[Pkg-openssl-changes] r433 - in openssl/branches/lenny: crypto/x509 debian
Kurt Roeckx
kroeckx at alioth.debian.org
Fri Sep 11 15:00:53 UTC 2009
Author: kroeckx
Date: 2009-09-11 15:00:53 +0000 (Fri, 11 Sep 2009)
New Revision: 433
Modified:
openssl/branches/lenny/crypto/x509/x509_vfy.c
openssl/branches/lenny/debian/changelog
Log:
Don't check self signed certificate signatures in X509_verify_cert()
(Closes: #541735)
Modified: openssl/branches/lenny/crypto/x509/x509_vfy.c
===================================================================
--- openssl/branches/lenny/crypto/x509/x509_vfy.c 2009-09-11 14:59:39 UTC (rev 432)
+++ openssl/branches/lenny/crypto/x509/x509_vfy.c 2009-09-11 15:00:53 UTC (rev 433)
@@ -982,7 +982,11 @@
while (n >= 0)
{
ctx->error_depth=n;
- if (!xs->valid)
+
+ /* Skip signature check for self signed certificates. It
+ * doesn't add any security and just wastes time.
+ */
+ if (!xs->valid && xs != xi)
{
if ((pkey=X509_get_pubkey(xi)) == NULL)
{
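Review bot: the new `xs != xi` guard skips the signature check for the top-of-chain certificate only, and the comment "doesn't add any security" deserves a qualifier. What establishes trust is the lookup of that certificate in the trust store, so a valid self-signature indeed adds nothing for a trusted root, but the same condition also covers an untrusted self-signed certificate at the top of the chain, whose signature is now never checked either; the outcome then rests entirely on the self-signed-in-chain error handling and on whatever the verify callback does with it. Suggest saying so in the comment, and consider keeping the check reachable behind a verify flag so that tools such as `openssl x509`/`openssl verify` can still opt in to detecting a corrupt self-signature, which is exactly what the XXX comment removed further down asked for.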
@@ -992,13 +996,6 @@
if (!ok) goto end;
}
else if (X509_verify(xs,pkey) <= 0)
- /* XXX For the final trusted self-signed cert,
- * this is a waste of time. That check should
- * optional so that e.g. 'openssl x509' can be
- * used to detect invalid self-signatures, but
- * we don't verify again and again in SSL
- * handshakes and the like once the cert has
- * been declared trusted. */
{
ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
ctx->current_cert=xs;
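Review bot: with the guard added above, the `X509_verify(xs,pkey) <= 0` branch can no longer fire for a self-signed top certificate, so `X509_V_ERR_CERT_SIGNATURE_FAILURE` is never reported for one. That is an observable behaviour change for callers that relied on it (the removed comment names `openssl x509` as such a consumer); it should be stated in the changelog rather than only implied by deleting the comment. Dropping the XXX comment itself is fine, as the new comment in the earlier hunk replaces it, but the "should be optional" part of its rationale is lost and is worth carrying over.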
Modified: openssl/branches/lenny/debian/changelog
===================================================================
--- openssl/branches/lenny/debian/changelog 2009-09-11 14:59:39 UTC (rev 432)
+++ openssl/branches/lenny/debian/changelog 2009-09-11 15:00:53 UTC (rev 433)
@@ -1,3 +1,10 @@
+openssl (0.9.8g-15+lenny5) stable-security; urgency=low
+
+ * Don't check self signed certificate signatures in X509_verify_cert()
+ (Closes: #541735)
+
+ -- Kurt Roeckx <kurt at roeckx.be> Fri, 11 Sep 2009 17:00:05 +0200
+
openssl (0.9.8g-15+lenny4) stable-security; urgency=low
* Remove MD2 from digest algorithm table. (CVE-2009-2409) (Closes: #539899)
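Review bot: the changelog entry states what changed but not why or what the effect is. Suggest adding the rationale from the code comment (no security gain, avoids repeated signature verification on trusted self-signed certificates in SSL handshakes) and noting that a corrupt self-signature on a self-signed certificate is no longer reported by X509_verify_cert(). The entry also targets `stable-security` with `urgency=low` while the change fixes no security issue and references no CVE, unlike the preceding lenny4 entry; if this upload is riding on the security suite for convenience, a word in the entry would help, otherwise the distribution may be wrong. Minor: "self signed" is written "self-signed" elsewhere in the code comments.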