OpenVPN · TinCanTech · Dec 17, 2024 · Dec 17, 2024 · Dec 17, 2024 · Dec 17, 2024
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
@@ -840,7 +840,7 @@ secure_session - Missing temporary directory:
 				die "secure_session - temp-file EXISTS"
 
 			# New session requires safe-ssl conf
-			unset -v session OPENSSL_CONF safe_ssl_cnf_tmp \
+			unset -v session OPENSSL_CONF \
 				working_safe_ssl_conf working_safe_org_conf
 
 			easyrsa_err_log="$secured_session/error.log"
@@ -862,7 +862,7 @@ remove_secure_session: DELETED: $secured_session"
 		# Restore original EASYRSA_SSL_CONF
 		EASYRSA_SSL_CONF="$original_ssl_cnf"
 
-		unset -v secured_session OPENSSL_CONF safe_ssl_cnf_tmp \
+		unset -v secured_session OPENSSL_CONF \
 			working_safe_ssl_conf working_safe_org_conf
 		return
 	fi
@@ -1190,6 +1190,7 @@ expand_ssl_config() {
 		fi
 
 	export EASYRSA_SSL_CONF="$safe_ssl_cnf_tmp"
+	unset -v safe_ssl_cnf_tmp
 	verbose \
 		"expand_ssl_config: EASYRSA_SSL_CONF = $EASYRSA_SSL_CONF"
 } # => expand_ssl_config()
@@ -1214,9 +1215,10 @@ easyrsa_openssl() {
 	# Use $EASYRSA_SSL_CONF (local) or $OPENSSL_CONF (global)
 	if [ -f "$EASYRSA_SSL_CONF" ]; then
 		export OPENSSL_CONF="$EASYRSA_SSL_CONF"
+	elif [ -f "$OPENSSL_CONF" ]; then
+		export OPENSSL_CONF
 	else
-		[ -f "$OPENSSL_CONF" ] || \
-			die "easyrsa_openssl - OPENSSL_CONF undefined"
+		die "easyrsa_openssl - OPENSSL_CONF undefined"
 	fi
 	verbose "= easyrsa_openssl: OPENSSL_CONF = $OPENSSL_CONF"
 
@@ -2426,7 +2428,7 @@ sign_req() {
 Unrecognised x509-type: '$crt_type'
 
 In order to sign a custom X509 Type certificate, there must be a
-corresponding SSL configuration file in the 'x509-type' folder."
+corresponding SSL configuration file in the 'x509-types' folder."
 	esac
 
 	# Check argument sanity:
@@ -2829,6 +2831,7 @@ source or that you have verified the request checksum \
 with the sender.$NL"
 	fi
 
+	# Request FINAL user confirmation
 	confirm "Confirm requested details: " "yes" "\
 ${foreign_request}You are about to sign the following certificate:
 
@@ -2891,12 +2894,8 @@ check_serial_unique() {
 			user_error "Invalid serial number: '$1'"
 	esac
 
-	unset -v unique_serial_true
-
 	# Check for openssl -status of serial number
 	# Always errors out - Do not capture error
-	# unset EASYRSA_SILENT_SSL to capture all output
-	# Do NOT unset check_serial for sign-req error msg
 	check_serial="$(
 			"$EASYRSA_OPENSSL" ca -status "$1" 2>&1
 		)" || :
@@ -2908,17 +2907,15 @@ check_serial_unique() {
 			verbose "check_serial_unique: unique_serial=true"
 			;;
 		*)
-			: # Some other response
+			unique_serial_true=
 			verbose "check_serial_unique: unique_serial=false"
 	esac
 
 	# In batch mode return result only
 	if [ "$2" = batch ] || [ "$EASYRSA_BATCH" ]; then
 		if [ "$unique_serial_true" ]; then
-			unset -v unique_serial_true
 			return 0
 		else
-			unset -v unique_serial_true
 			return 1
 		fi
 	fi
@@ -4988,7 +4985,7 @@ write_legacy_file_v2() {
 	write_type="$1"
 	write_file="$2"
 	write_over=
-	[ "$3" = overwrite ] && write_over="$3"
+	[ "$3" = overwrite ] && write_over=1
 
 	# Select by type
 	case "$write_type" in
@@ -5020,29 +5017,40 @@ write_legacy_file_v2() {
 		if [ -f "$write_file" ]; then
 			# if this is a temp file then enable auto-overwrite
 			path="${write_file%%/temp.*}"
-			if [ "${secured_session}" = "$path" ]; then
+			if [ "$path" = "${secured_session}" ]; then
 				verbose ": write_legacy_file_v2 - temp-file ACCEPTED"
-				write_over=overwrite
+				write_over=1
 			else
 				# target is not a temp-file, overwrite not changed
 				verbose ": Target is not a temp-file: $write_file"
 			fi
 		else
-			# enable overwrite, "there is no file" to over write
-			verbose ": Missing input file: $write_file"
-			write_over=overwrite
+			verbose ": Create new file: $write_file"
 		fi
+	else
+		verbose ": No target file - output to stdout"
 	fi
 
 	# write legacy data stream to stdout or file
-	if [ "$write_file" ]; then
+	if [ -f "$write_file" ]; then
 		if [ "$write_over" ]; then
 			verbose ": write_legacy_file_v2 - over-write ENABLED"
 			create_legacy_stream "$write_type" > "$write_file" || \
 				die "write failed"
+			[ "$EASYRSA_DEBUG" ] && print \
+				"### write OVERWRITE: $write_type to $write_file"
 		else
-			user_error "write: Over-write refused for existing file!"
+			# Preserve existing file and continue
+			verbose "write_legacy_file_v2 - over-write DISABLED "
+			[ "$EASYRSA_DEBUG" ] && print \
+				"### write PRESERVE existing: $write_file"
 		fi
+	elif [ "$write_file" ]; then
+			verbose ": write_legacy_file_v2 - over-write DISABLED"
+			create_legacy_stream "$write_type" > "$write_file" || \
+				die "write failed"
+			[ "$EASYRSA_DEBUG" ] && print \
+				"### write NEWFILE: $write_type to $write_file"
 	else
 		# write stream to stdout ONLY
 		create_legacy_stream "$write_type"
@@ -5815,6 +5823,11 @@ while :; do
 			set -- "$@" "version"
 			break
 			;;
+		-h|--help|--usage)
+			shift "$#"
+			set -- "$@" "help"
+			break
+			;;
 		-*)
 			user_error "\
 Unknown option '$opt'.
@@ -5863,8 +5876,7 @@ cmd="$1"
 unset -v require_pki require_ca quiet_vars
 
 case "$cmd" in
-	''|help|-h|--help|--usage| \
-	version|show-host|rand|random)
+	''|help|version|show-host|rand|random)
 		unset -v EASYRSA_SILENT
 		quiet_vars=1
 		;;
@@ -5908,13 +5920,6 @@ mutual_exclusions
 # Verify SSL Lib - One time ONLY
 verify_ssl_lib
 
-# Check $working_safe_ssl_conf, to build
-# a fully configured safe ssl conf, on the
-# next invocation of easyrsa_openssl()
-if [ "$working_safe_ssl_conf" ]; then
-	die "working_safe_ssl_conf must not be set!"
-fi
-
 # Hand off to the function responsible
 # ONLY verify_working_env() for valid commands
 case "$cmd" in