#! /bin/sh
# mail OE DNS RR info to relevent administrator
#
# Copyright (C) 2003 Sam Sgro <sam@freeswan.org>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#
# RCSID $Id: mailkey.in,v 1.3 2003/06/30 05:34:22 sam Exp $

me="ipsec mailkey"

PATH=/sbin:/usr/bin:/usr/local/sbin:/usr/sbin:$PATH export PATH

reverse=0
forward=0
mymail=""
usage="Usage:
        $me --me my@address.tld --forward hostname.domain.tld
        $me --me my@address.tld --reverse 1.2.3.4"

for dummy
do
        case "$1" in
        --help)         echo "$usage" ; exit 0  ;;
        --forward)      forward=1 ; reverse=0 ; hostname="$2" ; shift	;;
        --reverse)      reverse=1 ; forward=0 ; reverseip="$2" ; shift	;;
        --me)           mymail="$2" ; shift	;;
        --)             shift ; break           ;;
        -*)             echo "$0: unknown option \`$1'" >&2 ; exit 2    ;;
        *)              break                   ;;
        esac
        shift
done

# only do one of iOE || (pOE/rOE/fOE/insert acronym here) at a time
# but you have to choose one. Plus, if ya ain't specified your mail address...
if [ "$forward" -eq "$reverse" ] || [ ! "$mymail" ]
then
{ 
echo "$usage"; exit 0;
}
fi 

# Test to see if there is a key to process in the first place.
test1st=`ipsec showhostkey --txt 1.2.3.4 2>&1`
test2nd=`echo $test1st | grep TXT`
if [ ! "$test2nd" ]
then
{
echo "Our attempt to retrieve your RSA key using 'ipsec showhostkey' failed
with the following error:

"$test1st"

Common concerns: This account must be able to read /etc/ipsec/ipsec.secrets. 
If you haven't generated your key yet, please run 'ipsec newhostkey'." 
exit 0
}
fi


# This is where we will save the script.
save_mail_file=~/"OE_mail_""$reverseip$hostname"

# RSA/SOA processing functions.
# takes two arguments - the IP address/hostname to be used, and an attempt to guess the
# beginning of the DNS record for the administrator
txtprocess(){
ipsec showhostkey --txt $1 | sed "s/^.*	IN	TXT/$2.	IN	TXT/" | grep TXT
}

# Find the hostmaster part of the SOA.
# This only works with the "net" portion of in-addr.arpa. commands - 20.168.192.in-addr.arpa. -
# or the domain portion of FQDNs. The data is prepped using host_data in the individual sections
# for $forward and $reverse.
# Note: I've experienced it returning SOAs for non-routeable IP addresses! This needs to be
# addressed.
hostprocess(){
host -t soa $1 | grep SOA | while read a b c d e
do 
echo $d | sed -e "s/\(^[a-zA-Z0-9-]*\)\.\([a-zA-Z0-9-\.]*\).$/\1@\2/"
done
}

# generate the pieces that go into the template, which are dependent on the type of OE.
if [ "$reverse" -eq 1 ]; then
{
# convert the reverse ip to something appropriate for a DNS record.
arpaip=`echo $reverseip | sed -e "s/\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)/\4.\3.\2.\1.in-addr.arpa/"`
# prepare data for hostprocess()
host_data=`echo $arpaip | sed -e "s/^[0-9]*\.\(.*\)/\1/"`

firstsub="  I'm contacting you in your role as the administrator of the domain
\"$arpaip\" as listed in its SOA record.

  My network security software, which employs IPSec, requires the
below keying information to be published as a RR in the DNS domain 
which you are responsible for.

"

txt=`txtprocess $reverseip $arpaip`
secondsub="  To this end, I need you to publish the following TXT record:

--DNS_RESOURCE_RECORDS--

"$txt"

--DNS_RESOURCE_RECORDS--"

thirdsub="to enable full Opportunistic Encryption using the IP address: 

"$reverseip

fourthsub="and TXT records are"

proposed_email=`hostprocess $host_data`
}
elif [ "$forward" -eq 1 ]; then
{
# prepare data for hostprocess()
# leave only the domain name
domain_data=`echo $hostname | sed -e "s/.*\.\([a-zA-Z0-9-]*\.[a-zA-Z0-9-]*$\)/\1/"`
# leave only the host name
host_data=`echo $hostname | sed -e "s/\(.*\)\.[a-zA-Z0-9-]*\.[a-zA-Z0-9-]*$/\1/"`

firstsub="  I'm contacting you in your role as the administrator of the domain
\"$hostname\" as listed in its SOA record.

  My network security software, which employs IPSec, requires the
below keying information to be published as a RR in the DNS domain
which you are responsible for.

"

txt=`txtprocess @$hostname $host_data`
secondsub="  To this end, please publish the following TXT record for the hostname 
$hostname:


--DNS_RESOURCE_RECORDS--

$txt

--DNS_RESOURCE_RECORDS--"
thirdsub="to allow me to use the hostname: 

"$hostname" 

for initiator-only Opportunistic Encryption."
fourthsub="record is"

proposed_email=`hostprocess $domain_data`
}
fi

# Create the template used for the body of the e-mail.

mailbody=$firstsub$secondsub"


  Please be careful to preserve the spaces and/or quotation marks as written. 
These are important for the RSA key to survive DNS processing.

  Thanks for your help in securing the 'net!

	$mymail
	(Generated by '$me' for $mymail)



Opportunistic Encryption (OE) is the result of ongoing effort by the FreeS/WAN
project (www.freeswan.org). It allows for the creation of dynamic IPSec 
connections between hosts without pre-arrangement, authenticated via RSA keys 
stored in DNS records.

Technical information on OE can be found in this RFC draft:

http://www.freeswan.org/freeswan_snaps/CURRENT-SNAP/doc/draft-richardson-ipsec-opportunistic.txt

If you have any questions about these TXT records, or about OE in general, 
please direct them to the FreeS/WAN support lists: 

users@lists.freeswan.org
"

# If we managed to find a hostmaster, make the appropriate modifications to the mail's body and 
# our instructions to the user.
if [ "$proposed_email" ]; then
{

# This is now converting the mail test into an executable script. 
# Most users will have reached this stage; they can edit the contact_email
# if they know better than us.
# -s - Subject line. By extending it, we can "hack" the mail program to
# include a customized Reply-To header.

mailbody="#!/bin/sh
#
# Edit this variable to send this message to an alternate destination
contact_email=$proposed_email

mail \$contact_email -s 'DNS records for Opportunistic Encryption ($hostname$reverseip) 
Reply-To: $mymail' <<EOF

"$mailbody"

EOF
"

screenoutput="Executable mail file saved to:  "$save_mail_file
}
else
{
# Slightly different instructions if we have nothing to tell the user.

screenoutput="$me: error: Unable to locate SOA record for this domain. Not generating executable file.
Sample mail file saved to:  "$save_mail_file
}
fi

# Create the output that has been prepared.
echo "$mailbody" > $save_mail_file

# Only make it executable if we've guessed a destination e-mail address.
if [ "$proposed_email" ]; then
{
chmod u+x $save_mail_file
}
fi

# Tell the user what'sgoing on.
echo "$screenoutput"
