Merge branch 'master' into pkcs1

2022-04-25 16:37:45 +03:00 · 2022-04-25 16:37:45 +03:00 · b80ec52810
commit b80ec52810
parent 21ddca1af9 7e3242b636
7 changed files with 987 additions and 594 deletions
--- a/.github/workflows/action.yml
+++ b/.github/workflows/action.yml
@ -21,7 +21,7 @@ jobs:
    runs-on: ubuntu-latest

    env:
-      #EASYRSA_BY_TINCANTECH: 1
+      EASYRSA_BY_TINCANTECH: 1
      EASYRSA_REMOTE_CI: 1
      EASYRSA_NIX: 1
      TERM: xterm-256color
@ -33,7 +33,7 @@ jobs:

      # Runs a single command using the runners shell
      - name: operational test
-        run: sh op-test.sh -v
+        run: sh op-test.sh -v -sc -o3

      # Runs a set of commands using the runners shell
      # - name: Run a multi-line script
--- a/6
+++ b/6
@ -1,11 +1,17 @@
 Easy-RSA 3 ChangeLog

 3.1.0 (TBD)
+   * Support Windows-Git 'version of bash' (#533)
+   * Disallow use of single quote (') in vars file, Warning (#530)
+   * Creating a CA uses x509-types/ca and COMMON (#526)
   * Prefer 'PKI/vars' over all other locations (#528)
   * Introduce 'init-pki soft'  option (#197)
   * Warnings are no longer silenced by --batch (#523)
   * Improve packaging options (#510)
   * Introduce basic support for OpenSSL version 3 (#492)
+
+   * New maintenance begins.
+
   * Upgrade OpenSSL from 1.1.0j to 1.1.1m (#405, #407) 
   * Fix --version so it uses EASYRSA_OPENSSL (#416)
   * Use openssl rand instead of non-POSIX mktemp (#478)
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
--- a/easyrsa3/openssl-easyrsa.cnf
+++ b/easyrsa3/openssl-easyrsa.cnf
@ -128,8 +128,8 @@ keyUsage = cRLSign, keyCertSign
 # nsCertType omitted by default. Let's try to let the deprecated stuff die.
 # nsCertType = sslCA

-# A placeholder to handle the $X509_TYPES:
-#%X509_TYPES%	# Do NOT remove or change this line as $X509_TYPES demands it
+# A placeholder to handle the $X509_TYPES and CA extra extensions $EXTRA_EXTS:
+#%CA_X509_TYPES_EXTRA_EXTS%	# Do NOT remove or change this line as $X509_TYPES and EXTRA_EXTS demands it

 # CRL extensions.
 [ crl_ext ]
--- a/easyrsa3/vars.example
+++ b/easyrsa3/vars.example
@ -1,22 +1,22 @@
 # Easy-RSA 3 parameter settings

-# NOTE: If you installed Easy-RSA from your distro's package manager, don't edit
+# NOTE: If you installed Easy-RSA from your package manager, do not edit
 # this file in place -- instead, you should copy the entire easy-rsa directory
-# to another location so future upgrades don't wipe out your changes.
+# to another location so future upgrades do not wipe out your changes.

 # HOW TO USE THIS FILE
 #
 # vars.example contains built-in examples to Easy-RSA settings. You MUST name
-# this file 'vars' if you want it to be used as a configuration file. If you do
+# this file "vars" if you want it to be used as a configuration file. If you do
 # not, it WILL NOT be automatically read when you call easyrsa commands.
 #
 # It is not necessary to use this config file unless you wish to change
 # operational defaults. These defaults should be fine for many uses without the
-# need to copy and edit the 'vars' file.
+# need to copy and edit the "vars" file.
 #
 # All of the editable settings are shown commented and start with the command
-# 'set_var' -- this means any set_var command that is uncommented has been
-# modified by the user. If you're happy with a default, there is no need to
+# "set_var" -- this means any set_var command that is uncommented has been
+# modified by the user. If you are happy with a default, there is no need to
 # define the value to its default.

 # NOTES FOR WINDOWS USERS
@ -26,14 +26,14 @@
 # the openssl binary might look like this:
 # "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"

-# A little housekeeping: DON'T EDIT THIS SECTION
+# A little housekeeping: DO NOT EDIT THIS SECTION
 #
-# Easy-RSA 3.x doesn't source into the environment directly.
+# Easy-RSA 3.x does not source into the environment directly.
 # Complain if a user tries to do this:
 if [ -z "$EASYRSA_CALLER" ]; then
-	echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
+	echo "You appear to be sourcing an Easy-RSA *vars* file." >&2
 	echo "This is no longer necessary and is disallowed. See the section called" >&2
-	echo "'How to use this file' near the top comments for more details." >&2
+	echo "*How to use this file* near the top comments for more details." >&2
 	return 1
 fi

@ -78,7 +78,7 @@ fi
 # Define X509 DN mode.
 # This is used to adjust what elements are included in the Subject field as the DN
 # (this is the "Distinguished Name.")
-# Note that in cn_only mode the Organizational fields further below aren't used.
+# Note that in cn_only mode the Organizational fields further below are not used.
 #
 # Choices are:
 #   cn_only  - use just a CN value
@ -86,9 +86,9 @@ fi

 #set_var EASYRSA_DN	"cn_only"

-# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.)
+# Organizational fields (used with "org" mode and ignored in "cn_only" mode.)
 # These are the default values for fields which will be placed in the
-# certificate.  Don't leave any of these fields blank, although interactively
+# certificate.  Do not leave any of these fields blank, although interactively
 # you may omit any specific field by typing the "." symbol (not valid for
 # email.)

@ -171,9 +171,9 @@ fi
 # Broken shell command aliases: If you have a largely broken shell that is
 # missing any of these POSIX-required commands used by Easy-RSA, you will need
 # to define an alias to the proper path for the command.  The symptom will be
-# some form of a 'command not found' error from your shell. This means your
+# some form of a "command not found" error from your shell. This means your
 # shell is BROKEN, but you can hack around it here if you really need. These
-# shown values are not defaults: it is up to you to know what you're doing if
+# shown values are not defaults: it is up to you to know what you are doing if
 # you touch these.
 #
 #alias awk="/alt/bin/awk"
@ -182,9 +182,9 @@ fi
 # X509 extensions directory:
 # If you want to customize the X509 extensions used, set the directory to look
 # for extensions here. Each cert type you sign must have a matching filename,
-# and an optional file named 'COMMON' is included first when present. Note that
+# and an optional file named "COMMON" is included first when present. Note that
 # when undefined here, default behaviour is to look in $EASYRSA_PKI first, then
-# fallback to $EASYRSA for the 'x509-types' dir.  You may override this
+# fallback to $EASYRSA for the "x509-types" dir.  You may override this
 # detection with an explicit dir here.
 #
 #set_var EASYRSA_EXT_DIR	"$EASYRSA/x509-types"
--- a/op-test.sh
+++ b/op-test.sh
@ -4,74 +4,388 @@
 # and executes that - allows for disconnected testing from the easy-rsa
 # repo with TravisCI.

-verb='-v'
-enable_shellcheck=1
+# log
+log () {
+	[ "$disable_log" ] && return
+	if printf '%s\n' "* $*"; then
+		return
+	else
+		echo "printf failed"
+		exit 9
+	fi
+} # => log ()
+
+# clean up
+clean_up () {
+	if [ "$no_delete" ]; then
+		log "saved final state.."
+	else
+		log "op-test: clean_up"
+		if [ "$EASYRSA_NIX" ]; then
+			[ "$keep_eut" ] || rm -f "$utest_bin"
+			[ "$keep_sc" ] || rm -f "$sc_bin"
+			[ "$keep_ssl" ] || rm -f "$ssl_bin"
+		fi
+	fi
+} # => clean_up ()
+
+# curl download and openssl hash
+# wing it ..
+curl_it () {
+	#log "BEGIN: curl_it"
+	if [ "$#" -eq 2 ]; then
+		file="$1"
+		hash="$2"
+	else
+		log "> Usage: <file> <hash>"
+		return 1
+	fi
+
+	if [ "$enable_curl" ]; then
+		: # ok
+	else
+		log "> curl disabled"
+		return 0
+	fi
+
+	# valid target
+	case "$file" in
+	easyrsa-unit-tests.sh)
+		unset -v require_hash
+	;;
+	shellcheck|openssl)
+		require_hash=1
+	;;
+	*)
+		log "> invalid target: $file"
+		return 1
+	esac
+
+	# download
+	if [ "$enable_curl" ]; then
+		log "> download: ${gh_url}/${file}"
+		curl -SO "${gh_url}/${file}" || \
+			log "> download failed: ${file}"
+	else
+		log "> curl disabled"
+	fi
+
+	# hash download
+	if [ "${require_hash}" ]; then
+		if [ -e "${file}" ]; then
+			log "> hash ${file}"
+			temp_hash="$(openssl sha256 "${file}")"
+			#log "temp_hash: $temp_hash"
+			#log "hash     : $hash"
+			if [ "$temp_hash" = "$hash" ]; then
+				: # OK - hash is good
+			else
+				log "> hash failed: ${file}"
+				return 1
+			fi
+		else
+			log "> file missing: ${file}"
+			return 1
+		fi
+	else
+		if [ -e "${file}" ]; then
+			: # ok - file is here
+		else
+			log "> file missing: ${file}"
+			return 1
+		fi
+	fi
+} # => curl_it ()
+
+################################################################################
+
+# RUN unit test
+run_unit_test ()
+{
+	if [ "${utest_bin_ok}" ] && [ "${ssl_bin_ok}" ]; then
+
+		# Start unit tests
+		log ">>> BEGIN unit tests:"
+		[ "$no_delete" ] && export SAVE_PKI=1
+
+		if [ "${dry_run}" ]; then
+			log "<<dry-run>> sh ${utest_bin} ${verb}"
+			estat=1
+		else
+			log ">>>>>>: sh ${utest_bin} ${verb}"
+			if sh "${utest_bin}" "${verb}"; then
+				log "OK"
+				estat=0
+			else
+				log "FAIL"
+				estat=1
+			fi
+		fi
+		log "<<< END unit tests:"
+		unset SAVE_PKI
+	else
+		log "unit-test abandoned"
+		estat=1
+	fi
+} # => run_unit_test ()
+
+########################################
+
+## DOWNLOAD unit-test
+download_unit_test () {
+	# if not present then download unit-test 
+	target_file="${utest_file}"
+	target_hash="${utest_hash}"
+	if [ "$enable_unit_test" ]; then
+		if [ -e "${ERSA_UT}/${target_file}" ]; then
+			[ -x "${ERSA_UT}/${target_file}" ] || \
+				chmod +x "${ERSA_UT}/${target_file}"
+			# version check
+			if "${ERSA_UT}/${target_file}" version; then
+				utest_bin="${ERSA_UT}/${target_file}"
+				utest_bin_ok=1
+				export ERSA_UTEST_CURL_TARGET=localhost
+			else
+				log "version check failed: ${ERSA_UT}/${target_file}"
+			fi
+		else
+			# download and basic check
+			log "curl_it ${target_file}"
+			if curl_it "${target_file}" "${target_hash}"; then
+				[ -x "${ERSA_UT}/${target_file}" ] || \
+					chmod +x "${ERSA_UT}/${target_file}"
+				# functional check - version check
+				if "${ERSA_UT}/${target_file}" version; then
+					utest_bin="${ERSA_UT}/${target_file}"
+					utest_bin_ok=1
+					export ERSA_UTEST_CURL_TARGET=online
+					unset -v keep_eut
+				else
+					log "version check failed: ${target_file}"
+				fi
+			else
+				log "curl_it ${target_file} - failed"
+			fi
+		fi
+		[ "$utest_bin_ok" ] || log "undefined: utest_bin_ok"
+		log "setup unit-test - ok"
+	else
+		log "unit-test disabled"
+	fi # => shellcheck
+}
+## DOWNLOAD unit-test
+
+################################################################################
+
+## USE shellcheck
+
+# Run shellcheck
+run_shellcheck () {
+	if [ "$enable_shellcheck" ] && [ "$sc_bin_ok" ] && [ "$EASYRSA_NIX" ]; then
+		# shell-check easyrsa3/easyrsa
+		if [ -e easyrsa3/easyrsa ]; then
+			if "${sc_bin}" -s sh -S warning -x easyrsa3/easyrsa; then
+				log "shellcheck easyrsa3/easyrsa completed - ok"
+			else
+				log "shellcheck easyrsa3/easyrsa completed - FAILED"
+			fi
+		else
+			log "easyrsa binary not present, not using shellcheck"
+		fi
+
+		# shell-check easyrsa-unit-tests.sh
+		if [ -e easyrsa-unit-tests.sh ]; then
+			if "${sc_bin}" -s sh -S warning -x easyrsa-unit-tests.sh; then
+				log "shellcheck easyrsa-unit-tests.sh completed - ok"
+			else
+				log "shellcheck easyrsa-unit-tests.sh completed - FAILED"
+			fi
+		else
+			log "easyrsa-unit-tests.sh binary not present, not using shellcheck"
+		fi
+	else
+		log "shellcheck abandoned"
+	fi
+}
+## USE shellcheck
+
+########################################
+
+## DOWNLOAD shellcheck
+download_shellcheck () {
+	# if not present then download shellcheck
+	target_file="${sc_file}"
+	target_hash="${sc_hash}"
+	if [ "$enable_shellcheck" ] && [ "$EASYRSA_NIX" ]; then
+		log "setup shellcheck"
+		if [ -e "${ERSA_UT}/${target_file}" ]; then
+			[ -x "${ERSA_UT}/${target_file}" ] || \
+				chmod +x "${ERSA_UT}/${target_file}"
+			"${ERSA_UT}/${target_file}" -V || \
+				log "version check failed: ${ERSA_UT}/${target_file}"
+			sc_bin="${ERSA_UT}/${target_file}"
+			sc_bin_ok=1
+		else
+			# download and basic check
+			log "curl_it ${target_file}"
+			if curl_it "${target_file}" "${target_hash}"; then
+				log "curl_it ${target_file} - ok"
+				[ -x "${ERSA_UT}/${target_file}" ] || \
+					chmod +x "${ERSA_UT}/${target_file}"
+				# functional check
+				if "${ERSA_UT}/${target_file}" -V; then
+					sc_bin="${ERSA_UT}/${target_file}"
+					sc_bin_ok=1
+					unset -v keep_sc
+				else
+					log "version check failed: ${ERSA_UT}/${target_file}"
+				fi
+				log "shellcheck enabled"
+			else
+				log "curl_it ${target_file} - failed"
+			fi
+		fi
+	fi
+
+	## DOWNLOAD shellcheck
+}
+
+################################################################################
+
+## DOWNLOAD openssl-3
+download_opensslv3 () {
+	# if not present then download and then use openssl3
+	target_file="${ssl_file}"
+	target_hash="${ssl_hash}"
+	if [ "$enable_openssl3" ] && [ "$EASYRSA_NIX" ]; then
+		if [ -e "${ERSA_UT}/${target_file}" ]; then
+			[ -x "${ERSA_UT}/${target_file}" ] || \
+				chmod +x "${ERSA_UT}/${target_file}"
+			# version check 'openssl version'
+			"${ERSA_UT}/${target_file}" version || \
+				log "version check failed: ${ERSA_UT}/${target_file}"
+			ssl_bin="${ERSA_UT}/${target_file}"
+			ssl_bin_ok=1
+			# Set up Easy-RSA Unit-Test for OpenSSL-v3
+			export EASYRSA_OPENSSL="${ssl_bin}"
+		else
+			# download and basic check
+			log "curl_it ${target_file}"
+			if curl_it "${target_file}" "${target_hash}"; then
+				log "curl_it ${target_file} - ok"
+				[ -x "${ERSA_UT}/${target_file}" ] || \
+					chmod +x "${ERSA_UT}/${target_file}"
+				# functional check - version check 'openssl version'
+				if "${ERSA_UT}/${target_file}" version; then
+					ssl_bin="${ERSA_UT}/${target_file}"
+					ssl_bin_ok=1
+					unset -v keep_ssl
+					# Set up Easy-RSA Unit-Test for OpenSSL-v3
+					export EASYRSA_OPENSSL="${ssl_bin}"
+				else
+					log "version check failed: ${ERSA_UT}/${target_file}"
+				fi
+			else
+				log "curl_it ${target_file} - failed"
+			fi
+		fi
+
+			log "OpenSSL-v3 enabled"
+
+	else
+		if [ "$EASYRSA_NIX" ]; then
+			log "System SSL enabled"
+			ssl_bin="openssl"
+			ssl_bin_ok=1
+		else
+			log "Windows, no OpenSSL-v3"
+			log "System SSL enabled"
+			ssl_bin="openssl"
+			ssl_bin_ok=1
+		fi
+	fi
+} # => ## DOWNLOAD openssl-3
+
+################################################################################
+
+	# Register clean_up on EXIT
+	#trap "exited 0" 0
+	# When SIGHUP, SIGINT, SIGQUIT, SIGABRT and SIGTERM,
+	# explicitly exit to signal EXIT (non-bash shells)
+	trap "clean_up" 1
+	trap "clean_up" 2
+	trap "clean_up" 3
+	trap "clean_up" 6
+	trap "clean_up" 15
+
+
+unset -v disable_log verb no_delete \
+		enable_unit_test enable_shellcheck enable_openssl3
+
+keep_sc=1
+keep_ssl=1
+keep_eut=1
+
+# Set by default
+enable_unit_test=1
+enable_curl=1
+EASYRSA_NIX=1

 while [ -n "$1" ]; do
 	case "$1" in
-	-v)		verb='-v' ;;
-	-vv)	verb='-vv' ;;
-	-scoff)	unset -v enable_shellcheck ;;
-	*)		verb='-v'
+	--no-log)			disable_log=1 ;;
+	'')					verb='-v' ;;
+	-v)					verb='-v' ;;
+	-vv)				verb='-vv' ;;
+	-sc)				enable_shellcheck=1 ;;
+	-o3)				enable_openssl3=1 ;;
+	-dr)				dry_run=1 ;;
+	-nt|--no-test)		unset -v enable_unit_test ;;
+	-nc|--no-curl)		unset -v enable_curl ;;
+	-nd|--no-delete)	no_delete=1 ;;
+	-w|--windows)		export EASYRSA_WIN=1; unset -v EASYRSA_NIX ;;
+	*)
+		log "Unknown option: $1"
+		exit 9
 	esac
 	shift
 done

-github_url='https://raw.githubusercontent.com'
+log "Easy-RSA Unit Tests:"

-if [ "$enable_shellcheck" ]; then
+# Layout
+ERSA_UT="${PWD}"

-if [ -e "shellcheck" ] && [ "$EASYRSA_NIX" ]; then
-	chmod +x shellcheck
-	./shellcheck -V
-	if [ -e easyrsa3/easyrsa ]; then
-		./shellcheck -s sh -S warning -x easyrsa3/easyrsa
-		echo "* shellcheck completed *"
-	else
-		echo "* easyrsa binary not present, using path, no shellcheck"
-	fi
-elif [ "$EASYRSA_NIX" ]; then
-	github_target='OpenVPN/easyrsa-unit-tests/master/shellcheck'
-	curl -O "${github_url}/${github_target}"
-	[ -e "shellcheck" ] || { echo "shellcheck download failed."; exit 9; }
-	chmod +x shellcheck
-	./shellcheck -V
-	if [ -e easyrsa3/easyrsa ]; then
-		./shellcheck -s sh -S warning -x easyrsa3/easyrsa
-		echo "* shellcheck completed *"
-	else
-		echo "* easyrsa binary not present, using path, no shellcheck"
-	fi
-	rm -f ./shellcheck
-fi
+# Sources
+gh_url='https://raw.githubusercontent.com/OpenVPN/easyrsa-unit-tests/master'

-else
-	# shellcheck is disabled
-	:
-fi
+utest_file='easyrsa-unit-tests.sh'
+unset -v utest_bin utest_bin_ok
+utest_hash='no-hash'

+sc_file='shellcheck'
+unset -v sc_bin sc_bin_ok
+sc_hash='SHA256(shellcheck)= f4bce23c11c3919c1b20bcb0f206f6b44c44e26f2bc95f8aa708716095fa0651'

-estat=0
+ssl_file='openssl'
+unset -v ssl_bin ssl_bin_ok
+ssl_hash='SHA256(openssl)= bc4a5882bad4f51e6d04c25877e1e85ad86f14c5f6e078dd9c02f9d38f8791be'

-if [ -e "easyrsa-unit-tests.sh" ]; then
-	if sh easyrsa-unit-tests.sh "$verb"; then
-		if [ "$EASYRSA_NIX" ] && [ "$EASYRSA_BY_TINCANTECH" ]; then
-			sh easyrsa-unit-tests.sh "$verb" -x || estat=2
-		fi
-	else
-		estat=1
-	fi
-else
-	github_target='OpenVPN/easyrsa-unit-tests/master/easyrsa-unit-tests.sh'
-	curl -O "${github_url}/${github_target}"
-	[ -e "easyrsa-unit-tests.sh" ] || { echo "Unit-test download failed."; exit 9; }
-	if sh easyrsa-unit-tests.sh "$verb"; then
-		: # ok
-	else
-		estat=1
-	fi
-	rm -f easyrsa-unit-tests.sh
-fi
+# Here we go ..

-echo "estat: $estat"
+download_shellcheck
+download_opensslv3
+download_unit_test
+
+run_shellcheck
+run_unit_test
+
+# No trap required..
+clean_up
+
+################################################################################
+
+log "estat: $estat ${dry_run:+<<dry run>>}"
 exit $estat
+
+# vim: no
--- a/wop-test.sh
+++ b/wop-test.sh
@ -67,4 +67,4 @@ echo "Invoke './easyrsa' to call the program. Without commands, help is displaye

 cd ..

-./op-test.sh -v
+./op-test.sh -w -v