summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--src/lib/libcrypto/conf/conf_api.c13
-rw-r--r--src/lib/libcrypto/conf/conf_mod.c7
-rw-r--r--src/lib/libcrypto/engine/eng_list.c5
-rw-r--r--src/lib/libcrypto/x509/by_dir.c5
-rw-r--r--src/lib/libcrypto/x509/by_file.c7
-rw-r--r--src/lib/libssl/src/crypto/conf/conf_api.c13
-rw-r--r--src/lib/libssl/src/crypto/conf/conf_mod.c7
-rw-r--r--src/lib/libssl/src/crypto/engine/eng_list.c5
-rw-r--r--src/lib/libssl/src/crypto/x509/by_dir.c5
-rw-r--r--src/lib/libssl/src/crypto/x509/by_file.c7
10 files changed, 48 insertions, 26 deletions
diff --git a/src/lib/libcrypto/conf/conf_api.c b/src/lib/libcrypto/conf/conf_api.c
index 21ce4d9fe5..7480dda3d5 100644
--- a/src/lib/libcrypto/conf/conf_api.c
+++ b/src/lib/libcrypto/conf/conf_api.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: conf_api.c,v 1.10 2014/06/12 15:49:28 deraadt Exp $ */ 1/* $OpenBSD: conf_api.c,v 1.11 2014/06/23 22:19:02 deraadt Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -66,6 +66,7 @@
66#include <assert.h> 66#include <assert.h>
67#include <stdlib.h> 67#include <stdlib.h>
68#include <string.h> 68#include <string.h>
69#include <unistd.h>
69#include <openssl/conf.h> 70#include <openssl/conf.h>
70#include <openssl/conf_api.h> 71#include <openssl/conf_api.h>
71 72
@@ -142,7 +143,10 @@ _CONF_get_string(const CONF *conf, const char *section, const char *name)
142 if (v != NULL) 143 if (v != NULL)
143 return (v->value); 144 return (v->value);
144 if (strcmp(section, "ENV") == 0) { 145 if (strcmp(section, "ENV") == 0) {
145 p = getenv(name); 146 if (issetugid() == 0)
147 p = getenv(name);
148 else
149 p = NULL;
146 if (p != NULL) 150 if (p != NULL)
147 return (p); 151 return (p);
148 } 152 }
@@ -154,8 +158,11 @@ _CONF_get_string(const CONF *conf, const char *section, const char *name)
154 return (v->value); 158 return (v->value);
155 else 159 else
156 return (NULL); 160 return (NULL);
157 } else 161 } else {
162 if (issetugid())
163 return (NULL);
158 return (getenv(name)); 164 return (getenv(name));
165 }
159} 166}
160 167
161#if 0 /* There's no way to provide error checking with this function, so 168#if 0 /* There's no way to provide error checking with this function, so
diff --git a/src/lib/libcrypto/conf/conf_mod.c b/src/lib/libcrypto/conf/conf_mod.c
index ae62f4abde..e58582a5ec 100644
--- a/src/lib/libcrypto/conf/conf_mod.c
+++ b/src/lib/libcrypto/conf/conf_mod.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: conf_mod.c,v 1.20 2014/06/12 15:49:28 deraadt Exp $ */ 1/* $OpenBSD: conf_mod.c,v 1.21 2014/06/23 22:19:02 deraadt Exp $ */
2/* Written by Stephen Henson (steve@openssl.org) for the OpenSSL 2/* Written by Stephen Henson (steve@openssl.org) for the OpenSSL
3 * project 2001. 3 * project 2001.
4 */ 4 */
@@ -541,9 +541,10 @@ CONF_module_set_usr_data(CONF_MODULE *pmod, void *usr_data)
541char * 541char *
542CONF_get1_default_config_file(void) 542CONF_get1_default_config_file(void)
543{ 543{
544 char *file; 544 char *file = NULL;
545 545
546 file = getenv("OPENSSL_CONF"); 546 if (issetugid() == 0)
547 file = getenv("OPENSSL_CONF");
547 if (file) 548 if (file)
548 return BUF_strdup(file); 549 return BUF_strdup(file);
549 if (asprintf(&file, "%s/openssl.cnf", 550 if (asprintf(&file, "%s/openssl.cnf",
diff --git a/src/lib/libcrypto/engine/eng_list.c b/src/lib/libcrypto/engine/eng_list.c
index 053767c646..22e2abb01d 100644
--- a/src/lib/libcrypto/engine/eng_list.c
+++ b/src/lib/libcrypto/engine/eng_list.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: eng_list.c,v 1.10 2014/06/22 12:15:53 jsing Exp $ */ 1/* $OpenBSD: eng_list.c,v 1.11 2014/06/23 22:19:02 deraadt Exp $ */
2/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL 2/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
3 * project 2000. 3 * project 2000.
4 */ 4 */
@@ -385,7 +385,8 @@ ENGINE_by_id(const char *id)
385 return iterator; 385 return iterator;
386 /* Prevent infinite recusrion if we're looking for the dynamic engine. */ 386 /* Prevent infinite recusrion if we're looking for the dynamic engine. */
387 if (strcmp(id, "dynamic")) { 387 if (strcmp(id, "dynamic")) {
388 if ((load_dir = getenv("OPENSSL_ENGINES")) == 0) 388 if (issetugid() == 0 ||
389 (load_dir = getenv("OPENSSL_ENGINES")) == 0)
389 load_dir = ENGINESDIR; 390 load_dir = ENGINESDIR;
390 iterator = ENGINE_by_id("dynamic"); 391 iterator = ENGINE_by_id("dynamic");
391 if (!iterator || 392 if (!iterator ||
diff --git a/src/lib/libcrypto/x509/by_dir.c b/src/lib/libcrypto/x509/by_dir.c
index 21ba0a7bc2..187eba4515 100644
--- a/src/lib/libcrypto/x509/by_dir.c
+++ b/src/lib/libcrypto/x509/by_dir.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: by_dir.c,v 1.27 2014/06/19 21:23:48 tedu Exp $ */ 1/* $OpenBSD: by_dir.c,v 1.28 2014/06/23 22:19:02 deraadt Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -132,7 +132,8 @@ dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
132 switch (cmd) { 132 switch (cmd) {
133 case X509_L_ADD_DIR: 133 case X509_L_ADD_DIR:
134 if (argl == X509_FILETYPE_DEFAULT) { 134 if (argl == X509_FILETYPE_DEFAULT) {
135 dir = (char *)getenv(X509_get_default_cert_dir_env()); 135 if (issetugid() == 0)
136 dir = getenv(X509_get_default_cert_dir_env());
136 if (dir) 137 if (dir)
137 ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM); 138 ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
138 else 139 else
diff --git a/src/lib/libcrypto/x509/by_file.c b/src/lib/libcrypto/x509/by_file.c
index ca010032eb..bb296e2a42 100644
--- a/src/lib/libcrypto/x509/by_file.c
+++ b/src/lib/libcrypto/x509/by_file.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: by_file.c,v 1.12 2014/06/12 15:49:31 deraadt Exp $ */ 1/* $OpenBSD: by_file.c,v 1.13 2014/06/23 22:19:02 deraadt Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -94,12 +94,13 @@ by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
94 char **ret) 94 char **ret)
95{ 95{
96 int ok = 0; 96 int ok = 0;
97 char *file; 97 char *file = NULL;
98 98
99 switch (cmd) { 99 switch (cmd) {
100 case X509_L_FILE_LOAD: 100 case X509_L_FILE_LOAD:
101 if (argl == X509_FILETYPE_DEFAULT) { 101 if (argl == X509_FILETYPE_DEFAULT) {
102 file = (char *)getenv(X509_get_default_cert_file_env()); 102 if (issetugid() == 0)
103 file = getenv(X509_get_default_cert_file_env());
103 if (file) 104 if (file)
104 ok = (X509_load_cert_crl_file(ctx, file, 105 ok = (X509_load_cert_crl_file(ctx, file,
105 X509_FILETYPE_PEM) != 0); 106 X509_FILETYPE_PEM) != 0);
diff --git a/src/lib/libssl/src/crypto/conf/conf_api.c b/src/lib/libssl/src/crypto/conf/conf_api.c
index 21ce4d9fe5..7480dda3d5 100644
--- a/src/lib/libssl/src/crypto/conf/conf_api.c
+++ b/src/lib/libssl/src/crypto/conf/conf_api.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: conf_api.c,v 1.10 2014/06/12 15:49:28 deraadt Exp $ */ 1/* $OpenBSD: conf_api.c,v 1.11 2014/06/23 22:19:02 deraadt Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -66,6 +66,7 @@
66#include <assert.h> 66#include <assert.h>
67#include <stdlib.h> 67#include <stdlib.h>
68#include <string.h> 68#include <string.h>
69#include <unistd.h>
69#include <openssl/conf.h> 70#include <openssl/conf.h>
70#include <openssl/conf_api.h> 71#include <openssl/conf_api.h>
71 72
@@ -142,7 +143,10 @@ _CONF_get_string(const CONF *conf, const char *section, const char *name)
142 if (v != NULL) 143 if (v != NULL)
143 return (v->value); 144 return (v->value);
144 if (strcmp(section, "ENV") == 0) { 145 if (strcmp(section, "ENV") == 0) {
145 p = getenv(name); 146 if (issetugid() == 0)
147 p = getenv(name);
148 else
149 p = NULL;
146 if (p != NULL) 150 if (p != NULL)
147 return (p); 151 return (p);
148 } 152 }
@@ -154,8 +158,11 @@ _CONF_get_string(const CONF *conf, const char *section, const char *name)
154 return (v->value); 158 return (v->value);
155 else 159 else
156 return (NULL); 160 return (NULL);
157 } else 161 } else {
162 if (issetugid())
163 return (NULL);
158 return (getenv(name)); 164 return (getenv(name));
165 }
159} 166}
160 167
161#if 0 /* There's no way to provide error checking with this function, so 168#if 0 /* There's no way to provide error checking with this function, so
diff --git a/src/lib/libssl/src/crypto/conf/conf_mod.c b/src/lib/libssl/src/crypto/conf/conf_mod.c
index ae62f4abde..e58582a5ec 100644
--- a/src/lib/libssl/src/crypto/conf/conf_mod.c
+++ b/src/lib/libssl/src/crypto/conf/conf_mod.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: conf_mod.c,v 1.20 2014/06/12 15:49:28 deraadt Exp $ */ 1/* $OpenBSD: conf_mod.c,v 1.21 2014/06/23 22:19:02 deraadt Exp $ */
2/* Written by Stephen Henson (steve@openssl.org) for the OpenSSL 2/* Written by Stephen Henson (steve@openssl.org) for the OpenSSL
3 * project 2001. 3 * project 2001.
4 */ 4 */
@@ -541,9 +541,10 @@ CONF_module_set_usr_data(CONF_MODULE *pmod, void *usr_data)
541char * 541char *
542CONF_get1_default_config_file(void) 542CONF_get1_default_config_file(void)
543{ 543{
544 char *file; 544 char *file = NULL;
545 545
546 file = getenv("OPENSSL_CONF"); 546 if (issetugid() == 0)
547 file = getenv("OPENSSL_CONF");
547 if (file) 548 if (file)
548 return BUF_strdup(file); 549 return BUF_strdup(file);
549 if (asprintf(&file, "%s/openssl.cnf", 550 if (asprintf(&file, "%s/openssl.cnf",
diff --git a/src/lib/libssl/src/crypto/engine/eng_list.c b/src/lib/libssl/src/crypto/engine/eng_list.c
index 053767c646..22e2abb01d 100644
--- a/src/lib/libssl/src/crypto/engine/eng_list.c
+++ b/src/lib/libssl/src/crypto/engine/eng_list.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: eng_list.c,v 1.10 2014/06/22 12:15:53 jsing Exp $ */ 1/* $OpenBSD: eng_list.c,v 1.11 2014/06/23 22:19:02 deraadt Exp $ */
2/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL 2/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
3 * project 2000. 3 * project 2000.
4 */ 4 */
@@ -385,7 +385,8 @@ ENGINE_by_id(const char *id)
385 return iterator; 385 return iterator;
386 /* Prevent infinite recusrion if we're looking for the dynamic engine. */ 386 /* Prevent infinite recusrion if we're looking for the dynamic engine. */
387 if (strcmp(id, "dynamic")) { 387 if (strcmp(id, "dynamic")) {
388 if ((load_dir = getenv("OPENSSL_ENGINES")) == 0) 388 if (issetugid() == 0 ||
389 (load_dir = getenv("OPENSSL_ENGINES")) == 0)
389 load_dir = ENGINESDIR; 390 load_dir = ENGINESDIR;
390 iterator = ENGINE_by_id("dynamic"); 391 iterator = ENGINE_by_id("dynamic");
391 if (!iterator || 392 if (!iterator ||
diff --git a/src/lib/libssl/src/crypto/x509/by_dir.c b/src/lib/libssl/src/crypto/x509/by_dir.c
index 21ba0a7bc2..187eba4515 100644
--- a/src/lib/libssl/src/crypto/x509/by_dir.c
+++ b/src/lib/libssl/src/crypto/x509/by_dir.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: by_dir.c,v 1.27 2014/06/19 21:23:48 tedu Exp $ */ 1/* $OpenBSD: by_dir.c,v 1.28 2014/06/23 22:19:02 deraadt Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -132,7 +132,8 @@ dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
132 switch (cmd) { 132 switch (cmd) {
133 case X509_L_ADD_DIR: 133 case X509_L_ADD_DIR:
134 if (argl == X509_FILETYPE_DEFAULT) { 134 if (argl == X509_FILETYPE_DEFAULT) {
135 dir = (char *)getenv(X509_get_default_cert_dir_env()); 135 if (issetugid() == 0)
136 dir = getenv(X509_get_default_cert_dir_env());
136 if (dir) 137 if (dir)
137 ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM); 138 ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
138 else 139 else
diff --git a/src/lib/libssl/src/crypto/x509/by_file.c b/src/lib/libssl/src/crypto/x509/by_file.c
index ca010032eb..bb296e2a42 100644
--- a/src/lib/libssl/src/crypto/x509/by_file.c
+++ b/src/lib/libssl/src/crypto/x509/by_file.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: by_file.c,v 1.12 2014/06/12 15:49:31 deraadt Exp $ */ 1/* $OpenBSD: by_file.c,v 1.13 2014/06/23 22:19:02 deraadt Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -94,12 +94,13 @@ by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
94 char **ret) 94 char **ret)
95{ 95{
96 int ok = 0; 96 int ok = 0;
97 char *file; 97 char *file = NULL;
98 98
99 switch (cmd) { 99 switch (cmd) {
100 case X509_L_FILE_LOAD: 100 case X509_L_FILE_LOAD:
101 if (argl == X509_FILETYPE_DEFAULT) { 101 if (argl == X509_FILETYPE_DEFAULT) {
102 file = (char *)getenv(X509_get_default_cert_file_env()); 102 if (issetugid() == 0)
103 file = getenv(X509_get_default_cert_file_env());
103 if (file) 104 if (file)
104 ok = (X509_load_cert_crl_file(ctx, file, 105 ok = (X509_load_cert_crl_file(ctx, file,
105 X509_FILETYPE_PEM) != 0); 106 X509_FILETYPE_PEM) != 0);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-28 09:56:56 +0000