#! /bin/bash
# postinst script for strongswan
#
# see: dh_installdeb(1)
set -o errexit

# summary of how this script can be called:
# * <postinst> `configure' <most-recently-configured-version>
# * <old-postinst> `abort-upgrade' <new version>
# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
# <new-version>
# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
# <failed-install-package> <version> `removing'
# <conflicting-package> <version>
# for details, see /usr/share/doc/packaging-manual/
#
# quoting from the policy:
# Any necessary prompting should almost always be confined to the
# post-installation script, and should be protected with a conditional
# so that unnecessary prompting doesn't happen if a package's
# installation fails and the `postinst' is called with `abort-upgrade',
# `abort-remove' or `abort-deconfigure'.

# Include fragments under /var/lib/strongswan that this script rewrites:
# CONF_FILE carries the daemon-start and opportunistic-encryption
# directives edited below; SECRETS_FILE is intended to receive the
# ": RSA <keyfile>" lines (see insert_private_key_filename).
CONF_FILE='/var/lib/strongswan/ipsec.conf.inc'
SECRETS_FILE='/var/lib/strongswan/ipsec.secrets.inc'
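#######################################
# Print a diagnostic line on stderr.
# Arguments: message words, joined by single spaces
#######################################
Warn ()
{
  # printf rather than echo: a message starting with "-n"/"-e" or containing
  # backslashes is printed verbatim instead of being parsed by echo
  printf '%s\n' "$*" >&2
}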
#######################################
# Print a diagnostic prefixed with "Error: " on stderr (via Warn).
# Arguments: message words, joined by single spaces
#######################################
Error ()
{
  local message="Error: $*"
  Warn "$message"
}
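#######################################
# Register a private key in the secrets include file as a ": RSA <path>"
# line, unless an identical entry is already present.
# Globals:   SECRETS_INC_FILE (honoured if the environment sets it),
#            otherwise SECRETS_FILE - the file appended to
# Arguments: $1 - path of the private key file
#######################################
insert_private_key_filename() {
  local keyfile=$1
  # Nothing in this script assigns SECRETS_INC_FILE, so without this fallback
  # the append went to an empty (ambiguous) redirect target.
  local secrets=${SECRETS_INC_FILE:-$SECRETS_FILE}
  local entry=": RSA ${keyfile}"

  # fixed-string match: the key path must not be interpreted as a regex
  if [ -e "$secrets" ] && grep -qF -- "$entry" "$secrets"; then
    return 0
  fi
  printf '%s\n' "$entry" >> "$secrets"
}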
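#######################################
# Generate an RSA key plus either a self-signed certificate or a CSR with
# openssl, answering its subject prompts from the arguments.
# Arguments:
#   $1  RSA key length in bits          $2  validity in days
#   $3  private key output path         $4  certificate output path
#   $5  "true"  -> self-signed certificate written to $4
#       "false" -> certificate request written to $4.req
#   $6..$12  C, ST, L, O, OU, CN, emailAddress ("." = leave field empty)
# Outputs:   error message on stderr; openssl's stdout is discarded
# Returns:   exits 1 on a wrong argument count or an unknown $5,
#            otherwise openssl's exit status
#######################################
make_x509_cert() {
  if [ $# -ne 12 ]; then
    echo "Error in creating X.509 certificate" >&2
    exit 1
  fi

  local keylength=$1 days=$2 keyfile=$3 certfile=$4 selfsigned=$5
  local certreq
  local -a x509flag
  case "$selfsigned" in
    false)
      certreq="${certfile}.req"
      x509flag=()
      ;;
    true)
      certreq=$certfile
      x509flag=(-x509)
      ;;
    *)
      echo "Error in creating X.509 certificate" >&2
      exit 1
      ;;
  esac

  # Create the key file mode 0600 before openssl writes into it, so the key
  # never exists under the default umask (truncating keeps the existing mode).
  ( umask 077 && : > "$keyfile" )

  # printf instead of echo -e: subject values are passed through verbatim,
  # backslashes included. The three trailing empty lines reproduce the blank
  # answers the original fed to the remaining prompts - keep the count in
  # step with openssl's req prompt sequence.
  printf '%s\n' "$6" "$7" "$8" "$9" "${10}" "${11}" "${12}" "" "" "" \
    | /usr/bin/openssl req -new -outform PEM -out "$certreq" \
        -newkey "rsa:${keylength}" -nodes -keyout "$keyfile" -keyform PEM \
        -days "$days" "${x509flag[@]}" >/dev/null
}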
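#######################################
# Turn on the "<daemon>start=yes" directive in CONF_FILE: creates the file,
# flips an "=no" line, or uncomments a "#<daemon>start=..." line.
# Globals:   CONF_FILE (read/written)
# Arguments: $1 - daemon name (e.g. pluto, charon)
#            $2 - protocol name, used only in the progress message
# Outputs:   progress text on stdout
#######################################
enable_daemon_start() {
  local daemon=$1
  local protocol=$2
  local directive="${daemon}start"
  local tmp="${CONF_FILE}.tmp"
  # optional whitespace around the directive; the previous patterns used \w
  # (word characters) here and therefore never matched an indented line
  local ws='[[:space:]]*'

  printf '%s' "Enabling ${protocol} support by ${daemon}... "
  if [ ! -e "$CONF_FILE" ]; then
    printf '\t%s=yes\n' "$directive" > "$CONF_FILE"
    echo "done"
  elif grep -qE "^${ws}${directive}=yes${ws}$" "$CONF_FILE"; then
    echo "already enabled"
  elif grep -qE "^${ws}${directive}=no${ws}$" "$CONF_FILE"; then
    sed -E "s/^(${ws})${directive}=no(${ws})$/\1${directive}=yes\2/" "$CONF_FILE" > "$tmp"
    # cp + rm rather than mv keeps CONF_FILE's owner and mode
    cp "$tmp" "$CONF_FILE"
    rm -f "$tmp"
    echo "done"
  elif grep -qE "^${ws}#${ws}${directive}=(yes|no)${ws}$" "$CONF_FILE"; then
    sed -E "s/^${ws}#${ws}${directive}=(yes|no)${ws}$/\t${directive}=yes/" "$CONF_FILE" > "$tmp"
    cp "$tmp" "$CONF_FILE"
    rm -f "$tmp"
    echo "done"
  else
    echo "ERROR: unknown or nonexistant ${daemon}start= directive, please fix manually!"
  fi
}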
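#######################################
# Turn off the "<daemon>start=..." directive in CONF_FILE: creates the file
# with "=no", flips an "=yes" line, or leaves a commented line alone.
# Globals:   CONF_FILE (read/written)
# Arguments: $1 - daemon name (e.g. pluto, charon)
#            $2 - protocol name, used only in the progress message
# Outputs:   progress text on stdout
#######################################
disable_daemon_start() {
  local daemon=$1
  local protocol=$2
  local directive="${daemon}start"
  local tmp="${CONF_FILE}.tmp"
  # optional whitespace around the directive; the previous patterns used \w
  # (word characters) here and therefore never matched an indented line
  local ws='[[:space:]]*'

  printf '%s' "Disabling ${protocol} support by ${daemon}... "
  if [ ! -e "$CONF_FILE" ]; then
    # a fresh file must carry "=no" here (it used to be written as "=yes")
    printf '\t%s=no\n' "$directive" > "$CONF_FILE"
    echo "done"
  elif grep -qE "^${ws}${directive}=no${ws}$" "$CONF_FILE" \
       || grep -qE "^${ws}#${ws}${directive}=(yes|no)${ws}$" "$CONF_FILE"; then
    echo "already disabled"
  elif grep -qE "^${ws}${directive}=yes${ws}$" "$CONF_FILE"; then
    sed -E "s/^(${ws})${directive}=yes(${ws})$/\1${directive}=no\2/" "$CONF_FILE" > "$tmp"
    # cp + rm rather than mv keeps CONF_FILE's owner and mode
    cp "$tmp" "$CONF_FILE"
    rm -f "$tmp"
    echo "done"
  else
    echo "ERROR: unknown or nonexistant ${daemon}start= directive, please fix manually!"
  fi
}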
#######################################
# Make sure the unprivileged "strongswan" system account exists; it is
# created without a home directory and with a non-login shell.
# Returns:   0 when the account already exists, else adduser's status
#######################################
setup_strongswan_user() {
  local user=strongswan
  getent passwd "$user" >/dev/null && return 0
  adduser --quiet --system --no-create-home --home /var/lib/strongswan --shell /usr/sbin/nologin "$user"
}
# debconf client library; the db_get/db_set/db_input/db_go/db_stop helpers
# used below come from here
source /usr/share/debconf/confmodule
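#######################################
# Generate a new host key and certificate (debconf answer "create") under
# /etc/ipsec.d and register the key in the secrets include file.
# Globals:   RET (clobbered by db_get); the process umask is left at 077
#######################################
_create_x509_certificate() {
  local host newkeyfile newcertfile
  host=$(hostname)
  newkeyfile="/etc/ipsec.d/private/${host}Key.pem"
  newcertfile="/etc/ipsec.d/certs/${host}Cert.pem"

  if [ -e "$newcertfile" ] || [ -e "$newkeyfile" ]; then
    Error "$newcertfile or $newkeyfile already exists."
    Error "Please remove them first and then re-run dpkg-reconfigure to create a new keypair."
    return 0
  fi

  local keylength selfsigned countrycode statename localityname
  local orgname orgunit commonname email
  db_get strongswan/rsa_key_length
  keylength=$RET
  db_get strongswan/x509_self_signed
  selfsigned=$RET
  # an empty debconf answer becomes "." (openssl's prompt convention for
  # leaving a subject field empty)
  db_get strongswan/x509_country_code
  countrycode=${RET:-.}
  db_get strongswan/x509_state_name
  statename=${RET:-.}
  db_get strongswan/x509_locality_name
  localityname=${RET:-.}
  db_get strongswan/x509_organization_name
  orgname=${RET:-.}
  db_get strongswan/x509_organizational_unit
  orgunit=${RET:-.}
  db_get strongswan/x509_common_name
  commonname=${RET:-.}
  db_get strongswan/x509_email_address
  email=${RET:-.}

  make_x509_cert "$keylength" 1500 "$newkeyfile" "$newcertfile" "$selfsigned" \
    "$countrycode" "$statename" "$localityname" "$orgname" "$orgunit" \
    "$commonname" "$email"
  chmod 0600 "$newkeyfile"
  umask 077
  insert_private_key_filename "$newkeyfile"
  echo "Successfully created x509 certificate."
}

#######################################
# True when $1 is a regular file or a symbolic link.
#######################################
_is_file_or_link() {
  [ -f "$1" ] || [ -L "$1" ]
}

#######################################
# Copy an existing certificate/key (and optional root CA) named via debconf
# into /etc/ipsec.d after sanity-checking them; refuses rather than
# overwriting anything already present.
# Globals:   RET (clobbered by db_get); process umask left at 077 on success
#######################################
_import_x509_certificate() {
  local certfile keyfile cafile
  db_get strongswan/existing_x509_certificate_filename
  certfile=$RET
  db_get strongswan/existing_x509_key_filename
  keyfile=$RET
  db_get strongswan/existing_x509_rootca_filename
  cafile=$RET

  if [ -z "$certfile" ] || [ -z "$keyfile" ]; then
    Error "Either the certificate or the key filename is not specified."
    return 0
  fi
  if ! _is_file_or_link "$certfile" || ! _is_file_or_link "$keyfile" \
     || { [ -n "$cafile" ] && ! _is_file_or_link "$cafile"; }; then
    Error "Either the certificate or the key${cafile:+ or the rootca} file is not a regular file or symbolic link."
    return 0
  fi
  # NOTE(review): only the legacy "BEGIN RSA PRIVATE KEY" (PKCS#1) header is
  # accepted; a PKCS#8 "BEGIN PRIVATE KEY" file is rejected here - confirm
  # whether that restriction is still intended.
  if ! grep -q 'BEGIN CERTIFICATE' "$certfile" \
     || ! grep -q 'BEGIN RSA PRIVATE KEY' "$keyfile" \
     || { [ -n "$cafile" ] && ! grep -q 'BEGIN CERTIFICATE' "$cafile"; }; then
    Error "Either the certificate or the key${cafile:+ or the rootca} file is not a valid PEM type file."
    return 0
  fi
  if [ -n "$cafile" ] && { [ "$certfile" = "$cafile" ] || [ "$keyfile" = "$cafile" ]; }; then
    Error "The certificate or the key file contains the rootca - unable to import automatically."
    return 0
  fi
  if [ "$(grep -c 'BEGIN CERTIFICATE' "$certfile")" -gt 1 ]; then
    Error "The certificate file contains more than one certificate - unable to import automatically."
    return 0
  fi
  if grep -q 'ENCRYPTED' "$keyfile"; then
    Error "The key file contains an encrypted key - unable to import automatically."
    return 0
  fi

  local newcertfile newkeyfile newcafile=""
  newcertfile="/etc/ipsec.d/certs/$(basename "$certfile")"
  newkeyfile="/etc/ipsec.d/private/$(basename "$keyfile")"
  # the root CA is copied into cacerts/, so that is the path the
  # "already exists" check has to look at (it used to check private/)
  if [ -n "$cafile" ]; then
    newcafile="/etc/ipsec.d/cacerts/$(basename "$cafile")"
  fi

  if [ -e "$newcertfile" ] || [ -e "$newkeyfile" ] || { [ -n "$newcafile" ] && [ -e "$newcafile" ]; }; then
    Error "$newcertfile or $newkeyfile${newcafile:+ or $newcafile} already exists."
    Error "Please remove them first and then re-run dpkg-reconfigure to extract an existing keypair${newcafile:+ and a rootca}."
    return 0
  fi

  openssl x509 -in "$certfile" -out "$newcertfile" 2>/dev/null
  # tighten the umask before the key is written so it never exists world-readable
  umask 077
  openssl rsa -passin pass:"" -in "$keyfile" -out "$newkeyfile" 2>/dev/null
  chmod 0600 "$newkeyfile"
  insert_private_key_filename "$newkeyfile"
  # only copy a root CA when one was given: cp of an empty name fails and,
  # under set -e, aborted the whole postinst
  if [ -n "$newcafile" ]; then
    cp -- "$cafile" "$newcafile"
  fi
  echo "Successfully integrated existing x509 certificate."
}

#######################################
# One-time migration of the sysv runlevel links of the "ipsec" init script
# on systems that are not yet on dependency-based booting.
# Globals:   runlevels (read) - NOTE(review): never assigned in this script,
#            so the string comparisons below are always false and only the
#            /etc/init.d/.depend.* check decides; confirm against the older
#            packaging this was carried over from
#######################################
_migrate_runlevels() {
  # lets see if we are already using dependency based booting or the correct runlevel parameters
  if [ -n "$(find /etc/init.d/ -name '.depend.*')" ] || [ "$runlevels" = "0K841K842S163S164S165S166K84" ]; then
    return 0
  fi
  db_fset strongswan/runlevel_changes seen false
  db_input high strongswan/runlevel_changes || true
  db_go

  # if the admin did not change the runlevels which got installed by older packages we can modify them
  case "$runlevels" in
    0K346K34SS41|0K301K302S153S154S155S156K30|0K191K192S213S214S215S216K19)
      update-rc.d -f ipsec remove
      ;;
  esac
  update-rc.d ipsec defaults 16 84 > /dev/null
}

#######################################
# Enable or disable the opportunistic-encryption include in CONF_FILE
# according to the strongswan/enable-oe answer, converting the old
# no_oe.conf include to the new form on the way.
# Globals:   CONF_FILE (read/written), RET (clobbered by db_get)
# Outputs:   progress text on stdout
#######################################
_configure_oe() {
  local tmp="${CONF_FILE}.tmp"
  local oe_inc='include /etc/ipsec.d/examples/oe.conf'
  local old_inc='include /etc/ipsec.d/examples/no_oe.conf'

  db_get strongswan/enable-oe
  if [ "$RET" != "true" ]; then
    printf '%s' "Disabling opportunistic encryption (OE) in config file ... "
    if [ -e "$CONF_FILE" ] && grep -qE "${old_inc}$" "$CONF_FILE"; then
      # also update to new-style config
      sed "s|.*${old_inc}|#${oe_inc}|" "$CONF_FILE" > "$tmp"
      mv "$tmp" "$CONF_FILE"
      printf '%s' "converted old config line to new format"
    fi
    if [ -e "$CONF_FILE" ] && grep -qE "^${oe_inc}$" "$CONF_FILE"; then
      sed "s|${oe_inc}|#${oe_inc}|" "$CONF_FILE" > "$tmp"
      mv "$tmp" "$CONF_FILE"
      echo "done"
    elif [ ! -e "$CONF_FILE" ]; then
      echo "#${oe_inc}" > "$CONF_FILE"
      echo "done"
    else
      echo "already disabled"
    fi
  else
    printf '%s' "Enabling opportunistic encryption (OE) in config file ... "
    if [ -e "$CONF_FILE" ] && grep -qE "${old_inc}$" "$CONF_FILE"; then
      # also update to new-style config
      sed "s|.*${old_inc}|${oe_inc}|" "$CONF_FILE" > "$tmp"
      mv "$tmp" "$CONF_FILE"
      printf '%s' "converted old config line to new format"
    fi
    if [ -e "$CONF_FILE" ] && grep -qE "^${oe_inc}$" "$CONF_FILE"; then
      echo "already enabled"
    elif [ -e "$CONF_FILE" ] && grep -qE "^#.*${oe_inc}$" "$CONF_FILE"; then
      sed "s|#.*${oe_inc}|${oe_inc}|" "$CONF_FILE" > "$tmp"
      mv "$tmp" "$CONF_FILE"
      echo "done"
    elif [ ! -e "$CONF_FILE" ]; then
      echo "$oe_inc" > "$CONF_FILE"
      echo "done"
    else
      printf '%s\n' "#Enable Opportunistic Encryption" "$oe_inc" >> "$CONF_FILE"
      echo "done"
    fi
  fi
}

#######################################
# Start strongswan on a fresh install, or restart it on upgrade when the
# admin opted in via strongswan/restart.
# Arguments: $1 - most recently configured version ("" on first install)
# Globals:   RET (clobbered by db_get)
#######################################
_start_or_restart_ipsec() {
  local old_version=$1
  if [ -z "$old_version" ]; then
    # no old configured version - start strongswan now
    invoke-rc.d ipsec start || true
  else
    # does the user wish strongswan to restart?
    db_get strongswan/restart
    if [ "$RET" = "true" ]; then
      invoke-rc.d ipsec restart || true # sure, we'll restart it for you
    fi
  fi
}

case "$1" in
  configure)
    db_get strongswan/install_x509_certificate
    if [ "$RET" = "true" ]; then
      db_get strongswan/how_to_get_x509_certificate
      if [ "$RET" = "create" ]; then
        # extract the key from a (newly created) x509 certificate
        _create_x509_certificate
      elif [ "$RET" = "import" ]; then
        # existing certificate - use it
        _import_x509_certificate
      fi
      # reset the question so the next run does not re-enter this branch
      db_set strongswan/install_x509_certificate false
    fi

    _migrate_runlevels
    _configure_oe

    # disabled for now, until we can solve the don't-edit-conffiles issue
    #db_get strongswan/ikev1
    #if [ "$RET" != "true" ]; then
    #  enable_daemon_start "pluto" "IKEv1"
    #else
    #  disable_daemon_start "pluto" "IKEv1"
    #fi
    #db_get strongswan/ikev2
    #if [ "$RET" != "true" ]; then
    #  enable_daemon_start "charon" "IKEv2"
    #else
    #  disable_daemon_start "charon" "IKEv2"
    #fi

    # create user for strongswan to change its uid into
    setup_strongswan_user

    _start_or_restart_ipsec "$2"

    db_stop
    ;;

  abort-upgrade|abort-remove|abort-deconfigure)
    ;;

  *)
    echo "postinst called with unknown argument '$1'" >&2
    exit 0
    ;;
esac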
# dh_installdeb will replace this with shell code automatically
# Automatically added by dh_apparmor/2.13.2-10
case "$1" in
  configure)
    APP_PROFILE="/etc/apparmor.d/usr.lib.ipsec.stroke"
    if [ -f "$APP_PROFILE" ]; then
      # Add the local/ include
      LOCAL_APP_PROFILE="/etc/apparmor.d/local/usr.lib.ipsec.stroke"
      if [ ! -e "$LOCAL_APP_PROFILE" ]; then
        mkdir -p "$(dirname "$LOCAL_APP_PROFILE")"
        install --mode 644 /dev/null "$LOCAL_APP_PROFILE"
      fi

      # Reload the profile, including any abstraction updates
      if aa-enabled --quiet 2>/dev/null; then
        apparmor_parser -r -T -W "$APP_PROFILE" || true
      fi
    fi
    ;;
esac
# End automatically added section
# Automatically added by dh_systemd_enable/12.1.1
case "$1" in
  configure|abort-upgrade|abort-deconfigure|abort-remove)
    # This will only remove masks created by d-s-h on package removal.
    deb-systemd-helper unmask 'strongswan.service' >/dev/null || true

    # was-enabled defaults to true, so new installations run enable.
    if deb-systemd-helper --quiet was-enabled 'strongswan.service'; then
      # Enables the unit on first installation, creates new
      # symlinks on upgrades if the unit file has changed.
      deb-systemd-helper enable 'strongswan.service' >/dev/null || true
    else
      # Update the statefile to add new symlinks (if any), which need to be
      # cleaned up on purge. Also remove old symlinks.
      deb-systemd-helper update-state 'strongswan.service' >/dev/null || true
    fi
    ;;
esac
# End automatically added section
# Automatically added by dh_systemd_start/12.1.1
case "$1" in
  configure|abort-upgrade|abort-deconfigure|abort-remove)
    if [ -d /run/systemd/system ]; then
      systemctl --system daemon-reload >/dev/null || true
      # $2 (the previously configured version) is only set on upgrades
      _dh_action=start
      [ -z "$2" ] || _dh_action=restart
      deb-systemd-invoke "$_dh_action" 'strongswan.service' >/dev/null || true
    fi
    ;;
esac
# End automatically added section

exit 0