pkcs7: add PKCS7_NO_DUAL_CONTENT flag/behavior

What Netscape fucked up just had to be embraced by secure boot and
other nonsense. First OpenSSL wanted to be strict (which we inherited)
then Rich Salz Postel-ized this and made OpenSSL bypass this check by
default and added a flag to be strict 10 years ago.

Now sthen found that PHP 8.5 uses/exposes this flag.

Follows OpenSSL 6b2ebe43 (2016)

ok kenjiro

3 files changed, 27 insertions, 12 deletions

diff --git a/src/lib/libcrypto/man/PKCS7_verify.3 b/src/lib/libcrypto/man/PKCS7_verify.3
index 6bf932b54b..53b32f738a 100644
--- a/src/lib/libcrypto/man/PKCS7_verify.3
+++ b/src/lib/libcrypto/man/PKCS7_verify.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: PKCS7_verify.3,v 1.12 2025/06/08 22:40:30 schwarze Exp $
+.\"     $OpenBSD: PKCS7_verify.3,v 1.13 2025/12/20 07:22:43 tb Exp $
 .\"     OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 8 2025 $
+.Dd $Mdocdate: December 20 2025 $
 .Dt PKCS7_VERIFY 3
 .Os
 .Sh NAME
@@ -125,6 +125,15 @@ is detached,
 .Fa indata
 cannot be
 .Dv NULL .
+If the content is not detached and
+.Fa indata
+is not
+.Fa NULL ,
+then the structure has both embedded and external content.
+To treat this as an error, use the flag
+.Dv PKCS7_NO_DUAL_CONTENT .
+The default behavior allows this, for compatibility with other
+implementations.
 .Pp
 An attempt is made to locate all the signer's certificates, first
 looking in the
diff --git a/src/lib/libcrypto/pkcs7/pk7_smime.c b/src/lib/libcrypto/pkcs7/pk7_smime.c
index 32f28f0505..9baff7f525 100644
--- a/src/lib/libcrypto/pkcs7/pk7_smime.c
+++ b/src/lib/libcrypto/pkcs7/pk7_smime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pk7_smime.c,v 1.28 2025/05/10 05:54:38 tb Exp $ */
+/* $OpenBSD: pk7_smime.c,v 1.29 2025/12/20 07:22:43 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -277,14 +277,19 @@ PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, BIO *indata,
                 return 0;
         }
 
-        /*
-         * Very old Netscape illegally included empty content with
-         * a detached signature.  Very old users should upgrade.
-         */
-        /* Check for data and content: two sets of data */
-        if (!PKCS7_get_detached(p7) && indata) {
-                PKCS7error(PKCS7_R_CONTENT_AND_DATA_PRESENT);
-                return 0;
+        if ((flags & PKCS7_NO_DUAL_CONTENT) != 0) {
+                /*
+                 * This was originally "#if 0" because we thought that only old
+                 * broken Netscape did this.  It turns out that Authenticode
+                 * uses this kind of "extended" PKCS7 format, and things like
+                 * UEFI secure boot and tools like osslsigncode need it.  In
+                 * Authenticode the verification process is different, but the
+                 * existing PKCS7 verification works.
+                 */
+                if (!PKCS7_get_detached(p7) && indata != NULL) {
+                        PKCS7error(PKCS7_R_CONTENT_AND_DATA_PRESENT);
+                        return 0;
+                }
         }
 
         sinfos = PKCS7_get_signer_info(p7);
diff --git a/src/lib/libcrypto/pkcs7/pkcs7.h b/src/lib/libcrypto/pkcs7/pkcs7.h
index 6f0ccc0dc8..bac461d30d 100644
--- a/src/lib/libcrypto/pkcs7/pkcs7.h
+++ b/src/lib/libcrypto/pkcs7/pkcs7.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkcs7.h,v 1.24 2025/07/02 10:24:17 tb Exp $ */
+/* $OpenBSD: pkcs7.h,v 1.25 2025/12/20 07:22:43 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -241,6 +241,7 @@ DECLARE_PKCS12_STACK_OF(PKCS7)
 #define PKCS7_NOCRL             0x2000
 #define PKCS7_PARTIAL           0x4000
 #define PKCS7_REUSE_DIGEST      0x8000
+#define PKCS7_NO_DUAL_CONTENT   0x10000
 
 /* Flags: for compatibility with older code */