Build Safe SSL config at correct stage #954
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
EASYRSA_KEY_SIZE is present in the SSL config file, therefore, it MUST always be set, regardless of EASYRSA_ALGO in use. Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
verify_algo_params() expects errors when settings are not corrrect. Therefore, is must not use easyrsa_openssl() meta-wrapper, which would error out with a misleading error message. Fixing this also ensures that the SAFE SSL config is not built prior to EASYRSA_REQ_CN being set. Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Saving the name of the fully expanded Safe SSL config means that this config file only has to be built once. The assignment of working_safe_ssl_conf, which signifies that a Safe SSL config has already been created, was set too late, which caused it to be set even if the Safe SSL config had not been created. Also, include a final check in verify_working_env() to ensure that working_safe_ssl_conf has not been set prior to executing the issued command, eg. build-ca. Also, improve verbose messages and comments. Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
TinCanTech
added
Priority
This was
linked to
issues
May 6, 2023
Move escape_hazard() to use the same control as easyrsa_rewrite_ssl_config(). Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This patch set fixes three inter-linked problems.
Problem-1:
When using EC algorithms, it was found that
EASYRSA_REQ_CNwas ignored byeasyrsabecause the value in the config took priority.The config built was built too soon, before
EASYRSA_REQ_CNhad been assigned, which meant that building a CA would result in a CA CommonName ofChangeMe, instead ofEasy-RSA CA.This is partially resolved by not using
easyrsa_openssl()meta-wrapper when callingverify_algo_params()but callingEASYRSA_OPENSSLdirectly.This also, resolves an issue that if incorrect algorithm settings were chosen then
easyrsa_openssl()would die with a misleading error, instead ofverify_algo_params()exiting with the correct error message.Problem-2:
Diagnosing Problem-1 exposed an issue with the SSL config file. When
EASYRSA_ALGOwas not set torsathenEASYRSA_KEY_SIZEwas also not set. This resulted in an error in the config file for empty vaue fordefault_bits.This is resolved by ALWAYS assigning a value to
EASYRSA_KEY_SIZE, regardless of algorithm.Problem-3:
The first time the Safe SSL config is created then
working_safe_ssl_confis set and further invocations ofeasyrsa_openssl()will use the same SSL config file. A new Safe SSL config file is not required once it has been built.The assignment of
working_safe_ssl_confwas set too late and resulted in it being set even if the Safe SSL config file had not been built.This is resolved by moving the assignment to the correct place.
A secondary check is also now in place, at the end of
verify_working_env(), to ensure thatworking_safe_ssl_confremains unset until the issued command is executed. eg. build_ca()`.Additional:
Move the use of
escape_hazard(), use the same controlling code aseasyrsa_rewrite_ssl_config().