Initial support for pledges in openssl(1) commands.

openssl(1) has two mechanisms for operating: either a single execution
of one command (looking at argv[0] or argv[1]) or as an interactive
session than may execute any number of commands.

We already have a top level pledge that should cover all commands
and that's what interactive mode must continue using.  However, we can
tighten up the pledges when only executing one command.

This is an initial stab at support and may contain regressions.  Most
commands only need "stdio rpath wpath cpath".  The pledges could be
further restricted by evaluating the situation after parsing options.

deraadt@ and beck@ are roughly fine with this approach.

47 files changed, 281 insertions, 46 deletions

diff --git a/src/usr.bin/openssl/apps.h b/src/usr.bin/openssl/apps.h
index bb9fd0dd7a..4813fa35df 100644
--- a/src/usr.bin/openssl/apps.h
+++ b/src/usr.bin/openssl/apps.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: apps.h,v 1.16 2015/09/13 12:41:01 bcook Exp $ */
+/* $OpenBSD: apps.h,v 1.17 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -126,6 +126,9 @@
 #include <openssl/ocsp.h>
 #endif
 
+#include <unistd.h>
+extern int single_execution;
+
 extern CONF *config;
 extern char *default_config_file;
 extern BIO *bio_err;
diff --git a/src/usr.bin/openssl/asn1pars.c b/src/usr.bin/openssl/asn1pars.c
index da3bf761ce..2ce9d1a3ba 100644
--- a/src/usr.bin/openssl/asn1pars.c
+++ b/src/usr.bin/openssl/asn1pars.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1pars.c,v 1.4 2015/08/19 18:25:31 deraadt Exp $ */
+/* $OpenBSD: asn1pars.c,v 1.5 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -247,6 +247,11 @@ asn1parse_main(int argc, char **argv)
         BUF_MEM *buf = NULL;
         ASN1_TYPE *at = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&asn1pars_config, 0, sizeof(asn1pars_config));
 
         asn1pars_config.informat = FORMAT_PEM;
diff --git a/src/usr.bin/openssl/ca.c b/src/usr.bin/openssl/ca.c
index e32abcdf21..0b246aeb15 100644
--- a/src/usr.bin/openssl/ca.c
+++ b/src/usr.bin/openssl/ca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ca.c,v 1.16 2015/09/21 13:31:26 bcook Exp $ */
+/* $OpenBSD: ca.c,v 1.17 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -286,6 +286,11 @@ ca_main(int argc, char **argv)
         const char *errstr = NULL;
         DB_ATTR db_attr;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         conf = NULL;
         key = NULL;
         section = NULL;
diff --git a/src/usr.bin/openssl/certhash.c b/src/usr.bin/openssl/certhash.c
index 77e641cef5..bd0ac54ecf 100644
--- a/src/usr.bin/openssl/certhash.c
+++ b/src/usr.bin/openssl/certhash.c
@@ -649,6 +649,11 @@ certhash_main(int argc, char **argv)
         int argsused;
         int i, cwdfd, ret = 0;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&certhash_config, 0, sizeof(certhash_config));
 
         if (options_parse(argc, argv, certhash_options, NULL, &argsused) != 0) {
diff --git a/src/usr.bin/openssl/ciphers.c b/src/usr.bin/openssl/ciphers.c
index 18b8d3e4d9..caa40854ea 100644
--- a/src/usr.bin/openssl/ciphers.c
+++ b/src/usr.bin/openssl/ciphers.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ciphers.c,v 1.6 2015/08/19 18:25:31 deraadt Exp $ */
+/* $OpenBSD: ciphers.c,v 1.7 2015/10/10 22:28:51 doug Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -81,6 +81,11 @@ ciphers_main(int argc, char **argv)
         int i, rv = 0;
         char *desc;
 
+        if (single_execution) {
+                if (pledge("stdio rpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&ciphers_config, 0, sizeof(ciphers_config));
 
         if (options_parse(argc, argv, ciphers_options, &cipherlist,
diff --git a/src/usr.bin/openssl/cms.c b/src/usr.bin/openssl/cms.c
index fccac23db7..29429f53e0 100644
--- a/src/usr.bin/openssl/cms.c
+++ b/src/usr.bin/openssl/cms.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms.c,v 1.3 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: cms.c,v 1.4 2015/10/10 22:28:51 doug Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -135,6 +135,11 @@ cms_main(int argc, char **argv)
 
         X509_VERIFY_PARAM *vpm = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         args = argv + 1;
         ret = 1;
 
diff --git a/src/usr.bin/openssl/crl.c b/src/usr.bin/openssl/crl.c
index 4ab9e6c615..47173ec5ed 100644
--- a/src/usr.bin/openssl/crl.c
+++ b/src/usr.bin/openssl/crl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: crl.c,v 1.7 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: crl.c,v 1.8 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -230,6 +230,11 @@ crl_main(int argc, char **argv)
         const EVP_MD *digest;
         char *digest_name = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         if (bio_out == NULL) {
                 if ((bio_out = BIO_new(BIO_s_file())) != NULL) {
                         BIO_set_fp(bio_out, stdout, BIO_NOCLOSE);
diff --git a/src/usr.bin/openssl/crl2p7.c b/src/usr.bin/openssl/crl2p7.c
index 4df986d325..3935bd18e0 100644
--- a/src/usr.bin/openssl/crl2p7.c
+++ b/src/usr.bin/openssl/crl2p7.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: crl2p7.c,v 1.4 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: crl2p7.c,v 1.5 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -169,6 +169,11 @@ crl2pkcs7_main(int argc, char **argv)
         STACK_OF(X509) *cert_stack = NULL;
         int ret = 1;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&crl2p7_config, 0, sizeof(crl2p7_config));
 
         crl2p7_config.informat = FORMAT_PEM;
diff --git a/src/usr.bin/openssl/dgst.c b/src/usr.bin/openssl/dgst.c
index 94d98ac6a4..b4632eefa3 100644
--- a/src/usr.bin/openssl/dgst.c
+++ b/src/usr.bin/openssl/dgst.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dgst.c,v 1.6 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: dgst.c,v 1.7 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -123,6 +123,11 @@ dgst_main(int argc, char **argv)
         char *mac_name = NULL;
         STACK_OF(OPENSSL_STRING) * sigopts = NULL, *macopts = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         if ((buf = malloc(BUFSIZE)) == NULL) {
                 BIO_printf(bio_err, "out of memory\n");
                 goto end;
diff --git a/src/usr.bin/openssl/dh.c b/src/usr.bin/openssl/dh.c
index f4112e87c2..7e8d65d1f6 100644
--- a/src/usr.bin/openssl/dh.c
+++ b/src/usr.bin/openssl/dh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh.c,v 1.6 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: dh.c,v 1.7 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -158,6 +158,11 @@ dh_main(int argc, char **argv)
         BIO *in = NULL, *out = NULL;
         int ret = 1;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&dh_config, 0, sizeof(dh_config));
 
         dh_config.informat = FORMAT_PEM;
diff --git a/src/usr.bin/openssl/dhparam.c b/src/usr.bin/openssl/dhparam.c
index 158a07a572..55b75663b3 100644
--- a/src/usr.bin/openssl/dhparam.c
+++ b/src/usr.bin/openssl/dhparam.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dhparam.c,v 1.6 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: dhparam.c,v 1.7 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -243,6 +243,11 @@ dhparam_main(int argc, char **argv)
         int ret = 1;
         int i;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&dhparam_config, 0, sizeof(dhparam_config));
 
         dhparam_config.informat = FORMAT_PEM;
diff --git a/src/usr.bin/openssl/dsa.c b/src/usr.bin/openssl/dsa.c
index 813e163662..2c4feea0d5 100644
--- a/src/usr.bin/openssl/dsa.c
+++ b/src/usr.bin/openssl/dsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: dsa.c,v 1.6 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -240,6 +240,11 @@ dsa_main(int argc, char **argv)
         BIO *in = NULL, *out = NULL;
         char *passin = NULL, *passout = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&dsa_config, 0, sizeof(dsa_config));
 
         dsa_config.pvk_encr = 2;
diff --git a/src/usr.bin/openssl/dsaparam.c b/src/usr.bin/openssl/dsaparam.c
index 0cdd5c1d51..73249498fc 100644
--- a/src/usr.bin/openssl/dsaparam.c
+++ b/src/usr.bin/openssl/dsaparam.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsaparam.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: dsaparam.c,v 1.6 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -168,6 +168,11 @@ dsaparam_main(int argc, char **argv)
         int numbits = -1;
         char *strbits = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&dsaparam_config, 0, sizeof(dsaparam_config));
 
         dsaparam_config.informat = FORMAT_PEM;
diff --git a/src/usr.bin/openssl/ec.c b/src/usr.bin/openssl/ec.c
index d5fe68f0d8..b4e2fe1daa 100644
--- a/src/usr.bin/openssl/ec.c
+++ b/src/usr.bin/openssl/ec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: ec.c,v 1.6 2015/10/10 22:28:51 doug Exp $ */
 /*
  * Written by Nils Larsch for the OpenSSL project.
  */
@@ -277,6 +277,11 @@ ec_main(int argc, char **argv)
         BIO *in = NULL, *out = NULL;
         char *passin = NULL, *passout = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&ec_config, 0, sizeof(ec_config));
 
         ec_config.asn1_flag = OPENSSL_EC_NAMED_CURVE;
diff --git a/src/usr.bin/openssl/ecparam.c b/src/usr.bin/openssl/ecparam.c
index 6adac863d5..bd0c5b8cc0 100644
--- a/src/usr.bin/openssl/ecparam.c
+++ b/src/usr.bin/openssl/ecparam.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecparam.c,v 1.13 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: ecparam.c,v 1.14 2015/10/10 22:28:51 doug Exp $ */
 /*
  * Written by Nils Larsch for the OpenSSL project.
  */
@@ -259,6 +259,11 @@ ecparam_main(int argc, char **argv)
         BIO *in = NULL, *out = NULL;
         int i, ret = 1;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&ecparam_config, 0, sizeof(ecparam_config));
         ecparam_config.asn1_flag = OPENSSL_EC_NAMED_CURVE;
         ecparam_config.form = POINT_CONVERSION_UNCOMPRESSED;
diff --git a/src/usr.bin/openssl/enc.c b/src/usr.bin/openssl/enc.c
index 6eb804fd49..d7103823d3 100644
--- a/src/usr.bin/openssl/enc.c
+++ b/src/usr.bin/openssl/enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: enc.c,v 1.7 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: enc.c,v 1.8 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -338,6 +338,11 @@ enc_main(int argc, char **argv)
         char pname[PROG_NAME_SIZE + 1];
         int i;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&enc_config, 0, sizeof(enc_config));
         enc_config.enc = 1;
 
diff --git a/src/usr.bin/openssl/errstr.c b/src/usr.bin/openssl/errstr.c
index 9cf7bfba4b..7bd97d99b0 100644
--- a/src/usr.bin/openssl/errstr.c
+++ b/src/usr.bin/openssl/errstr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: errstr.c,v 1.4 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: errstr.c,v 1.5 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -98,6 +98,11 @@ errstr_main(int argc, char **argv)
         char buf[256];
         int ret = 0;
 
+        if (single_execution) {
+                if (pledge("stdio rpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&errstr_config, 0, sizeof(errstr_config));
 
         if (options_parse(argc, argv, errstr_options, NULL, &argsused) != 0) {
diff --git a/src/usr.bin/openssl/gendh.c b/src/usr.bin/openssl/gendh.c
index 208906e24c..ceea237be1 100644
--- a/src/usr.bin/openssl/gendh.c
+++ b/src/usr.bin/openssl/gendh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gendh.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: gendh.c,v 1.6 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -134,6 +134,11 @@ gendh_main(int argc, char **argv)
         BIO *out = NULL;
         char *strbits = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         BN_GENCB_set(&cb, dh_cb, bio_err);
 
         memset(&gendh_config, 0, sizeof(gendh_config));
diff --git a/src/usr.bin/openssl/gendsa.c b/src/usr.bin/openssl/gendsa.c
index ee2d6ba1b6..002380a1b9 100644
--- a/src/usr.bin/openssl/gendsa.c
+++ b/src/usr.bin/openssl/gendsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gendsa.c,v 1.4 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: gendsa.c,v 1.5 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -85,6 +85,11 @@ gendsa_main(int argc, char **argv)
         BIO *out = NULL, *in = NULL;
         const EVP_CIPHER *enc = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         argv++;
         argc--;
         for (;;) {
diff --git a/src/usr.bin/openssl/genpkey.c b/src/usr.bin/openssl/genpkey.c
index d76e2febd8..4d11bc3c33 100644
--- a/src/usr.bin/openssl/genpkey.c
+++ b/src/usr.bin/openssl/genpkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: genpkey.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: genpkey.c,v 1.6 2015/10/10 22:28:51 doug Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006
  */
@@ -86,6 +86,11 @@ genpkey_main(int argc, char **argv)
 
         int do_param = 0;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         outformat = FORMAT_PEM;
 
         args = argv + 1;
diff --git a/src/usr.bin/openssl/genrsa.c b/src/usr.bin/openssl/genrsa.c
index 9f78f0d65d..1ca8713ed2 100644
--- a/src/usr.bin/openssl/genrsa.c
+++ b/src/usr.bin/openssl/genrsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: genrsa.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: genrsa.c,v 1.6 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -100,6 +100,11 @@ genrsa_main(int argc, char **argv)
         BIGNUM *bn = BN_new();
         RSA *rsa = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         if (!bn)
                 goto err;
 
diff --git a/src/usr.bin/openssl/nseq.c b/src/usr.bin/openssl/nseq.c
index b73f512aee..15df3ffd40 100644
--- a/src/usr.bin/openssl/nseq.c
+++ b/src/usr.bin/openssl/nseq.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: nseq.c,v 1.4 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: nseq.c,v 1.5 2015/10/10 22:28:51 doug Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -109,6 +109,11 @@ nseq_main(int argc, char **argv)
         NETSCAPE_CERT_SEQUENCE *seq = NULL;
         int i, ret = 1;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&nseq_config, 0, sizeof(nseq_config));
 
         if (options_parse(argc, argv, nseq_options, NULL, NULL) != 0) {
diff --git a/src/usr.bin/openssl/ocsp.c b/src/usr.bin/openssl/ocsp.c
index 3a6ac36b1e..c3b1b168ba 100644
--- a/src/usr.bin/openssl/ocsp.c
+++ b/src/usr.bin/openssl/ocsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp.c,v 1.5 2015/10/03 03:39:19 deraadt Exp $ */
+/* $OpenBSD: ocsp.c,v 1.6 2015/10/10 22:28:51 doug Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -146,6 +146,11 @@ ocsp_main(int argc, char **argv)
         const EVP_MD *cert_id_md = NULL;
         const char *errstr = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio inet rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         args = argv + 1;
         reqnames = sk_OPENSSL_STRING_new_null();
         ids = sk_OCSP_CERTID_new_null();
diff --git a/src/usr.bin/openssl/openssl.c b/src/usr.bin/openssl/openssl.c
index 9db7e5b4eb..e842d6cc65 100644
--- a/src/usr.bin/openssl/openssl.c
+++ b/src/usr.bin/openssl/openssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: openssl.c,v 1.16 2015/10/10 20:18:30 deraadt Exp $ */
+/* $OpenBSD: openssl.c,v 1.17 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -137,6 +137,8 @@
 #define FUNC_TYPE_MD_ALG        5
 #define FUNC_TYPE_CIPHER_ALG    6
 
+int single_execution = 0;
+
 typedef struct {
         int type;
         const char *name;
@@ -499,6 +501,8 @@ main(int argc, char **argv)
         fp = lh_FUNCTION_retrieve(prog, &f);
         if (fp != NULL) {
                 argv[0] = pname;
+
+                single_execution = 1;
                 ret = fp->func(argc, argv);
                 goto end;
         }
@@ -509,6 +513,8 @@ main(int argc, char **argv)
         if (argc != 1) {
                 argc--;
                 argv++;
+
+                single_execution = 1;
                 ret = do_cmd(prog, argc, argv);
                 if (ret < 0)
                         ret = 0;
diff --git a/src/usr.bin/openssl/passwd.c b/src/usr.bin/openssl/passwd.c
index b6285649e7..58fc5ecb4b 100644
--- a/src/usr.bin/openssl/passwd.c
+++ b/src/usr.bin/openssl/passwd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: passwd.c,v 1.4 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: passwd.c,v 1.5 2015/10/10 22:28:51 doug Exp $ */
 
 #if defined OPENSSL_NO_MD5
 #define NO_MD5CRYPT_1
@@ -145,6 +145,11 @@ passwd_main(int argc, char **argv)
         int argsused;
         int ret = 1;
 
+        if (single_execution) {
+                if (pledge("stdio rpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&passwd_config, 0, sizeof(passwd_config));
 
         if (options_parse(argc, argv, passwd_options, NULL, &argsused) != 0) {
diff --git a/src/usr.bin/openssl/pkcs12.c b/src/usr.bin/openssl/pkcs12.c
index eaa7bcceac..f8d8cc6115 100644
--- a/src/usr.bin/openssl/pkcs12.c
+++ b/src/usr.bin/openssl/pkcs12.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkcs12.c,v 1.4 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: pkcs12.c,v 1.5 2015/10/10 22:28:51 doug Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -124,6 +124,11 @@ pkcs12_main(int argc, char **argv)
         char *macalg = NULL;
         char *CApath = NULL, *CAfile = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
 
         enc = EVP_des_ede3_cbc();
diff --git a/src/usr.bin/openssl/pkcs7.c b/src/usr.bin/openssl/pkcs7.c
index 717928d27b..c29a9c8df2 100644
--- a/src/usr.bin/openssl/pkcs7.c
+++ b/src/usr.bin/openssl/pkcs7.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkcs7.c,v 1.6 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: pkcs7.c,v 1.7 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -154,6 +154,11 @@ pkcs7_main(int argc, char **argv)
         int ret = 1;
         int i;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&pkcs7_config, 0, sizeof(pkcs7_config));
 
         pkcs7_config.informat = FORMAT_PEM;
diff --git a/src/usr.bin/openssl/pkcs8.c b/src/usr.bin/openssl/pkcs8.c
index b3ccd1966e..4ac2af012a 100644
--- a/src/usr.bin/openssl/pkcs8.c
+++ b/src/usr.bin/openssl/pkcs8.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkcs8.c,v 1.6 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: pkcs8.c,v 1.7 2015/10/10 22:28:51 doug Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999-2004.
  */
@@ -226,6 +226,11 @@ pkcs8_main(int argc, char **argv)
         char pass[50], *passin = NULL, *passout = NULL, *p8pass = NULL;
         int ret = 1;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&pkcs8_config, 0, sizeof(pkcs8_config));
 
         pkcs8_config.iter = PKCS12_DEFAULT_ITER;
diff --git a/src/usr.bin/openssl/pkey.c b/src/usr.bin/openssl/pkey.c
index 72c03181f6..d1ddf5a929 100644
--- a/src/usr.bin/openssl/pkey.c
+++ b/src/usr.bin/openssl/pkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkey.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: pkey.c,v 1.6 2015/10/10 22:28:51 doug Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006
  */
@@ -79,6 +79,11 @@ pkey_main(int argc, char **argv)
         int badarg = 0;
         int ret = 1;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         informat = FORMAT_PEM;
         outformat = FORMAT_PEM;
 
diff --git a/src/usr.bin/openssl/pkeyparam.c b/src/usr.bin/openssl/pkeyparam.c
index 8f4d3a53f4..cb40fbb3ed 100644
--- a/src/usr.bin/openssl/pkeyparam.c
+++ b/src/usr.bin/openssl/pkeyparam.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkeyparam.c,v 1.7 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: pkeyparam.c,v 1.8 2015/10/10 22:28:51 doug Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006
  */
@@ -118,6 +118,11 @@ pkeyparam_main(int argc, char **argv)
         EVP_PKEY *pkey = NULL;
         int ret = 1;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&pkeyparam_config, 0, sizeof(pkeyparam_config));
 
         if (options_parse(argc, argv, pkeyparam_options, NULL, NULL) != 0) {
diff --git a/src/usr.bin/openssl/pkeyutl.c b/src/usr.bin/openssl/pkeyutl.c
index 2caa61e282..64d1f90f50 100644
--- a/src/usr.bin/openssl/pkeyutl.c
+++ b/src/usr.bin/openssl/pkeyutl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkeyutl.c,v 1.7 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: pkeyutl.c,v 1.8 2015/10/10 22:28:51 doug Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
@@ -100,6 +100,11 @@ pkeyutl_main(int argc, char **argv)
 
         int ret = 1, rv = -1;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         argc--;
         argv++;
 
diff --git a/src/usr.bin/openssl/prime.c b/src/usr.bin/openssl/prime.c
index 55fac455e9..13398b01b0 100644
--- a/src/usr.bin/openssl/prime.c
+++ b/src/usr.bin/openssl/prime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: prime.c,v 1.8 2015/09/12 15:04:06 lteo Exp $ */
+/* $OpenBSD: prime.c,v 1.9 2015/10/10 22:28:51 doug Exp $ */
 /* ====================================================================
  * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
  *
@@ -118,6 +118,11 @@ prime_main(int argc, char **argv)
         char *s;
         int ret = 1;
 
+        if (single_execution) {
+                if (pledge("stdio rpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&prime_config, 0, sizeof(prime_config));
 
         /* Default iterations for Miller-Rabin probabilistic primality test. */
diff --git a/src/usr.bin/openssl/rand.c b/src/usr.bin/openssl/rand.c
index b0df4eb1b5..2377c6e72b 100644
--- a/src/usr.bin/openssl/rand.c
+++ b/src/usr.bin/openssl/rand.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rand.c,v 1.8 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: rand.c,v 1.9 2015/10/10 22:28:51 doug Exp $ */
 /* ====================================================================
  * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
  *
@@ -109,6 +109,11 @@ rand_main(int argc, char **argv)
         int i, r;
         BIO *out = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&rand_config, 0, sizeof(rand_config));
 
         if (options_parse(argc, argv, rand_options, &num_bytes, NULL) != 0) {
diff --git a/src/usr.bin/openssl/req.c b/src/usr.bin/openssl/req.c
index c7256ae59a..032944b233 100644
--- a/src/usr.bin/openssl/req.c
+++ b/src/usr.bin/openssl/req.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: req.c,v 1.9 2015/09/14 01:45:03 doug Exp $ */
+/* $OpenBSD: req.c,v 1.10 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -176,6 +176,11 @@ req_main(int argc, char **argv)
         const EVP_MD *md_alg = NULL, *digest = NULL;
         unsigned long chtype = MBSTRING_ASC;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         req_conf = NULL;
         cipher = EVP_aes_256_cbc();
         digest = EVP_sha256();
diff --git a/src/usr.bin/openssl/rsa.c b/src/usr.bin/openssl/rsa.c
index 708332a8d1..a5737605fe 100644
--- a/src/usr.bin/openssl/rsa.c
+++ b/src/usr.bin/openssl/rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: rsa.c,v 1.6 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -268,6 +268,11 @@ rsa_main(int argc, char **argv)
         BIO *out = NULL;
         char *passin = NULL, *passout = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&rsa_config, 0, sizeof(rsa_config));
         rsa_config.pvk_encr = 2;
         rsa_config.informat = FORMAT_PEM;
diff --git a/src/usr.bin/openssl/rsautl.c b/src/usr.bin/openssl/rsautl.c
index 2e9793297b..92dceff8a1 100644
--- a/src/usr.bin/openssl/rsautl.c
+++ b/src/usr.bin/openssl/rsautl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsautl.c,v 1.7 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: rsautl.c,v 1.8 2015/10/10 22:28:51 doug Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -98,6 +98,11 @@ rsautl_main(int argc, char **argv)
 
         int ret = 1;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         argc--;
         argv++;
 
diff --git a/src/usr.bin/openssl/s_client.c b/src/usr.bin/openssl/s_client.c
index 6d250f177f..63f30389c4 100644
--- a/src/usr.bin/openssl/s_client.c
+++ b/src/usr.bin/openssl/s_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_client.c,v 1.20 2015/10/06 03:29:49 deraadt Exp $ */
+/* $OpenBSD: s_client.c,v 1.21 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -364,6 +364,11 @@ s_client_main(int argc, char **argv)
         int enable_timeouts = 0;
         long socket_mtu = 0;
 
+        if (single_execution) {
+                if (pledge("stdio inet rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         meth = SSLv23_client_method();
 
         c_Pause = 0;
diff --git a/src/usr.bin/openssl/s_server.c b/src/usr.bin/openssl/s_server.c
index 11e9814135..198508398b 100644
--- a/src/usr.bin/openssl/s_server.c
+++ b/src/usr.bin/openssl/s_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_server.c,v 1.19 2015/10/06 03:29:49 deraadt Exp $ */
+/* $OpenBSD: s_server.c,v 1.20 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -603,6 +603,12 @@ s_server_main(int argc, char *argv[])
         tlsextnextprotoctx next_proto = { NULL, 0 };
         const char *alpn_in = NULL;
         tlsextalpnctx alpn_ctx = { NULL, 0 };
+
+        if (single_execution) {
+                if (pledge("stdio inet rpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         meth = SSLv23_server_method();
 
         local_argc = argc;
diff --git a/src/usr.bin/openssl/s_time.c b/src/usr.bin/openssl/s_time.c
index c102726b7e..417ff81f3f 100644
--- a/src/usr.bin/openssl/s_time.c
+++ b/src/usr.bin/openssl/s_time.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_time.c,v 1.12 2015/09/11 14:43:57 lteo Exp $ */
+/* $OpenBSD: s_time.c,v 1.13 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -258,6 +258,11 @@ s_time_main(int argc, char **argv)
         char buf[1024 * 8];
         int ver;
 
+        if (single_execution) {
+                if (pledge("stdio inet rpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         s_time_meth = SSLv23_client_method();
 
         verify_depth = 0;
diff --git a/src/usr.bin/openssl/sess_id.c b/src/usr.bin/openssl/sess_id.c
index d7f3339509..7bf14adbea 100644
--- a/src/usr.bin/openssl/sess_id.c
+++ b/src/usr.bin/openssl/sess_id.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sess_id.c,v 1.5 2015/08/19 18:25:31 deraadt Exp $ */
+/* $OpenBSD: sess_id.c,v 1.6 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -158,6 +158,11 @@ sess_id_main(int argc, char **argv)
         int ret = 1, i;
         BIO *out = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&sess_id_config, 0, sizeof(sess_id_config));
 
         sess_id_config.informat = FORMAT_PEM;
diff --git a/src/usr.bin/openssl/smime.c b/src/usr.bin/openssl/smime.c
index d981335179..fee7c71e76 100644
--- a/src/usr.bin/openssl/smime.c
+++ b/src/usr.bin/openssl/smime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: smime.c,v 1.4 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: smime.c,v 1.5 2015/10/10 22:28:51 doug Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -112,6 +112,11 @@ smime_main(int argc, char **argv)
 
         X509_VERIFY_PARAM *vpm = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         args = argv + 1;
         ret = 1;
 
diff --git a/src/usr.bin/openssl/speed.c b/src/usr.bin/openssl/speed.c
index 1657a43c02..cc555afe8c 100644
--- a/src/usr.bin/openssl/speed.c
+++ b/src/usr.bin/openssl/speed.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: speed.c,v 1.16 2015/09/20 13:39:13 miod Exp $ */
+/* $OpenBSD: speed.c,v 1.17 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -469,6 +469,11 @@ speed_main(int argc, char **argv)
         int multi = 0;
         const char *errstr = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio proc", NULL) == -1)
+                        perror("pledge");
+        }
+
         usertime = -1;
 
         memset(results, 0, sizeof(results));
diff --git a/src/usr.bin/openssl/spkac.c b/src/usr.bin/openssl/spkac.c
index b635b5e3b2..1c8b7073d8 100644
--- a/src/usr.bin/openssl/spkac.c
+++ b/src/usr.bin/openssl/spkac.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: spkac.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: spkac.c,v 1.6 2015/10/10 22:28:51 doug Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999. Based on an original idea by Massimiliano Pala
  * (madwolf@openca.org).
@@ -181,6 +181,11 @@ spkac_main(int argc, char **argv)
         NETSCAPE_SPKI *spki = NULL;
         EVP_PKEY *pkey = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&spkac_config, 0, sizeof(spkac_config));
         spkac_config.spkac = "SPKAC";
         spkac_config.spksect = "default";
diff --git a/src/usr.bin/openssl/ts.c b/src/usr.bin/openssl/ts.c
index 93d258d583..04ff60ae48 100644
--- a/src/usr.bin/openssl/ts.c
+++ b/src/usr.bin/openssl/ts.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts.c,v 1.10 2015/09/21 13:13:06 bcook Exp $ */
+/* $OpenBSD: ts.c,v 1.11 2015/10/10 22:28:51 doug Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2002.
  */
@@ -149,6 +149,11 @@ ts_main(int argc, char **argv)
         /* Output is ContentInfo instead of TimeStampResp. */
         int token_out = 0;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         for (argc--, argv++; argc > 0; argc--, argv++) {
                 if (strcmp(*argv, "-config") == 0) {
                         if (argc-- < 1)
diff --git a/src/usr.bin/openssl/verify.c b/src/usr.bin/openssl/verify.c
index 62ca63f01b..4975ad5b6e 100644
--- a/src/usr.bin/openssl/verify.c
+++ b/src/usr.bin/openssl/verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: verify.c,v 1.4 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: verify.c,v 1.5 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -85,6 +85,11 @@ verify_main(int argc, char **argv)
         X509_LOOKUP *lookup = NULL;
         X509_VERIFY_PARAM *vpm = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         cert_ctx = X509_STORE_new();
         if (cert_ctx == NULL)
                 goto end;
diff --git a/src/usr.bin/openssl/version.c b/src/usr.bin/openssl/version.c
index f47369df9d..e096f89969 100644
--- a/src/usr.bin/openssl/version.c
+++ b/src/usr.bin/openssl/version.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: version.c,v 1.6 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: version.c,v 1.7 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -213,6 +213,11 @@ version_usage(void)
 int
 version_main(int argc, char **argv)
 {
+        if (single_execution) {
+                if (pledge("stdio", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&version_config, 0, sizeof(version_config));
 
         if (options_parse(argc, argv, version_options, NULL, NULL) != 0) {
diff --git a/src/usr.bin/openssl/x509.c b/src/usr.bin/openssl/x509.c
index ec592c29d7..07c28789d3 100644
--- a/src/usr.bin/openssl/x509.c
+++ b/src/usr.bin/openssl/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.9 2015/10/01 06:31:21 jsing Exp $ */
+/* $OpenBSD: x509.c,v 1.10 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -198,6 +198,11 @@ x509_main(int argc, char **argv)
         unsigned long nmflag = 0, certflag = 0;
         const char *errstr = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         reqfile = 0;
 
         STDout = BIO_new_fp(stdout, BIO_NOCLOSE);