From 8d7e017066482ff2202553b70141b6f74f6beb69 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 19 Sep 2023 01:16:12 +0100 Subject: [PATCH 1/7] vars: Improve auto-load logic The main changes made are: * If EASYRSA is set then only allow default vars file. No auto-load * If EASYRSA_PKI is set then allow also EASYRSA_PKI/vars. Use auto-load. This is something like "The Three Laws"; vars auto-load is unnecassary and should be replaced by a single default vars file. However, here is the latest version: 1. The DEFAULT vars file is in the working directory: ./vars 2. Using --vars=, takes priority ALWAYS. NO auto-load! 3. Using --pki-dir=, allows "$EASYRSA_PKI/vars". Use auto-load! Note: A user set PKI can auto-load a default vars file in the PKI, however, that can also conflict with a default ./vars file. 4. ERROR, if vars auto-load finds more than one VIABLE vars file. Viable vars files and conflicts: 1. "$PWD/vars" - Can conflict. 2. "$PWD/pki/vars" - Can conflict. 3. "$EASYRSA/vars" - User defined EASYRSA, no conflict. 4. "$EASYRSA_PKI/vars" - User defined EASYRSA_PKI, can conflict. This is achieved by making the following changes: Prioritise user-set EASYRSA to force "$EASYRSA/vars" ONLY. No auto-load. Expand assigning EASYRSA_PKI/vars to test for user-set PKI or default PKI. Use auto-load. Remove unused code and improve comments. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 87 +++++++++++++++++++++++------------------------- 1 file changed, 41 insertions(+), 46 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 5f3a543f4..e25af443c 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -5625,13 +5625,14 @@ vars_setup() { vars= # Find vars - # Explicit user defined vars file: + # User set vars '$user_vars_true' takes priority + # Deliberate NO vars if [ "$EASYRSA_NO_VARS" ]; then - # User set vars turns off pki/var warning user_vars_true=1 # Found exactly zero vars files found_vars=0 + # Priority: Explicit user defined vars file: elif [ "$EASYRSA_VARS_FILE" ]; then if [ -e "$EASYRSA_VARS_FILE" ]; then vars="$EASYRSA_VARS_FILE" @@ -5646,62 +5647,68 @@ The 'vars' file was not found: * $EASYRSA_VARS_FILE" fi + # Secondary: Setting EASYRSA forces vars to EASYRSA/vars + elif [ "$EASYRSA" ]; then + if [ -e "$EASYRSA/vars" ]; then + vars="${EASYRSA}/vars" + user_vars_true=1 + found_vars=1 + else + # Allow to run without EASYRSA/vars file + user_vars_true=1 + found_vars=0 + fi + # Otherwise, find vars else # set up program path + # Program dir vars - This location is least wanted. prog_file="$0" prog_dir="${prog_file%/*}" if [ "$prog_dir" = . ] || [ "$prog_dir" = "$PWD" ] then prog_in_pwd=1 + unset -v prog_vars else + prog_vars="${prog_dir}/vars" unset -v prog_in_pwd fi - # Program dir vars - This location is least wanted. - prog_vars="${prog_dir}/vars" - - # set up PKI path vars - Top preference - pki_vars="${EASYRSA_PKI:-$PWD/pki}/vars" - - # Some other place vars, out of scope. - if [ "$EASYRSA" ]; then - easy_vars="${EASYRSA}/vars" + # If EASYRSA_PKI is set then it is user set, + # allow use of the default vars in the PKI + if [ "$EASYRSA_PKI" ]; then + pki_vars="${EASYRSA_PKI}/vars" + user_pki_true=1 + unset -v default_pki_true else - unset -v easy_vars + # default pki/vars + # if this conflicts then bail + pki_vars="${PWD}/pki/vars" + default_pki_true=1 + unset -v user_pki_true fi - # vars of last resort + # vars of last resort; The Default pwd_vars="$PWD/vars" # Clear flags - This is the preferred order to find: unset -v \ - e_pki_vars e_easy_vars e_pwd_vars e_prog_vars \ + e_pki_vars e_pwd_vars e_prog_vars \ found_vars vars_in_pki # PKI location, if present: [ -e "$pki_vars" ] && e_pki_vars=1 - # EASYRSA, if defined: - [ -e "$easy_vars" ] && e_easy_vars=1 - # vars of last resort [ -e "$pwd_vars" ] && e_pwd_vars=1 # program location: [ -e "$prog_vars" ] && e_prog_vars=1 - # Filter duplicates - if [ "$e_prog_vars" ] && [ "$e_pwd_vars" ] && \ - [ "$prog_in_pwd" ] - then - unset -v prog_vars e_prog_vars - fi - # Allow only one vars to be found, No exceptions! found_vars="$(( - e_pki_vars + e_easy_vars + e_pwd_vars + e_prog_vars + e_pki_vars + e_pwd_vars + e_prog_vars ))" verbose "vars_setup: found_vars = '$found_vars'" @@ -5716,45 +5723,33 @@ The 'vars' file was not found: # then assign $vars [ "$e_prog_vars" ] && vars="$prog_vars" [ "$e_pwd_vars" ] && vars="$pwd_vars" - [ "$e_easy_vars" ] && vars="$easy_vars" if [ "$e_pki_vars" ]; then vars="$pki_vars" vars_in_pki=1 - user_error "\ -Use of a default 'vars' file in the default PKI is prohibited. -Please move the 'pki/vars' file to the working directory: -* ${pwd_vars%/vars}/" + else + unset -v vars_in_pki fi ;; *) + found_msg="" [ "$e_pki_vars" ] && \ - found_msg="${NL} * Found: $pki_vars" - [ "$e_easy_vars" ] && \ - found_msg="${found_msg}${NL} * Found: $easy_vars" + found_msg="${found_msg}${NL} * Found pki_vars : $pki_vars" [ "$e_pwd_vars" ] && \ - found_msg="${found_msg}${NL} * Found: $pwd_vars" + found_msg="${found_msg}${NL} * Found pwd_vars : $pwd_vars" [ "$e_prog_vars" ] && \ - found_msg="${found_msg}${NL} * Found: $prog_vars" + found_msg="${found_msg}${NL} * Found prog_vars: $prog_vars" user_error "\ Conflicting 'vars' files found: $found_msg -Priority should be given to this vars file: -* $pwd_vars" - - # For init-pki, pki/vars will be deleted - # However, another vars file exists - # so don't create pki/vars - no_new_vars=1 - verbose "vars_setup: no_new_vars = '$no_new_vars'" +Use option --vars= to define the vars file +or remove the conflicting vars files." esac - verbose "vars_setup: vars = '$vars'" # Clean up - unset -v prog_vars pwd_vars easy_vars pki_vars \ - expected_pki_vars + unset -v prog_vars pwd_vars pki_vars # END: Find vars fi From f47b49134607379a073c5c8605f05d9c9056b3b9 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 19 Sep 2023 01:59:39 +0100 Subject: [PATCH 2/7] vars: Remove program directory as a valid "vars auto-load" candidate Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 27 ++++----------------------- 1 file changed, 4 insertions(+), 23 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index e25af443c..ab327fa04 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -5662,21 +5662,8 @@ The 'vars' file was not found: # Otherwise, find vars else - # set up program path - # Program dir vars - This location is least wanted. - prog_file="$0" - prog_dir="${prog_file%/*}" - if [ "$prog_dir" = . ] || [ "$prog_dir" = "$PWD" ] - then - prog_in_pwd=1 - unset -v prog_vars - else - prog_vars="${prog_dir}/vars" - unset -v prog_in_pwd - fi - # If EASYRSA_PKI is set then it is user set, - # allow use of the default vars in the PKI + # allow use of the default vars in the set PKI if [ "$EASYRSA_PKI" ]; then pki_vars="${EASYRSA_PKI}/vars" user_pki_true=1 @@ -5694,7 +5681,7 @@ The 'vars' file was not found: # Clear flags - This is the preferred order to find: unset -v \ - e_pki_vars e_pwd_vars e_prog_vars \ + e_pki_vars e_pwd_vars \ found_vars vars_in_pki # PKI location, if present: @@ -5703,12 +5690,9 @@ The 'vars' file was not found: # vars of last resort [ -e "$pwd_vars" ] && e_pwd_vars=1 - # program location: - [ -e "$prog_vars" ] && e_prog_vars=1 - # Allow only one vars to be found, No exceptions! found_vars="$(( - e_pki_vars + e_pwd_vars + e_prog_vars + e_pki_vars + e_pwd_vars ))" verbose "vars_setup: found_vars = '$found_vars'" @@ -5721,7 +5705,6 @@ The 'vars' file was not found: 1) # If a SINGLE vars file is found # then assign $vars - [ "$e_prog_vars" ] && vars="$prog_vars" [ "$e_pwd_vars" ] && vars="$pwd_vars" if [ "$e_pki_vars" ]; then vars="$pki_vars" @@ -5736,8 +5719,6 @@ The 'vars' file was not found: found_msg="${found_msg}${NL} * Found pki_vars : $pki_vars" [ "$e_pwd_vars" ] && \ found_msg="${found_msg}${NL} * Found pwd_vars : $pwd_vars" - [ "$e_prog_vars" ] && \ - found_msg="${found_msg}${NL} * Found prog_vars: $prog_vars" user_error "\ Conflicting 'vars' files found: @@ -5749,7 +5730,7 @@ or remove the conflicting vars files." verbose "vars_setup: vars = '$vars'" # Clean up - unset -v prog_vars pwd_vars pki_vars + unset -v pwd_vars pki_vars # END: Find vars fi From 7b38d99b4cd8afbdf7a911cd4643d7523e90fd91 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 19 Sep 2023 03:21:25 +0100 Subject: [PATCH 3/7] vars: Forbid auto-loaded "$EASYRSA_PKI/vars" from changing the PKI If a vars file in the PKI tries to change the expected PKI then fail. Allow vars file in the working directory to change the PKI. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index ab327fa04..172dac550 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -5665,15 +5665,16 @@ The 'vars' file was not found: # If EASYRSA_PKI is set then it is user set, # allow use of the default vars in the set PKI if [ "$EASYRSA_PKI" ]; then + # EASYRSA_PKI will not be changed by vars pki_vars="${EASYRSA_PKI}/vars" - user_pki_true=1 - unset -v default_pki_true else # default pki/vars # if this conflicts then bail pki_vars="${PWD}/pki/vars" - default_pki_true=1 - unset -v user_pki_true + + # Setup "catch EXPECTED PKI changed" + # auto-load 'pki/vars' is FORBIDDEN to change PKI + expected_pki="${PWD}/pki" fi # vars of last resort; The Default @@ -5878,6 +5879,16 @@ Algorithm '$EASYRSA_ALGO' is invalid: Must be 'rsa', 'ec' or 'ed'" set_var EASYRSA_MAX_TEMP 4 + # Catch unexpected PKI change + if [ "$expected_pki" ]; then + [ "$expected_pki" = "$EASYRSA_PKI" ] || \ + user_error "\ +The PKI was unexpectedly changed by the vars file. +vars : $vars +Expected: $expected_pki +Set : $EASYRSA_PKI" + fi + # if the vars file in use is not in the PKI # and not user defined then Show the messages if [ "$require_pki" ]; then @@ -7040,6 +7051,7 @@ unset -v \ alias_days \ prohibit_no_pass \ found_vars no_new_vars user_vars_true \ + expected_pki \ do_build_full error_build_full_cleanup \ internal_batch \ easyrsa_exit_with_error error_info From 0f1064ef009260676df2292794ce7c7922abc9c7 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Wed, 20 Sep 2023 10:52:12 +0100 Subject: [PATCH 4/7] Rename option --pki-dir to --pki but continue support for --pki-dir Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 172dac550..e96fd4f32 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -546,9 +546,10 @@ General options: --raw|raw-ca : Build CA with password via RAW SSL input --vars=FILE : Define a specific 'vars' file to use for Easy-RSA config - (Default vars file is in the EasyRSA PKI directory) ---pki-dir=DIR : Declare the PKI directory + (Default vars file is in the current working directory) +--pki=DIR : Declare the PKI directory (Default PKI directory is sub-directory 'pki') + See Advanced.md for in depth usage. --ssl-conf=FILE : Define a specific OpenSSL config file for Easy-RSA to use (Default config file is in the EasyRSA PKI directory) @@ -5884,9 +5885,10 @@ Algorithm '$EASYRSA_ALGO' is invalid: Must be 'rsa', 'ec' or 'ed'" [ "$expected_pki" = "$EASYRSA_PKI" ] || \ user_error "\ The PKI was unexpectedly changed by the vars file. -vars : $vars -Expected: $expected_pki -Set : $EASYRSA_PKI" + + * vars : $vars + * Expected: $expected_pki + * Set : $EASYRSA_PKI" fi # if the vars file in use is not in the PKI @@ -7089,7 +7091,7 @@ while :; do --enddate) export EASYRSA_END_DATE="$val" ;; - --pki-dir) + --pki-dir|--pki) export EASYRSA_PKI="$val" ;; --tmp-dir) From 3b4b5f37c764aaf80cad0dea6afac7843d6974d8 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Wed, 20 Sep 2023 23:37:14 +0100 Subject: [PATCH 5/7] Ignore conflicting vars files for commands which do not require vars Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index e96fd4f32..95e83b246 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -5722,12 +5722,15 @@ The 'vars' file was not found: [ "$e_pwd_vars" ] && \ found_msg="${found_msg}${NL} * Found pwd_vars : $pwd_vars" - user_error "\ + # If command is not 'help' etc then Error out + [ "$ignore_vars" ] || user_error "\ Conflicting 'vars' files found: $found_msg Use option --vars= to define the vars file or remove the conflicting vars files." + + verbose "vars_setup: Conflicting vars IGNORED" esac verbose "vars_setup: vars = '$vars'" @@ -7280,10 +7283,11 @@ cmd="$1" # Establish PKI and CA initialisation requirements # This avoids unnecessary warnings and notices case "$cmd" in - init-pki|clean-all|\ - help|-h|--help|--usage|\ - show-host|\ - version|upgrade|'') + ''|help|-h|--help|--usage|version|upgrade|show-host) + unset -v require_pki require_ca + ignore_vars=1 + ;; + init-pki|clean-all) unset -v require_pki require_ca ;; *) From de3d484c67c9b4060e26eeb3de8aea0005ea9467 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Thu, 21 Sep 2023 15:22:12 +0100 Subject: [PATCH 6/7] Remove EASYRSA and EASYRSA_PKI from built-in vars file generation Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 27 ++++----------------------- 1 file changed, 4 insertions(+), 23 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 95e83b246..43f945377 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -6126,16 +6126,6 @@ fi # DO YOUR EDITS BELOW THIS POINT -# This variable is used as the base location of configuration files needed by -# easyrsa. More specific variables for specific files (eg: EASYRSA_SSL_CONF) -# may override this default. -# -# The default value of this variable is the location of the easyrsa script -# itself, which is also where the configuration files are located in the -# easy-rsa tree. -# -#set_var EASYRSA "${0%/*}" - # If your OpenSSL command is not in the system PATH, you will need to define # the path here. Normally this means a full path to the executable, otherwise # you could have left it undefined here and the shown default would be used. @@ -6149,19 +6139,6 @@ fi # This sample is in Windows syntax -- edit it for your path if not using PATH: #set_var EASYRSA_OPENSSL "C:/Program Files/OpenSSL-Win32/bin/openssl.exe" -# Edit this variable to point to your soon-to-be-created key directory. -# By default, this will be "$PWD/pki" (ie: the "pki" subdirectory of the -# directory you are currently in). -# -# WARNING: init-pki will do a rm -rf on this directory so make sure you define -# it correctly! Interactive mode will prompt before acting. -# -#set_var EASYRSA_PKI "$PWD/pki" - -# Define directory for temporary subdirectories. -# -#set_var EASYRSA_TEMP_DIR "$EASYRSA_PKI" - # Define X509 DN mode. # # This is used to adjust which elements are included in the Subject field @@ -6248,6 +6225,10 @@ fi # Cut-off window for checking expiring certificates. # #set_var EASYRSA_PRE_EXPIRY_WINDOW 90 + +# Define directory for temporary subdirectories. +# +#set_var EASYRSA_TEMP_DIR "$EASYRSA_PKI" VARS_EXAMPLE } # => create_vars_example() From ebbb51def7f65654cfb78a1a0acae741e6877efd Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Thu, 21 Sep 2023 23:25:19 +0100 Subject: [PATCH 7/7] vars_setup: Add advice to "Conflicting vars files" error message Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 43f945377..af334fb81 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -5727,8 +5727,11 @@ The 'vars' file was not found: Conflicting 'vars' files found: $found_msg -Use option --vars= to define the vars file -or remove the conflicting vars files." +Use option --vars= to define the vars file +or remove the conflicting vars files. + +Easy-RSA recommends moving your vars file to your PKI and using +option --pki=, which will auto-select the correct vars file." verbose "vars_setup: Conflicting vars IGNORED" esac