From 8615e569ebc935b67f8e0aa8cd9f3aebbee6564d Mon Sep 17 00:00:00 2001
From: Jean-Philippe Pialasse
Date: Mon, 17 Mar 2025 22:55:51 -0400
Subject: [PATCH] * Sun Mar 16 2025 Jean-Philippe Pialasse 11.0.0-31.sme - handle dh params with template [SME: 12826] TODO timer and event - foolproofing dummy.module
---
 createlinks | 16 +++++++--
 root/etc/e-smith/events/actions/dhgenerator | 27 ++++++++++++++
 .../e-smith/templates/etc/crontab/dhgenerate | 8 +++++
 .../etc/e-smith/templates/home/e-smith/dh.pem | 35 +++++++++++++++++++
 root/etc/sysconfig/modules/dummy.modules | 1 +
 .../systemd/system-preset/50-koozali.preset | 7 +---
 .../systemd/system/dhparam-generator.service | 24 +++++++++++++
 .../usr/share/perl5/vendor_perl/esmith/ssl.pm | 34 +++++++++++++++++-
 smeserver-base.spec | 7 +++-
 9 files changed, 149 insertions(+), 10 deletions(-)
 create mode 100755 root/etc/e-smith/events/actions/dhgenerator
 create mode 100644 root/etc/e-smith/templates/etc/crontab/dhgenerate
 create mode 100644 root/etc/e-smith/templates/home/e-smith/dh.pem
 create mode 100644 root/usr/lib/systemd/system/dhparam-generator.service
diff --git a/createlinks b/createlinks
index e28293c..b42e8dd 100755
--- a/createlinks
+++ b/createlinks
@@ -303,10 +303,11 @@ my $event = "smeserver-base-update";
 event_link("remove-templates-custom", $event, "02");
+event_link("systemd-journald", $event, "02");
+event_link("dhgenerator", $event, "03");
 templates2events("/etc/smartmontools/smartd.conf", $event);
 templates2events("/home/e-smith/ssl.pem/pem", $event);
 templates2events("/usr/lib/systemd/system/dhcpd.service.d/50koozali.conf", $event);
-event_link("systemd-journald", $event, "02");
 event_link("fix-startup", $event, "05");
 event_link("init-accounts", $event, "05");
 event_link("mail-spool-fix", $event, "05");
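Review bot: `event_link("dhgenerator", $event, "03")` hands the action the event name as its first argument, so under smeserver-base-update the dhgenerator hunk's `if ( $event eq "program" || $event eq "temp" )` is false and the script takes the 4096-bit branch, which can hold the whole update event for as long as `openssl dhparam 4096` runs. That contradicts the comment in that hunk saying updates only generate the 2048-bit file; if the comment is the intent, the test there should also accept this event, e.g. `if ( $event eq "program" || $event eq "temp" || $event eq "smeserver-base-update" ) {`, or the action should be left out of this event and the first-boot unit plus the dh.pem template fallback relied on instead. This assumes the action receives the event name as `$ARGV[0]`, which the `shift||"program"` default in dhgenerator also suggests.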
@@ -612,13 +613,24 @@ $event = "ldap-update";
 templates2events("/home/e-smith/ssl.pem/pem", $event);
 #--------------------------------------------------
-# actions for ldap-update event
+# actions for ssl-update event
 #--------------------------------------------------
 $event = "ssl-update";
 templates2events("/home/e-smith/ssl.pem/pem", $event);
+#--------------------------------------------------
+# actions for dhparam-update event
+#--------------------------------------------------
+
+$event = "dhparam-update";
+
+event_link("dhgenerator", $event, "03");
+templates2events("/etc/crontab", $event);
+# add templates to expand + service to try-restart in target packages
+# templates2events("/etc/dovecot/ssl/dhparam.pem", $event);
+# safe_symlink("try-restart", "root/etc/e-smith/events/$event/services2adjust/dovecot");
 #--------------------------------------------------
 # actions for email-update event:
diff --git a/root/etc/e-smith/events/actions/dhgenerator b/root/etc/e-smith/events/actions/dhgenerator
new file mode 100755
index 0000000..76b08c9
--- /dev/null
+++ b/root/etc/e-smith/events/actions/dhgenerator
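Review bot: The new dhparam-update event runs dhgenerator and re-expands /etc/crontab, but nothing in it delivers a freshly generated 4096-bit file to the services: the template expansions and try-restart links are left as comments, so until the target packages register their own links the services keep the 2048-bit parameters until the next boot, when the unit's ExecStartPost expands them. If that gap is accepted for now, a comment stating it would help the next reader, e.g. `# until target packages register their own links, a new dhparam is only picked up at next boot (dhparam-generator.service)`; otherwise the three expand-template paths from the unit could be registered with `templates2events` in this event as well, which I cannot confirm is safe on hosts where those packages are absent.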
@@ -0,0 +1,27 @@
+#!/usr/bin/perl
+use strict;
+use warnings;
+use esmith::ssl;
+
+my $event=shift||"program";
+my $folder="/home/e-smith/dh.pem";
+my $KeySize = 2048;
+# load config db
+
+mkdir($folder, 0700) unless(-d $folder );
+# if program (or during updates) we only generate the 2048 to start all programs after install without waiting too much
+if ( $event eq "program" || $event eq "temp" ) {
+ my $exit_code=dh_exists_good_size($KeySize,"$folder/$KeySize.pem") || system("/usr/bin/openssl","dhparam","-out","$folder/$KeySize.pem", $KeySize);
+ exit 0;
+}
+# if called as event, we generate a 4096 if 2096 exist, and then expand templates for services in need of this
+# then the event will restart the service to use stronger dh.pem
+else {
+ $KeySize = 4096 if (dh_exists_good_size($KeySize,"$folder/$KeySize.pem"));
+ print "Key size is $KeySize\n";
+ exit 0 if (dh_exists_good_size($KeySize,"$folder/$KeySize.pem"));
+ # here we should test if uptime > 2 hours and return if not enough uptime
+ system("/usr/bin/openssl","dhparam","-out","$folder/$KeySize.pem", $KeySize);
+ exit 0;
+}
+
diff --git a/root/etc/e-smith/templates/etc/crontab/dhgenerate b/root/etc/e-smith/templates/etc/crontab/dhgenerate
new file mode 100644
index 0000000..8efe575
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/crontab/dhgenerate
@@ -0,0 +1,8 @@
+{
+use esmith::ssl;
+my $folder="/home/e-smith/dh.pem";
+my $KeySize = 4096;
+$OUT = "#4096 dhparam exists";
+$OUT = '@reboot root sleep 2d && /sbin/e-smith/signal-event dhparam-update'."\n" unless (dh_exists_good_size($KeySize,"$folder/$KeySize.pem"));
+}
+
diff --git a/root/etc/e-smith/templates/home/e-smith/dh.pem b/root/etc/e-smith/templates/home/e-smith/dh.pem
new file mode 100644
index 0000000..20402ba
--- /dev/null
+++ b/root/etc/e-smith/templates/home/e-smith/dh.pem
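Review bot: `$exit_code` on the `my $exit_code=dh_exists_good_size(...) || system(...)` line is never read, and both branches end in an unconditional `exit 0`, so a failed or missing `openssl dhparam` is reported as success: the systemd oneshot unit then expands the service templates without a file, and the dh.pem template, which calls this script and then opens 2048.pem unconditionally, dies instead. Returning the openssl status from both branches makes the failure visible to the unit and to template expansion. The stray `# load config db` comment has no code under it, and `2096` in the else-branch comment looks like a typo for 2048.
```perl
# … unchanged: header, $event/$folder/$KeySize, mkdir …
if ( $event eq "program" || $event eq "temp" ) {
    # the exit status tells the systemd unit and the dh.pem template whether the file is usable
    exit 0 if dh_exists_good_size($KeySize, "$folder/$KeySize.pem");
    my $rc = system("/usr/bin/openssl", "dhparam", "-out", "$folder/$KeySize.pem", $KeySize);
    exit($rc == 0 ? 0 : 1);
}
else {
    # … unchanged: pick 4096 when 2048 exists, print, early exit when target size exists …
    my $rc = system("/usr/bin/openssl", "dhparam", "-out", "$folder/$KeySize.pem", $KeySize);
    exit($rc == 0 ? 0 : 1);
}
```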
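Review bot: The generated `@reboot root sleep 2d && /sbin/e-smith/signal-event dhparam-update` entry only fires after two days of continuous uptime, whereas the dhgenerator hunk's comment talks about testing for `uptime > 2 hours`; a server rebooted more often than every two days never reaches the 4096-bit step, and every reboot restarts the sleep from zero. If two hours is the intended threshold the entry should read `sleep 2h`; either way a comment in this fragment stating the chosen delay and why, e.g. `# generate the 4096-bit parameters only once the box has been up for a while`, would keep the two files in step.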
@@ -0,0 +1,35 @@
+{
+ use esmith::ssl;
+ # for the generation of originals in /home/e-smith/dh.pem/
+ # we check that 4096 exist, if not we default to 2048. If not we generate it
+ # for replication : we copy what we have
+
+ my $DHSize = $modSSL{DHSize} ||'4096';
+ my $key = "/home/e-smith/dh.pem";
+ for my $DHSize (qw(4096 2048))
+ {
+ # if key exists and good size, we use it
+ if ( dh_exists_good_size($DHSize,"$key/$DHSize.pem") )
+ {
+ # Old key file is still good. Read it out - processTemplate will work
+ # out that it hasn't changed, and leave the old one in place
+ open(K, "$key/$DHSize.pem") or die "Couldn't open key file: $!";
+ my @key = ;
+ chomp @key;
+ $OUT = join "\n", @key;
+ close(K);
+ return;
+ }
+ }
+ # if nothing have ever been generated we call the action script as program
+ # it will generate a 2048, which 'should' be faster than 4096
+ # later if uptime is sufficient 4096 will be generated.
+ my $program = "/etc/e-smith/events/actions/dhgenerator";
+ system($program);
+ open(K, "$key/2048.pem") or die "Couldn't open dh file: $!";
+ my @key = ;
+ chomp @key;
+ $OUT = join "\n", @key;
+ close(K);
+ return;
+}
diff --git a/root/etc/sysconfig/modules/dummy.modules b/root/etc/sysconfig/modules/dummy.modules
index ad1ac89..905a2dc 100644
--- a/root/etc/sysconfig/modules/dummy.modules
+++ b/root/etc/sysconfig/modules/dummy.modules
@@ -1,3 +1,4 @@
 #!/bin/sh
 /sbin/modprobe dummy
+$(ip link show dummy0 2>/dev/null 1>&2) || exec ip link add dummy0 type dummy
 exec ip link set dummy0 address 10:00:01:02:03:04
diff --git a/root/usr/lib/systemd/system-preset/50-koozali.preset b/root/usr/lib/systemd/system-preset/50-koozali.preset
index 2c1fcee..d83f133 100644
--- a/root/usr/lib/systemd/system-preset/50-koozali.preset
+++ b/root/usr/lib/systemd/system-preset/50-koozali.preset
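Review bot: `my $DHSize = $modSSL{DHSize} ||'4096';` is shadowed by `for my $DHSize (qw(4096 2048))` on the next statement and never read, so a configured DHSize has no effect in this template; either drop the line or iterate over the configured size first. The fallback path runs `system($program)` without checking its status and then `open(K, "$key/2048.pem") or die`, so a failed generation surfaces as a template-expansion die with no hint of the cause; `system($program) == 0 or die "dhgenerator failed: $?";` before the open would name it. Both `open(K, …)` calls use a bareword handle and the two-argument form, and as rendered here the readline operand is missing (`my @key = ;`), presumably `<K>` lost in rendering, which is worth confirming in the committed file; a lexical three-argument open (`open(my $fh, '<', "$key/$DHSize.pem") or die …`) with `<$fh>` avoids both issues.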
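Review bot: `exec ip link add dummy0 type dummy` replaces the shell, so on a boot where dummy0 does not exist yet the following `exec ip link set dummy0 address 10:00:01:02:03:04` never runs and the interface is created without the intended address. Dropping the first `exec` fixes that, and the `$(…)` form, which only works because an empty command inherits the substitution's exit status, can become a plain test: `ip link show dummy0 >/dev/null 2>&1 || ip link add dummy0 type dummy`.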
@@ -15,12 +15,6 @@ enable networking.service
 enable wan.service
 enable masq.service
 enable php-fpm.service
-enable php55-php-fpm.service
-enable php56-php-fpm.service
-enable php70-php-fpm.service
-enable php71-php-fpm.service
-enable php72-php-fpm.service
-enable php73-php-fpm.service
 enable php74-php-fpm.service
 enable php80-php-fpm.service
 enable httpd-e-smith.service
@@ -73,3 +67,4 @@ disable ntpdate.service
 disable ftp.service
 disable proftpd.service
+enable dhparam-generator.service
diff --git a/root/usr/lib/systemd/system/dhparam-generator.service b/root/usr/lib/systemd/system/dhparam-generator.service
new file mode 100644
index 0000000..13a080c
--- /dev/null
+++ b/root/usr/lib/systemd/system/dhparam-generator.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=Diffie Hellman parameter generator
+#TODO: add Requires= or Wants= to those:
+Before=ftp.service
+Before=dovecot.service
+Before=qpsmtpd.service sqpsmtpd.service uqpsmtpd.service
+Before=radiusd.service
+
+[Service]
+Type=oneshot
+ExecStart=/etc/e-smith/events/actions/dhgenerator
+# sqpsmtpd and uqpsmtpd use a symlink to /var/service/qpsmtpd/ssl
+ExecStartPost=-/sbin/e-smith/expand-template /var/service/qpsmtpd/ssl/dhparam.pem
+ExecStartPost=-/sbin/e-smith/expand-template /etc/dovecot/ssl/dhparam.pem
+ExecStartPost=-/sbin/e-smith/expand-template /etc/raddb/certs/dh
+
+PrivateTmp=true
+ProtectSystem=no
+ProtectHome=no
+PrivateDevices=false
+
+[Install]
+WantedBy=sme-server.target
+
diff --git a/root/usr/share/perl5/vendor_perl/esmith/ssl.pm b/root/usr/share/perl5/vendor_perl/esmith/ssl.pm
index 8b0f4d4..a578912 100644
--- a/root/usr/share/perl5/vendor_perl/esmith/ssl.pm
+++ b/root/usr/share/perl5/vendor_perl/esmith/ssl.pm
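Review bot: The six `-enable php55…php73-php-fpm.service` removals in the first hunk are not mentioned in the spec changelog entry, which lists only the dhparam work and the dummy.modules change; a line such as `- drop presets for php55-php73 php-fpm units` would keep the changelog complete. The `enable dhparam-generator.service` addition in the second hunk matches the new unit's `WantedBy=sme-server.target`.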
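Review bot: `ProtectSystem=no`, `ProtectHome=no` and `PrivateDevices=false` in [Service] are the systemd defaults, so the three lines only record that hardening was considered; a comment explaining why it cannot be enabled says more, e.g. `# ProtectHome/ProtectSystem stay off: dhgenerator writes /home/e-smith/dh.pem and ExecStartPost writes under /etc and /var`. Because dhgenerator exits 0 unconditionally (see its hunk), this oneshot never fails, so the `Before=` lines only order the listed services after the unit and do not guarantee the parameter file exists when they start; that is fine only if their templates tolerate a missing file. The `#TODO: add Requires= or Wants=` comment belongs with the consuming units, since a `Wants=dhparam-generator.service` on their side is what would turn the ordering into a dependency.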
@@ -6,7 +6,7 @@ use esmith::ConfigDB;
 our @ISA = qw(Exporter);
-our @EXPORT = qw( key_exists_good_size cert_exists_good_size cert_is_cert key_is_key related_key_cert SSLproto SSLprotoApache SSLprotoComa SSLprotoHyphen SSLprotoMin SSLprotoLDAP SSLprotoQpsmtpd $smeCiphers $smeSSLprotocol %existingSSLprotos);
+our @EXPORT = qw( key_exists_good_size cert_exists_good_size cert_is_cert key_is_key related_key_cert SSLproto SSLprotoApache SSLprotoComa SSLprotoHyphen SSLprotoMin SSLprotoLDAP SSLprotoQpsmtpd $smeCiphers $smeSSLprotocol %existingSSLprotos dh_exists_good_size);
 my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
 our $SystemName = $configdb->get('SystemName')->value;
@@ -162,6 +162,38 @@ sub related_key_cert {
 return 0;
 }
+=head2 dh_exists_good_size
+# check dh exist
+# check dh is indeed dh
+# check dh size
+# openssl rsa -noout -modulus -in domain.key | openssl md5
+# openssl x509 -noout -modulus -in domain.crt | openssl md5
+=cut
+
+sub dh_exists_good_size {
+ my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
+ my %modSSL = $configdb->as_hash('modSSL');
+ my $KeySize = shift || $modSSL{DHSize} ||'4096';
+ my $dh = shift || "/home/e-smith/dh.pem/$KeySize.pem";
+ if ( -f $dh )
+ {
+ my $signatureKeySize = `openssl dhparam -text -noout -in $dh 2>/dev/null | grep "DH Parameters:" | head -1`;
+ chomp $signatureKeySize;
+ $signatureKeySize =~ s/^.*DH Parameters: \((.*) bit\)/$1/p;
+ if ( $signatureKeySize == $KeySize ) {
+ #print "$signatureKeySize\n";
+ # cert is correct size and exists, we can proceed.
+ # next check key and cert are related
+ # next check cert is still valid
+ # next check alt name are still the same
+ return 1;
+ }
+ }
+ return 0;
+}
+
+
+
 ##TODO write sub and migrate those actions from template fragments
 # check cert is related to key
 # => /etc/e-smith/templates/home/e-smith/ssl.crt
diff --git a/smeserver-base.spec b/smeserver-base.spec
index 0af4a79..668541b 100644
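Review bot: The backtick pipeline in dh_exists_good_size interpolates `$dh` into a shell command line, and `$dh` is the caller-supplied second argument of an exported helper, so any caller passing an unvetted path gets shell metacharacter interpretation; a list-form `open '-|'` passes the path as a plain argument and also drops the grep and head processes (openssl's stderr is then no longer discarded, which is the one behavioural difference). When openssl rejects the file, `$signatureKeySize` ends up empty and `'' == $KeySize` warns under `use warnings`, so the parsed size should be checked for definedness before the numeric compare. The `=head2` block's `openssl rsa`/`openssl x509 -modulus` lines belong to the key/cert helpers rather than to DH parameters, and the inner `my $configdb` shadows the file-level handle opened in the first hunk. The rewrite below keeps the signature and the default-argument lines unchanged.
```perl
sub dh_exists_good_size {
    # … unchanged: $configdb / %modSSL / $KeySize / $dh defaults …
    return 0 unless -f $dh;
    # list-form open: $dh is an argument, never shell text, so a path with
    # metacharacters cannot alter the command
    open(my $ossl, '-|', 'openssl', 'dhparam', '-text', '-noout', '-in', $dh)
        or return 0;
    my $signatureKeySize;
    while (my $line = <$ossl>) {
        next unless $line =~ /DH Parameters: \((\d+) bit\)/;
        $signatureKeySize = $1;
        last;
    }
    close($ossl);
    # no "DH Parameters:" line means openssl did not accept the file as DH parameters
    return 0 unless defined $signatureKeySize;
    return $signatureKeySize == $KeySize ? 1 : 0;
}
```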
--- a/smeserver-base.spec
+++ b/smeserver-base.spec
@@ -4,7 +4,7 @@ Summary: smeserver server and gateway - base module
 %define name smeserver-base
 Name: %{name}
 %define version 11.0.0
-%define release 30
+%define release 31
 Version: %{version}
 Release: %{release}%{?dist}
 License: GPL
@@ -182,6 +182,11 @@ fi
 %changelog
+* Sun Mar 16 2025 Jean-Philippe Pialasse 11.0.0-31.sme
+- handle dh params with template [SME: 12826]
+ TODO timer and event
+- foolproofing dummy.module
+
 * Thu Mar 06 2025 Jean-Philippe Pialasse 11.0.0-30.sme
 - systemd unit for ippp [SME: 12876]
 - systemd unit for wan [SME: 12875]