Update to openssl to 1.0.2e

Also update Cryptlib to edk2 r19218 - Undefine NO_BUILTIN_VA_FUNCS in Cryptlib/OpenSSL/ for x86_64 to use the gcc builtins and remove all EFIAPI from the functions - Move the most of defines into the headers instead of Makefile - Remove the global variable 'timeval' - Remove the unused code: crypto/pqueue/* and crypto/ts/* - Include bn.h in MokManager.c due to the changes in openssl Signed-off-by: Gary Lin <glin@suse.com>
author: Gary Lin <glin@suse.com> 2015-12-15 10:48:10 +0800
committer: Peter Jones <pjones@redhat.com> 2016-09-06 15:05:34 -0400
commit: e571428e21280c28d0d591b70f13add7d8dbfe81 (patch)
tree: fadafcf006016eb83dd989969d2232048048bad8 /Cryptlib/OpenSSL/crypto/x509v3/v3_purp.c
parent: 7052e75307553edc8f04eb529b0d37844fbcc30b (diff)
download: efi-boot-shim-e571428e21280c28d0d591b70f13add7d8dbfe81.tar.gz
efi-boot-shim-e571428e21280c28d0d591b70f13add7d8dbfe81.zip
1 files changed, 10 insertions, 9 deletions
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_purp.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_purp.c
index 36b0d87a..845be673 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_purp.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_purp.c
@@ -380,6 +380,14 @@ static void setup_crldp(X509 *x)
         setup_dp(x, sk_DIST_POINT_value(x->crldp, i));
 }
 
+#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
+#define ku_reject(x, usage) \
+        (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
+#define xku_reject(x, usage) \
+        (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
+#define ns_reject(x, usage) \
+        (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
+
 static void x509v3_cache_extensions(X509 *x)
 {
     BASIC_CONSTRAINTS *bs;
@@ -499,7 +507,8 @@ static void x509v3_cache_extensions(X509 *x)
     if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) {
         x->ex_flags |= EXFLAG_SI;
         /* If SKID matches AKID also indicate self signed */
-        if (X509_check_akid(x, x->akid) == X509_V_OK)
+        if (X509_check_akid(x, x->akid) == X509_V_OK &&
+            !ku_reject(x, KU_KEY_CERT_SIGN))
             x->ex_flags |= EXFLAG_SS;
     }
     x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
@@ -538,14 +547,6 @@ static void x509v3_cache_extensions(X509 *x)
  * 4 basicConstraints absent but keyUsage present and keyCertSign asserted.
  */
 
-#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
-#define ku_reject(x, usage) \
-        (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
-#define xku_reject(x, usage) \
-        (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
-#define ns_reject(x, usage) \
-        (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
-
 static int check_ca(const X509 *x)
 {
     /* keyUsage if present should allow cert signing */
author	Gary Lin <glin@suse.com>	2015-12-15 10:48:10 +0800
committer	Peter Jones <pjones@redhat.com>	2016-09-06 15:05:34 -0400
commit	e571428e21280c28d0d591b70f13add7d8dbfe81 (patch)
tree	fadafcf006016eb83dd989969d2232048048bad8 /Cryptlib/OpenSSL/crypto/x509v3/v3_purp.c
parent	7052e75307553edc8f04eb529b0d37844fbcc30b (diff)
download	efi-boot-shim-e571428e21280c28d0d591b70f13add7d8dbfe81.tar.gz efi-boot-shim-e571428e21280c28d0d591b70f13add7d8dbfe81.zip