author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2010-04-09 09:22:56 +0000 |
---|---|---|
committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2010-04-09 09:22:56 +0000 |
commit | 360dba98ba678692e46482beae42a1c7bf1d4b33 (patch) | |
tree | fa1db227a0a803c1183e9c4a119b385e1ca7f737 /debian/strongswan-starter.postinst | |
parent | 02c055c1366d390f55b20801a40d9d94e72efd19 (diff) | |
Sync postinst, rules, and debconf handling with openswan.
Diffstat (limited to 'debian/strongswan-starter.postinst')
-rw-r--r-- | debian/strongswan-starter.postinst | 210 |
1 files changed, 107 insertions, 103 deletions
diff --git a/debian/strongswan-starter.postinst b/debian/strongswan-starter.postinst
index c63273dc2..98de3493c 100644
--- a/debian/strongswan-starter.postinst
+++ b/debian/strongswan-starter.postinst
@@ -32,39 +32,20 @@ set -e
 CONF_FILE=/var/lib/strongswan/ipsec.conf.inc
 SECRETS_FILE=/var/lib/strongswan/ipsec.secrets.inc
 
-insert_private_key_filename() {
- if [ ! -e $SECRETS_FILE ] || ! grep -q ": RSA $1" $SECRETS_FILE; then
- echo ": RSA $1" >> $SECRETS_FILE
- fi
+Warn ()
+{
+ echo "$*" >&2
 }
 
-IPSEC_SECRETS_PATTERN_1=': RSA {'
-IPSEC_SECRETS_PATTERN_2=' # yyy'
-IPSEC_SECRETS_PATTERN_3=' }'
-IPSEC_SECRETS_PATTERN_4='# do not change the indenting of that "}"'
+Error ()
+{
+ Warn "Error: $*"
+}
 
-# remove old, misguided attempts at a default ipsec.secrets files
-repair_legacy_secrets() {
- if [ -e $SECRETS_FILE ] && grep -A 2 "$IPSEC_SECRETS_PATTERN_1" $SECRETS_FILE |
- tail --lines=2 |
- grep -A 1 "$IPSEC_SECRETS_PATTERN_2" |
- tail --lines=1 |
- grep "$IPSEC_SECRETS_PATTERN_3" >/dev/null; then
- echo "Old default config file detected, removing the old defaults now."
- umask 077 ; (
- # this is ugly, and someone maybe can formulate this in sed, but
- # this was the quickest way for me
- line=`grep -n "$IPSEC_SECRETS_PATTERN_2" $SECRETS_FILE | cut -d':' -f1`
- until=`expr $line - 1`
- head -n $until $SECRETS_FILE
- sum=`wc -l $SECRETS_FILE | cut -d ' ' -f1`
- from=`expr $sum - $line -1`
- tail -n $from $SECRETS_FILE
- ) > $SECRETS_FILE.tmp
- mv $SECRETS_FILE.tmp $SECRETS_FILE
- grep -v "$IPSEC_SECRETS_PATTERN_4" $SECRETS_FILE > $SECRETS_FILE.tmp
- mv $SECRETS_FILE.tmp $SECRETS_FILE
- fi
+insert_private_key_filename() {
+ if ! ( [ -e $SECRETS_INC_FILE ] && egrep -q ": RSA $1" $SECRETS_INC_FILE ); then
+ echo ": RSA $1" >> $SECRETS_INC_FILE
+ fi
 }
 
 make_x509_cert() {
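Review bot: The new `insert_private_key_filename` reads and appends to `$SECRETS_INC_FILE`, but the only assignment visible in this hunk is `SECRETS_FILE=/var/lib/strongswan/ipsec.secrets.inc`; unless `SECRETS_INC_FILE` is set elsewhere in the file, `[ -e $SECRETS_INC_FILE ]` collapses to a one-argument test that is always true and the `>>` redirection is left with an empty target, so the private key filename never reaches the secrets include file. The removed version of the function used `$SECRETS_FILE`, which suggests a rename slip rather than an intentional new variable. I would use the variable this hunk defines, quote it, and match the path literally instead of as a regex (a `.` in the filename otherwise matches any character): `if ! ( [ -e "$SECRETS_FILE" ] && grep -qF -- ": RSA $1" "$SECRETS_FILE" ); then` and `echo ": RSA $1" >> "$SECRETS_FILE"`. `egrep` is also deprecated in favour of `grep -E`, and with `-F` it is not needed at all.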
@@ -142,87 +123,110 @@ disable_daemon_start() {
 
 case "$1" in
 configure)
- db_get strongswan/create_rsa_key
+ db_get strongswan/install_x509_certificate
 if [ "$RET" = "true" ]; then
- repair_legacy_secrets
- # OK, ipsec.secrets should now be correct
- # create a new keypair
- host=`hostname`
- newkeyfile="/etc/ipsec.d/private/${host}Key.pem"
- newcertfile="/etc/ipsec.d/certs/${host}Cert.pem"
- if [ -e $newcertfile -o -e $newkeyfile ]; then
- echo "Error: $newcertfile or $newkeyfile already exists."
- echo "Please remove them first an re-run dpkg-reconfigure to create a new keypair."
- else
- # create a new certificate
- db_get strongswan/rsa_key_length
- keylength=$RET
- db_get strongswan/x509_self_signed
- selfsigned=$RET
- db_get strongswan/x509_country_code
- countrycode=$RET
- if [ -z "$countrycode" ]; then countrycode="."; fi
- db_get strongswan/x509_state_name
- statename=$RET
- if [ -z "$statename" ]; then statename="."; fi
- db_get strongswan/x509_locality_name
- localityname=$RET
- if [ -z "$localityname" ]; then localityname="."; fi
- db_get strongswan/x509_organization_name
- orgname=$RET
- if [ -z "$orgname" ]; then orgname="."; fi
- db_get strongswan/x509_organizational_unit
- orgunit=$RET
- if [ -z "$orgunit" ]; then orgunit="."; fi
- db_get strongswan/x509_common_name
- commonname=$RET
- if [ -z "$commonname" ]; then commonname="."; fi
- db_get strongswan/x509_email_address
- email=$RET
- if [ -z "$email" ]; then email="."; fi
- make_x509_cert $keylength 1500 "$newkeyfile" "$newcertfile" "$selfsigned" "$countrycode" "$statename" "$localityname" "$orgname" "$orgunit" "$commonname" "$email"
- chmod 0600 "$newkeyfile"
- umask 077
- insert_private_key_filename "$newkeyfile"
- echo "Successfully created x509 certificate."
- fi
- else
- db_get strongswan/existing_x509_certificate
- if [ "$RET" = "true" ]; then
+ db_get strongswan/how_to_get_x509_certificate
+ if [ "$RET" = "create" ]; then
+ # extract the key from a (newly created) x509 certificate
+ host=`hostname`
+ newkeyfile="/etc/ipsec.d/private/${host}Key.pem"
+ newcertfile="/etc/ipsec.d/certs/${host}Cert.pem"
 if [ -e $newcertfile -o -e $newkeyfile ]; then
- echo "Error: $newcertfile or $newkeyfile already exists."
- echo "Please remove them first an re-run dpkg-reconfigure to create a new keypair."
+ Error "$newcertfile or $newkeyfile already exists."
+ Error "Please remove them first an then re-run dpkg-reconfigure to create a new keypair."
 else
- # existing certificate - use it
- db_get strongswan/existing_x509_certificate_filename
- certfile=$RET
- db_get strongswan/existing_x509_key_filename
- keyfile=$RET
- if [ ! -r $certfile ] || [ ! -r $keyfile ]; then
- echo "Either the certificate or the key file could not be read !"
- else
- cp "$certfile" /etc/ipsec.d/certs
- umask 077
- cp "$keyfile" "/etc/ipsec.d/private"
- newkeyfile="/etc/ipsec.d/private/`basename $keyfile`"
- chmod 0600 "$newkeyfile"
- insert_private_key_filename "$newkeyfile"
- echo "Successfully extracted RSA key from existing x509 certificate."
- fi
+ # create a new certificate
+ db_get strongswan/rsa_key_length
+ keylength=$RET
+ db_get strongswan/x509_self_signed
+ selfsigned=$RET
+ db_get strongswan/x509_country_code
+ countrycode=$RET
+ if [ -z "$countrycode" ]; then countrycode="."; fi
+ db_get strongswan/x509_state_name
+ statename=$RET
+ if [ -z "$statename" ]; then statename="."; fi
+ db_get strongswan/x509_locality_name
+ localityname=$RET
+ if [ -z "$localityname" ]; then localityname="."; fi
+ db_get strongswan/x509_organization_name
+ orgname=$RET
+ if [ -z "$orgname" ]; then orgname="."; fi
+ db_get strongswan/x509_organizational_unit
+ orgunit=$RET
+ if [ -z "$orgunit" ]; then orgunit="."; fi
+ db_get strongswan/x509_common_name
+ commonname=$RET
+ if [ -z "$commonname" ]; then commonname="."; fi
+ db_get strongswan/x509_email_address
+ email=$RET
+ if [ -z "$email" ]; then email="."; fi
+ make_x509_cert $keylength 1500 "$newkeyfile" "$newcertfile" "$selfsigned" "$countrycode" "$statename" "$localityname" "$orgname" "$orgunit" "$commonname" "$email"
+ chmod 0600 "$newkeyfile"
+ umask 077
+ insert_private_key_filename "$newkeyfile"
+ echo "Successfully created x509 certificate."
+ fi
+ elif [ "$RET" = "import" ]; then
+ # existing certificate - use it
+ db_get strongswan/existing_x509_certificate_filename
+ certfile=$RET
+ db_get strongswan/existing_x509_key_filename
+ keyfile=$RET
+ db_get strongswan/existing_x509_rootca_filename
+ cafile=$RET
+
+ if [ ! "$certfile" ] || [ ! "$keyfile" ]; then
+ Error "Either the certificate or the key filename is not specified."
+ elif ! ( ( [ -f "$certfile" ] || [ -L "$certfile" ] ) && ( [ -f "$keyfile" ] || [ -L "$keyfile" ] ) && ( [ "$cafile" = "" ] || ( [ -f "$cafile" ] || [ -L "$cafile" ] ) ) ); then
+ Error "Either the certificate or the key"${cafile:+ or the rootca}" file is not a regular file or symbolic link."
+ elif [ ! "`grep 'BEGIN CERTIFICATE' $certfile`" ] || [ ! "`grep 'BEGIN RSA PRIVATE KEY' $keyfile`" ] || ( [ "$cafile" != "" ] && [ ! "`grep 'BEGIN CERTIFICATE' $cafile`" ] ); then
+ Error "Either the certificate or the key"${cafile:+ or the rootca}" file is not a valid PEM type file."
+ elif [ "$cafile" ] && ( [ "$certfile" = "$cafile" ] || [ "$keyfile" = "$cafile" ]); then
+ Error "The certificate or the key file contains the rootca - unable to import automatically."
+ elif [ "`grep 'BEGIN CERTIFICATE' $certfile | wc -l`" -gt 1 ]; then
+ Error "The certificate file contains more than one certificate - unable to import automatically."
+ elif [ "`grep 'ENCRYPTED' $keyfile`" ]; then
+ Error "The key file contains an encrypted key - unable to import automatically."
+ else
+ newcertfile="/etc/ipsec.d/certs/$(basename "$certfile")"
+ newkeyfile="/etc/ipsec.d/private/$(basename "$keyfile")"
+ if [ "$cafile" ]; then
+ newcafile="/etc/ipsec.d/private/$(basename "$cafile")"
+ else
+ newcafile=""
+ fi
+
+ if [ -e "$newcertfile" ] || [ -e "$newkeyfile" ] || ( [ "$newcafile" != "" ] && [ -e "$newcafile" ] ); then
+ Error "$newcertfile or $newkeyfile"${newcafile:+ or $newcafile}" already exists."
+ Error "Please remove them first and then re-run dpkg-reconfigure to extract an existing keypair"${newcafile:+ and a rootca}"."
+ else
+ openssl x509 -in $certfile -out $newcertfile 2>/dev/null
+ umask 077
+ openssl rsa -passin pass:"" -in $keyfile -out $newkeyfile 2>/dev/null
+ chmod 0600 "$newkeyfile"
+ insert_private_key_filename "$newkeyfile"
+ cp "$cafile" /etc/ipsec.d/cacerts
+ echo "Successfully integrated existing x509 certificate."
+ fi
 fi
 fi
+ db_set strongswan/install_x509_certificate false
 fi
 
- # figure out the correct start time
- db_get strongswan/start_level
- if [ "$RET" = "earliest" ]; then
- LEVELS="start 41 S . stop 34 0 6 ."
- elif [ "$RET" = "after NFS" ]; then
- LEVELS="start 15 2 3 4 5 . stop 30 0 1 6 ."
- else
- LEVELS="start 21 2 3 4 5 . stop 19 0 1 6 ."
+ # lets see if we are already using dependency based booting or the correct runlevel parameters
+ if ! ( [ "`find /etc/init.d/ -name '.depend.*'`" ] || [ "$runlevels" = "0K841K842S163S164S165S166K84" ] ); then
+ db_fset strongswan/runlevel_changes seen false
+ db_input high strongswan/runlevel_changes || true
+ db_go
+
+ # if the admin did not change the runlevels which got installed by older packages we can modify them
+ if [ "$runlevels" = "0K346K34SS41" ] || [ "$runlevels" = "0K301K302S153S154S155S156K30" ] || [ "$runlevels" = "0K191K192S213S214S215S216K19" ]; then
+ update-rc.d -f ipsec remove
+ fi
+
+ update-rc.d ipsec defaults 16 84 > /dev/null
 fi
- update-rc.d ipsec $LEVELS > /dev/null
 
 db_get strongswan/enable-oe
 if [ "$RET" != "true" ]; then
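Review bot: In the new import branch `cp "$cafile" /etc/ipsec.d/cacerts` runs unconditionally, so when no root CA was supplied (`cafile` empty) the copy fails after the certificate and key are already written and the secrets entry appended; with the `set -e` this script runs under, that aborts the postinst before the success message and before `db_set strongswan/install_x509_certificate false`, so the next configure run retries the import and hits the "already exists" error. Guard it with `[ -z "$cafile" ] || cp "$cafile" /etc/ipsec.d/cacerts`. The pre-check for the CA also looks in the wrong place: `newcafile` is built under `/etc/ipsec.d/private/` while the file is copied into `/etc/ipsec.d/cacerts`, so it should be `newcafile="/etc/ipsec.d/cacerts/$(basename "$cafile")"` for the existence test to mean anything, and since the `cp` runs after `umask 077` the copied CA file lands with group/other bits stripped, which is probably not intended for a cacerts entry (do the copy before the `umask 077`, or leave the umask change to right before `openssl rsa`). Separately, the two `openssl` calls discard stderr and their status is not inspected, and `$certfile`/`$keyfile`/`$cafile` are unquoted in the `grep` and `openssl` invocations, so a debconf answer containing whitespace is word-split; quoting them and dropping `2>/dev/null` would make a failed import diagnosable from the install log. `$runlevels` is read in the runlevel block but not assigned anywhere in this hunk, so I assume it is computed earlier in the file.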