git.openssl.org Git - openssl.git/commit

author	Matt Caswell <matt@openssl.org>
	Thu, 29 Mar 2018 08:17:11 +0000 (09:17 +0100)
committer	Matt Caswell <matt@openssl.org>
	Tue, 3 Apr 2018 14:54:22 +0000 (15:54 +0100)
commit	afa2a54bb99e4260100a6abdb72f83f97824f2e7
tree	1401acf48c6ca0bd96f496ac8c751cb33b11d7c0	tree \| snapshot
parent	b854bb40364e96eac6239e07ad41292cd4de5a70	commit \| diff

Fix a text canonicalisation bug in CMS

Where a CMS detached signature is used with text content the text goes
through a canonicalisation process first prior to signing or verifying a
signature. This process strips trailing space at the end of lines, converts
line terminators to CRLF and removes additional trailing line terminators
at the end of a file. A bug in the canonicalisation process meant that
some characters, such as form-feed, were incorrectly treated as whitespace
and removed. This is contrary to the specification (RFC5485). This fix
could mean that detached text data signed with an earlier version of
OpenSSL 1.1.0 may fail to verify using the fixed version, or text data
signed with a fixed OpenSSL may fail to verify with an earlier version of
OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data
and use the "-binary" flag (for the "cms" command line application) or set
the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()).

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5791)

CHANGES		diff \| blob \| history
crypto/asn1/asn_mime.c		diff \| blob \| history