Accepting request 511298 from home:oreinert:branches:network:vpn

Include upstream patches: + Add CN as SAN (if none requested) on server certs by default + Moved @ValdikSS's serial randomization to sign_req OBS-URL: https://build.opensuse.org/request/show/511298 OBS-URL: https://build.opensuse.org/package/show/network:vpn/easy-rsa?expand=0&rev=8
2017-07-24 19:37:33 +00:00 · 2017-07-24 19:37:33 +00:00 · 7d41c58ae5
commit 7d41c58ae5
parent 9c4d8632f4
4 changed files with 111 additions and 0 deletions
--- a/6436eaf.patch
+++ b/6436eaf.patch
@ -0,0 +1,49 @@
+commit 6436eaf8c1e5e3c44d23c1c7a0a5fef14f19d375
+Author: Martin Schmitt <mas@scsy.de>
+Date:   Fri Jun 30 16:12:13 2017 +0200
+
+    Add CN as SAN (if none requested) on server certs by default
+
+diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
+index 088faeb..f5ec797 100755
+--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
+@@ -627,6 +627,15 @@ $(display_dn req "$req_in")
+ 			esac
+ 		fi
+ 
+		# If type is server and no subjectAltName was requested,
+		# add one to the extensions file
+		if [[ "$crt_type" == 'server' ]]
+		then
+			echo "$EASYRSA_EXTRA_EXTS" | 
+				grep -q subjectAltName || 
+				print $(default_server_san "$req_in")
+		fi
+
+ 		# Add any advanced extensions supplied by env-var:
+ 		[ -n "$EASYRSA_EXTRA_EXTS" ] && print "$EASYRSA_EXTRA_EXTS"
+ 		
+@@ -923,6 +932,22 @@ display_dn() {
+ 	print "$("$EASYRSA_OPENSSL" $format -in "$path" -noout -subject -nameopt multiline)"
+ } # => display_dn()
+ 
+# generate default SAN from req/X509, passed by full pathname
+default_server_san() {
+	local path="$1"
+	local cn=$(
+		"$EASYRSA_OPENSSL" req -in "$path" -noout -subject -nameopt sep_multiline |
+		awk -F'=' '/^  *CN=/{print $2}'
+		)
+	echo "$cn" | egrep -q '^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$'
+	if [[ $? -eq 0 ]]
+	then
+		print "subjectAltName = IP:$cn"
+	else
+		print "subjectAltName = DNS:$cn"
+	fi
+} # => default_server_san()
+
+ # verify a file seems to be a valid req/X509
+ verify_file() {
+ 	local format="$1" path="$2"
--- a/e9e8e27.patch
+++ b/e9e8e27.patch
@ -0,0 +1,47 @@
+commit e9e8e272e0eb5225ecfb0d8a0953a5b480c5e85d
+Author: Martin Schmitt <mas@scsy.de>
+Date:   Fri Jun 30 17:04:31 2017 +0200
+
+    Moved @ValdikSS's serial randomization to sign_req
+
+diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
+index f5ec797..cff63f2 100755
+--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
+@@ -569,6 +569,18 @@ sign_req() {
+ 	local req_in="$EASYRSA_PKI/reqs/$2.req"
+ 	local crt_out="$EASYRSA_PKI/issued/$2.crt"
+ 
+	# Randomize Serial number
+	local i= serial= check_serial=
+	for i in 1 2 3 4 5; do
+		"$EASYRSA_OPENSSL" rand -hex 16 -out "$EASYRSA_PKI/serial"
+		serial="$(cat "$EASYRSA_PKI/serial")"
+		check_serial="$("$EASYRSA_OPENSSL" ca -config "$EASYRSA_SSL_CONF" -status "$serial" 2>&1)"
+		case "$check_serial" in
+			*"not present in db"*) break ;;
+			*) continue ;;
+		esac
+	done
+
+ 	# Support batch by internal caller:
+ 	[ "$3" = "batch" ] && local EASYRSA_BATCH=1
+ 
+@@ -661,17 +673,6 @@ Certificate created at: $crt_out
+ build_full() {
+ 	verify_ca_init
+ 
+-	local i= serial= check_serial=
+-	for i in 1 2 3 4 5; do
+-		"$EASYRSA_OPENSSL" rand -hex 16 -out "$EASYRSA_PKI/serial"
+-		serial="$(cat "$EASYRSA_PKI/serial")"
+-		check_serial="$("$EASYRSA_OPENSSL" ca -config "$EASYRSA_SSL_CONF" -status "$serial" 2>&1)"
+-		case "$check_serial" in
+-			*"not present in db"*) break ;;
+-			*) continue ;;
+-		esac
+-	done
+-
+ 	# pull filename base:
+ 	[ -n "$2" ] || die "\
+ Error: didn't find a file base name as the first argument.
--- a/easy-rsa.changes
+++ b/easy-rsa.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Tue Jul 18 18:32:22 UTC 2017 - seroton10@gmail.com
+
+- Include upstream patches:
+  + 6436eaf.patch
+     Add CN as SAN (if none requested) on server certs by default
+  + e9e8e27.patch
+     Moved @ValdikSS's serial randomization to sign_req
+
 -------------------------------------------------------------------
 Mon Jun  5 18:38:00 UTC 2017 - seroton10@gmail.com

--- a/easy-rsa.spec
+++ b/easy-rsa.spec
@ -36,6 +36,10 @@ Patch2:         https://github.com/OpenVPN/easy-rsa/commit/b93d0a1.patch
 Patch3:         https://github.com/OpenVPN/easy-rsa/commit/fb4d8d8.patch
 # Convert README and COPYING into markdown files
 Patch4:         https://github.com/OpenVPN/easy-rsa/commit/b75faa4.patch
+# Add CN as SAN (if none requested) on server certs by default
+Patch5:         https://github.com/OpenVPN/easy-rsa/commit/6436eaf.patch
+# Moved @ValdikSS's serial randomization to sign_req
+Patch6:         https://github.com/OpenVPN/easy-rsa/commit/e9e8e27.patch
 # openSUSE specific
 Patch100:       easy-rsa-packaging.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@ -53,6 +57,8 @@ certificates, including sub-CAs and certificate revokation lists (CRL).
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
+%patch6 -p1
 %patch100 -p0
 sed -i 's;#\(set_var EASYRSA	\)"$PWD";\1"%{_sysconfdir}/easy-rsa";' easyrsa3/vars.example