Quantcast

[patch] Use readpassphrase in ikectl

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[patch] Use readpassphrase in ikectl

Matthew Martin
While making the last patch, I noticed ikectl uses getpass. Use
readpassphrase instead and explicit_bzero the buffers.

- Matthew Martin



diff --git ikeca.c ikeca.c
index 69ca076407b..2ec010a5831 100644
--- ikeca.c
+++ ikeca.c
@@ -22,6 +22,7 @@
 #include <unistd.h>
 #include <err.h>
 #include <errno.h>
+#include <readpassphrase.h>
 #include <string.h>
 #include <stdlib.h>
 #include <sys/wait.h>
@@ -636,7 +637,7 @@ ca_export(struct ca *ca, char *keyname, char *myname, char *password)
  DIR *dexp;
  struct dirent *de;
  struct stat st;
- char *pass;
+ char pass[_PASSWORD_LEN + 1];
  char prev[_PASSWORD_LEN + 1];
  char passenv[_PASSWORD_LEN + 8];
  char oname[PATH_MAX];
@@ -667,16 +668,21 @@ ca_export(struct ca *ca, char *keyname, char *myname, char *password)
  if (password != NULL)
  snprintf(passenv, sizeof(passenv), "EXPASS=%s", password);
  else {
- pass = getpass("Export passphrase:");
- if (pass == NULL || *pass == '\0')
- err(1, "password not set");
-
- strlcpy(prev, pass, sizeof(prev));
- pass = getpass("Retype export passphrase:");
- if (pass == NULL || strcmp(prev, pass) != 0)
+ if (readpassphrase("Export passphrase:", prev, sizeof(prev), 0)
+    == NULL)
+ errx(1, "unable to read passphrase");
+ if (*prev == '\0')
+ errx(1, "password not set");
+
+ if (readpassphrase("Retype export passphrase:", pass,
+    sizeof(pass), 0) == NULL)
+ errx(1, "unable to read passphrase");
+ if (strcmp(prev, pass) != 0)
  errx(1, "passphrase does not match!");
 
  snprintf(passenv, sizeof(passenv), "EXPASS=%s", pass);
+ explicit_bzero(pass, sizeof(pass));
+ explicit_bzero(prev, sizeof(prev));
  }
 
  snprintf(cacrt, sizeof(cacrt), "%s/ca.crt", ca->sslpath);

Loading...