From 736ce5e2fb53234371bcb1dd3444bb81ccd862a1 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Wed, 2 Dec 2015 08:31:18 +0000
Subject: [PATCH] Check on dhparam creation
---
 src/freedombone-addcert | 105 +++++++++++++++++++++------------------
 src/freedombone-sec | 3 ++
 2 files changed, 57 insertions(+), 51 deletions(-)
diff --git a/src/freedombone-addcert b/src/freedombone-addcert
index 187fa7d7..b915a58b 100755
--- a/src/freedombone-addcert
+++ b/src/freedombone-addcert
@@ -130,10 +130,10 @@ shift done if [ ! $HOSTNAME ]; then - if [ ! $LETSENCRYPT_HOSTNAME ]; then + if [ ! $LETSENCRYPT_HOSTNAME ]; then echo $'No hostname specified' exit 5748 - fi + fi fi if ! which openssl > /dev/null ;then 
@@ -148,56 +148,56 @@ fi if [ $LETSENCRYPT_HOSTNAME ]; then CERTFILE=$LETSENCRYPT_HOSTNAME - if [ ! -d $INSTALL_DIR ]; then - mkdir -p $INSTALL_DIR - fi - cd $INSTALL_DIR + if [ ! -d $INSTALL_DIR ]; then + mkdir -p $INSTALL_DIR + fi + cd $INSTALL_DIR - # obtain the repo - if [ ! -d $INSTALL_DIR/letsencrypt ]; then - git clone https://github.com/letsencrypt/letsencrypt - if [ ! -d $INSTALL_DIR/letsencrypt ]; then - exit 76283 - fi - else - cd $INSTALL_DIR/letsencrypt - git stash - git pull - fi + # obtain the repo + if [ ! -d $INSTALL_DIR/letsencrypt ]; then + git clone https://github.com/letsencrypt/letsencrypt + if [ ! -d $INSTALL_DIR/letsencrypt ]; then + exit 76283 + fi + else + cd $INSTALL_DIR/letsencrypt + git stash + git pull + fi - cd $INSTALL_DIR/letsencrypt - # TODO this requires user interaction - is there a non-interactive mode? - ./letsencrypt-auto certonly --server $LETSENCRYPT_SERVER --standalone -d $LETSENCRYPT_HOSTNAME - if [ ! "$?" = "0" ]; then - echo $"Failed to install letsencrypt for domain $LETSENCRYPT_HOSTNAME" - exit 63216 - fi + cd $INSTALL_DIR/letsencrypt + # TODO this requires user interaction - is there a non-interactive mode? + ./letsencrypt-auto certonly --server $LETSENCRYPT_SERVER --standalone -d $LETSENCRYPT_HOSTNAME + if [ ! "$?" 
= "0" ]; then + echo $"Failed to install letsencrypt for domain $LETSENCRYPT_HOSTNAME" + exit 63216 + fi - # replace some legacy filenames - if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt ]; then - mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem - fi - if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt ]; then - mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem - fi - sed -i "s|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem|g" /etc/nginx/sites-available/$LETSENCRYPT_HOSTNAME - sed -i "s|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem|g" /etc/nginx/sites-available/$LETSENCRYPT_HOSTNAME + # replace some legacy filenames + if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt ]; then + mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem + fi + if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt ]; then + mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem + fi + sed -i "s|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem|g" /etc/nginx/sites-available/$LETSENCRYPT_HOSTNAME + sed -i "s|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem|g" /etc/nginx/sites-available/$LETSENCRYPT_HOSTNAME - # link the private key - if [ -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key ]; then - if [ ! 
-f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old ]; then - mv /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old - fi - fi - ln -s /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/privkey.pem /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key + # link the private key + if [ -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key ]; then + if [ ! -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old ]; then + mv /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old + fi + fi + ln -s /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/privkey.pem /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key - # link the public key - if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem ]; then - if [ ! -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old ]; then - mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old - fi - fi - ln -s /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem + # link the public key + if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem ]; then + if [ ! -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old ]; then + mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old + fi + fi + ln -s /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem cp /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem /etc/ssl/mycerts/${LETSENCRYPT_HOSTNAME}.pem else 
@@ -217,10 +217,13 @@ fi # generate DH params if [ ! $NODH ]; then - if [ ! -f /etc/ssl/certs/$CERTFILE.dhparam ]; then - openssl dhparam -check -text -dsaparam $DH_KEYLENGTH -out /etc/ssl/certs/$CERTFILE.dhparam - chmod 640 /etc/ssl/certs/$CERTFILE.dhparam - fi + if [ ! -f /etc/ssl/certs/$CERTFILE.dhparam ]; then + openssl dhparam -check -text -dsaparam $DH_KEYLENGTH -out /etc/ssl/certs/$CERTFILE.dhparam + if [ ! "$?" = "0" ]; then + exit 72428 + fi + chmod 640 /etc/ssl/certs/$CERTFILE.dhparam + fi fi if [ -f /etc/init.d/nginx ]; then
diff --git a/src/freedombone-sec b/src/freedombone-sec
index 6d599a09..b0d159f6 100755
--- a/src/freedombone-sec
+++ b/src/freedombone-sec
@@ -372,6 +372,9 @@ function regenerate_dh_keys { filename=/etc/ssl/certs/$(echo $file | awk -F '/etc/ssl/mycerts/' '{print $2}' | awk -F '.crt' '{print $1}').dhparam if [ -f $filename ]; then openssl dhparam -check -text -dsaparam $DH_KEYLENGTH -out $filename + if [ ! "$?" = "0" ]; then + exit 3674 + fi ctr=$((ctr + 1)) fi fi
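Review bot: The new `exit 72428` path leaves whatever openssl managed to write to `/etc/ssl/certs/$CERTFILE.dhparam` on disk, and because the whole branch is guarded by `if [ ! -f /etc/ssl/certs/$CERTFILE.dhparam ]`, a rerun of the script will see the file, skip generation, and the `chmod 640` and nginx steps further down will end up pointing at a truncated or empty parameter file. Delete the partial output before leaving, `rm -f /etc/ssl/certs/$CERTFILE.dhparam` placed just before `exit 72428`, or generate into a temporary name and only `mv` it into place after the status check succeeds. The freedombone-sec hunk below has the same shape, and there the file being overwritten is the one already in service. Minor: `$CERTFILE` and `$DH_KEYLENGTH` remain unquoted on the new lines; quoting `"$DH_KEYLENGTH"` makes an unset length fail loudly rather than letting openssl fall back to its own default size.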
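Review bot: Writing with `-out $filename` overwrites the dhparam file that is already in use before the result is known, so when the new `exit 3674` fires the live file is left truncated and the services referencing it will reject it on their next reload, turning a failed regeneration into an outage. Generate into a temporary file next to the target and rename it over the original only after the status check passes, removing the temporary on failure; the `chmod 640` mirrors what freedombone-addcert applies, which presumably is the intended mode here too. Exiting the script from inside `regenerate_dh_keys` also abandons the remaining certificates in the loop; whether a `return` with a message to stderr would suit the caller better cannot be judged from the hunk, since the function starts before it and the loop continues after it.
```shell
# … unchanged: filename derivation and the -f test …
            tmpfile=$(mktemp "$filename.XXXXXX") || exit 3674
            openssl dhparam -check -text -dsaparam $DH_KEYLENGTH -out "$tmpfile"
            if [ ! "$?" = "0" ]; then
                rm -f -- "$tmpfile"
                exit 3674
            fi
            chmod 640 "$tmpfile"
            mv -- "$tmpfile" "$filename"
            ctr=$((ctr + 1))
```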