On 2017/05/19 00:32, Matthew Martin wrote:
> ikectl errors in a number of situations where shell special characters
> are used. For example:
> 
> % doas ikectl ca test create password \'
> [...]
> subject=/C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=VPN 
> CA/emailAddress=r...@openbsd.org
> Getting Private key
> sh: no closing quote
> 
> This is because it uses system(3) in various places to run openssl, tar,
> and zip. Take the hint from the system(3) man page, and write a small
> function that does the fork and exec bypassing sh.

This seems like a good idea anyway, but the diff below from Andrei-Marius Radu,
which stops passing the password on the openssl command line (where it is
visible to other local users via ps(1)), is still pending:

https://marc.info/?l=openbsd-bugs&m=149064755410645&w=2

Index: ikeca.c
===================================================================
RCS file: /cvs/src/usr.sbin/ikectl/ikeca.c,v
retrieving revision 1.42
diff -u -p -r1.42 ikeca.c
--- ikeca.c     29 Mar 2017 08:19:13 -0000      1.42
+++ ikeca.c     19 May 2017 08:55:36 -0000
@@ -108,7 +108,6 @@ const char *ca_env[][2] = {
 int             ca_sign(struct ca *, char *, int);
 int             ca_request(struct ca *, char *, int);
 void            ca_newpass(char *, char *);
-char           *ca_readpass(char *, size_t *);
 int             fcopy(char *, char *, mode_t);
 void            fcopy_env(const char *, const char *, mode_t);
 int             rm_dir(char *);
@@ -809,33 +808,6 @@ ca_export(struct ca *ca, char *keyname, 
        return (0);
 }
 
-char *
-ca_readpass(char *path, size_t *len)
-{
-       FILE            *f;
-       char            *p, *r;
-
-       if ((f = fopen(path, "r")) == NULL) {
-               warn("fopen %s", path);
-               return (NULL);
-       }
-
-       if ((p = fgetln(f, len)) != NULL) {
-               if ((r = malloc(*len + 1)) == NULL)
-                       err(1, "malloc");
-               memcpy(r, p, *len);
-               if (r[*len - 1] == '\n')
-                       r[*len - 1] = '\0';
-               else
-                       r[*len] = '\0';
-       } else
-               r = NULL;
-
-       fclose(f);
-
-       return (r);
-}
-
 /* create index if it doesn't already exist */
 void
 ca_create_index(struct ca *ca)
@@ -879,8 +851,6 @@ ca_revoke(struct ca *ca, char *keyname)
        struct stat      st;
        char             cmd[PATH_MAX * 2];
        char             path[PATH_MAX];
-       char            *pass;
-       size_t           len;
 
        if (keyname) {
                snprintf(path, sizeof(path), "%s/%s.crt",
@@ -891,11 +861,6 @@ ca_revoke(struct ca *ca, char *keyname)
                }
        }
 
-       snprintf(path, sizeof(path), "%s/ikeca.passwd", ca->sslpath);
-       pass = ca_readpass(path, &len);
-       if (pass == NULL)
-               errx(1, "could not open passphrase file");
-
        ca_create_index(ca);
 
        ca_setenv("$ENV::CADB", ca->index);
@@ -905,27 +870,24 @@ ca_revoke(struct ca *ca, char *keyname)
        if (keyname) {
                snprintf(cmd, sizeof(cmd),
                    "%s ca %s-config %s -keyfile %s/private/ca.key"
-                   " -key %s"
+                   " -passin file:%s"
                    " -cert %s/ca.crt"
                    " -revoke %s/%s.crt",
                    PATH_OPENSSL, ca->batch, ca->sslcnf,
-                   ca->sslpath, pass, ca->sslpath, ca->sslpath, keyname);
+                   ca->sslpath, ca->passfile, ca->sslpath, ca->sslpath, 
keyname);
                system(cmd);
        }
 
        snprintf(cmd, sizeof(cmd),
            "%s ca %s-config %s -keyfile %s/private/ca.key"
-           " -key %s"
+           " -passin file:%s"
            " -gencrl"
            " -cert %s/ca.crt"
            " -crldays 365"
            " -out %s/ca.crl",
            PATH_OPENSSL, ca->batch, ca->sslcnf, ca->sslpath,
-           pass, ca->sslpath, ca->sslpath);
+           ca->passfile, ca->sslpath, ca->sslpath);
        system(cmd);
-
-       explicit_bzero(pass, len);
-       free(pass);
 
        return (0);
 }
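Review bot: With the early passphrase-file check removed and both `system(cmd)` results still discarded, ca_revoke now returns 0 even when `openssl ca` fails, for instance when `ca->passfile` is missing or unreadable, a case the deleted `errx(1, "could not open passphrase file")` used to catch before anything ran. The failure then surfaces only on openssl's stderr while the caller sees success, and the CRL may be left stale. Checking each call, `if (system(cmd) != 0) errx(1, "openssl ca failed");`, restores a hard stop, and a `stat(ca->passfile, &st)` up front (st is already declared in this function) would keep the previous early diagnostic. Note also that `ca->passfile` still goes through the shell unquoted via system(3), so the metacharacter problem raised at the top of the thread applies to that path as it did to the inline password; where `ca->passfile` is populated is not visible in this diff. ca_revoke's body starts outside the hunk.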
