[openssl-commits] [openssl] master update

bernd.edlinger at hotmail.de bernd.edlinger at hotmail.de
Wed Apr 4 12:47:15 UTC 2018


The branch master has been updated
       via  284f4f6b70998b2b46dc74c3003c82cb1db0e742 (commit)
      from  dc55e4f70f401c5869410d6a0c068c18c3fd53ec (commit)


- Log -----------------------------------------------------------------
commit 284f4f6b70998b2b46dc74c3003c82cb1db0e742
Author: Bernd Edlinger <bernd.edlinger at hotmail.de>
Date:   Wed Apr 4 14:45:49 2018 +0200

    Don't use getenv for critical functions when run as setuid/setgid
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/5856)

-----------------------------------------------------------------------

Summary of changes:
 CHANGES                     |  4 ++++
 crypto/conf/conf_mod.c      |  8 +++++---
 crypto/engine/eng_list.c    |  3 ++-
 doc/man3/ENGINE_add.pod     |  1 +
 doc/man3/OPENSSL_config.pod | 11 +++++++++++
 doc/man5/config.pod         | 16 ++++++++++++++++
 6 files changed, 39 insertions(+), 4 deletions(-)

diff --git a/CHANGES b/CHANGES
index b4d0329..40b5823 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,10 @@
 
  Changes between 1.1.0h and 1.1.1 [xx XXX xxxx]
 
+  *) Don't use OPENSSL_ENGINES and OPENSSL_CONF environment values
+     in libcrypto when run as setuid/setgid.
+     [Bernd Edlinger]
+
   *) Added new public header file <openssl/rand_drbg.h> and documentation
      for the RAND_DRBG API. See manual page RAND_DRBG(7) for an overview.
      [Matthias St. Pierre]
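Review bot: in the added CHANGES entry, "environment values" should read "environment variables", and the entry does not say what libcrypto uses in their place. Suggest wording along the lines of "Ignore the OPENSSL_ENGINES and OPENSSL_CONF environment variables in libcrypto when run as setuid/setgid; the default locations are used instead."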
diff --git a/crypto/conf/conf_mod.c b/crypto/conf/conf_mod.c
index 99f0fcc..4a848b8 100644
--- a/crypto/conf/conf_mod.c
+++ b/crypto/conf/conf_mod.c
@@ -480,9 +480,11 @@ char *CONF_get1_default_config_file(void)
     char *file, *sep = "";
     int len;
 
-    file = getenv("OPENSSL_CONF");
-    if (file)
-        return OPENSSL_strdup(file);
+    if (!OPENSSL_issetugid()) {
+        file = getenv("OPENSSL_CONF");
+        if (file)
+            return OPENSSL_strdup(file);
+    }
 
     len = strlen(X509_get_default_cert_area());
 #ifndef OPENSSL_SYS_VMS
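Review bot: the new OPENSSL_issetugid() guard around getenv("OPENSSL_CONF") carries no comment saying why the variable is skipped, and the same check-then-getenv pattern is open-coded a second time in crypto/engine/eng_list.c. A one-line comment here, or a small shared helper that returns NULL for set-user-ID/set-group-ID processes and calls getenv() otherwise, would keep the two call sites consistent and make it harder for a later getenv() of a path variable to miss the check.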
diff --git a/crypto/engine/eng_list.c b/crypto/engine/eng_list.c
index bfd91e2..4bc7ea1 100644
--- a/crypto/engine/eng_list.c
+++ b/crypto/engine/eng_list.c
@@ -317,7 +317,8 @@ ENGINE *ENGINE_by_id(const char *id)
      * Prevent infinite recursion if we're looking for the dynamic engine.
      */
     if (strcmp(id, "dynamic")) {
-        if ((load_dir = getenv("OPENSSL_ENGINES")) == NULL)
+        if (OPENSSL_issetugid()
+                || (load_dir = getenv("OPENSSL_ENGINES")) == NULL)
             load_dir = ENGINESDIR;
         iterator = ENGINE_by_id("dynamic");
         if (!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) ||
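Review bot: in the rewritten condition, load_dir is assigned as a side effect of the second operand of ||, so the result depends on short-circuit evaluation: when OPENSSL_issetugid() is true, getenv() is never called and load_dir is set only by the body. That is correct as written but easy to break in a later edit. Consider setting load_dir = ENGINESDIR first and overriding it from getenv("OPENSSL_ENGINES") only when OPENSSL_issetugid() returns 0 and the variable is set.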
diff --git a/doc/man3/ENGINE_add.pod b/doc/man3/ENGINE_add.pod
index b009949..a2fc299 100644
--- a/doc/man3/ENGINE_add.pod
+++ b/doc/man3/ENGINE_add.pod
@@ -568,6 +568,7 @@ extension).
 =item B<OPENSSL_ENGINES>
 
 The path to the engines directory.
+Ignored in set-user-ID and set-group-ID programs.
 
 =back
 
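Review bot: the sentence added under OPENSSL_ENGINES says the variable is ignored but not what is used in its place. Since ENGINE_by_id() falls back to the compiled-in ENGINESDIR in that case, suggest "Ignored in set-user-ID and set-group-ID programs, where the default engines directory is always used."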
diff --git a/doc/man3/OPENSSL_config.pod b/doc/man3/OPENSSL_config.pod
index e70fcd5..ac686e6 100644
--- a/doc/man3/OPENSSL_config.pod
+++ b/doc/man3/OPENSSL_config.pod
@@ -48,6 +48,17 @@ application calls OPENSSL_config() it doesn't need to know or care about
 ENGINE control operations because they can be performed by editing a
 configuration file.
 
+=head1 ENVIRONMENT
+
+=over 4
+
+=item B<OPENSSL_CONF>
+
+The path to the config file.
+Ignored in set-user-ID and set-group-ID programs.
+
+=back
+
 =head1 RETURN VALUES
 
 Neither OPENSSL_config() nor OPENSSL_no_config() return a value.
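Review bot: the new OPENSSL_CONF item, "The path to the config file.", does not tell the reader that the variable overrides the default config file location, which is what CONF_get1_default_config_file() does with it. Suggest "The path to the config file, used instead of the default location." ahead of the "Ignored in ..." sentence.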
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
index ef8e10e..09d72be 100644
--- a/doc/man5/config.pod
+++ b/doc/man5/config.pod
@@ -384,6 +384,22 @@ will output:
 
 showing that the OID "newoid1" has been added as "1.2.3.4.1".
 
+=head1 ENVIRONMENT
+
+=over 4
+
+=item B<OPENSSL_CONF>
+
+The path to the config file.
+Ignored in set-user-ID and set-group-ID programs.
+
+=item B<OPENSSL_ENGINES>
+
+The path to the engines directory.
+Ignored in set-user-ID and set-group-ID programs.
+
+=back
+
 =head1 BUGS
 
 Currently there is no way to include characters using the octal B<\nnn>
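Review bot: the two items added in this ENVIRONMENT section repeat, word for word, the text added to ENGINE_add.pod and OPENSSL_config.pod in the same commit. Three copies are likely to drift apart. Consider keeping the full description here and having the man3 pages refer to it with L<config(5)>.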

