Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
OpenHarmony
Third Party Openssl
提交
f3be6c7b
T
Third Party Openssl
项目概览
OpenHarmony
/
Third Party Openssl
8 个月 前同步成功
通知
8
Star
18
Fork
1
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
T
Third Party Openssl
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
前往新版Gitcode,体验更适合开发者的 AI 搜索 >>
提交
f3be6c7b
编写于
6月 26, 2009
作者:
D
Dr. Stephen Henson
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
Update from 1.0.0-stable.
上级
4aa902eb
变更
9
隐藏空白更改
内联
并排
Showing
9 changed file
with
22 addition
and
9 deletion
+22
-9
CHANGES
CHANGES
+4
-3
apps/apps.c
apps/apps.c
+2
-0
apps/x509.c
apps/x509.c
+1
-0
crypto/x509/x509_vfy.c
crypto/x509/x509_vfy.c
+4
-3
crypto/x509/x509_vfy.h
crypto/x509/x509_vfy.h
+3
-0
doc/apps/cms.pod
doc/apps/cms.pod
+1
-1
doc/apps/s_client.pod
doc/apps/s_client.pod
+1
-1
doc/apps/smime.pod
doc/apps/smime.pod
+1
-1
doc/apps/verify.pod
doc/apps/verify.pod
+5
-0
未找到文件。
CHANGES
浏览文件 @
f3be6c7b
...
...
@@ -808,9 +808,10 @@
Changes between 0.9.8k and 0.9.8l [xx XXX xxxx]
*) Don't check self signed certificate signatures in X509_verify_cert():
it just wastes time without adding any security. As a useful side effect
self signed root CAs with non-FIPS digests are now usable in FIPS mode.
*) Don't check self signed certificate signatures in X509_verify_cert()
by default (a flag can override this): it just wastes time without
adding any security. As a useful side effect self signed root CAs
with non-FIPS digests are now usable in FIPS mode.
[Steve Henson]
*) In dtls1_process_out_of_seq_message() the check if the current message
...
...
apps/apps.c
浏览文件 @
f3be6c7b
...
...
@@ -2256,6 +2256,8 @@ int args_verify(char ***pargs, int *pargc,
flags
|=
X509_V_FLAG_USE_DELTAS
;
else
if
(
!
strcmp
(
arg
,
"-policy_print"
))
flags
|=
X509_V_FLAG_NOTIFY_POLICY
;
else
if
(
!
strcmp
(
arg
,
"-check_ss_sig"
))
flags
|=
X509_V_FLAG_CHECK_SS_SIGNATURE
;
else
return
0
;
...
...
apps/x509.c
浏览文件 @
f3be6c7b
...
...
@@ -1130,6 +1130,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
/* NOTE: this certificate can/should be self signed, unless it was
* a certificate request in which case it is not. */
X509_STORE_CTX_set_cert
(
&
xsc
,
x
);
X509_STORE_CTX_set_flags
(
&
xsc
,
X509_V_FLAG_CHECK_SS_SIGNATURE
);
if
(
!
reqfile
&&
X509_verify_cert
(
&
xsc
)
<=
0
)
goto
end
;
...
...
crypto/x509/x509_vfy.c
浏览文件 @
f3be6c7b
...
...
@@ -1610,10 +1610,11 @@ static int internal_verify(X509_STORE_CTX *ctx)
{
ctx
->
error_depth
=
n
;
/* Skip signature check for self signed certificates. It
* doesn't add any security and just wastes time.
/* Skip signature check for self signed certificates unless
* explicitly asked for. It doesn't add any security and
* just wastes time.
*/
if
(
!
xs
->
valid
&&
xs
!=
xi
)
if
(
!
xs
->
valid
&&
(
xs
!=
xi
||
(
ctx
->
param
->
flags
&
X509_V_FLAG_CHECK_SS_SIGNATURE
))
)
{
if
((
pkey
=
X509_get_pubkey
(
xi
))
==
NULL
)
{
...
...
crypto/x509/x509_vfy.h
浏览文件 @
f3be6c7b
...
...
@@ -387,6 +387,9 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
#define X509_V_FLAG_EXTENDED_CRL_SUPPORT 0x1000
/* Delta CRL support */
#define X509_V_FLAG_USE_DELTAS 0x2000
/* Check selfsigned CA signature */
#define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
#define X509_VP_FLAG_DEFAULT 0x1
#define X509_VP_FLAG_OVERWRITE 0x2
...
...
doc/apps/cms.pod
浏览文件 @
f3be6c7b
...
...
@@ -401,7 +401,7 @@ portion of a message so they may be included manually. If signing
then many S/MIME mail clients check the signers certificate's email
address matches that specified in the From: address.
=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy>
=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy
-check_ss_sig
>
Set various certificate chain valiadition option. See the
L<B<verify>|verify(1)> manual page for details.
...
...
doc/apps/s_client.pod
浏览文件 @
f3be6c7b
...
...
@@ -101,7 +101,7 @@ also used when building the client certificate chain.
A file containing trusted certificates to use during server authentication
and to use when attempting to build the client certificate chain.
=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy>
=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy
-check_ss_sig
>
Set various certificate chain valiadition option. See the
L<B<verify>|verify(1)> manual page for details.
...
...
doc/apps/smime.pod
浏览文件 @
f3be6c7b
...
...
@@ -259,7 +259,7 @@ portion of a message so they may be included manually. If signing
then many S/MIME mail clients check the signers certificate's email
address matches that specified in the From: address.
=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy>
=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy
-check_ss_sig
>
Set various options of certificate chain verification. See
L<B<verify>|verify(1)> manual page for details.
...
...
doc/apps/verify.pod
浏览文件 @
f3be6c7b
...
...
@@ -135,6 +135,11 @@ signing keys.
Enable support for delta CRLs.
=item B<-check_ss_sig>
Verify the signature on the self-signed root CA. This is disabled by default
because it doesn't add any security.
=item B<->
marks the last option. All arguments following this are assumed to be
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录