git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit

author	Eric Biggers <ebiggers@google.com>
	Thu, 22 Feb 2018 14:38:33 +0000 (14:38 +0000)
committer	Seth Forshee <seth.forshee@canonical.com>
	Wed, 28 Feb 2018 14:47:12 +0000 (08:47 -0600)
commit	e534852a6ced04ba0a3267ae1f5aa5d3c4afd292
tree	3807b6b411aa35ac122eec9440a5b51aa0d98105	tree
parent	89bb3dc23b2d406b2a7a336175747483086107d4	commit \| diff

PKCS#7: fix certificate blacklisting

BugLink: https://bugs.launchpad.net/bugs/1752317
commit 29f4a67c17e19314b7d74b8569be935e6c7edf50 upstream.

If there is a blacklisted certificate in a SignerInfo's certificate
chain, then pkcs7_verify_sig_chain() sets sinfo->blacklisted and returns
0. But, pkcs7_verify() fails to handle this case appropriately, as it
actually continues on to the line 'actual_ret = 0;', indicating that the
SignerInfo has passed verification. Consequently, PKCS#7 signature
verification ignores the certificate blacklist.

Fix this by not considering blacklisted SignerInfos to have passed
verification.

Also fix the function comment with regards to when 0 is returned.

Fixes: 03bb79315ddc ("PKCS#7: Handle blacklisted certificates")
Cc: <stable@vger.kernel.org> # v4.12+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>