIR}/cert9.db" -o -f "${IPSEC_NSSDIR}/key4.db" ]; then
	    if [ "${cmd}" = "initnss" ]; then
		echo "NSS database already initialised - aborted"
		echo "To wipe the old NSS database, issue: rm ${IPSEC_NSSDIR}/*.db"
		exit 42
	    else
		if [ "${set_trusts}" = "yes" ]; then
		    set_nss_db_trusts
		fi
		exit 0
	    fi
	fi
	echo "Initializing NSS database"
	echo
	certutil -N -d "${IPSEC_NSSDIR_SQL}" --empty-password
	if [ $? -gt 0 ]; then
	    echo "Failed to initialize nss database ${IPSEC_NSSDIR_SQL}" >&2
	    exit 4
	fi
	restorecon="$(which restorecon 2>/dev/null)"
	if [ -n "${restorecon}" -a -x "${restorecon}" ]; then
	    "${restorecon}" -Rv "${IPSEC_NSSDIR}"
	fi
	exit 0
    else
	echo "ERROR: destination directory \"${IPSEC_NSSDIR}\" is missing or permission denied" >&2
	exit 1
    fi
}

ipsec_nsscmd() {
    #
    # run nss-tools utilities with correct nss directory
    #

    if [ -z "${1}" ]; then
	echo "Usage: ipsec {certutil|crlutil||pk12util|vfychain} ..." >&2
	exit 1
    fi

    # vfychain on Fedora isn't in the default path.
    if [ -x "/usr/lib64/nss/unsupported-tools/${1}" ] ; then
	cmd="/usr/lib64/nss/unsupported-tools/${1}"
    else
	cmd="${1}"
    fi
    shift	# drop the command

    # reject -d and --nssdir outright
    case " $* " in
	*' -d '*|*' --nssdir '*)
	    echo "ERROR: ipsec {certutil|crlutil|pk12util|vfychain} do not accept --nssdir" >&2
	    exit 2
	    ;;
	*' --dry-run '*)
	    echo "ERROR: ipsec {certutil|crlutil|modutil|pk12util|vfychain} do not accept --dry-run" >&2
	    exit 2
	    ;;
	*' -dbdir '*)
	    echo "ERROR: ipsec {modutil} does not accept -dbdir" >&2
	    exit 2
	    ;;
    esac

    # modutil's nssdir option is different, ulgn
    case "${cmd}" in
	modutil)
	    exec ${dry_run} ${cmd} -dbdir ${IPSEC_NSSDIR} "${@}"
	    ;;
	*)
	    exec ${dry_run} ${cmd} -d ${IPSEC_NSSDIR} "${@}"
	    ;;
    esac
    # exec failed?
    exit $?
}

ipsec_setup() {
    #
    # ipsec setup commands with per-command help
    #
    local cmd usage

    while [ ${#} -gt 0 ]; do
	case "${1}" in
	    restart|--restart)
		cmd="--restart"
		usage="Usage: ipsec restart"
		;;
	    start|--start)
		cmd="--start"
		usage="Usage: ipsec start"
		;;
	    stop|--stop)
		cmd="--stop"
		usage="Usage: ipsec stop"
		;;
	    help|--help|-h)
		echo "${usage}"
		exit 0
		;;
	    --dry-run|-n)
		dry_run="echo"
		;;
	    -*)
		echo "Unknown option \"${1}\"" >&2
		echo >&2
		echo "${usage}" >&2
		exit 2
		;;
	esac
	shift
    done
    ${dry_run} "${IPSEC_EXECDIR}/setup" ${cmd}
    exit $?
}

# Check for no options at all and return usage.
if [ -z "${1}" ]; then
    ipsec_usage
fi

# Make sure these variables are empty before parsing command line
verbose=
asynchronous=
dry_run=
remote_host=
utc=

while [ ${#} -gt 0 ]; do
    case "${1}" in
	--rundir)
	    RUNDIR="${2}"
	    CTLSOCKET="${RUNDIR}/pluto.ctl"
	    export CTLSOCKET
	    shift
	    shift
	    ;;
	--ctlsocket)
	    CTLSOCKET="${2}"
	    export CTLSOCKET
	    shift
	    shift
	    ;;
	auto)
	    # ipsec_auto deprecated at 5.0, we eat this option for now
	    # so that ipsec auto <command> continues to work.
	    echo "WARNING: ipsec auto has been deprecated" >&2
	    shift
	    ;;
	whack)
	    # Whack command is special because --ctlsocket is a whack cmdline option
	    # We need to make sure we don't give it twice
	    shift
	    case " ${@} " in
		--ctlsocket)
		    exec ${dry_run} "${IPSEC_EXECDIR}/whack" "${@}"
		    ;;
		*)
		    exec ${dry_run} "${IPSEC_EXECDIR}/whack" --ctlsocket "${CTLSOCKET}" "${@}"
		    ;;
	    esac
	    # exec failed?
	    exit $?
	    ;;
	add|--add|checkconfig|replace|--replace)
	    ipsec_add "${@}"
	    ;;
	briefstatus|--briefstatus|\
	checkpubkeys|--checkpubkeys|\
	connectionstatus|--connectionstatus|\
	briefconnectionstatus|--briefconnectionstatus|\
	delete|--delete|\
	down|--down|terminate|\
	fetchcrls|--fetchcrls|crls|\
	fipsstatus|--fipsstatus|fips|\
	globalstatus|--globalstatus|\
	listall|--listall|\
	listcacerts|--listcacerts|\
	listcerts|--listcerts|\
	listcrls|--listcrls|\
	listen|--listen|--ready|--rereadgroups|\
	listpubkeys|--listpubkeys|\
	purgeocsp|--purgeocsp|\
	rereadall|--rereadall|\
	rereadcerts|--rereadcerts|\
	rereadsecrets|--rereadsecrets|secrets|\
	route|--route|\
	showstates|--showstates|--statestatus|\
	shuntstatus|--shuntstatus|\
	status|--status|\
	trafficstatus|--trafficstatus|traffic|\
	unroute|--unroute|\
	up|--up|initiate|--initiate)
	    ipsec_whack "${@}"
	    ;;
	ondemand|--ondemand)
	    ipsec_combined "${@}"
	    ;;
	redirect)
	    ipsec_redirect "${@}"
	    ;;
	restart|--restart)
	    ipsec_setup "${@}"
	    ;;
	start|--start)
	    if [ -z "${2}" ]; then
		ipsec_setup "${@}"
	    else
	        ipsec_combined "${@}"
	    fi
	    ;;
	stop|--stop)
	    ipsec_setup "${@}"
	    ;;
	letsencrypt)
	    shift
	    exec ${dry_run} "${IPSEC_EXECDIR}/letsencrypt" "${@}"
	    # exec failed?
	    exit $?
	    ;;
	help|--help|-h)
	    ipsec_help
	    ;;
    	version|--version|--versioncode)
	    # some ubuntu/debian scripts use --versioncode, so let's keep the alias
	    echo "Libreswan ${IPSEC_VERSION}"
	    exit 0
	    ;;
	directory|--directory)
	    printf "%s\n" "${IPSEC_EXECDIR}"
	    exit 0
	    ;;
	stopnflog|--stopnflog)
	    shift
	    ipsec_stopnflog "${@}"
	    ;;
	checknflog|--checknflog|nflog)
	    shift
	    ipsec_checknflog "${@}"
	    ;;
	sniff|--sniff)
	    shift
	    ipsec_sniff "${@}"
	    ;;
	import|--import)
	    shift
	    ipsec_import "${@}"
	    ;;
	checknss|--checknss|initnss|--initnss)
	    ipsec_checknss "${@}"
	    ;;
	certutil|crlutil|modutil|pk12util|vfychain)
	    ipsec_nsscmd "${@}"
	    ;;
	unbound|--unbound)
	    # activate the unbound ipsec module
	    exec ${dry_run} unbound-control set_option ipsecmod-enabled: yes
	    # exec failed?
	    exit $?
	    ;;
	--asynchronous)
	    asynchronous="${1}"
	    shift
	    ;;
	--remote-host)
	    remote_host="--remote-host ${2}"
	    shift
	    shift
	    ;;
	--dry-run|-n)
	    dry_run="echo"
	    shift
	    ;;
	--utc)
	    utc="${1}"
	    shift
	    ;;
	-*)
	    printf "%s: unknown option \"%s\" (perhaps command name was omitted?)\n" "${0}" "${1}" >&2
	    exit 2
	    ;;
	*)
	    cmd="${1}"
	    shift
	    if [ -x "${IPSEC_EXECDIR}/${cmd}" ]; then
		exec ${dry_run} "${IPSEC_EXECDIR}/${cmd}" "${@}"
		# exec failed?
		exit $?
	    fi
	    printf "%s: unknown IPsec command \"%s\" (\"ipsec help\" for list)\n" "${0}" "${cmd}" >&2
	    exit 2
	    ;;
    esac
done
