curl-users

SSL Key password from environment variable and not from the command line

From: Juergen Brauckmann <brauckmann_at_dfn-cert.de>
Date: Wed, 11 Jan 2006 14:38:09 +0100

Hi.

Please find attached a mini-patch that will tell curl to get the
passphrase for a private key for SSL client authentication from an
environment variable instead of passing the passphrase directly on the
command line or prompting for it.

I developed the patch because I want to use curl in a batch context and
did not want to pass the passphrase on the command line: I assumed that
the passphrase would be visible via e.g. "ps".

Daniel Stenberg already told me that curl actually hides the passphrase
on many OSes by overwriting the argv-array; but perhaps the patch is
useful anyway.

The patch updates main.c from curl, curl.1 and curl.html, but not
curl.pdf. I've tested it on a Linux box.

Best regards,
   Juergen

diff -r -u curl-7.15.1_orig/docs/curl.1 curl-7.15.1/docs/curl.1
--- curl-7.15.1_orig/docs/curl.1 2005-11-24 08:41:53.000000000 +0100
+++ curl-7.15.1/docs/curl.1 2006-01-11 09:40:35.000000000 +0100
@@ -694,6 +694,10 @@
 (SSL) Pass phrase for the private key
 
 If this option is used several times, the last one will be used.
+.IP "--passenviron <environment variable>"
+(SSL) Environment varibale that holds the pass phrase for the private key
+
+If this option is used several times, the last one will be used.
 .IP "--proxy-anyauth"
 Tells curl to pick a suitable authentication method when communicating with
 the given proxy. This will cause an extra request/response round-trip. Added
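Review bot: the new `.IP "--passenviron <environment variable>"` entry misspells "varibale"; it should read "Environment variable that holds the pass phrase for the private key". The trailing sentence "If this option is used several times, the last one will be used" is also incomplete for this option, because the value lands in the same place as `--pass` (see the main.c hunk below, which assigns `config->key_passwd`), so the man page should say that the later of `--pass` and `--passenviron` wins.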
diff -r -u curl-7.15.1_orig/docs/curl.html curl-7.15.1/docs/curl.html
--- curl-7.15.1_orig/docs/curl.html 2005-12-07 00:06:29.000000000 +0100
+++ curl-7.15.1/docs/curl.html 2006-01-11 09:42:15.000000000 +0100
@@ -298,6 +298,9 @@
 <p class="level0"><a name="--pass"></a><span class="nroffip">--pass &lt;phrase&gt;</span>
 <p class="level1">(SSL) Pass phrase for the private key
 <p class="level1">If this option is used several times, the last one will be used.
+<p class="level0"><a name="--passenviron"></a><span class="nroffip">--passenviron &lt;environment variable&gt;</span>
+<p class="level1">(SSL) Environment variable that holds the pass phrase for the private key
+<p class="level1">If this option is used several times, the last one will be used.
 <p class="level0"><a name="--proxy-anyauth"></a><span class="nroffip">--proxy-anyauth</span>
 <p class="level1">Tells curl to pick a suitable authentication method when communicating with the given proxy. This will cause an extra request/response round-trip. Added in curl 7.13.2.
 <p class="level1">If this option is used twice, the second will again disable the proxy use-any authentication.
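Review bot: this hunk carries the corrected spelling "Environment variable" while the curl.1 hunk above still has "varibale", so the two documents already disagree; curl.html is generated from curl.1 (the `nroffip` spans are roffit output), so the right fix is to correct the spelling in curl.1 and regenerate the HTML rather than editing it by hand.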
diff -r -u curl-7.15.1_orig/src/main.c curl-7.15.1/src/main.c
--- curl-7.15.1_orig/src/main.c 2005-12-05 15:10:48.000000000 +0100
+++ curl-7.15.1/src/main.c 2006-01-11 09:44:06.000000000 +0100
@@ -499,6 +499,7 @@
     " --key <key> Private key file name (SSL)",
     " --key-type <type> Private key file type (DER/PEM/ENG) (SSL)",
     " --pass <pass> Pass phrase for the private key (SSL)",
+ " --passenviron <environment variable> Environment-Variable with pass phrase for the private key (SSL)",
     " --engine <eng> Crypto engine to use (SSL). \"--engine list\" for list",
     " --cacert <file> CA certificate to verify peer against (SSL)",
     " --capath <directory> CA directory (made using c_rehash) to verify",
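Review bot: the added help line is far longer than its neighbours and capitalises "Environment-Variable" where the surrounding lines use plain lowercase; shorten it to the house style, for example `" --passenviron <var> Env variable holding the private key pass phrase (SSL)",`, and use the same `<var>` argument name in curl.1 so the usage text and man page match.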
@@ -1356,6 +1357,7 @@
     {"Ee","pass", TRUE},
     {"Ef","engine", TRUE},
     {"Eg","capath ", TRUE},
+ {"Eh","passenviron", TRUE},
     {"f", "fail", FALSE},
     {"F", "form", TRUE},
     {"Fs","form-string", TRUE},
@@ -1920,6 +1922,11 @@
         /* CA cert directory */
         GetStr(&config->capath, nextarg);
         break;
+ case 'h': /* Passphrase-Environment-Var */
+ if( nextarg && curlx_getenv(nextarg)) {
+ GetStr(&config->key_passwd, curlx_getenv(nextarg));
+ }
+ break;
       default: /* certificate file */
         {
           char *ptr = strchr(nextarg, ':');
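Review bot: `curlx_getenv(nextarg)` is called twice in `case 'h'` and neither result is released; call it once into a local, pass that to `GetStr` (which makes its own copy), and free the local afterwards if `curlx_getenv` returns an allocated string as `curl_getenv` does. When the named variable is unset the branch silently does nothing and curl will later prompt or fail with an unrelated error, which defeats the batch use case the mail describes; emit a warning naming the missing variable so the run fails loudly. The `nextarg &&` guard is redundant here, since the `{"Eh","passenviron", TRUE}` alias entry already makes the parser require an argument.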

Received on 2006-01-11