From f3315ef2b941ac47909f427a6db39ed51459e3b0 Mon Sep 17 00:00:00 2001 From: deraadt <> Date: Tue, 2 Jan 2001 23:03:49 +0000 Subject: do not honour environment variables if issetugid, and even more strongly support the random device --- src/lib/libcrypto/rand/randfile.c | 34 +++++++++++++++--------------- src/lib/libcrypto/threads/mttest.c | 3 ++- src/lib/libssl/src/crypto/rand/randfile.c | 34 +++++++++++++++--------------- src/lib/libssl/src/crypto/threads/mttest.c | 3 ++- 4 files changed, 38 insertions(+), 36 deletions(-) diff --git a/src/lib/libcrypto/rand/randfile.c b/src/lib/libcrypto/rand/randfile.c index 29718bdb9d..8e993360fa 100644 --- a/src/lib/libcrypto/rand/randfile.c +++ b/src/lib/libcrypto/rand/randfile.c @@ -215,34 +215,32 @@ err: const char *RAND_file_name(char *buf, int size) { - char *s; + char *s = NULL; char *ret=NULL; struct stat sb; - s=getenv("RANDFILE"); - if (s != NULL) + if (issetugid() == 0) + s = getenv("RANDFILE"); + if (s != NULL && *s && strlen(s) < size) { - strncpy(buf,s,size-1); - buf[size-1]='\0'; + strlcpy(buf,s,size); ret=buf; } else { - s=getenv("HOME"); - if (s == NULL || *s == '\0') - ret = RFILE; - if (((int)(strlen(s)+strlen(RFILE)+2)) > size) - ret=RFILE; - else + if (issetugid() == 0) + s=getenv("HOME"); + if (s && *s && strlen(s)+strlen(RFILE)+2 < size) { - strlcpy(buf,s,size); + strlcpy(buf,s,size); #ifndef VMS - strcat(buf,"/"); + strcat(buf,"/"); #endif - strlcat(buf,RFILE,size); - ret=buf; + strlcat(buf,RFILE,size); + ret=buf; } } + #ifdef DEVRANDOM /* given that all random loads just fail if the file can't be * seen on a stat, we stat the file we're returning, if it @@ -251,9 +249,11 @@ const char *RAND_file_name(char *buf, int size) * to something hopefully decent if that isn't available. */ + if (ret == NULL) + ret = DEVRANDOM; + if (stat(ret,&sb) == -1) - ret = DEVRANDOM; + ret = DEVRANDOM; #endif return(ret); } - 
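Review bot: In `RAND_file_name`, the new guard `strlen(s) < size` compares a `size_t` against the `int` parameter `size`, so a negative `size` is converted to a very large unsigned value and the test passes. The same converted value is then used as the bound in `strlcpy(buf,s,size)`; the HOME branch check `strlen(s)+strlen(RFILE)+2 < size` has the same mixed-sign comparison, where the removed code cast the sum to `int`. Callers are not visible in this diff, so a negative size may never occur, but I would reject it explicitly and compare in one type: `if (s != NULL && *s && size > 0 && strlen(s) < (size_t)size)`. The identical hunk for `src/lib/libssl/src/crypto/rand/randfile.c` needs the same change; the function body continues past the end of this hunk.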
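Review bot: The added `if (ret == NULL) ret = DEVRANDOM;` sits inside `#ifdef DEVRANDOM`, so a build without that macro can now reach `return(ret)` with `ret` still NULL. That happens whenever the process is setugid or neither `RANDFILE` nor `HOME` gives a path that fits, whereas the removed code fell back to `RFILE`. Callers are outside this diff, so whether they check for NULL is unconfirmed; if this tree always defines `DEVRANDOM` the path is unreachable, but the contract should still be stated. I would add above the function `/* Returns NULL if no usable path exists and DEVRANDOM is undefined; RANDFILE and HOME are ignored when issetugid() is true. */`, or keep an `#else` fallback of `if (ret == NULL) ret = RFILE;`. The function starts in the previous hunk, and the same applies to the copy under `src/lib/libssl/src/crypto/rand/randfile.c`.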
diff --git a/src/lib/libcrypto/threads/mttest.c b/src/lib/libcrypto/threads/mttest.c index 100165948c..019add4d9c 100644 --- a/src/lib/libcrypto/threads/mttest.c +++ b/src/lib/libcrypto/threads/mttest.c @@ -248,7 +248,8 @@ bad: goto end; } - if (cipher == NULL) cipher=getenv("SSL_CIPHER"); + if (cipher == NULL && issetugid() == 0) + cipher=getenv("SSL_CIPHER"); SSL_load_error_strings(); OpenSSL_add_ssl_algorithms(); diff --git a/src/lib/libssl/src/crypto/rand/randfile.c b/src/lib/libssl/src/crypto/rand/randfile.c index 29718bdb9d..8e993360fa 100644 --- a/src/lib/libssl/src/crypto/rand/randfile.c +++ b/src/lib/libssl/src/crypto/rand/randfile.c @@ -215,34 +215,32 @@ err: const char *RAND_file_name(char *buf, int size) { - char *s; + char *s = NULL; char *ret=NULL; struct stat sb; - s=getenv("RANDFILE"); - if (s != NULL) + if (issetugid() == 0) + s = getenv("RANDFILE"); + if (s != NULL && *s && strlen(s) < size) { - strncpy(buf,s,size-1); - buf[size-1]='\0'; + strlcpy(buf,s,size); ret=buf; } else { - s=getenv("HOME"); - if (s == NULL || *s == '\0') - ret = RFILE; - if (((int)(strlen(s)+strlen(RFILE)+2)) > size) - ret=RFILE; - else + if (issetugid() == 0) + s=getenv("HOME"); + if (s && *s && strlen(s)+strlen(RFILE)+2 < size) { - strlcpy(buf,s,size); + strlcpy(buf,s,size); #ifndef VMS - strcat(buf,"/"); + strcat(buf,"/"); #endif - strlcat(buf,RFILE,size); - ret=buf; + strlcat(buf,RFILE,size); + ret=buf; } } + #ifdef DEVRANDOM /* given that all random loads just fail if the file can't be * seen on a stat, we stat the file we're returning, if it @@ -251,9 +249,11 @@ const char *RAND_file_name(char *buf, int size) * to something hopefully decent if that isn't available. */ + if (ret == NULL) + ret = DEVRANDOM; + if (stat(ret,&sb) == -1) - ret = DEVRANDOM; + ret = DEVRANDOM; #endif return(ret); } - diff --git a/src/lib/libssl/src/crypto/threads/mttest.c b/src/lib/libssl/src/crypto/threads/mttest.c index 100165948c..019add4d9c 100644 
--- a/src/lib/libssl/src/crypto/threads/mttest.c +++ b/src/lib/libssl/src/crypto/threads/mttest.c @@ -248,7 +248,8 @@ bad: goto end; } - if (cipher == NULL) cipher=getenv("SSL_CIPHER"); + if (cipher == NULL && issetugid() == 0) + cipher=getenv("SSL_CIPHER"); SSL_load_error_strings(); OpenSSL_add_ssl_algorithms(); -- cgit v1.2.3-55-g6feb