nik/easyrsa
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Always make a safe SSL config file for LibreSSL

Browse Source 
LibreSSL chokes on 'rand' without a config file and dies on the
standard config file.

A common fix would be to redirect error out to '/dev/null' but this
would obviously mask all error messages, which is not satisfactory.

Instead, always make a safe config file before the temporary session
directory and any temp-files are required.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This commit is contained in:
Richard T Bonhomme 2022-04-28 21:02:16 +01:00
parent 5e57887c39
commit a3db60f229
No known key found for this signature in database
GPG Key ID: 2D767DB92FB6C246
1 changed files with 11 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
easyrsa3/easyrsa
View File

@ -381,7 +381,7 @@ Non-existant temporary directory: $EASYRSA_TEMP_DIR"
for i in 1 2 3; do
# Always use openssl directly for rand
rand="$("$EASYRSA_OPENSSL" rand -hex 4)" \
|| die "secure_session - rand $rand"
|| die "secure_session - rand '$rand'"
EASYRSA_TEMP_DIR_session="${EASYRSA_TEMP_DIR}/${rand}"
mkdir "$EASYRSA_TEMP_DIR_session" || continue
@ -399,7 +399,7 @@ easyrsa_mktemp() {
for i in 1 2 3; do
# Always use openssl directly for rand
rand="$("$EASYRSA_OPENSSL" rand -hex 4)" \
|| die "easyrsa_mktemp - rand: $rand"
|| die "easyrsa_mktemp - rand '$rand'"
shotfile="${EASYRSA_TEMP_DIR_session}/shot.$rand"
if [ -e "$shotfile" ]; then
@ -2577,6 +2577,14 @@ Failed to source the vars file, remove any unsupported characters."
# If EASYRSA_PKI directory exists then
if [ ! "$no_pki_required" ] && [ -d "$EASYRSA_PKI" ]; then
# Make a safe SSL config for LibreSSL
# sub-shell out, to change running variables, only the file is required
(
no_pki_required=1
require_safe_ssl_conf=1
easyrsa_openssl makesafeconf
) || die "Failed to create safe ssl conf (vars_setup)"
# Temp dir session
secure_session || die "Temporary directory secure-session failed."
@ -2590,7 +2598,7 @@ Failed to source the vars file, remove any unsupported characters."
# This will find x509-types and export EASYRSA_EXT_DIR or die.
# Other errors only require warning.
install_data_to_pki vars-setup || \
warn "Failed to install new required data-dir to PKI. (setup)"
warn "Failed to install new required data-dir to PKI. (vars_setup)"
# EASYRSA_SAFE_CONF is output by 'install_data_to_pki()'
# via 'easyrsa_openssl() makesafeconf' above.