On Wed, Nov 08, 2000 at 09:45:24AM +0100, Richard Levitte - VMS Whacker wrote:
> From: Mixmaster <[EMAIL PROTECTED]>
>
> mixmaster> Loading shared libs from SHLIB_PATH or LD_LIBRARY_PATH is a
> mixmaster> huge security hole. No security conscious program uses
> mixmaster> them, and IMO that capability should be explicitly disabled
> mixmaster> in OpenSSL and users should simply be required to provide
> mixmaster> complete path names (starting with '/').
>
> You're right about the risks. However, the engine code makes use of
> DSO to load the library that is relevant for the external device that
> is relevant. The only thing that can be sort of guaranteed about
> those is the name (like "cswift" for CryptoSwift, which should
> translate to "libcswift.so", "libcswift.sl" or "cswift.dll", depending
> on the OS). There's no real way to say exactly where each library
> will be, since that may be OS dependent (on some Unixen, the natural
> thing is to install under /opt, under others it's /usr/local).
>
> So, basically, we've chosen for now to go the easy, flexible way, so
> as not to cause too much trouble since there's no way we can predict
> how things are installed.
>
> If you have some ideas on how to solve that problem, please tell us.

I have not looked into the engine code. It should however be possible
to perform some string processing inside OpenSSL to generate the
complete pathname. Say, you check an environment variable "ENGINE_PATH"
and build $ENGINE_PATH/name_of_engine when calling shl_load()
and/or the application calls some engine_setup(shared_lib_path) and
this shared_lib_path is then used when constructing the complete
path name to the shared library...

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
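
The path construction suggested in the reply above, as an added example (not part of the thread and not OpenSSL code): `engine_build_path` is a hypothetical helper that joins an application-supplied absolute directory with a bare engine name, so the loader is handed a complete pathname instead of a bare name to search for. The `.so` suffix and the `/opt/engines` directory are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not an OpenSSL API: build "<dir>/lib<name>.so".
 * Returns 0 on success, -1 if the inputs are not safe to combine. */
int engine_build_path(const char *dir, const char *name,
                      char *out, size_t outlen)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-";
    size_t dlen;
    int n;

    if (dir == NULL || name == NULL || out == NULL || outlen == 0)
        return -1;
    /* Directory must be a complete path name (starting with '/'). */
    if (dir[0] != '/')
        return -1;
    /* Refuse any directory component that begins with "..". */
    if (strstr(dir, "/..") != NULL)
        return -1;
    /* Engine name is a bare token such as "cswift": no '/', no '.'. */
    if (name[0] == '\0' || strspn(name, allowed) != strlen(name))
        return -1;

    dlen = strlen(dir);
    n = snprintf(out, outlen, "%s%slib%s.so",
                 dir, dir[dlen - 1] == '/' ? "" : "/", name);
    /* Treat truncation as failure: never load a shortened path. */
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs; "/opt/engines" is an assumed directory. */
    const char *names[] = { "cswift", "../evil", "lib/x" };
    char path[256];
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (engine_build_path("/opt/engines", names[i], path, sizeof path) == 0)
            printf("%-8s -> %s\n", names[i], path);   /* pass this to the loader */
        else
            printf("%-8s -> rejected\n", names[i]);
    }
    return 0;
}
```

In a set-uid or otherwise privileged program the directory should come from the application's own configuration rather than from an environment variable, since the caller controls the environment.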