summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDr. Stephen Henson <steve@openssl.org>2009-06-26 13:29:26 +0200
committerDr. Stephen Henson <steve@openssl.org>2009-06-26 13:29:26 +0200
commitf3be6c7b7d2081101c21c7a9b7ec39f4e86271e5 (patch)
treeef92e5f388f36bf637cde6f5f6cde8c4ccde525d
parentStop warnings in gcc where "a" is const passed as a non-const argument. (diff)
downloadopenssl-f3be6c7b7d2081101c21c7a9b7ec39f4e86271e5.tar.xz
openssl-f3be6c7b7d2081101c21c7a9b7ec39f4e86271e5.zip
Update from 1.0.0-stable.
-rw-r--r--CHANGES7
-rw-r--r--apps/apps.c2
-rw-r--r--apps/x509.c1
-rw-r--r--crypto/x509/x509_vfy.c7
-rw-r--r--crypto/x509/x509_vfy.h3
-rw-r--r--doc/apps/cms.pod2
-rw-r--r--doc/apps/s_client.pod2
-rw-r--r--doc/apps/smime.pod2
-rw-r--r--doc/apps/verify.pod5
9 files changed, 22 insertions, 9 deletions
diff --git a/CHANGES b/CHANGES
index d74262e1bb..b886dbfeec 100644
--- a/CHANGES
+++ b/CHANGES
@@ -808,9 +808,10 @@
Changes between 0.9.8k and 0.9.8l [xx XXX xxxx]
- *) Don't check self signed certificate signatures in X509_verify_cert():
- it just wastes time without adding any security. As a useful side effect
- self signed root CAs with non-FIPS digests are now usable in FIPS mode.
+ *) Don't check self signed certificate signatures in X509_verify_cert()
+ by default (a flag can override this): it just wastes time without
+ adding any security. As a useful side effect self signed root CAs
+ with non-FIPS digests are now usable in FIPS mode.
[Steve Henson]
*) In dtls1_process_out_of_seq_message() the check if the current message
diff --git a/apps/apps.c b/apps/apps.c
index 47413f5827..08ce00822e 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -2256,6 +2256,8 @@ int args_verify(char ***pargs, int *pargc,
flags |= X509_V_FLAG_USE_DELTAS;
else if (!strcmp(arg, "-policy_print"))
flags |= X509_V_FLAG_NOTIFY_POLICY;
+ else if (!strcmp(arg, "-check_ss_sig"))
+ flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
else
return 0;
diff --git a/apps/x509.c b/apps/x509.c
index 6e49377f0d..5e81ee8c3f 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -1130,6 +1130,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
/* NOTE: this certificate can/should be self signed, unless it was
* a certificate request in which case it is not. */
X509_STORE_CTX_set_cert(&xsc,x);
+ X509_STORE_CTX_set_flags(&xsc, X509_V_FLAG_CHECK_SS_SIGNATURE);
if (!reqfile && X509_verify_cert(&xsc) <= 0)
goto end;
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index dd4065b0ce..200a9cc0b6 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1610,10 +1610,11 @@ static int internal_verify(X509_STORE_CTX *ctx)
{
ctx->error_depth=n;
- /* Skip signature check for self signed certificates. It
- * doesn't add any security and just wastes time.
+ /* Skip signature check for self signed certificates unless
+ * explicitly asked for. It doesn't add any security and
+ * just wastes time.
*/
- if (!xs->valid && xs != xi)
+ if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)))
{
if ((pkey=X509_get_pubkey(xi)) == NULL)
{
diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h
index 0df76db849..4e73806adc 100644
--- a/crypto/x509/x509_vfy.h
+++ b/crypto/x509/x509_vfy.h
@@ -387,6 +387,9 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
#define X509_V_FLAG_EXTENDED_CRL_SUPPORT 0x1000
/* Delta CRL support */
#define X509_V_FLAG_USE_DELTAS 0x2000
+/* Check selfsigned CA signature */
+#define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
+
#define X509_VP_FLAG_DEFAULT 0x1
#define X509_VP_FLAG_OVERWRITE 0x2
diff --git a/doc/apps/cms.pod b/doc/apps/cms.pod
index 520279eeab..d62961a023 100644
--- a/doc/apps/cms.pod
+++ b/doc/apps/cms.pod
@@ -401,7 +401,7 @@ portion of a message so they may be included manually. If signing
then many S/MIME mail clients check the signers certificate's email
address matches that specified in the From: address.
-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy>
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
Set various certificate chain valiadition option. See the
L<B<verify>|verify(1)> manual page for details.
diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod
index f61b80c720..4ebf7b5854 100644
--- a/doc/apps/s_client.pod
+++ b/doc/apps/s_client.pod
@@ -101,7 +101,7 @@ also used when building the client certificate chain.
A file containing trusted certificates to use during server authentication
and to use when attempting to build the client certificate chain.
-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy>
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
Set various certificate chain valiadition option. See the
L<B<verify>|verify(1)> manual page for details.
diff --git a/doc/apps/smime.pod b/doc/apps/smime.pod
index 97cc0dc789..e0258b5648 100644
--- a/doc/apps/smime.pod
+++ b/doc/apps/smime.pod
@@ -259,7 +259,7 @@ portion of a message so they may be included manually. If signing
then many S/MIME mail clients check the signers certificate's email
address matches that specified in the From: address.
-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy>
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
Set various options of certificate chain verification. See
L<B<verify>|verify(1)> manual page for details.
diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod
index dad3d17c83..bd399dc772 100644
--- a/doc/apps/verify.pod
+++ b/doc/apps/verify.pod
@@ -135,6 +135,11 @@ signing keys.
Enable support for delta CRLs.
+=item B<-check_ss_sig>
+
+Verify the signature on the self-signed root CA. This is disabled by default
+because it doesn't add any security.
+
=item B<->
marks the last option. All arguments following this are assumed to be