Package: openswan
Version: 1:2.6.23+dfsg-1
Severity: normal
Tags: patch
When the debconf options to use an existing certificate are selected,
postinst fails with the following error message:
Error: or already exists.
Please remove them first an re-run dpkg-reconfigure to create a new keypair.
I believe this is due to the uninitialized use of $newcertfile and
$newkeyfile on line 168 (in combination with the unusual behavior of bash
to return success for -e when given an empty variable). I have attached
a patch which corrects this behavior by checking for the existence of the
filenames which will be used.
Cheers,
Kevin
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.32.3-kevinoid1 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages openswan depends on:
ii bind9-host [host] 1:9.6.1.dfsg.P3-1 Version of 'host' bundled with BIN
ii bsdmainutils 8.0.8 collection of more utilities from
ii debconf [debconf-2.0] 1.5.28 Debian configuration management sy
ii debianutils 3.2.2 Miscellaneous utilities specific t
ii iproute 20091226-1 networking and traffic control too
ii libc6 2.10.2-6 Embedded GNU C Library: Shared lib
ii libcurl3 7.19.7-1 Multi-protocol file transfer libra
ii libgmp3c2 2:4.3.2+dfsg-1 Multiprecision arithmetic library
ii libldap-2.4-2 2.4.17-2.1 OpenLDAP libraries
ii libpam0g 1.1.1-2 Pluggable Authentication Modules l
ii openssl 0.9.8k-8 Secure Socket Layer (SSL) binary a
openswan recommends no packages.
Versions of packages openswan suggests:
ii curl 7.19.7-1 Get a file from an HTTP, HTTPS or
pn openswan-modules-source | lin <none> (no description available)
-- debconf information excluded
diff -ru openswan-2.6.23+dfsg.orig/debian/openswan.postinst openswan-2.6.23+dfsg/debian/openswan.postinst
--- openswan-2.6.23+dfsg.orig/debian/openswan.postinst 2010-03-06 19:03:00.896842017 -0700
+++ openswan-2.6.23+dfsg/debian/openswan.postinst 2010-03-06 19:14:56.766548908 -0700
@@ -168,26 +168,27 @@
else
db_get openswan/existing_x509_certificate
if [ "$RET" = "true" ]; then
- if [ -e $newcertfile -o -e $newkeyfile ]; then
- echo "Error: $newcertfile or $newkeyfile already exists."
- echo "Please remove them first an re-run dpkg-reconfigure to create a new keypair."
- else
- # existing certificate - use it
- db_get openswan/existing_x509_certificate_filename
- certfile=$RET
- db_get openswan/existing_x509_key_filename
- keyfile=$RET
- if [ ! -r $certfile ] || [ ! -r $keyfile ]; then
- echo "Either the certificate or the key file could not be read !"
- else
- cp "$certfile" /etc/ipsec.d/certs
- umask 077
- cp "$keyfile" "/etc/ipsec.d/private"
- newkeyfile="/etc/ipsec.d/private/`basename $keyfile`"
- chmod 0600 "$newkeyfile"
- insert_private_key_filename "$newkeyfile"
- echo "Successfully extracted RSA key from existing x509 certificate."
- fi
+ # existing certificate - use it
+ db_get openswan/existing_x509_certificate_filename
+ certfile=$RET
+ db_get openswan/existing_x509_key_filename
+ keyfile=$RET
+
+ newkeyfile="/etc/ipsec.d/private/$(basename "$keyfile")"
+ newcertfile="/etc/ipsec.d/private/$(basename "$certfile")"
+
+ if [ ! -r $certfile ] || [ ! -r $keyfile ]; then
+ echo "Either the certificate or the key file could not be read !"
+ elif [ -e $newcertfile -o -e $newkeyfile ]; then
+ echo "Error: $newcertfile or $newkeyfile already exists."
+ echo "Please remove them first an re-run dpkg-reconfigure to create a new keypair."
+ else
+ cp "$certfile" /etc/ipsec.d/certs
+ umask 077
+ cp "$keyfile" /etc/ipsec.d/private
+ chmod 0600 "$newkeyfile"
+ insert_private_key_filename "$newkeyfile"
+ echo "Successfully extracted RSA key from existing x509 certificate."
fi
fi
fi
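Review bot: newcertfile is derived under /etc/ipsec.d/private/ but the certificate itself is copied to /etc/ipsec.d/certs, so the new `-e $newcertfile` test looks in the wrong directory and will not catch an existing certificate of the same name; use `newcertfile="/etc/ipsec.d/certs/$(basename "$certfile")"` so the check matches the cp destination. The `-r` and `-e` tests are still unquoted, so a path containing whitespace (or, as in this report, an empty value) is split into separate words before test sees it; quote the expansions and replace the non-portable `-o` with two tests, e.g. `elif [ -e "$newcertfile" ] || [ -e "$newkeyfile" ]; then`. The retained error text still reads "an re-run" and tells the user to "create a new keypair" although this branch imports an existing one.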
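The empty-variable pitfall described in the report, next to a quoted version of the check the patch proposes, as an added example that is not part of this bug report, the attached patch, or the openswan package. The function names, the directory parameters and the exit codes are assumptions chosen so the logic can be exercised against a temporary directory; the real postinst hardcodes /etc/ipsec.d/certs and /etc/ipsec.d/private.

```sh
# Added example (not openswan's postinst and not the reporter's patch):
# why the original check succeeds when newcertfile and newkeyfile are
# empty, and a quoted, readability-first version of the patched check.
# Directories are parameters so the helper runs against a temporary tree.

# Original form of the check. With both variables empty the unquoted
# expansions vanish and bash runs `[ -e -o -e ]`, which it evaluates as the
# three-argument string test "-e" -o "-e" (two non-empty strings): true.
# Other shells may reject the same word list as a syntax error instead;
# either way the result has nothing to do with the files meant to be tested.
unquoted_exists_check() {
    # shellcheck disable=SC2086,SC2166
    [ -e $1 -o -e $2 ]
}

# Quoted form: an empty variable stays an empty argument, and `[ -e "" ]`
# is false. Two single tests joined with || also avoid the non-portable -o.
quoted_exists_check() {
    [ -e "$1" ] || [ -e "$2" ]
}

# Hypothetical helper with the patch's control flow: derive the destination
# names first, refuse unreadable input, refuse to clobber existing files,
# then copy. Returns 0 copied, 2 unreadable input, 3 destination exists.
# Unlike the patch, the certificate's destination name is derived from the
# certificate directory, so the collision check matches where cp writes.
install_existing_cert() {
    certfile=$1 keyfile=$2 certdir=$3 keydir=$4
    newcertfile="$certdir/$(basename "$certfile")"
    newkeyfile="$keydir/$(basename "$keyfile")"

    if [ ! -r "$certfile" ] || [ ! -r "$keyfile" ]; then
        echo "Either the certificate or the key file could not be read !" >&2
        return 2
    fi
    if quoted_exists_check "$newcertfile" "$newkeyfile"; then
        echo "Error: $newcertfile or $newkeyfile already exists." >&2
        echo "Please remove them first and re-run dpkg-reconfigure." >&2
        return 3
    fi

    cp "$certfile" "$certdir/" || return 1
    # Restrictive umask only while copying the private key; the subshell
    # keeps it from leaking into the caller, unlike a bare `umask 077`.
    ( umask 077 && cp "$keyfile" "$keydir/" ) || return 1
    chmod 0600 "$newkeyfile"
    return 0
}
```

Calling `install_existing_cert /path/host.crt /path/host.key /etc/ipsec.d/certs /etc/ipsec.d/private` reproduces the patch's intended order of checks; the point of the quoted tests is that an unset or empty name now fails the existence check instead of passing it.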