build-ca: Do not export CA password to environment

In default mode, build-ca exports the CA password to the environment, via function force_set_var(). Replace use of force_set_var() with a here-doc. Also, make verbose openssl command output debug only. Signed-off-by: Richard T Bonhomme <[email protected]>
OpenVPN · Dec 14, 2023 · 009ea1f · 009ea1f
1 parent 784ad81
commit 009ea1f
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
@@ -1126,7 +1126,8 @@ easyrsa_openssl() {
 	fi
 
 	# Execute command - Return on success
-	verbose "> easyrsa_openssl - EXEC $openssl_command $*"
+	[ -z "$EASYRSA_DEBUG" ] || \
+		verbose "> easyrsa_openssl - EXEC $openssl_command $*"
 
 	case "$openssl_command" in
 	makesafeconf)
@@ -1449,7 +1450,10 @@ get_passphrase() {
 			printf '\n%s\n' \
 				"Passphrase must be at least 4 characters!"
 		else
-			force_set_var "$t" "$r" || die "Passphrase error!"
+			read -r "$t" <<- SECRET
+				$r
+				SECRET
+
 			unset -v r t
 			print
 			return 0