Browse code
Fix checking the revoked certs
Shawn webb authored on 2012/10/24 05:26:03Showing 2 changed files
| ... | ... |
@@ -749,6 +749,7 @@ static int asn1_parse_mscat(fmap_t *map, size_t offset, unsigned int size, crtmg |
| 749 | 749 |
SHA1Context ctx; |
| 750 | 750 |
cli_crt *x509; |
| 751 | 751 |
int result; |
| 752 |
+ int isBlacklisted = 0; |
|
| 752 | 753 |
|
| 753 | 754 |
cli_dbgmsg("in asn1_parse_mscat\n");
|
| 754 | 755 |
|
| ... | ... |
@@ -840,12 +841,15 @@ static int asn1_parse_mscat(fmap_t *map, size_t offset, unsigned int size, crtmg |
| 840 | 840 |
cli_dbgmsg("asn1_parse_mscat: %u new certificates collected\n", newcerts.items);
|
| 841 | 841 |
while(x509) {
|
| 842 | 842 |
cli_crt *parent = crtmgr_verify_crt(cmgr, x509); |
| 843 |
- if(parent && !(parent->isBlacklisted)) {
|
|
| 843 |
+ if(parent) {
|
|
| 844 |
+ if (parent->isBlacklisted) |
|
| 845 |
+ isBlacklisted = 1; |
|
| 846 |
+ |
|
| 844 | 847 |
x509->codeSign &= parent->codeSign; |
| 845 | 848 |
x509->timeSign &= parent->timeSign; |
| 846 |
- if(crtmgr_add(cmgr, x509)) |
|
| 847 |
- break; |
|
| 848 |
- crtmgr_del(&newcerts, x509); |
|
| 849 |
+ if(crtmgr_add(cmgr, x509)) |
|
| 850 |
+ break; |
|
| 851 |
+ crtmgr_del(&newcerts, x509); |
|
| 849 | 852 |
x509 = newcerts.crts; |
| 850 | 853 |
continue; |
| 851 | 854 |
} |
| ... | ... |
@@ -1276,6 +1280,10 @@ static int asn1_parse_mscat(fmap_t *map, size_t offset, unsigned int size, crtmg |
| 1276 | 1276 |
} |
| 1277 | 1277 |
|
| 1278 | 1278 |
cli_dbgmsg("asn1_parse_mscat: catalog succesfully parsed\n");
|
| 1279 |
+ if (isBlacklisted) {
|
|
| 1280 |
+ cli_dbgmsg("asn1_parse_mscat: executable containes revoked cert.\n");
|
|
| 1281 |
+ return 1; |
|
| 1282 |
+ } |
|
| 1279 | 1283 |
return 0; |
| 1280 | 1284 |
} while(0); |
| 1281 | 1285 |
|
| ... | ... |
@@ -1290,7 +1298,7 @@ int asn1_load_mscat(fmap_t *map, struct cl_engine *engine) {
|
| 1290 | 1290 |
int i; |
| 1291 | 1291 |
|
| 1292 | 1292 |
if(asn1_parse_mscat(map, 0, map->len, &engine->cmgr, 0, &c.next, &size)) |
| 1293 |
- return 1; |
|
| 1293 |
+ return 1; |
|
| 1294 | 1294 |
|
| 1295 | 1295 |
if(asn1_expect_objtype(map, c.next, &size, &c, 0x30)) |
| 1296 | 1296 |
return 1; |
| ... | ... |
@@ -1426,6 +1434,7 @@ int asn1_load_mscat(fmap_t *map, struct cl_engine *engine) {
|
| 1426 | 1426 |
} |
| 1427 | 1427 |
} |
| 1428 | 1428 |
} |
| 1429 |
+ |
|
| 1429 | 1430 |
return 0; |
| 1430 | 1431 |
} |
| 1431 | 1432 |
|
| ... | ... |
@@ -317,8 +317,6 @@ cli_crt *crtmgr_verify_pkcs7(crtmgr *m, const uint8_t *issuer, const uint8_t *se |
| 317 | 317 |
if(!memcmp(i->issuer, issuer, sizeof(i->issuer)) && |
| 318 | 318 |
!memcmp(i->serial, serial, sizeof(i->serial)) && |
| 319 | 319 |
!crtmgr_rsa_verify(i, &sig, hashtype, refhash)) {
|
| 320 |
- if (i->isBlacklisted) |
|
| 321 |
- i = NULL; |
|
| 322 | 320 |
break; |
| 323 | 321 |
} |
| 324 | 322 |
} |