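#!/bin/bash
# Author by JKO Email: jonathan@kosar.email
#
# This script tool enables DHEC for SSL on Nginx: it generates a Diffie-Hellman
# parameter file and points nginx-ssl.conf at it (ssl_dhparam).
# Note: despite the "DHEC" naming used throughout, `openssl dhparam` produces
# finite-field DH parameters, not elliptic-curve parameters.
#
# Default mode: a 2048-bit parameter file is generated and added to
# nginx-ssl.conf. No suite or protocols are changed.
# Hardened mode (-h): a 4096-bit parameter file is generated and ssl_ciphers /
# ssl_protocols are replaced by the hardened values below. Only clients that
# support those suites and TLSv1.2 will be able to connect, please remember that.
# Based on: http://www.roushtech.net/2014/04/01/100-qualys-ssl-test-a/
# See usage command for more.
# Sidenote: -h -b 2048 (in either order) will produce hardened settings with a
# 2048 bit key: an explicit -b always wins over the mode default.

set -eo pipefail

source /etc/mailinabox.conf   # load global vars (STORAGE_ROOT is read below)
source setup/functions.sh     # apt_install; relative path, presumably run from the repo root
: "${STORAGE_ROOT:?STORAGE_ROOT must be set by /etc/mailinabox.conf}"

apt_install openssl

nginx_ssl_conf=/etc/nginx/nginx-ssl.conf
readonly DEFAULT_BIT_SIZE=2048   # parameter sizes below 2048 bits are widely considered weak
BIT_SIZE=""                      # set by -b; otherwise derived from the mode after parsing
isHardened="false"
# NOTE(review): "SH+AES256" is not an OpenSSL cipher-string keyword (the
# referenced article uses "DH+AES256") and appears to be ignored by OpenSSL —
# confirm the intended value. The 2014-era list also keeps static-RSA key
# exchange (no forward secrecy) and the trailing "!kEDH" appears to drop the
# ephemeral-DH suites that the ssl_dhparam file exists for — review against
# current guidance before relying on hardened mode.
readonly hardened_ciphers="'ECDH+AESGCM256:DH+AESGCM256:ECDH+AES256:SH+AES256:RSA+AESGCM256:RSA+AES256:!aNULL:!MD5:!kEDH';"
readonly hardened_protocol="TLSv1.2;"
DHEC_path=$STORAGE_ROOT/ssl/dhparam.pem

# Functions

#######################################
# Escape text for the replacement part of the sed s||| used in update_config:
# backslash, '&' (the whole match) and the '|' delimiter are special there.
# Arguments: $1 - raw text
# Outputs:   escaped text on stdout
#######################################
sed_escape() {
  printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

#######################################
# Set a directive in an nginx config file.
# The last line mentioning the directive is commented out and the new
# directive, preceded by a comment line, is inserted right after it. If the
# directive is not present at all, both lines are appended to the file
# (previously the file's unrelated last line was commented out in that case).
# Arguments: $1 - config file
#            $2 - directive name
#            $3 - directive value, including the trailing ';'
#            $4 - comment line written above the new directive
# Returns:   non-zero if sed or the append fails
#######################################
update_config() {
  local file=$1 key=$2 val=$3 hdr=$4
  local lineNUM
  # grep exits 1 when nothing matches; under pipefail treat that as "append".
  lineNUM=$(grep -nF -- "$key" "$file" | tail -n1 | cut -d: -f1) || lineNUM=""
  if [[ -n "$lineNUM" ]]; then
    sed -i -r "${lineNUM} s|#?(.*)|#\1\n$(sed_escape "$hdr")\n$(sed_escape "$key") $(sed_escape "$val")|" "$file"
  else
    printf '%s\n%s %s\n' "$hdr" "$key" "$val" >> "$file"
  fi
}

# Print a status message in green.
ok() { printf '\e[32m%s\e[m\n' "$1"; }

# Usage info
usage() {
cat << EOF
Usage: ${0##*/} [-h] [-b BIT_SIZE] [-p DIR_DHEC_KEY] [-c DIR_NGINX_SSL]
This script generates and enables DHEC for Nginx. Defaulted to 2048 key.
Hardened mode will generate 4096 key and the following cipher suites:
'ECDH+AESGCM256:DH+AESGCM256:ECDH+AES256:SH+AES256:RSA+AESGCM256:RSA+AES256:!aNULL:!MD5:!kEDH'
  -h Enable hardened ciphers and 4096 bit key.
  -b Specify the bit size to generate which will override any other default.
  -p Specify dir to generate the DHEC key.
  -c Specify dir nginx ssl conf is.
EOF
exit 1
}

while getopts "hb:c:p:" opt; do
  case "${opt}" in
    b)
      [[ -n "${OPTARG}" ]] || usage
      BIT_SIZE=${OPTARG}
      ;;
    h)
      # The 4096-bit default for hardened mode is applied after parsing so
      # that an explicit -b wins regardless of option order.
      isHardened="true"
      ;;
    p)
      [[ -n "${OPTARG}" ]] || usage
      DHEC_path=${OPTARG}
      ;;
    c)
      [[ -n "${OPTARG}" ]] || usage
      nginx_ssl_conf=${OPTARG}
      ;;
    *)
      usage
      ;;
  esac
done
shift $((OPTIND - 1))

if [[ -z "${BIT_SIZE}" ]]; then
  if [[ "${isHardened}" == "true" ]]; then
    BIT_SIZE=4096
  else
    BIT_SIZE=$DEFAULT_BIT_SIZE
  fi
fi
# openssl dhparam takes the size as a bare number; reject anything else before
# spending minutes on parameter generation.
[[ "${BIT_SIZE}" =~ ^[0-9]+$ ]] || { printf 'Invalid bit size: %s\n' "${BIT_SIZE}" >&2; usage; }

ok "❯❯❯ It might take a while, grab a coffee!"

if [[ ! -f "$DHEC_path" ]]; then
  # Generate the DH parameter file (2048 bits by default, 4096 in hardened
  # mode), equivalent to:
  #   openssl dhparam -outform pem -out dhparam.pem 2048
  #   openssl dhparam -outform pem -out dhparam.pem 4096
  # An existing file is kept as-is, even if its size differs from BIT_SIZE.
  openssl dhparam -outform pem -out "$DHEC_path" "$BIT_SIZE"
fi

update_config "$nginx_ssl_conf" ssl_dhparam "$DHEC_path;" "#Path to DHEC key"
if [[ "$isHardened" == "true" ]]; then
  update_config "$nginx_ssl_conf" ssl_ciphers "$hardened_ciphers" "#Hardened SSL Ciphers DHEC"
  update_config "$nginx_ssl_conf" ssl_protocols "$hardened_protocol" "#Hardened SSL Protocol"
fi

# set -e aborts here if the reload fails, so a rejected config is not left silent.
service nginx reload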