From ca76697d213425a60876c61dad5274e600902b91 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Thu, 11 Apr 2024 21:46:13 +0100 Subject: [PATCH 1/2] Remove escape_hazard() This was an ill-conceived attempt to auto-escape characters used in the Organizational fields of an extended distinguished name. The original problem was due to using 'sed', to expand the SSL config file for use by LibreSSL, only. Use of 'sed' has been replaced by 'here-doc' expansion, which means 'escape_hazard()' is pointless. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 61 ------------------------------------------------ 1 file changed, 61 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 5c85405a4..361d36651 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
@@ -1014,63 +1014,6 @@ Temporary session not preserved." exit 1 } # => cleanup() -# Escape hazardous characters -# Auto-escape hazardous characters: -# '&' - Workaround 'sed' behavior -# '$' - Workaround 'easyrsa' based limitation -# This is required for all SSL libs, otherwise, -# there are unacceptable differences in behavior -escape_hazard() { - if [ "$EASYRSA_FORCE_SAFE_SSL" ] || \ - [ "$makesafeconf" ] - then - # Always run - verbose "escape_hazard: FORCED" - elif [ "$working_safe_org_conf" ]; then - # Has run once - verbose "escape_hazard: BYPASSED" - return - else - # Run once - verbose "escape_hazard: RUN-ONCE" - fi - - # Only use if old 'sed' version is requested - if [ "$EASYRSA_LEGACY_SAFE_SSL" ]; then - : # ok - else - verbose "escape_hazard: REPLACED by heredoc expansion" - verbose "escape_hazard: ABANDONED" - return - fi - - # Set run once - working_safe_org_conf=1 - - # Assign temp-file - escape_hazard_tmp="" - easyrsa_mktemp escape_hazard_tmp || die \ - "escape_hazard - easyrsa_mktemp escape_hazard_tmp" - - # write org fields to org temp-file and escape '&' and '$' - print "\ -export EASYRSA_REQ_COUNTRY=\"$EASYRSA_REQ_COUNTRY\" -export EASYRSA_REQ_PROVINCE=\"$EASYRSA_REQ_PROVINCE\" -export EASYRSA_REQ_CITY=\"$EASYRSA_REQ_CITY\" -export EASYRSA_REQ_ORG=\"$EASYRSA_REQ_ORG\" -export EASYRSA_REQ_OU=\"$EASYRSA_REQ_OU\" -export EASYRSA_REQ_EMAIL=\"$EASYRSA_REQ_EMAIL\" -export EASYRSA_REQ_SERIAL=\"$EASYRSA_REQ_SERIAL\"\ -" | sed -e s\`'\&'\`'\\\&'\`g \ - -e s\`'\$'\`'\\\$'\`g \ - > "$escape_hazard_tmp" || die "\ -escape_hazard - Failed to write temp-file" - - # Reload fields from fully escaped temp-file - source_vars "$escape_hazard_tmp" - verbose "escape_hazard: COMPLETED" -} # => escape_hazard() - # Replace environment variable names with current value # and write to temp-file or return error from sed expand_ssl_config() { 
@@ -1188,10 +1131,6 @@ easyrsa_openssl() { die "easyrsa_openssl: Illegal SSL command: rand" esac - # Auto-escape hazardous characters - escape_hazard || \ - die "easyrsa_openssl - escape_hazard failed" - # Rewrite SSL config expand_ssl_config || \ die "easyrsa_openssl - expand_ssl_config failed" From 476a408749290aac4f246c75f93688f28fe6d0bf Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Thu, 11 Apr 2024 22:13:28 +0100 Subject: [PATCH 2/2] ChangeLog: Remove escape_hazard(), obsolete Signed-off-by: Richard T Bonhomme --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index fcd804ca9..5c6c3d841 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog 3.2.0 (TBD) + * Remove escape_hazard(), obsolete (ca76697) * Remove command and function display_cn(), unused (be8f400) (#1114) * Introduce Options to edit Request Subject during command 'sign-req' Global Option: --new-subject -- Command 'sign-req' option: 'newsubj'