pkcs15-init: removed --options-file
Use an environment variable to pass a hidden PIN code instead of the options file. Fixes 13814 (Resource leak), as reported by Coverity Scan.
parent
dca02dd9a0
commit
6b1770e7ad
|
@ -346,27 +346,6 @@
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
<term>
|
|
||||||
<option>--options-file</option> <replaceable>filename</replaceable>
|
|
||||||
</term>
|
|
||||||
<listitem>
|
|
||||||
<para>
|
|
||||||
Tells <command>pkcs15-init</command> to read additional options
|
|
||||||
from <replaceable>filename</replaceable>. The file is supposed to
|
|
||||||
contain one long option per line, without the leading dashes,
|
|
||||||
for instance:
|
|
||||||
<programlisting>
|
|
||||||
pin 1234
|
|
||||||
puk 87654321
|
|
||||||
</programlisting>
|
|
||||||
</para>
|
|
||||||
<para>
|
|
||||||
You can specify <option>--options-file</option> several times.
|
|
||||||
</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>
|
<term>
|
||||||
<option>--pin</option>,
|
<option>--pin</option>,
|
||||||
|
@ -384,10 +363,9 @@ puk 87654321
|
||||||
that on most operation systems, any user can
|
that on most operation systems, any user can
|
||||||
display the command line of any process on the
|
display the command line of any process on the
|
||||||
system using utilities such as
|
system using utilities such as
|
||||||
<command>ps(1)</command>. Therefore, you should use
|
<command>ps(1)</command>. Therefore, you should prefer
|
||||||
these options only on a secured system, or in an
|
passing the values via a hidden environment variable
|
||||||
options file specified with
|
on an unsecured system.
|
||||||
<option>--options-file</option>.
|
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
|
@ -115,13 +115,11 @@ static int do_read_public_key(const char *, const char *, EVP_PKEY **);
|
||||||
static int do_read_certificate(const char *, const char *, X509 **);
|
static int do_read_certificate(const char *, const char *, X509 **);
|
||||||
static char * cert_common_name(X509 *x509);
|
static char * cert_common_name(X509 *x509);
|
||||||
static void parse_commandline(int argc, char **argv);
|
static void parse_commandline(int argc, char **argv);
|
||||||
static void read_options_file(const char *);
|
|
||||||
static void ossl_print_errors(void);
|
static void ossl_print_errors(void);
|
||||||
static int verify_pin(struct sc_pkcs15_card *, char *);
|
static int verify_pin(struct sc_pkcs15_card *, char *);
|
||||||
|
|
||||||
enum {
|
enum {
|
||||||
OPT_OPTIONS = 0x100,
|
OPT_PASSPHRASE = 0x100,
|
||||||
OPT_PASSPHRASE,
|
|
||||||
OPT_PUBKEY,
|
OPT_PUBKEY,
|
||||||
OPT_SECRKEY,
|
OPT_SECRKEY,
|
||||||
OPT_EXTRACTABLE,
|
OPT_EXTRACTABLE,
|
||||||
|
@ -213,7 +211,6 @@ const struct option options[] = {
|
||||||
|
|
||||||
{ "profile", required_argument, NULL, 'p' },
|
{ "profile", required_argument, NULL, 'p' },
|
||||||
{ "card-profile", required_argument, NULL, 'c' },
|
{ "card-profile", required_argument, NULL, 'c' },
|
||||||
{ "options-file", required_argument, NULL, OPT_OPTIONS },
|
|
||||||
{ "md-container-guid", required_argument, NULL, OPT_MD_CONTAINER_GUID},
|
{ "md-container-guid", required_argument, NULL, OPT_MD_CONTAINER_GUID},
|
||||||
{ "wait", no_argument, NULL, 'w' },
|
{ "wait", no_argument, NULL, 'w' },
|
||||||
{ "help", no_argument, NULL, 'h' },
|
{ "help", no_argument, NULL, 'h' },
|
||||||
|
@ -279,7 +276,6 @@ static const char * option_help[] = {
|
||||||
|
|
||||||
"Specify the general profile to use",
|
"Specify the general profile to use",
|
||||||
"Specify the card profile to use",
|
"Specify the card profile to use",
|
||||||
"Read additional command line options from file",
|
|
||||||
"For a new key specify GUID for a MD container",
|
"For a new key specify GUID for a MD container",
|
||||||
"Wait for card insertion",
|
"Wait for card insertion",
|
||||||
"Display this message",
|
"Display this message",
|
||||||
|
@ -2774,9 +2770,6 @@ handle_option(const struct option *opt)
|
||||||
case 'w':
|
case 'w':
|
||||||
opt_wait = 1;
|
opt_wait = 1;
|
||||||
break;
|
break;
|
||||||
case OPT_OPTIONS:
|
|
||||||
read_options_file(optarg);
|
|
||||||
break;
|
|
||||||
case OPT_PIN1: case OPT_PUK1:
|
case OPT_PIN1: case OPT_PUK1:
|
||||||
case OPT_PIN2: case OPT_PUK2:
|
case OPT_PIN2: case OPT_PUK2:
|
||||||
util_get_pin(optarg, &(opt_pins[opt->val & 3]));
|
util_get_pin(optarg, &(opt_pins[opt->val & 3]));
|
||||||
|
@ -2954,55 +2947,6 @@ next: ;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
|
||||||
* Read a file containing more command line options.
|
|
||||||
* This allows you to specify PINs to pkcs15-init without
|
|
||||||
* exposing them through ps.
|
|
||||||
*/
|
|
||||||
static void
|
|
||||||
read_options_file(const char *filename)
|
|
||||||
{
|
|
||||||
const struct option *o;
|
|
||||||
char buffer[1024], *name;
|
|
||||||
FILE *fp;
|
|
||||||
|
|
||||||
if ((fp = fopen(filename, "r")) == NULL)
|
|
||||||
util_fatal("Unable to open %s: %m", filename);
|
|
||||||
while (fgets(buffer, sizeof(buffer), fp) != NULL) {
|
|
||||||
buffer[strcspn(buffer, "\n")] = '\0';
|
|
||||||
|
|
||||||
name = strtok(buffer, " \t");
|
|
||||||
while (name) {
|
|
||||||
if (*name == '#')
|
|
||||||
break;
|
|
||||||
for (o = options; o->name; o++)
|
|
||||||
if (!strcmp(o->name, name))
|
|
||||||
break;
|
|
||||||
if (!o->name) {
|
|
||||||
util_error("Unknown option \"%s\"\n", name);
|
|
||||||
util_print_usage_and_die(app_name, options, option_help, NULL);
|
|
||||||
}
|
|
||||||
if (o->has_arg != no_argument) {
|
|
||||||
optarg = strtok(NULL, "");
|
|
||||||
if (optarg) {
|
|
||||||
while (isspace((int) *optarg))
|
|
||||||
optarg++;
|
|
||||||
optarg = strdup(optarg);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if (o->has_arg == required_argument
|
|
||||||
&& (!optarg || !*optarg)) {
|
|
||||||
util_error("Option %s: missing argument\n", name);
|
|
||||||
util_print_usage_and_die(app_name, options, option_help, NULL);
|
|
||||||
}
|
|
||||||
handle_option(o);
|
|
||||||
name = strtok(NULL, " \t");
|
|
||||||
}
|
|
||||||
}
|
|
||||||
fclose(fp);
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* OpenSSL helpers
|
* OpenSSL helpers
|
||||||
*/
|
*/
|
||||||
|
|
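Review bot: Removing `OPT_OPTIONS` in the enum hunk moves `0x100` onto `OPT_PASSPHRASE` and shifts every following implicitly numbered enumerator down by one, while `handle_option` still picks the PIN slot with `opt_pins[opt->val & 3]`. That index stays correct only if `OPT_PIN1`, `OPT_PUK1`, `OPT_PIN2` and `OPT_PUK2` have explicit values whose low two bits are distinct. Their definitions are outside the visible hunks, so please confirm they are explicitly assigned and not derived from their position in the enum. A comment at the case labels would pin the invariant, e.g. `/* low two bits of OPT_PIN1..OPT_PUK2 index opt_pins[]; keep these values explicit */`. The enum and `handle_option` both continue outside the hunks shown.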