jsing and I are investigating removal of all? most? 'getenv from library'

instances.  This one for OPENSSL_ALLOW_PROXY_CERTS gets turned off first,
especially since it had this special comment:
/* A hack to keep people who don't want to modify their software happy */
ok beck jsing

2 files changed, 6 insertions, 2 deletions

diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c
index d894facd473..0b0a2c56d2f 100644
--- a/lib/libcrypto/x509/x509_vfy.c
+++ b/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.35 2014/07/12 14:58:32 miod Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.36 2014/07/12 17:35:23 deraadt Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -491,10 +491,12 @@ check_chain_extensions(X509_STORE_CTX *ctx)
 	} else {
 		allow_proxy_certs =
 		    !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
+#if 0
 		/* A hack to keep people who don't want to modify their
 		   software happy */
 		if (issetugid() == 0 && getenv("OPENSSL_ALLOW_PROXY_CERTS"))
 			allow_proxy_certs = 1;
+#endif
 		purpose = ctx->param->purpose;
 	}
 
diff --git a/lib/libssl/src/crypto/x509/x509_vfy.c b/lib/libssl/src/crypto/x509/x509_vfy.c
index d894facd473..0b0a2c56d2f 100644
--- a/lib/libssl/src/crypto/x509/x509_vfy.c
+++ b/lib/libssl/src/crypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.35 2014/07/12 14:58:32 miod Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.36 2014/07/12 17:35:23 deraadt Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -491,10 +491,12 @@ check_chain_extensions(X509_STORE_CTX *ctx)
 	} else {
 		allow_proxy_certs =
 		    !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
+#if 0
 		/* A hack to keep people who don't want to modify their
 		   software happy */
 		if (issetugid() == 0 && getenv("OPENSSL_ALLOW_PROXY_CERTS"))
 			allow_proxy_certs = 1;
+#endif
 		purpose = ctx->param->purpose;
 	}