From 6ae2c2957af158e4556bf2a504c829f1fa1d135b Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Tue, 17 Dec 2024 18:23:20 +0000
Subject: [PATCH 1/6] easyrsa_openssl(): Simplify check for OPENSSL_CONF
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index fd388777..9da5499b 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -1214,9 +1214,10 @@ easyrsa_openssl() {
 # Use $EASYRSA_SSL_CONF (local) or $OPENSSL_CONF (global)
 if [ -f "$EASYRSA_SSL_CONF" ]; then
 export OPENSSL_CONF="$EASYRSA_SSL_CONF"
+ elif [ -f "$OPENSSL_CONF" ]; then
+ export OPENSSL_CONF
 else
- [ -f "$OPENSSL_CONF" ] || \
- die "easyrsa_openssl - OPENSSL_CONF undefined"
+ die "easyrsa_openssl - OPENSSL_CONF undefined"
 fi
 verbose "= easyrsa_openssl: OPENSSL_CONF = $OPENSSL_CONF"
From 787ddf166ff785dbe97a697b92f366c3fb347db9 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Tue, 17 Dec 2024 21:48:06 +0000
Subject: [PATCH 2/6] Allow '-h|--help|--usage' as usable options (minor bugfix)
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 9da5499b..c1579d05 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -5816,6 +5816,11 @@ while :; do
 set -- "$@" "version"
 break
 ;;
+ -h|--help|--usage)
+ shift "$#"
+ set -- "$@" "help"
+ break
+ ;;
 -*)
 user_error "\
 Unknown option '$opt'.
@@ -5864,8 +5869,7 @@ cmd="$1"
 unset -v require_pki require_ca quiet_vars
 case "$cmd" in
- ''|help|-h|--help|--usage| \
- version|show-host|rand|random)
+ ''|help|version|show-host|rand|random)
 unset -v EASYRSA_SILENT
 quiet_vars=1
 ;;
From e6ff07cf68a83a11a4e25813d5084fb9fd164763 Mon Sep 17 00:00:00 2001
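Review bot: The `die` message in the new `else` branch now also covers the case where `OPENSSL_CONF` is set but does not name a regular file, so "OPENSSL_CONF undefined" is misleading for a typo'd or missing path; include the value, e.g. `die "easyrsa_openssl - OPENSSL_CONF undefined or not a file: '$OPENSSL_CONF'"`. The `elif` re-exports a path inherited from the caller's environment, so a `verbose` line stating which source won (EASYRSA_SSL_CONF or the inherited OPENSSL_CONF) would make the trailing `OPENSSL_CONF = ...` trace easier to audit. easyrsa_openssl() continues outside the hunk.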
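Review bot: `shift "$#"` discards every argument after the help option, so an invocation such as `easyrsa --help sign-req` reaches the command stage as a bare `help`; before this change `-h` was treated as the command itself (see hunk @@ -5864) and whatever followed it stayed in `$2`. If `help` accepts a topic argument, keep the remainder by shifting only the option and re-queuing the command: `set -- "help" "$@"` before `break`. Whether the loop has already shifted `$opt` off `$@` is not visible in the hunk, so size the `shift` accordingly. The new case is also the only branch here without a comment; `# help is a command, not an option: re-queue it` would record the intent given in the subject.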
From: Richard T Bonhomme
Date: Tue, 17 Dec 2024 21:58:08 +0000
Subject: [PATCH 3/6] Remove unnecessary, initial check for $working_safe_ssl_conf
This extra check was done to ensure that early changes did not allow an unrelated Safe SSL config to persist into the 'command' stage. $working_safe_ssl_conf is reset when the temporary session is created and deleted. This is now verified to be safe.
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index c1579d05..dd403911 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -5913,13 +5913,6 @@ mutual_exclusions
 # Verify SSL Lib - One time ONLY
 verify_ssl_lib
-# Check $working_safe_ssl_conf, to build
-# a fully configured safe ssl conf, on the
-# next invocation of easyrsa_openssl()
-if [ "$working_safe_ssl_conf" ]; then
- die "working_safe_ssl_conf must not be set!"
-fi
 # Hand off to the function responsible
 # ONLY verify_working_env() for valid commands
 case "$cmd" in
From 939e456f8bbb701ef31960b71fb130f924d91c81 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Tue, 17 Dec 2024 22:06:04 +0000
Subject: [PATCH 4/6] Move control of $safe_ssl_cnf_tmp to expand_ssl_config()
expand_ssl_config() is the only function to set or use $safe_ssl_cnf_tmp. Therefore, make $safe_ssl_cnf_tmp simulated 'local' to expand_ssl_config().
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index dd403911..66f97308 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -840,7 +840,7 @@ secure_session - Missing temporary directory:
 die "secure_session - temp-file EXISTS"
 # New session requires safe-ssl conf
- unset -v session OPENSSL_CONF safe_ssl_cnf_tmp \
+ unset -v session OPENSSL_CONF \
 working_safe_ssl_conf working_safe_org_conf
 easyrsa_err_log="$secured_session/error.log"
@@ -862,7 +862,7 @@ remove_secure_session: DELETED: $secured_session"
 # Restore original EASYRSA_SSL_CONF
 EASYRSA_SSL_CONF="$original_ssl_cnf"
- unset -v secured_session OPENSSL_CONF safe_ssl_cnf_tmp \
+ unset -v secured_session OPENSSL_CONF \
 working_safe_ssl_conf working_safe_org_conf
 return
 fi
@@ -1190,6 +1190,7 @@ expand_ssl_config() {
 fi
 export EASYRSA_SSL_CONF="$safe_ssl_cnf_tmp"
+ unset -v safe_ssl_cnf_tmp
 verbose \
 "expand_ssl_config: EASYRSA_SSL_CONF = $EASYRSA_SSL_CONF"
 } # => expand_ssl_config()
From ee363c67e0ce5f58cee8ede6c604c34640e2c759 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Sun, 22 Dec 2024 18:24:36 +0000
Subject: [PATCH 5/6] write_legacy_file_v2(): Correct over-write logic
If 'overwrite' is not enabled AND the target exists then skip this target, instead of erroring out. Include EASYRSA_DEBUG output.
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 66f97308..57f99479 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -4990,7 +4990,7 @@ write_legacy_file_v2() {
 write_type="$1"
 write_file="$2"
 write_over=
- [ "$3" = overwrite ] && write_over="$3"
+ [ "$3" = overwrite ] && write_over=1
 # Select by type
 case "$write_type" in
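Review bot: Removing `safe_ssl_cnf_tmp` from the two session `unset -v` lists (hunks @@ -840 and @@ -862) makes the trailing `unset -v safe_ssl_cnf_tmp` added here the only place the variable is cleared, so any path through expand_ssl_config() that returns before the `export` (the function body starts outside the hunk) would leave a stale temp-file path visible to the next session; a `die` path is harmless, an early `return` is not. Worth confirming no such `return` exists and recording the contract on the new line, e.g. `# local to this function: cleared so a later session cannot inherit a stale path`.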
@@ -5022,29 +5022,40 @@ write_legacy_file_v2() {
 if [ -f "$write_file" ]; then
 # if this is a temp file then enable auto-overwrite
 path="${write_file%%/temp.*}"
- if [ "${secured_session}" = "$path" ]; then
+ if [ "$path" = "${secured_session}" ]; then
 verbose ": write_legacy_file_v2 - temp-file ACCEPTED"
- write_over=overwrite
+ write_over=1
 else
 # target is not a temp-file, overwrite not changed
 verbose ": Target is not a temp-file: $write_file"
 fi
 else
- # enable overwrite, "there is no file" to over write
- verbose ": Missing input file: $write_file"
- write_over=overwrite
+ verbose ": Create new file: $write_file"
 fi
+ else
+ verbose ": No target file - output to stdout"
 fi
 # write legacy data stream to stdout or file
- if [ "$write_file" ]; then
+ if [ -f "$write_file" ]; then
 if [ "$write_over" ]; then
 verbose ": write_legacy_file_v2 - over-write ENABLED"
 create_legacy_stream "$write_type" > "$write_file" || \
 die "write failed"
+ [ "$EASYRSA_DEBUG" ] && print \ "### write OVERWRITE: $write_type to $write_file"
 else
- user_error "write: Over-write refused for existing file!"
+ # Preserve existing file and continue
+ verbose "write_legacy_file_v2 - over-write DISABLED "
+ [ "$EASYRSA_DEBUG" ] && print \ "### write PRESERVE existing: $write_file"
 fi
+ elif [ "$write_file" ]; then
+ verbose ": write_legacy_file_v2 - over-write DISABLED"
+ create_legacy_stream "$write_type" > "$write_file" || \ die "write failed"
+ [ "$EASYRSA_DEBUG" ] && print \ "### write NEWFILE: $write_type to $write_file"
 else
 # write stream to stdout ONLY
 create_legacy_stream "$write_type"
From 87a815b369e7905ddf17c4530846e0e15cc6c1e2 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Mon, 23 Dec 2024 20:21:59 +0000
Subject: [PATCH 6/6] sign-req: Typo and comment. Simplify check_unique_serial().
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)
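Review bot: `[ "$EASYRSA_DEBUG" ] && print ...` is the last command of the PRESERVE branch, and likewise of the OVERWRITE and NEWFILE branches, so with debugging off each of those paths ends with exit status 1; if write_legacy_file_v2() has no statement after this `if` (its end is outside the hunk) a caller that checks the return value, e.g. `write_legacy_file_v2 ... || die`, fails on every non-debug run. Use an `if` statement so the test's status is not inherited, as below. The message `"write_legacy_file_v2 - over-write DISABLED "` also differs from its siblings (no leading `: `, trailing space), and the NEWFILE branch logs `over-write DISABLED` for a file that does not exist yet; `": write_legacy_file_v2 - new file"` would describe that path.
```shell
		create_legacy_stream "$write_type" > "$write_file" || \
			die "write failed"
		if [ "$EASYRSA_DEBUG" ]; then
			print "### write OVERWRITE: $write_type to $write_file"
		fi
	else
		# Preserve existing file and continue
		verbose ": write_legacy_file_v2 - over-write DISABLED"
		if [ "$EASYRSA_DEBUG" ]; then
			print "### write PRESERVE existing: $write_file"
		fi
	fi
# … unchanged: elif new-file branch (same if-form for its debug print) and the stdout branch …
```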
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 57f99479..f415b655 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -2428,7 +2428,7 @@ sign_req() {
 Unrecognised x509-type: '$crt_type'
 In order to sign a custom X509 Type certificate, there must be a
-corresponding SSL configuration file in the 'x509-type' folder."
+corresponding SSL configuration file in the 'x509-types' folder."
 esac
 # Check argument sanity:
@@ -2831,6 +2831,7 @@ source or that you have verified the request checksum \
 with the sender.$NL"
 fi
+ # Request FINAL user confirmation
 confirm "Confirm requested details: " "yes" "\
 ${foreign_request}You are about to sign the following certificate:
@@ -2893,12 +2894,8 @@ check_serial_unique() {
 user_error "Invalid serial number: '$1'"
 esac
- unset -v unique_serial_true
- # Check for openssl -status of serial number
 # Always errors out - Do not capture error
- # unset EASYRSA_SILENT_SSL to capture all output
- # Do NOT unset check_serial for sign-req error msg
 check_serial="$( "$EASYRSA_OPENSSL" ca -status "$1" 2>&1 )" || :
@@ -2910,17 +2907,15 @@ check_serial_unique() {
 verbose "check_serial_unique: unique_serial=true"
 ;;
 *)
- : # Some other response
+ unique_serial_true=
 verbose "check_serial_unique: unique_serial=false"
 esac
 # In batch mode return result only
 if [ "$2" = batch ] || [ "$EASYRSA_BATCH" ]; then
 if [ "$unique_serial_true" ]; then
- unset -v unique_serial_true
 return 0
 else
- unset -v unique_serial_true
 return 1
 fi
 fi
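Review bot: With the function-entry `unset -v unique_serial_true` removed (hunk @@ -2893), the result of a previous call now survives into this one unless every branch of the `case` assigns the variable; only the `*)` assignment is visible here and the branch that sets it true starts above the hunk, so confirm no other branch falls through without assigning. The variable is also no longer cleared before the batch-mode `return`, so it stays set in the script's global scope after the call; that is acceptable if callers read it immediately, which a comment such as `# unique_serial_true is assigned by every case branch; callers read it right after return` would record. Hunk @@ -2893 also drops the why-comment `# Do NOT unset check_serial for sign-req error msg` while `check_serial` is still captured there; if sign-req still reads it, that comment is worth keeping.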