nik/easyrsa
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'remove-has_config' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-remove-has_config

Browse Source 
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This commit is contained in:
Richard T Bonhomme 2023-07-19 22:52:27 +01:00
commit 135d3da0a8
No known key found for this signature in database
GPG Key ID: 2D767DB92FB6C246
1 changed files with 67 additions and 91 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

158
easyrsa3/easyrsa
View File

@ -72,9 +72,14 @@ A list of commands is shown below:
# CA Status # CA Status
if verify_ca_init test; then if verify_ca_init test; then
CA_cert="$EASYRSA_PKI/ca.crt" CA_cert="$EASYRSA_PKI/ca.crt"
CA_status=" CA status: OK CA_status=" CA status: OK"
CA subject: \ CA_subject="$(
$("$EASYRSA_OPENSSL" x509 -in "$CA_cert" -noout -subject)" OPENSSL_CONF=/dev/null \
"$EASYRSA_OPENSSL" x509 -in "$CA_cert" \
-noout -subject -nameopt multiline
)"
CA_subject=" CA subject: ${CA_subject#subject=}"
CA_status="${CA_status}${NL}${CA_subject}"
else else
CA_status=" CA status: CA has not been built." CA_status=" CA status: CA has not been built."
fi fi
@ -661,7 +666,8 @@ easyrsa_random() {
(*[!1234567890]*|0*|"") : ;; # invalid input (*[!1234567890]*|0*|"") : ;; # invalid input
(*) (*)
# Only return on success # Only return on success
if "$EASYRSA_OPENSSL" rand -hex "$1" 2>/dev/null if OPENSSL_CONF=/dev/null \
"$EASYRSA_OPENSSL" rand -hex "$1"
then then
return return
fi fi
@ -918,20 +924,10 @@ escape_hazard() {
then then
# Always run # Always run
verbose "escape_hazard: FORCED" verbose "escape_hazard: FORCED"
# Do not respect --no-safe-ssl, escape the fields
# before they are expanded by OpenSSL or easyrsa.
#elif [ "$EASYRSA_NO_SAFE_SSL" ]; then
# # Never run
# verbose "escape_hazard: DENIED"
# return
elif [ "$working_safe_org_conf" ]; then elif [ "$working_safe_org_conf" ]; then
# Has run once # Has run once
verbose "escape_hazard: BYPASSED" verbose "escape_hazard: BYPASSED"
return return
elif [ -z "$has_config" ]; then
# SSL Config not required
verbose "escape_hazard: IGNORED"
return
else else
# Run once # Run once
verbose "escape_hazard: RUN-ONCE" verbose "escape_hazard: RUN-ONCE"
@ -979,23 +975,27 @@ expand_ssl_config() {
verbose "expand_ssl_config: FORCED" verbose "expand_ssl_config: FORCED"
elif [ "$EASYRSA_NO_SAFE_SSL" ]; then elif [ "$EASYRSA_NO_SAFE_SSL" ]; then
# Never run # Never run
verbose "expand_ssl_config: DENIED" verbose "expand_ssl_config: DISABLED"
return return
elif [ "$working_safe_ssl_conf" ]; then elif [ "$working_safe_ssl_conf" ]; then
# Has run once # Has run once
verbose "expand_ssl_config: BYPASSED" verbose "expand_ssl_config: BYPASSED"
return return
elif [ -z "$has_config" ]; then elif [ "$ssl_lib" = libressl ]; then
# SSL Config not required # Always run
verbose "expand_ssl_config: REQUIRED"
elif [ "$ssl_lib" = openssl ]; then
# OpenSSl does not require a safe config
verbose "expand_ssl_config: IGNORED" verbose "expand_ssl_config: IGNORED"
return return
else else
# Run once # do NOT Run
verbose "expand_ssl_config: RUN-ONCE" die "expand_ssl_config: EXCEPTION"
fi fi
# Set run once # Set run once
working_safe_ssl_conf=1 working_safe_ssl_conf=1
verbose "expand_ssl_config: RUN-ONCE"
# Assign temp-file # Assign temp-file
safe_ssl_cnf_tmp="" safe_ssl_cnf_tmp=""
@ -1076,20 +1076,10 @@ easyrsa_openssl() {
rand) rand)
die "easyrsa_openssl: Illegal SSL command: rand" die "easyrsa_openssl: Illegal SSL command: rand"
;; ;;
makesafeconf) makesafeconf=1; has_config=1 ;; makesafeconf) makesafeconf=1 ;;
ca|req|srp|ts) has_config=1 ;; *) :
*) unset -v has_config
esac esac
# OpenSSL 1x genpkey does not support -config
# OpenSSL 3x genpkey requires -config
# LibreSSL passes the test without -config ..
if [ "$openssl_command" = genpkey ] && \
[ "$ssl_lib" = openssl ] && [ "$osslv_major" = 3 ]
then
has_config=1
fi
# Auto-escape hazardous characters # Auto-escape hazardous characters
escape_hazard || \ escape_hazard || \
die "easyrsa_openssl - escape_hazard failed" die "easyrsa_openssl - escape_hazard failed"
@ -1098,64 +1088,41 @@ easyrsa_openssl() {
expand_ssl_config || \ expand_ssl_config || \
die "easyrsa_openssl - expand_ssl_config failed" die "easyrsa_openssl - expand_ssl_config failed"
# Support --no-safe-ssl
if [ "$EASYRSA_NO_SAFE_SSL" ]; then
# Assign safe temp file as Original openssl-easyrsa.conf
safe_ssl_cnf_tmp="$EASYRSA_SSL_CONF"
verbose "easyrsa_openssl: No SAFE SSL config"
fi
# VERIFY safe temp-file exists # VERIFY safe temp-file exists
if [ -e "$safe_ssl_cnf_tmp" ]; then if [ -e "$safe_ssl_cnf_tmp" ]; then
verbose "\ verbose "\
easyrsa_openssl: Safe SSL conf OK: $safe_ssl_cnf_tmp" easyrsa_openssl: Safe SSL conf OK: $safe_ssl_cnf_tmp"
export OPENSSL_CONF="$safe_ssl_cnf_tmp"
else else
[ "$has_config" ] && die "\ verbose "\
easyrsa_openssl - Safe SSL conf MISSING: $safe_ssl_cnf_tmp" easyrsa_openssl: No Safe SSL conf, FALLBACK to default"
export OPENSSL_CONF="$EASYRSA_SSL_CONF"
fi fi
# set $OPENSSL_CONF - Use which-ever file is assigned above
export OPENSSL_CONF="$safe_ssl_cnf_tmp"
# Execute command - Return on success # Execute command - Return on success
if [ "$openssl_command" = "makesafeconf" ]; then if [ "$openssl_command" = "makesafeconf" ]; then
# COPY temp-file to safessl-easyrsa.cnf # COPY temp-file to safessl-easyrsa.cnf
unset -v makesafeconf unset -v makesafeconf
cp -f "$safe_ssl_cnf_tmp" "$EASYRSA_SAFE_CONF" && \ cp -f "$safe_ssl_cnf_tmp" "$EASYRSA_SAFE_CONF" && \
return return
die "easyrsa_openssl: makesafeconf FAILED"
fi
elif [ "$has_config" ]; then # Exec SSL
# Exec SSL with -config temp-file if [ "$EASYRSA_SILENT_SSL" ] && [ "$EASYRSA_BATCH" ]
if [ "$EASYRSA_SILENT_SSL" ] && [ "$EASYRSA_BATCH" ] then
then "$EASYRSA_OPENSSL" "$openssl_command" "$@" \
"$EASYRSA_OPENSSL" "$openssl_command" \ 2>/dev/null && \
-config "$safe_ssl_cnf_tmp" "$@" \ return
2>/dev/null && \
return
else
"$EASYRSA_OPENSSL" "$openssl_command" \
-config "$safe_ssl_cnf_tmp" "$@" && \
return
fi
else else
# Exec SSL without -config temp-file "$EASYRSA_OPENSSL" "$openssl_command" "$@" && \
if [ "$EASYRSA_SILENT_SSL" ] && [ "$EASYRSA_BATCH" ] return
then
"$EASYRSA_OPENSSL" "$openssl_command" "$@" \
2>/dev/null && \
return
else
"$EASYRSA_OPENSSL" "$openssl_command" "$@" && \
return
fi
fi fi
# Always fail here # Always fail here
die "\ die "\
easyrsa_openssl - Command has failed: easyrsa_openssl - Command has failed:
* $EASYRSA_OPENSSL $openssl_command \ * $EASYRSA_OPENSSL $openssl_command $*"
${has_config:+-config $safe_ssl_cnf_tmp }$*"
} # => easyrsa_openssl() } # => easyrsa_openssl()
# Verify the SSL library is functional # Verify the SSL library is functional
@ -1166,12 +1133,13 @@ verify_ssl_lib() {
verify_ssl_lib_ok=1 verify_ssl_lib_ok=1
# redirect std-err, ignore missing ssl/openssl.cnf # redirect std-err, ignore missing ssl/openssl.cnf
val="$("$EASYRSA_OPENSSL" version 2>/dev/null)" val="$(
OPENSSL_CONF=/dev/null "$EASYRSA_OPENSSL" version
)"
ssl_version="$val" ssl_version="$val"
# SSL lib name # SSL lib name
case "${val%% *}" in case "${val%% *}" in
# OpenSSL does require a safe config-file for ampersand
OpenSSL) OpenSSL)
ssl_lib=openssl ssl_lib=openssl
;; ;;
@ -1998,14 +1966,16 @@ at: $out_file"
die "gen_dh - easyrsa_mktemp tmp_dh_file" die "gen_dh - easyrsa_mktemp tmp_dh_file"
# Generate dh.pem # Generate dh.pem
"$EASYRSA_OPENSSL" dhparam -out "$tmp_dh_file" \ OPENSSL_CONF=/dev/null \
"$EASYRSA_KEY_SIZE" || \ "$EASYRSA_OPENSSL" dhparam -out "$tmp_dh_file" \
die "Failed to generate DH params" "$EASYRSA_KEY_SIZE" || \
die "Failed to generate DH params"
# Validate dh.pem # Validate dh.pem
"$EASYRSA_OPENSSL" dhparam -in "$tmp_dh_file" \ OPENSSL_CONF=/dev/null \
-check -noout || \ "$EASYRSA_OPENSSL" dhparam -in "$tmp_dh_file" \
die "Failed to validate DH params" -check -noout || \
die "Failed to validate DH params"
mv -f "$tmp_dh_file" "$out_file" || \ mv -f "$tmp_dh_file" "$out_file" || \
die "Failed to move temp DH file" die "Failed to move temp DH file"
@ -4130,16 +4100,17 @@ Input is not a valid certificate: $crt_in"
if [ "$EASYRSA_SILENT_SSL" ]; then if [ "$EASYRSA_SILENT_SSL" ]; then
# Test SSL out # Test SSL out
# openssl direct call because error is expected # openssl direct call because error is expected
if "$EASYRSA_OPENSSL" verify \ if OPENSSL_CONF=/dev/null "$EASYRSA_OPENSSL" verify \
-CAfile "$ca_crt" "$crt_in" 1>/dev/null 2>&1 -CAfile "$ca_crt" "$crt_in" 1>/dev/null
then then
verify_cert_ok=1 verify_cert_ok=1
else else
unset -v verify_cert_ok unset -v verify_cert_ok
fi fi
else else
if "$EASYRSA_OPENSSL" verify \ if OPENSSL_CONF=/dev/null \
-CAfile "$ca_crt" "$crt_in" "$EASYRSA_OPENSSL" verify \
-CAfile "$ca_crt" "$crt_in"
then then
verify_cert_ok=1 verify_cert_ok=1
else else
@ -4934,9 +4905,10 @@ expire_status: FALL-BACK completed"
# Check cert expiry against window # Check cert expiry against window
# openssl direct call because error is expected # openssl direct call because error is expected
if "$EASYRSA_OPENSSL" x509 -in "$cert_issued" \ if OPENSSL_CONF=/dev/null \
-noout -checkend "$pre_expire_window_s" \ "$EASYRSA_OPENSSL" x509 -in "$cert_issued" \
1>/dev/null -noout -checkend "$pre_expire_window_s" \
1>/dev/null
then then
expire_msg="will NOT expire" expire_msg="will NOT expire"
will_not_expire=1 will_not_expire=1
@ -5314,18 +5286,21 @@ verify_algo_params - easyrsa_mktemp EASYRSA_ALGO_PARAMS"
# Create the required ecparams file # Create the required ecparams file
# call openssl directly because error is expected # call openssl directly because error is expected
"$EASYRSA_OPENSSL" ecparam -name "$EASYRSA_CURVE" \ OPENSSL_CONF=/dev/null \
-out "$EASYRSA_ALGO_PARAMS" \ "$EASYRSA_OPENSSL" ecparam \
1>/dev/null || die "\ -name "$EASYRSA_CURVE" \
-out "$EASYRSA_ALGO_PARAMS" \
1>/dev/null || die "\
Failed to generate ecparam file (permissions?) at: Failed to generate ecparam file (permissions?) at:
* $EASYRSA_ALGO_PARAMS" * $EASYRSA_ALGO_PARAMS"
;; ;;
ed) ed)
# Verify Edwards curve # Verify Edwards curve
# call openssl directly because error is expected # call openssl directly because error is expected
"$EASYRSA_OPENSSL" genpkey \ OPENSSL_CONF=/dev/null \
-algorithm "$EASYRSA_CURVE" \ "$EASYRSA_OPENSSL" genpkey \
1>/dev/null || die "\ -algorithm "$EASYRSA_CURVE" \
1>/dev/null || die "\
Edwards Curve $EASYRSA_CURVE not found." Edwards Curve $EASYRSA_CURVE not found."
;; ;;
*) user_error "\ *) user_error "\
@ -6740,7 +6715,8 @@ return 0
print_version() print_version()
{ {
ssl_version="$( ssl_version="$(
"${EASYRSA_OPENSSL:-openssl}" version 2>/dev/null OPENSSL_CONF=/dev/null \
"${EASYRSA_OPENSSL:-openssl}" version
)" )"
cat << VERSION_TEXT cat << VERSION_TEXT
EasyRSA Version Information EasyRSA Version Information