On Wed, Oct 25, 2017 at 06:03:44AM -0700, j...@posteo.de wrote: > The patched submitted by Andrei fixed it for me. > There are some style issues, I fixed the ones I saw and reattached the > patch. > > Index: ikeca.c > =================================================================== > RCS file: /cvs/src/usr.sbin/ikectl/ikeca.c,v > retrieving revision 1.46 > diff -u -p -r1.46 ikeca.c > --- ikeca.c 8 Jun 2017 11:45:44 -0000 1.46 > +++ ikeca.c 25 Oct 2017 12:51:59 -0000 > @@ -85,11 +85,11 @@ struct { > }; > > /* explicitly list allowed variables */ > -const char *ca_env[][2] = { > +char *ca_env[][2] = { > { "$ENV::CADB", NULL }, > { "$ENV::CASERIAL", NULL }, > - { "$ENV::CERTFQDN", NULL }, > - { "$ENV::CERTIP", NULL }, > + { "DNS:$ENV::CERTFQDN", NULL }, > + { "IP:$ENV::CERTIP", NULL }, > { "$ENV::CERTPATHLEN", NULL }, > { "$ENV::CERTUSAGE", NULL }, > { "$ENV::CERT_C", NULL }, > @@ -202,23 +202,26 @@ ca_request(struct ca *ca, char *keyname, > { > char cmd[PATH_MAX * 2]; > char hostname[HOST_NAME_MAX+1]; > - char name[128]; > + char subjaltname[HOST_NAME_MAX+5]; > char path[PATH_MAX]; > > ca_setenv("$ENV::CERT_CN", keyname); > > - strlcpy(name, keyname, sizeof(name)); > - > if (type == HOST_IPADDR) { > - ca_setenv("$ENV::CERTIP", name); > + snprintf(subjaltname, sizeof(subjaltname), "IP:%s", keyname); > + ca_setenv("IP:$ENV::CERTIP", subjaltname); > ca_setenv("$ENV::REQ_EXT", "x509v3_IPAddr"); > } else if (type == HOST_FQDN) { > if (!strcmp(keyname, "local")) { > if (gethostname(hostname, sizeof(hostname))) > err(1, "gethostname"); > - strlcpy(name, hostname, sizeof(name)); > + snprintf(subjaltname, sizeof(subjaltname), "DNS:%s", > + hostname); > + } else { > + snprintf(subjaltname, sizeof(subjaltname), "DNS:%s", > + keyname); > } > - ca_setenv("$ENV::CERTFQDN", name); > + ca_setenv("DNS:$ENV::CERTFQDN", subjaltname); > ca_setenv("$ENV::REQ_EXT", "x509v3_FQDN"); > } else { > errx(1, "unknown host type %d", type); > @@ -306,6 +309,9 @@ ca_certificate(struct ca *ca, char *keyn > ca_request(ca, keyname, type); > ca_sign(ca, keyname, type); > > + /* call ca_clrenv again to free the char*'s allocated by ca_setenv */ > + ca_clrenv(); > + > return (0); > } > > @@ -440,6 +446,9 @@ ca_create(struct ca *ca) > /* Create the CRL revocation list */ > ca_revoke(ca, NULL); > > + /* call ca_clrenv again to free the char*'s allocated by ca_setenv */ > + ca_clrenv(); > + > return (0); > } > > @@ -892,6 +901,11 @@ ca_revoke(struct ca *ca, char *keyname) > ca->passfile, ca->sslpath, ca->sslpath); > system(cmd); > > + if (keyname) { > + /* ca_revoke() called directly from ca_opt() so free char *'s */ > + ca_clrenv(); > + } > + > return (0); > } > > @@ -899,20 +913,26 @@ void > ca_clrenv(void) > { > int i; > - for (i = 0; ca_env[i][0] != NULL; i++) > + for (i = 0; ca_env[i][0] != NULL; i++) { > + free((char *) ca_env[i][1]); > ca_env[i][1] = NULL; > + } > } > > void > ca_setenv(const char *key, const char *value) > { > int i; > + char *p = NULL; > > for (i = 0; ca_env[i][0] != NULL; i++) { > if (strcmp(ca_env[i][0], key) == 0) { > if (ca_env[i][1] != NULL) > errx(1, "env %s already set: %s", key, value); > - ca_env[i][1] = value; > + p = strdup(value); > + if (p == NULL) > + err(1, NULL); > + ca_env[i][1] = p; > return; > } > }
Good find by Andrei, I will have a look!