diff options
| author | Steve Langasek <steve.langasek@canonical.com> | 2019-02-09 21:28:06 -0800 |
|---|---|---|
| committer | Steve Langasek <steve.langasek@canonical.com> | 2019-02-09 21:32:44 -0800 |
| commit | ab4c731c1dd379acd3e95971af57401fb0a650a1 (patch) | |
| tree | 6a26fb8d0746cbbaa6c2d4b242c73442bcc1df06 /Cryptlib/ca-check-workaround.patch | |
| parent | 0d63079c7da8e86104ce4bbdae2f6cb8d2ea40c6 (diff) | |
| parent | 9c12130f9cd2ae11a9336813dd1f1669c0b64ad0 (diff) | |
| download | efi-boot-shim-debian/15+1533136590.3beb971-1.tar.gz efi-boot-shim-debian/15+1533136590.3beb971-1.zip | |
* New upstream release.debian/15+1533136590.3beb971-1
- debian/patches/second-stage-path: dropped; the default loader path now
includes an arch suffix.
- debian/patches/sbsigntool-no-pesign: dropped; no longer needed.
* Drop remaining patches that were not being applied.
* Sync packaging from Ubuntu:
- debian/copyright: Update upstream source location.
- debian/control: add a Build-Depends on libelf-dev.
- Enable arm64 build.
- debian/patches/fixup_git.patch: don't run git in clean; we're not
really in a git tree.
- debian/rules, debian/shim.install: use the upstream install target as
intended, and move files to the target directory using dh_install.
- define RELEASE and COMMIT_ID for the snapshot.
- Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
- Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream
options: set MAKELEVEL.
- Define an EFI_ARCH variable, and use that for paths to shim. This
makes it possible to build a shim for other architectures than amd64.
- Set EFIDIR=$distro for dh_auto_install; that will let files be installed
in the "right" final directories, and makes boot.csv for us.
- Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
at compile-time for MokManager and fallback.
- Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
and MokManager.
Diffstat (limited to 'Cryptlib/ca-check-workaround.patch')
| -rw-r--r-- | Cryptlib/ca-check-workaround.patch | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/Cryptlib/ca-check-workaround.patch b/Cryptlib/ca-check-workaround.patch new file mode 100644 index 00000000..752528bb --- /dev/null +++ b/Cryptlib/ca-check-workaround.patch @@ -0,0 +1,60 @@ +diff --git a/Cryptlib/Pk/CryptPkcs7Verify.c b/Cryptlib/Pk/CryptPkcs7Verify.c +index bf24e92..cbd9669 100644 +--- a/Cryptlib/Pk/CryptPkcs7Verify.c ++++ b/Cryptlib/Pk/CryptPkcs7Verify.c +@@ -30,6 +30,43 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. +
+ UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };
+
++BOOLEAN ca_warning;
++
++void
++clear_ca_warning()
++{
++ ca_warning = FALSE;
++}
++
++BOOLEAN
++get_ca_warning()
++{
++ return ca_warning;
++}
++
++int
++X509VerifyCb (
++ IN int Status,
++ IN X509_STORE_CTX *Context
++ )
++{
++ INTN Error;
++
++ Error = (INTN) X509_STORE_CTX_get_error (Context);
++
++ if (Error == X509_V_ERR_INVALID_CA) {
++ /* Due to the historical reason, we have to relax the the x509 v3 extension
++ * check to allow the CA certificates without the CA flag in the basic
++ * constraints or KeyCertSign in the key usage to be loaded. In the future,
++ * this callback should be removed to enforce the proper check. */
++ ca_warning = TRUE;
++
++ return 1;
++ }
++
++ return Status;
++}
++
+ /**
+ Check input P7Data is a wrapped ContentInfo structure or not. If not construct
+ a new structure to wrap P7Data.
+@@ -858,6 +895,8 @@ Pkcs7Verify ( + goto _Exit;
+ }
+
++ X509_STORE_set_verify_cb (CertStore, X509VerifyCb);
++
+ //
+ // For generic PKCS#7 handling, InData may be NULL if the content is present
+ // in PKCS#7 structure. So ignore NULL checking here.
+-- +2.14.2 + |