From 93b28add100da4d84d30319d4787091ec99d64a9 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Mon, 15 Jan 2024 23:48:15 +0000 Subject: [PATCH] Switch to using heredoc expansion for openssl-easyrsa.cnf This replaces use of: * 'sed' for expanding openssl-easyrsa.cnf * 'sed' for sanitizing Distinguished Name fields .. by using heredoc expansion of the built-in openssl-easyrsa.cnf Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index a84330925..e5352604c 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -998,6 +998,14 @@ escape_hazard() { verbose "escape_hazard: RUN-ONCE" fi + # Only use if old 'sed' version is requested + if [ "$EASYRSA_SAFE_CNF_SED" ]; then + : # ok + else + verbose "escape_hazard: REPLACED by heredoc expansion" + return + fi + # Set run once working_safe_org_conf=1 @@ -1060,8 +1068,10 @@ expand_ssl_config - \ easyrsa_mktemp safe_ssl_cnf_tmp" # Rewrite + # Only use if old 'sed' version is requested # shellcheck disable=SC2016 # No expand '' - expand_ssl_config() - if sed \ + if [ "$EASYRSA_SAFE_CNF_SED" ]; then + if sed \ \ -e s\`'$dir'\`\ \""$EASYRSA_PKI"\"\`g \ @@ -1108,11 +1118,17 @@ easyrsa_mktemp safe_ssl_cnf_tmp" -e s\`'$ENV::EASYRSA_REQ_SERIAL'\`\ \""$EASYRSA_REQ_SERIAL"\"\`g \ \ - "$EASYRSA_SSL_CONF" > "$safe_ssl_cnf_tmp" - then - verbose "expand_ssl_config: COMPLETED" + "$EASYRSA_SSL_CONF" > "$safe_ssl_cnf_tmp" + then + verbose "expand_ssl_config: via 'sed' COMPLETED" + else + return 1 + fi + else - return 1 + write safe-cnf > "$safe_ssl_cnf_tmp" || \ + die "expand_ssl_config - write safe-cnf temp-file" + verbose "expand_ssl_config: via 'write' COMPLETED" fi } # => expand_ssl_config()
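Review bot: The gate `[ "$EASYRSA_SAFE_CNF_SED" ]` added near the top of escape_hazard() is a non-empty-string test, so `EASYRSA_SAFE_CNF_SED=0` or `=no` selects the legacy sed path just as `=1` does; the same test guards expand_ssl_config() in the next hunk. Because this variable now decides whether Distinguished Name fields go through the escaping code at all, I would compare against an explicit value and drop the empty `: # ok` branch, e.g. `[ "${EASYRSA_SAFE_CNF_SED:-}" = 1 ] || { verbose "escape_hazard: REPLACED by heredoc expansion"; return; }`. The early return also sits above `working_safe_org_conf=1`, so on the default path the run-once marker is never set; please confirm no caller relies on it. escape_hazard() starts and ends outside the hunk.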
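Review bot: The `# shellcheck disable=SC2016` directive now sits directly above the new outer `if [ "$EASYRSA_SAFE_CNF_SED" ]; then` instead of above `if sed \`, and a directive placed before a compound command applies to the whole command, so SC2016 is suppressed for the `else` branch as well. Moving the directive to the line immediately before the inner `if sed \` keeps the suppression limited to the single-quoted sed expressions it was written for. The sed command continues past the end of the hunk.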
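Review bot: With the `else` branch added here, the default path sends the output of `write safe-cnf` straight to `$safe_ssl_cnf_tmp`, and escape_hazard() now returns early (first hunk), so nothing visible in this patch escapes the Distinguished Name values before they land in the OpenSSL config. The heredoc behind `write safe-cnf` is not part of the patch; shell heredoc expansion does not re-scan substituted values, but the OpenSSL config parser still gives `$`, `#`, `\` and quotes a meaning of their own, so it is worth confirming, and covering with a test, how an organisation name containing those characters is rendered. A comment above the `write` call such as `# DN values are inserted verbatim by heredoc expansion; see write safe-cnf for quoting` would record where that guarantee lives. Separately, the sed branch reports failure with `return 1` while the new branch calls `die`, so callers see two different failure modes depending on EASYRSA_SAFE_CNF_SED.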