Bug#995156: easy-rsa: vars Autodetection
Bump to avoid auto removal while the fixed version ages in unstable.
Bug#995156: easy-rsa: vars Autodetection
On Wed, 1 Mar 2023 19:05:13 +0200, Adrian Bunk wrote: > Has anyone discussed this with upstream? > > This seems to be an area with frequent changes upstream, adding a >patch > that is not a backport from upstream might be a bad idea. From what I can tell upstream has addressed this issue in release 3.1.1. I propose to backport upstream commit 525a116 (fix-make-cadir.patch attached) to restore the correct behaviour. I wrote a small test script (test.sh) which initialises a new cadir, sets EASYRSA_KEY_SIZE and generates a CA + certificate to verify that the configured key size is applied. Regards, Dennis PS: Please note that the subject of the certificate generated by test.sh is incorrect (#1032270). diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 46de7dd..525a116 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -977,7 +977,7 @@ and initialize a fresh PKI here." Your newly created PKI dir is: * $EASYRSA_PKI" - if [ "$user_vars_true" ]; then + if [ "$user_vars_true" ] || [ "$old_vars_true" ]; then : # ok - No message required else message "\ @@ -1079,12 +1079,18 @@ install_data_to_pki () { fi # Create PKI/vars from PKI/example + unset -v old_vars_true case "$context" in init-pki) - if [ -e "${EASYRSA_PKI}/${vars_file_example}" ]; then - [ -e "${EASYRSA_PKI}/${vars_file}" ] || \ -cp "${EASYRSA_PKI}/${vars_file_example}" \ - "${EASYRSA_PKI}/${vars_file}" || : + if [ -e ./vars ]; then + # If the old vars exists then do nothing + old_vars_true=1 + else + if [ -e "${EASYRSA_PKI}/${vars_file_example}" ]; then +[ -e "${EASYRSA_PKI}/${vars_file}" ] || \ + cp "${EASYRSA_PKI}/${vars_file_example}" \ + "${EASYRSA_PKI}/${vars_file}" || : + fi fi ;; vars-setup) test.sh Description: application/shellscript
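Review bot: in the second hunk (install_data_to_pki, init-pki case), `[ -e ./vars ]` tests the current working directory rather than `$EASYRSA` or the program directory, so an old-style cadir `vars` is only honoured when `init-pki` is run from inside the cadir; the comment "If the old vars exists then do nothing" should say explicitly that it is `./vars` in the cwd that is checked, and the patch header should carry the upstream reference (commit 525a116 from the index line) so the backport is traceable.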
Bug#995156: easy-rsa: vars Autodetection
On Tue, Feb 14, 2023 at 10:28:16PM +0100, Lee Garrett wrote:
> I'm bumping the bug severity because currently it will ignore
> security-relevant settings like keysize and algo, and the defaults are
> pretty weak.

Has anyone discussed this with upstream?

This seems to be an area with frequent changes upstream, adding a patch that is not a backport from upstream might be a bad idea.

cu
Adrian
Bug#995156: easy-rsa: vars Autodetection
I'm bumping the bug severity because currently it will ignore security-relevant settings like keysize and algo, and the defaults are pretty weak.
Bug#995156: easy-rsa: vars Autodetection
Hi,

On Mon, 27 Sep 2021 08:50:53 + Mathieu Espagnacq wrote:
> Package: easy-rsa
> Version: 3.0.8-1
> Severity: normal
>
> Dear Maintainer,
>
> *** Reporter, please consider answering these questions, where appropriate ***
>
> * What led up to the situation?
> Upgrading to Debian 11
> * What exactly did you do (or not do) that was effective (or ineffective)?
> Creating new client cert
> * What was the outcome of this action?
> New cert without option from vars file
> * What outcome did you expect instead?
> New cert created with option from vars file.
>
> Before upgrade I've created cadir using "make-cadir" which creates some files and directories including a file named vars, which I modified to my needs.
> After upgrade, options in this file were not used anymore (and the message "Note: using Easy-RSA configuration from: " was not displayed anymore).
> I've made some tests, using make-cadir on Debian 11; a file named vars is still created but not used.
> I've made some research on vars Autodetection using /usr/share/doc/easy-rsa/doc/. Information from EasyRSA-Advanced.md looks identical between Debian 10 and Debian 11 about vars Autodetection:
>
> vars Autodetection
>
> A 'vars' file is a file named simply `vars` (without an extension) that Easy-RSA will source for configuration. This file is specifically designed *not* to replace variables that have been set with a higher-priority method such as CLI opts or env-vars.
>
> The following locations are checked, in this order, for a vars file. Only the first one found is used:
>
> 1. The file referenced by the `--vars` CLI option
> 2. The file referenced by the env-var named `EASYRSA_VARS_FILE`
> 3. The directory referenced by the `EASYRSA_PKI` env-var
> 4. The default PKI directory at `$PWD/pki`
> 4. The directory referenced by the `EASYRSA` env-var
> 5. The directory containing the easyrsa program
>
> Defining the env-var `EASYRSA_NO_VARS` will override the sourcing of the vars file in all cases, including defining it subsequently as a global option.
I ran into the same issue and found the culprit: a commit [1] which intended to fix the problem with easyrsa in $PATH, due to pattern matching in the shell variable that tries to detect the $EASYRSA value. Please find attached my patch to fix this regression: --- a/easyrsa 2021-11-05 10:21:02.783260266 +0100 +++ b/easyrsa 2021-11-05 10:22:12.591259497 +0100 @@ -1664,9 +1664,8 @@ vars= # set up program path - prog_file="$0" + prog_file="$(dirname $0)/$(basename $0)" prog_file2="$(which -- "$prog_file" 2>/dev/null)" && prog_file="$prog_file2" - prog_file2="$(readlink -f "$prog_file" 2>/dev/null)" && prog_file="$prog_file2" prog_dir="${prog_file%/*}" prog_vars="${prog_dir}/vars" # set up PKI path Otherwise, "$prog_file" ends up being empty and subsequently, the vars file is not being sourced. Cheers Christoph [1] https://github.com/OpenVPN/easy-rsa/commit/52befc623fbf6fc9c1fbd29bfe32af2503e65b24 --- a/easyrsa 2021-11-05 10:21:02.783260266 +0100 +++ b/easyrsa 2021-11-05 10:22:12.591259497 +0100 @@ -1664,9 +1664,8 @@ vars= # set up program path - prog_file="$0" + prog_file="$(dirname $0)/$(basename $0)" prog_file2="$(which -- "$prog_file" 2>/dev/null)" && prog_file="$prog_file2" - prog_file2="$(readlink -f "$prog_file" 2>/dev/null)" && prog_file="$prog_file2" prog_dir="${prog_file%/*}" prog_vars="${prog_dir}/vars" # set up PKI path
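Review bot: `prog_file="$(dirname $0)/$(basename $0)"` leaves `$0` unquoted, so a program path containing whitespace is word-split; write `$(dirname "$0")/$(basename "$0")`. Dropping the `readlink -f` line also changes behaviour for a symlinked `easyrsa`: `prog_dir` becomes the symlink's directory instead of the real file's, which is exactly the "directory containing the easyrsa program" that lookup location 5 depends on. Since this partly reverts upstream commit [1] rather than following it, the patch header should document why that approach was chosen.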
Bug#995156: easy-rsa: vars Autodetection
Package: easy-rsa
Version: 3.0.8-1
Severity: normal

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

* What led up to the situation?
Upgrading to Debian 11
* What exactly did you do (or not do) that was effective (or ineffective)?
Creating new client cert
* What was the outcome of this action?
New cert without option from vars file
* What outcome did you expect instead?
New cert created with option from vars file.

Before upgrade I've created cadir using "make-cadir" which creates some files and directories including a file named vars, which I modified to my needs.
After upgrade, options in this file were not used anymore (and the message "Note: using Easy-RSA configuration from: " was not displayed anymore).
I've made some tests, using make-cadir on Debian 11; a file named vars is still created but not used.
I've made some research on vars Autodetection using /usr/share/doc/easy-rsa/doc/. Information from EasyRSA-Advanced.md looks identical between Debian 10 and Debian 11 about vars Autodetection:

vars Autodetection

A 'vars' file is a file named simply `vars` (without an extension) that Easy-RSA will source for configuration. This file is specifically designed *not* to replace variables that have been set with a higher-priority method such as CLI opts or env-vars.

The following locations are checked, in this order, for a vars file. Only the first one found is used:

1. The file referenced by the `--vars` CLI option
2. The file referenced by the env-var named `EASYRSA_VARS_FILE`
3. The directory referenced by the `EASYRSA_PKI` env-var
4. The default PKI directory at `$PWD/pki`
4. The directory referenced by the `EASYRSA` env-var
5. The directory containing the easyrsa program

Defining the env-var `EASYRSA_NO_VARS` will override the sourcing of the vars file in all cases, including defining it subsequently as a global option.

I'm unsure 5. is still effective (or identical to previous version).
Maybe I've missed a warning about this change in https://metadata.ftp-master.debian.org/changelogs//main/e/easy-rsa/easy-rsa_3.0.8-1_changelog and I apologize for this.

Regards,
m.e.

*** End of the template - remove these template lines ***

-- System Information:
Debian Release: 11.0
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-cloud-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages easy-rsa depends on:
ii  openssl  1.1.1k-1+deb11u1

Versions of packages easy-rsa recommends:
ii  opensc  0.21.0-1

easy-rsa suggests no packages.

-- no debconf information
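Added example, not code from this thread or from easy-rsa itself: a small POSIX shell re-implementation of the vars lookup order quoted in the report, with a simplified stand-in for easy-rsa's set_var, so you can check which vars file a given environment would select and that a key size set in the environment is not overridden by the file. The function names find_vars and effective_key_size, the prog_dir argument standing in for "the directory containing the easyrsa program", and the 2048 fallback are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not easy-rsa code: mirrors the documented 'vars' lookup order.
# find_vars CLI_VARS PROG_DIR -> prints the first existing candidate, if any.
# CLI_VARS stands in for --vars; PROG_DIR for "the directory containing the
# easyrsa program" (both passed as plain arguments here, an assumption).
find_vars() {
    cli_vars=$1
    prog_dir=$2
    # EASYRSA_NO_VARS disables sourcing of a vars file in all cases
    [ -n "${EASYRSA_NO_VARS:-}" ] && return 0
    # Candidates in documented priority order; empty entries are skipped
    for candidate in \
        "$cli_vars" \
        "${EASYRSA_VARS_FILE:-}" \
        "${EASYRSA_PKI:+$EASYRSA_PKI/vars}" \
        "$PWD/pki/vars" \
        "${EASYRSA:+$EASYRSA/vars}" \
        "$prog_dir/vars"
    do
        if [ -n "$candidate" ] && [ -e "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Simplified stand-in for easy-rsa's set_var (assumption): assign only when the
# variable is unset or empty, so CLI/env values keep priority over the file.
set_var() {
    eval ": \"\${$1:=\$2}\""
}

# Key size in effect after sourcing the selected vars file; 2048 is this
# example's assumed fallback. Call it in a subshell: sourcing mutates the shell.
effective_key_size() {
    vars_file=$(find_vars "$1" "$2") && [ -n "$vars_file" ] && . "$vars_file"
    printf '%s\n' "${EASYRSA_KEY_SIZE:-2048}"
}
```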