c2e315
diff -up openssl-1.0.1c/crypto/conf/conf_api.c.secure-getenv openssl-1.0.1c/crypto/conf/conf_api.c
c2e315
--- openssl-1.0.1c/crypto/conf/conf_api.c.secure-getenv	2011-09-02 13:20:32.000000000 +0200
af044b
+++ openssl-1.0.1c/crypto/conf/conf_api.c	2012-07-13 22:10:23.065949230 +0200
af044b
@@ -142,7 +142,7 @@ char *_CONF_get_string(const CONF *conf,
c2e315
 			if (v != NULL) return(v->value);
af044b
 			if (strcmp(section,"ENV") == 0)
c2e315
 				{
af044b
-				p=getenv(name);
af044b
+				p=__secure_getenv(name);
c2e315
 				if (p != NULL) return(p);
af044b
 				}
af044b
 			}
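Review bot: No declaration of `__secure_getenv` is visible in this hunk or in any other hunk of the patch, and the name is a glibc-internal one that `<stdlib.h>` exposes only when `_GNU_SOURCE` is defined. If a file compiles without that prototype, `p=__secure_getenv(name);` is implicitly declared as returning `int` and the pointer can be truncated on LP64 targets; on a libc that lacks the symbol it will not link. Please confirm each touched file sees the prototype, and consider routing all of these call sites through one helper whose portable fallback is `p = OPENSSL_issetugid() ? NULL : getenv(name);`. Newer glibc releases export the function as `secure_getenv`, so a single helper also gives one place to switch names. `_CONF_get_string` starts and ends outside the hunk.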
c2e315
@@ -155,7 +155,7 @@ char *_CONF_get_string(const CONF *conf,
c2e315
 			return(NULL);
c2e315
 		}
c2e315
 	else
c2e315
-		return(getenv(name));
af044b
+		return (__secure_getenv(name));
c2e315
 	}
c2e315
 
c2e315
 #if 0 /* There's no way to provide error checking with this function, so
c2e315
diff -up openssl-1.0.1c/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.1c/crypto/conf/conf_mod.c
c2e315
--- openssl-1.0.1c/crypto/conf/conf_mod.c.secure-getenv	2008-11-05 19:38:55.000000000 +0100
af044b
+++ openssl-1.0.1c/crypto/conf/conf_mod.c	2012-07-13 22:18:31.937928293 +0200
c2e315
@@ -548,8 +548,8 @@ char *CONF_get1_default_config_file(void
c2e315
 	char *file;
c2e315
 	int len;
c2e315
 
c2e315
-	file = getenv("OPENSSL_CONF");
c2e315
-	if (file) 
af044b
+	file = __secure_getenv("OPENSSL_CONF");
af044b
+	if (file)
c2e315
 		return BUF_strdup(file);
c2e315
 
c2e315
 	len = strlen(X509_get_default_cert_area());
c2e315
diff -up openssl-1.0.1c/crypto/engine/eng_list.c.secure-getenv openssl-1.0.1c/crypto/engine/eng_list.c
c2e315
--- openssl-1.0.1c/crypto/engine/eng_list.c.secure-getenv	2010-03-27 19:28:13.000000000 +0100
af044b
+++ openssl-1.0.1c/crypto/engine/eng_list.c	2012-07-13 22:13:14.736804605 +0200
c2e315
@@ -399,9 +399,9 @@ ENGINE *ENGINE_by_id(const char *id)
c2e315
 	if (strcmp(id, "dynamic"))
c2e315
 		{
c2e315
 #ifdef OPENSSL_SYS_VMS
c2e315
-		if((load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = "SSLROOT:[ENGINES]";
c2e315
+		if(OPENSSL_issetugid() || (load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = "SSLROOT:[ENGINES]";
c2e315
 #else
c2e315
-		if((load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = ENGINESDIR;
af044b
+		if((load_dir = __secure_getenv("OPENSSL_ENGINES")) == 0) load_dir = ENGINESDIR;
c2e315
 #endif
c2e315
 		iterator = ENGINE_by_id("dynamic");
c2e315
 		if(!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) ||
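Review bot: The two branches now apply different privilege tests to `OPENSSL_ENGINES`, `OPENSSL_issetugid()` on VMS and glibc's secure-execution check elsewhere, and nothing in the code says why the variable is filtered at all. `load_dir` presumably becomes the directory the dynamic engine loads modules from (that use is outside the hunk), which makes this the most sensitive lookup in the patch. I would add a comment above the `#ifdef`, for example `/* OPENSSL_ENGINES is ignored for setuid/setgid processes: it chooses where engine modules are loaded from. */`. `ENGINE_by_id` starts and ends outside the hunk.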
c2e315
diff -up openssl-1.0.1c/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.1c/crypto/md5/md5_dgst.c
af044b
--- openssl-1.0.1c/crypto/md5/md5_dgst.c.secure-getenv	2012-07-13 13:38:36.321985875 +0200
af044b
+++ openssl-1.0.1c/crypto/md5/md5_dgst.c	2012-07-13 22:11:01.320808356 +0200
c2e315
@@ -74,7 +74,7 @@ const char MD5_version[]="MD5" OPENSSL_V
c2e315
 int MD5_Init(MD5_CTX *c)
c2e315
 #ifdef OPENSSL_FIPS
c2e315
 	{
c2e315
-	if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
af044b
+	if (FIPS_mode() && __secure_getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
c2e315
 		OpenSSLDie(__FILE__, __LINE__, \
c2e315
                 "Digest MD5 forbidden in FIPS mode!");
c2e315
 	return private_MD5_Init(c);
c2e315
diff -up openssl-1.0.1c/crypto/o_init.c.secure-getenv openssl-1.0.1c/crypto/o_init.c
af044b
--- openssl-1.0.1c/crypto/o_init.c.secure-getenv	2012-07-13 13:38:36.307985551 +0200
af044b
+++ openssl-1.0.1c/crypto/o_init.c	2012-07-13 22:07:15.482736498 +0200
c2e315
@@ -71,7 +71,7 @@ static void init_fips_mode(void)
c2e315
 	char buf[2] = "0";
c2e315
 	int fd;
c2e315
 	
c2e315
-	if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
af044b
+	if (__secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
c2e315
 		{
c2e315
 		buf[0] = '1';
c2e315
 		}
af044b
diff -up openssl-1.0.1c/crypto/rand/randfile.c.secure-getenv openssl-1.0.1c/crypto/rand/randfile.c
af044b
--- openssl-1.0.1c/crypto/rand/randfile.c.secure-getenv	2012-01-15 14:40:21.000000000 +0100
af044b
+++ openssl-1.0.1c/crypto/rand/randfile.c	2012-07-13 22:11:40.529688907 +0200
af044b
@@ -275,8 +275,7 @@ const char *RAND_file_name(char *buf, si
af044b
 	struct stat sb;
af044b
 #endif
c2e315
 
af044b
-	if (OPENSSL_issetugid() == 0)
af044b
-		s=getenv("RANDFILE");
af044b
+	s=__secure_getenv("RANDFILE");
af044b
 	if (s != NULL && *s && strlen(s) + 1 < size)
af044b
 		{
af044b
 		if (BUF_strlcpy(buf,s,size) >= size)
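Review bot: Dropping the `OPENSSL_issetugid() == 0` guard on the `RANDFILE` lookup, and on the `HOME` lookup in the next hunk, leaves the privilege check entirely to glibc. These were the only two call sites that already had a portable check. If this file is ever built where `__secure_getenv` resolves to plain `getenv`, an untrusted environment would again pick the path this function returns, presumably the seed file. Keeping the guard costs nothing: `if (OPENSSL_issetugid() == 0) s=__secure_getenv("RANDFILE");` and likewise for `HOME`. `RAND_file_name` starts and ends outside both hunks, so this assumes `s` is still initialised to NULL at its declaration, as the removed conditional assignment implies.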
af044b
@@ -284,8 +283,7 @@ const char *RAND_file_name(char *buf, si
af044b
 		}
af044b
 	else
af044b
 		{
af044b
-		if (OPENSSL_issetugid() == 0)
af044b
-			s=getenv("HOME");
af044b
+		s=__secure_getenv("HOME");
af044b
 #ifdef DEFAULT_HOME
af044b
 		if (s == NULL)
af044b
 			{
c2e315
diff -up openssl-1.0.1c/crypto/x509/by_dir.c.secure-getenv openssl-1.0.1c/crypto/x509/by_dir.c
c2e315
--- openssl-1.0.1c/crypto/x509/by_dir.c.secure-getenv	2010-02-19 19:26:23.000000000 +0100
af044b
+++ openssl-1.0.1c/crypto/x509/by_dir.c	2012-07-13 22:14:42.707780256 +0200
af044b
@@ -135,7 +135,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
c2e315
 	case X509_L_ADD_DIR:
c2e315
 		if (argl == X509_FILETYPE_DEFAULT)
c2e315
 			{
c2e315
-			dir=(char *)getenv(X509_get_default_cert_dir_env());
af044b
+			dir=(char *)__secure_getenv(X509_get_default_cert_dir_env());
c2e315
 			if (dir)
c2e315
 				ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM);
c2e315
 			else
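Review bot: The `(char *)` cast on `__secure_getenv(...)` should be dropped, here and on the matching line in by_file.c. The function already returns `char *`, and if the prototype is ever missing the cast silences the int-to-pointer diagnostic that would expose the problem. `dir=__secure_getenv(X509_get_default_cert_dir_env());` is enough. `dir_ctrl` starts and ends outside the hunk.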
c2e315
diff -up openssl-1.0.1c/crypto/x509/by_file.c.secure-getenv openssl-1.0.1c/crypto/x509/by_file.c
af044b
--- openssl-1.0.1c/crypto/x509/by_file.c.secure-getenv	2012-07-13 13:38:36.260984458 +0200
af044b
+++ openssl-1.0.1c/crypto/x509/by_file.c	2012-07-13 22:15:23.320692338 +0200
af044b
@@ -100,7 +100,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx
c2e315
 	case X509_L_FILE_LOAD:
c2e315
 		if (argl == X509_FILETYPE_DEFAULT)
c2e315
 			{
c2e315
-			file = (char *)getenv(X509_get_default_cert_file_env());
af044b
+			file = (char *)__secure_getenv(X509_get_default_cert_file_env());
c2e315
 			if (file)
c2e315
 				ok = (X509_load_cert_crl_file(ctx,file,
c2e315
 					      X509_FILETYPE_PEM) != 0);
c2e315
diff -up openssl-1.0.1c/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.1c/crypto/x509/x509_vfy.c
c2e315
--- openssl-1.0.1c/crypto/x509/x509_vfy.c.secure-getenv	2011-09-23 15:39:35.000000000 +0200
af044b
+++ openssl-1.0.1c/crypto/x509/x509_vfy.c	2012-07-13 22:14:13.937134124 +0200
c2e315
@@ -481,7 +481,7 @@ static int check_chain_extensions(X509_S
c2e315
 			!!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
c2e315
 		/* A hack to keep people who don't want to modify their
c2e315
 		   software happy */
c2e315
-		if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
af044b
+		if (__secure_getenv("OPENSSL_ALLOW_PROXY_CERTS"))
c2e315
 			allow_proxy_certs = 1;
c2e315
 		purpose = ctx->param->purpose;
c2e315
 		}
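Review bot: The comment above the `__secure_getenv("OPENSSL_ALLOW_PROXY_CERTS")` test still describes only the convenience hack and does not say that the override is now ignored in setuid/setgid processes, which is the security-relevant part of this line. I would extend it to something like `/* Environment override for proxy certificates; ignored when the process runs in secure-execution mode. */`. Any value, including an empty one, counts as set. A process that is privileged without being in secure-execution mode, for example a daemon started by root with an inherited environment, still honours the variable. `check_chain_extensions` starts and ends outside the hunk.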
c2e315
diff -up openssl-1.0.1c/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.1c/engines/ccgost/gost_ctl.c
c2e315
--- openssl-1.0.1c/engines/ccgost/gost_ctl.c.secure-getenv	2008-03-16 22:05:44.000000000 +0100
af044b
+++ openssl-1.0.1c/engines/ccgost/gost_ctl.c	2012-07-13 22:16:48.719610222 +0200
af044b
@@ -65,7 +65,7 @@ const char *get_gost_engine_param(int pa
c2e315
 		{
c2e315
 		return gost_params[param];
c2e315
 		}
c2e315
-	tmp = getenv(gost_envnames[param]);
af044b
+	tmp = __secure_getenv(gost_envnames[param]);
c2e315
 	if (tmp) 
c2e315
 		{
c2e315
 		if (gost_params[param]) OPENSSL_free(gost_params[param]);
af044b
@@ -79,7 +79,7 @@ int gost_set_default_param(int param, co
c2e315
 	{
af044b
 	const char *tmp;
c2e315
 	if (param <0 || param >GOST_PARAM_MAX) return 0;
c2e315
-	tmp = getenv(gost_envnames[param]);
af044b
+	tmp = __secure_getenv(gost_envnames[param]);
c2e315
 	/* if there is value in the environment, use it, else -passed string * */
c2e315
 	if (!tmp) tmp=value;
c2e315
 	if (gost_params[param]) OPENSSL_free(gost_params[param]);