diff options
Diffstat (limited to 'roles/common/files/usr')
-rwxr-xr-x | roles/common/files/usr/local/bin/genkeypair.sh | 10 | ||||
-rwxr-xr-x | roles/common/files/usr/local/sbin/update-firewall | 6 |
2 files changed, 9 insertions, 7 deletions
diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh index ad65aef..72102f4 100755 --- a/roles/common/files/usr/local/bin/genkeypair.sh +++ b/roles/common/files/usr/local/bin/genkeypair.sh @@ -119,14 +119,16 @@ done case "$type" in # XXX: genrsa and dsaparam have been deprecated in favor of genpkey. # genpkey can also create explicit EC parameters, but not named. - rsa) genkey=genrsa; genkeyargs="-f4 ${bits:-2048}";; - dsa) genkey=dsaparam; genkeyargs="-noout -genkey ${bits:-1024}";; + rsa) genkey=genrsa; genkeyargs="-rand /dev/urandom -f4 ${bits:-2048}";; + dsa) genkey=dsaparam; genkeyargs="-rand /dev/urandom -noout -genkey ${bits:-1024}";; # See 'openssl ecparam -list_curves' for the list of supported # curves. StrongSwan doesn't support explicit curve parameters # (however explicit parameters might be required to make exotic # curves work with some clients.) ecdsa) genkey=ecparam - genkeyargs="-noout -name ${bits:-secp224r1} -param_enc named_curve -genkey";; + genkeyargs="-rand /dev/urandom -noout -name ${bits:-secp224r1} -param_enc named_curve -genkey";; + x25519|x448|ed25519|ed448) genkey=genpkey + genkeyargs="-algorithm $type";; *) echo "Unrecognized key type: $type" >&2; exit 2 esac @@ -173,7 +175,7 @@ if [ -s "$privkey" -a $force -eq 0 ]; then exit 1 elif [ ! -s "$privkey" -o $force -ge 2 ]; then install --mode="${mode:-0600}" ${owner:+--owner="$owner"} ${group:+--group="$group"} /dev/null "$privkey" || exit 2 - openssl $genkey -rand /dev/urandom $genkeyargs >"$privkey" || exit 2 + openssl $genkey $genkeyargs >"$privkey" || exit 2 [ "$cmd" = dkim ] && exit fi diff --git a/roles/common/files/usr/local/sbin/update-firewall b/roles/common/files/usr/local/sbin/update-firewall index 4b3e5cf..e11e8a9 100755 --- a/roles/common/files/usr/local/sbin/update-firewall +++ b/roles/common/files/usr/local/sbin/update-firewall @@ -36,14 +36,14 @@ for idx in "${!INTERFACES[@]}"; do done # clear sets in the old rules before diff'ing with the new ones -nft list ruleset -sn >"$oldrules" +nft -sn list ruleset >"$oldrules" ip netns exec "$netns" nft -f - <"$oldrules" ip netns exec "$netns" nft flush set inet filter fail2ban || true ip netns exec "$netns" nft flush set inet filter fail2ban6 || true -ip netns exec "$netns" nft list ruleset -sn >"$oldrules" +ip netns exec "$netns" nft -sn list ruleset >"$oldrules" ip netns exec "$netns" nft -f - <"$script" -ip netns exec "$netns" nft list ruleset -sn >"$newrules" +ip netns exec "$netns" nft -sn list ruleset >"$newrules" ip netns del "$netns" netns= |