From d535b9ed60d5d0737cbae4a6a6fa998976eca4b7 Mon Sep 17 00:00:00 2001 From: jsg Date: Thu, 8 Jun 2017 11:45:44 +0000 Subject: [PATCH] Invoke openssl with -passin file rather than -key in ca_revoke(). From Andrei-Marius Radu via sthen@ --- usr.sbin/ikectl/ikeca.c | 46 +++++------------------------------------ 1 file changed, 5 insertions(+), 41 deletions(-) diff --git a/usr.sbin/ikectl/ikeca.c b/usr.sbin/ikectl/ikeca.c index 08f96b5f705..3dacac9e83e 100644 --- a/usr.sbin/ikectl/ikeca.c +++ b/usr.sbin/ikectl/ikeca.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ikeca.c,v 1.45 2017/05/31 06:46:57 jsg Exp $ */ +/* $OpenBSD: ikeca.c,v 1.46 2017/06/08 11:45:44 jsg Exp $ */ /* * Copyright (c) 2010 Jonathan Gray @@ -108,7 +108,6 @@ const char *ca_env[][2] = { int ca_sign(struct ca *, char *, int); int ca_request(struct ca *, char *, int); void ca_newpass(char *, char *); -char *ca_readpass(char *, size_t *); int fcopy(char *, char *, mode_t); void fcopy_env(const char *, const char *, mode_t); int rm_dir(char *); @@ -809,33 +808,6 @@ ca_export(struct ca *ca, char *keyname, char *myname, char *password) return (0); } -char * -ca_readpass(char *path, size_t *len) -{ - FILE *f; - char *p, *r; - - if ((f = fopen(path, "r")) == NULL) { - warn("fopen %s", path); - return (NULL); - } - - if ((p = fgetln(f, len)) != NULL) { - if ((r = malloc(*len + 1)) == NULL) - err(1, "malloc"); - memcpy(r, p, *len); - if (r[*len - 1] == '\n') - r[*len - 1] = '\0'; - else - r[*len] = '\0'; - } else - r = NULL; - - fclose(f); - - return (r); -} - /* create index if it doesn't already exist */ void ca_create_index(struct ca *ca) @@ -879,8 +851,6 @@ ca_revoke(struct ca *ca, char *keyname) struct stat st; char cmd[PATH_MAX * 2]; char path[PATH_MAX]; - char *pass; - size_t len; if (keyname) { snprintf(path, sizeof(path), "%s/%s.crt", @@ -891,11 +861,6 @@ ca_revoke(struct ca *ca, char *keyname) } } - snprintf(path, sizeof(path), "%s/ikeca.passwd", ca->sslpath); - pass = ca_readpass(path, &len); - if (pass == NULL) - errx(1, "could not open passphrase file"); - ca_create_index(ca); ca_setenv("$ENV::CADB", ca->index); @@ -908,26 +873,25 @@ ca_revoke(struct ca *ca, char *keyname) if (keyname) { snprintf(cmd, sizeof(cmd), "%s ca %s-config %s -keyfile %s/private/ca.key" - " -key %s" + " -passin file:%s" " -cert %s/ca.crt" " -revoke %s/%s.crt", PATH_OPENSSL, ca->batch, ca->sslcnf, - ca->sslpath, pass, ca->sslpath, ca->sslpath, keyname); + ca->sslpath, ca->passfile, ca->sslpath, ca->sslpath, keyname); system(cmd); } snprintf(cmd, sizeof(cmd), "%s ca %s-config %s -keyfile %s/private/ca.key" - " -key %s" + " -passin file:%s" " -gencrl" " -cert %s/ca.crt" " -crldays 365" " -out %s/ca.crl", PATH_OPENSSL, ca->batch, ca->sslcnf, ca->sslpath, - pass, ca->sslpath, ca->sslpath); + ca->passfile, ca->sslpath, ca->sslpath); system(cmd); - freezero(pass, len); return (0); } -- 2.20.1