authorderaadt <deraadt@openbsd.org>2014-06-20 20:59:49 +0000
committerderaadt <deraadt@openbsd.org>2014-06-20 20:59:49 +0000
commit159d13a41fa892713fc0cc81a8df5fe019e8cb83 (patch)
treeda57cd07459e062138ccc58a20e10f47890632a2 /lib
parentKNF (diff)
wrap getenv OPENSSL_ALLOW_PROXY_CERTS in an issetugid check, to protect
setuid applications from being fooled. ok miod
Diffstat (limited to 'lib')
-rw-r--r--lib/libcrypto/x509/x509_vfy.c4
-rw-r--r--lib/libssl/src/crypto/x509/x509_vfy.c4
2 files changed, 4 insertions, 4 deletions
diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c
index 4a485fc4847..b82af081c62 100644
--- a/lib/libcrypto/x509/x509_vfy.c
+++ b/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.28 2014/06/19 21:24:35 tedu Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.29 2014/06/20 20:59:49 deraadt Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -487,7 +487,7 @@ check_chain_extensions(X509_STORE_CTX *ctx)
!!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
/* A hack to keep people who don't want to modify their
software happy */
- if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
+ if (issetugid() == 0 && getenv("OPENSSL_ALLOW_PROXY_CERTS"))
allow_proxy_certs = 1;
purpose = ctx->param->purpose;
}
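Review bot: The `issetugid() == 0` guard on the `getenv("OPENSSL_ALLOW_PROXY_CERTS")` line only covers set-user-ID/set-group-ID execution, so any other process still lets the environment variable switch on proxy-certificate acceptance, regardless of whether the application set `X509_V_FLAG_ALLOW_PROXY_CERTS`. That presumably matters for daemons or helpers started with an environment inherited from a less trusted party. The existing "hack" comment does not explain the guard; I would add `/* Ignore the environment override when issetugid(): the invoking user controls the environment and could relax chain validation. */` above the `if`. It may also be worth considering removing the environment override and relying on the verify-parameter flag alone. The same applies to the identical hunk in lib/libssl/src/crypto/x509/x509_vfy.c, and the body of check_chain_extensions starts and ends outside both hunks.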
diff --git a/lib/libssl/src/crypto/x509/x509_vfy.c b/lib/libssl/src/crypto/x509/x509_vfy.c
index 4a485fc4847..b82af081c62 100644
--- a/lib/libssl/src/crypto/x509/x509_vfy.c
+++ b/lib/libssl/src/crypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.28 2014/06/19 21:24:35 tedu Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.29 2014/06/20 20:59:49 deraadt Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -487,7 +487,7 @@ check_chain_extensions(X509_STORE_CTX *ctx)
!!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
/* A hack to keep people who don't want to modify their
software happy */
- if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
+ if (issetugid() == 0 && getenv("OPENSSL_ALLOW_PROXY_CERTS"))
allow_proxy_certs = 1;
purpose = ctx->param->purpose;
}