From e571428e21280c28d0d591b70f13add7d8dbfe81 Mon Sep 17 00:00:00 2001 From: Gary Lin Date: Tue, 15 Dec 2015 10:48:10 +0800 Subject: Update to openssl to 1.0.2e Also update Cryptlib to edk2 r19218 - Undefine NO_BUILTIN_VA_FUNCS in Cryptlib/OpenSSL/ for x86_64 to use the gcc builtins and remove all EFIAPI from the functions - Move the most of defines into the headers instead of Makefile - Remove the global variable 'timeval' - Remove the unused code: crypto/pqueue/* and crypto/ts/* - Include bn.h in MokManager.c due to the changes in openssl Signed-off-by: Gary Lin
---
 Cryptlib/Pk/CryptX509.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) (limited to 'Cryptlib/Pk/CryptX509.c')
diff --git a/Cryptlib/Pk/CryptX509.c b/Cryptlib/Pk/CryptX509.c
index 70b135a7..7dc45967 100644
--- a/Cryptlib/Pk/CryptX509.c
+++ b/Cryptlib/Pk/CryptX509.c
@@ -14,7 +14,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #include "InternalCryptLib.h"
 #include
-
+#include
 /**
 Construct a X509 object from DER-encoded certificate data.
@@ -245,6 +245,7 @@ X509GetSubjectName (
 BOOLEAN Status;
 X509 *X509Cert;
 X509_NAME *X509Name;
+ UINTN X509NameSize;
 //
 // Check input parameters.
@@ -274,13 +275,14 @@ X509GetSubjectName (
 goto _Exit;
 }
- if (*SubjectSize < (UINTN) X509Name->bytes->length) {
- *SubjectSize = (UINTN) X509Name->bytes->length;
+ X509NameSize = i2d_X509_NAME(X509Name, NULL);
+ if (*SubjectSize < X509NameSize) {
+ *SubjectSize = X509NameSize;
 goto _Exit;
 }
- *SubjectSize = (UINTN) X509Name->bytes->length;
+ *SubjectSize = X509NameSize;
 if (CertSubject != NULL) {
- CopyMem (CertSubject, (UINT8 *) X509Name->bytes->data, *SubjectSize);
+ i2d_X509_NAME(X509Name, &CertSubject);
 Status = TRUE;
 }
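Review bot: In the last X509GetSubjectName hunk, the result of `i2d_X509_NAME(X509Name, NULL)` is assigned directly to the unsigned `X509NameSize`, but i2d functions return a negative value when encoding fails; that value would turn into a very large size, be written to `*SubjectSize`, and reach the caller as the required buffer length. Capturing the result in a signed local and leaving early closes this, e.g. `if (Len <= 0) { goto _Exit; }` followed by `X509NameSize = (UINTN) Len;`. The second call, `i2d_X509_NAME(X509Name, &CertSubject);`, also discards its return value and then sets `Status = TRUE`, so a failed encode would be reported as success; it should be checked the same way. The function begins and ends outside this hunk, so the signed local would be declared next to the `X509NameSize` declaration added in the previous hunk.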
@@ -461,6 +463,13 @@ X509VerifyCert (
 goto _Exit;
 }
+ //
+ // Allow partial certificate chains, terminated by a non-self-signed but
+ // still trusted intermediate certificate. Also disable time checks.
+ //
+ X509_STORE_set_flags (CertStore,
+ X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME);
+
 //
 // Set up X509_STORE_CTX for the subsequent verification operation.
 //
-- cgit v1.2.3
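Review bot: `X509_V_FLAG_NO_CHECK_TIME` is set on the store unconditionally, so every caller of X509VerifyCert now accepts expired and not-yet-valid certificates, and the added comment says what is disabled but not why. If the reason is that the pre-boot clock cannot be trusted (an assumption; the hunk does not say), the comment should record it and make clear that retiring a key then depends on a revocation list rather than on expiry, e.g. `// Validity periods are ignored because <reason>; revocation must not rely on certificate expiry.` With `X509_V_FLAG_PARTIAL_CHAIN`, any certificate loaded into `CertStore` can terminate the chain as a trust anchor, so the comment should also state that callers must load only certificates they intend to trust directly. The return value of `X509_STORE_set_flags` is not checked either; the rest of X509VerifyCert lies outside the hunk.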