CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2020/01/22 20:53:39
Modified files:
usr.sbin/ocspcheck: ocspcheck.c
Log message:
The X509_LOOKUP code tries to grope around in /etc/ssl/cert/ to find
CA certs it couldn't find otherwise. This may lead to a pledge rpath
violation reported by Kor, son of Rynar. Unfortunately, providing certs
inside a directory is common in linuxes, so we need to keep this
functionality for portable.
Check if /etc/ssl/cert.pem and /etc/ssl/cert exist and pledge
accordingly. Add unveils to restrict this program further on a
default OpenBSD install. Fix -C to look only inside the provided
root bundle.
Input from jsing and sthen, tests by sthen and Kor
ok beck, jsing, sthen (after much back and forth)
