From 62e891c141e7d11379ee5c262c61df954a7b9e9d Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sat, 3 Mar 2018 19:47:31 +0000 Subject: [PATCH 1/6] Update manpage for static analysis tests --- man/freedombone-tests.1.gz | Bin 652 -> 751 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/man/freedombone-tests.1.gz b/man/freedombone-tests.1.gz index 4c52195dde398f9554f64c7568933772d9d90fec..bdbc094f7e582cfb7aeea61b19578038e7db9be2 100644 GIT binary patch literal 751 zcmVo@O4 zFyimoeHN@dx&sdv(zLP~36Z4dFuFXxI30no15L;I=_UVI*>`qSj%YUsm1@#Z?8ih`F*Q zTg#aIkX|FbPhehf>Fz1F=73@#lt%jKoOMv6_i~Lq0Rv|U4!NnpJP|xULb{yK;6=K_ zU!p3FRX$rgb&me!&`t8#ByYG+;cOi`isS@J>2hS~N}F~o8fSkp)mMq0Y|g2xK{lr@A~3UnouwnpaZHt68C#LytD!27mt!UViZ=EMXTq~NfjzPE(6 zmi%K^%AHEvdd5;{q|-Km3+rjvX${utwKlxvjsdx41o67om2?BU47FK9={z=G2=OfNTZ!tA6a#t{S(OF zOTM$sZK+im&EvH1SFwLFy`SSoqH}_-tw|s{vc#%k7g)GKZ1zy$7oS%UxovvSZLH3t zg>1Ibyfdh^532fPaQiAfp79YbEvORJO>fXB%bvqaxxt6l)-0`Ak)0M6L_Ghr0SBsH2u^C&M$jKVs hXEyt|SCJT`4;d?`r8p%n*IAw)~sBob|^*bzd&VRt>Y zmwI=t-Eo^p{CLJ22U=Q0j~TO+bGX;7ZtDv}uxL`2y1Gv#X0Vc?$Mz0_)zwooIC_NIMI{mJm?&UegZtP4O*g z8%VS*a(NdB&4`?TxnAAm%ltX?$s~}j;p+~=&q{BLTJvk#{^J7Ad^FR$qbaDGnG{>PoYl zie(M{l(U3e8te*aoI&>K@6f}2g9E{^f)IMs4GMUb?1>F9NX2DKdu{=>7X0Th%1n*x z17j()!fThol?ycP)PVE4)|R)tV?d^iAVC}53O~A&sBI0N!^Otei;GVqI9GO2)h36T zn`MwALPOMr)9JM43->bPdru$jVLEJh@@6ta$vVdvZSu1@hq`c}8dSIY%SXQtqSJ^w ze4H80`|_1gth%=R+vgtaH?#nTqiw&&J&$kV8Iref(Jf zA6art{)^4MqxJL6oIkiVcFq$=qh Date: Sat, 3 Mar 2018 22:26:29 +0000 Subject: [PATCH 2/6] Checking certificates for onion only versions --- src/freedombone-utils-web | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/src/freedombone-utils-web b/src/freedombone-utils-web index 9d2c73cd..290feca9 100755 --- a/src/freedombone-utils-web +++ b/src/freedombone-utils-web 
@@ -190,7 +190,7 @@ function check_certificates {
 if [ "$2" ]; then
 USE_LETSENCRYPT="$2"
 fi
- if [[ $USE_LETSENCRYPT == 'no' ]]; then
+ if [[ $USE_LETSENCRYPT == 'no' || "$ONION_ONLY" != 'no' ]]; then
 if [ ! -f "/etc/ssl/private/${1}.key" ]; then
 echo $"Private certificate for ${CHECK_HOSTNAME} was not created"
 exit 63959
@@ -239,12 +239,21 @@ function cert_exists {
 }
 function create_self_signed_cert {
+ if [ ! "${SITE_DOMAIN_NAME}" ]; then
+ echo $'No site domain specified for self signed cert'
+ exit 4638565385
+ fi
 "${PROJECT_NAME}-addcert" -h "${SITE_DOMAIN_NAME}" --dhkey "${DH_KEYLENGTH}"
 function_check check_certificates
 check_certificates "${SITE_DOMAIN_NAME}"
 }
 function create_letsencrypt_cert {
+ if [ ! "${SITE_DOMAIN_NAME}" ]; then
+ echo $'No site domain specified for letsencrypt cert'
+ exit 246824624
+ fi
+
 if ! "${PROJECT_NAME}-addcert" -e "${SITE_DOMAIN_NAME}" -s "${LETSENCRYPT_SERVER}" --dhkey "${DH_KEYLENGTH}" --email "${MY_EMAIL_ADDRESS}"; then
 if [[ ${NO_SELF_SIGNED} == 'no' ]]; then
 echo $"Lets Encrypt failed for ${SITE_DOMAIN_NAME}, so try making a self-signed cert"
From 978f848350d3499de99df0f96809d6100c0e2f48 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Sat, 3 Mar 2018 22:36:56 +0000
Subject: [PATCH 3/6] Exit if certificate check fails
---
 src/freedombone-app-irc | 1 +
 src/freedombone-app-xmpp | 1 +
 src/freedombone-base-email | 1 +
 src/freedombone-utils-web | 6 +++++-
 4 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/freedombone-app-irc b/src/freedombone-app-irc
index 5e4e56df..5212f17d 100755
--- a/src/freedombone-app-irc
+++ b/src/freedombone-app-irc
@@ -523,6 +523,7 @@ function install_irc_server {
 if [[ "$(cert_exists "${DEFAULT_DOMAIN_NAME}")" == "0" ]]; then
 "${PROJECT_NAME}-addcert" -h ngircd --dhkey "${DH_KEYLENGTH}"
 function_check check_certificates
+ CHECK_HOSTNAME=ngircd
 check_certificates ngircd
 fi
diff --git a/src/freedombone-app-xmpp b/src/freedombone-app-xmpp
index a1b6ff53..568988da 100755
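Review bot: The new condition `if [[ $USE_LETSENCRYPT == 'no' || "$ONION_ONLY" != 'no' ]]; then` takes the self-signed branch whenever ONION_ONLY is unset or empty, because an empty string compares unequal to 'no'; a caller that passes 'yes' as the second argument without ONION_ONLY in its environment is then checked for `/etc/ssl/private/${1}.key` instead of whatever the else branch (outside the hunk) verifies, and fails spuriously. Defaulting the variable makes the intent explicit: `if [[ $USE_LETSENCRYPT == 'no' || "${ONION_ONLY:-no}" != 'no' ]]; then`. Separately, the message two lines down names `${CHECK_HOSTNAME}` while the file being tested is built from `${1}`; printing `${1}` would keep the two in step without any caller having to set a global. check_certificates begins before this hunk and continues after it.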
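Review bot: The guards added to create_self_signed_cert and create_letsencrypt_cert end in `exit 4638565385` and `exit 246824624`, but a process exit status keeps only its low eight bits, so these are reported as 9 and 176; the same applies to `exit 3568736585683` added to check_certificates in patch 3 of this series (src/freedombone-utils-web), which becomes 211. If the codes are meant to be distinctive for callers or logs, choose values in the 1–255 range that stay distinct after truncation. The diagnostics also go to stdout; `echo $'No site domain specified for self signed cert' >&2` keeps them visible when a caller captures output. create_letsencrypt_cert continues past the end of the hunk.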
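Review bot: `CHECK_HOSTNAME=ngircd` is set only so that check_certificates can print it, while the function already receives the same name as `$1` on the very next line (`check_certificates ngircd`); the same pairing is repeated in this patch for xmpp, dovecot, exim and twice inside create_letsencrypt_cert. A global that must be kept in step with the argument at every call site is easy to forget on the next caller, and a stale value would make the "was not created" message name the wrong host. Having check_certificates print `${1}` in that message would make all six assignments unnecessary. If CHECK_HOSTNAME is read anywhere else it is outside these hunks, so confirm that before dropping it; install_irc_server begins before this hunk.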
--- a/src/freedombone-app-xmpp
+++ b/src/freedombone-app-xmpp
@@ -973,6 +973,7 @@ function install_xmpp {
 if [ ! -f "/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" ]; then
 if [ ! -f /etc/ssl/certs/xmpp.crt ]; then
 "${PROJECT_NAME}-addcert" -h xmpp --dhkey "${DH_KEYLENGTH}"
+ CHECK_HOSTNAME=xmpp
 check_certificates xmpp
 if [ ! -f /etc/ssl/certs/xmpp.crt ]; then
 echo $'Failed to create xmpp certificate'
diff --git a/src/freedombone-base-email b/src/freedombone-base-email
index 0c7e2e7d..b8959027 100755
--- a/src/freedombone-base-email
+++ b/src/freedombone-base-email
@@ -1068,6 +1068,7 @@ function configure_imap {
 if [[ "$(cert_exists dovecot)" == "0" ]]; then
 "${PROJECT_NAME}-addcert" -h dovecot --dhkey "$DH_KEYLENGTH"
+ CHECK_HOSTNAME=dovecot
 check_certificates dovecot
 fi
diff --git a/src/freedombone-utils-web b/src/freedombone-utils-web
index 290feca9..81bf3e1a 100755
--- a/src/freedombone-utils-web
+++ b/src/freedombone-utils-web
@@ -184,7 +184,8 @@ function test_domain_name {
 # Checks whether certificates were generated for the given hostname
 function check_certificates {
 if [ ! "$1" ]; then
- return
+ echo $'No certificate name provided'
+ exit 3568736585683
 fi
 USE_LETSENCRYPT='no'
 if [ "$2" ]; then
@@ -259,6 +260,7 @@ function create_letsencrypt_cert {
 echo $"Lets Encrypt failed for ${SITE_DOMAIN_NAME}, so try making a self-signed cert"
 "${PROJECT_NAME}-addcert" -h "${SITE_DOMAIN_NAME}" --dhkey "${DH_KEYLENGTH}"
 function_check check_certificates
+ CHECK_HOSTNAME="${SITE_DOMAIN_NAME}"
 check_certificates "${SITE_DOMAIN_NAME}"
 else
 echo $"Lets Encrypt failed for $SITE_DOMAIN_NAME"
@@ -272,6 +274,7 @@ function create_letsencrypt_cert {
 fi
 function_check check_certificates
+ CHECK_HOSTNAME="${SITE_DOMAIN_NAME}"
 check_certificates "${SITE_DOMAIN_NAME}" 'yes'
 }
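Review bot: In the check_certificates hunk the removed `return` made a missing argument a silent no-op and the new lines make it fatal for the calling script, which is the right direction, but `echo $'No certificate name provided'` writes the reason to stdout, where it is lost if the caller captures the function's output with `$(...)`. Redirect it: `echo $'No certificate name provided' >&2`. The existing "was not created" message in the same function has the same property, so fixing both together would be consistent. check_certificates continues past the end of the hunk.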
@@ -1013,6 +1016,7 @@ function email_install_tls {
 fi
 if [ ! -f /etc/ssl/certs/exim.dhparam ]; then
 "${PROJECT_NAME}-addcert" -h exim --dhkey "$DH_KEYLENGTH"
+ CHECK_HOSTNAME=exim
 check_certificates exim
 cp /etc/ssl/certs/exim.dhparam /etc/exim4
 chown root:Debian-exim /etc/exim4/exim.dhparam
From f1f789415e90f81d25d57bcc4a82b3f1c9627738 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Sun, 4 Mar 2018 11:38:02 +0000
Subject: [PATCH 4/6] Don't quote extensions
---
 src/freedombone-addcert | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/freedombone-addcert b/src/freedombone-addcert
index 5579fb7e..dc16d71a 100755
--- a/src/freedombone-addcert
+++ b/src/freedombone-addcert
@@ -310,7 +310,8 @@ function add_cert_selfsigned {
 CERTFILE="ca-$HOSTNAME"
 fi
- openssl req -x509 "${EXTENSIONS}" -nodes -days 3650 -sha256 \
+ # shellcheck disable=SC2086
+ openssl req -x509 ${EXTENSIONS} -nodes -days 3650 -sha256 \
 -subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" \
 -newkey rsa:2048 -keyout "/etc/ssl/private/${CERTFILE}.key" \
 -out "/etc/ssl/certs/${CERTFILE}.crt"
From eb6103f19ac6d54b3c482c5004f742ff8a207740 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Sun, 4 Mar 2018 11:40:54 +0000
Subject: [PATCH 5/6] Deprecate cert bundle
---
 src/freedombone-addcert | 12 ------------
 1 file changed, 12 deletions(-)
diff --git a/src/freedombone-addcert b/src/freedombone-addcert
index dc16d71a..7f23c0c7 100755
--- a/src/freedombone-addcert
+++ b/src/freedombone-addcert
@@ -170,10 +170,6 @@ if ! which openssl > /dev/null ;then
 exit 5689
 fi
-if [ ! -d /etc/ssl/mycerts ]; then
- mkdir /etc/ssl/mycerts
-fi
-
 CERTFILE=$HOSTNAME
 function remove_cert_letsencrypt {
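Review bot: After `check_certificates exim` the code copies `/etc/ssl/certs/exim.dhparam`, which is the file the enclosing `if [ ! -f ... ]` tests for, yet the only check visible in check_certificates elsewhere in this series is for `/etc/ssl/private/${1}.key`; if addcert produces the key but not the dhparam, the `cp` on the next line is what fails, with a less specific error. A direct test keeps the failure local, e.g. `[ -f /etc/ssl/certs/exim.dhparam ] || { echo $'exim dhparam was not created' >&2; exit 1; }` before the copy (exit value constructed, pick one matching the file's convention). Whether check_certificates also covers the dhparam in the part of it not shown here I cannot tell. email_install_tls begins and ends outside the hunk.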
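Review bot: Dropping the quotes around `${EXTENSIONS}` in add_cert_selfsigned relies on word splitting to turn one string into several openssl arguments, and pathname expansion is applied as well, so a value containing `*` or `?` would be globbed against the current directory; the `# shellcheck disable=SC2086` comment silences the warning but removes neither effect. An array makes the splitting explicit without globbing: `read -r -a ext_args <<<"${EXTENSIONS}"` before the call and `openssl req -x509 "${ext_args[@]}" -nodes -days 3650 -sha256 \` in place of the changed line. Where EXTENSIONS is assigned is outside the hunk, so confirm it is a whitespace-separated option list; add_cert_selfsigned starts before the hunk.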
@@ -317,7 +313,6 @@ function add_cert_selfsigned {
 -out "/etc/ssl/certs/${CERTFILE}.crt"
 chmod 400 "/etc/ssl/private/${CERTFILE}.key"
 chmod 640 "/etc/ssl/certs/${CERTFILE}.crt"
- cp "/etc/ssl/certs/${CERTFILE}.crt" "/etc/ssl/mycerts"
 if [ "$PIN_CERTS" ]; then
 if ! "${PROJECT_NAME}-pin-cert" "$CERTFILE"; then
@@ -341,12 +336,6 @@ function restart_web_server {
 fi
 }
-function make_cert_bundle {
- # Create a bundle of your certificates
- cat /etc/ssl/mycerts/*.crt /etc/ssl/mycerts/*.pem > /etc/ssl/${PROJECT_NAME}-bundle.crt
- tar -czvf /etc/ssl/${PROJECT_NAME}-certs.tar.gz /etc/ssl/mycerts/*.crt /etc/ssl/mycerts/*.pem
-}
-
 function create_cert {
 if [ "$remove_cert" ]; then
 remove_cert_letsencrypt
@@ -363,6 +352,5 @@ function create_cert {
 create_cert
 generate_dh_params
 restart_web_server
-make_cert_bundle
 exit 0
From 4ca29d02e5bc60d0a2b2a6f4210f879abc6767ff Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Sun, 4 Mar 2018 11:55:35 +0000
Subject: [PATCH 6/6] Credit scores on passwords
---
 src/freedombone-utils-passwords | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/freedombone-utils-passwords b/src/freedombone-utils-passwords
index c289dfb4..fa5c8703 100755
--- a/src/freedombone-utils-passwords
+++ b/src/freedombone-utils-passwords
@@ -46,7 +46,7 @@ function enforce_good_passwords {
 fi
 apt-get -yq install libpam-cracklib
- sed -i 's/password.*requisite.*pam_cracklib.so.*/password required pam_cracklib.so retry=2 dcredit=-4 ucredit=-1 ocredit=-1 lcredit=0 minlen=10 reject_username/g' /etc/pam.d/common-password
+ sed -i 's/password.*requisite.*pam_cracklib.so.*/password required pam_cracklib.so retry=2 dcredit=-1 ucredit=-1 ocredit=0 lcredit=0 minlen=10 reject_username/g' /etc/pam.d/common-password
 mark_completed "${FUNCNAME[0]}"
 }
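Review bot: The new sed replacement in enforce_good_passwords relaxes the pam_cracklib policy in two ways the commit title does not spell out: `dcredit=-4` to `dcredit=-1` lowers the required digits from four to one, and `ocredit=-1` to `ocredit=0` no longer requires a symbol and also stops symbols counting toward `minlen=10`. That may well be intended, but the reasoning is lost once the line is merged; a comment above the `sed -i` line such as `# Policy: at least 10 characters including one digit and one upper-case letter; symbols and lower-case letters are neither required nor credited towards the length` would keep it with the code. Two pre-existing properties of the line are worth confirming while it is being touched: the pattern only matches a `requisite` entry, so it is a no-op on a file already rewritten to `required`, and edits to /etc/pam.d/common-password may be overwritten when pam-auth-update regenerates the file. enforce_good_passwords begins before the hunk.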