47 files changed, 281 insertions, 46 deletions

diff --git a/src/usr.bin/openssl/apps.h b/src/usr.bin/openssl/apps.h
index bb9fd0dd7a..4813fa35df 100644
--- a/src/usr.bin/openssl/apps.h
+++ b/src/usr.bin/openssl/apps.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: apps.h,v 1.16 2015/09/13 12:41:01 bcook Exp $ */
+/* $OpenBSD: apps.h,v 1.17 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -126,6 +126,9 @@
 #include <openssl/ocsp.h>
 #endif
 
+#include <unistd.h>
+extern int single_execution;
+
 extern CONF *config;
 extern char *default_config_file;
 extern BIO *bio_err;
diff --git a/src/usr.bin/openssl/asn1pars.c b/src/usr.bin/openssl/asn1pars.c
index da3bf761ce..2ce9d1a3ba 100644
--- a/src/usr.bin/openssl/asn1pars.c
+++ b/src/usr.bin/openssl/asn1pars.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1pars.c,v 1.4 2015/08/19 18:25:31 deraadt Exp $ */
+/* $OpenBSD: asn1pars.c,v 1.5 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -247,6 +247,11 @@ asn1parse_main(int argc, char **argv)
         BUF_MEM *buf = NULL;
         ASN1_TYPE *at = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&asn1pars_config, 0, sizeof(asn1pars_config));
 
         asn1pars_config.informat = FORMAT_PEM;
diff --git a/src/usr.bin/openssl/ca.c b/src/usr.bin/openssl/ca.c
index e32abcdf21..0b246aeb15 100644
--- a/src/usr.bin/openssl/ca.c
+++ b/src/usr.bin/openssl/ca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ca.c,v 1.16 2015/09/21 13:31:26 bcook Exp $ */
+/* $OpenBSD: ca.c,v 1.17 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -286,6 +286,11 @@ ca_main(int argc, char **argv)
         const char *errstr = NULL;
         DB_ATTR db_attr;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         conf = NULL;
         key = NULL;
         section = NULL;
diff --git a/src/usr.bin/openssl/certhash.c b/src/usr.bin/openssl/certhash.c
index 77e641cef5..bd0ac54ecf 100644
--- a/src/usr.bin/openssl/certhash.c
+++ b/src/usr.bin/openssl/certhash.c
@@ -649,6 +649,11 @@ certhash_main(int argc, char **argv)
         int argsused;
         int i, cwdfd, ret = 0;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&certhash_config, 0, sizeof(certhash_config));
 
         if (options_parse(argc, argv, certhash_options, NULL, &argsused) != 0) {
diff --git a/src/usr.bin/openssl/ciphers.c b/src/usr.bin/openssl/ciphers.c
index 18b8d3e4d9..caa40854ea 100644
--- a/src/usr.bin/openssl/ciphers.c
+++ b/src/usr.bin/openssl/ciphers.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ciphers.c,v 1.6 2015/08/19 18:25:31 deraadt Exp $ */
+/* $OpenBSD: ciphers.c,v 1.7 2015/10/10 22:28:51 doug Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -81,6 +81,11 @@ ciphers_main(int argc, char **argv)
         int i, rv = 0;
         char *desc;
 
+        if (single_execution) {
+                if (pledge("stdio rpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&ciphers_config, 0, sizeof(ciphers_config));
 
         if (options_parse(argc, argv, ciphers_options, &cipherlist,
diff --git a/src/usr.bin/openssl/cms.c b/src/usr.bin/openssl/cms.c
index fccac23db7..29429f53e0 100644
--- a/src/usr.bin/openssl/cms.c
+++ b/src/usr.bin/openssl/cms.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms.c,v 1.3 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: cms.c,v 1.4 2015/10/10 22:28:51 doug Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -135,6 +135,11 @@ cms_main(int argc, char **argv)
 
         X509_VERIFY_PARAM *vpm = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         args = argv + 1;
         ret = 1;
 
diff --git a/src/usr.bin/openssl/crl.c b/src/usr.bin/openssl/crl.c
index 4ab9e6c615..47173ec5ed 100644
--- a/src/usr.bin/openssl/crl.c
+++ b/src/usr.bin/openssl/crl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: crl.c,v 1.7 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: crl.c,v 1.8 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -230,6 +230,11 @@ crl_main(int argc, char **argv)
         const EVP_MD *digest;
         char *digest_name = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         if (bio_out == NULL) {
                 if ((bio_out = BIO_new(BIO_s_file())) != NULL) {
                         BIO_set_fp(bio_out, stdout, BIO_NOCLOSE);
diff --git a/src/usr.bin/openssl/crl2p7.c b/src/usr.bin/openssl/crl2p7.c
index 4df986d325..3935bd18e0 100644
--- a/src/usr.bin/openssl/crl2p7.c
+++ b/src/usr.bin/openssl/crl2p7.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: crl2p7.c,v 1.4 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: crl2p7.c,v 1.5 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -169,6 +169,11 @@ crl2pkcs7_main(int argc, char **argv)
         STACK_OF(X509) *cert_stack = NULL;
         int ret = 1;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&crl2p7_config, 0, sizeof(crl2p7_config));
 
         crl2p7_config.informat = FORMAT_PEM;
diff --git a/src/usr.bin/openssl/dgst.c b/src/usr.bin/openssl/dgst.c
index 94d98ac6a4..b4632eefa3 100644
--- a/src/usr.bin/openssl/dgst.c
+++ b/src/usr.bin/openssl/dgst.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dgst.c,v 1.6 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: dgst.c,v 1.7 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -123,6 +123,11 @@ dgst_main(int argc, char **argv)
         char *mac_name = NULL;
         STACK_OF(OPENSSL_STRING) * sigopts = NULL, *macopts = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         if ((buf = malloc(BUFSIZE)) == NULL) {
                 BIO_printf(bio_err, "out of memory\n");
                 goto end;
diff --git a/src/usr.bin/openssl/dh.c b/src/usr.bin/openssl/dh.c
index f4112e87c2..7e8d65d1f6 100644
--- a/src/usr.bin/openssl/dh.c
+++ b/src/usr.bin/openssl/dh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh.c,v 1.6 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: dh.c,v 1.7 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -158,6 +158,11 @@ dh_main(int argc, char **argv)
         BIO *in = NULL, *out = NULL;
         int ret = 1;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&dh_config, 0, sizeof(dh_config));
 
         dh_config.informat = FORMAT_PEM;
diff --git a/src/usr.bin/openssl/dhparam.c b/src/usr.bin/openssl/dhparam.c
index 158a07a572..55b75663b3 100644
--- a/src/usr.bin/openssl/dhparam.c
+++ b/src/usr.bin/openssl/dhparam.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dhparam.c,v 1.6 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: dhparam.c,v 1.7 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -243,6 +243,11 @@ dhparam_main(int argc, char **argv)
         int ret = 1;
         int i;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&dhparam_config, 0, sizeof(dhparam_config));
 
         dhparam_config.informat = FORMAT_PEM;
diff --git a/src/usr.bin/openssl/dsa.c b/src/usr.bin/openssl/dsa.c
index 813e163662..2c4feea0d5 100644
--- a/src/usr.bin/openssl/dsa.c
+++ b/src/usr.bin/openssl/dsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: dsa.c,v 1.6 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -240,6 +240,11 @@ dsa_main(int argc, char **argv)
         BIO *in = NULL, *out = NULL;
         char *passin = NULL, *passout = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&dsa_config, 0, sizeof(dsa_config));
 
         dsa_config.pvk_encr = 2;
diff --git a/src/usr.bin/openssl/dsaparam.c b/src/usr.bin/openssl/dsaparam.c
index 0cdd5c1d51..73249498fc 100644
--- a/src/usr.bin/openssl/dsaparam.c
+++ b/src/usr.bin/openssl/dsaparam.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsaparam.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: dsaparam.c,v 1.6 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -168,6 +168,11 @@ dsaparam_main(int argc, char **argv)
         int numbits = -1;
         char *strbits = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&dsaparam_config, 0, sizeof(dsaparam_config));
 
         dsaparam_config.informat = FORMAT_PEM;
diff --git a/src/usr.bin/openssl/ec.c b/src/usr.bin/openssl/ec.c
index d5fe68f0d8..b4e2fe1daa 100644
--- a/src/usr.bin/openssl/ec.c
+++ b/src/usr.bin/openssl/ec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: ec.c,v 1.6 2015/10/10 22:28:51 doug Exp $ */
 /*
  * Written by Nils Larsch for the OpenSSL project.
  */
@@ -277,6 +277,11 @@ ec_main(int argc, char **argv)
         BIO *in = NULL, *out = NULL;
         char *passin = NULL, *passout = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&ec_config, 0, sizeof(ec_config));
 
         ec_config.asn1_flag = OPENSSL_EC_NAMED_CURVE;
diff --git a/src/usr.bin/openssl/ecparam.c b/src/usr.bin/openssl/ecparam.c
index 6adac863d5..bd0c5b8cc0 100644
--- a/src/usr.bin/openssl/ecparam.c
+++ b/src/usr.bin/openssl/ecparam.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecparam.c,v 1.13 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: ecparam.c,v 1.14 2015/10/10 22:28:51 doug Exp $ */
 /*
  * Written by Nils Larsch for the OpenSSL project.
  */
@@ -259,6 +259,11 @@ ecparam_main(int argc, char **argv)
         BIO *in = NULL, *out = NULL;
         int i, ret = 1;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&ecparam_config, 0, sizeof(ecparam_config));
         ecparam_config.asn1_flag = OPENSSL_EC_NAMED_CURVE;
         ecparam_config.form = POINT_CONVERSION_UNCOMPRESSED;
diff --git a/src/usr.bin/openssl/enc.c b/src/usr.bin/openssl/enc.c
index 6eb804fd49..d7103823d3 100644
--- a/src/usr.bin/openssl/enc.c
+++ b/src/usr.bin/openssl/enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: enc.c,v 1.7 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: enc.c,v 1.8 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -338,6 +338,11 @@ enc_main(int argc, char **argv)
         char pname[PROG_NAME_SIZE + 1];
         int i;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&enc_config, 0, sizeof(enc_config));
         enc_config.enc = 1;
 
diff --git a/src/usr.bin/openssl/errstr.c b/src/usr.bin/openssl/errstr.c
index 9cf7bfba4b..7bd97d99b0 100644
--- a/src/usr.bin/openssl/errstr.c
+++ b/src/usr.bin/openssl/errstr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: errstr.c,v 1.4 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: errstr.c,v 1.5 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -98,6 +98,11 @@ errstr_main(int argc, char **argv)
         char buf[256];
         int ret = 0;
 
+        if (single_execution) {
+                if (pledge("stdio rpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&errstr_config, 0, sizeof(errstr_config));
 
         if (options_parse(argc, argv, errstr_options, NULL, &argsused) != 0) {
diff --git a/src/usr.bin/openssl/gendh.c b/src/usr.bin/openssl/gendh.c
index 208906e24c..ceea237be1 100644
--- a/src/usr.bin/openssl/gendh.c
+++ b/src/usr.bin/openssl/gendh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gendh.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: gendh.c,v 1.6 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -134,6 +134,11 @@ gendh_main(int argc, char **argv)
         BIO *out = NULL;
         char *strbits = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         BN_GENCB_set(&cb, dh_cb, bio_err);
 
         memset(&gendh_config, 0, sizeof(gendh_config));
diff --git a/src/usr.bin/openssl/gendsa.c b/src/usr.bin/openssl/gendsa.c
index ee2d6ba1b6..002380a1b9 100644
--- a/src/usr.bin/openssl/gendsa.c
+++ b/src/usr.bin/openssl/gendsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gendsa.c,v 1.4 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: gendsa.c,v 1.5 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -85,6 +85,11 @@ gendsa_main(int argc, char **argv)
         BIO *out = NULL, *in = NULL;
         const EVP_CIPHER *enc = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         argv++;
         argc--;
         for (;;) {
diff --git a/src/usr.bin/openssl/genpkey.c b/src/usr.bin/openssl/genpkey.c
index d76e2febd8..4d11bc3c33 100644
--- a/src/usr.bin/openssl/genpkey.c
+++ b/src/usr.bin/openssl/genpkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: genpkey.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: genpkey.c,v 1.6 2015/10/10 22:28:51 doug Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006
  */
@@ -86,6 +86,11 @@ genpkey_main(int argc, char **argv)
 
         int do_param = 0;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         outformat = FORMAT_PEM;
 
         args = argv + 1;
diff --git a/src/usr.bin/openssl/genrsa.c b/src/usr.bin/openssl/genrsa.c
index 9f78f0d65d..1ca8713ed2 100644
--- a/src/usr.bin/openssl/genrsa.c
+++ b/src/usr.bin/openssl/genrsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: genrsa.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: genrsa.c,v 1.6 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -100,6 +100,11 @@ genrsa_main(int argc, char **argv)
         BIGNUM *bn = BN_new();
         RSA *rsa = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         if (!bn)
                 goto err;
 
diff --git a/src/usr.bin/openssl/nseq.c b/src/usr.bin/openssl/nseq.c
index b73f512aee..15df3ffd40 100644
--- a/src/usr.bin/openssl/nseq.c
+++ b/src/usr.bin/openssl/nseq.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: nseq.c,v 1.4 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: nseq.c,v 1.5 2015/10/10 22:28:51 doug Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -109,6 +109,11 @@ nseq_main(int argc, char **argv)
         NETSCAPE_CERT_SEQUENCE *seq = NULL;
         int i, ret = 1;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&nseq_config, 0, sizeof(nseq_config));
 
         if (options_parse(argc, argv, nseq_options, NULL, NULL) != 0) {
diff --git a/src/usr.bin/openssl/ocsp.c b/src/usr.bin/openssl/ocsp.c
index 3a6ac36b1e..c3b1b168ba 100644
--- a/src/usr.bin/openssl/ocsp.c
+++ b/src/usr.bin/openssl/ocsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp.c,v 1.5 2015/10/03 03:39:19 deraadt Exp $ */
+/* $OpenBSD: ocsp.c,v 1.6 2015/10/10 22:28:51 doug Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -146,6 +146,11 @@ ocsp_main(int argc, char **argv)
         const EVP_MD *cert_id_md = NULL;
         const char *errstr = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio inet rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         args = argv + 1;
         reqnames = sk_OPENSSL_STRING_new_null();
         ids = sk_OCSP_CERTID_new_null();
diff --git a/src/usr.bin/openssl/openssl.c b/src/usr.bin/openssl/openssl.c
index 9db7e5b4eb..e842d6cc65 100644
--- a/src/usr.bin/openssl/openssl.c
+++ b/src/usr.bin/openssl/openssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: openssl.c,v 1.16 2015/10/10 20:18:30 deraadt Exp $ */
+/* $OpenBSD: openssl.c,v 1.17 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -137,6 +137,8 @@
 #define FUNC_TYPE_MD_ALG        5
 #define FUNC_TYPE_CIPHER_ALG    6
 
+int single_execution = 0;
+
 typedef struct {
         int type;
         const char *name;
@@ -499,6 +501,8 @@ main(int argc, char **argv)
         fp = lh_FUNCTION_retrieve(prog, &f);
         if (fp != NULL) {
                 argv[0] = pname;
+
+                single_execution = 1;
                 ret = fp->func(argc, argv);
                 goto end;
         }
@@ -509,6 +513,8 @@ main(int argc, char **argv)
         if (argc != 1) {
                 argc--;
                 argv++;
+
+                single_execution = 1;
                 ret = do_cmd(prog, argc, argv);
                 if (ret < 0)
                         ret = 0;
diff --git a/src/usr.bin/openssl/passwd.c b/src/usr.bin/openssl/passwd.c
index b6285649e7..58fc5ecb4b 100644
--- a/src/usr.bin/openssl/passwd.c
+++ b/src/usr.bin/openssl/passwd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: passwd.c,v 1.4 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: passwd.c,v 1.5 2015/10/10 22:28:51 doug Exp $ */
 
 #if defined OPENSSL_NO_MD5
 #define NO_MD5CRYPT_1
@@ -145,6 +145,11 @@ passwd_main(int argc, char **argv)
         int argsused;
         int ret = 1;
 
+        if (single_execution) {
+                if (pledge("stdio rpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&passwd_config, 0, sizeof(passwd_config));
 
         if (options_parse(argc, argv, passwd_options, NULL, &argsused) != 0) {
diff --git a/src/usr.bin/openssl/pkcs12.c b/src/usr.bin/openssl/pkcs12.c
index eaa7bcceac..f8d8cc6115 100644
--- a/src/usr.bin/openssl/pkcs12.c
+++ b/src/usr.bin/openssl/pkcs12.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkcs12.c,v 1.4 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: pkcs12.c,v 1.5 2015/10/10 22:28:51 doug Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -124,6 +124,11 @@ pkcs12_main(int argc, char **argv)
         char *macalg = NULL;
         char *CApath = NULL, *CAfile = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
 
         enc = EVP_des_ede3_cbc();
diff --git a/src/usr.bin/openssl/pkcs7.c b/src/usr.bin/openssl/pkcs7.c
index 717928d27b..c29a9c8df2 100644
--- a/src/usr.bin/openssl/pkcs7.c
+++ b/src/usr.bin/openssl/pkcs7.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkcs7.c,v 1.6 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: pkcs7.c,v 1.7 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -154,6 +154,11 @@ pkcs7_main(int argc, char **argv)
         int ret = 1;
         int i;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&pkcs7_config, 0, sizeof(pkcs7_config));
 
         pkcs7_config.informat = FORMAT_PEM;
diff --git a/src/usr.bin/openssl/pkcs8.c b/src/usr.bin/openssl/pkcs8.c
index b3ccd1966e..4ac2af012a 100644
--- a/src/usr.bin/openssl/pkcs8.c
+++ b/src/usr.bin/openssl/pkcs8.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkcs8.c,v 1.6 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: pkcs8.c,v 1.7 2015/10/10 22:28:51 doug Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999-2004.
  */
@@ -226,6 +226,11 @@ pkcs8_main(int argc, char **argv)
         char pass[50], *passin = NULL, *passout = NULL, *p8pass = NULL;
         int ret = 1;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&pkcs8_config, 0, sizeof(pkcs8_config));
 
         pkcs8_config.iter = PKCS12_DEFAULT_ITER;
diff --git a/src/usr.bin/openssl/pkey.c b/src/usr.bin/openssl/pkey.c
index 72c03181f6..d1ddf5a929 100644
--- a/src/usr.bin/openssl/pkey.c
+++ b/src/usr.bin/openssl/pkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkey.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: pkey.c,v 1.6 2015/10/10 22:28:51 doug Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006
  */
@@ -79,6 +79,11 @@ pkey_main(int argc, char **argv)
         int badarg = 0;
         int ret = 1;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         informat = FORMAT_PEM;
         outformat = FORMAT_PEM;
 
diff --git a/src/usr.bin/openssl/pkeyparam.c b/src/usr.bin/openssl/pkeyparam.c
index 8f4d3a53f4..cb40fbb3ed 100644
--- a/src/usr.bin/openssl/pkeyparam.c
+++ b/src/usr.bin/openssl/pkeyparam.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkeyparam.c,v 1.7 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: pkeyparam.c,v 1.8 2015/10/10 22:28:51 doug Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006
  */
@@ -118,6 +118,11 @@ pkeyparam_main(int argc, char **argv)
         EVP_PKEY *pkey = NULL;
         int ret = 1;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&pkeyparam_config, 0, sizeof(pkeyparam_config));
 
         if (options_parse(argc, argv, pkeyparam_options, NULL, NULL) != 0) {
diff --git a/src/usr.bin/openssl/pkeyutl.c b/src/usr.bin/openssl/pkeyutl.c
index 2caa61e282..64d1f90f50 100644
--- a/src/usr.bin/openssl/pkeyutl.c
+++ b/src/usr.bin/openssl/pkeyutl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkeyutl.c,v 1.7 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: pkeyutl.c,v 1.8 2015/10/10 22:28:51 doug Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
@@ -100,6 +100,11 @@ pkeyutl_main(int argc, char **argv)
 
         int ret = 1, rv = -1;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         argc--;
         argv++;
 
diff --git a/src/usr.bin/openssl/prime.c b/src/usr.bin/openssl/prime.c
index 55fac455e9..13398b01b0 100644
--- a/src/usr.bin/openssl/prime.c
+++ b/src/usr.bin/openssl/prime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: prime.c,v 1.8 2015/09/12 15:04:06 lteo Exp $ */
+/* $OpenBSD: prime.c,v 1.9 2015/10/10 22:28:51 doug Exp $ */
 /* ====================================================================
  * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
  *
@@ -118,6 +118,11 @@ prime_main(int argc, char **argv)
         char *s;
         int ret = 1;
 
+        if (single_execution) {
+                if (pledge("stdio rpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&prime_config, 0, sizeof(prime_config));
 
         /* Default iterations for Miller-Rabin probabilistic primality test. */
diff --git a/src/usr.bin/openssl/rand.c b/src/usr.bin/openssl/rand.c
index b0df4eb1b5..2377c6e72b 100644
--- a/src/usr.bin/openssl/rand.c
+++ b/src/usr.bin/openssl/rand.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rand.c,v 1.8 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: rand.c,v 1.9 2015/10/10 22:28:51 doug Exp $ */
 /* ====================================================================
  * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
  *
@@ -109,6 +109,11 @@ rand_main(int argc, char **argv)
         int i, r;
         BIO *out = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&rand_config, 0, sizeof(rand_config));
 
         if (options_parse(argc, argv, rand_options, &num_bytes, NULL) != 0) {
diff --git a/src/usr.bin/openssl/req.c b/src/usr.bin/openssl/req.c
index c7256ae59a..032944b233 100644
--- a/src/usr.bin/openssl/req.c
+++ b/src/usr.bin/openssl/req.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: req.c,v 1.9 2015/09/14 01:45:03 doug Exp $ */
+/* $OpenBSD: req.c,v 1.10 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -176,6 +176,11 @@ req_main(int argc, char **argv)
         const EVP_MD *md_alg = NULL, *digest = NULL;
         unsigned long chtype = MBSTRING_ASC;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         req_conf = NULL;
         cipher = EVP_aes_256_cbc();
         digest = EVP_sha256();
diff --git a/src/usr.bin/openssl/rsa.c b/src/usr.bin/openssl/rsa.c
index 708332a8d1..a5737605fe 100644
--- a/src/usr.bin/openssl/rsa.c
+++ b/src/usr.bin/openssl/rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: rsa.c,v 1.6 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -268,6 +268,11 @@ rsa_main(int argc, char **argv)
         BIO *out = NULL;
         char *passin = NULL, *passout = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&rsa_config, 0, sizeof(rsa_config));
         rsa_config.pvk_encr = 2;
         rsa_config.informat = FORMAT_PEM;
diff --git a/src/usr.bin/openssl/rsautl.c b/src/usr.bin/openssl/rsautl.c
index 2e9793297b..92dceff8a1 100644
--- a/src/usr.bin/openssl/rsautl.c
+++ b/src/usr.bin/openssl/rsautl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsautl.c,v 1.7 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: rsautl.c,v 1.8 2015/10/10 22:28:51 doug Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -98,6 +98,11 @@ rsautl_main(int argc, char **argv)
 
         int ret = 1;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         argc--;
         argv++;
 
diff --git a/src/usr.bin/openssl/s_client.c b/src/usr.bin/openssl/s_client.c
index 6d250f177f..63f30389c4 100644
--- a/src/usr.bin/openssl/s_client.c
+++ b/src/usr.bin/openssl/s_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_client.c,v 1.20 2015/10/06 03:29:49 deraadt Exp $ */
+/* $OpenBSD: s_client.c,v 1.21 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -364,6 +364,11 @@ s_client_main(int argc, char **argv)
         int enable_timeouts = 0;
         long socket_mtu = 0;
 
+        if (single_execution) {
+                if (pledge("stdio inet rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         meth = SSLv23_client_method();
 
         c_Pause = 0;
diff --git a/src/usr.bin/openssl/s_server.c b/src/usr.bin/openssl/s_server.c
index 11e9814135..198508398b 100644
--- a/src/usr.bin/openssl/s_server.c
+++ b/src/usr.bin/openssl/s_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_server.c,v 1.19 2015/10/06 03:29:49 deraadt Exp $ */
+/* $OpenBSD: s_server.c,v 1.20 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -603,6 +603,12 @@ s_server_main(int argc, char *argv[])
         tlsextnextprotoctx next_proto = { NULL, 0 };
         const char *alpn_in = NULL;
         tlsextalpnctx alpn_ctx = { NULL, 0 };
+
+        if (single_execution) {
+                if (pledge("stdio inet rpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         meth = SSLv23_server_method();
 
         local_argc = argc;
diff --git a/src/usr.bin/openssl/s_time.c b/src/usr.bin/openssl/s_time.c
index c102726b7e..417ff81f3f 100644
--- a/src/usr.bin/openssl/s_time.c
+++ b/src/usr.bin/openssl/s_time.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_time.c,v 1.12 2015/09/11 14:43:57 lteo Exp $ */
+/* $OpenBSD: s_time.c,v 1.13 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -258,6 +258,11 @@ s_time_main(int argc, char **argv)
         char buf[1024 * 8];
         int ver;
 
+        if (single_execution) {
+                if (pledge("stdio inet rpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         s_time_meth = SSLv23_client_method();
 
         verify_depth = 0;
diff --git a/src/usr.bin/openssl/sess_id.c b/src/usr.bin/openssl/sess_id.c
index d7f3339509..7bf14adbea 100644
--- a/src/usr.bin/openssl/sess_id.c
+++ b/src/usr.bin/openssl/sess_id.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sess_id.c,v 1.5 2015/08/19 18:25:31 deraadt Exp $ */
+/* $OpenBSD: sess_id.c,v 1.6 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -158,6 +158,11 @@ sess_id_main(int argc, char **argv)
         int ret = 1, i;
         BIO *out = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&sess_id_config, 0, sizeof(sess_id_config));
 
         sess_id_config.informat = FORMAT_PEM;
diff --git a/src/usr.bin/openssl/smime.c b/src/usr.bin/openssl/smime.c
index d981335179..fee7c71e76 100644
--- a/src/usr.bin/openssl/smime.c
+++ b/src/usr.bin/openssl/smime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: smime.c,v 1.4 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: smime.c,v 1.5 2015/10/10 22:28:51 doug Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -112,6 +112,11 @@ smime_main(int argc, char **argv)
 
         X509_VERIFY_PARAM *vpm = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         args = argv + 1;
         ret = 1;
 
diff --git a/src/usr.bin/openssl/speed.c b/src/usr.bin/openssl/speed.c
index 1657a43c02..cc555afe8c 100644
--- a/src/usr.bin/openssl/speed.c
+++ b/src/usr.bin/openssl/speed.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: speed.c,v 1.16 2015/09/20 13:39:13 miod Exp $ */
+/* $OpenBSD: speed.c,v 1.17 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -469,6 +469,11 @@ speed_main(int argc, char **argv)
         int multi = 0;
         const char *errstr = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio proc", NULL) == -1)
+                        perror("pledge");
+        }
+
         usertime = -1;
 
         memset(results, 0, sizeof(results));
diff --git a/src/usr.bin/openssl/spkac.c b/src/usr.bin/openssl/spkac.c
index b635b5e3b2..1c8b7073d8 100644
--- a/src/usr.bin/openssl/spkac.c
+++ b/src/usr.bin/openssl/spkac.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: spkac.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: spkac.c,v 1.6 2015/10/10 22:28:51 doug Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999. Based on an original idea by Massimiliano Pala
  * (madwolf@openca.org).
@@ -181,6 +181,11 @@ spkac_main(int argc, char **argv)
         NETSCAPE_SPKI *spki = NULL;
         EVP_PKEY *pkey = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&spkac_config, 0, sizeof(spkac_config));
         spkac_config.spkac = "SPKAC";
         spkac_config.spksect = "default";
diff --git a/src/usr.bin/openssl/ts.c b/src/usr.bin/openssl/ts.c
index 93d258d583..04ff60ae48 100644
--- a/src/usr.bin/openssl/ts.c
+++ b/src/usr.bin/openssl/ts.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts.c,v 1.10 2015/09/21 13:13:06 bcook Exp $ */
+/* $OpenBSD: ts.c,v 1.11 2015/10/10 22:28:51 doug Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2002.
  */
@@ -149,6 +149,11 @@ ts_main(int argc, char **argv)
         /* Output is ContentInfo instead of TimeStampResp. */
         int token_out = 0;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         for (argc--, argv++; argc > 0; argc--, argv++) {
                 if (strcmp(*argv, "-config") == 0) {
                         if (argc-- < 1)
diff --git a/src/usr.bin/openssl/verify.c b/src/usr.bin/openssl/verify.c
index 62ca63f01b..4975ad5b6e 100644
--- a/src/usr.bin/openssl/verify.c
+++ b/src/usr.bin/openssl/verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: verify.c,v 1.4 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: verify.c,v 1.5 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -85,6 +85,11 @@ verify_main(int argc, char **argv)
         X509_LOOKUP *lookup = NULL;
         X509_VERIFY_PARAM *vpm = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         cert_ctx = X509_STORE_new();
         if (cert_ctx == NULL)
                 goto end;
diff --git a/src/usr.bin/openssl/version.c b/src/usr.bin/openssl/version.c
index f47369df9d..e096f89969 100644
--- a/src/usr.bin/openssl/version.c
+++ b/src/usr.bin/openssl/version.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: version.c,v 1.6 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: version.c,v 1.7 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -213,6 +213,11 @@ version_usage(void)
 int
 version_main(int argc, char **argv)
 {
+        if (single_execution) {
+                if (pledge("stdio", NULL) == -1)
+                        perror("pledge");
+        }
+
         memset(&version_config, 0, sizeof(version_config));
 
         if (options_parse(argc, argv, version_options, NULL, NULL) != 0) {
diff --git a/src/usr.bin/openssl/x509.c b/src/usr.bin/openssl/x509.c
index ec592c29d7..07c28789d3 100644
--- a/src/usr.bin/openssl/x509.c
+++ b/src/usr.bin/openssl/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.9 2015/10/01 06:31:21 jsing Exp $ */
+/* $OpenBSD: x509.c,v 1.10 2015/10/10 22:28:51 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -198,6 +198,11 @@ x509_main(int argc, char **argv)
         unsigned long nmflag = 0, certflag = 0;
         const char *errstr = NULL;
 
+        if (single_execution) {
+                if (pledge("stdio rpath wpath cpath", NULL) == -1)
+                        perror("pledge");
+        }
+
         reqfile = 0;
 
         STDout = BIO_new_fp(stdout, BIO_NOCLOSE);