From af044b4037e3c4a92ea31a5a704ce7e1dde070f1 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 13 Jul 2012 22:21:05 +0200 Subject: [PATCH] use __getenv_secure() instead of __libc_enable_secure --- openssl-1.0.1c-secure-getenv.patch | 164 ++++++++++------------------- openssl.spec | 5 +- 2 files changed, 60 insertions(+), 109 deletions(-) diff --git a/openssl-1.0.1c-secure-getenv.patch b/openssl-1.0.1c-secure-getenv.patch index 2a0e5eb..0977e30 100644 --- a/openssl-1.0.1c-secure-getenv.patch +++ b/openssl-1.0.1c-secure-getenv.patch @@ -1,55 +1,41 @@ -diff -up openssl-1.0.1c/Configure.secure-getenv openssl-1.0.1c/Configure ---- openssl-1.0.1c/Configure.secure-getenv 2012-07-13 13:34:37.309433776 +0200 -+++ openssl-1.0.1c/Configure 2012-07-13 13:34:37.309433776 +0200 -@@ -1437,6 +1437,10 @@ if ($target =~ /^BSD\-/) - $shared_ldflag.=" -Wl,-rpath,\$(LIBRPATH)" if ($prefix !~ m|^/usr[/]*$|); - } - -+if ($target =~ /^linux/i) { -+ $cflags .= " -DLIBC_ENABLE_SECURE"; -+} -+ - if ($sys_id ne "") - { - #$cflags="-DOPENSSL_SYSNAME_$sys_id $cflags"; diff -up openssl-1.0.1c/crypto/conf/conf_api.c.secure-getenv openssl-1.0.1c/crypto/conf/conf_api.c --- openssl-1.0.1c/crypto/conf/conf_api.c.secure-getenv 2011-09-02 13:20:32.000000000 +0200 -+++ openssl-1.0.1c/crypto/conf/conf_api.c 2012-07-13 13:34:37.277433033 +0200 -@@ -140,7 +140,7 @@ char *_CONF_get_string(const CONF *conf, - vv.section=(char *)section; - v=lh_CONF_VALUE_retrieve(conf->data,&vv); ++++ openssl-1.0.1c/crypto/conf/conf_api.c 2012-07-13 22:10:23.065949230 +0200 +@@ -142,7 +142,7 @@ char *_CONF_get_string(const CONF *conf, if (v != NULL) return(v->value); -- if (strcmp(section,"ENV") == 0) -+ if (!OPENSSL_issetugid() && (strcmp(section,"ENV") == 0)) + if (strcmp(section,"ENV") == 0) { - p=getenv(name); +- p=getenv(name); ++ p=__secure_getenv(name); if (p != NULL) return(p); + } + } 
@@ -155,7 +155,7 @@ char *_CONF_get_string(const CONF *conf, return(NULL); } else - return(getenv(name)); -+ return (OPENSSL_issetugid() ? NULL : getenv(name)); ++ return (__secure_getenv(name)); } #if 0 /* There's no way to provide error checking with this function, so diff -up openssl-1.0.1c/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.1c/crypto/conf/conf_mod.c --- openssl-1.0.1c/crypto/conf/conf_mod.c.secure-getenv 2008-11-05 19:38:55.000000000 +0100 -+++ openssl-1.0.1c/crypto/conf/conf_mod.c 2012-07-13 13:34:37.277433033 +0200 ++++ openssl-1.0.1c/crypto/conf/conf_mod.c 2012-07-13 22:18:31.937928293 +0200 @@ -548,8 +548,8 @@ char *CONF_get1_default_config_file(void char *file; int len; - file = getenv("OPENSSL_CONF"); - if (file) -+ if (!OPENSSL_issetugid() && -+ (file = getenv("OPENSSL_CONF")) != NULL); ++ file = __secure_getenv("OPENSSL_CONF"); ++ if (file) return BUF_strdup(file); len = strlen(X509_get_default_cert_area()); diff -up openssl-1.0.1c/crypto/engine/eng_list.c.secure-getenv openssl-1.0.1c/crypto/engine/eng_list.c --- openssl-1.0.1c/crypto/engine/eng_list.c.secure-getenv 2010-03-27 19:28:13.000000000 +0100 -+++ openssl-1.0.1c/crypto/engine/eng_list.c 2012-07-13 13:34:37.278433056 +0200 ++++ openssl-1.0.1c/crypto/engine/eng_list.c 2012-07-13 22:13:14.736804605 +0200 @@ -399,9 +399,9 @@ ENGINE *ENGINE_by_id(const char *id) if (strcmp(id, "dynamic")) { 
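Review bot: Every `getenv` replacement in this hunk, starting with `p=__secure_getenv(name);` in `_CONF_get_string`, calls a glibc-private double-underscore symbol with no fallback, and the same hunk removes the Configure `-DLIBC_ENABLE_SECURE` guard that used to keep the glibc-specific code conditional; the same applies to every call in the second hunk. On a libc that does not provide `__secure_getenv`, or a later glibc that exports only `secure_getenv`, the build either fails or, if the name is missing from the headers, falls through to an implicit `int` declaration that truncates the returned pointer on 64-bit targets. A small wrapper macro (the `OSSL_SECURE_GETENV` name below is constructed) keyed on `__GLIBC__` would keep the AT_SECURE-based hardening while preserving the `OPENSSL_issetugid() ? NULL : getenv()` fallback for other platforms. The commit subject and the spec changelog name the function `__getenv_secure()` while the code calls `__secure_getenv()`; one of them should be corrected. `_CONF_get_string` begins before this hunk.
```c
/* … near the top of conf_api.c, after the existing includes … */
#ifdef __GLIBC__
#define OSSL_SECURE_GETENV(name) __secure_getenv(name)
#else
#define OSSL_SECURE_GETENV(name) (OPENSSL_issetugid() ? NULL : getenv(name))
#endif
/* … unchanged: _CONF_get_string up to the ENV section lookup … */
		p=OSSL_SECURE_GETENV(name);
```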
@@ -58,149 +44,111 @@ diff -up openssl-1.0.1c/crypto/engine/eng_list.c.secure-getenv openssl-1.0.1c/cr + if(OPENSSL_issetugid() || (load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = "SSLROOT:[ENGINES]"; #else - if((load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = ENGINESDIR; -+ if(OPENSSL_issetugid() || (load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = ENGINESDIR; ++ if((load_dir = __secure_getenv("OPENSSL_ENGINES")) == 0) load_dir = ENGINESDIR; #endif iterator = ENGINE_by_id("dynamic"); if(!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) || diff -up openssl-1.0.1c/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.1c/crypto/md5/md5_dgst.c ---- openssl-1.0.1c/crypto/md5/md5_dgst.c.secure-getenv 2012-07-13 13:34:37.000000000 +0200 -+++ openssl-1.0.1c/crypto/md5/md5_dgst.c 2012-07-13 13:37:27.709392052 +0200 +--- openssl-1.0.1c/crypto/md5/md5_dgst.c.secure-getenv 2012-07-13 13:38:36.321985875 +0200 ++++ openssl-1.0.1c/crypto/md5/md5_dgst.c 2012-07-13 22:11:01.320808356 +0200 @@ -74,7 +74,7 @@ const char MD5_version[]="MD5" OPENSSL_V int MD5_Init(MD5_CTX *c) #ifdef OPENSSL_FIPS { - if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL) -+ if (FIPS_mode() && (OPENSSL_issetugid() || getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)) ++ if (FIPS_mode() && __secure_getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL) OpenSSLDie(__FILE__, __LINE__, \ "Digest MD5 forbidden in FIPS mode!"); return private_MD5_Init(c); diff -up openssl-1.0.1c/crypto/o_init.c.secure-getenv openssl-1.0.1c/crypto/o_init.c ---- openssl-1.0.1c/crypto/o_init.c.secure-getenv 2012-07-13 13:34:37.237432103 +0200 -+++ openssl-1.0.1c/crypto/o_init.c 2012-07-13 13:34:37.278433056 +0200 +--- openssl-1.0.1c/crypto/o_init.c.secure-getenv 2012-07-13 13:38:36.307985551 +0200 ++++ openssl-1.0.1c/crypto/o_init.c 2012-07-13 22:07:15.482736498 +0200 
@@ -71,7 +71,7 @@ static void init_fips_mode(void) char buf[2] = "0"; int fd; - if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) -+ if (!OPENSSL_issetugid() && getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) ++ if (__secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { buf[0] = '1'; } -diff -up openssl-1.0.1c/crypto/uid.c.secure-getenv openssl-1.0.1c/crypto/uid.c ---- openssl-1.0.1c/crypto/uid.c.secure-getenv 2003-11-28 14:10:55.000000000 +0100 -+++ openssl-1.0.1c/crypto/uid.c 2012-07-13 13:34:37.278433056 +0200 -@@ -77,8 +77,26 @@ int OPENSSL_issetugid(void) - #include OPENSSL_UNISTD - #include +diff -up openssl-1.0.1c/crypto/rand/randfile.c.secure-getenv openssl-1.0.1c/crypto/rand/randfile.c +--- openssl-1.0.1c/crypto/rand/randfile.c.secure-getenv 2012-01-15 14:40:21.000000000 +0100 ++++ openssl-1.0.1c/crypto/rand/randfile.c 2012-07-13 22:11:40.529688907 +0200 +@@ -275,8 +275,7 @@ const char *RAND_file_name(char *buf, si + struct stat sb; + #endif -+#ifdef LIBC_ENABLE_SECURE -+extern int __libc_enable_secure; -+#endif -+#ifdef PRCTL_DUMPABLE -+#include -+#endif -+ - int OPENSSL_issetugid(void) - { -+#ifdef LIBC_ENABLE_SECURE -+ if (__libc_enable_secure) return 1; -+#endif -+#ifdef PRCTL_DUMPABLE -+ /* 0 -> not dumpable, 2 -> dumpable by root only from -+ * Linux kernel 2.6.13 - 2.6.17, so we require dumpable -+ * flag to be == 1 to accept non-secure mode. 
-+ */ -+ if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) != 1) -+ return 1; -+#endif - if (getuid() != geteuid()) return 1; - if (getgid() != getegid()) return 1; - return 0; +- if (OPENSSL_issetugid() == 0) +- s=getenv("RANDFILE"); ++ s=__secure_getenv("RANDFILE"); + if (s != NULL && *s && strlen(s) + 1 < size) + { + if (BUF_strlcpy(buf,s,size) >= size) +@@ -284,8 +283,7 @@ const char *RAND_file_name(char *buf, si + } + else + { +- if (OPENSSL_issetugid() == 0) +- s=getenv("HOME"); ++ s=__secure_getenv("HOME"); + #ifdef DEFAULT_HOME + if (s == NULL) + { diff -up openssl-1.0.1c/crypto/x509/by_dir.c.secure-getenv openssl-1.0.1c/crypto/x509/by_dir.c --- openssl-1.0.1c/crypto/x509/by_dir.c.secure-getenv 2010-02-19 19:26:23.000000000 +0100 -+++ openssl-1.0.1c/crypto/x509/by_dir.c 2012-07-13 13:34:37.279433079 +0200 -@@ -135,7 +135,8 @@ static int dir_ctrl(X509_LOOKUP *ctx, in ++++ openssl-1.0.1c/crypto/x509/by_dir.c 2012-07-13 22:14:42.707780256 +0200 +@@ -135,7 +135,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, in case X509_L_ADD_DIR: if (argl == X509_FILETYPE_DEFAULT) { - dir=(char *)getenv(X509_get_default_cert_dir_env()); -+ if (!OPENSSL_issetugid()) -+ dir=(char *)getenv(X509_get_default_cert_dir_env()); ++ dir=(char *)__secure_getenv(X509_get_default_cert_dir_env()); if (dir) ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM); else diff -up openssl-1.0.1c/crypto/x509/by_file.c.secure-getenv openssl-1.0.1c/crypto/x509/by_file.c ---- openssl-1.0.1c/crypto/x509/by_file.c.secure-getenv 2012-07-13 13:34:37.187430942 +0200 -+++ openssl-1.0.1c/crypto/x509/by_file.c 2012-07-13 13:34:37.279433079 +0200 -@@ -93,14 +93,15 @@ static int by_file_ctrl(X509_LOOKUP *ctx - char **ret) - { - int ok=0; -- char *file; -+ char *file = NULL; - - switch (cmd) - { +--- openssl-1.0.1c/crypto/x509/by_file.c.secure-getenv 2012-07-13 13:38:36.260984458 +0200 ++++ openssl-1.0.1c/crypto/x509/by_file.c 2012-07-13 22:15:23.320692338 +0200 +@@ -100,7 +100,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx case 
X509_L_FILE_LOAD: if (argl == X509_FILETYPE_DEFAULT) { - file = (char *)getenv(X509_get_default_cert_file_env()); -+ if (!OPENSSL_issetugid()) -+ file = (char *)getenv(X509_get_default_cert_file_env()); ++ file = (char *)__secure_getenv(X509_get_default_cert_file_env()); if (file) ok = (X509_load_cert_crl_file(ctx,file, X509_FILETYPE_PEM) != 0); diff -up openssl-1.0.1c/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.1c/crypto/x509/x509_vfy.c --- openssl-1.0.1c/crypto/x509/x509_vfy.c.secure-getenv 2011-09-23 15:39:35.000000000 +0200 -+++ openssl-1.0.1c/crypto/x509/x509_vfy.c 2012-07-13 13:34:37.280433102 +0200 -@@ -456,7 +456,7 @@ static int check_chain_extensions(X509_S - int (*cb)(int xok,X509_STORE_CTX *xctx); - int proxy_path_length = 0; - int purpose; -- int allow_proxy_certs; -+ int allow_proxy_certs = 0; - cb=ctx->verify_cb; - - /* must_be_ca can have 1 of 3 values: ++++ openssl-1.0.1c/crypto/x509/x509_vfy.c 2012-07-13 22:14:13.937134124 +0200 
@@ -481,7 +481,7 @@ static int check_chain_extensions(X509_S !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); /* A hack to keep people who don't want to modify their software happy */ - if (getenv("OPENSSL_ALLOW_PROXY_CERTS")) -+ if (!OPENSSL_issetugid() && getenv("OPENSSL_ALLOW_PROXY_CERTS")) ++ if (__secure_getenv("OPENSSL_ALLOW_PROXY_CERTS")) allow_proxy_certs = 1; purpose = ctx->param->purpose; } diff -up openssl-1.0.1c/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.1c/engines/ccgost/gost_ctl.c --- openssl-1.0.1c/engines/ccgost/gost_ctl.c.secure-getenv 2008-03-16 22:05:44.000000000 +0100 -+++ openssl-1.0.1c/engines/ccgost/gost_ctl.c 2012-07-13 13:34:37.280433102 +0200 -@@ -59,13 +59,14 @@ int gost_control_func(ENGINE *e,int cmd, - - const char *get_gost_engine_param(int param) - { -- char *tmp; -+ char *tmp = NULL; - if (param <0 || param >GOST_PARAM_MAX) return NULL; - if (gost_params[param]!=NULL) ++++ openssl-1.0.1c/engines/ccgost/gost_ctl.c 2012-07-13 22:16:48.719610222 +0200 +@@ -65,7 +65,7 @@ const char *get_gost_engine_param(int pa { return gost_params[param]; } - tmp = getenv(gost_envnames[param]); -+ if (!OPENSSL_issetugid()) -+ tmp = getenv(gost_envnames[param]); ++ tmp = __secure_getenv(gost_envnames[param]); if (tmp) { if (gost_params[param]) OPENSSL_free(gost_params[param]); -@@ -77,9 +78,10 @@ const char *get_gost_engine_param(int pa - - int gost_set_default_param(int param, const char *value) +@@ -79,7 +79,7 @@ int gost_set_default_param(int param, co { -- const char *tmp; -+ const char *tmp = NULL; + const char *tmp; if (param <0 || param >GOST_PARAM_MAX) return 0; - tmp = getenv(gost_envnames[param]); -+ if (!OPENSSL_issetugid()) -+ tmp = getenv(gost_envnames[param]); ++ tmp = __secure_getenv(gost_envnames[param]); /* if there is value in the environment, use it, else -passed string * */ if (!tmp) tmp=value; if (gost_params[param]) OPENSSL_free(gost_params[param]); 
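Review bot: The new side drops the entire `crypto/uid.c` change, so `OPENSSL_issetugid()` is back to comparing only real and effective uid/gid and the `prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) != 1` test is applied nowhere; `__secure_getenv` honours only the AT_SECURE state fixed at exec time, so a process that later clears its dumpable flag to protect key material will again read `OPENSSL_CONF`, `OPENSSL_ENGINES`, `RANDFILE` and the other overrides in this hunk from its environment. If narrowing to AT_SECURE is intended, the spec changelog should say so; otherwise the dumpable check could be retained inside `OPENSSL_issetugid()` alongside the `__secure_getenv` calls. The comment `/* A hack to keep people who don't want to modify their software happy */` above `__secure_getenv("OPENSSL_ALLOW_PROXY_CERTS")` could additionally note that the override is ignored in AT_SECURE processes, since that is the behaviour a reader now needs to know. `check_chain_extensions`, `RAND_file_name` and `get_gost_engine_param` all continue outside the hunk.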
diff --git a/openssl.spec b/openssl.spec
index 9659726..4c13e1f 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implem
 Name: openssl
 Version: 1.0.1c
 # Do not forget to bump SHLIB_VERSION on version upgrades
-Release: 4%{?dist}
+Release: 5%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -425,6 +425,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Fri Jul 13 2012 Tomas Mraz 1.0.1c-5
+- use __getenv_secure() instead of __libc_enable_secure
+
 * Fri Jul 13 2012 Tomas Mraz 1.0.1c-4
 - do not move libcrypto to /lib
 - do not use environment variables if __libc_enable_secure is on