diff options
author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2014-06-23 22:19:03 +0000 |
---|---|---|
committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2014-06-23 22:19:03 +0000 |
commit | 18c06358d28d4cb2418212f8ada189a575527b2f (patch) | |
tree | 3feecb1682afd2fd30ebac3afa6097b83431db0c | |
parent | c3817697b5b0f2d63ff97d99d12de4300093a73f (diff) |
Since this is a library, place issetugid() before every getenv()
ok miod
-rw-r--r-- | lib/libcrypto/conf/conf_api.c | 13 | ||||
-rw-r--r-- | lib/libcrypto/conf/conf_mod.c | 7 | ||||
-rw-r--r-- | lib/libcrypto/engine/eng_list.c | 5 | ||||
-rw-r--r-- | lib/libcrypto/x509/by_dir.c | 5 | ||||
-rw-r--r-- | lib/libcrypto/x509/by_file.c | 7 |
5 files changed, 24 insertions, 13 deletions
diff --git a/lib/libcrypto/conf/conf_api.c b/lib/libcrypto/conf/conf_api.c index 21ce4d9fe5c..7480dda3d5a 100644 --- a/lib/libcrypto/conf/conf_api.c +++ b/lib/libcrypto/conf/conf_api.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf_api.c,v 1.10 2014/06/12 15:49:28 deraadt Exp $ */ +/* $OpenBSD: conf_api.c,v 1.11 2014/06/23 22:19:02 deraadt Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -66,6 +66,7 @@ #include <assert.h> #include <stdlib.h> #include <string.h> +#include <unistd.h> #include <openssl/conf.h> #include <openssl/conf_api.h> @@ -142,7 +143,10 @@ _CONF_get_string(const CONF *conf, const char *section, const char *name) if (v != NULL) return (v->value); if (strcmp(section, "ENV") == 0) { - p = getenv(name); + if (issetugid() == 0) + p = getenv(name); + else + p = NULL; if (p != NULL) return (p); } @@ -154,8 +158,11 @@ _CONF_get_string(const CONF *conf, const char *section, const char *name) return (v->value); else return (NULL); - } else + } else { + if (issetugid()) + return (NULL); return (getenv(name)); + } } #if 0 /* There's no way to provide error checking with this function, so diff --git a/lib/libcrypto/conf/conf_mod.c b/lib/libcrypto/conf/conf_mod.c index ae62f4abde7..e58582a5ec8 100644 --- a/lib/libcrypto/conf/conf_mod.c +++ b/lib/libcrypto/conf/conf_mod.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf_mod.c,v 1.20 2014/06/12 15:49:28 deraadt Exp $ */ +/* $OpenBSD: conf_mod.c,v 1.21 2014/06/23 22:19:02 deraadt Exp $ */ /* Written by Stephen Henson (steve@openssl.org) for the OpenSSL * project 2001. */ @@ -541,9 +541,10 @@ CONF_module_set_usr_data(CONF_MODULE *pmod, void *usr_data) char * CONF_get1_default_config_file(void) { - char *file; + char *file = NULL; - file = getenv("OPENSSL_CONF"); + if (issetugid() == 0) + file = getenv("OPENSSL_CONF"); if (file) return BUF_strdup(file); if (asprintf(&file, "%s/openssl.cnf", diff --git a/lib/libcrypto/engine/eng_list.c b/lib/libcrypto/engine/eng_list.c index 053767c6460..22e2abb01d1 100644 --- a/lib/libcrypto/engine/eng_list.c +++ b/lib/libcrypto/engine/eng_list.c @@ -1,4 +1,4 @@ -/* $OpenBSD: eng_list.c,v 1.10 2014/06/22 12:15:53 jsing Exp $ */ +/* $OpenBSD: eng_list.c,v 1.11 2014/06/23 22:19:02 deraadt Exp $ */ /* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL * project 2000. */ @@ -385,7 +385,8 @@ ENGINE_by_id(const char *id) return iterator; /* Prevent infinite recusrion if we're looking for the dynamic engine. */ if (strcmp(id, "dynamic")) { - if ((load_dir = getenv("OPENSSL_ENGINES")) == 0) + if (issetugid() == 0 || + (load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = ENGINESDIR; iterator = ENGINE_by_id("dynamic"); if (!iterator || diff --git a/lib/libcrypto/x509/by_dir.c b/lib/libcrypto/x509/by_dir.c index 21ba0a7bc25..187eba45155 100644 --- a/lib/libcrypto/x509/by_dir.c +++ b/lib/libcrypto/x509/by_dir.c @@ -1,4 +1,4 @@ -/* $OpenBSD: by_dir.c,v 1.27 2014/06/19 21:23:48 tedu Exp $ */ +/* $OpenBSD: by_dir.c,v 1.28 2014/06/23 22:19:02 deraadt Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -132,7 +132,8 @@ dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl, switch (cmd) { case X509_L_ADD_DIR: if (argl == X509_FILETYPE_DEFAULT) { - dir = (char *)getenv(X509_get_default_cert_dir_env()); + if (issetugid() == 0) + dir = getenv(X509_get_default_cert_dir_env()); if (dir) ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM); else diff --git a/lib/libcrypto/x509/by_file.c b/lib/libcrypto/x509/by_file.c index ca010032eb5..bb296e2a42d 100644 --- a/lib/libcrypto/x509/by_file.c +++ b/lib/libcrypto/x509/by_file.c @@ -1,4 +1,4 @@ -/* $OpenBSD: by_file.c,v 1.12 2014/06/12 15:49:31 deraadt Exp $ */ +/* $OpenBSD: by_file.c,v 1.13 2014/06/23 22:19:02 deraadt Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -94,12 +94,13 @@ by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl, char **ret) { int ok = 0; - char *file; + char *file = NULL; switch (cmd) { case X509_L_FILE_LOAD: if (argl == X509_FILETYPE_DEFAULT) { - file = (char *)getenv(X509_get_default_cert_file_env()); + if (issetugid() == 0) + file = getenv(X509_get_default_cert_file_env()); if (file) ok = (X509_load_cert_crl_file(ctx, file, X509_FILETYPE_PEM) != 0); |