Re: [openssl-dev] [Bug] apps: -CApath does not fail for non-directories (on Linux)

> On Mar 1, 2017, at 11:46 AM, Steffen Nurpmeso <steffen@xxxxxxxxxx> wrote:
> 
> No, not that I know.  But this -- thanks -- led me to the
> following, which is the KISS that you want?
> Ciao!
> 
> diff --git a/apps/apps.c b/apps/apps.c
> index 216bc797d..3afbbaef2 100644
> --- a/apps/apps.c
> +++ b/apps/apps.c
> @@ -1221,7 +1221,8 @@ X509_STORE *setup_verify(const char *CAfile, const char *CApath, int noCAfile, i
>         if (lookup == NULL)
>             goto end;
>         if (CApath) {
> -            if (!X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM)) {
> +            if (!app_isdir(CApath) ||
> +                    !X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM)) {
>                 BIO_printf(bio_err, "Error loading directory %s\n", CApath);
>                 goto end;
>             }
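Review bot: The added condition `!app_isdir(CApath) ||` only rejects paths for which app_isdir() returns exactly 0; if app_isdir() reports a failed stat() (path does not exist) with a negative value instead of 0, then `!app_isdir(CApath)` is false and a non-existent -CApath still reaches X509_LOOKUP_add_dir(), which is the very case discussed below. Testing `app_isdir(CApath) != 1` (or `<= 0`) covers both "not a directory" and "missing". The existing message `Error loading directory %s` now also hides which of the two checks failed; a distinct message for the new pre-check (e.g. "not a directory") would make the rejection clearer to users whose scripts pass a file or a missing path.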

We may need to be careful.  With OpenSSL <= 1.0.2, one way to suppress the
built-in default CApath was to set "-CApath" to a non-existent directory.
Users may have scripts relying on this behaviour.  Now with 1.1.0 on some
platforms OpenSSL already rejects non-existent directories, and we also
provide a "-no-CAfile" option, but this change will extend the change to
what is likely our most popular platform.

So it will at least deserve a comment in the "NEWS"/"CHANGES" files.  

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
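The thread turns on what a directory pre-check for -CApath should do with three kinds of input: a real directory, a regular file, and a path that does not exist. The following is an added example, not OpenSSL's apps code, of a stat()-based probe with a tri-state result (1, 0, -1; whether OpenSSL's own app_isdir() uses that convention is an assumption not shown on this page) and of why a gate written as `!probe(path)` lets the missing-path case through while a strict `== 1` gate does not. The temporary file and directory are constructed fixtures so it runs offline:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/*
 * Added example (not OpenSSL code). probe_dir() is a stat()-based
 * directory probe with an assumed tri-state result:
 *   1  path exists and is a directory
 *   0  path exists but is not a directory (e.g. a regular file)
 *  -1  stat() failed (path missing, or not traversable)
 */
int probe_dir(const char *path)
{
    struct stat st;

    if (stat(path, &st) != 0)
        return -1;
    return S_ISDIR(st.st_mode) ? 1 : 0;
}

/*
 * Gate in the shape of `if (!isdir(CApath)) reject`. Returns 1 when the
 * gate would reject the path. Because !(-1) == 0, a missing path is
 * NOT rejected by this form; only the "exists but is a file" case is.
 */
int naive_gate_rejects(const char *path)
{
    return !probe_dir(path);
}

/* Strict gate: accept only a path that probes as an existing directory. */
int strict_gate_rejects(const char *path)
{
    return probe_dir(path) != 1;
}

/*
 * Constructed fixtures: a temporary regular file and a temporary
 * directory under /tmp. Both buffers must hold at least 32 bytes.
 * Returns 0 on success, -1 on failure.
 */
int make_fixtures(char *file_out, char *dir_out)
{
    int fd;

    strcpy(file_out, "/tmp/capath_fileXXXXXX");
    strcpy(dir_out, "/tmp/capath_dirXXXXXX");
    fd = mkstemp(file_out);
    if (fd < 0)
        return -1;
    close(fd);
    if (mkdtemp(dir_out) == NULL) {
        unlink(file_out);
        return -1;
    }
    return 0;
}

void remove_fixtures(const char *file, const char *dir)
{
    unlink(file);
    rmdir(dir);
}

int main(void)
{
    char file[32], dir[32];
    /* Constructed path assumed not to exist on the test machine. */
    const char *missing = "/nonexistent/capath_example";
    const char *paths[3];
    int i;

    if (make_fixtures(file, dir) != 0) {
        perror("make_fixtures");
        return 1;
    }
    paths[0] = dir;
    paths[1] = file;
    paths[2] = missing;

    printf("%-32s %6s %12s %12s\n", "path", "probe", "naive-rej", "strict-rej");
    for (i = 0; i < 3; i++)
        printf("%-32s %6d %12d %12d\n", paths[i], probe_dir(paths[i]),
               naive_gate_rejects(paths[i]), strict_gate_rejects(paths[i]));

    remove_fixtures(file, dir);
    return 0;
}
```

The table printed by main() makes the gap visible on one line: for the missing path the probe returns -1, the naive gate reports 0 (accept) and the strict gate reports 1 (reject). If the intent is that a non-existent -CApath must fail, as the bug title asks, the strict form is the one to use; if the intent is to keep the old "point -CApath at nothing to suppress the default path" trick working, that decision should be made explicitly rather than fall out of the sign of the probe's return value.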