authorDr. Stephen Henson <steve@openssl.org>2009-06-26 11:34:22 +0000
committerDr. Stephen Henson <steve@openssl.org>2009-06-26 11:34:22 +0000
commit9aecc3e5ff3889fbe6f469d61e6f5935d870d4af (patch)
treeccfe23227378b0d97f770a230c97550c60433973 /crypto
parentb8a4a5bcba1545b5b22fed0ab7fcd5dc37598052 (diff)
Update from 1.0.0-stable.
Diffstat (limited to 'crypto')
-rw-r--r--crypto/x509/x509_vfy.c7
-rw-r--r--crypto/x509/x509_vfy.h3
2 files changed, 7 insertions, 3 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 9e398c2d19..b85456e65b 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -987,10 +987,11 @@ static int internal_verify(X509_STORE_CTX *ctx)
{
ctx->error_depth=n;
- /* Skip signature check for self signed certificates. It
- * doesn't add any security and just wastes time.
+ /* Skip signature check for self signed certificates unless
+ * explicitly asked for. It doesn't add any security and
+ * just wastes time.
*/
- if (!xs->valid && xs != xi)
+ if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)))
{
if ((pkey=X509_get_pubkey(xi)) == NULL)
{
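Review bot: The rewritten comment above the condition in internal_verify still says the self-signature check "doesn't add any security and just wastes time", which sits awkwardly beside "unless explicitly asked for" and gives no reason why a caller would set X509_V_FLAG_CHECK_SS_SIGNATURE. I would state what the opt-in check does and does not give, e.g. `/* Skip signature check for self signed certificates unless X509_V_FLAG_CHECK_SS_SIGNATURE is set: the check cannot establish trust, it only confirms the certificate verifies under its own public key. */`. The new condition is also long enough to be worth breaking after the `||`. internal_verify starts and ends outside this hunk, so whether ctx->param is guaranteed non-NULL on this path is not visible here and is worth confirming.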
diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h
index 76c76e1719..86ae35f69d 100644
--- a/crypto/x509/x509_vfy.h
+++ b/crypto/x509/x509_vfy.h
@@ -363,6 +363,9 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
/* Notify callback that policy is OK */
#define X509_V_FLAG_NOTIFY_POLICY 0x800
+/* Check selfsigned CA signature */
+#define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
+
#define X509_VP_FLAG_DEFAULT 0x1
#define X509_VP_FLAG_OVERWRITE 0x2
#define X509_VP_FLAG_RESET_FLAGS 0x4
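Review bot: The comment on X509_V_FLAG_CHECK_SS_SIGNATURE says "selfsigned CA", but the test it gates in x509_vfy.c is `xs != xi`, which as far as the first hunk shows applies to any certificate that is its own issuer in the chain, CA or not. The header should say that, and that the check runs only when a caller sets the flag, for example `/* Also verify the signature on a self signed certificate in the chain; only done when this flag is set */`. The value also jumps from 0x800 to 0x4000 in the visible lines; if 0x1000 and 0x2000 are taken or reserved elsewhere, a one-line comment saying so would help avoid a later collision.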