The patch submitted by Andrei fixed it for me.
There are some style issues; I fixed the ones I saw and reattached the
patch.
Index: ikeca.c
===================================================================
RCS file: /cvs/src/usr.sbin/ikectl/ikeca.c,v
retrieving revision 1.46
diff -u -p -r1.46 ikeca.c
--- ikeca.c 8 Jun 2017 11:45:44 -0000 1.46
+++ ikeca.c 25 Oct 2017 12:51:59 -0000
@@ -85,11 +85,11 @@ struct {
};
/* explicitly list allowed variables */
-const char *ca_env[][2] = {
+char *ca_env[][2] = {
{ "$ENV::CADB", NULL },
{ "$ENV::CASERIAL", NULL },
- { "$ENV::CERTFQDN", NULL },
- { "$ENV::CERTIP", NULL },
+ { "DNS:$ENV::CERTFQDN", NULL },
+ { "IP:$ENV::CERTIP", NULL },
{ "$ENV::CERTPATHLEN", NULL },
{ "$ENV::CERTUSAGE", NULL },
{ "$ENV::CERT_C", NULL },
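Review bot: Dropping `const` at `char *ca_env[][2] = {` makes the string-literal keys in column 0 reachable through a writable pointer, so any accidental store into them would be undefined behaviour, while the ca_clrenv hunk still casts `(char *)` on `free()` as if the element type were const. Either keep `const char *ca_env[][2]` and cast only in the `free()` call, or drop the cast there; the two hunks should agree. The renamed keys `DNS:$ENV::CERTFQDN` and `IP:$ENV::CERTIP` also mean that any `ca_setenv("$ENV::CERTFQDN", ...)` caller outside this diff would no longer match a table entry; since the visible ca_setenv loop returns only on a match, confirm that its fall-through path (outside the hunk) reports an unknown key rather than silently ignoring it. The array definition begins and ends outside the hunk.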
@@ -202,23 +202,26 @@ ca_request(struct ca *ca, char *keyname,
{
char cmd[PATH_MAX * 2];
char hostname[HOST_NAME_MAX+1];
- char name[128];
+ char subjaltname[HOST_NAME_MAX+5];
char path[PATH_MAX];
ca_setenv("$ENV::CERT_CN", keyname);
- strlcpy(name, keyname, sizeof(name));
-
if (type == HOST_IPADDR) {
- ca_setenv("$ENV::CERTIP", name);
+ snprintf(subjaltname, sizeof(subjaltname), "IP:%s", keyname);
+ ca_setenv("IP:$ENV::CERTIP", subjaltname);
ca_setenv("$ENV::REQ_EXT", "x509v3_IPAddr");
} else if (type == HOST_FQDN) {
if (!strcmp(keyname, "local")) {
if (gethostname(hostname, sizeof(hostname)))
err(1, "gethostname");
- strlcpy(name, hostname, sizeof(name));
+ snprintf(subjaltname, sizeof(subjaltname), "DNS:%s",
+ hostname);
+ } else {
+ snprintf(subjaltname, sizeof(subjaltname), "DNS:%s",
+ keyname);
}
- ca_setenv("$ENV::CERTFQDN", name);
+ ca_setenv("DNS:$ENV::CERTFQDN", subjaltname);
ca_setenv("$ENV::REQ_EXT", "x509v3_FQDN");
} else {
errx(1, "unknown host type %d", type);
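Review bot: The `snprintf` results into `subjaltname` are unchecked, so a `keyname` longer than HOST_NAME_MAX is silently truncated in the subjectAltName while `$ENV::CERT_CN` still receives the full `keyname`, yielding a certificate whose subject and SAN disagree. Check each call, e.g. `if (snprintf(subjaltname, sizeof(subjaltname), "IP:%s", keyname) >= (int)sizeof(subjaltname)) errx(1, "keyname too long");`, and the same for the two `DNS:` calls. The `+5` in `HOST_NAME_MAX+5` also deserves a short comment, `/* "DNS:" or "IP:" prefix + name + NUL */`. ca_request's body continues outside the hunk.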
@@ -306,6 +309,9 @@ ca_certificate(struct ca *ca, char *keyn
ca_request(ca, keyname, type);
ca_sign(ca, keyname, type);
+ /* call ca_clrenv again to free the char*'s allocated by ca_setenv */
+ ca_clrenv();
+
return (0);
}
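Review bot: The comment `/* call ca_clrenv again to free the char*'s allocated by ca_setenv */` says "again" but the earlier ca_clrenv() call it refers to is not in this hunk, so the reader cannot tell what the pairing is; the same comment is repeated verbatim in the ca_create hunk. Rewording it to state the ownership contract would be more useful, e.g. `/* ca_setenv() strdup'd the values; release them now that the certificate is issued */`. Note that ca_request() and ca_sign() exit via err()/errx() on failure, so no earlier return path leaks here, but that is worth stating if other returns are added later. ca_certificate's body begins outside the hunk.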
@@ -440,6 +446,9 @@ ca_create(struct ca *ca)
/* Create the CRL revocation list */
ca_revoke(ca, NULL);
+ /* call ca_clrenv again to free the char*'s allocated by ca_setenv */
+ ca_clrenv();
+
return (0);
}
@@ -892,6 +901,11 @@ ca_revoke(struct ca *ca, char *keyname)
ca->passfile, ca->sslpath, ca->sslpath);
system(cmd);
+ if (keyname) {
+ /* ca_revoke() called directly from ca_opt() so free char *'s */
+ ca_clrenv();
+ }
+
return (0);
}
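Review bot: Using `if (keyname)` as the signal that ca_revoke() was invoked directly from ca_opt() couples the cleanup to an unrelated argument; a future caller that passes a keyname from inside a larger operation would have the environment freed underneath it, while the NULL-keyname call from ca_create() relies on ca_create's own ca_clrenv() in the other hunk. Having ca_opt() call ca_clrenv() after ca_revoke() returns would keep the ownership in one place and reduce this to `return (0);`. Failing that, the comment should state the actual contract: `/* keyname == NULL means ca_create() called us and clears the env itself */`. Also note the preceding `system(cmd)` result is still unchecked, though that predates this change. ca_revoke's body begins outside the hunk.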
@@ -899,20 +913,26 @@ void
ca_clrenv(void)
{
int i;
- for (i = 0; ca_env[i][0] != NULL; i++)
+ for (i = 0; ca_env[i][0] != NULL; i++) {
+ free((char *) ca_env[i][1]);
ca_env[i][1] = NULL;
+ }
}
void
ca_setenv(const char *key, const char *value)
{
int i;
+ char *p = NULL;
for (i = 0; ca_env[i][0] != NULL; i++) {
if (strcmp(ca_env[i][0], key) == 0) {
if (ca_env[i][1] != NULL)
errx(1, "env %s already set: %s", key, value);
- ca_env[i][1] = value;
+ p = strdup(value);
+ if (p == NULL)
+ err(1, NULL);
+ ca_env[i][1] = p;
return;
}
}
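Review bot: `free((char *) ca_env[i][1])` in ca_clrenv is only safe if every non-NULL value in column 1 came from the `strdup()` added to ca_setenv; any other place in the file that stores a literal or stack buffer into `ca_env[i][1]` would now be freed, so confirm there is none and record the contract, e.g. on the table: `/* values are strdup()'d copies owned by ca_env; ca_clrenv() frees them */`. In ca_setenv, `char *p = NULL;` is declared at the top and zeroed only to be overwritten in one branch; declaring it at the point of use, `char *p = strdup(value);`, and giving `err()` a message, `err(1, "strdup")`, reads more clearly. The `errx` on an already-set key fires on the old value still being present, which is fine now that ca_clrenv resets the slot to NULL after freeing. ca_setenv's tail after the loop is outside the hunk.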