# postinst script for freeswan
# see: dh_installdeb(1)
# summary of how this script can be called:
# * <postinst> `configure' <most-recently-configured-version>
# * <old-postinst> `abort-upgrade' <new version>
# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
# <failed-install-package> <version> `removing'
# <conflicting-package> <version>
# for details, see /usr/share/doc/packaging-manual/
# quoting from the policy:
# Any necessary prompting should almost always be confined to the
# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
# <failed-install-package> <version> `removing'
# <conflicting-package> <version>
# for details, see /usr/share/doc/packaging-manual/
# quoting from the policy:
# Any necessary prompting should almost always be confined to the
# post-installation script, and should be protected with a conditional
# so that unnecessary prompting doesn't happen if a package's
# installation fails and the `postinst' is called with `abort-upgrade',
# `abort-remove' or `abort-deconfigure'.
if grep -A 2 "$IPSEC_SECRETS_PATTERN_1" /etc/ipsec.secrets |
grep -A 1 "$IPSEC_SECRETS_PATTERN_2" |
grep "$IPSEC_SECRETS_PATTERN_3" >/dev/null; then
# NOTE(review): cp without -p gives the backup a umask-derived mode rather than
# the mode of the original file. This branch runs precisely when ipsec.secrets
# already holds an RSA secret key, so the .orig copy can end up more readable
# than the file it was taken from; cp -p or a chmod 0600 on the copy would keep
# the same protection.
cp /etc/ipsec.secrets /etc/ipsec.secrets.orig
echo "/etc/ipsec.secrets already contains a RSA secret key."
echo "Not creating a new key. If you want it to be created,"
echo "restore /etc/ipsec.secrets to distributed state first."
insert_private_key() {
sed "/$IPSEC_SECRETS_PATTERN_1/,\$d" /etc/ipsec.secrets
sed "1,/$IPSEC_SECRETS_PATTERN_3/d" /etc/ipsec.secrets
) > /etc/ipsec.secrets.tmp
# NOTE(review): the .tmp file was created by a shell redirection, so its mode is
# derived from the umask, not copied from the existing ipsec.secrets. mv keeps
# the .tmp file's mode, so the rewritten secrets file (which now carries the
# private key) may lose restrictive permissions unless the umask is tightened
# elsewhere -- that is not visible in this excerpt.
mv /etc/ipsec.secrets.tmp /etc/ipsec.secrets
insert_private_key_filename() {
sed "/$IPSEC_SECRETS_PATTERN_1/,\$d" /etc/ipsec.secrets
sed "1,/$IPSEC_SECRETS_PATTERN_3/d" /etc/ipsec.secrets
) > /etc/ipsec.secrets.tmp
# NOTE(review): same concern as in insert_private_key -- the .tmp file comes
# from a redirection and so has a umask-derived mode; mv preserves that mode,
# so ipsec.secrets may not stay owner-only after the rewrite unless the umask is
# restricted elsewhere (not visible here).
mv /etc/ipsec.secrets.tmp /etc/ipsec.secrets
. /usr/share/debconf/confmodule
IPSEC_SECRETS_PATTERN_1=': RSA {'
IPSEC_SECRETS_PATTERN_2='\-\- not filled in because ipsec.secrets existed at build time \-\-'
IPSEC_SECRETS_PATTERN_3=' }'
if [ ! -e /dev/.devfsd ]; then
db_get freeswan/makedev
if [ "$RET" = "true" ]; then
(cd /dev && MAKEDEV ipsec)
# does the user wish freeswan to restart?
db_get freeswan/restart
if [ "$RET" = "true" ]; then
/etc/init.d/ipsec restart || true # sure, we'll restart it for you
db_get freeswan/create_rsa_key
if [ "$RET" = "true" ]; then
# OK, ipsec.secrets is still untouched
db_get freeswan/rsa_key_type
if [ "$RET" = "plain" ]; then
# an RSA keypair should be created - check whether there is one already
if check_private; then
# create a plain freeswan keypair
db_get freeswan/rsa_key_length
# Scratch file that will receive the freshly generated private key. mktemp
# picks an unpredictable name and creates the file with owner-only permissions,
# so the key material is not exposed while it sits in /tmp. (Removal of this
# scratch file is not visible in this excerpt.)
privkey=$(mktemp /tmp/ipsec-postinst.XXXXXX)
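# Generate the RSA keypair into the scratch file. $keylength is deliberately
# left unquoted: an empty value then means "no argument" to rsasigkey rather
# than an empty argument. The redirection target is quoted so that an unusual
# mktemp result or IFS setting cannot split it into an ambiguous redirect.
/usr/lib/ipsec/rsasigkey $keylength > "$privkey"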
insert_private_key $privkey
echo "Successfully created a plain freeswan RSA keypair."
newkeyfile="/etc/ipsec.d/private/${host}Key.pem"
newcertfile="/etc/ipsec.d/${host}Cert.pem"
# extract the key from a x509 certificate
db_get freeswan/existing_x509_certificate
if [ "$RET" = "true" ]; then
if check_private; then
# existing certificate - use it
db_get freeswan/existing_x509_certificate_filename
db_get freeswan/existing_x509_key_filename
if [ ! -r $certfile ] || [ ! -r $keyfile ]; then
echo "Either the certificate or the key file could not be read !"
openssl x509 -in "$certfile" -outform DER -out /etc/x509cert.der
# NOTE(review): cp creates the new key file with a umask-derived mode; the
# chmod 0600 that follows tightens it only afterwards, leaving a short window in
# which the copied private key may be group- or world-readable. cp -p, or an
# umask 077 before the copy, would close that window.
cp "$keyfile" "$newkeyfile"
chmod 0600 "$newkeyfile"
insert_private_key_filename "$newkeyfile"
echo "Successfully extracted RSA key from existing x509 certificate."
if check_private; then
# create a new certificate
db_get freeswan/rsa_key_length
db_get freeswan/x509_self_signed
db_get freeswan/x509_country_code
db_get freeswan/x509_state_name
db_get freeswan/x509_locality_name
db_get freeswan/x509_organization_name
db_get freeswan/x509_organizational_unit
db_get freeswan/x509_common_name
db_get freeswan/x509_email_address
/usr/lib/ipsec/mkx509cert $keylength 1500 "$newkeyfile" "$newcertfile" "$selfsigned" "$countrycode" "$statename" "$localityname" "$orgname" "$orgunit" "$commonname" "$email"
if [ "$selfsigned" = "true" ]; then
openssl x509 -in "$newcertfile" -outform DER -out /etc/x509cert.der
chmod 0600 "$newkeyfile"
insert_private_key_filename "$newkeyfile"
echo "Successfully created x509 certificate."
update-rc.d ipsec defaults 15 >/dev/null
# no old configured version - start freeswan now
/etc/init.d/ipsec start || true
abort-upgrade|abort-remove|abort-deconfigure)
echo "postinst called with unknown argument '$1'" >&2
# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.