[openssl-users] [openssl-dev] [Bug] apps: -CApath does not fail for non-directories (on Linux)

Viktor Dukhovni openssl-users at dukhovni.org
Wed Mar 1 17:44:18 UTC 2017


> On Mar 1, 2017, at 11:46 AM, Steffen Nurpmeso <steffen at sdaoden.eu> wrote:
> 
> No, not that i know.  But this -- thanks -- lead me to the
> following, which is the KISS that you want?
> Ciao!
> 
> diff --git a/apps/apps.c b/apps/apps.c
> index 216bc797d..3afbbaef2 100644
> --- a/apps/apps.c
> +++ b/apps/apps.c
> @@ -1221,7 +1221,8 @@ X509_STORE *setup_verify(const char *CAfile, const char *CApath, int noCAfile, i
>         if (lookup == NULL)
>             goto end;
>         if (CApath) {
> -            if (!X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM)) {
> +            if (!app_isdir(CApath) ||
> +                    !X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM)) {
>                 BIO_printf(bio_err, "Error loading directory %s\n", CApath);
>                 goto end;
>             }

We may need to be careful.  With OpenSSL <= 1.0.2, one way to suppress the
built-in default CApath was to set "-CApath" to a non-existent directory.
Users may have scripts relying on this behaviour.  Now with 1.1.0 on some
platforms OpenSSL already rejects non-existent directories, and we also
provide a "-no-CAfile" option, but this change will extend the change to
what is likely our most popular platform.

So it will at least deserve a comment in the "NEWS"/"CHANGES" files.  

-- 
	Viktor.



More information about the openssl-users mailing list