Subject: bin/24458: openssl config parser (variable substitution) broken
To: None <gnats-bugs@gnats.NetBSD.org>
From: Frank Kardel <kardel@pip.acrys.com>
List: netbsd-bugs
Date: 02/17/2004 15:43:18
>Number: 24458
>Category: bin
>Synopsis: openssl.cnf cannot correctly do variable substitution
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Feb 17 14:44:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator: Frank Kardel
>Release: NetBSD 1.6ZK
>Organization:
>Environment:
System: NetBSD pip 1.6ZK NetBSD 1.6ZK (SYSPIP_ISDN) #1: Sun Feb 15 15:42:43 MET 2004 kardel@pip:/fs/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/arch/i386/compile/obj.i386/SYSPIP_ISDN i386
Architecture: i386
Machine: i386
>Description:
After upgrading my notebook to -current, openssl couldn't
correctly read private keys any more. openssl.cnf
had lines like this:
dir = ${ENV::CA_ROOT}/userCA
certname = user-ca1
private_key = ${dir}/private/${certname}.key
Before the upgrade this was correctly expanded.
Now expansion stops with the p from private. When only
one variable needs to be expanded things work. The
second expansion seems to mess up.
>How-To-Repeat:
try using openssl ca with a configuration using the
above pattern.
>Fix:
1) check for errors in the config parser
2) use only one substitution as a workaround
>Release-Note:
>Audit-Trail:
>Unformatted:
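
Added example, not part of the original report and not OpenSSL's code: a simplified Python model of the expansion the report expects, giving a reference value to compare against what a parser produces for the three lines above. It handles only the ${name} and ${ENV::name} forms within a single section; the CA_ROOT value is constructed.

```python
import re

# ${name} or ${section::name}. Other OpenSSL reference forms are left out
# of this simplified model.
REF = re.compile(r"\$\{(?:(\w+)::)?(\w+)\}")

# The three lines quoted in the report.
REPORT_LINES = [
    "dir = ${ENV::CA_ROOT}/userCA",
    "certname = user-ca1",
    "private_key = ${dir}/private/${certname}.key",
]


def expand_section(lines, env):
    """Return {name: expanded value} for the name = value lines of one section.

    Every reference in a value is replaced, and the literal text between and
    after references is kept. A reference to a name that is not yet defined
    raises KeyError instead of yielding a shortened value.
    """
    values = {}

    def resolve(match):
        section, key = match.group(1), match.group(2)
        if section == "ENV":
            return env[key]        # environment lookup
        if section is None:
            return values[key]     # must have been assigned on an earlier line
        raise KeyError(f"section lookup not modelled: {section}::{key}")

    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        name, _, value = line.partition("=")
        values[name.strip()] = REF.sub(resolve, value.strip())
    return values


if __name__ == "__main__":
    # CA_ROOT is a constructed sample value, not taken from the report.
    for name, value in expand_section(REPORT_LINES, {"CA_ROOT": "/etc/ssl"}).items():
        print(f"{name} = {value}")
```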