From e9f756769d22473955d6535a62e78476bf0dcd13 Mon Sep 17 00:00:00 2001
From: tb
Date: Wed, 29 Jun 2022 21:19:21 +0000
Subject: [PATCH] Don't check the signature if a cert is self signed.

ok beck jsing
---
 lib/libssl/ssl_seclevel.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/lib/libssl/ssl_seclevel.c b/lib/libssl/ssl_seclevel.c
index b24999498cf..4bcbcbf36c0 100644
--- a/lib/libssl/ssl_seclevel.c
+++ b/lib/libssl/ssl_seclevel.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_seclevel.c,v 1.9 2022/06/29 21:10:20 tb Exp $ */
+/* $OpenBSD: ssl_seclevel.c,v 1.10 2022/06/29 21:19:21 tb Exp $ */
 /*
 * Copyright (c) 2020 Theo Buehler
 *
@@ -26,6 +26,7 @@
 #include
 #include
 #include
+#include
 #include "ssl_locl.h"
@@ -284,7 +285,7 @@ ssl_security_cert_key(const SSL_CTX *ctx, const SSL *ssl, X509 *x509, int op)
 }
 static int
-ssl_cert_signature_md_nid(const X509 *x509)
+ssl_cert_signature_md_nid(X509 *x509)
 {
 int md_nid, signature_nid;
@@ -317,6 +318,10 @@ ssl_security_cert_sig(const SSL_CTX *ctx, const SSL *ssl, X509 *x509, int op)
 {
 int md_nid, security_bits;
+ /* Don't check signature if self signed. */
+ if ((X509_get_extension_flags(x509) & EXFLAG_SS) != 0)
+ return 1;
+
 md_nid = ssl_cert_signature_md_nid(x509);
 security_bits = ssl_cert_md_nid_security_bits(md_nid);
--
2.20.1
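Review bot: The definition of ssl_cert_signature_md_nid loses the `const` on its X509 parameter, yet nothing in this hunk shows a callee that needs a mutable pointer, so the reason is not visible where a reader will look for it; the function's body lies outside the hunk. If the qualifier was dropped because a callee populates or reads the certificate's cached extension data through a non-const pointer, a one-line comment at the definition would stop the next cleanup from restoring it, e.g. `/* Not const: callee may need to populate the X509 extension cache. */` (reason inferred, please confirm). Without such a note the weaker contract reads as accidental.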
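Review bot: The early return added in ssl_security_cert_sig keys on EXFLAG_SS but the comment only restates the condition, so a reader cannot tell whether the signature is being trusted or simply deemed irrelevant; since the flag comes from the cached extension flags rather than from a verification of the signature with the certificate's own key (as far as the hunk shows), the justification is that a self-signed certificate's signature is never what chain trust rests on. I would expand the comment to `/* A self-signed cert's signature is not relied upon for trust (the anchor comes from the store), so its digest does not affect the security level. */`. If X509_get_extension_flags reports an invalid or unparsed extension cache, the condition is false and the normal digest check still runs, which is the conservative outcome and worth stating in the same comment. ssl_security_cert_sig continues past the end of the hunk.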