svn commit: r257601 - user/cperciva/pkesh

Colin Percival cperciva at FreeBSD.org
Mon Nov 4 02:58:17 UTC 2013 

Author: cperciva
Date: Mon Nov  4 02:58:16 2013
New Revision: 257601
URL: http://svnweb.freebsd.org/changeset/base/257601

Log:
  Add paranoid quoting of strings containing variables.
  
  Use $TMPDIR instead of $TMP for temporary files.
  
  Submitted by:	jilles

Modified:
  user/cperciva/pkesh/pkesh.sh

Modified: user/cperciva/pkesh/pkesh.sh
==============================================================================
--- user/cperciva/pkesh/pkesh.sh	Mon Nov  4 02:50:43 2013	(r257600)
+++ user/cperciva/pkesh/pkesh.sh	Mon Nov  4 02:58:16 2013	(r257601)
@@ -10,90 +10,90 @@ usage () {
 # gen priv.key pub.key
 gen () {
 	# Generate the key
-	openssl genrsa -out $D/rsakey -f4 2048 2>/dev/null
+	openssl genrsa -out "$D/rsakey" -f4 2048 2>/dev/null
 
 	# Write out private and public parts
-	cat $D/rsakey > $1
-	openssl rsa -in $D/rsakey -pubout > $2 2>/dev/null
+	cat "$D/rsakey" > "$1"
+	openssl rsa -in "$D/rsakey" -pubout > "$2" 2>/dev/null
 }
 
 # enc pub.key in out
 enc () {
 	# Generate a random 256-bit AES key
-	openssl rand 32 > $D/aeskey
+	openssl rand 32 > "$D/aeskey"
 
 	# Generate a random 128-bit IV
-	openssl rand 16 > $D/aesIV
+	openssl rand 16 > "$D/aesIV"
 
 	# Generate the encrypted data
-	KEY=`od -An -v -t x1 < $D/aeskey | tr -Cd '0-9a-fA-F'`
-	IV=`od -An -v -t x1 < $D/aesIV | tr -Cd '0-9a-fA-F'`
-	openssl enc -aes-256-cbc -K $KEY -iv $IV < $2 > $D/encdata
+	KEY=`od -An -v -t x1 < "$D/aeskey" | tr -Cd '0-9a-fA-F'`
+	IV=`od -An -v -t x1 < "$D/aesIV" | tr -Cd '0-9a-fA-F'`
+	openssl enc -aes-256-cbc -K $KEY -iv $IV < "$2" > "$D/encdata"
 
 	# Compute the SHA256 hash of the encrypted data
-	openssl dgst -sha256 -binary $D/encdata > $D/hash
+	openssl dgst -sha256 -binary "$D/encdata" > "$D/hash"
 
 	# Generate the header
-	cat $D/aeskey $D/aesIV $D/hash > $D/header
+	cat "$D/aeskey" "$D/aesIV" "$D/hash" > "$D/header"
 
 	# Generate the encrypted header
-	openssl rsautl -inkey $1 -pubin -encrypt -oaep \
-	    < $D/header > $D/encheader
+	openssl rsautl -inkey "$1" -pubin -encrypt -oaep \
+	    < "$D/header" > "$D/encheader"
 
 	# Generate the entire encrypted message
-	cat $D/encheader $D/encdata | openssl enc -base64 > $3
+	cat "$D/encheader" "$D/encdata" | openssl enc -base64 > "$3"
 }
 
 # dec priv.key in out
 dec () {
 	# Base-64 decode the encrypted message
-	openssl enc -d -base64 < $2 > $D/encmessage
+	openssl enc -d -base64 < "$2" > "$D/encmessage"
 
 	# Make sure the message is long enough
-	if [ `wc -c < $D/encmessage` -lt 256 ]; then
+	if [ `wc -c < "$D/encmessage"` -lt 256 ]; then
 		echo "Message is corrupt or truncated" >/dev/stderr
 		exit 1
 	fi
 
 	# Decrypt the header
-	dd if=$D/encmessage bs=256 count=1 of=$D/encheader 2>/dev/null
-	openssl rsautl -inkey $1 -decrypt -oaep < $D/encheader > $D/header
+	dd if="$D/encmessage" bs=256 count=1 of="$D/encheader" 2>/dev/null
+	openssl rsautl -inkey "$1" -decrypt -oaep < "$D/encheader" > "$D/header"
 
 	# Make sure the header is the right size
-	if [ `wc -c < $D/header` -ne 80 ]; then
+	if [ `wc -c < "$D/header"` -ne 80 ]; then
 		echo "Message is corrupt" >/dev/stderr
 		exit 1
 	fi
 
 	# Split header into components
-	dd if=$D/header bs=1 count=32 of=$D/aeskey 2>/dev/null
-	dd if=$D/header bs=1 skip=32 count=16 of=$D/aesIV 2>/dev/null
-	dd if=$D/header bs=1 skip=48 count=32 of=$D/hash 2>/dev/null
+	dd if="$D/header" bs=1 count=32 of="$D/aeskey" 2>/dev/null
+	dd if="$D/header" bs=1 skip=32 count=16 of="$D/aesIV" 2>/dev/null
+	dd if="$D/header" bs=1 skip=48 count=32 of="$D/hash" 2>/dev/null
 
 	# Verify the encrypted data hash
-	dd if=$D/encmessage bs=256 skip=1 2>/dev/null |
-	    openssl dgst -sha256 -binary > $D/encmessage.hash
-	if ! cmp -s $D/hash $D/encmessage.hash; then
+	dd if="$D/encmessage" bs=256 skip=1 2>/dev/null |
+	    openssl dgst -sha256 -binary > "$D/encmessage.hash"
+	if ! cmp -s "$D/hash" "$D/encmessage.hash"; then
 		echo "Message is corrupt or truncated" >/dev/stderr
 		exit 1
 	fi
 
 	# Decrypt the message
-	KEY=`od -An -v -t x1 < $D/aeskey | tr -Cd '0-9a-fA-F'`
-	IV=`od -An -v -t x1 < $D/aesIV | tr -Cd '0-9a-fA-F'`
-	dd if=$D/encmessage bs=256 skip=1 2>/dev/null |
-	    openssl enc -d -aes-256-cbc -K $KEY -iv $IV > $3
+	KEY=`od -An -v -t x1 < "$D/aeskey" | tr -Cd '0-9a-fA-F'`
+	IV=`od -An -v -t x1 < "$D/aesIV" | tr -Cd '0-9a-fA-F'`
+	dd if="$D/encmessage" bs=256 skip=1 2>/dev/null |
+	    openssl enc -d -aes-256-cbc -K $KEY -iv $IV > "$3"
 }
 
 # Get operation type
 if [ $# -lt 1 ]; then
 	usage
 fi
-OP=$1
+OP="$1"
 shift
 
 # Check operation type and number of operands
-case $OP in
+case "$OP" in
 gen)
 	if [ $# -ne 2 ]; then
 		usage
@@ -109,7 +109,7 @@ enc|dec)
 esac
 
 # Create temporary working directory
-D=`mktemp -d "${TMP:-/tmp}/pkesh.XXXXXX"`
+D=`mktemp -d "${TMPDIR:-/tmp}/pkesh.XXXXXX"`
 trap 'rm -r "$D"' EXIT
 
 # Perform the operation

More information about the svn-src-user mailing list