build_full(): Recreate secure_session between gen-req and sign-req

This resets the SSL config file to beginning of an instantiation. Allow built-in SSL config file to be initially created as either unexpanded (OpenSSL) or expanded (LibreSSL) Signed-off-by: Richard T Bonhomme <[email protected]>
OpenVPN · May 28, 2024 · b015eec · b015eec
1 parent fb50232
commit b015eec
Showing 1 changed file with 28 additions and 12 deletions.
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
@@ -796,9 +796,11 @@ secure_session() {
 		# atomic:
 		if mkdir "$secured_session"; then
 			# New session requires safe-ssl conf
-			unset -v OPENSSL_CONF \
-				safe_ssl_cnf_tmp working_safe_ssl_conf
+			unset -v OPENSSL_CONF safe_ssl_cnf_tmp \
+				working_safe_ssl_conf working_safe_org_conf
+
 			easyrsa_err_log="$secured_session/error.log"
+			mktemp_counter=0
 
 			verbose "\
 secure_session: CREATED: $secured_session"
@@ -817,8 +819,9 @@ remove_secure_session() {
 		if rm -rf "$secured_session"; then
 			verbose "\
 remove_secure_session: DELETED: $secured_session"
-			unset -v secured_session OPENSSL_CONF \
-				safe_ssl_cnf_tmp working_safe_ssl_conf
+			unset -v secured_session \
+				safe_ssl_cnf_tmp working_safe_ssl_conf \
+				EASYRSA_SSL_CONF OPENSSL_CONF
 			return
 		fi
 	fi
@@ -1197,7 +1200,7 @@ easyrsa_openssl() {
 
 	# VERIFY safe temp-file exists
 	export OPENSSL_CONF="$EASYRSA_SSL_CONF"
-	verbose "easyrsa_openssl: OPENSSL_CONF = $EASYRSA_SSL_CONF"
+	verbose "easyrsa_openssl: OPENSSL_CONF = $OPENSSL_CONF"
 
 	# Debug level
 	[ -z "$EASYRSA_DEBUG" ] || \
@@ -2741,6 +2744,13 @@ Option conflict --req-cn:
 	gen_req "$name" batch
 	verbose "build_full: END gen_req"
 
+	# Recreate temp-session and
+	# drop edits to SSL Conf file
+	remove_secure_session
+	locate_support_files
+	secure_session
+	write_easyrsa_ssl_cnf_tmp
+
 	# Require --copy-ext
 	export EASYRSA_CP_EXT=1
 
@@ -4479,12 +4489,15 @@ f97425686fa1976d436fa31f550641aa"
 		# Use the existing file ONLY
 		if [ "$hash_is_unknown" ]; then
 			unset -v hash_is_unknown
-			verbose "write_easyrsa_ssl_cnf_tmp: SSL config NO CHANGE!"
+			verbose "write_easyrsa_ssl_cnf_tmp: SSL config UNKNOWN!"
+
+			# Force 'sed' expnsion of file in place
+			export EASYRSA_LEGACY_SAFE_SSL=1
 			return 0
 		fi
 
 		# Ignore existing file, prefer to use a temp-file
-		verbose "write_easyrsa_ssl_cnf_tmp: SSL config IGNORED"
+		verbose "write_easyrsa_ssl_cnf_tmp: SSL config KNOWN"
 	fi
 
 	# SET and USE temp-file from here-doc Now
@@ -4493,14 +4506,20 @@ f97425686fa1976d436fa31f550641aa"
 	easyrsa_mktemp ssl_cnf_tmp || die "\
 write_easyrsa_ssl_cnf_tmp - easyrsa_mktemp"
 
+	# Choose SSL Conf type:
+	# OpenSSL=Unexpended, LibreSSL=Expanded (Safe)
+	ssl_cnf_type=ssl-cnf
+	[ "$ssl_lib" = openssl ] || ssl_cnf_type=safe-cnf
+
 	# Write SSL cnf to temp-file
-	write ssl-cnf > "$ssl_cnf_tmp" || die "\
+	write "$ssl_cnf_type" > "$ssl_cnf_tmp" || die "\
 write_easyrsa_ssl_cnf_tmp - write ssl-cnf: $ssl_cnf_tmp"
 
 	# export SSL cnf tmp
 	export EASYRSA_SSL_CONF="$ssl_cnf_tmp"
 	verbose "\
-write_easyrsa_ssl_cnf_tmp: EASYRSA_SSL_CONF = $ssl_cnf_tmp"
+write_easyrsa_ssl_cnf_tmp: $ssl_cnf_type \
+- EASYRSA_SSL_CONF = $ssl_cnf_tmp"
 } # => write_easyrsa_ssl_cnf_tmp()
 
 # Write x509 type file to a temp file
@@ -5159,9 +5178,6 @@ unset -v \
 	# after user interrupt when using manual password
 	prompt_restore=0
 
-	# verbose diagnostic for temp-files
-	mktemp_counter=0
-
 # Parse options
 while :; do
 	# Reset per pass flags