Same dir with different type in X509_LOOKUP_hash_dir


Same dir with different type in X509_LOOKUP_hash_dir

Jan Burgmeier
Hi,

during setup of my X509_STORE I use X509_LOOKUP_hash_dir with the same dir
but different types, X509_FILETYPE_PEM and X509_FILETYPE_ASN1. But only
certificates of the first type are looked up.
I dug into the code and made a little change to fix my problem, see the
attached patch. Is this behavior by design and am I doing something
wrong, or is this a bug?

Regards
Jan Burgmeier

--- a/crypto/x509/by_dir.c
+++ b/crypto/x509/by_dir.c
@@ -217,7 +217,8 @@
                 continue;
             for (j = 0; j < sk_BY_DIR_ENTRY_num(ctx->dirs); j++) {
                 ent = sk_BY_DIR_ENTRY_value(ctx->dirs, j);
-                if (strlen(ent->dir) == (size_t)len &&
+                if (type == ent->dir_type &&
+                    strlen(ent->dir) == (size_t)len &&
                     strncmp(ent->dir, ss, (unsigned int)len) == 0)
                     break;
             }
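Review bot: the added `type == ent->dir_type &&` test turns the duplicate check from "same directory name" into "same directory name and same file type", which is exactly why the second add of the same dir now succeeds, but nothing in the hunk records that intent; a one-line comment above the loop would help, since the unchanged `strlen`/`strncmp` lines read as a pure path dedup. Putting the cheap integer compare first is fine. The consequence worth stating next to the change is that every surviving entry is then scanned with its own type for every hash-named file in that directory, so files in the other format are opened, fail to load, and the failure is silently skipped; that is extra work on every lookup rather than a correctness problem.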

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Same dir with different type in X509_LOOKUP_hash_dir

Richard Levitte - VMS Whacker-2
Well, that will kinda sorta work, I think...  what you're basically
doing there, albeit not entirely clearly, is making the type a part of
the directory index, not just its name.  I haven't looked thoroughly
enough to see if there are corner cases that will screw that up.

That being said, you will see an increase in processing time.  The
type setting for a directory is applied to ALL hash-named files this
code can find, so if you have two lookups, one with each file type
setting, what will happen is that it will go through all the
files, which will of course fail for those with the wrong format.  You
won't notice, because the loading errors are simply ignored and there
will be success as soon as a file could be loaded and matches your
lookup criterion.

So in essence, that does look like a workable solution, but with bad
optimization.

Cheers,
Richard

In message <[hidden email]> on Fri, 28 Sep 2018 13:11:25 +0200, Jan Burgmeier <[hidden email]> said:


Re: Same dir with different type in X509_LOOKUP_hash_dir

Jan Burgmeier
Performance-wise it would also be possible to use the type parameter as a
bit field. As 1 and 2 are the only types used at the moment, this won't
break anything. Then the second type is only used if the first fails.
If a patch for this is wanted, I can provide one.
The other way would be to convert all certificates to one type.

What is the preferred way to do this?
We are not interested in running a patched ssl.

Regards
Jan

On Sat, 2018-09-29 at 14:13 +0200, Richard Levitte wrote:

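A constructed model of the three behaviours this thread discusses (the name-only duplicate check in the unpatched code, Jan's patch that also compares the type, and the bit-field alternative), added here and not code from OpenSSL or from the posters. The helpers `load_cert`, `add_dir`, `lookup` and `demo` are stand-ins, the certificate files are fabricated, and the model simplifies by continuing past a file that fails to load; it counts load attempts so the extra work Richard describes is visible.

```python
import tempfile
from pathlib import Path

# Constructed, simplified model of the hash-dir lookup (not OpenSSL's by_dir.c): files are
# named <subject_hash>.<n>, every registered dir entry carries an X509_FILETYPE_* setting.
X509_FILETYPE_PEM, X509_FILETYPE_ASN1 = 1, 2

def load_cert(path, types):
    """Stand-in for X509_load_cert_file(); `types` is a bit field of accepted formats."""
    data = Path(path).read_bytes()
    if types & X509_FILETYPE_PEM and data.startswith(b"-----BEGIN CERTIFICATE-----"):
        return data
    if types & X509_FILETYPE_ASN1 and data[:1] == b"\x30":   # DER SEQUENCE tag
        return data
    return None                                              # format mismatch, ignored

def add_dir(dirs, d, types, key_includes_type):
    """Name-only dedup (unpatched) drops a second type for the same dir; the patch also compares the type."""
    for ent_dir, ent_types in dirs:
        if ent_dir == d and (not key_includes_type or ent_types == types):
            return False
    dirs.append((d, types))
    return True

def lookup(dirs, subject_hash):
    """Scan <hash>.0, <hash>.1, ... in every entry with its types; returns (matches, load attempts)."""
    matches, attempts = [], 0
    for d, types in dirs:
        for n in range(1000):
            path = Path(d, "%08x.%d" % (subject_hash, n))
            if not path.exists():
                break
            attempts += 1
            if load_cert(path, types) is not None:
                matches.append(path.name)
    return matches, attempts

def demo(mode):
    """Constructed dir with one PEM and one DER cert under one hash; mode: unpatched | patched | bitfield."""
    d = tempfile.mkdtemp()
    Path(d, "1234abcd.0").write_bytes(b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n")
    Path(d, "1234abcd.1").write_bytes(b"\x30\x82\x01\x00")   # constructed DER header only
    dirs = []
    if mode == "bitfield":                                   # Jan's proposal: one entry, both types
        add_dir(dirs, d, X509_FILETYPE_PEM | X509_FILETYPE_ASN1, False)
    else:                                                    # two X509_LOOKUP_add_dir calls
        add_dir(dirs, d, X509_FILETYPE_PEM, mode == "patched")
        add_dir(dirs, d, X509_FILETYPE_ASN1, mode == "patched")
    return lookup(dirs, 0x1234abcd)
```

Unpatched, only the PEM file is found; with the patch both are found but every file is opened once per entry; with one bit-field entry both are found with a single pass.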