diff options
Diffstat (limited to 'crypto/pkcs7')
| -rw-r--r-- | crypto/pkcs7/pk7_smime.c | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c index ed5268fd0f..8027640de3 100644 --- a/crypto/pkcs7/pk7_smime.c +++ b/crypto/pkcs7/pk7_smime.c @@ -279,10 +279,18 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, return 0; } - /* Check for data and content: two sets of data */ - if (!PKCS7_get_detached(p7) && indata) { - PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_CONTENT_AND_DATA_PRESENT); - return 0; + if (flags & PKCS7_NO_DUAL_CONTENT) { + /* + * This was originally "#if 0" because we thought that only old broken + * Netscape did this. It turns out that Authenticode uses this kind + * of "extended" PKCS7 format, and things like UEFI secure boot and + * tools like osslsigncode need it. In Authenticode the verification + * process is different, but the existing PKCs7 verification works. + */ + if (!PKCS7_get_detached(p7) && indata) { + PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_CONTENT_AND_DATA_PRESENT); + return 0; + } } sinfos = PKCS7_get_signer_info(p7); |