[openssl-dev] [Bug] apps: -CApath does not fail for non-directories (on Linux)

Steffen Nurpmeso steffen at sdaoden.eu
Wed Mar 1 22:05:45 UTC 2017

Hello again,

Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
 |> On Mar 1, 2017, at 11:46 AM, Steffen Nurpmeso <steffen at sdaoden.eu> wrote:
 |> No, not that i know.  But this -- thanks -- led me to the
 |> following, which is the KISS that you want?
 |> diff --git a/apps/apps.c b/apps/apps.c
 |> index 216bc797d..3afbbaef2 100644
 |> --- a/apps/apps.c
 |> +++ b/apps/apps.c
 |> @@ -1221,7 +1221,8 @@ X509_STORE *setup_verify(const char *CAfile, \
 |> const char *CApath, int noCAfile, i
 |>         if (lookup == NULL)
 |>             goto end;
 |>         if (CApath) {
 |> -            if (!X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM))\
 |>  {
 |> +            if (!app_isdir(CApath) ||
 |> +                    !X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_P\
 |> EM)) {
 |>                 BIO_printf(bio_err, "Error loading directory %s\n", \
 |>                 CApath);
 |>                 goto end;
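Review bot: the new `!app_isdir(CApath)` precondition shares the single message `Error loading directory %s` with the existing `X509_LOOKUP_add_dir()` failure, so a user who hits the new path cannot tell a missing or non-directory -CApath from a genuine lookup failure; print a distinct message for the `!app_isdir(CApath)` case (for example "%s is not a directory") before falling through to the existing one. Because the hunk turns a -CApath that was previously accepted silently into a hard error at `setup_verify()` time, the behaviour change should also be documented for users whose scripts depend on the old acceptance.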
 |We may need to be careful.  With OpenSSL <= 1.0.2, one way to suppress the
 |built-in default CApath was to set "-CApath" to a non-existent directory.
 |Users may have scripts relying on this behaviour.  Now with 1.1.0 on some
 |platforms OpenSSL already rejects non-existent directories, and we also
 |provide a "-no-CAfile" option, but this change will extend the change to
 |what is likely our most popular platform.
 |So it will at least deserve a comment in the "NEWS"/"CHANGES" files.  

I understand that this is a "lingering" configuration, which is
inspected on the fly as a last (or second last, if there is
SSL_CTX_set_default_verify_paths(3).  In fact I don't know, the
documentation is horrific!  E.g., just today I have implemented
some *{smime,ssl}-ca-flags*, mostly to be able to provide
X509_V_FLAG_PARTIAL_CHAIN, but you know you can't find just any
X509_STORE_set_flags(_not_ 3) at all; it is, again, _horrific_.
I for one, as someone unrelated, now that you have so many
sponsors, really wonder why you don't spend a little bit of
money on some crypto nerd student(s) who really need(s) it in
order to improve it.  Really, and honestly.) resort.

But for an application that does a one-shot check I would at least
expect a message that leads in the right direction, at least
with -verbose.  I for one _of course_ looked for
X509_LOOKUP_add_dir() first, but I gave up after the second
indirection.  If you would ask me, I surely would add
an X509_FILETYPE_CHECK_OR_ERROR or similar flag to get the
synchronous checks.  But who am I.
