diff options
author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-01-17 02:33:14 -0500 |
---|---|---|
committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-01-18 13:20:48 -0500 |
commit | 0e76014e584ba78ef1d6ecb4572391ef61c4fb51 (patch) | |
tree | 7f12b477dda49ed717ab35a38e81f39f019f6a02 /crypto/x509/x509_vfy.c | |
parent | 86334b6a61b35a3f3d487cc0eb74ac1aff79d185 (diff) | |
download | openssl-0e76014e584ba78ef1d6ecb4572391ef61c4fb51.tar.gz |
Drop cached certificate signature validity flag
It seems risky in the context of cross-signed certificates when the
same certificate might have multiple potential issuers. Also rarely
used, since chains in OpenSSL typically only employ self-signed
trust-anchors, whose self-signatures are not checked, while untrusted
certificates are generally ephemeral.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Diffstat (limited to 'crypto/x509/x509_vfy.c')
-rw-r--r-- | crypto/x509/x509_vfy.c | 6 |
1 files changed, 1 insertions, 5 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 48d936791f..ec9c3211cc 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -1618,9 +1618,7 @@ static int internal_verify(X509_STORE_CTX *ctx) * explicitly asked for. It doesn't add any security and just wastes * time. */ - if (!xs->valid - && (xs != xi - || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) { + if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) { if ((pkey = X509_get0_pubkey(xi)) == NULL) { ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; ctx->current_cert = xi; @@ -1636,8 +1634,6 @@ static int internal_verify(X509_STORE_CTX *ctx) } } - xs->valid = 1; - check_cert: ok = x509_check_cert_time(ctx, xs, 0); if (!ok) |