Always use locate_support_files() after secure_session()

easyrsa: Move locate_support_files() to the last command in verify_working_env(). This means that for single commands, locate_support_files() will find an existing 'openssl-easyrsa.cnf' file, after secure_session() has cleared '$EASYRSA_SSL_CONF' variable. For build_full(), use locate_support_files() after secure_session(), during the phase between gen_req() and sign_req(), when the secure session is recreated. easyrsa-tools.lib: In read_db(), set the same order as above, between each record. Signed-off-by: Richard T Bonhomme <[email protected]>
OpenVPN · Dec 4, 2024 · d530bc3 · d530bc3
1 parent 187083a
commit d530bc3
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 5 deletions.
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
@@ -2984,8 +2984,8 @@ Conflicting file found at:
 	# Recreate temp-session and
 	# drop edits to SSL Conf file
 	remove_secure_session
-	locate_support_files
 	secure_session
+	locate_support_files
 	write_global_safe_ssl_cnf_tmp
 
 	# Require --copy-ext
@@ -4661,6 +4661,11 @@ verify_working_env() {
 			write_global_safe_ssl_cnf_tmp
 		fi
 	fi
+
+	# Find x509-types, openssl-easyrsa.cnf
+	# and easyrsa-tools.lib
+	locate_support_files
+
 	verbose "verify_working_env: COMPLETED Handover-to: $cmd"
 } # => verify_working_env()
 
@@ -4716,6 +4721,10 @@ verify_working_env - easyrsa_mktemp global_safe_ssl_cnf_tmp"
 # If the existing file has a known hash then use temp-file.
 # Otherwise, use the file in place.
 write_easyrsa_ssl_cnf_tmp() {
+	# If EASYRSA_SSL_CONF is undefined then use default
+	[ "$EASYRSA_SSL_CONF" ] || set_var \
+		EASYRSA_SSL_CONF "$EASYRSA_PKI"/openssl-easyrsa.cnf
+
 	if [ -f "$EASYRSA_SSL_CONF" ]; then
 		verbose "write_easyrsa_ssl_cnf_tmp: SSL config EXISTS"
 
@@ -5832,9 +5841,6 @@ validate_default_vars
 # Check for conflicting input options
 mutual_exclusions
 
-# Find x509-types, openssl-easyrsa.cnf and easyrsa-tools.lib
-locate_support_files
-
 # Verify SSL Lib - One time ONLY
 verify_ssl_lib
 

diff --git a/easyrsa3/easyrsa-tools.lib b/easyrsa3/easyrsa-tools.lib
@@ -417,11 +417,11 @@ read_db() {
 		# Recreate temp session
 		remove_secure_session || \
 			die "read_db - remove_secure_session"
-		locate_support_files
 		secure_session || \
 			die "read_db - secure_session"
 		# Recreate openssl-easyrsa.cnf (Temp)
 		write_global_safe_ssl_cnf_tmp
+		locate_support_files
 
 		# Interpret the db/certificate record
 		unset -v db_serial db_cn db_revoke_date db_reason