1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
|
#! /bin/bash
# postinst script for strongswan
#
# see: dh_installdeb(1)
set -e
# summary of how this script can be called:
# * <postinst> `configure' <most-recently-configured-version>
# * <old-postinst> `abort-upgrade' <new version>
# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
# <new-version>
# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
# <failed-install-package> <version> `removing'
# <conflicting-package> <version>
# for details, see /usr/share/doc/packaging-manual/
#
# quoting from the policy:
# Any necessary prompting should almost always be confined to the
# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
# <failed-install-package> <version> `removing'
# <conflicting-package> <version>
# for details, see /usr/share/doc/packaging-manual/
#
# quoting from the policy:
# Any necessary prompting should almost always be confined to the
# post-installation script, and should be protected with a conditional
# so that unnecessary prompting doesn't happen if a package's
# installation fails and the `postinst' is called with `abort-upgrade',
# `abort-remove' or `abort-deconfigure'.
CONF_FILE=/var/lib/strongswan/ipsec.conf.inc
SECRETS_FILE=/var/lib/strongswan/ipsec.secrets.inc
insert_private_key() {
cat <<EOF >> $SECRETS_FILE
: RSA {
$1
}
EOF
}
insert_private_key_filename() {
if [ ! -e $SECRETS_FILE ] || ! grep -q ": RSA $1" $SECRETS_FILE; then
echo ": RSA $1" >> $SECRETS_FILE
fi
}
IPSEC_SECRETS_PATTERN_1=': RSA {'
IPSEC_SECRETS_PATTERN_2=' # yyy'
IPSEC_SECRETS_PATTERN_3=' }'
IPSEC_SECRETS_PATTERN_4='# do not change the indenting of that "}"'
# remove old, misguided attempts at a default ipsec.secrets files
repair_legacy_secrets() {
if [ -e $SECRETS_FILE ] && grep -A 2 "$IPSEC_SECRETS_PATTERN_1" $SECRETS_FILE |
tail --lines=2 |
grep -A 1 "$IPSEC_SECRETS_PATTERN_2" |
tail --lines=1 |
grep "$IPSEC_SECRETS_PATTERN_3" >/dev/null; then
echo "Old default config file detected, removing the old defaults now."
umask 077 ; (
# this is ugly, and someone maybe can formulate this in sed, but
# this was the quickest way for me
line=`grep -n "$IPSEC_SECRETS_PATTERN_2" $SECRETS_FILE | cut -d':' -f1`
until=`expr $line - 1`
head -n $until $SECRETS_FILE
sum=`wc -l $SECRETS_FILE | cut -d ' ' -f1`
from=`expr $sum - $line -1`
tail -n $from $SECRETS_FILE
) > $SECRETS_FILE.tmp
mv $SECRETS_FILE.tmp $SECRETS_FILE
grep -v "$IPSEC_SECRETS_PATTERN_4" $SECRETS_FILE > $SECRETS_FILE.tmp
mv $SECRETS_FILE.tmp $SECRETS_FILE
fi
}
make_x509_cert() {
if [ $# -ne 12 ]; then
echo "Error in creating X.509 certificate"
exit 1
fi
case $5 in
false)
certreq=$4.req
selfsigned=""
;;
true)
certreq=$4
selfsigned="-x509"
;;
*)
echo "Error in creating X.509 certificate"
exit 1
;;
esac
echo -e "$6\n$7\n$8\n$9\n${10}\n${11}\n${12}\n\n\n" | \
/usr/bin/openssl req -new -outform PEM -out $certreq \
-newkey rsa:$1 -nodes -keyout $3 -keyform PEM \
-days $2 $selfsigned >/dev/null
}
enable_daemon_start() {
daemon=$1
protocol=$2
echo -n "Enabling ${protocol} support by pluto ... "
if [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=yes\w*$" $CONF_FILE; then
echo "already enabled"
elif [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=no\w*$" $CONF_FILE; then
sed "s/${daemon}start=no/${daemon}start=yes/" < $CONF_FILE > $CONF_FILE.tmp
cp $CONF_FILE.tmp $CONF_FILE
rm $CONF_FILE.tmp
echo "done"
elif [ -e $CONF_FILE ] && egrep -q "^\w+#\w*${daemon}start=(yes|no)\w*$" $CONF_FILE; then
sed "s/^\w+#\w*${daemon}start=(yes|no)\w*$/\t${daemon}start=yes/" < $CONF_FILE > $CONF_FILE.tmp
cp $CONF_FILE.tmp $CONF_FILE
rm $CONF_FILE.tmp
echo "done"
else [ ! -e $CONF_FILE ]; then
echo -e "\t${daemon}start=yes" > $CONF_FILE
else
echo "ERROR: unknown or nonexistant ${daemon}start= directive, please fix manually!"
fi
}
disable_daemon_start() {
daemon=$1
protocol=$2
echo -n "Disabling ${protocol} support by pluto ... "
if [ -e $CONF_FILE ] && ( egrep -q "^\w+${daemon}start=no\w*$" $CONF_FILE ||
egrep -q "^\w+#\w*${daemon}start=(yes|no)\w*$" $CONF_FILE ); then
echo "already disabled"
elif [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=yes\w*$" $CONF_FILE; then
sed "s/${daemon}start=yes/${daemon}start=no/" < $CONF_FILE > $CONF_FILE.tmp
cp $CONF_FILE.tmp $CONF_FILE
rm $CONF_FILE.tmp
echo "done"
else [ ! -e $CONF_FILE ]; then
echo -e "\t${daemon}start=yes" > $CONF_FILE
else
echo "ERROR: unknown or nonexistant ${daemon}start= directive, please fix manually!"
fi
}
. /usr/share/debconf/confmodule
case "$1" in
configure)
db_get strongswan/create_rsa_key
if [ "$RET" = "true" ]; then
repair_legacy_secrets
# OK, ipsec.secrets should now be correct
db_get strongswan/rsa_key_type
if [ "$RET" = "plain" ]; then
# a RSA keypair should be created - check if there is one already
if [ -e /etc/ipsec.secrets ] && egrep -q ": RSA[:space:]*" /etc/ipsec.secrets; then
echo "Warning: there is already a RSA key in /etc/ipsec.secrets."
echo "Creating an additional one."
fi
if [ -e $SECRETS_FILE ] && egrep -q ": RSA[:space:]*" $SECRETS_FILE; then
echo "Warning: there is already a RSA key in $SECRETS_FILE."
echo "Creating an additional one."
fi
# create a plain strongswan keypair
db_get strongswan/rsa_key_length
umask 077
keylength=$RET
privkey=`mktemp /tmp/ipsec-postinst.XXXXXX`
/usr/lib/ipsec/rsasigkey $keylength > $privkey
insert_private_key "`cat $privkey`"
rm $privkey
echo "Successfully created a plain strongSwan RSA keypair."
else
# extract the key from a (newly created) x509 certificate
host=`hostname`
newkeyfile="/etc/ipsec.d/private/${host}Key.pem"
newcertfile="/etc/ipsec.d/certs/${host}Cert.pem"
if [ -e $newcertfile -o -e $newkeyfile ]; then
echo "Error: $newcertfile or $newkeyfile already exists."
echo "Please remove them first an re-run dpkg-reconfigure to create a new keypair."
else
# create a new certificate
db_get strongswan/rsa_key_length
keylength=$RET
db_get strongswan/x509_self_signed
selfsigned=$RET
db_get strongswan/x509_country_code
countrycode=$RET
if [ -z "$countrycode" ]; then countrycode="."; fi
db_get strongswan/x509_state_name
statename=$RET
if [ -z "$statename" ]; then statename="."; fi
db_get strongswan/x509_locality_name
localityname=$RET
if [ -z "$localityname" ]; then localityname="."; fi
db_get strongswan/x509_organization_name
orgname=$RET
if [ -z "$orgname" ]; then orgname="."; fi
db_get strongswan/x509_organizational_unit
orgunit=$RET
if [ -z "$orgunit" ]; then orgunit="."; fi
db_get strongswan/x509_common_name
commonname=$RET
if [ -z "$commonname" ]; then commonname="."; fi
db_get strongswan/x509_email_address
email=$RET
if [ -z "$email" ]; then email="."; fi
make_x509_cert $keylength 1500 "$newkeyfile" "$newcertfile" "$selfsigned" "$countrycode" "$statename" "$localityname" "$orgname" "$orgunit" "$commonname" "$email"
chmod 0600 "$newkeyfile"
umask 077
insert_private_key_filename "$newkeyfile"
echo "Successfully created x509 certificate."
fi
fi
else
db_get strongswan/existing_x509_certificate
if [ "$RET" = "true" ]; then
if [ -e $newcertfile -o -e $newkeyfile ]; then
echo "Error: $newcertfile or $newkeyfile already exists."
echo "Please remove them first an re-run dpkg-reconfigure to create a new keypair."
else
# existing certificate - use it
db_get strongswan/existing_x509_certificate_filename
certfile=$RET
db_get strongswan/existing_x509_key_filename
keyfile=$RET
if [ ! -r $certfile ] || [ ! -r $keyfile ]; then
echo "Either the certificate or the key file could not be read !"
else
cp "$certfile" /etc/ipsec.d/certs
umask 077
cp "$keyfile" "/etc/ipsec.d/private"
newkeyfile="/etc/ipsec.d/private/`basename $keyfile`"
chmod 0600 "$newkeyfile"
insert_private_key_filename "$newkeyfile"
echo "Successfully extracted RSA key from existing x509 certificate."
fi
fi
fi
fi
# figure out the correct start time
db_get strongswan/start_level
if [ "$RET" = "earliest" ]; then
LEVELS="start 41 S . stop 34 0 6 ."
elif [ "$RET" = "after NFS" ]; then
LEVELS="start 15 2 3 4 5 . stop 30 0 1 6 ."
else
LEVELS="start 21 2 3 4 5 . stop 19 0 1 6 ."
fi
update-rc.d ipsec $LEVELS > /dev/null
db_get strongswan/enable-oe
if [ "$RET" != "true" ]; then
echo -n "Disabling opportunistic encryption (OE) in config file ... "
if [ -e $CONF_FILE ] && egrep -q "include /etc/ipsec.d/examples/no_oe.conf$" $CONF_FILE; then
# also update to new-style config
sed 's/.*include \/etc\/ipsec.d\/examples\/no_oe.conf/#include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp
mv $CONF_FILE.tmp $CONF_FILE
echo -n "converted old config line to new format"
fi
if [ -e $CONF_FILE ] && egrep -q "^include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then
sed 's/include \/etc\/ipsec.d\/examples\/oe.conf/#include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp
mv $CONF_FILE.tmp $CONF_FILE
echo "done"
elif [ ! -e $CONF_FILE ]; then
echo "#include /etc/ipsec.d/examples/oe.conf" > $CONF_FILE
else
echo "already disabled"
fi
else
echo -n "Enabling opportunistic encryption (OE) in config file ... "
if [ -e $CONF_FILE ] && egrep -q "include /etc/ipsec.d/examples/no_oe.conf$" $CONF_FILE; then
# also update to new-style config
sed 's/.*include \/etc\/ipsec.d\/examples\/no_oe.conf/include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp
mv $CONF_FILE.tmp $CONF_FILE
echo -n "converted old config line to new format"
fi
if [ -e $CONF_FILE ] && egrep -q "^include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then
echo "already enabled"
elif [ -e $CONF_FILE ] && egrep -q "^#.*include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then
sed 's/#.*include \/etc\/ipsec.d\/examples\/oe.conf/include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp
mv $CONF_FILE.tmp $CONF_FILE
echo "done"
elif [ ! -e $CONF_FILE ]; then
echo "include /etc/ipsec.d/examples/oe.conf" > $CONF_FILE
else
cat <<EOF >> $CONF_FILE
#Enable Opportunistic Encryption
include /etc/ipsec.d/examples/oe.conf
EOF
echo "done"
fi
fi
# disabled for now, until we can solve the don't-edit-conffiles issue
#db_get strongswan/ikev1
#if [ "$RET" != "true" ]; then
# enable_daemon_start "pluto" "IKEv1"
#else
# disable_daemon_start "pluto" "IKEv1"
#fi
#db_get strongswan/ikev2
#if [ "$RET" != "true" ]; then
# enable_daemon_start "charon" "IKEv2"
#else
# disable_daemon_start "charon" "IKEv2"
#fi
if [ -z "$2" ]; then
# no old configured version - start strongswan now
invoke-rc.d ipsec start || true
else
# does the user wish strongswan to restart?
db_get strongswan/restart
if [ "$RET" = "true" ]; then
invoke-rc.d ipsec restart || true # sure, we'll restart it for you
fi
fi
db_stop
;;
abort-upgrade|abort-remove|abort-deconfigure)
;;
*)
echo "postinst called with unknown argument '$1'" >&2
exit 0
;;
esac
# dh_installdeb will replace this with shell code automatically
#DEBHELPER#
exit 0
|
