Increase diffie-hellman key length, except on BBB

This is a tradeoff between security and the amount of time a user might be willing to wait for the installation to complete. If each key takes multiple hours to compute, the user may simply abandon the install.
Bob Mottram 2015-08-15 09:30:51 +01:00
parent 5affb786ea
commit 1e28a68487
2 changed files with 33 additions and 20 deletions


@ -402,6 +402,9 @@ TOX_NODE=
ZERONET_REPO='https://github.com/HelloZeroNet/ZeroNet.git' ZERONET_REPO='https://github.com/HelloZeroNet/ZeroNet.git'
# Default diffie-hellman key length in bits
DH_KEYLENGTH=3072
function show_help { function show_help {
echo '' echo ''
echo 'freedombone -c [configuration file]' echo 'freedombone -c [configuration file]'
@ -753,6 +756,9 @@ function read_configuration {
fi fi
if [ -f $CONFIGURATION_FILE ]; then if [ -f $CONFIGURATION_FILE ]; then
if grep -q "DH_KEYLENGTH" $CONFIGURATION_FILE; then
DH_KEYLENGTH=$(grep "DH_KEYLENGTH" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "WIFI_INTERFACE" $CONFIGURATION_FILE; then if grep -q "WIFI_INTERFACE" $CONFIGURATION_FILE; then
WIFI_INTERFACE=$(grep "WIFI_INTERFACE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') WIFI_INTERFACE=$(grep "WIFI_INTERFACE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi fi
@ -1595,7 +1601,7 @@ function install_zeronet {
apt-get -y install python python-msgpack python-gevent python-pip apt-get -y install python python-msgpack python-gevent python-pip
pip install msgpack-python --upgrade pip install msgpack-python --upgrade
adduser --home /opt/zeronet/ --shell /bin/false --no-create-home --ingroup daemon --disabled-password --disabled-login zeronet adduser --home /opt/zeronet/ --shell /bin/false --no-create-home --ingroup daemon --disabled-password --disabled-login zeronet
git clone $ZERONET_REPO /opt/zeronet git clone $ZERONET_REPO /opt/zeronet
sudo chown -R zeronet:zeronet /opt/zeronet sudo chown -R zeronet:zeronet /opt/zeronet
@ -1615,10 +1621,10 @@ function install_zeronet {
echo '' >> /etc/systemd/system/zeronet.service echo '' >> /etc/systemd/system/zeronet.service
echo '[Install]' >> /etc/systemd/system/zeronet.service echo '[Install]' >> /etc/systemd/system/zeronet.service
echo 'WantedBy=multi-user.target' >> /etc/systemd/system/zeronet.service echo 'WantedBy=multi-user.target' >> /etc/systemd/system/zeronet.service
systemctl enable zeronet.service systemctl enable zeronet.service
systemctl start zeronet.service systemctl start zeronet.service
echo 'mesh_zeronet' >> $COMPLETION_FILE echo 'mesh_zeronet' >> $COMPLETION_FILE
} }
@ -1830,7 +1836,7 @@ function mesh_babel {
echo 'RemainAfterExit=yes' >> /etc/systemd/system/babel.service echo 'RemainAfterExit=yes' >> /etc/systemd/system/babel.service
echo '' >> /etc/systemd/system/babel.service echo '' >> /etc/systemd/system/babel.service
echo '# Allow time for the server to start/stop' >> /etc/systemd/system/babel.service echo '# Allow time for the server to start/stop' >> /etc/systemd/system/babel.service
echo 'TimeoutSec=300' >> /etc/systemd/system/babel.service echo 'TimeoutSec=300' >> /etc/systemd/system/babel.service
echo '' >> /etc/systemd/system/babel.service echo '' >> /etc/systemd/system/babel.service
echo '[Install]' >> /etc/systemd/system/babel.service echo '[Install]' >> /etc/systemd/system/babel.service
echo 'WantedBy=multi-user.target' >> /etc/systemd/system/babel.service echo 'WantedBy=multi-user.target' >> /etc/systemd/system/babel.service
@ -2048,7 +2054,7 @@ function mesh_batman_bridge {
echo 'RemainAfterExit=yes' >> /etc/systemd/system/batman.service echo 'RemainAfterExit=yes' >> /etc/systemd/system/batman.service
echo '' >> /etc/systemd/system/batman.service echo '' >> /etc/systemd/system/batman.service
echo '# Allow time for the server to start/stop' >> /etc/systemd/system/batman.service echo '# Allow time for the server to start/stop' >> /etc/systemd/system/batman.service
echo 'TimeoutSec=300' >> /etc/systemd/system/batman.service echo 'TimeoutSec=300' >> /etc/systemd/system/batman.service
echo '' >> /etc/systemd/system/batman.service echo '' >> /etc/systemd/system/batman.service
echo '[Install]' >> /etc/systemd/system/batman.service echo '[Install]' >> /etc/systemd/system/batman.service
echo 'WantedBy=multi-user.target' >> /etc/systemd/system/batman.service echo 'WantedBy=multi-user.target' >> /etc/systemd/system/batman.service
@ -2199,7 +2205,7 @@ function create_backup_script {
echo "if [ ! -f $BACKUP_CERTIFICATE ]; then" >> /usr/bin/$BACKUP_SCRIPT_NAME echo "if [ ! -f $BACKUP_CERTIFICATE ]; then" >> /usr/bin/$BACKUP_SCRIPT_NAME
echo ' echo "Creating backup key"' >> /usr/bin/$BACKUP_SCRIPT_NAME echo ' echo "Creating backup key"' >> /usr/bin/$BACKUP_SCRIPT_NAME
echo ' freedombone-addcert -h backup' >> /usr/bin/$BACKUP_SCRIPT_NAME echo " freedombone-addcert -h backup --dhkey $DH_KEYLENGTH" >> /usr/bin/$BACKUP_SCRIPT_NAME
echo 'fi' >> /usr/bin/$BACKUP_SCRIPT_NAME echo 'fi' >> /usr/bin/$BACKUP_SCRIPT_NAME
echo '' >> /usr/bin/$BACKUP_SCRIPT_NAME echo '' >> /usr/bin/$BACKUP_SCRIPT_NAME
@ -3644,7 +3650,7 @@ function backup_to_friends_servers {
echo "if [ ! -f $BACKUP_CERTIFICATE ]; then" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo "if [ ! -f $BACKUP_CERTIFICATE ]; then" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' echo "Creating backup key"' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo ' echo "Creating backup key"' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' freedombone-addcert -h backup' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo " freedombone-addcert -h backup --dhkey $DH_KEYLENGTH" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo 'fi' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo 'fi' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo '' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo '' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
@ -6202,7 +6208,7 @@ function configure_email {
# make a tls certificate for email # make a tls certificate for email
if [ ! -f /etc/ssl/certs/exim.dhparam ]; then if [ ! -f /etc/ssl/certs/exim.dhparam ]; then
freedombone-addcert -h exim freedombone-addcert -h exim --dhkey $DH_KEYLENGTH
check_certificates exim check_certificates exim
fi fi
cp /etc/ssl/private/exim.key /etc/exim4 cp /etc/ssl/private/exim.key /etc/exim4
@ -6431,7 +6437,7 @@ function configure_imap {
fi fi
if [ ! -f /etc/ssl/certs/dovecot.dhparam ]; then if [ ! -f /etc/ssl/certs/dovecot.dhparam ]; then
freedombone-addcert -h dovecot freedombone-addcert -h dovecot --dhkey $DH_KEYLENGTH
check_certificates dovecot check_certificates dovecot
fi fi
chown root:dovecot /etc/ssl/certs/dovecot.* chown root:dovecot /etc/ssl/certs/dovecot.*
@ -6518,7 +6524,7 @@ function configure_imap_client_certs {
fi fi
# make a CA cert # make a CA cert
if [ ! -f /etc/ssl/private/ca-$DEFAULT_DOMAIN_NAME.key ]; then if [ ! -f /etc/ssl/private/ca-$DEFAULT_DOMAIN_NAME.key ]; then
freedombone-addcert -h $DEFAULT_DOMAIN_NAME --ca "" freedombone-addcert -h $DEFAULT_DOMAIN_NAME --ca "" --dhkey $DH_KEYLENGTH
fi fi
# CA configuration # CA configuration
echo '[ ca ]' > /etc/ssl/dovecot-ca.cnf echo '[ ca ]' > /etc/ssl/dovecot-ca.cnf
@ -7820,7 +7826,7 @@ quit" > $INSTALL_DIR/batch.sql
configure_php configure_php
if [ ! -f /etc/ssl/certs/$OWNCLOUD_DOMAIN_NAME.dhparam ]; then if [ ! -f /etc/ssl/certs/$OWNCLOUD_DOMAIN_NAME.dhparam ]; then
freedombone-addcert -h $OWNCLOUD_DOMAIN_NAME freedombone-addcert -h $OWNCLOUD_DOMAIN_NAME --dhkey $DH_KEYLENGTH
check_certificates $OWNCLOUD_DOMAIN_NAME check_certificates $OWNCLOUD_DOMAIN_NAME
fi fi
@ -8069,7 +8075,7 @@ quit" > $INSTALL_DIR/batch.sql
configure_php configure_php
if [ ! -f /etc/ssl/certs/$GIT_DOMAIN_NAME.dhparam ]; then if [ ! -f /etc/ssl/certs/$GIT_DOMAIN_NAME.dhparam ]; then
freedombone-addcert -h $GIT_DOMAIN_NAME freedombone-addcert -h $GIT_DOMAIN_NAME --dhkey $DH_KEYLENGTH
check_certificates $GIT_DOMAIN_NAME check_certificates $GIT_DOMAIN_NAME
fi fi
@ -8242,7 +8248,7 @@ function install_xmpp {
fi fi
if [ ! -f /etc/ssl/certs/xmpp.dhparam ]; then if [ ! -f /etc/ssl/certs/xmpp.dhparam ]; then
freedombone-addcert -h xmpp freedombone-addcert -h xmpp --dhkey $DH_KEYLENGTH
check_certificates xmpp check_certificates xmpp
fi fi
chown prosody:prosody /etc/ssl/private/xmpp.key chown prosody:prosody /etc/ssl/private/xmpp.key
@ -8367,7 +8373,7 @@ function install_irc_server {
fi fi
if [ ! -f /etc/ssl/certs/ngircd.dhparam ]; then if [ ! -f /etc/ssl/certs/ngircd.dhparam ]; then
freedombone-addcert -h ngircd freedombone-addcert -h ngircd --dhkey $DH_KEYLENGTH
check_certificates ngircd check_certificates ngircd
fi fi
@ -8464,7 +8470,7 @@ function install_wiki {
rm -rf /var/www/$WIKI_DOMAIN_NAME/htdocs rm -rf /var/www/$WIKI_DOMAIN_NAME/htdocs
fi fi
if [ ! -f /etc/ssl/certs/$WIKI_DOMAIN_NAME.dhparam ]; then if [ ! -f /etc/ssl/certs/$WIKI_DOMAIN_NAME.dhparam ]; then
freedombone-addcert -h $WIKI_DOMAIN_NAME freedombone-addcert -h $WIKI_DOMAIN_NAME --dhkey $DH_KEYLENGTH
check_certificates $WIKI_DOMAIN_NAME check_certificates $WIKI_DOMAIN_NAME
fi fi
@ -8750,7 +8756,7 @@ function install_blog {
chown -R www-data:www-data /var/www/$FULLBLOG_DOMAIN_NAME/htdocs chown -R www-data:www-data /var/www/$FULLBLOG_DOMAIN_NAME/htdocs
if [ ! -f /etc/ssl/certs/$FULLBLOG_DOMAIN_NAME.dhparam ]; then if [ ! -f /etc/ssl/certs/$FULLBLOG_DOMAIN_NAME.dhparam ]; then
freedombone-addcert -h $FULLBLOG_DOMAIN_NAME freedombone-addcert -h $FULLBLOG_DOMAIN_NAME --dhkey $DH_KEYLENGTH
check_certificates $FULLBLOG_DOMAIN_NAME check_certificates $FULLBLOG_DOMAIN_NAME
fi fi
@ -9115,7 +9121,7 @@ quit" > $INSTALL_DIR/batch.sql
configure_php configure_php
if [ ! -f /etc/ssl/certs/$MICROBLOG_DOMAIN_NAME.dhparam ]; then if [ ! -f /etc/ssl/certs/$MICROBLOG_DOMAIN_NAME.dhparam ]; then
freedombone-addcert -h $MICROBLOG_DOMAIN_NAME freedombone-addcert -h $MICROBLOG_DOMAIN_NAME --dhkey $DH_KEYLENGTH
check_certificates $MICROBLOG_DOMAIN_NAME check_certificates $MICROBLOG_DOMAIN_NAME
fi fi
@ -9384,7 +9390,7 @@ quit" > $INSTALL_DIR/batch.sql
configure_php configure_php
if [ ! -f /etc/ssl/certs/$REDMATRIX_DOMAIN_NAME.dhparam ]; then if [ ! -f /etc/ssl/certs/$REDMATRIX_DOMAIN_NAME.dhparam ]; then
freedombone-addcert -h $REDMATRIX_DOMAIN_NAME freedombone-addcert -h $REDMATRIX_DOMAIN_NAME --dhkey $DH_KEYLENGTH
check_certificates $REDMATRIX_DOMAIN_NAME check_certificates $REDMATRIX_DOMAIN_NAME
fi fi
@ -9702,7 +9708,7 @@ function install_mediagoblin {
echo '}' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo '}' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
if [ ! -f /etc/ssl/certs/$MEDIAGOBLIN_DOMAIN_NAME.dhparam ]; then if [ ! -f /etc/ssl/certs/$MEDIAGOBLIN_DOMAIN_NAME.dhparam ]; then
freedombone-addcert -h $MEDIAGOBLIN_DOMAIN_NAME freedombone-addcert -h $MEDIAGOBLIN_DOMAIN_NAME --dhkey $DH_KEYLENGTH
check_certificates $MEDIAGOBLIN_DOMAIN_NAME check_certificates $MEDIAGOBLIN_DOMAIN_NAME
fi fi
@ -10141,7 +10147,7 @@ function install_voip {
# Make an ssl cert for the server # Make an ssl cert for the server
if [ ! -f /etc/ssl/certs/mumble.dhparam ]; then if [ ! -f /etc/ssl/certs/mumble.dhparam ]; then
freedombone-addcert -h mumble freedombone-addcert -h mumble --dhkey $DH_KEYLENGTH
check_certificates mumble check_certificates mumble
fi fi
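Review bot: The new DH_KEYLENGTH read in read_configuration (the hunk at line 753) takes whatever follows the first `=` on any line containing that substring and never checks the result, so an empty or non-numeric entry in the configuration file silently replaces the 3072 default and is then expanded unquoted into every `freedombone-addcert ... --dhkey $DH_KEYLENGTH` call and written verbatim into the generated /usr/bin scripts in the create_backup_script and backup_to_friends_servers hunks. Anchoring the match, `if grep -q "^DH_KEYLENGTH=" $CONFIGURATION_FILE; then`, and adding a guard after the `fi`, `[[ "$DH_KEYLENGTH" =~ ^[0-9]+$ ]] || DH_KEYLENGTH=3072`, would keep a malformed value from reaching the certificate tooling. A lower bound with a warning on stderr (for example refusing anything below the 1024 the commit itself accepts for the BBB) would also catch a mistyped value such as 102, which would otherwise yield a far weaker parameter set than intended rather than a visible failure. Note too that the backup scripts freeze the value at install time, so a later change to the configuration file is not reflected in them. read_configuration starts and ends outside the hunk.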


@ -94,6 +94,7 @@ ESSID='mesh'
BATMAN_CELLID='02:BA:00:00:03:01' BATMAN_CELLID='02:BA:00:00:03:01'
WIFI_CHANNEL= WIFI_CHANNEL=
CONFIGURATION_FILE= CONFIGURATION_FILE=
DH_KEYLENGTH=
function show_help { function show_help {
echo '' echo ''
@ -244,6 +245,9 @@ function save_configuration_file {
if [ $WIFI_CHANNEL ]; then if [ $WIFI_CHANNEL ]; then
echo "WIFI_CHANNEL=$WIFI_CHANNEL" >> $CONFIGURATION_FILE echo "WIFI_CHANNEL=$WIFI_CHANNEL" >> $CONFIGURATION_FILE
fi fi
if [ $DH_KEYLENGTH ]; then
echo "DH_KEYLENGTH=$DH_KEYLENGTH" >> $CONFIGURATION_FILE
fi
} }
# test a domain name to see if it's valid # test a domain name to see if it's valid
@ -631,6 +635,9 @@ function interactive_configuration {
esac esac
if [[ $INSTALLING_ON_BBB == "yes" ]]; then if [[ $INSTALLING_ON_BBB == "yes" ]]; then
USB_DRIVE=/dev/sda1 USB_DRIVE=/dev/sda1
# here a short diffie-hellman key length is used, because otherwise creation of keys
# becomes impractically long on the beaglebone.
DH_KEYLENGTH=1024
fi fi
save_configuration_file save_configuration_file