nik/easyrsa
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'TinCanTech-rewrite-ssl-org-conf-files'

Browse Source 
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This commit is contained in:
Richard T Bonhomme 2023-07-17 20:23:05 +01:00
commit f0c6788413
No known key found for this signature in database
GPG Key ID: 2D767DB92FB6C246
1 changed files with 133 additions and 102 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

235
easyrsa3/easyrsa
View File

@ -695,7 +695,7 @@ secure_session() {
if mkdir "$secured_session"; then if mkdir "$secured_session"; then
# New session requires safe-ssl conf # New session requires safe-ssl conf
unset -v mktemp_counter \ unset -v mktemp_counter \
OPENSSL_CONF easyrsa_safe_ssl_conf \ OPENSSL_CONF safe_ssl_cnf_tmp \
working_safe_ssl_conf working_safe_ssl_conf
easyrsa_err_log="$secured_session/error.log" easyrsa_err_log="$secured_session/error.log"
verbose "\ verbose "\
@ -716,7 +716,7 @@ remove_secure_session() {
verbose "\ verbose "\
remove_secure_session: DELETED: $secured_session" remove_secure_session: DELETED: $secured_session"
unset -v secured_session mktemp_counter \ unset -v secured_session mktemp_counter \
OPENSSL_CONF easyrsa_safe_ssl_conf \ OPENSSL_CONF safe_ssl_cnf_tmp \
working_safe_ssl_conf working_safe_ssl_conf
return return
fi fi
@ -779,7 +779,7 @@ easyrsa_mktemp: temp-file EXISTS: $want_tmp_file"
if force_set_var "$1" "$want_tmp_file" if force_set_var "$1" "$want_tmp_file"
then then
verbose "\ verbose "\
easyrsa_mktemp: $1 temp-file OK: $want_tmp_file" easyrsa_mktemp: $1 OK: $want_tmp_file"
if [ "$easyrsa_host_os" = win ]; then if [ "$easyrsa_host_os" = win ]; then
set +o noclobber set +o noclobber
@ -897,21 +897,53 @@ Temporary session not preserved."
# Make a copy safe SSL config file # Make a copy safe SSL config file
make_safe_ssl() { make_safe_ssl() {
EASYRSA_FORCE_SAFE_SSL=1
easyrsa_openssl makesafeconf easyrsa_openssl makesafeconf
notice "\ notice "\
Safe SSL config file created at: Safe SSL config file created at:
* $EASYRSA_SAFE_CONF" * $EASYRSA_SAFE_CONF"
verbose "\ verbose "\
make_safe_ssl: NEW SSL cnf file: $easyrsa_safe_ssl_conf" make_safe_ssl: NEW SSL cnf file: $safe_ssl_cnf_tmp"
} # => make_safe_ssl_copy() } # => make_safe_ssl_copy()
# Escape hazardous characters # Escape hazardous characters
# Auto-escape hazardous characters:
# '&' - Workaround 'sed' behavior
# '$' - Workaround 'easyrsa' based limitation
# This is required for all SSL libs, otherwise,
# there are unacceptable differences in behavior
escape_hazard() { escape_hazard() {
# Assign temp file if [ "$EASYRSA_FORCE_SAFE_SSL" ] || \
easyrsa_vars_org="" [ "$makesafeconf" ]
easyrsa_mktemp easyrsa_vars_org || die \ then
"escape_hazard - easyrsa_mktemp easyrsa_vars_org" # Always run
verbose "escape_hazard: FORCED"
# Do not respect --no-safe-ssl, escape the fields
# before they are expanded by OpenSSL or easyrsa.
#elif [ "$EASYRSA_NO_SAFE_SSL" ]; then
# # Never run
# verbose "escape_hazard: DENIED"
# return
elif [ "$working_safe_org_conf" ]; then
# Has run once
verbose "escape_hazard: BYPASSED"
return
elif [ -z "$has_config" ]; then
# SSL Config not required
verbose "escape_hazard: IGNORED"
return
else
# Run once
verbose "escape_hazard: RUN-ONCE"
fi
# Set run once
working_safe_org_conf=1
# Assign temp-file
escape_hazard_tmp=""
easyrsa_mktemp escape_hazard_tmp || die \
"escape_hazard - easyrsa_mktemp escape_hazard_tmp"
# write org fields to org temp-file and escape '&' and '$' # write org fields to org temp-file and escape '&' and '$'
print "\ print "\
@ -924,22 +956,56 @@ export EASYRSA_REQ_EMAIL=\"$EASYRSA_REQ_EMAIL\"
export EASYRSA_REQ_SERIAL=\"$EASYRSA_REQ_SERIAL\"\ export EASYRSA_REQ_SERIAL=\"$EASYRSA_REQ_SERIAL\"\
" | sed -e s\`'\&'\`'\\\&'\`g \ " | sed -e s\`'\&'\`'\\\&'\`g \
-e s\`'\$'\`'\\\$'\`g \ -e s\`'\$'\`'\\\$'\`g \
> "$easyrsa_vars_org" || die "\ > "$escape_hazard_tmp" || die "\
escape_hazard - Failed to write temp-file" escape_hazard - Failed to write temp-file"
# Reload fields from fully escaped temp-file # Reload fields from fully escaped temp-file
# shellcheck disable=SC1090 # can't follow ... # shellcheck disable=SC1090 # can't follow ...
(. "$easyrsa_vars_org") || die "\ (. "$escape_hazard_tmp") || die "\
escape_hazard - Failed to source temp-file" escape_hazard - Failed to source temp-file"
verbose "escape_hazard: COMPLETED"
# shellcheck disable=SC1090 # can't follow ... # shellcheck disable=SC1090 # can't follow ...
. "$easyrsa_vars_org" . "$escape_hazard_tmp"
} # => escape_hazard() } # => escape_hazard()
# Replace environment variable names with current value # Replace environment variable names with current value
# and write to temp-file or return error from sed # and write to temp-file or return error from sed
easyrsa_rewrite_ssl_config () { expand_ssl_config() {
if [ "$EASYRSA_FORCE_SAFE_SSL" ] || \
[ "$makesafeconf" ]
then
# Always run
verbose "expand_ssl_config: FORCED"
elif [ "$EASYRSA_NO_SAFE_SSL" ]; then
# Never run
verbose "expand_ssl_config: DENIED"
return
elif [ "$working_safe_ssl_conf" ]; then
# Has run once
verbose "expand_ssl_config: BYPASSED"
return
elif [ -z "$has_config" ]; then
# SSL Config not required
verbose "expand_ssl_config: IGNORED"
return
else
# Run once
verbose "expand_ssl_config: RUN-ONCE"
fi
# Set run once
working_safe_ssl_conf=1
# Assign temp-file
safe_ssl_cnf_tmp=""
easyrsa_mktemp safe_ssl_cnf_tmp || die "\
expand_ssl_config - \
easyrsa_mktemp safe_ssl_cnf_tmp"
# Rewrite
# shellcheck disable=SC2016 # No expansion inside '' # shellcheck disable=SC2016 # No expansion inside ''
sed \ if sed \
\ \
-e s\`'$dir'\`\ -e s\`'$dir'\`\
\""$EASYRSA_PKI"\"\`g \ \""$EASYRSA_PKI"\"\`g \
@ -986,12 +1052,22 @@ easyrsa_rewrite_ssl_config () {
-e s\`'$ENV::EASYRSA_REQ_SERIAL'\`\ -e s\`'$ENV::EASYRSA_REQ_SERIAL'\`\
\""$EASYRSA_REQ_SERIAL"\"\`g \ \""$EASYRSA_REQ_SERIAL"\"\`g \
\ \
"$EASYRSA_SSL_CONF" > "$easyrsa_safe_ssl_conf" "$EASYRSA_SSL_CONF" > "$safe_ssl_cnf_tmp"
} # => easyrsa_rewrite_ssl_config() then
verbose "expand_ssl_config: COMPLETED"
else
return 1
fi
} # => expand_ssl_config()
# Easy-RSA meta-wrapper for SSL # Easy-RSA meta-wrapper for SSL
# WARNING: Running easyrsa_openssl in a subshell # WARNING: Running easyrsa_openssl in a subshell
# will hide error message and verbose messages # will hide error message and verbose messages
#
# The expansion here takes place on EASYRSA_SSL_CONF,
# which may have already been replaced by a temp-file
# with the extensions having been inserted by build-ca,
# sign-req or gen-req.
easyrsa_openssl() { easyrsa_openssl() {
openssl_command="$1"; shift openssl_command="$1"; shift
@ -1000,7 +1076,7 @@ easyrsa_openssl() {
rand) rand)
die "easyrsa_openssl: Illegal SSL command: rand" die "easyrsa_openssl: Illegal SSL command: rand"
;; ;;
makesafeconf) require_safe_ssl_conf=1 ;; makesafeconf) makesafeconf=1; has_config=1 ;;
ca|req|srp|ts) has_config=1 ;; ca|req|srp|ts) has_config=1 ;;
*) unset -v has_config *) unset -v has_config
esac esac
@ -1014,78 +1090,38 @@ easyrsa_openssl() {
has_config=1 has_config=1
fi fi
# Make LibreSSL safe config file from OpenSSL config file # Auto-escape hazardous characters
# $require_safe_ssl_conf is ALWAYS set by verify_ssl_lib() escape_hazard || \
# Can be over-ruled for OpenSSL by option --no-safe-ssl die "easyrsa_openssl - escape_hazard failed"
if [ "$require_safe_ssl_conf" ] || \
[ "$EASYRSA_FORCE_SAFE_SSL" ]
then
# Only create a new safe config, # Rewrite SSL config
# if it has not been done before. expand_ssl_config || \
# EASYRSA_FORCE_SAFE_SSL will always over-ride die "easyrsa_openssl - expand_ssl_config failed"
if [ -z "$EASYRSA_FORCE_SAFE_SSL" ] && \
[ "$working_safe_ssl_conf" ]
then
# ok - This has been done before
# Set SAFE SSL conf to working SAFE SSL conf
easyrsa_safe_ssl_conf="$working_safe_ssl_conf"
verbose "\
easyrsa_openssl: escape_hazard SKIPPED"
verbose "\
easyrsa_openssl: easyrsa_rewrite_ssl_config SKIPPED"
else
# Auto-escape hazardous characters:
# '&' - Workaround 'sed' behavior
# '$' - Workaround 'easyrsa' based limitation
# This is required for all SSL libs, otherwise,
# there are unacceptable differences in behavior
escape_hazard || \
die "easyrsa_openssl - escape_hazard failed"
verbose "\
easyrsa_openssl: escape_hazard COMPLETED"
# Assign easyrsa_safe_ssl_conf temp-file # Support --no-safe-ssl
easyrsa_safe_ssl_conf="" if [ "$EASYRSA_NO_SAFE_SSL" ]; then
easyrsa_mktemp easyrsa_safe_ssl_conf || die "\
easyrsa_openssl - easyrsa_mktemp easyrsa_safe_ssl_conf"
# Write a safe SSL config temp-file
if easyrsa_rewrite_ssl_config; then
verbose "\
easyrsa_openssl: easyrsa_rewrite_ssl_config COMPLETED"
# Save the the safe conf file-name
working_safe_ssl_conf="$easyrsa_safe_ssl_conf"
verbose "\
easyrsa_openssl: NEW SAFE SSL config: $easyrsa_safe_ssl_conf"
else
die "\
easyrsa_openssl - easyrsa_rewrite_ssl_config"
fi
fi
else
# Assign safe temp file as Original openssl-easyrsa.conf # Assign safe temp file as Original openssl-easyrsa.conf
easyrsa_safe_ssl_conf="$EASYRSA_SSL_CONF" safe_ssl_cnf_tmp="$EASYRSA_SSL_CONF"
verbose "easyrsa_openssl: No SAFE SSL config" verbose "easyrsa_openssl: No SAFE SSL config"
fi fi
# VERIFY safe temp-file exists # VERIFY safe temp-file exists
if [ -e "$easyrsa_safe_ssl_conf" ]; then if [ -e "$safe_ssl_cnf_tmp" ]; then
verbose "\ verbose "\
easyrsa_openssl: Safe SSL conf OK: $easyrsa_safe_ssl_conf" easyrsa_openssl: Safe SSL conf OK: $safe_ssl_cnf_tmp"
else else
die "\ [ "$has_config" ] && die "\
easyrsa_openssl - Safe SSL conf MISSING: $easyrsa_safe_ssl_conf" easyrsa_openssl - Safe SSL conf MISSING: $safe_ssl_cnf_tmp"
fi fi
# set $OPENSSL_CONF - Use which-ever file is assigned above # set $OPENSSL_CONF - Use which-ever file is assigned above
export OPENSSL_CONF="$easyrsa_safe_ssl_conf" export OPENSSL_CONF="$safe_ssl_cnf_tmp"
# Execute command - Return on success # Execute command - Return on success
if [ "$openssl_command" = "makesafeconf" ]; then if [ "$openssl_command" = "makesafeconf" ]; then
# COPY temp-file to safessl-easyrsa.cnf # COPY temp-file to safessl-easyrsa.cnf
cp -f "$easyrsa_safe_ssl_conf" "$EASYRSA_SAFE_CONF" && \ unset -v makesafeconf
cp -f "$safe_ssl_cnf_tmp" "$EASYRSA_SAFE_CONF" && \
return return
elif [ "$has_config" ]; then elif [ "$has_config" ]; then
@ -1093,12 +1129,12 @@ easyrsa_openssl - Safe SSL conf MISSING: $easyrsa_safe_ssl_conf"
if [ "$EASYRSA_SILENT_SSL" ] && [ "$EASYRSA_BATCH" ] if [ "$EASYRSA_SILENT_SSL" ] && [ "$EASYRSA_BATCH" ]
then then
"$EASYRSA_OPENSSL" "$openssl_command" \ "$EASYRSA_OPENSSL" "$openssl_command" \
-config "$easyrsa_safe_ssl_conf" "$@" \ -config "$safe_ssl_cnf_tmp" "$@" \
2>/dev/null && \ 2>/dev/null && \
return return
else else
"$EASYRSA_OPENSSL" "$openssl_command" \ "$EASYRSA_OPENSSL" "$openssl_command" \
-config "$easyrsa_safe_ssl_conf" "$@" && \ -config "$safe_ssl_cnf_tmp" "$@" && \
return return
fi fi
@ -1119,7 +1155,7 @@ easyrsa_openssl - Safe SSL conf MISSING: $easyrsa_safe_ssl_conf"
die "\ die "\
easyrsa_openssl - Command has failed: easyrsa_openssl - Command has failed:
* $EASYRSA_OPENSSL $openssl_command \ * $EASYRSA_OPENSSL $openssl_command \
${has_config:+-config $easyrsa_safe_ssl_conf }$*" ${has_config:+-config $safe_ssl_cnf_tmp }$*"
} # => easyrsa_openssl() } # => easyrsa_openssl()
# Verify the SSL library is functional # Verify the SSL library is functional
@ -1134,14 +1170,10 @@ verify_ssl_lib() {
ssl_version="$val" ssl_version="$val"
# SSL lib name # SSL lib name
require_safe_ssl_conf=1
case "${val%% *}" in case "${val%% *}" in
# OpenSSL does require a safe config-file for ampersand # OpenSSL does require a safe config-file for ampersand
OpenSSL) OpenSSL)
ssl_lib=openssl ssl_lib=openssl
if [ "$EASYRSA_NO_SAFE_SSL" ]; then
unset -v require_safe_ssl_conf
fi
;; ;;
LibreSSL) LibreSSL)
ssl_lib=libressl ssl_lib=libressl
@ -1754,9 +1786,9 @@ Raw CA mode
fi fi
# Assign tmp-file for config # Assign tmp-file for config
conf_tmp="" raw_ssl_cnf_tmp=""
easyrsa_mktemp conf_tmp || \ easyrsa_mktemp raw_ssl_cnf_tmp || \
die "build_ca - easyrsa_mktemp conf_tmp" die "build_ca - easyrsa_mktemp raw_ssl_cnf_tmp"
# Assign awkscript to insert EASYRSA_EXTRA_EXTS # Assign awkscript to insert EASYRSA_EXTRA_EXTS
# shellcheck disable=SC2016 # vars don't expand in '' # shellcheck disable=SC2016 # vars don't expand in ''
@ -1787,11 +1819,12 @@ Raw CA mode
print "$EASYRSA_EXTRA_EXTS" print "$EASYRSA_EXTRA_EXTS"
} | awk "$awkscript" "$EASYRSA_SSL_CONF" \ } | awk "$awkscript" "$EASYRSA_SSL_CONF" \
> "$conf_tmp" || \ > "$raw_ssl_cnf_tmp" || \
die "Copying X509_TYPES to config file failed" die "Copying X509_TYPES to config file failed"
verbose "build-ca: insert x509 and extensions OK"
# Use this new SSL config for the rest of this function # Use this new SSL config for the rest of this function
EASYRSA_SSL_CONF="$conf_tmp" EASYRSA_SSL_CONF="$raw_ssl_cnf_tmp"
# Generate CA Key # Generate CA Key
if [ "$EASYRSA_RAW_CA" ]; then if [ "$EASYRSA_RAW_CA" ]; then
@ -2067,18 +2100,18 @@ $EASYRSA_EXTRA_EXTS"
{print} {print}
}' }'
# Assign temp-file for confg # Assign temp-file for confg
conf_tmp="" raw_ssl_cnf_tmp=""
easyrsa_mktemp conf_tmp || \ easyrsa_mktemp raw_ssl_cnf_tmp || \
die "gen_req - easyrsa_mktemp conf_tmp" die "gen_req - easyrsa_mktemp raw_ssl_cnf_tmp"
# Insert $extra_exts @ %EXTRA_EXTS% in SSL Config # Insert $extra_exts @ %EXTRA_EXTS% in SSL Config
print "$extra_exts" | \ print "$extra_exts" | \
awk "$awkscript" "$EASYRSA_SSL_CONF" \ awk "$awkscript" "$EASYRSA_SSL_CONF" \
> "$conf_tmp" || \ > "$raw_ssl_cnf_tmp" || \
die "Writing SSL config to temp file failed" die "Writing SSL config to temp file failed"
# Use this SSL config for the rest of this function # Use this SSL config for the rest of this function
EASYRSA_SSL_CONF="$conf_tmp" EASYRSA_SSL_CONF="$raw_ssl_cnf_tmp"
fi fi
# Name temp files # Name temp files
@ -2239,17 +2272,17 @@ to the latest Easy-RSA release."
{print} {print}
}' }'
# Assign temp-file for confg # Assign temp-file for confg
conf_tmp="" raw_ssl_cnf_tmp=""
easyrsa_mktemp conf_tmp || \ easyrsa_mktemp raw_ssl_cnf_tmp || \
die "sign_req - easyrsa_mktemp conf_tmp" die "sign_req - easyrsa_mktemp raw_ssl_cnf_tmp"
print "$copy_exts" | \ print "$copy_exts" | \
awk "$awkscript" "$EASYRSA_SSL_CONF" \ awk "$awkscript" "$EASYRSA_SSL_CONF" \
> "$conf_tmp" || die "\ > "$raw_ssl_cnf_tmp" || die "\
Writing 'copy_exts' to SSL config temp-file failed" Writing 'copy_exts' to SSL config temp-file failed"
# Use this SSL config for the rest of this function # Use this SSL config for the rest of this function
EASYRSA_SSL_CONF="$conf_tmp" EASYRSA_SSL_CONF="$raw_ssl_cnf_tmp"
verbose "sign_req: Using '$copy_exts'" verbose "sign_req: Using '$copy_exts'"
fi fi
@ -4231,7 +4264,7 @@ $in_file"
This file is not a valid $type file: This file is not a valid $type file:
$in_file" $in_file"
notice " notice "\
Showing details for CA certificate, at: Showing details for CA certificate, at:
* $in_file${NL}" * $in_file${NL}"
@ -4738,10 +4771,6 @@ read_db() {
die "read_db - remove_secure_session" die "read_db - remove_secure_session"
secure_session || \ secure_session || \
die "read_db - secure_session" die "read_db - secure_session"
if [ "$require_safe_ssl_conf" ]; then
EASYRSA_SILENT=1 make_safe_ssl || \
die "read_db - make_safe_ssl"
fi
# Interpret the db/certificate record # Interpret the db/certificate record
unset -v db_serial db_cn db_revoke_date db_reason unset -v db_serial db_cn db_revoke_date db_reason
@ -6751,7 +6780,8 @@ detect_host
unset -v \ unset -v \
verify_ssl_lib_ok \ verify_ssl_lib_ok \
secured_session \ secured_session \
working_safe_ssl_conf \ working_safe_ssl_conf working_safe_org_conf \
makesafeconf \
alias_days \ alias_days \
prohibit_no_pass \ prohibit_no_pass \
found_vars no_new_vars user_vars_true \ found_vars no_new_vars user_vars_true \
@ -6990,7 +7020,8 @@ case "$cmd" in
*) *)
require_pki=1 require_pki=1
case "$cmd" in case "$cmd" in
gen-req|gen-dh|build-ca|show-req) gen-req|gen-dh|build-ca|show-req| \
make-safe-ssl)
unset -v require_ca unset -v require_ca
;; ;;
*) *)