giomba
/
opensc
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

pkcs15-init: removed --options-file 

use an environment variable to pass a hidden PIN code instead of the
options file

fixes 13814 Resource leak as reported by Coverity Scan
This commit is contained in:
Frank Morgner 2020-02-18 22:49:29 +01:00
parent dca02dd9a0
commit 6b1770e7ad
2 changed files with 4 additions and 82 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
doc/tools/pkcs15-init.1.xml
View File

@ -346,27 +346,6 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>
<option>--options-file</option> <replaceable>filename</replaceable>
</term>
<listitem>
<para>
Tells <command>pkcs15-init</command> to read additional options
from <replaceable>filename</replaceable>. The file is supposed to
contain one long option per line, without the leading dashes,
for instance:
<programlisting>
pin 1234
puk 87654321
</programlisting>
</para>
<para>
You can specify <option>--options-file</option> several times.
</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term> <term>
<option>--pin</option>, <option>--pin</option>,
@ -384,10 +363,9 @@ puk 87654321
that on most operation systems, any user can that on most operation systems, any user can
display the command line of any process on the display the command line of any process on the
system using utilities such as system using utilities such as
<command>ps(1)</command>. Therefore, you should use <command>ps(1)</command>. Therefore, you should prefer
these options only on a secured system, or in an passing the values via a hidden environment variable
options file specified with on an unsecured system.
<option>--options-file</option>.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>

58
src/tools/pkcs15-init.c
View File

@ -115,13 +115,11 @@ static int do_read_public_key(const char *, const char *, EVP_PKEY **);
static int do_read_certificate(const char *, const char *, X509 **); static int do_read_certificate(const char *, const char *, X509 **);
static char * cert_common_name(X509 *x509); static char * cert_common_name(X509 *x509);
static void parse_commandline(int argc, char **argv); static void parse_commandline(int argc, char **argv);
static void read_options_file(const char *);
static void ossl_print_errors(void); static void ossl_print_errors(void);
static int verify_pin(struct sc_pkcs15_card *, char *); static int verify_pin(struct sc_pkcs15_card *, char *);
enum { enum {
OPT_OPTIONS = 0x100, OPT_PASSPHRASE = 0x100,
OPT_PASSPHRASE,
OPT_PUBKEY, OPT_PUBKEY,
OPT_SECRKEY, OPT_SECRKEY,
OPT_EXTRACTABLE, OPT_EXTRACTABLE,
@ -213,7 +211,6 @@ const struct option options[] = {
{ "profile", required_argument, NULL, 'p' }, { "profile", required_argument, NULL, 'p' },
{ "card-profile", required_argument, NULL, 'c' }, { "card-profile", required_argument, NULL, 'c' },
{ "options-file", required_argument, NULL, OPT_OPTIONS },
{ "md-container-guid", required_argument, NULL, OPT_MD_CONTAINER_GUID}, { "md-container-guid", required_argument, NULL, OPT_MD_CONTAINER_GUID},
{ "wait", no_argument, NULL, 'w' }, { "wait", no_argument, NULL, 'w' },
{ "help", no_argument, NULL, 'h' }, { "help", no_argument, NULL, 'h' },
@ -279,7 +276,6 @@ static const char * option_help[] = {
"Specify the general profile to use", "Specify the general profile to use",
"Specify the card profile to use", "Specify the card profile to use",
"Read additional command line options from file",
"For a new key specify GUID for a MD container", "For a new key specify GUID for a MD container",
"Wait for card insertion", "Wait for card insertion",
"Display this message", "Display this message",
@ -2774,9 +2770,6 @@ handle_option(const struct option *opt)
case 'w': case 'w':
opt_wait = 1; opt_wait = 1;
break; break;
case OPT_OPTIONS:
read_options_file(optarg);
break;
case OPT_PIN1: case OPT_PUK1: case OPT_PIN1: case OPT_PUK1:
case OPT_PIN2: case OPT_PUK2: case OPT_PIN2: case OPT_PUK2:
util_get_pin(optarg, &(opt_pins[opt->val & 3])); util_get_pin(optarg, &(opt_pins[opt->val & 3]));
@ -2954,55 +2947,6 @@ next: ;
} }
} }
/*
* Read a file containing more command line options.
* This allows you to specify PINs to pkcs15-init without
* exposing them through ps.
*/
static void
read_options_file(const char *filename)
{
const struct option *o;
char buffer[1024], *name;
FILE *fp;
if ((fp = fopen(filename, "r")) == NULL)
util_fatal("Unable to open %s: %m", filename);
while (fgets(buffer, sizeof(buffer), fp) != NULL) {
buffer[strcspn(buffer, "\n")] = '\0';
name = strtok(buffer, " \t");
while (name) {
if (*name == '#')
break;
for (o = options; o->name; o++)
if (!strcmp(o->name, name))
break;
if (!o->name) {
util_error("Unknown option \"%s\"\n", name);
util_print_usage_and_die(app_name, options, option_help, NULL);
}
if (o->has_arg != no_argument) {
optarg = strtok(NULL, "");
if (optarg) {
while (isspace((int) *optarg))
optarg++;
optarg = strdup(optarg);
}
}
if (o->has_arg == required_argument
&& (!optarg || !*optarg)) {
util_error("Option %s: missing argument\n", name);
util_print_usage_and_die(app_name, options, option_help, NULL);
}
handle_option(o);
name = strtok(NULL, " \t");
}
}
fclose(fp);
}
/* /*
* OpenSSL helpers * OpenSSL helpers
*/ */