From 788d2fa0cf38420fd729b336bdb88d5a6e9d68ac Mon Sep 17 00:00:00 2001 From: Pauli Date: Mon, 24 Sep 2018 14:06:45 +1000 Subject: Merge 1.0.2 setuid calls to getenv(3) safety. Manual merge of #7047 to 1.0.2-stable. Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/7300) --- crypto/Makefile | 6 ++++-- crypto/conf/conf_api.c | 5 +++-- crypto/conf/conf_mod.c | 2 +- crypto/cryptlib.h | 2 ++ crypto/engine/eng_list.c | 5 +++-- crypto/getenv.c | 31 +++++++++++++++++++++++++++++++ crypto/rand/randfile.c | 7 +++---- crypto/x509/by_dir.c | 2 +- crypto/x509/by_file.c | 3 ++- crypto/x509/x509_vfy.c | 2 +- 10 files changed, 51 insertions(+), 14 deletions(-) create mode 100644 crypto/getenv.c (limited to 'crypto') diff --git a/crypto/Makefile b/crypto/Makefile index ad1b9f018b..72c96f6dde 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -36,9 +36,11 @@ TEST=constant_time_test.c LIB= $(TOP)/libcrypto.a SHARED_LIB= libcrypto$(SHLIB_EXT) LIBSRC= cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c cpt_err.c \ - ebcdic.c uid.c o_time.c o_str.c o_dir.c o_fips.c o_init.c fips_ers.c + ebcdic.c uid.c o_time.c o_str.c o_dir.c o_fips.c o_init.c fips_ers.c \ + getenv.c LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o ebcdic.o \ - uid.o o_time.o o_str.o o_dir.o o_fips.o o_init.o fips_ers.o $(CPUID_OBJ) + uid.o o_time.o o_str.o o_dir.o o_fips.o o_init.o fips_ers.o getenv.o \ + $(CPUID_OBJ) SRC= $(LIBSRC) diff --git a/crypto/conf/conf_api.c b/crypto/conf/conf_api.c index 60c9440120..480781d205 100644 --- a/crypto/conf/conf_api.c +++ b/crypto/conf/conf_api.c @@ -66,6 +66,7 @@ #include #include #include +#include "cryptlib.h" #include #include #include "e_os.h" @@ -141,7 +142,7 @@ char *_CONF_get_string(const CONF *conf, const char *section, if (v != NULL) return (v->value); if (strcmp(section, "ENV") == 0) { - p = getenv(name); + p = ossl_safe_getenv(name); if (p != NULL) return (p); } 
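Review bot: In crypto/conf/conf_api.c, _CONF_get_string() now receives NULL from `ossl_safe_getenv(name)` whenever the process is setuid/setgid, and nothing at the call site says that an `ENV` lookup can fail for that reason rather than because the variable is unset. In this hunk the NULL falls past the `if (p != NULL)` test to code that is not shown, and in the following hunk the outer `else` branch hands it straight back with `return (ossl_safe_getenv(name));`. I would add a short comment above the first call, e.g. `/* NULL if unset, or if the process is setuid/setgid */`. The function body starts and ends outside both hunks, so what the fall-through reaches cannot be checked from here.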
@@ -154,7 +155,7 @@ char *_CONF_get_string(const CONF *conf, const char *section, else return (NULL); } else - return (getenv(name)); + return (ossl_safe_getenv(name)); } #if 0 /* There's no way to provide error checking diff --git a/crypto/conf/conf_mod.c b/crypto/conf/conf_mod.c index e2a9a81678..2a7a27b8ee 100644 --- a/crypto/conf/conf_mod.c +++ b/crypto/conf/conf_mod.c @@ -530,7 +530,7 @@ char *CONF_get1_default_config_file(void) char *file; int len; - file = getenv("OPENSSL_CONF"); + file = ossl_safe_getenv("OPENSSL_CONF"); if (file) return BUF_strdup(file); diff --git a/crypto/cryptlib.h b/crypto/cryptlib.h index fba180a6b2..cdbddf1735 100644 --- a/crypto/cryptlib.h +++ b/crypto/cryptlib.h @@ -104,6 +104,8 @@ void OPENSSL_showfatal(const char *fmta, ...); void *OPENSSL_stderr(void); extern int OPENSSL_NONPIC_relocated; +char *ossl_safe_getenv(const char *); + #ifdef __cplusplus } #endif diff --git a/crypto/engine/eng_list.c b/crypto/engine/eng_list.c index 83c95d56f4..9e64b9dd93 100644 --- a/crypto/engine/eng_list.c +++ b/crypto/engine/eng_list.c @@ -62,6 +62,7 @@ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */ +#include "cryptlib.h" #include "eng_int.h" /* @@ -369,10 +370,10 @@ ENGINE *ENGINE_by_id(const char *id) */ if (strcmp(id, "dynamic")) { # ifdef OPENSSL_SYS_VMS - if ((load_dir = getenv("OPENSSL_ENGINES")) == 0) + if ((load_dir = ossl_safe_getenv("OPENSSL_ENGINES")) == 0) load_dir = "SSLROOT:[ENGINES]"; # else - if ((load_dir = getenv("OPENSSL_ENGINES")) == 0) + if ((load_dir = ossl_safe_getenv("OPENSSL_ENGINES")) == 0) load_dir = ENGINESDIR; # endif iterator = ENGINE_by_id("dynamic"); diff --git a/crypto/getenv.c b/crypto/getenv.c new file mode 100644 index 0000000000..53f1dfd457 --- /dev/null +++ b/crypto/getenv.c 
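Review bot: In crypto/cryptlib.h the new prototype `char *ossl_safe_getenv(const char *);` omits the parameter name and carries no comment, so the header does not say what makes this lookup safe. I would write it as `char *ossl_safe_getenv(const char *name);` with a one-line comment such as `/* getenv() that returns NULL when the process is setuid/setgid */`. That is the contract every converted call site in this commit relies on.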
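Review bot: In crypto/engine/eng_list.c the `ossl_safe_getenv("OPENSSL_ENGINES")` lookup is written twice, once in each arm of the `OPENSSL_SYS_VMS` conditional, although only the fallback value differs. The result appears to become the directory used for dynamic engine loading, so a single lookup is safer to maintain: a later hardening edit cannot then reach one arm and miss the other. I would hoist `load_dir = ossl_safe_getenv("OPENSSL_ENGINES");` above the `# ifdef` and reduce each arm to `if (load_dir == NULL) load_dir = ENGINESDIR;` (or the VMS path), which also replaces the `== 0` pointer comparison. ENGINE_by_id() starts and ends outside the hunk.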
@@ -0,0 +1,31 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#ifndef _GNU_SOURCE +# define _GNU_SOURCE +#endif + +#include +#include "cryptlib.h" + +char *ossl_safe_getenv(const char *name) +{ +#if defined(__GLIBC__) && defined(__GLIBC_PREREQ) +# if __GLIBC_PREREQ(2, 17) +# define SECURE_GETENV + return secure_getenv(name); +# endif +#endif + +#ifndef SECURE_GETENV + if (OPENSSL_issetugid()) + return NULL; + return getenv(name); +#endif +} diff --git a/crypto/rand/randfile.c b/crypto/rand/randfile.c index 728fd0a721..c93812cfb9 100644 --- a/crypto/rand/randfile.c +++ b/crypto/rand/randfile.c @@ -61,6 +61,7 @@ #include #include +#include "cryptlib.h" #include "e_os.h" #include #include @@ -327,14 +328,12 @@ const char *RAND_file_name(char *buf, size_t size) struct stat sb; #endif - if (OPENSSL_issetugid() == 0) - s = getenv("RANDFILE"); + s = ossl_safe_getenv("RANDFILE"); if (s != NULL && *s && strlen(s) + 1 < size) { if (BUF_strlcpy(buf, s, size) >= size) return NULL; } else { - if (OPENSSL_issetugid() == 0) - s = getenv("HOME"); + s = ossl_safe_getenv("HOME"); #ifdef DEFAULT_HOME if (s == NULL) { s = DEFAULT_HOME; diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c index 6f0209a275..9212076383 100644 --- a/crypto/x509/by_dir.c +++ b/crypto/x509/by_dir.c @@ -128,7 +128,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl, switch (cmd) { case X509_L_ADD_DIR: if (argl == X509_FILETYPE_DEFAULT) { - dir = (char *)getenv(X509_get_default_cert_dir_env()); + dir = (char *)ossl_safe_getenv(X509_get_default_cert_dir_env()); if (dir) ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM); else 
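Review bot: In crypto/getenv.c, ossl_safe_getenv() has no comment stating its contract, and its two paths are not obviously equivalent. The glibc path defers to `secure_getenv()`, which keys off the loader's secure-execution state, while the fallback depends entirely on `OPENSSL_issetugid()`, whose implementation is not shown here and may be weaker on some platforms. I would add a header comment saying that the function returns NULL whenever the process runs with elevated privilege, that callers must treat NULL as "unset", and that the result points into the environment and must not be freed. The `# define SECURE_GETENV` inside the function body would also read better hoisted above the function, next to the `_GNU_SOURCE` block.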
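Review bot: In crypto/x509/by_dir.c the `(char *)` cast on the `ossl_safe_getenv(...)` result is redundant, because cryptlib.h declares the function as returning `char *`; I would drop it and write `dir = ossl_safe_getenv(X509_get_default_cert_dir_env());`. A cast on a call result would also silence the diagnostic if the prototype were ever not in scope. This hunk adds no `#include "cryptlib.h"`, so the file presumably already includes it, which is worth confirming. dir_ctrl() starts and ends outside the hunk.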
diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c index 82ce4e8d87..e6d0e6e1a6 100644 --- a/crypto/x509/by_file.c +++ b/crypto/x509/by_file.c @@ -97,7 +97,8 @@ static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, switch (cmd) { case X509_L_FILE_LOAD: if (argl == X509_FILETYPE_DEFAULT) { - file = getenv(X509_get_default_cert_file_env()); + file = ossl_safe_getenv(X509_get_default_cert_file_env()); + if (file) ok = (X509_load_cert_crl_file(ctx, file, X509_FILETYPE_PEM) != 0); diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 869460d7cd..749768e5a6 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -621,7 +621,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) * A hack to keep people who don't want to modify their software * happy */ - if (getenv("OPENSSL_ALLOW_PROXY_CERTS")) + if (ossl_safe_getenv("OPENSSL_ALLOW_PROXY_CERTS")) allow_proxy_certs = 1; purpose = ctx->param->purpose; } -- cgit v1.2.3
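Review bot: In crypto/x509/by_file.c the change appears to add an empty line between `file = ossl_safe_getenv(X509_get_default_cert_file_env());` and `if (file)`. The old code did not have it and the matching by_dir.c change does not add one, so I would drop it to keep the lookup and its NULL test together. As in by_dir.c, no `#include "cryptlib.h"` is added here, so it is worth confirming the prototype is already in scope. by_file_ctrl() continues outside the hunk, so the path taken when `file` is NULL is not visible.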
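Review bot: In crypto/x509/x509_vfy.c the comment above `if (ossl_safe_getenv("OPENSSL_ALLOW_PROXY_CERTS"))` still only calls the test a hack and omits two things a reader needs to know about a switch that relaxes verification. The variable is honoured on mere presence, so an empty value or `0` still sets `allow_proxy_certs = 1`, and after this change it is ignored when the process is setuid/setgid. I would extend the comment with `Presence alone enables proxy certs; ignored in setuid/setgid processes, where ossl_safe_getenv() returns NULL.` check_chain_extensions() starts and ends outside the hunk.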