From e22664f7a27660cc4d24218aea28594237b6db3c Mon Sep 17 00:00:00 2001
From: hwdsl2
Date: Sat, 22 Sep 2018 12:10:02 -0500
Subject: [PATCH] Improve upgrade config

- Try to automatically update modecfgdns lines in /etc/ipsec.conf in the Libreswan upgrade scripts
- Cleanup
---
 extras/vpnupgrade.sh | 109 +++++++++++++++++-------------------
 extras/vpnupgrade_centos.sh | 106 ++++++++++++++++-------------------
 2 files changed, 101 insertions(+), 114 deletions(-)

diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh
index 7f2d422..0b9beba 100644
--- a/extras/vpnupgrade.sh
+++ b/extras/vpnupgrade.sh
@@ -57,6 +57,25 @@ EOF
 ;;
 esac
 
+dns_state=0
+case "$SWAN_VER" in
+ 3.2[356])
+ DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
+ DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
+ [ -n "$DNS_SRV1" ] && dns_state=2
+ [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
+ [ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" != "1" ] && dns_state=0
+ ;;
+ 3.19|3.2[012])
+ DNS_SRVS=$(grep "modecfgdns=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2 | cut -d '"' -f 2)
+ DNS_SRV1=$(printf '%s' "$DNS_SRVS" | cut -d ',' -f 1)
+ DNS_SRV2=$(printf '%s' "$DNS_SRVS" | cut -d ',' -f 2 | sed 's/^ *//')
+ [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && [ "$DNS_SRV1" != "$DNS_SRV2" ] && dns_state=3
+ [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && [ "$DNS_SRV1" = "$DNS_SRV2" ] && dns_state=4
+ [ "$(grep -c "modecfgdns=" /etc/ipsec.conf)" != "1" ] && dns_state=0
+ ;;
+esac
+
 ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)"
 ipsec_ver_short="$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan/Libreswan/' -e 's/ (netkey) on .*//')"
 if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then
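Review bot: The values captured on the added `DNS_SRV1=`, `DNS_SRV2=` and `DNS_SRVS=` lines come from unanchored greps and are never validated, yet the later `# Update ipsec.conf` hunk splices them unescaped into `sed` `s///` replacements and an `a` command. A commented-out `#modecfgdns1=...` line, or a trailing `# comment` after the value, is captured as-is (or bumps the `grep -c` count and silently resets `dns_state` to 0), and a value containing `/`, `&` or `\` would corrupt the rewritten config instead of failing. Anchor the patterns, e.g. `grep "^[[:space:]]*modecfgdns1=" /etc/ipsec.conf`, and reject anything that is not an address before the values are used, e.g. after `esac`: `case "${DNS_SRV1-}${DNS_SRV2-}" in *[!0-9A-Fa-f.:]*) dns_state=0 ;; esac`. The same anchoring applies to the two `grep -c` calls here and to the `sed` patterns in the later hunk.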
@@ -80,24 +99,6 @@ if printf '%s' "$ipsec_ver" | grep -qF "$SWAN_VER"; then
 esac
 fi
 
-is_upgrade_to_323_or_newer=0
-case "$SWAN_VER" in
- 3.2[356])
- if ! printf '%s' "$ipsec_ver" | grep -qF -e "3.23" -e "3.25" -e "3.26"; then
- is_upgrade_to_323_or_newer=1
- fi
- ;;
-esac
-
-is_downgrade_to_322_or_older=0
-case "$SWAN_VER" in
- 3.19|3.2[012])
- if printf '%s' "$ipsec_ver" | grep -qF -e "3.23" -e "3.25" -e "3.26"; then
- is_downgrade_to_322_or_older=1
- fi
- ;;
-esac
-
 clear
 cat </dev/null # Update ipsec.conf
 IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024"
 PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512"
+
 sed -i".old-$(date +%F-%T)" \
 -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \
 -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \
 -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/" \
 -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/" /etc/ipsec.conf
+if [ "$dns_state" = "1" ]; then
+ sed -i -e "s/modecfgdns1=.*/modecfgdns=\"$DNS_SRV1, $DNS_SRV2\"/" \
+ -e "/modecfgdns2/d" /etc/ipsec.conf
+elif [ "$dns_state" = "2" ]; then
+ sed -i "s/modecfgdns1=.*/modecfgdns=\"$DNS_SRV1\"/" /etc/ipsec.conf
+elif [ "$dns_state" = "3" ]; then
+ sed -i "/modecfgdns=/a \ modecfgdns2=$DNS_SRV2" /etc/ipsec.conf
+ sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf
+elif [ "$dns_state" = "4" ]; then
+ sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf
+fi
+
 # Restart IPsec service
 mkdir -p /run/pluto
 service ipsec restart
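Review bot: The `-e "/modecfgdns2/d"` expression in the `dns_state = 1` branch deletes every line that merely contains that string, including a commented-out `# modecfgdns2=...` line an operator kept for reference, and the `s/modecfgdns1=.*/` and `s/modecfgdns=.*/` patterns likewise match anywhere in a line; anchoring them, e.g. `-e "/^[[:space:]]*modecfgdns2=/d"`, confines the rewrite to the real option lines. The numeric `dns_state` codes are also opaque this far from where they are set; a comment above the `if`, such as `# dns_state: 1 = merge modecfgdns1/2 into modecfgdns, 2 = modecfgdns1 only, 3 = split modecfgdns into modecfgdns1/2, 4 = same server twice -> modecfgdns1 only`, would make the branches readable. The hunk header for this `# Update ipsec.conf` block is not visible in this excerpt, so the surrounding context is inferred.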
@@ -227,40 +253,6 @@ Libreswan $SWAN_VER has been successfully installed!
 EOF
 
-if [ "$is_upgrade_to_323_or_newer" = "1" ]; then
-cat <<'EOF'
-IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit
- /etc/ipsec.conf and replace these two lines:
-
- modecfgdns1=8.8.8.8
- modecfgdns2=8.8.4.4
-
- with a single line like this:
-
- modecfgdns="8.8.8.8, 8.8.4.4"
-
- Then run "sudo service ipsec restart".
-
-EOF
-fi
-
-if [ "$is_downgrade_to_322_or_older" = "1" ]; then
-cat <<'EOF'
-IMPORTANT: Users downgrading to Libreswan 3.22 or older must edit
- /etc/ipsec.conf and replace this line:
-
- modecfgdns="8.8.8.8, 8.8.4.4"
-
- with two lines like this:
-
- modecfgdns1=8.8.8.8
- modecfgdns2=8.8.4.4
-
- Then run "sudo service ipsec restart".
-
-EOF
-fi
-
 }
 
 ## Defer setup until we have the complete script