/mandos/release

#!/bin/sh

# This script can be called in the following ways:

#

# After the package was installed:

#       <postinst> configure <old-version>

#

#

# If prerm fails during upgrade or fails on failed upgrade:

#       <old-postinst> abort-upgrade <new-version>

#

# If prerm fails during deconfiguration of a package:

#       <postinst> abort-deconfigure in-favour <new-package> <version>

#                  removing <old-package> <version>

#

# If prerm fails during replacement due to conflict:

#       <postinst> abort-remove in-favour <new-package> <version>

. /usr/share/debconf/confmodule

set -e

# Update the initial RAM file system image

update_initramfs()

{

    update-initramfs -u -k all

    if dpkg --compare-versions "$2" lt-nl "1.0.10-1"; then

        # Make old initrd.img files unreadable too, in case they were

        # created with mandos-client 1.0.8 or older.

	find /boot -maxdepth 1 -type f -name "initrd.img-*.bak" \

	    -print0 | xargs --null --no-run-if-empty chmod o-r

    fi

}

# Add user and group

add_mandos_user(){

    # Rename old "mandos" user and group

    if dpkg --compare-versions "$2" lt "1.0.3-1"; then

	case "`getent passwd mandos`" in

	    *:Mandos\ password\ system,,,:/nonexistent:/bin/false)

		usermod --login _mandos mandos

		groupmod --new-name _mandos mandos

		return

		;;

	esac

    fi

    # Create new user and group

    if ! getent passwd _mandos >/dev/null; then

	adduser --system --force-badname --quiet --home /nonexistent \

	    --no-create-home --group --disabled-password \

	    --gecos "Mandos password system" _mandos

    fi

}

# Create client key pairs

create_keys(){

    # If the OpenPGP key files do not exist, generate all keys using

    # mandos-keygen

    if ! [ -r /etc/keys/mandos/pubkey.txt \

	      -a -r /etc/keys/mandos/seckey.txt ]; then

	mandos-keygen

	gpg-connect-agent KILLAGENT /bye || :

	return 0

    fi

    # Remove any bad TLS keys by 1.8.0-1

    if dpkg --compare-versions "$2" eq "1.8.0-1" \

       || dpkg --compare-versions "$2" eq "1.8.0-1~bpo9+1"; then

	# Is the key bad?

	if ! certtool --password='' \

	     --load-privkey=/etc/keys/mandos/tls-privkey.pem \

	     --outfile=/dev/null --pubkey-info --no-text \

	     2>/dev/null; then

	    shred --remove -- /etc/keys/mandos/tls-privkey.pem \

		  2>/dev/null || :

	    rm --force -- /etc/keys/mandos/tls-pubkey.pem

	fi

    fi

    # If the TLS keys already exists, do nothing

    if [ -r /etc/keys/mandos/tls-privkey.pem \

	    -a -r /etc/keys/mandos/tls-pubkey.pem ]; then

	return 0

    fi

    # Try to create the TLS keys

    TLS_PRIVKEYTMP="`mktemp -t mandos-client-privkey.XXXXXXXXXX`"

    if certtool --generate-privkey --password='' \

		--outfile "$TLS_PRIVKEYTMP" --sec-param ultra \

		--key-type=ed25519 --pkcs8 --no-text 2>/dev/null; then

	local umask=$(umask)

	umask 077

	cp --archive "$TLS_PRIVKEYTMP" /etc/keys/mandos/tls-privkey.pem

	shred --remove -- "$TLS_PRIVKEYTMP" 2>/dev/null || :

	# First try certtool from GnuTLS

	if ! certtool --password='' \

	     --load-privkey=/etc/keys/mandos/tls-privkey.pem \

	     --outfile=/etc/keys/mandos/tls-pubkey.pem --pubkey-info \

	     --no-text 2>/dev/null; then

	    # Otherwise try OpenSSL

	    if ! openssl pkey -in /etc/keys/mandos/tls-privkey.pem \

		 -out /etc/keys/mandos/tls-pubkey.pem -pubout; then

		rm --force /etc/keys/mandos/tls-pubkey.pem

		# None of the commands succeded; give up

		umask $umask

		return 1

	    fi

	fi

	umask $umask

	key_id=$(mandos-keygen --passfile=/dev/null \

		     | grep --regexp="^key_id[ =]")

	db_version 2.0

	db_fset mandos-client/key_id seen false

	db_reset mandos-client/key_id

	db_subst mandos-client/key_id key_id $key_id

	db_input critical mandos-client/key_id || true

	db_go

	db_stop

    else

	shred --remove -- "$TLS_PRIVKEYTMP" 2>/dev/null || :

    fi

}

create_dh_params(){

    if [ -r /etc/keys/mandos/dhparams.pem ]; then

	return 0

    fi

    # Create a Diffe-Hellman parameters file

    DHFILE="`mktemp -t mandos-client-dh-parameters.XXXXXXXXXX.pem`"

    # First try certtool from GnuTLS

    if ! certtool --generate-dh-params --sec-param high \

	 --outfile "$DHFILE"; then

	# Otherwise try OpenSSL

	if ! openssl genpkey -genparam -algorithm DH -out "$DHFILE" \

	     -pkeyopt dh_paramgen_prime_len:3072; then

	    # None of the commands succeded; give up

	    rm -- "$DHFILE"

	    return 1

	fi

    fi

    sed --in-place --expression='0,/^-----BEGIN DH PARAMETERS-----$/d' \

	"$DHFILE"

    sed --in-place --expression='1i-----BEGIN DH PARAMETERS-----' \

	    "$DHFILE"

    cp --archive "$DHFILE" /etc/keys/mandos/dhparams.pem

    rm -- "$DHFILE"

}

case "$1" in

    configure)

	add_mandos_user "$@"

	create_keys "$@"

	create_dh_params "$@" || :

	update_initramfs "$@"

	if dpkg --compare-versions "$2" lt-nl "1.7.10-1"; then

	    PLUGINHELPERDIR=/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null)/mandos/plugin-helpers

	    if ! dpkg-statoverride --list "$PLUGINHELPERDIR" \

		 >/dev/null 2>&1; then

		chmod u=rwx,go= -- "$PLUGINHELPERDIR"

	    fi

	    if ! dpkg-statoverride --list /etc/mandos/plugin-helpers \

		 >/dev/null 2>&1; then

		chmod u=rwx,go= -- /etc/mandos/plugin-helpers

	    fi

	fi

	;;

    abort-upgrade|abort-deconfigure|abort-remove)

	;;

    *)

	echo "$0 called with unknown argument '$1'" 1>&2

	exit 1

	;;

esac

#DEBHELPER#

exit 0