[openssl] Use secure_getenv() with new glibc.
Tomáš Mráz
tmraz at fedoraproject.org
Mon Sep 10 18:25:57 UTC 2012
commit 79971bf19414216e34419cd8e0a33c048c362ccc
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date: Mon Sep 10 20:25:19 2012 +0200
Use secure_getenv() with new glibc.
openssl-1.0.1c-secure-getenv.patch | 168 +++++++++++++++++++++++++++--------
openssl.spec | 3 +-
2 files changed, 131 insertions(+), 40 deletions(-)
---
diff --git a/openssl-1.0.1c-secure-getenv.patch b/openssl-1.0.1c-secure-getenv.patch
index 0977e30..8338fb4 100644
--- a/openssl-1.0.1c-secure-getenv.patch
+++ b/openssl-1.0.1c-secure-getenv.patch
@@ -1,42 +1,69 @@
diff -up openssl-1.0.1c/crypto/conf/conf_api.c.secure-getenv openssl-1.0.1c/crypto/conf/conf_api.c
--- openssl-1.0.1c/crypto/conf/conf_api.c.secure-getenv 2011-09-02 13:20:32.000000000 +0200
-+++ openssl-1.0.1c/crypto/conf/conf_api.c 2012-07-13 22:10:23.065949230 +0200
-@@ -142,7 +142,7 @@ char *_CONF_get_string(const CONF *conf,
++++ openssl-1.0.1c/crypto/conf/conf_api.c 2012-09-10 20:20:24.803968961 +0200
+@@ -63,6 +63,8 @@
+ # define NDEBUG
+ #endif
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <assert.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -142,7 +144,7 @@ char *_CONF_get_string(const CONF *conf,
if (v != NULL) return(v->value);
if (strcmp(section,"ENV") == 0)
{
- p=getenv(name);
-+ p=__secure_getenv(name);
++ p=secure_getenv(name);
if (p != NULL) return(p);
}
}
-@@ -155,7 +155,7 @@ char *_CONF_get_string(const CONF *conf,
+@@ -155,7 +157,7 @@ char *_CONF_get_string(const CONF *conf,
return(NULL);
}
else
- return(getenv(name));
-+ return (__secure_getenv(name));
++ return (secure_getenv(name));
}
#if 0 /* There's no way to provide error checking with this function, so
diff -up openssl-1.0.1c/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.1c/crypto/conf/conf_mod.c
--- openssl-1.0.1c/crypto/conf/conf_mod.c.secure-getenv 2008-11-05 19:38:55.000000000 +0100
-+++ openssl-1.0.1c/crypto/conf/conf_mod.c 2012-07-13 22:18:31.937928293 +0200
-@@ -548,8 +548,8 @@ char *CONF_get1_default_config_file(void
++++ openssl-1.0.1c/crypto/conf/conf_mod.c 2012-09-10 20:22:46.228970661 +0200
+@@ -56,6 +56,8 @@
+ *
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <stdio.h>
+ #include <ctype.h>
+ #include <openssl/crypto.h>
+@@ -548,8 +550,8 @@ char *CONF_get1_default_config_file(void
char *file;
int len;
- file = getenv("OPENSSL_CONF");
- if (file)
-+ file = __secure_getenv("OPENSSL_CONF");
++ file = secure_getenv("OPENSSL_CONF");
+ if (file)
return BUF_strdup(file);
len = strlen(X509_get_default_cert_area());
diff -up openssl-1.0.1c/crypto/engine/eng_list.c.secure-getenv openssl-1.0.1c/crypto/engine/eng_list.c
--- openssl-1.0.1c/crypto/engine/eng_list.c.secure-getenv 2010-03-27 19:28:13.000000000 +0100
-+++ openssl-1.0.1c/crypto/engine/eng_list.c 2012-07-13 22:13:14.736804605 +0200
-@@ -399,9 +399,9 @@ ENGINE *ENGINE_by_id(const char *id)
++++ openssl-1.0.1c/crypto/engine/eng_list.c 2012-09-10 20:20:46.106452027 +0200
+@@ -61,6 +61,8 @@
+ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include "eng_int.h"
+
+ /* The linked-list of pointers to engine types. engine_list_head
+@@ -399,9 +401,9 @@ ENGINE *ENGINE_by_id(const char *id)
if (strcmp(id, "dynamic"))
{
#ifdef OPENSSL_SYS_VMS
@@ -44,111 +71,174 @@ diff -up openssl-1.0.1c/crypto/engine/eng_list.c.secure-getenv openssl-1.0.1c/cr
+ if(OPENSSL_issetugid() || (load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = "SSLROOT:[ENGINES]";
#else
- if((load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = ENGINESDIR;
-+ if((load_dir = __secure_getenv("OPENSSL_ENGINES")) == 0) load_dir = ENGINESDIR;
++ if((load_dir = secure_getenv("OPENSSL_ENGINES")) == 0) load_dir = ENGINESDIR;
#endif
iterator = ENGINE_by_id("dynamic");
if(!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) ||
diff -up openssl-1.0.1c/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.1c/crypto/md5/md5_dgst.c
---- openssl-1.0.1c/crypto/md5/md5_dgst.c.secure-getenv 2012-07-13 13:38:36.321985875 +0200
-+++ openssl-1.0.1c/crypto/md5/md5_dgst.c 2012-07-13 22:11:01.320808356 +0200
-@@ -74,7 +74,7 @@ const char MD5_version[]="MD5" OPENSSL_V
+--- openssl-1.0.1c/crypto/md5/md5_dgst.c.secure-getenv 2012-09-10 20:10:26.079391932 +0200
++++ openssl-1.0.1c/crypto/md5/md5_dgst.c 2012-09-10 20:20:31.383118153 +0200
+@@ -56,6 +56,8 @@
+ * [including the GNU Public Licence.]
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <stdio.h>
+ #include "md5_locl.h"
+ #include <openssl/opensslv.h>
+@@ -74,7 +76,7 @@ const char MD5_version[]="MD5" OPENSSL_V
int MD5_Init(MD5_CTX *c)
#ifdef OPENSSL_FIPS
{
- if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
-+ if (FIPS_mode() && __secure_getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
++ if (FIPS_mode() && secure_getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
OpenSSLDie(__FILE__, __LINE__, \
"Digest MD5 forbidden in FIPS mode!");
return private_MD5_Init(c);
diff -up openssl-1.0.1c/crypto/o_init.c.secure-getenv openssl-1.0.1c/crypto/o_init.c
---- openssl-1.0.1c/crypto/o_init.c.secure-getenv 2012-07-13 13:38:36.307985551 +0200
-+++ openssl-1.0.1c/crypto/o_init.c 2012-07-13 22:07:15.482736498 +0200
-@@ -71,7 +71,7 @@ static void init_fips_mode(void)
+--- openssl-1.0.1c/crypto/o_init.c.secure-getenv 2012-09-10 20:10:26.066391638 +0200
++++ openssl-1.0.1c/crypto/o_init.c 2012-09-10 20:23:27.634908822 +0200
+@@ -52,6 +52,8 @@
+ *
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <e_os.h>
+ #include <openssl/err.h>
+ #ifdef OPENSSL_FIPS
+@@ -71,7 +73,7 @@ static void init_fips_mode(void)
char buf[2] = "0";
int fd;
- if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
-+ if (__secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
++ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
{
buf[0] = '1';
}
diff -up openssl-1.0.1c/crypto/rand/randfile.c.secure-getenv openssl-1.0.1c/crypto/rand/randfile.c
--- openssl-1.0.1c/crypto/rand/randfile.c.secure-getenv 2012-01-15 14:40:21.000000000 +0100
-+++ openssl-1.0.1c/crypto/rand/randfile.c 2012-07-13 22:11:40.529688907 +0200
-@@ -275,8 +275,7 @@ const char *RAND_file_name(char *buf, si
++++ openssl-1.0.1c/crypto/rand/randfile.c 2012-09-10 20:20:40.708329617 +0200
+@@ -58,6 +58,8 @@
+
+ /* We need to define this to get macros like S_IFBLK and S_IFCHR */
+ #define _XOPEN_SOURCE 500
++/* for secure_getenv */
++#define _GNU_SOURCE
+
+ #include <errno.h>
+ #include <stdio.h>
+@@ -275,8 +277,7 @@ const char *RAND_file_name(char *buf, si
struct stat sb;
#endif
- if (OPENSSL_issetugid() == 0)
- s=getenv("RANDFILE");
-+ s=__secure_getenv("RANDFILE");
++ s=secure_getenv("RANDFILE");
if (s != NULL && *s && strlen(s) + 1 < size)
{
if (BUF_strlcpy(buf,s,size) >= size)
-@@ -284,8 +283,7 @@ const char *RAND_file_name(char *buf, si
+@@ -284,8 +285,7 @@ const char *RAND_file_name(char *buf, si
}
else
{
- if (OPENSSL_issetugid() == 0)
- s=getenv("HOME");
-+ s=__secure_getenv("HOME");
++ s=secure_getenv("HOME");
#ifdef DEFAULT_HOME
if (s == NULL)
{
diff -up openssl-1.0.1c/crypto/x509/by_dir.c.secure-getenv openssl-1.0.1c/crypto/x509/by_dir.c
--- openssl-1.0.1c/crypto/x509/by_dir.c.secure-getenv 2010-02-19 19:26:23.000000000 +0100
-+++ openssl-1.0.1c/crypto/x509/by_dir.c 2012-07-13 22:14:42.707780256 +0200
-@@ -135,7 +135,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
++++ openssl-1.0.1c/crypto/x509/by_dir.c 2012-09-10 20:21:16.641144451 +0200
+@@ -56,6 +56,8 @@
+ * [including the GNU Public Licence.]
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <stdio.h>
+ #include <time.h>
+ #include <errno.h>
+@@ -135,7 +137,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
case X509_L_ADD_DIR:
if (argl == X509_FILETYPE_DEFAULT)
{
- dir=(char *)getenv(X509_get_default_cert_dir_env());
-+ dir=(char *)__secure_getenv(X509_get_default_cert_dir_env());
++ dir=(char *)secure_getenv(X509_get_default_cert_dir_env());
if (dir)
ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM);
else
diff -up openssl-1.0.1c/crypto/x509/by_file.c.secure-getenv openssl-1.0.1c/crypto/x509/by_file.c
---- openssl-1.0.1c/crypto/x509/by_file.c.secure-getenv 2012-07-13 13:38:36.260984458 +0200
-+++ openssl-1.0.1c/crypto/x509/by_file.c 2012-07-13 22:15:23.320692338 +0200
-@@ -100,7 +100,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx
+--- openssl-1.0.1c/crypto/x509/by_file.c.secure-getenv 2012-09-10 20:10:26.016390503 +0200
++++ openssl-1.0.1c/crypto/x509/by_file.c 2012-09-10 20:21:07.748942806 +0200
+@@ -56,6 +56,8 @@
+ * [including the GNU Public Licence.]
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <stdio.h>
+ #include <time.h>
+ #include <errno.h>
+@@ -100,7 +102,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx
case X509_L_FILE_LOAD:
if (argl == X509_FILETYPE_DEFAULT)
{
- file = (char *)getenv(X509_get_default_cert_file_env());
-+ file = (char *)__secure_getenv(X509_get_default_cert_file_env());
++ file = (char *)secure_getenv(X509_get_default_cert_file_env());
if (file)
ok = (X509_load_cert_crl_file(ctx,file,
X509_FILETYPE_PEM) != 0);
diff -up openssl-1.0.1c/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.1c/crypto/x509/x509_vfy.c
--- openssl-1.0.1c/crypto/x509/x509_vfy.c.secure-getenv 2011-09-23 15:39:35.000000000 +0200
-+++ openssl-1.0.1c/crypto/x509/x509_vfy.c 2012-07-13 22:14:13.937134124 +0200
-@@ -481,7 +481,7 @@ static int check_chain_extensions(X509_S
++++ openssl-1.0.1c/crypto/x509/x509_vfy.c 2012-09-10 20:20:55.951675283 +0200
+@@ -56,6 +56,8 @@
+ * [including the GNU Public Licence.]
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <stdio.h>
+ #include <time.h>
+ #include <errno.h>
+@@ -481,7 +483,7 @@ static int check_chain_extensions(X509_S
!!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
/* A hack to keep people who don't want to modify their
software happy */
- if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
-+ if (__secure_getenv("OPENSSL_ALLOW_PROXY_CERTS"))
++ if (secure_getenv("OPENSSL_ALLOW_PROXY_CERTS"))
allow_proxy_certs = 1;
purpose = ctx->param->purpose;
}
diff -up openssl-1.0.1c/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.1c/engines/ccgost/gost_ctl.c
--- openssl-1.0.1c/engines/ccgost/gost_ctl.c.secure-getenv 2008-03-16 22:05:44.000000000 +0100
-+++ openssl-1.0.1c/engines/ccgost/gost_ctl.c 2012-07-13 22:16:48.719610222 +0200
-@@ -65,7 +65,7 @@ const char *get_gost_engine_param(int pa
++++ openssl-1.0.1c/engines/ccgost/gost_ctl.c 2012-09-10 20:21:26.759373897 +0200
+@@ -6,6 +6,8 @@
+ * Implementation of control commands for GOST engine *
+ * OpenSSL 0.9.9 libraries required *
+ **********************************************************************/
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <stdlib.h>
+ #include <string.h>
+ #include <openssl/crypto.h>
+@@ -65,7 +67,7 @@ const char *get_gost_engine_param(int pa
{
return gost_params[param];
}
- tmp = getenv(gost_envnames[param]);
-+ tmp = __secure_getenv(gost_envnames[param]);
++ tmp = secure_getenv(gost_envnames[param]);
if (tmp)
{
if (gost_params[param]) OPENSSL_free(gost_params[param]);
-@@ -79,7 +79,7 @@ int gost_set_default_param(int param, co
+@@ -79,7 +81,7 @@ int gost_set_default_param(int param, co
{
const char *tmp;
if (param <0 || param >GOST_PARAM_MAX) return 0;
- tmp = getenv(gost_envnames[param]);
-+ tmp = __secure_getenv(gost_envnames[param]);
++ tmp = secure_getenv(gost_envnames[param]);
/* if there is value in the environment, use it, else -passed string * */
if (!tmp) tmp=value;
if (gost_params[param]) OPENSSL_free(gost_params[param]);
diff --git a/openssl.spec b/openssl.spec
index 8307ed4..5e74218 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -429,9 +429,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun libs -p /sbin/ldconfig
%changelog
-* Fri Sep 7 2012 Tomas Mraz <tmraz at redhat.com> 1.0.1c-7
+* Mon Sep 10 2012 Tomas Mraz <tmraz at redhat.com> 1.0.1c-7
- add missing initialization of str in aes_ccm_init_key (#853963)
- add important patches from upstream CVS
+- use the secure_getenv() with new glibc
* Fri Jul 20 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1:1.0.1c-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
More information about the scm-commits
mailing list