From 4cb05fe29d6128aed35104ee7f183474456b9aba Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 29 Aug 2023 19:55:10 +0100 Subject: [PATCH 01/21] Disable prefer_vars_in_pki_msg(), until further notice Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index d266feb41..af97cfb12 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1390,6 +1390,10 @@ prefer_vars_in_pki_msg() { return fi + # disable this until v3.2-ish + verbose "prefer_vars_in_pki_msg: DISABLED" + return 0 + information " IMPORTANT: The preferred location for 'vars' is within the PKI folder. From 2e5865ad2e0096aa2feb2590a5eac69beb66c49b Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 29 Aug 2023 20:47:22 +0100 Subject: [PATCH 02/21] install_data_to_pki: Disable creating new vars file Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index af97cfb12..35bcc4772 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1293,14 +1293,13 @@ and initialize a fresh PKI here." # now remove it: case "$reset" in hard) - # Promote use of soft init - confirm "Remove current 'vars' file? " yes "\ -* SECOND WARNING!!! - -* This will remove everything in your current PKI directory. - To keep your current settings use 'init-pki soft' instead. - Using 'init-pki soft' is recommended." +# confirm "Completely remove current PKI ? " yes "\ +#* SECOND WARNING!!! +# +#* This will remove everything in your current PKI directory. +# To keep your current settings use 'init-pki soft' instead. +# Using 'init-pki soft' is recommended." # # # shellcheck disable=SC2115 # Use "${var:?}" rm -rf "$EASYRSA_PKI" || \ 
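Review bot: In the `hard)` arm of the reset `case`, the second confirmation in front of `rm -rf "$EASYRSA_PKI"` is commented out rather than deleted, and the commit subject ("Disable creating new vars file") does not mention that a prompt guarding a destructive operation went away. The prompt text is also reworded inside the comment (`Remove current 'vars' file?` becomes `Completely remove current PKI ?`), which has no effect on behaviour. If the prompt is meant to go, delete the block and record it in the commit message; if it is only parked, mark it, e.g. `# NOTE: second confirmation before 'rm -rf' intentionally disabled`. The hunk ends mid-statement at the `rm -rf` continuation, so whether an earlier confirmation still guards the removal cannot be seen from here.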
@@ -1333,6 +1332,7 @@ and initialize a fresh PKI here." user_error "Unknown reset type: $reset" esac fi + verbose "init-pki $reset: Removal COMPLETE" # new dirs: for i in private reqs inline; do @@ -1502,6 +1502,11 @@ install_data_to_pki: $context - Not creating pki/vars" else case "$context" in init-pki) + # Disable creating a vars file + if : + then + verbose "install_data_to_pki: New vars DISABLED" + else # Only create for 'init-pki', if one does not exist # 'init-pki soft' should have it's own 'vars' file if [ -e "${EASYRSA_PKI}/${vars_file_example}" ] && \ @@ -1523,6 +1528,7 @@ install_data_to_pki: $context - vars = '$vars'" install_data_to_pki: $context - Failed to install vars file" fi fi + fi ;; vars-setup) : ;; # No change to current 'vars' required From f18c9a08df409c13ae4a16b5a89d09709ad43723 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Wed, 30 Aug 2023 11:33:48 +0100 Subject: [PATCH 03/21] Disable creating a vars file and only allow one vars file to exist intall_data_to_pki init-pki: Never create a vars file. Creating a vars file in the PKI is not recommended due to the possibility of defining use of a different PKI via EASYRSA_PKI variable. vars_setup: Never allow multiple vars files to exist for any commands. If there are multiple vars file found then EasyRSA has no way to prioritise one over another. Remove unused variable: expected_pki_vars Standardise some verbose messages. Correct some comments related to 'vars in PKI', no longer suitable. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 52 ++++++++++++++++++++++++++---------------------- 1 file changed, 28 insertions(+), 24 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 35bcc4772..e1c43cbea 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
@@ -1477,7 +1477,7 @@ install_data_to_pki() { # Short circuit for x509-types-only if [ "$context" = x509-types-only ]; then verbose "\ -install_data_to_pki: $context - COMPLETED" +install_data_to_pki $context: $EASYRSA_EXT_DIR" return fi @@ -1488,7 +1488,7 @@ install_data_to_pki: $context - COMPLETED" create_vars_example > "$EASYRSA_PKI/vars.example" || \ die "install_data_to_pki - create_vars_example FAILED" verbose "\ -install_data_to_pki: $context - create_vars_example OK" +install_data_to_pki $context: create_vars_example OK" fi # Create PKI/vars from PKI/example @@ -1498,14 +1498,15 @@ install_data_to_pki: $context - create_vars_example OK" then : # ok - Do not make a PKI/vars if another vars exists verbose "\ -install_data_to_pki: $context - Not creating pki/vars" +install_data_to_pki $context: Not creating pki/vars" else case "$context" in init-pki) - # Disable creating a vars file + # ALWAYS Disable creating a vars file if : then - verbose "install_data_to_pki: New vars DISABLED" + verbose "\ +install_data_to_pki $context: New vars DISABLED" else # Only create for 'init-pki', if one does not exist # 'init-pki soft' should have it's own 'vars' file @@ -1521,11 +1522,11 @@ install_data_to_pki: $context - Not creating pki/vars" new_vars_true=1 vars="${EASYRSA_PKI}/${vars_file}" verbose "\ -install_data_to_pki: $context - vars = '$vars'" +install_data_to_pki $context: vars = '$vars'" else unset -v new_vars_true vars warn "\ -install_data_to_pki: $context - Failed to install vars file" +install_data_to_pki $context: Failed to install vars file" fi fi fi 
@@ -1549,12 +1550,12 @@ install_data_to_pki: $context - Failed to install vars file" "${EASYRSA_PKI}/${ssl_cnf_file}" || die "\ install_data_to_pki - Missing: '$ssl_cnf_file'" verbose "\ -install_data_to_pki: $context - create_openssl_easyrsa_cnf OK" +install_data_to_pki $context: create_openssl_easyrsa_cnf OK" fi [ -d "$EASYRSA_EXT_DIR" ] || verbose "\ install_data_to_pki: $context - Missing: '$x509_types_dir'" - verbose "install_data_to_pki: $context - COMPLETED" + verbose "install_data_to_pki $context: COMPLETED" } # => install_data_to_pki () # Disable terminal echo, if possible, otherwise warn @@ -5642,12 +5643,14 @@ The 'vars' file was not found: unset -v prog_in_pwd fi - # Program dir vars - This location is least wanted. + # Program dir vars prog_vars="${prog_dir}/vars" - # set up PKI path vars - Top preference + # set up PKI path vars + # Due to EASYRSA_PKI being a usable variable + # in the vars file, this is currently NOT a + # suitable location for vars pki_vars="${EASYRSA_PKI:-$PWD/pki}/vars" - expected_pki_vars="$pki_vars" # Some other place vars, out of scope. if [ "$EASYRSA" ]; then @@ -5656,10 +5659,11 @@ The 'vars' file was not found: unset -v easy_vars fi - # vars of last resort + # Working dir vars + # This location is most suitable pwd_vars="$PWD/vars" - # Clear flags - This is the preferred order to find: + # Clear flags unset -v \ e_pki_vars e_easy_vars e_pwd_vars e_prog_vars \ found_vars vars_in_pki @@ -5670,10 +5674,10 @@ The 'vars' file was not found: # EASYRSA, if defined: [ -e "$easy_vars" ] && e_easy_vars=1 - # vars of last resort + # Working dir: [ -e "$pwd_vars" ] && e_pwd_vars=1 - # program location: + # Program location: [ -e "$prog_vars" ] && e_prog_vars=1 # Filter duplicates 
@@ -5712,19 +5716,19 @@ The 'vars' file was not found: [ "$e_prog_vars" ] && print "Found: $prog_vars" # For init-pki, version and help, skip this - if [ "$require_pki" ]; then + #if [ "$require_pki" ]; then user_error "\ -Conflicting 'vars' files found. - -Priority should be given to your PKI vars file: -* $expected_pki_vars" - fi +Conflicting 'vars' files found, see above. +EasyRSA cannot be used with multiple 'vars' files. +Either declare which 'vars' file to use with --vars= +or remove the 'vars' files which are not in use." + #fi # For init-pki, pki/vars will be deleted # However, another vars file exists # so don't create pki/vars - no_new_vars=1 - verbose "vars_setup: no_new_vars = '$no_new_vars'" + #no_new_vars=1 + #verbose "vars_setup: no_new_vars = '$no_new_vars'" esac verbose "vars_setup: vars = '$vars'" From d05a89e352937d106501e8c6c4e5ad3766866334 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Wed, 30 Aug 2023 12:11:50 +0100 Subject: [PATCH 04/21] install_data_to_pki: Never create a pki/vars.example file Having a pki/vars.example file exist, leads to the incorrect conclusion that a pki/vars file is suitable. Therefore, never create an example file. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index e1c43cbea..f1564e924 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1455,9 +1455,9 @@ install_data_to_pki() { EASYRSA_EXT_DIR "${area}/${x509_types_dir}" # Find other files - Omitting "$vars_file" + # shellcheck disable=SC2066 # loop will only run once for source in \ - "$vars_file_example" \ - "$ssl_cnf_file" \ + "$ssl_cnf_file" # EOL do # Find each item 
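Review bot: With the `if [ "$require_pki" ]` guard commented out, `user_error` in the `*)` arm now fires for every command when more than one 'vars' file is found, while the surviving comment `# For init-pki, version and help, skip this` still says those commands are exempt. As written, `help` and `version` would also stop on a stray second 'vars' file, which makes the conflict harder to diagnose. Either keep the guard or replace the stale comment, e.g. `# Multiple vars files are fatal for ALL commands`. The commented-out `#if`/`#fi` and `#no_new_vars=1` lines should be deleted rather than left behind. The enclosing `case` starts outside this hunk.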
@@ -1481,16 +1481,6 @@ install_data_to_pki $context: $EASYRSA_EXT_DIR" return fi - # Always require a pki/vars.example file - if [ -e "$EASYRSA_PKI/vars.example" ];then - : # ok - else - create_vars_example > "$EASYRSA_PKI/vars.example" || \ - die "install_data_to_pki - create_vars_example FAILED" - verbose "\ -install_data_to_pki $context: create_vars_example OK" - fi - # Create PKI/vars from PKI/example unset -v new_vars_true if [ "$found_vars" = 1 ] || [ "$user_vars_true" ] || \ From 8d55b9f906c8ce5701882966f6c885675e1cae45 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Wed, 30 Aug 2023 16:05:36 +0100 Subject: [PATCH 05/21] ChangeLog: Disable code which requests vars be moved to the PKI Signed-off-by: Richard T Bonhomme --- ChangeLog | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 182e6646a..96cbd5271 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,7 +1,10 @@ Easy-RSA 3 ChangeLog 3.2.0 (TBD) - * Update OpenSSL to 3.1.6 + +3.1.7 (ETA 2023-10-13) + * Disable all code which requests vars in PKI (#1014) + * Update OpenSSL to 3.1.2 3.1.6 (2023-07-18) * New commands: 'inline' and 'x509-eku' (#993) From 53f443c9f559c47c429497ca18687bab41889af8 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Thu, 31 Aug 2023 12:32:36 +0100 Subject: [PATCH 06/21] vars_setup: Downgrade warning to info for "no vars file exists" Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index f1564e924..9c1181025 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -5742,8 +5742,8 @@ or remove the 'vars' files which are not in use." # If PKI is required then warn # For init-pki, version and help, skip this if [ "$require_pki" ]; then - warn "\ -No Easy-RSA 'vars' configuration file exists!" + information "\ +No Easy-RSA 'vars' configuration file exists." fi # If a vars file was located then source it 
From 3b4ac2ec2affc7af9db12b8b9c1f2288e7048854 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Fri, 1 Sep 2023 20:59:31 +0100 Subject: [PATCH 07/21] install_data_to_pki: Correct error message "text" only Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 9c1181025..df81a4f72 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1538,7 +1538,8 @@ install_data_to_pki $context: Failed to install vars file" else create_openssl_easyrsa_cnf > \ "${EASYRSA_PKI}/${ssl_cnf_file}" || die "\ -install_data_to_pki - Missing: '$ssl_cnf_file'" +install_data_to_pki $context: \ +Missing: '${EASYRSA_PKI}/${ssl_cnf_file}'" verbose "\ install_data_to_pki $context: create_openssl_easyrsa_cnf OK" fi From b19beb2fe04ff1fed3a74c4919d7f11e2771177c Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Sun, 3 Sep 2023 22:43:03 +0100 Subject: [PATCH 08/21] vars_setup: Multiple vars files, downgrade FATAL error to WARNING Finding multiple vars files will result in a WARNING instead of a FATAL error, then a vars file is selected. If --vars= is used or EASYRSA_VARS_FILE is defined then only the vars file defined is used, all other vars files are ignored without warning. If multiple vars files are found then select in the following order: * EASYRSA/vars - User has preset EASYRSA, highest priority. * PWD/vars - The expected default. * Program directory - This is essentially the same as PWD/vars However, it is explicitly listed due to code history. * pki/vars - This is least wanted. See note below. Note: The pki/vars was an attempt to change the default expected location of the vars file. After extensive testing, this change has proven to be fraught with misuse. Specifically, setting EASYRSA_PKI from with in a different PKI, an obvious conflict of inerests. If a single vars file is found then select it with the same priority as multiple vars files. 
Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 127 +++++++++++++++++++++++++---------------------- 1 file changed, 69 insertions(+), 58 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index df81a4f72..e6ca925d2 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -5624,44 +5624,40 @@ The 'vars' file was not found: # Otherwise, find vars else - # set up program path - prog_file="$0" - prog_dir="${prog_file%/*}" + # User defined EASYRSA vars + if [ "$EASYRSA" ]; then + easy_vars="${EASYRSA}/vars" + else + unset -v easy_vars + fi + + # Working dir vars + # This location is most suitable + pwd_vars="$PWD/vars" + + # Program dir + prog_dir="${0%/*}" + verbose "vars_setup: prog_dir=$prog_dir" + + # If prog_dir is PWD then do not check prog_vars if [ "$prog_dir" = . ] || [ "$prog_dir" = "$PWD" ] then - prog_in_pwd=1 + unset -v prog_vars else - unset -v prog_in_pwd + prog_vars="${prog_dir}/vars" fi - # Program dir vars - prog_vars="${prog_dir}/vars" - # set up PKI path vars # Due to EASYRSA_PKI being a usable variable # in the vars file, this is currently NOT a # suitable location for vars pki_vars="${EASYRSA_PKI:-$PWD/pki}/vars" - # Some other place vars, out of scope. - if [ "$EASYRSA" ]; then - easy_vars="${EASYRSA}/vars" - else - unset -v easy_vars - fi - - # Working dir vars - # This location is most suitable - pwd_vars="$PWD/vars" - # Clear flags unset -v \ e_pki_vars e_easy_vars e_pwd_vars e_prog_vars \ found_vars vars_in_pki - # PKI location, if present: - [ -e "$pki_vars" ] && e_pki_vars=1 - # EASYRSA, if defined: [ -e "$easy_vars" ] && e_easy_vars=1 
@@ -5671,62 +5667,77 @@ The 'vars' file was not found: # Program location: [ -e "$prog_vars" ] && e_prog_vars=1 - # Filter duplicates - if [ "$e_prog_vars" ] && [ "$e_pwd_vars" ] && \ - [ "$prog_in_pwd" ] - then - unset -v prog_vars e_prog_vars - fi + # PKI location, if present: + [ -e "$pki_vars" ] && e_pki_vars=1 - # Allow only one vars to be found, No exceptions! + # Count found vars files found_vars="$(( e_pki_vars + e_easy_vars + e_pwd_vars + e_prog_vars ))" verbose "vars_setup: found_vars = '$found_vars'" # If found_vars greater than 1 - # then output user info and exit + # then output user info case "$found_vars" in 0) : # ok ;; 1) - # If a SINGLE vars file is found - # then assign $vars - [ "$e_prog_vars" ] && vars="$prog_vars" - [ "$e_pwd_vars" ] && vars="$pwd_vars" - [ "$e_easy_vars" ] && vars="$easy_vars" - [ "$e_pki_vars" ] && \ - vars="$pki_vars" && vars_in_pki=1 - : # Wipe error status + # If a SINGLE vars file is found then + # Select single vars file, with priority + if [ "$e_easy_vars" ]; then + vars="$easy_vars" + elif [ "$e_pwd_vars" ]; then + vars="$pwd_vars" + elif [ "$e_prog_vars" ]; then + vars="$prog_vars" + elif [ "$e_pki_vars" ]; then + vars="$pki_vars" + vars_in_pki=1 + else + # This cannot happen + die "Detecting vars file failed!" + fi ;; *) - [ "$e_pki_vars" ] && print "Found: $pki_vars" - [ "$e_easy_vars" ] && print "Found: $easy_vars" - [ "$e_pwd_vars" ] && print "Found: $pwd_vars" - [ "$e_prog_vars" ] && print "Found: $prog_vars" - - # For init-pki, version and help, skip this - #if [ "$require_pki" ]; then - user_error "\ -Conflicting 'vars' files found, see above. + # Multiple vars files + warn "\ +Conflicting 'vars' files found, see below. EasyRSA cannot be used with multiple 'vars' files. Either declare which 'vars' file to use with --vars= -or remove the 'vars' files which are not in use." 
- #fi - - # For init-pki, pki/vars will be deleted - # However, another vars file exists - # so don't create pki/vars - #no_new_vars=1 - #verbose "vars_setup: no_new_vars = '$no_new_vars'" +or remove the 'vars' files which are not in use.${NL}" + + # Show found vars files + [ "$e_easy_vars" ] && \ + print " easy_vars Found: $easy_vars" + [ "$e_pwd_vars" ] && \ + print " pwd_vars Found: $pwd_vars" + [ "$e_prog_vars" ] && \ + print " prog_vars Found: $prog_vars" + [ "$e_pki_vars" ] && \ + print " pki_vars Found: $pki_vars" + + # Select single vars file, with priority + if [ "$e_easy_vars" ]; then + vars="$easy_vars" + elif [ "$e_pwd_vars" ]; then + vars="$pwd_vars" + elif [ "$e_prog_vars" ]; then + vars="$prog_vars" + elif [ "$e_pki_vars" ]; then + vars="$pki_vars" + else + # This cannot happen + die "Detecting vars file failed!" + fi esac - verbose "vars_setup: vars = '$vars'" + # Show selected vars + print " * Selected vars: $vars" + [ "$EASYRSA_VERBOSE" ] && print # Clean up - unset -v prog_vars pwd_vars easy_vars pki_vars \ - expected_pki_vars + unset -v prog_vars pwd_vars easy_vars pki_vars # END: Find vars fi From 1c0228ba952d16e1695801a760ee1343aa8bdea6 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Mon, 4 Sep 2023 01:00:25 +0100 Subject: [PATCH 09/21] vars_setup: Prioritise pre-defined EASYRSA/vars over standard search There is no built-in way to set EASYRSA as a variable, it must be set externally by the user. Therefore, when EASYRSA is set allow ONLY "$EASYRSA/vars". Allow "$EASYRSA/vars" to NOT exist. Command option --vars= has priority. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 54 +++++++++++++++++++----------------------------- 1 file changed, 21 insertions(+), 33 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index e6ca925d2..63b862c43 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
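Review bot: The `*)` arm now warns and carries on, but the message still says `EasyRSA cannot be used with multiple 'vars' files.`, which no longer matches the behaviour: one file is picked by priority and then sourced as shell code. Because the chosen file is executed, the warning should state plainly that a selection is made, for example `Multiple 'vars' files found; the first in priority order will be used.` The priority `if`/`elif` chain is repeated verbatim in the `1)` and `*)` arms and could be written once after the `case`. `print " * Selected vars: $vars"` sits after `esac`, so it also runs for `0)` with an empty `$vars`.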
@@ -5600,37 +5600,33 @@ vars_setup() { vars= # Find vars - # Explicit user defined vars file: + # Explicit user defined NO vars file: if [ "$EASYRSA_NO_VARS" ]; then - # Found exactly zero vars files + user_vars_true=1 found_vars=0 - warn "\ -EASYRSA_NO_VARS is enabled, not using a 'vars' file.${NL}" + # Explicit user defined vars file: elif [ "$EASYRSA_VARS_FILE" ]; then - if [ -e "$EASYRSA_VARS_FILE" ]; then - vars="$EASYRSA_VARS_FILE" - # User set vars turns off pki/var warning + vars="$EASYRSA_VARS_FILE" + user_vars_true=1 + found_vars=1 + + # Implicit User defined EASYRSA vars + elif [ "$EASYRSA" ]; then + vars="${EASYRSA}/vars" + if [ -e "${EASYRSA}/vars" ]; then user_vars_true=1 - # Found exactly one vars file found_vars=1 else - # If the --vars option does not point to a file - user_error "\ -The 'vars' file was not found: -* $EASYRSA_VARS_FILE" + # Allow without a default vars file + unset -v vars + user_vars_true=1 + found_vars=0 fi # Otherwise, find vars else - # User defined EASYRSA vars - if [ "$EASYRSA" ]; then - easy_vars="${EASYRSA}/vars" - else - unset -v easy_vars - fi - # Working dir vars # This location is most suitable pwd_vars="$PWD/vars" @@ -5655,12 +5651,9 @@ The 'vars' file was not found: # Clear flags unset -v \ - e_pki_vars e_easy_vars e_pwd_vars e_prog_vars \ + e_pki_vars e_pwd_vars e_prog_vars \ found_vars vars_in_pki - # EASYRSA, if defined: - [ -e "$easy_vars" ] && e_easy_vars=1 - # Working dir: [ -e "$pwd_vars" ] && e_pwd_vars=1 @@ -5672,7 +5665,7 @@ The 'vars' file was not found: # Count found vars files found_vars="$(( - e_pki_vars + e_easy_vars + e_pwd_vars + e_prog_vars + e_pwd_vars + e_prog_vars + e_pki_vars ))" verbose "vars_setup: found_vars = '$found_vars'" 
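Review bot: The `EASYRSA_VARS_FILE` branch now sets `vars` and `found_vars=1` without testing that the path exists, and the dedicated `user_error` ("The 'vars' file was not found") is removed. A mistyped `--vars=` is then only caught by whatever check runs later, outside this hunk, and `found_vars=1` is recorded for a file that may not be there. Keeping the test here is cheap: `[ -e "$EASYRSA_VARS_FILE" ] || user_error "The 'vars' file was not found: $EASYRSA_VARS_FILE"`. The `EASYRSA_NO_VARS` branch also loses its `warn`, so running without any configuration file is now silent; a `verbose` line there would keep it traceable.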
@@ -5685,9 +5678,7 @@ The 'vars' file was not found: 1) # If a SINGLE vars file is found then # Select single vars file, with priority - if [ "$e_easy_vars" ]; then - vars="$easy_vars" - elif [ "$e_pwd_vars" ]; then + if [ "$e_pwd_vars" ]; then vars="$pwd_vars" elif [ "$e_prog_vars" ]; then vars="$prog_vars" @@ -5708,8 +5699,6 @@ Either declare which 'vars' file to use with --vars= or remove the 'vars' files which are not in use.${NL}" # Show found vars files - [ "$e_easy_vars" ] && \ - print " easy_vars Found: $easy_vars" [ "$e_pwd_vars" ] && \ print " pwd_vars Found: $pwd_vars" [ "$e_prog_vars" ] && \ @@ -5718,14 +5707,13 @@ or remove the 'vars' files which are not in use.${NL}" print " pki_vars Found: $pki_vars" # Select single vars file, with priority - if [ "$e_easy_vars" ]; then - vars="$easy_vars" - elif [ "$e_pwd_vars" ]; then + if [ "$e_pwd_vars" ]; then vars="$pwd_vars" elif [ "$e_prog_vars" ]; then vars="$prog_vars" elif [ "$e_pki_vars" ]; then vars="$pki_vars" + vars_in_pki=1 else # This cannot happen die "Detecting vars file failed!" @@ -5765,7 +5753,7 @@ No Easy-RSA 'vars' configuration file exists." Missing vars file: * $vars" - # Installation information + # Show the vars file in use [ "$require_pki" ] && information "\ Using Easy-RSA 'vars' configuration: * $vars" From b75c8b042a430aec2ce66f7bd2f016db6e890fbe Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Mon, 4 Sep 2023 01:27:19 +0100 Subject: [PATCH 10/21] vars_setup: Prohibit specifying vars as a directory. eg: ./ Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 63b862c43..c9ec993c8 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
@@ -5748,6 +5748,11 @@ No Easy-RSA 'vars' configuration file exists." # If a vars file was located then source it else + # 'vars' MUST not be a directory + [ -d "$vars" ] && die "\ +Missing vars file: +* $vars" + # 'vars' now MUST exist [ -e "$vars" ] || die "\ Missing vars file: From 4a80b217dce0275093c929def820210dd5afb3eb Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Mon, 4 Sep 2023 01:47:27 +0100 Subject: [PATCH 11/21] vars_setup: Split into setup_vars() and source_vars() setup_vars: Determine which vars file to use. source_vars: Validate and source accepted vars file. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index c9ec993c8..3c74a75e9 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -5590,7 +5590,7 @@ Use of --silent and --verbose is unresolvable." # Here sourcing of 'vars' if present occurs. # If not present, defaults are used to support # running without a sourced config format -vars_setup() { +setup_vars() { # Try to locate a 'vars' file in order of preference. # If one is found then source it. # NOTE: EASYRSA_PKI is never set here, @@ -5633,7 +5633,7 @@ vars_setup() { # Program dir prog_dir="${0%/*}" - verbose "vars_setup: prog_dir=$prog_dir" + verbose "setup_vars: prog_dir = $prog_dir" # If prog_dir is PWD then do not check prog_vars if [ "$prog_dir" = . ] || [ "$prog_dir" = "$PWD" ] @@ -5667,7 +5667,7 @@ vars_setup() { found_vars="$(( e_pwd_vars + e_prog_vars + e_pki_vars ))" - verbose "vars_setup: found_vars = '$found_vars'" + verbose "setup_vars: found_vars = '$found_vars'" # If found_vars greater than 1 # then output user info 
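Review bot: The new directory check reuses the text `Missing vars file:`, so a user who passes `--vars=./` is told the file is missing when the actual problem is that the path is a directory. A distinct message makes the failure obvious: `[ -d "$vars" ] && die "vars must be a file, not a directory: $vars"`. Since the path is sourced afterwards, `[ -f "$vars" ]` in place of the `-d`/`-e` pair would also reject other non-regular paths; confirm first that no supported use passes a non-regular file. The enclosing `else` branch continues outside the hunk.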
@@ -5728,7 +5728,10 @@ or remove the 'vars' files which are not in use.${NL}" unset -v prog_vars pwd_vars easy_vars pki_vars # END: Find vars fi +} # => setup_vars() +# Source vars file and set defaults +source_vars() { # If EASYRSA_NO_VARS is defined then do not use vars # If PKI is not required then located vars files are # not required @@ -5871,8 +5874,8 @@ Algorithm '$EASYRSA_ALGO' is invalid: Must be 'rsa', 'ec' or 'ed'" if [ "$require_pki" ]; then prefer_vars_in_pki_msg fi - verbose "vars_setup: COMPLETED" -} # => vars_setup() + verbose "source_vars: COMPLETED" +} # => source_vars() # Verify working environment verify_working_env() { @@ -7272,8 +7275,11 @@ case "$cmd" in esac esac -# Intelligent env-var detection and auto-loading: -vars_setup +# Determine which vars file to use +setup_vars + +# Source the vars file +source_vars # Check for conflicting input options mutual_exclusions From b9914c6c1ce723c549ca9d2dd4cc2ed1c6be70e9 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 5 Sep 2023 00:01:23 +0100 Subject: [PATCH 12/21] Repurpose prefer_vars_in_pki_msg() to "warn against vars in PKI" Use the same logic as "prefer vars in pki" but change the message to "warn against vars in the pki". Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 46 ++++++++++++++++++++-------------------------- 1 file changed, 20 insertions(+), 26 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 3c74a75e9..430bc5f8d 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -94,9 +94,9 @@ DIRECTORY STATUS (commands would take effect on these locations) x509-types: ${EASYRSA_EXT_DIR:-Missing or undefined} $CA_status" - # if the vars file in use is not in the PKI - # and not user defined then Show the messages - prefer_vars_in_pki_msg + # if the vars file in use is in the PKI + # and not user defined then Show the message + vars_in_pki_msg } # => usage() # Detailed command help 
@@ -1308,7 +1308,7 @@ and initialize a fresh PKI here." # If vars was in the old pki, it has been removed # If vars was somewhere else, it is user defined # Clear found_vars, we MUST not find pki/vars - [ "$vars_in_pki" ] && unset -v found_vars + unset -v vars_in_pki found_vars ;; soft) # There is no unit test for a soft reset @@ -1354,13 +1354,12 @@ Your newly created PKI dir is: # Installation information # if $no_new_vars then there are one or more known vars - # which are not in the PKI. All further commands will fail - # until vars is manually corrected + # which are not in the PKI if [ "$no_new_vars" ]; then warn "\ A vars file has not been created in your new PKI because conflicting vars files have been found elsewhere." - prefer_vars_in_pki_msg + vars_in_pki_msg else information " Using Easy-RSA configuration: @@ -1376,30 +1375,26 @@ IMPORTANT: To use a global vars file, use global option --vars=" else - prefer_vars_in_pki_msg + vars_in_pki_msg fi verbose "\ init_pki: x509-types dir ${EASYRSA_EXT_DIR:-Not found}" } # => init_pki() # Must be used in two places, so made it a function -prefer_vars_in_pki_msg() { - if [ "$vars_in_pki" ] || [ "$user_vars_true" ] || - [ "$EASYRSA_NO_VARS" ] +vars_in_pki_msg() { + [ "$vars_in_pki" ] || return 0 + if [ "$user_vars_true" ] || [ "$EASYRSA_NO_VARS" ] then return fi - # disable this until v3.2-ish - verbose "prefer_vars_in_pki_msg: DISABLED" - return 0 - information " IMPORTANT: - The preferred location for 'vars' is within the PKI folder. - To silence this message move your 'vars' file to your PKI + Do NOT keep your 'vars' within your PKI directory. + To silence this message, move your 'vars' file out of your PKI or declare your 'vars' file with option: --vars=" -} # => prefer_vars_in_pki_msg() +} # => vars_in_pki_msg() # Copy data-files from various sources install_data_to_pki() { 
@@ -5661,7 +5656,8 @@ setup_vars() { [ -e "$prog_vars" ] && e_prog_vars=1 # PKI location, if present: - [ -e "$pki_vars" ] && e_pki_vars=1 + [ -e "$pki_vars" ] && e_pki_vars=1 && \ + vars_in_pki=1 # Count found vars files found_vars="$(( @@ -5684,7 +5680,6 @@ setup_vars() { vars="$prog_vars" elif [ "$e_pki_vars" ]; then vars="$pki_vars" - vars_in_pki=1 else # This cannot happen die "Detecting vars file failed!" @@ -5713,16 +5708,15 @@ or remove the 'vars' files which are not in use.${NL}" vars="$prog_vars" elif [ "$e_pki_vars" ]; then vars="$pki_vars" - vars_in_pki=1 else # This cannot happen die "Detecting vars file failed!" fi - esac - # Show selected vars - print " * Selected vars: $vars" - [ "$EASYRSA_VERBOSE" ] && print + # Show selected vars + print " * Selected vars: $vars" + [ "$EASYRSA_VERBOSE" ] && print + esac # Clean up unset -v prog_vars pwd_vars easy_vars pki_vars @@ -5872,7 +5866,7 @@ Algorithm '$EASYRSA_ALGO' is invalid: Must be 'rsa', 'ec' or 'ed'" # if the vars file in use is not in the PKI # and not user defined then Show the messages if [ "$require_pki" ]; then - prefer_vars_in_pki_msg + vars_in_pki_msg fi verbose "source_vars: COMPLETED" } # => source_vars() From 92a6341d47395fa8b90097d8c3bdedac78473702 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 5 Sep 2023 00:47:25 +0100 Subject: [PATCH 13/21] Add explicit confirmation for default 'pki/vars' setting a different PKI If the default 'pki/vars' exists and sets EASYRSA_PKI to a different PKI, anything other than "$PWD/pki", then issue a warning with an explicit user confirmation to proceed with this invalid configuration. This is a left-over by-product of trying to move the vars file to the PKI. Problem: 'pki/vars' sets EASYRSA_PKI to a different PKI. Conclusion: Easy-RSA v3.1.7 does NOT support a vars file in the PKI. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 46 +++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 45 insertions(+), 1 deletion(-) 
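Review bot: In `setup_vars`, `vars_in_pki=1` is now set whenever `pki/vars` exists rather than when it is the file selected, so `vars_in_pki_msg` will also print when `$PWD/vars` or the program-dir file wins the priority order. If that is intended, the comments should say so: the context comment in `source_vars` still reads `# if the vars file in use is not in the PKI`, which is the opposite of the new condition, and the comment added in `usage()` says "in use" as well. Suggested wording for both: `# If a 'vars' file exists in the PKI and none was user-defined, show the warning`.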
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 430bc5f8d..a0e729895 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1389,6 +1389,13 @@ vars_in_pki_msg() { return fi + # Resolve setting EASYRSA_PKI in vars file + # when vars file is default 'pki/vars' + # and potentially points to a different PKI. + # Once resolved, a user set PKI will over-rule + # a vars setting and this message can be disabled + #return + information " IMPORTANT: Do NOT keep your 'vars' within your PKI directory. @@ -5656,8 +5663,10 @@ setup_vars() { [ -e "$prog_vars" ] && e_prog_vars=1 # PKI location, if present: - [ -e "$pki_vars" ] && e_pki_vars=1 && \ + if [ -e "$pki_vars" ]; then + e_pki_vars=1 vars_in_pki=1 + fi # Count found vars files found_vars="$(( @@ -5680,6 +5689,9 @@ setup_vars() { vars="$prog_vars" elif [ "$e_pki_vars" ]; then vars="$pki_vars" + # Set expected_pki + # to stop vars changing EASYRSA_PKI + expected_pki="${pki_vars%/*}" else # This cannot happen die "Detecting vars file failed!" @@ -5708,6 +5720,9 @@ or remove the 'vars' files which are not in use.${NL}" vars="$prog_vars" elif [ "$e_pki_vars" ]; then vars="$pki_vars" + # Set expected_pki + # to stop vars changing EASYRSA_PKI + expected_pki="${pki_vars%/*}" else # This cannot happen die "Detecting vars file failed!" 
@@ -5863,6 +5878,34 @@ Algorithm '$EASYRSA_ALGO' is invalid: Must be 'rsa', 'ec' or 'ed'" set_var EASYRSA_MAX_TEMP 4 + # expected_pki is set when default 'pki/vars' is used + # This blocks pki/vars changing EASYRSA_PKI + if [ "$expected_pki" ] # && [ "$require_pki" ] + then + if [ "$expected_pki" = "$EASYRSA_PKI" ] + then + : # ok + else + # Show warning + warn "\ +'EASYRSA_PKI' is set incorrectly in the 'vars' file. + + This vars file: + * $vars + + Uses this PKI: + * $EASYRSA_PKI" + + # Require user consent to continue + confirm "\ + Continue with invalid configuration ? " yes " + 'vars' configuration for 'EASYRSA_PKI' is invalid." + + verbose "\ +source_vars: Invalid PKI accepted for EASYRSA_PKI" + fi + fi + # if the vars file in use is not in the PKI # and not user defined then Show the messages if [ "$require_pki" ]; then @@ -7018,6 +7061,7 @@ detect_host # Initialisation requirements unset -v \ + expected_pki \ verify_ssl_lib_ok \ secured_session \ working_safe_ssl_conf working_safe_org_conf \ From a68edb356860769ae8343b1102a0f717fddbb724 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 5 Sep 2023 01:26:22 +0100 Subject: [PATCH 14/21] ChangeLog: Retract "preference for vars in the PKI" Signed-off-by: Richard T Bonhomme --- ChangeLog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index 96cbd5271..d904e13a0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,8 @@ Easy-RSA 3 ChangeLog 3.2.0 (TBD) 3.1.7 (ETA 2023-10-13) + * Guard against default 'pki/vars' setting a different PKI (#1014) + * Retract preference for 'vars' file to exist in the PKI (#1014) * Disable all code which requests vars in PKI (#1014) * Update OpenSSL to 3.1.2 From bb1adae5856b6885cb4fbaf04b7305decad8566a Mon Sep 17 00:00:00 2001 
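Review bot: The guard in `source_vars` compares `"$expected_pki" = "$EASYRSA_PKI"` as plain strings, so a 'vars' file that names the same directory with a trailing slash or another spelling of the path would be reported as pointing at a different PKI. The check also appears to run only after the file has been sourced, so it detects a misconfiguration but cannot constrain what the file already did; a comment such as `# Sanity check only: vars has already been sourced at this point` would keep that clear. `confirm` is used to let the run continue; if `confirm` auto-accepts in batch mode (not visible here), unattended runs would proceed against the other PKI without anyone reading the warning. The leftover `# && [ "$require_pki" ]` fragment on the `if` line should be either applied or removed.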
From: Richard T Bonhomme Date: Tue, 5 Sep 2023 19:55:59 +0100 Subject: [PATCH 15/21] source_vars: FATAL error when default 'pki/vars' sets a different PKI Previously, this was a warning and confirmation to continue. Changed to, NEVER allow this invalid configuration. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index a0e729895..0d991a9fc 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -5887,22 +5887,16 @@ Algorithm '$EASYRSA_ALGO' is invalid: Must be 'rsa', 'ec' or 'ed'" : # ok else # Show warning - warn "\ + user_error "\ 'EASYRSA_PKI' is set incorrectly in the 'vars' file. This vars file: * $vars Uses this PKI: - * $EASYRSA_PKI" + * $EASYRSA_PKI - # Require user consent to continue - confirm "\ - Continue with invalid configuration ? " yes " - 'vars' configuration for 'EASYRSA_PKI' is invalid." - - verbose "\ -source_vars: Invalid PKI accepted for EASYRSA_PKI" +Cannot continue with invalid configuration." fi fi From fab09e669aa5eb2739500fd59c156753b343a33f Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 5 Sep 2023 20:11:13 +0100 Subject: [PATCH 16/21] init-pki: Remove unnecessary user information concerning vars Remove second warning on hard-reset which promotes soft-reset, soft-reset will be removed. Remove information concerning 'vars' file. 'init-pki' does not create a 'vars' file in the PKI, therefore, the information is no longer relevant. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 33 --------------------------------- 1 file changed, 33 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 0d991a9fc..8b435e297 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
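Review bot: The context comment `# Show warning` now sits directly above a fatal `user_error`, so it describes the behaviour this commit removes. Replace it with something like `# Fatal: default 'pki/vars' must not redirect EASYRSA_PKI`. The message would also be easier to act on if it printed the expected directory next to the one found, e.g. a line `Expected PKI: $expected_pki` alongside the existing `$EASYRSA_PKI` line.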
@@ -1293,14 +1293,6 @@ and initialize a fresh PKI here." # now remove it: case "$reset" in hard) - # Promote use of soft init -# confirm "Completely remove current PKI ? " yes "\ -#* SECOND WARNING!!! -# -#* This will remove everything in your current PKI directory. -# To keep your current settings use 'init-pki soft' instead. -# Using 'init-pki soft' is recommended." - # # # shellcheck disable=SC2115 # Use "${var:?}" rm -rf "$EASYRSA_PKI" || \ die "init-pki hard reset failed." @@ -1352,31 +1344,6 @@ Failed to install required data-files to PKI. (init)" Your newly created PKI dir is: * $EASYRSA_PKI" - # Installation information - # if $no_new_vars then there are one or more known vars - # which are not in the PKI - if [ "$no_new_vars" ]; then - warn "\ -A vars file has not been created in your new PKI because -conflicting vars files have been found elsewhere." - vars_in_pki_msg - else - information " -Using Easy-RSA configuration: -* ${vars:-undefined}" - fi - - # For new PKIs , pki/vars was auto-created, show message - if [ "$new_vars_true" ]; then - information " -IMPORTANT: - Easy-RSA 'vars' template file has been created in your new PKI. - Edit this 'vars' file to customise the settings for your PKI. - To use a global vars file, use global option --vars=" - - else - vars_in_pki_msg - fi verbose "\ init_pki: x509-types dir ${EASYRSA_EXT_DIR:-Not found}" } # => init_pki() From 0e53ae13604b03c41a9349f2d2862c807ca7f666 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 5 Sep 2023 20:23:25 +0100 Subject: [PATCH 17/21] install_data_to_pki() init-pki: Remove code to create a 'pki/vars' file Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 32 +------------------------------- 1 file changed, 1 insertion(+), 31 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 8b435e297..9035b2094 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
@@ -1385,8 +1385,6 @@ install_data_to_pki() { shift # Set required sources - vars_file='vars' - vars_file_example='vars.example' ssl_cnf_file='openssl-easyrsa.cnf' x509_types_dir='x509-types' @@ -1461,35 +1459,7 @@ install_data_to_pki $context: Not creating pki/vars" else case "$context" in init-pki) - # ALWAYS Disable creating a vars file - if : - then - verbose "\ -install_data_to_pki $context: New vars DISABLED" - else - # Only create for 'init-pki', if one does not exist - # 'init-pki soft' should have it's own 'vars' file - if [ -e "${EASYRSA_PKI}/${vars_file_example}" ] && \ - [ ! -e "${EASYRSA_PKI}/${vars_file}" ] - then - # Failure means that no vars will exist and - # 'cp' will generate an error message - # This is not a fatal error - if cp "${EASYRSA_PKI}/${vars_file_example}" \ - "${EASYRSA_PKI}/${vars_file}" - then - new_vars_true=1 - vars="${EASYRSA_PKI}/${vars_file}" - verbose "\ -install_data_to_pki $context: vars = '$vars'" - else - unset -v new_vars_true vars - warn "\ -install_data_to_pki $context: Failed to install vars file" - fi - fi - fi - ;; + : ;; # No change to current 'vars' required vars-setup) : ;; # No change to current 'vars' required x509-types-only) From 6f88df35b4633d67f6222f8ea5ec63731d84de89 Mon Sep 17 00:00:00 2001 
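Review bot: In the second hunk the `init-pki)` arm is reduced to `: ;; # No change to current 'vars' required`, which makes it identical to the `vars-setup)` arm right below it. The two can be written once as `init-pki|vars-setup) : ;; # No change to current 'vars' required`. The `verbose` text just before the `else` still reads "Not creating pki/vars", as if the other branch did create one; that wording looks stale now, though the enclosing `if` begins outside the hunk.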
From: Richard T Bonhomme Date: Wed, 6 Sep 2023 19:54:36 +0100 Subject: [PATCH 18/21] Insert required errors and warning to control vars location Error-1: For multiple vars files when 'pki/vars' is true. Not thrown for multiple vars if 'pki/vars' is not true. When multiple vars are found one is selected based on priority. Priority is: "$PWD/vars" (default); Program folder; 'pki/vars' Not thrown if user specifies 'vars' by either specifying * EASYRSA, can only be set externally. * --vars=, user set vars is respected. Error-2: When the default 'pki/vars' sets EASYRSA_PKI, causing the PKI to be changed during setup proceedure. This is a rare error but must be caught, otherwise it is very easy to use 'init-pki' to remove the wrong PKI. Warning: When 'pki/vars' is true. After completing any command, this warning will be issued, if the sourced 'vars' file is in the default 'pki' AND if the user did not specifically select a vars file. Allow commands 'version', 'upgrade' and 'show-host' to complete without using any 'vars' file. Upgrade warning to error for 'export' or 'unset' used in the 'vars' file. Downgrade die to user_error for simple 'vars' file problems. Signed-off-by: Richard T Bonhomme --- ChangeLog | 1 + easyrsa3/easyrsa | 71 +++++++++++++++++++++++++++++------------------- 2 files changed, 44 insertions(+), 28 deletions(-) diff --git a/ChangeLog b/ChangeLog index d904e13a0..0c96341f8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,7 @@ Easy-RSA 3 ChangeLog 3.2.0 (TBD) 3.1.7 (ETA 2023-10-13) + * Insert required errors and warning to control vars location (#1014) * Guard against default 'pki/vars' setting a different PKI (#1014) * Retract preference for 'vars' file to exist in the PKI (#1014) * Disable all code which requests vars in PKI (#1014) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 9035b2094..e5ffe50f1 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
@@ -93,10 +93,6 @@ DIRECTORY STATUS (commands would take effect on these locations) vars-file: $vars_status x509-types: ${EASYRSA_EXT_DIR:-Missing or undefined} $CA_status" - - # if the vars file in use is in the PKI - # and not user defined then Show the message - vars_in_pki_msg } # => usage() # Detailed command help @@ -875,6 +871,10 @@ Temporary session not preserved." *) warn "prompt_restore: '$prompt_restore'" esac + # if the vars file in use is in the PKI + # and not user defined then Show the message + vars_in_pki_msg + # Get a clean line [ "$EASYRSA_SILENT" ] || print @@ -892,7 +892,7 @@ Temporary session not preserved." # Exit: SIGINT if [ "$1" = 2 ]; then - verbose "exit SIGINT = true" + verbose "Exit: SIGINT = true" kill -2 "$$" fi @@ -5599,10 +5599,30 @@ setup_vars() { # Program location: [ -e "$prog_vars" ] && e_prog_vars=1 - # PKI location, if present: + # PKI location, least desirable: if [ -e "$pki_vars" ]; then e_pki_vars=1 vars_in_pki=1 + + # Conflicting vars: + if [ "$e_pwd_vars" ] || [ "$e_prog_vars" ] + then + user_error "\ +There is a 'vars' file located inside the default PKI. +This 'vars' file must be moved to the working directory. + + 'vars' file: + * $pki_vars + + PKI directory: + * ${pki_vars%/vars} + + Working directory: + * $PWD + + Info: + * https://github.com/OpenVPN/easy-rsa/issues/1009" + fi fi # Count found vars files @@ -5698,12 +5718,12 @@ No Easy-RSA 'vars' configuration file exists." # If a vars file was located then source it else # 'vars' MUST not be a directory - [ -d "$vars" ] && die "\ + [ -d "$vars" ] && user_error "\ Missing vars file: * $vars" # 'vars' now MUST exist - [ -e "$vars" ] || die "\ + [ -e "$vars" ] || user_error "\ Missing vars file: * $vars" @@ -5736,7 +5756,7 @@ Please, correct these errors and try again." -e '[[:blank:]]unset[[:blank:]]*' \ "$vars" then - warn "\ + user_error "\ One or more of these problems has been found in your 'vars' file: * Use of 'export': 
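Review bot: The message added in the setup_vars hunk tells the user that the 'vars' file inside the PKI "must be moved to the working directory", yet the error is raised only when `$e_pwd_vars` or `$e_prog_vars` is set, that is, when another vars file has already been found. If the other file is the one in the working directory (presumably what `e_pwd_vars` records), following the advice overwrites it. The text should ask for the conflict to be resolved instead, e.g. `Remove this 'vars' file, or merge its settings into the 'vars' file that is to be used.`, and could also print the path of the conflicting file. setup_vars begins and ends outside the hunk.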
@@ -5815,33 +5835,26 @@ Algorithm '$EASYRSA_ALGO' is invalid: Must be 'rsa', 'ec' or 'ed'" set_var EASYRSA_MAX_TEMP 4 + # https://github.com/OpenVPN/easy-rsa/issues/1009 # expected_pki is set when default 'pki/vars' is used - # This blocks pki/vars changing EASYRSA_PKI - if [ "$expected_pki" ] # && [ "$require_pki" ] - then - if [ "$expected_pki" = "$EASYRSA_PKI" ] - then + # This blocks pki/vars UNEXPECTEDLY changing EASYRSA_PKI + if [ "$expected_pki" ]; then + if [ "$expected_pki" = "$EASYRSA_PKI" ]; then : # ok else - # Show warning user_error "\ -'EASYRSA_PKI' is set incorrectly in the 'vars' file. +'EASYRSA_PKI' is set incorrectly in the default 'vars' file. - This vars file: + The default pki/vars file: * $vars - Uses this PKI: + Uses a different PKI: * $EASYRSA_PKI Cannot continue with invalid configuration." fi fi - # if the vars file in use is not in the PKI - # and not user defined then Show the messages - if [ "$require_pki" ]; then - vars_in_pki_msg - fi verbose "source_vars: COMPLETED" } # => source_vars() @@ -5894,7 +5907,7 @@ verify_working_env - install_data_to_pki vars-setup failed" # Last setup msg information " Using SSL: -* $EASYRSA_OPENSSL $ssl_version" +* $EASYRSA_OPENSSL $ssl_version${NL}" else # The directory does not exist @@ -7226,10 +7239,12 @@ cmd="$1" # Establish PKI and CA initialisation requirements # This avoids unnecessary warnings and notices case "$cmd" in - init-pki|clean-all|\ - help|-h|--help|--usage|\ - show-host|\ - version|upgrade|'') + version|upgrade|show-host) + unset -v require_pki require_ca + EASYRSA_NO_VARS=1 + ;; + help|-h|--help|--usage|''| \ + init-pki|clean-all) unset -v require_pki require_ca ;; *) From d2c25deb8388018c030ded0dff332e04add214e6 Mon Sep 17 00:00:00 2001 
From: Richard T Bonhomme Date: Tue, 12 Sep 2023 00:31:12 +0100 Subject: [PATCH 19/21] source_vars(): Forbid 'pki/vars' setting PKI for command 'init-pki' Forbid default 'pki/vars', if it exists, from setting EASYRSA_PKI to any other value except "$PWD/pki", for command 'init-pki'. When 'init-pki' is called with all default options then it will load a dafault 'pki/vars' file, if it exists. This EXPECTS the PKI to be 'pki' ONLY. For 'init-pki'; This 'pki/vars' file MUST NOT be allowed to set EASYRSA_PKI. This MUST include setting EASYRSA_PKI to 'pki'. Otherwise, this allows default command 'init-pki' to delete a non-default PKI. This change also forbids using command line settings for --vars and --pki-dir, to set the expected vars file or PKI, when a default 'pki/vars' exists AND changes the expected PKI, to anything other than "$PWD/pki". Example of the problem: If 'easyrsa' is executed with all default settings then the expected value for EASYRSA_PKI is "$PWD/pki" and if 'pki/vars' file exists, it IS loaded. If 'pki/vars' sets EASYRSA_PKI to a different PKI, 'bad-pki', then this would allow 'init-pki' to delete 'bad-pki' not 'pki'. For the record: All of these changes have been extensively tested. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index e5ffe50f1..4f4115c53 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -5781,6 +5781,15 @@ Remove 'unset' ('force_set_var' may also work)." unset -v EASYRSA_CALLER fi + # Set expected PKI to determine if vars has changed PKI + # Required for init-pki + case "$cmd" in + init-pki|clean-all) + expected_pki="${expected_pki:-"$PWD/pki"}" + ;; + *) : # ok + esac + # Set defaults, preferring existing env-vars if present set_var EASYRSA "$PWD" set_var EASYRSA_OPENSSL openssl From dc15f35ff31087b4929e9720f4ebec4ddf360a32 Mon Sep 17 00:00:00 2001 
From: Richard T Bonhomme Date: Tue, 12 Sep 2023 18:30:10 +0100 Subject: [PATCH 20/21] source_vars(): 'init-pki', prioritise USER set EASYRSA_PKI and EASYRSA When souring 'vars' file, allow user set EASYRSA_PKI and EASYRSA to take priority over default settings. This will still error out when default 'pki/vars' sets EASYRSA_PKI to a non-default PKI. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 4f4115c53..a59b32277 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -5785,7 +5785,13 @@ Remove 'unset' ('force_set_var' may also work)." # Required for init-pki case "$cmd" in init-pki|clean-all) - expected_pki="${expected_pki:-"$PWD/pki"}" + if [ "$EASYRSA_PKI" ]; then + expected_pki="${expected_pki:-"$EASYRSA_PKI"}" + elif [ "$EASYRSA" ]; then + expected_pki="${expected_pki:-"$EASYRSA/pki"}" + else + expected_pki="${expected_pki:-"$PWD/pki"}" + fi ;; *) : # ok esac From 0c8fd82f941ae00708ec1639b0d5fd2299ea392f Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Wed, 13 Sep 2023 20:56:18 +0100 Subject: [PATCH 21/21] Move "Setup: catch vars file changing PKI unexpectedly" This setup assigns values for '$expected_pki' to before sourcing the vars file. This prioritises command line options above 'vars' file assignments. Minor improvement to error message given when subshell testing of sourcing 'vars' fails. On user_error(), exit_with_error via cleanup(). Minor improvements to error and verbose messages. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 65 +++++++++++++++++++++++++++++------------------- 1 file changed, 40 insertions(+), 25 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index a59b32277..72d2c9f0a 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -607,7 +607,8 @@ EasyRSA version $EASYRSA_version Error ----- $1" - exit 1 + easyrsa_exit_with_error=1 + cleanup } # => user_error() # verbose information 
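Review bot: In the user_error hunk, `exit 1` is replaced by `easyrsa_exit_with_error=1` followed by `cleanup`, so whether user_error still terminates the program now depends on every path through `cleanup`, whose body is outside this hunk. user_error is what stops the run when the vars file changes EASYRSA_PKI, and init-pki later runs `rm -rf "$EASYRSA_PKI"`, so this function must never return to its caller. Keeping a final line `exit 1 # not reached when cleanup exits` after `cleanup` makes that fail closed.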
@@ -5604,7 +5605,7 @@ setup_vars() { e_pki_vars=1 vars_in_pki=1 - # Conflicting vars: + # Conflicting default pki/vars: if [ "$e_pwd_vars" ] || [ "$e_prog_vars" ] then user_error "\ @@ -5702,7 +5703,7 @@ source_vars() { # If PKI is not required then located vars files are # not required if [ "$EASYRSA_NO_VARS" ]; then - : # ok + verbose "source_vars: Explicit NO vars" # $vars remains undefined .. no vars found # 'install_data_to_pki vars-setup' will NOT @@ -5712,7 +5713,7 @@ source_vars() { # For init-pki, version and help, skip this if [ "$require_pki" ]; then information "\ -No Easy-RSA 'vars' configuration file exists." +No Easy-RSA 'vars' configuration file exists.${NL}" fi # If a vars file was located then source it @@ -5730,7 +5731,19 @@ Missing vars file: # Show the vars file in use [ "$require_pki" ] && information "\ Using Easy-RSA 'vars' configuration: -* $vars" +* $vars${NL}" + + # Setup: catch vars file changing PKI unexpectedly + if [ "$EASYRSA_PKI" ]; then + expected_pki="${expected_pki:-"$EASYRSA_PKI"}" + elif [ "$EASYRSA" ]; then + expected_pki="${expected_pki:-"$EASYRSA/pki"}" + elif [ "$user_vars_true" ]; then + expected_pki= + else + expected_pki="${expected_pki:-"$PWD/pki"}" + fi + verbose "source_vars: expected_pki=$expected_pki" # Sanitize vars if grep -q \ 
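Review bot: In the "Setup: catch vars file changing PKI unexpectedly" block, `$user_vars_true` is tested only after `$EASYRSA_PKI` and `$EASYRSA`, so the branch that clears `expected_pki` and thereby skips the guard is reached only when neither of those is set. If that order is intended, a comment should say so, e.g. `# guard is skipped for user-selected vars only when neither EASYRSA_PKI nor EASYRSA was given`. The block also sets `expected_pki` for every located vars file, while the error text in the @@ -5855 hunk still says "'EASYRSA_PKI' is set incorrectly in the default 'vars' file"; that wording should become "the 'vars' file in use". source_vars begins and ends outside the hunk.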
@@ -5772,30 +5785,26 @@ Remove 'unset' ('force_set_var' may also work)." # Test sourcing 'vars' in a subshell # shellcheck disable=1090 # can't follow .. vars - ( . "$vars" ) || \ - die "Failed to source the vars file." + if ( . "$vars" ); then + : # ok + else + if [ "$vars" = "${vars%/*}" ]; then + user_error "\ +Failed to source the vars file: '$vars' +Perhaps you need to specify the PATH. eg: './$vars'" + else + die "\ +Failed to source the vars file: '$vars' +The error above may have more information." + fi + fi # Source 'vars' now # shellcheck disable=1090 # can't follow .. vars - . "$vars" 2>/dev/null + . "$vars" unset -v EASYRSA_CALLER fi - # Set expected PKI to determine if vars has changed PKI - # Required for init-pki - case "$cmd" in - init-pki|clean-all) - if [ "$EASYRSA_PKI" ]; then - expected_pki="${expected_pki:-"$EASYRSA_PKI"}" - elif [ "$EASYRSA" ]; then - expected_pki="${expected_pki:-"$EASYRSA/pki"}" - else - expected_pki="${expected_pki:-"$PWD/pki"}" - fi - ;; - *) : # ok - esac - # Set defaults, preferring existing env-vars if present set_var EASYRSA "$PWD" set_var EASYRSA_OPENSSL openssl @@ -5855,7 +5864,7 @@ Algorithm '$EASYRSA_ALGO' is invalid: Must be 'rsa', 'ec' or 'ed'" # This blocks pki/vars UNEXPECTEDLY changing EASYRSA_PKI if [ "$expected_pki" ]; then if [ "$expected_pki" = "$EASYRSA_PKI" ]; then - : # ok + verbose "source_vars: expected_pki OK" else user_error "\ 'EASYRSA_PKI' is set incorrectly in the default 'vars' file. @@ -5866,8 +5875,13 @@ Algorithm '$EASYRSA_ALGO' is invalid: Must be 'rsa', 'ec' or 'ed'" Uses a different PKI: * $EASYRSA_PKI + Expected PKI to be: + * $expected_pki + Cannot continue with invalid configuration." fi + else + verbose "source_vars: expected_pki NOT defined" fi verbose "source_vars: COMPLETED" 
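Review bot: After the first hunk the vars file is executed twice, once in the `( . "$vars" )` test subshell and once in the current shell, and the second run no longer discards stderr. Every command in that file therefore runs twice with the caller's privileges, and according to the series description the file may have been picked up automatically from the working directory rather than named by the user. A comment above the test would make the trust assumption explicit, e.g. `# 'vars' is executed as shell code (twice): it must be writable only by the CA operator`. The new `[ "$vars" = "${vars%/*}" ]` test deserves `# true when $vars contains no '/'`, since the idiom is easy to misread.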
@@ -5920,7 +5934,8 @@ verify_working_env - install_data_to_pki vars-setup failed" fi # Last setup msg - information " + [ "$EASYRSA_VERBOSE" ] && print + information "\ Using SSL: * $EASYRSA_OPENSSL $ssl_version${NL}"