Merge pull request #95 from redfast00/cleanup

Sanitization 'n input validation
This commit is contained in:
0-kaladin 2016-10-08 14:13:37 -04:00 committed by GitHub
commit 6be0b09b00
3 changed files with 139 additions and 111 deletions

View file

@ -3,9 +3,8 @@
INDEX="/etc/openvpn/easy-rsa/keys/index.txt" INDEX="/etc/openvpn/easy-rsa/keys/index.txt"
printf "\n" printf "\n"
if [ ! -f $INDEX ]; then if [ ! -f "$INDEX" ]; then
printf "The file: $INDEX \n" echo "The file: $INDEX was not found!"
printf "Was not Found!\n"
exit 1 exit 1
fi fi
@ -14,18 +13,15 @@ printf "\n"
printf "\e[1m::: Certificate Status List :::\e[0m\n" printf "\e[1m::: Certificate Status List :::\e[0m\n"
printf " ::\e[4m Status \e[0m||\e[4m Name \e[0m:: \n" printf " ::\e[4m Status \e[0m||\e[4m Name \e[0m:: \n"
while read -r line || [[ -n "$line" ]]; do while read -r line || [ -n "$line" ]; do
status=$(echo $line | awk '{print $1}') STATUS=$(echo "$line" | awk '{print $1}')
var=$(echo $line | sed -e 's/^.*CN=\([^/]*\)\/.*/\1/') NAME=$(echo "$line" | sed -e 's/^.*CN=\([^/]*\)\/.*/\1/')
if [[ $status = "V" ]]; then if [ "$STATUS" = "V" ]; then
printf " Valid :: " printf " Valid :: %s\n" "$NAME"
printf " $var\n" elif [ "$STATUS" = "R" ]; then
elif [[ $status = "R" ]]; then printf " Revoked :: %s\n" "$NAME"
printf " Revoked :: "
printf " $var\n"
else else
printf " Unknown :: \n" printf " Unknown :: %s\n" "$NAME"
printf " $var\n"
fi fi
done <$INDEX done <$INDEX
printf "\n" printf "\n"

View file

@ -8,6 +8,7 @@ OKEY=".key"
KEY=".3des.key" KEY=".3des.key"
CA="ca.crt" CA="ca.crt"
TA="ta.key" TA="ta.key"
INDEX="/etc/openvpn/easy-rsa/keys/index.txt"
INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER) INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)
# Functions def # Functions def
@ -19,7 +20,7 @@ function keynoPASS() {
#Build the client key #Build the client key
expect << EOF expect << EOF
spawn ./build-key $NAME spawn ./build-key "$NAME"
expect "Country Name" { send "\r" } expect "Country Name" { send "\r" }
expect "State or Province Name" { send "\r" } expect "State or Province Name" { send "\r" }
expect "Locality Name" { send "\r" } expect "Locality Name" { send "\r" }
@ -35,7 +36,7 @@ function keynoPASS() {
expect eof expect eof
EOF EOF
cd keys cd keys || exit
} }
@ -44,21 +45,32 @@ function keyPASS() {
stty -echo stty -echo
while true while true
do do
printf "Enter the password for the Client: " printf "Enter the password for the client: "
read PASSWD read -r PASSWD
printf "\n" printf "\n"
printf "Enter the password again to verify: " printf "Enter the password again to verify: "
read PASSWD2 read -r PASSWD2
printf "\n" printf "\n"
[ "$PASSWD" = "$PASSWD2" ] && break [ "$PASSWD" = "$PASSWD2" ] && break
printf "Passwords do not match! Please try again.\n" printf "Passwords do not match! Please try again.\n"
done done
stty echo stty echo
if [[ -z "$PASSWD" ]]; then
echo "You left the password blank"
echo "If you don't want a password, please run:"
echo "pivpn add nopass"
exit 1
fi
if [ ${#PASSWD} -lt 4 ] || [ ${#PASSWD} -gt 1024 ]
then
echo "Password must be between from 4 to 1024 characters"
exit 1
fi
#Build the client key and then encrypt the key #Build the client key and then encrypt the key
expect << EOF expect << EOF
spawn ./build-key-pass $NAME spawn ./build-key-pass "$NAME"
expect "Enter PEM pass phrase" { send "$PASSWD\r" } expect "Enter PEM pass phrase" { send "$PASSWD\r" }
expect "Verifying - Enter PEM pass phrase" { send "$PASSWD\r" } expect "Verifying - Enter PEM pass phrase" { send "$PASSWD\r" }
expect "Country Name" { send "\r" } expect "Country Name" { send "\r" }
@ -76,10 +88,10 @@ function keyPASS() {
expect eof expect eof
EOF EOF
cd keys cd keys || exit
expect << EOF expect << EOF
spawn openssl rsa -in $NAME$OKEY -des3 -out $NAME$KEY spawn openssl rsa -in "$NAME$OKEY" -des3 -out "$NAME$KEY"
expect "Enter pass phrase for" { send "$PASSWD\r" } expect "Enter pass phrase for" { send "$PASSWD\r" }
expect "Enter PEM pass phrase" { send "$PASSWD\r" } expect "Enter PEM pass phrase" { send "$PASSWD\r" }
expect "Verifying - Enter PEM pass" { send "$PASSWD\r" } expect "Verifying - Enter PEM pass" { send "$PASSWD\r" }
@ -88,14 +100,33 @@ EOF
} }
printf "Enter a Name for the Client: " printf "Enter a Name for the Client: "
read NAME read -r NAME
if [[ -z "$NAME" ]]; then if [[ "$NAME" =~ [^a-zA-Z0-9] ]]; then
printf '%s\n' "::: You can not leave this blank!" echo "Name can only contain alphanumeric characters"
exit 1 exit 1
fi fi
cd /etc/openvpn/easy-rsa if [[ -z "$NAME" ]]; then
echo "You cannot leave the name blank"
exit 1
fi
# Check if name is already in use
while read -r line || [ -n "$line" ]; do
if [ "$(echo "$line" | sed -e 's/^.*CN=\([^/]*\)\/.*/\1/')" = "$NAME" ]; then
echo "Name is already in use"
exit 1
fi
done <$INDEX
# Check if name is reserved
if [ "$NAME" = "ta" ] || [ "$NAME" = "server" ] || [ "$NAME" = "ca" ]; then
echo "Sorry, this name is unavailable, please choose another one"
exit 1
fi
cd /etc/openvpn/easy-rsa || exit
source /etc/openvpn/easy-rsa/vars source /etc/openvpn/easy-rsa/vars
if [[ "$@" =~ "nopass" ]]; then if [[ "$@" =~ "nopass" ]]; then
@ -105,64 +136,66 @@ else
fi fi
#1st Verify that clients Public Key Exists #1st Verify that clients Public Key Exists
if [ ! -f $NAME$CRT ]; then if [ ! -f "$NAME$CRT" ]; then
echo "[ERROR]: Client Public Key Certificate not found: $NAME$CRT" echo "[ERROR]: Client Public Key Certificate not found: $NAME$CRT"
exit exit
fi fi
echo "Client's cert found: $NAME$CRT" echo "Client's cert found: $NAME$CRT"
#Then, verify that there is a private key for that client #Then, verify that there is a private key for that client
if [ ! -f $NAME$KEY ]; then if [ ! -f "$NAME$KEY" ]; then
echo "[ERROR]: Client 3des Private Key not found: $NAME$KEY" echo "[ERROR]: Client 3des Private Key not found: $NAME$KEY"
exit exit
fi fi
echo "Client's Private Key found: $NAME$KEY" echo "Client's Private Key found: $NAME$KEY"
#Confirm the CA public key exists #Confirm the CA public key exists
if [ ! -f $CA ]; then if [ ! -f "$CA" ]; then
echo "[ERROR]: CA Public Key not found: $CA" echo "[ERROR]: CA Public Key not found: $CA"
exit exit
fi fi
echo "CA public Key found: $CA" echo "CA public Key found: $CA"
#Confirm the tls-auth ta key file exists #Confirm the tls-auth ta key file exists
if [ ! -f $TA ]; then if [ ! -f "$TA" ]; then
echo "[ERROR]: tls-auth Key not found: $TA" echo "[ERROR]: tls-auth Key not found: $TA"
exit exit
fi fi
echo "tls-auth Private Key found: $TA" echo "tls-auth Private Key found: $TA"
#Ready to make a new .ovpn file - Start by populating with the #Ready to make a new .ovpn file
#default file {
cat $DEFAULT > $NAME$FILEEXT # Start by populating with the default file
cat "$DEFAULT"
#Now, append the CA Public Cert #Now, append the CA Public Cert
echo "<ca>" >> $NAME$FILEEXT echo "<ca>"
cat $CA >> $NAME$FILEEXT cat "$CA"
echo "</ca>" >> $NAME$FILEEXT echo "</ca>"
#Next append the client Public Cert #Next append the client Public Cert
echo "<cert>" >> $NAME$FILEEXT echo "<cert>"
cat $NAME$CRT | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> $NAME$FILEEXT sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' < "$NAME$CRT"
echo "</cert>" >> $NAME$FILEEXT echo "</cert>"
#Then, append the client Private Key #Then, append the client Private Key
echo "<key>" >> $NAME$FILEEXT echo "<key>"
cat $NAME$KEY >> $NAME$FILEEXT cat "$NAME$KEY"
echo "</key>" >> $NAME$FILEEXT echo "</key>"
#Finally, append the TA Private Key #Finally, append the TA Private Key
echo "<tls-auth>" >> $NAME$FILEEXT echo "<tls-auth>"
cat $TA >> $NAME$FILEEXT cat "$TA"
echo "</tls-auth>" >> $NAME$FILEEXT echo "</tls-auth>"
} > "$NAME$FILEEXT"
# Copy the .ovpn profile to the home directory for convenient remote access # Copy the .ovpn profile to the home directory for convenient remote access
cp /etc/openvpn/easy-rsa/keys/$NAME$FILEEXT /home/$INSTALL_USER/ovpns/$NAME$FILEEXT cp "/etc/openvpn/easy-rsa/keys/$NAME$FILEEXT" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT"
chown $INSTALL_USER /home/$INSTALL_USER/ovpns/$NAME$FILEEXT chown "$INSTALL_USER" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT"
printf "\n\n" printf "\n\n"
printf "========================================================\n" printf "========================================================\n"
printf "\e[1mDone! $NAME$FILEEXT successfully created!\e[0m \n" printf "\e[1mDone! %s successfully created!\e[0m \n" "$NAME$FILEEXT"
printf "$NAME$FILEEXT was copied to:\n" printf "%s was copied to:\n" "$NAME$FILEEXT"
printf " /home/$INSTALL_USER/ovpns\n" printf " /home/%s/ovpns\n" "$INSTALL_USER"
printf "for easy transfer.\n" printf "for easy transfer.\n"
printf "========================================================\n\n" printf "========================================================\n\n"

View file

@ -6,9 +6,8 @@ REVOKE_STATUS=$(cat /etc/pivpn/REVOKE_STATUS)
PLAT=$(cat /etc/pivpn/DET_PLATFORM) PLAT=$(cat /etc/pivpn/DET_PLATFORM)
INDEX="/etc/openvpn/easy-rsa/keys/index.txt" INDEX="/etc/openvpn/easy-rsa/keys/index.txt"
if [ ! -f $INDEX ]; then if [ ! -f "$INDEX" ]; then
printf "The file: $INDEX \n" printf "The file: %s was not found\n" "$INDEX"
printf "Was not Found!\n"
exit 1 exit 1
fi fi
@ -16,49 +15,49 @@ printf "\n"
printf " ::\e[4m Certificate List \e[0m:: \n" printf " ::\e[4m Certificate List \e[0m:: \n"
i=0 i=0
while read -r line || [[ -n "$line" ]]; do while read -r line || [ -n "$line" ]; do
status=$(echo $line | awk '{print $1}') STATUS=$(echo "$line" | awk '{print $1}')
if [[ $status = "V" ]]; then if [[ "$STATUS" = "V" ]]; then
var=$(echo $line | sed -e 's/^.*CN=\([^/]*\)\/.*/\1/') NAME=$(echo "$line" | sed -e 's/^.*CN=\([^/]*\)\/.*/\1/')
certs[$i]=$var CERTS[$i]=$NAME
if [ "$i" != 0 ]; then if [ "$i" != 0 ]; then
printf " $var\n" # Prevent printing "server" certificate
printf " %s\n" "$NAME"
fi fi
let i=i+1 let i=i+1
y=$i
fi fi
done <$INDEX done <$INDEX
printf "\n" printf "\n"
echo "::: Please enter the Name of the client to be revoked from the list above:" echo "::: Please enter the Name of the client to be revoked from the list above:"
read NAME read -r NAME
if [[ -z "$NAME" ]]; then if [[ -z "$NAME" ]]; then
printf '%s\n' "::: You can not leave this blank!" echo "::: You can not leave this blank!"
exit 1 exit 1
fi fi
for((x=1;x<=$y;++x)); do for((x=1;x<=i;++x)); do
if [[ ${certs[$x]} = ${NAME} ]]; then if [ "${CERTS[$x]}" = "${NAME}" ]; then
Valid=1 VALID=1
fi fi
done done
if [[ -z "$Valid" ]]; then if [ -z "$VALID" ]; then
printf "::: You didn't enter a valid cert name!\n" printf "::: You didn't enter a valid cert name!\n"
exit 1 exit 1
fi fi
cd /etc/openvpn/easy-rsa cd /etc/openvpn/easy-rsa || exit
source /etc/openvpn/easy-rsa/vars source /etc/openvpn/easy-rsa/vars
./revoke-full $NAME ./revoke-full "$NAME"
echo "::: Certificate revoked, removing ovpns from /home/$INSTALL_USER/ovpns" echo "::: Certificate revoked, removing ovpns from /home/$INSTALL_USER/ovpns"
rm /home/$INSTALL_USER/ovpns/$NAME.ovpn rm "/home/$INSTALL_USER/ovpns/$NAME.ovpn"
cp /etc/openvpn/easy-rsa/keys/crl.pem /etc/openvpn/crl.pem cp /etc/openvpn/easy-rsa/keys/crl.pem /etc/openvpn/crl.pem
echo "::: Completed!" echo "::: Completed!"
if [ $REVOKE_STATUS == 0 ]; then if [ "$REVOKE_STATUS" == 0 ]; then
echo 1 > /etc/pivpn/REVOKE_STATUS echo 1 > /etc/pivpn/REVOKE_STATUS
printf "\nThis seems to be the first time you have revoked a cert.\n" printf "\nThis seems to be the first time you have revoked a cert.\n"
printf "We are adding the CRL to the server.conf and restarting openvpn.\n" printf "We are adding the CRL to the server.conf and restarting openvpn.\n"