* Sun Mar 16 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-31.sme

- handle dh params with template [SME: 12826]
 TODO timer and event
- foolproofing dummy.module
This commit is contained in:
2025-03-17 22:55:51 -04:00
parent ccd94a71e2
commit 8615e569eb
9 changed files with 149 additions and 10 deletions

View File

@@ -0,0 +1,27 @@
#!/usr/bin/perl
use strict;
use warnings;
use esmith::ssl;
my $event=shift||"program";
my $folder="/home/e-smith/dh.pem";
my $KeySize = 2048;
# load config db
mkdir($folder, 0700) unless(-d $folder );
# if program (or during updates) we only generate the 2048 to start all programs after install without waiting too much
if ( $event eq "program" || $event eq "temp" ) {
my $exit_code=dh_exists_good_size($KeySize,"$folder/$KeySize.pem") || system("/usr/bin/openssl","dhparam","-out","$folder/$KeySize.pem", $KeySize);
exit 0;
}
# if called as event, we generate a 4096 if 2096 exist, and then expand templates for services in need of this
# then the event will restart the service to use stronger dh.pem
else {
$KeySize = 4096 if (dh_exists_good_size($KeySize,"$folder/$KeySize.pem"));
print "Key size is $KeySize\n";
exit 0 if (dh_exists_good_size($KeySize,"$folder/$KeySize.pem"));
# here we should test if uptime > 2 hours and return if not enough uptime
system("/usr/bin/openssl","dhparam","-out","$folder/$KeySize.pem", $KeySize);
exit 0;
}

View File

@@ -0,0 +1,8 @@
{
use esmith::ssl;
my $folder="/home/e-smith/dh.pem";
my $KeySize = 4096;
$OUT = "#4096 dhparam exists";
$OUT = '@reboot root sleep 2d && /sbin/e-smith/signal-event dhparam-update'."\n" unless (dh_exists_good_size($KeySize,"$folder/$KeySize.pem"));
}

View File

@@ -0,0 +1,35 @@
{
use esmith::ssl;
# for the generation of originals in /home/e-smith/dh.pem/
# we check that 4096 exist, if not we default to 2048. If not we generate it
# for replication : we copy what we have
my $DHSize = $modSSL{DHSize} ||'4096';
my $key = "/home/e-smith/dh.pem";
for my $DHSize (qw(4096 2048))
{
# if key exists and good size, we use it
if ( dh_exists_good_size($DHSize,"$key/$DHSize.pem") )
{
# Old key file is still good. Read it out - processTemplate will work
# out that it hasn't changed, and leave the old one in place
open(K, "$key/$DHSize.pem") or die "Couldn't open key file: $!";
my @key = <K>;
chomp @key;
$OUT = join "\n", @key;
close(K);
return;
}
}
# if nothing have ever been generated we call the action script as program
# it will generate a 2048, which 'should' be faster than 4096
# later if uptime is sufficient 4096 will be generated.
my $program = "/etc/e-smith/events/actions/dhgenerator";
system($program);
open(K, "$key/2048.pem") or die "Couldn't open dh file: $!";
my @key = <K>;
chomp @key;
$OUT = join "\n", @key;
close(K);
return;
}