
Replace use of sed with heredoc expansion #1064

Merged: 9 commits, Jan 23, 2024

Conversation

TinCanTech
Collaborator

@TinCanTech TinCanTech commented Jan 15, 2024

sed is used to expand openssl-easyrsa.cnf and to sanitize the vars file organisation fields when configured for use.

Currently, the original behavior can be restored by setting EASYRSA_SAFE_CNF_SED=1 in the environment. There is no command option at this time but there probably will be, soon.

This replaces use of 'sed' to expand the SSL config file for LibreSSL use.

Currently, the SSL config file is copied unexpanded from the heredoc to the
openssl-easyrsa.cnf file. 'sed' is used to expand the '$ENV::EASYRSA_var'
to the configured EasyRSA values.

This change replaces use of 'sed' with expanding the 'ssl-cnf' heredoc.

The expansion of the heredoc can be configured to expand the original values
of, eg: $ENV::EASYRSA_PKI to $EASYRSA_PKI, or be set to expand the values to
the original text of the file. eg: $ENV::EASYRSA_PKI will expand to the same
text string: '$ENV::EASYRSA_PKI'.

This allows expanding the SSL config heredoc to either:
* Unexpanded OpenSSL labels.
* Fully expanded safe values, configured by Easy-RSA.

The unexpanded output can be verified against the known heredoc hash within
the script: 82439f1860838e28f6270d5d06b1771756db777861e19bf9edc21222f86a310d

To confirm this hash, use: 'easyrsa write ssl-cnf | openssl dgst'

The expanded 'write safe-cnf' has all OpenSSL labels expanded.

Signed-off-by: Richard T Bonhomme <[email protected]>
This replaces command 'easyrsa_openssl makesafeconf' with new heredoc
expansion.

Signed-off-by: Richard T Bonhomme <[email protected]>
Currently, command 'write' must allow at least one level of recursion.
This check guards against infinite recursion.

Signed-off-by: Richard T Bonhomme <[email protected]>
This replaces use of:
* 'sed' for expanding openssl-easyrsa.cnf
* 'sed' for sanitizing Distinguished Name fields

.. by using heredoc expansion of the built-in openssl-easyrsa.cnf

Signed-off-by: Richard T Bonhomme <[email protected]>
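The two output modes the commit messages describe (literal OpenSSL labels for 'write ssl-cnf', configured values for 'write safe-cnf') and the hash check on the unexpanded text, as an added illustration in plain sh; this is a hypothetical stand-in, not Easy-RSA's own code, and the `write_cnf`, `digest`, `verify_ssl_cnf` names, the placeholder variables and the sample settings are assumptions.

```shell
#!/bin/sh
# Hypothetical stand-in for 'write ssl-cnf' / 'write safe-cnf': one heredoc
# holds the config text; the mode decides whether each placeholder becomes
# the literal OpenSSL label ('$ENV::EASYRSA_PKI') or the configured value.

# Constructed sample settings, not Easy-RSA defaults.
EASYRSA_PKI="${EASYRSA_PKI:-/tmp/demo-pki}"
EASYRSA_REQ_ORG="${EASYRSA_REQ_ORG:-Acme R&D / Labs}"

# write_cnf MODE -> prints the config; MODE is 'ssl-cnf' or 'safe-cnf'.
write_cnf() {
    case "$1" in
    ssl-cnf)   # unexpanded: keep the OpenSSL labels verbatim
        cnf_pki='$ENV::EASYRSA_PKI'
        cnf_org='$ENV::EASYRSA_REQ_ORG'
        ;;
    safe-cnf)  # expanded: insert the configured values as-is; no sed, so
               # '/', '&' or '\' inside a value are never reinterpreted
        cnf_pki="$EASYRSA_PKI"
        cnf_org="$EASYRSA_REQ_ORG"
        ;;
    *) echo "write_cnf: unknown mode '$1'" >&2; return 1 ;;
    esac
    # Unquoted delimiter: the shell expands ${cnf_*}; any other '$' must be
    # escaped (\$dir) or the shell would expand it too.
    cat <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ${cnf_pki}
database = \$dir/index.txt
[ req_distinguished_name ]
organizationName_default = ${cnf_org}
EOF
}

# digest: sha256 where available, falling back to cksum, so the unexpanded
# text can be compared with a known hash the way the real script does.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256
    else cksum; fi | cut -d' ' -f1
}

# cnf_digest MODE -> digest of the config text produced in that mode.
cnf_digest() { write_cnf "$1" | digest; }

# verify_ssl_cnf EXPECTED -> 0 only if the unexpanded heredoc hashes to it.
verify_ssl_cnf() { [ "$(cnf_digest ssl-cnf)" = "$1" ]; }
```

Because the ssl-cnf output never reads the environment, its digest is the same whatever EASYRSA_PKI is set to, which is what makes a fixed known hash meaningful.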
@TinCanTech
Collaborator Author

TinCanTech commented Jan 15, 2024

93b28ad shaves off almost 10 seconds from each unit test.

@TinCanTech TinCanTech changed the title Safe ssl cnf via hdoc Replace use of sed with heredoc expansion Jan 16, 2024
@TinCanTech TinCanTech linked an issue Jan 19, 2024 that may be closed by this pull request
@TinCanTech TinCanTech added Version 3.2.0-Release and removed development Possible changes labels Jan 20, 2024
This forces using the old 'sed' expansion of 'openssl-easyrsa.cnf'
and forces expansion of the SSL config for LibreSSL.

This is temporary because the intention is to remove the old 'sed'
expansion method, in favor of heredoc expansion.

Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech TinCanTech force-pushed the safe-ssl-cnf-via-hdoc branch from c057be7 to 6714a21 on January 20, 2024 03:16
Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech TinCanTech merged commit d24f35b into OpenVPN:master Jan 23, 2024
3 checks passed
TinCanTech added a commit that referenced this pull request Feb 17, 2024
(#1055)

Further additions:
* Windows: Introduce 'Non-Admin' mode (c2823c4) (#1073)
* LibreSSL: Add fix for missing 'x509' option '-ext' (96dd959) (#1068)
* Variable heredoc expansion for SSL/Safe Config file (9c5d423) (#1064)

Signed-off-by: Richard T Bonhomme <[email protected]>
Successfully merging this pull request may close these issues.

Abandon escape_hazard() - Replace with heredoc expansion