Fix from stable branch.
authorDr. Stephen Henson <steve@openssl.org>
Sun, 15 Mar 2009 13:37:34 +0000 (13:37 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Sun, 15 Mar 2009 13:37:34 +0000 (13:37 +0000)
CHANGES
crypto/cms/cms_smime.c
crypto/pkcs7/pk7_smime.c
crypto/x509/x509_vpm.c

diff --git a/CHANGES b/CHANGES
index aadff2e..df5967c 100644 (file)
--- a/CHANGES
+++ b/CHANGES
 
  Changes between 0.9.8j and 0.9.8k  [xx XXX xxxx]
 
+  *) Set S/MIME signing as the default purpose rather than setting it 
+     unconditionally. This allows applications to override it at the store
+     level.
+     [Steve Henson]
+
   *) Permit restricted recursion of ASN1 strings. This is needed in practice
      to handle some structures.
      [Steve Henson]
index f754b3c..faa9c1d 100644 (file)
@@ -292,7 +292,7 @@ static int cms_signerinfo_verify_cert(CMS_SignerInfo *si,
                                                CMS_R_STORE_INIT_ERROR);
                goto err;
                }
-       X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_SMIME_SIGN);
+       X509_STORE_CTX_set_default(&cert_ctx, "smime_sign");
        if (crls)
                X509_STORE_CTX_set0_crls(&ctx, crls);
 
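Review bot: The new call on the replaced line passes `&cert_ctx`, while the removed line and the `X509_STORE_CTX_set0_crls(&ctx, crls)` call two lines below both use `ctx`; unless cms_signerinfo_verify_cert declares a cert_ctx outside the hunk this will not compile, and it should read `X509_STORE_CTX_set_default(&ctx, "smime_sign");`. The return value of X509_STORE_CTX_set_default is also discarded, here and at the matching call in the crypto/pkcs7/pk7_smime.c hunk; the old X509_STORE_CTX_set_purpose call had the same weakness, but with a name lookup a missing or misspelled "smime_sign" table entry now fails silently and verification proceeds with whatever purpose the store already carries, so the result should be checked and sent to the existing `goto err` path, e.g. `if (!X509_STORE_CTX_set_default(&ctx, "smime_sign")) goto err;` with a CMS error raised as the store-init failure above it does. cms_signerinfo_verify_cert's body starts and ends outside the hunk.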
index a577141..86742d0 100644 (file)
@@ -327,8 +327,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
                                sk_X509_free(signers);
                                return 0;
                                }
-                       X509_STORE_CTX_set_purpose(&cert_ctx,
-                                               X509_PURPOSE_SMIME_SIGN);
+                       X509_STORE_CTX_set_default(&cert_ctx, "smime_sign");
                } else if(!X509_STORE_CTX_init (&cert_ctx, store, signer, NULL)) {
                        PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_X509_LIB);
                        sk_X509_free(signers);
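Review bot: The parameter name `"smime_sign"` is a bare string literal that has to match the default_table entry added in crypto/x509/x509_vpm.c byte for byte, and the same literal is repeated in crypto/cms/cms_smime.c; a typo at either call site would compile cleanly and only show up as a failed lookup at run time. A single macro defined next to default_table and used at both call sites would keep the three spellings from drifting apart, e.g. `X509_STORE_CTX_set_default(&cert_ctx, <macro for "smime_sign">);` with the macro name chosen to fit the x509 header's naming. PKCS7_verify's body starts and ends outside the hunk.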
index a80f8e9..acc50f9 100644 (file)
@@ -74,7 +74,8 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
        param->name = NULL;
        param->purpose = 0;
        param->trust = 0;
-       param->inh_flags = X509_VP_FLAG_DEFAULT;
+       /*param->inh_flags = X509_VP_FLAG_DEFAULT;*/
+       param->inh_flags = 0;
        param->flags = 0;
        param->depth = -1;
        if (param->policies)
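Review bot: The old assignment is kept as commented-out code on the line above the new `param->inh_flags = 0;`; dead code should be deleted rather than parked in a comment, and the reason for dropping X509_VP_FLAG_DEFAULT from the zeroed state belongs in a why-comment instead, since every parameter set that goes through x509_verify_param_zero now starts with different inheritance flags. If the intent is the one the CHANGES entry describes — letting store-level settings override the built-in default — the line could read `param->inh_flags = 0; /* no inheritance flags by default: store-level parameters must not be overridden */`, with that wording confirmed against X509_VERIFY_PARAM inheritance, which is not visible in this hunk. x509_verify_param_zero's body continues outside the hunk.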
@@ -324,7 +325,17 @@ static const X509_VERIFY_PARAM default_table[] = {
        NULL            /* policies */
        },
        {
-       "pkcs7",                        /* SSL/TLS client parameters */
+       "pkcs7",                        /* S/MIME sign parameters */
+       0,                              /* Check time */
+       0,                              /* internal flags */
+       0,                              /* flags */
+       X509_PURPOSE_SMIME_SIGN,        /* purpose */
+       X509_TRUST_EMAIL,               /* trust */
+       -1,                             /* depth */
+       NULL                            /* policies */
+       },
+       {
+       "smime_sign",                   /* S/MIME sign parameters */
        0,                              /* Check time */
        0,                              /* internal flags */
        0,                              /* flags */
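Review bot: The added "pkcs7" entry appears to carry the same values as the new "smime_sign" entry that follows it (X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, depth -1, no policies; the tail of the "smime_sign" entry is the former "pkcs7" tail retained as context, so this is inferred rather than fully visible), and both now bear the identical comment `/* S/MIME sign parameters */`, which leaves a reader unable to tell why two names exist. A comment on the "pkcs7" entry stating that it is kept as a legacy alias of "smime_sign" for existing callers, e.g. `"pkcs7", /* legacy alias of "smime_sign" */`, would document the duplication and tell a future maintainer which entry is the one to change. default_table is a static initializer that begins before this hunk.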