From 68b05d7c6e051d35bd585379f60e04c7bf0c4f35 Mon Sep 17 00:00:00 2001
From: Paul Slootman
Date: Mon, 31 Aug 2020 13:06:42 +0200
Subject: [PATCH 1/4] Fix slow fork bomb when directory containing getssl isn't writeable (#440)

getssl updets itself by:
- checking for a new version
- if so:
- download the new one into a tmp location
- rename the current one to name with version appended
- rename the tmp file to the current location
- run the new version
If the renaming fails, the old version gets run, which again downloads, etc. Now exit if the rename (install command) fails.
---
 getssl | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/getssl b/getssl
index a5e72cf..734f176 100755
--- a/getssl
+++ b/getssl
@@ -234,6 +234,7 @@
 # 2020-06-06 Fix missing URL_revoke definition when no CA directory suffix (#566)
 # 2020-06-18 Fix CHECK_REMOTE for DUAL_RSA_ECDSA (#570)
 # 2020-07-14 Support space separated SANS (#574) (2.29)
+# 2020-08-31 Fix slow fork bomb when directory containing getssl isn't writeable (#440)
 # ----------------------------------------------------------------------------------------
 
 PROGNAME=${0##*/}
@@ -608,8 +609,12 @@ check_getssl_upgrade() { # check if a more recent version of code is available a
   # use a default of 0 for cases where the latest code has not been obtained.
   if [[ "${latestvdec:-0}" -gt "$localvdec" ]]; then
     if [[ ${_UPGRADE} -eq 1 ]]; then
-      install "$0" "${0}.v${VERSION}"
-      install -m 700 "$TEMP_UPGRADE_FILE" "$0"
+      if ! install "$0" "${0}.v${VERSION}"; then
+        error_exit "problem renaming old version while updating, check permissions"
+      fi
+      if ! install -m 700 "$TEMP_UPGRADE_FILE" "$0"; then
+        error_exit "problem installing new version while updating, check permissions"
+      fi
       if [[ ${_MUTE} -eq 0 ]]; then
         echo "Updated getssl from v${VERSION} to v${latestversion}"
         echo "these update notification can be turned off using the -Q option"
From 47b3962c139d799f9c1b19a0d5a4eb4ecde2b665 Mon Sep 17 00:00:00 2001
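Review bot: The backup copy made by `install "$0" "${0}.v${VERSION}"` gets install's default mode (rwxr-xr-x) while the replacement two lines below is explicitly `-m 700`, so after an upgrade the two copies carry different permissions; `install -m 700 "$0" "${0}.v${VERSION}"` keeps them consistent. When the second install fails the script now exits with that backup already written and, as far as the hunk shows, `$TEMP_UPGRADE_FILE` still on disk, so unless something outside the hunk removes it, an `rm -f -- "$TEMP_UPGRADE_FILE"` before that `error_exit` (or an EXIT trap) avoids leaving the downloaded script in the temp directory. Nothing visible here validates `$TEMP_UPGRADE_FILE` before it overwrites `$0`; if the download step elsewhere does not check a hash or signature, a one-line comment at the `install -m 700` call stating that the self-update trusts the transport alone would help the next reader. check_getssl_upgrade begins before and continues after the hunk.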
From: Tim Kimber
Date: Wed, 2 Sep 2020 08:54:39 +0100
Subject: [PATCH 2/4] Support older versions of openssl which don't support RSA-PSS

---
 getssl | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/getssl b/getssl
index 6e7fb80..5e4285d 100755
--- a/getssl
+++ b/getssl
@@ -2566,7 +2566,13 @@ fi
 if [[ "${CHECK_REMOTE}" == "true" ]] && [[ $_FORCE_RENEW -eq 0 ]]; then
   debug "getting certificate for $DOMAIN from remote server"
   if [[ "$DUAL_RSA_ECDSA" == "true" ]]; then
-    CIPHER="-sigalgs RSA-PSS+SHA256:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512"
+    # shellcheck disable=SC2086
+    # check if openssl supports RSA-PSS
+    if [[ $(echo | openssl s_client -servername "${DOMAIN}" -connect "${DOMAIN}:${REMOTE_PORT}" ${REMOTE_EXTRA} -sigalgs RSA-PSS 2>/dev/null) ]]; then
+      CIPHER="-sigalgs RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA512"
+    else
+      CIPHER="-sigalgs RSA+SHA256:RSA+SHA384:RSA+SHA512"
+    fi
   else
     CIPHER=""
   fi
@@ -2827,7 +2833,14 @@ fi
 if [[ ${CHECK_REMOTE} == "true" ]]; then
   sleep "$CHECK_REMOTE_WAIT"
   if [[ "$DUAL_RSA_ECDSA" == "true" ]]; then
-    PARAMS=("-sigalgs RSA-PSS+SHA256:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512" "-sigalgs ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512")
+    # shellcheck disable=SC2086
+    # check if openssl supports RSA-PSS
+    if [[ $(echo | openssl s_client -servername "${DOMAIN}" -connect "${DOMAIN}:${REMOTE_PORT}" ${REMOTE_EXTRA} -sigalgs RSA-PSS 2>/dev/null) ]]; then
+      PARAMS=("-sigalgs RSA-PSS+SHA256:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512" "-sigalgs ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512")
+    else
+      PARAMS=("-sigalgs RSA+SHA256:RSA+SHA384:RSA+SHA512" "-sigalgs ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512")
+    fi
+
     CERTS=("$CERT_FILE" "${CERT_FILE%.*}.ec.crt")
     TYPES=("rsa" "$PRIVATE_KEY_ALG")
   else
From 693c37d4db4225508675e5a7f2fa5fc81f906675 Mon Sep 17 00:00:00 2001
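Review bot: The two hunks now disagree on RSA signature-algorithm preference: the RSA-PSS-capable branch at 2566 lists `RSA+SHA256:RSA+SHA384:RSA+SHA512` before the PSS entries, whereas the removed line and the PARAMS branch at 2827 keep `RSA-PSS+SHA256:RSA-PSS+SHA512` first, and the order of a -sigalgs list is the preference the client advertises. Unless the reordering is deliberate, restore the earlier order in the first hunk, `CIPHER="-sigalgs RSA-PSS+SHA256:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512"`, so the single-certificate and dual-certificate remote checks behave the same way. The probe line is duplicated verbatim in both hunks, which is how the two lists have already drifted apart; a shared helper would keep them together. Both enclosing if-blocks continue beyond the hunks.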
From: Tim Kimber
Date: Wed, 2 Sep 2020 08:55:26 +0100
Subject: [PATCH 3/4] Fix some test fragility

---
 test/14-test-revoke.bats           | 2 +-
 test/15-test-revoke-no-suffix.bats | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/test/14-test-revoke.bats b/test/14-test-revoke.bats
index 2e95e0d..e624552 100644
--- a/test/14-test-revoke.bats
+++ b/test/14-test-revoke.bats
@@ -38,5 +38,5 @@ setup() {
     run ${CODE_DIR}/getssl -d --revoke $CERT $KEY $CA
     assert_success
-    check_output_for_errors
+    check_output_for_errors "debug"
 }
diff --git a/test/15-test-revoke-no-suffix.bats b/test/15-test-revoke-no-suffix.bats
index 7b19c5a..26f5f3f 100644
--- a/test/15-test-revoke-no-suffix.bats
+++ b/test/15-test-revoke-no-suffix.bats
@@ -38,5 +38,5 @@ setup() {
     run ${CODE_DIR}/getssl -d --revoke $CERT $KEY $CA
     assert_success
-    check_output_for_errors
+    check_output_for_errors "debug"
 }
From d95b3e61b79c79369ab4c43c9c1c4a64ae9db5b7 Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Wed, 2 Sep 2020 15:25:59 +0100
Subject: [PATCH 4/4] Fix openssl RSA-PSS check

---
 getssl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/getssl b/getssl
index 5e4285d..2737f1a 100755
--- a/getssl
+++ b/getssl
@@ -2568,7 +2568,7 @@ if [[ "${CHECK_REMOTE}" == "true" ]] && [[ $_FORCE_RENEW -eq 0 ]]; then
   if [[ "$DUAL_RSA_ECDSA" == "true" ]]; then
     # shellcheck disable=SC2086
     # check if openssl supports RSA-PSS
-    if [[ $(echo | openssl s_client -servername "${DOMAIN}" -connect "${DOMAIN}:${REMOTE_PORT}" ${REMOTE_EXTRA} -sigalgs RSA-PSS 2>/dev/null) ]]; then
+    if [[ $(echo | openssl s_client -servername "${DOMAIN}" -connect "${DOMAIN}:${REMOTE_PORT}" ${REMOTE_EXTRA} -sigalgs RSA-PSS+SHA256 2>/dev/null) ]]; then
       CIPHER="-sigalgs RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA512"
     else
       CIPHER="-sigalgs RSA+SHA256:RSA+SHA384:RSA+SHA512"
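Review bot: The probe `if [[ $(echo | openssl s_client … -sigalgs RSA-PSS+SHA256 2>/dev/null) ]]` decides a property of the local openssl by completing a TLS handshake with `${DOMAIN}:${REMOTE_PORT}`, so an unreachable host, a filtered port or a rejected handshake all read as "no RSA-PSS" and silently narrow the sigalgs the remote check then uses; the same probe, with a second connection, is repeated in the hunk at 2835. The enclosing blocks start and end outside the hunks, so I cannot see whether the answer is reused, but a helper that probes once, caches the result and documents the degraded fallback would make that behaviour visible and avoid the extra connection; both call sites then become `if openssl_supports_rsa_pss; then`.
```shell
# Probe once whether the local openssl accepts an RSA-PSS sigalg and cache
# the answer in _OPENSSL_RSA_PSS. The probe completes a TLS handshake with
# the remote host, so a transport failure is indistinguishable from missing
# RSA-PSS support and degrades to the non-PSS list.
openssl_supports_rsa_pss() {
  if [[ -z "${_OPENSSL_RSA_PSS:-}" ]]; then
    # shellcheck disable=SC2086
    if [[ $(echo | openssl s_client -servername "${DOMAIN}" -connect "${DOMAIN}:${REMOTE_PORT}" ${REMOTE_EXTRA} -sigalgs RSA-PSS+SHA256 2>/dev/null) ]]; then
      _OPENSSL_RSA_PSS=1
    else
      _OPENSSL_RSA_PSS=0
    fi
  fi
  [[ "${_OPENSSL_RSA_PSS}" -eq 1 ]]
}

# … unchanged: CHECK_REMOTE / DUAL_RSA_ECDSA conditions …
    if openssl_supports_rsa_pss; then
```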
@@ -2835,7 +2835,7 @@ if [[ ${CHECK_REMOTE} == "true" ]]; then
   if [[ "$DUAL_RSA_ECDSA" == "true" ]]; then
     # shellcheck disable=SC2086
     # check if openssl supports RSA-PSS
-    if [[ $(echo | openssl s_client -servername "${DOMAIN}" -connect "${DOMAIN}:${REMOTE_PORT}" ${REMOTE_EXTRA} -sigalgs RSA-PSS 2>/dev/null) ]]; then
+    if [[ $(echo | openssl s_client -servername "${DOMAIN}" -connect "${DOMAIN}:${REMOTE_PORT}" ${REMOTE_EXTRA} -sigalgs RSA-PSS+SHA256 2>/dev/null) ]]; then
       PARAMS=("-sigalgs RSA-PSS+SHA256:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512" "-sigalgs ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512")
     else
       PARAMS=("-sigalgs RSA+SHA256:RSA+SHA384:RSA+SHA512" "-sigalgs ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512")