Bug#995156: easy-rsa: vars Autodetection
Bump to avoid auto removal while the fixed version ages in unstable.
Bug#995156: easy-rsa: vars Autodetection
On Wed, 1 Mar 2023 19:05:13 +0200, Adrian Bunk wrote:
> Has anyone discussed this with upstream?
>
> This seems to be an area with frequent changes upstream, adding a
>patch
> that is not a backport from upstream might be a bad idea.
From what I can tell upstream has addressed this issue in release 3.1.1.
I propose to backport upstream commit 525a116 (fix-make-cadir.patch
attached) to restore the correct behaviour.
I wrote a small test script (test.sh) which initialises a new cadir,
sets EASYRSA_KEY_SIZE and generates a CA + certificate to verify that
the configured key size is applied.
Regards,
Dennis
PS: Please note that the subject of the certificate generated by
test.sh is incorrect (#1032270).
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 46de7dd..525a116 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -977,7 +977,7 @@ and initialize a fresh PKI here."
Your newly created PKI dir is:
* $EASYRSA_PKI"
- if [ "$user_vars_true" ]; then
+ if [ "$user_vars_true" ] || [ "$old_vars_true" ]; then
: # ok - No message required
else
message "\
@@ -1079,12 +1079,18 @@ install_data_to_pki () {
fi
# Create PKI/vars from PKI/example
+ unset -v old_vars_true
case "$context" in
init-pki)
- if [ -e "${EASYRSA_PKI}/${vars_file_example}" ]; then
- [ -e "${EASYRSA_PKI}/${vars_file}" ] || \
-cp "${EASYRSA_PKI}/${vars_file_example}" \
- "${EASYRSA_PKI}/${vars_file}" || :
+ if [ -e ./vars ]; then
+ # If the old vars exists then do nothing
+ old_vars_true=1
+ else
+ if [ -e "${EASYRSA_PKI}/${vars_file_example}" ]; then
+[ -e "${EASYRSA_PKI}/${vars_file}" ] || \
+ cp "${EASYRSA_PKI}/${vars_file_example}" \
+ "${EASYRSA_PKI}/${vars_file}" || :
+ fi
fi
;;
vars-setup)
test.sh
Description: application/shellscript
Bug#995156: easy-rsa: vars Autodetection
On Tue, Feb 14, 2023 at 10:28:16PM +0100, Lee Garrett wrote: > I'm bumping the bug severity because currently it will ignore > security-relevant settings like keysize and algo, and the defaults are > pretty weak. Has anyone discussed this with upstream? This seems to be an area with frequent changes upstream, adding a patch that is not a backport from upstream might be a bad idea. cu Adrian
Bug#995156: easy-rsa: vars Autodetection
I'm bumping the bug severity because currently it will ignore security-relevant settings like keysize and algo, and the defaults are pretty weak.
Bug#995156: easy-rsa: vars Autodetection
Hi,
On Mon, 27 Sep 2021 08:50:53 + Mathieu Espagnacq
wrote:
Package: easy-rsa
Version: 3.0.8-1
Severity: normal
Dear Maintainer,
*** Reporter, please consider answering these questions, where appropriate ***
* What led up to the situation?
Upgrading to Debian 11
* What exactly did you do (or not do) that was effective (or
ineffective)?
Creating new client cert
* What was the outcome of this action?
New cert whitout option from vars file
* What outcome did you expect instead?
New cert created with option from vars file.
Before upgrade i've created cadir usign "make-cadir" which create some
files and directory including a file named vars. Which i modified to my
needs.
After upgrade, options in this file were not used anymore (and the
message "Note: using Easy-RSA configuration from: " were not displayed
anymore).
I've made some test, using make-cadir on Debian 11, a file named vars
is still created but not used.
I've made some research on vars Autodetection using
/usr/share/doc/easy-rsa/doc/. Informations from EasyRSA-Advanced.md look
identical from Debian 10 and Debian 11 about vars Autodetection :
vars Autodetection
A 'vars' file is a file named simply `vars` (without an extension) that
Easy-RSA will source for configuration. This file is specifically designed
*not* to replace variables that have been set with a higher-priority method
such as CLI opts or env-vars.
The following locations are checked, in this order, for a vars file. Only the
first one found is used:
1. The file referenced by the `--vars` CLI option
2. The file referenced by the env-var named `EASYRSA_VARS_FILE`
3. The directory referenced by the `EASYRSA_PKI` env-var
4. The default PKI directory at `$PWD/pki`
4. The directory referenced by the `EASYRSA` env-var
5. The directory containing the easyrsa program
Defining the env-var `EASYRSA_NO_VARS` will override the sourcing of the vars
file in all cases, including defining it subsequently as a global option.
I ran into the same issue and found the culprit: a commit [1] which
intended to fix the problem with easyrsa in $PATH, due to pattern
matching in the shell variable that tries to detect the $EASYRSA value.
Please find attached my patch to fix this regression:
--- a/easyrsa 2021-11-05 10:21:02.783260266 +0100
+++ b/easyrsa 2021-11-05 10:22:12.591259497 +0100
@@ -1664,9 +1664,8 @@
vars=
# set up program path
- prog_file="$0"
+ prog_file="$(dirname $0)/$(basename $0)"
prog_file2="$(which -- "$prog_file" 2>/dev/null)" &&
prog_file="$prog_file2"
- prog_file2="$(readlink -f "$prog_file" 2>/dev/null)" &&
prog_file="$prog_file2"
prog_dir="${prog_file%/*}"
prog_vars="${prog_dir}/vars"
# set up PKI path
Otherwise, "$prog_file" ends up being empty and subsequently, the vars
file is not being sourced.
Cheers
Christoph
[1]
https://github.com/OpenVPN/easy-rsa/commit/52befc623fbf6fc9c1fbd29bfe32af2503e65b24
--- a/easyrsa 2021-11-05 10:21:02.783260266 +0100
+++ b/easyrsa 2021-11-05 10:22:12.591259497 +0100
@@ -1664,9 +1664,8 @@
vars=
# set up program path
- prog_file="$0"
+ prog_file="$(dirname $0)/$(basename $0)"
prog_file2="$(which -- "$prog_file" 2>/dev/null)" && prog_file="$prog_file2"
- prog_file2="$(readlink -f "$prog_file" 2>/dev/null)" && prog_file="$prog_file2"
prog_dir="${prog_file%/*}"
prog_vars="${prog_dir}/vars"
# set up PKI path
Bug#995156: easy-rsa: vars Autodetection
Package: easy-rsa Version: 3.0.8-1 Severity: normal Dear Maintainer, *** Reporter, please consider answering these questions, where appropriate *** * What led up to the situation? Upgrading to Debian 11 * What exactly did you do (or not do) that was effective (or ineffective)? Creating new client cert * What was the outcome of this action? New cert whitout option from vars file * What outcome did you expect instead? New cert created with option from vars file. Before upgrade i've created cadir usign "make-cadir" which create some files and directory including a file named vars. Which i modified to my needs. After upgrade, options in this file were not used anymore (and the message "Note: using Easy-RSA configuration from: " were not displayed anymore). I've made some test, using make-cadir on Debian 11, a file named vars is still created but not used. I've made some research on vars Autodetection using /usr/share/doc/easy-rsa/doc/. Informations from EasyRSA-Advanced.md look identical from Debian 10 and Debian 11 about vars Autodetection : vars Autodetection A 'vars' file is a file named simply `vars` (without an extension) that Easy-RSA will source for configuration. This file is specifically designed *not* to replace variables that have been set with a higher-priority method such as CLI opts or env-vars. The following locations are checked, in this order, for a vars file. Only the first one found is used: 1. The file referenced by the `--vars` CLI option 2. The file referenced by the env-var named `EASYRSA_VARS_FILE` 3. The directory referenced by the `EASYRSA_PKI` env-var 4. The default PKI directory at `$PWD/pki` 4. The directory referenced by the `EASYRSA` env-var 5. The directory containing the easyrsa program Defining the env-var `EASYRSA_NO_VARS` will override the sourcing of the vars file in all cases, including defining it subsequently as a global option. I'm unsure 5. is still effective (or identical to previous version). Maybe i've missed warning about this change in https://metadata.ftp-master.debian.org/changelogs//main/e/easy-rsa/easy-rsa_3.0.8-1_changelog and i apologize for this. Regards, m.e. *** End of the template - remove these template lines *** -- System Information: Debian Release: 11.0 APT prefers stable-security APT policy: (500, 'stable-security'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 5.10.0-8-cloud-amd64 (SMP w/4 CPU threads) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages easy-rsa depends on: ii openssl 1.1.1k-1+deb11u1 Versions of packages easy-rsa recommends: ii opensc 0.21.0-1 easy-rsa suggests no packages. -- no debconf information
