author | Dr. Stephen Henson <steve@openssl.org> | 2009-06-26 11:29:26 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2009-06-26 11:29:26 +0000 |
commit | f3be6c7b7d2081101c21c7a9b7ec39f4e86271e5 (patch) | |
tree | ef92e5f388f36bf637cde6f5f6cde8c4ccde525d /crypto/x509 | |
parent | 4aa902ebaffb385199b9d0fb850ca4f9f5cb795e (diff) |
Update from 1.0.0-stable.
Diffstat (limited to 'crypto/x509')
-rw-r--r-- | crypto/x509/x509_vfy.c | 7 | ||||
-rw-r--r-- | crypto/x509/x509_vfy.h | 3 |
2 files changed, 7 insertions, 3 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index dd4065b0ce..200a9cc0b6 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1610,10 +1610,11 @@ static int internal_verify(X509_STORE_CTX *ctx)
 {
 ctx->error_depth=n;
- /* Skip signature check for self signed certificates. It
- * doesn't add any security and just wastes time.
+ /* Skip signature check for self signed certificates unless
+ * explicitly asked for. It doesn't add any security and
+ * just wastes time.
 */
- if (!xs->valid && xs != xi)
+ if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)))
 {
 if ((pkey=X509_get_pubkey(xi)) == NULL)
 {
diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h
index 0df76db849..4e73806adc 100644
--- a/crypto/x509/x509_vfy.h
+++ b/crypto/x509/x509_vfy.h
@@ -387,6 +387,9 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define X509_V_FLAG_EXTENDED_CRL_SUPPORT 0x1000
 /* Delta CRL support */
 #define X509_V_FLAG_USE_DELTAS 0x2000
+/* Check selfsigned CA signature */
+#define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
+
 #define X509_VP_FLAG_DEFAULT 0x1
 #define X509_VP_FLAG_OVERWRITE 0x2 |
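Review bot: The rewritten comment in the x509_vfy.c hunk still says the self-signature check "doesn't add any security and just wastes time", which now sits directly above a condition that lets X509_V_FLAG_CHECK_SS_SIGNATURE turn that very check on, so a reader cannot tell from the comment when the flag is meant to be used. I would replace the three comment lines with one that states the reason for both behaviours, along the lines of `/* A self-signed certificate at the top of the chain (xs == xi) is trusted because it came from the store, not because of its signature, so its self-signature is skipped by default; X509_V_FLAG_CHECK_SS_SIGNATURE lets a caller have it verified anyway. */`. The new condition itself is long enough that a named local, e.g. `int check_ss = ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE;` used as `if (!xs->valid && (xs != xi || check_ss))`, would make the intent visible at a glance. The body of internal_verify, including the code that sets xs->valid, continues outside the hunk.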
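Review bot: The header comment `/* Check selfsigned CA signature */` on the new X509_V_FLAG_CHECK_SS_SIGNATURE define in x509_vfy.h says what is checked but not that the check is otherwise skipped, which is the only reason a caller would set the flag. Since this is a public header, I would expand it to something like `/* Also verify the signature on a self-signed certificate at the top of the chain; skipped by default */`, matching the fuller style of the "Delta CRL support" comment above it.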