From 12ee30a802f8227e65f25581f86853ddfc430592 Mon Sep 17 00:00:00 2001 From: Luiz Angelo Daros de Luca Date: Thu, 30 May 2019 18:52:27 -0300 Subject: [PATCH 1/2] check for failed easyrsa_mktemp Signed-off-by: Luiz Angelo Daros de Luca --- easyrsa3/easyrsa | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index e9fbb21..0c569e8 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -334,10 +334,10 @@ easyrsa_openssl() { return fi - easyrsa_openssl_conf=$(easyrsa_mktemp) + easyrsa_openssl_conf=$(easyrsa_mktemp) || die "Failed to create temporary file" easyrsa_extra_exts= if [ -n "$EASYRSA_EXTRA_EXTS" ]; then - easyrsa_extra_exts=$(easyrsa_mktemp) + easyrsa_extra_exts=$(easyrsa_mktemp) || die "Failed to create temporary file" cat >"$easyrsa_extra_exts" <<-EOF req_extensions = req_extra [ req_extra ] @@ -576,11 +576,11 @@ current CA keypair. If you intended to start a new CA, run init-pki first." # shellcheck disable=SC2015 [ "$EASYRSA_BATCH" ] && opts="$opts -batch" || export EASYRSA_REQ_CN="Easy-RSA CA" - out_key_tmp="$(easyrsa_mktemp)" - out_file_tmp="$(easyrsa_mktemp)" + out_key_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file" + out_file_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file" # Get password from user if necessary if [ ! $nopass ] && ( [ -z "$EASYRSA_PASSOUT" ] || [ -z "$EASYRSA_PASSIN" ] ); then - out_key_pass_tmp="$(easyrsa_mktemp)" + out_key_pass_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file" echo printf "Enter New CA Key Passphrase: " hide_read_pass kpass @@ -703,7 +703,7 @@ $EASYRSA_EXTRA_EXTS" { while ( getline<"/dev/stdin" ) {print} next } {print} }' - conf_tmp="$(easyrsa_mktemp)" + conf_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file" print "$extra_exts" | \ awk "$awkscript" "$EASYRSA_SSL_CONF" \ > "$conf_tmp" \ 
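Review bot: The reason for the new `|| die` is not recorded anywhere, and the twelve call sites in this patch (this hunk and the ones at -576, -703, -712, -792, -834, -1178 and -1336) all carry the same literal message. `easyrsa_mktemp` runs inside `$( )`, so a `die` raised within it ends only the substitution's subshell; a one-line comment at the first site, such as `# easyrsa_mktemp runs in a subshell: its own die cannot abort the caller`, would keep a later cleanup from removing the checks as redundant. Several of these files appear to receive private keys or a passphrase (`out_key_tmp`, `out_key_pass_tmp`), so naming the artefact in the message, e.g. `|| die "Failed to create temporary file for CA key"`, would make a failure easier to triage. The enclosing functions start and end outside the hunks.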
@@ -712,8 +712,8 @@ $EASYRSA_EXTRA_EXTS" EASYRSA_SSL_CONF="$conf_tmp" fi - key_out_tmp="$(easyrsa_mktemp)" - req_out_tmp="$(easyrsa_mktemp)" + key_out_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file" + req_out_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file" # generate request [ $EASYRSA_BATCH ] && opts="$opts -batch" # shellcheck disable=2086,2148 @@ -792,7 +792,7 @@ $(display_dn req "$req_in") " # => confirm end # Generate the extensions file for this cert: - ext_tmp="$(easyrsa_mktemp)" + ext_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file" { # Append first any COMMON file (if present) then the cert-type extensions cat "$EASYRSA_EXT_DIR/COMMON" @@ -834,7 +834,7 @@ Failed to create temp extension file (bad permissions?) at: $ext_tmp" # sign request - crt_out_tmp="$(easyrsa_mktemp)" + crt_out_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file" easyrsa_openssl ca -utf8 -in "$req_in" -out "$crt_out_tmp" \ -extfile "$ext_tmp" -days "$EASYRSA_CERT_EXPIRE" -batch $opts ${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} \ || die "signing failed (openssl output above may have more detail)" @@ -1178,7 +1178,7 @@ gen_crl() { verify_ca_init out_file="$EASYRSA_PKI/crl.pem" - out_file_tmp="$(easyrsa_mktemp)" + out_file_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file" easyrsa_openssl ca -utf8 -gencrl -out "$out_file_tmp" ${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} || die "\ CRL Generation failed. " 
@@ -1336,7 +1336,7 @@ $file" If the key is currently encrypted you must supply the decryption passphrase. ${crypto:+You will then enter a new PEM passphrase for this key.$NL}" - out_key_tmp="$(easyrsa_mktemp)" + out_key_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file" easyrsa_openssl "$key_type" -in "$file" -out "$out_key_tmp" $crypto ${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} ${EASYRSA_PASSOUT:+-passout "$EASYRSA_PASSOUT"} || die "\ Failed to change the private key passphrase. See above for possible openssl error messages." From e2a8b78d9a6ad9aa8352ba795b1d8c00f70efe96 Mon Sep 17 00:00:00 2001 From: Luiz Angelo Daros de Luca Date: Thu, 30 May 2019 18:53:22 -0300 Subject: [PATCH 2/2] workaround win32 mktemp bug win32 mktemp shipped by easyrsa does not work. It returns unmodified template as the "temporary file". This results in file conflicts when two temporary files are in use. However win32 mktemp -d does work as expected. So, we can use mktemp -du to generate a correct temporary file name. Signed-off-by: Luiz Angelo Daros de Luca --- easyrsa3/easyrsa | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 0c569e8..10219d6 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
@@ -311,7 +311,18 @@ easyrsa_mktemp() { [ -n "$EASYRSA_TEMP_DIR_session" ] || die "EASYRSA_TEMP_DIR_session not initialized!" [ -d "$EASYRSA_TEMP_DIR_session" ] || mkdir -p "$EASYRSA_TEMP_DIR_session" || die "Could not create temporary directory '$EASYRSA_TEMP_DIR_session'. Permission or concurrency problem?" - mktemp "$EASYRSA_TEMP_DIR_session/tmp.XXXXXX" + [ -d "$EASYRSA_TEMP_DIR_session" ] || die "Temporary directory '$EASYRSA_TEMP_DIR_session' does not exist" + + template="$EASYRSA_TEMP_DIR_session/tmp.XXXXXX" + tempfile=$(mktemp "$template") || return + + # win32 mktemp shipped by easyrsa returns template as file! + if [ "$template" = "$tempfile" ]; then + # but win32 mktemp -d does work + tempfile=$(mktemp -du "$tempfile") || return + printf "" > "$tempfile" || return + fi + echo "$tempfile" } # => easyrsa_mktemp # remove temp files and do terminal cleanups
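Review bot: The fallback branch creates the file in two separate steps: `mktemp -du` only picks a name, and `printf "" > "$tempfile"` then opens it with a plain redirect. The file is therefore created non-exclusively and with the umask's mode, not the owner-only mode a working mktemp would give. The callers elsewhere in this series appear to put private keys and passphrases into these files, so on this path a pre-existing file or link at the chosen name would be written through. The contents could also be readable by other local accounts if the session directory is not private; its creation is outside this hunk. Assuming the bundled win32 sh honours `set -C`, creating the file under noclobber with a tight umask closes both gaps: `( set -C; umask 077; : > "$tempfile" ) || return`. Separately, `template` and `tempfile` are assigned as globals, which is harmless only while the function is called through `$( )`, so a short comment saying so would help.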