From d4fa9bdb6daafee2df14a1ed5c18408895094ff1 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Wed, 19 Jul 2023 02:17:20 +0100
Subject: [PATCH] easyrsa_openssl: Replace variable 'has_config' with OPENSSL_CONF

Variable 'has_config' was a way to minimize the need to fully expand the SSL config file (ENV:OPENSSL_CONF) for use by LibreSSL. IE. Only expand the SSL config file when the SSL command requires a config file. LibreSSL Always requires the config file to be expanded, even when it is Not used. OpenSSL Never requires the config file to be expanded. Changes follow. The first part: * Disable expanding the SSL config file for OpenSSL. * Require expanding the SSL config file for LibreSSL. LibreSSL will use the run-once mechanism to expand the SSL config file. The second part: Replace the use of SSL option '-config', by Always configuring the SSL environment variable OPENSSL_CONF to point to the Easy-RSA generated config file. This is supported by LibreSSL and OpenSSL.

Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 74 +++++++++++++++---------------------------------
 1 file changed, 23 insertions(+), 51 deletions(-)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 6010d92e0..3e0ca903e 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -918,20 +918,10 @@ escape_hazard() {
 then
 # Always run
 verbose "escape_hazard: FORCED"
- # Do not respect --no-safe-ssl, escape the fields
- # before they are expanded by OpenSSL or easyrsa.
- #elif [ "$EASYRSA_NO_SAFE_SSL" ]; then
- # # Never run
- # verbose "escape_hazard: DENIED"
- # return
 elif [ "$working_safe_org_conf" ]; then
 # Has run once
 verbose "escape_hazard: BYPASSED"
 return
- elif [ -z "$has_config" ]; then
- # SSL Config not required
- verbose "escape_hazard: IGNORED"
- return
 else
 # Run once
 verbose "escape_hazard: RUN-ONCE"
@@ -979,23 +969,27 @@ expand_ssl_config() {
 verbose "expand_ssl_config: FORCED"
 elif [ "$EASYRSA_NO_SAFE_SSL" ]; then
 # Never run
- verbose "expand_ssl_config: DENIED"
+ verbose "expand_ssl_config: DISABLED"
 return
 elif [ "$working_safe_ssl_conf" ]; then
 # Has run once
 verbose "expand_ssl_config: BYPASSED"
 return
- elif [ -z "$has_config" ]; then
- # SSL Config not required
+ elif [ "$ssl_lib" = libressl ]; then
+ # Always run
+ verbose "expand_ssl_config: REQUIRED"
+ elif [ "$ssl_lib" = openssl ]; then
+ # OpenSSl does not require a safe config
 verbose "expand_ssl_config: IGNORED"
 return
 else
- # Run once
- verbose "expand_ssl_config: RUN-ONCE"
+ # do NOT Run
+ die "expand_ssl_config: EXCEPTION"
 fi
 
 # Set run once
 working_safe_ssl_conf=1
+ verbose "expand_ssl_config: RUN-ONCE"
 
 # Assign temp-file
 safe_ssl_cnf_tmp=""
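Review bot: The new fallthrough `die "expand_ssl_config: EXCEPTION"` in the `else` branch reports nothing about why it fired, so a run where `$ssl_lib` is unset or carries an unexpected value (it is assigned outside this hunk) leaves the user with no lead; `die "expand_ssl_config: unknown ssl_lib '$ssl_lib'"` would name the cause. The comment on the new openssl branch also misspells the library and should read `# OpenSSL does not require a safe config`. expand_ssl_config starts before the hunk and its body continues after it.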
@@ -1098,57 +1092,35 @@ easyrsa_openssl() {
 expand_ssl_config || \
 die "easyrsa_openssl - expand_ssl_config failed"
 
- # Support --no-safe-ssl
- if [ "$EASYRSA_NO_SAFE_SSL" ]; then
- # Assign safe temp file as Original openssl-easyrsa.conf
- safe_ssl_cnf_tmp="$EASYRSA_SSL_CONF"
- verbose "easyrsa_openssl: No SAFE SSL config"
- fi
-
 # VERIFY safe temp-file exists
 if [ -e "$safe_ssl_cnf_tmp" ]; then
 verbose "\
 easyrsa_openssl: Safe SSL conf OK: $safe_ssl_cnf_tmp"
+ export OPENSSL_CONF="$safe_ssl_cnf_tmp"
 else
- [ "$has_config" ] && die "\
-easyrsa_openssl - Safe SSL conf MISSING: $safe_ssl_cnf_tmp"
+ verbose "\
+easyrsa_openssl: No Safe SSL conf, FALLBACK to default"
+ export OPENSSL_CONF="$EASYRSA_SSL_CONF"
 fi
 
- # set $OPENSSL_CONF - Use which-ever file is assigned above
- export OPENSSL_CONF="$safe_ssl_cnf_tmp"
-
 # Execute command - Return on success
 if [ "$openssl_command" = "makesafeconf" ]; then
 # COPY temp-file to safessl-easyrsa.cnf
 unset -v makesafeconf
 cp -f "$safe_ssl_cnf_tmp" "$EASYRSA_SAFE_CONF" && \
 return
+ die "easyrsa_openssl: makesafeconf FAILED"
+ fi
 
- elif [ "$has_config" ]; then
- # Exec SSL with -config temp-file
- if [ "$EASYRSA_SILENT_SSL" ] && [ "$EASYRSA_BATCH" ]
- then
- "$EASYRSA_OPENSSL" "$openssl_command" \
- -config "$safe_ssl_cnf_tmp" "$@" \
- 2>/dev/null && \
- return
- else
- "$EASYRSA_OPENSSL" "$openssl_command" \
- -config "$safe_ssl_cnf_tmp" "$@" && \
- return
- fi
-
+ # Exec SSL
+ if [ "$EASYRSA_SILENT_SSL" ] && [ "$EASYRSA_BATCH" ]
+ then
+ "$EASYRSA_OPENSSL" "$openssl_command" "$@" \
+ 2>/dev/null && \
+ return
 else
- # Exec SSL without -config temp-file
- if [ "$EASYRSA_SILENT_SSL" ] && [ "$EASYRSA_BATCH" ]
- then
- "$EASYRSA_OPENSSL" "$openssl_command" "$@" \
- 2>/dev/null && \
- return
- else
- "$EASYRSA_OPENSSL" "$openssl_command" "$@" && \
- return
- fi
+ "$EASYRSA_OPENSSL" "$openssl_command" "$@" && \
+ return
 fi
 
 # Always fail here
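Review bot: The new `else` branch silently falls back to `export OPENSSL_CONF="$EASYRSA_SSL_CONF"` whenever the safe temp file is missing, yet for LibreSSL the expansion is now REQUIRED (previous hunk), so a failed or skipped expansion there is only reported by `verbose` and the unexpanded config is handed to a library the commit message says cannot use it; the removed `[ "$has_config" ] && die` guard has no replacement. Keeping that failure loud while still honouring `--no-safe-ssl` is one line before the fallback: `[ "$ssl_lib" = libressl ] && [ -z "$EASYRSA_NO_SAFE_SSL" ] && die "easyrsa_openssl - Safe SSL conf MISSING: $safe_ssl_cnf_tmp"`. This presumes the `--no-safe-ssl` path reaches the fallback because expand_ssl_config returns early and leaves `safe_ssl_cnf_tmp` empty; its initial value is set outside this hunk, so confirm that. The two new `export OPENSSL_CONF` lines also override any OPENSSL_CONF the caller had in their environment, which deserves a comment such as `# Easy-RSA always supplies its own OPENSSL_CONF` if intended. easyrsa_openssl starts before the hunk and its tail after `# Always fail here` continues past it.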