Don't use getenv for critical functions when run as setuid/setgid #5856

Closed
4 changes: 4 additions & 0 deletions CHANGES
Expand Up @@ -9,6 +9,10 @@

Changes between 1.1.0h and 1.1.1 [xx XXX xxxx]

*) Don't use OPENSSL_ENGINES and OPENSSL_CONF environment values
in libcrypto when run as setuid/setgid.
[Bernd Edlinger]

*) Added new public header file <openssl/rand_drbg.h> and documentation
for the RAND_DRBG API. See manual page RAND_DRBG(7) for an overview.
[Matthias St. Pierre]
8 changes: 5 additions & 3 deletions crypto/conf/conf_mod.c
Expand Up @@ -479,9 +479,11 @@ char *CONF_get1_default_config_file(void)
char *file, *sep = "";
int len;

file = getenv("OPENSSL_CONF");
if (file)
return OPENSSL_strdup(file);
if (!OPENSSL_issetugid()) {
file = getenv("OPENSSL_CONF");
if (file)
return OPENSSL_strdup(file);
}

len = strlen(X509_get_default_cert_area());
#ifndef OPENSSL_SYS_VMS
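Review bot: The new `if (!OPENSSL_issetugid())` block in CONF_get1_default_config_file() has no comment saying why OPENSSL_CONF is skipped, and the same guard-then-getenv pattern is written out by hand again in crypto/engine/eng_list.c. Consider a one-line comment here, and a small shared wrapper that returns NULL when OPENSSL_issetugid() is true, so both call sites read the environment through one function and a later getenv() call is less likely to miss the check.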
3 changes: 2 additions & 1 deletion crypto/engine/eng_list.c
Expand Up @@ -317,7 +317,8 @@ ENGINE *ENGINE_by_id(const char *id)
* Prevent infinite recursion if we're looking for the dynamic engine.
*/
if (strcmp(id, "dynamic")) {
if ((load_dir = getenv("OPENSSL_ENGINES")) == NULL)
if (OPENSSL_issetugid()
|| (load_dir = getenv("OPENSSL_ENGINES")) == NULL)
load_dir = ENGINESDIR;
iterator = ENGINE_by_id("dynamic");
if (!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) ||
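Review bot: In the rewritten condition in ENGINE_by_id(), `load_dir` is assigned only in the right-hand operand of `||`, so when OPENSSL_issetugid() is true the assignment is skipped and the result is correct only because the body then sets `load_dir = ENGINESDIR`. That works, but it is easy to break in a later edit. Setting `load_dir = ENGINESDIR` first and overriding it from OPENSSL_ENGINES only when the process is not setuid/setgid would read more directly, and a short comment on why the environment is ignored would help the next reader.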
1 change: 1 addition & 0 deletions doc/man3/ENGINE_add.pod
Expand Up @@ -568,6 +568,7 @@ extension).
=item B<OPENSSL_ENGINES>

The path to the engines directory.
Ignored in set-user-ID and set-group-ID programs.

=back

11 changes: 11 additions & 0 deletions doc/man3/OPENSSL_config.pod
Expand Up @@ -48,6 +48,17 @@ application calls OPENSSL_config() it doesn't need to know or care about
ENGINE control operations because they can be performed by editing a
configuration file.

=head1 ENVIRONMENT

=over 4

=item B<OPENSSL_CONF>

The path to the config file.
Ignored in set-user-ID and set-group-ID programs.

=back

=head1 RETURN VALUES

Neither OPENSSL_config() nor OPENSSL_no_config() return a value.
16 changes: 16 additions & 0 deletions doc/man5/config.pod
Expand Up @@ -384,6 +384,22 @@ will output:

showing that the OID "newoid1" has been added as "1.2.3.4.1".

=head1 ENVIRONMENT

=over 4

=item B<OPENSSL_CONF>

The path to the config file.
Ignored in set-user-ID and set-group-ID programs.

=item B<OPENSSL_ENGINES>

The path to the engines directory.
Ignored in set-user-ID and set-group-ID programs.

=back

=head1 BUGS

Currently there is no way to include characters using the octal B<\nnn>
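Review bot: Both new ENVIRONMENT items say the variable is "Ignored in set-user-ID and set-group-ID programs" but not what is used instead. The code changes in this pull request fall back to the default config file path in CONF_get1_default_config_file() and to ENGINESDIR in ENGINE_by_id(), so each item could add a sentence naming that default. The same applies to the matching text added to doc/man3/ENGINE_add.pod and doc/man3/OPENSSL_config.pod.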