free
/
freedombone
關注 1
收藏 0
複製 0
程式碼 問題 0 合併請求 0 版本發佈 0 Wiki 活動
瀏覽代碼

Increase diffie-hellman key length, except on BBB 

This is a tradeoff between security and the amount of time which a user might be willing to wait for the installation to complete. If each key takes multiple hours to compute then the user may just abandon the install
Bob Mottram 10 年之前
父節點
5affb786ea
當前提交
1e28a68487
共有 2 個檔案被更改,包括 33 行新增20 行删除
分割檢視 顯示文件統計
  1. 26
    20
      src/freedombone
  2. 7
    0
      src/freedombone-config

+ 26
- 20
src/freedombone 查看文件 

@@ -402,6 +402,9 @@ TOX_NODE=
402 402
403 403 
 ZERONET_REPO='https://github.com/HelloZeroNet/ZeroNet.git'
404 404
405 
+# Default diffie-hellman key length in bits
406 
+DH_KEYLENGTH=3072
407 
+
405 408 
 function show_help {
406 409 
   echo ''
407 410 
   echo 'freedombone -c [configuration file]'
 
@@ -753,6 +756,9 @@ function read_configuration {
753 756 
   fi
754 757
755 758 
   if [ -f $CONFIGURATION_FILE ]; then
759 
+      if grep -q "DH_KEYLENGTH" $CONFIGURATION_FILE; then
760 
+          DH_KEYLENGTH=$(grep "DH_KEYLENGTH" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
761 
+      fi
756 762 
       if grep -q "WIFI_INTERFACE" $CONFIGURATION_FILE; then
757 763 
           WIFI_INTERFACE=$(grep "WIFI_INTERFACE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
758 764 
       fi
 
@@ -1595,7 +1601,7 @@ function install_zeronet {
1595 1601
1596 1602 
   apt-get -y install python python-msgpack python-gevent python-pip
1597 1603 
   pip install msgpack-python --upgrade
1598 
-
1604 
+
1599 1605 
   adduser --home /opt/zeronet/ --shell /bin/false --no-create-home --ingroup daemon --disabled-password --disabled-login zeronet
1600 1606 
   git clone $ZERONET_REPO /opt/zeronet
1601 1607 
   sudo chown -R zeronet:zeronet /opt/zeronet
 
@@ -1615,10 +1621,10 @@ function install_zeronet {
1615 1621 
   echo '' >> /etc/systemd/system/zeronet.service
1616 1622 
   echo '[Install]' >> /etc/systemd/system/zeronet.service
1617 1623 
   echo 'WantedBy=multi-user.target' >> /etc/systemd/system/zeronet.service
1618 
-
1624 
+
1619 1625 
   systemctl enable zeronet.service
1620 1626 
   systemctl start zeronet.service
1621 
-
1627 
+
1622 1628 
   echo 'mesh_zeronet' >> $COMPLETION_FILE
1623 1629 
 }
1624 1630 
 
@@ -1830,7 +1836,7 @@ function mesh_babel {
1830 1836 
   echo 'RemainAfterExit=yes' >> /etc/systemd/system/babel.service
1831 1837 
   echo '' >> /etc/systemd/system/babel.service
1832 1838 
   echo '# Allow time for the server to start/stop' >> /etc/systemd/system/babel.service
1833 
-  echo 'TimeoutSec=300' >> /etc/systemd/system/babel.service
1839 
+  echo 'TimeoutSec=300' >> /etc/systemd/system/babel.service
1834 1840 
   echo '' >> /etc/systemd/system/babel.service
1835 1841 
   echo '[Install]' >> /etc/systemd/system/babel.service
1836 1842 
   echo 'WantedBy=multi-user.target' >> /etc/systemd/system/babel.service
 
@@ -2048,7 +2054,7 @@ function mesh_batman_bridge {
2048 2054 
   echo 'RemainAfterExit=yes' >> /etc/systemd/system/batman.service
2049 2055 
   echo '' >> /etc/systemd/system/batman.service
2050 2056 
   echo '# Allow time for the server to start/stop' >> /etc/systemd/system/batman.service
2051 
-  echo 'TimeoutSec=300' >> /etc/systemd/system/batman.service
2057 
+  echo 'TimeoutSec=300' >> /etc/systemd/system/batman.service
2052 2058 
   echo '' >> /etc/systemd/system/batman.service
2053 2059 
   echo '[Install]' >> /etc/systemd/system/batman.service
2054 2060 
   echo 'WantedBy=multi-user.target' >> /etc/systemd/system/batman.service
 
@@ -2199,7 +2205,7 @@ function create_backup_script {
2199 2205
2200 2206 
   echo "if [ ! -f $BACKUP_CERTIFICATE ]; then" >> /usr/bin/$BACKUP_SCRIPT_NAME
2201 2207 
   echo '    echo "Creating backup key"' >> /usr/bin/$BACKUP_SCRIPT_NAME
2202 
-  echo '    freedombone-addcert -h backup' >> /usr/bin/$BACKUP_SCRIPT_NAME
2208 
+  echo "    freedombone-addcert -h backup --dhkey $DH_KEYLENGTH" >> /usr/bin/$BACKUP_SCRIPT_NAME
2203 2209 
   echo 'fi' >> /usr/bin/$BACKUP_SCRIPT_NAME
2204 2210 
   echo '' >> /usr/bin/$BACKUP_SCRIPT_NAME
2205 2211 
 
@@ -3644,7 +3650,7 @@ function backup_to_friends_servers {
3644 3650
3645 3651 
   echo "if [ ! -f $BACKUP_CERTIFICATE ]; then" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
3646 3652 
   echo '    echo "Creating backup key"' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
3647 
-  echo '    freedombone-addcert -h backup' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
3653 
+  echo "    freedombone-addcert -h backup --dhkey $DH_KEYLENGTH" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
3648 3654 
   echo 'fi' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
3649 3655 
   echo '' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
3650 3656 
 
@@ -6202,7 +6208,7 @@ function configure_email {
6202 6208
6203 6209 
   # make a tls certificate for email
6204 6210 
   if [ ! -f /etc/ssl/certs/exim.dhparam ]; then
6205 
-      freedombone-addcert -h exim
6211 
+      freedombone-addcert -h exim --dhkey $DH_KEYLENGTH
6206 6212 
       check_certificates exim
6207 6213 
   fi
6208 6214 
   cp /etc/ssl/private/exim.key /etc/exim4
 
@@ -6431,7 +6437,7 @@ function configure_imap {
6431 6437 
   fi
6432 6438
6433 6439 
   if [ ! -f /etc/ssl/certs/dovecot.dhparam ]; then
6434 
-      freedombone-addcert -h dovecot
6440 
+      freedombone-addcert -h dovecot --dhkey $DH_KEYLENGTH
6435 6441 
       check_certificates dovecot
6436 6442 
   fi
6437 6443 
   chown root:dovecot /etc/ssl/certs/dovecot.*
 
@@ -6518,7 +6524,7 @@ function configure_imap_client_certs {
6518 6524 
   fi
6519 6525 
   # make a CA cert
6520 6526 
   if [ ! -f /etc/ssl/private/ca-$DEFAULT_DOMAIN_NAME.key ]; then
6521 
-      freedombone-addcert -h $DEFAULT_DOMAIN_NAME --ca ""
6527 
+      freedombone-addcert -h $DEFAULT_DOMAIN_NAME --ca "" --dhkey $DH_KEYLENGTH
6522 6528 
   fi
6523 6529 
   # CA configuration
6524 6530 
   echo '[ ca ]' > /etc/ssl/dovecot-ca.cnf
 
@@ -7820,7 +7826,7 @@ quit" > $INSTALL_DIR/batch.sql
7820 7826 
   configure_php
7821 7827
7822 7828 
   if [ ! -f /etc/ssl/certs/$OWNCLOUD_DOMAIN_NAME.dhparam ]; then
7823 
-      freedombone-addcert -h $OWNCLOUD_DOMAIN_NAME
7829 
+      freedombone-addcert -h $OWNCLOUD_DOMAIN_NAME --dhkey $DH_KEYLENGTH
7824 7830 
       check_certificates $OWNCLOUD_DOMAIN_NAME
7825 7831 
   fi
7826 7832 
 
@@ -8069,7 +8075,7 @@ quit" > $INSTALL_DIR/batch.sql
8069 8075 
   configure_php
8070 8076
8071 8077 
   if [ ! -f /etc/ssl/certs/$GIT_DOMAIN_NAME.dhparam ]; then
8072 
-      freedombone-addcert -h $GIT_DOMAIN_NAME
8078 
+      freedombone-addcert -h $GIT_DOMAIN_NAME --dhkey $DH_KEYLENGTH
8073 8079 
       check_certificates $GIT_DOMAIN_NAME
8074 8080 
   fi
8075 8081 
 
@@ -8242,7 +8248,7 @@ function install_xmpp {
8242 8248 
   fi
8243 8249
8244 8250 
   if [ ! -f /etc/ssl/certs/xmpp.dhparam ]; then
8245 
-      freedombone-addcert -h xmpp
8251 
+      freedombone-addcert -h xmpp --dhkey $DH_KEYLENGTH
8246 8252 
       check_certificates xmpp
8247 8253 
   fi
8248 8254 
   chown prosody:prosody /etc/ssl/private/xmpp.key
 
@@ -8367,7 +8373,7 @@ function install_irc_server {
8367 8373 
   fi
8368 8374
8369 8375 
   if [ ! -f /etc/ssl/certs/ngircd.dhparam ]; then
8370 
-      freedombone-addcert -h ngircd
8376 
+      freedombone-addcert -h ngircd --dhkey $DH_KEYLENGTH
8371 8377 
       check_certificates ngircd
8372 8378 
   fi
8373 8379 
 
@@ -8464,7 +8470,7 @@ function install_wiki {
8464 8470 
       rm -rf /var/www/$WIKI_DOMAIN_NAME/htdocs
8465 8471 
   fi
8466 8472 
   if [ ! -f /etc/ssl/certs/$WIKI_DOMAIN_NAME.dhparam ]; then
8467 
-      freedombone-addcert -h $WIKI_DOMAIN_NAME
8473 
+      freedombone-addcert -h $WIKI_DOMAIN_NAME --dhkey $DH_KEYLENGTH
8468 8474 
       check_certificates $WIKI_DOMAIN_NAME
8469 8475 
   fi
8470 8476 
 
@@ -8750,7 +8756,7 @@ function install_blog {
8750 8756 
   chown -R www-data:www-data /var/www/$FULLBLOG_DOMAIN_NAME/htdocs
8751 8757
8752 8758 
   if [ ! -f /etc/ssl/certs/$FULLBLOG_DOMAIN_NAME.dhparam ]; then
8753 
-      freedombone-addcert -h $FULLBLOG_DOMAIN_NAME
8759 
+      freedombone-addcert -h $FULLBLOG_DOMAIN_NAME --dhkey $DH_KEYLENGTH
8754 8760 
       check_certificates $FULLBLOG_DOMAIN_NAME
8755 8761 
   fi
8756 8762 
 
@@ -9115,7 +9121,7 @@ quit" > $INSTALL_DIR/batch.sql
9115 9121 
   configure_php
9116 9122
9117 9123 
   if [ ! -f /etc/ssl/certs/$MICROBLOG_DOMAIN_NAME.dhparam ]; then
9118 
-      freedombone-addcert -h $MICROBLOG_DOMAIN_NAME
9124 
+      freedombone-addcert -h $MICROBLOG_DOMAIN_NAME --dhkey $DH_KEYLENGTH
9119 9125 
       check_certificates $MICROBLOG_DOMAIN_NAME
9120 9126 
   fi
9121 9127 
 
@@ -9384,7 +9390,7 @@ quit" > $INSTALL_DIR/batch.sql
9384 9390 
   configure_php
9385 9391
9386 9392 
   if [ ! -f /etc/ssl/certs/$REDMATRIX_DOMAIN_NAME.dhparam ]; then
9387 
-      freedombone-addcert -h $REDMATRIX_DOMAIN_NAME
9393 
+      freedombone-addcert -h $REDMATRIX_DOMAIN_NAME --dhkey $DH_KEYLENGTH
9388 9394 
       check_certificates $REDMATRIX_DOMAIN_NAME
9389 9395 
   fi
9390 9396 
 
@@ -9702,7 +9708,7 @@ function install_mediagoblin {
9702 9708 
   echo '}' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
9703 9709
9704 9710 
   if [ ! -f /etc/ssl/certs/$MEDIAGOBLIN_DOMAIN_NAME.dhparam ]; then
9705 
-      freedombone-addcert -h $MEDIAGOBLIN_DOMAIN_NAME
9711 
+      freedombone-addcert -h $MEDIAGOBLIN_DOMAIN_NAME --dhkey $DH_KEYLENGTH
9706 9712 
       check_certificates $MEDIAGOBLIN_DOMAIN_NAME
9707 9713 
   fi
9708 9714 
 
@@ -10141,7 +10147,7 @@ function install_voip {
10141 10147
10142 10148 
   # Make an ssl cert for the server
10143 10149 
   if [ ! -f /etc/ssl/certs/mumble.dhparam ]; then
10144 
-      freedombone-addcert -h mumble
10150 
+      freedombone-addcert -h mumble --dhkey $DH_KEYLENGTH
10145 10151 
       check_certificates mumble
10146 10152 
   fi
10147 10153

+ 7
- 0
src/freedombone-config 查看文件 

@@ -94,6 +94,7 @@ ESSID='mesh'
94 94 
 BATMAN_CELLID='02:BA:00:00:03:01'
95 95 
 WIFI_CHANNEL=
96 96 
 CONFIGURATION_FILE=
97 
+DH_KEYLENGTH=
97 98
98 99 
 function show_help {
99 100 
   echo ''
 
@@ -244,6 +245,9 @@ function save_configuration_file {
244 245 
   if [ $WIFI_CHANNEL ]; then
245 246 
       echo "WIFI_CHANNEL=$WIFI_CHANNEL" >> $CONFIGURATION_FILE
246 247 
   fi
248 
+  if [ $DH_KEYLENGTH ]; then
249 
+      echo "DH_KEYLENGTH=$DH_KEYLENGTH" >> $CONFIGURATION_FILE
250 
+  fi
247 251 
 }
248 252
249 253 
 # test a domain name to see if it's valid
 
@@ -631,6 +635,9 @@ function interactive_configuration {
631 635 
   esac
632 636 
   if [[ $INSTALLING_ON_BBB == "yes" ]]; then
633 637 
       USB_DRIVE=/dev/sda1
638 
+	  # here a short diffie-hellman key length is used, because otherwise creation of keys
639 
+	  # becomes impractically long on the beaglebone.
640 
+	  DH_KEYLENGTH=1024
634 641 
   fi
635 642 
   save_configuration_file
636 643