Forbid "default vars in the default PKI" for all commands #1021

Merged
merged 8 commits into from
Sep 15, 2023
5 changes: 4 additions & 1 deletion ChangeLog
@@ -1,7 +1,10 @@
Easy-RSA 3 ChangeLog

3.2.0 (TBD)
* Update OpenSSL to 3.1.6
* Forbid "default vars in the default PKI" for all commands #1021
There can be only one default vars file, that is now './vars' ONLY.
Use of other 'vars' files can be done by using option --vars=<FILE>
* Update OpenSSL to 3.1.2

3.1.6 (2023-07-18)
* New commands: 'inline' and 'x509-eku' (#993)
93 changes: 48 additions & 45 deletions easyrsa3/easyrsa
@@ -611,7 +611,8 @@ EasyRSA version $EASYRSA_version
Error
-----
$1"
exit 1
easyrsa_exit_with_error=1
cleanup
} # => user_error()

# verbose information
@@ -885,6 +886,7 @@ Temporary session not preserved."
# -> confirm(): aborted
# -> verify_cert(): verify failed --batch mode
# -> check_serial_unique(): not unique --batch mode
# -> user_error(): User errors but not die()
if [ "$easyrsa_exit_with_error" ]; then
verbose "Exit: Known errors = true"
exit 1
@@ -1293,15 +1295,6 @@ and initialize a fresh PKI here."
# now remove it:
case "$reset" in
hard)

# Promote use of soft init
confirm "Remove current 'vars' file? " yes "\
* SECOND WARNING!!!

* This will remove everything in your current PKI directory.
To keep your current settings use 'init-pki soft' instead.
Using 'init-pki soft' is recommended."

# # # shellcheck disable=SC2115 # Use "${var:?}"
rm -rf "$EASYRSA_PKI" || \
die "init-pki hard reset failed."
@@ -1390,6 +1383,9 @@ prefer_vars_in_pki_msg() {
return
fi

# Never show this message
return

information "
IMPORTANT:
The preferred location for 'vars' is within the PKI folder.
@@ -1451,8 +1447,8 @@ install_data_to_pki() {
EASYRSA_EXT_DIR "${area}/${x509_types_dir}"

# Find other files - Omitting "$vars_file"
# shellcheck disable=2066 # Loop will only run once
for source in \
"$vars_file_example" \
"$ssl_cnf_file" \
# EOL
do
@@ -1477,16 +1473,6 @@ install_data_to_pki: $context - COMPLETED"
return
fi

# Always require a pki/vars.example file
if [ -e "$EASYRSA_PKI/vars.example" ];then
: # ok
else
create_vars_example > "$EASYRSA_PKI/vars.example" || \
die "install_data_to_pki - create_vars_example FAILED"
verbose "\
install_data_to_pki: $context - create_vars_example OK"
fi

# Create PKI/vars from PKI/example
unset -v new_vars_true
if [ "$found_vars" = 1 ] || [ "$user_vars_true" ] || \
@@ -5600,10 +5586,10 @@ vars_setup() {
# Find vars
# Explicit user defined vars file:
if [ "$EASYRSA_NO_VARS" ]; then
# User set vars turns off pki/var warning
user_vars_true=1
# Found exactly zero vars files
found_vars=0
warn "\
EASYRSA_NO_VARS is enabled, not using a 'vars' file.${NL}"

elif [ "$EASYRSA_VARS_FILE" ]; then
if [ -e "$EASYRSA_VARS_FILE" ]; then
@@ -5637,7 +5623,6 @@ The 'vars' file was not found:

# set up PKI path vars - Top preference
pki_vars="${EASYRSA_PKI:-$PWD/pki}/vars"
expected_pki_vars="$pki_vars"

# Some other place vars, out of scope.
if [ "$EASYRSA" ]; then
@@ -5691,24 +5676,31 @@ The 'vars' file was not found:
[ "$e_prog_vars" ] && vars="$prog_vars"
[ "$e_pwd_vars" ] && vars="$pwd_vars"
[ "$e_easy_vars" ] && vars="$easy_vars"
[ "$e_pki_vars" ] && \
vars="$pki_vars" && vars_in_pki=1
: # Wipe error status
if [ "$e_pki_vars" ]; then
vars="$pki_vars"
vars_in_pki=1
user_error "\
Use of a default 'vars' file in the default PKI is prohibited.
Please move the 'pki/vars' file to the working directory:
* ${pwd_vars%/vars}/"
fi
;;
*)
[ "$e_pki_vars" ] && print "Found: $pki_vars"
[ "$e_easy_vars" ] && print "Found: $easy_vars"
[ "$e_pwd_vars" ] && print "Found: $pwd_vars"
[ "$e_prog_vars" ] && print "Found: $prog_vars"
[ "$e_pki_vars" ] && \
found_msg="${NL} * Found: $pki_vars"
[ "$e_easy_vars" ] && \
found_msg="${found_msg}${NL} * Found: $easy_vars"
[ "$e_pwd_vars" ] && \
found_msg="${found_msg}${NL} * Found: $pwd_vars"
[ "$e_prog_vars" ] && \
found_msg="${found_msg}${NL} * Found: $prog_vars"

# For init-pki, version and help, skip this
if [ "$require_pki" ]; then
user_error "\
Conflicting 'vars' files found.
user_error "\
Conflicting 'vars' files found:
$found_msg

Priority should be given to your PKI vars file:
* $expected_pki_vars"
fi
Priority should be given to this vars file:
* $pwd_vars"

# For init-pki, pki/vars will be deleted
# However, another vars file exists
@@ -5729,7 +5721,7 @@ Priority should be given to your PKI vars file:
# If PKI is not required then located vars files are
# not required
if [ "$EASYRSA_NO_VARS" ]; then
: # ok
verbose "vars_setup: EASYRSA_NO_VARS enabled"

# $vars remains undefined .. no vars found
# 'install_data_to_pki vars-setup' will NOT
@@ -5738,14 +5730,19 @@ Priority should be given to your PKI vars file:
# If PKI is required then warn
# For init-pki, version and help, skip this
if [ "$require_pki" ]; then
warn "\
information "\
No Easy-RSA 'vars' configuration file exists!"
fi

# If a vars file was located then source it
else
# 'vars' MUST not be a directory
[ -d "$vars" ] && user_error "\
Missing vars file:
* $vars"

# 'vars' now MUST exist
[ -e "$vars" ] || die "\
[ -e "$vars" ] || user_error "\
Missing vars file:
* $vars"

@@ -5778,7 +5775,7 @@ Please, correct these errors and try again."
-e '[[:blank:]]unset[[:blank:]]*' \
"$vars"
then
warn "\
user_error "\
One or more of these problems has been found in your 'vars' file:

* Use of 'export':
@@ -5791,16 +5788,22 @@ Remove 'unset' ('force_set_var' may also work)."
# Enable sourcing 'vars'
# shellcheck disable=SC2034 # appears unused
EASYRSA_CALLER=1
easyrsa_path="$PATH"
PATH=./

# Test sourcing 'vars' in a subshell
# shellcheck disable=1090 # can't follow .. vars
( . "$vars" ) || \
die "Failed to source the vars file."
die "Failed to dry-run the vars file."

# Source 'vars' now
# shellcheck disable=1090 # can't follow .. vars
. "$vars" 2>/dev/null
unset -v EASYRSA_CALLER
. "$vars" || \
die "Failed to source the vars file."

PATH="$easyrsa_path"
unset -v EASYRSA_CALLER easyrsa_path
verbose "vars_setup: sourced 'vars' OK"
fi

# Set defaults, preferring existing env-vars if present
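Review bot: In the last hunk (@@ -5791,16 +5788,22 @@), `PATH=./` makes the working directory the only command search path while 'vars' is dry-run and then sourced, so any bare command name used inside 'vars' resolves to whatever executable happens to sit in the directory easyrsa was started from. If the aim is to keep 'vars' from running external programs, a search path that points at the current directory does not achieve that; if the aim is to let `.` locate a file name given without a slash, making the path explicit is narrower and leaves PATH alone: `case "$vars" in */*) ;; *) vars="./$vars" ;; esac`. The intent is not visible in the hunk, so at minimum the assignment should carry a comment stating it, e.g. `# PATH is narrowed while sourcing 'vars' because <reason>`. The enclosing function, apparently vars_setup(), starts and ends outside this hunk.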