On Thu, Jul 23, 2015 at 03:57:20PM -0600, Jérémie Courrèges-Anglas wrote:
> Stuart Henderson <[email protected]> writes:
>
> > This avoids breaking with shell special characters. OK for the simple
> > fix? Or is there a safer way to feed in the password?
>
> OK. I only took a quick look at it, but -key seems the only way to pass
> the password, and switching this to execv(e) seems intrusive.
execv(e) would be the proper way to do this without shell interaction:
with the patch, a password with a ' character inside would get the
shell into trouble.
A long-term solution is definitely to have *another* way to pass the
key. A command argument is something visible with ps.
> > I also noticed that ikeca.cnf doesn't get installed (the distribution:
> > target in ikectl/Makefile is commented out), is there a reason for
> > that?
> >
> > Index: ikeca.c
> > ===================================================================
> > RCS file: /cvs/src/usr.sbin/ikectl/ikeca.c,v
> > retrieving revision 1.30
> > diff -u -p -r1.30 ikeca.c
> > --- ikeca.c 16 Jan 2015 06:40:17 -0000 1.30
> > +++ ikeca.c 23 Jul 2015 15:57:57 -0000
> > @@ -774,7 +774,7 @@ ca_revoke(struct ca *ca, char *keyname)
> > if (keyname) {
> > snprintf(cmd, sizeof(cmd), "env CADB='%s/index.txt' "
> > " %s ca %s-config %s -keyfile %s/private/ca.key"
> > - " -key %s"
> > + " -key '%s'"
> > " -cert %s/ca.crt"
> > " -md sha1"
> > " -revoke %s/%s.crt",
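Review bot: the `'%s'` on the `-key` line still breaks on a password that contains a `'`: the embedded quote closes the single-quoted string and everything after it is parsed by the shell, which is the case Sebastien raises. If the command has to remain a shell string, the password needs escaping before it is formatted into cmd (each `'` replaced by `'\''`); otherwise build an argv and execv the openssl binary directly so that no shell ever parses it.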
> > @@ -785,7 +785,7 @@ ca_revoke(struct ca *ca, char *keyname)
> >
> > snprintf(cmd, sizeof(cmd), "env CADB='%s/index.txt' "
> > " %s ca %s-config %s -keyfile %s/private/ca.key"
> > - " -key %s"
> > + " -key '%s'"
> > " -gencrl"
> > " -cert %s/ca.crt"
> > " -md sha1"
> >
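Review bot: the same `'%s'` weakness is copied into the -gencrl command, and the two snprintf calls differ only in `-revoke %s/%s.crt` versus `-gencrl`; factoring the shared prefix (env CADB=..., -keyfile, -key, -cert, -md) into one helper would keep any quoting fix in a single place. Within the visible lines the snprintf return value is not checked, so a password long enough to exceed sizeof(cmd) is silently truncated rather than rejected. Whatever the quoting, `-key` keeps the password in the argument list and visible to ps, as the thread already notes; openssl's -passin option with a file:, fd: or env: source avoids that.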
>
--
Sebastien Marie
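Sebastien's execv suggestion worked through, as an added example that is neither the thread's nor ikectl's code. It assumes the command shape of the quoted hunk with `-config` as the option name, uses placeholder paths, and shows both the escaping a shell-string build would need and the argv build that lets the password reach openssl without any shell.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
/* Append len bytes of s to out, always keeping room for the NUL. */
static int put(char *out, size_t sz, size_t *n, const char *s, size_t len)
{
	if (*n + len + 1 > sz) return -1;
	memcpy(out + *n, s, len);
	*n += len;
	out[*n] = '\0';
	return 0;
}

/* Shell route: each ' must become '\'' (pa'ss -> 'pa'\''ss'); the patch's bare '%s' breaks at the first one. */
int shell_single_quote(const char *s, char *out, size_t sz)
{
	size_t n = 0;
	if (put(out, sz, &n, "'", 1) < 0) return -1;
	for (; *s; s++)
		if (put(out, sz, &n, *s == '\'' ? "'\\''" : s, *s == '\'' ? 4 : 1) < 0)
			return -1;
	return put(out, sz, &n, "'", 1);
}

/* argv route: the password is one argv element openssl receives verbatim; no shell parses it. Layout follows the hunk, "-config" assumed. */
int build_revoke_argv(const char *argv[], size_t max, const char *key,
    const char *keyfile, const char *cert, const char *crt)
{
	const char *v[] = { "openssl", "ca", "-config", "ikeca.cnf", "-keyfile",
	    keyfile, "-key", key, "-cert", cert, "-md", "sha1", "-revoke", crt, NULL };
	if (sizeof(v) / sizeof(v[0]) > max) return -1;
	memcpy(argv, v, sizeof(v));
	return (int)(sizeof(v) / sizeof(v[0])) - 1;	/* argc, excluding the NULL */
}

/* fork/execvp in place of system(); CADB is set in the child's environment, as the hunk's "env CADB=" did. */
int run_argv(const char *argv[], const char *cadb)
{
	int st;
	pid_t pid = fork();
	if (pid < 0) return -1;
	if (pid == 0) {
		setenv("CADB", cadb, 1);
		execvp(argv[0], (char *const *)argv);
		_exit(127);
	}
	return waitpid(pid, &st, 0) < 0 ? -1 : st;
}
```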