Don't support very old versions of Netscape (is there any other kind?).

Apparently "very old" Netscape versions illegally included empty content
and a detached signature.  OpenSSL removed the #if 0 that protected
these users and added a new button OPENSSL_DONT_SUPPORT_OLD_NETSCAPE.
It appears to be off by default to keep the hopes and dreams of very old
Netscape users alive.  We decided to be rebels and disable support.

If you installed your browser from floppy disks, it's time to upgrade!

Based on OpenSSL commit: 02a938c953b3e1ced71d9a832de1618f907eb96d

ok tedu@, miod@, jsing@

1 files changed, 5 insertions, 6 deletions

diff --git a/lib/libcrypto/pkcs7/pk7_smime.c b/lib/libcrypto/pkcs7/pk7_smime.c
index 576866f5c25..1c00e5914a6 100644
--- a/lib/libcrypto/pkcs7/pk7_smime.c
+++ b/lib/libcrypto/pkcs7/pk7_smime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pk7_smime.c,v 1.19 2014/11/09 19:17:13 miod Exp $ */
+/* $OpenBSD: pk7_smime.c,v 1.20 2015/02/07 14:21:41 doug Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -287,17 +287,16 @@ PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, BIO *indata,
 		PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_NO_CONTENT);
 		return 0;
 	}
-#if 0
-	/* NB: this test commented out because some versions of Netscape
-	 * illegally include zero length content when signing data.
-	 */
 
+	/*
+	 * Very old Netscape illegally included empty content with
+	 * a detached signature.  Very old users should upgrade.
+	 */
 	/* Check for data and content: two sets of data */
 	if (!PKCS7_get_detached(p7) && indata) {
 		PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_CONTENT_AND_DATA_PRESENT);
 		return 0;
 	}
-#endif
 
 	sinfos = PKCS7_get_signer_info(p7);