openssl/openssl-1.0.1c-secure-getenv.patch

diff -up openssl-1.0.1c/Configure.secure-getenv openssl-1.0.1c/Configure
--- openssl-1.0.1c/Configure.secure-getenv	2012-07-13 13:34:37.309433776 +0200
+++ openssl-1.0.1c/Configure	2012-07-13 13:34:37.309433776 +0200
@@ -1437,6 +1437,10 @@ if ($target =~ /^BSD\-/)
 	$shared_ldflag.=" -Wl,-rpath,\$(LIBRPATH)" if ($prefix !~ m|^/usr[/]*$|);
 	}
 
+if ($target =~ /^linux/i) {
+	$cflags .= " -DLIBC_ENABLE_SECURE";
+}
+
 if ($sys_id ne "")
 	{
 	#$cflags="-DOPENSSL_SYSNAME_$sys_id $cflags";
diff -up openssl-1.0.1c/crypto/conf/conf_api.c.secure-getenv openssl-1.0.1c/crypto/conf/conf_api.c
--- openssl-1.0.1c/crypto/conf/conf_api.c.secure-getenv	2011-09-02 13:20:32.000000000 +0200
+++ openssl-1.0.1c/crypto/conf/conf_api.c	2012-07-13 13:34:37.277433033 +0200
@@ -140,7 +140,7 @@ char *_CONF_get_string(const CONF *conf,
 			vv.section=(char *)section;
 			v=lh_CONF_VALUE_retrieve(conf->data,&vv);
 			if (v != NULL) return(v->value);
-			if (strcmp(section,"ENV") == 0)
+			if (!OPENSSL_issetugid() && (strcmp(section,"ENV") == 0))
 				{
 				p=getenv(name);
 				if (p != NULL) return(p);
@@ -155,7 +155,7 @@ char *_CONF_get_string(const CONF *conf,
 			return(NULL);
 		}
 	else
-		return(getenv(name));
+		return (OPENSSL_issetugid() ? NULL : getenv(name));
 	}
 
 #if 0 /* There's no way to provide error checking with this function, so
diff -up openssl-1.0.1c/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.1c/crypto/conf/conf_mod.c
--- openssl-1.0.1c/crypto/conf/conf_mod.c.secure-getenv	2008-11-05 19:38:55.000000000 +0100
+++ openssl-1.0.1c/crypto/conf/conf_mod.c	2012-07-13 13:34:37.277433033 +0200
@@ -548,8 +548,8 @@ char *CONF_get1_default_config_file(void
 	char *file;
 	int len;
 
-	file = getenv("OPENSSL_CONF");
-	if (file) 
+	if (!OPENSSL_issetugid() && 
+	    (file = getenv("OPENSSL_CONF")) != NULL);
 		return BUF_strdup(file);
 
 	len = strlen(X509_get_default_cert_area());
diff -up openssl-1.0.1c/crypto/engine/eng_list.c.secure-getenv openssl-1.0.1c/crypto/engine/eng_list.c
--- openssl-1.0.1c/crypto/engine/eng_list.c.secure-getenv	2010-03-27 19:28:13.000000000 +0100
+++ openssl-1.0.1c/crypto/engine/eng_list.c	2012-07-13 13:34:37.278433056 +0200
@@ -399,9 +399,9 @@ ENGINE *ENGINE_by_id(const char *id)
 	if (strcmp(id, "dynamic"))
 		{
 #ifdef OPENSSL_SYS_VMS
-		if((load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = "SSLROOT:[ENGINES]";
+		if(OPENSSL_issetugid() || (load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = "SSLROOT:[ENGINES]";
 #else
-		if((load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = ENGINESDIR;
+		if(OPENSSL_issetugid() || (load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = ENGINESDIR;
 #endif
 		iterator = ENGINE_by_id("dynamic");
 		if(!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) ||
diff -up openssl-1.0.1c/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.1c/crypto/md5/md5_dgst.c
--- openssl-1.0.1c/crypto/md5/md5_dgst.c.secure-getenv	2012-07-13 13:34:37.000000000 +0200
+++ openssl-1.0.1c/crypto/md5/md5_dgst.c	2012-07-13 13:37:27.709392052 +0200
@@ -74,7 +74,7 @@ const char MD5_version[]="MD5" OPENSSL_V
 int MD5_Init(MD5_CTX *c)
 #ifdef OPENSSL_FIPS
 	{
-	if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
+	if (FIPS_mode() && (OPENSSL_issetugid() || getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL))
 		OpenSSLDie(__FILE__, __LINE__, \
                 "Digest MD5 forbidden in FIPS mode!");
 	return private_MD5_Init(c);
diff -up openssl-1.0.1c/crypto/o_init.c.secure-getenv openssl-1.0.1c/crypto/o_init.c
--- openssl-1.0.1c/crypto/o_init.c.secure-getenv	2012-07-13 13:34:37.237432103 +0200
+++ openssl-1.0.1c/crypto/o_init.c	2012-07-13 13:34:37.278433056 +0200
@@ -71,7 +71,7 @@ static void init_fips_mode(void)
 	char buf[2] = "0";
 	int fd;
 	
-	if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
+	if (!OPENSSL_issetugid() && getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
 		{
 		buf[0] = '1';
 		}
diff -up openssl-1.0.1c/crypto/uid.c.secure-getenv openssl-1.0.1c/crypto/uid.c
--- openssl-1.0.1c/crypto/uid.c.secure-getenv	2003-11-28 14:10:55.000000000 +0100
+++ openssl-1.0.1c/crypto/uid.c	2012-07-13 13:34:37.278433056 +0200
@@ -77,8 +77,26 @@ int OPENSSL_issetugid(void)
 #include OPENSSL_UNISTD
 #include <sys/types.h>
 
+#ifdef LIBC_ENABLE_SECURE
+extern int __libc_enable_secure;
+#endif
+#ifdef PRCTL_DUMPABLE
+#include <sys/prctl.h>
+#endif
+
 int OPENSSL_issetugid(void)
 	{
+#ifdef LIBC_ENABLE_SECURE
+	if (__libc_enable_secure) return 1;
+#endif
+#ifdef PRCTL_DUMPABLE
+	/* 0 -> not dumpable, 2 -> dumpable by root only from
+	 * Linux kernel 2.6.13 - 2.6.17, so we require dumpable
+	 * flag to be == 1 to accept non-secure mode.
+	 */
+	if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) != 1)
+		return 1;
+#endif
 	if (getuid() != geteuid()) return 1;
 	if (getgid() != getegid()) return 1;
 	return 0;
diff -up openssl-1.0.1c/crypto/x509/by_dir.c.secure-getenv openssl-1.0.1c/crypto/x509/by_dir.c
--- openssl-1.0.1c/crypto/x509/by_dir.c.secure-getenv	2010-02-19 19:26:23.000000000 +0100
+++ openssl-1.0.1c/crypto/x509/by_dir.c	2012-07-13 13:34:37.279433079 +0200
@@ -135,7 +135,8 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
 	case X509_L_ADD_DIR:
 		if (argl == X509_FILETYPE_DEFAULT)
 			{
-			dir=(char *)getenv(X509_get_default_cert_dir_env());
+			if (!OPENSSL_issetugid())
+				dir=(char *)getenv(X509_get_default_cert_dir_env());
 			if (dir)
 				ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM);
 			else
diff -up openssl-1.0.1c/crypto/x509/by_file.c.secure-getenv openssl-1.0.1c/crypto/x509/by_file.c
--- openssl-1.0.1c/crypto/x509/by_file.c.secure-getenv	2012-07-13 13:34:37.187430942 +0200
+++ openssl-1.0.1c/crypto/x509/by_file.c	2012-07-13 13:34:37.279433079 +0200
@@ -93,14 +93,15 @@ static int by_file_ctrl(X509_LOOKUP *ctx
 	     char **ret)
 	{
 	int ok=0;
-	char *file;
+	char *file = NULL;
 
 	switch (cmd)
 		{
 	case X509_L_FILE_LOAD:
 		if (argl == X509_FILETYPE_DEFAULT)
 			{
-			file = (char *)getenv(X509_get_default_cert_file_env());
+			if (!OPENSSL_issetugid())
+				file = (char *)getenv(X509_get_default_cert_file_env());
 			if (file)
 				ok = (X509_load_cert_crl_file(ctx,file,
 					      X509_FILETYPE_PEM) != 0);
diff -up openssl-1.0.1c/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.1c/crypto/x509/x509_vfy.c
--- openssl-1.0.1c/crypto/x509/x509_vfy.c.secure-getenv	2011-09-23 15:39:35.000000000 +0200
+++ openssl-1.0.1c/crypto/x509/x509_vfy.c	2012-07-13 13:34:37.280433102 +0200
@@ -456,7 +456,7 @@ static int check_chain_extensions(X509_S
 	int (*cb)(int xok,X509_STORE_CTX *xctx);
 	int proxy_path_length = 0;
 	int purpose;
-	int allow_proxy_certs;
+	int allow_proxy_certs = 0;
 	cb=ctx->verify_cb;
 
 	/* must_be_ca can have 1 of 3 values:
@@ -481,7 +481,7 @@ static int check_chain_extensions(X509_S
 			!!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
 		/* A hack to keep people who don't want to modify their
 		   software happy */
-		if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
+		if (!OPENSSL_issetugid() && getenv("OPENSSL_ALLOW_PROXY_CERTS"))
 			allow_proxy_certs = 1;
 		purpose = ctx->param->purpose;
 		}
diff -up openssl-1.0.1c/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.1c/engines/ccgost/gost_ctl.c
--- openssl-1.0.1c/engines/ccgost/gost_ctl.c.secure-getenv	2008-03-16 22:05:44.000000000 +0100
+++ openssl-1.0.1c/engines/ccgost/gost_ctl.c	2012-07-13 13:34:37.280433102 +0200
@@ -59,13 +59,14 @@ int gost_control_func(ENGINE *e,int cmd,
 
 const char *get_gost_engine_param(int param) 
 	{
-	char *tmp;
+	char *tmp = NULL;
 	if (param <0 || param >GOST_PARAM_MAX) return NULL;
 	if (gost_params[param]!=NULL) 
 		{
 		return gost_params[param];
 		}
-	tmp = getenv(gost_envnames[param]);
+	if (!OPENSSL_issetugid())
+		tmp = getenv(gost_envnames[param]);
 	if (tmp) 
 		{
 		if (gost_params[param]) OPENSSL_free(gost_params[param]);
@@ -77,9 +78,10 @@ const char *get_gost_engine_param(int pa
 
 int gost_set_default_param(int param, const char *value) 
 	{
-	const char *tmp;
+	const char *tmp = NULL;
 	if (param <0 || param >GOST_PARAM_MAX) return 0;
-	tmp = getenv(gost_envnames[param]);
+	if (!OPENSSL_issetugid())
+		tmp = getenv(gost_envnames[param]);
 	/* if there is value in the environment, use it, else -passed string * */
 	if (!tmp) tmp=value;
 	if (gost_params[param]) OPENSSL_free(gost_params[param]);
do not move libcrypto to /lib - do not use environment variables if __libc_enable_secure is on - fix strict aliasing problems in modes 2012-07-13 12:23:34 +00:00			`diff -up openssl-1.0.1c/Configure.secure-getenv openssl-1.0.1c/Configure`
			`--- openssl-1.0.1c/Configure.secure-getenv 2012-07-13 13:34:37.309433776 +0200`
			`+++ openssl-1.0.1c/Configure 2012-07-13 13:34:37.309433776 +0200`
			`@@ -1437,6 +1437,10 @@ if ($target =~ /^BSD\-/)`
			`$shared_ldflag.=" -Wl,-rpath,\$(LIBRPATH)" if ($prefix !~ m\|^/usr[/]*$\|);`
			`}`

			`+if ($target =~ /^linux/i) {`
			`+ $cflags .= " -DLIBC_ENABLE_SECURE";`
			`+}`
			`+`
			`if ($sys_id ne "")`
			`{`
			`#$cflags="-DOPENSSL_SYSNAME_$sys_id $cflags";`
			`diff -up openssl-1.0.1c/crypto/conf/conf_api.c.secure-getenv openssl-1.0.1c/crypto/conf/conf_api.c`
			`--- openssl-1.0.1c/crypto/conf/conf_api.c.secure-getenv 2011-09-02 13:20:32.000000000 +0200`
			`+++ openssl-1.0.1c/crypto/conf/conf_api.c 2012-07-13 13:34:37.277433033 +0200`
			`@@ -140,7 +140,7 @@ char _CONF_get_string(const CONF conf,`
			`vv.section=(char *)section;`
			`v=lh_CONF_VALUE_retrieve(conf->data,&vv);`
			`if (v != NULL) return(v->value);`
			`- if (strcmp(section,"ENV") == 0)`
			`+ if (!OPENSSL_issetugid() && (strcmp(section,"ENV") == 0))`
			`{`
			`p=getenv(name);`
			`if (p != NULL) return(p);`
			`@@ -155,7 +155,7 @@ char _CONF_get_string(const CONF conf,`
			`return(NULL);`
			`}`
			`else`
			`- return(getenv(name));`
			`+ return (OPENSSL_issetugid() ? NULL : getenv(name));`
			`}`

			`#if 0 /* There's no way to provide error checking with this function, so`
			`diff -up openssl-1.0.1c/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.1c/crypto/conf/conf_mod.c`
			`--- openssl-1.0.1c/crypto/conf/conf_mod.c.secure-getenv 2008-11-05 19:38:55.000000000 +0100`
			`+++ openssl-1.0.1c/crypto/conf/conf_mod.c 2012-07-13 13:34:37.277433033 +0200`
			`@@ -548,8 +548,8 @@ char *CONF_get1_default_config_file(void`
			`char *file;`
			`int len;`

			`- file = getenv("OPENSSL_CONF");`
			`- if (file)`
			`+ if (!OPENSSL_issetugid() &&`
			`+ (file = getenv("OPENSSL_CONF")) != NULL);`
			`return BUF_strdup(file);`

			`len = strlen(X509_get_default_cert_area());`
			`diff -up openssl-1.0.1c/crypto/engine/eng_list.c.secure-getenv openssl-1.0.1c/crypto/engine/eng_list.c`
			`--- openssl-1.0.1c/crypto/engine/eng_list.c.secure-getenv 2010-03-27 19:28:13.000000000 +0100`
			`+++ openssl-1.0.1c/crypto/engine/eng_list.c 2012-07-13 13:34:37.278433056 +0200`
			`@@ -399,9 +399,9 @@ ENGINE ENGINE_by_id(const char id)`
			`if (strcmp(id, "dynamic"))`
			`{`
			`#ifdef OPENSSL_SYS_VMS`
			`- if((load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = "SSLROOT:[ENGINES]";`
			`+ if(OPENSSL_issetugid() \|\| (load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = "SSLROOT:[ENGINES]";`
			`#else`
			`- if((load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = ENGINESDIR;`
			`+ if(OPENSSL_issetugid() \|\| (load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = ENGINESDIR;`
			`#endif`
			`iterator = ENGINE_by_id("dynamic");`
			`if(!iterator \|\| !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) \|\|`
			`diff -up openssl-1.0.1c/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.1c/crypto/md5/md5_dgst.c`
			`--- openssl-1.0.1c/crypto/md5/md5_dgst.c.secure-getenv 2012-07-13 13:34:37.000000000 +0200`
			`+++ openssl-1.0.1c/crypto/md5/md5_dgst.c 2012-07-13 13:37:27.709392052 +0200`
			`@@ -74,7 +74,7 @@ const char MD5_version[]="MD5" OPENSSL_V`
			`int MD5_Init(MD5_CTX *c)`
			`#ifdef OPENSSL_FIPS`
			`{`
			`- if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)`
			`+ if (FIPS_mode() && (OPENSSL_issetugid() \|\| getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL))`
			`OpenSSLDie(__FILE__, __LINE__, \`
			`"Digest MD5 forbidden in FIPS mode!");`
			`return private_MD5_Init(c);`
			`diff -up openssl-1.0.1c/crypto/o_init.c.secure-getenv openssl-1.0.1c/crypto/o_init.c`
			`--- openssl-1.0.1c/crypto/o_init.c.secure-getenv 2012-07-13 13:34:37.237432103 +0200`
			`+++ openssl-1.0.1c/crypto/o_init.c 2012-07-13 13:34:37.278433056 +0200`
			`@@ -71,7 +71,7 @@ static void init_fips_mode(void)`
			`char buf[2] = "0";`
			`int fd;`

			`- if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)`
			`+ if (!OPENSSL_issetugid() && getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)`
			`{`
			`buf[0] = '1';`
			`}`
			`diff -up openssl-1.0.1c/crypto/uid.c.secure-getenv openssl-1.0.1c/crypto/uid.c`
			`--- openssl-1.0.1c/crypto/uid.c.secure-getenv 2003-11-28 14:10:55.000000000 +0100`
			`+++ openssl-1.0.1c/crypto/uid.c 2012-07-13 13:34:37.278433056 +0200`
			`@@ -77,8 +77,26 @@ int OPENSSL_issetugid(void)`
			`#include OPENSSL_UNISTD`
			`#include <sys/types.h>`

			`+#ifdef LIBC_ENABLE_SECURE`
			`+extern int __libc_enable_secure;`
			`+#endif`
			`+#ifdef PRCTL_DUMPABLE`
			`+#include <sys/prctl.h>`
			`+#endif`
			`+`
			`int OPENSSL_issetugid(void)`
			`{`
			`+#ifdef LIBC_ENABLE_SECURE`
			`+ if (__libc_enable_secure) return 1;`
			`+#endif`
			`+#ifdef PRCTL_DUMPABLE`
			`+ /* 0 -> not dumpable, 2 -> dumpable by root only from`
			`+ * Linux kernel 2.6.13 - 2.6.17, so we require dumpable`
			`+ * flag to be == 1 to accept non-secure mode.`
			`+ */`
			`+ if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) != 1)`
			`+ return 1;`
			`+#endif`
			`if (getuid() != geteuid()) return 1;`
			`if (getgid() != getegid()) return 1;`
			`return 0;`
			`diff -up openssl-1.0.1c/crypto/x509/by_dir.c.secure-getenv openssl-1.0.1c/crypto/x509/by_dir.c`
			`--- openssl-1.0.1c/crypto/x509/by_dir.c.secure-getenv 2010-02-19 19:26:23.000000000 +0100`
			`+++ openssl-1.0.1c/crypto/x509/by_dir.c 2012-07-13 13:34:37.279433079 +0200`
			`@@ -135,7 +135,8 @@ static int dir_ctrl(X509_LOOKUP *ctx, in`
			`case X509_L_ADD_DIR:`
			`if (argl == X509_FILETYPE_DEFAULT)`
			`{`
			`- dir=(char *)getenv(X509_get_default_cert_dir_env());`
			`+ if (!OPENSSL_issetugid())`
			`+ dir=(char *)getenv(X509_get_default_cert_dir_env());`
			`if (dir)`
			`ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM);`
			`else`
			`diff -up openssl-1.0.1c/crypto/x509/by_file.c.secure-getenv openssl-1.0.1c/crypto/x509/by_file.c`
			`--- openssl-1.0.1c/crypto/x509/by_file.c.secure-getenv 2012-07-13 13:34:37.187430942 +0200`
			`+++ openssl-1.0.1c/crypto/x509/by_file.c 2012-07-13 13:34:37.279433079 +0200`
			`@@ -93,14 +93,15 @@ static int by_file_ctrl(X509_LOOKUP *ctx`
			`char **ret)`
			`{`
			`int ok=0;`
			`- char *file;`
			`+ char *file = NULL;`

			`switch (cmd)`
			`{`
			`case X509_L_FILE_LOAD:`
			`if (argl == X509_FILETYPE_DEFAULT)`
			`{`
			`- file = (char *)getenv(X509_get_default_cert_file_env());`
			`+ if (!OPENSSL_issetugid())`
			`+ file = (char *)getenv(X509_get_default_cert_file_env());`
			`if (file)`
			`ok = (X509_load_cert_crl_file(ctx,file,`
			`X509_FILETYPE_PEM) != 0);`
			`diff -up openssl-1.0.1c/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.1c/crypto/x509/x509_vfy.c`
			`--- openssl-1.0.1c/crypto/x509/x509_vfy.c.secure-getenv 2011-09-23 15:39:35.000000000 +0200`
			`+++ openssl-1.0.1c/crypto/x509/x509_vfy.c 2012-07-13 13:34:37.280433102 +0200`
			`@@ -456,7 +456,7 @@ static int check_chain_extensions(X509_S`
			`int (cb)(int xok,X509_STORE_CTX xctx);`
			`int proxy_path_length = 0;`
			`int purpose;`
			`- int allow_proxy_certs;`
			`+ int allow_proxy_certs = 0;`
			`cb=ctx->verify_cb;`

			`/* must_be_ca can have 1 of 3 values:`
			`@@ -481,7 +481,7 @@ static int check_chain_extensions(X509_S`
			`!!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);`
			`/* A hack to keep people who don't want to modify their`
			`software happy */`
			`- if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))`
			`+ if (!OPENSSL_issetugid() && getenv("OPENSSL_ALLOW_PROXY_CERTS"))`
			`allow_proxy_certs = 1;`
			`purpose = ctx->param->purpose;`
			`}`
			`diff -up openssl-1.0.1c/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.1c/engines/ccgost/gost_ctl.c`
			`--- openssl-1.0.1c/engines/ccgost/gost_ctl.c.secure-getenv 2008-03-16 22:05:44.000000000 +0100`
			`+++ openssl-1.0.1c/engines/ccgost/gost_ctl.c 2012-07-13 13:34:37.280433102 +0200`
			`@@ -59,13 +59,14 @@ int gost_control_func(ENGINE *e,int cmd,`

			`const char *get_gost_engine_param(int param)`
			`{`
			`- char *tmp;`
			`+ char *tmp = NULL;`
			`if (param <0 \|\| param >GOST_PARAM_MAX) return NULL;`
			`if (gost_params[param]!=NULL)`
			`{`
			`return gost_params[param];`
			`}`
			`- tmp = getenv(gost_envnames[param]);`
			`+ if (!OPENSSL_issetugid())`
			`+ tmp = getenv(gost_envnames[param]);`
			`if (tmp)`
			`{`
			`if (gost_params[param]) OPENSSL_free(gost_params[param]);`
			`@@ -77,9 +78,10 @@ const char *get_gost_engine_param(int pa`

			`int gost_set_default_param(int param, const char *value)`
			`{`
			`- const char *tmp;`
			`+ const char *tmp = NULL;`
			`if (param <0 \|\| param >GOST_PARAM_MAX) return 0;`
			`- tmp = getenv(gost_envnames[param]);`
			`+ if (!OPENSSL_issetugid())`
			`+ tmp = getenv(gost_envnames[param]);`
			`/* if there is value in the environment, use it, else -passed string * */`
			`if (!tmp) tmp=value;`
			`if (gost_params[param]) OPENSSL_free(gost_params[param]);`