    PKCS#7: fix certificate blacklisting · 29f4a67c
    Eric Biggers authored
    If there is a blacklisted certificate in a SignerInfo's certificate
    chain, then pkcs7_verify_sig_chain() sets sinfo->blacklisted and returns
    0.  But, pkcs7_verify() fails to handle this case appropriately, as it
    actually continues on to the line 'actual_ret = 0;', indicating that the
    SignerInfo has passed verification.  Consequently, PKCS#7 signature
    verification ignores the certificate blacklist.
    
    Fix this by not considering blacklisted SignerInfos to have passed
    verification.
    
    Also fix the function comment with regards to when 0 is returned.
    
    Fixes: 03bb7931 ("PKCS#7: Handle blacklisted certificates")
    Cc: <stable@vger.kernel.org> # v4.12+
    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
pkcs7_verify.c 12.8 KB
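
A simplified C model of the control flow the commit message describes, added here as an illustration; it is not the kernel's pkcs7_verify.c or part of the commit. The struct layout, the `model_` function names and the `MODEL_ENOSIG` error value are assumptions; only the `blacklisted` flag, the 0 return from the chain check and the `actual_ret = 0` assignment come from the message.

```c
#include <stdbool.h>
#include <stddef.h>

#define MODEL_ENOSIG (-1)  /* assumed stand-in: no SignerInfo passed verification */

struct model_sinfo {
    bool chain_has_blacklisted_cert;  /* constructed input */
    bool blacklisted;                 /* set by the chain check */
    struct model_sinfo *next;
};

/* As described: flags the SignerInfo as blacklisted and still returns 0. */
static int model_verify_sig_chain(struct model_sinfo *s)
{
    s->blacklisted = s->chain_has_blacklisted_cert;
    return 0;
}

/* Before the fix: a 0 return counts as a pass; the flag is never consulted. */
int model_verify_before(struct model_sinfo *list)
{
    int actual_ret = MODEL_ENOSIG;
    for (struct model_sinfo *s = list; s; s = s->next) {
        if (model_verify_sig_chain(s) < 0)
            continue;
        actual_ret = 0;
    }
    return actual_ret;
}

/* After the fix: a blacklisted SignerInfo is not counted as having passed. */
int model_verify_after(struct model_sinfo *list)
{
    int actual_ret = MODEL_ENOSIG;
    for (struct model_sinfo *s = list; s; s = s->next) {
        if (model_verify_sig_chain(s) < 0 || s->blacklisted)
            continue;
        actual_ret = 0;
    }
    return actual_ret;
}

/* Builds a constructed two-signer message and runs either loop over it. */
int model_run(bool bl_first, bool bl_second, bool fixed)
{
    struct model_sinfo b = { bl_second, false, NULL };
    struct model_sinfo a = { bl_first, false, &b };
    return fixed ? model_verify_after(&a) : model_verify_before(&a);
}
```

A regression test for this class of bug needs a message whose every signer is blacklisted: with a second, clean SignerInfo present, both loops return 0 and the flaw stays hidden.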