nik/easyrsa
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

easyrsa_openssl: Replace variable 'has_config' with OPENSSL_CONF

Browse Source 
Variable 'has_config' was a way to minimize the need to fully expand the
SSL config file (ENV:OPENSSL_CONF) for use by LibreSSL. IE. Only expand
the SSL config file when the SSL command requires a config file.

LibreSSL Always requires the config file to be expanded, even when it
is Not used.

OpenSSL Never requires the config file to be expanded.

Changes follow.

The first part:
* Disable expanding the SSL config file for OpenSSL.
* Require expanding the SSL config file for LibreSSL.

LibreSSL will use the run-once mechanism to expand the SSL config file.

The second part:
Replace the use of SSL option '-config', by Always configuring the SSL
environment variable OPENSSL_CONF to point to the Easy-RSA generated
config file. This is supported by LibreSSL and OpenSSL.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This commit is contained in:
Richard T Bonhomme 2023-07-19 02:17:20 +01:00
parent 27fce22919
commit d4fa9bdb6d
No known key found for this signature in database
GPG Key ID: 2D767DB92FB6C246
1 changed files with 23 additions and 51 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
easyrsa3/easyrsa
View File

@ -918,20 +918,10 @@ escape_hazard() {
then then
# Always run # Always run
verbose "escape_hazard: FORCED" verbose "escape_hazard: FORCED"
# Do not respect --no-safe-ssl, escape the fields
# before they are expanded by OpenSSL or easyrsa.
#elif [ "$EASYRSA_NO_SAFE_SSL" ]; then
# # Never run
# verbose "escape_hazard: DENIED"
# return
elif [ "$working_safe_org_conf" ]; then elif [ "$working_safe_org_conf" ]; then
# Has run once # Has run once
verbose "escape_hazard: BYPASSED" verbose "escape_hazard: BYPASSED"
return return
elif [ -z "$has_config" ]; then
# SSL Config not required
verbose "escape_hazard: IGNORED"
return
else else
# Run once # Run once
verbose "escape_hazard: RUN-ONCE" verbose "escape_hazard: RUN-ONCE"
@ -979,23 +969,27 @@ expand_ssl_config() {
verbose "expand_ssl_config: FORCED" verbose "expand_ssl_config: FORCED"
elif [ "$EASYRSA_NO_SAFE_SSL" ]; then elif [ "$EASYRSA_NO_SAFE_SSL" ]; then
# Never run # Never run
verbose "expand_ssl_config: DENIED" verbose "expand_ssl_config: DISABLED"
return return
elif [ "$working_safe_ssl_conf" ]; then elif [ "$working_safe_ssl_conf" ]; then
# Has run once # Has run once
verbose "expand_ssl_config: BYPASSED" verbose "expand_ssl_config: BYPASSED"
return return
elif [ -z "$has_config" ]; then elif [ "$ssl_lib" = libressl ]; then
# SSL Config not required # Always run
verbose "expand_ssl_config: REQUIRED"
elif [ "$ssl_lib" = openssl ]; then
# OpenSSl does not require a safe config
verbose "expand_ssl_config: IGNORED" verbose "expand_ssl_config: IGNORED"
return return
else else
# Run once # do NOT Run
verbose "expand_ssl_config: RUN-ONCE" die "expand_ssl_config: EXCEPTION"
fi fi
# Set run once # Set run once
working_safe_ssl_conf=1 working_safe_ssl_conf=1
verbose "expand_ssl_config: RUN-ONCE"
# Assign temp-file # Assign temp-file
safe_ssl_cnf_tmp="" safe_ssl_cnf_tmp=""
@ -1098,57 +1092,35 @@ easyrsa_openssl() {
expand_ssl_config || \ expand_ssl_config || \
die "easyrsa_openssl - expand_ssl_config failed" die "easyrsa_openssl - expand_ssl_config failed"
# Support --no-safe-ssl
if [ "$EASYRSA_NO_SAFE_SSL" ]; then
# Assign safe temp file as Original openssl-easyrsa.conf
safe_ssl_cnf_tmp="$EASYRSA_SSL_CONF"
verbose "easyrsa_openssl: No SAFE SSL config"
fi
# VERIFY safe temp-file exists # VERIFY safe temp-file exists
if [ -e "$safe_ssl_cnf_tmp" ]; then if [ -e "$safe_ssl_cnf_tmp" ]; then
verbose "\ verbose "\
easyrsa_openssl: Safe SSL conf OK: $safe_ssl_cnf_tmp" easyrsa_openssl: Safe SSL conf OK: $safe_ssl_cnf_tmp"
export OPENSSL_CONF="$safe_ssl_cnf_tmp"
else else
[ "$has_config" ] && die "\ verbose "\
easyrsa_openssl - Safe SSL conf MISSING: $safe_ssl_cnf_tmp" easyrsa_openssl: No Safe SSL conf, FALLBACK to default"
export OPENSSL_CONF="$EASYRSA_SSL_CONF"
fi fi
# set $OPENSSL_CONF - Use which-ever file is assigned above
export OPENSSL_CONF="$safe_ssl_cnf_tmp"
# Execute command - Return on success # Execute command - Return on success
if [ "$openssl_command" = "makesafeconf" ]; then if [ "$openssl_command" = "makesafeconf" ]; then
# COPY temp-file to safessl-easyrsa.cnf # COPY temp-file to safessl-easyrsa.cnf
unset -v makesafeconf unset -v makesafeconf
cp -f "$safe_ssl_cnf_tmp" "$EASYRSA_SAFE_CONF" && \ cp -f "$safe_ssl_cnf_tmp" "$EASYRSA_SAFE_CONF" && \
return return
die "easyrsa_openssl: makesafeconf FAILED"
fi
elif [ "$has_config" ]; then # Exec SSL
# Exec SSL with -config temp-file if [ "$EASYRSA_SILENT_SSL" ] && [ "$EASYRSA_BATCH" ]
if [ "$EASYRSA_SILENT_SSL" ] && [ "$EASYRSA_BATCH" ] then
then "$EASYRSA_OPENSSL" "$openssl_command" "$@" \
"$EASYRSA_OPENSSL" "$openssl_command" \ 2>/dev/null && \
-config "$safe_ssl_cnf_tmp" "$@" \ return
2>/dev/null && \
return
else
"$EASYRSA_OPENSSL" "$openssl_command" \
-config "$safe_ssl_cnf_tmp" "$@" && \
return
fi
else else
# Exec SSL without -config temp-file "$EASYRSA_OPENSSL" "$openssl_command" "$@" && \
if [ "$EASYRSA_SILENT_SSL" ] && [ "$EASYRSA_BATCH" ] return
then
"$EASYRSA_OPENSSL" "$openssl_command" "$@" \
2>/dev/null && \
return
else
"$EASYRSA_OPENSSL" "$openssl_command" "$@" && \
return
fi
fi fi
# Always fail here # Always fail here