Don't check self-signed signature in X509_verify_cert(), the check just

wastes processing time and doesn't add any security.
author: Dr. Stephen Henson <steve@openssl.org> 2009-06-15 14:52:38 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2009-06-15 14:52:38 +0000
commit: 1e53b797f65ef6d3c2eb1052797683fec27a9ff5 (patch)
tree: 3b3126654278f2a275fc488395c5f5ece0effb02 /crypto
parent: 1ddf6912449ca02e9cdd106f2c423117d6e2ea62 (diff)
1 files changed, 5 insertions, 8 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 336c40ddd7..9e398c2d19 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -986,7 +986,11 @@ static int internal_verify(X509_STORE_CTX *ctx)
 	while (n >= 0)
 		{
 		ctx->error_depth=n;
-		if (!xs->valid)
+
+		/* Skip signature check for self signed certificates. It
+		 * doesn't add any security and just wastes time.
+		 */
+		if (!xs->valid && xs != xi)
 			{
 			if ((pkey=X509_get_pubkey(xi)) == NULL)
 				{
@@ -996,13 +1000,6 @@ static int internal_verify(X509_STORE_CTX *ctx)
 				if (!ok) goto end;
 				}
 			else if (X509_verify(xs,pkey) <= 0)
-				/* XXX  For the final trusted self-signed cert,
-				 * this is a waste of time.  That check should
-				 * optional so that e.g. 'openssl x509' can be
-				 * used to detect invalid self-signatures, but
-				 * we don't verify again and again in SSL
-				 * handshakes and the like once the cert has
-				 * been declared trusted. */
 				{
 				ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
 				ctx->current_cert=xs;
author	Dr. Stephen Henson <steve@openssl.org>	2009-06-15 14:52:38 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2009-06-15 14:52:38 +0000
commit	1e53b797f65ef6d3c2eb1052797683fec27a9ff5 (patch)
tree	3b3126654278f2a275fc488395c5f5ece0effb02 /crypto
parent	1ddf6912449ca02e9cdd106f2c423117d6e2ea62 (diff)