From 9aecc3e5ff3889fbe6f469d61e6f5935d870d4af Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Fri, 26 Jun 2009 11:34:22 +0000 Subject: [PATCH] Update from 1.0.0-stable. --- CHANGES | 7 ++++--- apps/apps.c | 2 ++ apps/x509.c | 1 + crypto/x509/x509_vfy.c | 7 ++++--- crypto/x509/x509_vfy.h | 3 +++ doc/apps/verify.pod | 5 +++++ 6 files changed, 19 insertions(+), 6 deletions(-) diff --git a/CHANGES b/CHANGES index 30df42765c..e60f704aac 100644 --- a/CHANGES +++ b/CHANGES @@ -9,9 +9,10 @@ clash. [Guenter ] - *) Don't check self signed certificate signatures in X509_verify_cert(): - it just wastes time without adding any security. As a useful side effect - self signed root CAs with non-FIPS digests are now usable in FIPS mode. + *) Don't check self signed certificate signatures in X509_verify_cert() + by default (a flag can override this): it just wastes time without + adding any security. As a useful side effect self signed root CAs + with non-FIPS digests are now usable in FIPS mode. [Steve Henson] *) In dtls1_process_out_of_seq_message() the check if the current message diff --git a/apps/apps.c b/apps/apps.c index 498722a5a2..35b62b8b09 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -2261,6 +2261,8 @@ int args_verify(char ***pargs, int *pargc, flags |= X509_V_FLAG_X509_STRICT; else if (!strcmp(arg, "-policy_print")) flags |= X509_V_FLAG_NOTIFY_POLICY; + else if (!strcmp(arg, "-check_ss_sig")) + flags |= X509_V_FLAG_CHECK_SS_SIGNATURE; else return 0; diff --git a/apps/x509.c b/apps/x509.c index 6debce4419..b25508aa8e 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -1151,6 +1151,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, /* NOTE: this certificate can/should be self signed, unless it was * a certificate request in which case it is not. */ X509_STORE_CTX_set_cert(&xsc,x); + X509_STORE_CTX_set_flags(&xsc, X509_V_FLAG_CHECK_SS_SIGNATURE); if (!reqfile && X509_verify_cert(&xsc) <= 0) goto end; diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 9e398c2d19..b85456e65b 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -987,10 +987,11 @@ static int internal_verify(X509_STORE_CTX *ctx) { ctx->error_depth=n; - /* Skip signature check for self signed certificates. It - * doesn't add any security and just wastes time. + /* Skip signature check for self signed certificates unless + * explicitly asked for. It doesn't add any security and + * just wastes time. */ - if (!xs->valid && xs != xi) + if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) { if ((pkey=X509_get_pubkey(xi)) == NULL) { diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h index 76c76e1719..86ae35f69d 100644 --- a/crypto/x509/x509_vfy.h +++ b/crypto/x509/x509_vfy.h @@ -363,6 +363,9 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); /* Notify callback that policy is OK */ #define X509_V_FLAG_NOTIFY_POLICY 0x800 +/* Check selfsigned CA signature */ +#define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000 + #define X509_VP_FLAG_DEFAULT 0x1 #define X509_VP_FLAG_OVERWRITE 0x2 #define X509_VP_FLAG_RESET_FLAGS 0x4 diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod index ff2629d2cf..b798867370 100644 --- a/doc/apps/verify.pod +++ b/doc/apps/verify.pod @@ -66,6 +66,11 @@ certificate was rejected. However the presence of rejection messages does not itself imply that anything is wrong: during the normal verify process several rejections may take place. +=item B<-check_ss_sig> + +Verify the signature on the self-signed root CA. This is disabled by default +because it doesn't add any security. + =item B<-> marks the last option. All arguments following this are assumed to be -- 2.25.1