From: Dr. Stephen Henson <steve@openssl.org>
Date: Thu, 11 Feb 2016 15:25:11 +0000 (+0000)
Subject: Don't check self signed certificate signature security.
X-Git-Tag: OpenSSL_1_1_0-pre3~81
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=221c7b55e35a952f517c3c2237feb3c1044b7dd9;p=oweals%2Fopenssl.git

Don't check self signed certificate signature security.

Reviewed-by: Richard Levitte <levitte@openssl.org>
---

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index e0e0cb95ac..d7a6f954b4 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -4122,6 +4122,9 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
 {
     /* Lookup signature algorithm digest */
     int secbits = -1, md_nid = NID_undef, sig_nid;
+    /* Don't check signature if self signed */
+    if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
+        return 1;
     sig_nid = X509_get_signature_nid(x);
     if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) {
         const EVP_MD *md;