path: root/net/openvpn/patches/patch-ab
blob: a122a1acb6876076bb3bb1ca2415f5caf8da1c74 (plain)
$NetBSD: patch-ab,v 1.2 2005/08/17 19:55:57 jlam Exp $

--- easy-rsa/2.0/pkitool.orig	2005-07-15 14:38:14.000000000 -0400
+++ easy-rsa/2.0/pkitool
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 
 #  OpenVPN -- An application to securely tunnel IP networks
 #             over a single TCP/UDP port, with support for SSL/TLS-based
@@ -31,7 +31,10 @@ PROGNAME=pkitool
 VERSION=2.0
 DEBUG=0
 
-function need_vars
+GREP=grep
+OPENSSL=openssl
+
+need_vars()
 {
     echo '  Please edit the vars script to reflect your configuration,'
     echo '  then source it with "source ./vars".'
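Review bot: `GREP=grep` and `OPENSSL=openssl` are bare command names assigned unconditionally, so the binary that generates the CA and keys is whatever PATH resolves first, and any value the caller exported is overwritten. If these lines are placeholders that the package build rewrites to absolute paths (not visible here), a comment should say so, e.g. `# Tool names; the package build may substitute absolute paths here.` Both variables are later expanded unquoted (`$OPENSSL req ...`), so a substituted path containing whitespace would split into several words.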
@@ -40,7 +43,7 @@ function need_vars
     echo "  Finally, you can run this tool ($PROGNAME) to build certificates/keys."
 }
 
-function usage
+usage()
 {
     echo "$PROGNAME $VERSION"
     echo "Usage: $PROGNAME [options...] [common-name]"
@@ -103,7 +106,7 @@ BATCH="-batch"
 CA="ca"
 
 # Process options
-while [ "$1" ] && [ "${1:0:2}" = "--" ]; do
+while [ $# -gt 0 ]; do
     case "$1" in
 	--server   ) REQ_EXT="$REQ_EXT -extensions server"
 	             CA_EXT="$CA_EXT -extensions server" ;;
@@ -115,8 +118,9 @@ while [ "$1" ] && [ "${1:0:2}" = "--" ];
         --csr      ) DO_CA="0" ;;
         --sign     ) DO_REQ="0" ;;
         --pkcs12   ) DO_P12="1" ;;
-	*  )       echo "$PROGNAME: unknown option: $1"
-	           exit 1
+	--*        ) echo "$PROGNAME: unknown option: $1"
+	             exit 1 ;;
+	*          ) break ;;
     esac
     shift   
 done
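Review bot: A lone `--` falls into the new `--*` arm and is rejected as an unknown option, so there is no explicit way to end option parsing before the common name. Adding `-- ) shift; break ;;` ahead of the `--*` arm would cover that. The unknown-option message is also written to stdout; `echo "$PROGNAME: unknown option: $1" >&2` would keep it out of captured output. The `while`/`case` opens in the previous hunk.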
@@ -128,25 +132,25 @@ if [ $DO_P12 -eq 1 ]; then
 fi
 
 # If undefined, set default key expiration intervals
-if [ -z $KEY_EXPIRE ]; then
-    export KEY_EXPIRE=3650
+if [ -z "$KEY_EXPIRE" ]; then
+    KEY_EXPIRE=3650
 fi
-if [ -z $CA_EXPIRE ]; then
-    export CA_EXPIRE=3650
+if [ -z "$CA_EXPIRE" ]; then
+    CA_EXPIRE=3650
 fi
 
 # Set organizational unit to empty string if undefined
 if [ -z "$KEY_OU" ]; then
-    export KEY_OU=""
+    KEY_OU=""
 fi
 
 # Set KEY_CN
 if [ $DO_ROOT -eq 1 ]; then
     if [ -z "$KEY_CN" ]; then
 	if [ "$1" ]; then
-	    export KEY_CN="$1"
+	    KEY_CN="$1"
 	elif [ "$KEY_ORG" ]; then
-	    export KEY_CN="$KEY_ORG CA"
+	    KEY_CN="$KEY_ORG CA"
 	fi
     fi
     if [ $BATCH ] && [ "$KEY_CN" ]; then
@@ -159,9 +163,10 @@ else
 	usage
 	exit 1
     else
-	export KEY_CN="$1"
+	KEY_CN="$1"
     fi
 fi
+export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_CN
 
 # Show parameters (debugging)
 if [ $DEBUG -eq 1 ]; then
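Review bot: `KEY_CN="$1"` takes the common name straight from the command line, and the build step further down uses it as a file-name stem (`-keyout "$KEY_CN.key"`, `-out "$KEY_CN.crt"`), so a value containing `/` would place the key and certificate outside the directory the script is working in. A check right after the assignment would stop that: `case "$KEY_CN" in */*) echo "$PROGNAME: common name must not contain '/'" >&2; exit 1 ;; esac`. The enclosing `if`/`else` starts outside this hunk.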
@@ -186,7 +191,9 @@ if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" 
 
     # Make sure $KEY_CONFIG points to the correct version
     # of openssl.cnf
-    if ! grep -Eqi 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" ; then
+    if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
+	:
+    else
 	echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
         echo "version of openssl.cnf: $KEY_CONFIG"
 	echo "The correct version should have a comment that says: easy-rsa version 2.x";
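Review bot: The empty `then` branch holding only `:` reads like a leftover unless the reason is stated; presumably `if ! cmd` was dropped because some older /bin/sh implementations do not accept `!`. A comment above it such as `# no "if ! cmd": not understood by every /bin/sh` would keep a later cleanup from folding it back. The error lines in the `else` branch go to stdout; appending `>&2` to each would match their purpose. The `else` body continues past the end of this hunk.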
@@ -195,7 +202,7 @@ if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" 
 
     # Build root CA
     if [ $DO_ROOT -eq 1 ]; then
-	openssl req $BATCH -days $CA_EXPIRE $NODES_REQ -new -x509 \
+	$OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -x509 \
 	    -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
 	    chmod 0600 "$CA.key"
     else        
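Review bot: The CA private key is created by `$OPENSSL req ... -keyout "$CA.key"` and only tightened by `chmod 0600` after the command returns, so until then it carries whatever mode the caller's umask allows, and if `req` fails after creating the file the `&&` skips the chmod altogether. Setting `umask 077` before the call closes that window regardless of how the openssl build creates the file (follow with a `chmod` on the `.crt` if certificates need to stay world-readable). The same ordering applies to `"$KEY_CN.key"` and `"$KEY_CN.p12"` in the next hunk. The surrounding `if [ -d "$KEY_DIR" ]` block starts and ends outside this hunk.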
@@ -209,11 +216,11 @@ if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" 
 	fi
 
         # Build cert/key
-	( [ $DO_REQ -eq 0 ] || openssl req $BATCH -days $KEY_EXPIRE $NODES_REQ -new \
+	( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new \
 	        -keyout "$KEY_CN.key" -out "$KEY_CN.csr" $REQ_EXT -config "$KEY_CONFIG" ) && \
-	    ( [ $DO_CA -eq 0 ]  || openssl ca $BATCH -days $KEY_EXPIRE -out "$KEY_CN.crt" \
+	    ( [ $DO_CA -eq 0 ]  || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$KEY_CN.crt" \
 	        -in "$KEY_CN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \
-	    ( [ $DO_P12 -eq 0 ] || openssl pkcs12 -export -inkey "$KEY_CN.key" \
+	    ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$KEY_CN.key" \
 	        -in "$KEY_CN.crt" -certfile "$CA.crt" -out "$KEY_CN.p12" $NODES_P12 ) && \
 	    ( [ $DO_CA -eq 0 ]  || chmod 0600 "$KEY_CN.key" ) && \
 	    ( [ $DO_P12 -eq 0 ] || chmod 0600 "$KEY_CN.p12" )
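Review bot: The key's `chmod 0600` is guarded by `DO_CA`, yet the key file is written by the `req` step guarded by `DO_REQ`; with `--csr` (which sets `DO_CA="0"` in the option loop) a new `"$KEY_CN.key"` is generated and never restricted. Keying the guard on the step that creates the file fixes it: `( [ $DO_REQ -eq 0 ] || chmod 0600 "$KEY_CN.key" )`. The chain sits inside an `if`/`else` that opens outside this hunk.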