Accepting request 518428 from home:oreinert:branches:network:vpn

- Include upstream patches:
  + 4eac410.patch
     Fix string comprehension
  + a138c0d.patch
     Fix incorrect "openssl rand" usage
  + 83a1a21.patch
     Add --copy-ext option
- Include upstream patches:
  + d20d2b3.patch
     Update docs and examples to fit changes in 534f673
- Adapted easy-rsa-packaging.patch to work with upstream patch
- Include upstream patches:
  + 534f673.patch
     Make $PWD/pki the default PKI location
- Adapted easy-rsa-packaging.patch to work with upstream patch
- Treat /etc/easy-rsa as public default config, no default vars

OBS-URL: https://build.opensuse.org/request/show/518428
OBS-URL: https://build.opensuse.org/package/show/network:vpn/easy-rsa?expand=0&rev=10

4eac410.patch

@@ -0,0 +1,34 @@
+From 4eac410bce13a4730aa160ba48e6fa0aef7edd7c Mon Sep 17 00:00:00 2001
+From: azvyagintsev <azvyagintsev@mirantis.com>
+Date: Tue, 4 Jul 2017 20:14:57 +0300
+Subject: [PATCH] Fix string comprehension
+
+ - "[[" syntax work only in "Bash"
+---
+ easyrsa3/easyrsa | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
+index e004e2b..901a52f 100755
+--- a/easyrsa3/easyrsa
++++ b/easyrsa3/easyrsa
+@@ -641,8 +641,7 @@ $(display_dn req "$req_in")
+ 
+ 		# If type is server and no subjectAltName was requested,
+ 		# add one to the extensions file
+-		if [[ "$crt_type" == 'server' ]]
+-		then
++		if [ "$crt_type" = 'server' ]; then
+ 			echo "$EASYRSA_EXTRA_EXTS" | 
+ 				grep -q subjectAltName || 
+ 				print $(default_server_san "$req_in")
+@@ -941,8 +940,7 @@ default_server_san() {
+ 		awk -F'=' '/^  *CN=/{print $2}'
+ 		)
+ 	echo "$cn" | egrep -q '^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$'
+-	if [[ $? -eq 0 ]]
+-	then
++	if [ $? -eq 0 ]; then
+ 		print "subjectAltName = IP:$cn"
+ 	else
+ 		print "subjectAltName = DNS:$cn"

534f673.patch

@@ -0,0 +1,68 @@
+commit 534f67345997603e3b1fbf6b673bbaa65937019e
+Author: Olav Reinert <seroton10@gmail.com>
+Date:   Mon Jun 5 23:30:57 2017 +0200
+
+    Make $PWD/pki the default PKI location
+
+diff --git a/doc/EasyRSA-Advanced.md b/doc/EasyRSA-Advanced.md
+index 64b29ae..1bd8c29 100644
+--- a/doc/EasyRSA-Advanced.md
++++ b/doc/EasyRSA-Advanced.md
+@@ -34,6 +34,7 @@ Configuration Reference
+   1. File referenced by the --vars CLI option
+   2. The file referenced by the env-var named `EASYRSA_VARS_FILE`
+   3. The `EASYRSA_PKI` directory
++  4. The default PKI directory at $PWD/pki (usually will be the same as above)
+   4. The `EASYRSA` directory
+   5. The location of the easyrsa program (usually will be the same as above)
+ 
+@@ -80,7 +81,7 @@ possible terse description is shown below:
+  *  `EASYRSA` - should point to the Easy-RSA top-level dir, normally $PWD
+  *  `EASYRSA_OPENSSL` - command to invoke openssl
+  *  `EASYRSA_SSL_CONF` - the openssl config file to use
+- *  `EASYRSA_PKI` (CLI: `--pki-dir`) - dir to use to hold all PKI-specific files
++ *  `EASYRSA_PKI` (CLI: `--pki-dir`) - dir to use to hold all PKI-specific files, normally $PWD/pki.
+  *  `EASYRSA_DN` (CLI: `--dn-mode`) - set to the string `cn_only` or `org` to
+     alter the fields to include in the req DN
+  *  `EASYRSA_REQ_COUNTRY` (CLI: `--req-c`) - set the DN country with org mode
+diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
+index 088faeb..8adc8fc 100755
+--- a/easyrsa3/easyrsa
++++ b/easyrsa3/easyrsa
+@@ -989,13 +989,15 @@ vars_setup() {
+ 
+ 	# set up program path
+ 	local prog_vars="${0%/*}/vars"
++	# set up PKI path
++	local pki_vars="${EASYRSA_PKI:-$PWD/pki}/vars"
+ 
+ 	# command-line path:
+ 	if [ -f "$EASYRSA_VARS_FILE" ]; then
+ 		vars="$EASYRSA_VARS_FILE"
+-	# EASYRSA_PKI, if defined:
+-	elif [ -n "$EASYRSA_PKI" ] && [ -f "$EASYRSA_PKI/vars" ]; then
+-		vars="$EASYRSA_PKI/vars"
++	# PKI location, if present:
++	elif [ -f "$pki_vars" ]; then
++		vars="$pki_vars"
+ 	# EASYRSA, if defined:
+ 	elif [ -n "$EASYRSA" ] && [ -f "$EASYRSA/vars" ]; then
+ 		vars="$EASYRSA/vars"
+@@ -1013,9 +1015,9 @@ Note: using Easy-RSA configuration from: $vars"
+ 	fi
+ 	
+ 	# Set defaults, preferring existing env-vars if present
+-	set_var EASYRSA		"$PWD"
++	set_var EASYRSA		"${0%/*}"
+ 	set_var EASYRSA_OPENSSL	openssl
+-	set_var EASYRSA_PKI	"$EASYRSA/pki"
++	set_var EASYRSA_PKI	"$PWD/pki"
+ 	set_var EASYRSA_DN	cn_only
+ 	set_var EASYRSA_REQ_COUNTRY	"US"
+ 	set_var EASYRSA_REQ_PROVINCE	"California"
+@@ -1225,4 +1227,4 @@ case "$cmd" in
+ 		;;
+ esac
+ 
+-# vim: ft=sh nu ai sw=8 ts=8
++# vim: ft=sh nu ai sw=8 ts=8 noet

83a1a21.patch

@@ -0,0 +1,52 @@
+From 83a1a21e7a90e8666498dec2fa35ee5b8f67920c Mon Sep 17 00:00:00 2001
+From: Eric F Crist <ecrist@secure-computing.net>
+Date: Tue, 22 Aug 2017 20:52:26 -0500
+Subject: [PATCH] Add --copy-ext option
+
+Adding the --copy-ext option to copy request extension data.  This will
+resolve #60 and other Subject Alternative Name "issues" that have been
+created.
+
+Signed-off-by: Eric F Crist <ecrist@secure-computing.net>
+---
+ easyrsa3/easyrsa | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
+index 81618d3..55de809 100755
+--- a/easyrsa3/easyrsa
++++ b/easyrsa3/easyrsa
+@@ -199,6 +199,7 @@ Certificate & Request options: (these impact cert/req field values)
+                      ./easyrsa help altname
+ --use-algo=ALG  : crypto alg to use: choose rsa (default) or ec
+ --curve=NAME    : for elliptic curve, sets the named curve to use
++--copy-ext      : Copy included request X509 extensions (namely subjAltName
+ 
+ Organizational DN options: (only used with the 'org' DN mode)
+   (values may be blank for org DN options)
+@@ -623,6 +624,8 @@ $(display_dn req "$req_in")
+ 		# Append first any COMMON file (if present) then the cert-type extensions
+ 		cat "$EASYRSA_EXT_DIR/COMMON"
+ 		cat "$EASYRSA_EXT_DIR/$crt_type"
++		# copy req extensions
++		[ $EASYRSA_CP_EXT ] && print "copy_extensions = copy"
+ 
+ 		# Support a dynamic CA path length when present:
+ 		[ "$crt_type" = "ca" ] && [ -n "$EASYRSA_SUBCA_LEN" ] && \
+@@ -1063,6 +1066,7 @@ Note: using Easy-RSA configuration from: $vars"
+ 	set_var EASYRSA_TEMP_FILE_3	""
+ 	set_var EASYRSA_REQ_CN		ChangeMe
+ 	set_var EASYRSA_DIGEST		sha256
++	set_var EASYRSA_CP_EXT		0
+ 
+ 	# Detect openssl config, preferring EASYRSA_PKI over EASYRSA
+ 	if [ -f "$EASYRSA_PKI/openssl-1.0.cnf" ]; then
+@@ -1165,6 +1169,8 @@ while :; do
+ 		export EASYRSA_SUBCA_LEN="$val" ;;
+ 	--vars)
+ 		export EASYRSA_VARS_FILE="$val" ;;
++	--copy-ext)
++		export EASYRSA_CP_EXT=1 ;;
+ 	--subject-alt-name)
+ 		export EASYRSA_EXTRA_EXTS="\
+ $EASYRSA_EXTRA_EXTS

a138c0d.patch

@@ -0,0 +1,22 @@
+From a138c0d83b0ff1feed385c5d2d7a1c25422fe04d Mon Sep 17 00:00:00 2001
+From: Uwe Hermann <uwe@hermann-uwe.de>
+Date: Sat, 19 Aug 2017 18:17:43 +0200
+Subject: [PATCH] Fix incorrect "openssl rand" usage (#138).
+
+---
+ easyrsa3/easyrsa | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
+index e004e2b..f73b375 100755
+--- a/easyrsa3/easyrsa
++++ b/easyrsa3/easyrsa
+@@ -572,7 +572,7 @@ sign_req() {
+ 	# Randomize Serial number
+ 	local i= serial= check_serial=
+ 	for i in 1 2 3 4 5; do
+-		"$EASYRSA_OPENSSL" rand -hex 16 -out "$EASYRSA_PKI/serial"
++		"$EASYRSA_OPENSSL" rand -hex -out "$EASYRSA_PKI/serial 16"
+ 		serial="$(cat "$EASYRSA_PKI/serial")"
+ 		check_serial="$("$EASYRSA_OPENSSL" ca -config "$EASYRSA_SSL_CONF" -status "$serial" 2>&1)"
+ 		case "$check_serial" in

d20d2b3.patch

@@ -0,0 +1,81 @@
+commit d20d2b3c06baed2fc4e098b12331fd203e723f91
+Author: Olav Reinert <seroton10@gmail.com>
+Date:   Thu Jul 27 08:27:27 2017 +0200
+
+    Update docs and examples to fit changes in 534f673
+
+diff --git a/doc/EasyRSA-Advanced.md b/doc/EasyRSA-Advanced.md
+index 1bd8c29..5bcd526 100644
+--- a/doc/EasyRSA-Advanced.md
++++ b/doc/EasyRSA-Advanced.md
+@@ -31,12 +31,12 @@ Configuration Reference
+   The following locations are checked, in this order, for a vars file. Only the
+   first one found is used:
+ 
+-  1. File referenced by the --vars CLI option
++  1. The file referenced by the --vars CLI option
+   2. The file referenced by the env-var named `EASYRSA_VARS_FILE`
+-  3. The `EASYRSA_PKI` directory
+-  4. The default PKI directory at $PWD/pki (usually will be the same as above)
+-  4. The `EASYRSA` directory
+-  5. The location of the easyrsa program (usually will be the same as above)
++  3. The directory referenced by the `EASYRSA_PKI` env-var
++  4. The default PKI directory at $PWD/pki
++  4. The directory referenced by the `EASYRSA` env-var
++  5. The directory containing the easyrsa program
+ 
+   Defining the env-var `EASYRSA_NO_VARS` will override the sourcing of the vars
+   file in all cases, including defining it subsequently as a global option.
+@@ -78,10 +78,10 @@ Environmental Variables Reference
+ A list of env-vars, any matching global option (CLI) to set/override it, and a
+ possible terse description is shown below:
+ 
+- *  `EASYRSA` - should point to the Easy-RSA top-level dir, normally $PWD
++ *  `EASYRSA` - should point to the Easy-RSA top-level dir, where the easyrsa script is located.
+  *  `EASYRSA_OPENSSL` - command to invoke openssl
+  *  `EASYRSA_SSL_CONF` - the openssl config file to use
+- *  `EASYRSA_PKI` (CLI: `--pki-dir`) - dir to use to hold all PKI-specific files, normally $PWD/pki.
++ *  `EASYRSA_PKI` (CLI: `--pki-dir`) - dir to use to hold all PKI-specific files, defaults to $PWD/pki.
+  *  `EASYRSA_DN` (CLI: `--dn-mode`) - set to the string `cn_only` or `org` to
+     alter the fields to include in the req DN
+  *  `EASYRSA_REQ_COUNTRY` (CLI: `--req-c`) - set the DN country with org mode
+diff --git a/easyrsa3/vars.example b/easyrsa3/vars.example
+index 2c444d8..c439cba 100644
+--- a/easyrsa3/vars.example
++++ b/easyrsa3/vars.example
+@@ -39,10 +39,15 @@ fi
+ 
+ # DO YOUR EDITS BELOW THIS POINT
+ 
+-# This variable should point to the top level of the easy-rsa tree. By default,
+-# this is taken to be the directory you are currently in.
++# This variable is used as the base location of configuration files needed by
++# easyrsa.  More specific variables for specific files (e.g., EASYRSA_SSL_CONF)
++# may override this default.
++#
++# The default value of this variable is the location of the easyrsa script
++# itself, which is also where the configuration files are located in the
++# easy-rsa tree.
+ 
+-#set_var EASYRSA	"$PWD"
++#set_var EASYRSA	"${0%/*}"
+ 
+ # If your OpenSSL command is not in the system PATH, you will need to define the
+ # path to it here. Normally this means a full path to the executable, otherwise
+@@ -57,12 +62,14 @@ fi
+ # This sample is in Windows syntax -- edit it for your path if not using PATH:
+ #set_var EASYRSA_OPENSSL	"C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
+ 
+-# Edit this variable to point to your soon-to-be-created key directory.
++# Edit this variable to point to your soon-to-be-created key directory.  By
++# default, this will be "$PWD/pki" (i.e. the "pki" subdirectory of the
++# directory you are currently in).
+ #
+ # WARNING: init-pki will do a rm -rf on this directory so make sure you define
+ # it correctly! (Interactive mode will prompt before acting.)
+ 
+-#set_var EASYRSA_PKI		"$EASYRSA/pki"
++#set_var EASYRSA_PKI		"$PWD/pki"
+ 
+ # Define X509 DN mode.
+ # This is used to adjust what elements are included in the Subject field as the DN

easy-rsa-packaging.patch

@@ -1,12 +1,36 @@
---- easyrsa3/easyrsa.orig	2015-04-05 21:42:25.422949081 +0200
+*** easyrsa3/easyrsa.orig	2017-07-18 23:46:26.431057777 +0200
-+++ easyrsa3/easyrsa	2015-04-05 21:43:55.493395425 +0200
+--- easyrsa3/easyrsa	2017-07-19 05:24:59.583924924 +0200
-@@ -972,6 +972,9 @@
+***************
- 	# command-line path:
+*** 1014,1020 ****
- 	if [ -f "$EASYRSA_VARS_FILE" ]; then
+  	local vars=
- 		vars="$EASYRSA_VARS_FILE"
+  
-+   # packaging defaults
+  	# set up program path
-+   elif [ -f "/etc/easy-rsa/vars" ]; then
+! 	local prog_vars="${0%/*}/vars"
-+      vars="/etc/easy-rsa/vars"
+  	# set up PKI path
- 	# EASYRSA_PKI, if defined:
+  	local pki_vars="${EASYRSA_PKI:-$PWD/pki}/vars"
- 	elif [ -n "$EASYRSA_PKI" ] && [ -f "$EASYRSA_PKI/vars" ]; then
+  
- 		vars="$EASYRSA_PKI/vars"
+--- 1014,1020 ----
+  	local vars=
+  
+  	# set up program path
+! 	local prog_vars="/etc/easy-rsa/vars"
+  	# set up PKI path
+  	local pki_vars="${EASYRSA_PKI:-$PWD/pki}/vars"
+  
+***************
+*** 1041,1047 ****
+  	fi
+  	
+  	# Set defaults, preferring existing env-vars if present
+! 	set_var EASYRSA		"${0%/*}"
+  	set_var EASYRSA_OPENSSL	openssl
+  	set_var EASYRSA_PKI	"$PWD/pki"
+  	set_var EASYRSA_DN	cn_only
+--- 1041,1047 ----
+  	fi
+  	
+  	# Set defaults, preferring existing env-vars if present
+! 	set_var EASYRSA		"/etc/easy-rsa"
+  	set_var EASYRSA_OPENSSL	openssl
+  	set_var EASYRSA_PKI	"$PWD/pki"
+  	set_var EASYRSA_DN	cn_only

easy-rsa.changes

@@ -1,3 +1,32 @@
+-------------------------------------------------------------------
+Wed Aug 23 09:06:23 UTC 2017 - seroton10@gmail.com
+
+- Include upstream patches:
+  + 4eac410.patch
+     Fix string comprehension
+  + a138c0d.patch
+     Fix incorrect "openssl rand" usage
+  + 83a1a21.patch
+     Add --copy-ext option
+
+
+-------------------------------------------------------------------
+Fri Jul 28 21:27:09 UTC 2017 - seroton10@gmail.com
+
+- Include upstream patches:
+  + d20d2b3.patch
+     Update docs and examples to fit changes in 534f673
+- Adapted easy-rsa-packaging.patch to work with upstream patch
+
+-------------------------------------------------------------------
+Mon Jul 24 23:04:34 UTC 2017 - seroton10@gmail.com
+
+- Include upstream patches:
+  + 534f673.patch
+     Make $PWD/pki the default PKI location
+- Adapted easy-rsa-packaging.patch to work with upstream patch
+- Treat /etc/easy-rsa as public default config, no default vars
+
 -------------------------------------------------------------------
 Tue Jul 18 18:32:22 UTC 2017 - seroton10@gmail.com
 

easy-rsa.spec

@@ -40,6 +40,16 @@ Patch4:         https://github.com/OpenVPN/easy-rsa/commit/b75faa4.patch
 Patch5:         https://github.com/OpenVPN/easy-rsa/commit/6436eaf.patch
 # Moved @ValdikSS's serial randomization to sign_req
 Patch6:         https://github.com/OpenVPN/easy-rsa/commit/e9e8e27.patch
+# Make $PWD/pki the default PKI location
+Patch7:         https://github.com/OpenVPN/easy-rsa/commit/534f673.patch
+# Update docs and examples to fit changes in 534f673
+Patch8:         https://github.com/OpenVPN/easy-rsa/commit/d20d2b3.patch
+# Fix string comprehension
+Patch9:         https://github.com/OpenVPN/easy-rsa/commit/4eac410.patch
+# Fix incorrect "openssl rand" usage
+Patch10:         https://github.com/OpenVPN/easy-rsa/commit/a138c0d.patch
+# Add --copy-ext option
+Patch11:         https://github.com/OpenVPN/easy-rsa/commit/83a1a21.patch
 # openSUSE specific
 Patch100:       easy-rsa-packaging.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@@ -59,8 +69,12 @@ certificates, including sub-CAs and certificate revokation lists (CRL).
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
 %patch100 -p0
-sed -i 's;#\(set_var EASYRSA	\)"$PWD";\1"%{_sysconfdir}/easy-rsa";' easyrsa3/vars.example
 
 # Add this for SLE11, patch tool can't rename file.
 # Next release we should publish .md documentation.
@@ -72,9 +86,9 @@ mv -v README README.md
 %build
 
 %install
-install -dm0700 %{buildroot}/%{_sysconfdir}/easy-rsa/
+install -dm0755 %{buildroot}/%{_sysconfdir}/easy-rsa/
 install -dm0755 %{buildroot}/%{_sysconfdir}/easy-rsa/x509-types
-install -Dm0644 easyrsa3/vars.example %{buildroot}/%{_sysconfdir}/easy-rsa/vars
+install -Dm0644 easyrsa3/vars.example %{buildroot}/%{_sysconfdir}/easy-rsa/
 install -Dm0644 easyrsa3/openssl-1.0.cnf %{buildroot}/%{_sysconfdir}/easy-rsa/openssl-1.0.cnf
 install -Dm0644 easyrsa3/x509-types/* %{buildroot}/%{_sysconfdir}/easy-rsa/x509-types/
 install -Dm0755 easyrsa3/easyrsa %{buildroot}/%{_bindir}/easyrsa