117cbe2e ER |
1 | Skip signature validation on self-signed certificates and |
2 | drop MD2 algorithm from the list of algorithms added to | |
3 | EVP tables by default. (CVE-2009-2409) | |
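--- a/openssl-0.9.7a/crypto/evp/c_alld.c
+++ b/openssl-0.9.7a/crypto/evp/c_alld.c
@@ -64,9 +64,6 @@
 
 void OpenSSL_add_all_digests(void)
 {
-#ifndef OPENSSL_NO_MD2
- EVP_add_digest(EVP_md2());
-#endif
 #ifndef OPENSSL_NO_MD4
 EVP_add_digest(EVP_md4());
 #endif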
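Review bot: The MD2 registration is dropped from OpenSSL_add_all_digests() without any comment saying why, and the same silent removal appears in SSL_library_init() in ssl/ssl_algs.c below; a one-line comment at each removal point, `/* MD2 deliberately not registered by default (CVE-2009-2409). */`, would keep a later merge from re-adding it. Since EVP_md2() is still compiled when OPENSSL_NO_MD2 is unset, the digest presumably remains reachable to code that calls EVP_add_digest(EVP_md2()) itself, so this is a change to the default tables rather than a removal of the algorithm, and the patch description should say so. The practical effect on X.509 verification is that an MD2-signed certificate should now fail at signature-algorithm lookup rather than be checked; that lookup path is outside these hunks, so this is inferred.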
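--- a/openssl-0.9.7a/crypto/x509/x509_vfy.c
+++ b/openssl-0.9.7a/crypto/x509/x509_vfy.c
@@ -665,7 +665,11 @@ static int internal_verify(X509_STORE_CT
 while (n >= 0)
 {
 ctx->error_depth=n;
- if (!xs->valid)
+
+ /* Skip signature check for self signed certificates. It
+ * doesn't add any security and just wastes time.
+ */
+ if (!xs->valid && xs != xi)
 {
 if ((pkey=X509_get_pubkey(xi)) == NULL)
 {
@@ -675,13 +679,6 @@ static int internal_verify(X509_STORE_CT
 if (!ok) goto end;
 }
 else if (X509_verify(xs,pkey) <= 0)
- /* XXX For the final trusted self-signed cert,
- * this is a waste of time. That check should
- * optional so that e.g. 'openssl x509' can be
- * used to detect invalid self-signatures, but
- * we don't verify again and again in SSL
- * handshakes and the like once the cert has
- * been declared trusted. */
 {
 ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
 ctx->current_cert=xs;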
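Review bot: The new `xs != xi` guard skips the signature check for whichever certificate is its own issuer in the chain, not specifically for a trust-store anchor; whether an untrusted self-signed certificate can reach this point with xs == xi depends on how xi is chosen earlier in internal_verify(), which is outside the hunk, and that should be confirmed, because if it can, a bad self-signature on such a certificate is no longer reported as X509_V_ERR_CERT_SIGNATURE_FAILURE and only the self-signed error path is left to catch it. The removed comment also named a legitimate use of the check, detecting invalid self-signatures with 'openssl x509'; later upstream releases kept that possible by gating the skip on a verify flag (X509_V_FLAG_CHECK_SS_SIGNATURE), and a similar opt-in would be preferable to an unconditional skip. The added comment should state what the skip relies on rather than only the time saving: `/* Skip signature check for self signed certificates: trust in xi comes from the store, not from its self-signature, so verifying it adds nothing. */`. internal_verify() starts and ends outside these hunks.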
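--- a/openssl-0.9.7a/ssl/ssl_algs.c
+++ b/openssl-0.9.7a/ssl/ssl_algs.c
@@ -82,9 +82,6 @@ int SSL_library_init(void)
 EVP_add_cipher(EVP_aes_192_cbc());
 EVP_add_cipher(EVP_aes_256_cbc());
 #endif
-#ifndef OPENSSL_NO_MD2
- EVP_add_digest(EVP_md2());
-#endif
 #ifndef OPENSSL_NO_MD5
 EVP_add_digest(EVP_md5());
 EVP_add_digest_alias(SN_md5,"ssl2-md5");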