Loading CHANGES +4 −3 Original line number Diff line number Diff line Loading @@ -808,9 +808,10 @@ Changes between 0.9.8k and 0.9.8l [xx XXX xxxx] *) Don't check self signed certificate signatures in X509_verify_cert(): it just wastes time without adding any security. As a useful side effect self signed root CAs with non-FIPS digests are now usable in FIPS mode. *) Don't check self signed certificate signatures in X509_verify_cert() by default (a flag can override this): it just wastes time without adding any security. As a useful side effect self signed root CAs with non-FIPS digests are now usable in FIPS mode. [Steve Henson] *) In dtls1_process_out_of_seq_message() the check if the current message Loading apps/apps.c +2 −0 Original line number Diff line number Diff line Loading @@ -2256,6 +2256,8 @@ int args_verify(char ***pargs, int *pargc, flags |= X509_V_FLAG_USE_DELTAS; else if (!strcmp(arg, "-policy_print")) flags |= X509_V_FLAG_NOTIFY_POLICY; else if (!strcmp(arg, "-check_ss_sig")) flags |= X509_V_FLAG_CHECK_SS_SIGNATURE; else return 0; Loading apps/x509.c +1 −0 Original line number Diff line number Diff line Loading @@ -1130,6 +1130,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, /* NOTE: this certificate can/should be self signed, unless it was * a certificate request in which case it is not. */ X509_STORE_CTX_set_cert(&xsc,x); X509_STORE_CTX_set_flags(&xsc, X509_V_FLAG_CHECK_SS_SIGNATURE); if (!reqfile && X509_verify_cert(&xsc) <= 0) goto end; Loading crypto/x509/x509_vfy.c +4 −3 Original line number Diff line number Diff line Loading 
@@ -1610,10 +1610,11 @@ static int internal_verify(X509_STORE_CTX *ctx) { ctx->error_depth=n; /* Skip signature check for self signed certificates. It * doesn't add any security and just wastes time. /* Skip signature check for self signed certificates unless * explicitly asked for. It doesn't add any security and * just wastes time. */ if (!xs->valid && xs != xi) if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) { if ((pkey=X509_get_pubkey(xi)) == NULL) { Loading crypto/x509/x509_vfy.h +3 −0 Original line number Diff line number Diff line Loading @@ -387,6 +387,9 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); #define X509_V_FLAG_EXTENDED_CRL_SUPPORT 0x1000 /* Delta CRL support */ #define X509_V_FLAG_USE_DELTAS 0x2000 /* Check selfsigned CA signature */ #define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000 #define X509_VP_FLAG_DEFAULT 0x1 #define X509_VP_FLAG_OVERWRITE 0x2 Loading Loading
CHANGES +4 −3 Original line number Diff line number Diff line Loading @@ -808,9 +808,10 @@ Changes between 0.9.8k and 0.9.8l [xx XXX xxxx] *) Don't check self signed certificate signatures in X509_verify_cert(): it just wastes time without adding any security. As a useful side effect self signed root CAs with non-FIPS digests are now usable in FIPS mode. *) Don't check self signed certificate signatures in X509_verify_cert() by default (a flag can override this): it just wastes time without adding any security. As a useful side effect self signed root CAs with non-FIPS digests are now usable in FIPS mode. [Steve Henson] *) In dtls1_process_out_of_seq_message() the check if the current message Loading
apps/apps.c +2 −0 Original line number Diff line number Diff line Loading @@ -2256,6 +2256,8 @@ int args_verify(char ***pargs, int *pargc, flags |= X509_V_FLAG_USE_DELTAS; else if (!strcmp(arg, "-policy_print")) flags |= X509_V_FLAG_NOTIFY_POLICY; else if (!strcmp(arg, "-check_ss_sig")) flags |= X509_V_FLAG_CHECK_SS_SIGNATURE; else return 0; Loading
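Review bot: The new `-check_ss_sig` option is accepted by args_verify here, but nothing in this hunk documents it; the verify usage text and the man page entry live outside this diff, so confirm they gain a line such as `-check_ss_sig   verify the signature on self signed certificates (skipped by default)`. Without that, the only way a user learns the default changed is by reading CHANGES. The spelling follows the other X509_V_FLAG_* options in this chain, which is fine. args_verify starts before the hunk and continues after it.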
apps/x509.c +1 −0 Original line number Diff line number Diff line Loading @@ -1130,6 +1130,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, /* NOTE: this certificate can/should be self signed, unless it was * a certificate request in which case it is not. */ X509_STORE_CTX_set_cert(&xsc,x); X509_STORE_CTX_set_flags(&xsc, X509_V_FLAG_CHECK_SS_SIGNATURE); if (!reqfile && X509_verify_cert(&xsc) <= 0) goto end; Loading
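Review bot: The unconditional X509_STORE_CTX_set_flags(&xsc, X509_V_FLAG_CHECK_SS_SIGNATURE) before X509_verify_cert() has no why-comment, yet it appears to be the one caller that opts out of the new default, and the CHANGES entry says the default skip is what lets self signed roots with non-FIPS digests verify in FIPS mode; presumably `x509 -CA` with such a CA will now fail at this point in FIPS mode, which is worth stating. Suggest extending the existing NOTE above it: `* The CA's own signature is checked here on purpose (X509_V_FLAG_CHECK_SS_SIGNATURE): a bad self signed CA should be reported by this tool, not silently trusted.` The flag is also set when reqfile is true even though the verify is then skipped; harmless, but the comment could say the flag is only meaningful on the !reqfile path. x509_certify continues outside the hunk.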
crypto/x509/x509_vfy.c +4 −3 Original line number Diff line number Diff line Loading @@ -1610,10 +1610,11 @@ static int internal_verify(X509_STORE_CTX *ctx) { ctx->error_depth=n; /* Skip signature check for self signed certificates. It * doesn't add any security and just wastes time. /* Skip signature check for self signed certificates unless * explicitly asked for. It doesn't add any security and * just wastes time. */ if (!xs->valid && xs != xi) if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) { if ((pkey=X509_get_pubkey(xi)) == NULL) { Loading
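Review bot: The rewritten comment's claim that the check "doesn't add any security" holds only when the self signed certificate at the top of the chain is a trust anchor taken from the store; if a peer-supplied self signed certificate reaches internal_verify because an application verify callback overrode the depth-zero self signed error, its signature is now never verified at all, since `xs == xi` and the flag is clear by default. That path is inferred (the loop assigning xs and xi and the callback handling are outside the hunk), but the comment should not overstate the case; suggest `/* Skip signature check for self signed certificates unless X509_V_FLAG_CHECK_SS_SIGNATURE is set: for a trusted root it proves nothing extra. A self signed cert accepted via callback override is then never signature-checked. */`. A corrupted or tampered root in the store is likewise no longer caught here by default, which deserves a line in the CHANGES entry. internal_verify starts before this hunk.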
crypto/x509/x509_vfy.h +3 −0 Original line number Diff line number Diff line Loading @@ -387,6 +387,9 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); #define X509_V_FLAG_EXTENDED_CRL_SUPPORT 0x1000 /* Delta CRL support */ #define X509_V_FLAG_USE_DELTAS 0x2000 /* Check selfsigned CA signature */ #define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000 #define X509_VP_FLAG_DEFAULT 0x1 #define X509_VP_FLAG_OVERWRITE 0x2 Loading
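Review bot: The one-line comment on X509_V_FLAG_CHECK_SS_SIGNATURE does not say that it is an opt-in for a check that is now skipped by default, which is what a caller reading only the header needs to know; suggest `/* Check selfsigned CA signature (skipped by default; set this flag to verify it) */`. The value 0x4000 continues the existing sequence after X509_V_FLAG_USE_DELTAS 0x2000 with no collision visible in this hunk.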