Skip to content

Commit

Permalink
easyrsa_openssl(): Definitive test for Safe SSL conf file EXISTS
Browse files Browse the repository at this point in the history
All other tests for Safe SSL file exists are subordinate to this check
and are not required.

Also, change use of '--no--safe-ssl' with LibreSSL a FATAL error.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
  • Loading branch information
TinCanTech committed May 2, 2023
1 parent b17c28b commit 9f0886d
Showing 1 changed file with 17 additions and 13 deletions.
30 changes: 17 additions & 13 deletions easyrsa3/easyrsa
Original file line number Diff line number Diff line change
Expand Up @@ -826,11 +826,8 @@ make_safe_ssl() {
verify_pki_init
EASYRSA_FORCE_SAFE_SSL=1
easyrsa_openssl makesafeconf
[ -e "$easyrsa_safe_ssl_conf" ] || die "\
make_safe_ssl - Missing ssl conf: $easyrsa_safe_ssl_conf"
verbose "\
make_safe_ssl: NEW SSL cnf file: $easyrsa_safe_ssl_conf"

} # => make_safe_ssl_copy()

# Escape hazardous characters
Expand Down Expand Up @@ -988,10 +985,6 @@ easyrsa_openssl: easyrsa_rewrite_ssl_config COMPLETED"
easyrsa_openssl - easyrsa_rewrite_ssl_config"
fi

# VERIFY safe temp-file exists
[ -e "$easyrsa_safe_ssl_conf" ] || die "\
easyrsa_openssl - Missing ssl conf: $easyrsa_safe_ssl_conf"

# Save the the safe conf file-name
working_safe_ssl_conf="$easyrsa_safe_ssl_conf"
verbose "\
Expand All @@ -1003,6 +996,15 @@ easyrsa_openssl: NEW SSL cnf file: $easyrsa_safe_ssl_conf"
easyrsa_safe_ssl_conf="$EASYRSA_SSL_CONF"
fi

# VERIFY safe temp-file exists
if [ -e "$easyrsa_safe_ssl_conf" ]; then
verbose "\
easyrsa_openssl: Safe SSL conf OK: $easyrsa_safe_ssl_conf"
else
die "\
easyrsa_openssl - Safe SSL conf MISSING: $easyrsa_safe_ssl_conf"
fi

# set $OPENSSL_CONF - Use which-ever file is assigned above
export OPENSSL_CONF="$easyrsa_safe_ssl_conf"

Expand Down Expand Up @@ -1060,11 +1062,16 @@ verify_ssl_lib() {
# OpenSSL does require a safe config-file for ampersand
OpenSSL)
ssl_lib=openssl
[ "$EASYRSA_NO_SAFE_SSL" ] || require_safe_ssl_conf=1
if [ -z "$EASYRSA_NO_SAFE_SSL" ]; then
require_safe_ssl_conf=1
fi
;;
LibreSSL)
ssl_lib=libressl
require_safe_ssl_conf=1
if [ "$EASYRSA_NO_SAFE_SSL" ]; then
die "Cannot use '--no-safe-ssl' with LibreSSL"
fi
;;
*)
error_msg="$("$EASYRSA_OPENSSL" version 2>&1)"
Expand Down Expand Up @@ -4346,8 +4353,7 @@ read_db() {
secure_session || \
die "read_db - secure_session"
if [ "$require_safe_ssl_conf" ]; then
EASYRSA_SILENT=1 make_safe_ssl || \
die "read_db - make_safe_ssl"
make_safe_ssl || die "read_db - make_safe_ssl"
fi

# Interpret the db/certificate record
Expand Down Expand Up @@ -4510,9 +4516,6 @@ expire_status: FALL-BACK completed"
# Only verify if there is a certificate
if [ "$expire_status_cert_exists" ]; then

[ -e "$easyrsa_safe_ssl_conf" ] || \
die "Missing ssl conf: $easyrsa_safe_ssl_conf"

# Check cert expiry against window
# openssl direct call because error is expected
if "$EASYRSA_OPENSSL" x509 -in "$cert_issued" \
Expand Down Expand Up @@ -4954,6 +4957,7 @@ EasyRSA '$cmd' does not support --startdate or --enddate"
esac
fi

# Insecure Windows directory
if [ "$easyrsa_host_os" = win ]; then
if echo "$PWD" | grep -q '/P.*/OpenVPN/easy-rsa'; then
warn "\
Expand Down

0 comments on commit 9f0886d

Please sign in to comment.