postinst is in openswan 1:2.6.38-1.
This file is a maintainer script. It is executed when installing (*inst) or removing (*rm) the package.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 | #! /bin/bash
# postinst script for openswan
#
# see: dh_installdeb(1)
set -e
# summary of how this script can be called:
# * <postinst> `configure' <most-recently-configured-version>
# * <old-postinst> `abort-upgrade' <new version>
# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
# <new-version>
# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
# <failed-install-package> <version> `removing'
# <conflicting-package> <version>
# for details, see /usr/share/doc/packaging-manual/
#
# quoting from the policy:
# Any necessary prompting should almost always be confined to the
# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
# <failed-install-package> <version> `removing'
# <conflicting-package> <version>
# for details, see /usr/share/doc/packaging-manual/
#
# quoting from the policy:
# Any necessary prompting should almost always be confined to the
# post-installation script, and should be protected with a conditional
# so that unnecessary prompting doesn't happen if a package's
# installation fails and the `postinst' is called with `abort-upgrade',
# `abort-remove' or `abort-deconfigure'.
SECRETS_INC_DIR=/var/lib/openswan
SECRETS_INC_FILE="$SECRETS_INC_DIR"/ipsec.secrets.inc
Warn ()
{
echo "$*" >&2
}
Error ()
{
Warn "Error: $*"
}
insert_private_key_filename() {
if ! ( [ -e $SECRETS_INC_FILE ] && egrep -q ": RSA $1" $SECRETS_INC_FILE ); then
echo ": RSA $1" >> $SECRETS_INC_FILE
fi
}
make_x509_cert() {
if [ $# -ne 12 ]; then
echo "Error in creating X.509 certificate"
exit 1
fi
case $5 in
false)
certreq=$4.req
selfsigned=""
;;
true)
certreq=$4
selfsigned="-x509"
;;
*)
echo "Error in creating X.509 certificate"
exit 1
;;
esac
echo -e "$6\n$7\n$8\n$9\n${10}\n${11}\n${12}\n\n\n" | \
/usr/bin/openssl req -new -outform PEM -out $certreq \
-newkey rsa:$1 -nodes -keyout $3 -keyform PEM \
-days $2 $selfsigned >/dev/null
}
. /usr/share/debconf/confmodule
case "$1" in
configure)
# if SECRETS_INC_FILE is not there we touch it to avoid error messages
if [ ! -f "$SECRETS_INC_FILE" ]; then
touch $SECRETS_INC_FILE
fi
# now we fix permissions of SECRETS_INC_DIR and SECRETS_INC_FILE (if the admin did not specify different ones)
if [ "`dpkg-statoverride --list $SECRETS_INC_DIR`" ] || [ "`find $SECRETS_INC_DIR ! -perm 0700`" ]; then
chmod 0700 $SECRETS_INC_DIR
fi
if [ "`dpkg-statoverride --list $SECRETS_INC_FILE`" ] || [ "`find $SECRETS_INC_FILE ! -perm 0700`" ]; then
chmod 0600 $SECRETS_INC_FILE
fi
db_get openswan/install_x509_certificate
if [ "$RET" = "true" ]; then
db_get openswan/how_to_get_x509_certificate
if [ "$RET" = "create" ]; then
# extract the key from a (newly created) x509 certificate
host=`hostname`
newkeyfile="/etc/ipsec.d/private/${host}Key.pem"
newcertfile="/etc/ipsec.d/certs/${host}Cert.pem"
if [ -e $newcertfile -o -e $newkeyfile ]; then
Error "$newcertfile or $newkeyfile already exists."
Error "Please remove them first an then re-run dpkg-reconfigure to create a new keypair."
else
# create a new certificate
db_get openswan/rsa_key_length
keylength=$RET
db_get openswan/x509_self_signed
selfsigned=$RET
db_get openswan/x509_country_code
countrycode=$RET
if [ -z "$countrycode" ]; then countrycode="."; fi
db_get openswan/x509_state_name
statename=$RET
if [ -z "$statename" ]; then statename="."; fi
db_get openswan/x509_locality_name
localityname=$RET
if [ -z "$localityname" ]; then localityname="."; fi
db_get openswan/x509_organization_name
orgname=$RET
if [ -z "$orgname" ]; then orgname="."; fi
db_get openswan/x509_organizational_unit
orgunit=$RET
if [ -z "$orgunit" ]; then orgunit="."; fi
db_get openswan/x509_common_name
commonname=$RET
if [ -z "$commonname" ]; then commonname="."; fi
db_get openswan/x509_email_address
email=$RET
if [ -z "$email" ]; then email="."; fi
make_x509_cert $keylength 1500 "$newkeyfile" "$newcertfile" "$selfsigned" "$countrycode" "$statename" "$localityname" "$orgname" "$orgunit" "$commonname" "$email"
chmod 0600 "$newkeyfile"
insert_private_key_filename "$newkeyfile"
echo "Successfully created x509 certificate."
fi
elif [ "$RET" = "import" ]; then
# existing certificate - use it
db_get openswan/existing_x509_certificate_filename
certfile=$RET
db_get openswan/existing_x509_key_filename
keyfile=$RET
db_get openswan/existing_x509_rootca_filename
cafile=$RET
if [ ! "$certfile" ] || [ ! "$keyfile" ]; then
Error "Either the certificate or the key filename is not specified."
elif ! ( ( [ -f "$certfile" ] || [ -L "$certfile" ] ) && ( [ -f "$keyfile" ] || [ -L "$keyfile" ] ) && ( [ "$cafile" = "" ] || ( [ -f "$cafile" ] || [ -L "$cafile" ] ) ) ); then
Error "Either the certificate or the key"${cafile:+ or the rootca}" file is not a regular file or symbolic link."
elif [ ! "`grep 'BEGIN CERTIFICATE' $certfile`" ] || [ ! "`grep 'BEGIN RSA PRIVATE KEY' $keyfile`" ] || ( [ "$cafile" != "" ] && [ ! "`grep 'BEGIN CERTIFICATE' $cafile`" ] ); then
Error "Either the certificate or the key"${cafile:+ or the rootca}" file is not a valid PEM type file."
elif [ "$cafile" ] && ( [ "$certfile" = "$cafile" ] || [ "$keyfile" = "$cafile" ]); then
Error "The certificate or the key file contains the rootca - unable to import automatically."
elif [ "`grep 'BEGIN CERTIFICATE' $certfile | wc -l`" -gt 1 ]; then
Error "The certificate file contains more than one certificate - unable to import automatically."
elif [ "`grep 'ENCRYPTED' $keyfile`" ]; then
Error "The key file contains an encrypted key - unable to import automatically."
else
newcertfile="/etc/ipsec.d/certs/$(basename "$certfile")"
newkeyfile="/etc/ipsec.d/private/$(basename "$keyfile")"
if [ "$cafile" ]; then
newcafile="/etc/ipsec.d/private/$(basename "$cafile")"
else
newcafile=""
fi
if [ -e "$newcertfile" ] || [ -e "$newkeyfile" ] || ( [ "$newcafile" != "" ] && [ -e "$newcafile" ] ); then
Error "$newcertfile or $newkeyfile"${newcafile:+ or $newcafile}" already exists."
Error "Please remove them first and then re-run dpkg-reconfigure to extract an existing keypair"${newcafile:+ and a rootca}"."
else
openssl x509 -in $certfile -out $newcertfile 2>/dev/null
openssl rsa -passin pass:"" -in $keyfile -out $newkeyfile 2>/dev/null
chmod 0600 "$newkeyfile"
insert_private_key_filename "$newkeyfile"
cp "$cafile" /etc/ipsec.d/cacerts
echo "Successfully integrated existing x509 certificate."
fi
fi
fi
db_set openswan/install_x509_certificate false
fi
# scheduled for removal 2012-02
if egrep -q "^include /etc/ipsec.d/examples/no_oe.conf$" /etc/ipsec.conf; then
db_fset openswan/no-oe_include_file seen false
db_input high openswan/no-oe_include_file || true
db_go
cat /etc/ipsec.conf | grep -v "^#Disable Opportunistic Encryption$" | grep -v "^include /etc/ipsec.d/examples/no_oe.conf$" > /etc/ipsec.conf.tmp
mv /etc/ipsec.conf.tmp /etc/ipsec.conf
fi
# scheduled for removal 2011-03
runlevels=`find /etc/rc*.d -type l -a -name "*ipsec" -a -lname "../init.d/ipsec" -print0 | sed 's/\/etc\/rc//g' | sed 's/\.d\///g' | sed 's/ipsec//g'`
# lets see if we are already using dependency based booting or the correct runlevel parameters
if ! ( [ "`find /etc/init.d/ -name '.depend.*'`" ] || [ "$runlevels" = "0K841K842S163S164S165S166K84" ] ); then
db_fset openswan/runlevel_changes seen false
db_input high openswan/runlevel_changes || true
db_go
# if the admin did not change the runlevels which got installed by older packages we can modify them
if [ "$runlevels" = "0K346K34SS41" ] || [ "$runlevels" = "0K301K302S153S154S155S156K30" ] || [ "$runlevels" = "0K191K192S213S214S215S216K19" ]; then
update-rc.d -f ipsec remove
fi
update-rc.d ipsec defaults 16 84 > /dev/null
fi
if [ -z "$2" ]; then
# no old configured version - start openswan now
invoke-rc.d ipsec start || true
else
# does the user wish openswan to restart?
db_get openswan/restart
if [ "$RET" = "true" ]; then
invoke-rc.d ipsec restart || true # sure, we'll restart it for you
fi
fi
db_stop
;;
abort-upgrade|abort-remove|abort-deconfigure)
;;
*)
echo "postinst called with unknown argument '$1'" >&2
exit 0
;;
esac
# dh_installdeb will replace this with shell code automatically
exit 0
|