On Thu, Jul 23, 2015 at 05:03:26PM +0100, Stuart Henderson wrote:
> This avoids breaking with shell special characters. OK for the simple
> fix? Or is there a safer way to feed in the password?
I'm OK with this change. It should be possible to write
the passphrase to a fd/stdin instead?
>
> I also noticed that ikeca.cnf doesn't get installed (the distribution:
> target in ikectl/Makefile is commented out), is there a reason for
> that?
ikectl used to be a script before being translated to C
and imported. When it existed separately, ikeca.cnf existed
for options that hadn't been added to the default
openssl .cnf files.
It looks like the removal of support for environment variables
in openssl config files broke ikeca.cnf/ikectl though.
>
> Index: ikeca.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/ikectl/ikeca.c,v
> retrieving revision 1.30
> diff -u -p -r1.30 ikeca.c
> --- ikeca.c 16 Jan 2015 06:40:17 -0000 1.30
> +++ ikeca.c 23 Jul 2015 15:57:57 -0000
> @@ -774,7 +774,7 @@ ca_revoke(struct ca *ca, char *keyname)
> if (keyname) {
> snprintf(cmd, sizeof(cmd), "env CADB='%s/index.txt' "
> " %s ca %s-config %s -keyfile %s/private/ca.key"
> - " -key %s"
> + " -key '%s'"
> " -cert %s/ca.crt"
> " -md sha1"
> " -revoke %s/%s.crt",
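Review bot: single-quoting the -key argument stops word splitting, globbing and $/backtick expansion, but it does not survive a ' inside the passphrase itself: a single quote in the value closes the quoted word early and whatever follows is parsed by the shell, so the command either fails or runs with attacker-chosen text. Either rewrite each ' as '\'' (or reject passphrases containing ') before formatting the command, or, as suggested above, keep the passphrase off the command line entirely and hand it to openssl over a pipe with -passin fd:N, which also keeps it out of ps(1) output visible to other users.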
> @@ -785,7 +785,7 @@ ca_revoke(struct ca *ca, char *keyname)
>
> snprintf(cmd, sizeof(cmd), "env CADB='%s/index.txt' "
> " %s ca %s-config %s -keyfile %s/private/ca.key"
> - " -key %s"
> + " -key '%s'"
> " -gencrl"
> " -cert %s/ca.crt"
> " -md sha1"
>
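Review bot: the same '-in-passphrase hazard applies to the -gencrl command, and the two snprintf strings now duplicate identical password handling; one helper that spawns openssl without a shell and feeds the passphrase through a descriptor would fix both call sites and remove the need for quoting altogether. Not part of this change but visible in the context: -md sha1 signs the CRL with SHA-1, and sha256 would be the better default.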