Merge branch 'err_out-random' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-err_out-random
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This commit is contained in:
Richard T Bonhomme
commit
b54d0f09a0
101
easyrsa3/easyrsa
101
easyrsa3/easyrsa
@ -42,6 +42,7 @@ Here is the list of commands available with a short syntax reminder. Use the
|
||||
rebuild <file_name_base> [ cmd-opts ]
|
||||
gen-crl
|
||||
update-db
|
||||
make-safe-ssl
|
||||
show-req <file_name_base> [ cmd-opts ]
|
||||
show-cert <file_name_base> [ cmd-opts ]
|
||||
show-ca [ cmd-opts ]
|
||||
@ -217,6 +218,12 @@ cmd_help() {
|
||||
|
||||
This command will use the system time to update the status of
|
||||
issued certificates."
|
||||
;;
|
||||
make-safe-ssl)
|
||||
text="
|
||||
* make-safe-ssl
|
||||
|
||||
Generate a safe SSL config file"
|
||||
;;
|
||||
show-req|show-cert)
|
||||
text="
|
||||
@ -586,18 +593,11 @@ Type the word '$value' to continue, or any other input to abort."
|
||||
# Can ony be used after a SAFE SSL config exists.
|
||||
# Otherwise, LibreSSL complains about the config file.
|
||||
easyrsa_random() {
|
||||
if [ "$EASYRSA_SAFE_CONF" ] && [ -e "$EASYRSA_SAFE_CONF" ]
|
||||
then
|
||||
: # ok
|
||||
else
|
||||
die "easyrsa_random - safe conf"
|
||||
fi
|
||||
|
||||
case "$1" in
|
||||
(*[!1234567890]*|0*|"") : ;; # invalid input
|
||||
(*)
|
||||
# Only return on success
|
||||
"$EASYRSA_OPENSSL" rand -hex "$1" && return
|
||||
"$EASYRSA_OPENSSL" rand -hex "$1" 2>/dev/null && return
|
||||
esac
|
||||
die "easyrsa_random failed"
|
||||
} # => easyrsa_random()
|
||||
@ -741,12 +741,13 @@ Temporary session not preserved."
|
||||
fi
|
||||
} # => cleanup()
|
||||
|
||||
# Make a copy safe SSL config file for comparison (undocumented)
|
||||
make_safe_ssl_copy() {
|
||||
no_pki_required=1
|
||||
require_safe_ssl_conf=1
|
||||
make_copy_ssl_conf=1
|
||||
# Make a copy safe SSL config file
|
||||
make_safe_ssl() {
|
||||
verify_pki_init
|
||||
easyrsa_openssl makesafeconf
|
||||
notice "\
|
||||
Generated safe SSL config file:
|
||||
* $EASYRSA_SAFE_CONF"
|
||||
} # => make_safe_ssl_copy()
|
||||
|
||||
# Escape hazardous characters
|
||||
@ -780,7 +781,7 @@ easyrsa_openssl() {
|
||||
# Do not allow 'rand' here because it interferes with EASYRSA_DEBUG
|
||||
case "$openssl_command" in
|
||||
rand) die "easyrsa_openssl: Illegal SSL command: rand" ;;
|
||||
makesafeconf) has_config=1 ;;
|
||||
makesafeconf) has_config=1; require_safe_ssl_conf=1 ;;
|
||||
ca|req|srp|ts) has_config=1 ;;
|
||||
*) unset -v has_config
|
||||
esac
|
||||
@ -797,21 +798,15 @@ easyrsa_openssl() {
|
||||
if [ "$has_config" ]; then
|
||||
# Make LibreSSL safe config file from OpenSSL config file
|
||||
|
||||
# Do not use easyrsa_mktemp() for init-pki
|
||||
# LibreSSL cannot generate random without a PKI and safe-conf
|
||||
if [ "$no_pki_required" ]; then
|
||||
# for init-pki $EASYRSA_SAFE_CONF is always set in the PKI, use it.
|
||||
easyrsa_openssl_conf="${EASYRSA_SAFE_CONF}.init-tmp"
|
||||
easyrsa_openssl_conf_org="${EASYRSA_SAFE_CONF}.org"
|
||||
else
|
||||
easyrsa_openssl_conf="$(easyrsa_mktemp)" || \
|
||||
die "easyrsa_openssl - Failed to create temporary file (1)"
|
||||
easyrsa_openssl_conf_org="$(easyrsa_mktemp)" || \
|
||||
die "easyrsa_openssl - Failed to create temporary file (2)"
|
||||
fi
|
||||
# Assign temp files
|
||||
easyrsa_openssl_conf="$(easyrsa_mktemp)" || \
|
||||
die "easyrsa_openssl - Failed to create temporary file (1)"
|
||||
easyrsa_openssl_conf_org="$(easyrsa_mktemp)" || \
|
||||
die "easyrsa_openssl - Failed to create temporary file (2)"
|
||||
|
||||
# Auto-escape hazardous characters:
|
||||
# '&' - Workaround 'sed' demented behavior
|
||||
# '&' - Workaround 'sed' behavior
|
||||
# '$' - Workaround 'easyrsa' based limitation
|
||||
escape_hazard
|
||||
|
||||
# require_safe_ssl_conf is ALWAYS set by verify_ssl_lib()
|
||||
@ -848,11 +843,6 @@ easyrsa_openssl() {
|
||||
# move temp file to safessl-easyrsa.cnf
|
||||
mv -f "$easyrsa_openssl_conf" "$EASYRSA_SAFE_CONF" || \
|
||||
die "easyrsa_openssl - makesafeconf failed"
|
||||
if [ "$make_copy_ssl_conf" ]; then
|
||||
print
|
||||
cp -v "$EASYRSA_SAFE_CONF" "${EASYRSA_SAFE_CONF}.temp"
|
||||
print
|
||||
fi
|
||||
else
|
||||
# debug log on
|
||||
if [ "$EASYRSA_DEBUG" ]; then print "<< DEBUG-ON >>"; set -x; fi
|
||||
@ -887,10 +877,12 @@ verify_ssl_lib() {
|
||||
# OpenSSL does require a safe config-file for ampersand
|
||||
OpenSSL) ssl_lib=openssl; require_safe_ssl_conf=1 ;;
|
||||
LibreSSL) ssl_lib=libressl; require_safe_ssl_conf=1 ;;
|
||||
*) die "\
|
||||
Missing SSL binary or invalid SSL output for 'version':
|
||||
* '${val%% *}'
|
||||
Expected to find openssl command at: $EASYRSA_OPENSSL"
|
||||
*)
|
||||
error_msg="$("$EASYRSA_OPENSSL" version)"
|
||||
die "\
|
||||
Invalid SSL output for 'version':
|
||||
|
||||
$error_msg"
|
||||
esac
|
||||
|
||||
# Set SSL version dependent $no_password option
|
||||
@ -1036,18 +1028,13 @@ and initialize a fresh PKI here."
|
||||
die "Failed to create PKI file structure (permissions?)"
|
||||
done
|
||||
|
||||
# for 'init-pki' create a secure_session
|
||||
secure_session || die "init_pki - secure_session failed."
|
||||
|
||||
# Install data-files into ALL new PKIs
|
||||
install_data_to_pki init-pki || \
|
||||
warn "Failed to install required data-files to PKI. (init)"
|
||||
|
||||
# Verify that $EASYRSA_SAFE_CONF exists ($OPENSSL_CONF)
|
||||
# Prevents bogus warnings (especially useful on win32)
|
||||
if [ "$EASYRSA_SAFE_CONF" ] && [ -e "$EASYRSA_SAFE_CONF" ]; then
|
||||
: # ok
|
||||
else
|
||||
die "init-pki failed to create safe SSL conf: $EASYRSA_SAFE_CONF"
|
||||
fi
|
||||
|
||||
notice "\
|
||||
'init-pki' complete; you may now create a CA or requests.
|
||||
|
||||
@ -1221,10 +1208,6 @@ install_data_to_pki() {
|
||||
[ -d "$EASYRSA_EXT_DIR" ] || \
|
||||
die "install_data_to_pki - Missing: $x509_types_dir"
|
||||
|
||||
# Create a safe ssl file, Complete or error
|
||||
require_safe_ssl_conf=1 # Always required for libressl
|
||||
[ -e "$EASYRSA_SAFE_CONF" ] || easyrsa_openssl makesafeconf || \
|
||||
die "install_data_to_pki - Missing: $EASYRSA_SAFE_CONF"
|
||||
} # => install_data_to_pki ()
|
||||
|
||||
# Disable terminal echo, if possible, otherwise warn
|
||||
@ -4293,17 +4276,7 @@ Sourcing the vars file and building certificates will probably fail ..'
|
||||
# Verify SSL Lib - One time ONLY
|
||||
verify_ssl_lib
|
||||
|
||||
# Make a safe SSL config for LibreSSL
|
||||
# Must specify 'no_pki_required' here, otherwise temp-files cannot
|
||||
# be created because secure_session has not created a temp-dir
|
||||
{ # Scope conditions to this single command
|
||||
no_pki_required=1 easyrsa_openssl makesafeconf || \
|
||||
die "Failed to create safe ssl conf (vars_setup)"
|
||||
} # End scope
|
||||
|
||||
# mkdir Temp dir session
|
||||
# Must be run after 'Make a safe SSL config for LibreSSL' above,
|
||||
# otherwise LibreSSL chokes without a safe config file
|
||||
secure_session || die "Temporary directory secure-session failed."
|
||||
|
||||
if [ -d "$EASYRSA_TEMP_DIR" ]; then
|
||||
@ -4331,16 +4304,6 @@ Sourcing the vars file and building certificates will probably fail ..'
|
||||
prefer_vars_in_pki_msg
|
||||
fi
|
||||
|
||||
# export OPENSSL_CONF for OpenSSL, OpenSSL config file MUST exist
|
||||
# EASYRSA_SAFE_CONF is output by 'install_data_to_pki()'
|
||||
# via 'easyrsa_openssl() makesafeconf' above.
|
||||
# Setting EasyRSA specific OPENSSL_CONF to sanatized safe conf
|
||||
if [ -e "$EASYRSA_SAFE_CONF" ]; then
|
||||
export OPENSSL_CONF="$EASYRSA_SAFE_CONF"
|
||||
else
|
||||
die "Failed to find Safe-SSL config file."
|
||||
fi
|
||||
|
||||
# Verify selected algorithm and parameters
|
||||
verify_algo_params
|
||||
|
||||
@ -5314,7 +5277,7 @@ case "$cmd" in
|
||||
show_host "$@"
|
||||
;;
|
||||
make-safe-ssl)
|
||||
make_safe_ssl_copy "$@"
|
||||
make_safe_ssl "$@"
|
||||
;;
|
||||
upgrade)
|
||||
up23_manage_upgrade_23 "$@"
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user