Re: [openssl-dev] [Bug] apps: -CApath does not fail for non-directories (on Linux)


Re: [openssl-dev] [Bug] apps: -CApath does not fail for non-directories (on Linux)

Viktor Dukhovni

> On Mar 1, 2017, at 11:46 AM, Steffen Nurpmeso <[hidden email]> wrote:
>
> No, not that i know.  But this -- thanks -- led me to the
> following, which is the KISS that you want?
> Ciao!
>
> diff --git a/apps/apps.c b/apps/apps.c
> index 216bc797d..3afbbaef2 100644
> --- a/apps/apps.c
> +++ b/apps/apps.c
> @@ -1221,7 +1221,8 @@ X509_STORE *setup_verify(const char *CAfile, const char *CApath, int noCAfile, i
>         if (lookup == NULL)
>             goto end;
>         if (CApath) {
> -            if (!X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM)) {
> +            if (!app_isdir(CApath) ||
> +                    !X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM)) {
>                 BIO_printf(bio_err, "Error loading directory %s\n", CApath);
>                 goto end;
>             }
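Review bot: the added `!app_isdir(CApath)` test only rejects a path for which app_isdir() returns 0; if app_isdir() signals a failed stat() (a path that does not exist at all) with a non-zero value such as -1, that case is not negated to true and still falls through to X509_LOOKUP_add_dir(), so the non-existent directory case discussed below would remain accepted on Linux. Suggest comparing against the success value explicitly, e.g. `if (app_isdir(CApath) != 1 ||` followed by the existing `!X509_LOOKUP_add_dir(...)` test, after confirming app_isdir()'s return convention; while here, align the continuation line under the first operand instead of indenting it a further eight spaces.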

We may need to be careful.  With OpenSSL <= 1.0.2, one way to suppress the
built-in default CApath was to set "-CApath" to a non-existent directory.
Users may have scripts relying on this behaviour.  Now with 1.1.0 on some
platforms OpenSSL already rejects non-existent directories, and we also
provide a "-no-CAfile" option, but this change will extend the change to
what is likely our most popular platform.

So it will at least deserve a comment in the "NEWS"/"CHANGES" files.  

--
        Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-dev] [Bug] apps: -CApath does not fail for non-directories (on Linux)

Jakob Bohm-7
On 01/03/2017 18:44, Viktor Dukhovni wrote:

>> On Mar 1, 2017, at 11:46 AM, Steffen Nurpmeso <[hidden email]> wrote:
>>
>> No, not that i know.  But this -- thanks -- led me to the
>> following, which is the KISS that you want?
>> Ciao!
>>
>> diff --git a/apps/apps.c b/apps/apps.c
>> index 216bc797d..3afbbaef2 100644
>> --- a/apps/apps.c
>> +++ b/apps/apps.c
>> @@ -1221,7 +1221,8 @@ X509_STORE *setup_verify(const char *CAfile, const char *CApath, int noCAfile, i
>>          if (lookup == NULL)
>>              goto end;
>>          if (CApath) {
>> -            if (!X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM)) {
>> +            if (!app_isdir(CApath) ||
>> +                    !X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM)) {
>>                  BIO_printf(bio_err, "Error loading directory %s\n", CApath);
>>                  goto end;
>>              }
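Review bot: both failure modes, a CApath that is not a directory and X509_LOOKUP_add_dir() failing, now report the identical "Error loading directory %s" message, so a user whose -CApath points at a regular file gets no hint why the load was refused. Suggest a distinct message for the app_isdir() branch, e.g. `BIO_printf(bio_err, "%s is not a directory\n", CApath);`, which also makes the behaviour change easier to describe in the NEWS/CHANGES entry requested below.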
Shouldn't this be in X509_LOOKUP_add_dir() itself?
> We may need to be careful.  With OpenSSL <= 1.0.2, one way to suppress the
> built-in default CApath was to set "-CApath" to a non-existent directory.
> Users may have scripts relying on this behaviour.  Now with 1.1.0 on some
> platforms OpenSSL already rejects non-existent directories, and we also
> provide a "-no-CAfile" option, but this change will extend the change to
> what is likely our most popular platform.
Since compatibility is important, there should be a list of values that
are equivalent to "-no-CApath" for 3rd party apps and scripts that haven't
implemented such an option.  As a minimum I would suggest: NULL (null string
pointer), "" (empty string), " " (single space), "X" (single letter uppercase
X with no path), "-" (single dash since stdin/stdout cannot be a path) and
anything that maps to the "/dev/null" device of the platform.
> So it will at least deserve a comment in the "NEWS"/"CHANGES" files.
>
Another case to consider is chroot daemons that call X509_LOOKUP_add_dir()
before doing a chroot() to the tree containing that directory.  Or maybe
that is why you want to only do the check in the openssl command line
program, because it is known not to do that.  Anyway, users of such daemons
can work around it by having an empty or arbitrary directory with that name
in the old root, provided they are told to do so.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
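As an added example (not code from this thread or from OpenSSL itself), the following C program reproduces the check the patch adds with a stand-in `path_is_dir()` that is assumed to follow the 1 / 0 / -1 convention of OpenSSL's app_isdir(), and contrasts the patch's `!` form with an explicit `!= 1` comparison on a directory, a regular file and a path that does not exist; the temporary paths it creates are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Tri-state probe: 1 = directory, 0 = exists but not a directory, -1 =
 * stat() failed (e.g. missing path). Assumed to mirror app_isdir(). */
int path_is_dir(const char *name)
{
    struct stat st;
    if (stat(name, &st) != 0)
        return -1;
    return S_ISDIR(st.st_mode) ? 1 : 0;
}

/* The patch's "!app_isdir(CApath)" rejects only the 0 case, so a
 * stat() failure (-1) falls through to X509_LOOKUP_add_dir(). */
int capath_rejected_by_patch(const char *capath)
{
    return !path_is_dir(capath);
}

/* Stricter form: anything but a confirmed directory is rejected. */
int capath_rejected_strict(const char *capath)
{
    return path_is_dir(capath) != 1;
}

/* Run both checks on a directory, a regular file and a missing path (all
 * constructed under a temp dir); return how many cases they disagree on. */
int count_disagreements(void)
{
    char dir[] = "/tmp/capath-XXXXXX", file[64], missing[64];
    int fd, n = 0;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(file, sizeof file, "%s/cert.pem", dir);
    snprintf(missing, sizeof missing, "%s/no-such-dir", dir);
    if ((fd = open(file, O_WRONLY | O_CREAT, 0600)) < 0)
        return -1;
    close(fd);
    const char *cases[] = { dir, file, missing };
    for (int i = 0; i < 3; i++)
        n += capath_rejected_by_patch(cases[i]) != capath_rejected_strict(cases[i]);
    unlink(file);
    rmdir(dir);
    return n;
}
```

The only disagreement is the missing path: the patch's form lets it through to X509_LOOKUP_add_dir(), the strict form rejects it.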
