From 2a46fd3121eb3e72643c977e8388d4ee74f21d4b Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Sat, 15 Aug 2015 13:34:59 +0100
Subject: [PATCH] Regenerate keys
---
 src/freedombone-sec | 75 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 75 insertions(+)
diff --git a/src/freedombone-sec b/src/freedombone-sec
index 0788191a..625d3368 100755
--- a/src/freedombone-sec
+++ b/src/freedombone-sec
@@ -50,6 +50,10 @@ EXPORT_FILE=
 CURRENT_DIR=$(pwd)
+REGENERATE_SSH_HOST_KEYS="no"
+REGENERATE_DH_KEYS="no"
+DH_KEYLENGTH=3072
+
 function get_protocols_from_website {
   if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
     return
@@ -317,6 +321,74 @@ function interactive_setup {
   clear
 }
+function regenerate_ssh_host_keys {
+  if [[ $REGENERATE_SSH_HOST_KEYS == "yes" ]]; then
+    rm -f /etc/ssh/ssh_host_*
+    dpkg-reconfigure openssh-server
+    echo 'ssh host keys regenerated'
+    # remove small moduli
+    awk '$5 > 2000' /etc/ssh/moduli > ~/moduli
+    mv ~/moduli /etc/ssh/moduli
+    echo 'ssh small moduli removed'
+    systemctl restart ssh
+  fi
+}
+
+function regenerate_dh_keys {
+  if [[ $REGENERATE_DH_KEYS == "yes" ]]; then
+    if [ ! -d /etc/ssl/mycerts ]; then
+      return
+    fi
+
+    data=$(tempfile 2>/dev/null)
+    trap "rm -f $data" 0 1 2 5 15
+    dialog --backtitle "Freedombone Security Configuration" \
+           --radiolist "Select a key length:" 10 40 2 \
+           1 "1024 bits" off \
+           2 "3072 bits" on 2> $data
+    sel=$?
+    case $sel in
+      1) exit 1;;
+      255) exit 1;;
+    esac
+    case $(cat $data) in
+      1) DH_KEYLENGTH=1024;;
+      2) DH_KEYLENGTH=3072;;
+    esac
+
+    for file in /etc/ssl/mycerts/*
+    do
+      if [[ -f $file ]]; then
+        filename=/etc/ssl/certs/$(echo $file | awk -F '/etc/ssl/mycerts/' '{print $2}' | awk -F '.crt' '{print $1}').dhparam
+        if [ -f $filename ]; then
+          openssl dhparam -check -text -5 $DH_KEYLENGTH -out $filename
+        fi
+      fi
+    done
+  fi
+}
+
+function housekeeping {
+  cmd=(dialog --separate-output \
+       --backtitle "Freedombone Security Configuration" \
+       --checklist "Housekeeping options. If you don't need to do any of these things then just press Enter:" 10 76 16)
+  options=(1 "Regenerate ssh host keys" off
+           2 "Regenerate Diffie-Hellman keys" off)
+  choices=$("${cmd[@]}" "${options[@]}" 2>&1 >/dev/tty)
+  clear
+  for choice in $choices
+  do
+    case $choice in
+      1)
+        REGENERATE_SSH_HOST_KEYS="yes"
+        ;;
+      2)
+        REGENERATE_DH_KEYS="yes"
+        ;;
+    esac
+  done
+}
+
 function import_settings {
   cd $CURRENT_DIR
@@ -532,6 +604,7 @@ esac
 shift
 done
+housekeeping
 get_website_settings
 get_imap_settings
 get_ssh_settings
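Review bot: In `regenerate_ssh_host_keys` the old keys are removed and `systemctl restart ssh` runs unconditionally, without checking that `dpkg-reconfigure openssh-server` produced new keys, so a failed regeneration on a remotely administered host ends with sshd unable to start and the operator locked out. The restart should be gated on the reconfigure succeeding and on new key files existing, and the fresh fingerprints printed with `ssh-keygen -lf` so the admin can verify them out-of-band when clients warn about a changed host key, as in the fence below. In `regenerate_dh_keys`, `openssl dhparam ... -out $filename` rewrites the live `.dhparam` in place, so an interrupted or failed run leaves a truncated file that breaks TLS for that certificate; write to a temp file and `mv` it over the original only on success, and drop `-text`, which also emits a human-readable dump into the same output file. The radiolist also still offers a 1024-bit group; 1024-bit DH is below current recommendations and a hardening script should not offer it, or should at least warn before generating it. The `filename=` derivation via two `awk` pipelines can be `base=${file##*/}; filename=/etc/ssl/certs/${base%.crt}.dhparam`.
```shell
function regenerate_ssh_host_keys {
  if [[ $REGENERATE_SSH_HOST_KEYS == "yes" ]]; then
    rm -f /etc/ssh/ssh_host_*
    # Do not restart sshd unless new host keys are actually in place;
    # leaving the running daemon alone keeps the current session usable.
    if ! dpkg-reconfigure openssh-server; then
      echo 'ssh host key regeneration failed, not restarting ssh' >&2
      return 1
    fi
    if ! compgen -G "/etc/ssh/ssh_host_*_key" > /dev/null; then
      echo 'no ssh host keys were generated, not restarting ssh' >&2
      return 1
    fi
    echo 'ssh host keys regenerated'
    # Print the new fingerprints so the admin can verify them out-of-band
    for pubkey in /etc/ssh/ssh_host_*_key.pub; do
      [[ -f $pubkey ]] && ssh-keygen -lf "$pubkey"
    done
    # … unchanged: small moduli removal and systemctl restart ssh …
  fi
}
```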
@@ -543,4 +616,6 @@ change_website_settings
 change_imap_settings
 change_ssh_settings
 change_xmpp_settings
+regenerate_ssh_host_keys
+regenerate_dh_keys
 exit 0