diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 254233637..bbb773ef2 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -563,6 +563,8 @@ General options: (Default config file is in the EasyRSA PKI directory) --force-safe-ssl: Always generate a safe SSL config file (Default: Generate Safe SSL config once per instance) +--old-safe-ssl: Always generate a safe SSL config file + As --force-safe-ssl but use 'sed' expansion. --tmp-dir=DIR : Declare the temporary directory (Default temporary directory is the EasyRSA PKI directory) @@ -963,17 +965,6 @@ Temporary session not preserved." exit 1 } # => cleanup() -# Make a copy safe SSL config file -make_safe_ssl() { - easyrsa_openssl makesafeconf "$@" - notice "\ -Safe SSL config file created at: -* $EASYRSA_SAFE_CONF" - - verbose "\ -make_safe_ssl: NEW SSL cnf file: $safe_ssl_cnf_tmp" -} # => make_safe_ssl() - # Escape hazardous characters # Auto-escape hazardous characters: # '&' - Workaround 'sed' behavior @@ -995,6 +986,15 @@ escape_hazard() { verbose "escape_hazard: RUN-ONCE" fi + # Only use if old 'sed' version is requested + if [ "$EASYRSA_LEGACY_SAFE_SSL" ]; then + : # ok + else + verbose "escape_hazard: REPLACED by heredoc expansion" + verbose "escape_hazard: ABANDONED" + return + fi + # Set run once working_safe_org_conf=1 @@ -1057,8 +1057,10 @@ expand_ssl_config - \ easyrsa_mktemp safe_ssl_cnf_tmp" # Rewrite + # Only use if old 'sed' version is requested # shellcheck disable=SC2016 # No expand '' - expand_ssl_config() - if sed \ + if [ "$EASYRSA_LEGACY_SAFE_SSL" ]; then + if sed \ \ -e s\`'$dir'\`\ \""$EASYRSA_PKI"\"\`g \ 
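Review bot: In the escape_hazard hunk (`@@ -995`), the new early return on the non-legacy path sits after the run-once message but before the context line `working_safe_org_conf=1`, so on the default path the run-once flag is never set and escape_hazard is re-entered, with its two verbose lines, on every call. If the function is meant to be a no-op unless `EASYRSA_LEGACY_SAFE_SSL` is set, test that flag before the run-once block, or set `working_safe_org_conf=1` before the `return`. The run-once check whose `fi` opens the hunk starts outside it, so how it behaves with the flag unset cannot be confirmed from here. The `if [ "$EASYRSA_LEGACY_SAFE_SSL" ]; then : # ok else … return fi` shape could be written as `[ "$EASYRSA_LEGACY_SAFE_SSL" ] || { verbose "escape_hazard: ABANDONED"; return; }`, which states the intent directly; the same `: # ok` form recurs in the write() hunk at line 3.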
@@ -1105,11 +1107,17 @@ easyrsa_mktemp safe_ssl_cnf_tmp" -e s\`'$ENV::EASYRSA_REQ_SERIAL'\`\ \""$EASYRSA_REQ_SERIAL"\"\`g \ \ - "$EASYRSA_SSL_CONF" > "$safe_ssl_cnf_tmp" - then - verbose "expand_ssl_config: COMPLETED" + "$EASYRSA_SSL_CONF" > "$safe_ssl_cnf_tmp" + then + verbose "expand_ssl_config: via 'sed' COMPLETED" + else + return 1 + fi + else - return 1 + write safe-cnf > "$safe_ssl_cnf_tmp" || \ + die "expand_ssl_config - write safe-cnf temp-file" + verbose "expand_ssl_config: via 'write' COMPLETED" fi } # => expand_ssl_config() @@ -1129,12 +1137,6 @@ easyrsa_openssl() { case "$openssl_command" in rand) die "easyrsa_openssl: Illegal SSL command: rand" - ;; - makesafeconf) - safe_target_file="$1" - makesafeconf=1 - ;; - *) : esac # Auto-escape hazardous characters @@ -1161,15 +1163,6 @@ easyrsa_openssl() { verbose "> easyrsa_openssl - EXEC $openssl_command $*" case "$openssl_command" in - makesafeconf) - # COPY temp-file to safessl-easyrsa.cnf - unset -v makesafeconf - if [ "$safe_target_file" ]; then - cp -f "$safe_ssl_cnf_tmp" "$safe_target_file" && return - else - cat "$safe_ssl_cnf_tmp" && return - fi - ;; *) # Exec SSL if [ "$EASYRSA_SILENT_SSL" ] && [ "$EASYRSA_BATCH" ] 
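Review bot: The two arms of expand_ssl_config now fail differently: the `sed` arm keeps `return 1`, while the new heredoc arm calls `die` inline, so a caller that checks expand_ssl_config's status (as the original single-arm version allowed) never sees a non-zero return on the default path and the failure policy depends on a flag. Either let the heredoc arm also `return 1` and leave the decision to the caller, or document on the function that it is fatal on the default path. Note also that `write safe-cnf > "$safe_ssl_cnf_tmp" || die …` only fires when `write` itself returns non-zero, and in the write() hunk at line 3 the stdout branch of safe-cnf runs create_legacy_stream bare and then assigns `write_recursion`, so a failed heredoc write reports status 0 here and an empty or truncated temp config is handed to openssl. The sed invocation this hunk closes begins in the preceding hunk, outside this one.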
@@ -5595,24 +5588,40 @@ Legacy files: openssl-easyrsa.cnf and x509-types/ directory." # write legacy files to stdout or to $folder write() { + # recursion check + write_recursion="$(( write_recursion + 1 ))" + if [ "$write_recursion" -gt 2 ]; then + print "write recursion" > "$easyrsa_err_log" + die "write recursion" + fi + write_type="$1" write_dir="$2" write_file= case "$write_type" in safe-cnf) + # Set expansion to use full-expansion style + set_openssl_easyrsa_cnf_vars expanded + # write to stdout or $write_dir/safessl-easyrsa.cnf if [ "$write_dir" ]; then [ -d "$write_dir" ] || \ user_error "Missing directory '$write_dir'" write_file="$write_dir"/safessl-easyrsa.cnf - make_safe_ssl "$write_file" || die "write failed" + create_legacy_stream "$write_type" >"$write_file" || \ + die "write failed" else - make_safe_ssl || die "write failed" + create_legacy_stream "$write_type" fi + + write_recursion="$(( write_recursion - 1 ))" return ;; ssl-cnf) + # Set expansion to use '$ENV::EASYRSA_PKI' style + set_openssl_easyrsa_cnf_vars unexpanded + # write to stdout or $write_dir/openssl-easyrsa.cnf if [ "$write_dir" ]; then write_file="$write_dir"/openssl-easyrsa.cnf @@ -5643,7 +5652,12 @@ write() { if [ -f "$write_file" ]; then # If the file exists then do not over write # unless explicitly instructed - [ "$legacy_file_over_write" ] || return 0 + if [ "$legacy_file_over_write" ]; then + : # ok + else + write_recursion="$(( write_recursion - 1 ))" + return 0 + fi fi fi 
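Review bot: In the safe-cnf branch the stdout path runs `create_legacy_stream "$write_type"` bare and then assigns `write_recursion`, so the bare `return` reports the assignment's status (0) even when the heredoc write fails, for example when the temp file expand_ssl_config redirects into cannot be written; the file path just above checks with `|| die "write failed"` and the stdout path should match it: `create_legacy_stream "$write_type" || die "write failed"`. The same masking applies to the final `create_legacy_stream` before the closing decrement in the next hunk (line 4). Since write() now carries state across calls (`write_recursion`, and through set_openssl_easyrsa_cnf_vars the `conf_EASYRSA_*` globals that the ssl-cnf/safe-cnf heredoc reads), a header comment stating that every non-fatal exit must decrement `write_recursion` and that the `conf_EASYRSA_*` mode is whatever the last call selected would help the next editor. write() begins before this hunk and continues past it.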
@@ -5654,7 +5668,51 @@ write() { else create_legacy_stream "$write_type" fi -} #= write() + write_recursion="$(( write_recursion - 1 ))" +} # => write() + +# set heredoc variables for openssl-esyrsa.cnf +# shellcheck disable=SC2016 # (info): $ don't expand in '' +set_openssl_easyrsa_cnf_vars(){ + case "$1" in + expanded) + # fully expand ssl-cnf for safe-cnf + conf_EASYRSA_dir="$EASYRSA_PKI" + conf_EASYRSA_PKI="$EASYRSA_PKI" + conf_EASYRSA_DIGEST="$EASYRSA_DIGEST" + conf_EASYRSA_KEY_SIZE="$EASYRSA_KEY_SIZE" + conf_EASYRSA_DIGEST="$EASYRSA_DIGEST" + conf_EASYRSA_DN="$EASYRSA_DN" + conf_EASYRSA_REQ_CN="$EASYRSA_REQ_CN" + conf_EASYRSA_REQ_COUNTRY="$EASYRSA_REQ_COUNTRY" + conf_EASYRSA_REQ_PROVINCE="$EASYRSA_REQ_PROVINCE" + conf_EASYRSA_REQ_CITY="$EASYRSA_REQ_CITY" + conf_EASYRSA_REQ_ORG="$EASYRSA_REQ_ORG" + conf_EASYRSA_REQ_OU="$EASYRSA_REQ_OU" + conf_EASYRSA_REQ_EMAIL="$EASYRSA_REQ_EMAIL" + conf_EASYRSA_REQ_SERIAL="$EASYRSA_REQ_SERIAL" + ;; + unexpanded) + # write standard ssl-cnf + conf_EASYRSA_dir='$dir' + conf_EASYRSA_PKI='$ENV::EASYRSA_PKI' + conf_EASYRSA_DIGEST='$ENV::EASYRSA_DIGEST' + conf_EASYRSA_KEY_SIZE='$ENV::EASYRSA_KEY_SIZE' + conf_EASYRSA_DIGEST='$ENV::EASYRSA_DIGEST' + conf_EASYRSA_DN='$ENV::EASYRSA_DN' + conf_EASYRSA_REQ_CN='$ENV::EASYRSA_REQ_CN' + conf_EASYRSA_REQ_COUNTRY='$ENV::EASYRSA_REQ_COUNTRY' + conf_EASYRSA_REQ_PROVINCE='$ENV::EASYRSA_REQ_PROVINCE' + conf_EASYRSA_REQ_CITY='$ENV::EASYRSA_REQ_CITY' + conf_EASYRSA_REQ_ORG='$ENV::EASYRSA_REQ_ORG' + conf_EASYRSA_REQ_OU='$ENV::EASYRSA_REQ_OU' + conf_EASYRSA_REQ_EMAIL='$ENV::EASYRSA_REQ_EMAIL' + conf_EASYRSA_REQ_SERIAL='$ENV::EASYRSA_REQ_SERIAL' + ;; + *) + die "set_openssl_easyrsa_cnf_vars - input" + esac +} # => set_openssl_easyrsa_cnf_vars() # Create x509 type create_legacy_stream() { 
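Review bot: `conf_EASYRSA_DIGEST` is assigned twice in both the `expanded` and `unexpanded` arms of set_openssl_easyrsa_cnf_vars; the second assignment is a no-op and looks like a copy-paste slip, so drop it or replace it with the variable that was meant. Separately, the `expanded` arm substitutes the raw `EASYRSA_*` values, whereas the `sed` expansion it replaces wrapped each value in double quotes (`\""$EASYRSA_REQ_SERIAL"\"` in the hunk at line 2), so an unquoted value containing `#` or leading/trailing blanks is at risk of being read differently by OpenSSL's config parser, and a value containing a newline now lands in the generated file as an additional config line, where the single-line `sed` substitution would most likely have failed instead. Consider quoting in the `expanded` arm (e.g. `conf_EASYRSA_REQ_CN="\"$EASYRSA_REQ_CN\""`) and rejecting values that contain a newline before they reach the heredoc, since the escape_hazard step no longer runs on this path. The heredoc that consumes these variables is in the later hunks (lines 5-8).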
@@ -5896,9 +5954,9 @@ fi #set_var EASYRSA_TEMP_DIR "$EASYRSA_PKI" CREATE_VARS_EXAMPLE ;; - ssl-cnf) + ssl-cnf|safe-cnf) # SSL config v3.2.0-1 - cat << "CREATE_SSL_CONFIG" + cat << CREATE_SSL_CONFIG # For use with Easy-RSA 3.0+ and OpenSSL or LibreSSL #################################################################### @@ -5908,17 +5966,17 @@ default_ca = CA_default # The default ca section #################################################################### [ CA_default ] -dir = $ENV::EASYRSA_PKI # Where everything is kept -certs = $dir # Where the issued certs are kept -crl_dir = $dir # Where the issued crl are kept -database = $dir/index.txt # database index file. -new_certs_dir = $dir/certs_by_serial # default place for new certs. +dir = $conf_EASYRSA_PKI # Where everything is kept +certs = $conf_EASYRSA_dir # Where the issued certs are kept +crl_dir = $conf_EASYRSA_dir # Where the issued crl are kept +database = $conf_EASYRSA_dir/index.txt # database index file. +new_certs_dir = $conf_EASYRSA_dir/certs_by_serial # default place for new certs. -certificate = $dir/ca.crt # The CA certificate -serial = $dir/serial # The current serial number -crl = $dir/crl.pem # The current CRL -private_key = $dir/private/ca.key # The private key -RANDFILE = $dir/.rand # private random number file +certificate = $conf_EASYRSA_dir/ca.crt # The CA certificate +serial = $conf_EASYRSA_dir/serial # The current serial number +crl = $conf_EASYRSA_dir/crl.pem # The current CRL +private_key = $conf_EASYRSA_dir/private/ca.key # The private key +RANDFILE = $conf_EASYRSA_dir/.rand # private random number file x509_extensions = basic_exts # The extensions to add to the cert 
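Review bot: Changing `cat << "CREATE_SSL_CONFIG"` to the unquoted `cat << CREATE_SSL_CONFIG` turns on shell expansion for the entire here-document, not only the `$conf_EASYRSA_*` references: any literal `$name`, `$(...)` or backtick anywhere in the template up to the terminator is now expanded by the shell, typically to an empty string, and silently changes the emitted OpenSSL config. The hunks at lines 6-8 escape the instances they touch (`\$ENV::EASYRSA_CERT_EXPIRE`, `\$DN_MODE`, `\$EXTRA_EXTS`, `\$X509_TYPES`), but most of the template lies outside the view, so every remaining `$` and backtick between this line and `CREATE_SSL_CONFIG` should be audited. A comment on the `cat` line would protect future edits: `# UNQUOTED delimiter: the shell expands $var, $(..) and backticks below - escape every literal '$' and backtick`. The merged case label `ssl-cnf|safe-cnf)` also hides that the heredoc now depends on set_openssl_easyrsa_cnf_vars having been called first; a direct `create_legacy_stream ssl-cnf` that bypasses write() emits whatever the `conf_EASYRSA_*` globals last held, which is worth a comment here as well.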
@@ -5933,11 +5991,11 @@ crl_extensions = crl_ext # These fields are removed from this here-doc but retained # in 'openssl-easyrsa.cnf' file, in case something breaks. # default_days is no longer required by Easy-RSA -#default_days = $ENV::EASYRSA_CERT_EXPIRE # how long to certify for +#default_days = \$ENV::EASYRSA_CERT_EXPIRE # how long to certify for # default_crl_days is no longer required by Easy-RSA -#default_crl_days = $ENV::EASYRSA_CRL_DAYS # how long before next CRL +#default_crl_days = \$ENV::EASYRSA_CRL_DAYS # how long before next CRL -default_md = $ENV::EASYRSA_DIGEST # use public key default MD +default_md = $conf_EASYRSA_DIGEST # use public key default MD preserve = no # keep passed DN ordering # This allows to renew certificates which have not been revoked @@ -5961,16 +6019,16 @@ serialNumber = optional #################################################################### # Easy-RSA request handling -# We key off $DN_MODE to determine how to format the DN +# We key off \$DN_MODE to determine how to format the DN [ req ] -default_bits = $ENV::EASYRSA_KEY_SIZE +default_bits = $conf_EASYRSA_KEY_SIZE default_keyfile = privkey.pem -default_md = $ENV::EASYRSA_DIGEST -distinguished_name = $ENV::EASYRSA_DN +default_md = $conf_EASYRSA_DIGEST +distinguished_name = $conf_EASYRSA_DN x509_extensions = easyrsa_ca # The extensions to add to the self signed cert -# A placeholder to handle the $EXTRA_EXTS feature: -#%EXTRA_EXTS% # Do NOT remove or change this line as $EXTRA_EXTS support requires it +# A placeholder to handle the \$EXTRA_EXTS feature: +#%EXTRA_EXTS% # Do NOT remove or change this line as \$EXTRA_EXTS support requires it #################################################################### # Easy-RSA DN (Subject) handling 
@@ -5979,37 +6037,37 @@ x509_extensions = easyrsa_ca # The extensions to add to the self signed cert [ cn_only ] commonName = Common Name (eg: your user, host, or server name) commonName_max = 64 -commonName_default = $ENV::EASYRSA_REQ_CN +commonName_default = $conf_EASYRSA_REQ_CN # Easy-RSA DN for org support: [ org ] countryName = Country Name (2 letter code) -countryName_default = $ENV::EASYRSA_REQ_COUNTRY +countryName_default = $conf_EASYRSA_REQ_COUNTRY countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) -stateOrProvinceName_default = $ENV::EASYRSA_REQ_PROVINCE +stateOrProvinceName_default = $conf_EASYRSA_REQ_PROVINCE localityName = Locality Name (eg, city) -localityName_default = $ENV::EASYRSA_REQ_CITY +localityName_default = $conf_EASYRSA_REQ_CITY 0.organizationName = Organization Name (eg, company) -0.organizationName_default = $ENV::EASYRSA_REQ_ORG +0.organizationName_default = $conf_EASYRSA_REQ_ORG organizationalUnitName = Organizational Unit Name (eg, section) -organizationalUnitName_default = $ENV::EASYRSA_REQ_OU +organizationalUnitName_default = $conf_EASYRSA_REQ_OU commonName = Common Name (eg: your user, host, or server name) commonName_max = 64 -commonName_default = $ENV::EASYRSA_REQ_CN +commonName_default = $conf_EASYRSA_REQ_CN emailAddress = Email Address -emailAddress_default = $ENV::EASYRSA_REQ_EMAIL +emailAddress_default = $conf_EASYRSA_REQ_EMAIL emailAddress_max = 64 serialNumber = Serial-number (eg, device serial-number) -serialNumber_default = $ENV::EASYRSA_REQ_SERIAL +serialNumber_default = $conf_EASYRSA_REQ_SERIAL #################################################################### # Easy-RSA cert extension handling 
@@ -6041,8 +6099,8 @@ keyUsage = cRLSign, keyCertSign # nsCertType omitted by default. Let's try to let the deprecated stuff die. # nsCertType = sslCA -# A placeholder to handle the $X509_TYPES and CA extra extensions $EXTRA_EXTS: -#%CA_X509_TYPES_EXTRA_EXTS% # Do NOT remove or change this line as $X509_TYPES and EXTRA_EXTS demands it +# A placeholder to handle the \$X509_TYPES and CA extra extensions \$EXTRA_EXTS: +#%CA_X509_TYPES_EXTRA_EXTS% # Do NOT remove or change this line as \$X509_TYPES and EXTRA_EXTS demands it # CRL extensions. [ crl_ext ] @@ -6245,6 +6303,11 @@ while :; do empty_ok=1 export EASYRSA_FORCE_SAFE_SSL=1 ;; + --old-safe-ssl) + empty_ok=1 + export EASYRSA_FORCE_SAFE_SSL=1 + export EASYRSA_LEGACY_SAFE_SSL=1 + ;; --nopass|--no-pass) empty_ok=1 export EASYRSA_NO_PASS=1