diff -up openssl-1.0.0k/crypto/conf/conf_api.c.secure-getenv openssl-1.0.0k/crypto/conf/conf_api.c --- openssl-1.0.0k/crypto/conf/conf_api.c.secure-getenv 2013-02-05 12:47:28.000000000 +0100 +++ openssl-1.0.0k/crypto/conf/conf_api.c 2013-02-19 21:25:56.623198152 +0100 @@ -142,7 +142,7 @@ char *_CONF_get_string(const CONF *conf, if (v != NULL) return(v->value); if (strcmp(section,"ENV") == 0) { - p=getenv(name); + p=__secure_getenv(name); if (p != NULL) return(p); } } @@ -155,7 +155,7 @@ char *_CONF_get_string(const CONF *conf, return(NULL); } else - return(getenv(name)); + return (__secure_getenv(name)); } #if 0 /* There's no way to provide error checking with this function, so diff -up openssl-1.0.0k/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.0k/crypto/conf/conf_mod.c --- openssl-1.0.0k/crypto/conf/conf_mod.c.secure-getenv 2013-02-05 12:47:28.000000000 +0100 +++ openssl-1.0.0k/crypto/conf/conf_mod.c 2013-02-19 21:25:56.624198172 +0100 @@ -548,8 +548,8 @@ char *CONF_get1_default_config_file(void char *file; int len; - file = getenv("OPENSSL_CONF"); - if (file) + file = __secure_getenv("OPENSSL_CONF"); + if (file) return BUF_strdup(file); len = strlen(X509_get_default_cert_area()); diff -up openssl-1.0.0k/crypto/engine/eng_list.c.secure-getenv openssl-1.0.0k/crypto/engine/eng_list.c --- openssl-1.0.0k/crypto/engine/eng_list.c.secure-getenv 2013-02-05 12:47:28.000000000 +0100 +++ openssl-1.0.0k/crypto/engine/eng_list.c 2013-02-19 21:25:56.625198193 +0100 @@ -399,9 +399,9 @@ ENGINE *ENGINE_by_id(const char *id) if (strcmp(id, "dynamic")) { #ifdef OPENSSL_SYS_VMS - if((load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = "SSLROOT:[ENGINES]"; + if(OPENSSL_issetugid() || (load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = "SSLROOT:[ENGINES]"; #else - if((load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = ENGINESDIR; + if((load_dir = __secure_getenv("OPENSSL_ENGINES")) == 0) load_dir = ENGINESDIR; #endif iterator = ENGINE_by_id("dynamic"); if(!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) || diff -up openssl-1.0.0k/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.0k/crypto/md5/md5_dgst.c --- openssl-1.0.0k/crypto/md5/md5_dgst.c.secure-getenv 2013-02-19 21:25:56.000000000 +0100 +++ openssl-1.0.0k/crypto/md5/md5_dgst.c 2013-02-19 21:27:02.814550574 +0100 @@ -78,7 +78,7 @@ const char MD5_version[]="MD5" OPENSSL_V int MD5_Init(MD5_CTX *c) #ifdef OPENSSL_FIPS { - if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL) + if (FIPS_mode() && __secure_getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL) FIPS_BAD_ALGORITHM(alg) return private_MD5_Init(c); } diff -up openssl-1.0.0k/crypto/o_init.c.secure-getenv openssl-1.0.0k/crypto/o_init.c --- openssl-1.0.0k/crypto/o_init.c.secure-getenv 2013-02-19 21:25:56.491195456 +0100 +++ openssl-1.0.0k/crypto/o_init.c 2013-02-19 21:25:56.628198256 +0100 @@ -75,7 +75,7 @@ static void init_fips_mode(void) char buf[2] = "0"; int fd; - if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) + if (__secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { buf[0] = '1'; } diff -up openssl-1.0.0k/crypto/rand/randfile.c.secure-getenv openssl-1.0.0k/crypto/rand/randfile.c --- openssl-1.0.0k/crypto/rand/randfile.c.secure-getenv 2013-02-05 12:58:46.000000000 +0100 +++ openssl-1.0.0k/crypto/rand/randfile.c 2013-02-19 21:25:56.630198296 +0100 @@ -275,8 +275,7 @@ const char *RAND_file_name(char *buf, si struct stat sb; #endif - if (OPENSSL_issetugid() == 0) - s=getenv("RANDFILE"); + s=__secure_getenv("RANDFILE"); if (s != NULL && *s && strlen(s) + 1 < size) { if (BUF_strlcpy(buf,s,size) >= size) @@ -284,8 +283,7 @@ const char *RAND_file_name(char *buf, si } else { - if (OPENSSL_issetugid() == 0) - s=getenv("HOME"); + s=__secure_getenv("HOME"); #ifdef DEFAULT_HOME if (s == NULL) { diff -up openssl-1.0.0k/crypto/x509/by_dir.c.secure-getenv openssl-1.0.0k/crypto/x509/by_dir.c --- openssl-1.0.0k/crypto/x509/by_dir.c.secure-getenv 2013-02-05 12:47:29.000000000 +0100 +++ openssl-1.0.0k/crypto/x509/by_dir.c 2013-02-19 21:25:56.638198460 +0100 @@ -135,7 +135,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, in case X509_L_ADD_DIR: if (argl == X509_FILETYPE_DEFAULT) { - dir=(char *)getenv(X509_get_default_cert_dir_env()); + dir=(char *)__secure_getenv(X509_get_default_cert_dir_env()); if (dir) ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM); else diff -up openssl-1.0.0k/crypto/x509/by_file.c.secure-getenv openssl-1.0.0k/crypto/x509/by_file.c --- openssl-1.0.0k/crypto/x509/by_file.c.secure-getenv 2013-02-19 21:25:56.431194229 +0100 +++ openssl-1.0.0k/crypto/x509/by_file.c 2013-02-19 21:25:56.639198480 +0100 @@ -100,7 +100,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx case X509_L_FILE_LOAD: if (argl == X509_FILETYPE_DEFAULT) { - file = (char *)getenv(X509_get_default_cert_file_env()); + file = (char *)__secure_getenv(X509_get_default_cert_file_env()); if (file) ok = (X509_load_cert_crl_file(ctx,file, X509_FILETYPE_PEM) != 0); diff -up openssl-1.0.0k/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.0k/crypto/x509/x509_vfy.c --- openssl-1.0.0k/crypto/x509/x509_vfy.c.secure-getenv 2013-02-05 12:47:29.000000000 +0100 +++ openssl-1.0.0k/crypto/x509/x509_vfy.c 2013-02-19 21:25:56.642198540 +0100 @@ -481,7 +481,7 @@ static int check_chain_extensions(X509_S !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); /* A hack to keep people who don't want to modify their software happy */ - if (getenv("OPENSSL_ALLOW_PROXY_CERTS")) + if (__secure_getenv("OPENSSL_ALLOW_PROXY_CERTS")) allow_proxy_certs = 1; purpose = ctx->param->purpose; } diff -up openssl-1.0.0k/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.0k/engines/ccgost/gost_ctl.c --- openssl-1.0.0k/engines/ccgost/gost_ctl.c.secure-getenv 2013-02-05 12:47:29.000000000 +0100 +++ openssl-1.0.0k/engines/ccgost/gost_ctl.c 2013-02-19 21:25:56.643198560 +0100 @@ -65,7 +65,7 @@ const char *get_gost_engine_param(int pa { return gost_params[param]; } - tmp = getenv(gost_envnames[param]); + tmp = __secure_getenv(gost_envnames[param]); if (tmp) { if (gost_params[param]) OPENSSL_free(gost_params[param]); @@ -79,7 +79,7 @@ int gost_set_default_param(int param, co { const char *tmp; if (param <0 || param >GOST_PARAM_MAX) return 0; - tmp = getenv(gost_envnames[param]); + tmp = __secure_getenv(gost_envnames[param]); /* if there is value in the environment, use it, else -passed string * */ if (!tmp) tmp=value; if (gost_params[param]) OPENSSL_free(gost_params[param]);