From 64e8603cf9790aa4419d0f2746671bd242e6344d Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Tue, 26 May 2015 00:55:19 +0200
Subject: logjam mitigation.

---
 roles/common/files/usr/local/bin/gendhparam.sh | 13 +++++++++++++
 roles/common/files/usr/local/bin/genkeypair.sh | 4 ++--
 roles/common/tasks/main.yml | 12 +++++++++---
 3 files changed, 24 insertions(+), 5 deletions(-)
 create mode 100755 roles/common/files/usr/local/bin/gendhparam.sh
(limited to 'roles/common')

diff --git a/roles/common/files/usr/local/bin/gendhparam.sh b/roles/common/files/usr/local/bin/gendhparam.sh
new file mode 100755
index 0000000..074986b
--- /dev/null
+++ b/roles/common/files/usr/local/bin/gendhparam.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+set -ue
+PATH=/usr/bin:/bin
+
+privkey="$1"
+bits="${2:-2048}"
+rand=
+
+mv -f "$(mktemp)" "$privkey"
+chmod og-rwx "$privkey"
+
+openssl dhparam -rand "${rand:-/dev/urandom}" "$bits" >"$privkey"
diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh
index d6539e2..982c1d9 100755
--- a/roles/common/files/usr/local/bin/genkeypair.sh
+++ b/roles/common/files/usr/local/bin/genkeypair.sh
@@ -37,6 +37,7 @@ cn=
 usage=
 chmod=
 chown=
+rand=
 
 usage() {
 	cat >&2 <<- EOF
@@ -123,7 +124,6 @@ while [ $# -gt 0 ]; do
 	shift;
 done
 
-rand=/dev/urandom
 case "$type" in
 	# XXX: genrsa and dsaparam have been deprecated in favor of genpkey.
 	# genpkey can also create explicit EC parameters, but not named.
@@ -184,7 +184,7 @@ elif [ ! -s "$privkey" -o $force -ge 2 ]; then
 	mv -f "$(mktemp)" "$privkey" || exit 2
 	chmod "${chmod:-og-rwx}" "$privkey" || exit 2
 	[ -z "$chown" ] || chown "$chown" "$privkey" || exit 2
-	openssl $genkey -rand /dev/urandom $genkeyargs >"$privkey" || exit 2
+	openssl $genkey -rand "${rand:-/dev/urandom}" $genkeyargs >"$privkey" || exit 2
 	[ "$cmd" = dkim ] && { dkiminfo; exit; }
 fi
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 3b3c0a5..4e85d0a 100644
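Review bot: The redirection `>"$privkey"` on the last line of gendhparam.sh truncates the target before `openssl dhparam` starts, so a failed or interrupted generation leaves an empty file behind and `set -e` only reports the failure; a caller that merely checks for the file's existence (the `creates=` guard added to main.yml in this commit does) will then never retry. Guard the last line so failure does not leave a truncated file: `openssl dhparam -rand "${rand:-/dev/urandom}" "$bits" >"$privkey" || { rm -f -- "$privkey"; exit 1; }`. `rand=` on line 8 is never assigned afterwards, so `-rand` always resolves to `/dev/urandom`; either take it as a third argument or drop the indirection. A missing first argument currently dies through `set -u` with a bare unbound-variable message; `: "${1:?usage: gendhparam.sh privkey [bits]}"` before the assignment gives a usable error.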
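Review bot: `rand` is now read only through the `${rand:-/dev/urandom}` fallback on the changed openssl line, yet none of the three genkeypair.sh hunks assigns it: the hunk at line 40 initialises it empty and the hunk at line 127 removes the old unconditional assignment, so unless the option-parsing loop (which ends just before line 124, outside this view) sets it, the change is behaviour-neutral and its intent is invisible to a reader. A comment at the declaration would make that explicit, e.g. `rand=  # alternative entropy file for 'openssl -rand'; empty means /dev/urandom`. The unquoted `$genkey` and `$genkeyargs` on the same line appear to rely on word-splitting by design; a `# shellcheck disable=SC2086` on that line would record that. The enclosing `if`/`elif` chain starts before this hunk.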
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -15,12 +15,18 @@
 - include: smart.yml tags=smartmontools,smart
   when: "not ((ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen') or ansible_system_vendor == 'QEMU')"
 - include: haveged.yml tags=haveged,entropy
-- name: Copy genkeypair.sh
-  copy: src=usr/local/bin/genkeypair.sh
-        dest=/usr/local/bin/genkeypair.sh
+- name: Copy genkeypair.sh and gendhparam.sh
+  copy: src=usr/local/bin/{{ item }}
+        dest=/usr/local/bin/{{ item }}
         owner=root group=root
         mode=0755
   tags: genkey
+  with_items:
+    - genkeypair.sh
+    - gendhparam.sh
+- name: Generate DH parameters
+  command: gendhparam.sh /etc/ssl/private/dhparams.pem creates=/etc/ssl/private/dhparams.pem
+  tags: genkey
 - include: logging.yml tags=logging
 - include: ntp.yml tags=ntp
 - include: mail.yml tags=mail,postfix
-- 
cgit v1.2.3
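Review bot: The new `Generate DH parameters` task invokes `gendhparam.sh` by bare name, so it depends on `/usr/local/bin` being in the PATH the `command` module runs with; the task just above installs the script at a known path, so call it that way: `command: /usr/local/bin/gendhparam.sh /etc/ssl/private/dhparams.pem creates=/etc/ssl/private/dhparams.pem`. `creates=` only checks existence, and the script as added in this commit truncates the output file before `openssl dhparam` runs, so a failed or interrupted first run leaves an empty `dhparams.pem` that later runs will never regenerate. Until the script cleans up after itself, a comment on the task such as `# an empty dhparams.pem from a failed run must be removed by hand before re-running` makes the failure mode visible to the operator.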