summaryrefslogtreecommitdiff
path: root/debian/strongswan.postinst
diff options
context:
space:
mode:
authorRene Mayrhofer <rene@mayrhofer.eu.org>2006-05-22 06:41:59 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2006-05-22 06:41:59 +0000
commitc6d4f7459c3436c6e629a6b1fcd7f73bcaeca790 (patch)
treeceeffc0a0897427a5c42733da1d9d46992f303f7 /debian/strongswan.postinst
parent4769e2f961d2930ffcc6cfa5b1561548e4ea552c (diff)
downloadvyos-strongswan-c6d4f7459c3436c6e629a6b1fcd7f73bcaeca790.tar.gz
vyos-strongswan-c6d4f7459c3436c6e629a6b1fcd7f73bcaeca790.zip
- s/openswan/strongswan/g
- s/Openswan/strongSwan/g But basically manually. Is certainly incomplete right now.
Diffstat (limited to 'debian/strongswan.postinst')
-rw-r--r--debian/strongswan.postinst258
1 files changed, 258 insertions, 0 deletions
diff --git a/debian/strongswan.postinst b/debian/strongswan.postinst
new file mode 100644
index 000000000..7d9b19b4b
--- /dev/null
+++ b/debian/strongswan.postinst
@@ -0,0 +1,258 @@
+#! /bin/bash
+# postinst script for openswan
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <postinst> `configure' <most-recently-configured-version>
+# * <old-postinst> `abort-upgrade' <new version>
+# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+# <new-version>
+# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+# <failed-install-package> <version> `removing'
+# <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+#
+# quoting from the policy:
+# Any necessary prompting should almost always be confined to the
+# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+# <failed-install-package> <version> `removing'
+# <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+#
+# quoting from the policy:
+# Any necessary prompting should almost always be confined to the
+# post-installation script, and should be protected with a conditional
+# so that unnecessary prompting doesn't happen if a package's
+# installation fails and the `postinst' is called with `abort-upgrade',
+# `abort-remove' or `abort-deconfigure'.
+
+insert_private_key() {
+ cat <<EOF >> /etc/ipsec.secrets
+: RSA {
+$1
+ }
+EOF
+}
+
+insert_private_key_filename() {
+ if ! grep -q ": RSA $1" /etc/ipsec.secrets; then
+ echo ": RSA $1" >> /etc/ipsec.secrets
+ fi
+}
+
+IPSEC_SECRETS_PATTERN_1=': RSA {'
+IPSEC_SECRETS_PATTERN_2=' # yyy'
+IPSEC_SECRETS_PATTERN_3=' }'
+IPSEC_SECRETS_PATTERN_4='# do not change the indenting of that "}"'
+
+# remove old, misguided attempts at a default ipsec.secrets files
+repair_legacy_secrets() {
+ if grep -A 2 "$IPSEC_SECRETS_PATTERN_1" /etc/ipsec.secrets |
+ tail --lines=2 |
+ grep -A 1 "$IPSEC_SECRETS_PATTERN_2" |
+ tail --lines=1 |
+ grep "$IPSEC_SECRETS_PATTERN_3" >/dev/null; then
+ echo "Old default config file detected, removing the old defaults now."
+ umask 077 ; (
+ # this is ugly, and someone maybe can formulate this in sed, but
+ # this was the quickest way for me
+ line=`grep -n "$IPSEC_SECRETS_PATTERN_2" /etc/ipsec.secrets | cut -d':' -f1`
+ until=`expr $line - 1`
+ head -n $until /etc/ipsec.secrets
+ sum=`wc -l /etc/ipsec.secrets | cut -d ' ' -f1`
+ from=`expr $sum - $line -1`
+ tail -n $from /etc/ipsec.secrets
+ ) > /etc/ipsec.secrets.tmp
+ mv /etc/ipsec.secrets.tmp /etc/ipsec.secrets
+ grep -v "$IPSEC_SECRETS_PATTERN_4" /etc/ipsec.secrets > /etc/ipsec.secrets.tmp
+ mv /etc/ipsec.secrets.tmp /etc/ipsec.secrets
+ fi
+}
+
+make_x509_cert() {
+ if [ $# -ne 12 ]; then
+ echo "Error in creating X.509 certificate"
+ exit 1
+ fi
+
+ case $5 in
+ false)
+ certreq=$4.req
+ selfsigned=""
+ ;;
+ true)
+ certreq=$4
+ selfsigned="-x509"
+ ;;
+ *)
+ echo "Error in creating X.509 certificate"
+ exit 1
+ ;;
+ esac
+
+ echo -e "$6\n$7\n$8\n$9\n${10}\n${11}\n${12}\n\n\n" | \
+ /usr/bin/openssl req -new -outform PEM -out $certreq \
+ -newkey rsa:$1 -nodes -keyout $3 -keyform PEM \
+ -days $2 $selfsigned >/dev/null
+}
+
+. /usr/share/debconf/confmodule
+
+case "$1" in
+ configure)
+ db_get openswan/create_rsa_key
+ if [ "$RET" = "true" ]; then
+ repair_legacy_secrets
+ # OK, ipsec.secrets should now be correct
+ db_get openswan/rsa_key_type
+ if [ "$RET" = "plain" ]; then
+ # a RSA keypair should be created - check if there is one already
+ if egrep -q ": RSA[:space:]*" /etc/ipsec.secrets; then
+ echo "Warning: there is already a RSA key in /etc/ipsec.secrets."
+ echo "Creating an additional one."
+ fi
+ # create a plain openswan keypair
+ db_get openswan/rsa_key_length
+ umask 077
+ keylength=$RET
+ privkey=`mktemp /tmp/ipsec-postinst.XXXXXX`
+ /usr/lib/ipsec/rsasigkey $keylength > $privkey
+ insert_private_key "`cat $privkey`"
+ rm $privkey
+ echo "Successfully created a plain openswan RSA keypair."
+ else
+ # extract the key from a (newly created) x509 certificate
+ host=`hostname`
+ newkeyfile="/etc/ipsec.d/private/${host}Key.pem"
+ newcertfile="/etc/ipsec.d/certs/${host}Cert.pem"
+ if [ -e $newcertfile -o -e $newkeyfile ]; then
+ echo "Error: $newcertfile or $newkeyfile already exists."
+ echo "Please remove them first an re-run dpkg-reconfigure to create a new keypair."
+ else
+ # create a new certificate
+ db_get openswan/rsa_key_length
+ keylength=$RET
+ db_get openswan/x509_self_signed
+ selfsigned=$RET
+ db_get openswan/x509_country_code
+ countrycode=$RET
+ if [ -z "$countrycode" ]; then countrycode="."; fi
+ db_get openswan/x509_state_name
+ statename=$RET
+ if [ -z "$statename" ]; then statename="."; fi
+ db_get openswan/x509_locality_name
+ localityname=$RET
+ if [ -z "$localityname" ]; then localityname="."; fi
+ db_get openswan/x509_organization_name
+ orgname=$RET
+ if [ -z "$orgname" ]; then orgname="."; fi
+ db_get openswan/x509_organizational_unit
+ orgunit=$RET
+ if [ -z "$orgunit" ]; then orgunit="."; fi
+ db_get openswan/x509_common_name
+ commonname=$RET
+ if [ -z "$commonname" ]; then commonname="."; fi
+ db_get openswan/x509_email_address
+ email=$RET
+ if [ -z "$email" ]; then email="."; fi
+ make_x509_cert $keylength 1500 "$newkeyfile" "$newcertfile" "$selfsigned" "$countrycode" "$statename" "$localityname" "$orgname" "$orgunit" "$commonname" "$email"
+ chmod 0600 "$newkeyfile"
+ umask 077
+ insert_private_key_filename "$newkeyfile"
+ echo "Successfully created x509 certificate."
+ fi
+ fi
+ else
+ db_get openswan/existing_x509_certificate
+ if [ "$RET" = "true" ]; then
+ if [ -e $newcertfile -o -e $newkeyfile ]; then
+ echo "Error: $newcertfile or $newkeyfile already exists."
+ echo "Please remove them first an re-run dpkg-reconfigure to create a new keypair."
+ else
+ # existing certificate - use it
+ db_get openswan/existing_x509_certificate_filename
+ certfile=$RET
+ db_get openswan/existing_x509_key_filename
+ keyfile=$RET
+ if [ ! -r $certfile ] || [ ! -r $keyfile ]; then
+ echo "Either the certificate or the key file could not be read !"
+ else
+ cp "$certfile" /etc/ipsec.d/certs
+ umask 077
+ cp "$keyfile" "/etc/ipsec.d/private"
+ newkeyfile="/etc/ipsec.d/private/`basename $keyfile`"
+ chmod 0600 "$newkeyfile"
+ insert_private_key_filename "$newkeyfile"
+ echo "Successfully extracted RSA key from existing x509 certificate."
+ fi
+ fi
+ fi
+ fi
+
+ # figure out the correct start time
+ db_get openswan/start_level
+ if [ "$RET" = "earliest" ]; then
+ LEVELS="start 41 S . stop 34 0 6 ."
+ elif [ "$RET" = "after NFS" ]; then
+ LEVELS="start 15 2 3 4 5 . stop 30 0 1 6 ."
+ else
+ LEVELS="start 21 2 3 4 5 . stop 19 0 1 6 ."
+ fi
+ update-rc.d ipsec $LEVELS > /dev/null
+
+ db_get openswan/enable-oe
+ if [ "$RET" != "true" ]; then
+ echo -n "Disabling opportunistic encryption (OE) in config file ... "
+ if egrep -q "^include /etc/ipsec.d/examples/no_oe.conf$" /etc/ipsec.conf; then
+ echo "already disabled"
+ else
+ cat <<EOF >> /etc/ipsec.conf
+#Disable Opportunistic Encryption
+include /etc/ipsec.d/examples/no_oe.conf
+EOF
+ echo "done"
+ fi
+ else
+ echo -n "Enabling opportunistic encryption (OE) in config file ... "
+ if egrep -q "^include /etc/ipsec.d/examples/no_oe.conf$" /etc/ipsec.conf; then
+ sed 's/include \/etc\/ipsec.d\/examples\/no_oe.conf/#include \/etc\/ipsec.d\/examples\/no_oe.conf/' < /etc/ipsec.conf > /etc/ipsec.conf.tmp
+ mv /etc/ipsec.conf.tmp /etc/ipsec.conf
+ echo "done"
+ else
+ echo "already enabled"
+ fi
+ fi
+
+ if [ -z "$2" ]; then
+ # no old configured version - start openswan now
+ invoke-rc.d ipsec start || true
+ else
+ # does the user wish openswan to restart?
+ db_get openswan/restart
+ if [ "$RET" = "true" ]; then
+ invoke-rc.d ipsec restart || true # sure, we'll restart it for you
+ fi
+ fi
+
+ db_stop
+
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+
+ ;;
+
+ *)
+ echo "postinst called with unknown argument '$1'" >&2
+ exit 0
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+
+#DEBHELPER#
+
+exit 0