diff options
Diffstat (limited to 'src/lib/libcrypto/pkcs7')
| -rw-r--r-- | src/lib/libcrypto/pkcs7/pk7_smime.c | 23 | ||||
| -rw-r--r-- | src/lib/libcrypto/pkcs7/pkcs7.h | 3 |
2 files changed, 16 insertions, 10 deletions
diff --git a/src/lib/libcrypto/pkcs7/pk7_smime.c b/src/lib/libcrypto/pkcs7/pk7_smime.c index 32f28f0505..9baff7f525 100644 --- a/src/lib/libcrypto/pkcs7/pk7_smime.c +++ b/src/lib/libcrypto/pkcs7/pk7_smime.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: pk7_smime.c,v 1.28 2025/05/10 05:54:38 tb Exp $ */ | 1 | /* $OpenBSD: pk7_smime.c,v 1.29 2025/12/20 07:22:43 tb Exp $ */ |
| 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL | 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
| 3 | * project. | 3 | * project. |
| 4 | */ | 4 | */ |
| @@ -277,14 +277,19 @@ PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, BIO *indata, | |||
| 277 | return 0; | 277 | return 0; |
| 278 | } | 278 | } |
| 279 | 279 | ||
| 280 | /* | 280 | if ((flags & PKCS7_NO_DUAL_CONTENT) != 0) { |
| 281 | * Very old Netscape illegally included empty content with | 281 | /* |
| 282 | * a detached signature. Very old users should upgrade. | 282 | * This was originally "#if 0" because we thought that only old |
| 283 | */ | 283 | * broken Netscape did this. It turns out that Authenticode |
| 284 | /* Check for data and content: two sets of data */ | 284 | * uses this kind of "extended" PKCS7 format, and things like |
| 285 | if (!PKCS7_get_detached(p7) && indata) { | 285 | * UEFI secure boot and tools like osslsigncode need it. In |
| 286 | PKCS7error(PKCS7_R_CONTENT_AND_DATA_PRESENT); | 286 | * Authenticode the verification process is different, but the |
| 287 | return 0; | 287 | * existing PKCS7 verification works. |
| 288 | */ | ||
| 289 | if (!PKCS7_get_detached(p7) && indata != NULL) { | ||
| 290 | PKCS7error(PKCS7_R_CONTENT_AND_DATA_PRESENT); | ||
| 291 | return 0; | ||
| 292 | } | ||
| 288 | } | 293 | } |
| 289 | 294 | ||
| 290 | sinfos = PKCS7_get_signer_info(p7); | 295 | sinfos = PKCS7_get_signer_info(p7); |
diff --git a/src/lib/libcrypto/pkcs7/pkcs7.h b/src/lib/libcrypto/pkcs7/pkcs7.h index 6f0ccc0dc8..bac461d30d 100644 --- a/src/lib/libcrypto/pkcs7/pkcs7.h +++ b/src/lib/libcrypto/pkcs7/pkcs7.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: pkcs7.h,v 1.24 2025/07/02 10:24:17 tb Exp $ */ | 1 | /* $OpenBSD: pkcs7.h,v 1.25 2025/12/20 07:22:43 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -241,6 +241,7 @@ DECLARE_PKCS12_STACK_OF(PKCS7) | |||
| 241 | #define PKCS7_NOCRL 0x2000 | 241 | #define PKCS7_NOCRL 0x2000 |
| 242 | #define PKCS7_PARTIAL 0x4000 | 242 | #define PKCS7_PARTIAL 0x4000 |
| 243 | #define PKCS7_REUSE_DIGEST 0x8000 | 243 | #define PKCS7_REUSE_DIGEST 0x8000 |
| 244 | #define PKCS7_NO_DUAL_CONTENT 0x10000 | ||
| 244 | 245 | ||
| 245 | /* Flags: for compatibility with older code */ | 246 | /* Flags: for compatibility with older code */ |
| 246 | 247 | ||