New function: easyrsa-random() - Generate random hexadecimal data
Squashed commit of the following:
commit cb68324306febcddf7ef03fe56fc1eddf06e7db7
Merge: 82483f1 2199d0c
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Wed Nov 9 21:19:41 2022 +0000
Merge branch 'f-easyrsa_random' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-f-easyrsa_random
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 2199d0c323e506df436a335375be9115a12d6b7f
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Wed Nov 9 21:05:17 2022 +0000
Minor improvements to temp-session and temp-file
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit aa15b74722632ecab14c07ba9f2158d121e55d4f
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Wed Nov 9 20:35:43 2022 +0000
New function: easyrsa-random() - Generate random hexadecimal data
Replace the various random requirements with this new function.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This commit is contained in:
Richard T Bonhomme
parent
82483f103e
commit
320a324965
@ -590,35 +590,55 @@ Type the word '$value' to continue, or any other input to abort."
|
||||
exit 9
|
||||
} # => confirm()
|
||||
|
||||
# Generate random hex
|
||||
# Can ony be used after a SAFE SSL config exists.
|
||||
# Otherwise, LibreSSL complains about the config file.
|
||||
easyrsa_random() {
|
||||
if [ "$EASYRSA_SAFE_CONF" ] && [ -e "$EASYRSA_SAFE_CONF" ]
|
||||
then
|
||||
: # ok
|
||||
else
|
||||
die "easyrsa_random - safe conf"
|
||||
fi
|
||||
|
||||
case "$1" in
|
||||
(*[!1234567890]*|0*|"") : ;; # invalid input
|
||||
(*)
|
||||
# Only return on success
|
||||
"$EASYRSA_OPENSSL" rand -hex "$1" && return
|
||||
esac
|
||||
die "easyrsa_random failed"
|
||||
} # => easyrsa_random()
|
||||
|
||||
# Create session directory atomically or fail
|
||||
secure_session() {
|
||||
# Session is already defined
|
||||
[ "$EASYRSA_TEMP_DIR_session" ] && die "session overload"
|
||||
|
||||
# temporary directory must exist
|
||||
if [ "$EASYRSA_TEMP_DIR" ] && [ -d "$EASYRSA_TEMP_DIR" ]; then
|
||||
if [ "$EASYRSA_TEMP_DIR" ] && [ -d "$EASYRSA_TEMP_DIR" ]
|
||||
then
|
||||
: # ok
|
||||
else
|
||||
die "Non-existant temporary directory: $EASYRSA_TEMP_DIR"
|
||||
fi
|
||||
|
||||
for i in 1 2 3; do
|
||||
# Always use openssl directly for rand
|
||||
rand="$(
|
||||
"$EASYRSA_OPENSSL" rand -hex 4
|
||||
)" || die "secure_session - rand '$rand'"
|
||||
random_session="$(
|
||||
easyrsa_random 4
|
||||
)" || die "secure_session - random_session '$random_session'"
|
||||
|
||||
EASYRSA_TEMP_DIR_session="${EASYRSA_TEMP_DIR}/${rand}"
|
||||
EASYRSA_TEMP_DIR_session="${EASYRSA_TEMP_DIR}/${random_session}"
|
||||
# atomic:
|
||||
mkdir "$EASYRSA_TEMP_DIR_session" && return
|
||||
done
|
||||
return 1
|
||||
die "secure_session failed"
|
||||
} # => secure_session()
|
||||
|
||||
# Create tempfile atomically or fail
|
||||
easyrsa_mktemp() {
|
||||
# session directory must exist
|
||||
if [ "$EASYRSA_TEMP_DIR_session" ] && \
|
||||
[ -d "$EASYRSA_TEMP_DIR_session" ]
|
||||
if [ "$EASYRSA_TEMP_DIR_session" ] && [ -d "$EASYRSA_TEMP_DIR_session" ]
|
||||
then
|
||||
: # ok
|
||||
else
|
||||
@ -629,23 +649,25 @@ Non-existant temporary session:
|
||||
|
||||
for i in 1 2 3; do
|
||||
# Always use openssl directly for rand
|
||||
rand="$(
|
||||
"$EASYRSA_OPENSSL" rand -hex 4
|
||||
)" || die "easyrsa_mktemp - rand '$rand'"
|
||||
random_file="$(
|
||||
easyrsa_random 4
|
||||
)" || die "easyrsa_mktemp - random_file '$random_file'"
|
||||
|
||||
shotfile="${EASYRSA_TEMP_DIR_session}/shot.$rand"
|
||||
shotfile="${EASYRSA_TEMP_DIR_session}/shot.$random_file"
|
||||
if [ -e "$shotfile" ]; then
|
||||
continue
|
||||
else
|
||||
printf "" > "$shotfile" || continue
|
||||
fi
|
||||
|
||||
tempfile="${EASYRSA_TEMP_DIR_session}/temp.$rand"
|
||||
mv "$shotfile" "$tempfile" || continue
|
||||
# Print the new temporary file-name for the caller
|
||||
printf '%s\n' "$tempfile" && return
|
||||
tempfile="${EASYRSA_TEMP_DIR_session}/temp.$random_file"
|
||||
# atomic:
|
||||
if mv "$shotfile" "$tempfile"; then
|
||||
# Print the new temporary file-name for the caller
|
||||
printf '%s\n' "$tempfile" && return
|
||||
fi
|
||||
done
|
||||
return 1
|
||||
die "easyrsa_mktemp failed"
|
||||
} # => easyrsa_mktemp()
|
||||
|
||||
# remove temp files and do terminal cleanups
|
||||
@ -1616,11 +1638,12 @@ sign_req() {
|
||||
serial=""
|
||||
check_serial=""
|
||||
for i in 1 2 3 4 5; do
|
||||
# Always use openssl directly for rand
|
||||
"$EASYRSA_OPENSSL" rand -hex -out "$EASYRSA_PKI/serial" 16 \
|
||||
|| die "sign_req - rand"
|
||||
serial="$(
|
||||
easyrsa_random 16
|
||||
)" || die "sign_req - easyrsa_random"
|
||||
|
||||
serial="$(cat "$EASYRSA_PKI/serial")"
|
||||
# Print random $serial to pki/serial file for use by SSL config
|
||||
print "$serial" > "$EASYRSA_PKI/serial" || die "sign_req - serial"
|
||||
|
||||
# Calls LibreSSL directly with a broken config and still works
|
||||
check_serial="$(
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user