From c176b5e73b88d1bee072fdc03af1cf7e24083396 Mon Sep 17 00:00:00 2001
From: Qin Long
Date: Sat, 5 Mar 2016 23:41:31 +0800
Subject: CryptoPkg/OpensslLib: Switch to upstream fix for OpenSSL RT#3951

A more complete implementation of the X509_V_FLAG_NO_CHECK_TIME flag was added to OpenSSL 1.1 as commit d35ff2c0a. Drop our own version and use a backport of what was committed upstream.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse
Reviewed-by: Laszlo Ersek
Reviewed-by: Qin Long
Tested-by: Qin Long
(cherry picked from commit e94546e77bcb4ff57c167be06bfbe1d1d5ac0754)
---
 .../Library/OpensslLib/EDKII_openssl-1.0.2f.patch | 28 ++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2f.patch b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2f.patch
index 04ee8af1df..82fa8dddf0 100644
--- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2f.patch
+++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2f.patch
@@ -11,6 +11,19 @@ index 4a715dc..eb61eda 100755
 { $disabled{"gost"} = "forced"; }
+diff --git a/apps/apps.c b/apps/apps.c
+index 2e77805..e21e759 100644
+--- a/apps/apps.c
++++ b/apps/apps.c
+@@ -2374,6 +2374,8 @@ int args_verify(char ***pargs, int *pargc,
+ flags |= X509_V_FLAG_PARTIAL_CHAIN;
+ else if (!strcmp(arg, "-no_alt_chains"))
+ flags |= X509_V_FLAG_NO_ALT_CHAINS;
++ else if (!strcmp(arg, "-no_check_time"))
++ flags |= X509_V_FLAG_NO_CHECK_TIME;
+ else
+ return 0;
+
 diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c
 index 35fd44c..9f39bff 100644
 --- a/crypto/asn1/a_strex.c
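Review bot: The nested apps.c hunk adds the `-no_check_time` switch to args_verify, but nothing in this patch documents the switch to the tool user: the only documentation added (the POD hunk later in this commit) describes the X509_V_FLAG_NO_CHECK_TIME verify-parameter flag, and the diffstat shows no usage/help text change for the apps that call args_verify. Since, per that POD text, the flag suppresses checking the validity period of certificates and CRLs against the current time, the apps' usage output should say so explicitly, e.g. `-no_check_time   do not check certificate or CRL validity against the current time`. The commit message says the earlier EDK II version of the flag is dropped, yet the diffstat reports 28 insertions and no deletions, so if that removal is expected here it is not visible in this commit. args_verify starts and ends outside the hunk.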
@@ -1608,6 +1621,21 @@ index f4a8358..94d3293 100644
 /* Error codes for the ZENCOD functions. */
+diff --git a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
+index 44792f9..7f95d58 100644
+--- a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
++++ b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
+@@ -203,6 +203,10 @@ chain found is not trusted, then OpenSSL will continue to check to see if an
+ alternative chain can be found that is trusted. With this flag set the behaviour
+ will match that of OpenSSL versions prior to 1.0.2b.
+
++The B flag suppresses checking the validity period
++of certificates and CRLs against the current time. If X509_VERIFY_PARAM_set_time()
++is used to specify a verification time, the check is not suppressed.
++
+ =head1 NOTES
+
+ The above functions should be used to manipulate verification parameters
 diff --git a/doc/crypto/threads.pod b/doc/crypto/threads.pod
 index dc0e939..fe123bb 100644
 --- a/doc/crypto/threads.pod
-- 
cgit v1.2.3