Merge branch 'correct-default-algo-assign' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-correct-default-algo-assign

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Richard T Bonhomme 2023-05-06 20:20:19 +01:00
commit 7d310e421c
No known key found for this signature in database
GPG Key ID: 2D767DB92FB6C246


@ -689,8 +689,6 @@ easyrsa_mktemp - Temporary session undefined"
t="${secured_session}/temp.${mktemp_counter}" t="${secured_session}/temp.${mktemp_counter}"
# Create shotfile # Create shotfile
verbose "\
easyrsa_mktemp: Create temp-file for: $1"
for h in x y x; do for h in x y x; do
shotfile="${t}.${h}" shotfile="${t}.${h}"
if [ -e "$shotfile" ]; then if [ -e "$shotfile" ]; then
@ -700,8 +698,6 @@ easyrsa_mktemp: shot-file EXISTS: $shotfile"
else else
printf "" > "$shotfile" || die "\ printf "" > "$shotfile" || die "\
easyrsa_mktemp: create shotfile failed (1) $1" easyrsa_mktemp: create shotfile failed (1) $1"
verbose "\
easyrsa_mktemp: shot-file created: $shotfile"
# Create temp-file or die # Create temp-file or die
# subshells do not update mktemp_counter, # subshells do not update mktemp_counter,
@ -715,17 +711,19 @@ easyrsa_mktemp: temp-file EXISTS: $want_tmp_file"
continue continue
else else
# atomic: # atomic:
[ "$easyrsa_host_os" = win ] && \ [ "$easyrsa_host_os" = win ] && {
set -o noclobber set -o noclobber
}
if mv "$shotfile" "$want_tmp_file"; then if mv "$shotfile" "$want_tmp_file"; then
verbose "\
easyrsa_mktemp: atomic: Create temp-file OK: $want_tmp_file"
# Assign external temp-file name # Assign external temp-file name
if force_set_var "$1" "$want_tmp_file" if force_set_var "$1" "$want_tmp_file"
then then
[ "$easyrsa_host_os" = win ] && \ verbose "\
easyrsa_mktemp: $1 temp-file OK: $want_tmp_file"
[ "$easyrsa_host_os" = win ] && {
set +o noclobber set +o noclobber
}
unset -v want_tmp_file shotfile unset -v want_tmp_file shotfile
return 0 return 0
else else
@ -939,23 +937,6 @@ easyrsa_openssl() {
has_config=1 has_config=1
fi fi
# Auto-escape hazardous characters:
# '&' - Workaround 'sed' behavior
# '$' - Workaround 'easyrsa' based limitation
# This is required for all SSL libs, otherwise,
# there are unacceptable differences in behavior
# EASYRSA_FORCE_SAFE_SSL will always over-ride
if [ -z "$EASYRSA_FORCE_SAFE_SSL" ] && \
[ "$working_safe_ssl_conf" ]
then
: # ok - This has been done before
verbose "\
easyrsa_openssl: escape_hazard SKIPPED"
else
escape_hazard || \
die "easyrsa_openssl - escape_hazard failed"
fi
# Make LibreSSL safe config file from OpenSSL config file # Make LibreSSL safe config file from OpenSSL config file
# $require_safe_ssl_conf is ALWAYS set by verify_ssl_lib() # $require_safe_ssl_conf is ALWAYS set by verify_ssl_lib()
# Can be over-ruled for OpenSSL by option --no-safe-ssl # Can be over-ruled for OpenSSL by option --no-safe-ssl
@ -970,10 +951,23 @@ easyrsa_openssl: escape_hazard SKIPPED"
[ "$working_safe_ssl_conf" ] [ "$working_safe_ssl_conf" ]
then then
# ok - This has been done before # ok - This has been done before
# Set SAFE SSL conf to working SAFE SSL conf
easyrsa_safe_ssl_conf="$working_safe_ssl_conf" easyrsa_safe_ssl_conf="$working_safe_ssl_conf"
verbose "\ verbose "\
easyrsa_openssl: escape_hazard SKIPPED"
verbose "\
easyrsa_openssl: easyrsa_rewrite_ssl_config SKIPPED" easyrsa_openssl: easyrsa_rewrite_ssl_config SKIPPED"
else else
# Auto-escape hazardous characters:
# '&' - Workaround 'sed' behavior
# '$' - Workaround 'easyrsa' based limitation
# This is required for all SSL libs, otherwise,
# there are unacceptable differences in behavior
escape_hazard || \
die "easyrsa_openssl - escape_hazard failed"
verbose "\
easyrsa_openssl: escape_hazard COMPLETED"
# Assign easyrsa_safe_ssl_conf temp-file # Assign easyrsa_safe_ssl_conf temp-file
easyrsa_safe_ssl_conf="" easyrsa_safe_ssl_conf=""
easyrsa_mktemp easyrsa_safe_ssl_conf || die "\ easyrsa_mktemp easyrsa_safe_ssl_conf || die "\
@ -983,20 +977,20 @@ easyrsa_openssl - easyrsa_mktemp easyrsa_safe_ssl_conf"
if easyrsa_rewrite_ssl_config; then if easyrsa_rewrite_ssl_config; then
verbose "\ verbose "\
easyrsa_openssl: easyrsa_rewrite_ssl_config COMPLETED" easyrsa_openssl: easyrsa_rewrite_ssl_config COMPLETED"
# Save the the safe conf file-name
working_safe_ssl_conf="$easyrsa_safe_ssl_conf"
verbose "\
easyrsa_openssl: NEW SAFE SSL config: $easyrsa_safe_ssl_conf"
else else
die "\ die "\
easyrsa_openssl - easyrsa_rewrite_ssl_config" easyrsa_openssl - easyrsa_rewrite_ssl_config"
fi fi
# Save the the safe conf file-name
working_safe_ssl_conf="$easyrsa_safe_ssl_conf"
verbose "\
easyrsa_openssl: NEW SSL cnf file: $easyrsa_safe_ssl_conf"
fi fi
else else
# Assign safe temp file as Original openssl-easyrsa.conf # Assign safe temp file as Original openssl-easyrsa.conf
easyrsa_safe_ssl_conf="$EASYRSA_SSL_CONF" easyrsa_safe_ssl_conf="$EASYRSA_SSL_CONF"
verbose "easyrsa_openssl: No SAFE SSL config"
fi fi
# VERIFY safe temp-file exists # VERIFY safe temp-file exists
@ -4901,7 +4895,8 @@ verify_algo_params() {
"verify_algo_params - easyrsa_mktemp EASYRSA_ALGO_PARAMS" "verify_algo_params - easyrsa_mktemp EASYRSA_ALGO_PARAMS"
# Create the required ecparams file # Create the required ecparams file
easyrsa_openssl ecparam -name "$EASYRSA_CURVE" \ # call openssl directly because error is expected
"$EASYRSA_OPENSSL" ecparam -name "$EASYRSA_CURVE" \
-out "$EASYRSA_ALGO_PARAMS" \ -out "$EASYRSA_ALGO_PARAMS" \
1>/dev/null || die "\ 1>/dev/null || die "\
Failed to generate ecparam file (permissions?) at: Failed to generate ecparam file (permissions?) at:
@ -4909,6 +4904,7 @@ Failed to generate ecparam file (permissions?) at:
;; ;;
ed) ed)
# Verify Edwards curve # Verify Edwards curve
# call openssl directly because error is expected
"$EASYRSA_OPENSSL" genpkey \ "$EASYRSA_OPENSSL" genpkey \
-algorithm "$EASYRSA_CURVE" \ -algorithm "$EASYRSA_CURVE" \
1>/dev/null || die "\ 1>/dev/null || die "\
@ -4917,6 +4913,8 @@ Edwards Curve $EASYRSA_CURVE not found."
*) die "\ *) die "\
Alg '$EASYRSA_ALGO' is invalid: Must be 'rsa', 'ec' or 'ed'" Alg '$EASYRSA_ALGO' is invalid: Must be 'rsa', 'ec' or 'ed'"
esac esac
verbose "\
verify_algo_params: Params verified for algo '$EASYRSA_ALGO'"
} # => verify_algo_params() } # => verify_algo_params()
# Check for conflicting input options # Check for conflicting input options
@ -5195,10 +5193,14 @@ One or more of these problems has been found in your 'vars' file:
set_var EASYRSA_REQ_OU "My Organizational Unit" set_var EASYRSA_REQ_OU "My Organizational Unit"
set_var EASYRSA_REQ_SERIAL "" set_var EASYRSA_REQ_SERIAL ""
set_var EASYRSA_ALGO rsa set_var EASYRSA_ALGO rsa
set_var EASYRSA_KEY_SIZE 2048
case "$EASYRSA_ALGO" in case "$EASYRSA_ALGO" in
rsa) rsa)
set_var EASYRSA_KEY_SIZE 2048 : # ok
# default EASYRSA_KEY_SIZE must always be set
# it must NOT be set selectively because it is
# present in the SSL config file
;; ;;
ec) ec)
set_var EASYRSA_CURVE secp384r1 set_var EASYRSA_CURVE secp384r1
@ -5269,6 +5271,13 @@ verify_working_env - install_data_to_pki vars-setup failed"
# Verify selected algorithm and parameters # Verify selected algorithm and parameters
verify_algo_params verify_algo_params
# Check $working_safe_ssl_conf, to build
# a fully configured safe ssl conf, on the
# next invocation of easyrsa_openssl()
[ -z "$working_safe_ssl_conf" ] || {
die "working_safe_ssl_conf must not be set!"
}
# Last setup msg # Last setup msg
information "\ information "\
Using SSL: $EASYRSA_OPENSSL $ssl_version Using SSL: $EASYRSA_OPENSSL $ssl_version
@ -5945,6 +5954,7 @@ unset -v \
easyrsa_error_exit \ easyrsa_error_exit \
prohibit_no_pass \ prohibit_no_pass \
secured_session \ secured_session \
working_safe_ssl_conf \
user_vars_true \ user_vars_true \
user_san_true \ user_san_true \
alias_days alias_days
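Review bot: In the `easyrsa_openssl` hunk at `-970,10 +951,23`, `escape_hazard` now runs only in the branch that builds a new safe SSL config, so the later `else` branch that assigns `easyrsa_safe_ssl_conf="$EASYRSA_SSL_CONF"` (logged as `No SAFE SSL config`, presumably the `--no-safe-ssl` path) is used without the `&`/`$` escaping, while the moved comment still says the escaping is required for all SSL libs. If skipping it there is intended, the comment should say so, for example `# Only needed when a safe SSL config is built; not run when the original config is used`; if it is not intended, `escape_hazard || die "easyrsa_openssl - escape_hazard failed"` belongs ahead of the outer `if`, where the removed block was. The removed block also tested `EASYRSA_FORCE_SAFE_SSL` before skipping; the `if` condition that now guards the skip starts outside the visible hunk, so whether that override still forces a fresh escape and rewrite cannot be confirmed from these lines.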