From c300f6043f87a0eac24589f43accd4c01f7ef8ba Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Mon, 20 Jun 2022 00:54:42 +0100
Subject: [PATCH] LibreSSL corrections: genpkey and no-password

Squashed commit of the following:
* easyrsa_openssl() - Disable 'genpkey -config' for LibreSSL
Closes: #601
* Set '-nodes' for LibreSSL version 3 'no-password' mode
Closes: #602
Minor corrections to indentation/comments.
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index b26862deb..a1f34967a 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -702,7 +702,10 @@ easyrsa_openssl() {
 # OpenSSL 1x genpkey does not support -config - Not as documented:
 # https://www.openssl.org/docs/manmaster/man1/openssl-genpkey.html
-if [ "$osslv_major" = 3 ] && [ "$openssl_command" = genpkey ]; then
+# This could be anyones bug ..
+if [ "$openssl_command" = genpkey ] && \
+[ "$ssl_lib" = openssl ] && [ "$osslv_major" = 3 ]
+then
 has_config=1
 fi
@@ -792,12 +795,15 @@ verify_ssl_lib() {
 if [ -z "$EASYRSA_SSL_OK" ]; then
 # redirect std-err to ignore missing etc/ssl/openssl.cnf file
 val="$("$EASYRSA_OPENSSL" version 2>/dev/null)"
+
+# SSL lib name
 case "${val%% *}" in
 # OpenSSL does require a safe config-file for ampersand
 OpenSSL) ssl_lib=openssl; require_safe_ssl_conf=1 ;;
 LibreSSL) ssl_lib=libressl; require_safe_ssl_conf=1 ;;
 *) die "\
-Missing or invalid OpenSSL
+Missing SSL binary or invalid SSL output for 'version':
+* '${val%% *}'
 Expected to find openssl command at: $EASYRSA_OPENSSL"
 esac
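Review bot: The new comment `# This could be anyones bug ..` in easyrsa_openssl does not say which implementations reject `genpkey -config`, so the next reader cannot tell why `$ssl_lib` joined the condition; the commit message says it is LibreSSL. Suggest replacing it, together with the now-incomplete "OpenSSL 1x" line above it, with `# genpkey accepts -config only on OpenSSL 3.x; OpenSSL 1.x and LibreSSL reject it (#601)`. Note also that `$ssl_lib` is assigned in verify_ssl_lib (the next hunk), so if easyrsa_openssl can run before that assignment the test `[ "$ssl_lib" = openssl ]` fails silently and the key is generated without the EasyRSA config file; if that ordering is not already guaranteed, a guard such as `[ "$ssl_lib" ] || die "ssl_lib not set"` makes the failure visible. easyrsa_openssl's body continues outside the hunk.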
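Review bot: The new die message in verify_ssl_lib names two distinct failures, a missing binary and unexpected output, but with stderr discarded on the `val=` line both reach the `*)` branch with only `'${val%% *}'` to tell them apart, which prints as `''` when the binary could not be run at all. A check before the `case`, e.g. `[ -n "$val" ] || die "Cannot run '$EASYRSA_OPENSSL version' (missing, not executable, or no output)"`, reports the actual cause instead of an empty quote. The added `# SSL lib name` comment could also say that `ssl_lib` drives the genpkey -config and no-password selection further down (the first and third hunks), since that is why the name is being recorded. verify_ssl_lib's body continues outside the hunk.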
@@ -806,8 +812,14 @@ Expected to find openssl command at: $EASYRSA_OPENSSL"
 osslv_major="${osslv_major%%.*}"
 case "$osslv_major" in
 1) no_password='-nodes' ;;
-2) no_password='-nodes' ;; # LibreSSL Only
-3) no_password='-noenc' ;;
+2) no_password='-nodes' ;;
+3)
+case "$ssl_lib" in
+openssl) no_password='-noenc' ;;
+libressl) no_password='-nodes' ;;
+*) die "Unsupported SSL library: $ssl_lib"
+esac
+;;
 *) die "Unsupported SSL library: $osslv_major"
 esac
 message "Using SSL: $EASYRSA_OPENSSL ${val}"
@@ -3482,6 +3494,7 @@ detect_host() {
 show_host() {
 print_version
 print "$host_out | ${ssl_lib:-ssl_lib not set}"
+[ ! "$EASYRSA_DEBUG" ] && return
 case "$easyrsa_host_os" in
 win) set ;;
 nix) env ;;
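Review bot: Dropping the `# LibreSSL Only` comment from the `2)` branch loses the only hint that a major version of 2 means LibreSSL here, while the new `3)` branch spells that distinction out; keep it as `2) no_password='-nodes' ;; # LibreSSL only`. The new inner `*) die "Unsupported SSL library: $ssl_lib"` and the existing outer `*) die "Unsupported SSL library: $osslv_major"` now emit the same wording for different conditions (library name versus major version), so a failure in the field cannot be attributed from the message alone; the outer one should read `die "Unsupported SSL version: $osslv_major"`. The inner `*)` looks reachable only if ssl_lib holds something other than openssl/libressl, which the `case` in the earlier hunk rules out, so it is a defensive branch and fine to keep. verify_ssl_lib's body continues outside the hunk.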
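Review bot: The new early return in show_host makes the `set`/`env` dump debug-only, which is the right default since that output contains every shell and environment variable, including any secret handed to the tool through the environment, but the line carries no comment saying so and the next maintainer may move or remove it. Suggest `# Full variable/environment dump is debug-only: it prints every variable, including any secrets passed via the environment`. Note that `[ ! "$EASYRSA_DEBUG" ]` treats any non-empty value, including `0` or `no`, as debug enabled; if the rest of the script tests EASYRSA_DEBUG the same way this is consistent, otherwise the comment should state the convention. show_host's body continues outside the hunk.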