Add new macro or PKCS7 flag to disable the check for both data and content

Long, Qin qin.long at intel.com
Tue Dec 8 06:20:27 UTC 2015


The new OpenSSL release / HEAD updates removed the following commented-out statement
in the PKCS7_verify() routine, which will return an error for a call if both embedded content and
detached data are provided.

#if 0       --> Removed
    /*
     * NB: this test commented out because some versions of Netscape
     * illegally include zero length content when signing data.
     */

    /* Check for data and content: two sets of data */
    if (!PKCS7_get_detached(p7) && indata) {
        PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_CONTENT_AND_DATA_PRESENT);
        return 0;
    }
#endif

This update will break some existing Authenticode verification solutions which leveraged the
PKCS7_verify() interface, such as UEFI secure boot, and other open-source utilities (e.g. osslsigncode).
The root cause is that Authenticode is an extended PKCS7 format, and its verification process
is different (the embedded data is an extended structure (SpcIndirectDataContent), and will
not be used directly for signature verification). The old commented-out check in PKCS7_verify just helped
to support the Authenticode verification with embedded p7data and user-supplied inData
(some extra checking will be handled outside).

It's better to introduce a new macro or a new PKCS7 flag to re-enable this capability. E.g.

#if !defined(OPENSSL_ALLOW_PKCS7_CONTENT_AND_DATA_PRESENT)
....
Or
if (!(flags & PKCS7_NO_CHECK_BOTH_DATASET))
...

If two data sets (embedded and detached data) are present, the input data will be the default
input for validation (just as in the current logic), so there should be no risk.


Best Regards & Thanks,
LONG, Qin
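The check discussed above and the proposed opt-out flag, modelled as an added Python example (not OpenSSL's code and not from the poster). The PKCS7 stand-in class, the value of PKCS7_NO_CHECK_BOTH_DATASET and the byte layout used for SpcIndirectDataContent are constructed assumptions; the example models only which data PKCS7_verify() would select and the outside digest check, not the signature verification itself.

```python
"""Added illustration of the PKCS7_verify() content/detached check and the
proposed opt-out flag. Not OpenSSL code: the PKCS7 stand-in, the flag value
and the SpcIndirectDataContent layout are constructed assumptions."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed bit for the proposed flag; OpenSSL defines no such flag (that is the proposal).
PKCS7_NO_CHECK_BOTH_DATASET = 0x10000


@dataclass
class PKCS7:
    """Minimal stand-in for a PKCS7 signed-data object (constructed)."""
    content: Optional[bytes]  # embedded content; None when the signature is detached

    def get_detached(self) -> bool:
        # Mirrors PKCS7_get_detached(): true when no content is embedded.
        return self.content is None


def select_verify_input(p7: PKCS7, indata: Optional[bytes],
                        flags: int = 0) -> Tuple[Optional[bytes], Optional[str]]:
    """Mirror the early checks of PKCS7_verify() and return (data, error):
    the bytes that would be digested for signature verification, or the
    reason code the C routine would push on the error queue."""
    # A detached signature with no caller-supplied data has nothing to verify.
    if p7.get_detached() and indata is None:
        return None, "PKCS7_R_NO_CONTENT"
    # The check the new release re-enabled: embedded content AND indata.
    # Callers opting out with the proposed flag skip it.
    if (not p7.get_detached() and indata is not None
            and not (flags & PKCS7_NO_CHECK_BOTH_DATASET)):
        return None, "PKCS7_R_CONTENT_AND_DATA_PRESENT"
    # Caller-supplied data is the default input when present; otherwise the
    # embedded content is used.
    return (indata if indata is not None else p7.content), None


SPC_PREFIX = b"SpcIndirectDataContent:"  # constructed stand-in for the DER structure


def make_spc_indirect_data(image: bytes) -> bytes:
    """Constructed SpcIndirectDataContent: prefix + SHA-256 of the image."""
    return SPC_PREFIX + hashlib.sha256(image).digest()


def verify_authenticode_like(p7: PKCS7, indata: bytes,
                             image: bytes) -> Tuple[bool, Optional[str]]:
    """Authenticode-style flow from the post: the PKCS7 embeds the
    SpcIndirectDataContent, the caller also passes it as indata, and the
    digest inside it is checked against the image outside PKCS7_verify()."""
    data, err = select_verify_input(p7, indata, flags=PKCS7_NO_CHECK_BOTH_DATASET)
    if err is not None:
        return False, err
    if not data.startswith(SPC_PREFIX):
        return False, "not an SpcIndirectDataContent"
    expected = data[len(SPC_PREFIX):]
    # Constant-time comparison of the embedded digest with the image digest.
    if not hmac.compare_digest(expected, hashlib.sha256(image).digest()):
        return False, "image digest mismatch"
    return True, None


if __name__ == "__main__":
    image = b"MZ-constructed-image"  # constructed sample PE image bytes
    spc = make_spc_indirect_data(image)
    print(select_verify_input(PKCS7(content=spc), spc))            # (None, 'PKCS7_R_CONTENT_AND_DATA_PRESENT')
    print(verify_authenticode_like(PKCS7(content=spc), spc, image))  # (True, None)
```

Without the flag, an Authenticode caller that embeds the SpcIndirectDataContent and also passes it as indata hits PKCS7_R_CONTENT_AND_DATA_PRESENT; with the flag, indata is selected and the image digest is checked by the caller, which is the split of responsibilities the post describes.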

