Re: cvs commit: openssl/crypto/dso dso_dl.c

[Richard Levitte - VMS Whacker]

From: Mixmaster <[EMAIL PROTECTED]>

mixmaster> Loading shared libs from SHLIB_PATH or LD_LIBRARY_PATH is a
mixmaster> huge security hole.  No security conscious program uses
mixmaster> them, and IMO that capability should be explicitly disabled
mixmaster> in OpenSSL and users should simply be required to provide
mixmaster> complete path names (starting with '/').

You're right about the risks.  However, the engine code makes use of
DSO to load the library that is relevant for the external device that
is relevant.  The only thing that can be sort of guaranteed about
those is the name (like "cswift" for CryptoSwift, which should
translate to "libcswift.so", "libcswift.sl" or "cswift.dll", depending
on the OS).  There's no real way to say exactly where each library
will be, since that may be OS dependent (on some Unixen, the natural
thing is to install under /opt, under others it's /usr/local).

So, basically, we've chosen for now to go the easy, flexible way, so
as not to cause too much trouble since there's no way we can predict
how things are installed.

If you have some ideas on how to solve that problem, please tell us.

-- 
Richard Levitte   \ Spannv�gen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \      SWEDEN       \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]