1. Enable the whole X509v3 extension checking.

[mirror_edk2.git] / CryptoPkg / Library / OpensslLib / EDKII_openssl-0.9.8w.patch

diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8w.patch b/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8w.patch
index a2ba8aeb43e2c2ebeaa1e769c8368f79f878e63a..c5f646ee969889cc7001652ed8177de6b4d01f38 100644 (file)
--- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8w.patch
+++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8w.patch
@@ -260,20 +260,7 @@ Index: crypto/x509/x509_vfy.c
 ===================================================================\r
 --- crypto/x509/x509_vfy.c     (revision 1)\r
 +++ crypto/x509/x509_vfy.c     (working copy)\r
-@@ -386,7 +386,11 @@\r
- \r
- static int check_chain_extensions(X509_STORE_CTX *ctx)\r
- {\r
--#ifdef OPENSSL_NO_CHAIN_VERIFY\r
-+#if defined(OPENSSL_NO_CHAIN_VERIFY) || defined(OPENSSL_SYS_UEFI)\r
-+  /* \r
-+    NOTE: Bypass KU Flags Checking for UEFI version. There are incorrect KU flag setting\r
-+          in Authenticode Signing Certificates. \r
-+  */\r
-       return 1;\r
- #else\r
-       int i, ok=0, must_be_ca, plen = 0;\r
-@@ -899,6 +903,10 @@\r
+@@ -899,6 +899,10 @@\r
  \r
  static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)\r
        {\r
@@ -284,7 +271,7 @@ Index: crypto/x509/x509_vfy.c
        time_t *ptime;\r
        int i;\r
  \r
-@@ -942,6 +950,7 @@\r
+@@ -942,6 +946,7 @@\r
                }\r
  \r
        return 1;\r