From 237d7b6caee75d64cf8cbbd424afa7627e05be26 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sun, 15 Mar 2009 13:37:34 +0000 Subject: [PATCH] Fix from stable branch. --- CHANGES | 5 +++++ crypto/cms/cms_smime.c | 2 +- crypto/pkcs7/pk7_smime.c | 3 +-- crypto/x509/x509_vpm.c | 15 +++++++++++++-- 4 files changed, 20 insertions(+), 5 deletions(-) diff --git a/CHANGES b/CHANGES index aadff2e087..df5967cf72 100644 --- a/CHANGES +++ b/CHANGES @@ -748,6 +748,11 @@ Changes between 0.9.8j and 0.9.8k [xx XXX xxxx] + *) Set S/MIME signing as the default purpose rather than setting it + unconditionally. This allows applications to override it at the store + level. + [Steve Henson] + *) Permit restricted recursion of ASN1 strings. This is needed in practice to handle some structures. [Steve Henson] diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c index f754b3ce4f..faa9c1d1d7 100644 --- a/crypto/cms/cms_smime.c +++ b/crypto/cms/cms_smime.c @@ -292,7 +292,7 @@ static int cms_signerinfo_verify_cert(CMS_SignerInfo *si, CMS_R_STORE_INIT_ERROR); goto err; } - X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_SMIME_SIGN); + X509_STORE_CTX_set_default(&cert_ctx, "smime_sign"); if (crls) X509_STORE_CTX_set0_crls(&ctx, crls); diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c index a577141d3b..86742d0dcd 100644 --- a/crypto/pkcs7/pk7_smime.c +++ b/crypto/pkcs7/pk7_smime.c @@ -327,8 +327,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, sk_X509_free(signers); return 0; } - X509_STORE_CTX_set_purpose(&cert_ctx, - X509_PURPOSE_SMIME_SIGN); + X509_STORE_CTX_set_default(&cert_ctx, "smime_sign"); } else if(!X509_STORE_CTX_init (&cert_ctx, store, signer, NULL)) { PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_X509_LIB); sk_X509_free(signers); diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c index a80f8e9478..acc50f97d5 100644 --- a/crypto/x509/x509_vpm.c +++ b/crypto/x509/x509_vpm.c 
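Review bot: The added call in the cms_signerinfo_verify_cert hunk passes `&cert_ctx`, but the removed line and the `X509_STORE_CTX_set0_crls(&ctx, crls)` context line both use `ctx`. It looks copied from pk7_smime.c and will not compile unless a `cert_ctx` is declared in the part of the function outside the hunk; it should read `X509_STORE_CTX_set_default(&ctx, "smime_sign");`. The return value of `X509_STORE_CTX_set_default` is also discarded, here and in the PKCS7_verify hunk of crypto/pkcs7/pk7_smime.c. If the name lookup fails, the chain would be verified with no S/MIME purpose or trust applied and no error raised. Checking it as the store init just above is checked, e.g. `if (!X509_STORE_CTX_set_default(&ctx, "smime_sign")) goto err;`, makes that case fail closed.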
@@ -74,7 +74,8 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
 param->name = NULL;
 param->purpose = 0;
 param->trust = 0;
- param->inh_flags = X509_VP_FLAG_DEFAULT;
+ /*param->inh_flags = X509_VP_FLAG_DEFAULT;*/
+ param->inh_flags = 0;
 param->flags = 0;
 param->depth = -1;
 if (param->policies)
@@ -324,7 +325,17 @@ static const X509_VERIFY_PARAM default_table[] = {
 NULL /* policies */
 },
 {
- "pkcs7", /* SSL/TLS client parameters */
+ "pkcs7", /* S/MIME sign parameters */
+ 0, /* Check time */
+ 0, /* internal flags */
+ 0, /* flags */
+ X509_PURPOSE_SMIME_SIGN, /* purpose */
+ X509_TRUST_EMAIL, /* trust */
+ -1, /* depth */
+ NULL /* policies */
+ },
+ {
+ "smime_sign", /* S/MIME sign parameters */
 0, /* Check time */
 0, /* internal flags */
 0, /* flags */
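Review bot: The old assignment in x509_verify_param_zero is left behind as commented-out code (`/*param->inh_flags = X509_VP_FLAG_DEFAULT;*/`), with no reason given for the new value. This function resets every parameter set passed to it, so moving `inh_flags` from `X509_VP_FLAG_DEFAULT` to 0 presumably changes inheritance behaviour for all of them, not only the S/MIME case described in CHANGES. Delete the dead line and state the intent instead, for example `/* no inherit flags by default, so named defaults do not replace values already set (confirm) */`. It is also worth confirming that the other named parameter sets do not depend on the previous default. The function body continues outside the hunk.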
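Review bot: In default_table the "pkcs7" and "smime_sign" entries now carry the identical comment `/* S/MIME sign parameters */`, so the table does not say which name is canonical or why both exist. The callers changed in this commit request "smime_sign"; a comment on the other entry such as `"pkcs7", /* S/MIME sign parameters, same values as "smime_sign" */` would make the duplication deliberate and help keep the two from drifting apart. The purpose, trust, depth and policies fields of the "smime_sign" entry are outside the hunk (they belonged to the old "pkcs7" entry), so confirm they are `X509_PURPOSE_SMIME_SIGN` and `X509_TRUST_EMAIL` as in the new "pkcs7" entry. If lookup by name depends on the entries being sorted (the lookup is not visible here), a one-line comment above the table saying so would protect later additions.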