47 files changed, 281 insertions, 46 deletions
diff --git a/usr.bin/openssl/apps.h b/usr.bin/openssl/apps.h index bb9fd0dd7ae..4813fa35df4 100644 --- a/usr.bin/openssl/apps.h +++ b/usr.bin/openssl/apps.h @@ -1,4 +1,4 @@ -/* $OpenBSD: apps.h,v 1.16 2015/09/13 12:41:01 bcook Exp $ */ +/* $OpenBSD: apps.h,v 1.17 2015/10/10 22:28:51 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -126,6 +126,9 @@ #include <openssl/ocsp.h> #endif +#include <unistd.h> +extern int single_execution; + extern CONF *config; extern char *default_config_file; extern BIO *bio_err; diff --git a/usr.bin/openssl/asn1pars.c b/usr.bin/openssl/asn1pars.c index da3bf761ce4..2ce9d1a3bad 100644 --- a/usr.bin/openssl/asn1pars.c +++ b/usr.bin/openssl/asn1pars.c @@ -1,4 +1,4 @@ -/* $OpenBSD: asn1pars.c,v 1.4 2015/08/19 18:25:31 deraadt Exp $ */ +/* $OpenBSD: asn1pars.c,v 1.5 2015/10/10 22:28:51 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -247,6 +247,11 @@ asn1parse_main(int argc, char **argv) BUF_MEM *buf = NULL; ASN1_TYPE *at = NULL; + if (single_execution) { + if (pledge("stdio rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + memset(&asn1pars_config, 0, sizeof(asn1pars_config)); asn1pars_config.informat = FORMAT_PEM; diff --git a/usr.bin/openssl/ca.c b/usr.bin/openssl/ca.c index e32abcdf211..0b246aeb154 100644 --- a/usr.bin/openssl/ca.c +++ b/usr.bin/openssl/ca.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ca.c,v 1.16 2015/09/21 13:31:26 bcook Exp $ */ +/* $OpenBSD: ca.c,v 1.17 2015/10/10 22:28:51 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -286,6 +286,11 @@ ca_main(int argc, char **argv) const char *errstr = NULL; DB_ATTR db_attr; + if (single_execution) { + if (pledge("stdio rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + conf = NULL; key = NULL; section = NULL; diff --git a/usr.bin/openssl/certhash.c b/usr.bin/openssl/certhash.c index 77e641cef5c..bd0ac54ecfc 100644 
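Review bot: A failed `pledge()` in the block added at the top of `asn1parse_main` is only reported with `perror("pledge")`, after which the command carries on with no restrictions in place, so the sandbox fails open. Treat the failure as fatal, for example `if (pledge("stdio rpath wpath cpath", NULL) == -1) { perror("pledge"); exit(1); }`, assuming `exit` is already declared in this file. The same report-and-continue pattern is repeated in every other `*_main` hunk of this commit (`ca_main` through `x509_main`), so the change applies to each of them, and a small shared helper would keep the copies from drifting apart. The function body continues outside the hunk.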
--- a/usr.bin/openssl/certhash.c +++ b/usr.bin/openssl/certhash.c @@ -649,6 +649,11 @@ certhash_main(int argc, char **argv) int argsused; int i, cwdfd, ret = 0; + if (single_execution) { + if (pledge("stdio rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + memset(&certhash_config, 0, sizeof(certhash_config)); if (options_parse(argc, argv, certhash_options, NULL, &argsused) != 0) { diff --git a/usr.bin/openssl/ciphers.c b/usr.bin/openssl/ciphers.c index 18b8d3e4d95..caa40854ea8 100644 --- a/usr.bin/openssl/ciphers.c +++ b/usr.bin/openssl/ciphers.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ciphers.c,v 1.6 2015/08/19 18:25:31 deraadt Exp $ */ +/* $OpenBSD: ciphers.c,v 1.7 2015/10/10 22:28:51 doug Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * @@ -81,6 +81,11 @@ ciphers_main(int argc, char **argv) int i, rv = 0; char *desc; + if (single_execution) { + if (pledge("stdio rpath", NULL) == -1) + perror("pledge"); + } + memset(&ciphers_config, 0, sizeof(ciphers_config)); if (options_parse(argc, argv, ciphers_options, &cipherlist, diff --git a/usr.bin/openssl/cms.c b/usr.bin/openssl/cms.c index fccac23db74..29429f53e08 100644 --- a/usr.bin/openssl/cms.c +++ b/usr.bin/openssl/cms.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cms.c,v 1.3 2015/09/11 14:30:23 bcook Exp $ */ +/* $OpenBSD: cms.c,v 1.4 2015/10/10 22:28:51 doug Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -135,6 +135,11 @@ cms_main(int argc, char **argv) X509_VERIFY_PARAM *vpm = NULL; + if (single_execution) { + if (pledge("stdio rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + args = argv + 1; ret = 1; diff --git a/usr.bin/openssl/crl.c b/usr.bin/openssl/crl.c index 4ab9e6c6152..47173ec5edd 100644 --- a/usr.bin/openssl/crl.c +++ b/usr.bin/openssl/crl.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: crl.c,v 1.7 2015/08/22 16:36:05 jsing Exp $ */ +/* $OpenBSD: crl.c,v 1.8 2015/10/10 22:28:51 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -230,6 +230,11 @@ crl_main(int argc, char **argv) const EVP_MD *digest; char *digest_name = NULL; + if (single_execution) { + if (pledge("stdio rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + if (bio_out == NULL) { if ((bio_out = BIO_new(BIO_s_file())) != NULL) { BIO_set_fp(bio_out, stdout, BIO_NOCLOSE); diff --git a/usr.bin/openssl/crl2p7.c b/usr.bin/openssl/crl2p7.c index 4df986d3250..3935bd18e05 100644 --- a/usr.bin/openssl/crl2p7.c +++ b/usr.bin/openssl/crl2p7.c @@ -1,4 +1,4 @@ -/* $OpenBSD: crl2p7.c,v 1.4 2015/08/22 16:36:05 jsing Exp $ */ +/* $OpenBSD: crl2p7.c,v 1.5 2015/10/10 22:28:51 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -169,6 +169,11 @@ crl2pkcs7_main(int argc, char **argv) STACK_OF(X509) *cert_stack = NULL; int ret = 1; + if (single_execution) { + if (pledge("stdio rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + memset(&crl2p7_config, 0, sizeof(crl2p7_config)); crl2p7_config.informat = FORMAT_PEM; diff --git a/usr.bin/openssl/dgst.c b/usr.bin/openssl/dgst.c index 94d98ac6a4c..b4632eefa35 100644 --- a/usr.bin/openssl/dgst.c +++ b/usr.bin/openssl/dgst.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dgst.c,v 1.6 2015/09/11 14:30:23 bcook Exp $ */ +/* $OpenBSD: dgst.c,v 1.7 2015/10/10 22:28:51 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -123,6 +123,11 @@ dgst_main(int argc, char **argv) char *mac_name = NULL; STACK_OF(OPENSSL_STRING) * sigopts = NULL, *macopts = NULL; + if (single_execution) { + if (pledge("stdio rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + if ((buf = malloc(BUFSIZE)) == NULL) { BIO_printf(bio_err, "out of memory\n"); goto end; 
diff --git a/usr.bin/openssl/dh.c b/usr.bin/openssl/dh.c index f4112e87c21..7e8d65d1f62 100644 --- a/usr.bin/openssl/dh.c +++ b/usr.bin/openssl/dh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dh.c,v 1.6 2015/09/11 14:30:23 bcook Exp $ */ +/* $OpenBSD: dh.c,v 1.7 2015/10/10 22:28:51 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -158,6 +158,11 @@ dh_main(int argc, char **argv) BIO *in = NULL, *out = NULL; int ret = 1; + if (single_execution) { + if (pledge("stdio rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + memset(&dh_config, 0, sizeof(dh_config)); dh_config.informat = FORMAT_PEM; diff --git a/usr.bin/openssl/dhparam.c b/usr.bin/openssl/dhparam.c index 158a07a5725..55b75663b31 100644 --- a/usr.bin/openssl/dhparam.c +++ b/usr.bin/openssl/dhparam.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dhparam.c,v 1.6 2015/09/11 14:30:23 bcook Exp $ */ +/* $OpenBSD: dhparam.c,v 1.7 2015/10/10 22:28:51 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -243,6 +243,11 @@ dhparam_main(int argc, char **argv) int ret = 1; int i; + if (single_execution) { + if (pledge("stdio rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + memset(&dhparam_config, 0, sizeof(dhparam_config)); dhparam_config.informat = FORMAT_PEM; diff --git a/usr.bin/openssl/dsa.c b/usr.bin/openssl/dsa.c index 813e163662c..2c4feea0d58 100644 --- a/usr.bin/openssl/dsa.c +++ b/usr.bin/openssl/dsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dsa.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */ +/* $OpenBSD: dsa.c,v 1.6 2015/10/10 22:28:51 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -240,6 +240,11 @@ dsa_main(int argc, char **argv) BIO *in = NULL, *out = NULL; char *passin = NULL, *passout = NULL; + if (single_execution) { + if (pledge("stdio rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + memset(&dsa_config, 0, sizeof(dsa_config)); dsa_config.pvk_encr = 2; 
diff --git a/usr.bin/openssl/dsaparam.c b/usr.bin/openssl/dsaparam.c index 0cdd5c1d51d..73249498fca 100644 --- a/usr.bin/openssl/dsaparam.c +++ b/usr.bin/openssl/dsaparam.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dsaparam.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */ +/* $OpenBSD: dsaparam.c,v 1.6 2015/10/10 22:28:51 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -168,6 +168,11 @@ dsaparam_main(int argc, char **argv) int numbits = -1; char *strbits = NULL; + if (single_execution) { + if (pledge("stdio rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + memset(&dsaparam_config, 0, sizeof(dsaparam_config)); dsaparam_config.informat = FORMAT_PEM; diff --git a/usr.bin/openssl/ec.c b/usr.bin/openssl/ec.c index d5fe68f0d84..b4e2fe1daac 100644 --- a/usr.bin/openssl/ec.c +++ b/usr.bin/openssl/ec.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */ +/* $OpenBSD: ec.c,v 1.6 2015/10/10 22:28:51 doug Exp $ */ /* * Written by Nils Larsch for the OpenSSL project. */ @@ -277,6 +277,11 @@ ec_main(int argc, char **argv) BIO *in = NULL, *out = NULL; char *passin = NULL, *passout = NULL; + if (single_execution) { + if (pledge("stdio rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + memset(&ec_config, 0, sizeof(ec_config)); ec_config.asn1_flag = OPENSSL_EC_NAMED_CURVE; diff --git a/usr.bin/openssl/ecparam.c b/usr.bin/openssl/ecparam.c index 6adac863d5c..bd0c5b8cc0c 100644 --- a/usr.bin/openssl/ecparam.c +++ b/usr.bin/openssl/ecparam.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ecparam.c,v 1.13 2015/09/11 14:30:23 bcook Exp $ */ +/* $OpenBSD: ecparam.c,v 1.14 2015/10/10 22:28:51 doug Exp $ */ /* * Written by Nils Larsch for the OpenSSL project. */ 
@@ -259,6 +259,11 @@ ecparam_main(int argc, char **argv) BIO *in = NULL, *out = NULL; int i, ret = 1; + if (single_execution) { + if (pledge("stdio rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + memset(&ecparam_config, 0, sizeof(ecparam_config)); ecparam_config.asn1_flag = OPENSSL_EC_NAMED_CURVE; ecparam_config.form = POINT_CONVERSION_UNCOMPRESSED; diff --git a/usr.bin/openssl/enc.c b/usr.bin/openssl/enc.c index 6eb804fd49c..d7103823d3e 100644 --- a/usr.bin/openssl/enc.c +++ b/usr.bin/openssl/enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: enc.c,v 1.7 2015/09/11 14:30:23 bcook Exp $ */ +/* $OpenBSD: enc.c,v 1.8 2015/10/10 22:28:51 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -338,6 +338,11 @@ enc_main(int argc, char **argv) char pname[PROG_NAME_SIZE + 1]; int i; + if (single_execution) { + if (pledge("stdio rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + memset(&enc_config, 0, sizeof(enc_config)); enc_config.enc = 1; diff --git a/usr.bin/openssl/errstr.c b/usr.bin/openssl/errstr.c index 9cf7bfba4b7..7bd97d99b04 100644 --- a/usr.bin/openssl/errstr.c +++ b/usr.bin/openssl/errstr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: errstr.c,v 1.4 2015/08/22 16:36:05 jsing Exp $ */ +/* $OpenBSD: errstr.c,v 1.5 2015/10/10 22:28:51 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -98,6 +98,11 @@ errstr_main(int argc, char **argv) char buf[256]; int ret = 0; + if (single_execution) { + if (pledge("stdio rpath", NULL) == -1) + perror("pledge"); + } + memset(&errstr_config, 0, sizeof(errstr_config)); if (options_parse(argc, argv, errstr_options, NULL, &argsused) != 0) { diff --git a/usr.bin/openssl/gendh.c b/usr.bin/openssl/gendh.c index 208906e24c2..ceea237be13 100644 --- a/usr.bin/openssl/gendh.c +++ b/usr.bin/openssl/gendh.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: gendh.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */ +/* $OpenBSD: gendh.c,v 1.6 2015/10/10 22:28:51 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -134,6 +134,11 @@ gendh_main(int argc, char **argv) BIO *out = NULL; char *strbits = NULL; + if (single_execution) { + if (pledge("stdio rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + BN_GENCB_set(&cb, dh_cb, bio_err); memset(&gendh_config, 0, sizeof(gendh_config)); diff --git a/usr.bin/openssl/gendsa.c b/usr.bin/openssl/gendsa.c index ee2d6ba1b63..002380a1b9d 100644 --- a/usr.bin/openssl/gendsa.c +++ b/usr.bin/openssl/gendsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gendsa.c,v 1.4 2015/09/11 14:30:23 bcook Exp $ */ +/* $OpenBSD: gendsa.c,v 1.5 2015/10/10 22:28:51 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -85,6 +85,11 @@ gendsa_main(int argc, char **argv) BIO *out = NULL, *in = NULL; const EVP_CIPHER *enc = NULL; + if (single_execution) { + if (pledge("stdio rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + argv++; argc--; for (;;) { diff --git a/usr.bin/openssl/genpkey.c b/usr.bin/openssl/genpkey.c index d76e2febd89..4d11bc3c338 100644 --- a/usr.bin/openssl/genpkey.c +++ b/usr.bin/openssl/genpkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: genpkey.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */ +/* $OpenBSD: genpkey.c,v 1.6 2015/10/10 22:28:51 doug Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006 */ @@ -86,6 +86,11 @@ genpkey_main(int argc, char **argv) int do_param = 0; + if (single_execution) { + if (pledge("stdio rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + outformat = FORMAT_PEM; args = argv + 1; diff --git a/usr.bin/openssl/genrsa.c b/usr.bin/openssl/genrsa.c index 9f78f0d65d8..1ca8713ed28 100644 --- a/usr.bin/openssl/genrsa.c +++ b/usr.bin/openssl/genrsa.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: genrsa.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */ +/* $OpenBSD: genrsa.c,v 1.6 2015/10/10 22:28:51 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -100,6 +100,11 @@ genrsa_main(int argc, char **argv) BIGNUM *bn = BN_new(); RSA *rsa = NULL; + if (single_execution) { + if (pledge("stdio rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + if (!bn) goto err; diff --git a/usr.bin/openssl/nseq.c b/usr.bin/openssl/nseq.c index b73f512aeef..15df3ffd40b 100644 --- a/usr.bin/openssl/nseq.c +++ b/usr.bin/openssl/nseq.c @@ -1,4 +1,4 @@ -/* $OpenBSD: nseq.c,v 1.4 2015/08/22 16:36:05 jsing Exp $ */ +/* $OpenBSD: nseq.c,v 1.5 2015/10/10 22:28:51 doug Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -109,6 +109,11 @@ nseq_main(int argc, char **argv) NETSCAPE_CERT_SEQUENCE *seq = NULL; int i, ret = 1; + if (single_execution) { + if (pledge("stdio rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + memset(&nseq_config, 0, sizeof(nseq_config)); if (options_parse(argc, argv, nseq_options, NULL, NULL) != 0) { diff --git a/usr.bin/openssl/ocsp.c b/usr.bin/openssl/ocsp.c index 3a6ac36b1ed..c3b1b168ba7 100644 --- a/usr.bin/openssl/ocsp.c +++ b/usr.bin/openssl/ocsp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ocsp.c,v 1.5 2015/10/03 03:39:19 deraadt Exp $ */ +/* $OpenBSD: ocsp.c,v 1.6 2015/10/10 22:28:51 doug Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -146,6 +146,11 @@ ocsp_main(int argc, char **argv) const EVP_MD *cert_id_md = NULL; const char *errstr = NULL; + if (single_execution) { + if (pledge("stdio inet rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + args = argv + 1; reqnames = sk_OPENSSL_STRING_new_null(); ids = sk_OCSP_CERTID_new_null(); diff --git a/usr.bin/openssl/openssl.c b/usr.bin/openssl/openssl.c index 9db7e5b4eb1..e842d6cc65d 100644 --- a/usr.bin/openssl/openssl.c 
+++ b/usr.bin/openssl/openssl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: openssl.c,v 1.16 2015/10/10 20:18:30 deraadt Exp $ */ +/* $OpenBSD: openssl.c,v 1.17 2015/10/10 22:28:51 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -137,6 +137,8 @@ #define FUNC_TYPE_MD_ALG 5 #define FUNC_TYPE_CIPHER_ALG 6 +int single_execution = 0; + typedef struct { int type; const char *name; @@ -499,6 +501,8 @@ main(int argc, char **argv) fp = lh_FUNCTION_retrieve(prog, &f); if (fp != NULL) { argv[0] = pname; + + single_execution = 1; ret = fp->func(argc, argv); goto end; } @@ -509,6 +513,8 @@ main(int argc, char **argv) if (argc != 1) { argc--; argv++; + + single_execution = 1; ret = do_cmd(prog, argc, argv); if (ret < 0) ret = 0; diff --git a/usr.bin/openssl/passwd.c b/usr.bin/openssl/passwd.c index b6285649e75..58fc5ecb4b4 100644 --- a/usr.bin/openssl/passwd.c +++ b/usr.bin/openssl/passwd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: passwd.c,v 1.4 2015/08/22 16:36:05 jsing Exp $ */ +/* $OpenBSD: passwd.c,v 1.5 2015/10/10 22:28:51 doug Exp $ */ #if defined OPENSSL_NO_MD5 #define NO_MD5CRYPT_1 @@ -145,6 +145,11 @@ passwd_main(int argc, char **argv) int argsused; int ret = 1; + if (single_execution) { + if (pledge("stdio rpath", NULL) == -1) + perror("pledge"); + } + memset(&passwd_config, 0, sizeof(passwd_config)); if (options_parse(argc, argv, passwd_options, NULL, &argsused) != 0) { diff --git a/usr.bin/openssl/pkcs12.c b/usr.bin/openssl/pkcs12.c index eaa7bcceac9..f8d8cc6115c 100644 --- a/usr.bin/openssl/pkcs12.c +++ b/usr.bin/openssl/pkcs12.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pkcs12.c,v 1.4 2015/09/11 14:30:23 bcook Exp $ */ +/* $OpenBSD: pkcs12.c,v 1.5 2015/10/10 22:28:51 doug Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ 
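Review bot: `single_execution` is set to 1 only on the two dispatch paths shown here (`fp->func(argc, argv)` and `do_cmd(prog, argc, argv)`), so a command started any other way, presumably from the interactive prompt, leaves it 0 and skips every `pledge()` call this commit adds. That is probably deliberate, since pledge promises can only be reduced and one command's set would break the next, but nothing in the code says so. Add a comment at the definition, e.g. `/* Nonzero when exactly one command runs; the per-command pledge() calls depend on it. */`, and state there whether the interactive path is confined by some other pledge in `main`, whose body lies outside these hunks.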
@@ -124,6 +124,11 @@ pkcs12_main(int argc, char **argv) char *macalg = NULL; char *CApath = NULL, *CAfile = NULL; + if (single_execution) { + if (pledge("stdio rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; enc = EVP_des_ede3_cbc(); diff --git a/usr.bin/openssl/pkcs7.c b/usr.bin/openssl/pkcs7.c index 717928d27b0..c29a9c8df27 100644 --- a/usr.bin/openssl/pkcs7.c +++ b/usr.bin/openssl/pkcs7.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pkcs7.c,v 1.6 2015/09/11 14:30:23 bcook Exp $ */ +/* $OpenBSD: pkcs7.c,v 1.7 2015/10/10 22:28:51 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -154,6 +154,11 @@ pkcs7_main(int argc, char **argv) int ret = 1; int i; + if (single_execution) { + if (pledge("stdio rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + memset(&pkcs7_config, 0, sizeof(pkcs7_config)); pkcs7_config.informat = FORMAT_PEM; diff --git a/usr.bin/openssl/pkcs8.c b/usr.bin/openssl/pkcs8.c index b3ccd1966ef..4ac2af012ae 100644 --- a/usr.bin/openssl/pkcs8.c +++ b/usr.bin/openssl/pkcs8.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pkcs8.c,v 1.6 2015/09/11 14:30:23 bcook Exp $ */ +/* $OpenBSD: pkcs8.c,v 1.7 2015/10/10 22:28:51 doug Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999-2004. */ @@ -226,6 +226,11 @@ pkcs8_main(int argc, char **argv) char pass[50], *passin = NULL, *passout = NULL, *p8pass = NULL; int ret = 1; + if (single_execution) { + if (pledge("stdio rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + memset(&pkcs8_config, 0, sizeof(pkcs8_config)); pkcs8_config.iter = PKCS12_DEFAULT_ITER; diff --git a/usr.bin/openssl/pkey.c b/usr.bin/openssl/pkey.c index 72c03181f68..d1ddf5a9299 100644 --- a/usr.bin/openssl/pkey.c +++ b/usr.bin/openssl/pkey.c 
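Review bot: The promise string in `pkcs8_main` is `"stdio rpath wpath cpath"`, yet the locals in this hunk (`pass[50]`, `passin`, `passout`, `p8pass`) suggest the command can prompt for a passphrase on the terminal. Turning terminal echo off normally needs the `tty` promise, and a pledge violation kills the process instead of returning an error, so confirm that the prompt path still works under this set and add `tty` if it does not. The prompt code is outside the hunk, so this is inferred. The same check applies to the other commands in this commit whose hunks show `passin`/`passout` (`dsa_main`, `ec_main`, `rsa_main`).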
@@ -1,4 +1,4 @@ -/* $OpenBSD: pkey.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */ +/* $OpenBSD: pkey.c,v 1.6 2015/10/10 22:28:51 doug Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006 */ @@ -79,6 +79,11 @@ pkey_main(int argc, char **argv) int badarg = 0; int ret = 1; + if (single_execution) { + if (pledge("stdio rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + informat = FORMAT_PEM; outformat = FORMAT_PEM; diff --git a/usr.bin/openssl/pkeyparam.c b/usr.bin/openssl/pkeyparam.c index 8f4d3a53f42..cb40fbb3ed6 100644 --- a/usr.bin/openssl/pkeyparam.c +++ b/usr.bin/openssl/pkeyparam.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pkeyparam.c,v 1.7 2015/09/11 14:30:23 bcook Exp $ */ +/* $OpenBSD: pkeyparam.c,v 1.8 2015/10/10 22:28:51 doug Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006 */ @@ -118,6 +118,11 @@ pkeyparam_main(int argc, char **argv) EVP_PKEY *pkey = NULL; int ret = 1; + if (single_execution) { + if (pledge("stdio rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + memset(&pkeyparam_config, 0, sizeof(pkeyparam_config)); if (options_parse(argc, argv, pkeyparam_options, NULL, NULL) != 0) { diff --git a/usr.bin/openssl/pkeyutl.c b/usr.bin/openssl/pkeyutl.c index 2caa61e282c..64d1f90f507 100644 --- a/usr.bin/openssl/pkeyutl.c +++ b/usr.bin/openssl/pkeyutl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pkeyutl.c,v 1.7 2015/09/11 14:30:23 bcook Exp $ */ +/* $OpenBSD: pkeyutl.c,v 1.8 2015/10/10 22:28:51 doug Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -100,6 +100,11 @@ pkeyutl_main(int argc, char **argv) int ret = 1, rv = -1; + if (single_execution) { + if (pledge("stdio rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + argc--; argv++; diff --git a/usr.bin/openssl/prime.c b/usr.bin/openssl/prime.c index 55fac455e9b..13398b01b04 100644 --- a/usr.bin/openssl/prime.c +++ b/usr.bin/openssl/prime.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: prime.c,v 1.8 2015/09/12 15:04:06 lteo Exp $ */ +/* $OpenBSD: prime.c,v 1.9 2015/10/10 22:28:51 doug Exp $ */ /* ==================================================================== * Copyright (c) 2004 The OpenSSL Project. All rights reserved. * @@ -118,6 +118,11 @@ prime_main(int argc, char **argv) char *s; int ret = 1; + if (single_execution) { + if (pledge("stdio rpath", NULL) == -1) + perror("pledge"); + } + memset(&prime_config, 0, sizeof(prime_config)); /* Default iterations for Miller-Rabin probabilistic primality test. */ diff --git a/usr.bin/openssl/rand.c b/usr.bin/openssl/rand.c index b0df4eb1b53..2377c6e72be 100644 --- a/usr.bin/openssl/rand.c +++ b/usr.bin/openssl/rand.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rand.c,v 1.8 2015/09/11 14:30:23 bcook Exp $ */ +/* $OpenBSD: rand.c,v 1.9 2015/10/10 22:28:51 doug Exp $ */ /* ==================================================================== * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. * @@ -109,6 +109,11 @@ rand_main(int argc, char **argv) int i, r; BIO *out = NULL; + if (single_execution) { + if (pledge("stdio rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + memset(&rand_config, 0, sizeof(rand_config)); if (options_parse(argc, argv, rand_options, &num_bytes, NULL) != 0) { diff --git a/usr.bin/openssl/req.c b/usr.bin/openssl/req.c index c7256ae59a4..032944b233f 100644 --- a/usr.bin/openssl/req.c +++ b/usr.bin/openssl/req.c @@ -1,4 +1,4 @@ -/* $OpenBSD: req.c,v 1.9 2015/09/14 01:45:03 doug Exp $ */ +/* $OpenBSD: req.c,v 1.10 2015/10/10 22:28:51 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -176,6 +176,11 @@ req_main(int argc, char **argv) const EVP_MD *md_alg = NULL, *digest = NULL; unsigned long chtype = MBSTRING_ASC; + if (single_execution) { + if (pledge("stdio rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + req_conf = NULL; cipher = EVP_aes_256_cbc(); digest = EVP_sha256(); 
diff --git a/usr.bin/openssl/rsa.c b/usr.bin/openssl/rsa.c index 708332a8d11..a5737605fea 100644 --- a/usr.bin/openssl/rsa.c +++ b/usr.bin/openssl/rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */ +/* $OpenBSD: rsa.c,v 1.6 2015/10/10 22:28:51 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -268,6 +268,11 @@ rsa_main(int argc, char **argv) BIO *out = NULL; char *passin = NULL, *passout = NULL; + if (single_execution) { + if (pledge("stdio rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + memset(&rsa_config, 0, sizeof(rsa_config)); rsa_config.pvk_encr = 2; rsa_config.informat = FORMAT_PEM; diff --git a/usr.bin/openssl/rsautl.c b/usr.bin/openssl/rsautl.c index 2e9793297bd..92dceff8a17 100644 --- a/usr.bin/openssl/rsautl.c +++ b/usr.bin/openssl/rsautl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsautl.c,v 1.7 2015/09/11 14:30:23 bcook Exp $ */ +/* $OpenBSD: rsautl.c,v 1.8 2015/10/10 22:28:51 doug Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -98,6 +98,11 @@ rsautl_main(int argc, char **argv) int ret = 1; + if (single_execution) { + if (pledge("stdio rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + argc--; argv++; diff --git a/usr.bin/openssl/s_client.c b/usr.bin/openssl/s_client.c index 6d250f177f0..63f30389c4b 100644 --- a/usr.bin/openssl/s_client.c +++ b/usr.bin/openssl/s_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s_client.c,v 1.20 2015/10/06 03:29:49 deraadt Exp $ */ +/* $OpenBSD: s_client.c,v 1.21 2015/10/10 22:28:51 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -364,6 +364,11 @@ s_client_main(int argc, char **argv) int enable_timeouts = 0; long socket_mtu = 0; + if (single_execution) { + if (pledge("stdio inet rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + meth = SSLv23_client_method(); c_Pause = 0; 
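Review bot: `s_client_main` keeps `wpath` and `cpath` for its whole run because the pledge is made before any option is parsed, so the code that handles data from the remote server still holds the right to create and write files. If every output file can be opened before the connection is made, a second call such as `pledge("stdio inet", NULL)` after that point would shrink what a parsing bug can reach; promises can be dropped later but never regained. Whether s_client writes files after the handshake is not visible in this hunk, so check that first. `ocsp_main` uses the same `"stdio inet rpath wpath cpath"` set and deserves the same look.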
diff --git a/usr.bin/openssl/s_server.c b/usr.bin/openssl/s_server.c index 11e98141351..198508398b3 100644 --- a/usr.bin/openssl/s_server.c +++ b/usr.bin/openssl/s_server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s_server.c,v 1.19 2015/10/06 03:29:49 deraadt Exp $ */ +/* $OpenBSD: s_server.c,v 1.20 2015/10/10 22:28:51 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -603,6 +603,12 @@ s_server_main(int argc, char *argv[]) tlsextnextprotoctx next_proto = { NULL, 0 }; const char *alpn_in = NULL; tlsextalpnctx alpn_ctx = { NULL, 0 }; + + if (single_execution) { + if (pledge("stdio inet rpath", NULL) == -1) + perror("pledge"); + } + meth = SSLv23_server_method(); local_argc = argc; diff --git a/usr.bin/openssl/s_time.c b/usr.bin/openssl/s_time.c index c102726b7e2..417ff81f3fd 100644 --- a/usr.bin/openssl/s_time.c +++ b/usr.bin/openssl/s_time.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s_time.c,v 1.12 2015/09/11 14:43:57 lteo Exp $ */ +/* $OpenBSD: s_time.c,v 1.13 2015/10/10 22:28:51 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -258,6 +258,11 @@ s_time_main(int argc, char **argv) char buf[1024 * 8]; int ver; + if (single_execution) { + if (pledge("stdio inet rpath", NULL) == -1) + perror("pledge"); + } + s_time_meth = SSLv23_client_method(); verify_depth = 0; diff --git a/usr.bin/openssl/sess_id.c b/usr.bin/openssl/sess_id.c index d7f33395097..7bf14adbea2 100644 --- a/usr.bin/openssl/sess_id.c +++ b/usr.bin/openssl/sess_id.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sess_id.c,v 1.5 2015/08/19 18:25:31 deraadt Exp $ */ +/* $OpenBSD: sess_id.c,v 1.6 2015/10/10 22:28:51 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -158,6 +158,11 @@ sess_id_main(int argc, char **argv) int ret = 1, i; BIO *out = NULL; + if (single_execution) { + if (pledge("stdio rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + memset(&sess_id_config, 0, sizeof(sess_id_config)); sess_id_config.informat = FORMAT_PEM; diff --git a/usr.bin/openssl/smime.c b/usr.bin/openssl/smime.c index d9813351798..fee7c71e761 100644 --- a/usr.bin/openssl/smime.c +++ b/usr.bin/openssl/smime.c @@ -1,4 +1,4 @@ -/* $OpenBSD: smime.c,v 1.4 2015/09/11 14:30:23 bcook Exp $ */ +/* $OpenBSD: smime.c,v 1.5 2015/10/10 22:28:51 doug Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -112,6 +112,11 @@ smime_main(int argc, char **argv) X509_VERIFY_PARAM *vpm = NULL; + if (single_execution) { + if (pledge("stdio rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + args = argv + 1; ret = 1; diff --git a/usr.bin/openssl/speed.c b/usr.bin/openssl/speed.c index 1657a43c029..cc555afe8ce 100644 --- a/usr.bin/openssl/speed.c +++ b/usr.bin/openssl/speed.c @@ -1,4 +1,4 @@ -/* $OpenBSD: speed.c,v 1.16 2015/09/20 13:39:13 miod Exp $ */ +/* $OpenBSD: speed.c,v 1.17 2015/10/10 22:28:51 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -469,6 +469,11 @@ speed_main(int argc, char **argv) int multi = 0; const char *errstr = NULL; + if (single_execution) { + if (pledge("stdio proc", NULL) == -1) + perror("pledge"); + } + usertime = -1; memset(results, 0, sizeof(results)); diff --git a/usr.bin/openssl/spkac.c b/usr.bin/openssl/spkac.c index b635b5e3b28..1c8b7073d8e 100644 --- a/usr.bin/openssl/spkac.c +++ b/usr.bin/openssl/spkac.c @@ -1,4 +1,4 @@ -/* $OpenBSD: spkac.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */ +/* $OpenBSD: spkac.c,v 1.6 2015/10/10 22:28:51 doug Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. Based on an original idea by Massimiliano Pala * (madwolf@openca.org). 
@@ -181,6 +181,11 @@ spkac_main(int argc, char **argv) NETSCAPE_SPKI *spki = NULL; EVP_PKEY *pkey = NULL; + if (single_execution) { + if (pledge("stdio rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + memset(&spkac_config, 0, sizeof(spkac_config)); spkac_config.spkac = "SPKAC"; spkac_config.spksect = "default"; diff --git a/usr.bin/openssl/ts.c b/usr.bin/openssl/ts.c index 93d258d583e..04ff60ae485 100644 --- a/usr.bin/openssl/ts.c +++ b/usr.bin/openssl/ts.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ts.c,v 1.10 2015/09/21 13:13:06 bcook Exp $ */ +/* $OpenBSD: ts.c,v 1.11 2015/10/10 22:28:51 doug Exp $ */ /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL * project 2002. */ @@ -149,6 +149,11 @@ ts_main(int argc, char **argv) /* Output is ContentInfo instead of TimeStampResp. */ int token_out = 0; + if (single_execution) { + if (pledge("stdio rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + for (argc--, argv++; argc > 0; argc--, argv++) { if (strcmp(*argv, "-config") == 0) { if (argc-- < 1) diff --git a/usr.bin/openssl/verify.c b/usr.bin/openssl/verify.c index 62ca63f01b1..4975ad5b6e1 100644 --- a/usr.bin/openssl/verify.c +++ b/usr.bin/openssl/verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: verify.c,v 1.4 2015/09/11 14:30:23 bcook Exp $ */ +/* $OpenBSD: verify.c,v 1.5 2015/10/10 22:28:51 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -85,6 +85,11 @@ verify_main(int argc, char **argv) X509_LOOKUP *lookup = NULL; X509_VERIFY_PARAM *vpm = NULL; + if (single_execution) { + if (pledge("stdio rpath", NULL) == -1) + perror("pledge"); + } + cert_ctx = X509_STORE_new(); if (cert_ctx == NULL) goto end; diff --git a/usr.bin/openssl/version.c b/usr.bin/openssl/version.c index f47369df9d8..e096f899699 100644 --- a/usr.bin/openssl/version.c +++ b/usr.bin/openssl/version.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: version.c,v 1.6 2015/08/22 16:36:05 jsing Exp $ */ +/* $OpenBSD: version.c,v 1.7 2015/10/10 22:28:51 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -213,6 +213,11 @@ version_usage(void) int version_main(int argc, char **argv) { + if (single_execution) { + if (pledge("stdio", NULL) == -1) + perror("pledge"); + } + memset(&version_config, 0, sizeof(version_config)); if (options_parse(argc, argv, version_options, NULL, NULL) != 0) { diff --git a/usr.bin/openssl/x509.c b/usr.bin/openssl/x509.c index ec592c29d7b..07c28789d3f 100644 --- a/usr.bin/openssl/x509.c +++ b/usr.bin/openssl/x509.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509.c,v 1.9 2015/10/01 06:31:21 jsing Exp $ */ +/* $OpenBSD: x509.c,v 1.10 2015/10/10 22:28:51 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -198,6 +198,11 @@ x509_main(int argc, char **argv) unsigned long nmflag = 0, certflag = 0; const char *errstr = NULL; + if (single_execution) { + if (pledge("stdio rpath wpath cpath", NULL) == -1) + perror("pledge"); + } + reqfile = 0; STDout = BIO_new_fp(stdout, BIO_NOCLOSE); |