From 4e99a5c0b6fa18eb76160d4cb726840aacb45404 Mon Sep 17 00:00:00 2001 From: tb <> Date: Sat, 20 Dec 2025 07:22:43 +0000 Subject: pkcs7: add PKCS7_NO_DUAL_CONTENT flag/behavior What Netscape fucked up just had to be embraced by secure boot and other nonsense. First OpenSSL wanted to be strict (which we inherited) then Rich Salz Postel-ized this and made OpenSSL bypass this check by default and added a flag to be strict 10 years ago. Now sthen found that PHP 8.5 uses/exposes this flag. Follows OpenSSL 6b2ebe43 (2016) ok kenjiro --- src/lib/libcrypto/man/PKCS7_verify.3 | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) (limited to 'src/lib/libcrypto/man') diff --git a/src/lib/libcrypto/man/PKCS7_verify.3 b/src/lib/libcrypto/man/PKCS7_verify.3 index 6bf932b54b..53b32f738a 100644 --- a/src/lib/libcrypto/man/PKCS7_verify.3 +++ b/src/lib/libcrypto/man/PKCS7_verify.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: PKCS7_verify.3,v 1.12 2025/06/08 22:40:30 schwarze Exp $ +.\" $OpenBSD: PKCS7_verify.3,v 1.13 2025/12/20 07:22:43 tb Exp $ .\" OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 8 2025 $ +.Dd $Mdocdate: December 20 2025 $ .Dt PKCS7_VERIFY 3 .Os .Sh NAME @@ -125,6 +125,15 @@ is detached, .Fa indata cannot be .Dv NULL . +If the content is not detached and +.Fa indata +is not +.Fa NULL , +then the structure has both embedded and external content. +To treat this as an error, use the flag +.Dv PKCS7_NO_DUAL_CONTENT . +The default behavior allows this, for compatibility with other +implementations. .Pp An attempt is made to locate all the signer's certificates, first looking in the -- cgit v1.2.3-55-g6feb