From caee0858cf71415e3cd861d008c0047a49117922 Mon Sep 17 00:00:00 2001 From: redfast00 Date: Tue, 4 Oct 2016 19:46:14 +0200 Subject: [PATCH] Sanitization 'n input validation --- scripts/makeOVPN.sh | 170 ++++++++++++++++++++++++-------------------- 1 file changed, 94 insertions(+), 76 deletions(-) diff --git a/scripts/makeOVPN.sh b/scripts/makeOVPN.sh index bb3290e..4b5a52d 100644 --- a/scripts/makeOVPN.sh +++ b/scripts/makeOVPN.sh @@ -1,13 +1,13 @@ -#!/bin/bash -# Create OVPN Client -# Default Variable Declarations -DEFAULT="Default.txt" -FILEEXT=".ovpn" -CRT=".crt" +#!/bin/bash +# Create OVPN Client +# Default Variable Declarations +DEFAULT="Default.txt" +FILEEXT=".ovpn" +CRT=".crt" OKEY=".key" -KEY=".3des.key" -CA="ca.crt" -TA="ta.key" +KEY=".3des.key" +CA="ca.crt" +TA="ta.key" INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER) # Functions def @@ -19,7 +19,7 @@ function keynoPASS() { #Build the client key expect << EOF - spawn ./build-key $NAME + spawn ./build-key "$NAME" expect "Country Name" { send "\r" } expect "State or Province Name" { send "\r" } expect "Locality Name" { send "\r" } @@ -35,7 +35,7 @@ function keynoPASS() { expect eof EOF - cd keys + cd keys || exit } 
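Review bot: The quotes added in `spawn ./build-key "$NAME"` are Tcl quotes, not shell quotes: the heredoc delimiter is unquoted, so bash expands NAME into the script text before expect ever parses it, and Tcl would still interpret `$`, `[` or `\` inside the substituted value. What actually keeps this safe is the alphanumeric check on NAME added further down in this patch, which runs before keynoPASS is called; that dependency deserves a comment above the heredoc, e.g. `# NAME is shell-expanded into this Tcl script; safe only because NAME is restricted to [A-Za-z0-9] at the prompt`. The same remark applies to the two keyPASS heredocs. keynoPASS starts before this hunk, so its signature is not visible here.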
@@ -45,20 +45,31 @@ function keyPASS() { while true do printf "Enter the password for the Client: " - read PASSWD + read -r PASSWD printf "\n" printf "Enter the password again to verify: " - read PASSWD2 + read -r PASSWD2 printf "\n" [ "$PASSWD" = "$PASSWD2" ] && break printf "Passwords do not match! Please try again.\n" done stty echo + if [[ -z "$PASSWD" ]]; then + echo "You left the password blank" + echo "If you don't want a password, please run:" + echo "pivpn add nopass" + exit 1 + fi + if [ ${#PASSWD} -lt 4 ] || [ ${#PASSWD} -gt 1024 ] + then + echo "Password must be between from 4 to 1024 characters" + exit 1 + fi #Build the client key and then encrypt the key expect << EOF - spawn ./build-key-pass $NAME + spawn ./build-key-pass "$NAME" expect "Enter PEM pass phrase" { send "$PASSWD\r" } expect "Verifying - Enter PEM pass phrase" { send "$PASSWD\r" } expect "Country Name" { send "\r" } @@ -76,10 +87,10 @@ function keyPASS() { expect eof EOF - cd keys + cd keys || exit expect << EOF - spawn openssl rsa -in $NAME$OKEY -des3 -out $NAME$KEY + spawn openssl rsa -in "$NAME$OKEY" -des3 -out "$NAME$KEY" expect "Enter pass phrase for" { send "$PASSWD\r" } expect "Enter PEM pass phrase" { send "$PASSWD\r" } expect "Verifying - Enter PEM pass" { send "$PASSWD\r" } @@ -88,14 +99,19 @@ EOF } printf "Enter a Name for the Client: " -read NAME +read -r NAME -if [[ -z "$NAME" ]]; then - printf '%s\n' "::: You can not leave this blank!" +if [[ "$NAME" =~ [^a-zA-Z0-9] ]]; then + echo "Name can only contain alphanumeric characters" exit 1 fi -cd /etc/openvpn/easy-rsa +if [[ -z "$NAME" ]]; then + echo "You cannot leave the name blank" + exit 1 +fi + +cd /etc/openvpn/easy-rsa || exit source /etc/openvpn/easy-rsa/vars if [[ "$@" =~ "nopass" ]]; then 
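Review bot: The new blank and length checks on PASSWD do not address how the password reaches expect: `expect << EOF` is an unquoted heredoc, so `send "$PASSWD\r"` receives the value already substituted by bash, and a password containing `"`, `\`, `[`, `$` or a leading `-` is then reinterpreted by Tcl/`send`, so the key is encrypted with a passphrase other than the one the user typed or the expect script errors out. Passing NAME and PASSWD through the environment and using a quoted heredoc lets Tcl do a single, non-reparsing substitution (`$env(...)` is not re-evaluated), and `send --` stops a leading `-` being read as an option; the same change applies to the `openssl rsa` heredoc in the next hunk (@@ -76,10), and the value then lives in expect's environment instead of its stdin, both of which stay out of argv. The error text `Password must be between from 4 to 1024 characters` also reads oddly and could be `Password must be between 4 and 1024 characters`. keyPASS starts before this hunk and this heredoc's terminator is in the next one.
```shell
  #Build the client key and then encrypt the key
  NAME="$NAME" PASSWD="$PASSWD" expect << 'EOF'
  spawn ./build-key-pass $env(NAME)
  expect "Enter PEM pass phrase" { send -- "$env(PASSWD)\r" }
  expect "Verifying - Enter PEM pass phrase" { send -- "$env(PASSWD)\r" }
  # … unchanged: remaining prompts and the EOF terminator (next hunk) …
```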
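Review bot: The two NAME checks in the `read -r NAME` hunk can be one anchored allowlist, `if [[ ! "$NAME" =~ ^[A-Za-z0-9]+$ ]]; then`, which rejects the empty string and any non-alphanumeric character in a single test instead of leaving the blank case to a second `if`. This check is what makes every later unquoted use safe, since NAME is interpolated into file names and into the expect scripts, so a comment such as `# keep this strict: NAME is interpolated into file names and the expect scripts above` would help the next maintainer. Bracket ranges in bash are locale-sensitive in some versions, so the strictness of `[^a-zA-Z0-9]` presumably depends on the locale the script runs under; verify, or evaluate the test under `LC_ALL=C`.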
@@ -103,66 +119,68 @@ if [[ "$@" =~ "nopass" ]]; then else keyPASS fi - -#1st Verify that clients Public Key Exists -if [ ! -f $NAME$CRT ]; then - echo "[ERROR]: Client Public Key Certificate not found: $NAME$CRT" - exit -fi -echo "Client's cert found: $NAME$CRT" - -#Then, verify that there is a private key for that client -if [ ! -f $NAME$KEY ]; then - echo "[ERROR]: Client 3des Private Key not found: $NAME$KEY" - exit -fi + +#1st Verify that clients Public Key Exists +if [ ! -f "$NAME$CRT" ]; then + echo "[ERROR]: Client Public Key Certificate not found: $NAME$CRT" + exit +fi +echo "Client's cert found: $NAME$CRT" + +#Then, verify that there is a private key for that client +if [ ! -f "$NAME$KEY" ]; then + echo "[ERROR]: Client 3des Private Key not found: $NAME$KEY" + exit +fi echo "Client's Private Key found: $NAME$KEY" - -#Confirm the CA public key exists -if [ ! -f $CA ]; then - echo "[ERROR]: CA Public Key not found: $CA" - exit -fi -echo "CA public Key found: $CA" - -#Confirm the tls-auth ta key file exists -if [ ! -f $TA ]; then - echo "[ERROR]: tls-auth Key not found: $TA" - exit -fi -echo "tls-auth Private Key found: $TA" - -#Ready to make a new .ovpn file - Start by populating with the -#default file -cat $DEFAULT > $NAME$FILEEXT - -#Now, append the CA Public Cert -echo "" >> $NAME$FILEEXT -cat $CA >> $NAME$FILEEXT -echo "" >> $NAME$FILEEXT - -#Next append the client Public Cert -echo "" >> $NAME$FILEEXT -cat $NAME$CRT | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> $NAME$FILEEXT -echo "" >> $NAME$FILEEXT - -#Then, append the client Private Key -echo "" >> $NAME$FILEEXT -cat $NAME$KEY >> $NAME$FILEEXT -echo "" >> $NAME$FILEEXT - -#Finally, append the TA Private Key -echo "" >> $NAME$FILEEXT -cat $TA >> $NAME$FILEEXT -echo "" >> $NAME$FILEEXT + +#Confirm the CA public key exists +if [ ! -f "$CA" ]; then + echo "[ERROR]: CA Public Key not found: $CA" + exit +fi +echo "CA public Key found: $CA" + +#Confirm the tls-auth ta key file exists +if [ ! 
-f "$TA" ]; then + echo "[ERROR]: tls-auth Key not found: $TA" + exit +fi +echo "tls-auth Private Key found: $TA" + +#Ready to make a new .ovpn file +{ + # Start by populating with the default file + cat "$DEFAULT" + + #Now, append the CA Public Cert + echo "" + cat "$CA" + echo "" + + #Next append the client Public Cert + echo "" + sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' < "$NAME$CRT" + echo "" + + #Then, append the client Private Key + echo "" + cat "$NAME$KEY" + echo "" + + #Finally, append the TA Private Key + echo "" + cat "$TA" + echo "" +} > "$NAME$FILEEXT" # Copy the .ovpn profile to the home directory for convenient remote access -cp /etc/openvpn/easy-rsa/keys/$NAME$FILEEXT /home/$INSTALL_USER/ovpns/$NAME$FILEEXT -chown $INSTALL_USER /home/$INSTALL_USER/ovpns/$NAME$FILEEXT +cp "/etc/openvpn/easy-rsa/keys/$NAME$FILEEXT" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT" +chown "$INSTALL_USER" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT" printf "\n\n" printf "========================================================\n" -printf "\e[1mDone! $NAME$FILEEXT successfully created!\e[0m \n" -printf "$NAME$FILEEXT was copied to:\n" -printf " /home/$INSTALL_USER/ovpns\n" +printf "\e[1mDone! %s successfully created!\e[0m \n" "$NAME$FILEEXT" +printf "%s was copied to:\n" "$NAME$FILEEXT" +printf " /home/%s/ovpns\n" "$INSTALL_USER" printf "for easy transfer.\n" printf "========================================================\n\n"
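Review bot: The four `[ERROR]` branches still end with a bare `exit`, which exits with the status of the preceding `echo` (0), so a missing client cert, 3des key, CA or ta.key reports success to whatever invokes this script; the checks added earlier in this patch use `exit 1`, and these branches should match, with the message sent to stderr, e.g. `echo "[ERROR]: Client Public Key Certificate not found: $NAME$CRT" >&2; exit 1`. The restructured brace group writes the client's private key into `$NAME$FILEEXT` under the process's default umask, and the copy into `/home/$INSTALL_USER/ovpns/` is chowned but not chmoded, so both files are presumably readable by other local users; a `umask 077` before the group, or `chmod 600` on both files, keeps the profile to its owner. If any `cat` inside the group fails, the redirect still leaves a partial profile behind, which is worth stating in the comment above the group (`# a failure inside the group leaves a partial $NAME$FILEEXT`).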