From de0408be72d4a0e27683ce594fde982ff9085f7f Mon Sep 17 00:00:00 2001 From: David Woodhouse Date: Thu, 29 Oct 2015 14:16:54 +0000 Subject: CryptoPkg/BaseCryptLib: Use X509_V_FLAG_NO_CHECK_TIME OpenSSL HEAD is in the process of adding this flag to disable the validity time checking. Backport it to 1.0.2 and use it too, for consistency. https://rt.openssl.org/Ticket/Display.html?id=3951&user=guest&pass=guest Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse Reviewed-by: Qin Long git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18704 6f19259b-4bc3-4df7-8a09-765794883524 --- CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c | 5 +++-- CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 5 +++-- CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c | 5 +++-- 3 files changed, 9 insertions(+), 6 deletions(-) (limited to 'CryptoPkg/Library/BaseCryptLib/Pk') diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c index 4d23cbfb94..fafcf1ba85 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c @@ -569,9 +569,10 @@ Pkcs7Verify ( // // Allow partial certificate chains, terminated by a non-self-signed but - // still trusted intermediate certificate. + // still trusted intermediate certificate. Also disable time checks. // - X509_STORE_set_flags (CertStore, X509_V_FLAG_PARTIAL_CHAIN); + X509_STORE_set_flags (CertStore, + X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME); // // OpenSSL PKCS7 Verification by default checks for SMIME (email signing) and diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c index 449a08db2c..d49581221c 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c @@ -426,9 +426,10 @@ TimestampTokenVerify ( // // Allow partial certificate chains, terminated by a non-self-signed but - // still trusted intermediate certificate. + // still trusted intermediate certificate. Also disable time checks. // - X509_STORE_set_flags (CertStore, X509_V_FLAG_PARTIAL_CHAIN); + X509_STORE_set_flags (CertStore, + X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME); X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY); diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c index 669a7af3db..7dc4596759 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c @@ -465,9 +465,10 @@ X509VerifyCert ( // // Allow partial certificate chains, terminated by a non-self-signed but - // still trusted intermediate certificate. + // still trusted intermediate certificate. Also disable time checks. // - X509_STORE_set_flags (CertStore, X509_V_FLAG_PARTIAL_CHAIN); + X509_STORE_set_flags (CertStore, + X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME); // // Set up X509_STORE_CTX for the subsequent verification operation. -- cgit v1.2.3