From f352b6f40fd3c5d94cf5a99d8035428a576cf701 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Sun, 16 Jul 2023 23:56:44 +0100 Subject: [PATCH] Set run-once correctly, for expand_ssl_config() and escape_hazard() Set run-once after if condition, otherwise Forced execution does not set run-once. Use "local" variable 'makesafeconf' to force a new safe ssl config. Remove variable require_safe_ssl_conf, partially replaced by makesafeconf. Add 'make-safe-ssl' command to the list which does not require a CA. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 43 +++++++++++++++++++++++-------------------- 1 file changed, 23 insertions(+), 20 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 46d8021ef..7af7b5978 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -897,8 +897,8 @@ Temporary session not preserved." # Make a copy safe SSL config file make_safe_ssl() { - EASYRSA_FORCE_SAFE_SSL=1 easyrsa_openssl makesafeconf + notice "\ Safe SSL config file created at: * $EASYRSA_SAFE_CONF" @@ -913,8 +913,9 @@ make_safe_ssl: NEW SSL cnf file: $safe_ssl_cnf_tmp" # This is required for all SSL libs, otherwise, # there are unacceptable differences in behavior escape_hazard() { - # Run once - if [ "$EASYRSA_FORCE_SAFE_SSL" ]; then + if [ "$EASYRSA_FORCE_SAFE_SSL" ] || \ + [ "$makesafeconf" ] + then # Always run verbose "escape_hazard: FORCED" elif [ "$EASYRSA_NO_SAFE_SSL" ]; then @@ -922,14 +923,17 @@ escape_hazard() { verbose "escape_hazard: DENIED" return elif [ "$working_safe_org_conf" ]; then + # Has run once verbose "escape_hazard: IGNORED" return else - # set Run once - working_safe_org_conf=1 + verbose "escape_hazard: RUN-ONCE" fi - # Assign temp file + # Set run once + working_safe_org_conf=1 + + # Assign temp-file vars_org_tmp="" easyrsa_mktemp vars_org_tmp || die \ "escape_hazard - easyrsa_mktemp vars_org_tmp" 
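Review bot: The `[ "$makesafeconf" ]` test added to the forced branch of escape_hazard() reads a script-global flag, and nothing at this site says where it is set or that it is evaluated before `EASYRSA_NO_SAFE_SSL`. I would add a comment above the condition, for example `# makesafeconf: set by easyrsa_openssl() for the 'makesafeconf' command only; takes precedence over EASYRSA_NO_SAFE_SSL`. The same condition is added to expand_ssl_config() in the hunk at -961 and wants the same comment. The hunk at -6763 adds the flag to the `unset -v` list, which appears to be what stops a value inherited from the caller's environment from forcing this branch, and that dependency is worth stating too. escape_hazard()'s body continues outside the hunk.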
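Review bot: `working_safe_org_conf=1` is now set before `easyrsa_mktemp` and the rest of the work in escape_hazard(), so the run-once marker records that the function was entered, not that it completed. The old code had the same ordering on the unforced path, and the failure visible here ends in `die`, so the effect in this function looks harmless. The hunk at -973 makes the same move with `working_safe_ssl_conf=1` in expand_ssl_config(), whose header comment says it can return an error from sed. If that path returns rather than dies, a later unforced call would take the IGNORED branch without a usable temp-file, so I would set the marker as the last statement on the success path. Both function bodies continue outside their hunks, so this needs checking against the full file.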
@@ -961,7 +965,9 @@ escape_hazard - Failed to source temp-file" # Replace environment variable names with current value # and write to temp-file or return error from sed expand_ssl_config() { - if [ "$EASYRSA_FORCE_SAFE_SSL" ]; then + if [ "$EASYRSA_FORCE_SAFE_SSL" ] || \ + [ "$makesafeconf" ] + then # Always run verbose "expand_ssl_config: FORCED" elif [ "$EASYRSA_NO_SAFE_SSL" ]; then @@ -973,11 +979,13 @@ expand_ssl_config() { verbose "expand_ssl_config: IGNORED" return else - # set Run once - working_safe_ssl_conf=1 + verbose "expand_ssl_config: RUN-ONCE" fi - # Assign safe_ssl_cnf_tmp temp-file + # Set run once + working_safe_ssl_conf=1 + + # Assign temp-file safe_ssl_cnf_tmp="" easyrsa_mktemp safe_ssl_cnf_tmp || die "\ expand_ssl_config - \ @@ -1051,7 +1059,7 @@ easyrsa_openssl() { rand) die "easyrsa_openssl: Illegal SSL command: rand" ;; - makesafeconf) require_safe_ssl_conf=1 ;; + makesafeconf) makesafeconf=1 ;; ca|req|srp|ts) has_config=1 ;; *) unset -v has_config esac @@ -1095,6 +1103,7 @@ easyrsa_openssl - Safe SSL conf MISSING: $safe_ssl_cnf_tmp" # Execute command - Return on success if [ "$openssl_command" = "makesafeconf" ]; then # COPY temp-file to safessl-easyrsa.cnf + unset -v makesafeconf cp -f "$safe_ssl_cnf_tmp" "$EASYRSA_SAFE_CONF" && \ return @@ -1144,14 +1153,10 @@ verify_ssl_lib() { ssl_version="$val" # SSL lib name - require_safe_ssl_conf=1 case "${val%% *}" in # OpenSSL does require a safe config-file for ampersand OpenSSL) ssl_lib=openssl - if [ "$EASYRSA_NO_SAFE_SSL" ]; then - unset -v require_safe_ssl_conf - fi ;; LibreSSL) ssl_lib=libressl @@ -4749,10 +4754,6 @@ read_db() { die "read_db - remove_secure_session" secure_session || \ die "read_db - secure_session" - if [ "$require_safe_ssl_conf" ]; then - EASYRSA_SILENT=1 make_safe_ssl || \ - die "read_db - make_safe_ssl" - fi # Interpret the db/certificate record unset -v db_serial db_cn db_revoke_date db_reason 
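Review bot: `makesafeconf=1` is set in the command `case` (hunk at -1051) but is cleared only by the `unset -v makesafeconf` added in the hunk at -1095, inside the final `if [ "$openssl_command" = "makesafeconf" ]` block. If easyrsa_openssl() can return anywhere between those two points, which these hunks do not show, the flag stays set. Every later escape_hazard() and expand_ssl_config() call would then take the FORCED branch, which is tested before `EASYRSA_NO_SAFE_SSL`. One option is to clear the flag unconditionally just before the `case`, with `unset -v makesafeconf`, so that a stale value never carries into the next call. The function body starts and ends outside both hunks.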
@@ -6763,6 +6764,7 @@ unset -v \ verify_ssl_lib_ok \ secured_session \ working_safe_ssl_conf working_safe_org_conf \ + makesafeconf \ alias_days \ prohibit_no_pass \ found_vars no_new_vars user_vars_true \ @@ -7001,7 +7003,8 @@ case "$cmd" in *) require_pki=1 case "$cmd" in - gen-req|gen-dh|build-ca|show-req) + gen-req|gen-dh|build-ca|show-req| \ + make-safe-ssl) unset -v require_ca ;; *)