From 516519ba071f6ae36a6128a74d931400215b8844 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Wed, 2 Dec 2015 10:58:35 +0000 Subject: [PATCH] Command for calculating DH params Avoid duplication --- man/freedombone-dhparam.1.gz | Bin 0 -> 585 bytes src/freedombone-addcert | 28 ++++----- src/freedombone-dhparam | 117 +++++++++++++++++++++++++++++++++++ src/freedombone-sec | 112 +++++++++++++++------------------ 4 files changed, 178 insertions(+), 79 deletions(-) create mode 100644 man/freedombone-dhparam.1.gz create mode 100755 src/freedombone-dhparam diff --git a/man/freedombone-dhparam.1.gz b/man/freedombone-dhparam.1.gz new file mode 100644 index 0000000000000000000000000000000000000000..7bcc87d2ed437dd2c3d8470a8c44eafa2084d1cc GIT binary patch literal 585 zcmV-P0=E4hiwFQB#$Hwc1C5hWZ__Xk$KU-aPI&<&l5S<7twM-)3+=?ZR!hnRV-JpV zX{#JUpbuv#pnq`q zHh{ptpPuf)g3!Jom~!246)+Yh69_Jc(>P$eaS?b?huRxi=p63G-~~QCW}I1 zI6W>9a`FICSNaS^W;3)*L|=VmT*%Va@r@|La5;84p*R1FI@>zLna;hcxZ85 z5pGsUzqPsDYM;f)>DBo>J)d0$ES9cB3u0rF?tMPmr00D`Td_ql9DDk7RZE`+4e=#{ zqyb~#pMRQXY*ssIG*@Z`E7O4RRk$JpRHKl^3cNjdqKhE)-#He%Q4V&g$&c*lc!M7O zXYqCCjt)-Vc@q|#*(LWL6y*2tWefgqbPrAUJ>Rxyv>5w2USVylgREH+aL1w%l+M*O z==GL<1WgtRQ}r@Vr4_v$;hrRF9;K2vhT%mr+gpp5hp%4mdEt33(7IM!D2dv29{Cik zxKv#SN>XRSud1$}snHG_UC3oCESK8YHb8B$t!%L}u6@^{#-Cv)l&!j%Y}JWmt4<<9 z(TX+t8Ru(-u;xVmWIMCrBAv{x0yZ)kOpSBvEqR}r?4vcAaZ*s!+(piOU{Pk-d_3=s z=i>py!;|BF{N{KQ9Z6Rqt$(cnjHY2$^4G(*J6JFo^>+300jU5oYorI literal 0 HcmV?d00001 diff --git a/src/freedombone-addcert b/src/freedombone-addcert index b915a58b..0d4ec2fc 100755 --- a/src/freedombone-addcert +++ b/src/freedombone-addcert 
@@ -154,18 +154,18 @@ if [ $LETSENCRYPT_HOSTNAME ]; then cd $INSTALL_DIR # obtain the repo - if [ ! -d $INSTALL_DIR/letsencrypt ]; then + if [ ! -d ${INSTALL_DIR}/letsencrypt ]; then git clone https://github.com/letsencrypt/letsencrypt - if [ ! -d $INSTALL_DIR/letsencrypt ]; then + if [ ! -d ${INSTALL_DIR}/letsencrypt ]; then exit 76283 fi else - cd $INSTALL_DIR/letsencrypt + cd ${INSTALL_DIR}/letsencrypt git stash git pull fi - cd $INSTALL_DIR/letsencrypt + cd ${INSTALL_DIR}/letsencrypt # TODO this requires user interaction - is there a non-interactive mode? ./letsencrypt-auto certonly --server $LETSENCRYPT_SERVER --standalone -d $LETSENCRYPT_HOSTNAME if [ ! "$?" = "0" ]; then @@ -206,23 +206,19 @@ else CERTFILE="ca-$HOSTNAME" fi - openssl req -x509 $EXTENSIONS -nodes -days 3650 -sha256 \ + openssl req -x509 ${EXTENSIONS} -nodes -days 3650 -sha256 \ -subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" \ - -newkey rsa:4096 -keyout /etc/ssl/private/$CERTFILE.key \ - -out /etc/ssl/certs/$CERTFILE.crt - chmod 400 /etc/ssl/private/$CERTFILE.key - chmod 640 /etc/ssl/certs/$CERTFILE.crt - cp /etc/ssl/certs/$CERTFILE.crt /etc/ssl/mycerts + -newkey rsa:4096 -keyout /etc/ssl/private/${CERTFILE}.key \ + -out /etc/ssl/certs/${CERTFILE}.crt + chmod 400 /etc/ssl/private/${CERTFILE}.key + chmod 640 /etc/ssl/certs/${CERTFILE}.crt + cp /etc/ssl/certs/${CERTFILE}.crt /etc/ssl/mycerts fi # generate DH params if [ ! $NODH ]; then - if [ ! -f /etc/ssl/certs/$CERTFILE.dhparam ]; then - openssl dhparam -check -text -dsaparam $DH_KEYLENGTH -out /etc/ssl/certs/$CERTFILE.dhparam - if [ ! "$?" = "0" ]; then - exit 72428 - fi - chmod 640 /etc/ssl/certs/$CERTFILE.dhparam + if [ ! -f /etc/ssl/certs/${CERTFILE}.dhparam ]; then + ${PROJECT_NAME}-dhparam -h ${CERTFILE} fi fi diff --git a/src/freedombone-dhparam b/src/freedombone-dhparam new file mode 100755 index 00000000..23b3296a --- /dev/null +++ b/src/freedombone-dhparam 
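Review bot: The new `${PROJECT_NAME}-dhparam -h ${CERTFILE}` call in the second hunk drops the key length that the replaced openssl invocation passed via `$DH_KEYLENGTH`, so the helper's built-in default is used no matter what addcert was configured with, and the old `exit 72428` on failure is lost because the helper's exit status is never examined. Suggest `${PROJECT_NAME}-dhparam -h "${CERTFILE}" -l "${DH_KEYLENGTH}" || exit 72428`. The helper also ends with an unconditional `systemctl reload nginx`, which this call site did not do before; whether a reload is wanted in the middle of certificate creation is worth confirming. Whether `PROJECT_NAME` is defined earlier in freedombone-addcert is not visible in the hunk.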
@@ -0,0 +1,117 @@
+#!/bin/bash
+#
+# .---. . .
+# | | |
+# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
+# | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
+# ' ' --' --' -' - -' ' ' -' -' -' ' - --'
+#
+# Freedom in the Cloud
+#
+# Creates or re-calculates Diffie-Hellman parameters
+# License
+# =======
+#
+# Copyright (C) 2015 Bob Mottram
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+PROJECT_NAME='freedombone'
+export TEXTDOMAIN=${PROJECT_NAME}-dhparam
+export TEXTDOMAINDIR="/usr/share/locale"
+HOSTNAME=
+KEYLENGTH=2048
+RECALCULATE="no"
+function show_help {
+ echo ''
+ echo $"${PROJECT_NAME}-dhparam -h [hostname] -l [length in bits] --recalc [yes|no]"
+ echo ''
+ exit 0
+}
+function calc_dh {
+ openssl dhparam -check -text -dsaparam $KEYLENGTH -out ${1}
+ if [ ! "$?" 
= "0" ]; then
+ exit 3674
+ fi
+ chmod 640 ${1}
+}
+function regenerate_dh_keys {
+ for file in /etc/ssl/mycerts/*
+ do
+ if [[ -f $file ]]; then
+ filename=/etc/ssl/certs/$(echo $file | awk -F '/etc/ssl/mycerts/' '{print $2}' | awk -F '.crt' '{print $1}').dhparam
+ if [ -f $filename ]; then
+ calc_dh $filename
+ echo $"Recalculated DH params for $filename"
+ fi
+ fi
+ done
+}
+while [[ $# > 1 ]]
+do
+key="$1"
+case $key in
+ --help)
+ show_help
+ ;;
+ -h|--hostname)
+ shift
+ HOSTNAME="$1"
+ ;;
+ -l|--dhkey)
+ shift
+ KEYLENGTH=${1}
+ ;;
+ --recalc)
+ shift
+ RECALCULATE=${1}
+ ;;
+ *)
+ # unknown option
+ ;;
+esac
+shift
+done
+if [[ $RECALCULATE == "yes" || $RECALCULATE == "y" ]]; then
+ regenerate_dh_keys
+ exit 0
+fi
+if [ ! $HOSTNAME ]; then
+ echo $'No hostname specified'
+ exit 5728
+fi
+if ! which openssl > /dev/null ;then
+ echo $"$0: openssl is not installed, exiting" 1>&2
+ exit 5689
+fi
+if [ ! -d /etc/ssl/mycerts ]; then
+ mkdir -p /etc/ssl/mycerts
+fi
+calc_dh /etc/ssl/certs/$HOSTNAME.dhparam
+systemctl reload nginx
+exit 0
diff --git a/src/freedombone-sec b/src/freedombone-sec
index b0d159f6..808aeb4e 100755
--- a/src/freedombone-sec
+++ b/src/freedombone-sec
@@ -225,10 +225,10 @@ function interactive_setup {
 if [ $SSL_CIPHERS ]; then
 data=$(tempfile 2>/dev/null)
 trap "rm -f $data" 0 1 2 5 15
- dialog --backtitle "Freedombone Security Configuration" \
- --form "\nWeb/IMAP Ciphers:" 10 95 2 \
- "Protocols:" 1 1 "$SSL_PROTOCOLS" 1 15 90 90 \
- "Ciphers:" 2 1 "$SSL_CIPHERS" 2 15 90 512 \
+ dialog --backtitle $"Freedombone Security Configuration" \
+ --form $"\nWeb/IMAP Ciphers:" 10 95 2 \
+ $"Protocols:" 1 1 "$SSL_PROTOCOLS" 1 15 90 90 \
+ $"Ciphers:" 2 1 "$SSL_CIPHERS" 2 15 90 512 \
 2> $data
 sel=$?
 case $sel in
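Review bot: The option loop `while [[ $# > 1 ]]` in the new freedombone-dhparam stops while one argument is still unread, so a lone `--help` is never dispatched and the script falls through to the `No hostname specified` exit; `while [[ $# -gt 0 ]]` is the intended test. The `-h` value is interpolated unquoted into `/etc/ssl/certs/$HOSTNAME.dhparam` with no check that it is a plain hostname, so a value containing `/` selects a file outside /etc/ssl/certs with whatever privileges the script needs to write there; a guard such as `[[ $HOSTNAME != */* ]] || exit 5728` before the calc_dh call would confine it, and quoting the expansions (`calc_dh "/etc/ssl/certs/${HOSTNAME}.dhparam"`, `-out "${1}"`) avoids word splitting. The `-dsaparam` flag carried over from the replaced code produces parameters that are not safe primes, which OpenSSL documents as intended only for one-time (ephemeral) DH keys; a one-line comment recording that assumption next to the openssl call would help the next reader. The `--recalc` branch also runs before the openssl-installed check, so that diagnostic never fires on that path, and `command -v openssl` is the portable form of the `which` test.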
@@ -242,12 +242,12 @@ function interactive_setup {
 data=$(tempfile 2>/dev/null)
 trap "rm -f $data" 0 1 2 5 15
 if [ $SSH_HOST_KEY_ALGORITHMS ]; then
- dialog --backtitle "Freedombone Security Configuration" \
- --form "\nSecure Shell Ciphers:" 13 95 4 \
- "Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
- "MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
- "KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
- "Host key algorithms:" 4 1 "$SSH_HOST_KEY_ALGORITHMS" 4 15 90 512 \
+ dialog --backtitle $"Freedombone Security Configuration" \
+ --form $"\nSecure Shell Ciphers:" 13 95 4 \
+ $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
+ $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
+ $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
+ $"Host key algorithms:" 4 1 "$SSH_HOST_KEY_ALGORITHMS" 4 15 90 512 \
 2> $data
 sel=$?
 case $sel in
@@ -259,11 +259,11 @@ function interactive_setup {
 255) exit 0;;
 esac
 else
- dialog --backtitle "Freedombone Security Configuration" \
- --form "\nSecure Shell Ciphers:" 11 95 3 \
- "Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
- "MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
- "KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
+ dialog --backtitle $"Freedombone Security Configuration" \
+ --form $"\nSecure Shell Ciphers:" 11 95 3 \
+ $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
+ $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
+ $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
 2> $data
 sel=$?
 case $sel in
@@ -276,14 +276,14 @@ function interactive_setup { fi if [[ $SSH_PASSWORDS == "yes" ]]; then - dialog --title "SSH Passwords" \ - --backtitle "Freedombone Security Configuration" \ - --yesno "\nAllow SSH login using passwords?" 7 60 + dialog --title $"SSH Passwords" \ + --backtitle $"Freedombone Security Configuration" \ + --yesno $"\nAllow SSH login using passwords?" 7 60 else - dialog --title "SSH Passwords" \ - --backtitle "Freedombone Security Configuration" \ + dialog --title $"SSH Passwords" \ + --backtitle $"Freedombone Security Configuration" \ --defaultno \ - --yesno "\nAllow SSH login using passwords?" 7 60 + --yesno $"\nAllow SSH login using passwords?" 7 60 fi sel=$? case $sel in @@ -295,10 +295,10 @@ function interactive_setup { if [ $XMPP_CIPHERS ]; then data=$(tempfile 2>/dev/null) trap "rm -f $data" 0 1 2 5 15 - dialog --backtitle "Freedombone Security Configuration" \ - --form "\nXMPP Ciphers:" 10 95 2 \ - "Ciphers:" 1 1 "$XMPP_CIPHERS" 1 15 90 512 \ - "ECC Curve:" 2 1 "$XMPP_ECC_CURVE" 2 15 50 50 \ + dialog --backtitle $"Freedombone Security Configuration" \ + --form $"\nXMPP Ciphers:" 10 95 2 \ + $"Ciphers:" 1 1 "$XMPP_CIPHERS" 1 15 90 512 \ + $"ECC Curve:" 2 1 "$XMPP_ECC_CURVE" 2 15 50 50 \ 2> $data sel=$? case $sel in @@ -309,10 +309,10 @@ function interactive_setup { esac fi - dialog --title "Final Confirmation" \ - --backtitle "Freedombone Security Configuration" \ + dialog --title $"Final Confirmation" \ + --backtitle $"Freedombone Security Configuration" \ --defaultno \ - --yesno "\nPlease confirm that you wish your security settings to be changed?\n\nWARNING: any mistakes made in the security settings could compromise your system, so be extra careful when answering 'yes'." 12 60 + --yesno $"\nPlease confirm that you wish your security settings to be changed?\n\nWARNING: any mistakes made in the security settings could compromise your system, so be extra careful when answering 'yes'." 12 60 sel=$? case $sel in 1) clear 
@@ -365,21 +365,7 @@ function regenerate_dh_keys { 3) DH_KEYLENGTH=4096;; esac - ctr=0 - for file in /etc/ssl/mycerts/* - do - if [[ -f $file ]]; then - filename=/etc/ssl/certs/$(echo $file | awk -F '/etc/ssl/mycerts/' '{print $2}' | awk -F '.crt' '{print $1}').dhparam - if [ -f $filename ]; then - openssl dhparam -check -text -dsaparam $DH_KEYLENGTH -out $filename - if [ ! "$?" = "0" ]; then - exit 3674 - fi - ctr=$((ctr + 1)) - fi - fi - done - echo $"$ctr dhparam certificates were regenerated" + ${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH} fi } @@ -387,9 +373,9 @@ function renew_startssl { renew_domain= data=$(tempfile 2>/dev/null) trap "rm -f $data" 0 1 2 5 15 - dialog --title "Renew a StartSSL certificate" \ - --backtitle "Freedombone Security Settings" \ - --inputbox "Enter the domain name" 8 60 2>$data + dialog --title $"Renew a StartSSL certificate" \ + --backtitle $"Freedombone Security Settings" \ + --inputbox $"Enter the domain name" 8 60 2>$data sel=$? case $sel in 0) @@ -402,24 +388,24 @@ function renew_startssl { fi if [[ $renew_domain == "http"* ]]; then - dialog --title "Renew a StartSSL certificate" \ - --msgbox "Don't include the https://" 6 40 + dialog --title $"Renew a StartSSL certificate" \ + --msgbox $"Don't include the https://" 6 40 return fi if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then - dialog --title "Renew a StartSSL certificate" \ - --msgbox "An existing certificate for $renew_domain was not found" 6 40 + dialog --title $"Renew a StartSSL certificate" \ + --msgbox $"An existing certificate for $renew_domain was not found" 6 40 return fi if [[ $renew_domain != *"."* ]]; then - dialog --title "Renew a StartSSL certificate" \ - --msgbox "Invalid domain name: $renew_domain" 6 40 + dialog --title $"Renew a StartSSL certificate" \ + --msgbox $"Invalid domain name: $renew_domain" 6 40 return fi - freedombone-renew-cert -h $renew_domain -p startssl + ${PROJECT_NAME}-renew-cert -h $renew_domain -p startssl exit 0 } 
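Review bot: The replacement line `${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}` in the first hunk ignores the helper's exit status, whereas the removed loop exited with 3674 when openssl failed, so a failed regeneration now passes silently through this function; suggest `${PROJECT_NAME}-dhparam --recalc yes -l "${DH_KEYLENGTH}" || exit 3674`. The removed `$ctr dhparam certificates were regenerated` summary is also gone and the helper only prints one line per file it touches, so the operator no longer learns how many files were handled, including the zero case. Whether `PROJECT_NAME` is defined earlier in freedombone-sec is outside the hunk, as is the start of regenerate_dh_keys.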
@@ -428,9 +414,9 @@ function renew_letsencrypt { renew_domain= data=$(tempfile 2>/dev/null) trap "rm -f $data" 0 1 2 5 15 - dialog --title "Renew a Let's Encrypt certificate" \ - --backtitle "Freedombone Security Settings" \ - --inputbox "Enter the domain name" 8 60 2>$data + dialog --title $"Renew a Let's Encrypt certificate" \ + --backtitle $"Freedombone Security Settings" \ + --inputbox $"Enter the domain name" 8 60 2>$data sel=$? case $sel in 0) @@ -443,24 +429,24 @@ function renew_letsencrypt { fi if [[ $renew_domain == "http"* ]]; then - dialog --title "Renew a Let's Encrypt certificate" \ - --msgbox "Don't include the https://" 6 40 + dialog --title $"Renew a Let's Encrypt certificate" \ + --msgbox $"Don't include the https://" 6 40 return fi if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then - dialog --title "Renew a Let's Encrypt certificate" \ - --msgbox "An existing certificate for $renew_domain was not found" 6 40 + dialog --title $"Renew a Let's Encrypt certificate" \ + --msgbox $"An existing certificate for $renew_domain was not found" 6 40 return fi if [[ $renew_domain != *"."* ]]; then - dialog --title "Renew a Let's Encrypt certificate" \ - --msgbox "Invalid domain name: $renew_domain" 6 40 + dialog --title $"Renew a Let's Encrypt certificate" \ + --msgbox $"Invalid domain name: $renew_domain" 6 40 return fi - freedombone-renew-cert -h $renew_domain -p 'letsencrypt' + ${PROJECT_NAME}-renew-cert -h $renew_domain -p 'letsencrypt' exit 0 }