
Increase diffie-hellman key length, except on BBB

This is a tradeoff between security and the amount of time a user is willing to wait for the installation to complete: if each key takes multiple hours to compute, the user may simply abandon the install.
Bob Mottram 10 年 前
コミット
1e28a68487
共有2 個のファイルを変更した33 個の追加20 個の削除を含む
  1. 26
    20
      src/freedombone
  2. 7
    0
      src/freedombone-config

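--- a/src/freedombone
+++ b/src/freedombone
@@ -402,6 +402,9 @@ TOX_NODE=
 
 ZERONET_REPO='https://github.com/HelloZeroNet/ZeroNet.git'
 
+# Default diffie-hellman key length in bits
+DH_KEYLENGTH=3072
+
 function show_help {
   echo ''
   echo 'freedombone -c [configuration file]'
@@ -753,6 +756,9 @@ function read_configuration {
   fi
 
   if [ -f $CONFIGURATION_FILE ]; then
+      if grep -q "DH_KEYLENGTH" $CONFIGURATION_FILE; then
+          DH_KEYLENGTH=$(grep "DH_KEYLENGTH" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+      fi
       if grep -q "WIFI_INTERFACE" $CONFIGURATION_FILE; then
           WIFI_INTERFACE=$(grep "WIFI_INTERFACE" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
       fi
@@ -1595,7 +1601,7 @@ function install_zeronet {
 
   apt-get -y install python python-msgpack python-gevent python-pip
   pip install msgpack-python --upgrade
-  
+
   adduser --home /opt/zeronet/ --shell /bin/false --no-create-home --ingroup daemon --disabled-password --disabled-login zeronet
   git clone $ZERONET_REPO /opt/zeronet
   sudo chown -R zeronet:zeronet /opt/zeronet
@@ -1615,10 +1621,10 @@ function install_zeronet {
   echo '' >> /etc/systemd/system/zeronet.service
   echo '[Install]' >> /etc/systemd/system/zeronet.service
   echo 'WantedBy=multi-user.target' >> /etc/systemd/system/zeronet.service
-  
+
   systemctl enable zeronet.service
   systemctl start zeronet.service
-  
+
   echo 'mesh_zeronet' >> $COMPLETION_FILE
 }
 
@@ -1830,7 +1836,7 @@ function mesh_babel {
   echo 'RemainAfterExit=yes' >> /etc/systemd/system/babel.service
   echo '' >> /etc/systemd/system/babel.service
   echo '# Allow time for the server to start/stop' >> /etc/systemd/system/babel.service
-  echo 'TimeoutSec=300' >> /etc/systemd/system/babel.service  
+  echo 'TimeoutSec=300' >> /etc/systemd/system/babel.service
   echo '' >> /etc/systemd/system/babel.service
   echo '[Install]' >> /etc/systemd/system/babel.service
   echo 'WantedBy=multi-user.target' >> /etc/systemd/system/babel.service
@@ -2048,7 +2054,7 @@ function mesh_batman_bridge {
   echo 'RemainAfterExit=yes' >> /etc/systemd/system/batman.service
   echo '' >> /etc/systemd/system/batman.service
   echo '# Allow time for the server to start/stop' >> /etc/systemd/system/batman.service
-  echo 'TimeoutSec=300' >> /etc/systemd/system/batman.service  
+  echo 'TimeoutSec=300' >> /etc/systemd/system/batman.service
   echo '' >> /etc/systemd/system/batman.service
   echo '[Install]' >> /etc/systemd/system/batman.service
   echo 'WantedBy=multi-user.target' >> /etc/systemd/system/batman.service
@@ -2199,7 +2205,7 @@ function create_backup_script {
 
   echo "if [ ! -f $BACKUP_CERTIFICATE ]; then" >> /usr/bin/$BACKUP_SCRIPT_NAME
   echo '    echo "Creating backup key"' >> /usr/bin/$BACKUP_SCRIPT_NAME
-  echo '    freedombone-addcert -h backup' >> /usr/bin/$BACKUP_SCRIPT_NAME
+  echo "    freedombone-addcert -h backup --dhkey $DH_KEYLENGTH" >> /usr/bin/$BACKUP_SCRIPT_NAME
   echo 'fi' >> /usr/bin/$BACKUP_SCRIPT_NAME
   echo '' >> /usr/bin/$BACKUP_SCRIPT_NAME
 
@@ -3644,7 +3650,7 @@ function backup_to_friends_servers {
 
   echo "if [ ! -f $BACKUP_CERTIFICATE ]; then" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
   echo '    echo "Creating backup key"' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
-  echo '    freedombone-addcert -h backup' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+  echo "    freedombone-addcert -h backup --dhkey $DH_KEYLENGTH" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
   echo 'fi' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
   echo '' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
 
@@ -6202,7 +6208,7 @@ function configure_email {
 
   # make a tls certificate for email
   if [ ! -f /etc/ssl/certs/exim.dhparam ]; then
-      freedombone-addcert -h exim
+      freedombone-addcert -h exim --dhkey $DH_KEYLENGTH
       check_certificates exim
   fi
   cp /etc/ssl/private/exim.key /etc/exim4
@@ -6431,7 +6437,7 @@ function configure_imap {
   fi
 
   if [ ! -f /etc/ssl/certs/dovecot.dhparam ]; then
-      freedombone-addcert -h dovecot
+      freedombone-addcert -h dovecot --dhkey $DH_KEYLENGTH
       check_certificates dovecot
   fi
   chown root:dovecot /etc/ssl/certs/dovecot.*
@@ -6518,7 +6524,7 @@ function configure_imap_client_certs {
   fi
   # make a CA cert
   if [ ! -f /etc/ssl/private/ca-$DEFAULT_DOMAIN_NAME.key ]; then
-      freedombone-addcert -h $DEFAULT_DOMAIN_NAME --ca ""
+      freedombone-addcert -h $DEFAULT_DOMAIN_NAME --ca "" --dhkey $DH_KEYLENGTH
   fi
   # CA configuration
   echo '[ ca ]' > /etc/ssl/dovecot-ca.cnf
@@ -7820,7 +7826,7 @@ quit" > $INSTALL_DIR/batch.sql
   configure_php
 
   if [ ! -f /etc/ssl/certs/$OWNCLOUD_DOMAIN_NAME.dhparam ]; then
-      freedombone-addcert -h $OWNCLOUD_DOMAIN_NAME
+      freedombone-addcert -h $OWNCLOUD_DOMAIN_NAME --dhkey $DH_KEYLENGTH
       check_certificates $OWNCLOUD_DOMAIN_NAME
   fi
 
@@ -8069,7 +8075,7 @@ quit" > $INSTALL_DIR/batch.sql
   configure_php
 
   if [ ! -f /etc/ssl/certs/$GIT_DOMAIN_NAME.dhparam ]; then
-      freedombone-addcert -h $GIT_DOMAIN_NAME
+      freedombone-addcert -h $GIT_DOMAIN_NAME --dhkey $DH_KEYLENGTH
       check_certificates $GIT_DOMAIN_NAME
   fi
 
@@ -8242,7 +8248,7 @@ function install_xmpp {
   fi
 
   if [ ! -f /etc/ssl/certs/xmpp.dhparam ]; then
-      freedombone-addcert -h xmpp
+      freedombone-addcert -h xmpp --dhkey $DH_KEYLENGTH
       check_certificates xmpp
   fi
   chown prosody:prosody /etc/ssl/private/xmpp.key
@@ -8367,7 +8373,7 @@ function install_irc_server {
   fi
 
   if [ ! -f /etc/ssl/certs/ngircd.dhparam ]; then
-      freedombone-addcert -h ngircd
+      freedombone-addcert -h ngircd --dhkey $DH_KEYLENGTH
       check_certificates ngircd
   fi
 
@@ -8464,7 +8470,7 @@ function install_wiki {
       rm -rf /var/www/$WIKI_DOMAIN_NAME/htdocs
   fi
   if [ ! -f /etc/ssl/certs/$WIKI_DOMAIN_NAME.dhparam ]; then
-      freedombone-addcert -h $WIKI_DOMAIN_NAME
+      freedombone-addcert -h $WIKI_DOMAIN_NAME --dhkey $DH_KEYLENGTH
       check_certificates $WIKI_DOMAIN_NAME
   fi
 
@@ -8750,7 +8756,7 @@ function install_blog {
   chown -R www-data:www-data /var/www/$FULLBLOG_DOMAIN_NAME/htdocs
 
   if [ ! -f /etc/ssl/certs/$FULLBLOG_DOMAIN_NAME.dhparam ]; then
-      freedombone-addcert -h $FULLBLOG_DOMAIN_NAME
+      freedombone-addcert -h $FULLBLOG_DOMAIN_NAME --dhkey $DH_KEYLENGTH
       check_certificates $FULLBLOG_DOMAIN_NAME
   fi
 
@@ -9115,7 +9121,7 @@ quit" > $INSTALL_DIR/batch.sql
   configure_php
 
   if [ ! -f /etc/ssl/certs/$MICROBLOG_DOMAIN_NAME.dhparam ]; then
-      freedombone-addcert -h $MICROBLOG_DOMAIN_NAME
+      freedombone-addcert -h $MICROBLOG_DOMAIN_NAME --dhkey $DH_KEYLENGTH
       check_certificates $MICROBLOG_DOMAIN_NAME
   fi
 
@@ -9384,7 +9390,7 @@ quit" > $INSTALL_DIR/batch.sql
   configure_php
 
   if [ ! -f /etc/ssl/certs/$REDMATRIX_DOMAIN_NAME.dhparam ]; then
-      freedombone-addcert -h $REDMATRIX_DOMAIN_NAME
+      freedombone-addcert -h $REDMATRIX_DOMAIN_NAME --dhkey $DH_KEYLENGTH
       check_certificates $REDMATRIX_DOMAIN_NAME
   fi
 
@@ -9702,7 +9708,7 @@ function install_mediagoblin {
   echo '}' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
 
   if [ ! -f /etc/ssl/certs/$MEDIAGOBLIN_DOMAIN_NAME.dhparam ]; then
-      freedombone-addcert -h $MEDIAGOBLIN_DOMAIN_NAME
+      freedombone-addcert -h $MEDIAGOBLIN_DOMAIN_NAME --dhkey $DH_KEYLENGTH
       check_certificates $MEDIAGOBLIN_DOMAIN_NAME
   fi
 
@@ -10141,7 +10147,7 @@ function install_voip {
 
   # Make an ssl cert for the server
   if [ ! -f /etc/ssl/certs/mumble.dhparam ]; then
-      freedombone-addcert -h mumble
+      freedombone-addcert -h mumble --dhkey $DH_KEYLENGTH
       check_certificates mumble
   fi
 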

+ 7
- 0
src/freedombone-config ファイルの表示

@@ -94,6 +94,7 @@ ESSID='mesh'
94 94
 BATMAN_CELLID='02:BA:00:00:03:01'
95 95
 WIFI_CHANNEL=
96 96
 CONFIGURATION_FILE=
97
+DH_KEYLENGTH=
97 98
 
98 99
 function show_help {
99 100
   echo ''
@@ -244,6 +245,9 @@ function save_configuration_file {
244 245
   if [ $WIFI_CHANNEL ]; then
245 246
       echo "WIFI_CHANNEL=$WIFI_CHANNEL" >> $CONFIGURATION_FILE
246 247
   fi
248
+  if [ $DH_KEYLENGTH ]; then
249
+      echo "DH_KEYLENGTH=$DH_KEYLENGTH" >> $CONFIGURATION_FILE
250
+  fi
247 251
 }
248 252
 
249 253
 # test a domain name to see if it's valid
@@ -631,6 +635,9 @@ function interactive_configuration {
631 635
   esac
632 636
   if [[ $INSTALLING_ON_BBB == "yes" ]]; then
633 637
       USB_DRIVE=/dev/sda1
638
+	  # here a short diffie-hellman key length is used, because otherwise creation of keys
639
+	  # becomes impractically long on the beaglebone.
640
+	  DH_KEYLENGTH=1024
634 641
   fi
635 642
   save_configuration_file
636 643