cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: Custom OpenSSL crypto engine not known to cURL

From: Petr Pisar <petr.pisar_at_atlas.cz>
Date: Thu, 1 Apr 2010 23:16:18 +0200

On Thu, Apr 01, 2010 at 09:11:04AM +0200, Daniel Stenberg wrote:
> On Thu, 1 Apr 2010, Camille Moncelier wrote:
>
> > You could set up some _evil_ openssl engine and set init = 1 so openssl
> > try to initialize it automatically and TADA, (Bonus points if the
> > application is setuid root) :-)
>
> Assuming an app wants to support custom crypto engines as Petr Pisar enabled
> with his patch, and assuming the app runs as setuid root. How can the app
> limit what evilness a user can trick it into doing?
>
Unset OPENSSL_CNF. The same applies to NSS as user could supply custom NSS
database (that can load PKCS#11 engines too).

In case of OpenSSL, this forces user to use system wide configuration that is
under sole control of superuser.

-- Petr

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html

  • application/pgp-signature attachment: stored
Received on 2010-04-01