authorDr. Stephen Henson <steve@openssl.org>2009-06-26 11:29:26 +0000
committerDr. Stephen Henson <steve@openssl.org>2009-06-26 11:29:26 +0000
commitf3be6c7b7d2081101c21c7a9b7ec39f4e86271e5 (patch)
treeef92e5f388f36bf637cde6f5f6cde8c4ccde525d /crypto/x509
parent4aa902ebaffb385199b9d0fb850ca4f9f5cb795e (diff)
Update from 1.0.0-stable.
Diffstat (limited to 'crypto/x509')
-rw-r--r--crypto/x509/x509_vfy.c7
-rw-r--r--crypto/x509/x509_vfy.h3
2 files changed, 7 insertions, 3 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index dd4065b0ce..200a9cc0b6 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1610,10 +1610,11 @@ static int internal_verify(X509_STORE_CTX *ctx)
{
ctx->error_depth=n;
- /* Skip signature check for self signed certificates. It
- * doesn't add any security and just wastes time.
+ /* Skip signature check for self signed certificates unless
+ * explicitly asked for. It doesn't add any security and
+ * just wastes time.
*/
- if (!xs->valid && xs != xi)
+ if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)))
{
if ((pkey=X509_get_pubkey(xi)) == NULL)
{
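Review bot: The comment kept above the new condition still states that verifying a self-signed certificate's signature "doesn't add any security and just wastes time", which now contradicts the flag added on the same lines to request exactly that check; a reader will not learn from it when X509_V_FLAG_CHECK_SS_SIGNATURE is worth setting. I would reword it to describe the trade-off, e.g. `/* A self-signed certificate is trusted because it is in the store, not because of its signature, so the signature check is skipped by default; X509_V_FLAG_CHECK_SS_SIGNATURE asks for it anyway (presumably to catch a corrupted or tampered-with root). */`. The new condition line is also well past 80 columns for this file; moving the flag test onto its own continuation line, `|| (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))`, keeps the precedence of `!=` and `||` visible at a glance. internal_verify starts and ends outside the hunk, so whether ctx->param is guaranteed non-NULL at this point cannot be confirmed from here.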
diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h
index 0df76db849..4e73806adc 100644
--- a/crypto/x509/x509_vfy.h
+++ b/crypto/x509/x509_vfy.h
@@ -387,6 +387,9 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
#define X509_V_FLAG_EXTENDED_CRL_SUPPORT 0x1000
/* Delta CRL support */
#define X509_V_FLAG_USE_DELTAS 0x2000
+/* Check selfsigned CA signature */
+#define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
+
#define X509_VP_FLAG_DEFAULT 0x1
#define X509_VP_FLAG_OVERWRITE 0x2