summaryrefslogtreecommitdiff
path: root/CryptoPkg/Library/BaseCryptLib/Pk
diff options
context:
space:
mode:
authorDavid Woodhouse <David.Woodhouse@intel.com>2015-10-29 14:16:54 +0000
committerqlong <qlong@Edk2>2015-10-29 14:16:54 +0000
commitde0408be72d4a0e27683ce594fde982ff9085f7f (patch)
tree0baa4b039489979601fe1ada02efbcdb257787c1 /CryptoPkg/Library/BaseCryptLib/Pk
parent68547181f3c5b1c0a73e748b44be1f454e2f7e3c (diff)
downloadedk2-platforms-de0408be72d4a0e27683ce594fde982ff9085f7f.tar.xz
CryptoPkg/BaseCryptLib: Use X509_V_FLAG_NO_CHECK_TIME
OpenSSL HEAD is in the process of adding this flag to disable the validity time checking. Backport it to 1.0.2 and use it too, for consistency. https://rt.openssl.org/Ticket/Display.html?id=3951&user=guest&pass=guest Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Reviewed-by: Qin Long <qin.long@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18704 6f19259b-4bc3-4df7-8a09-765794883524
Diffstat (limited to 'CryptoPkg/Library/BaseCryptLib/Pk')
-rw-r--r--CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c5
-rw-r--r--CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c5
-rw-r--r--CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c5
3 files changed, 9 insertions, 6 deletions
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
index 4d23cbfb94..fafcf1ba85 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
@@ -569,9 +569,10 @@ Pkcs7Verify (
//
// Allow partial certificate chains, terminated by a non-self-signed but
- // still trusted intermediate certificate.
+ // still trusted intermediate certificate. Also disable time checks.
//
- X509_STORE_set_flags (CertStore, X509_V_FLAG_PARTIAL_CHAIN);
+ X509_STORE_set_flags (CertStore,
+ X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME);
//
// OpenSSL PKCS7 Verification by default checks for SMIME (email signing) and
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
index 449a08db2c..d49581221c 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
@@ -426,9 +426,10 @@ TimestampTokenVerify (
//
// Allow partial certificate chains, terminated by a non-self-signed but
- // still trusted intermediate certificate.
+ // still trusted intermediate certificate. Also disable time checks.
//
- X509_STORE_set_flags (CertStore, X509_V_FLAG_PARTIAL_CHAIN);
+ X509_STORE_set_flags (CertStore,
+ X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME);
X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY);
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
index 669a7af3db..7dc4596759 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
@@ -465,9 +465,10 @@ X509VerifyCert (
//
// Allow partial certificate chains, terminated by a non-self-signed but
- // still trusted intermediate certificate.
+ // still trusted intermediate certificate. Also disable time checks.
//
- X509_STORE_set_flags (CertStore, X509_V_FLAG_PARTIAL_CHAIN);
+ X509_STORE_set_flags (CertStore,
+ X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME);
//
// Set up X509_STORE_CTX for the subsequent verification operation.