diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index abd7b52..98a13d5 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -5844,301 +5844,6 @@ change these values: ${unexpected_error}" } # => validate_default_vars() -# vars setup -# Here sourcing of 'vars' if present occurs. -# If not present, defaults are used to support -# running without a sourced config format -vars_setup() { - die "vars_setup: DISABLED" - # Try to locate a 'vars' file in order of preference. - # If one is found then source it. - # NOTE: EASYRSA_PKI is never set here, - # unless cmd-line --pki-dir= is set. - # NOTE: EASYRSA is never set here, - # unless done so outside of easyrsa. - vars= - - # Find vars - # User set vars '$user_vars_true' takes priority - # Deliberate NO vars - if [ "$EASYRSA_NO_VARS" ]; then - user_vars_true=1 - # Found exactly zero vars files - found_vars=0 - - # Priority: Explicit user defined vars file: - elif [ "$EASYRSA_VARS_FILE" ]; then - if [ -e "$EASYRSA_VARS_FILE" ]; then - vars="$EASYRSA_VARS_FILE" - # User set vars turns off pki/var warning - user_vars_true=1 - # Found exactly one vars file - found_vars=1 - else - # If the --vars option does not point to a file - user_error "\ -The 'vars' file was not found: -* $EASYRSA_VARS_FILE" - fi - - # Secondary: Setting EASYRSA forces vars to EASYRSA/vars - elif [ "$EASYRSA" ]; then - if [ -e "$EASYRSA/vars" ]; then - vars="${EASYRSA}/vars" - user_vars_true=1 - found_vars=1 - else - # Allow to run without EASYRSA/vars file - user_vars_true=1 - found_vars=0 - fi - - # Otherwise, find vars - else - - # If EASYRSA_PKI is set then it is user set, - # allow use of the default vars in the set PKI - if [ "$EASYRSA_PKI" ]; then - # EASYRSA_PKI will not be changed by vars - pki_vars="${EASYRSA_PKI}/vars" - else - # default pki/vars - # if this conflicts then bail - pki_vars="${PWD}/pki/vars" - - # Setup "catch EXPECTED PKI changed" - # auto-load 'pki/vars' is FORBIDDEN to change PKI - expected_pki="${PWD}/pki" - fi - - # vars of last resort; The Default - pwd_vars="$PWD/vars" - - # Clear flags - This is the preferred order to find: - unset -v \ - e_pki_vars e_pwd_vars \ - found_vars vars_in_pki - - # PKI location, if present: - [ -e "$pki_vars" ] && e_pki_vars=1 - - # vars of last resort - [ -e "$pwd_vars" ] && e_pwd_vars=1 - - # Allow only one vars to be found, No exceptions! - found_vars="$(( - e_pki_vars + e_pwd_vars - ))" - verbose "vars_setup: found_vars = '$found_vars'" - - # If found_vars greater than 1 - # then output user info and exit - case "$found_vars" in - 0) - : # ok - ;; - 1) - # If a SINGLE vars file is found - # then assign $vars - [ "$e_pwd_vars" ] && vars="$pwd_vars" - if [ "$e_pki_vars" ]; then - vars="$pki_vars" - vars_in_pki=1 - else - unset -v vars_in_pki - fi - ;; - *) - found_msg="" - [ "$e_pki_vars" ] && \ - found_msg="${found_msg}${NL} * Found pki_vars : $pki_vars" - [ "$e_pwd_vars" ] && \ - found_msg="${found_msg}${NL} * Found pwd_vars : $pwd_vars" - - # If command is not 'help' etc then Error out - [ "$ignore_vars" ] || user_error "\ -Conflicting 'vars' files found: -$found_msg - -Use option --vars= to define the vars file -or remove the conflicting vars files. - -Easy-RSA recommends moving your vars file to your PKI and using -option --pki=, which will auto-select the correct vars file." - - verbose "vars_setup: Conflicting vars IGNORED" - esac - verbose "vars_setup: vars = '$vars'" - - # Clean up - unset -v pwd_vars pki_vars - # END: Find vars - fi - - # If EASYRSA_NO_VARS is defined then do not use vars - # If PKI is not required then located vars files are - # not required - if [ "$EASYRSA_NO_VARS" ]; then - verbose "vars_setup: EASYRSA_NO_VARS enabled" - - # $vars remains undefined .. no vars found - # 'install_data_to_pki vars-setup' will NOT - # create a default PKI/vars, no_new_vars - elif [ -z "$vars" ]; then - # If PKI is required then warn - # For init-pki, version and help, skip this - if [ "$require_pki" ]; then - information "\ -No Easy-RSA 'vars' configuration file exists!" - fi - - # If a vars file was located then source it - else - - # 'vars' MUST not be a directory - [ -d "$vars" ] && user_error "\ -Missing vars file: -* $vars" - - # 'vars' now MUST exist - [ -e "$vars" ] || user_error "\ -Missing vars file: -* $vars" - - # Installation information - [ "$require_pki" ] && information "\ -Using Easy-RSA 'vars' configuration: -* $vars" - - # Sanitize vars - if grep -q \ - -e 'EASYRSA_PASSIN' -e 'EASYRSA_PASSOUT' \ - -e '[^(]`[^)]' \ - "$vars" - then - user_error "\ -One or more of these problems has been found in your 'vars' file: - -* Use of 'EASYRSA_PASSIN' or 'EASYRSA_PASSOUT': -Storing password information in the 'vars' file is not permitted. - -* Use of unsupported characters: -These characters are not supported: \` backtick - -Please, correct these errors and try again." - fi - - # Sanitize vars - if grep -q \ - -e '[[:blank:]]export[[:blank:]]*' \ - -e '[[:blank:]]unset[[:blank:]]*' \ - "$vars" - then - user_error "\ -One or more of these problems has been found in your 'vars' file: - -* Use of 'export': -Remove 'export' or replace it with 'set_var'. - -* Use of 'unset': -Remove 'unset' ('force_set_var' may also work)." - fi - - # Enable sourcing 'vars' - # shellcheck disable=SC2034 # appears unused - EASYRSA_CALLER=1 - easyrsa_path="$PATH" - # shellcheck disable=SC2123 # PATH is the shell .. - PATH=./ - - # Test sourcing 'vars' in a subshell - # shellcheck disable=1090 # can't follow .. vars - ( . "$vars" ) || \ - die "Failed to dry-run the vars file." - - # Source 'vars' now - # shellcheck disable=1090 # can't follow .. vars - . "$vars" || \ - die "Failed to source the vars file." - - PATH="$easyrsa_path" - unset -v EASYRSA_CALLER easyrsa_path - verbose "vars_setup: sourced 'vars' OK" - fi - - # Set defaults, preferring existing env-vars if present - set_var EASYRSA "$PWD" - set_var EASYRSA_OPENSSL openssl - set_var EASYRSA_PKI "$EASYRSA/pki" - set_var EASYRSA_DN cn_only - set_var EASYRSA_REQ_COUNTRY "US" - set_var EASYRSA_REQ_PROVINCE "California" - set_var EASYRSA_REQ_CITY "San Francisco" - set_var EASYRSA_REQ_ORG "Copyleft Certificate Co" - set_var EASYRSA_REQ_EMAIL me@example.net - set_var EASYRSA_REQ_OU "My Organizational Unit" - set_var EASYRSA_REQ_SERIAL "" - set_var EASYRSA_ALGO rsa - set_var EASYRSA_KEY_SIZE 2048 - - case "$EASYRSA_ALGO" in - rsa) - : # ok - # default EASYRSA_KEY_SIZE must always be set - # it must NOT be set selectively because it is - # present in the SSL config file - ;; - ec) - set_var EASYRSA_CURVE secp384r1 - ;; - ed) - set_var EASYRSA_CURVE ed25519 - ;; - *) user_error "\ -Algorithm '$EASYRSA_ALGO' is invalid: Must be 'rsa', 'ec' or 'ed'" - esac - - set_var EASYRSA_CA_EXPIRE 3650 - set_var EASYRSA_CERT_EXPIRE 825 - set_var \ - EASYRSA_PRE_EXPIRY_WINDOW 90 - set_var EASYRSA_CRL_DAYS 180 - set_var EASYRSA_NS_SUPPORT no - set_var EASYRSA_NS_COMMENT \ - "Easy-RSA (~VER~) Generated Certificate" - - set_var EASYRSA_TEMP_DIR "$EASYRSA_PKI" - set_var EASYRSA_REQ_CN ChangeMe - set_var EASYRSA_DIGEST sha256 - - set_var EASYRSA_SSL_CONF \ - "$EASYRSA_PKI/openssl-easyrsa.cnf" - set_var EASYRSA_SAFE_CONF \ - "$EASYRSA_PKI/safessl-easyrsa.cnf" - - set_var EASYRSA_KDC_REALM "CHANGEME.EXAMPLE.COM" - - set_var EASYRSA_MAX_TEMP 4 - - # Catch unexpected PKI change - if [ "$expected_pki" ]; then - [ "$expected_pki" = "$EASYRSA_PKI" ] || \ - user_error "\ -The PKI was unexpectedly changed by the vars file. - - * vars : $vars - * Expected: $expected_pki - * Set : $EASYRSA_PKI" - fi - - # if the vars file in use is not in the PKI - # and not user defined then Show the messages - if [ "$require_pki" ]; then - prefer_vars_in_pki_msg - fi - verbose "vars_setup: COMPLETED" -} # => vars_setup() - # Verify working environment verify_working_env() { # Do not allow demented paths, eg: '/' or '\'