\r
//\r
// Allow partial certificate chains, terminated by a non-self-signed but\r
- // still trusted intermediate certificate.\r
+ // still trusted intermediate certificate. Also disable time checks.\r
//\r
- X509_STORE_set_flags (CertStore, X509_V_FLAG_PARTIAL_CHAIN);\r
+ X509_STORE_set_flags (CertStore,\r
+ X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME);\r
\r
//\r
// OpenSSL PKCS7 Verification by default checks for SMIME (email signing) and\r
\r
//\r
// Allow partial certificate chains, terminated by a non-self-signed but\r
- // still trusted intermediate certificate.\r
+ // still trusted intermediate certificate. Also disable time checks.\r
//\r
- X509_STORE_set_flags (CertStore, X509_V_FLAG_PARTIAL_CHAIN);\r
+ X509_STORE_set_flags (CertStore,\r
+ X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME);\r
\r
X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY);\r
\r
\r
//\r
// Allow partial certificate chains, terminated by a non-self-signed but\r
- // still trusted intermediate certificate.\r
+ // still trusted intermediate certificate. Also disable time checks.\r
//\r
- X509_STORE_set_flags (CertStore, X509_V_FLAG_PARTIAL_CHAIN);\r
+ X509_STORE_set_flags (CertStore,\r
+ X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME);\r
\r
//\r
// Set up X509_STORE_CTX for the subsequent verification operation.\r
diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c\r
--- crypto/x509/x509_vfy.c Thu Jun 11 21:52:58 2015\r
+++ crypto/x509/x509_vfy.c Fri Jun 12 11:29:37 2015\r
-@@ -1653,6 +1653,10 @@\r
- \r
- static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)\r
- {\r
-+#ifdef OPENSSL_SYS_UEFI\r
-+ /* Bypass Certificate Time Checking for UEFI version. */\r
-+ return 1;\r
-+#else\r
- time_t *ptime;\r
- int i;\r
- \r
-@@ -1692,6 +1696,7 @@\r
- }\r
- \r
- return 1;\r
-+#endif\r
- }\r
- \r
- static int internal_verify(X509_STORE_CTX *ctx)\r
+@@ -935,6 +935,8 @@\r
+ ctx->current_crl = crl;\r
+ if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)\r
+ ptime = &ctx->param->check_time;\r
++ else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)\r
++ return 1;\r
+ else\r
+ ptime = NULL;\r
+ \r
+@@ -1658,6 +1660,8 @@\r
+ \r
+ if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)\r
+ ptime = &ctx->param->check_time;\r
++ else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)\r
++ return 1;\r
+ else\r
+ ptime = NULL;\r
+ \r
+diff U3 crypto/x509/x509_vfy.h crypto/x509/x509_vfy.h\r
+--- crypto/x509/x509_vfy.h Thu Jul 09 19:57:16 2015\r
++++ crypto/x509/x509_vfy.h Thu Oct 29 14:05:57 2015\r
+@@ -438,6 +438,8 @@\r
+ * will force the behaviour to match that of previous versions.\r
+ */\r
+ # define X509_V_FLAG_NO_ALT_CHAINS 0x100000\r
++/* Do not check certificate/CRL validity against current time */\r
++# define X509_V_FLAG_NO_CHECK_TIME 0x200000\r
+ \r
+ # define X509_VP_FLAG_DEFAULT 0x1\r
+ # define X509_VP_FLAG_OVERWRITE 0x2\r
diff U3 crypto/x509v3/ext_dat.h crypto/x509v3/ext_dat.h\r
--- crypto/x509v3/ext_dat.h Thu Jun 11 21:50:12 2015\r
+++ crypto/x509v3/ext_dat.h Fri Jun 12 11:11:03 2015\r
projects / mirror_edk2.git / commitdiff