Command for calculating DH params

Avoid duplication

src/freedombone-addcert

@@ -154,18 +154,18 @@ if [ $LETSENCRYPT_HOSTNAME ]; then
     cd $INSTALL_DIR
 
     # obtain the repo
-    if [ ! -d $INSTALL_DIR/letsencrypt ]; then
+    if [ ! -d ${INSTALL_DIR}/letsencrypt ]; then
         git clone https://github.com/letsencrypt/letsencrypt
-        if [ ! -d $INSTALL_DIR/letsencrypt ]; then
+        if [ ! -d ${INSTALL_DIR}/letsencrypt ]; then
             exit 76283
         fi
     else
-        cd $INSTALL_DIR/letsencrypt
+        cd ${INSTALL_DIR}/letsencrypt
         git stash
         git pull
     fi
 
-    cd $INSTALL_DIR/letsencrypt
+    cd ${INSTALL_DIR}/letsencrypt
     # TODO this requires user interaction - is there a non-interactive mode?
     ./letsencrypt-auto certonly --server $LETSENCRYPT_SERVER --standalone -d $LETSENCRYPT_HOSTNAME
     if [ ! "$?" = "0" ]; then
@@ -206,23 +206,19 @@ else
         CERTFILE="ca-$HOSTNAME"
     fi
 
-    openssl req -x509 $EXTENSIONS -nodes -days 3650 -sha256 \
+    openssl req -x509 ${EXTENSIONS} -nodes -days 3650 -sha256 \
         -subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" \
-        -newkey rsa:4096 -keyout /etc/ssl/private/$CERTFILE.key \
-        -out /etc/ssl/certs/$CERTFILE.crt
-    chmod 400 /etc/ssl/private/$CERTFILE.key
-    chmod 640 /etc/ssl/certs/$CERTFILE.crt
-    cp /etc/ssl/certs/$CERTFILE.crt /etc/ssl/mycerts
+        -newkey rsa:4096 -keyout /etc/ssl/private/${CERTFILE}.key \
+        -out /etc/ssl/certs/${CERTFILE}.crt
+    chmod 400 /etc/ssl/private/${CERTFILE}.key
+    chmod 640 /etc/ssl/certs/${CERTFILE}.crt
+    cp /etc/ssl/certs/${CERTFILE}.crt /etc/ssl/mycerts
 fi
 
 # generate DH params
 if [ ! $NODH ]; then
-    if [ ! -f /etc/ssl/certs/$CERTFILE.dhparam ]; then
-        openssl dhparam -check -text -dsaparam $DH_KEYLENGTH -out /etc/ssl/certs/$CERTFILE.dhparam
-        if [ ! "$?" = "0" ]; then
-            exit 72428
-        fi
-        chmod 640 /etc/ssl/certs/$CERTFILE.dhparam
+    if [ ! -f /etc/ssl/certs/${CERTFILE}.dhparam ]; then
+        ${PROJECT_NAME}-dhparam -h ${CERTFILE}
     fi
 fi
 

src/freedombone-dhparam

@@ -0,0 +1,117 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Creates or re-calculates Diffie-Hellman parameters
+
+# License
+# =======
+#
+# Copyright (C) 2015 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+PROJECT_NAME='freedombone'
+
+export TEXTDOMAIN=${PROJECT_NAME}-dhparam
+export TEXTDOMAINDIR="/usr/share/locale"
+
+HOSTNAME=
+KEYLENGTH=2048
+RECALCULATE="no"
+
+function show_help {
+    echo ''
+    echo $"${PROJECT_NAME}-dhparam -h [hostname] -l [length in bits] --recalc [yes|no]"
+    echo ''
+    exit 0
+}
+
+function calc_dh {
+    openssl dhparam -check -text -dsaparam $KEYLENGTH -out ${1}
+    if [ ! "$?" = "0" ]; then
+        exit 3674
+    fi
+    chmod 640 ${1}
+}
+
+function regenerate_dh_keys {
+    for file in /etc/ssl/mycerts/*
+    do
+        if [[ -f $file ]]; then
+            filename=/etc/ssl/certs/$(echo $file | awk -F '/etc/ssl/mycerts/' '{print $2}' | awk -F '.crt' '{print $1}').dhparam
+            if [ -f $filename ]; then
+                calc_dh $filename
+                echo $"Recalculated DH params for $filename"
+            fi
+        fi
+    done
+}
+
+while [[ $# > 1 ]]
+do
+key="$1"
+
+case $key in
+    --help)
+    show_help
+    ;;
+    -h|--hostname)
+    shift
+    HOSTNAME="$1"
+    ;;
+    -l|--dhkey)
+    shift
+    KEYLENGTH=${1}
+    ;;
+    --recalc)
+    shift
+    RECALCULATE=${1}
+    ;;
+    *)
+    # unknown option
+    ;;
+esac
+shift
+done
+
+if [[ $RECALCULATE == "yes" || $RECALCULATE == "y" ]]; then
+    regenerate_dh_keys
+    exit 0
+fi
+
+if [ ! $HOSTNAME ]; then
+    echo $'No hostname specified'
+    exit 5728
+fi
+
+if ! which openssl > /dev/null ;then
+    echo $"$0: openssl is not installed, exiting" 1>&2
+    exit 5689
+fi
+
+if [ ! -d /etc/ssl/mycerts ]; then
+    mkdir -p /etc/ssl/mycerts
+fi
+
+calc_dh /etc/ssl/certs/$HOSTNAME.dhparam
+
+systemctl reload nginx
+exit 0

src/freedombone-sec

@@ -225,10 +225,10 @@ function interactive_setup {
   if [ $SSL_CIPHERS ]; then
       data=$(tempfile 2>/dev/null)
       trap "rm -f $data" 0 1 2 5 15
-      dialog --backtitle "Freedombone Security Configuration" \
-          --form "\nWeb/IMAP Ciphers:" 10 95 2 \
-          "Protocols:" 1 1 "$SSL_PROTOCOLS" 1 15 90 90 \
-          "Ciphers:" 2 1 "$SSL_CIPHERS" 2 15 90 512 \
+      dialog --backtitle $"Freedombone Security Configuration" \
+          --form $"\nWeb/IMAP Ciphers:" 10 95 2 \
+          $"Protocols:" 1 1 "$SSL_PROTOCOLS" 1 15 90 90 \
+          $"Ciphers:" 2 1 "$SSL_CIPHERS" 2 15 90 512 \
           2> $data
       sel=$?
       case $sel in
@@ -242,12 +242,12 @@ function interactive_setup {
   data=$(tempfile 2>/dev/null)
   trap "rm -f $data" 0 1 2 5 15
   if [ $SSH_HOST_KEY_ALGORITHMS ]; then
-      dialog --backtitle "Freedombone Security Configuration" \
-        --form "\nSecure Shell Ciphers:" 13 95 4 \
-         "Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
-         "MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
-         "KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
-         "Host key algorithms:" 4 1 "$SSH_HOST_KEY_ALGORITHMS" 4 15 90 512 \
+      dialog --backtitle $"Freedombone Security Configuration" \
+        --form $"\nSecure Shell Ciphers:" 13 95 4 \
+         $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
+         $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
+         $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
+         $"Host key algorithms:" 4 1 "$SSH_HOST_KEY_ALGORITHMS" 4 15 90 512 \
          2> $data
       sel=$?
       case $sel in
@@ -259,11 +259,11 @@ function interactive_setup {
           255) exit 0;;
       esac
   else
-      dialog --backtitle "Freedombone Security Configuration" \
-        --form "\nSecure Shell Ciphers:" 11 95 3 \
-         "Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
-         "MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
-         "KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
+      dialog --backtitle $"Freedombone Security Configuration" \
+        --form $"\nSecure Shell Ciphers:" 11 95 3 \
+         $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
+         $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
+         $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
          2> $data
       sel=$?
       case $sel in
@@ -276,14 +276,14 @@ function interactive_setup {
   fi
 
   if [[ $SSH_PASSWORDS == "yes" ]]; then
-      dialog --title "SSH Passwords" \
-          --backtitle "Freedombone Security Configuration" \
-          --yesno "\nAllow SSH login using passwords?" 7 60
+      dialog --title $"SSH Passwords" \
+          --backtitle $"Freedombone Security Configuration" \
+          --yesno $"\nAllow SSH login using passwords?" 7 60
   else
-      dialog --title "SSH Passwords" \
-          --backtitle "Freedombone Security Configuration" \
+      dialog --title $"SSH Passwords" \
+          --backtitle $"Freedombone Security Configuration" \
           --defaultno \
-          --yesno "\nAllow SSH login using passwords?" 7 60
+          --yesno $"\nAllow SSH login using passwords?" 7 60
   fi
   sel=$?
   case $sel in
@@ -295,10 +295,10 @@ function interactive_setup {
   if [ $XMPP_CIPHERS ]; then
       data=$(tempfile 2>/dev/null)
       trap "rm -f $data" 0 1 2 5 15
-      dialog --backtitle "Freedombone Security Configuration" \
-          --form "\nXMPP Ciphers:" 10 95 2 \
-          "Ciphers:" 1 1 "$XMPP_CIPHERS" 1 15 90 512 \
-          "ECC Curve:" 2 1 "$XMPP_ECC_CURVE" 2 15 50 50 \
+      dialog --backtitle $"Freedombone Security Configuration" \
+          --form $"\nXMPP Ciphers:" 10 95 2 \
+          $"Ciphers:" 1 1 "$XMPP_CIPHERS" 1 15 90 512 \
+          $"ECC Curve:" 2 1 "$XMPP_ECC_CURVE" 2 15 50 50 \
           2> $data
       sel=$?
       case $sel in
@@ -309,10 +309,10 @@ function interactive_setup {
       esac
   fi
 
-  dialog --title "Final Confirmation" \
-      --backtitle "Freedombone Security Configuration" \
+  dialog --title $"Final Confirmation" \
+      --backtitle $"Freedombone Security Configuration" \
       --defaultno \
-      --yesno "\nPlease confirm that you wish your security settings to be changed?\n\nWARNING: any mistakes made in the security settings could compromise your system, so be extra careful when answering 'yes'." 12 60
+      --yesno $"\nPlease confirm that you wish your security settings to be changed?\n\nWARNING: any mistakes made in the security settings could compromise your system, so be extra careful when answering 'yes'." 12 60
   sel=$?
   case $sel in
       1) clear
@@ -365,21 +365,7 @@ function regenerate_dh_keys {
           3) DH_KEYLENGTH=4096;;
       esac
 
-      ctr=0
-      for file in /etc/ssl/mycerts/*
-      do
-          if [[ -f $file ]]; then
-              filename=/etc/ssl/certs/$(echo $file | awk -F '/etc/ssl/mycerts/' '{print $2}' | awk -F '.crt' '{print $1}').dhparam
-              if [ -f $filename ]; then
-                  openssl dhparam -check -text -dsaparam $DH_KEYLENGTH -out $filename
-				  if [ ! "$?" = "0" ]; then
-					  exit 3674
-				  fi
-                  ctr=$((ctr + 1))
-              fi
-          fi
-      done
-      echo $"$ctr dhparam certificates were regenerated"
+	  ${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}
   fi
 }
 
@@ -387,9 +373,9 @@ function renew_startssl {
   renew_domain=
   data=$(tempfile 2>/dev/null)
   trap "rm -f $data" 0 1 2 5 15
-  dialog --title "Renew a StartSSL certificate" \
-         --backtitle "Freedombone Security Settings" \
-         --inputbox "Enter the domain name" 8 60 2>$data
+  dialog --title $"Renew a StartSSL certificate" \
+         --backtitle $"Freedombone Security Settings" \
+         --inputbox $"Enter the domain name" 8 60 2>$data
   sel=$?
   case $sel in
       0)
@@ -402,24 +388,24 @@ function renew_startssl {
   fi
 
   if [[ $renew_domain == "http"* ]]; then
-      dialog --title "Renew a StartSSL certificate" \
-             --msgbox "Don't include the https://" 6 40
+      dialog --title $"Renew a StartSSL certificate" \
+             --msgbox $"Don't include the https://" 6 40
 	  return
   fi
 
   if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
-      dialog --title "Renew a StartSSL certificate" \
-             --msgbox "An existing certificate for $renew_domain was not found" 6 40
+      dialog --title $"Renew a StartSSL certificate" \
+             --msgbox $"An existing certificate for $renew_domain was not found" 6 40
 	  return
   fi
 
   if [[ $renew_domain != *"."* ]]; then
-      dialog --title "Renew a StartSSL certificate" \
-             --msgbox "Invalid domain name: $renew_domain" 6 40
+      dialog --title $"Renew a StartSSL certificate" \
+             --msgbox $"Invalid domain name: $renew_domain" 6 40
 	  return
   fi
 
-  freedombone-renew-cert -h $renew_domain -p startssl
+  ${PROJECT_NAME}-renew-cert -h $renew_domain -p startssl
 
   exit 0
 }
@@ -428,9 +414,9 @@ function renew_letsencrypt {
   renew_domain=
   data=$(tempfile 2>/dev/null)
   trap "rm -f $data" 0 1 2 5 15
-  dialog --title "Renew a Let's Encrypt certificate" \
-         --backtitle "Freedombone Security Settings" \
-         --inputbox "Enter the domain name" 8 60 2>$data
+  dialog --title $"Renew a Let's Encrypt certificate" \
+         --backtitle $"Freedombone Security Settings" \
+         --inputbox $"Enter the domain name" 8 60 2>$data
   sel=$?
   case $sel in
       0)
@@ -443,24 +429,24 @@ function renew_letsencrypt {
   fi
 
   if [[ $renew_domain == "http"* ]]; then
-      dialog --title "Renew a Let's Encrypt certificate" \
-             --msgbox "Don't include the https://" 6 40
+      dialog --title $"Renew a Let's Encrypt certificate" \
+             --msgbox $"Don't include the https://" 6 40
 	  return
   fi
 
   if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
-      dialog --title "Renew a Let's Encrypt certificate" \
-             --msgbox "An existing certificate for $renew_domain was not found" 6 40
+      dialog --title $"Renew a Let's Encrypt certificate" \
+             --msgbox $"An existing certificate for $renew_domain was not found" 6 40
 	  return
   fi
 
   if [[ $renew_domain != *"."* ]]; then
-      dialog --title "Renew a Let's Encrypt certificate" \
-             --msgbox "Invalid domain name: $renew_domain" 6 40
+      dialog --title $"Renew a Let's Encrypt certificate" \
+             --msgbox $"Invalid domain name: $renew_domain" 6 40
 	  return
   fi
 
-  freedombone-renew-cert -h $renew_domain -p 'letsencrypt'
+  ${PROJECT_NAME}-renew-cert -h $renew_domain -p 'letsencrypt'
 
   exit 0
 }