#! /bin/sh
# prefix command to run stuff from our programs directory
# Copyright (C) 1998-2002  Henry Spencer.
# Copyright (C) 2006 Andreas Steffen
# Copyright (C) 2006 Martin Willi
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.

# define a minimum PATH environment in case it is not set
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
export PATH

# name and version of the ipsec implementation
OS_NAME=`uname -s`
IPSEC_NAME="strongSwan"
IPSEC_VERSION="U4.6.3/K`uname -r`"

# where the private directory and the config files are
IPSEC_DIR="/usr/lib64/strongswan/ipsec"
IPSEC_SBINDIR="/usr/sbin"
IPSEC_CONFDIR="/etc"
IPSEC_PIDDIR="/var/run"

IPSEC_STARTER_PID="${IPSEC_PIDDIR}/starter.pid"
IPSEC_PLUTO_PID="${IPSEC_PIDDIR}/pluto.pid"
IPSEC_CHARON_PID="${IPSEC_PIDDIR}/charon.pid"

IPSEC_WHACK="${IPSEC_DIR}/whack"
IPSEC_STROKE="${IPSEC_DIR}/stroke"
IPSEC_STARTER="${IPSEC_DIR}/starter"

export IPSEC_DIR IPSEC_SBINDIR IPSEC_CONFDIR IPSEC_PIDDIR IPSEC_VERSION IPSEC_NAME IPSEC_STARTER_PID IPSEC_PLUTO_PID IPSEC_CHARON_PID

IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity of Applied Sciences Rapperswil, Switzerland"

case "$1" in
'')
	echo "Usage: ipsec command argument ..."
	echo "Use --help for list of commands, or see ipsec(8) manual page"
	echo "or the $IPSEC_NAME documentation for names of the common ones."
	echo "Most have their own manual pages, e.g. ipsec_auto(8)."
	echo "See <http://www.strongswan.org> for more general info."
	exit 0
	;;
--help)
	echo "Usage: ipsec command argument ..."
	echo "where command is one of:"
	echo "	start|restart  arguments..."
	echo "	update|reload|stop"
	echo "	up|down|route|unroute <connectionname>"
	echo "	status|statusall [<connectionname>]"
	echo "	ready"
	echo "	listalgs|listpubkeys|listcerts [--utc]"
	echo "	listcacerts|listaacerts|listocspcerts [--utc]"
	echo "	listacerts|listgroups|listcainfos [--utc]"
	echo "	listcrls|listocsp|listcards|listplugins|listall [--utc]"
	echo "	leases [<poolname> [<address>]]"
	echo "	rereadsecrets|rereadgroups"
	echo "	rereadcacerts|rereadaacerts|rereadocspcerts"
	echo "	rereadacerts|rereadcrls|rereadall"
	echo "	purgeocsp|purgecrls|purgecerts|purgeike"
	echo "	scencrypt|scdecrypt <value> [--inbase <base>] [--outbase <base>] [--keyid <id>]"
	echo "	openac"
	echo "	pluto"
	echo "	scepclient"
	echo "	secrets"
	echo "	starter"
	echo "	version"
	echo "	whack"
	echo "	stroke"
	echo
	echo "Some of these functions have their own manual pages, e.g. ipsec_scepclient(8)."
	exit 0
	;;
--versioncode)
	echo "$IPSEC_VERSION"
	exit 0
	;;
--directory)
	echo "$IPSEC_DIR"
	exit 0
	;;
--confdir)
	echo "$IPSEC_CONFDIR"
	exit 0
	;;
copyright|--copyright)
	set _copyright
	# and fall through, invoking "ipsec _copyright"
	;;
down)
	shift
	if [ "$#" -ne 1 ]
	then
	    echo "Usage: ipsec down <connection name>"
	    exit 2
	fi
	rc=7
	if [ -e $IPSEC_PLUTO_PID ]
	then
		$IPSEC_WHACK --name "$1" --terminate
		rc="$?"
	fi
	if [ -e $IPSEC_CHARON_PID ]
	then
		$IPSEC_STROKE down "$1"
		rc="$?"
	fi
	exit "$rc"
	;;
down-srcip)
	shift
	if [ "$#" -lt 1 ]
	then
	    echo "Usage: ipsec down-srcip <start> [<end>]"
	    exit 2
	fi
	rc=7
	if [ -e $IPSEC_CHARON_PID ]
	then
		$IPSEC_STROKE down-srcip $*
		rc="$?"
	fi
	exit "$rc"
	;;
listcards|rereadgroups)
	op="$1"
	shift
	if [ -e $IPSEC_PLUTO_PID ]
	then
		$IPSEC_WHACK "$@" "--$op"
		rc="$?"
	fi
	if [ -e $IPSEC_CHARON_PID ]
	then
		exit 3
	else
		exit 7
	fi
	;;
leases)
	op="$1"
	rc=7
	shift
	if [ -e $IPSEC_PLUTO_PID ]
	then
		case "$#" in
		0) $IPSEC_WHACK "--$op" ;;
		1) $IPSEC_WHACK "--$op" --name "$1" ;;
		*) $IPSEC_WHACK "--$op" --name "$1" --lease-addr "$2" ;;
		esac
		rc="$?"
	fi
	if [ -e $IPSEC_CHARON_PID ]
	then
		case "$#" in
		0) $IPSEC_STROKE "$op" ;;
		1) $IPSEC_STROKE "$op" "$1" ;;
		*) $IPSEC_STROKE "$op" "$1" "$2" ;;
		esac
		rc="$?"
	fi
	exit "$rc"
	;;
listalgs|listpubkeys|listplugins|\
listcerts|listcacerts|listaacerts|\
listacerts|listgroups|listocspcerts|\
listcainfos|listcrls|listocsp|listall|\
rereadsecrets|rereadcacerts|rereadaacerts|\
rereadacerts|rereadocspcerts|rereadcrls|\
rereadall|purgeocsp)
	op="$1"
	rc=7
	shift
	if [ -e $IPSEC_PLUTO_PID ]
	then
		$IPSEC_WHACK "$@" "--$op"
		rc="$?"
	fi
	if [ -e $IPSEC_CHARON_PID ]
	then
		$IPSEC_STROKE "$op" "$@"
		rc="$?"
	fi
	exit "$rc"
	;;
purgeike|purgecrls|purgecerts)
	rc=7
	if [ -e $IPSEC_CHARON_PID ]
	then
		$IPSEC_STROKE "$1"
		rc="$?"
	fi
	exit "$rc"
	;;
ready)
	shift
	if [ -e $IPSEC_PLUTO_PID ]
	then
		$IPSEC_WHACK --listen
		exit 0
	else
		exit 7
	fi
	;;
reload)
	rc=7
	if [ -e $IPSEC_STARTER_PID ]
	then
		echo "Reloading strongSwan IPsec configuration..." >&2
		kill -USR1 `cat $IPSEC_STARTER_PID` 2>/dev/null && rc=0
	else
		echo "Reloading strongSwan IPsec failed: starter is not running" >&2
	fi
	exit "$rc"
	;;
restart)
	$IPSEC_SBINDIR/ipsec stop
	sleep 2
	shift
	exec $IPSEC_SBINDIR/ipsec start "$@"
	;;
route|unroute)
	op="$1"
	rc=7
	shift
	if [ "$#" -ne 1 ]
	then
		echo "Usage: ipsec $op <connection name>"
		exit 2
	fi
	if [ -e $IPSEC_PLUTO_PID ]
	then
		$IPSEC_WHACK --name "$1" "--$op"
		rc="$?"
	fi
	if [ -e $IPSEC_CHARON_PID ]
	then
		$IPSEC_STROKE "$op" "$1"
		rc="$?"
	fi
	exit "$rc"
	;;
scencrypt|scdecrypt)
	op="$1"
	shift
	if [ -e $IPSEC_PLUTO_PID ]
	then
		$IPSEC_WHACK "--$op" "$@"
		exit "$?"
	else
		exit 7
	fi
	;;
secrets)
	rc=7
	if [ -e $IPSEC_PLUTO_PID ]
	then
		$IPSEC_WHACK --rereadsecrets
		rc="$?"
	fi
	if [ -e $IPSEC_CHARON_PID ]
	then
		$IPSEC_STROKE rereadsecrets
		rc="$?"
	fi
	exit "$rc"
	;;
start)
	shift
	if [ -d /var/lock/subsys ]; then
		touch /var/lock/subsys/ipsec
	fi
	exec $IPSEC_STARTER "$@"
	;;
status|statusall)
	op="$1"
	# Return value is slightly different for the status command:
	# 0 - service up and running
	# 1 - service dead, but /var/run/  pid  file exists
	# 2 - service dead, but /var/lock/ lock file exists
	# 3 - service not running (unused)
	# 4 - service status unknown :-(
	# 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)
	shift
	if [ $# -eq 0 ]
	then
		if [ -e $IPSEC_PLUTO_PID ]
		then
			$IPSEC_WHACK "--$op"
		fi
		if [ -e $IPSEC_CHARON_PID ]
		then
			$IPSEC_STROKE "$op"
		fi
	else
		if [ -e $IPSEC_PLUTO_PID ]
		then
			$IPSEC_WHACK --name "$1" "--$op"
		fi
		if [ -e $IPSEC_CHARON_PID ]
		then
			$IPSEC_STROKE "$op" "$1"
		fi
	fi
	if [ -e $IPSEC_STARTER_PID ]
	then
		kill -0 `cat $IPSEC_STARTER_PID` 2>/dev/null
		exit $?
	fi
	exit 3
	;;
stop)
	# stopping a not-running service is considered as success
	if [ -e $IPSEC_STARTER_PID ]
	then
		echo "Stopping strongSwan IPsec..." >&2
		spid=`cat $IPSEC_STARTER_PID`
		if [ -n "$spid" ]
		then
			kill $spid 2>/dev/null
			loop=11
			while [ $loop -gt 0 ] ; do
				kill -0 $spid 2>/dev/null || break
				sleep 1
				loop=$(($loop - 1))
			done
			if [ $loop -eq 0 ]
			then
				kill -KILL $spid 2>/dev/null
				rm -f $IPSEC_STARTER_PID
			fi
		fi
	else
		echo "Stopping strongSwan IPsec failed: starter is not running" >&2
	fi
	if [ -d /var/lock/subsys ]; then
		rm -f /var/lock/subsys/ipsec
	fi
	exit 0
	;;
up)
	shift
	if [ "$#" -ne 1 ]
	then
	    echo "Usage: ipsec up <connection name>"
	    exit 2
	fi
	rc=7
	if [ -e $IPSEC_PLUTO_PID ]
	then
		$IPSEC_WHACK --name "$1" --initiate
		rc="$?"
	fi
	if [ -e $IPSEC_CHARON_PID ]
	then
		$IPSEC_STROKE up "$1"
		rc="$?"
	fi
	exit "$rc"
	;;
update)
	if [ -e $IPSEC_STARTER_PID ]
	then
		echo "Updating strongSwan IPsec configuration..." >&2
		kill -HUP `cat $IPSEC_STARTER_PID`
		exit 0
	else
		echo "Updating strongSwan IPsec failed: starter is not running" >&2
		exit 7
	fi
	;;
version|--version)
	printf "$OS_NAME $IPSEC_NAME $IPSEC_VERSION\n"
	printf "$IPSEC_DISTRO\n"
	printf "See 'ipsec --copyright' for copyright information.\n"
	exit 0
	;;
--*)
	echo "$0: unknown option \`$1' (perhaps command name was omitted?)" >&2
	exit 2
	;;
esac

cmd="$1"
shift

path="$IPSEC_DIR/$cmd"

if [ ! -x "$path" ]
then
    path="$IPSEC_DIR/$cmd"
    if [ ! -x "$path" ]
    then
	echo "$0: unknown IPsec command \`$cmd' (\`ipsec --help' for list)" >&2
	exit 2
    fi
fi

exec $path "$@"
