Import OpenSSL 1.1.0f

doc/crypto/PKCS7_verify.pod

@@ -16,7 +16,7 @@ PKCS7_verify, PKCS7_get0_signers - verify a PKCS#7 signedData structure
 
 PKCS7_verify() verifies a PKCS#7 signedData structure. B<p7> is the PKCS7
 structure to verify. B<certs> is a set of certificates in which to search for
-the signer's certificate. B<store> is a trusted certficate store (used for
+the signer's certificate. B<store> is a trusted certificate store (used for
 chain verification). B<indata> is the signed data if the content is not
 present in B<p7> (that is it is detached). The content is written to B<out>
 if it is not NULL.
@@ -34,7 +34,12 @@ Normally the verify process proceeds as follows.
 
 Initially some sanity checks are performed on B<p7>. The type of B<p7> must
 be signedData. There must be at least one signature on the data and if
-the content is detached B<indata> cannot be B<NULL>.
+the content is detached B<indata> cannot be B<NULL>.  If the content is
+not detached and B<indata> is not B<NULL>, then the structure has both
+embedded and external content. To treat this as an error, use the flag
+B<PKCS7_NO_DUAL_CONTENT>.
+The default behavior allows this, for compatibility with older
+versions of OpenSSL.
 
 An attempt is made to locate all the signer's certificates, first looking in
 the B<certs> parameter (if it is not B<NULL>) and then looking in any certificates
@@ -54,7 +59,7 @@ Any of the following flags (ored together) can be passed in the B<flags> paramet
 to change the default verify behaviour. Only the flag B<PKCS7_NOINTERN> is
 meaningful to PKCS7_get0_signers().
 
-If B<PKCS7_NOINTERN> is set the certificates in the message itself are not 
+If B<PKCS7_NOINTERN> is set the certificates in the message itself are not
 searched when locating the signer's certificate. This means that all the signers
 certificates must be in the B<certs> parameter.
 
@@ -79,7 +84,7 @@ certificates supplied in B<certs> then the verify will fail because the
 signer cannot be found.
 
 Care should be taken when modifying the default verify behaviour, for example
-setting B<PKCS7_NOVERIFY|PKCS7_NOSIGS> will totally disable all verification 
+setting B<PKCS7_NOVERIFY|PKCS7_NOSIGS> will totally disable all verification
 and any signed message will be considered valid. This combination is however
 useful if one merely wishes to write the content to B<out> and its validity
 is not considered important.
@@ -96,7 +101,7 @@ if an error occurs.
 
 PKCS7_get0_signers() returns all signers or B<NULL> if an error occurred.
 
-The error can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>
+The error can be obtained from L<ERR_get_error(3)>
 
 =head1 BUGS
 
@@ -109,10 +114,15 @@ mentioned in PKCS7_sign() also applies to PKCS7_verify().
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_sign(3)|PKCS7_sign(3)>
+L<ERR_get_error(3)>, L<PKCS7_sign(3)>
 
-=head1 HISTORY
+=head1 COPYRIGHT
 
-PKCS7_verify() was added to OpenSSL 0.9.5
+Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
 
 =cut