[openssl-commits] [openssl] master update
Viktor Dukhovni
viktor at openssl.org
Mon Jan 18 18:21:16 UTC 2016
The branch master has been updated
via 0e76014e584ba78ef1d6ecb4572391ef61c4fb51 (commit)
from 86334b6a61b35a3f3d487cc0eb74ac1aff79d185 (commit)
- Log -----------------------------------------------------------------
commit 0e76014e584ba78ef1d6ecb4572391ef61c4fb51
Author: Viktor Dukhovni <openssl-users at dukhovni.org>
Date: Sun Jan 17 02:33:14 2016 -0500
Drop cached certificate signature validity flag
It seems risky in the context of cross-signed certificates when the
same certificate might have multiple potential issuers. Also rarely
used, since chains in OpenSSL typically only employ self-signed
trust-anchors, whose self-signatures are not checked, while untrusted
certificates are generally ephemeral.
Reviewed-by: Dr. Stephen Henson <steve at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
crypto/include/internal/x509_int.h | 1 -
crypto/x509/x509_vfy.c | 6 +-----
crypto/x509/x_x509.c | 1 -
3 files changed, 1 insertion(+), 7 deletions(-)
diff --git a/crypto/include/internal/x509_int.h b/crypto/include/internal/x509_int.h
index 5997a21..c11d3b3 100644
--- a/crypto/include/internal/x509_int.h
+++ b/crypto/include/internal/x509_int.h
@@ -192,7 +192,6 @@ struct x509_st {
X509_CINF cert_info;
X509_ALGOR sig_alg;
ASN1_BIT_STRING signature;
- int valid;
int references;
char *name;
CRYPTO_EX_DATA ex_data;
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 48d9367..ec9c321 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1618,9 +1618,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
* explicitly asked for. It doesn't add any security and just wastes
* time.
*/
- if (!xs->valid
- && (xs != xi
- || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) {
+ if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) {
if ((pkey = X509_get0_pubkey(xi)) == NULL) {
ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
ctx->current_cert = xi;
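Review bot: The new condition on the `if` line checks the issuer signature on every pass through internal_verify, but the comment block directly above it (which starts outside the hunk, and only partly visible here) still reads as if it were only justifying the self-signature special case, so the reason the cached short-circuit is gone is not stated at the point where a maintainer would be tempted to re-add it. I would add, just above the `if`, `/* Signature validity is deliberately not cached on the X509: with cross-signed certificates the same xs may be verified against different issuers, so a per-certificate flag would be unsound. */`. It is worth a second sentence noting that repeated verification of the same objects now repeats the signature checks, which the commit accepts as a cost. The body of internal_verify continues outside this hunk, so I have not checked whether any other reader of the dropped field survives there.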
@@ -1636,8 +1634,6 @@ static int internal_verify(X509_STORE_CTX *ctx)
}
}
- xs->valid = 1;
-
check_cert:
ok = x509_check_cert_time(ctx, xs, 0);
if (!ok)
diff --git a/crypto/x509/x_x509.c b/crypto/x509/x_x509.c
index 4733321..53a5eb7 100644
--- a/crypto/x509/x_x509.c
+++ b/crypto/x509/x_x509.c
@@ -90,7 +90,6 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
switch (operation) {
case ASN1_OP_NEW_POST:
- ret->valid = 0;
ret->name = NULL;
ret->ex_flags = 0;
ret->ex_pathlen = -1;