This file is indexed.

postinst is in strongswan-starter 5.6.2-1ubuntu2.

This file is a maintainer script. It is executed when installing (*inst) or removing (*rm) the package.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
#! /bin/bash
# postinst script for strongswan
#
# see: dh_installdeb(1)

set -e

# summary of how this script can be called:
#        * <postinst> `configure' <most-recently-configured-version>
#        * <old-postinst> `abort-upgrade' <new version>
#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
#          <new-version>
#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
#          <failed-install-package> <version> `removing'
#          <conflicting-package> <version>
# for details, see /usr/share/doc/packaging-manual/
#
# quoting from the policy:
#     Any necessary prompting should almost always be confined to the
#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
#          <failed-install-package> <version> `removing'
#          <conflicting-package> <version>
# for details, see /usr/share/doc/packaging-manual/
#
# quoting from the policy:
#     Any necessary prompting should almost always be confined to the
#     post-installation script, and should be protected with a conditional
#     so that unnecessary prompting doesn't happen if a package's
#     installation fails and the `postinst' is called with `abort-upgrade',
#     `abort-remove' or `abort-deconfigure'.

CONF_FILE=/var/lib/strongswan/ipsec.conf.inc
SECRETS_FILE=/var/lib/strongswan/ipsec.secrets.inc

Warn ()
{
    echo "$*" >&2
}

Error ()
{
    Warn "Error: $*"
}

insert_private_key_filename() {
	if ! ( [ -e $SECRETS_INC_FILE ] && egrep -q ": RSA $1" $SECRETS_INC_FILE ); then
            echo ": RSA $1" >> $SECRETS_INC_FILE
        fi
}

make_x509_cert() {
    if [ $# -ne 12 ]; then
        echo "Error in creating X.509 certificate"
        exit 1
    fi

    case $5 in
        false)
            certreq=$4.req
            selfsigned=""
        ;;
        true)
            certreq=$4
            selfsigned="-x509"
        ;;
        *)
            echo "Error in creating X.509 certificate"
            exit 1
        ;;
    esac

    echo -e "$6\n$7\n$8\n$9\n${10}\n${11}\n${12}\n\n\n" | \
      /usr/bin/openssl req -new -outform PEM -out $certreq \
                       -newkey rsa:$1 -nodes -keyout $3 -keyform PEM \
                       -days $2 $selfsigned >/dev/null
}

enable_daemon_start() {
    daemon=$1
    protocol=$2

    echo -n "Enabling ${protocol} support by ${daemon}... "
    if [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=yes\w*$" $CONF_FILE; then
        echo "already enabled"
    elif [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=no\w*$" $CONF_FILE; then
      	sed "s/${daemon}start=no/${daemon}start=yes/" < $CONF_FILE > $CONF_FILE.tmp
        cp $CONF_FILE.tmp $CONF_FILE
	rm $CONF_FILE.tmp
        echo "done"
    elif [ -e $CONF_FILE ] && egrep -q "^\w+#\w*${daemon}start=(yes|no)\w*$" $CONF_FILE; then
      	sed "s/^\w+#\w*${daemon}start=(yes|no)\w*$/\t${daemon}start=yes/" < $CONF_FILE > $CONF_FILE.tmp
        cp $CONF_FILE.tmp $CONF_FILE
	rm $CONF_FILE.tmp
        echo "done"
    elif [ ! -e $CONF_FILE ]; then
	echo -e "\t${daemon}start=yes" > $CONF_FILE
    else
        echo "ERROR: unknown or nonexistant ${daemon}start= directive, please fix manually!"
    fi
}

disable_daemon_start() {
    daemon=$1
    protocol=$2

    echo -n "Disabling ${protocol} support by ${daemon}... "
    if [ -e $CONF_FILE ] && ( egrep -q "^\w+${daemon}start=no\w*$" $CONF_FILE ||
       egrep -q "^\w+#\w*${daemon}start=(yes|no)\w*$" $CONF_FILE ); then
        echo "already disabled"
    elif [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=yes\w*$" $CONF_FILE; then
      	sed "s/${daemon}start=yes/${daemon}start=no/" < $CONF_FILE > $CONF_FILE.tmp
        cp $CONF_FILE.tmp $CONF_FILE
	rm $CONF_FILE.tmp
        echo "done"
    elif [ ! -e $CONF_FILE ]; then
	echo -e "\t${daemon}start=yes" > $CONF_FILE
    else
        echo "ERROR: unknown or nonexistant ${daemon}start= directive, please fix manually!"
    fi
}

setup_strongswan_user() {
        if ! getent passwd strongswan >/dev/null; then
                adduser --quiet --system --no-create-home --home /var/lib/strongswan --shell /usr/sbin/nologin strongswan
        fi
}

. /usr/share/debconf/confmodule

case "$1" in
    configure)
	db_get strongswan/install_x509_certificate
	if [ "$RET" = "true" ]; then
	    db_get strongswan/how_to_get_x509_certificate
	    if [ "$RET" = "create" ]; then
                # extract the key from a (newly created) x509 certificate
		host=`hostname`
		newkeyfile="/etc/ipsec.d/private/${host}Key.pem"
       		newcertfile="/etc/ipsec.d/certs/${host}Cert.pem"
                if [ -e $newcertfile -o -e $newkeyfile ]; then
                    Error "$newcertfile or $newkeyfile already exists."
                    Error "Please remove them first an then re-run dpkg-reconfigure to create a new keypair."
                else
     			# create a new certificate
       			db_get strongswan/rsa_key_length
       			keylength=$RET
       			db_get strongswan/x509_self_signed
       			selfsigned=$RET
       			db_get strongswan/x509_country_code
       			countrycode=$RET
       			if [ -z "$countrycode" ]; then countrycode="."; fi
       			db_get strongswan/x509_state_name
       			statename=$RET
       			if [ -z "$statename" ]; then statename="."; fi
       			db_get strongswan/x509_locality_name
       			localityname=$RET
       			if [ -z "$localityname" ]; then localityname="."; fi
       			db_get strongswan/x509_organization_name
       			orgname=$RET
       			if [ -z "$orgname" ]; then orgname="."; fi
       			db_get strongswan/x509_organizational_unit
       			orgunit=$RET
       			if [ -z "$orgunit" ]; then orgunit="."; fi
       			db_get strongswan/x509_common_name
       			commonname=$RET
       			if [ -z "$commonname" ]; then commonname="."; fi
       			db_get strongswan/x509_email_address
       			email=$RET
       			if [ -z "$email" ]; then email="."; fi
       			make_x509_cert $keylength 1500 "$newkeyfile" "$newcertfile" "$selfsigned" "$countrycode" "$statename" "$localityname" "$orgname" "$orgunit" "$commonname" "$email"
       			chmod 0600 "$newkeyfile"
       			umask 077
       			insert_private_key_filename "$newkeyfile"
       			echo "Successfully created x509 certificate."
       		fi
       	    elif [ "$RET" = "import" ]; then
		# existing certificate - use it
		db_get strongswan/existing_x509_certificate_filename
		certfile=$RET
		db_get strongswan/existing_x509_key_filename
		keyfile=$RET
		db_get strongswan/existing_x509_rootca_filename
		cafile=$RET

		if [ ! "$certfile" ] || [ ! "$keyfile" ]; then
		    Error "Either the certificate or the key filename is not specified."
		elif ! ( ( [ -f "$certfile" ] || [ -L "$certfile" ] ) && ( [ -f "$keyfile" ] || [ -L "$keyfile" ] ) && ( [ "$cafile" = "" ] || ( [ -f "$cafile" ] || [ -L "$cafile" ] ) ) ); then
		    Error "Either the certificate or the key"${cafile:+ or the rootca}" file is not a regular file or symbolic link."
		elif [ ! "`grep 'BEGIN CERTIFICATE' $certfile`" ] || [ ! "`grep 'BEGIN RSA PRIVATE KEY' $keyfile`" ] || ( [ "$cafile" != "" ] && [ ! "`grep 'BEGIN CERTIFICATE' $cafile`" ] ); then
		    Error "Either the certificate or the key"${cafile:+ or the rootca}" file is not a valid PEM type file."
		elif [ "$cafile" ] && ( [ "$certfile" = "$cafile" ] || [ "$keyfile" = "$cafile" ]); then
		    Error "The certificate or the key file contains the rootca - unable to import automatically."
		elif [ "`grep 'BEGIN CERTIFICATE' $certfile | wc -l`" -gt 1 ]; then
		    Error "The certificate file contains more than one certificate - unable to import automatically."
		elif [ "`grep 'ENCRYPTED' $keyfile`" ]; then
		    Error "The key file contains an encrypted key - unable to import automatically."
		else
		    newcertfile="/etc/ipsec.d/certs/$(basename "$certfile")"
		    newkeyfile="/etc/ipsec.d/private/$(basename "$keyfile")"
		    if [ "$cafile" ]; then
			newcafile="/etc/ipsec.d/private/$(basename "$cafile")"
		    else
			newcafile=""
		    fi

		    if [ -e "$newcertfile" ] || [ -e "$newkeyfile" ] || ( [ "$newcafile" != "" ] && [ -e "$newcafile" ] ); then
			Error "$newcertfile or $newkeyfile"${newcafile:+ or $newcafile}" already exists."
			Error "Please remove them first and then re-run dpkg-reconfigure to extract an existing keypair"${newcafile:+ and a rootca}"."
		    else
			openssl x509 -in $certfile -out $newcertfile 2>/dev/null
			umask 077
			openssl rsa -passin pass:"" -in $keyfile -out $newkeyfile 2>/dev/null
			chmod 0600 "$newkeyfile"
			insert_private_key_filename "$newkeyfile"
			cp "$cafile" /etc/ipsec.d/cacerts
			echo "Successfully integrated existing x509 certificate."
		    fi
		fi
            fi
	    db_set strongswan/install_x509_certificate false
	fi

	# disabled for now, until we can solve the don't-edit-conffiles issue
        #db_get strongswan/ikev1
        #if [ "$RET" != "true" ]; then
        #    enable_daemon_start "pluto" "IKEv1"
	#else
        #    disable_daemon_start "pluto" "IKEv1"
        #fi
        #db_get strongswan/ikev2
        #if [ "$RET" != "true" ]; then
        #    enable_daemon_start "charon" "IKEv2"
	#else
        #    disable_daemon_start "charon" "IKEv2"
        #fi

	# create user for strongswan to change its uid into
	setup_strongswan_user

	if [ -z "$2" ]; then
	    # no old configured version - start strongswan now
            invoke-rc.d ipsec start || true
        else
  	    # does the user wish strongswan to restart?
	    db_get strongswan/restart
	    if [ "$RET" = "true" ]; then
	         invoke-rc.d ipsec restart || true # sure, we'll restart it for you
	    fi
	fi

        db_stop

    ;;

    abort-upgrade|abort-remove|abort-deconfigure)

    ;;

    *)
        echo "postinst called with unknown argument '$1'" >&2
        exit 0
    ;;
esac

# dh_installdeb will replace this with shell code automatically

# Automatically added by dh_apparmor/2.12-4ubuntu1
aa_is_enabled() {
   if command aa-enabled >/dev/null 2>&1; then
      # apparmor >= 2.10.95-2
      aa-enabled --quiet 2>/dev/null
   else
      # apparmor << 2.10.95-2
      # (This should be removed once Debian Stretch and Ubuntu 18.04 are out.)
      rc=0
      aa-status --enabled 2>/dev/null || rc=$?
      [ "$rc" = 0 ] || [ "$rc" = 2 ]
   fi
}

if [ "$1" = "configure" ]; then
    APP_PROFILE="/etc/apparmor.d/usr.lib.ipsec.stroke"
    if [ -f "$APP_PROFILE" ]; then
        # Add the local/ include
        LOCAL_APP_PROFILE="/etc/apparmor.d/local/usr.lib.ipsec.stroke"

        test -e "$LOCAL_APP_PROFILE" || {
            mkdir -p `dirname "$LOCAL_APP_PROFILE"`
            install --mode 644 /dev/null "$LOCAL_APP_PROFILE"
        }

        # Reload the profile, including any abstraction updates
        if aa_is_enabled; then
            apparmor_parser -r -T -W "$APP_PROFILE" || true
        fi
    fi
fi
# End automatically added section
# Automatically added by dh_systemd_enable/11.1.4ubuntu1
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
	# This will only remove masks created by d-s-h on package removal.
	deb-systemd-helper unmask 'strongswan.service' >/dev/null || true

	# was-enabled defaults to true, so new installations run enable.
	if deb-systemd-helper --quiet was-enabled 'strongswan.service'; then
		# Enables the unit on first installation, creates new
		# symlinks on upgrades if the unit file has changed.
		deb-systemd-helper enable 'strongswan.service' >/dev/null || true
	else
		# Update the statefile to add new symlinks (if any), which need to be
		# cleaned up on purge. Also remove old symlinks.
		deb-systemd-helper update-state 'strongswan.service' >/dev/null || true
	fi
fi
# End automatically added section
# Automatically added by dh_systemd_start/11.1.4ubuntu1
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
	if [ -d /run/systemd/system ]; then
		systemctl --system daemon-reload >/dev/null || true
		deb-systemd-invoke start 'strongswan.service' >/dev/null || true
	fi
fi
# End automatically added section
# Automatically added by dh_installdeb/11.1.4ubuntu1
dpkg-maintscript-helper rm_conffile /etc/init.d/ipsec 5.5.1-1ubuntu1~ -- "$@"
# End automatically added section


exit 0