nik/easyrsa
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'easyrsa_mktemp-v2' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-easyrsa_mktemp-v2

Browse Source 
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This commit is contained in:
Richard T Bonhomme 2023-02-11 21:27:32 +00:00
commit 1dc5c265ac
No known key found for this signature in database
GPG Key ID: 2D767DB92FB6C246
1 changed files with 118 additions and 87 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

205
easyrsa3/easyrsa
View File

@ -593,8 +593,9 @@ Type the word '$value' to continue, or any other input to abort."
# Generate random hex # Generate random hex
# Cannot use easyrsa-openssl() due to chicken vs egg, # Cannot use easyrsa-openssl() due to chicken vs egg,
# easyrsa_openssl() creates temp-files, which needs `openssl rand`. # easyrsa_openssl() creates temp-files,
# Redirect error-out, because LibreSSL complains of missing conf. # which needs `openssl rand`.
# Redirect error-out, ignore complaints of missing config
easyrsa_random() { easyrsa_random() {
case "$1" in case "$1" in
(*[!1234567890]*|0*|"") : ;; # invalid input (*[!1234567890]*|0*|"") : ;; # invalid input
@ -608,58 +609,58 @@ easyrsa_random() {
# Create session directory atomically or fail # Create session directory atomically or fail
secure_session() { secure_session() {
# Session is already defined # Session is already defined
[ "$EASYRSA_TEMP_DIR_session" ] && die "session overload" [ "$secured_session" ] && \
die "session overload"
# temporary directory must exist # temporary directory must exist
if [ "$EASYRSA_TEMP_DIR" ] && [ -d "$EASYRSA_TEMP_DIR" ] if [ "$EASYRSA_TEMP_DIR" ] && \
[ -d "$EASYRSA_TEMP_DIR" ]
then then
: # ok : # ok
else else
die "Non-existant temporary directory: $EASYRSA_TEMP_DIR" die "Non-existant temporary directory:
* $EASYRSA_TEMP_DIR"
fi fi
for i in 1 2 3; do for i in 1 2 3; do
random_session="$( session="$(
easyrsa_random 4 easyrsa_random 4
)" || die "secure_session - random_session '$random_session'" )" || die "secure_session - session"
EASYRSA_TEMP_DIR_session="${EASYRSA_TEMP_DIR}/${random_session}" secured_session="${EASYRSA_TEMP_DIR}/${session}"
# atomic: # atomic:
mkdir "$EASYRSA_TEMP_DIR_session" && return mkdir "$secured_session" && return
done done
die "secure_session failed" die "secure_session failed"
} # => secure_session() } # => secure_session()
# Create tempfile atomically or fail # Create temp-file atomically or fail
easyrsa_mktemp() { easyrsa_mktemp() {
[ "$#" = 1 ] || die "easyrsa_mktemp - invalid input"
# session directory must exist # session directory must exist
if [ "$EASYRSA_TEMP_DIR_session" ] && [ -d "$EASYRSA_TEMP_DIR_session" ] [ "$secured_session" ] || die "\
then easyrsa_mktemp - Temporary session undefined"
: # ok
else
die "\
easyrsa_mktemp - Non-existant temporary session:
* $EASYRSA_TEMP_DIR_session"
fi
for i in 1 2 3; do # Update counter
# Always use openssl directly for rand mktemp_counter="$(( mktemp_counter + 1 ))"
random_file="$(
easyrsa_random 4
)" || die "easyrsa_mktemp - random_file '$random_file'"
shotfile="${EASYRSA_TEMP_DIR_session}/shot.$random_file" # Assign internal temp-file name
t="${secured_session}/temp.${mktemp_counter}"
# Create temp-file or die
for i in x y z; do
shotfile="${t}.0"
target="$t.$i"
if [ -e "$shotfile" ]; then if [ -e "$shotfile" ]; then
continue break
else else
printf "" > "$shotfile" || continue printf "" > "$shotfile" || break
fi # atomic:
if mv "$shotfile" "$target"; then
tempfile="${EASYRSA_TEMP_DIR_session}/temp.$random_file" # Assign external temp-file name
# atomic: force_set_var "$1" "$target" && return
if mv "$shotfile" "$tempfile"; then fi
# Print the new temporary file-name for the caller
printf '%s\n' "$tempfile" && return
fi fi
done done
die "easyrsa_mktemp failed" die "easyrsa_mktemp failed"
@ -667,8 +668,8 @@ easyrsa_mktemp - Non-existant temporary session:
# remove temp files and do terminal cleanups # remove temp files and do terminal cleanups
cleanup() { cleanup() {
if [ "${EASYRSA_TEMP_DIR_session%/*}" ] && \ if [ "${secured_session%/*}" ] && \
[ -d "$EASYRSA_TEMP_DIR_session" ] [ -d "$secured_session" ]
then then
# Remove temp-session or create temp-snapshot # Remove temp-session or create temp-snapshot
if [ "$EASYRSA_KEEP_TEMP" ] if [ "$EASYRSA_KEEP_TEMP" ]
@ -684,18 +685,13 @@ Temporary session not preserved."
keep_tmp="$EASYRSA_TEMP_DIR/tmp/$EASYRSA_KEEP_TEMP" keep_tmp="$EASYRSA_TEMP_DIR/tmp/$EASYRSA_KEEP_TEMP"
mkdir -p "$keep_tmp" mkdir -p "$keep_tmp"
rm -rf "$keep_tmp" rm -rf "$keep_tmp"
mv -f "$EASYRSA_TEMP_DIR_session" "$keep_tmp" mv -f "$secured_session" "$keep_tmp"
print "Temp session preserved: $keep_tmp" print "Temp session preserved: $keep_tmp"
fi fi
fi fi
# Always remove temp-session # Always remove temp-session
rm -rf "$EASYRSA_TEMP_DIR_session" rm -rf "$secured_session"
fi
if [ "${EASYRSA_EC_DIR%/*}" ] && [ -d "$EASYRSA_EC_DIR" ]
then
rm -rf "$EASYRSA_EC_DIR"
fi fi
# Remove files when build_full()->sign_req() is interrupted # Remove files when build_full()->sign_req() is interrupted
@ -763,8 +759,9 @@ Generated safe SSL config file:
# Escape hazardous characters # Escape hazardous characters
escape_hazard() { escape_hazard() {
# Assign temp file # Assign temp file
easyrsa_vars_org="$(easyrsa_mktemp)" || \ easyrsa_vars_org=""
die "escape_hazard - easyrsa_mktemp failed" easyrsa_mktemp easyrsa_vars_org || die \
"escape_hazard - easyrsa_mktemp easyrsa_vars_org"
# write org fields to org temp-file and escape '&' and '$' # write org fields to org temp-file and escape '&' and '$'
print "\ print "\
@ -861,8 +858,9 @@ easyrsa_openssl() {
fi fi
# Assign safe temp file to create, may not be used # Assign safe temp file to create, may not be used
easyrsa_safe_ssl_conf="$(easyrsa_mktemp)" || \ easyrsa_safe_ssl_conf=""
die "easyrsa_openssl - easyrsa_mktemp failed" easyrsa_mktemp easyrsa_safe_ssl_conf || die \
"easyrsa_openssl - easyrsa_mktemp easyrsa_safe_ssl_conf"
# Auto-escape hazardous characters: # Auto-escape hazardous characters:
# '&' - Workaround 'sed' behavior # '&' - Workaround 'sed' behavior
@ -1405,10 +1403,13 @@ Unable to create necessary PKI files (permissions?)"
fi fi
# Assign cert and key temp files # Assign cert and key temp files
out_key_tmp="$(easyrsa_mktemp)" || \ out_key_tmp=""
die "Failed to create temp-key file" easyrsa_mktemp out_key_tmp || \
out_file_tmp="$(easyrsa_mktemp)" || \ die "build_ca - easyrsa_mktemp out_key_tmp"
die "Failed to create temp-cert file" out_file_tmp=""
easyrsa_mktemp out_file_tmp || \
die "build_ca - easyrsa_mktemp out_file_tmp"
# Get passphrase from user if necessary # Get passphrase from user if necessary
if [ "$EASYRSA_NO_PASS" ] if [ "$EASYRSA_NO_PASS" ]
@ -1421,10 +1422,12 @@ Unable to create necessary PKI files (permissions?)"
else else
# Assign passphrase vars and temp file # Assign passphrase vars and temp file
in_key_pass_tmp="$(easyrsa_mktemp)" || \ in_key_pass_tmp=""
die "in_key_pass_tmp: create" easyrsa_mktemp in_key_pass_tmp || \
out_key_pass_tmp="$(easyrsa_mktemp)" || \ die "build_ca - in_key_pass_tmp"
die "out_key_pass_tmp: create" out_key_pass_tmp=""
easyrsa_mktemp out_key_pass_tmp || \
die "build_ca - out_key_pass_tmp"
p="" p=""
q="" q=""
@ -1456,7 +1459,10 @@ Unable to create necessary PKI files (permissions?)"
{print} {print}
}' }'
conf_tmp="$(easyrsa_mktemp)" || die "conf_tmp: create" # Assign tmp-file for config
conf_tmp=""
easyrsa_mktemp conf_tmp || \
die "build_ca - easyrsa_mktemp conf_tmp"
{ {
cat "$EASYRSA_EXT_DIR/ca" "$EASYRSA_EXT_DIR/COMMON" cat "$EASYRSA_EXT_DIR/ca" "$EASYRSA_EXT_DIR/COMMON"
[ "$EASYRSA_EXTRA_EXTS" ] && print "$EASYRSA_EXTRA_EXTS" [ "$EASYRSA_EXTRA_EXTS" ] && print "$EASYRSA_EXTRA_EXTS"
@ -1565,8 +1571,9 @@ at: $out_file"
# Create a temp file # Create a temp file
# otherwise user abort leaves an incomplete dh.pem # otherwise user abort leaves an incomplete dh.pem
tmp_dh_file="$(easyrsa_mktemp)" || \ tmp_dh_file=""
die "Failed to create temp DH file" easyrsa_mktemp tmp_dh_file || \
die "gen_dh - easyrsa_mktemp tmp_dh_file"
# Generate dh.pem # Generate dh.pem
"$EASYRSA_OPENSSL" dhparam -out "$tmp_dh_file" \ "$EASYRSA_OPENSSL" dhparam -out "$tmp_dh_file" \
@ -1668,8 +1675,11 @@ $EASYRSA_EXTRA_EXTS"
{ while ( getline<"/dev/stdin" ) {print} next } { while ( getline<"/dev/stdin" ) {print} next }
{print} {print}
}' }'
conf_tmp="$(easyrsa_mktemp)" || die "\ # Assign temp-file for confg
gen_req - easyrsa_mktemp - conf_tmp" conf_tmp=""
easyrsa_mktemp conf_tmp || \
die "gen_req - easyrsa_mktemp conf_tmp"
print "$extra_exts" | \ print "$extra_exts" | \
awk "$awkscript" "$EASYRSA_SSL_CONF" \ awk "$awkscript" "$EASYRSA_SSL_CONF" \
> "$conf_tmp" \ > "$conf_tmp" \
@ -1679,10 +1689,12 @@ gen_req - easyrsa_mktemp - conf_tmp"
fi fi
# Name temp files # Name temp files
key_out_tmp="$(easyrsa_mktemp)" || die "\ key_out_tmp=""
gen_req - easyrsa_mktemp - key_out_tmp" easyrsa_mktemp key_out_tmp || \
req_out_tmp="$(easyrsa_mktemp)" || die "\ die "gen_req - easyrsa_mktemp key_out_tmp"
gen_req - easyrsa_mktemp - req_out_tmp" req_out_tmp=""
easyrsa_mktemp req_out_tmp || \
die "gen_req - easyrsa_mktemp req_out_tmp"
# Set Edwards curve name or elliptic curve parameters file # Set Edwards curve name or elliptic curve parameters file
algo_opts="" algo_opts=""
@ -1731,15 +1743,12 @@ sign_req() {
easyrsa_random 16 easyrsa_random 16
)" || die "sign_req - easyrsa_random" )" || die "sign_req - easyrsa_random"
# Print random $serial to pki/serial file
# for use by SSL config
print "$serial" > "$EASYRSA_PKI/serial" || \
die "sign_req - serial"
# Check for duplicate serial in CA db # Check for duplicate serial in CA db
# Always errors out - Do not capture error # Always errors out - Do not capture error
# unset EASYRSA_SILENT_SSL to capure all output
check_serial="$( check_serial="$(
easyrsa_openssl ca -status "$serial" 2>&1 EASYRSA_SILENT_SSL='' \
easyrsa_openssl ca -status "$serial" 2>&1
)" || : )" || :
case "$check_serial" in case "$check_serial" in
@ -1756,6 +1765,11 @@ sign_req - Randomize Serial number failed:
$check_serial" $check_serial"
fi fi
# Print random $serial to pki/serial file
# for use by SSL config
print "$serial" > "$EASYRSA_PKI/serial" || \
die "sign_req - write serial to file"
verify_ca_init verify_ca_init
# Check argument sanity: # Check argument sanity:
@ -1818,8 +1832,11 @@ to the latest official release."
{ while ( getline<"/dev/stdin" ) {print} next } { while ( getline<"/dev/stdin" ) {print} next }
{print} {print}
}' }'
conf_tmp="$(easyrsa_mktemp)" || \ # Assign temp-file for confg
die "sign_req - easyrsa_mktemp - conf_tmp" conf_tmp=""
easyrsa_mktemp conf_tmp || \
die "sign_req - easyrsa_mktemp conf_tmp"
print "$copy_exts" | \ print "$copy_exts" | \
awk "$awkscript" "$EASYRSA_SSL_CONF" \ awk "$awkscript" "$EASYRSA_SSL_CONF" \
> "$conf_tmp" \ > "$conf_tmp" \
@ -1829,8 +1846,9 @@ to the latest official release."
fi fi
# Generate the extensions file for this cert: # Generate the extensions file for this cert:
ext_tmp="$(easyrsa_mktemp)" || \ ext_tmp=""
die "sign_req - easyrsa_mktemp - ext_tmp" easyrsa_mktemp ext_tmp || \
die "sign_req - easyrsa_mktemp ext_tmp"
{ {
# Append COMMON and cert-type extensions # Append COMMON and cert-type extensions
cat "$EASYRSA_EXT_DIR/COMMON" || \ cat "$EASYRSA_EXT_DIR/COMMON" || \
@ -1928,8 +1946,9 @@ $(display_dn req "$req_in")
" # => confirm end " # => confirm end
# Assign temp cert file # Assign temp cert file
crt_out_tmp="$(easyrsa_mktemp)" || \ crt_out_tmp=""
die "sign_req - easyrsa_mktemp - crt_out_tmp" easyrsa_mktemp crt_out_tmp || \
die "sign_req - easyrsa_mktemp crt_out_tmp"
# sign request # sign request
easyrsa_openssl ca -utf8 -in "$req_in" \ easyrsa_openssl ca -utf8 -in "$req_in" \
@ -3077,7 +3096,10 @@ gen_crl() {
verify_ca_init verify_ca_init
out_file="$EASYRSA_PKI/crl.pem" out_file="$EASYRSA_PKI/crl.pem"
out_file_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
out_file_tmp=""
easyrsa_mktemp out_file_tmp || \
die "gen_crl - easyrsa_mktemp out_file_tmp"
easyrsa_openssl ca -utf8 -gencrl -out "$out_file_tmp" \ easyrsa_openssl ca -utf8 -gencrl -out "$out_file_tmp" \
${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} || die "\ ${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} || die "\
@ -3086,8 +3108,8 @@ CRL Generation failed."
mv "$out_file_tmp" "$out_file" mv "$out_file_tmp" "$out_file"
notice "\ notice "\
An updated CRL has been created. An updated CRL has been created:
CRL file: $out_file" * $out_file"
return 0 return 0
} # => gen_crl() } # => gen_crl()
@ -3293,7 +3315,10 @@ If the key is currently encrypted you must supply the decryption passphrase.
${cipher:+You will then enter a new PEM passphrase for this key.$NL}" ${cipher:+You will then enter a new PEM passphrase for this key.$NL}"
# Set password # Set password
out_key_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file" out_key_tmp=""
easyrsa_mktemp out_key_tmp || \
die "set_pass_legacy - easyrsa_mktemp out_key_tmp"
easyrsa_openssl "$key_type" -in "$file" -out "$out_key_tmp" \ easyrsa_openssl "$key_type" -in "$file" -out "$out_key_tmp" \
${cipher:+ "$cipher"} \ ${cipher:+ "$cipher"} \
${EASYRSA_PASSIN:+ -passin "$EASYRSA_PASSIN"} \ ${EASYRSA_PASSIN:+ -passin "$EASYRSA_PASSIN"} \
@ -3352,7 +3377,9 @@ If the key is encrypted then you must supply the decryption pass phrase.
${cipher:+You will then enter and verify a new PEM pass phrase for this key.}" ${cipher:+You will then enter and verify a new PEM pass phrase for this key.}"
# Set password # Set password
out_key_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file" out_key_tmp=""
easyrsa_mktemp out_key_tmp || \
die "set_pass - easyrsa_mktemp out_key_tmp"
easyrsa_openssl pkey -in "$file" -out "$out_key_tmp" \ easyrsa_openssl pkey -in "$file" -out "$out_key_tmp" \
${cipher:+ "$cipher"} \ ${cipher:+ "$cipher"} \
@ -3801,7 +3828,7 @@ cert_date_to_timestamp_s - input error"
busybox date -D "%b %e %H:%M:%S %Y" \ busybox date -D "%b %e %H:%M:%S %Y" \
-d "$in_date" +%s 2>/dev/null -d "$in_date" +%s 2>/dev/null
)" || die "\ )" || die "\
cert_date_to_timestamp_s - out_date_s - busybox" cert_date_to_timestamp_s - timestamp_s - busybox $in_date"
# Darwin, BSD # Darwin, BSD
elif timestamp_s="$( elif timestamp_s="$(
@ -4338,7 +4365,6 @@ satisfy_shellcheck() {
EASYRSA_ALGO= EASYRSA_ALGO=
EASYRSA_KEY_SIZE= EASYRSA_KEY_SIZE=
EASYRSA_CURVE= EASYRSA_CURVE=
EASYRSA_EC_DIR=
EASYRSA_CA_EXPIRE= EASYRSA_CA_EXPIRE=
EASYRSA_CERT_EXPIRE= EASYRSA_CERT_EXPIRE=
EASYRSA_CERT_RENEW= EASYRSA_CERT_RENEW=
@ -4433,7 +4459,9 @@ verify_algo_params() {
;; ;;
ec) ec)
# Verify Elliptic curve # Verify Elliptic curve
EASYRSA_ALGO_PARAMS="$(easyrsa_mktemp)" EASYRSA_ALGO_PARAMS=""
easyrsa_mktemp EASYRSA_ALGO_PARAMS || die \
"verify_algo_params - easyrsa_mktemp EASYRSA_ALGO_PARAMS"
# Create the required ecparams file # Create the required ecparams file
easyrsa_openssl ecparam -name "$EASYRSA_CURVE" \ easyrsa_openssl ecparam -name "$EASYRSA_CURVE" \
@ -4635,7 +4663,6 @@ Sourcing the vars file and building certificates will probably fail ..'
;; ;;
ec) ec)
set_var EASYRSA_CURVE secp384r1 set_var EASYRSA_CURVE secp384r1
set_var EASYRSA_EC_DIR "$EASYRSA_PKI/ecparams"
;; ;;
ed) ed)
set_var EASYRSA_CURVE ed25519 set_var EASYRSA_CURVE ed25519
@ -4988,12 +5015,12 @@ up23_create_openssl_cnf ()
# Create secure session # Create secure session
# Because the upgrade runs twice, once as a test and then for real # Because the upgrade runs twice, once as a test and then for real
# EASYRSA_TEMP_DIR_session must be cleared to avoid overload error # secured_session must be cleared to avoid overload error
[ "$EASYRSA_TEMP_DIR_session" ] && unset -v EASYRSA_TEMP_DIR_session [ "$secured_session" ] && unset -v secured_session
up23_verbose "> Create secure session" up23_verbose "> Create secure session"
secure_session || die "up23_create_openssl_cnf - secure_session failed." secure_session || die "up23_create_openssl_cnf - secure_session failed."
up23_verbose "> OK" up23_verbose "> OK"
up23_verbose " secure session: $EASYRSA_TEMP_DIR_session" up23_verbose " secure session: $secured_session"
# Create $EASYRSA_PKI/safessl-easyrsa.cnf # Create $EASYRSA_PKI/safessl-easyrsa.cnf
easyrsa_openssl makesafeconf easyrsa_openssl makesafeconf
@ -5366,10 +5393,13 @@ detect_host
unset -v \ unset -v \
easyrsa_error_exit \ easyrsa_error_exit \
prohibit_no_pass \ prohibit_no_pass \
secured_session \
user_vars_true \ user_vars_true \
user_san_true \ user_san_true \
alias_days alias_days
mktemp_counter=0
# Parse options # Parse options
while :; do while :; do
# Reset per pass flags # Reset per pass flags
@ -5711,6 +5741,7 @@ esac
[ $? = 0 ] || warn "Untrapped error detected!" [ $? = 0 ] || warn "Untrapped error detected!"
# Do 'cleanup ok' on successful completion # Do 'cleanup ok' on successful completion
#print "mktemp_counter: $mktemp_counter uses"
cleanup ok cleanup ok
# vim: ft=sh nu ai sw=8 ts=8 noet # vim: ft=sh nu ai sw=8 ts=8 noet