Re: [openssl-dev] [Bug] apps: -CApath does not fail for non-directories (on Linux)

On 01/03/2017 18:44, Viktor Dukhovni wrote:
On Mar 1, 2017, at 11:46 AM, Steffen Nurpmeso <steffen@xxxxxxxxxx> wrote:

No, not that i know.  But this -- thanks -- led me to the
following, which is the KISS that you want?
Ciao!

diff --git a/apps/apps.c b/apps/apps.c
index 216bc797d..3afbbaef2 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -1221,7 +1221,8 @@ X509_STORE *setup_verify(const char *CAfile, const char *CApath, int noCAfile, i
         if (lookup == NULL)
             goto end;
         if (CApath) {
-            if (!X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM)) {
+            if (!app_isdir(CApath) ||
+                    !X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM)) {
                 BIO_printf(bio_err, "Error loading directory %s\n", CApath);
                 goto end;
             }
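Review bot: the app_isdir() check inserted at the top of the `if (CApath)` block changes behaviour rather than only improving the diagnostic: a -CApath naming a non-existent or non-directory path, which the old code handed straight to X509_LOOKUP_add_dir() and which scripts have used to suppress the built-in default directory (see the reply below), now aborts setup_verify() with "Error loading directory". That deserves a CHANGES/NEWS entry and a sentence in the apps documentation directing such scripts to the -no-CAfile / -no-CApath style options instead. Two smaller points on the same hunk: the single message now covers both "not a directory" and "add_dir failed", so a separate "%s is not a directory" message would make the new failure diagnosable; and because the check lives only in apps.c, library callers of X509_LOOKUP_add_dir() keep the old behaviour, so it is worth deciding whether the check belongs in the lookup method itself.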
Shouldn't this be in X509_LOOKUP_add_dir() itself?
We may need to be careful.  With OpenSSL <= 1.0.2, one way to suppress the
built-in default CApath was to set "-CApath" to a non-existent directory.
Users may have scripts relying on this behaviour.  Now with 1.1.0 on some
platforms OpenSSL already rejects non-existent directories, and we also
provide a "-no-CAfile" option, but this change will extend the change to
what is likely our most popular platform.
Since compatibility is important, there should be a list of values that
are equivalent to "-no-CApath" for 3rd party apps and scripts that haven't
implemented such an option. As a minimum I would suggest: NULL (null string
pointer), "" (empty string), " " (single space), "X" (single letter uppercase
X with no path), "-" (single dash, since stdin/stdout cannot be a path) and
anything that maps to the "/dev/null" device of the platform.
So it will at least deserve a comment in the "NEWS"/"CHANGES" files.

Another case to consider is chroot daemons that call X509_LOOKUP_add_dir()
before doing a chroot() to the tree containing that directory.  Or maybe
that is why you want to only do the check in the openssl command line program,
because it is known not to do that.  Anyway, users of such daemons can work
around it by having an empty or arbitrary directory with that name in the
old root, provided they are told to do so.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
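As an added illustration of the sentinel list Jakob proposes above (and of the is-it-a-directory check the patch adds), here is a small C function that classifies a -CApath argument into "no CA directory wanted", "usable directory" or "invalid". It is example code written for this page, not OpenSSL's apps.c or library code, and not a proposed patch; the function name classify_capath, the enum, and the assumption that the platform's null device is reachable as "/dev/null" are all this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical classification of a -CApath value. Mirrors the list of
 * "-no-CApath" equivalents suggested in the message above; it is not
 * what OpenSSL itself does. */
enum capath_class { CAPATH_NONE = 0, CAPATH_DIR = 1, CAPATH_INVALID = 2 };

/* Non-zero if `p` resolves to the same character device as "/dev/null".
 * The "/dev/null" name is an assumption of this example; other platforms
 * would substitute their own null device. A missing path is simply
 * "not the null device". */
static int is_null_device(const char *p)
{
    struct stat a, b;

    if (stat(p, &a) != 0 || stat("/dev/null", &b) != 0)
        return 0;
    return S_ISCHR(a.st_mode) && a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

enum capath_class classify_capath(const char *p)
{
    struct stat st;

    /* Literal sentinels from the proposal: NULL pointer, "", " ", "X", "-".
     * These are matched before touching the filesystem, so a stray file
     * literally named " " or "X" cannot turn them into a real CA path. */
    if (p == NULL || strcmp(p, "") == 0 || strcmp(p, " ") == 0 ||
        strcmp(p, "X") == 0 || strcmp(p, "-") == 0)
        return CAPATH_NONE;

    /* Anything that maps to the platform's null device. */
    if (is_null_device(p))
        return CAPATH_NONE;

    /* Otherwise the same test the patch adds via app_isdir(): the path
     * must exist and be a directory, else it is an error rather than a
     * silent way of disabling the default CA path. */
    if (stat(p, &st) == 0 && S_ISDIR(st.st_mode))
        return CAPATH_DIR;
    return CAPATH_INVALID;
}

/* Stand-alone usage: classify each command-line argument. */
int main(int argc, char **argv)
{
    static const char *names[] = { "no CA path", "directory", "invalid" };

    for (int i = 1; i < argc; i++)
        printf("%s: %s\n", argv[i], names[classify_capath(argv[i])]);
    return 0;
}
```

Note that, like app_isdir() in the patch, the stat() here is a separate step from whatever later opens the directory, so a path that is a directory at check time can still fail later; and a daemon that calls this before chroot() is checking the path against the old root, which is exactly the scenario the message above raises.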
