The patch submitted by Andrei fixed it for me. There are some style issues; I fixed the ones I saw and reattached the patch.
Index: ikeca.c
===================================================================
RCS file: /cvs/src/usr.sbin/ikectl/ikeca.c,v
retrieving revision 1.46
diff -u -p -r1.46 ikeca.c
--- ikeca.c 8 Jun 2017 11:45:44 -0000 1.46
+++ ikeca.c 25 Oct 2017 12:51:59 -0000
@@ -85,11 +85,11 @@ struct {
 };
 /* explicitly list allowed variables */
-const char *ca_env[][2] = {
+char *ca_env[][2] = {
 { "$ENV::CADB", NULL },
 { "$ENV::CASERIAL", NULL },
- { "$ENV::CERTFQDN", NULL },
- { "$ENV::CERTIP", NULL },
+ { "DNS:$ENV::CERTFQDN", NULL },
+ { "IP:$ENV::CERTIP", NULL },
 { "$ENV::CERTPATHLEN", NULL },
 { "$ENV::CERTUSAGE", NULL },
 { "$ENV::CERT_C", NULL },
@@ -202,23 +202,26 @@ ca_request(struct ca *ca, char *keyname,
 {
 char cmd[PATH_MAX * 2];
 char hostname[HOST_NAME_MAX+1];
- char name[128];
+ char subjaltname[HOST_NAME_MAX+5];
 char path[PATH_MAX];
 ca_setenv("$ENV::CERT_CN", keyname);
- strlcpy(name, keyname, sizeof(name));
- if (type == HOST_IPADDR) {
- ca_setenv("$ENV::CERTIP", name);
+ snprintf(subjaltname, sizeof(subjaltname), "IP:%s", keyname);
+ ca_setenv("IP:$ENV::CERTIP", subjaltname);
 ca_setenv("$ENV::REQ_EXT", "x509v3_IPAddr");
 } else if (type == HOST_FQDN) {
 if (!strcmp(keyname, "local")) {
 if (gethostname(hostname, sizeof(hostname)))
 err(1, "gethostname");
- strlcpy(name, hostname, sizeof(name));
+ snprintf(subjaltname, sizeof(subjaltname), "DNS:%s",
+ hostname);
+ } else {
+ snprintf(subjaltname, sizeof(subjaltname), "DNS:%s",
+ keyname);
 }
- ca_setenv("$ENV::CERTFQDN", name);
+ ca_setenv("DNS:$ENV::CERTFQDN", subjaltname);
 ca_setenv("$ENV::REQ_EXT", "x509v3_FQDN");
 } else {
 errx(1, "unknown host type %d", type);
@@ -306,6 +309,9 @@ ca_certificate(struct ca *ca, char *keyn
 ca_request(ca, keyname, type);
 ca_sign(ca, keyname, type);
+ /* call ca_clrenv again to free the char*'s allocated by ca_setenv */
+ ca_clrenv();
+ return (0);
 }
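Review bot: The renamed keys `"DNS:$ENV::CERTFQDN"` and `"IP:$ENV::CERTIP"` carry the subjectAltName type prefix in the lookup key, while ca_request() in the next hunk already puts the same `DNS:`/`IP:` prefix into the value it stores under them, so the prefix is recorded twice. If whatever exports this table into OpenSSL's environment derives the variable name from the key (for instance by stripping a fixed `$ENV::` prefix — that code is not in this hunk), a key that no longer begins with `$ENV::` would no longer export as CERTFQDN/CERTIP; please confirm against that code, and if the prefix on the key is not needed there, keep the keys as `"$ENV::CERTFQDN"` / `"$ENV::CERTIP"` and carry the prefix only in the value. Dropping `const` from the whole table also makes the key column writable; a `struct { const char *key; char *value; }` would keep the keys read-only while letting the values be freed.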
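Review bot: None of the three new snprintf() calls into `subjaltname` checks its return value, so a `keyname` longer than the buffer is silently truncated and the truncated name is what ends up in the certificate's subjectAltName; the old `strlcpy()` into `name[128]` had the same weakness, but this is the place to fix it. `HOST_NAME_MAX+5` covers `DNS:` plus the gethostname() result, but `keyname` comes from the caller (presumably the command line — not visible here) with no length bound in this hunk. Rather than repeating the check at all three sites, a small helper can do the formatting and refuse to issue a truncated name, as below; ca_request() continues past the end of this hunk.
```c
/* Format one subjectAltName entry (prefix + name); a name that does not
 * fit must fail rather than be issued truncated. */
static void
ca_altname(char *buf, size_t len, const char *prefix, const char *name)
{
	int ret;

	ret = snprintf(buf, len, "%s%s", prefix, name);
	if (ret < 0 || (size_t)ret >= len)
		errx(1, "subjectAltName too long: %s", name);
}

	/* … unchanged: declarations, CERT_CN … */
	if (type == HOST_IPADDR) {
		ca_altname(subjaltname, sizeof(subjaltname), "IP:", keyname);
		ca_setenv("IP:$ENV::CERTIP", subjaltname);
		/* … unchanged: REQ_EXT … */
	} else if (type == HOST_FQDN) {
		if (!strcmp(keyname, "local")) {
			if (gethostname(hostname, sizeof(hostname)))
				err(1, "gethostname");
			ca_altname(subjaltname, sizeof(subjaltname), "DNS:", hostname);
		} else
			ca_altname(subjaltname, sizeof(subjaltname), "DNS:", keyname);
		/* … unchanged: CERTFQDN / REQ_EXT … */
```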
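Review bot: The comment `/* call ca_clrenv again to free the char*'s allocated by ca_setenv */` says "again", but no earlier ca_clrenv() call is visible in ca_certificate(), so a reader will go looking for one; what the line actually documents is the ownership rule the new code relies on. Suggest `/* ca_setenv() strdup()s every value it stores; release them before returning */`, which states why the call is required without implying a first call.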
@@ -440,6 +446,9 @@ ca_create(struct ca *ca)
 /* Create the CRL revocation list */
 ca_revoke(ca, NULL);
+ /* call ca_clrenv again to free the char*'s allocated by ca_setenv */
+ ca_clrenv();
+ return (0);
 }
@@ -892,6 +901,11 @@ ca_revoke(struct ca *ca, char *keyname)
 ca->passfile, ca->sslpath, ca->sslpath);
 system(cmd);
+ if (keyname) {
+ /* ca_revoke() called directly from ca_opt() so free char *'s */
+ ca_clrenv();
+ }
+ return (0);
 }
@@ -899,20 +913,26 @@ void
 ca_clrenv(void)
 {
 int i;
- for (i = 0; ca_env[i][0] != NULL; i++)
+ for (i = 0; ca_env[i][0] != NULL; i++) {
+ free((char *) ca_env[i][1]);
 ca_env[i][1] = NULL;
+ }
 }
 void
 ca_setenv(const char *key, const char *value)
 {
 int i;
+ char *p = NULL;
 for (i = 0; ca_env[i][0] != NULL; i++) {
 if (strcmp(ca_env[i][0], key) == 0) {
 if (ca_env[i][1] != NULL)
 errx(1, "env %s already set: %s", key, value);
- ca_env[i][1] = value;
+ p = strdup(value);
+ if (p == NULL)
+ err(1, NULL);
+ ca_env[i][1] = p;
 return;
 }
 }
-- Sent from: http://openbsd-archive.7691.n7.nabble.com/openbsd-dev-bugs-f183916.html
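Review bot: Deciding whether to free the table from `if (keyname)` ties the cleanup to an argument's value rather than to who owns the values: the comment assumes a non-NULL keyname means a direct call from ca_opt() and NULL means the call from ca_create() (the NULL call is visible in the previous hunk; ca_opt() is not in this patch), which this function cannot verify. Any future caller that passes a keyname and then sets more variables trips ca_setenv()'s "already set" errx, and one that passes NULL leaks every strdup()ed value. Letting the code that populated the table clear it — ca_opt() after dispatching any command — removes the need for this block; failing that, word the comment as the invariant rather than the call site, e.g. `/* a keyed revoke owns the env values; ca_create() clears them itself */`. While here: `system(cmd)` on the context line is unchecked, so the new cleanup and `return (0)` run even when the revoke command failed — pre-existing, but a silently failed revocation is a bad failure mode.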
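Review bot: `free((char *) ca_env[i][1]);` no longer needs the cast once the table's element type is `char *` (first hunk of this patch); `free(ca_env[i][1]);` is enough, and the cast would only hide a future `const` mistake. More important, ca_clrenv() now assumes every non-NULL value was obtained from strdup() in ca_setenv(), so any other assignment to `ca_env[i][1]` elsewhere in the file (a literal, an argv pointer) would now be handed to free() — the rest of the file is not visible here, so please grep for direct writes to `ca_env[...][1]` before committing. The `= NULL` initializer on `p` is dead, as `p` is always assigned before it is read; `char *p;` suffices. ca_setenv()'s body continues past the end of this hunk (the not-found path after the loop is not shown).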