Update from 1.0.0-stable.

2009-06-26 11:34:22 +00:00 · 2009-06-26 11:34:22 +00:00 · 9aecc3e5ff
commit 9aecc3e5ff
parent b8a4a5bcba
6 changed files with 19 additions and 6 deletions
--- a/7
+++ b/7
@ -9,9 +9,10 @@
     clash.
     [Guenter <lists@gknw.net>]

-  *) Don't check self signed certificate signatures in X509_verify_cert():
-     it just wastes time without adding any security. As a useful side effect
-     self signed root CAs with non-FIPS digests are now usable in FIPS mode.
+  *) Don't check self signed certificate signatures in X509_verify_cert()
+     by default (a flag can override this): it just wastes time without
+     adding any security. As a useful side effect self signed root CAs
+     with non-FIPS digests are now usable in FIPS mode.
     [Steve Henson]

  *) In dtls1_process_out_of_seq_message() the check if the current message
--- a/apps/apps.c
+++ b/apps/apps.c
@ -2261,6 +2261,8 @@ int args_verify(char ***pargs, int *pargc,
 		flags |= X509_V_FLAG_X509_STRICT;
 	else if (!strcmp(arg, "-policy_print"))
 		flags |= X509_V_FLAG_NOTIFY_POLICY;
+	else if (!strcmp(arg, "-check_ss_sig"))
+		flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
 	else
 		return 0;

--- a/apps/x509.c
+++ b/apps/x509.c
@ -1151,6 +1151,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
 	/* NOTE: this certificate can/should be self signed, unless it was
 	 * a certificate request in which case it is not. */
 	X509_STORE_CTX_set_cert(&xsc,x);
+	X509_STORE_CTX_set_flags(&xsc, X509_V_FLAG_CHECK_SS_SIGNATURE);
 	if (!reqfile && X509_verify_cert(&xsc) <= 0)
 		goto end;

--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@ -987,10 +987,11 @@ static int internal_verify(X509_STORE_CTX *ctx)
 		{
 		ctx->error_depth=n;

-		/* Skip signature check for self signed certificates. It
-		 * doesn't add any security and just wastes time.
+		/* Skip signature check for self signed certificates unless
+		 * explicitly asked for. It doesn't add any security and
+		 * just wastes time.
 		 */
-		if (!xs->valid && xs != xi)
+		if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)))
 			{
 			if ((pkey=X509_get_pubkey(xi)) == NULL)
 				{
--- a/crypto/x509/x509_vfy.h
+++ b/crypto/x509/x509_vfy.h
@ -363,6 +363,9 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 /* Notify callback that policy is OK */
 #define X509_V_FLAG_NOTIFY_POLICY		0x800

+/* Check selfsigned CA signature */
+#define X509_V_FLAG_CHECK_SS_SIGNATURE		0x4000
+
 #define X509_VP_FLAG_DEFAULT			0x1
 #define X509_VP_FLAG_OVERWRITE			0x2
 #define X509_VP_FLAG_RESET_FLAGS		0x4
--- a/doc/apps/verify.pod
+++ b/doc/apps/verify.pod
@ -66,6 +66,11 @@ certificate was rejected. However the presence of rejection messages
 does not itself imply that anything is wrong: during the normal
 verify process several rejections may take place.

+=item B<-check_ss_sig>
+
+Verify the signature on the self-signed root CA. This is disabled by default
+because it doesn't add any security.
+
 =item B<->

 marks the last option. All arguments following this are assumed to be