From 320a3249656fdec9504cf754c5c6fb14ace71761 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Wed, 9 Nov 2022 21:21:05 +0000 Subject: [PATCH] New function: easyrsa-random() - Generate random hexadecimal data Squashed commit of the following: commit cb68324306febcddf7ef03fe56fc1eddf06e7db7 Merge: 82483f1 2199d0c Author: Richard T Bonhomme Date: Wed Nov 9 21:19:41 2022 +0000 Merge branch 'f-easyrsa_random' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-f-easyrsa_random Signed-off-by: Richard T Bonhomme commit 2199d0c323e506df436a335375be9115a12d6b7f Author: Richard T Bonhomme Date: Wed Nov 9 21:05:17 2022 +0000 Minor improvements to temp-session and temp-file Signed-off-by: Richard T Bonhomme commit aa15b74722632ecab14c07ba9f2158d121e55d4f Author: Richard T Bonhomme Date: Wed Nov 9 20:35:43 2022 +0000 New function: easyrsa-random() - Generate random hexadecimal data Replace the various random requirements with this new function. Signed-off-by: Richard T Bonhomme Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 67 ++++++++++++++++++++++++++++++++---------------- 1 file changed, 45 insertions(+), 22 deletions(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 32e7c87..65956d2 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -590,35 +590,55 @@ Type the word '$value' to continue, or any other input to abort." exit 9 } # => confirm() +# Generate random hex +# Can ony be used after a SAFE SSL config exists. +# Otherwise, LibreSSL complains about the config file. +easyrsa_random() { + if [ "$EASYRSA_SAFE_CONF" ] && [ -e "$EASYRSA_SAFE_CONF" ] + then + : # ok + else + die "easyrsa_random - safe conf" + fi + + case "$1" in + (*[!1234567890]*|0*|"") : ;; # invalid input + (*) + # Only return on success + "$EASYRSA_OPENSSL" rand -hex "$1" && return + esac + die "easyrsa_random failed" +} # => easyrsa_random() + # Create session directory atomically or fail secure_session() { # Session is already defined [ "$EASYRSA_TEMP_DIR_session" ] && die "session overload" # temporary directory must exist - if [ "$EASYRSA_TEMP_DIR" ] && [ -d "$EASYRSA_TEMP_DIR" ]; then + if [ "$EASYRSA_TEMP_DIR" ] && [ -d "$EASYRSA_TEMP_DIR" ] + then : # ok else die "Non-existant temporary directory: $EASYRSA_TEMP_DIR" fi for i in 1 2 3; do - # Always use openssl directly for rand - rand="$( - "$EASYRSA_OPENSSL" rand -hex 4 - )" || die "secure_session - rand '$rand'" + random_session="$( + easyrsa_random 4 + )" || die "secure_session - random_session '$random_session'" - EASYRSA_TEMP_DIR_session="${EASYRSA_TEMP_DIR}/${rand}" + EASYRSA_TEMP_DIR_session="${EASYRSA_TEMP_DIR}/${random_session}" + # atomic: mkdir "$EASYRSA_TEMP_DIR_session" && return done - return 1 + die "secure_session failed" } # => secure_session() # Create tempfile atomically or fail easyrsa_mktemp() { # session directory must exist - if [ "$EASYRSA_TEMP_DIR_session" ] && \ - [ -d "$EASYRSA_TEMP_DIR_session" ] + if [ "$EASYRSA_TEMP_DIR_session" ] && [ -d "$EASYRSA_TEMP_DIR_session" ] then : # ok else 
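Review bot: The header comment on easyrsa_random() should state that the function is meant to be called through command substitution, because its `die` calls then run in a subshell and end only the substitution, so every caller has to test the exit status itself. The call sites visible in this patch do that with `|| die`, but nothing in the comment tells a future caller to. I would add `# Call as: var="$(easyrsa_random N)" || die ... (die in here only exits the subshell)` and fix the typo `ony` to `only` in the same comment. Where die writes its message is not visible in this hunk; if it is stdout, the text of "easyrsa_random - safe conf" ends up in the captured variable instead of on the terminal, which would be worth confirming.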
@@ -629,23 +649,25 @@ Non-existant temporary session: for i in 1 2 3; do # Always use openssl directly for rand - rand="$( - "$EASYRSA_OPENSSL" rand -hex 4 - )" || die "easyrsa_mktemp - rand '$rand'" + random_file="$( + easyrsa_random 4 + )" || die "easyrsa_mktemp - random_file '$random_file'" - shotfile="${EASYRSA_TEMP_DIR_session}/shot.$rand" + shotfile="${EASYRSA_TEMP_DIR_session}/shot.$random_file" if [ -e "$shotfile" ]; then continue else printf "" > "$shotfile" || continue fi - tempfile="${EASYRSA_TEMP_DIR_session}/temp.$rand" - mv "$shotfile" "$tempfile" || continue - # Print the new temporary file-name for the caller - printf '%s\n' "$tempfile" && return + tempfile="${EASYRSA_TEMP_DIR_session}/temp.$random_file" + # atomic: + if mv "$shotfile" "$tempfile"; then + # Print the new temporary file-name for the caller + printf '%s\n' "$tempfile" && return + fi done - return 1 + die "easyrsa_mktemp failed" } # => easyrsa_mktemp() # remove temp files and do terminal cleanups @@ -1616,11 +1638,12 @@ sign_req() { serial="" check_serial="" for i in 1 2 3 4 5; do - # Always use openssl directly for rand - "$EASYRSA_OPENSSL" rand -hex -out "$EASYRSA_PKI/serial" 16 \ - || die "sign_req - rand" + serial="$( + easyrsa_random 16 + )" || die "sign_req - easyrsa_random" - serial="$(cat "$EASYRSA_PKI/serial")" + # Print random $serial to pki/serial file for use by SSL config + print "$serial" > "$EASYRSA_PKI/serial" || die "sign_req - serial" # Calls LibreSSL directly with a broken config and still works check_serial="$(
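Review bot: The new `# atomic:` comment above `mv "$shotfile" "$tempfile"` overstates what the sequence guarantees: the rename is atomic but silently replaces an existing `$tempfile`, and the `[ -e "$shotfile" ]` test followed by `printf "" > "$shotfile"` is a check-then-create that would follow a symlink or truncate a file placed in between. The function is therefore only safe while the session directory is writable by the current user alone, which rests on the mode `mkdir` gives it in secure_session() and on the umask, neither of which is set in the lines this patch shows. Creating the file under noclobber would make the creation itself exclusive in a POSIX shell, e.g. `( set -C; : > "$shotfile" ) || continue`, and the comment could then name what is actually relied on. The context comment `# Always use openssl directly for rand` at the top of the loop is now stale, since the call goes through easyrsa_random(), and should be dropped as it was at the other two call sites. easyrsa_mktemp() begins in the previous hunk, so the session-directory check is only partly visible here.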
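Review bot: The value written to `$EASYRSA_PKI/serial` is now whatever easyrsa_random printed on stdout, and nothing checks that it is a plain hex string before the SSL config consumes it. Before this change openssl wrote the file itself with `-out`; with capture, any extra text emitted on stdout alongside a successful result would become part of the serial (the comment on easyrsa_random says LibreSSL complains about the config file, and which stream those complaints use is not shown here). A guard directly after the assignment would catch that, e.g. `case "$serial" in (*[!0123456789abcdefABCDEF]*|"") die "sign_req - invalid serial" ;; esac`, optionally with a length test for the expected 32 digits. The message `sign_req - easyrsa_random` also drops the captured text, unlike the other two call sites, which makes a failure harder to diagnose. sign_req() and its retry loop continue past the end of this hunk.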