On 2017/05/19 00:32, Matthew Martin wrote: > ikectl errors in a number of situations where shell special characters > are used. For example: > > % doas ikectl ca test create password \' > [...] > subject=/C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=VPN > CA/[email protected] > Getting Private key > sh: no closing quote > > This is because it uses system(3) in various places to run openssl, tar, > and zip. Take the hint from the system(3) man page, and write a small > function that does the fork and exec bypassing sh.
This seems like a good idea anyway, but this diff from Andrei-Marius Radu to stop passing the password on the command line is still pending : https://marc.info/?l=openbsd-bugs&m=149064755410645&w=2
Index: ikeca.c
===================================================================
RCS file: /cvs/src/usr.sbin/ikectl/ikeca.c,v
retrieving revision 1.42
diff -u -p -r1.42 ikeca.c
--- ikeca.c 29 Mar 2017 08:19:13 -0000 1.42
+++ ikeca.c 19 May 2017 08:55:36 -0000
@@ -108,7 +108,6 @@ const char *ca_env[][2] = {
int ca_sign(struct ca *, char *, int);
int ca_request(struct ca *, char *, int);
void ca_newpass(char *, char *);
-char *ca_readpass(char *, size_t *);
int fcopy(char *, char *, mode_t);
void fcopy_env(const char *, const char *, mode_t);
int rm_dir(char *);
@@ -809,33 +808,6 @@ ca_export(struct ca *ca, char *keyname,
return (0);
}
-char *
-ca_readpass(char *path, size_t *len)
-{
- FILE *f;
- char *p, *r;
-
- if ((f = fopen(path, "r")) == NULL) {
- warn("fopen %s", path);
- return (NULL);
- }
-
- if ((p = fgetln(f, len)) != NULL) {
- if ((r = malloc(*len + 1)) == NULL)
- err(1, "malloc");
- memcpy(r, p, *len);
- if (r[*len - 1] == '\n')
- r[*len - 1] = '\0';
- else
- r[*len] = '\0';
- } else
- r = NULL;
-
- fclose(f);
-
- return (r);
-}
-
/* create index if it doesn't already exist */
void
ca_create_index(struct ca *ca)
@@ -879,8 +851,6 @@ ca_revoke(struct ca *ca, char *keyname)
struct stat st;
char cmd[PATH_MAX * 2];
char path[PATH_MAX];
- char *pass;
- size_t len;
if (keyname) {
snprintf(path, sizeof(path), "%s/%s.crt",
@@ -891,11 +861,6 @@ ca_revoke(struct ca *ca, char *keyname)
}
}
- snprintf(path, sizeof(path), "%s/ikeca.passwd", ca->sslpath);
- pass = ca_readpass(path, &len);
- if (pass == NULL)
- errx(1, "could not open passphrase file");
-
ca_create_index(ca);
ca_setenv("$ENV::CADB", ca->index);
@@ -905,27 +870,24 @@ ca_revoke(struct ca *ca, char *keyname)
if (keyname) {
snprintf(cmd, sizeof(cmd),
"%s ca %s-config %s -keyfile %s/private/ca.key"
- " -key %s"
+ " -passin file:%s"
" -cert %s/ca.crt"
" -revoke %s/%s.crt", PATH_OPENSSL, ca->batch, ca->sslcnf,
- ca->sslpath, pass, ca->sslpath, ca->sslpath, keyname);
+ ca->sslpath, ca->passfile, ca->sslpath, ca->sslpath, keyname);
system(cmd);
}
snprintf(cmd, sizeof(cmd),
"%s ca %s-config %s -keyfile %s/private/ca.key"
- " -key %s"
+ " -passin file:%s"
" -gencrl"
" -cert %s/ca.crt"
" -crldays 365"
" -out %s/ca.crl", PATH_OPENSSL, ca->batch, ca->sslcnf, ca->sslpath,
- pass, ca->sslpath, ca->sslpath);
+ ca->passfile, ca->sslpath, ca->sslpath);
system(cmd);
-
- explicit_bzero(pass, len);
- free(pass);
return (0);
}
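Review bot: The new `-passin file:%s` lines still splice `ca->passfile` into a shell command string that is handed to `system(cmd)`, so the shell-metacharacter breakage described at the top of this thread is unchanged for that path, and the return value of both `snprintf(cmd, sizeof(cmd), ...)` calls remains unchecked, so an over-long path would silently run a truncated openssl command line. Capturing the length, `n = snprintf(cmd, sizeof(cmd), ...);` followed by `if (n < 0 || (size_t)n >= sizeof(cmd)) errx(1, "command too long");` before each `system(cmd)`, closes the truncation case; routing the arguments through a fork/exec helper, as proposed in the quoted message, closes the quoting one. `ca->passfile` is not declared in any hunk visible here, so presumably it is added to `struct ca` and populated elsewhere in the pending diff; since that file now carries the CA passphrase it should be created with owner-only permissions, which is worth a comment at the point it is written. Moving the passphrase off argv is otherwise the right direction, as the old `-key %s` form left it visible to any process listing; the rest of ca_revoke begins outside this hunk.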
