summaryrefslogtreecommitdiffstats
path: root/CryptoPkg
diff options
context:
space:
mode:
authorDavid Woodhouse <David.Woodhouse@intel.com>2015-10-29 14:16:54 +0000
committerqlong <qlong@Edk2>2015-10-29 14:16:54 +0000
commitde0408be72d4a0e27683ce594fde982ff9085f7f (patch)
tree0baa4b039489979601fe1ada02efbcdb257787c1 /CryptoPkg
parent68547181f3c5b1c0a73e748b44be1f454e2f7e3c (diff)
downloadedk2-de0408be72d4a0e27683ce594fde982ff9085f7f.tar.gz
edk2-de0408be72d4a0e27683ce594fde982ff9085f7f.tar.bz2
edk2-de0408be72d4a0e27683ce594fde982ff9085f7f.zip
CryptoPkg/BaseCryptLib: Use X509_V_FLAG_NO_CHECK_TIME
OpenSSL HEAD is in the process of adding this flag to disable the validity time checking. Backport it to 1.0.2 and use it too, for consistency. https://rt.openssl.org/Ticket/Display.html?id=3951&user=guest&pass=guest Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Reviewed-by: Qin Long <qin.long@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18704 6f19259b-4bc3-4df7-8a09-765794883524
Diffstat (limited to 'CryptoPkg')
-rw-r--r--CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c5
-rw-r--r--CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c5
-rw-r--r--CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c5
-rw-r--r--CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch49
4 files changed, 39 insertions, 25 deletions
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
index 4d23cbfb94..fafcf1ba85 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
@@ -569,9 +569,10 @@ Pkcs7Verify (
//
// Allow partial certificate chains, terminated by a non-self-signed but
- // still trusted intermediate certificate.
+ // still trusted intermediate certificate. Also disable time checks.
//
- X509_STORE_set_flags (CertStore, X509_V_FLAG_PARTIAL_CHAIN);
+ X509_STORE_set_flags (CertStore,
+ X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME);
//
// OpenSSL PKCS7 Verification by default checks for SMIME (email signing) and
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
index 449a08db2c..d49581221c 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
@@ -426,9 +426,10 @@ TimestampTokenVerify (
//
// Allow partial certificate chains, terminated by a non-self-signed but
- // still trusted intermediate certificate.
+ // still trusted intermediate certificate. Also disable time checks.
//
- X509_STORE_set_flags (CertStore, X509_V_FLAG_PARTIAL_CHAIN);
+ X509_STORE_set_flags (CertStore,
+ X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME);
X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY);
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
index 669a7af3db..7dc4596759 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
@@ -465,9 +465,10 @@ X509VerifyCert (
//
// Allow partial certificate chains, terminated by a non-self-signed but
- // still trusted intermediate certificate.
+ // still trusted intermediate certificate. Also disable time checks.
//
- X509_STORE_set_flags (CertStore, X509_V_FLAG_PARTIAL_CHAIN);
+ X509_STORE_set_flags (CertStore,
+ X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME);
//
// Set up X509_STORE_CTX for the subsequent verification operation.
diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch
index 72e5f3da54..220d44ef3b 100644
--- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch
+++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch
@@ -210,25 +210,36 @@ diff U3 crypto/rsa/rsa_ameth.c crypto/rsa/rsa_ameth.c
diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c
--- crypto/x509/x509_vfy.c Thu Jun 11 21:52:58 2015
+++ crypto/x509/x509_vfy.c Fri Jun 12 11:29:37 2015
-@@ -1653,6 +1653,10 @@
-
- static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
- {
-+#ifdef OPENSSL_SYS_UEFI
-+ /* Bypass Certificate Time Checking for UEFI version. */
-+ return 1;
-+#else
- time_t *ptime;
- int i;
-
-@@ -1692,6 +1696,7 @@
- }
-
- return 1;
-+#endif
- }
-
- static int internal_verify(X509_STORE_CTX *ctx)
+@@ -935,6 +935,8 @@
+ ctx->current_crl = crl;
+ if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
+ ptime = &ctx->param->check_time;
++ else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
++ return 1;
+ else
+ ptime = NULL;
+
+@@ -1658,6 +1660,8 @@
+
+ if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
+ ptime = &ctx->param->check_time;
++ else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
++ return 1;
+ else
+ ptime = NULL;
+
+diff U3 crypto/x509/x509_vfy.h crypto/x509/x509_vfy.h
+--- crypto/x509/x509_vfy.h Thu Jul 09 19:57:16 2015
++++ crypto/x509/x509_vfy.h Thu Oct 29 14:05:57 2015
+@@ -438,6 +438,8 @@
+ * will force the behaviour to match that of previous versions.
+ */
+ # define X509_V_FLAG_NO_ALT_CHAINS 0x100000
++/* Do not check certificate/CRL validity against current time */
++# define X509_V_FLAG_NO_CHECK_TIME 0x200000
+
+ # define X509_VP_FLAG_DEFAULT 0x1
+ # define X509_VP_FLAG_OVERWRITE 0x2
diff U3 crypto/x509v3/ext_dat.h crypto/x509v3/ext_dat.h
--- crypto/x509v3/ext_dat.h Thu Jun 11 21:50:12 2015
+++ crypto/x509v3/ext_dat.h Fri Jun 12 11:11:03 2015