From 7e77e1d791b0caa2e8393717c4691e53d0042352 Mon Sep 17 00:00:00 2001
From: "Kyle J. McKay"
Date: Sun, 22 Nov 2020 01:46:21 -0700
Subject: [PATCH] config: allow specific openssl binary to be used

Provide a $Girocco::Config::openssl_bin setting that allows a specific `openssl` binary to be specified. If left `undef`, the default continues to be the `openssl` found in $PATH.

Additionally, arrange for CACreateCert to use the same openssl binary when creating certificates by prepending the "$basedir/bin" directory (which now contains a symbolic link to the desired copy of `openssl`) to $PATH before running CACreateCert.

Signed-off-by: Kyle J. McKay
---
 Girocco/Config.pm | 5 +++++
 install.sh | 27 +++++++++++++++------------
 shlib.sh | 2 ++
 3 files changed, 22 insertions(+), 12 deletions(-)

diff --git a/Girocco/Config.pm b/Girocco/Config.pm
index 7787a07..177c06a 100644
--- a/Girocco/Config.pm
+++ b/Girocco/Config.pm
@@ -51,6 +51,11 @@ our $perl_bin = undef;
 # Path to gzip executable to use. Set to undef to use gzip found in $PATH
 our $gzip_bin = undef;
 
+# Path to OpenSSL/LibreSSL executable to use.
+# Set to undef to use openssl found in $PATH
+# Not used unless $httpspushurl is defined
+our $openssl_bin = undef;
+
 # Path to the sendmail instance to use. It should understand the -f , -i and -t
 # options as well as accepting a list of recipient addresses in order to be used here.
 # You MUST set this, even if to '/usr/sbin/sendmail'!
diff --git a/install.sh b/install.sh
index a945e3f..11f4345 100755
--- a/install.sh
+++ b/install.sh
@@ -667,6 +667,7 @@ ln -s "$cfg_git_bin" "$basedir/bin/git"
 ln -s "$shbin" "$basedir/bin/sh"
 ln -s "$perlbin" "$basedir/bin/perl"
 ln -s "$gzipbin" "$basedir/bin/gzip"
+[ -z "$var_openssl_bin" ] || ln -s "$var_openssl_bin" "$basedir/bin/openssl"
 
 echo "*** Preprocessing scripts..."
 SHBIN="$shbin" && export SHBIN
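Review bot: The comment `# Not used unless $httpspushurl is defined` on the new `$openssl_bin` setting understates what install.sh does with the value: the `$basedir/bin/openssl` symlink is created whenever shlib.sh resolves a non-empty path, outside and before the `if [ -n "$cfg_httpspushurl" ]` block, so only the certificate generation is conditional. A more accurate wording would be `# Only the SSL certificate setup (requires $httpspushurl) runs it, but install.sh links it into $basedir/bin whenever one is found`. It is also worth saying here that when this is undef the choice is made by `command -v openssl` in the installer's PATH at install time, since that is the binary that ends up generating the root and client CA keys.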
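Review bot: The new `ln -s` for openssl reads `$var_openssl_bin` straight from the shlib.sh output, whereas the neighbouring links use the local `$shbin`, `$perlbin` and `$gzipbin` names; if those locals are where install.sh verifies (outside this hunk) that the resolved binaries exist and are executable, the openssl path skips that check, and a mistyped `$openssl_bin` in Girocco/Config.pm yields a dangling `$basedir/bin/openssl` link that only surfaces when the certificate steps run. A guard such as `[ -z "$var_openssl_bin" ] || [ -x "$var_openssl_bin" ] || { echo "openssl executable not found: $var_openssl_bin" >&2; exit 1; }` placed before the link would fail at the same point the other tools do. The `-z` branch silently skips the link when shlib.sh found no openssl at all, which is acceptable only if the `$cfg_httpspushurl` block later reports that condition itself.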
@@ -972,6 +973,8 @@ cat gitweb/gitweb.css >>"$webroot"/gitweb.css
 
 if [ -n "$cfg_httpspushurl" ]; then
 echo "*** Setting up SSL certificates..."
+ openssl="${var_openssl_bin:-openssl}"
+ createcert() { PATH="$basedir/bin:$PATH" "$basedir/bin/CACreateCert" "$@"; }
 bits=2048
 if [ "$cfg_rsakeylength" -gt "$bits" ] 2>/dev/null; then
 bits="$cfg_rsakeylength"
@@ -981,7 +984,7 @@ if [ -n "$cfg_httpspushurl" ]; then
 wwwcertcn=
 if [ -e "$cfg_certsdir/girocco_www_crt.pem" ]; then
 wwwcertcn="$(
- openssl x509 -in "$cfg_certsdir/girocco_www_crt.pem" -noout -subject |
+ "$openssl" x509 -in "$cfg_certsdir/girocco_www_crt.pem" -noout -subject |
 sed -e 's,[^/]*,,'
 )"
 fi
@@ -1004,14 +1007,14 @@ if [ -n "$cfg_httpspushurl" ]; then
 if [ -n "$needroot" ] && ! [ -e "$cfg_certsdir/girocco_root_key.pem" ]; then
 rm -f "$cfg_certsdir/girocco_root_crt.pem" "$cfg_certsdir/girocco_root_key.pem"
 umask 0077
- openssl genrsa -f4 -out "$cfg_certsdir/girocco_root_key.pem" $bits
+ "$openssl" genrsa -f4 -out "$cfg_certsdir/girocco_root_key.pem" $bits
 chmod 0600 "$cfg_certsdir/girocco_root_key.pem"
 rm -f "$cfg_certsdir/girocco_root_crt.pem"
 umask 0022
 echo "Created new root key"
 fi
 if ! [ -e "$cfg_certsdir/girocco_root_crt.pem" ]; then
- "$basedir/bin/CACreateCert" --root --key "$cfg_certsdir/girocco_root_key.pem" \
+ createcert --root --key "$cfg_certsdir/girocco_root_key.pem" \
 --out "$cfg_certsdir/girocco_root_crt.pem" "girocco $cfg_nickname root certificate"
 rm -f "$cfg_certsdir/girocco_www_crt.pem" "$cfg_certsdir/girocco_www_chain.pem"
 rm -f "$cfg_certsdir/girocco_client_crt.pem" "$cfg_certsdir/girocco_client_suffix.pem"
@@ -1021,7 +1024,7 @@ if [ -n "$cfg_httpspushurl" ]; then
 fi
 if ! [ -e "$cfg_certsdir/girocco_www_key.pem" ]; then
 umask 0077
- openssl genrsa -f4 -out "$cfg_certsdir/girocco_www_key.pem" $bits
+ "$openssl" genrsa -f4 -out "$cfg_certsdir/girocco_www_key.pem" $bits
 chmod 0600 "$cfg_certsdir/girocco_www_key.pem"
 rm -f "$cfg_certsdir/girocco_www_crt.pem"
 umask 0022
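Review bot: `openssl="${var_openssl_bin:-openssl}"` only takes the bare-name fallback when shlib.sh's `command -v openssl` lookup already found nothing, so inside the `$cfg_httpspushurl` block that fallback is unlikely to succeed and the first `"$openssl" genrsa` call fails with a generic not-found error, in the root-key case after `rm -f` has already removed the old root certificate and key; failing up front with `[ -n "$var_openssl_bin" ] || { echo "openssl executable not found; set \$openssl_bin in Girocco/Config.pm" >&2; exit 1; }` reports the real cause before any key material is touched. The `createcert` wrapper's PATH prefix likewise pins CACreateCert to the chosen openssl only when the `$basedir/bin/openssl` link exists, and it assumes CACreateCert locates `openssl` through PATH rather than a fixed path, which is not visible here. The later hunks in this file that replace `openssl` with `"$openssl"` and `"$basedir/bin/CACreateCert"` with `createcert` are straightforward uses of these two definitions and raise nothing further. The enclosing `if` block continues past the end of this hunk.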
@@ -1029,8 +1032,8 @@ if [ -n "$cfg_httpspushurl" ]; then
 fi
 if ! [ -e "$cfg_certsdir/girocco_www_crt.pem" ] || [ "$wwwcertcn" != "/CN=$cfg_httpsdnsname" ] || [ "$wwwcertdns" != "$wwwcertdnsfile" ]; then
- openssl rsa -in "$cfg_certsdir/girocco_www_key.pem" -pubout |
- "$basedir/bin/CACreateCert" --server --key "$cfg_certsdir/girocco_root_key.pem" \
+ "$openssl" rsa -in "$cfg_certsdir/girocco_www_key.pem" -pubout |
+ createcert --server --key "$cfg_certsdir/girocco_root_key.pem" \
 --cert "$cfg_certsdir/girocco_root_crt.pem" $wwwcertdns \
 --out "$cfg_certsdir/girocco_www_crt.pem" "$cfg_httpsdnsname"
 printf '%s\n' "$wwwcertdns" >"$cfg_certsdir/girocco_www_crt.dns"
@@ -1042,15 +1045,15 @@ if [ -n "$cfg_httpspushurl" ]; then
 fi
 if ! [ -e "$cfg_certsdir/girocco_client_key.pem" ]; then
 umask 0037
- openssl genrsa -f4 -out "$cfg_certsdir/girocco_client_key.pem" $bits
+ "$openssl" genrsa -f4 -out "$cfg_certsdir/girocco_client_key.pem" $bits
 chmod 0640 "$cfg_certsdir/girocco_client_key.pem"
 rm -f "$cfg_certsdir/girocco_client_crt.pem"
 umask 0022
 echo "Created new client key"
 fi
 if ! [ -e "$cfg_certsdir/girocco_client_crt.pem" ]; then
- openssl rsa -in "$cfg_certsdir/girocco_client_key.pem" -pubout |
- "$basedir/bin/CACreateCert" --subca --key "$cfg_certsdir/girocco_root_key.pem" \
+ "$openssl" rsa -in "$cfg_certsdir/girocco_client_key.pem" -pubout |
+ createcert --subca --key "$cfg_certsdir/girocco_root_key.pem" \
 --cert "$cfg_certsdir/girocco_root_crt.pem" \
 --out "$cfg_certsdir/girocco_client_crt.pem" "girocco $cfg_nickname client authority"
 rm -f "$cfg_certsdir/girocco_client_suffix.pem"
@@ -1069,14 +1072,14 @@ if [ -n "$cfg_httpspushurl" ]; then
 fi
 if [ -n "$cfg_mob" ]; then
 if ! [ -e "$cfg_certsdir/girocco_mob_user_key.pem" ]; then
- openssl genrsa -f4 -out "$cfg_certsdir/girocco_mob_user_key.pem" $bits
+ "$openssl" genrsa -f4 -out "$cfg_certsdir/girocco_mob_user_key.pem" $bits
 chmod 0644 "$cfg_certsdir/girocco_mob_user_key.pem"
 rm -f "$cfg_certsdir/girocco_mob_user_crt.pem"
 echo "Created new mob user key"
 fi
 if ! [ -e "$cfg_certsdir/girocco_mob_user_crt.pem" ]; then
- openssl rsa -in "$cfg_mobuserkey" -pubout |
- "$basedir/bin/CACreateCert" --client --key "$cfg_clientkey" \
+ "$openssl" rsa -in "$cfg_mobuserkey" -pubout |
+ createcert --client --key "$cfg_clientkey" \
 --cert "$cfg_clientcert" \
 --out "$cfg_certsdir/girocco_mob_user_crt.pem" 'mob'
 echo "Created mob user client certificate"
diff --git a/shlib.sh b/shlib.sh
index 8dd17ce..d0af51f 100644
--- a/shlib.sh
+++ b/shlib.sh
@@ -91,6 +91,7 @@ get_girocco_config_var_list() (
 # var_sh_bin Full path to the posix sh interpreter to use
 # var_perl_bin Full path to the perl interpreter to use
 # var_gzip_bin Full path to the gzip executable to use
+ # var_openssl_bin Full path to the openssl executable to use
 # var_nc_openbsd_bin Full path to the netcat (nc) with -U support
 # var_have_git_171 Set to 1 if git version >= 1.7.1 otherwise ''
 # var_have_git_172 Set to 1 if git version >= 1.7.2 otherwise ''
@@ -131,6 +132,7 @@ get_girocco_config_var_list() (
 printf 'var_sh_bin="%s"\n' "$(_fcp "${cfg_posix_sh_bin:-/bin/sh}")"
 printf 'var_perl_bin="%s"\n' "$(_fcp "${cfg_perl_bin:-$(unset -f perl; command -v perl)}")"
 printf 'var_gzip_bin="%s"\n' "$(_fcp "${cfg_gzip_bin:-$(unset -f gzip; command -v gzip)}")"
+ printf 'var_openssl_bin="%s"\n' "$(_fcp "${cfg_openssl_bin:-$(unset -f openssl; command -v openssl)}")"
 printf 'var_nc_openbsd_bin="%s"\n' "$(_fcp "${cfg_nc_openbsd_bin:-$(unset -f nc; command -v nc)}")"
 printf 'var_have_git_171=%s\n' "$([ $(vcmp "$_gver" 1.7.1) -ge 0 ] && echo 1)"
 printf 'var_have_git_172=%s\n' "$([ $(vcmp "$_gver" 1.7.2) -ge 0 ] && echo 1)"
-- 
2.11.4.GIT