From bd3a3b041cb2e88a66e8117b4de3745782d2822e Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Sun, 15 May 2022 19:03:00 +0100
Subject: [PATCH] Add final check for 'vars'; MUST exist or die

This check ensures the a valid command does not sneak a missing but expected 'vars' file through 'vars' detection phase.
Move detect_host() and expand the comment.
Minor reformatting, for readability.
Improve/update comments.
Stage-3-of: #566
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 67 ++++++++++++++++++++++++++++--------------------
 1 file changed, 39 insertions(+), 28 deletions(-)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 5950436..cd2e670 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -518,6 +518,7 @@ easyrsa_openssl() {
 # Make LibreSSL safe config file from OpenSSL config file
 # Do not use easyrsa_mktemp() for init-pki
+ # LibreSSL cannot generate random without a PKI and safe-conf
 if [ "$no_pki_required" ]; then
 # for init-pki $EASYRSA_SAFE_CONF is always set in the PKI, use it.
 easyrsa_openssl_conf="${EASYRSA_SAFE_CONF}.init-tmp"
@@ -527,6 +528,7 @@ easyrsa_openssl() {
 fi
 # OpenSSL does not require a safe config, so skip to the copy
+ # require_safe_ssl_conf is set by verify_ssl_lib()
 if [ "$require_safe_ssl_conf" ]; then
 # Make a safe SSL config file
 sed \
@@ -2949,8 +2951,9 @@ vars_setup() {
 # Otherwise, find vars 'the new way' followed by 'the old way' ..
 else
 # if PKI is required
- if [ -z "$no_pki_required" ]; then
-
+ if [ "$no_pki_required" ]; then
+ : # ok - No vars required either
+ else
 # Clear flags - This is the preferred order to find:
 unset -v e_pki_vars e_easy_vars e_pwd_vars e_prog_vars found_vars vars_in_pki
@@ -3003,15 +3006,24 @@ Priority should be given to your PKI vars file:
 # If $EASYRSA_NO_VARS is defined (not blank) then do not use vars.
 # If $no_pki_required then located vars files are not required.
- # User defined '--vars=file' is respected.
 if [ "$EASYRSA_NO_VARS" ] || [ "$no_pki_required" ]; then
 : # ok
 else
 # If a vars file was located then source it
 if [ -z "$vars" ]; then
 # $vars remains undefined .. no vars found
+ # install_data_to_pki() will create a default 'PKI/vars'
 : # ok
 else
+ # 'vars' now MUST exist
+ if [ ! -e "$vars" ]; then
+ if [ -d "$EASYRSA_PKI" ]; then
+ die "Missing vars file, expected: $vars"
+ else
+ die "Your PKI is not initialised."
+ fi
+ fi
+
 # Sanitize vars
 if grep -Eq 'EASYRSA_PASSIN|EASYRSA_PASSOUT' "$vars"; then
 die "\
@@ -3032,12 +3044,16 @@ Sourcing the vars file and building certificates will probably fail .."
 fi
 fi
+ # Enable sourcing 'vars'
 # shellcheck disable=SC2034 # EASYRSA_CALLER appears unused.
 EASYRSA_CALLER=1
+
+ # Test souring 'vars' in a subshell
 # shellcheck disable=1090 # can't follow non-constant source. vars
 ( . "$vars" 2>/dev/null ) || die "\
 Failed to source the vars file, remove any unsupported characters."
+
+ # Source 'vars' now
 # shellcheck disable=1090 # can't follow non-constant source. vars
 . "$vars" 2>/dev/null
 notice "Using Easy-RSA configuration from: $vars"
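Review bot: The new existence test `if [ ! -e "$vars" ]; then` lets a directory or an unreadable file through, and such a path then reaches `grep -Eq ... "$vars"` and the sourcing step below, where it fails with the unrelated "Failed to source the vars file" message instead of the two new diagnostics. Tighten the guard to `if [ ! -f "$vars" ] || [ ! -r "$vars" ]; then` so "Missing vars file" / "Your PKI is not initialised." also cover those cases; a dangling symlink already fails `-e` and is handled as intended. The if/else this check sits in opens and closes outside the hunk.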
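Review bot: The added comment `# Test souring 'vars' in a subshell` has a typo and understates what the line after it does: `( . "$vars" 2>/dev/null )` executes the file, so any command placed in vars runs once here with its stderr discarded and again at `. "$vars" 2>/dev/null` below. Suggest `# Trial-source 'vars' in a subshell first; this executes it, so commands in vars run twice and their stderr is dropped` so the double execution is documented next to the sanitize step. Whether a non-executing syntax check would be acceptable here depends on which shell the script runs under, which is not visible in the hunk, so I would leave the existing line alone and fix the comment only.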
@@ -3090,29 +3106,24 @@ Failed to source the vars file, remove any unsupported characters."
 *) die "Alg '$EASYRSA_ALGO' is invalid: must be 'rsa', 'ec' or 'ed' "
 esac
- # Assign value to $EASYRSA_TEMP_DIR_session
- # and work-around Windows mktemp bug when parent dir is missing
- #
- # Bug: When the parent-dir is missing Windows'mktemp -du' fails.
- # The work-around is to create the parent-dir, if it does not exist.
- # The reason it does not exist is because 'init-pki' has not been run.
- # Use the same gaurd against a missing PKI; Only set variables which
- # require a PKI, eg '$EASYRSA_PKI', if there is a PKI !
- #
- # Also, integrate a partial 'init-pki' by using 'install_data_to_pki()'
- #
- # If EASYRSA_PKI directory exists then
+ # For commands which 'require a PKI' and the PKI exists
 if [ ! "$no_pki_required" ] && [ -d "$EASYRSA_PKI" ]; then
 # Make a safe SSL config for LibreSSL
+ # Must specify 'no_pki_required' and 'require_safe_ssl_conf' here
+ # because verify_ssl_lib() has not yet run
 # sub-shell out, to change running variables, only the file is required
- (
- no_pki_required=1
- require_safe_ssl_conf=1
- easyrsa_openssl makesafeconf
- ) || die "Failed to create safe ssl conf (vars_setup)"
+ #(
+ # no_pki_required=1
+ # require_safe_ssl_conf=1
+ # easyrsa_openssl makesafeconf
+ #) || \
+ # die "Failed to create safe ssl conf (vars_setup)"
+ # Alternate version:
+ no_pki_required=1 require_safe_ssl_conf=1 easyrsa_openssl makesafeconf || \
+ die "Failed to create safe ssl conf (vars_setup)"
- # Temp dir session
+ # mkdir Temp dir session
 secure_session || die "Temporary directory secure-session failed."
 if [ -d "$EASYRSA_TEMP_DIR" ]; then
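Review bot: The replacement line `no_pki_required=1 require_safe_ssl_conf=1 easyrsa_openssl makesafeconf || \` depends on prefix assignments being scoped to the function call, which POSIX leaves unspecified: bash restores them, but some /bin/sh implementations (ash/dash-derived, ksh88) are reported to leave the variables set in the caller, in which case `no_pki_required=1` would persist for the rest of vars_setup() and the command that follows, and easyrsa_openssl() would keep selecting the `.init-tmp` config path on it. The removed subshell form was immune to this, and the kept comment `# sub-shell out, to change running variables, only the file is required` now describes code that is commented out. Restore the subshell and delete the commented-out copy rather than carrying an "Alternate version" of it; if the flat form is kept, add `unset -v no_pki_required require_safe_ssl_conf` on the next line, which is safe here because this branch is only entered when `[ ! "$no_pki_required" ]` held and verify_ssl_lib() has not yet set require_safe_ssl_conf. The enclosing if block and vars_setup() continue past the end of the hunk.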
@@ -3127,6 +3138,7 @@ Failed to source the vars file, remove any unsupported characters."
 install_data_to_pki vars-setup || \
 warn "Failed to install new required data-dir to PKI. (vars_setup)"
+ # export OPENSSL_CONF for OpenSSL, OpenSSL config file MUST exist
 # EASYRSA_SAFE_CONF is output by 'install_data_to_pki()'
 # via 'easyrsa_openssl() makesafeconf' above.
 # Setting EasyRSA specific OPENSSL_CONF to sanatized safe conf
@@ -3139,7 +3151,7 @@ Failed to source the vars file, remove any unsupported characters."
 else
 # If the directory does not exist then we have not run init-pki
 # The temp-dir is Always created by 'install_data_to_pki'
- : # ok
+ die "Temporary directory does not exist: $EASYRSA_TEMP_DIR"
 fi
 fi
 } # vars_setup()
@@ -3893,21 +3905,20 @@ trap "exit 3" 3
 trap "exit 6" 6
 trap "exit 14" 15
+# Get host details - does not require vars_setup
+detect_host
+
 # Set cmd now because vars_setup needs to know if this is init-pki
 cmd="$1"
 [ -n "$1" ] && shift # scrape off command
 # This avoids unnecessary warnings and notices
 case "$cmd" in
- init-pki|clean-all) no_pki_required=1 ;;
- ""|help|-h|--help|--usage) no_pki_required=1 ;;
- version) no_pki_required=1 ;;
+ init-pki|clean-all|""|help|-h|--help|--usage|version)
+ no_pki_required=1 ;;
 *) unset -v no_pki_required
 esac
-# Get host details
-detect_host
-
 # Intelligent env-var detection and auto-loading:
 vars_setup
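Review bot: The two comments kept above the new `die "Temporary directory does not exist: $EASYRSA_TEMP_DIR"` no longer describe the branch they annotate: it is reached only after `[ -d "$EASYRSA_PKI" ]` held and `secure_session || die ...` succeeded in the earlier hunk, so "we have not run init-pki" is not the cause, and `install_data_to_pki vars-setup` appears to be called only in the other arm of this if, so "Always created by 'install_data_to_pki'" cannot explain a missing directory here. Replace them with a comment stating what the die now means, e.g. `# secure_session returned success but $EASYRSA_TEMP_DIR is still missing: abort instead of continuing without a temp dir`, adjusted to whatever secure_session actually guarantees, since its body is not visible here. The if this else belongs to opens in an earlier hunk.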