Hi, I've converted ikectl(8) from getpass to readpassphrase.
=================================================================== RCS file: /cvs/src/usr.sbin/ikectl/ikeca.c,v retrieving revision 1.40
diff -u -p -r1.40 ikeca.c
--- ikeca.c 2 Nov 2015 12:21:27 -0000 1.40
+++ ikeca.c 3 Sep 2016 10:36:10 -0000
@@ -29,6 +29,7 @@
 #include <fts.h>
 #include <dirent.h>
 #include <limits.h>
+#include <readpassphrase.h>
 #include <openssl/rand.h>
 #include <openssl/rsa.h>
@@ -366,21 +367,26 @@ void
 ca_newpass(char *passfile, char *password)
 {
 FILE *f;
- char *pass;
- char prev[_PASSWORD_LEN + 1];
+ char pass[1024];
+ char prev[1024];
 if (password != NULL) {
- pass = password;
+ if (strlcpy(pass, password, sizeof(pass)) >= sizeof(pass))
+ errx(1, "password too long");
 goto done;
 }
- pass = getpass("CA passphrase:");
- if (pass == NULL || *pass == '\0')
- err(1, "password not set");
+ if (readpassphrase("CA passphrase:", pass,
+ sizeof(pass), RPP_ECHO_OFF) == NULL)
+ err(1, "readpassphrase");
+ if (pass[0] == '\0')
+ errx(1, "password not set");
 strlcpy(prev, pass, sizeof(prev));
- pass = getpass("Retype CA passphrase:");
- if (pass == NULL || strcmp(prev, pass) != 0)
+ if (readpassphrase("Retype CA passphrase:", pass,
+ sizeof(pass), RPP_ECHO_OFF) == NULL)
+ err(1, "readpassphrase");
+ if (strcmp(prev, pass) != 0)
 errx(1, "passphrase does not match!");
 done:
@@ -637,8 +643,8 @@ ca_export(struct ca *ca, char *keyname,
 DIR *dexp;
 struct dirent *de;
 struct stat st;
- char *pass;
- char prev[_PASSWORD_LEN + 1];
+ char pass[1024];
+ char prev[1024];
 char cmd[PATH_MAX * 2];
 char oname[PATH_MAX];
 char src[PATH_MAX];
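Review bot: In the ca_newpass hunk the passphrase now sits in two caller-owned stack buffers, `pass` and `prev`, and neither is wiped once it is no longer needed; `prev` is dead as soon as the `strcmp` on the retype succeeds, yet it keeps a copy of the passphrase until the frame happens to be reused. Add `explicit_bzero(prev, sizeof(prev));` immediately after the `strcmp` check, and clear `pass` the same way once it has been consumed; the part of ca_newpass after `done:` is outside the hunk, so I cannot see where that point is. Separately, the `password != NULL` path rejects anything that does not fit with `errx(1, "password too long")`, while readpassphrase(3) silently truncates interactive input at `sizeof(pass) - 1` (both prompts truncate identically, so the retype still matches); if that asymmetry is intended, a one-line comment on the interactive branch such as `/* readpassphrase(3) truncates at sizeof(pass) - 1, unlike the -p check above */` would save the next reader the question.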
@@ -659,16 +665,20 @@ ca_export(struct ca *ca, char *keyname,
 while ((p = strchr(oname, ':')) != NULL)
 *p = '_';
- if (password != NULL)
- pass = password;
- else {
- pass = getpass("Export passphrase:");
- if (pass == NULL || *pass == '\0')
- err(1, "password not set");
-
+ if (password != NULL) {
+ if (strlcpy(pass, password, sizeof(pass)) >= sizeof(pass))
+ errx(1, "password too long");
+ } else {
+ if (readpassphrase("Export passphrase:", pass,
+ sizeof(pass), RPP_ECHO_OFF) == NULL)
+ err(1, "readpassphrase");
+ if (pass[0] == '\0')
+ errx(1, "password not set");
 strlcpy(prev, pass, sizeof(prev));
- pass = getpass("Retype export passphrase:");
- if (pass == NULL || strcmp(prev, pass) != 0)
+ if (readpassphrase("Retype export passphrase:", pass,
+ sizeof(pass), RPP_ECHO_OFF) == NULL)
+ err(1, "readpassphrase");
+ if (strcmp(prev, pass) != 0)
 errx(1, "passphrase does not match!");
 }
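Review bot: `prev` is only needed for the retype comparison, but after `if (strcmp(prev, pass) != 0)` it is left holding a full copy of the export passphrase for the rest of ca_export, which continues well past this hunk; add `explicit_bzero(prev, sizeof(prev));` right after that check so only `pass` carries the secret from here on. `pass` itself should be wiped the same way once the export has used it, but that point is outside the hunk and I cannot see how it is consumed. Note also that with the `-p`/`password` path now copying into `pass` instead of aliasing the caller's pointer, the original string still lives in the caller's memory; that is pre-existing and outside this change, but worth a comment if `password` comes from argv.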