merginton

VM_OPENSSL_APACHE.sh

@@ -12,11 +12,8 @@ id -u john &>/dev/null || useradd john
 echo "password" | passwd --stdin john
 
 # dar acesso ao apache para ler o .google_authenticator
-groupadd -f totp
-usermod -aG totp apache
-usermod -aG totp john
-
-sudo chown apache:totp /home/john/.google_authenticator
+usermod -aG apache john
+sudo chown apache:apache /home/john/.google_authenticator
 sudo chmod 660 /home/john/.google_authenticator
 
 if_dentro="enp0s8"

VM_VPN_GATEWAY.sh

@@ -45,8 +45,6 @@ systemctl enable --now openvpn-server@vpn.service
 # --- utilizador --- #
 id -u john &>/dev/null || useradd john
 echo "password" | passwd --stdin john
-groupadd -f totp
-usermod -aG totp john
-usermod -aG totp openvpn
-sudo chown john:totp /home/john/.google_authenticator
+usermod -aG openvpn john
+sudo chown john:openvpn /home/john/.google_authenticator
 sudo chmod 660 /home/john/.google_authenticator

conf/ocsp-verify.sh

@@ -1,32 +1,35 @@
 #!/bin/bash
-depth=$1
-env >> /etc/openvpn/server/ocsp_env.log
-if [ "$depth" -eq 0 ]; then
-    echo "Checking OCSP for serial=$tls_serial_0" >> /etc/openvpn/server/ocsp.log
-    if [ -n "$tls_serial_0" ]; then
-        # é preciso converter o serial para hexadecimal porque o openssl espera em hex
-        hex_serial=$(printf '%x' "$tls_serial_0")
-        status=$(openssl ocsp -issuer /etc/openvpn/server/ca.crt -serial "0x$hex_serial" -url http://10.60.0.1:8888 -CAfile /etc/openvpn/server/ca.crt 2>>/etc/openvpn/server/ocsp.log)
-        echo "OCSP Status: $status" >> /etc/openvpn/server/ocsp.log
+# fonte: https://github.com/OpenVPN/openvpn/blob/master/contrib/OCSP_check/OCSP_check.sh
 
-        if echo "$status" | grep -q "revoked"; then
-            echo "Result: REVOKED" >> /etc/openvpn/server/ocsp.log
-            exit 1
-        fi
+ocsp_url="http://10.60.0.1:8888"
+issuer="/etc/openvpn/server/ca.crt"
+nonce="-no_nonce"
+verify="/etc/openvpn/server/ca.crt"
+check_depth=0
 
-        if echo "$status" | grep -q "good"; then
-            echo "Result: GOOD" >> /etc/openvpn/server/ocsp.log
-            exit 0
-        fi
+cur_depth=$1
+common_name=$2
 
-        echo "Result: UNKNOWN/ERROR" >> /etc/openvpn/server/ocsp.log
-        exit 1
-    else
-        echo "tls_serial_0 is empty!" >> /etc/openvpn/server/ocsp.log
-        exit 1
-    fi
+if [ -z "$issuer" ] || [ ! -e "$issuer" ] || [ -z "$verify" ] || [ ! -e "$verify" ] || [ -z "$ocsp_url" ]; then
+  exit 1
 fi
 
-echo "ERROR: depth > 0" >> /etc/openvpn/server/ocsp.log
+if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then
+  eval serial="\$tls_serial_${cur_depth}"
 
-exit 0
+  if [ -n "$serial" ]; then
+    status=$(openssl ocsp -issuer "$issuer" "$nonce" -CAfile "$verify" -url "$ocsp_url" -serial "${serial}" 2>&1)
+
+    if [ $? -eq 0 ]; then
+      if echo "$status" | grep -Eq "(error|fail)"; then
+          exit 1
+      fi
+      
+      if echo "$status" | grep -Eq "^${serial}: good" && echo "$status" | grep -Eq "^Response verify OK"; then
+        exit 0
+      fi
+    fi
+  fi
+  
+  exit 1
+fi

relatorio/relatorio.tex

@@ -252,37 +252,40 @@ e verifica o resultado.
 
 \begin{codeblock}{ocsp\_verify.sh}
 #!/bin/bash
-depth=$1
-env >> /etc/openvpn/server/ocsp_env.log
-if [ "$depth" -eq 0 ]; then
-    echo "Checking OCSP for serial=$tls_serial_0" >> /etc/openvpn/server/ocsp.log
-    if [ -n "$tls_serial_0" ]; then
-        # e preciso converter o serial para hexadecimal porque o openssl espera em hex
-        hex_serial=$(printf '%x' "$tls_serial_0")
-        status=$(openssl ocsp -issuer /etc/openvpn/server/ca.crt -serial "0x$hex_serial" -url http://10.60.0.1:8888 -CAfile /etc/openvpn/server/ca.crt 2>>/etc/openvpn/server/ocsp.log)
-        echo "OCSP Status: $status" >> /etc/openvpn/server/ocsp.log
+# fonte: https://github.com/OpenVPN/openvpn/blob/master/contrib/OCSP_check/OCSP_check.sh
 
-        if echo "$status" | grep -q "revoked"; then
-            echo "Result: REVOKED" >> /etc/openvpn/server/ocsp.log
-            exit 1
-        fi
+ocsp_url="http://10.60.0.1:8888"
+issuer="/etc/openvpn/server/ca.crt"
+nonce="-no_nonce"
+verify="/etc/openvpn/server/ca.crt"
+check_depth=0
 
-        if echo "$status" | grep -q "good"; then
-            echo "Result: GOOD" >> /etc/openvpn/server/ocsp.log
-            exit 0
-        fi
+cur_depth=$1
+common_name=$2
 
-        echo "Result: UNKNOWN/ERROR" >> /etc/openvpn/server/ocsp.log
-        exit 1
-    else
-        echo "tls_serial_0 is empty!" >> /etc/openvpn/server/ocsp.log
-        exit 1
-    fi
+if [ -z "$issuer" ] || [ ! -e "$issuer" ] || [ -z "$verify" ] || [ ! -e "$verify" ] || [ -z "$ocsp_url" ]; then
+  exit 1
 fi
 
-echo "ERROR: depth > 0" >> /etc/openvpn/server/ocsp.log
+if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then
+  eval serial="\$tls_serial_${cur_depth}"
 
-exit 0
+  if [ -n "$serial" ]; then
+    status=$(openssl ocsp -issuer "$issuer" "$nonce" -CAfile "$verify" -url "$ocsp_url" -serial "${serial}" 2>&1)
+
+    if [ $? -eq 0 ]; then
+      if echo "$status" | grep -Eq "(error|fail)"; then
+          exit 1
+      fi
+      
+      if echo "$status" | grep -Eq "^${serial}: good" && echo "$status" | grep -Eq "^Response verify OK"; then
+        exit 0
+      fi
+    fi
+  fi
+  
+  exit 1
+fi
 \end{codeblock}
 
 \subsection{Erros}