author | jkim <jkim@FreeBSD.org> | 2016-03-01 22:08:28 +0000 |
---|---|---|
committer | jkim <jkim@FreeBSD.org> | 2016-03-01 22:08:28 +0000 |
commit | de2249f81ccf8ad3eac972b7558a16a3bab99325 (patch) | |
tree | dd0f91775301f47811f2b56ba60043ebdf64aea9 /crypto/openssl/crypto/pkcs7 | |
parent | 0e774f6016f1dfb6a8f55462cc815c3b4da580b2 (diff) | |
parent | 72d32bf80dfdcfe0e69da200b66f195e919653f7 (diff) | |
Merge OpenSSL 1.0.2g.
Relnotes: yes
Diffstat (limited to 'crypto/openssl/crypto/pkcs7')
-rw-r--r-- | crypto/openssl/crypto/pkcs7/pk7_smime.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/crypto/openssl/crypto/pkcs7/pk7_smime.c b/crypto/openssl/crypto/pkcs7/pk7_smime.c
index c4d3724..dc9b484 100644
--- a/crypto/openssl/crypto/pkcs7/pk7_smime.c
+++ b/crypto/openssl/crypto/pkcs7/pk7_smime.c
@@ -274,12 +274,29 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
 PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_NO_CONTENT);
 return 0;
 }
+#if 0
+ /*
+ * NB: this test commented out because some versions of Netscape
+ * illegally include zero length content when signing data. Also
+ * Microsoft Authenticode includes a SpcIndirectDataContent data
+ * structure which describes the content to be protected by the
+ * signature, rather than directly embedding that content. So
+ * Authenticode implementations are also expected to use
+ * PKCS7_verify() with explicit external data, on non-detached
+ * PKCS#7 signatures.
+ *
+ * In OpenSSL 1.1 a new flag PKCS7_NO_DUAL_CONTENT has been
+ * introduced to disable this sanity check. For the 1.0.2 branch
+ * this change is not acceptable, so the check remains completely
+ * commented out (as it has been for a long time).
+ */
 /* Check for data and content: two sets of data */
 if (!PKCS7_get_detached(p7) && indata) {
 PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_CONTENT_AND_DATA_PRESENT);
 return 0;
 }
+#endif
 sinfos = PKCS7_get_signer_info(p7); |
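Review bot: The block comment added above the `#if 0` explains why the `PKCS7_R_CONTENT_AND_DATA_PRESENT` check is disabled but gives callers no guidance, even though the check is live on the old side of this hunk and is compiled out on the new side. With it gone, PKCS7_verify() accepts `indata` together with a structure for which `PKCS7_get_detached(p7)` is false, and which of the two contents the signature is then checked against is decided later in the function, outside the hunk. I would extend the comment with a sentence such as `* Callers that must reject embedded content plus external data have to test PKCS7_get_detached(p7) themselves before passing indata.` so the relaxed behaviour is documented at the point where it is introduced. PKCS7_verify's body starts and ends outside the hunk.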