diff --git a/4eac410.patch b/4eac410.patch
new file mode 100644
index 0000000..2f55e70
--- /dev/null
+++ b/4eac410.patch
@@ -0,0 +1,34 @@
+From 4eac410bce13a4730aa160ba48e6fa0aef7edd7c Mon Sep 17 00:00:00 2001
+From: azvyagintsev
+Date: Tue, 4 Jul 2017 20:14:57 +0300
+Subject: [PATCH] Fix string comprehension
+
+ - "[[" syntax work only in "Bash"
+---
+ easyrsa3/easyrsa | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
+index e004e2b..901a52f 100755
+--- a/easyrsa3/easyrsa
++++ b/easyrsa3/easyrsa
+@@ -641,8 +641,7 @@ $(display_dn req "$req_in")
+
+ # If type is server and no subjectAltName was requested,
+ # add one to the extensions file
+- if [[ "$crt_type" == 'server' ]]
+- then
++ if [ "$crt_type" = 'server' ]; then
+ echo "$EASYRSA_EXTRA_EXTS" |
+ grep -q subjectAltName ||
+ print $(default_server_san "$req_in")
+@@ -941,8 +940,7 @@ default_server_san() {
+ awk -F'=' '/^ *CN=/{print $2}'
+ )
+ echo "$cn" | egrep -q '^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$'
+- if [[ $? -eq 0 ]]
+- then
++ if [ $? -eq 0 ]; then
+ print "subjectAltName = IP:$cn"
+ else
+ print "subjectAltName = DNS:$cn"
diff --git a/534f673.patch b/534f673.patch
new file mode 100644
index 0000000..b3a7f5c
--- /dev/null
+++ b/534f673.patch
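Review bot: In the `default_server_san` hunk of 4eac410.patch, the IP test on the context line above the changed `if` uses `\d`, which POSIX extended regular expressions do not define, so on a grep without Perl character classes the match fails and an IP-address CN is written as `subjectAltName = DNS:$cn` rather than `IP:$cn`. A client that verifies the server by IP address would then find no matching SAN entry. Since this commit is already making the block portable, the test could become `if echo "$cn" | grep -Eq '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'; then`, which also removes the separate `$?` check. The function body starts and ends outside the hunk.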
@@ -0,0 +1,68 @@
+commit 534f67345997603e3b1fbf6b673bbaa65937019e
+Author: Olav Reinert
+Date: Mon Jun 5 23:30:57 2017 +0200
+
+ Make $PWD/pki the default PKI location
+
+diff --git a/doc/EasyRSA-Advanced.md b/doc/EasyRSA-Advanced.md
+index 64b29ae..1bd8c29 100644
+--- a/doc/EasyRSA-Advanced.md
++++ b/doc/EasyRSA-Advanced.md
+@@ -34,6 +34,7 @@ Configuration Reference
+ 1. File referenced by the --vars CLI option
+ 2. The file referenced by the env-var named `EASYRSA_VARS_FILE`
+ 3. The `EASYRSA_PKI` directory
++ 4. The default PKI directory at $PWD/pki (usually will be the same as above)
+ 4. The `EASYRSA` directory
+ 5. The location of the easyrsa program (usually will be the same as above)
+
+@@ -80,7 +81,7 @@ possible terse description is shown below:
+ * `EASYRSA` - should point to the Easy-RSA top-level dir, normally $PWD
+ * `EASYRSA_OPENSSL` - command to invoke openssl
+ * `EASYRSA_SSL_CONF` - the openssl config file to use
+- * `EASYRSA_PKI` (CLI: `--pki-dir`) - dir to use to hold all PKI-specific files
++ * `EASYRSA_PKI` (CLI: `--pki-dir`) - dir to use to hold all PKI-specific files, normally $PWD/pki.
+ * `EASYRSA_DN` (CLI: `--dn-mode`) - set to the string `cn_only` or `org` to
+ alter the fields to include in the req DN
+ * `EASYRSA_REQ_COUNTRY` (CLI: `--req-c`) - set the DN country with org mode
+diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
+index 088faeb..8adc8fc 100755
+--- a/easyrsa3/easyrsa
++++ b/easyrsa3/easyrsa
+@@ -989,13 +989,15 @@ vars_setup() {
+
+ # set up program path
+ local prog_vars="${0%/*}/vars"
++ # set up PKI path
++ local pki_vars="${EASYRSA_PKI:-$PWD/pki}/vars"
+
+ # command-line path:
+ if [ -f "$EASYRSA_VARS_FILE" ]; then
+ vars="$EASYRSA_VARS_FILE"
+- # EASYRSA_PKI, if defined:
+- elif [ -n "$EASYRSA_PKI" ] && [ -f "$EASYRSA_PKI/vars" ]; then
+- vars="$EASYRSA_PKI/vars"
++ # PKI location, if present:
++ elif [ -f "$pki_vars" ]; then
++ vars="$pki_vars"
+ # EASYRSA, if defined:
+ elif [ -n "$EASYRSA" ] && [ -f "$EASYRSA/vars" ]; then
+ vars="$EASYRSA/vars"
+@@ -1013,9 +1015,9 @@ Note: using Easy-RSA configuration from: $vars"
+ fi
+
+ # Set defaults, preferring existing env-vars if present
+- set_var EASYRSA "$PWD"
++ set_var EASYRSA "${0%/*}"
+ set_var EASYRSA_OPENSSL openssl
+- set_var EASYRSA_PKI "$EASYRSA/pki"
++ set_var EASYRSA_PKI "$PWD/pki"
+ set_var EASYRSA_DN cn_only
+ set_var EASYRSA_REQ_COUNTRY "US"
+ set_var EASYRSA_REQ_PROVINCE "California"
+@@ -1225,4 +1227,4 @@ case "$cmd" in
+ ;;
+ esac
+
+-# vim: ft=sh nu ai sw=8 ts=8
++# vim: ft=sh nu ai sw=8 ts=8 noet
diff --git a/83a1a21.patch b/83a1a21.patch
new file mode 100644
index 0000000..9e0fe6b
--- /dev/null
+++ b/83a1a21.patch
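Review bot: In the `vars_setup` hunk of 534f673.patch, `local pki_vars="${EASYRSA_PKI:-$PWD/pki}/vars"` makes the choice of configuration file depend on the caller's working directory whenever EASYRSA_PKI is unset. The documentation elsewhere on this page describes the vars file as being sourced, so running easyrsa from a directory that another account can write to would load that account's file as shell. A comment above the assignment such as `# falls back to $PWD/pki/vars: only run easyrsa from a directory you control` would make the trust assumption explicit, and an ownership check on `$pki_vars` before it is selected would enforce it. Separately, `set_var EASYRSA "${0%/*}"` evaluates to the script name itself when `$0` contains no slash; vars_setup continues outside the hunk, so the effect on later path lookups cannot be confirmed from here.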
@@ -0,0 +1,52 @@
+From 83a1a21e7a90e8666498dec2fa35ee5b8f67920c Mon Sep 17 00:00:00 2001
+From: Eric F Crist
+Date: Tue, 22 Aug 2017 20:52:26 -0500
+Subject: [PATCH] Add --copy-ext option
+
+Adding the --copy-ext option to copy request extension data. This will
+resolve #60 and other Subject Alternative Name "issues" that have been
+created.
+
+Signed-off-by: Eric F Crist
+---
+ easyrsa3/easyrsa | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
+index 81618d3..55de809 100755
+--- a/easyrsa3/easyrsa
++++ b/easyrsa3/easyrsa
+@@ -199,6 +199,7 @@ Certificate & Request options: (these impact cert/req field values)
+ ./easyrsa help altname
+--use-algo=ALG : crypto alg to use: choose rsa (default) or ec
+--curve=NAME : for elliptic curve, sets the named curve to use
++--copy-ext : Copy included request X509 extensions (namely subjAltName
+
+ Organizational DN options: (only used with the 'org' DN mode)
+ (values may be blank for org DN options)
+@@ -623,6 +624,8 @@ $(display_dn req "$req_in")
+ # Append first any COMMON file (if present) then the cert-type extensions
+ cat "$EASYRSA_EXT_DIR/COMMON"
+ cat "$EASYRSA_EXT_DIR/$crt_type"
++ # copy req extensions
++ [ $EASYRSA_CP_EXT ] && print "copy_extensions = copy"
+
+ # Support a dynamic CA path length when present:
+ [ "$crt_type" = "ca" ] && [ -n "$EASYRSA_SUBCA_LEN" ] && \
+@@ -1063,6 +1066,7 @@ Note: using Easy-RSA configuration from: $vars"
+ set_var EASYRSA_TEMP_FILE_3 ""
+ set_var EASYRSA_REQ_CN ChangeMe
+ set_var EASYRSA_DIGEST sha256
++ set_var EASYRSA_CP_EXT 0
+
+ # Detect openssl config, preferring EASYRSA_PKI over EASYRSA
+ if [ -f "$EASYRSA_PKI/openssl-1.0.cnf" ]; then
+@@ -1165,6 +1169,8 @@ while :; do
+ export EASYRSA_SUBCA_LEN="$val" ;;
+ --vars)
+ export EASYRSA_VARS_FILE="$val" ;;
++ --copy-ext)
++ export EASYRSA_CP_EXT=1 ;;
+ --subject-alt-name)
+ export EASYRSA_EXTRA_EXTS="\
+ $EASYRSA_EXTRA_EXTS
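Review bot: In 83a1a21.patch, `[ $EASYRSA_CP_EXT ]` only tests for a non-empty string, and the new default `set_var EASYRSA_CP_EXT 0` makes it true, so `copy_extensions = copy` is printed even when `--copy-ext` was not given. Extensions supplied in a request would then be copied into issued certificates by default, which is exactly what the option is supposed to gate. Compare against the value and quote the expansion: `[ "$EASYRSA_CP_EXT" = 1 ] && print "copy_extensions = copy"`. The added help line for `--copy-ext` is also missing its closing parenthesis, and all four hunks show only part of their enclosing blocks.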
diff --git a/a138c0d.patch b/a138c0d.patch
new file mode 100644
index 0000000..8771a46
--- /dev/null
+++ b/a138c0d.patch
@@ -0,0 +1,22 @@
+From a138c0d83b0ff1feed385c5d2d7a1c25422fe04d Mon Sep 17 00:00:00 2001
+From: Uwe Hermann
+Date: Sat, 19 Aug 2017 18:17:43 +0200
+Subject: [PATCH] Fix incorrect "openssl rand" usage (#138).
+
+---
+ easyrsa3/easyrsa | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
+index e004e2b..f73b375 100755
+--- a/easyrsa3/easyrsa
++++ b/easyrsa3/easyrsa
+@@ -572,7 +572,7 @@ sign_req() {
+ # Randomize Serial number
+ local i= serial= check_serial=
+ for i in 1 2 3 4 5; do
+- "$EASYRSA_OPENSSL" rand -hex 16 -out "$EASYRSA_PKI/serial"
++ "$EASYRSA_OPENSSL" rand -hex -out "$EASYRSA_PKI/serial 16"
+ serial="$(cat "$EASYRSA_PKI/serial")"
+ check_serial="$("$EASYRSA_OPENSSL" ca -config "$EASYRSA_SSL_CONF" -status "$serial" 2>&1)"
+ case "$check_serial" in
diff --git a/d20d2b3.patch b/d20d2b3.patch
new file mode 100644
index 0000000..f722841
--- /dev/null
+++ b/d20d2b3.patch
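Review bot: In the `sign_req` hunk of a138c0d.patch, the closing quote on the new line is misplaced: `-out "$EASYRSA_PKI/serial 16"` makes ` 16` part of the output file name and leaves `openssl rand` without a byte count. The following `cat "$EASYRSA_PKI/serial"` then reads a file this command did not refresh, so the serial-randomization loop can work on a stale or missing value. The line should read `"$EASYRSA_OPENSSL" rand -hex -out "$EASYRSA_PKI/serial" 16`, and checking the command's exit status before the `cat` would surface a failure instead of continuing. sign_req's body extends beyond the hunk.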
@@ -0,0 +1,81 @@
+commit d20d2b3c06baed2fc4e098b12331fd203e723f91
+Author: Olav Reinert
+Date: Thu Jul 27 08:27:27 2017 +0200
+
+ Update docs and examples to fit changes in 534f673
+
+diff --git a/doc/EasyRSA-Advanced.md b/doc/EasyRSA-Advanced.md
+index 1bd8c29..5bcd526 100644
+--- a/doc/EasyRSA-Advanced.md
++++ b/doc/EasyRSA-Advanced.md
+@@ -31,12 +31,12 @@ Configuration Reference
+ The following locations are checked, in this order, for a vars file. Only the
+ first one found is used:
+
+- 1. File referenced by the --vars CLI option
++ 1. The file referenced by the --vars CLI option
+ 2. The file referenced by the env-var named `EASYRSA_VARS_FILE`
+- 3. The `EASYRSA_PKI` directory
+- 4. The default PKI directory at $PWD/pki (usually will be the same as above)
+- 4. The `EASYRSA` directory
+- 5. The location of the easyrsa program (usually will be the same as above)
++ 3. The directory referenced by the `EASYRSA_PKI` env-var
++ 4. The default PKI directory at $PWD/pki
++ 4. The directory referenced by the `EASYRSA` env-var
++ 5. The directory containing the easyrsa program
+
+ Defining the env-var `EASYRSA_NO_VARS` will override the sourcing of the vars
+ file in all cases, including defining it subsequently as a global option.
+@@ -78,10 +78,10 @@ Environmental Variables Reference
+ A list of env-vars, any matching global option (CLI) to set/override it, and a
+ possible terse description is shown below:
+
+- * `EASYRSA` - should point to the Easy-RSA top-level dir, normally $PWD
++ * `EASYRSA` - should point to the Easy-RSA top-level dir, where the easyrsa script is located.
+ * `EASYRSA_OPENSSL` - command to invoke openssl
+ * `EASYRSA_SSL_CONF` - the openssl config file to use
+- * `EASYRSA_PKI` (CLI: `--pki-dir`) - dir to use to hold all PKI-specific files, normally $PWD/pki.
++ * `EASYRSA_PKI` (CLI: `--pki-dir`) - dir to use to hold all PKI-specific files, defaults to $PWD/pki.
+ * `EASYRSA_DN` (CLI: `--dn-mode`) - set to the string `cn_only` or `org` to
+ alter the fields to include in the req DN
+ * `EASYRSA_REQ_COUNTRY` (CLI: `--req-c`) - set the DN country with org mode
+diff --git a/easyrsa3/vars.example b/easyrsa3/vars.example
+index 2c444d8..c439cba 100644
+--- a/easyrsa3/vars.example
++++ b/easyrsa3/vars.example
+@@ -39,10 +39,15 @@ fi
+
+ # DO YOUR EDITS BELOW THIS POINT
+
+-# This variable should point to the top level of the easy-rsa tree. By default,
+-# this is taken to be the directory you are currently in.
++# This variable is used as the base location of configuration files needed by
++# easyrsa. More specific variables for specific files (e.g., EASYRSA_SSL_CONF)
++# may override this default.
++#
++# The default value of this variable is the location of the easyrsa script
++# itself, which is also where the configuration files are located in the
++# easy-rsa tree.
+
+-#set_var EASYRSA "$PWD"
++#set_var EASYRSA "${0%/*}"
+
+ # If your OpenSSL command is not in the system PATH, you will need to define the
+ # path to it here. Normally this means a full path to the executable, otherwise
+@@ -57,12 +62,14 @@ fi
+ # This sample is in Windows syntax -- edit it for your path if not using PATH:
+ #set_var EASYRSA_OPENSSL "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
+
+-# Edit this variable to point to your soon-to-be-created key directory.
++# Edit this variable to point to your soon-to-be-created key directory. By
++# default, this will be "$PWD/pki" (i.e. the "pki" subdirectory of the
++# directory you are currently in).
+ #
+ # WARNING: init-pki will do a rm -rf on this directory so make sure you define
+ # it correctly! (Interactive mode will prompt before acting.)
+
+-#set_var EASYRSA_PKI "$EASYRSA/pki"
++#set_var EASYRSA_PKI "$PWD/pki"
+
+ # Define X509 DN mode.
+ # This is used to adjust what elements are included in the Subject field as the DN
diff --git a/easy-rsa-packaging.patch b/easy-rsa-packaging.patch
index 30ab1bf..202f7a2 100644
--- a/easy-rsa-packaging.patch
+++ b/easy-rsa-packaging.patch
@@ -1,12 +1,36 @@
---- easyrsa3/easyrsa.orig 2015-04-05 21:42:25.422949081 +0200
-+++ easyrsa3/easyrsa 2015-04-05 21:43:55.493395425 +0200
-@@ -972,6 +972,9 @@
- # command-line path:
- if [ -f "$EASYRSA_VARS_FILE" ]; then
- vars="$EASYRSA_VARS_FILE"
-+ # packaging defaults
-+ elif [ -f "/etc/easy-rsa/vars" ]; then
-+ vars="/etc/easy-rsa/vars"
- # EASYRSA_PKI, if defined:
- elif [ -n "$EASYRSA_PKI" ] && [ -f "$EASYRSA_PKI/vars" ]; then
- vars="$EASYRSA_PKI/vars"
+*** easyrsa3/easyrsa.orig 2017-07-18 23:46:26.431057777 +0200
+--- easyrsa3/easyrsa 2017-07-19 05:24:59.583924924 +0200
+***************
+*** 1014,1020 ****
+ local vars=
+
+ # set up program path
+! local prog_vars="${0%/*}/vars"
+ # set up PKI path
+ local pki_vars="${EASYRSA_PKI:-$PWD/pki}/vars"
+
+--- 1014,1020 ----
+ local vars=
+
+ # set up program path
+! local prog_vars="/etc/easy-rsa/vars"
+ # set up PKI path
+ local pki_vars="${EASYRSA_PKI:-$PWD/pki}/vars"
+
+***************
+*** 1041,1047 ****
+ fi
+
+ # Set defaults, preferring existing env-vars if present
+! set_var EASYRSA "${0%/*}"
+ set_var EASYRSA_OPENSSL openssl
+ set_var EASYRSA_PKI "$PWD/pki"
+ set_var EASYRSA_DN cn_only
+--- 1041,1047 ----
+ fi
+
+ # Set defaults, preferring existing env-vars if present
+! set_var EASYRSA "/etc/easy-rsa"
+ set_var EASYRSA_OPENSSL openssl
+ set_var EASYRSA_PKI "$PWD/pki"
+ set_var EASYRSA_DN cn_only
diff --git a/easy-rsa.changes b/easy-rsa.changes
index bb53b64..7c6fca1 100644
--- a/easy-rsa.changes
+++ b/easy-rsa.changes
@@ -1,3 +1,32 @@ +------------------------------------------------------------------- +Wed Aug 23 09:06:23 UTC 2017 - seroton10@gmail.com + +- Include upstream patches: + + 4eac410.patch + Fix string comprehension + + a138c0d.patch + Fix incorrect "openssl rand" usage + + 83a1a21.patch + Add --copy-ext option + + +------------------------------------------------------------------- +Fri Jul 28 21:27:09 UTC 2017 - seroton10@gmail.com + +- Include upstream patches: + + d20d2b3.patch + Update docs and examples to fit changes in 534f673 +- Adapted easy-rsa-packaging.patch to work with upstream patch + +------------------------------------------------------------------- +Mon Jul 24 23:04:34 UTC 2017 - seroton10@gmail.com + +- Include upstream patches: + + 534f673.patch + Make $PWD/pki the default PKI location +- Adapted easy-rsa-packaging.patch to work with upstream patch +- Treat /etc/easy-rsa as public default config, no default vars + ------------------------------------------------------------------- Tue Jul 18 18:32:22 UTC 2017 - seroton10@gmail.com diff --git a/easy-rsa.spec b/easy-rsa.spec index ab44748..2ba4b4a 100644 --- a/easy-rsa.spec +++ b/easy-rsa.spec 
@@ -40,6 +40,16 @@ Patch4: https://github.com/OpenVPN/easy-rsa/commit/b75faa4.patch Patch5: https://github.com/OpenVPN/easy-rsa/commit/6436eaf.patch # Moved @ValdikSS's serial randomization to sign_req Patch6: https://github.com/OpenVPN/easy-rsa/commit/e9e8e27.patch +# Make $PWD/pki the default PKI location +Patch7: https://github.com/OpenVPN/easy-rsa/commit/534f673.patch +# Update docs and examples to fit changes in 534f673 +Patch8: https://github.com/OpenVPN/easy-rsa/commit/d20d2b3.patch +# Fix string comprehension +Patch9: https://github.com/OpenVPN/easy-rsa/commit/4eac410.patch +# Fix incorrect "openssl rand" usage +Patch10: https://github.com/OpenVPN/easy-rsa/commit/a138c0d.patch +# Add --copy-ext option +Patch11: https://github.com/OpenVPN/easy-rsa/commit/83a1a21.patch # openSUSE specific Patch100: easy-rsa-packaging.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -59,8 +69,12 @@ certificates, including sub-CAs and certificate revokation lists (CRL). %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 %patch100 -p0 -sed -i 's;#\(set_var EASYRSA \)"$PWD";\1"%{_sysconfdir}/easy-rsa";' easyrsa3/vars.example # Add this for SLE11, patch tool can't rename file. # Next release we should publish .md documentation. @@ -72,9 +86,9 @@ mv -v README README.md %build %install -install -dm0700 %{buildroot}/%{_sysconfdir}/easy-rsa/ +install -dm0755 %{buildroot}/%{_sysconfdir}/easy-rsa/ install -dm0755 %{buildroot}/%{_sysconfdir}/easy-rsa/x509-types -install -Dm0644 easyrsa3/vars.example %{buildroot}/%{_sysconfdir}/easy-rsa/vars +install -Dm0644 easyrsa3/vars.example %{buildroot}/%{_sysconfdir}/easy-rsa/ install -Dm0644 easyrsa3/openssl-1.0.cnf %{buildroot}/%{_sysconfdir}/easy-rsa/openssl-1.0.cnf install -Dm0644 easyrsa3/x509-types/* %{buildroot}/%{_sysconfdir}/easy-rsa/x509-types/ install -Dm0755 easyrsa3/easyrsa %{buildroot}/%{_bindir}/easyrsa
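Review bot: In the `%install` hunk, changing `/etc/easy-rsa` from `install -dm0700` to `install -dm0755` opens the directory on upgrade for systems that already keep a PKI there. Before this change the spec's `sed` set `EASYRSA` to `%{_sysconfdir}/easy-rsa` and `EASYRSA_PKI` defaulted to `$EASYRSA/pki`, so an existing CA key may sit under `/etc/easy-rsa/pki` and may have relied on the 0700 parent; the modes easyrsa itself gives `pki/private` are not visible on this page. Either keep 0700 on the directory or add an upgrade note or scriptlet that tells administrators to move or `chmod 700` an existing `pki` directory. The changelog entry should also state that the default PKI location moves to `$PWD/pki`, since an existing PKI under `/etc/easy-rsa` is no longer found by default.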