提交 31db43df 编写于 作者: D Dr. Stephen Henson

Update from 0.9.8-stable.

上级 512cab01
...@@ -793,6 +793,11 @@ ...@@ -793,6 +793,11 @@
Changes between 0.9.8k and 0.9.8l [xx XXX xxxx] Changes between 0.9.8k and 0.9.8l [xx XXX xxxx]
*) Don't check self signed certificate signatures in X509_verify_cert():
it just wastes time without adding any security. As a useful side effect
self signed root CAs with non-FIPS digests are now usable in FIPS mode.
[Steve Henson]
*) In dtls1_process_out_of_seq_message() the check if the current message *) In dtls1_process_out_of_seq_message() the check if the current message
is already buffered was missing. For every new message was memory is already buffered was missing. For every new message was memory
allocated, allowing an attacker to perform an denial of service attack allocated, allowing an attacker to perform an denial of service attack
......
...@@ -1609,7 +1609,11 @@ static int internal_verify(X509_STORE_CTX *ctx) ...@@ -1609,7 +1609,11 @@ static int internal_verify(X509_STORE_CTX *ctx)
while (n >= 0) while (n >= 0)
{ {
ctx->error_depth=n; ctx->error_depth=n;
if (!xs->valid)
/* Skip signature check for self signed certificates. It
* doesn't add any security and just wastes time.
*/
if (!xs->valid && xs != xi)
{ {
if ((pkey=X509_get_pubkey(xi)) == NULL) if ((pkey=X509_get_pubkey(xi)) == NULL)
{ {
...@@ -1619,13 +1623,6 @@ static int internal_verify(X509_STORE_CTX *ctx) ...@@ -1619,13 +1623,6 @@ static int internal_verify(X509_STORE_CTX *ctx)
if (!ok) goto end; if (!ok) goto end;
} }
else if (X509_verify(xs,pkey) <= 0) else if (X509_verify(xs,pkey) <= 0)
/* XXX For the final trusted self-signed cert,
* this is a waste of time. That check should
* optional so that e.g. 'openssl x509' can be
* used to detect invalid self-signatures, but
* we don't verify again and again in SSL
* handshakes and the like once the cert has
* been declared trusted. */
{ {
ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE; ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
ctx->current_cert=xs; ctx->current_cert=xs;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册