From 76a9d5db299f32843bac6e1d3b4104a21bba7e6b Mon Sep 17 00:00:00 2001 From: Eric F Crist Date: Thu, 1 Feb 2018 18:03:01 -0600 Subject: [PATCH 01/22] Fix format string for printf I've gotta be doing this wrong... (I mean git.) Signed-off-by: Eric F Crist --- easyrsa3/easyrsa | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 7b227e5..ae946f0 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -479,7 +479,7 @@ current CA keypair. If you intended to start a new CA, run init-pki first." echo if [ "$kpass" = "$kpass2" ]; then - printf "$kpass" > "$out_key_pass_tmp" + printf "%s" "$kpass" > "$out_key_pass_tmp" else die "Passphrases do not match." fi From ff07d754f54c83787cd3e8179c89c762178d16f6 Mon Sep 17 00:00:00 2001 From: Eric F Crist Date: Mon, 26 Feb 2018 09:27:54 -0600 Subject: [PATCH 02/22] Update ChangeLog Signed-off-by: Eric F Crist --- ChangeLog | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index faa26ba..cc85de2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,7 +2,10 @@ Easy-RSA 3 ChangeLog 3.0.5 * Fix #17 & #58: use AES256 for CA key - * Also, don't use read -s, use stty -echo + * Also, don't use read -s, use stty -echo + * Fix broken "nopass" option + * Add -r to read to stop errors reported by shellcheck (and to behave) + * remove overzealous quotes around $pkcs_opts (more SC errors) 3.0.4 * Remove use of egrep (#154) From 185f3ee03e6aa208a5b61f9a5932227b4968ad80 Mon Sep 17 00:00:00 2001 From: Richard Bonhomme Date: Thu, 23 Aug 2018 19:57:51 +0100 Subject: [PATCH 03/22] libressl: add esayrsa3/safessl-easyrsa.cnf to .gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 9101272..8e1f584 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ easyrsa3/pki/* easyrsa3/vars +easyrsa3/safessl-easyrsa.cnf From cfab21f79f72c8c544b17d53447ca22d8dc67b4f Mon Sep 17 00:00:00 2001 
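Review bot: The CA passphrase is written in clear to `$out_key_pass_tmp` by the new `printf "%s" "$kpass"` line, and nothing in this hunk shows how that file is created or that it is removed on every exit path. A comment above the write would record the requirement, for example `# passphrase in clear: file must come from mktemp (owner-only) and be removed on every exit path, including die`. The enclosing function starts and ends outside the hunk, so this may already be handled there.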
From: Richard Bonhomme Date: Thu, 23 Aug 2018 20:03:36 +0100 Subject: [PATCH 04/22] libressl: prepare openssl-easyrsa.cnf for use with libressl --- easyrsa3/openssl-easyrsa.cnf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/easyrsa3/openssl-easyrsa.cnf b/easyrsa3/openssl-easyrsa.cnf index d9109b5..4167031 100644 --- a/easyrsa3/openssl-easyrsa.cnf +++ b/easyrsa3/openssl-easyrsa.cnf @@ -1,4 +1,4 @@ -# For use with Easy-RSA 3.0 and OpenSSL 1.0.* +# For use with Easy-RSA 3.1 and OpenSSL or LibreSSL RANDFILE = $ENV::EASYRSA_PKI/.rnd From 8feb0f24fe86eb8cf688427a0da259c5aa668454 Mon Sep 17 00:00:00 2001 From: Richard Bonhomme Date: Thu, 23 Aug 2018 20:12:55 +0100 Subject: [PATCH 05/22] libressl: introduce function make_ssl_config This function reads openssl-easyrsa.cnf and then removes "ENV::" and replaces "$vars" with value then writes the results to safessl-easyrsa.cnf --- easyrsa3/easyrsa | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index cede5b1..467dc6d 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
@@ -287,6 +287,28 @@ clean_temp() { done } # => clean_temp() +# Make LibreSSL safe config file from OpenSSL config file +make_ssl_config() { +sed -e "s,ENV::,,g" \ + -e "s,\$dir,$EASYRSA_PKI,g" \ + -e "s,\$EASYRSA_PKI,$EASYRSA_PKI,g" \ + -e "s,\$EASYRSA_CERT_EXPIRE,$EASYRSA_CERT_EXPIRE,g" \ + -e "s,\$EASYRSA_CRL_DAYS,$EASYRSA_CRL_DAYS,g" \ + -e "s,\$EASYRSA_DIGEST,$EASYRSA_DIGEST,g" \ + -e "s,\$EASYRSA_KEY_SIZE,$EASYRSA_KEY_SIZE,g" \ + -e "s,\$EASYRSA_DIGEST,$EASYRSA_DIGEST,g" \ + -e "s,\$EASYRSA_DN,$EASYRSA_DN,g" \ + -e "s,\$EASYRSA_REQ_COUNTRY,$EASYRSA_REQ_COUNTRY,g" \ + -e "s,\$EASYRSA_REQ_PROVINCE,$EASYRSA_REQ_PROVINCE,g" \ + -e "s,\$EASYRSA_REQ_CITY,$EASYRSA_REQ_CITY,g" \ + -e "s,\$EASYRSA_REQ_ORG,$EASYRSA_REQ_ORG,g" \ + -e "s,\$EASYRSA_REQ_OU,$EASYRSA_REQ_OU,g" \ + -e "s,\$EASYRSA_REQ_CN,$EASYRSA_REQ_CN,g" \ + -e "s,\$EASYRSA_REQ_EMAIL,$EASYRSA_REQ_EMAIL,g" \ + "$EASYRSA_SSL_CONF" > "$EASYRSA_SAFE_CONF" || die "\ +Failed to update $EASYRSA_SAFE_CONF" +} # => make_ssl_config() + vars_source_check() { # Check for defined EASYRSA_PKI [ -n "$EASYRSA_PKI" ] || die "\ From 673f158230bdf01ca8c40678b85cd5e72d362445 Mon Sep 17 00:00:00 2001 From: Richard Bonhomme Date: Thu, 23 Aug 2018 20:22:43 +0100 Subject: [PATCH 06/22] libressl: switch to using safessl-easyrsa.cnf Keep openssl-easyrsa.cnf but switch to using safessl-easyrsa.cnf Has the benefit of fixing easyrsa3 openssl version check for libressl --- easyrsa3/easyrsa | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 467dc6d..0aaec32 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
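Review bot: The values spliced into the replacement side of the `s,…,…,g` expressions in make_ssl_config are not escaped, so a `,`, `&` or `\` in any of them changes the sed program. A comma in `$EASYRSA_REQ_ORG` (say `Acme, Inc.`) makes sed reject the expression, and an `&` is expanded to the matched variable name instead of being copied. Escaping each value first avoids both, as sketched below; a value containing a newline would still have to be refused. The `$EASYRSA_DIGEST` expression is listed twice, and the result is redirected straight into `$EASYRSA_SAFE_CONF`, so a failed run can leave a truncated config where the later `-config` callers will read it.

```shell
# Escape \ & and , so a value is taken literally on the replacement side of s,...,...,
escape_sed_value() {
    printf '%s' "$1" | sed -e 's/[\\&,]/\\&/g'
}

make_ssl_config() {
    safe_pki="$(escape_sed_value "$EASYRSA_PKI")"
    safe_org="$(escape_sed_value "$EASYRSA_REQ_ORG")"
    # … the remaining EASYRSA_* values are escaped the same way …
    # … unchanged: the other -e expressions, each now using its escaped value …
    sed -e "s,ENV::,,g" \
        -e "s,\$dir,$safe_pki,g" \
        -e "s,\$EASYRSA_PKI,$safe_pki,g" \
        -e "s,\$EASYRSA_REQ_ORG,$safe_org,g" \
        "$EASYRSA_SSL_CONF" > "$EASYRSA_SAFE_CONF" || die "\
Failed to update $EASYRSA_SAFE_CONF"
} # => make_ssl_config()
```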
@@ -1162,7 +1162,9 @@ Note: using Easy-RSA configuration from: $vars" # Detect openssl config, preferring EASYRSA_PKI over EASYRSA if [ -f "$EASYRSA_PKI/openssl-easyrsa.cnf" ]; then set_var EASYRSA_SSL_CONF "$EASYRSA_PKI/openssl-easyrsa.cnf" + set_var EASYRSA_SAFE_CONF "$EASYRSA_PKI/safessl-easyrsa.cnf" else set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf" + set_var EASYRSA_SAFE_CONF "$EASYRSA/safessl-easyrsa.cnf" fi # Same as above for the x509-types extensions dir @@ -1181,7 +1183,7 @@ Note: using Easy-RSA configuration from: $vars" fi # Setting OPENSSL_CONF prevents bogus warnings (especially useful on win32) - export OPENSSL_CONF="$EASYRSA_SSL_CONF" + export OPENSSL_CONF="$EASYRSA_SAFE_CONF" } # vars_setup() # variable assignment by indirection when undefined; merely exports From 2688e2493dfa20344ae1d55754578c141d2c3c90 Mon Sep 17 00:00:00 2001 From: Richard Bonhomme Date: Thu, 23 Aug 2018 20:29:35 +0100 Subject: [PATCH 07/22] libressl: add notify SSL library in use --- easyrsa3/easyrsa | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 0aaec32..5bb01ba 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -318,7 +318,9 @@ EASYRSA_PKI env-var undefined" if [ -z "$EASYRSA_SSL_OK" ]; then val="$("$EASYRSA_OPENSSL" version)" case "${val%% *}" in - OpenSSL|LibreSSL) ;; + OpenSSL|LibreSSL) + notice "\ +Using SSL: $EASYRSA_OPENSSL $("$EASYRSA_OPENSSL" version)" ;; *) die "\ Missing or invalid OpenSSL Expected to find openssl command at: $EASYRSA_OPENSSL" From f13b8c7a0345919f6497a65d7e4770315c618672 Mon Sep 17 00:00:00 2001 From: Richard Bonhomme Date: Thu, 23 Aug 2018 20:36:48 +0100 Subject: [PATCH 08/22] libressl: use make_ssl_config() for easyrsa openssl version check --- easyrsa3/easyrsa | 3 +++ 1 file changed, 3 insertions(+) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 5bb01ba..5d6ffd7 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
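Review bot: In the `else` branch the generated file lands in the program directory, `set_var EASYRSA_SAFE_CONF "$EASYRSA/safessl-easyrsa.cnf"`, although make_ssl_config bakes `$EASYRSA_PKI` and the request fields of one PKI into it. If `$EASYRSA` is a read-only or shared install location, which cannot be seen from this hunk, the write fails or two PKIs overwrite each other's config. Keeping the output under the PKI in both branches, `set_var EASYRSA_SAFE_CONF "$EASYRSA_PKI/safessl-easyrsa.cnf"`, avoids that, provided the PKI directory exists when make_ssl_config first runs. The second hunk exports `OPENSSL_CONF` to a file that exists only after make_ssl_config has run, which deserves a comment on that line. vars_setup starts outside both hunks.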
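Review bot: The added `notice` in PATCH 07/22 runs `"$EASYRSA_OPENSSL" version` a second time although the result is already held in `val` from the line above the `case`. Reusing it keeps the message and the check on the same output: `Using SSL: $EASYRSA_OPENSSL $val`. The notice is also printed on every invocation that reaches this check unless `notice` is silenced elsewhere, which is not visible in this hunk.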
@@ -314,6 +314,9 @@ vars_source_check() { [ -n "$EASYRSA_PKI" ] || die "\ EASYRSA_PKI env-var undefined" + # make safessl-easyrsa.cnf + make_ssl_config + # Verify EASYRSA_OPENSSL command gives expected output if [ -z "$EASYRSA_SSL_OK" ]; then val="$("$EASYRSA_OPENSSL" version)" From 97681d486d3a0bde4503bc74881e0bf1e26abab5 Mon Sep 17 00:00:00 2001 From: Richard Bonhomme Date: Thu, 23 Aug 2018 21:05:26 +0100 Subject: [PATCH 09/22] libressl: use make_ssl_config and safessl-easyrsa.cnf for build_ca --- easyrsa3/easyrsa | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 5d6ffd7..a325e73 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -527,11 +527,15 @@ current CA keypair. If you intended to start a new CA, run init-pki first." "$EASYRSA_OPENSSL" ecparam -in "$EASYRSA_ALGO_PARAMS" -genkey | \ "$EASYRSA_OPENSSL" ec -out "$out_key_tmp" $crypto_opts fi + + # make safessl-easyrsa.cnf + make_ssl_config + # create the CA keypair: [ ! $nopass ] && crypto_opts="-passin file:$out_key_pass_tmp" #shellcheck disable=SC2086 "$EASYRSA_OPENSSL" req -utf8 -new -key "$out_key_tmp" \ - -config "$EASYRSA_SSL_CONF" -keyout "$out_key_tmp" -out "$out_file_tmp" $crypto_opts $opts || \ + -config "$EASYRSA_SAFE_CONF" -keyout "$out_key_tmp" -out "$out_file_tmp" $crypto_opts $opts || \ die "Failed to build the CA" mv "$out_key_tmp" "$out_key"; EASYRSA_TEMP_FILE_2= From 95d26a38405cc629851b281dd71b7ce9e0aae1d6 Mon Sep 17 00:00:00 2001 From: Richard Bonhomme Date: Thu, 23 Aug 2018 21:10:57 +0100 Subject: [PATCH 10/22] libressl: use make_ssl_config and safessl-easyrsa.cnf for gen_req --- easyrsa3/easyrsa | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index a325e73..c0ff406 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
@@ -626,13 +626,16 @@ $EASYRSA_EXTRA_EXTS" EASYRSA_SSL_CONF="$EASYRSA_TEMP_CONF" fi + # make safessl-easyrsa.cnf + make_ssl_config + key_out_tmp="$(mktemp "$key_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$key_out_tmp" req_out_tmp="$(mktemp "$req_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$req_out_tmp" # generate request [ $EASYRSA_BATCH ] && opts="$opts -batch" # shellcheck disable=SC2086 "$EASYRSA_OPENSSL" req -utf8 -new -newkey "$EASYRSA_ALGO":"$EASYRSA_ALGO_PARAMS" \ - -config "$EASYRSA_SSL_CONF" -keyout "$key_out_tmp" -out "$req_out_tmp" $opts \ + -config "$EASYRSA_SAFE_CONF" -keyout "$key_out_tmp" -out "$req_out_tmp" $opts \ || die "Failed to generate request" mv "$key_out_tmp" "$key_out"; EASYRSA_TEMP_FILE_2= mv "$req_out_tmp" "$req_out"; EASYRSA_TEMP_FILE_3= From 93785e1e25f8e785a8700789d1bd7d44fa4e7b68 Mon Sep 17 00:00:00 2001 From: Richard Bonhomme Date: Thu, 23 Aug 2018 21:12:39 +0100 Subject: [PATCH 11/22] libressl: use make_ssl_config and safessl-easyrsa.cnf for sign_req --- easyrsa3/easyrsa | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index c0ff406..871ca34 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -745,10 +745,13 @@ $(display_dn req "$req_in") Failed to create temp extension file (bad permissions?) at: $EASYRSA_TEMP_EXT" + # make safessl-easyrsa.cnf + make_ssl_config + # sign request # shellcheck disable=SC2086 crt_out_tmp="$(mktemp "$crt_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$crt_out_tmp" - "$EASYRSA_OPENSSL" ca -utf8 -in "$req_in" -out "$crt_out_tmp" -config "$EASYRSA_SSL_CONF" \ + "$EASYRSA_OPENSSL" ca -utf8 -in "$req_in" -out "$crt_out_tmp" -config "$EASYRSA_SAFE_CONF" \ -extfile "$EASYRSA_TEMP_EXT" -days "$EASYRSA_CERT_EXPIRE" -batch $opts \ || die "signing failed (openssl output above may have more detail)" mv "$crt_out_tmp" "$crt_out"; EASYRSA_TEMP_FILE_2= From d1e72d4ea7130db773a7e7d65231083f8278fbb0 Mon Sep 17 00:00:00 2001 
From: Richard Bonhomme Date: Thu, 23 Aug 2018 21:16:32 +0100 Subject: [PATCH 12/22] libressl: use make_ssl_config and safessl-easyrsa.cnf for gen_crl --- easyrsa3/easyrsa | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 871ca34..db6eb36 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -847,9 +847,12 @@ infrastructure in order to prevent the revoked cert from being accepted. gen_crl() { verify_ca_init + # make safessl-easyrsa.cnf + make_ssl_config + out_file="$EASYRSA_PKI/crl.pem" out_file_tmp="$(mktemp "$out_file.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$out_file_tmp" - "$EASYRSA_OPENSSL" ca -utf8 -gencrl -out "$out_file_tmp" -config "$EASYRSA_SSL_CONF" || die "\ + "$EASYRSA_OPENSSL" ca -utf8 -gencrl -out "$out_file_tmp" -config "$EASYRSA_SAFE_CONF" || die "\ CRL Generation failed. " mv "$out_file_tmp" "$out_file"; EASYRSA_TEMP_FILE_2= From e9d6393da33bdc9cc554a1bd6f762368c41882d1 Mon Sep 17 00:00:00 2001 From: Richard Bonhomme Date: Thu, 23 Aug 2018 21:20:53 +0100 Subject: [PATCH 13/22] libressl: use make_ssl_config and safessl-easyrsa.cnf for revoke --- easyrsa3/easyrsa | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index db6eb36..cef181e 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -831,7 +831,10 @@ $(display_dn x509 "$crt_in") Unable to revoke as no certificate was found. Certificate was expected at: $crt_in" - "$EASYRSA_OPENSSL" ca -utf8 -revoke "$crt_in" -config "$EASYRSA_SSL_CONF" || die "\ + # make safessl-easyrsa.cnf + make_ssl_config + + "$EASYRSA_OPENSSL" ca -utf8 -revoke "$crt_in" -config "$EASYRSA_SAFE_CONF" || die "\ Failed to revoke certificate: revocation command failed." notice "\ From 815d45a0083e2c944a2a9e47e892c9985f1a326a Mon Sep 17 00:00:00 2001 
From: Richard Bonhomme Date: Thu, 23 Aug 2018 21:26:30 +0100 Subject: [PATCH 14/22] libressl: minor style corrections --- easyrsa3/easyrsa | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index cef181e..44475d6 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -321,12 +321,12 @@ EASYRSA_PKI env-var undefined" if [ -z "$EASYRSA_SSL_OK" ]; then val="$("$EASYRSA_OPENSSL" version)" case "${val%% *}" in - OpenSSL|LibreSSL) + OpenSSL|LibreSSL) notice "\ Using SSL: $EASYRSA_OPENSSL $("$EASYRSA_OPENSSL" version)" ;; *) die "\ Missing or invalid OpenSSL -Expected to find openssl command at: $EASYRSA_OPENSSL" +Expected to find openssl command at: $EASYRSA_OPENSSL" ;; esac fi EASYRSA_SSL_OK=1 From f9e659a54094aba92e12f529e76bfd7bd0fd3249 Mon Sep 17 00:00:00 2001 From: Eric F Crist Date: Thu, 23 Aug 2018 16:10:22 -0500 Subject: [PATCH 15/22] shellcheck provided in travis-ci by default Apparently no longer required to install shellcheck in the travis-ci environment. See https://github.com/koalaman/shellcheck/wiki/TravisCI Signed-off-by: Eric F Crist --- .travis.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index bd946c9..14b0477 100644 --- a/.travis.yml +++ b/.travis.yml @@ -6,8 +6,6 @@ addons: apt: sources: - debian-sid - packages: - - shellcheck env: - PATH=/usr/bin:/bin:./ script: From 81dfc91e1a686b4d79fac0f07f3b2a45e6223bce Mon Sep 17 00:00:00 2001 From: Eric F Crist Date: Thu, 23 Aug 2018 16:16:29 -0500 Subject: [PATCH 16/22] Travis-CI, yay! :\ --- .travis.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.travis.yml b/.travis.yml index 14b0477..b4d6b14 100644 --- a/.travis.yml +++ b/.travis.yml @@ -9,6 +9,7 @@ addons: env: - PATH=/usr/bin:/bin:./ script: + - which shellcheck - bash -c 'export SHELLCHECK_OPTS="-e SC2006"; shopt -s globstar; shellcheck **/*.sh easyrsa3/easyrsa' - bash -c 'pwd' - bash -c 'ls -la' 
From f22cd26caaf953186edb895302af4ec46c5a1016 Mon Sep 17 00:00:00 2001 From: Eric F Crist Date: Thu, 23 Aug 2018 16:23:57 -0500 Subject: [PATCH 17/22] gah --- .travis.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.travis.yml b/.travis.yml index b4d6b14..04478c1 100644 --- a/.travis.yml +++ b/.travis.yml @@ -6,6 +6,8 @@ addons: apt: sources: - debian-sid + packages: + - shellcheck env: - PATH=/usr/bin:/bin:./ script: From 376c62f2b81e36db6f449ac7673013075b0c3ef1 Mon Sep 17 00:00:00 2001 From: Eric F Crist Date: Thu, 23 Aug 2018 16:51:17 -0500 Subject: [PATCH 18/22] Update default certificate length, comments - Resolve #57, set default certificate length to 1080 days, leaves CA certifcates at 3650 - Add EasyRSA version to certificate comment for later troubleshooting and identification. Signed-off-by: Eric F Crist --- build/build-dist.sh | 4 ++++ easyrsa3/easyrsa | 6 +++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/build/build-dist.sh b/build/build-dist.sh index 5bc91e5..1ce5c8a 100755 --- a/build/build-dist.sh +++ b/build/build-dist.sh @@ -73,9 +73,11 @@ stage_unix() { src_files="easyrsa3/ Licensing/ COPYING.md ChangeLog README.md README.quickstart.md" for f in $src_files do + sed -i -e "s/~~~/$VERSION/" "$SRC_ROOT/$f" cp -a "$SRC_ROOT/$f" "$DIST_ROOT/unix/$PV" || die "failed to copy $f" done + sed -i -e "s/~~~/$VERSION/" "$SRC_ROOT/$f" cp -R "$SRC_ROOT/doc" "$DIST_ROOT/unix/$PV/" || die "failed to copy unix doc" # files not included @@ -92,6 +94,7 @@ stage_win() { for f in $SRC_ROOT/doc/*.md; do fname=$(basename "$f" .md) + sed -i -e "s/~~~/$VERSION/" "$SRC_ROOT/$f" python -m markdown "$f" > "$DIST_ROOT/windows/$PV/doc/$fname.html" done @@ -103,6 +106,7 @@ stage_win() { src_files="easyrsa3/ ChangeLog COPYING.md" for f in $src_files do + sed -i -e "s/~~~/$VERSION/" "$SRC_ROOT/$f" cp -a "$SRC_ROOT/$f" "$DIST_ROOT/windows/$PV" || die "failed to copy $f" done diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 44475d6..16b219e 100755 
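Review bot: In the stage_win doc loop `f` already holds a full path from `for f in $SRC_ROOT/doc/*.md`, so the added `sed -i -e "s/~~~/$VERSION/" "$SRC_ROOT/$f"` names `$SRC_ROOT/$SRC_ROOT/doc/…`, and its failure is unchecked. The same added line edits the source tree in place rather than the staged copy, and in the two `src_files` loops it is pointed at directories such as `easyrsa3/`. For the doc loop, stamping the version into the generated output leaves the sources untouched: `sed -e "s/~~~/$VERSION/" "$f" | python -m markdown > "$DIST_ROOT/windows/$PV/doc/$fname.html"`. The doc-loop line is left in place by PATCH 19/22 and appears again in the build-dist.sh hunk of PATCH 22/22.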
--- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -2,7 +2,7 @@ # Easy-RSA 3 -- A Shell-based CA Utility # -# Copyright (C) 2013 by the Open-Source OpenVPN development community. +# Copyright (C) 2018 by the Open-Source OpenVPN development community. # A full list of contributors can be found in the ChangeLog. # # This code released under version 2 of the GNU GPL; see COPYING and the @@ -1169,10 +1169,10 @@ Note: using Easy-RSA configuration from: $vars" set_var EASYRSA_CURVE secp384r1 set_var EASYRSA_EC_DIR "$EASYRSA_PKI/ecparams" set_var EASYRSA_CA_EXPIRE 3650 - set_var EASYRSA_CERT_EXPIRE 3650 + set_var EASYRSA_CERT_EXPIRE 1080 # new default of 36 months set_var EASYRSA_CRL_DAYS 180 set_var EASYRSA_NS_SUPPORT no - set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate" + set_var EASYRSA_NS_COMMENT "Easy-RSA (~~~) Generated Certificate" set_var EASYRSA_TEMP_CONF "$EASYRSA_PKI/openssl-easyrsa.temp" set_var EASYRSA_TEMP_EXT "$EASYRSA_PKI/extensions.temp" set_var EASYRSA_TEMP_FILE_2 "" From 1eccb901482dca0d005ff668a8848af1739c346c Mon Sep 17 00:00:00 2001 From: Eric F Crist Date: Thu, 23 Aug 2018 17:01:55 -0500 Subject: [PATCH 19/22] Correct sed work on version replacement Signed-off-by: Eric F Crist --- build/build-dist.sh | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/build/build-dist.sh b/build/build-dist.sh index 1ce5c8a..70c13f0 100755 --- a/build/build-dist.sh +++ b/build/build-dist.sh @@ -73,13 +73,13 @@ stage_unix() { src_files="easyrsa3/ Licensing/ COPYING.md ChangeLog README.md README.quickstart.md" for f in $src_files do - sed -i -e "s/~~~/$VERSION/" "$SRC_ROOT/$f" cp -a "$SRC_ROOT/$f" "$DIST_ROOT/unix/$PV" || die "failed to copy $f" done - sed -i -e "s/~~~/$VERSION/" "$SRC_ROOT/$f" cp -R "$SRC_ROOT/doc" "$DIST_ROOT/unix/$PV/" || die "failed to copy unix doc" + sed -i -e "s/~~~/$VERSION/" "$DIST_ROOT/unix/$PV/easyrsa" + # files not included rm -rf "$DIST_ROOT/unix/$PV/doc/TODO" || die "failed rm TODO" } 
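Review bot: `EASYRSA_NS_COMMENT` now carries a build placeholder, `"Easy-RSA (~~~) Generated Certificate"`, which is replaced only when a dist build runs sed over the script; run from a checkout, the literal `~~~` is what ends up in the certificate comment. After PATCH 19/22 the replacement is applied to `$DIST_ROOT/unix/$PV/easyrsa` only, so the Windows staging copy appears to keep the placeholder as well. A comment on the `set_var` line, `# ~~~ is replaced with the release version by build/build-dist.sh`, would explain the token. Separately, the trailing comment says 36 months, while 1080 days is 36 thirty-day months, 15 days short of three 365-day years. The same two lines appear in the easyrsa hunk of PATCH 22/22.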
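Review bot: The new `sed -i -e "s/~~~/$VERSION/" "$DIST_ROOT/unix/$PV/easyrsa"` in stage_unix (PATCH 19/22) has no failure check, unlike the `cp` lines around it, which end in `|| die`. Appending `|| die "failed to set version in easyrsa"` keeps a release from shipping with the placeholder unnoticed. `sed -i` without a suffix argument is the GNU form; BSD sed takes the next word as the backup suffix, so the script would behave differently on a BSD build host.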
@@ -106,7 +106,6 @@ stage_win() { src_files="easyrsa3/ ChangeLog COPYING.md" for f in $src_files do - sed -i -e "s/~~~/$VERSION/" "$SRC_ROOT/$f" cp -a "$SRC_ROOT/$f" "$DIST_ROOT/windows/$PV" || die "failed to copy $f" done From 4d084268b8e939cc58a9ea7b5503860283a148fb Mon Sep 17 00:00:00 2001 From: Richard Bonhomme Date: Fri, 7 Sep 2018 13:23:35 +0100 Subject: [PATCH 20/22] Fix set_pass() 'nopass' option --- easyrsa3/easyrsa | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 16b219e..db5c9e8 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1012,7 +1012,7 @@ $file" If the key is currently encrypted you must supply the decryption passphrase. ${crypto:+You will then enter a new PEM passphrase for this key.$NL}" - "$EASYRSA_OPENSSL" "$key_type" -in "$file" -out "$file" "$crypto" || die "\ + "$EASYRSA_OPENSSL" "$key_type" -in "$file" -out "$file" $crypto || die "\ Failed to change the private key passphrase. See above for possible openssl error messages." From a6192a7fe9abd1ec4c5dd1c40c13a58c63afcb75 Mon Sep 17 00:00:00 2001 From: Eric F Crist Date: Fri, 7 Sep 2018 09:14:27 -0500 Subject: [PATCH 21/22] Update copyright date. Signed-off-by: Eric F Crist --- easyrsa3/easyrsa | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 44475d6..5f79bd5 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -2,7 +2,7 @@ # Easy-RSA 3 -- A Shell-based CA Utility # -# Copyright (C) 2013 by the Open-Source OpenVPN development community. +# Copyright (C) 2018 by the Open-Source OpenVPN development community. # A full list of contributors can be found in the ChangeLog. # # This code released under version 2 of the GNU GPL; see COPYING and the From d0326c0d498e02c9f5bdc8a3ff479104264f4b6b Mon Sep 17 00:00:00 2001 From: Eric F Crist Date: Fri, 7 Sep 2018 09:41:39 -0500 Subject: [PATCH 22/22] Merge in other commits suitable for v3.0.5 from masteer. 
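Review bot: The key is rewritten in place, `-in "$file" -out "$file"`, so if openssl fails after it has opened the output (a mistyped new passphrase, for instance) the only copy of the private key may be left truncated; whether that happens depends on the openssl build and cannot be shown from this hunk. Writing to a temp file and moving it into place on success, as gen_req does with `key_out_tmp`, removes the risk: `-out "$key_tmp"` followed by `mv "$key_tmp" "$file"`. The now-unquoted `$crypto` also needs `# shellcheck disable=SC2086` on the line above, as the other unquoted `$opts` calls have, since CI runs shellcheck on this file. The same line appears in the easyrsa hunk of PATCH 22/22, and set_pass starts and ends outside the hunk.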
Signed-off-by: Eric F Crist --- build/build-dist.sh | 3 +++ easyrsa3/easyrsa | 8 ++++---- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/build/build-dist.sh b/build/build-dist.sh index 5bc91e5..70c13f0 100755 --- a/build/build-dist.sh +++ b/build/build-dist.sh @@ -78,6 +78,8 @@ stage_unix() { cp -R "$SRC_ROOT/doc" "$DIST_ROOT/unix/$PV/" || die "failed to copy unix doc" + sed -i -e "s/~~~/$VERSION/" "$DIST_ROOT/unix/$PV/easyrsa" + # files not included rm -rf "$DIST_ROOT/unix/$PV/doc/TODO" || die "failed rm TODO" } @@ -92,6 +94,7 @@ stage_win() { for f in $SRC_ROOT/doc/*.md; do fname=$(basename "$f" .md) + sed -i -e "s/~~~/$VERSION/" "$SRC_ROOT/$f" python -m markdown "$f" > "$DIST_ROOT/windows/$PV/doc/$fname.html" done diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index cede5b1..c78323f 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -2,7 +2,7 @@ # Easy-RSA 3 -- A Shell-based CA Utility # -# Copyright (C) 2013 by the Open-Source OpenVPN development community. +# Copyright (C) 2018 by the Open-Source OpenVPN development community. # A full list of contributors can be found in the ChangeLog. # # This code released under version 2 of the GNU GPL; see COPYING and the @@ -969,7 +969,7 @@ $file" If the key is currently encrypted you must supply the decryption passphrase. ${crypto:+You will then enter a new PEM passphrase for this key.$NL}" - "$EASYRSA_OPENSSL" "$key_type" -in "$file" -out "$file" "$crypto" || die "\ + "$EASYRSA_OPENSSL" "$key_type" -in "$file" -out "$file" $crypto || die "\ Failed to change the private key passphrase. See above for possible openssl error messages." 
@@ -1126,10 +1126,10 @@ Note: using Easy-RSA configuration from: $vars" set_var EASYRSA_CURVE secp384r1 set_var EASYRSA_EC_DIR "$EASYRSA_PKI/ecparams" set_var EASYRSA_CA_EXPIRE 3650 - set_var EASYRSA_CERT_EXPIRE 3650 + set_var EASYRSA_CERT_EXPIRE 1080 # new default of 36 months set_var EASYRSA_CRL_DAYS 180 set_var EASYRSA_NS_SUPPORT no - set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate" + set_var EASYRSA_NS_COMMENT "Easy-RSA (~~~) Generated Certificate" set_var EASYRSA_TEMP_CONF "$EASYRSA_PKI/openssl-easyrsa.temp" set_var EASYRSA_TEMP_EXT "$EASYRSA_PKI/extensions.temp" set_var EASYRSA_TEMP_FILE_2 ""