#!/bin/sh
# This script can be called in the following ways:
#
# After the package was installed:
#       <postinst> configure <old-version>
#
#
# If prerm fails during upgrade or fails on failed upgrade:
#       <old-postinst> abort-upgrade <new-version>
#
# If prerm fails during deconfiguration of a package:
#       <postinst> abort-deconfigure in-favour <new-package> <version>
#                  removing <old-package> <version>
#
# If prerm fails during replacement due to conflict:
#       <postinst> abort-remove in-favour <new-package> <version>

. /usr/share/debconf/confmodule

set -e

# Update the initial RAM file system image
update_initramfs()
{
    update-initramfs -u -k all
    
    if dpkg --compare-versions "$2" lt-nl "1.0.10-1"; then
        # Make old initrd.img files unreadable too, in case they were
        # created with mandos-client 1.0.8 or older.
	find /boot -maxdepth 1 -type f -name "initrd.img-*.bak" \
	    -print0 | xargs --null --no-run-if-empty chmod o-r
    fi
}

# Add user and group
add_mandos_user(){
    # Rename old "mandos" user and group
    if dpkg --compare-versions "$2" lt "1.0.3-1"; then
	case "`getent passwd mandos`" in
	    *:Mandos\ password\ system,,,:/nonexistent:/bin/false)
		usermod --login _mandos mandos
		groupmod --new-name _mandos mandos
		return
		;;
	esac
    fi
    # Create new user and group
    if ! getent passwd _mandos >/dev/null; then
	adduser --system --force-badname --quiet --home /nonexistent \
	    --no-create-home --group --disabled-password \
	    --gecos "Mandos password system" _mandos
    fi
}

# Create client key pairs
create_keys(){
    # If the OpenPGP key files do not exist, generate all keys using
    # mandos-keygen
    if ! [ -r /etc/keys/mandos/pubkey.txt \
	      -a -r /etc/keys/mandos/seckey.txt ]; then
	mandos-keygen
	gpg-connect-agent KILLAGENT /bye || :
	return 0
    fi

    # Remove any bad TLS keys by 1.8.0-1
    if dpkg --compare-versions "$2" eq "1.8.0-1" \
       || dpkg --compare-versions "$2" eq "1.8.0-1~bpo9+1"; then
	# Is the key bad?
	if ! certtool --password='' \
	     --load-privkey=/etc/keys/mandos/tls-privkey.pem \
	     --outfile=/dev/null --pubkey-info --no-text \
	     2>/dev/null; then
	    shred --remove -- /etc/keys/mandos/tls-privkey.pem \
		  2>/dev/null || :
	    rm --force -- /etc/keys/mandos/tls-pubkey.pem
	fi
    fi

    # If the TLS keys already exists, do nothing
    if [ -r /etc/keys/mandos/tls-privkey.pem \
	    -a -r /etc/keys/mandos/tls-pubkey.pem ]; then
	return 0
    fi

    # Try to create the TLS keys

    TLS_PRIVKEYTMP="`mktemp -t mandos-client-privkey.XXXXXXXXXX`"

    if certtool --generate-privkey --password='' \
		--outfile "$TLS_PRIVKEYTMP" --sec-param ultra \
		--key-type=ed25519 --pkcs8 --no-text 2>/dev/null; then

	local umask=$(umask)
	umask 077
	cp --archive "$TLS_PRIVKEYTMP" /etc/keys/mandos/tls-privkey.pem
	shred --remove -- "$TLS_PRIVKEYTMP" 2>/dev/null || :

	# First try certtool from GnuTLS
	if ! certtool --password='' \
	     --load-privkey=/etc/keys/mandos/tls-privkey.pem \
	     --outfile=/etc/keys/mandos/tls-pubkey.pem --pubkey-info \
	     --no-text 2>/dev/null; then
	    # Otherwise try OpenSSL
	    if ! openssl pkey -in /etc/keys/mandos/tls-privkey.pem \
		 -out /etc/keys/mandos/tls-pubkey.pem -pubout; then
		rm --force /etc/keys/mandos/tls-pubkey.pem
		# None of the commands succeded; give up
		umask $umask
		return 1
	    fi
	fi
	umask $umask

	key_id=$(mandos-keygen --passfile=/dev/null \
		     | grep --regexp="^key_id[ =]")

	db_version 2.0
	db_fset mandos-client/key_id seen false
	db_reset mandos-client/key_id
	db_subst mandos-client/key_id key_id $key_id
	db_input critical mandos-client/key_id || true
	db_go
	db_stop
    else
	shred --remove -- "$TLS_PRIVKEYTMP" 2>/dev/null || :
    fi
}

create_dh_params(){
    if [ -r /etc/keys/mandos/dhparams.pem ]; then
	return 0
    fi
    # Create a Diffe-Hellman parameters file
    DHFILE="`mktemp -t mandos-client-dh-parameters.XXXXXXXXXX.pem`"
    # First try certtool from GnuTLS
    if ! certtool --generate-dh-params --sec-param high \
	 --outfile "$DHFILE"; then
	# Otherwise try OpenSSL
	if ! openssl genpkey -genparam -algorithm DH -out "$DHFILE" \
	     -pkeyopt dh_paramgen_prime_len:3072; then
	    # None of the commands succeded; give up
	    rm -- "$DHFILE"
	    return 1
	fi
    fi
    sed --in-place --expression='0,/^-----BEGIN DH PARAMETERS-----$/d' \
	"$DHFILE"
    sed --in-place --expression='1i-----BEGIN DH PARAMETERS-----' \
	    "$DHFILE"
    cp --archive "$DHFILE" /etc/keys/mandos/dhparams.pem
    rm -- "$DHFILE"
}

case "$1" in
    configure)
	add_mandos_user "$@"
	create_keys "$@"
	create_dh_params "$@" || :
	update_initramfs "$@"
	if dpkg --compare-versions "$2" lt-nl "1.7.10-1"; then
	    PLUGINHELPERDIR=/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null)/mandos/plugin-helpers
	    if ! dpkg-statoverride --list "$PLUGINHELPERDIR" \
		 >/dev/null 2>&1; then
		chmod u=rwx,go= -- "$PLUGINHELPERDIR"
	    fi
	    if ! dpkg-statoverride --list /etc/mandos/plugin-helpers \
		 >/dev/null 2>&1; then
		chmod u=rwx,go= -- /etc/mandos/plugin-helpers
	    fi
	fi
	;;
    abort-upgrade|abort-deconfigure|abort-remove)
	;;

    *)
	echo "$0 called with unknown argument '$1'" 1>&2
	exit 1
	;;
esac

#DEBHELPER#

exit 0