Merge branch 'TinCanTech-make-safe-ssl-copy-temp-file'

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Richard T Bonhomme 2023-05-02 21:10:38 +01:00
commit 604f8d9db2
GPG Key ID: 2D767DB92FB6C246


@ -640,7 +640,9 @@ secure_session() {
# atomic: # atomic:
if mkdir "$secured_session"; then if mkdir "$secured_session"; then
# New session requires safe-ssl conf # New session requires safe-ssl conf
unset -v working_safe_ssl_conf mktemp_counter unset -v mktemp_counter \
OPENSSL_CONF easyrsa_safe_ssl_conf \
working_safe_ssl_conf
verbose "\ verbose "\
secure_session: CREATED: $secured_session" secure_session: CREATED: $secured_session"
return return
@ -658,8 +660,9 @@ remove_secure_session() {
if rm -rf "$secured_session"; then if rm -rf "$secured_session"; then
verbose "\ verbose "\
remove_secure_session: DELETED: $secured_session" remove_secure_session: DELETED: $secured_session"
unset -v working_safe_ssl_conf \ unset -v secured_session mktemp_counter \
mktemp_counter secured_session OPENSSL_CONF easyrsa_safe_ssl_conf \
working_safe_ssl_conf
return 0 return 0
fi fi
fi fi
@ -762,11 +765,11 @@ Temporary session not preserved."
mv -f "$secured_session" "$keep_tmp" mv -f "$secured_session" "$keep_tmp"
print "Temp session preserved: $keep_tmp" print "Temp session preserved: $keep_tmp"
fi fi
else
# remove temp-session
remove_secure_session || \
die "cleanup - remove_secure_session"
fi fi
# Always remove temp-session
remove_secure_session || \
die "cleanup - remove_secure_session"
fi fi
# Remove files when build_full()->sign_req() is interrupted # Remove files when build_full()->sign_req() is interrupted
@ -823,9 +826,8 @@ make_safe_ssl() {
verify_pki_init verify_pki_init
EASYRSA_FORCE_SAFE_SSL=1 EASYRSA_FORCE_SAFE_SSL=1
easyrsa_openssl makesafeconf easyrsa_openssl makesafeconf
notice "\ verbose "\
Generated safe SSL config file: make_safe_ssl: NEW SSL cnf file: $easyrsa_safe_ssl_conf"
* $EASYRSA_SAFE_CONF"
} # => make_safe_ssl_copy() } # => make_safe_ssl_copy()
# Escape hazardous characters # Escape hazardous characters
@ -934,11 +936,6 @@ easyrsa_openssl() {
has_config=1 has_config=1
fi fi
# Assign safe temp file to create, may not be used
easyrsa_safe_ssl_conf=""
easyrsa_mktemp easyrsa_safe_ssl_conf || die \
"easyrsa_openssl - easyrsa_mktemp easyrsa_safe_ssl_conf"
# Auto-escape hazardous characters: # Auto-escape hazardous characters:
# '&' - Workaround 'sed' behavior # '&' - Workaround 'sed' behavior
# '$' - Workaround 'easyrsa' based limitation # '$' - Workaround 'easyrsa' based limitation
@ -959,7 +956,9 @@ easyrsa_openssl: escape_hazard SKIPPED"
# Make LibreSSL safe config file from OpenSSL config file # Make LibreSSL safe config file from OpenSSL config file
# $require_safe_ssl_conf is ALWAYS set by verify_ssl_lib() # $require_safe_ssl_conf is ALWAYS set by verify_ssl_lib()
# Can be over-ruled for OpenSSL by option --no-safe-ssl # Can be over-ruled for OpenSSL by option --no-safe-ssl
if [ "$require_safe_ssl_conf" ]; then if [ "$require_safe_ssl_conf" ] || \
[ "$EASYRSA_FORCE_SAFE_SSL" ]
then
# Only create a new safe config, # Only create a new safe config,
# if it has not been done before. # if it has not been done before.
@ -972,11 +971,24 @@ easyrsa_openssl: escape_hazard SKIPPED"
verbose "\ verbose "\
easyrsa_openssl: easyrsa_rewrite_ssl_config SKIPPED" easyrsa_openssl: easyrsa_rewrite_ssl_config SKIPPED"
else else
# Assign easyrsa_safe_ssl_conf temp-file
easyrsa_safe_ssl_conf=""
easyrsa_mktemp easyrsa_safe_ssl_conf || die "\
easyrsa_openssl - easyrsa_mktemp easyrsa_safe_ssl_conf"
# Write a safe SSL config temp-file # Write a safe SSL config temp-file
easyrsa_rewrite_ssl_config || die \ if easyrsa_rewrite_ssl_config; then
"easyrsa_openssl - easyrsa_rewrite_ssl_config" verbose "\
easyrsa_openssl: easyrsa_rewrite_ssl_config COMPLETED"
else
die "\
easyrsa_openssl - easyrsa_rewrite_ssl_config"
fi
# Save the the safe conf file-name # Save the the safe conf file-name
working_safe_ssl_conf="$easyrsa_safe_ssl_conf" working_safe_ssl_conf="$easyrsa_safe_ssl_conf"
verbose "\
easyrsa_openssl: NEW SSL cnf file: $easyrsa_safe_ssl_conf"
fi fi
else else
@ -984,13 +996,22 @@ easyrsa_openssl: easyrsa_rewrite_ssl_config SKIPPED"
easyrsa_safe_ssl_conf="$EASYRSA_SSL_CONF" easyrsa_safe_ssl_conf="$EASYRSA_SSL_CONF"
fi fi
# VERIFY safe temp-file exists
if [ -e "$easyrsa_safe_ssl_conf" ]; then
verbose "\
easyrsa_openssl: Safe SSL conf OK: $easyrsa_safe_ssl_conf"
else
die "\
easyrsa_openssl - Safe SSL conf MISSING: $easyrsa_safe_ssl_conf"
fi
# set $OPENSSL_CONF - Use which-ever file is assigned above # set $OPENSSL_CONF - Use which-ever file is assigned above
export OPENSSL_CONF="$easyrsa_safe_ssl_conf" export OPENSSL_CONF="$easyrsa_safe_ssl_conf"
# Execute command - Return on success # Execute command - Return on success
if [ "$openssl_command" = "makesafeconf" ]; then if [ "$openssl_command" = "makesafeconf" ]; then
# move temp file to safessl-easyrsa.cnf # COPY temp-file to safessl-easyrsa.cnf
mv -f "$easyrsa_safe_ssl_conf" "$EASYRSA_SAFE_CONF" && \ cp -f "$easyrsa_safe_ssl_conf" "$EASYRSA_SAFE_CONF" && \
return return
elif [ "$has_config" ]; then elif [ "$has_config" ]; then
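Review bot: Replacing `mv -f` with `cp -f` in the `makesafeconf` branch gives up the atomic rename: `cp -f` truncates and rewrites `$EASYRSA_SAFE_CONF` in place, so a concurrent easyrsa invocation reading `safessl-easyrsa.cnf` can observe an empty or partial config, and if the destination already exists as a symlink `cp -f` writes through it to the link target, whereas `mv` replaced the link itself. Keeping the temp-file for later use is the commit's intent, so copy to a sibling name and rename into place instead: `cp -f "$easyrsa_safe_ssl_conf" "$EASYRSA_SAFE_CONF.tmp" && mv -f "$EASYRSA_SAFE_CONF.tmp" "$EASYRSA_SAFE_CONF" && return`. The new existence guard above is welcome, but `-e` also accepts a directory or dangling-symlink check that `-f` would reject; `if [ -f "$easyrsa_safe_ssl_conf" ]; then` is the stricter test for a file that is about to become `OPENSSL_CONF`. The enclosing `easyrsa_openssl()` begins and ends outside this hunk, so I cannot see whether the later `has_config` branch has the same race.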
@ -1041,11 +1062,16 @@ verify_ssl_lib() {
# OpenSSL does require a safe config-file for ampersand # OpenSSL does require a safe config-file for ampersand
OpenSSL) OpenSSL)
ssl_lib=openssl ssl_lib=openssl
[ "$EASYRSA_NO_SAFE_SSL" ] || require_safe_ssl_conf=1 if [ -z "$EASYRSA_NO_SAFE_SSL" ]; then
require_safe_ssl_conf=1
fi
;; ;;
LibreSSL) LibreSSL)
ssl_lib=libressl ssl_lib=libressl
require_safe_ssl_conf=1 require_safe_ssl_conf=1
if [ "$EASYRSA_NO_SAFE_SSL" ]; then
die "Cannot use '--no-safe-ssl' with LibreSSL"
fi
;; ;;
*) *)
error_msg="$("$EASYRSA_OPENSSL" version 2>&1)" error_msg="$("$EASYRSA_OPENSSL" version 2>&1)"
@ -4326,6 +4352,9 @@ read_db() {
die "read_db - remove_secure_session" die "read_db - remove_secure_session"
secure_session || \ secure_session || \
die "read_db - secure_session" die "read_db - secure_session"
if [ "$require_safe_ssl_conf" ]; then
make_safe_ssl || die "read_db - make_safe_ssl"
fi
# Interpret the db/certificate record # Interpret the db/certificate record
unset -v db_serial db_cn db_revoke_date db_reason unset -v db_serial db_cn db_revoke_date db_reason
@ -4928,6 +4957,7 @@ EasyRSA '$cmd' does not support --startdate or --enddate"
esac esac
fi fi
# Insecure Windows directory
if [ "$easyrsa_host_os" = win ]; then if [ "$easyrsa_host_os" = win ]; then
if echo "$PWD" | grep -q '/P.*/OpenVPN/easy-rsa'; then if echo "$PWD" | grep -q '/P.*/OpenVPN/easy-rsa'; then
warn "\ warn "\