
Always use locate_support_files() after secure_session() #1270

Merged
merged 7 commits into from
Dec 6, 2024
3 changes: 3 additions & 0 deletions ChangeLog
Expand Up @@ -2,6 +2,9 @@ Easy-RSA 3 ChangeLog

3.2.2 (TBD)

* Rename global option --ssl-conf (DEPRECATED) to --ssl-cnf (c788423) (#1270)
* bugfix: Save and Restore $EASYRSA_SSL_CONF for compound commands (7cdb14d) (#1270)
* bugfix: Always use locate_support_files() after secure_session() (d530bc3) (#1270)
* bugfix: easyrsa-tools.lib: renew, write full metadata to temp-file (b47d2af) (#1267)
* Introduce new command 'revoke-issued' (38bf2d8) (#1266)
Commands 'revoke' and 'revoke-issued' are identical.
32 changes: 22 additions & 10 deletions easyrsa3/easyrsa
Expand Up @@ -625,7 +625,7 @@ General options:
(Default PKI directory is sub-directory 'pki')
See Advanced.md for in depth usage.

--ssl-conf=FILE : Define a specific OpenSSL config file for Easy-RSA to use
--ssl-cnf=FILE : Define a specific OpenSSL config file for Easy-RSA to use
(Default config file is in the EasyRSA PKI directory)
--force-safe-ssl: Always generate a safe SSL config file
(Default: Generate Safe SSL config once per instance)
Expand Down Expand Up @@ -840,8 +840,7 @@ secure_session - Missing temporary directory:
die "secure_session - temp-file EXISTS"

# New session requires safe-ssl conf
unset -v session OPENSSL_CONF \
EASYRSA_SSL_CONF safe_ssl_cnf_tmp \
unset -v session OPENSSL_CONF safe_ssl_cnf_tmp \
working_safe_ssl_conf working_safe_org_conf

easyrsa_err_log="$secured_session/error.log"
Expand All @@ -859,8 +858,11 @@ remove_secure_session() {
if rm -rf "$secured_session"; then
verbose "\
remove_secure_session: DELETED: $secured_session"
unset -v secured_session OPENSSL_CONF \
EASYRSA_SSL_CONF safe_ssl_cnf_tmp \

# Restore original EASYRSA_SSL_CONF
EASYRSA_SSL_CONF="$original_ssl_cnf"

unset -v secured_session OPENSSL_CONF safe_ssl_cnf_tmp \
working_safe_ssl_conf working_safe_org_conf
return
fi
Expand Down Expand Up @@ -2678,6 +2680,7 @@ basicConstraints is not defined, cannot use 'pathlen'"

# Get request CN
# EASYRSA_REQ_CN MUST always be set to the CSR CN
# or use --new-subect
EASYRSA_REQ_CN="$(
"$EASYRSA_OPENSSL" req -utf8 -in "$req_in" -noout \
-subject -nameopt multiline | grep 'commonName'
Expand Down Expand Up @@ -2984,8 +2987,8 @@ Conflicting file found at:
# Recreate temp-session and
# drop edits to SSL Conf file
remove_secure_session
locate_support_files
secure_session
locate_support_files
write_global_safe_ssl_cnf_tmp

# Require --copy-ext
Expand Down Expand Up @@ -4661,6 +4664,14 @@ verify_working_env() {
write_global_safe_ssl_cnf_tmp
fi
fi

# Find x509-types, openssl-easyrsa.cnf
# and easyrsa-tools.lib
locate_support_files

# Save original EASYRSA_SSL_CONF
original_ssl_cnf="$EASYRSA_SSL_CONF"

verbose "verify_working_env: COMPLETED Handover-to: $cmd"
} # => verify_working_env()

Expand Down Expand Up @@ -4716,6 +4727,10 @@ verify_working_env - easyrsa_mktemp global_safe_ssl_cnf_tmp"
# If the existing file has a known hash then use temp-file.
# Otherwise, use the file in place.
write_easyrsa_ssl_cnf_tmp() {
# If EASYRSA_SSL_CONF is undefined then use default
[ "$EASYRSA_SSL_CONF" ] || set_var \
EASYRSA_SSL_CONF "$EASYRSA_PKI"/openssl-easyrsa.cnf

if [ -f "$EASYRSA_SSL_CONF" ]; then
verbose "write_easyrsa_ssl_cnf_tmp: SSL config EXISTS"

Expand Down Expand Up @@ -5578,7 +5593,7 @@ while :; do
--tmp-dir)
export EASYRSA_TEMP_DIR="$val"
;;
--ssl-conf)
--ssl-cnf|--ssl-conf)
export EASYRSA_SSL_CONF="$val"
;;
--keep-tmp)
Expand Down Expand Up @@ -5832,9 +5847,6 @@ validate_default_vars
# Check for conflicting input options
mutual_exclusions

# Find x509-types, openssl-easyrsa.cnf and easyrsa-tools.lib
locate_support_files

# Verify SSL Lib - One time ONLY
verify_ssl_lib

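Review bot: The restore `EASYRSA_SSL_CONF="$original_ssl_cnf"` added to remove_secure_session assumes `original_ssl_cnf` has already been saved by verify_working_env (the `original_ssl_cnf="$EASYRSA_SSL_CONF"` line later in this section); if remove_secure_session can run before that point — an early failure or cleanup path, which is not visible here — the assignment replaces a user-supplied `--ssl-cnf` value with an empty string, and write_easyrsa_ssl_cnf_tmp then falls back to the PKI default without any message. Because that option selects which OpenSSL config governs issuance, a silent switch to the default config is worth preventing rather than tolerating. Guarding the restore on the save having happened keeps the original value in that case: `if [ "${original_ssl_cnf+set}" ]; then EASYRSA_SSL_CONF="$original_ssl_cnf"; fi`. A comment on the save line noting that `original_ssl_cnf` is a global read only by remove_secure_session would also make the coupling between the two hunks visible. The body of remove_secure_session continues past the end of its hunk.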
10 changes: 4 additions & 6 deletions easyrsa3/easyrsa-tools.lib
Expand Up @@ -414,13 +414,11 @@ read_db() {

verbose "***** Read next record *****"

# Recreate temp session
remove_secure_session || \
die "read_db - remove_secure_session"
# Recreate temp-session and
# drop edits to SSL Conf file
remove_secure_session
secure_session
locate_support_files
secure_session || \
die "read_db - secure_session"
# Recreate openssl-easyrsa.cnf (Temp)
write_global_safe_ssl_cnf_tmp

# Interpret the db/certificate record
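Review bot: The rewritten sequence at the top of the hunk drops the `|| die "read_db - remove_secure_session"` and `|| die "read_db - secure_session"` guards the old lines carried, so a non-zero return from either call now falls through to `locate_support_files` and `write_global_safe_ssl_cnf_tmp`, and the next record is interpreted against a session that was not recreated. This matches the unguarded form used in easyrsa itself and may be intentional if both functions die internally; the visible part of remove_secure_session returns only on its success branch and its failure path is outside the hunk, so that could not be confirmed from this page. If the guards are meant to go, a one-line comment such as `# remove_secure_session/secure_session die on failure` would document the reliance; otherwise keep `remove_secure_session || die "read_db - remove_secure_session"` and `secure_session || die "read_db - secure_session"` around the new ordering. read_db continues outside the hunk.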