From 51f67e036768f935502d4418c11e8c85553dd403 Mon Sep 17 00:00:00 2001
From: doug <>
Date: Sat, 7 Feb 2015 14:21:41 +0000
Subject: Don't support very old versions of Netscape (is there any other kind?). Apparently "very old" Netscape versions illegally included empty content and a detached signature. OpenSSL removed the #if 0 that protected these users and added a new button OPENSSL_DONT_SUPPORT_OLD_NETSCAPE. It appears to be off by default to keep the hopes and dreams of very old Netscape users alive. We decided to be rebels and disable support. If you installed your browser from floppy disks, it's time to upgrade! Based on OpenSSL commit: 02a938c953b3e1ced71d9a832de1618f907eb96d ok tedu@, miod@, jsing@
---
 src/lib/libcrypto/pkcs7/pk7_smime.c | 11 +++++------
 src/lib/libssl/src/crypto/pkcs7/pk7_smime.c | 11 +++++------
 2 files changed, 10 insertions(+), 12 deletions(-) (limited to 'src/lib')
diff --git a/src/lib/libcrypto/pkcs7/pk7_smime.c b/src/lib/libcrypto/pkcs7/pk7_smime.c
index 576866f5c2..1c00e5914a 100644
--- a/src/lib/libcrypto/pkcs7/pk7_smime.c
+++ b/src/lib/libcrypto/pkcs7/pk7_smime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pk7_smime.c,v 1.19 2014/11/09 19:17:13 miod Exp $ */
+/* $OpenBSD: pk7_smime.c,v 1.20 2015/02/07 14:21:41 doug Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -287,17 +287,16 @@ PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, BIO *indata,
 PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_NO_CONTENT);
 return 0;
 }
-#if 0
- /* NB: this test commented out because some versions of Netscape
- * illegally include zero length content when signing data.
- */
+ /*
+ * Very old Netscape illegally included empty content with
+ * a detached signature. Very old users should upgrade.
+ */
 /* Check for data and content: two sets of data */
 if (!PKCS7_get_detached(p7) && indata) {
 PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_CONTENT_AND_DATA_PRESENT);
 return 0;
 }
-#endif
 sinfos = PKCS7_get_signer_info(p7);
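Review bot: The comment placed above the re-enabled `if (!PKCS7_get_detached(p7) && indata)` check explains the Netscape history but not what the check protects, which is what a maintainer needs when deciding whether it can ever be relaxed again. When a message carries embedded content and the caller also passes `indata`, there are two candidates for the signed content (the existing comment's "two sets of data"), so rejecting the combination keeps the verified data unambiguous; I would state that, e.g. `/* Reject embedded content plus caller-supplied data: only one can be the signed content. */`. This also makes `PKCS7_R_CONTENT_AND_DATA_PRESENT` newly reachable for callers, and the diffstat lists only the two pk7_smime.c copies, so a regression test for that error path appears to be missing. The same applies to the identical hunk in src/lib/libssl/src/crypto/pkcs7/pk7_smime.c; PKCS7_verify starts and ends outside the hunk.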
diff --git a/src/lib/libssl/src/crypto/pkcs7/pk7_smime.c b/src/lib/libssl/src/crypto/pkcs7/pk7_smime.c
index 576866f5c2..1c00e5914a 100644
--- a/src/lib/libssl/src/crypto/pkcs7/pk7_smime.c
+++ b/src/lib/libssl/src/crypto/pkcs7/pk7_smime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pk7_smime.c,v 1.19 2014/11/09 19:17:13 miod Exp $ */
+/* $OpenBSD: pk7_smime.c,v 1.20 2015/02/07 14:21:41 doug Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -287,17 +287,16 @@ PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, BIO *indata,
 PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_NO_CONTENT);
 return 0;
 }
-#if 0
- /* NB: this test commented out because some versions of Netscape
- * illegally include zero length content when signing data.
- */
+ /*
+ * Very old Netscape illegally included empty content with
+ * a detached signature. Very old users should upgrade.
+ */
 /* Check for data and content: two sets of data */
 if (!PKCS7_get_detached(p7) && indata) {
 PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_CONTENT_AND_DATA_PRESENT);
 return 0;
 }
-#endif
 sinfos = PKCS7_get_signer_info(p7);
-- cgit v1.2.3-55-g6feb