author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2009-03-26 16:03:13 +0000 |
---|---|---|
committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2009-03-26 16:03:13 +0000 |
commit | 49bf9e74e53dbed0079595f8a6fb9f1aa8247de3 (patch) | |
tree | bc8fe341de61027426e2814559b0a7b57d130fe1 /debian/strongswan.postinst | |
parent | 9e964aaea512fd10456eff0ac4152d47e87748eb (diff) | |
- Modularize: move stuff to sub-packages.
Diffstat (limited to 'debian/strongswan.postinst')
-rw-r--r-- | debian/strongswan.postinst | 313 |
1 files changed, 0 insertions, 313 deletions
diff --git a/debian/strongswan.postinst b/debian/strongswan.postinst
deleted file mode 100644
index c63273dc2..000000000
--- a/debian/strongswan.postinst
+++ /dev/null
@@ -1,313 +0,0 @@ -#! /bin/bash -# postinst script for strongswan -# -# see: dh_installdeb(1) - -set -e - -# summary of how this script can be called: -# * <postinst> `configure' <most-recently-configured-version> -# * <old-postinst> `abort-upgrade' <new version> -# * <conflictor's-postinst> `abort-remove' `in-favour' <package> -# <new-version> -# * <deconfigured's-postinst> `abort-deconfigure' `in-favour' -# <failed-install-package> <version> `removing' -# <conflicting-package> <version> -# for details, see /usr/share/doc/packaging-manual/ -# -# quoting from the policy: -# Any necessary prompting should almost always be confined to the -# * <deconfigured's-postinst> `abort-deconfigure' `in-favour' -# <failed-install-package> <version> `removing' -# <conflicting-package> <version> -# for details, see /usr/share/doc/packaging-manual/ -# -# quoting from the policy: -# Any necessary prompting should almost always be confined to the -# post-installation script, and should be protected with a conditional -# so that unnecessary prompting doesn't happen if a package's -# installation fails and the `postinst' is called with `abort-upgrade', -# `abort-remove' or `abort-deconfigure'. - -CONF_FILE=/var/lib/strongswan/ipsec.conf.inc -SECRETS_FILE=/var/lib/strongswan/ipsec.secrets.inc - -insert_private_key_filename() { - if [ ! -e $SECRETS_FILE ] || ! grep -q ": RSA $1" $SECRETS_FILE; then - echo ": RSA $1" >> $SECRETS_FILE - fi -} - -IPSEC_SECRETS_PATTERN_1=': RSA {' -IPSEC_SECRETS_PATTERN_2=' # yyy' -IPSEC_SECRETS_PATTERN_3=' }' -IPSEC_SECRETS_PATTERN_4='# do not change the indenting of that "}"' - -# remove old, misguided attempts at a default ipsec.secrets files -repair_legacy_secrets() { - if [ -e $SECRETS_FILE ] && grep -A 2 "$IPSEC_SECRETS_PATTERN_1" $SECRETS_FILE | - tail --lines=2 | - grep -A 1 "$IPSEC_SECRETS_PATTERN_2" | - tail --lines=1 | - grep "$IPSEC_SECRETS_PATTERN_3" >/dev/null; then - echo "Old default config file detected, removing the old defaults now." 
- umask 077 ; ( - # this is ugly, and someone maybe can formulate this in sed, but - # this was the quickest way for me - line=`grep -n "$IPSEC_SECRETS_PATTERN_2" $SECRETS_FILE | cut -d':' -f1` - until=`expr $line - 1` - head -n $until $SECRETS_FILE - sum=`wc -l $SECRETS_FILE | cut -d ' ' -f1` - from=`expr $sum - $line -1` - tail -n $from $SECRETS_FILE - ) > $SECRETS_FILE.tmp - mv $SECRETS_FILE.tmp $SECRETS_FILE - grep -v "$IPSEC_SECRETS_PATTERN_4" $SECRETS_FILE > $SECRETS_FILE.tmp - mv $SECRETS_FILE.tmp $SECRETS_FILE - fi -} - -make_x509_cert() { - if [ $# -ne 12 ]; then - echo "Error in creating X.509 certificate" - exit 1 - fi - - case $5 in - false) - certreq=$4.req - selfsigned="" - ;; - true) - certreq=$4 - selfsigned="-x509" - ;; - *) - echo "Error in creating X.509 certificate" - exit 1 - ;; - esac - - echo -e "$6\n$7\n$8\n$9\n${10}\n${11}\n${12}\n\n\n" | \ - /usr/bin/openssl req -new -outform PEM -out $certreq \ - -newkey rsa:$1 -nodes -keyout $3 -keyform PEM \ - -days $2 $selfsigned >/dev/null -} - -enable_daemon_start() { - daemon=$1 - protocol=$2 - - echo -n "Enabling ${protocol} support by pluto ... " - if [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=yes\w*$" $CONF_FILE; then - echo "already enabled" - elif [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=no\w*$" $CONF_FILE; then - sed "s/${daemon}start=no/${daemon}start=yes/" < $CONF_FILE > $CONF_FILE.tmp - cp $CONF_FILE.tmp $CONF_FILE - rm $CONF_FILE.tmp - echo "done" - elif [ -e $CONF_FILE ] && egrep -q "^\w+#\w*${daemon}start=(yes|no)\w*$" $CONF_FILE; then - sed "s/^\w+#\w*${daemon}start=(yes|no)\w*$/\t${daemon}start=yes/" < $CONF_FILE > $CONF_FILE.tmp - cp $CONF_FILE.tmp $CONF_FILE - rm $CONF_FILE.tmp - echo "done" - elif [ ! -e $CONF_FILE ]; then - echo -e "\t${daemon}start=yes" > $CONF_FILE - else - echo "ERROR: unknown or nonexistant ${daemon}start= directive, please fix manually!" 
- fi -} - -disable_daemon_start() { - daemon=$1 - protocol=$2 - - echo -n "Disabling ${protocol} support by pluto ... " - if [ -e $CONF_FILE ] && ( egrep -q "^\w+${daemon}start=no\w*$" $CONF_FILE || - egrep -q "^\w+#\w*${daemon}start=(yes|no)\w*$" $CONF_FILE ); then - echo "already disabled" - elif [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=yes\w*$" $CONF_FILE; then - sed "s/${daemon}start=yes/${daemon}start=no/" < $CONF_FILE > $CONF_FILE.tmp - cp $CONF_FILE.tmp $CONF_FILE - rm $CONF_FILE.tmp - echo "done" - elif [ ! -e $CONF_FILE ]; then - echo -e "\t${daemon}start=yes" > $CONF_FILE - else - echo "ERROR: unknown or nonexistant ${daemon}start= directive, please fix manually!" - fi -} - -. /usr/share/debconf/confmodule - -case "$1" in - configure) - db_get strongswan/create_rsa_key - if [ "$RET" = "true" ]; then - repair_legacy_secrets - # OK, ipsec.secrets should now be correct - # create a new keypair - host=`hostname` - newkeyfile="/etc/ipsec.d/private/${host}Key.pem" - newcertfile="/etc/ipsec.d/certs/${host}Cert.pem" - if [ -e $newcertfile -o -e $newkeyfile ]; then - echo "Error: $newcertfile or $newkeyfile already exists." - echo "Please remove them first an re-run dpkg-reconfigure to create a new keypair." 
- else - # create a new certificate - db_get strongswan/rsa_key_length - keylength=$RET - db_get strongswan/x509_self_signed - selfsigned=$RET - db_get strongswan/x509_country_code - countrycode=$RET - if [ -z "$countrycode" ]; then countrycode="."; fi - db_get strongswan/x509_state_name - statename=$RET - if [ -z "$statename" ]; then statename="."; fi - db_get strongswan/x509_locality_name - localityname=$RET - if [ -z "$localityname" ]; then localityname="."; fi - db_get strongswan/x509_organization_name - orgname=$RET - if [ -z "$orgname" ]; then orgname="."; fi - db_get strongswan/x509_organizational_unit - orgunit=$RET - if [ -z "$orgunit" ]; then orgunit="."; fi - db_get strongswan/x509_common_name - commonname=$RET - if [ -z "$commonname" ]; then commonname="."; fi - db_get strongswan/x509_email_address - email=$RET - if [ -z "$email" ]; then email="."; fi - make_x509_cert $keylength 1500 "$newkeyfile" "$newcertfile" "$selfsigned" "$countrycode" "$statename" "$localityname" "$orgname" "$orgunit" "$commonname" "$email" - chmod 0600 "$newkeyfile" - umask 077 - insert_private_key_filename "$newkeyfile" - echo "Successfully created x509 certificate." - fi - else - db_get strongswan/existing_x509_certificate - if [ "$RET" = "true" ]; then - if [ -e $newcertfile -o -e $newkeyfile ]; then - echo "Error: $newcertfile or $newkeyfile already exists." - echo "Please remove them first an re-run dpkg-reconfigure to create a new keypair." - else - # existing certificate - use it - db_get strongswan/existing_x509_certificate_filename - certfile=$RET - db_get strongswan/existing_x509_key_filename - keyfile=$RET - if [ ! -r $certfile ] || [ ! -r $keyfile ]; then - echo "Either the certificate or the key file could not be read !" 
- else - cp "$certfile" /etc/ipsec.d/certs - umask 077 - cp "$keyfile" "/etc/ipsec.d/private" - newkeyfile="/etc/ipsec.d/private/`basename $keyfile`" - chmod 0600 "$newkeyfile" - insert_private_key_filename "$newkeyfile" - echo "Successfully extracted RSA key from existing x509 certificate." - fi - fi - fi - fi - - # figure out the correct start time - db_get strongswan/start_level - if [ "$RET" = "earliest" ]; then - LEVELS="start 41 S . stop 34 0 6 ." - elif [ "$RET" = "after NFS" ]; then - LEVELS="start 15 2 3 4 5 . stop 30 0 1 6 ." - else - LEVELS="start 21 2 3 4 5 . stop 19 0 1 6 ." - fi - update-rc.d ipsec $LEVELS > /dev/null - - db_get strongswan/enable-oe - if [ "$RET" != "true" ]; then - echo -n "Disabling opportunistic encryption (OE) in config file ... " - if [ -e $CONF_FILE ] && egrep -q "include /etc/ipsec.d/examples/no_oe.conf$" $CONF_FILE; then - # also update to new-style config - sed 's/.*include \/etc\/ipsec.d\/examples\/no_oe.conf/#include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp - mv $CONF_FILE.tmp $CONF_FILE - echo -n "converted old config line to new format" - fi - if [ -e $CONF_FILE ] && egrep -q "^include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then - sed 's/include \/etc\/ipsec.d\/examples\/oe.conf/#include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp - mv $CONF_FILE.tmp $CONF_FILE - echo "done" - elif [ ! -e $CONF_FILE ]; then - echo "#include /etc/ipsec.d/examples/oe.conf" > $CONF_FILE - else - echo "already disabled" - fi - else - echo -n "Enabling opportunistic encryption (OE) in config file ... 
" - if [ -e $CONF_FILE ] && egrep -q "include /etc/ipsec.d/examples/no_oe.conf$" $CONF_FILE; then - # also update to new-style config - sed 's/.*include \/etc\/ipsec.d\/examples\/no_oe.conf/include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp - mv $CONF_FILE.tmp $CONF_FILE - echo -n "converted old config line to new format" - fi - if [ -e $CONF_FILE ] && egrep -q "^include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then - echo "already enabled" - elif [ -e $CONF_FILE ] && egrep -q "^#.*include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then - sed 's/#.*include \/etc\/ipsec.d\/examples\/oe.conf/include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp - mv $CONF_FILE.tmp $CONF_FILE - echo "done" - elif [ ! -e $CONF_FILE ]; then - echo "include /etc/ipsec.d/examples/oe.conf" > $CONF_FILE - else - cat <<EOF >> $CONF_FILE -#Enable Opportunistic Encryption -include /etc/ipsec.d/examples/oe.conf -EOF - echo "done" - fi - fi - - # disabled for now, until we can solve the don't-edit-conffiles issue - #db_get strongswan/ikev1 - #if [ "$RET" != "true" ]; then - # enable_daemon_start "pluto" "IKEv1" - #else - # disable_daemon_start "pluto" "IKEv1" - #fi - #db_get strongswan/ikev2 - #if [ "$RET" != "true" ]; then - # enable_daemon_start "charon" "IKEv2" - #else - # disable_daemon_start "charon" "IKEv2" - #fi - - if [ -z "$2" ]; then - # no old configured version - start strongswan now - invoke-rc.d ipsec start || true - else - # does the user wish strongswan to restart? - db_get strongswan/restart - if [ "$RET" = "true" ]; then - invoke-rc.d ipsec restart || true # sure, we'll restart it for you - fi - fi - - db_stop - - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - - ;; - - *) - echo "postinst called with unknown argument '$1'" >&2 - exit 0 - ;; -esac - -# dh_installdeb will replace this with shell code automatically - -#DEBHELPER# - -exit 0 |