1. Enable the whole X509v3 extension checking.

2. Replace d2i_X509_bio with d2i_X509.

Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Ling Qin <qin.long@intel.com>
Reviewed-by: Ouyang Qian <qian.ouyang@intel.com>


git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14026 6f19259b-4bc3-4df7-8a09-765794883524

1 files changed, 2 insertions, 15 deletions

diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8w.patch b/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8w.patch
index a2ba8aeb43..c5f646ee96 100644
--- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8w.patch
+++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8w.patch
@@ -260,20 +260,7 @@ Index: crypto/x509/x509_vfy.c
 ===================================================================

 --- crypto/x509/x509_vfy.c	(revision 1)

 +++ crypto/x509/x509_vfy.c	(working copy)

-@@ -386,7 +386,11 @@

- 

- static int check_chain_extensions(X509_STORE_CTX *ctx)

- {

--#ifdef OPENSSL_NO_CHAIN_VERIFY

-+#if defined(OPENSSL_NO_CHAIN_VERIFY) || defined(OPENSSL_SYS_UEFI)

-+  /* 

-+    NOTE: Bypass KU Flags Checking for UEFI version. There are incorrect KU flag setting

-+          in Authenticode Signing Certificates. 

-+  */

- 	return 1;

- #else

- 	int i, ok=0, must_be_ca, plen = 0;

-@@ -899,6 +903,10 @@

+@@ -899,6 +899,10 @@

  

  static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)

  	{

@@ -284,7 +271,7 @@ Index: crypto/x509/x509_vfy.c
  	time_t *ptime;

  	int i;

  

-@@ -942,6 +950,7 @@

+@@ -942,6 +946,7 @@

  		}

  

  	return 1;