wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-06-07 15:43:54 +02:00
Code Issues Projects Releases Wiki Activity

LibreSSL fix #625 (#685)

Browse source
This commit is contained in:
Jack Ivanov 2017-10-01 22:40:08 +02:00 committed by Dan Guido
parent fee009688e
commit 6b803e069f
3 changed files with 22 additions and 27 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
roles/vpn/defaults/main.yml
View file

@ -1,5 +1,5 @@
--- ---
openssl_bin: openssl
strongswan_enabled_plugins: strongswan_enabled_plugins:
- aes - aes
- gcm - gcm

43
roles/vpn/tasks/openssl.yml
View file

@ -38,10 +38,10 @@
- name: Build the CA pair - name: Build the CA pair
shell: > shell: >
openssl ecparam -name prime256v1 -out ecparams/prime256v1.pem && {{ openssl_bin }} ecparam -name prime256v1 -out ecparams/prime256v1.pem &&
openssl req -utf8 -new {{ openssl_bin }} req -utf8 -new
-newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }}
-config openssl.cnf -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}"))
-keyout private/cakey.pem -keyout private/cakey.pem
-out cacert.pem -x509 -days 3650 -out cacert.pem -x509 -days 3650
-batch -batch
@ -50,8 +50,7 @@
args: args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/" chdir: "configs/{{ IP_subject_alt_name }}/pki/"
creates: "{{ IP_subject_alt_name }}_ca_generated" creates: "{{ IP_subject_alt_name }}_ca_generated"
environment: executable: bash
subjectAltName: "DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}"
- name: Copy the CA certificate - name: Copy the CA certificate
copy: copy:
@ -67,52 +66,52 @@
- name: Build the server pair - name: Build the server pair
shell: > shell: >
openssl req -utf8 -new {{ openssl_bin }} req -utf8 -new
-newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }}
-config openssl.cnf -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}"))
-keyout private/{{ IP_subject_alt_name }}.key -keyout private/{{ IP_subject_alt_name }}.key
-out reqs/{{ IP_subject_alt_name }}.req -nodes -out reqs/{{ IP_subject_alt_name }}.req -nodes
-passin pass:"{{ easyrsa_CA_password }}" -passin pass:"{{ easyrsa_CA_password }}"
-subj "/CN={{ IP_subject_alt_name }}" -batch && -subj "/CN={{ IP_subject_alt_name }}" -batch &&
openssl ca -utf8 {{ openssl_bin }} ca -utf8
-in reqs/{{ IP_subject_alt_name }}.req -in reqs/{{ IP_subject_alt_name }}.req
-out certs/{{ IP_subject_alt_name }}.crt -out certs/{{ IP_subject_alt_name }}.crt
-config openssl.cnf -days 3650 -batch -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}"))
-days 3650 -batch
-passin pass:"{{ easyrsa_CA_password }}" -passin pass:"{{ easyrsa_CA_password }}"
-subj "/CN={{ IP_subject_alt_name }}" && -subj "/CN={{ IP_subject_alt_name }}" &&
touch certs/{{ IP_subject_alt_name }}_crt_generated touch certs/{{ IP_subject_alt_name }}_crt_generated
args: args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/" chdir: "configs/{{ IP_subject_alt_name }}/pki/"
creates: certs/{{ IP_subject_alt_name }}_crt_generated creates: certs/{{ IP_subject_alt_name }}_crt_generated
environment: executable: bash
subjectAltName: "DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}"
- name: Build the client's pair - name: Build the client's pair
shell: > shell: >
openssl req -utf8 -new {{ openssl_bin }} req -utf8 -new
-newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }}
-config openssl.cnf -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ item }}"))
-keyout private/{{ item }}.key -keyout private/{{ item }}.key
-out reqs/{{ item }}.req -nodes -out reqs/{{ item }}.req -nodes
-passin pass:"{{ easyrsa_CA_password }}" -passin pass:"{{ easyrsa_CA_password }}"
-subj "/CN={{ item }}" -batch && -subj "/CN={{ item }}" -batch &&
openssl ca -utf8 {{ openssl_bin }} ca -utf8
-in reqs/{{ item }}.req -in reqs/{{ item }}.req
-out certs/{{ item }}.crt -out certs/{{ item }}.crt
-config openssl.cnf -days 3650 -batch -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ item }}"))
-days 3650 -batch
-passin pass:"{{ easyrsa_CA_password }}" -passin pass:"{{ easyrsa_CA_password }}"
-subj "/CN={{ item }}" && -subj "/CN={{ item }}" &&
touch certs/{{ item }}_crt_generated touch certs/{{ item }}_crt_generated
args: args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/" chdir: "configs/{{ IP_subject_alt_name }}/pki/"
creates: certs/{{ item }}_crt_generated creates: certs/{{ item }}_crt_generated
environment: executable: bash
subjectAltName: "DNS:{{ item }}"
with_items: "{{ users }}" with_items: "{{ users }}"
- name: Build the client's p12 - name: Build the client's p12
shell: > shell: >
openssl pkcs12 {{ openssl_bin }} pkcs12
-in certs/{{ item }}.crt -in certs/{{ item }}.crt
-inkey private/{{ item }}.key -inkey private/{{ item }}.key
-export -export
@ -122,6 +121,7 @@
-passout pass:"{{ easyrsa_p12_export_password }}" -passout pass:"{{ easyrsa_p12_export_password }}"
args: args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/" chdir: "configs/{{ IP_subject_alt_name }}/pki/"
executable: bash
with_items: "{{ users }}" with_items: "{{ users }}"
register: p12 register: p12
@ -145,16 +145,15 @@
- name: Revoke non-existing users - name: Revoke non-existing users
shell: > shell: >
openssl ca -gencrl {{ openssl_bin }} ca -gencrl
-config openssl.cnf -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ item }}"))
-passin pass:"{{ easyrsa_CA_password }}" -passin pass:"{{ easyrsa_CA_password }}"
-revoke certs/{{ item }}.crt -revoke certs/{{ item }}.crt
-out crl/{{ item }}.crt -out crl/{{ item }}.crt
args: args:
chdir: configs/{{ IP_subject_alt_name }}/pki/ chdir: configs/{{ IP_subject_alt_name }}/pki/
creates: crl/{{ item }}.crt creates: crl/{{ item }}.crt
environment: executable: bash
subjectAltName: "DNS:{{ item }}"
when: item not in users when: item not in users
with_items: "{{ valid_certs.stdout_lines }}" with_items: "{{ valid_certs.stdout_lines }}"

4
roles/vpn/templates/openssl.cnf.j2
View file

@ -110,7 +110,6 @@ authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = serverAuth,clientAuth,1.3.6.1.5.5.7.3.17 extendedKeyUsage = serverAuth,clientAuth,1.3.6.1.5.5.7.3.17
keyUsage = digitalSignature, keyEncipherment keyUsage = digitalSignature, keyEncipherment
subjectAltName = ${ENV::subjectAltName}
# The Easy-RSA CA extensions # The Easy-RSA CA extensions
[ easyrsa_ca ] [ easyrsa_ca ]
@ -138,6 +137,3 @@ keyUsage = cRLSign, keyCertSign
# issuerAltName=issuer:copy # issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always authorityKeyIdentifier=keyid:always,issuer:always