LibreSSL corrections: genpkey and no-password

Squashed commit of the following: * easyrsa_openssl() - Disable 'genpkey -config' for LibreSSL Closes: OpenVPN#601 * Set '-nodes' for LibreSSL version 3 'no-password' mode Closes: OpenVPN#602 Minor corrections to indentation/comments. Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech · Jun 19, 2022 · c300f60 · c300f60
1 parent 17df3b8
commit c300f60
Showing 1 changed file with 17 additions and 4 deletions.
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
@@ -702,7 +702,10 @@ easyrsa_openssl() {
 
 	# OpenSSL 1x genpkey does not support -config - Not as documented:
 	# https://www.openssl.org/docs/manmaster/man1/openssl-genpkey.html
-	if [ "$osslv_major" = 3 ] && [ "$openssl_command" = genpkey ]; then
+	# This could be anyones bug ..
+	if [ "$openssl_command" = genpkey ] && \
+		[ "$ssl_lib" = openssl ] && [ "$osslv_major" = 3 ]
+	then
 		has_config=1
 	fi
 
@@ -792,12 +795,15 @@ verify_ssl_lib() {
 	if [ -z "$EASYRSA_SSL_OK" ]; then
 		# redirect std-err to ignore missing etc/ssl/openssl.cnf file
 		val="$("$EASYRSA_OPENSSL" version 2>/dev/null)"
+
+		# SSL lib name
 		case "${val%% *}" in
 			# OpenSSL does require a safe config-file for ampersand
 			OpenSSL) ssl_lib=openssl; require_safe_ssl_conf=1 ;;
 			LibreSSL) ssl_lib=libressl; require_safe_ssl_conf=1 ;;
 			*) die "\
-Missing or invalid OpenSSL
+Missing SSL binary or invalid SSL output for 'version':
+* '${val%% *}'
 Expected to find openssl command at: $EASYRSA_OPENSSL"
 		esac
 
@@ -806,8 +812,14 @@ Expected to find openssl command at: $EASYRSA_OPENSSL"
 		osslv_major="${osslv_major%%.*}"
 		case "$osslv_major" in
 			1) no_password='-nodes' ;;
-			2) no_password='-nodes' ;; # LibreSSL Only
-			3) no_password='-noenc' ;;
+			2) no_password='-nodes' ;;
+			3)
+				case "$ssl_lib" in
+					openssl) no_password='-noenc' ;;
+					libressl) no_password='-nodes' ;;
+					*) die "Unsupported SSL library: $ssl_lib"
+				esac
+			;;
 			*) die "Unsupported SSL library: $osslv_major"
 		esac
 		message "Using SSL: $EASYRSA_OPENSSL ${val}"
@@ -3482,6 +3494,7 @@ detect_host() {
 show_host() {
 	print_version
 	print "$host_out | ${ssl_lib:-ssl_lib not set}"
+	[ ! "$EASYRSA_DEBUG" ] && return
 	case "$easyrsa_host_os" in
 	win) set ;;
 	nix) env ;;