diff --git a/ChangeLog b/ChangeLog index 182e6646a..0c96341f8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,7 +1,13 @@ Easy-RSA 3 ChangeLog 3.2.0 (TBD) - * Update OpenSSL to 3.1.6 + +3.1.7 (ETA 2023-10-13) + * Insert required errors and warning to control vars location (#1014) + * Guard against default 'pki/vars' setting a different PKI (#1014) + * Retract preference for 'vars' file to exist in the PKI (#1014) + * Disable all code which requests vars in PKI (#1014) + * Update OpenSSL to 3.1.2 3.1.6 (2023-07-18) * New commands: 'inline' and 'x509-eku' (#993) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index d266feb41..72d2c9f0a 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -93,10 +93,6 @@ DIRECTORY STATUS (commands would take effect on these locations) vars-file: $vars_status x509-types: ${EASYRSA_EXT_DIR:-Missing or undefined} $CA_status" - - # if the vars file in use is not in the PKI - # and not user defined then Show the messages - prefer_vars_in_pki_msg } # => usage() # Detailed command help @@ -611,7 +607,8 @@ EasyRSA version $EASYRSA_version Error ----- $1" - exit 1 + easyrsa_exit_with_error=1 + cleanup } # => user_error() # verbose information @@ -875,6 +872,10 @@ Temporary session not preserved." *) warn "prompt_restore: '$prompt_restore'" esac + # if the vars file in use is in the PKI + # and not user defined then Show the message + vars_in_pki_msg + # Get a clean line [ "$EASYRSA_SILENT" ] || print @@ -892,7 +893,7 @@ Temporary session not preserved." # Exit: SIGINT if [ "$1" = 2 ]; then - verbose "exit SIGINT = true" + verbose "Exit: SIGINT = true" kill -2 "$$" fi @@ -1293,15 +1294,6 @@ and initialize a fresh PKI here." # now remove it: case "$reset" in hard) - - # Promote use of soft init - confirm "Remove current 'vars' file? " yes "\ -* SECOND WARNING!!! - -* This will remove everything in your current PKI directory. - To keep your current settings use 'init-pki soft' instead. - Using 'init-pki soft' is recommended." - # # # shellcheck disable=SC2115 # Use "${var:?}" rm -rf "$EASYRSA_PKI" || \ die "init-pki hard reset failed." @@ -1309,7 +1301,7 @@ and initialize a fresh PKI here." # If vars was in the old pki, it has been removed # If vars was somewhere else, it is user defined # Clear found_vars, we MUST not find pki/vars - [ "$vars_in_pki" ] && unset -v found_vars + unset -v vars_in_pki found_vars ;; soft) # There is no unit test for a soft reset @@ -1333,6 +1325,7 @@ and initialize a fresh PKI here." user_error "Unknown reset type: $reset" esac fi + verbose "init-pki $reset: Removal COMPLETE" # new dirs: for i in private reqs inline; do @@ -1352,50 +1345,31 @@ Failed to install required data-files to PKI. (init)" Your newly created PKI dir is: * $EASYRSA_PKI" - # Installation information - # if $no_new_vars then there are one or more known vars - # which are not in the PKI. All further commands will fail - # until vars is manually corrected - if [ "$no_new_vars" ]; then - warn "\ -A vars file has not been created in your new PKI because -conflicting vars files have been found elsewhere." - prefer_vars_in_pki_msg - else - information " -Using Easy-RSA configuration: -* ${vars:-undefined}" - fi - - # For new PKIs , pki/vars was auto-created, show message - if [ "$new_vars_true" ]; then - information " -IMPORTANT: - Easy-RSA 'vars' template file has been created in your new PKI. - Edit this 'vars' file to customise the settings for your PKI. - To use a global vars file, use global option --vars=" - - else - prefer_vars_in_pki_msg - fi verbose "\ init_pki: x509-types dir ${EASYRSA_EXT_DIR:-Not found}" } # => init_pki() # Must be used in two places, so made it a function -prefer_vars_in_pki_msg() { - if [ "$vars_in_pki" ] || [ "$user_vars_true" ] || - [ "$EASYRSA_NO_VARS" ] +vars_in_pki_msg() { + [ "$vars_in_pki" ] || return 0 + if [ "$user_vars_true" ] || [ "$EASYRSA_NO_VARS" ] then return fi + # Resolve setting EASYRSA_PKI in vars file + # when vars file is default 'pki/vars' + # and potentially points to a different PKI. + # Once resolved, a user set PKI will over-rule + # a vars setting and this message can be disabled + #return + information " IMPORTANT: - The preferred location for 'vars' is within the PKI folder. - To silence this message move your 'vars' file to your PKI + Do NOT keep your 'vars' within your PKI directory. + To silence this message, move your 'vars' file out of your PKI or declare your 'vars' file with option: --vars=" -} # => prefer_vars_in_pki_msg() +} # => vars_in_pki_msg() # Copy data-files from various sources install_data_to_pki() { @@ -1412,8 +1386,6 @@ install_data_to_pki() { shift # Set required sources - vars_file='vars' - vars_file_example='vars.example' ssl_cnf_file='openssl-easyrsa.cnf' x509_types_dir='x509-types' @@ -1451,9 +1423,9 @@ install_data_to_pki() { EASYRSA_EXT_DIR "${area}/${x509_types_dir}" # Find other files - Omitting "$vars_file" + # shellcheck disable=SC2066 # loop will only run once for source in \ - "$vars_file_example" \ - "$ssl_cnf_file" \ + "$ssl_cnf_file" # EOL do # Find each item @@ -1473,20 +1445,10 @@ install_data_to_pki() { # Short circuit for x509-types-only if [ "$context" = x509-types-only ]; then verbose "\ -install_data_to_pki: $context - COMPLETED" +install_data_to_pki $context: $EASYRSA_EXT_DIR" return fi - # Always require a pki/vars.example file - if [ -e "$EASYRSA_PKI/vars.example" ];then - : # ok - else - create_vars_example > "$EASYRSA_PKI/vars.example" || \ - die "install_data_to_pki - create_vars_example FAILED" - verbose "\ -install_data_to_pki: $context - create_vars_example OK" - fi - # Create PKI/vars from PKI/example unset -v new_vars_true if [ "$found_vars" = 1 ] || [ "$user_vars_true" ] || \ @@ -1494,32 +1456,11 @@ install_data_to_pki: $context - create_vars_example OK" then : # ok - Do not make a PKI/vars if another vars exists verbose "\ -install_data_to_pki: $context - Not creating pki/vars" +install_data_to_pki $context: Not creating pki/vars" else case "$context" in init-pki) - # Only create for 'init-pki', if one does not exist - # 'init-pki soft' should have it's own 'vars' file - if [ -e "${EASYRSA_PKI}/${vars_file_example}" ] && \ - [ ! -e "${EASYRSA_PKI}/${vars_file}" ] - then - # Failure means that no vars will exist and - # 'cp' will generate an error message - # This is not a fatal error - if cp "${EASYRSA_PKI}/${vars_file_example}" \ - "${EASYRSA_PKI}/${vars_file}" - then - new_vars_true=1 - vars="${EASYRSA_PKI}/${vars_file}" - verbose "\ -install_data_to_pki: $context - vars = '$vars'" - else - unset -v new_vars_true vars - warn "\ -install_data_to_pki: $context - Failed to install vars file" - fi - fi - ;; + : ;; # No change to current 'vars' required vars-setup) : ;; # No change to current 'vars' required x509-types-only) @@ -1537,14 +1478,15 @@ install_data_to_pki: $context - Failed to install vars file" else create_openssl_easyrsa_cnf > \ "${EASYRSA_PKI}/${ssl_cnf_file}" || die "\ -install_data_to_pki - Missing: '$ssl_cnf_file'" +install_data_to_pki $context: \ +Missing: '${EASYRSA_PKI}/${ssl_cnf_file}'" verbose "\ -install_data_to_pki: $context - create_openssl_easyrsa_cnf OK" +install_data_to_pki $context: create_openssl_easyrsa_cnf OK" fi [ -d "$EASYRSA_EXT_DIR" ] || verbose "\ install_data_to_pki: $context - Missing: '$x509_types_dir'" - verbose "install_data_to_pki: $context - COMPLETED" + verbose "install_data_to_pki $context: COMPLETED" } # => install_data_to_pki () # Disable terminal echo, if possible, otherwise warn @@ -5588,7 +5530,7 @@ Use of --silent and --verbose is unresolvable." # Here sourcing of 'vars' if present occurs. # If not present, defaults are used to support # running without a sourced config format -vars_setup() { +setup_vars() { # Try to locate a 'vars' file in order of preference. # If one is found then source it. # NOTE: EASYRSA_PKI is never set here, @@ -5598,138 +5540,170 @@ vars_setup() { vars= # Find vars - # Explicit user defined vars file: + # Explicit user defined NO vars file: if [ "$EASYRSA_NO_VARS" ]; then - # Found exactly zero vars files + user_vars_true=1 found_vars=0 - warn "\ -EASYRSA_NO_VARS is enabled, not using a 'vars' file.${NL}" + # Explicit user defined vars file: elif [ "$EASYRSA_VARS_FILE" ]; then - if [ -e "$EASYRSA_VARS_FILE" ]; then - vars="$EASYRSA_VARS_FILE" - # User set vars turns off pki/var warning + vars="$EASYRSA_VARS_FILE" + user_vars_true=1 + found_vars=1 + + # Implicit User defined EASYRSA vars + elif [ "$EASYRSA" ]; then + vars="${EASYRSA}/vars" + if [ -e "${EASYRSA}/vars" ]; then user_vars_true=1 - # Found exactly one vars file found_vars=1 else - # If the --vars option does not point to a file - user_error "\ -The 'vars' file was not found: -* $EASYRSA_VARS_FILE" + # Allow without a default vars file + unset -v vars + user_vars_true=1 + found_vars=0 fi # Otherwise, find vars else - # set up program path - prog_file="$0" - prog_dir="${prog_file%/*}" + # Working dir vars + # This location is most suitable + pwd_vars="$PWD/vars" + + # Program dir + prog_dir="${0%/*}" + verbose "setup_vars: prog_dir = $prog_dir" + + # If prog_dir is PWD then do not check prog_vars if [ "$prog_dir" = . ] || [ "$prog_dir" = "$PWD" ] then - prog_in_pwd=1 + unset -v prog_vars else - unset -v prog_in_pwd + prog_vars="${prog_dir}/vars" fi - # Program dir vars - This location is least wanted. - prog_vars="${prog_dir}/vars" - - # set up PKI path vars - Top preference + # set up PKI path vars + # Due to EASYRSA_PKI being a usable variable + # in the vars file, this is currently NOT a + # suitable location for vars pki_vars="${EASYRSA_PKI:-$PWD/pki}/vars" - expected_pki_vars="$pki_vars" - - # Some other place vars, out of scope. - if [ "$EASYRSA" ]; then - easy_vars="${EASYRSA}/vars" - else - unset -v easy_vars - fi - - # vars of last resort - pwd_vars="$PWD/vars" - # Clear flags - This is the preferred order to find: + # Clear flags unset -v \ - e_pki_vars e_easy_vars e_pwd_vars e_prog_vars \ + e_pki_vars e_pwd_vars e_prog_vars \ found_vars vars_in_pki - # PKI location, if present: - [ -e "$pki_vars" ] && e_pki_vars=1 - - # EASYRSA, if defined: - [ -e "$easy_vars" ] && e_easy_vars=1 - - # vars of last resort + # Working dir: [ -e "$pwd_vars" ] && e_pwd_vars=1 - # program location: + # Program location: [ -e "$prog_vars" ] && e_prog_vars=1 - # Filter duplicates - if [ "$e_prog_vars" ] && [ "$e_pwd_vars" ] && \ - [ "$prog_in_pwd" ] - then - unset -v prog_vars e_prog_vars + # PKI location, least desirable: + if [ -e "$pki_vars" ]; then + e_pki_vars=1 + vars_in_pki=1 + + # Conflicting default pki/vars: + if [ "$e_pwd_vars" ] || [ "$e_prog_vars" ] + then + user_error "\ +There is a 'vars' file located inside the default PKI. +This 'vars' file must be moved to the working directory. + + 'vars' file: + * $pki_vars + + PKI directory: + * ${pki_vars%/vars} + + Working directory: + * $PWD + + Info: + * https://github.com/OpenVPN/easy-rsa/issues/1009" + fi fi - # Allow only one vars to be found, No exceptions! + # Count found vars files found_vars="$(( - e_pki_vars + e_easy_vars + e_pwd_vars + e_prog_vars + e_pwd_vars + e_prog_vars + e_pki_vars ))" - verbose "vars_setup: found_vars = '$found_vars'" + verbose "setup_vars: found_vars = '$found_vars'" # If found_vars greater than 1 - # then output user info and exit + # then output user info case "$found_vars" in 0) : # ok ;; 1) - # If a SINGLE vars file is found - # then assign $vars - [ "$e_prog_vars" ] && vars="$prog_vars" - [ "$e_pwd_vars" ] && vars="$pwd_vars" - [ "$e_easy_vars" ] && vars="$easy_vars" - [ "$e_pki_vars" ] && \ - vars="$pki_vars" && vars_in_pki=1 - : # Wipe error status + # If a SINGLE vars file is found then + # Select single vars file, with priority + if [ "$e_pwd_vars" ]; then + vars="$pwd_vars" + elif [ "$e_prog_vars" ]; then + vars="$prog_vars" + elif [ "$e_pki_vars" ]; then + vars="$pki_vars" + # Set expected_pki + # to stop vars changing EASYRSA_PKI + expected_pki="${pki_vars%/*}" + else + # This cannot happen + die "Detecting vars file failed!" + fi ;; *) - [ "$e_pki_vars" ] && print "Found: $pki_vars" - [ "$e_easy_vars" ] && print "Found: $easy_vars" - [ "$e_pwd_vars" ] && print "Found: $pwd_vars" - [ "$e_prog_vars" ] && print "Found: $prog_vars" - - # For init-pki, version and help, skip this - if [ "$require_pki" ]; then - user_error "\ -Conflicting 'vars' files found. - -Priority should be given to your PKI vars file: -* $expected_pki_vars" + # Multiple vars files + warn "\ +Conflicting 'vars' files found, see below. +EasyRSA cannot be used with multiple 'vars' files. +Either declare which 'vars' file to use with --vars= +or remove the 'vars' files which are not in use.${NL}" + + # Show found vars files + [ "$e_pwd_vars" ] && \ + print " pwd_vars Found: $pwd_vars" + [ "$e_prog_vars" ] && \ + print " prog_vars Found: $prog_vars" + [ "$e_pki_vars" ] && \ + print " pki_vars Found: $pki_vars" + + # Select single vars file, with priority + if [ "$e_pwd_vars" ]; then + vars="$pwd_vars" + elif [ "$e_prog_vars" ]; then + vars="$prog_vars" + elif [ "$e_pki_vars" ]; then + vars="$pki_vars" + # Set expected_pki + # to stop vars changing EASYRSA_PKI + expected_pki="${pki_vars%/*}" + else + # This cannot happen + die "Detecting vars file failed!" fi - # For init-pki, pki/vars will be deleted - # However, another vars file exists - # so don't create pki/vars - no_new_vars=1 - verbose "vars_setup: no_new_vars = '$no_new_vars'" + # Show selected vars + print " * Selected vars: $vars" + [ "$EASYRSA_VERBOSE" ] && print esac - verbose "vars_setup: vars = '$vars'" - # Clean up - unset -v prog_vars pwd_vars easy_vars pki_vars \ - expected_pki_vars + unset -v prog_vars pwd_vars easy_vars pki_vars # END: Find vars fi +} # => setup_vars() +# Source vars file and set defaults +source_vars() { # If EASYRSA_NO_VARS is defined then do not use vars # If PKI is not required then located vars files are # not required if [ "$EASYRSA_NO_VARS" ]; then - : # ok + verbose "source_vars: Explicit NO vars" # $vars remains undefined .. no vars found # 'install_data_to_pki vars-setup' will NOT @@ -5738,21 +5712,38 @@ Priority should be given to your PKI vars file: # If PKI is required then warn # For init-pki, version and help, skip this if [ "$require_pki" ]; then - warn "\ -No Easy-RSA 'vars' configuration file exists!" + information "\ +No Easy-RSA 'vars' configuration file exists.${NL}" fi # If a vars file was located then source it else + # 'vars' MUST not be a directory + [ -d "$vars" ] && user_error "\ +Missing vars file: +* $vars" + # 'vars' now MUST exist - [ -e "$vars" ] || die "\ + [ -e "$vars" ] || user_error "\ Missing vars file: * $vars" - # Installation information + # Show the vars file in use [ "$require_pki" ] && information "\ Using Easy-RSA 'vars' configuration: -* $vars" +* $vars${NL}" + + # Setup: catch vars file changing PKI unexpectedly + if [ "$EASYRSA_PKI" ]; then + expected_pki="${expected_pki:-"$EASYRSA_PKI"}" + elif [ "$EASYRSA" ]; then + expected_pki="${expected_pki:-"$EASYRSA/pki"}" + elif [ "$user_vars_true" ]; then + expected_pki= + else + expected_pki="${expected_pki:-"$PWD/pki"}" + fi + verbose "source_vars: expected_pki=$expected_pki" # Sanitize vars if grep -q \ @@ -5778,7 +5769,7 @@ Please, correct these errors and try again." -e '[[:blank:]]unset[[:blank:]]*' \ "$vars" then - warn "\ + user_error "\ One or more of these problems has been found in your 'vars' file: * Use of 'export': @@ -5794,12 +5785,23 @@ Remove 'unset' ('force_set_var' may also work)." # Test sourcing 'vars' in a subshell # shellcheck disable=1090 # can't follow .. vars - ( . "$vars" ) || \ - die "Failed to source the vars file." + if ( . "$vars" ); then + : # ok + else + if [ "$vars" = "${vars%/*}" ]; then + user_error "\ +Failed to source the vars file: '$vars' +Perhaps you need to specify the PATH. eg: './$vars'" + else + die "\ +Failed to source the vars file: '$vars' +The error above may have more information." + fi + fi # Source 'vars' now # shellcheck disable=1090 # can't follow .. vars - . "$vars" 2>/dev/null + . "$vars" unset -v EASYRSA_CALLER fi @@ -5857,13 +5859,33 @@ Algorithm '$EASYRSA_ALGO' is invalid: Must be 'rsa', 'ec' or 'ed'" set_var EASYRSA_MAX_TEMP 4 - # if the vars file in use is not in the PKI - # and not user defined then Show the messages - if [ "$require_pki" ]; then - prefer_vars_in_pki_msg + # https://github.com/OpenVPN/easy-rsa/issues/1009 + # expected_pki is set when default 'pki/vars' is used + # This blocks pki/vars UNEXPECTEDLY changing EASYRSA_PKI + if [ "$expected_pki" ]; then + if [ "$expected_pki" = "$EASYRSA_PKI" ]; then + verbose "source_vars: expected_pki OK" + else + user_error "\ +'EASYRSA_PKI' is set incorrectly in the default 'vars' file. + + The default pki/vars file: + * $vars + + Uses a different PKI: + * $EASYRSA_PKI + + Expected PKI to be: + * $expected_pki + +Cannot continue with invalid configuration." + fi + else + verbose "source_vars: expected_pki NOT defined" fi - verbose "vars_setup: COMPLETED" -} # => vars_setup() + + verbose "source_vars: COMPLETED" +} # => source_vars() # Verify working environment verify_working_env() { @@ -5912,9 +5934,10 @@ verify_working_env - install_data_to_pki vars-setup failed" fi # Last setup msg - information " + [ "$EASYRSA_VERBOSE" ] && print + information "\ Using SSL: -* $EASYRSA_OPENSSL $ssl_version" +* $EASYRSA_OPENSSL $ssl_version${NL}" else # The directory does not exist @@ -7012,6 +7035,7 @@ detect_host # Initialisation requirements unset -v \ + expected_pki \ verify_ssl_lib_ok \ secured_session \ working_safe_ssl_conf working_safe_org_conf \ @@ -7245,10 +7269,12 @@ cmd="$1" # Establish PKI and CA initialisation requirements # This avoids unnecessary warnings and notices case "$cmd" in - init-pki|clean-all|\ - help|-h|--help|--usage|\ - show-host|\ - version|upgrade|'') + version|upgrade|show-host) + unset -v require_pki require_ca + EASYRSA_NO_VARS=1 + ;; + help|-h|--help|--usage|''| \ + init-pki|clean-all) unset -v require_pki require_ca ;; *) @@ -7263,8 +7289,11 @@ case "$cmd" in esac esac -# Intelligent env-var detection and auto-loading: -vars_setup +# Determine which vars file to use +setup_vars + +# Source the vars file +source_vars # Check for conflicting input options mutual_exclusions