Package: openswan
Version: 1:2.6.23+dfsg-1
Severity: normal
Tags: patch

When the debconf options to use an existing certificate are selected, postinst fails with the following error message:

Error: or already exists.
Please remove them first an re-run dpkg-reconfigure to create a new keypair.

I believe this is due to the uninitialized use of $newcertfile and $newkeyfile on line 168 (in combination with the unusual behavior of bash to return success for -e when given an empty variable). I have attached a patch which corrects this behavior by checking for the existence of the filenames which will be used.

Cheers,
Kevin

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.32.3-kevinoid1 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openswan depends on:
ii  bind9-host [host]      1:9.6.1.dfsg.P3-1  Version of 'host' bundled with BIN
ii  bsdmainutils           8.0.8              collection of more utilities from
ii  debconf [debconf-2.0]  1.5.28             Debian configuration management sy
ii  debianutils            3.2.2              Miscellaneous utilities specific t
ii  iproute                20091226-1         networking and traffic control too
ii  libc6                  2.10.2-6           Embedded GNU C Library: Shared lib
ii  libcurl3               7.19.7-1           Multi-protocol file transfer libra
ii  libgmp3c2              2:4.3.2+dfsg-1     Multiprecision arithmetic library
ii  libldap-2.4-2          2.4.17-2.1         OpenLDAP libraries
ii  libpam0g               1.1.1-2            Pluggable Authentication Modules l
ii  openssl                0.9.8k-8           Secure Socket Layer (SSL) binary a

openswan recommends no packages.

Versions of packages openswan suggests:
ii  curl                          7.19.7-1  Get a file from an HTTP, HTTPS or
pn  openswan-modules-source | lin <none>    (no description available)

-- debconf information excluded

diff -ru openswan-2.6.23+dfsg.orig/debian/openswan.postinst openswan-2.6.23+dfsg/debian/openswan.postinst --- openswan-2.6.23+dfsg.orig/debian/openswan.postinst 2010-03-06 19:03:00.896842017 -0700 +++ openswan-2.6.23+dfsg/debian/openswan.postinst 2010-03-06 19:14:56.766548908 -0700 
@@ -168,26 +168,27 @@ else db_get openswan/existing_x509_certificate if [ "$RET" = "true" ]; then - if [ -e $newcertfile -o -e $newkeyfile ]; then - echo "Error: $newcertfile or $newkeyfile already exists." - echo "Please remove them first an re-run dpkg-reconfigure to create a new keypair." - else - # existing certificate - use it - db_get openswan/existing_x509_certificate_filename - certfile=$RET - db_get openswan/existing_x509_key_filename - keyfile=$RET - if [ ! -r $certfile ] || [ ! -r $keyfile ]; then - echo "Either the certificate or the key file could not be read !" - else - cp "$certfile" /etc/ipsec.d/certs - umask 077 - cp "$keyfile" "/etc/ipsec.d/private" - newkeyfile="/etc/ipsec.d/private/`basename $keyfile`" - chmod 0600 "$newkeyfile" - insert_private_key_filename "$newkeyfile" - echo "Successfully extracted RSA key from existing x509 certificate." - fi + # existing certificate - use it + db_get openswan/existing_x509_certificate_filename + certfile=$RET + db_get openswan/existing_x509_key_filename + keyfile=$RET + + newkeyfile="/etc/ipsec.d/private/$(basename "$keyfile")" + newcertfile="/etc/ipsec.d/private/$(basename "$certfile")" + + if [ ! -r $certfile ] || [ ! -r $keyfile ]; then + echo "Either the certificate or the key file could not be read !" + elif [ -e $newcertfile -o -e $newkeyfile ]; then + echo "Error: $newcertfile or $newkeyfile already exists." + echo "Please remove them first an re-run dpkg-reconfigure to create a new keypair." + else + cp "$certfile" /etc/ipsec.d/certs + umask 077 + cp "$keyfile" /etc/ipsec.d/private + chmod 0600 "$newkeyfile" + insert_private_key_filename "$newkeyfile" + echo "Successfully extracted RSA key from existing x509 certificate." fi fi fi
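
Review bot: newcertfile is set to /etc/ipsec.d/private/$(basename "$certfile"), but the certificate is copied to /etc/ipsec.d/certs further down, so the "already exists" test looks at a path the cp never writes and an existing file in /etc/ipsec.d/certs would be overwritten without the error; build newcertfile from /etc/ipsec.d/certs instead. The new if/elif tests also still expand $certfile, $keyfile, $newcertfile and $newkeyfile unquoted: a path containing spaces splits into several words, and if either debconf answer is empty, [ ! -r $certfile ] collapses to a two-word test that does not report the file as unreadable. Quote every expansion, and consider replacing the -o form with two separate [ -e "..." ] tests joined by ||.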
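
The empty-variable behaviour the report describes, shown as an added example that is not part of the original report, its patch, or the openswan packaging. The function names and the directory arguments are hypothetical, and check_keypair uses separate quoted tests joined by || rather than the -o form in the script.

```shell
#!/bin/sh
# Added illustration; function names and the directory arguments are hypothetical.

# Weak form: unquoted expansion. An empty $1 disappears after expansion,
# leaving `[ -e ]`, a one-argument test that only asks whether the string
# "-e" is non-empty, so it succeeds.
exists_unquoted() {
    [ -e $1 ]
}

# Quoted form: the empty string stays an argument, `[ -e "" ]`, which fails.
exists_quoted() {
    [ -e "$1" ]
}

# The readability guard has the mirror-image problem: `[ ! -r ]` negates
# the non-empty string "-r", so an empty filename is not flagged.
unreadable_unquoted() {
    [ ! -r $1 ]
}

unreadable_quoted() {
    [ ! -r "$1" ]
}

# Pre-copy check with every expansion quoted and no -o operator.
# Returns 0 if safe to copy, 1 if a source is empty or unreadable,
# 2 if a destination file already exists.
check_keypair() {
    cert=$1; key=$2; certdir=$3; keydir=$4
    [ -n "$cert" ] && [ -r "$cert" ] || return 1
    [ -n "$key" ] && [ -r "$key" ] || return 1
    if [ -e "$certdir/$(basename "$cert")" ] ||
       [ -e "$keydir/$(basename "$key")" ]; then
        return 2
    fi
    return 0
}
```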