From ad257ab3b4165bded9d7920d08d2ea8bfdead093 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Wed, 23 Oct 2024 02:37:28 +0100
Subject: [PATCH 1/4] inline: Introduce EASYRSA_DISABLE_INLINE Allow inline_file() to be disabled.
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 690055af..b8d31941 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -2976,6 +2976,10 @@ See error messages above for details."
 # Generate inline file V2
 inline_file() {
+ # Allow complete disable
+ [ "$EASYRSA_DISABLE_INLINE" ] && return
+
+ # definitive source
 [ "$1" ] || die "inline_file - Missing file_name_base"
 # Source files
From cfe77462beb3cd84b42a7d67db2d6d54ba0a4827 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Wed, 23 Oct 2024 02:52:50 +0100
Subject: [PATCH 2/4] Integrate EASYRSA_DISABLE_INLINE into 'vars' file
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 4 ++++
 easyrsa3/vars.example | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index b8d31941..2de8fbc5 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -5312,6 +5312,10 @@ fi
 #set_var EASYRSA_KU_CRIT 1
 #set_var EASYRSA_EKU_CRIT 1
 #set_var EASYRSA_SAN_CRIT 1
+
+# Disable automatic inline files
+#
+#set_var EASYRSA_DISABLE_INLINE 1
 CREATE_VARS_EXAMPLE
 ;;
 ssl-cnf|safe-cnf)
diff --git a/easyrsa3/vars.example b/easyrsa3/vars.example
index 26b4face..95e401fc 100644
--- a/easyrsa3/vars.example
+++ b/easyrsa3/vars.example
@@ -174,6 +174,10 @@ fi
 #set_var EASYRSA_EKU_CRIT 1
 #set_var EASYRSA_SAN_CRIT 1
+# Disable automatic inline files
+#
+#set_var EASYRSA_DISABLE_INLINE 1
+
 # Support deprecated "Netscape" extensions? (choices "yes" or "no").
 # The default is "no", to discourage use of deprecated extensions.
 # If you require this feature to use with --ns-cert-type, set this to "yes".
From faf5fe25a37533e044d4565b8314c269ee1ec41e Mon Sep 17 00:00:00 2001
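Review bot: The guard `[ "$EASYRSA_DISABLE_INLINE" ] && return` added at the top of inline_file() in PATCH 1/4 only tests for a non-empty string, so `set_var EASYRSA_DISABLE_INLINE 0` or `no` disables inline files exactly as `1` does. Inline files under `inline/private` carry private key material, so an operator should be able to tell precisely which setting stops those copies being written. Either compare explicitly, `[ "$EASYRSA_DISABLE_INLINE" = 1 ] && return`, or state the rule in the comment: `# Allow complete disable: any non-empty value (even 0 or "no") disables`. The same sentence would help the `# Disable automatic inline files` comment that PATCH 2/4 adds to the vars heredoc and to vars.example. The rest of inline_file() and its callers lie outside the hunk, so what they report after the silent early return cannot be checked here.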
From: Richard T Bonhomme
Date: Wed, 23 Oct 2024 17:34:36 +0100
Subject: [PATCH 3/4] Move 'inline' folder creation to inline_file() This ring-fences all inline code to inline_file() function.
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 2de8fbc5..ca1547c9 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -1461,7 +1461,7 @@ Please delete the key above that is no longer in use."
 # new dirs:
 easyrsa_mkdir "$EASYRSA_PKI"
- for i in issued private reqs inline; do
+ for i in issued private reqs; do
 easyrsa_mkdir "${EASYRSA_PKI}/$i"
 done
@@ -2982,6 +2982,10 @@ inline_file() {
 # definitive source
 [ "$1" ] || die "inline_file - Missing file_name_base"
+ # make inline dirs
+ easyrsa_mkdir "$EASYRSA_PKI"/inline
+ easyrsa_mkdir "$EASYRSA_PKI"/inline/private
+
 # Source files
 crt_source="${EASYRSA_PKI}/issued/${1}.crt"
 key_source="${EASYRSA_PKI}/private/${1}.key"
@@ -2991,8 +2995,6 @@ inline_file() {
 # output
 inline_out="${EASYRSA_PKI}/inline/${1}.inline"
- easyrsa_mkdir "$EASYRSA_PKI"/inline
- easyrsa_mkdir "$EASYRSA_PKI"/inline/private
 print "\
 # Inline files in the 'private' directory contain security keys which
 # MUST only be transmitted over a secure connection, such as 'scp'." \
From 5d43f540d3c8d1622ce359eda598f38addc303e3 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Wed, 23 Oct 2024 19:58:12 +0100
Subject: [PATCH 4/4] ChangeLog: New global variable 'EASYRSA_DISABLE_INLINE'
Signed-off-by: Richard T Bonhomme
---
 ChangeLog | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ChangeLog b/ChangeLog
index 79057fd6..112e05ae 100644
--- a/ChangeLog
+++ b/ChangeLog
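Review bot: The two `easyrsa_mkdir` calls added in the `@@ -2982,6 +2982,10 @@` hunk of PATCH 3/4 create `inline/private`, which receives copies of private keys (see the message printed further down), yet nothing visible here shows the mode that directory is created with. easyrsa_mkdir is defined outside this patch, so confirm it applies a restrictive mode rather than inheriting the caller's umask, and record the expectation in the comment: `# make inline dirs (inline/private holds key copies; keep it owner-only)`. The calls now run before the source files are named, so the directories may be created even on a call that ends up writing no inline file. Because the first hunk drops `inline` from the directory-creation loop, any other code that reads `$EASYRSA_PKI/inline` should be checked for tolerating a missing directory, particularly when EASYRSA_DISABLE_INLINE is set. As a style point, `"$EASYRSA_PKI"/inline` differs from the `"${EASYRSA_PKI}/inline/${1}.inline"` form on the neighbouring lines; inline_file() continues beyond the hunk.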
@@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog
 3.2.2 (TBD)
+ * New global variable 'EASYRSA_DISABLE_INLINE' (ad257ab) (#1245)
 * Add LibreSSL version 4 to supported SSL Libraries (7df616b) (#1240)
 * sign-req: Allow custom X509 Types (2ee08cc) (#1238)
 * Remove redundant file index.txt.attr (da3c249) (#1233)