Work around for Netscape PKCS#7 signedData bug.

diff --git a/CHANGES b/CHANGES
index 67b0f565d18d3385ad0edd9f45b72ba2341574a5..a0e0916eca9ffadc06b893ce4d921f6f6b52bdd8 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,11 @@
 
  Changes between 0.9.5a and 0.9.6  [xx XXX 2000]
 
+  *) Disable the check for content being present when verifying detached
+     signatures in pk7_smime.c. Some versions of Netscape (wrongly)
+     include zero length content when signing messages.
+     [Steve Henson]
+
   *) New BIO_shutdown_wr macro, which invokes the BIO_C_SHUTDOWN_WR
      BIO_ctrl (for BIO pairs).
 

diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c
index 2ececcd07e9809edec6ccff34aed8dd72c73572f..d716f9faeba696081bc5bb3cac8dbbe68053f5d3 100644 (file)
--- a/crypto/pkcs7/pk7_smime.c
+++ b/crypto/pkcs7/pk7_smime.c
@@ -172,12 +172,17 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
                PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_NO_CONTENT);
                return 0;
        }
+#if 0
+       /* NB: this test commented out because some versions of Netscape
+        * illegally include zero length content when signing data.
+        */
 
        /* Check for data and content: two sets of data */
        if(!PKCS7_get_detached(p7) && indata) {
                                PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_CONTENT_AND_DATA_PRESENT);
                return 0;
        }
+#endif
 
        sinfos = PKCS7_get_signer_info(p7);