WSL2-Linux-Kernel/crypto/asymmetric_keys
Eric Biggers 29e76b211e PKCS#7: fix certificate blacklisting
commit 29f4a67c17 upstream.

If there is a blacklisted certificate in a SignerInfo's certificate
chain, then pkcs7_verify_sig_chain() sets sinfo->blacklisted and returns
0.  But, pkcs7_verify() fails to handle this case appropriately, as it
actually continues on to the line 'actual_ret = 0;', indicating that the
SignerInfo has passed verification.  Consequently, PKCS#7 signature
verification ignores the certificate blacklist.

Fix this by not considering blacklisted SignerInfos to have passed
verification.

Also fix the function comment with regards to when 0 is returned.

Fixes: 03bb79315d ("PKCS#7: Handle blacklisted certificates")
Cc: <stable@vger.kernel.org> # v4.12+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-02-28 10:19:39 +01:00
..
.gitignore X.509: Add a crypto key parser for binary (DER) X.509 certificates 2012-10-08 13:50:22 +10:30
Kconfig License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
asymmetric_keys.h KEYS: Generalise x509_request_asymmetric_key() 2016-04-11 22:41:56 +01:00
asymmetric_type.c KEYS: checking the input id parameters before finding asymmetric key 2017-10-18 09:12:40 +01:00
mscode.asn1 pefile: Parse the "Microsoft individual code signing" data blob 2014-07-09 14:58:37 +01:00
mscode_parser.c pefile: Fix the failure of calculation for digest 2016-07-18 12:19:46 +10:00
pkcs7.asn1 PKCS#7: Appropriately restrict authenticated attributes and content type 2015-08-12 17:01:01 +01:00
pkcs7_key_type.c KEYS: The PKCS#7 test key type should use the secondary keyring 2016-05-11 14:31:55 +01:00
pkcs7_parser.c pkcs7: Prevent NULL pointer dereference, since sinfo is not always set. 2017-10-18 09:12:41 +01:00
pkcs7_parser.h PKCS#7: Handle blacklisted certificates 2017-04-03 16:07:25 +01:00
pkcs7_trust.c KEYS: Generalise x509_request_asymmetric_key() 2016-04-11 22:41:56 +01:00
pkcs7_verify.c PKCS#7: fix certificate blacklisting 2018-02-28 10:19:39 +01:00
public_key.c X.509: fix BUG_ON() when hash algorithm is unsupported 2018-02-28 10:19:39 +01:00
restrict.c X.509: fix NULL dereference when restricting key with unsupported_sig 2018-02-28 10:19:39 +01:00
signature.c KEYS: Add identifier pointers to public_key_signature struct 2016-04-06 16:13:33 +01:00
verify_pefile.c crypto : asymmetric_keys : verify_pefile:zero memory content before freeing 2017-06-09 13:29:50 +10:00
verify_pefile.h KEYS: Generalise system_verify_data() to provide access to internal content 2016-04-06 16:14:24 +01:00
x509.asn1 X.509: Add bits needed for PKCS#7 2014-07-01 16:40:19 +01:00
x509_akid.asn1 X.509: Extract both parts of the AuthorityKeyIdentifier 2015-08-07 16:26:13 +01:00
x509_cert_parser.c X.509: reject invalid BIT STRING for subjectPublicKey 2017-12-14 09:52:53 +01:00
x509_parser.h X.509: Allow X.509 certs to be blacklisted 2017-04-03 16:07:25 +01:00
x509_public_key.c X.509: fix comparisons of ->pkey_algo 2017-12-14 09:52:53 +01:00