From 7cdb14dde66d7e67f552310f0ddb49298e90ab54 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme <tincantech@protonmail.com>
Date: Thu, 5 Dec 2024 18:50:57 +0000
Subject: [PATCH] Save and Restore $EASYRSA_SSL_CONF for compound commands

Compound function build_full() calls gen_req() then sign_req().
However, between the two, $EASYRSA_SSL_CONF is set to a temp-file,
which has now been deleted. This causes sign_req() to use a
different SSL config file than that used by gen_req().

Also, '--ssl-conf' is ignored when secure_session() clears
$EASYRSA_SSL_CONF.

This change saves the original setting for $EASYRSA_SSL_CONF,
which is then restored when remove_secure_session() is called.

Also, secure_session() no longer clears $EASYRSA_SSL_CONF,
preserving the setting of '--ssl-conf'.

This mechanism also covers easyrsa-tools.lib:read_db(),
which also resets the temporary session. This does not
require updating easyrsa-tool.lib version (@v322).

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
---
 easyrsa3/easyrsa           | 13 +++++++++----
 easyrsa3/easyrsa-tools.lib | 12 +++++-------
 2 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 17a15f70..b135a8d8 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -840,8 +840,7 @@ secure_session - Missing temporary directory:
 				die "secure_session - temp-file EXISTS"
 
 			# New session requires safe-ssl conf
-			unset -v session OPENSSL_CONF \
-				EASYRSA_SSL_CONF safe_ssl_cnf_tmp \
+			unset -v session OPENSSL_CONF safe_ssl_cnf_tmp \
 				working_safe_ssl_conf working_safe_org_conf
 
 			easyrsa_err_log="$secured_session/error.log"
@@ -859,8 +858,11 @@ remove_secure_session() {
 	if rm -rf "$secured_session"; then
 		verbose "\
 remove_secure_session: DELETED: $secured_session"
-		unset -v secured_session OPENSSL_CONF \
-			EASYRSA_SSL_CONF safe_ssl_cnf_tmp \
+
+		# Restore original EASYRSA_SSL_CONF
+		EASYRSA_SSL_CONF="$original_ssl_cnf"
+
+		unset -v secured_session OPENSSL_CONF safe_ssl_cnf_tmp \
 			working_safe_ssl_conf working_safe_org_conf
 		return
 	fi
@@ -4666,6 +4668,9 @@ verify_working_env() {
 	# and easyrsa-tools.lib
 	locate_support_files
 
+	# Save original EASYRSA_SSL_CONF
+	original_ssl_cnf="$EASYRSA_SSL_CONF"
+
 	verbose "verify_working_env: COMPLETED Handover-to: $cmd"
 } # => verify_working_env()
 
diff --git a/easyrsa3/easyrsa-tools.lib b/easyrsa3/easyrsa-tools.lib
index 37a080d4..e9e4aed2 100644
--- a/easyrsa3/easyrsa-tools.lib
+++ b/easyrsa3/easyrsa-tools.lib
@@ -414,14 +414,12 @@ read_db() {
 
 		verbose "***** Read next record *****"
 
-		# Recreate temp session
-		remove_secure_session || \
-			die "read_db - remove_secure_session"
-		secure_session || \
-			die "read_db - secure_session"
-		# Recreate openssl-easyrsa.cnf (Temp)
-		write_global_safe_ssl_cnf_tmp
+		# Recreate temp-session and
+		# drop edits to SSL Conf file
+		remove_secure_session
+		secure_session
 		locate_support_files
+		write_global_safe_ssl_cnf_tmp
 
 		# Interpret the db/certificate record
 		unset -v db_serial db_cn db_revoke_date db_reason