Where errors are known, exit via 'Known' branch.
Allow preset error number to propagate.
Long line wrapping. Shorten associated variable names.
Move clearing traps to within cleanup().
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
If 'easyrsa' is being run by the unit-test then allow the default method
for 'build-ca' to be exercised.
The default 'easyrsa' method is to use temp-files, generated by EasyRSA,
to pass the CA passphrase, provided by the user, to the SSL command.
The normal 'unit-test' method to use a passphrase is to configure EasyRSA
command line options '--passin' and '--passout'.
The change made here is to simulate user-interaction and to supply a
default passphrase, as a user, to the SSL command.
To NOT use EasyRSA command line options to set any passphrase.
ONLY when being run by the unit-test.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Using OpenSSL 3.0.7, packaged by OpenVPN Windows installer, causes
EasyRSA command 'build-ca' to fail, because it does not have an input
password to re-open the private key, which is required to generate
the CA certificate.
Provide the user specified CA passphrase as input password for build-ca.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
When using set_var() with a variable as an input for the name of the variable,
use this wrapper to verify the input is suitable as a variable name.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Command show-expire:
Improve report output to show 'expired: <date>' for expired certificates.
Otherwise, show 'expires: <date>' for currently Valid certificates.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Some commands must capture the SSL output via a subshell.
eg: ssl_cert_serial() and ssl_cert_not_before/after_date()
To use easyrsa_openssl() for these commands, EASYRSA_DEBUG must be disabled.
This patch unsets EASYRSA_DEBUG in the function subshells only.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Always assign the easyrsa_openssl() temp-file before escape_hazard().
In the event of failure, easyrsa_openssl() will try first.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Global option '--no-safe-ssl' disables generating a safe SSL config file.
The default is to always generate a safe SSL config file.
Can be used by OpenSSL ONLY.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
fn_ is preferable to f_
This is to simulate 'local', which was not POSIX, until recently.
Baseline: Windows sh.exe
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Use replaced in display_san() and display_dn().
verify_file(): Return status of SSL command.
Wrap long lines x4.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
LibreSSL Always probes the file assigned by environment variable OPENSSL_CONF.
Default can be found via command 'openssl version -d'
EasyRSA MUST provide a suitable "safe" SSL config file to LibreSSL.
Therefore, all SSL calls made by EasyRSA SHOULD go via easyrsa_openssl(),
which can be forced to ALWAYS build a "safe" SSL config file.
By always building a "safe" SSL config file, EasyRSA can always configure
the default value for OPENSSL_CONF.
This patch changes easyrsa_openssl(), to force generation of a safe SSL
config on EVERY use and set OPENSSL_CONF to the same.
Calls to easyrsa_openssl() ALWAYS generate a safe SSL config file, however,
that config file is only called via SSL option '-config' when the command
requires an SSL config file. (As by original design)
The environment variable OPENSSL_CONF always points to the EasyRSA "safe" SSL
config file, although the SSL command may not support the '-config' option.
The fundamental changes made here are, easyrsa_openssl():
- ALWAYS creates a "safe" SSL config file, although it may not be required.
- ALWAYS assigns SSL env-var OPENSSL_CONF to the above "safe" SSL config file.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
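
The behaviour described in the last commit message above, sketched as an added example (this is not EasyRSA's easyrsa_openssl() and not the commit author's code): a wrapper that regenerates a private config on every call, always exports OPENSSL_CONF to it, and passes '-config' only to sub-commands that accept it. The names `ssl_wrapper`, `ssl_session_dir`, `SSL_BIN`, `SSL_TEMPLATE` and `SSL_SESSION_DIR` are hypothetical, `mktemp -d` is assumed to be available, and "safe" here only means a generated copy in a directory private to the caller.

```shell
#!/bin/sh
# Added illustration; all names below are hypothetical, not EasyRSA's.
# SSL_BIN:      SSL command to run (assumption: defaults to "openssl")
# SSL_TEMPLATE: optional source config the per-call copy is generated from
SSL_BIN="${SSL_BIN:-openssl}"

# Create one private session directory and remember it in SSL_SESSION_DIR.
ssl_session_dir() {
    if [ -z "${SSL_SESSION_DIR:-}" ] || [ ! -d "$SSL_SESSION_DIR" ]; then
        SSL_SESSION_DIR="$(mktemp -d "${TMPDIR:-/tmp}/ssl-wrap.XXXXXX")" || return 1
        chmod 700 "$SSL_SESSION_DIR" || return 1
    fi
}

ssl_wrapper() {
    [ "$#" -ge 1 ] || { echo "ssl_wrapper: missing SSL command" >&2; return 2; }
    cmd="$1"; shift
    ssl_session_dir || return 1
    safe_conf="$SSL_SESSION_DIR/safe-ssl.cnf"

    # ALWAYS (re)generate the config, even if this command will not read it.
    if [ -r "${SSL_TEMPLATE:-}" ]; then
        cp "$SSL_TEMPLATE" "$safe_conf" || return 1
    else
        printf '%s\n' '# generated empty config' > "$safe_conf" || return 1
    fi

    # ALWAYS point OPENSSL_CONF at it, so an SSL library that probes
    # OPENSSL_CONF on every run never falls back to the system default.
    OPENSSL_CONF="$safe_conf"
    export OPENSSL_CONF

    # Only these sub-commands take '-config'; everything else relies on
    # the environment variable alone.
    case "$cmd" in
        ca|req|srp|ts) "$SSL_BIN" "$cmd" -config "$safe_conf" "$@" ;;
        *)             "$SSL_BIN" "$cmd" "$@" ;;
    esac
}
```

Call it directly rather than inside `$( ... )` when the session directory should be reused, because a subshell discards the `SSL_SESSION_DIR` assignment.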