/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to debian/mandos-client.postinst

  • Committer: Teddy Hogeborn
  • Date: 2019-02-09 23:34:15 UTC
  • mto: (237.7.594 trunk)
  • mto: This revision was merged to the branch mainline in revision 370.
  • Revision ID: teddy@recompile.se-20190209233415-m1ntebuepwna1xg1
Doc fix: Change some "/etc/mandos" to "/etc/keys/mandos"

* clients.conf: Change "/etc/mandos" to "/etc/keys/mandos" where
                appropriate
* mandos-keygen.xml: - '' -

Show diffs side-by-side

added added

removed removed

Lines of Context:
debian/mandos-client.postinst
15
15
# If prerm fails during replacement due to conflict:
16
16
#       <postinst> abort-remove in-favour <new-package> <version>
17
17
 
18
 
. /usr/share/debconf/confmodule
19
 
 
20
18
set -e
21
19
 
22
20
# Update the initial RAM file system image
63
61
        return 0
64
62
    fi
65
63
 
66
 
    # Remove any bad TLS keys by 1.8.0-1
67
 
    if dpkg --compare-versions "$2" eq "1.8.0-1" \
68
 
       || dpkg --compare-versions "$2" eq "1.8.0-1~bpo9+1"; then
69
 
        # Is the key bad?
70
 
        if ! certtool --password='' \
71
 
             --load-privkey=/etc/keys/mandos/tls-privkey.pem \
72
 
             --outfile=/dev/null --pubkey-info --no-text \
73
 
             2>/dev/null; then
74
 
            shred --remove -- /etc/keys/mandos/tls-privkey.pem
75
 
            rm -- /etc/keys/mandos/tls-pubkey.pem
76
 
        fi
77
 
    fi
78
 
 
79
64
    # If the TLS keys already exists, do nothing
80
65
    if [ -r /etc/keys/mandos/tls-privkey.pem \
81
66
            -a -r /etc/keys/mandos/tls-pubkey.pem ]; then
82
67
        return 0
83
68
    fi
84
69
 
85
 
    # Try to create the TLS keys
86
 
 
87
 
    TLS_PRIVKEYTMP="`mktemp -t mandos-client-privkey.XXXXXXXXXX`"
88
 
 
89
 
    if certtool --generate-privkey --password='' \
90
 
                --outfile "$TLS_PRIVKEYTMP" --sec-param ultra \
91
 
                --key-type=ed25519 --pkcs8 --no-text 2>/dev/null; then
92
 
 
93
 
        local umask=$(umask)
94
 
        umask 077
95
 
        cp --archive "$TLS_PRIVKEYTMP" /etc/keys/mandos/tls-privkey.pem
96
 
        shred --remove -- "$TLS_PRIVKEYTMP"
97
 
 
98
 
        # First try certtool from GnuTLS
99
 
        if ! certtool --password='' \
100
 
             --load-privkey=/etc/keys/mandos/tls-privkey.pem \
101
 
             --outfile=/etc/keys/mandos/tls-pubkey.pem --pubkey-info \
102
 
             --no-text 2>/dev/null; then
103
 
            # Otherwise try OpenSSL
104
 
            if ! openssl pkey -in /etc/keys/mandos/tls-privkey.pem \
105
 
                 -out /etc/keys/mandos/tls-pubkey.pem -pubout; then
106
 
                rm --force /etc/keys/mandos/tls-pubkey.pem
107
 
                # None of the commands succeded; give up
108
 
                umask $umask
109
 
                return 1
110
 
            fi
111
 
        fi
112
 
        umask $umask
113
 
 
114
 
        key_id=$(mandos-keygen --passfile=/dev/null \
115
 
                     | grep --regexp="^key_id[ =]")
116
 
 
117
 
        db_version 2.0
118
 
        db_fset mandos-client/key_id seen false
119
 
        db_reset mandos-client/key_id
120
 
        db_subst mandos-client/key_id key_id $key_id
121
 
        db_input critical mandos-client/key_id || true
122
 
        db_go
123
 
        db_stop
124
 
    else
125
 
        shred --remove -- "$TLS_PRIVKEYTMP"
126
 
    fi
 
70
    # If this is an upgrade from an old installation, the TLS keys
 
71
    # will not exist; create them.
 
72
 
 
73
    # First try certtool from GnuTLS
 
74
    if ! certtool --generate-privkey --password='' \
 
75
         --outfile /etc/keys/mandos/tls-privkey.pem \
 
76
         --sec-param ultra --key-type=ed25519 --pkcs8 --no-text \
 
77
         2>/dev/null; then
 
78
        # Otherwise try OpenSSL
 
79
        if ! openssl genpkey -algorithm X25519 \
 
80
             -out /etc/keys/mandos/tls-privkey.pem; then
 
81
            rm --force /etc/keys/mandos/tls-privkey.pem
 
82
            # None of the commands succeded; give up
 
83
            return 1
 
84
        fi
 
85
    fi
 
86
 
 
87
    local umask=$(umask)
 
88
    umask 077
 
89
    # First try certtool from GnuTLS
 
90
    if ! certtool --password='' \
 
91
         --load-privkey=/etc/keys/mandos/tls-privkey.pem \
 
92
         --outfile=/etc/keys/mandos/tls-pubkey.pem --pubkey-info \
 
93
         --no-text 2>/dev/null; then
 
94
        # Otherwise try OpenSSL
 
95
        if ! openssl pkey -in /etc/keys/mandos/tls-privkey.pem \
 
96
             -out /etc/keys/mandos/tls-pubkey.pem -pubout; then
 
97
            rm --force /etc/keys/mandos/tls-pubkey.pem
 
98
            # None of the commands succeded; give up
 
99
            umask $umask
 
100
            return 1
 
101
        fi
 
102
    fi
 
103
    umask $umask
127
104
}
128
105
 
129
106
create_dh_params(){