author | Dr. Stephen Henson <steve@openssl.org> | 2009-06-26 11:34:22 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2009-06-26 11:34:22 +0000 |
commit | 9aecc3e5ff3889fbe6f469d61e6f5935d870d4af (patch) | |
tree | ccfe23227378b0d97f770a230c97550c60433973 /crypto | |
parent | b8a4a5bcba1545b5b22fed0ab7fcd5dc37598052 (diff) |
Update from 1.0.0-stable.
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/x509/x509_vfy.c | 7 | ||||
-rw-r--r-- | crypto/x509/x509_vfy.h | 3 |
2 files changed, 7 insertions, 3 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 9e398c2d19..b85456e65b 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -987,10 +987,11 @@ static int internal_verify(X509_STORE_CTX *ctx)
 {
 ctx->error_depth=n;
- /* Skip signature check for self signed certificates. It
- * doesn't add any security and just wastes time.
+ /* Skip signature check for self signed certificates unless
+ * explicitly asked for. It doesn't add any security and
+ * just wastes time.
 */
- if (!xs->valid && xs != xi)
+ if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)))
 {
 if ((pkey=X509_get_pubkey(xi)) == NULL)
 {
diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h
index 76c76e1719..86ae35f69d 100644
--- a/crypto/x509/x509_vfy.h
+++ b/crypto/x509/x509_vfy.h
@@ -363,6 +363,9 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 /* Notify callback that policy is OK */
 #define X509_V_FLAG_NOTIFY_POLICY 0x800
+/* Check selfsigned CA signature */
+#define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
+
 #define X509_VP_FLAG_DEFAULT 0x1
 #define X509_VP_FLAG_OVERWRITE 0x2
 #define X509_VP_FLAG_RESET_FLAGS 0x4 |
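Review bot: The rewritten `if` in the x509_vfy.c hunk folds the self-signed test and the flag test into one expression, which hides the actual policy (the certificate's own signature is verified only when the caller opted in with X509_V_FLAG_CHECK_SS_SIGNATURE) and is easy to mis-edit later; hoisting the flag test into a named local reads better: `int check_ss = (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE) != 0;` followed by `if (!xs->valid && (xs != xi || check_ss))`. The updated comment should also state what the opt-in buys a verifier, namely that a self-signed certificate whose signature does not verify under its own key is then reported as a signature failure at this depth rather than accepted on trust alone, so it is worth enabling for a store that may hold tampered or corrupted roots. `ctx->param` is dereferenced here without a NULL check; whether the context initialisation guarantees it is set is not visible in this hunk. The enclosing internal_verify() begins and ends outside the hunk.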
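Review bot: The one-line comment on the new X509_V_FLAG_CHECK_SS_SIGNATURE definition in the x509_vfy.h hunk does not say that the flag is opt-in or what the trade-off is, which is what a caller deciding whether to set it needs; the .c hunk shows the check is skipped unless the flag is present, so the header could say `/* Also verify the signature on self signed certificates (off by default: it costs a signature check and is skipped as adding no security) */`. The chosen value 0x4000 leaves a gap after 0x800 in the visible lines; if 0x1000 and 0x2000 are already assigned elsewhere in the header a short note to that effect would stop the next flag from colliding.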