- Modularize: move stuff to sub-packages.

1 files changed, 313 insertions, 0 deletions

diff --git a/debian/strongswan-starter.postinst b/debian/strongswan-starter.postinst
new file mode 100644
index 000000000..c63273dc2
--- /dev/null
+++ b/debian/strongswan-starter.postinst
@@ -0,0 +1,313 @@
+#! /bin/bash
+# postinst script for strongswan
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <postinst> `configure' <most-recently-configured-version>
+#        * <old-postinst> `abort-upgrade' <new version>
+#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+#          <new-version>
+#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+#          <failed-install-package> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+#
+# quoting from the policy:
+#     Any necessary prompting should almost always be confined to the
+#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+#          <failed-install-package> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+#
+# quoting from the policy:
+#     Any necessary prompting should almost always be confined to the
+#     post-installation script, and should be protected with a conditional
+#     so that unnecessary prompting doesn't happen if a package's
+#     installation fails and the `postinst' is called with `abort-upgrade',
+#     `abort-remove' or `abort-deconfigure'.
+
+CONF_FILE=/var/lib/strongswan/ipsec.conf.inc
+SECRETS_FILE=/var/lib/strongswan/ipsec.secrets.inc
+
+insert_private_key_filename() {
+	if [ ! -e $SECRETS_FILE ] || ! grep -q ": RSA $1" $SECRETS_FILE; then
+            echo ": RSA $1" >> $SECRETS_FILE
+        fi
+}
+
+IPSEC_SECRETS_PATTERN_1=': RSA	{'
+IPSEC_SECRETS_PATTERN_2='	# yyy'
+IPSEC_SECRETS_PATTERN_3='	}'
+IPSEC_SECRETS_PATTERN_4='# do not change the indenting of that "}"'
+
+# remove old, misguided attempts at a default ipsec.secrets files
+repair_legacy_secrets() {
+    if [ -e $SECRETS_FILE ] && grep -A 2 "$IPSEC_SECRETS_PATTERN_1" $SECRETS_FILE |
+       tail --lines=2 |
+       grep -A 1 "$IPSEC_SECRETS_PATTERN_2" |
+       tail --lines=1 |
+       grep "$IPSEC_SECRETS_PATTERN_3" >/dev/null; then
+        echo "Old default config file detected, removing the old defaults now."
+        umask 077 ; (
+            # this is ugly, and someone maybe can formulate this in sed, but
+            # this was the quickest way for me
+            line=`grep -n "$IPSEC_SECRETS_PATTERN_2" $SECRETS_FILE | cut -d':' -f1`
+            until=`expr $line - 1`
+            head -n $until $SECRETS_FILE
+            sum=`wc -l $SECRETS_FILE | cut -d ' ' -f1`
+            from=`expr $sum - $line -1`
+            tail -n $from $SECRETS_FILE
+        ) > $SECRETS_FILE.tmp
+        mv $SECRETS_FILE.tmp $SECRETS_FILE
+        grep -v "$IPSEC_SECRETS_PATTERN_4" $SECRETS_FILE > $SECRETS_FILE.tmp
+        mv $SECRETS_FILE.tmp $SECRETS_FILE
+    fi
+}
+
+make_x509_cert() {
+    if [ $# -ne 12 ]; then
+        echo "Error in creating X.509 certificate"
+        exit 1
+    fi
+
+    case $5 in
+        false)
+            certreq=$4.req
+            selfsigned=""
+        ;;
+        true)
+            certreq=$4
+            selfsigned="-x509"
+        ;;
+        *)
+            echo "Error in creating X.509 certificate"
+            exit 1
+        ;;
+    esac
+
+    echo -e "$6\n$7\n$8\n$9\n${10}\n${11}\n${12}\n\n\n" | \
+      /usr/bin/openssl req -new -outform PEM -out $certreq \
+                       -newkey rsa:$1 -nodes -keyout $3 -keyform PEM \
+                       -days $2 $selfsigned >/dev/null
+}
+
+enable_daemon_start() {
+    daemon=$1
+    protocol=$2
+
+    echo -n "Enabling ${protocol} support by pluto ... "
+    if [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=yes\w*$" $CONF_FILE; then
+        echo "already enabled"
+    elif [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=no\w*$" $CONF_FILE; then
+      	sed "s/${daemon}start=no/${daemon}start=yes/" < $CONF_FILE > $CONF_FILE.tmp
+        cp $CONF_FILE.tmp $CONF_FILE
+	rm $CONF_FILE.tmp
+        echo "done"
+    elif [ -e $CONF_FILE ] && egrep -q "^\w+#\w*${daemon}start=(yes|no)\w*$" $CONF_FILE; then
+      	sed "s/^\w+#\w*${daemon}start=(yes|no)\w*$/\t${daemon}start=yes/" < $CONF_FILE > $CONF_FILE.tmp
+        cp $CONF_FILE.tmp $CONF_FILE
+	rm $CONF_FILE.tmp
+        echo "done"
+    elif [ ! -e $CONF_FILE ]; then
+	echo -e "\t${daemon}start=yes" > $CONF_FILE
+    else
+        echo "ERROR: unknown or nonexistant ${daemon}start= directive, please fix manually!"
+    fi
+}
+
+disable_daemon_start() {
+    daemon=$1
+    protocol=$2
+
+    echo -n "Disabling ${protocol} support by pluto ... "
+    if [ -e $CONF_FILE ] && ( egrep -q "^\w+${daemon}start=no\w*$" $CONF_FILE ||
+       egrep -q "^\w+#\w*${daemon}start=(yes|no)\w*$" $CONF_FILE ); then
+        echo "already disabled"
+    elif [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=yes\w*$" $CONF_FILE; then
+      	sed "s/${daemon}start=yes/${daemon}start=no/" < $CONF_FILE > $CONF_FILE.tmp
+        cp $CONF_FILE.tmp $CONF_FILE
+	rm $CONF_FILE.tmp
+        echo "done"
+    elif [ ! -e $CONF_FILE ]; then
+	echo -e "\t${daemon}start=yes" > $CONF_FILE
+    else
+        echo "ERROR: unknown or nonexistant ${daemon}start= directive, please fix manually!"
+    fi
+}
+
+. /usr/share/debconf/confmodule
+
+case "$1" in
+    configure)
+	db_get strongswan/create_rsa_key
+	if [ "$RET" = "true" ]; then
+            repair_legacy_secrets
+ 	    # OK, ipsec.secrets should now be correct
+            # create a new keypair
+	    host=`hostname`
+	    newkeyfile="/etc/ipsec.d/private/${host}Key.pem"
+       	    newcertfile="/etc/ipsec.d/certs/${host}Cert.pem"
+            if [ -e $newcertfile -o -e $newkeyfile ]; then
+                echo "Error: $newcertfile or $newkeyfile already exists."
+                echo "Please remove them first an re-run dpkg-reconfigure to create a new keypair."
+            else
+     		# create a new certificate
+       		db_get strongswan/rsa_key_length
+       		keylength=$RET
+       		db_get strongswan/x509_self_signed
+       		selfsigned=$RET
+       		db_get strongswan/x509_country_code
+       		countrycode=$RET
+       		if [ -z "$countrycode" ]; then countrycode="."; fi
+       		db_get strongswan/x509_state_name
+       		statename=$RET
+       		if [ -z "$statename" ]; then statename="."; fi
+       		db_get strongswan/x509_locality_name
+       		localityname=$RET
+       		if [ -z "$localityname" ]; then localityname="."; fi
+       		db_get strongswan/x509_organization_name
+       		orgname=$RET
+       		if [ -z "$orgname" ]; then orgname="."; fi
+       		db_get strongswan/x509_organizational_unit
+       		orgunit=$RET
+       		if [ -z "$orgunit" ]; then orgunit="."; fi
+       		db_get strongswan/x509_common_name
+       		commonname=$RET
+       		if [ -z "$commonname" ]; then commonname="."; fi
+       		db_get strongswan/x509_email_address
+       		email=$RET
+       		if [ -z "$email" ]; then email="."; fi
+       		make_x509_cert $keylength 1500 "$newkeyfile" "$newcertfile" "$selfsigned" "$countrycode" "$statename" "$localityname" "$orgname" "$orgunit" "$commonname" "$email"
+       		chmod 0600 "$newkeyfile"
+       		umask 077
+       		insert_private_key_filename "$newkeyfile"
+       		echo "Successfully created x509 certificate."
+       	    fi
+        else
+	    db_get strongswan/existing_x509_certificate
+       	    if [ "$RET" = "true" ]; then
+                if [ -e $newcertfile -o -e $newkeyfile ]; then
+                     echo "Error: $newcertfile or $newkeyfile already exists."
+                     echo "Please remove them first an re-run dpkg-reconfigure to create a new keypair."
+                else
+       			# existing certificate - use it
+       			db_get strongswan/existing_x509_certificate_filename
+       			certfile=$RET
+       			db_get strongswan/existing_x509_key_filename
+       			keyfile=$RET
+       			if [ ! -r $certfile ] || [ ! -r $keyfile ]; then
+       			    echo "Either the certificate or the key file could not be read !"
+       			else
+                            cp "$certfile" /etc/ipsec.d/certs
+       			    umask 077
+			    cp "$keyfile" "/etc/ipsec.d/private"
+                            newkeyfile="/etc/ipsec.d/private/`basename $keyfile`"
+			    chmod 0600 "$newkeyfile"
+			    insert_private_key_filename "$newkeyfile"
+			    echo "Successfully extracted RSA key from existing x509 certificate."
+			fi
+		fi
+            fi
+	fi
+
+        # figure out the correct start time
+        db_get strongswan/start_level
+	if [ "$RET" = "earliest" ]; then
+	    LEVELS="start 41 S . stop 34 0 6 ."
+	elif [ "$RET" = "after NFS" ]; then
+	    LEVELS="start 15 2 3 4 5 . stop 30 0 1 6 ."
+	else
+	    LEVELS="start 21 2 3 4 5 . stop 19 0 1 6 ."
+	fi
+	update-rc.d ipsec $LEVELS > /dev/null
+
+        db_get strongswan/enable-oe
+        if [ "$RET" != "true" ]; then
+            echo -n "Disabling opportunistic encryption (OE) in config file ... "
+            if [ -e $CONF_FILE ] && egrep -q "include /etc/ipsec.d/examples/no_oe.conf$" $CONF_FILE; then
+                # also update to new-style config
+                sed 's/.*include \/etc\/ipsec.d\/examples\/no_oe.conf/#include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp
+                mv $CONF_FILE.tmp $CONF_FILE
+                echo -n "converted old config line to new format"
+            fi
+            if [ -e $CONF_FILE ] && egrep -q "^include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then
+            	sed 's/include \/etc\/ipsec.d\/examples\/oe.conf/#include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp
+                mv $CONF_FILE.tmp $CONF_FILE
+                echo "done"
+            elif [ ! -e $CONF_FILE ]; then
+                echo "#include /etc/ipsec.d/examples/oe.conf" > $CONF_FILE
+            else
+                echo "already disabled"
+            fi
+	else
+            echo -n "Enabling opportunistic encryption (OE) in config file ... "
+            if [ -e $CONF_FILE ] && egrep -q "include /etc/ipsec.d/examples/no_oe.conf$" $CONF_FILE; then
+                # also update to new-style config
+            	sed 's/.*include \/etc\/ipsec.d\/examples\/no_oe.conf/include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp
+                mv $CONF_FILE.tmp $CONF_FILE
+                echo -n "converted old config line to new format"
+            fi
+            if [ -e $CONF_FILE ] && egrep -q "^include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then
+                echo "already enabled"
+            elif [ -e $CONF_FILE ] && egrep -q "^#.*include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then
+            	sed 's/#.*include \/etc\/ipsec.d\/examples\/oe.conf/include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp
+                mv $CONF_FILE.tmp $CONF_FILE
+                echo "done"
+            elif [ ! -e $CONF_FILE ]; then
+                echo "include /etc/ipsec.d/examples/oe.conf" > $CONF_FILE
+            else
+                cat <<EOF >> $CONF_FILE
+#Enable Opportunistic Encryption
+include /etc/ipsec.d/examples/oe.conf
+EOF
+              echo "done"
+            fi
+        fi
+
+	# disabled for now, until we can solve the don't-edit-conffiles issue
+        #db_get strongswan/ikev1
+        #if [ "$RET" != "true" ]; then
+        #    enable_daemon_start "pluto" "IKEv1"
+	#else
+        #    disable_daemon_start "pluto" "IKEv1"
+        #fi
+        #db_get strongswan/ikev2
+        #if [ "$RET" != "true" ]; then
+        #    enable_daemon_start "charon" "IKEv2"
+	#else
+        #    disable_daemon_start "charon" "IKEv2"
+        #fi
+
+	if [ -z "$2" ]; then
+	    # no old configured version - start strongswan now
+            invoke-rc.d ipsec start || true
+        else
+  	    # does the user wish strongswan to restart?
+	    db_get strongswan/restart
+	    if [ "$RET" = "true" ]; then
+	         invoke-rc.d ipsec restart || true # sure, we'll restart it for you
+	    fi
+	fi
+
+        db_stop
+
+    ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+
+    ;;
+
+    *)
+        echo "postinst called with unknown argument '$1'" >&2
+        exit 0
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+
+#DEBHELPER#
+
+exit 0