#! /bin/bash # postinst script for strongswan # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `configure' # * `abort-upgrade' # * `abort-remove' `in-favour' # # * `abort-deconfigure' `in-favour' # `removing' # # for details, see /usr/share/doc/packaging-manual/ # # quoting from the policy: # Any necessary prompting should almost always be confined to the # * `abort-deconfigure' `in-favour' # `removing' # # for details, see /usr/share/doc/packaging-manual/ # # quoting from the policy: # Any necessary prompting should almost always be confined to the # post-installation script, and should be protected with a conditional # so that unnecessary prompting doesn't happen if a package's # installation fails and the `postinst' is called with `abort-upgrade', # `abort-remove' or `abort-deconfigure'. CONF_FILE=/var/lib/strongswan/ipsec.conf.inc SECRETS_FILE=/var/lib/strongswan/ipsec.secrets.inc insert_private_key() { cat <> $SECRETS_FILE : RSA { $1 } EOF } insert_private_key_filename() { if [ ! -e $SECRETS_FILE ] || ! grep -q ": RSA $1" $SECRETS_FILE; then echo ": RSA $1" >> $SECRETS_FILE fi } IPSEC_SECRETS_PATTERN_1=': RSA {' IPSEC_SECRETS_PATTERN_2=' # yyy' IPSEC_SECRETS_PATTERN_3=' }' IPSEC_SECRETS_PATTERN_4='# do not change the indenting of that "}"' # remove old, misguided attempts at a default ipsec.secrets files repair_legacy_secrets() { if [ -e $SECRETS_FILE ] && grep -A 2 "$IPSEC_SECRETS_PATTERN_1" $SECRETS_FILE | tail --lines=2 | grep -A 1 "$IPSEC_SECRETS_PATTERN_2" | tail --lines=1 | grep "$IPSEC_SECRETS_PATTERN_3" >/dev/null; then echo "Old default config file detected, removing the old defaults now." umask 077 ; ( # this is ugly, and someone maybe can formulate this in sed, but # this was the quickest way for me line=`grep -n "$IPSEC_SECRETS_PATTERN_2" $SECRETS_FILE | cut -d':' -f1` until=`expr $line - 1` head -n $until $SECRETS_FILE sum=`wc -l $SECRETS_FILE | cut -d ' ' -f1` from=`expr $sum - $line -1` tail -n $from $SECRETS_FILE ) > $SECRETS_FILE.tmp mv $SECRETS_FILE.tmp $SECRETS_FILE grep -v "$IPSEC_SECRETS_PATTERN_4" $SECRETS_FILE > $SECRETS_FILE.tmp mv $SECRETS_FILE.tmp $SECRETS_FILE fi } make_x509_cert() { if [ $# -ne 12 ]; then echo "Error in creating X.509 certificate" exit 1 fi case $5 in false) certreq=$4.req selfsigned="" ;; true) certreq=$4 selfsigned="-x509" ;; *) echo "Error in creating X.509 certificate" exit 1 ;; esac echo -e "$6\n$7\n$8\n$9\n${10}\n${11}\n${12}\n\n\n" | \ /usr/bin/openssl req -new -outform PEM -out $certreq \ -newkey rsa:$1 -nodes -keyout $3 -keyform PEM \ -days $2 $selfsigned >/dev/null } enable_daemon_start() { daemon=$1 protocol=$2 echo -n "Enabling ${protocol} support by pluto ... " if [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=yes\w*$" $CONF_FILE; then echo "already enabled" elif [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=no\w*$" $CONF_FILE; then sed "s/${daemon}start=no/${daemon}start=yes/" < $CONF_FILE > $CONF_FILE.tmp cp $CONF_FILE.tmp $CONF_FILE rm $CONF_FILE.tmp echo "done" elif [ -e $CONF_FILE ] && egrep -q "^\w+#\w*${daemon}start=(yes|no)\w*$" $CONF_FILE; then sed "s/^\w+#\w*${daemon}start=(yes|no)\w*$/\t${daemon}start=yes/" < $CONF_FILE > $CONF_FILE.tmp cp $CONF_FILE.tmp $CONF_FILE rm $CONF_FILE.tmp echo "done" elif [ ! -e $CONF_FILE ]; then echo -e "\t${daemon}start=yes" > $CONF_FILE else echo "ERROR: unknown or nonexistant ${daemon}start= directive, please fix manually!" fi } disable_daemon_start() { daemon=$1 protocol=$2 echo -n "Disabling ${protocol} support by pluto ... " if [ -e $CONF_FILE ] && ( egrep -q "^\w+${daemon}start=no\w*$" $CONF_FILE || egrep -q "^\w+#\w*${daemon}start=(yes|no)\w*$" $CONF_FILE ); then echo "already disabled" elif [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=yes\w*$" $CONF_FILE; then sed "s/${daemon}start=yes/${daemon}start=no/" < $CONF_FILE > $CONF_FILE.tmp cp $CONF_FILE.tmp $CONF_FILE rm $CONF_FILE.tmp echo "done" elif [ ! -e $CONF_FILE ]; then echo -e "\t${daemon}start=yes" > $CONF_FILE else echo "ERROR: unknown or nonexistant ${daemon}start= directive, please fix manually!" fi } . /usr/share/debconf/confmodule case "$1" in configure) db_get strongswan/create_rsa_key if [ "$RET" = "true" ]; then repair_legacy_secrets # OK, ipsec.secrets should now be correct db_get strongswan/rsa_key_type if [ "$RET" = "plain" ]; then # a RSA keypair should be created - check if there is one already if [ -e /etc/ipsec.secrets ] && egrep -q ": RSA[:space:]*" /etc/ipsec.secrets; then echo "Warning: there is already a RSA key in /etc/ipsec.secrets." echo "Creating an additional one." fi if [ -e $SECRETS_FILE ] && egrep -q ": RSA[:space:]*" $SECRETS_FILE; then echo "Warning: there is already a RSA key in $SECRETS_FILE." echo "Creating an additional one." fi # create a plain strongswan keypair db_get strongswan/rsa_key_length umask 077 keylength=$RET privkey=`mktemp /tmp/ipsec-postinst.XXXXXX` /usr/lib/ipsec/rsasigkey $keylength > $privkey insert_private_key "`cat $privkey`" rm $privkey echo "Successfully created a plain strongSwan RSA keypair." else # extract the key from a (newly created) x509 certificate host=`hostname` newkeyfile="/etc/ipsec.d/private/${host}Key.pem" newcertfile="/etc/ipsec.d/certs/${host}Cert.pem" if [ -e $newcertfile -o -e $newkeyfile ]; then echo "Error: $newcertfile or $newkeyfile already exists." echo "Please remove them first an re-run dpkg-reconfigure to create a new keypair." else # create a new certificate db_get strongswan/rsa_key_length keylength=$RET db_get strongswan/x509_self_signed selfsigned=$RET db_get strongswan/x509_country_code countrycode=$RET if [ -z "$countrycode" ]; then countrycode="."; fi db_get strongswan/x509_state_name statename=$RET if [ -z "$statename" ]; then statename="."; fi db_get strongswan/x509_locality_name localityname=$RET if [ -z "$localityname" ]; then localityname="."; fi db_get strongswan/x509_organization_name orgname=$RET if [ -z "$orgname" ]; then orgname="."; fi db_get strongswan/x509_organizational_unit orgunit=$RET if [ -z "$orgunit" ]; then orgunit="."; fi db_get strongswan/x509_common_name commonname=$RET if [ -z "$commonname" ]; then commonname="."; fi db_get strongswan/x509_email_address email=$RET if [ -z "$email" ]; then email="."; fi make_x509_cert $keylength 1500 "$newkeyfile" "$newcertfile" "$selfsigned" "$countrycode" "$statename" "$localityname" "$orgname" "$orgunit" "$commonname" "$email" chmod 0600 "$newkeyfile" umask 077 insert_private_key_filename "$newkeyfile" echo "Successfully created x509 certificate." fi fi else db_get strongswan/existing_x509_certificate if [ "$RET" = "true" ]; then if [ -e $newcertfile -o -e $newkeyfile ]; then echo "Error: $newcertfile or $newkeyfile already exists." echo "Please remove them first an re-run dpkg-reconfigure to create a new keypair." else # existing certificate - use it db_get strongswan/existing_x509_certificate_filename certfile=$RET db_get strongswan/existing_x509_key_filename keyfile=$RET if [ ! -r $certfile ] || [ ! -r $keyfile ]; then echo "Either the certificate or the key file could not be read !" else cp "$certfile" /etc/ipsec.d/certs umask 077 cp "$keyfile" "/etc/ipsec.d/private" newkeyfile="/etc/ipsec.d/private/`basename $keyfile`" chmod 0600 "$newkeyfile" insert_private_key_filename "$newkeyfile" echo "Successfully extracted RSA key from existing x509 certificate." fi fi fi fi # figure out the correct start time db_get strongswan/start_level if [ "$RET" = "earliest" ]; then LEVELS="start 41 S . stop 34 0 6 ." elif [ "$RET" = "after NFS" ]; then LEVELS="start 15 2 3 4 5 . stop 30 0 1 6 ." else LEVELS="start 21 2 3 4 5 . stop 19 0 1 6 ." fi update-rc.d ipsec $LEVELS > /dev/null db_get strongswan/enable-oe if [ "$RET" != "true" ]; then echo -n "Disabling opportunistic encryption (OE) in config file ... " if [ -e $CONF_FILE ] && egrep -q "include /etc/ipsec.d/examples/no_oe.conf$" $CONF_FILE; then # also update to new-style config sed 's/.*include \/etc\/ipsec.d\/examples\/no_oe.conf/#include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp mv $CONF_FILE.tmp $CONF_FILE echo -n "converted old config line to new format" fi if [ -e $CONF_FILE ] && egrep -q "^include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then sed 's/include \/etc\/ipsec.d\/examples\/oe.conf/#include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp mv $CONF_FILE.tmp $CONF_FILE echo "done" elif [ ! -e $CONF_FILE ]; then echo "#include /etc/ipsec.d/examples/oe.conf" > $CONF_FILE else echo "already disabled" fi else echo -n "Enabling opportunistic encryption (OE) in config file ... " if [ -e $CONF_FILE ] && egrep -q "include /etc/ipsec.d/examples/no_oe.conf$" $CONF_FILE; then # also update to new-style config sed 's/.*include \/etc\/ipsec.d\/examples\/no_oe.conf/include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp mv $CONF_FILE.tmp $CONF_FILE echo -n "converted old config line to new format" fi if [ -e $CONF_FILE ] && egrep -q "^include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then echo "already enabled" elif [ -e $CONF_FILE ] && egrep -q "^#.*include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then sed 's/#.*include \/etc\/ipsec.d\/examples\/oe.conf/include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp mv $CONF_FILE.tmp $CONF_FILE echo "done" elif [ ! -e $CONF_FILE ]; then echo "include /etc/ipsec.d/examples/oe.conf" > $CONF_FILE else cat <> $CONF_FILE #Enable Opportunistic Encryption include /etc/ipsec.d/examples/oe.conf EOF echo "done" fi fi # disabled for now, until we can solve the don't-edit-conffiles issue #db_get strongswan/ikev1 #if [ "$RET" != "true" ]; then # enable_daemon_start "pluto" "IKEv1" #else # disable_daemon_start "pluto" "IKEv1" #fi #db_get strongswan/ikev2 #if [ "$RET" != "true" ]; then # enable_daemon_start "charon" "IKEv2" #else # disable_daemon_start "charon" "IKEv2" #fi if [ -z "$2" ]; then # no old configured version - start strongswan now invoke-rc.d ipsec start || true else # does the user wish strongswan to restart? db_get strongswan/restart if [ "$RET" = "true" ]; then invoke-rc.d ipsec restart || true # sure, we'll restart it for you fi fi db_stop ;; abort-upgrade|abort-remove|abort-deconfigure) ;; *) echo "postinst called with unknown argument '$1'" >&2 exit 0 ;; esac # dh_installdeb will replace this with shell code automatically #DEBHELPER# exit 0