[openssl-commits] [openssl] master update

Rich Salz rsalz at openssl.org
Tue Feb 23 13:42:06 UTC 2016 

The branch master has been updated
       via  6b2ebe4332e22b4eb7dd6fadf418e3da7b926ca4 (commit)
      from  893fe73a637cd349b4bd2f39d2d6019e1d7cac18 (commit)


- Log -----------------------------------------------------------------
commit 6b2ebe4332e22b4eb7dd6fadf418e3da7b926ca4
Author: Rich Salz <rsalz at akamai.com>
Date:   Mon Feb 22 12:07:06 2016 -0500

    Add PKCS7_NO_DUAL_CONTENT flag
    
    Signed-off-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Tim Hudson <tjh at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/pkcs7/pk7_smime.c    | 16 ++++++++++++----
 doc/crypto/PKCS7_verify.pod |  9 ++++++++-
 include/openssl/pkcs7.h     |  1 +
 3 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c
index ed5268f..8027640 100644
--- a/crypto/pkcs7/pk7_smime.c
+++ b/crypto/pkcs7/pk7_smime.c
@@ -279,10 +279,18 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
         return 0;
     }
 
-    /* Check for data and content: two sets of data */
-    if (!PKCS7_get_detached(p7) && indata) {
-        PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_CONTENT_AND_DATA_PRESENT);
-        return 0;
+    if (flags & PKCS7_NO_DUAL_CONTENT) {
+        /*
+         * This was originally "#if 0" because we thought that only old broken
+         * Netscape did this.  It turns out that Authenticode uses this kind
+         * of "extended" PKCS7 format, and things like UEFI secure boot and
+         * tools like osslsigncode need it.  In Authenticode the verification
+         * process is different, but the existing PKCs7 verification works.
+         */
+        if (!PKCS7_get_detached(p7) && indata) {
+            PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_CONTENT_AND_DATA_PRESENT);
+            return 0;
+        }
     }
 
     sinfos = PKCS7_get_signer_info(p7);
diff --git a/doc/crypto/PKCS7_verify.pod b/doc/crypto/PKCS7_verify.pod
index 3a5300a..b013e33 100644
--- a/doc/crypto/PKCS7_verify.pod
+++ b/doc/crypto/PKCS7_verify.pod
@@ -8,6 +8,8 @@ PKCS7_verify, PKCS7_get0_signers - verify a PKCS#7 signedData structure
 
  #include <openssl/pkcs7.h>
 
+ #define PKCS7_NO_DUAL_CONTENT
+
  int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, BIO *indata, BIO *out, int flags);
 
  STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags);
@@ -34,7 +36,12 @@ Normally the verify process proceeds as follows.
 
 Initially some sanity checks are performed on B<p7>. The type of B<p7> must
 be signedData. There must be at least one signature on the data and if
-the content is detached B<indata> cannot be B<NULL>.
+the content is detached B<indata> cannot be B<NULL>.  If the content is
+not detached and B<indata> is not B<NULL>, then the structure has both
+embedded and external content. To treat this as an error, use the flag
+B<PKCS7_NO_DUAL_CONTENT>.
+The default behavior allows this, for compatibility with older
+versions of OpenSSL.
 
 An attempt is made to locate all the signer's certificates, first looking in
 the B<certs> parameter (if it is not B<NULL>) and then looking in any certificates
diff --git a/include/openssl/pkcs7.h b/include/openssl/pkcs7.h
index 74f6c9b..7ca085e 100644
--- a/include/openssl/pkcs7.h
+++ b/include/openssl/pkcs7.h
@@ -237,6 +237,7 @@ DEFINE_STACK_OF(PKCS7)
 # define PKCS7_NOCRL             0x2000
 # define PKCS7_PARTIAL           0x4000
 # define PKCS7_REUSE_DIGEST      0x8000
+# define PKCS7_NO_DUAL_CONTENT   0x10000
 
 /* Flags: for compatibility with older code */

More information about the openssl-commits mailing list