From: Dr. Stephen Henson Date: Sun, 15 Mar 2009 13:36:01 +0000 (+0000) Subject: Don't force S/MIME signing purpose: allow it to be overridden by store X-Git-Tag: OpenSSL_0_9_8k~10 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=37afdc953e5cfc4559d33fea49168953be4c3a6e;p=openssl Don't force S/MIME signing purpose: allow it to be overridden by store settings. Don't set default values in X509_VERIFY_PARAM_new(): it stops parameters being inherited properly.
---
diff --git a/CHANGES b/CHANGES
index 8455d94d98..fe35aa6ed7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,11 @@ Changes between 0.9.8j and 0.9.8k [xx XXX xxxx] + *) Set S/MIME signing as the default purpose rather than setting it + unconditionally. This allows applications to override it at the store + level. + [Steve Henson] + *) Permit restricted recursion of ASN1 strings. This is needed in practice to handle some structures. [Steve Henson]
diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c
index b9463f9abb..167daf5915 100644
--- a/crypto/cms/cms_smime.c
+++ b/crypto/cms/cms_smime.c
@@ -298,7 +298,7 @@ static int cms_signerinfo_verify_cert(CMS_SignerInfo *si,
 CMS_R_STORE_INIT_ERROR);
 goto err;
 }
- X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_SMIME_SIGN);
+ X509_STORE_CTX_set_default(&cert_ctx, "smime_sign");
 if (crls)
 X509_STORE_CTX_set0_crls(&ctx, crls);
diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c
index c34db1d6fe..fd18ec3d95 100644
--- a/crypto/pkcs7/pk7_smime.c
+++ b/crypto/pkcs7/pk7_smime.c
@@ -229,8 +229,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
 sk_X509_free(signers);
 return 0;
 }
- X509_STORE_CTX_set_purpose(&cert_ctx,
- X509_PURPOSE_SMIME_SIGN);
+ X509_STORE_CTX_set_default(&cert_ctx, "smime_sign");
 } else if(!X509_STORE_CTX_init (&cert_ctx, store, signer, NULL)) {
 PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_X509_LIB);
 sk_X509_free(signers); 
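Review bot: In the crypto/cms/cms_smime.c hunk the added call passes `&cert_ctx`, while the line it replaces and the `X509_STORE_CTX_set0_crls(&ctx, crls)` call right after it both use `ctx`. Unless cms_signerinfo_verify_cert declares a `cert_ctx` outside this hunk, this either fails to compile or configures the wrong context; it should read `X509_STORE_CTX_set_default(&ctx, "smime_sign");`. The return value is also ignored, here and in the PKCS7_verify hunk of crypto/pkcs7/pk7_smime.c, so if the named parameter set cannot be found or inherited, verification presumably continues with no S/MIME signing purpose applied. Checking it, e.g. `if (!X509_STORE_CTX_set_default(&ctx, "smime_sign")) goto err;`, makes that case fail closed. Both function bodies start and end outside their hunks, so what the error paths clean up after a successful init is not visible here.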
diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c
index 4bdec58b9e..2b06718aec 100644
--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@@ -74,7 +74,7 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
 param->name = NULL;
 param->purpose = 0;
 param->trust = 0;
- param->inh_flags = X509_VP_FLAG_DEFAULT;
+ param->inh_flags = 0;
 param->flags = 0;
 param->depth = -1;
 if (param->policies)
@@ -324,7 +324,17 @@ static const X509_VERIFY_PARAM default_table[] = {
 NULL /* policies */
 },
 {
- "pkcs7", /* SSL/TLS client parameters */
+ "pkcs7", /* S/MIME signing parameters */
+ 0, /* Check time */
+ 0, /* internal flags */
+ 0, /* flags */
+ X509_PURPOSE_SMIME_SIGN, /* purpose */
+ X509_TRUST_EMAIL, /* trust */
+ -1, /* depth */
+ NULL /* policies */
+ },
+ {
+ "smime_sign", /* S/MIME signing parameters */
 0, /* Check time */
 0, /* internal flags */
 0, /* flags */
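Review bot: The new `param->inh_flags = 0;` in x509_verify_param_zero carries no comment, and the reason for dropping X509_VP_FLAG_DEFAULT is recorded only in the commit message. Because this helper sets the starting state of a parameter structure and, per the commit message, the old value interfered with inheritance, a later cleanup could easily restore it. A comment above the assignment such as `/* no X509_VP_FLAG_DEFAULT: a default here stops parameters being inherited properly */` would keep the intent with the code. The function body starts and ends outside the hunk, so callers that relied on the old default cannot be checked from here.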
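Review bot: The rewritten "pkcs7" entry and the new "smime_sign" entry in default_table carry the identical comment `/* S/MIME signing parameters */`, so nothing tells a reader why two names exist. If "pkcs7" is kept as an alias for existing callers (an assumption; the hunk does not say), note that on the entry, e.g. `"pkcs7", /* S/MIME signing parameters, same values as "smime_sign" */`. The fields of the "smime_sign" entry after `/* flags */` lie outside the hunk, so that the two entries match in purpose and trust should be confirmed. If the table is searched by name with a binary search (the lookup is not visible here), a comment above default_table stating that entries must stay sorted by name would protect later additions.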