From d840e9acade9dd7295b87a9f655f674c08a03ccb Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Fri, 1 Jun 2018 16:58:34 +0200
Subject: [PATCH] system: samplify dh-parameter files #2431

---
 Makefile | 2 +-
 plist | 6 +-
 ...ameters.1024 => dh-parameters.1024.sample} | 0
 ...ameters.2048 => dh-parameters.2048.sample} | 0
 ...ameters.4096 => dh-parameters.4096.sample} | 0
 src/etc/inc/plugins.inc.d/openvpn.inc | 2 +-
 src/etc/inc/plugins.inc.d/webgui.inc | 2 +-
 src/etc/inc/util.inc | 64 +++++++++++--------
 8 files changed, 44 insertions(+), 32 deletions(-)
 rename src/etc/{dh-parameters.1024 => dh-parameters.1024.sample} (100%)
 rename src/etc/{dh-parameters.2048 => dh-parameters.2048.sample} (100%)
 rename src/etc/{dh-parameters.4096 => dh-parameters.4096.sample} (100%)

diff --git a/Makefile b/Makefile
index d6fc62b6e..82e51f066 100644
--- a/Makefile
+++ b/Makefile
@@ -338,7 +338,7 @@ license: want-p5-File-Slurp
 dhparam:
 .for BITS in 1024 2048 4096
 ${OPENSSL} dhparam -out \
- ${.CURDIR}/src/etc/dh-parameters.${BITS} ${BITS}
+ ${.CURDIR}/src/etc/dh-parameters.${BITS}.sample ${BITS}
 .endfor

 test: want-phpunit6-php${CORE_PHP}
diff --git a/plist b/plist
index a38e5210d..f73a580d7 100644
--- a/plist
+++ b/plist
@@ -2,9 +2,6 @@
 /boot/logo-hourglass.4th
 /usr/local/etc/devd/carp.conf
 /usr/local/etc/devd/ifnet.conf
-/usr/local/etc/dh-parameters.1024
-/usr/local/etc/dh-parameters.2048
-/usr/local/etc/dh-parameters.4096
 /usr/local/etc/inc/IPv6.inc
 /usr/local/etc/inc/PEAR.inc
 /usr/local/etc/inc/XMLRPC_Client.inc
@@ -1203,6 +1200,9 @@
 @sample /usr/local/etc/bogons.sample
 @sample /usr/local/etc/bogonsv6.sample
 @sample /usr/local/etc/config.xml.sample
+@sample /usr/local/etc/dh-parameters.1024.sample
+@sample /usr/local/etc/dh-parameters.2048.sample
+@sample /usr/local/etc/dh-parameters.4096.sample
 @sample /usr/local/opnsense/service/templates/OPNsense/IDS/custom.yaml.sample
 @shadow /usr/local/etc/pkg/repos/FreeBSD.conf.sample
 @shadow /usr/local/etc/pkg/repos/origin.conf.sample
diff --git a/src/etc/dh-parameters.1024 b/src/etc/dh-parameters.1024.sample
similarity index 100%
rename from src/etc/dh-parameters.1024
rename to src/etc/dh-parameters.1024.sample
diff --git a/src/etc/dh-parameters.2048 b/src/etc/dh-parameters.2048.sample
similarity index 100%
rename from src/etc/dh-parameters.2048
rename to src/etc/dh-parameters.2048.sample
diff --git a/src/etc/dh-parameters.4096 b/src/etc/dh-parameters.4096.sample
similarity index 100%
rename from src/etc/dh-parameters.4096
rename to src/etc/dh-parameters.4096.sample
diff --git a/src/etc/inc/plugins.inc.d/openvpn.inc b/src/etc/inc/plugins.inc.d/openvpn.inc
index 707bb03ab..7bac21501 100644
--- a/src/etc/inc/plugins.inc.d/openvpn.inc
+++ b/src/etc/inc/plugins.inc.d/openvpn.inc
@@ -893,7 +893,7 @@ function openvpn_reconfigure($mode, $settings, $device_only = false)
 openvpn_add_keyfile($cert['prv'], $conf, $mode_id, "key");
 }
 if ($mode == 'server') {
- $conf .= "dh /usr/local/etc/dh-parameters.{$settings['dh_length']}\n";
+ $conf .= "dh " . get_dh_parameters($settings['dh_length']) . "\n";
 }
 if (!empty($settings['crlref'])) {
 $crl = lookup_crl($settings['crlref']);
diff --git a/src/etc/inc/plugins.inc.d/webgui.inc b/src/etc/inc/plugins.inc.d/webgui.inc
index 65d312866..ddebdf206 100644
--- a/src/etc/inc/plugins.inc.d/webgui.inc
+++ b/src/etc/inc/plugins.inc.d/webgui.inc
@@ -376,7 +376,7 @@ EOD;
 $lighty_config .= "\n## ssl configuration\n";
 $lighty_config .= "ssl.engine = \"enable\"\n";
 $lighty_config .= "ssl.disable-client-renegotiation = \"enable\"\n";
- $lighty_config .= "ssl.dh-file = \"/usr/local/etc/dh-parameters.4096\"\n";
+ $lighty_config .= "ssl.dh-file = \"" . get_dh_parameters(4096) . "\"\n";
 $lighty_config .= "ssl.ec-curve = \"secp384r1\"\n";
 $lighty_config .= "ssl.pemfile = \"/var/etc/{$cert_location}\"\n";
 if (!empty($ca)) {
diff --git a/src/etc/inc/util.inc b/src/etc/inc/util.inc
index 40566c17f..63f775325 100644
--- a/src/etc/inc/util.inc
+++ b/src/etc/inc/util.inc
@@ -1,32 +1,32 @@
- Copyright (C) 2004-2007 Scott Ullrich
- Copyright (C) 2003-2004 Manuel Kasper .
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
+ * Copyright (C) 2015-2018 Franco Fichtner
+ * Copyright (C) 2004-2007 Scott Ullrich
+ * Copyright (C) 2003-2004 Manuel Kasper .
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */

 require_once("IPv6.inc");
@@ -76,6 +76,18 @@ function is_process_running($process)
 return (intval($retval) == 0);
 }

+function get_dh_parameters($bits)
+{
+ /*
+ * XXX Use the sample file for now. Later we want to
+ * try to see if the non-sample file is newer, in these
+ * cases we can use it. If not, fall back to the sample
+ * file which should give a flexible and fixable apporach
+ * that does not leave users open to stale files.
+ */
+ return "/usr/local/etc/dh-parameters.$bits.sample";
+}
+
 function is_subsystem_dirty($subsystem = '')
 {
 return file_exists("/tmp/{$subsystem}.dirty");
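Review bot: get_dh_parameters() interpolates `$bits` straight into the returned path without checking it against the sizes this commit actually ships (1024, 2048 and 4096 per the plist and Makefile hunks) or that the file exists, so an unexpected `dh_length` coming from the stored OpenVPN server config (openvpn.inc hunk) produces a `dh` directive for a file that is not there and the instance only fails at start-up. Validating in the helper covers the lighttpd caller in webgui.inc as well; the rewrite below logs the substitution instead of failing silently and falls back to the strongest shipped file. The XXX comment has a typo, `apporach` → `approach`, and it is worth stating there that a user-modified /usr/local/etc/dh-parameters.NNNN is currently ignored in favour of the .sample file, since that is a behaviour change for anyone who replaced the shipped parameters with their own. The helper is complete within the hunk.
```php
function get_dh_parameters($bits)
{
    $bits = intval($bits);
    if (!in_array($bits, array(1024, 2048, 4096), true)) {
        log_error("unsupported DH parameter size '{$bits}', using 4096 instead");
        $bits = 4096;
    }
    /* … unchanged: XXX comment on sample vs. non-sample file … */
    return "/usr/local/etc/dh-parameters.{$bits}.sample";
}
```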