On Wed, Oct 25, 2017 at 06:03:44AM -0700, j...@posteo.de wrote:
> The patched submitted by Andrei fixed it for me.
> There are some style issues, I fixed the ones I saw and reattached the
> patch.
>
> Index: ikeca.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/ikectl/ikeca.c,v
> retrieving revision 1.46
> diff -u -p -r1.46 ikeca.c
> --- ikeca.c 8 Jun 2017 11:45:44 -0000 1.46
> +++ ikeca.c 25 Oct 2017 12:51:59 -0000
> @@ -85,11 +85,11 @@ struct {
> };
>
> /* explicitly list allowed variables */
> -const char *ca_env[][2] = {
> +char *ca_env[][2] = {
> { "$ENV::CADB", NULL },
> { "$ENV::CASERIAL", NULL },
> - { "$ENV::CERTFQDN", NULL },
> - { "$ENV::CERTIP", NULL },
> + { "DNS:$ENV::CERTFQDN", NULL },
> + { "IP:$ENV::CERTIP", NULL },
> { "$ENV::CERTPATHLEN", NULL },
> { "$ENV::CERTUSAGE", NULL },
> { "$ENV::CERT_C", NULL },
> @@ -202,23 +202,26 @@ ca_request(struct ca *ca, char *keyname,
> {
> char cmd[PATH_MAX * 2];
> char hostname[HOST_NAME_MAX+1];
> - char name[128];
> + char subjaltname[HOST_NAME_MAX+5];
> char path[PATH_MAX];
>
> ca_setenv("$ENV::CERT_CN", keyname);
>
> - strlcpy(name, keyname, sizeof(name));
> -
> if (type == HOST_IPADDR) {
> - ca_setenv("$ENV::CERTIP", name);
> + snprintf(subjaltname, sizeof(subjaltname), "IP:%s", keyname);
> + ca_setenv("IP:$ENV::CERTIP", subjaltname);
> ca_setenv("$ENV::REQ_EXT", "x509v3_IPAddr");
> } else if (type == HOST_FQDN) {
> if (!strcmp(keyname, "local")) {
> if (gethostname(hostname, sizeof(hostname)))
> err(1, "gethostname");
> - strlcpy(name, hostname, sizeof(name));
> + snprintf(subjaltname, sizeof(subjaltname), "DNS:%s",
> + hostname);
> + } else {
> + snprintf(subjaltname, sizeof(subjaltname), "DNS:%s",
> + keyname);
> }
> - ca_setenv("$ENV::CERTFQDN", name);
> + ca_setenv("DNS:$ENV::CERTFQDN", subjaltname);
> ca_setenv("$ENV::REQ_EXT", "x509v3_FQDN");
> } else {
> errx(1, "unknown host type %d", type);
> @@ -306,6 +309,9 @@ ca_certificate(struct ca *ca, char *keyn
> ca_request(ca, keyname, type);
> ca_sign(ca, keyname, type);
>
> + /* call ca_clrenv again to free the char*'s allocated by ca_setenv */
> + ca_clrenv();
> +
> return (0);
> }
>
> @@ -440,6 +446,9 @@ ca_create(struct ca *ca)
> /* Create the CRL revocation list */
> ca_revoke(ca, NULL);
>
> + /* call ca_clrenv again to free the char*'s allocated by ca_setenv */
> + ca_clrenv();
> +
> return (0);
> }
>
> @@ -892,6 +901,11 @@ ca_revoke(struct ca *ca, char *keyname)
> ca->passfile, ca->sslpath, ca->sslpath);
> system(cmd);
>
> + if (keyname) {
> + /* ca_revoke() called directly from ca_opt() so free char *'s */
> + ca_clrenv();
> + }
> +
> return (0);
> }
>
> @@ -899,20 +913,26 @@ void
> ca_clrenv(void)
> {
> int i;
> - for (i = 0; ca_env[i][0] != NULL; i++)
> + for (i = 0; ca_env[i][0] != NULL; i++) {
> + free((char *) ca_env[i][1]);
> ca_env[i][1] = NULL;
> + }
> }
>
> void
> ca_setenv(const char *key, const char *value)
> {
> int i;
> + char *p = NULL;
>
> for (i = 0; ca_env[i][0] != NULL; i++) {
> if (strcmp(ca_env[i][0], key) == 0) {
> if (ca_env[i][1] != NULL)
> errx(1, "env %s already set: %s", key, value);
> - ca_env[i][1] = value;
> + p = strdup(value);
> + if (p == NULL)
> + err(1, NULL);
> + ca_env[i][1] = p;
> return;
> }
> }
Good find by Andrei, I will have a look!
