7b891ac1 AM |
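diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-ca openvpn-2.2.0/easy-rsa/2.0/build-ca
--- openvpn-2.2.0-orig/easy-rsa/2.0/build-ca 2011-04-06 18:05:52.000000000 +0200
+++ openvpn-2.2.0/easy-rsa/2.0/build-ca 2011-04-27 22:34:59.357652908 +0200
@@ -4,5 +4,5 @@
 # Build a root certificate
 #
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --initca $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --initca $*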
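Review bot: Exporting `EASY_RSA=/etc/easy-rsa` on the line before the `/usr/sbin/pkitool` call makes pkitool's new `if [ -z "$EASY_RSA" ]; then . /etc/easy-rsa/vars; fi` guard always false, so vars is never auto-sourced when pkitool is reached through this wrapper; the same pair of lines is in build-inter, build-key, build-key-pass, build-key-pkcs12, build-key-server, build-req, build-req-pass and sign-req. A caller that has not sourced vars then runs pkitool with KEY_DIR and KEY_CONFIG unset, which presumably ends in pkitool's need_vars message (outside the hunk) rather than in the auto-sourcing this commit intends. Testing a variable that only vars sets makes the guard meaningful everywhere it was added (pkitool, build-dh, clean-all, inherit-inter, list-crl, revoke-full), e.g. `if [ -z "$KEY_CONFIG" ]; then . /etc/easy-rsa/vars; fi`. While touching this line, the unquoted `$*` still splits arguments containing spaces; `/usr/sbin/pkitool --interact --initca "$@"` preserves them.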
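diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-dh openvpn-2.2.0/easy-rsa/2.0/build-dh
--- openvpn-2.2.0-orig/easy-rsa/2.0/build-dh 2011-04-06 18:05:52.000000000 +0200
+++ openvpn-2.2.0/easy-rsa/2.0/build-dh 2011-04-27 22:36:11.867656490 +0200
@@ -3,8 +3,12 @@
 # Build Diffie-Hellman parameters for the server side
 # of an SSL/TLS connection.
 
+if [ -z "$EASY_RSA" ]; then
+ . /etc/easy-rsa/vars
+fi
+
 if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then
- $OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
+ openssl dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
 else
 echo 'Please source the vars script first (i.e. "source ./vars")'
 echo 'Make sure you have edited it to reflect your configuration.'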
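Review bot: The rewritten `openssl dhparam` line leaves `${KEY_DIR}` and `${KEY_SIZE}` unquoted, so a KEY_DIR containing whitespace word-splits into extra arguments while the surrounding `[ -d $KEY_DIR ]` test has the same weakness; `openssl dhparam -out "${KEY_DIR}/dh${KEY_SIZE}.pem" "${KEY_SIZE}"` keeps the path intact. With /etc/easy-rsa/vars now sourced automatically, the `else` branch's advice to `source ./vars` is reached only when that file itself leaves KEY_DIR or KEY_SIZE empty, which the message could say instead. The `if` block continues past the end of the hunk.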
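diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-inter openvpn-2.2.0/easy-rsa/2.0/build-inter
--- openvpn-2.2.0-orig/easy-rsa/2.0/build-inter 2011-04-06 18:05:52.000000000 +0200
+++ openvpn-2.2.0/easy-rsa/2.0/build-inter 2011-04-27 22:37:59.789289422 +0200
@@ -3,5 +3,5 @@
 # Make an intermediate CA certificate/private key pair using a locally generated
 # root certificate.
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --inter $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --inter $*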
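diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-key openvpn-2.2.0/easy-rsa/2.0/build-key
--- openvpn-2.2.0-orig/easy-rsa/2.0/build-key 2011-04-06 18:05:52.000000000 +0200
+++ openvpn-2.2.0/easy-rsa/2.0/build-key 2011-04-27 22:38:35.330924876 +0200
@@ -3,5 +3,5 @@
 # Make a certificate/private key pair using a locally generated
 # root certificate.
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact $*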
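diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-key-pass openvpn-2.2.0/easy-rsa/2.0/build-key-pass
--- openvpn-2.2.0-orig/easy-rsa/2.0/build-key-pass 2011-04-06 18:05:52.000000000 +0200
+++ openvpn-2.2.0/easy-rsa/2.0/build-key-pass 2011-04-27 22:39:23.919827311 +0200
@@ -3,5 +3,5 @@
 # Similar to build-key, but protect the private key
 # with a password.
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --pass $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --pass $*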
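diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-key-pkcs12 openvpn-2.2.0/easy-rsa/2.0/build-key-pkcs12
--- openvpn-2.2.0-orig/easy-rsa/2.0/build-key-pkcs12 2011-04-06 18:05:52.000000000 +0200
+++ openvpn-2.2.0/easy-rsa/2.0/build-key-pkcs12 2011-04-27 22:40:10.288627524 +0200
@@ -4,5 +4,5 @@
 # root certificate and convert it to a PKCS #12 file including the
 # the CA certificate as well.
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --pkcs12 $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --pkcs12 $*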
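diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-key-server openvpn-2.2.0/easy-rsa/2.0/build-key-server
--- openvpn-2.2.0-orig/easy-rsa/2.0/build-key-server 2011-04-06 18:05:52.000000000 +0200
+++ openvpn-2.2.0/easy-rsa/2.0/build-key-server 2011-04-27 22:41:24.715385295 +0200
@@ -6,5 +6,5 @@
 # Explicitly set nsCertType to server using the "server"
 # extension in the openssl.cnf file.
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --server $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --server $*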
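diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-req openvpn-2.2.0/easy-rsa/2.0/build-req
--- openvpn-2.2.0-orig/easy-rsa/2.0/build-req 2011-04-06 18:05:52.000000000 +0200
+++ openvpn-2.2.0/easy-rsa/2.0/build-req 2011-04-27 22:41:59.636992013 +0200
@@ -3,5 +3,5 @@
 # Build a certificate signing request and private key. Use this
 # when your root certificate and key is not available locally.
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --csr $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --csr $*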
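diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-req-pass openvpn-2.2.0/easy-rsa/2.0/build-req-pass
--- openvpn-2.2.0-orig/easy-rsa/2.0/build-req-pass 2011-04-06 18:05:52.000000000 +0200
+++ openvpn-2.2.0/easy-rsa/2.0/build-req-pass 2011-04-27 22:43:36.938135257 +0200
@@ -3,5 +3,5 @@
 # Like build-req, but protect your private key
 # with a password.
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --csr --pass $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --csr --pass $*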
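diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/clean-all openvpn-2.2.0/easy-rsa/2.0/clean-all
--- openvpn-2.2.0-orig/easy-rsa/2.0/clean-all 2011-04-06 18:05:52.000000000 +0200
+++ openvpn-2.2.0/easy-rsa/2.0/clean-all 2011-04-27 22:44:36.544210785 +0200
@@ -4,6 +4,10 @@
 # Note that this script does a
 # rm -rf on $KEY_DIR so be careful!
 
+if [ -z "$EASY_RSA" ]; then
+ . /etc/easy-rsa/vars
+fi
+
 if [ "$KEY_DIR" ]; then
 rm -rf "$KEY_DIR"
 mkdir "$KEY_DIR" && \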
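Review bot: Auto-sourcing /etc/easy-rsa/vars turns a bare `clean-all` invocation from a no-op (KEY_DIR empty, the `if [ "$KEY_DIR" ]` branch not taken) into an unconditional `rm -rf` of /etc/easy-rsa/keys, which is where vars now places the CA private key, index and serial, and the same commit drops the "Issue rm -rf warning" echo from vars, so nothing alerts the operator any more. Given the header comment's own caution, a confirmation inside the `if` before the rm is warranted, e.g. `printf 'This will rm -rf %s - continue? [y/N] ' "$KEY_DIR" >&2`, `read -r reply`, `[ "$reply" = y ] || exit 1`. The `if` block continues past the end of the hunk.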
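diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/inherit-inter openvpn-2.2.0/easy-rsa/2.0/inherit-inter
--- openvpn-2.2.0-orig/easy-rsa/2.0/inherit-inter 2011-04-06 18:05:52.000000000 +0200
+++ openvpn-2.2.0/easy-rsa/2.0/inherit-inter 2011-04-27 22:45:20.809580498 +0200
@@ -9,6 +9,10 @@
 # To build an intermediate CA, follow the same steps for a regular PKI but
 # replace ./build-key or ./pkitool --initca with this script.
 
+if [ -z "$EASY_RSA" ]; then
+ . /etc/easy-rsa/vars
+fi
+
 # The EXPORT_CA file will contain the CA certificate chain and should be
 # referenced by the OpenVPN "ca" directive in config files. The ca.crt file
 # will only contain the local intermediate CA -- it's needed by the easy-rsa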
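diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/list-crl openvpn-2.2.0/easy-rsa/2.0/list-crl
--- openvpn-2.2.0-orig/easy-rsa/2.0/list-crl 2011-04-06 18:05:52.000000000 +0200
+++ openvpn-2.2.0/easy-rsa/2.0/list-crl 2011-04-27 22:46:23.149114937 +0200
@@ -2,11 +2,15 @@
 
 # list revoked certificates
 
+if [ -z "$EASY_RSA" ]; then
+ . /etc/easy-rsa/vars
+fi
+
 CRL="${1:-crl.pem}"
 
 if [ "$KEY_DIR" ]; then
 cd "$KEY_DIR" && \
- $OPENSSL crl -text -noout -in "$CRL"
+ openssl crl -text -noout -in "$CRL"
 else
 echo 'Please source the vars script first (i.e. "source ./vars")'
 echo 'Make sure you have edited it to reflect your configuration.'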
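diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/pkitool openvpn-2.2.0/easy-rsa/2.0/pkitool
--- openvpn-2.2.0-orig/easy-rsa/2.0/pkitool 2011-04-06 18:05:52.000000000 +0200
+++ openvpn-2.2.0/easy-rsa/2.0/pkitool 2011-04-27 22:53:35.735697923 +0200
@@ -42,6 +42,10 @@
 exit 1
 }
 
+if [ -z "$EASY_RSA" ]; then
+ . /etc/easy-rsa/vars
+fi
+
 need_vars()
 {
 echo ' Please edit the vars script to reflect your configuration,'
@@ -172,16 +176,16 @@
 if [ -z "$PKCS11_LABEL" ]; then
 die "Please specify library name, slot and label"
 fi
- $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
+ pkcs11-tool --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
 --label "$PKCS11_LABEL" &&
- $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
+ pkcs11-tool --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
 exit $?;;
 --pkcs11-slots)
 PKCS11_MODULE_PATH="$2"
 if [ -z "$PKCS11_MODULE_PATH" ]; then
 die "Please specify library name"
 fi
- $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots
+ pkcs11-tool --module "$PKCS11_MODULE_PATH" --list-slots
 exit 0;;
 --pkcs11-objects)
 PKCS11_MODULE_PATH="$2"
@@ -189,7 +193,7 @@
 if [ -z "$PKCS11_SLOT" ]; then
 die "Please specify library name and slot"
 fi
- $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
+ pkcs11-tool --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
 exit 0;;
 
 --help|--usage)
@@ -206,7 +210,7 @@
 done
 
 if ! [ -z "$BATCH" ]; then
- if $OPENSSL version | grep 0.9.6 > /dev/null; then
+ if openssl version | grep 0.9.6 > /dev/null; then
 die "Batch mode is unsupported in openssl<0.9.7"
 fi
 fi
@@ -311,7 +315,7 @@
 
 # Make sure $KEY_CONFIG points to the correct version
 # of openssl.cnf
- if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
+ if grep -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
 :
 else
 echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
@@ -322,7 +326,7 @@
 
 # Build root CA
 if [ $DO_ROOT -eq 1 ]; then
- $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \
+ openssl req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \
 -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
 chmod 0600 "$CA.key"
 else
@@ -345,7 +349,7 @@
 export PKCS11_PIN
 
 echo "Generating key pair on PKCS#11 token..."
- $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \
+ pkcs11-tool --module "$PKCS11_MODULE_PATH" --keypairgen \
 --login --pin "$PKCS11_PIN" \
 --key-type rsa:1024 \
 --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1
@@ -353,19 +357,19 @@
 fi
 
 # Build cert/key
- ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
+ ( [ $DO_REQ -eq 0 ] || openssl req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
 -keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
- ( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \
+ ( [ $DO_CA -eq 0 ] || openssl ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \
 -in "$FN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \
- ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \
+ ( [ $DO_P12 -eq 0 ] || openssl pkcs12 -export -inkey "$FN.key" \
 -in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \
 ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$FN.key" ) && \
 ( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" )
 
 # Load certificate into PKCS#11 token
 if [ $DO_P11 -eq 1 ]; then
- $OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \
- $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \
+ openssl x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \
+ pkcs11-tool --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \
 --login --pin "$PKCS11_PIN" \
 --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL"
 [ -e "$FN.crt.der" ]; rm "$FN.crt.der"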
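Review bot: The rewritten `openssl req` line in the `@@ -322,7 +326,7 @@` hunk still signs the root CA with `-sha1`, and the rewritten `openssl ca` line in the last hunk keeps `-md sha1` on its continuation line, so every certificate this tool issues carries a SHA-1 signature; `-sha256` and `-md sha256` are available in openssl 0.9.8 and later, which is the range the script otherwise targets (confirm against the packaged openssl). The unchanged `--key-type rsa:1024` in the PKCS#11 key-generation hunk is below current minimums for the same reason, and passing `--login --pin "$PKCS11_PIN"` on the command line exposes the PIN to anyone who can read process listings; pkcs11-tool prompts for the PIN when `--pin` is omitted (confirm with the packaged OpenSC), so dropping the flag is the safer form. All of these lines sit inside case arms or blocks that start before their hunks.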
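diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/revoke-full openvpn-2.2.0/easy-rsa/2.0/revoke-full
--- openvpn-2.2.0-orig/easy-rsa/2.0/revoke-full 2011-04-06 18:05:52.000000000 +0200
+++ openvpn-2.2.0/easy-rsa/2.0/revoke-full 2011-04-27 22:56:07.449351374 +0200
@@ -3,6 +3,10 @@
 # revoke a certificate, regenerate CRL,
 # and verify revocation
 
+if [ -z "$EASY_RSA" ]; then
+ . /etc/easy-rsa/vars
+fi
+
 CRL="crl.pem"
 RT="revoke-test.pem"
 
@@ -21,11 +25,11 @@
 export KEY_NAME=""
 
 # revoke key and generate a new CRL
- $OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"
+ openssl ca -revoke "$1" -config "$KEY_CONFIG"
 
 # generate a new CRL -- try to be compatible with
 # intermediate PKIs
- $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
+ openssl ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
 if [ -e export-ca.crt ]; then
 cat export-ca.crt "$CRL" >"$RT"
 else
@@ -33,7 +37,7 @@
 fi
 
 # verify the revocation
- $OPENSSL verify -CAfile "$RT" -crl_check "$1.crt"
+ openssl verify -CAfile "$RT" -crl_check "$1"
 else
 echo 'Please source the vars script first (i.e. "source ./vars")'
 echo 'Make sure you have edited it to reflect your configuration.'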
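Review bot: Changing `-revoke "$1.crt"` and `-crl_check "$1.crt"` to `"$1"` silently turns the script's argument from a key name into a certificate file name, but no hunk updates the header comment or any usage text, so a caller using the previous `revoke-full client1` form now fails at the `openssl ca -revoke` step and, if the script keeps going, leaves the CRL regenerated without the intended revocation. A one-line note at the top, `# usage: revoke-full <cert-file>   (relative to $KEY_DIR, e.g. client1.crt)`, records the new contract; checking the file before the call, `[ -f "$1" ] || { echo "no such certificate: $1" >&2; exit 1; }`, makes the failure explicit. The `if` block enclosing these lines begins and ends outside the hunks.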
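diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/sign-req openvpn-2.2.0/easy-rsa/2.0/sign-req
--- openvpn-2.2.0-orig/easy-rsa/2.0/sign-req 2011-04-06 18:05:52.000000000 +0200
+++ openvpn-2.2.0/easy-rsa/2.0/sign-req 2011-04-27 22:56:46.124465700 +0200
@@ -3,5 +3,5 @@
 # Sign a certificate signing request (a .csr file)
 # with a local root certificate and key.
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --sign $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --sign $*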
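diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/vars openvpn-2.2.0/easy-rsa/2.0/vars
--- openvpn-2.2.0-orig/easy-rsa/2.0/vars 2010-10-21 11:18:17.000000000 +0200
+++ openvpn-2.2.0/easy-rsa/2.0/vars 2011-04-27 22:58:41.789791888 +0200
@@ -12,21 +12,12 @@
 # This variable should point to
 # the top level of the easy-rsa
 # tree.
-export EASY_RSA="`pwd`"
-
-#
-# This variable should point to
-# the requested executables
-#
-export OPENSSL="openssl"
-export PKCS11TOOL="pkcs11-tool"
-export GREP="grep"
-
+export EASY_RSA="/etc/easy-rsa"
 
 # This variable should point to
 # the openssl.cnf file included
 # with easy-rsa.
-export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+export KEY_CONFIG="$EASY_RSA/openssl.cnf"
 
 # Edit this variable to point to
 # your soon-to-be-created key
@@ -38,9 +29,6 @@
 # it correctly!
 export KEY_DIR="$EASY_RSA/keys"
 
-# Issue rm -rf warning
-echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
-
 # PKCS11 fixes
 export PKCS11_MODULE_PATH="dummy"
 export PKCS11_PIN="dummy"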
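Review bot: `export KEY_CONFIG="$EASY_RSA/openssl.cnf"` replaces the `whichopensslcnf` lookup, which selected the easy-rsa cnf matching the installed openssl release, with a fixed file name; this is only correct if the package installs a version-matched cnf under that name, and the sole remaining guard is pkitool's `grep -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG"` check, which accepts any easy-rsa 2.x cnf regardless of openssl version. A comment above the line, `# openssl.cnf must be the easy-rsa cnf for the packaged openssl release (formerly selected by whichopensslcnf)`, records that assumption for the next packager. Removing the `rm -rf` notice in the second hunk takes away the only warning clean-all users received, which matters more now that clean-all sources this file on its own.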