wrap getenv OPENSSL_ALLOW_PROXY_CERTS in an issetugid check, to protect

setuid applications from being fooled. ok miod
author: deraadt <> 2014-06-20 20:59:49 +0000
committer: deraadt <> 2014-06-20 20:59:49 +0000
commit: 7ad0caae1a0b3317154a69d8faea6b9be64f37f5 (patch)
tree: 402198e2f9aae057dc1d8d221c5ae204bc738818 /src
parent: 741adedfcf8f7528c3c26c91f26222cd03d2f435 (diff)
download: openbsd-7ad0caae1a0b3317154a69d8faea6b9be64f37f5.tar.gz
openbsd-7ad0caae1a0b3317154a69d8faea6b9be64f37f5.tar.bz2
openbsd-7ad0caae1a0b3317154a69d8faea6b9be64f37f5.zip
2 files changed, 4 insertions, 4 deletions
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 4a485fc484..b82af081c6 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.28 2014/06/19 21:24:35 tedu Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.29 2014/06/20 20:59:49 deraadt Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -487,7 +487,7 @@ check_chain_extensions(X509_STORE_CTX *ctx)
                    !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
                /* A hack to keep people who don't want to modify their
                   software happy */
-                if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
+                if (issetugid() == 0 && getenv("OPENSSL_ALLOW_PROXY_CERTS"))
                        allow_proxy_certs = 1;
                purpose = ctx->param->purpose;
        }
diff --git a/src/lib/libssl/src/crypto/x509/x509_vfy.c b/src/lib/libssl/src/crypto/x509/x509_vfy.c
index 4a485fc484..b82af081c6 100644
--- a/src/lib/libssl/src/crypto/x509/x509_vfy.c
+++ b/src/lib/libssl/src/crypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.28 2014/06/19 21:24:35 tedu Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.29 2014/06/20 20:59:49 deraadt Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -487,7 +487,7 @@ check_chain_extensions(X509_STORE_CTX *ctx)
                    !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
                /* A hack to keep people who don't want to modify their
                   software happy */
-                if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
+                if (issetugid() == 0 && getenv("OPENSSL_ALLOW_PROXY_CERTS"))
                        allow_proxy_certs = 1;
                purpose = ctx->param->purpose;
        }
author	deraadt <>	2014-06-20 20:59:49 +0000
committer	deraadt <>	2014-06-20 20:59:49 +0000
commit	7ad0caae1a0b3317154a69d8faea6b9be64f37f5 (patch)
tree	402198e2f9aae057dc1d8d221c5ae204bc738818 /src
parent	741adedfcf8f7528c3c26c91f26222cd03d2f435 (diff)
download	openbsd-7ad0caae1a0b3317154a69d8faea6b9be64f37f5.tar.gz openbsd-7ad0caae1a0b3317154a69d8faea6b9be64f37f5.tar.bz2 openbsd-7ad0caae1a0b3317154a69d8faea6b9be64f37f5.zip

diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c index 4a485fc484..b82af081c6 100644 --- a/src/lib/libcrypto/x509/x509_vfy.c +++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_vfy.c,v 1.28 2014/06/19 21:24:35 tedu Exp $ */	1	/* $OpenBSD: x509_vfy.c,v 1.29 2014/06/20 20:59:49 deraadt Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -487,7 +487,7 @@ check_chain_extensions(X509_STORE_CTX *ctx)
487	!!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);	487	!!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
488	/* A hack to keep people who don't want to modify their	488	/* A hack to keep people who don't want to modify their
489	software happy */	489	software happy */
490	if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))	490	if (issetugid() == 0 && getenv("OPENSSL_ALLOW_PROXY_CERTS"))
491	allow_proxy_certs = 1;	491	allow_proxy_certs = 1;
492	purpose = ctx->param->purpose;	492	purpose = ctx->param->purpose;
493	}	493	}


diff --git a/src/lib/libssl/src/crypto/x509/x509_vfy.c b/src/lib/libssl/src/crypto/x509/x509_vfy.c index 4a485fc484..b82af081c6 100644 --- a/src/lib/libssl/src/crypto/x509/x509_vfy.c +++ b/src/lib/libssl/src/crypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_vfy.c,v 1.28 2014/06/19 21:24:35 tedu Exp $ */	1	/* $OpenBSD: x509_vfy.c,v 1.29 2014/06/20 20:59:49 deraadt Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -487,7 +487,7 @@ check_chain_extensions(X509_STORE_CTX *ctx)
487	!!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);	487	!!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
488	/* A hack to keep people who don't want to modify their	488	/* A hack to keep people who don't want to modify their
489	software happy */	489	software happy */
490	if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))	490	if (issetugid() == 0 && getenv("OPENSSL_ALLOW_PROXY_CERTS"))
491	allow_proxy_certs = 1;	491	allow_proxy_certs = 1;
492	purpose = ctx->param->purpose;	492	purpose = ctx->param->purpose;
493	}	493	}