From f3be6c7b7d2081101c21c7a9b7ec39f4e86271e5 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Fri, 26 Jun 2009 11:29:26 +0000 Subject: [PATCH] Update from 1.0.0-stable. --- CHANGES | 7 ++++--- apps/apps.c | 2 ++ apps/x509.c | 1 + crypto/x509/x509_vfy.c | 7 ++++--- crypto/x509/x509_vfy.h | 3 +++ doc/apps/cms.pod | 2 +- doc/apps/s_client.pod | 2 +- doc/apps/smime.pod | 2 +- doc/apps/verify.pod | 5 +++++ 9 files changed, 22 insertions(+), 9 deletions(-) diff --git a/CHANGES b/CHANGES index d74262e1b..b886dbfee 100644 --- a/CHANGES +++ b/CHANGES @@ -808,9 +808,10 @@ Changes between 0.9.8k and 0.9.8l [xx XXX xxxx] - *) Don't check self signed certificate signatures in X509_verify_cert(): - it just wastes time without adding any security. As a useful side effect - self signed root CAs with non-FIPS digests are now usable in FIPS mode. + *) Don't check self signed certificate signatures in X509_verify_cert() + by default (a flag can override this): it just wastes time without + adding any security. As a useful side effect self signed root CAs + with non-FIPS digests are now usable in FIPS mode. [Steve Henson] *) In dtls1_process_out_of_seq_message() the check if the current message diff --git a/apps/apps.c b/apps/apps.c index 47413f582..08ce00822 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -2256,6 +2256,8 @@ int args_verify(char ***pargs, int *pargc, flags |= X509_V_FLAG_USE_DELTAS; else if (!strcmp(arg, "-policy_print")) flags |= X509_V_FLAG_NOTIFY_POLICY; + else if (!strcmp(arg, "-check_ss_sig")) + flags |= X509_V_FLAG_CHECK_SS_SIGNATURE; else return 0; diff --git a/apps/x509.c b/apps/x509.c index 6e49377f0..5e81ee8c3 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -1130,6 +1130,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, /* NOTE: this certificate can/should be self signed, unless it was * a certificate request in which case it is not. */ X509_STORE_CTX_set_cert(&xsc,x); + X509_STORE_CTX_set_flags(&xsc, X509_V_FLAG_CHECK_SS_SIGNATURE); if (!reqfile && X509_verify_cert(&xsc) <= 0) goto end; diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index dd4065b0c..200a9cc0b 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -1610,10 +1610,11 @@ static int internal_verify(X509_STORE_CTX *ctx) { ctx->error_depth=n; - /* Skip signature check for self signed certificates. It - * doesn't add any security and just wastes time. + /* Skip signature check for self signed certificates unless + * explicitly asked for. It doesn't add any security and + * just wastes time. */ - if (!xs->valid && xs != xi) + if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) { if ((pkey=X509_get_pubkey(xi)) == NULL) { diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h index 0df76db84..4e73806ad 100644 --- a/crypto/x509/x509_vfy.h +++ b/crypto/x509/x509_vfy.h @@ -387,6 +387,9 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); #define X509_V_FLAG_EXTENDED_CRL_SUPPORT 0x1000 /* Delta CRL support */ #define X509_V_FLAG_USE_DELTAS 0x2000 +/* Check selfsigned CA signature */ +#define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000 + #define X509_VP_FLAG_DEFAULT 0x1 #define X509_VP_FLAG_OVERWRITE 0x2 diff --git a/doc/apps/cms.pod b/doc/apps/cms.pod index 520279eea..d62961a02 100644 --- a/doc/apps/cms.pod +++ b/doc/apps/cms.pod @@ -401,7 +401,7 @@ portion of a message so they may be included manually. If signing then many S/MIME mail clients check the signers certificate's email address matches that specified in the From: address. -=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy> +=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> Set various certificate chain valiadition option. See the L|verify(1)> manual page for details. diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod index f61b80c72..4ebf7b585 100644 --- a/doc/apps/s_client.pod +++ b/doc/apps/s_client.pod @@ -101,7 +101,7 @@ also used when building the client certificate chain. A file containing trusted certificates to use during server authentication and to use when attempting to build the client certificate chain. -=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy> +=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> Set various certificate chain valiadition option. See the L|verify(1)> manual page for details. diff --git a/doc/apps/smime.pod b/doc/apps/smime.pod index 97cc0dc78..e0258b564 100644 --- a/doc/apps/smime.pod +++ b/doc/apps/smime.pod @@ -259,7 +259,7 @@ portion of a message so they may be included manually. If signing then many S/MIME mail clients check the signers certificate's email address matches that specified in the From: address. -=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy> +=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> Set various options of certificate chain verification. See L|verify(1)> manual page for details. diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod index dad3d17c8..bd399dc77 100644 --- a/doc/apps/verify.pod +++ b/doc/apps/verify.pod @@ -135,6 +135,11 @@ signing keys. Enable support for delta CRLs. +=item B<-check_ss_sig> + +Verify the signature on the self-signed root CA. This is disabled by default +because it doesn't add any security. + =item B<-> marks the last option. All arguments following this are assumed to be