From eed30c19c6f1ffcbeaa8dd77c93cb55cb24fd911 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Sat, 13 Nov 2021 17:33:12 +0000
Subject: [PATCH 1/8] Remove spurious echo command
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 36e154d01..2b6eb8991 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -2228,7 +2228,7 @@ up23_manage_upgrade_23 ()
 if [ $EASYRSA_FOUND_VARS -ne 1 ]; then
- die echo "vars file not found"
+ die "vars file not found"
 fi
 # Only allow specific vars/vars.bat to exist
From 17b3176525ec4ee0126c83f11e1b0a795ff0b5d6 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Sat, 13 Nov 2021 17:33:54 +0000
Subject: [PATCH 2/8] Verify that $EASYRSA_EXT_DIR folder can be found
When using Windows, the current working directory is not reliably evaluated. This can be due to user error or possible script bugs. This means that the variable EASYRSA may have an incorrect value, which causes EASYRSA_EXT_DIR to point to an invalid location. Currently, the value of EASYRSA_EXT_DIR is assumed to be correct, without verification. Always verify that x509-types folder can be found or error-exit.
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 2b6eb8991..59359bd67 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -1738,9 +1738,11 @@ Note: using Easy-RSA configuration from: $vars"
 # Same as above for the x509-types extensions dir
 if [ -d "$EASYRSA_PKI/x509-types" ]; then
 set_var EASYRSA_EXT_DIR "$EASYRSA_PKI/x509-types"
- else
+ elif [ -d "$EASYRSA/x509-types" ]; then
 #TODO: This should be removed. Not really suitable for packaging.
 set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
+ else
+ die "Missing x509-types folder"
 fi
 # EASYRSA_ALGO_PARAMS must be set depending on selected algo
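Review bot: The new `else` branch dies even when EASYRSA_EXT_DIR was already supplied by the user (vars file or environment) and points at a valid directory, because the chain only tests the two default locations and never the variable's current value. If `set_var` keeps an existing value, as its name suggests (its definition is not visible here), a more robust check is to validate the final value after the block: `[ -d "$EASYRSA_EXT_DIR" ] || die "Missing x509-types folder: '$EASYRSA_EXT_DIR'"`. That message would also name the path that was tried, which the current `die "Missing x509-types folder"` does not, leaving the user to guess between the PKI and the EASYRSA locations. The enclosing function starts and ends outside the hunk.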
From 61361d7fbfb1f9818e9632df584da341b90e2354 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Sat, 13 Nov 2021 19:55:54 +0000
Subject: [PATCH 3/8] Minor indentation correction (NFC)
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 59359bd67..c78d0f116 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -1674,8 +1674,8 @@ vars_setup() {
 # command-line path:
 if [ ! -z "$EASYRSA_VARS_FILE" ]; then
- if [ ! -f "$EASYRSA_VARS_FILE" ]; then
- # If the --vars option does not point to a file, show helpful error.
+ if [ ! -f "$EASYRSA_VARS_FILE" ]; then
+ # If the --vars option does not point to a file, show helpful error.
 die "The file '$EASYRSA_VARS_FILE' was not found."
 fi
 vars="$EASYRSA_VARS_FILE"
From 631a2c50315bf0849ba571de46ee6561cc8c9094 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Sun, 14 Nov 2021 00:00:32 +0000
Subject: [PATCH 4/8] Replace needlessly complex `if` with concise `case`
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index c78d0f116..83b00780e 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -1746,13 +1746,16 @@ Note: using Easy-RSA configuration from: $vars"
 fi
 # EASYRSA_ALGO_PARAMS must be set depending on selected algo
- if [ "ec" = "$EASYRSA_ALGO" ]; then
- EASYRSA_ALGO_PARAMS="$EASYRSA_EC_DIR/${EASYRSA_CURVE}.pem"
- elif [ "rsa" = "$EASYRSA_ALGO" ]; then
- EASYRSA_ALGO_PARAMS="${EASYRSA_KEY_SIZE}"
- elif [ "ed" != "$EASYRSA_ALGO" ]; then
- die "Alg '$EASYRSA_ALGO' is invalid: must be 'rsa', 'ec' or 'ed' "
- fi
+ case "$EASYRSA_ALGO" in
+ rsa)
+ EASYRSA_ALGO_PARAMS="${EASYRSA_KEY_SIZE}" ;;
+ ec)
+ EASYRSA_ALGO_PARAMS="$EASYRSA_EC_DIR/${EASYRSA_CURVE}.pem" ;;
+ ed)
+ : ;;
+ *)
+ die "Alg '$EASYRSA_ALGO' is invalid: must be 'rsa', 'ec' or 'ed' " ;;
+ esac
 # Assign value to $EASYRSA_TEMP_DIR_session and work around Windows mktemp bug when parent dir is missing
 if [ -z "$EASYRSA_TEMP_DIR_session" ]; then
From 407eb55ad372afdf1aa1417f4035cd9688548aaf Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Sun, 14 Nov 2021 00:22:25 +0000
Subject: [PATCH 5/8] Conform to coding style - Remove '${variable}' braces
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 83b00780e..f5d000bfc 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -1748,9 +1748,9 @@ Note: using Easy-RSA configuration from: $vars"
 # EASYRSA_ALGO_PARAMS must be set depending on selected algo
 case "$EASYRSA_ALGO" in
 rsa)
- EASYRSA_ALGO_PARAMS="${EASYRSA_KEY_SIZE}" ;;
+ EASYRSA_ALGO_PARAMS="$EASYRSA_KEY_SIZE" ;;
 ec)
- EASYRSA_ALGO_PARAMS="$EASYRSA_EC_DIR/${EASYRSA_CURVE}.pem" ;;
+ EASYRSA_ALGO_PARAMS="$EASYRSA_EC_DIR/$EASYRSA_CURVE.pem" ;;
 ed)
 : ;;
 *)
From ffcdebc3183efb504d588a9840f58d1391c267da Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Wed, 2 Feb 2022 15:21:27 +0000
Subject: [PATCH 6/8] Allow local unit-test script to remain after test completion
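Review bot: The `ed) : ;;` arm of the new `case` is the one branch a reader cannot infer from the surrounding assignments, since EASYRSA_ALGO_PARAMS is deliberately left unset there exactly as the replaced `elif [ "ed" != ... ]` chain did; a short comment such as `ed) : ;; # EdDSA keys take no size/curve parameter` would record that the empty arm is intentional rather than an omission. Otherwise the rewrite matches the old chain branch for branch, including the error text for an unknown algorithm. The enclosing function starts and ends outside the hunk.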
Signed-off-by: Richard T Bonhomme
---
 op_test.sh | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/op_test.sh b/op_test.sh
index f9d6be957..7a9532d89 100755
--- a/op_test.sh
+++ b/op_test.sh
@@ -4,14 +4,19 @@
 # and executes that - allows for disconnected testing from the easy-rsa
 # repo with TravisCI.
-curl -O 'https://raw.githubusercontent.com/OpenVPN/easyrsa-unit-tests/master/easyrsa-unit-tests.sh'
+verb="${1:-'-v'}"
-if [ -e "easyrsa-unit-tests.sh" ];
-then
- sh easyrsa-unit-tests.sh -v
+if [ ! -e "easyrsa-unit-tests.sh" ]; then
+ curl -O 'https://raw.githubusercontent.com/OpenVPN/easyrsa-unit-tests/master/easyrsa-unit-tests.sh'
+
+ if [ -e "easyrsa-unit-tests.sh" ]; then
+ sh easyrsa-unit-tests.sh "$verb"
+ estat=$?
+ fi
+ rm -f easyrsa-unit-tests.sh
+else
+ sh easyrsa-unit-tests.sh "$verb"
 estat=$?
 fi
-rm -f easyrsa-unit-tests.sh
-
 exit $estat
From b0af1e5bee2c69d3d101c0bfb8c79ad1181cd490 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Wed, 2 Feb 2022 15:28:25 +0000
Subject: [PATCH 7/8] Determine SSL Library major version number
Currently, only supports: 1 - For version 1.x.x 3 - For version 3.x.x
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index f5d000bfc..6f56fb7dc 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -459,6 +459,12 @@ verify_ssl_lib () {
 val="$("$EASYRSA_OPENSSL" version)"
 case "${val%% *}" in
 OpenSSL|LibreSSL)
+ osslv_major="${val#* }"
+ osslv_major="${osslv_major%%.*}"
+ case "$osslv_major" in
+ 1|3) : ;; # OK
+ *) die "Unsupported SSL library: $osslv_major"
+ esac
 print "\
 Using SSL: $EASYRSA_OPENSSL $("$EASYRSA_OPENSSL" version)" ;;
 *) die "\
From 1075b2729c0a5b4f77fe42a960c986a3308d24fd Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Wed, 2 Feb 2022 16:32:31 +0000
Subject: [PATCH 8/8] OpenSSL v3x: Use required -noenc flag to build a CA without password
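Review bot: `verb="${1:-'-v'}"` does not give the default the author intends: under bash the single quotes inside a double-quoted expansion are literal, so the test script receives the argument `'-v'` with quotes included (other shells strip them, which makes the line behave differently depending on the interpreter); write it as `verb="${1:--v}"`. A second gap is that `estat` is never assigned when the curl download fails or produces no file, so `exit $estat` becomes a bare `exit` and the script reports success; initialising `estat=1` before the `if` would make a missing test script a failure. Separately, and unchanged by this commit, the fetch executes whatever is on the `master` branch of the remote repository at run time; pinning the URL to a specific commit id and checking a known digest of the downloaded file would make CI runs reproducible and keep an unexpected change to that branch from being executed here.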
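Review bot: `osslv_major` is derived from the second word of `openssl version` for both `OpenSSL` and `LibreSSL`, so LibreSSL 3.x yields `3` and is indistinguishable from OpenSSL 3.x to any caller keyed on this value; if LibreSSL does not accept the same OpenSSL 3 command options (I have not confirmed that here), the function should also record the library name, e.g. `ossl_lib="${val%% *}"`, so callers can test both. The variable is also a global set as a side effect of verify_ssl_lib with no declaration or comment; a line such as `# sets global osslv_major: SSL library major version (1 or 3)` above the first added assignment would document the contract. The `*)` arm omits a trailing `;;`, which is legal as the last arm but inconsistent with the `1|3)` arm beside it. verify_ssl_lib starts and ends outside the hunk.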
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 6f56fb7dc..fa2b6b460 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -593,12 +593,25 @@ build_ca() {
 opts=""
 sub_ca=""
 nopass=""
+ noenc=""
 crypto="-aes256"
 while [ -n "$1" ]; do
 case "$1" in
 intca) sub_ca=1 ;;
 subca) sub_ca=1 ;;
- nopass) nopass=1 ;;
+ nopass)
+ nopass=1
+ # verify_ssl_lib mjor version
+ if verify_ssl_lib; then
+ case "$osslv_major" in
+ 1) : ;;
+ 3) noenc="-noenc" ;;
+ *) die "build-ca ssl lib: $osslv_major"
+ esac
+ else
+ die "build-ca ssl lib: $osslv_major"
+ fi
+ ;;
 *) warn "Ignoring unknown command option: '$1'" ;;
 esac
 shift
@@ -704,7 +717,7 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 [ ! $nopass ] && [ -z "$EASYRSA_PASSIN" ] && crypto_opts="-passin file:$out_key_pass_tmp"
 #shellcheck disable=SC2086
- easyrsa_openssl req -utf8 -new -key "$out_key_tmp" \
+ easyrsa_openssl req ${noenc} -utf8 -new -key "$out_key_tmp" \
 -keyout "$out_key_tmp" -out "$out_file_tmp" $crypto_opts $opts ${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} || \
 die "Failed to build the CA"
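Review bot: Both `die "build-ca ssl lib: $osslv_major"` calls in the new `nopass)` arm tell the user nothing about what went wrong; the first fires for a major version other than 1 or 3 and the second when verify_ssl_lib returns non-zero, and a message such as `die "build-ca: unsupported SSL library major version '$osslv_major' for nopass"` would say so. The arm also re-runs verify_ssl_lib during option parsing, which (per the previous patch in this series) executes `openssl version` again and re-prints the `Using SSL:` line if the function has already run at startup; deriving `noenc` once from the already-set `osslv_major`, or after the `while` loop, would avoid the repeated call. The comment `# verify_ssl_lib mjor version` has a typo and would be clearer as `# verify_ssl_lib sets osslv_major; OpenSSL 3 needs -noenc for an unencrypted key`. build_ca continues outside the hunk.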
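Review bot: `${noenc}` on the changed `easyrsa_openssl req` line uses the brace form that patch 5 of this series removes elsewhere for style, and it reads inconsistently next to `$crypto_opts $opts` on the continuation line; `$noenc` is sufficient since a space follows it. The unquoted expansion is intentional so that an empty value contributes no argument, and the existing `#shellcheck disable=SC2086` already covers it. Grouping the option with `$crypto_opts` at the end of the command, rather than before `-utf8`, would keep the passphrase-related options together for the next reader.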