Introduce Global Safe SSL config and Local SSL config

The global safe SSL config is used by ancillary commands, such as 'vefiry_file()' and 'display_dn()', when no other SSL config has been created so far. The global safe SSL config is created with all env-vars fully expanded, which allows this file to be used by any SSL library. The local SSL config is used by commands that build X509 files, such as build-ca and gen-req. This file is created per command. The local SSL config is created as per the requirements of the SSL library in use. eg. OpenSSL:Unexpanded, LibreSSL:Expanded. The local SSL config is the file which is edited by commands, which insert data, such as "copy_extensions = copy" --copy-ext. The local file is tracked via EASYRSA_SSL_CONF. Calling command easyrsa_openssl() finally sets OPENSSL_CONF to EASYRSA_SSL_CONF. The global file is not tracked, it is only used when no local file has been created. OPENSSL_CONF is set to the global file, by default, from the start. Signed-off-by: Richard T Bonhomme <[email protected]>
OpenVPN · Jun 5, 2024 · b18fe38 · b18fe38
1 parent 7da361d
commit b18fe38
Showing 1 changed file with 49 additions and 16 deletions.
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
@@ -1212,8 +1212,8 @@ easyrsa_openssl() {
 	expand_ssl_config || \
 		die "easyrsa_openssl - expand_ssl_config failed"
 
-	# VERIFY safe temp-file exists
-	export OPENSSL_CONF="$EASYRSA_SSL_CONF"
+	# create local SSL cnf
+	write_easyrsa_ssl_cnf_tmp
 	verbose "easyrsa_openssl: OPENSSL_CONF = $OPENSSL_CONF"
 
 	# Debug level
@@ -1657,6 +1657,9 @@ Unable to create necessary PKI files (permissions?)"
 		fi
 	fi
 
+	# create local SSL cnf
+	write_easyrsa_ssl_cnf_tmp
+
 	# Check for insert-marker in ssl config file
 	if [ "$EASYRSA_EXTRA_EXTS" ]; then
 		if ! grep -q '^#%CA_X509_TYPES_EXTRA_EXTS%' \
@@ -2143,6 +2146,9 @@ Option conflict --req-cn:
 	# Enforce commonName
 	export EASYRSA_REQ_CN="$file_name_base"
 
+	# create local SSL cnf
+	write_easyrsa_ssl_cnf_tmp
+
 	# Output files
 	key_out="$EASYRSA_PKI/private/${file_name_base}.key"
 	req_out="$EASYRSA_PKI/reqs/${file_name_base}.req"
@@ -2294,6 +2300,9 @@ Option conflict --req-cn:
 	# Enforce commonName
 	export EASYRSA_REQ_CN="$file_name_base"
 
+	# create local SSL cnf
+	write_easyrsa_ssl_cnf_tmp
+
 	# Check optional subject
 	force_subj=
 	while [ "$1" ]; do
@@ -2763,7 +2772,7 @@ Option conflict --req-cn:
 	remove_secure_session
 	locate_support_files
 	secure_session
-	write_easyrsa_ssl_cnf_tmp
+	write_global_safe_ssl_cnf_tmp
 
 	# Require --copy-ext
 	export EASYRSA_CP_EXT=1
@@ -2916,6 +2925,17 @@ Run easyrsa without commands for usage and command help."
 	file_name_base="$1"
 	shift
 
+	# Prohibit --req-cn
+	[ "$EASYRSA_REQ_CN" = ChangeMe ] || user_error "\
+Option conflict --req-cn:
+* '$cmd' does not support setting an external commonName"
+
+	# Enforce commonName
+	export EASYRSA_REQ_CN="$file_name_base"
+
+	# create local SSL cnf
+	write_easyrsa_ssl_cnf_tmp
+
 	in_dir="$EASYRSA_PKI"
 	key_in="$in_dir/private/${file_name_base}.key"
 	req_in="$in_dir/reqs/${file_name_base}.req"
@@ -3635,6 +3655,7 @@ display_dn - input error"
 
 	# Display DN
 	ssl_out="$(
+		#export OPENSSL_CONF="$global_safe_ssl_cnf_tmp"
 		"$EASYRSA_OPENSSL" "$format" -in "$path" -noout -subject \
 		-nameopt utf8,sep_multiline,space_eq,lname,align)" || \
 			die "display_dn: SSL command '$format'"
@@ -4361,13 +4382,11 @@ verify_working_env() {
 		# Verify PKI is initialised
 		verify_pki_init
 
-		# Temp dir session and default SSL conf file
-		if [ -z "$secured_session" ]; then
-			secure_session
+		# Temp dir session
+		secure_session
 
-			# Verify or create temp EASYRSA_SSL_CONF
-			write_easyrsa_ssl_cnf_tmp
-		fi
+		# global safe ssl cnf temp
+		write_global_safe_ssl_cnf_tmp
 
 		# Verify selected algorithm and parameters
 		verify_algo_params
@@ -4382,13 +4401,11 @@ verify_working_env() {
 		# If there is a valid temp-dir:
 		# Create temp-session and openssl-easyrsa.cnf (Temp) now
 		if [ -d "$EASYRSA_TEMP_DIR" ]; then
-			# Temp dir session and default SSL conf file
-			if [ -z "$secured_session" ]; then
-				secure_session
+			# Temp dir session
+			secure_session
 
-				# Verify or create: EASYRSA_SSL_CONF
-				write_easyrsa_ssl_cnf_tmp
-			fi
+			# global safe ssl cnf temp
+			write_global_safe_ssl_cnf_tmp
 		fi
 	fi
 	verbose "verify_working_env: COMPLETED Handover-to: $cmd"
@@ -4429,6 +4446,19 @@ force_set_var() {
 	die "force_set_var - set_var '$*'"
 } # => force_set_var()
 
+# global Safe SSL conf file, for use by any SSL lib
+write_global_safe_ssl_cnf_tmp() {
+	global_safe_ssl_cnf_tmp=
+	easyrsa_mktemp global_safe_ssl_cnf_tmp || die "\
+verify_working_env - easyrsa_mktemp global_safe_ssl_cnf_tmp"
+
+	write safe-cnf > "$global_safe_ssl_cnf_tmp" || die "\
+verify_working_env - write safe-cnf"
+
+	export OPENSSL_CONF="$global_safe_ssl_cnf_tmp"
+	verbose "GLOBAL - OPENSSL_CONF = $OPENSSL_CONF"
+} # => write_global_safe_ssl_cnf_tmp()
+
 # Create as needed: $EASYRSA_SSL_CONF pki/openssl-easyrsa.cnf
 # If the existing file has a known hash then use temp-file.
 # Otherwise, use the file in place.
@@ -4527,13 +4557,16 @@ write_easyrsa_ssl_cnf_tmp - easyrsa_mktemp"
 
 	# Write SSL cnf to temp-file
 	write "$ssl_cnf_type" > "$ssl_cnf_tmp" || die "\
-write_easyrsa_ssl_cnf_tmp - write ssl-cnf: $ssl_cnf_tmp"
+write_easyrsa_ssl_cnf_tmp - write $ssl_cnf_type: $ssl_cnf_tmp"
 
 	# export SSL cnf tmp
 	export EASYRSA_SSL_CONF="$ssl_cnf_tmp"
 	verbose "\
 write_easyrsa_ssl_cnf_tmp: $ssl_cnf_type \
 - EASYRSA_SSL_CONF = $ssl_cnf_tmp"
+
+	export OPENSSL_CONF="$EASYRSA_SSL_CONF"
+	verbose "LOCAL - OPENSSL_CONF = $OPENSSL_CONF"
 } # => write_easyrsa_ssl_cnf_tmp()
 
 # Write x509 type file to a temp file