@@ -749,6 +749,7 @@ static int asn1_parse_mscat(fmap_t *map, size_t offset, unsigned int size, crtmg |
749 | 749 |
SHA1Context ctx; |
750 | 750 |
cli_crt *x509; |
751 | 751 |
int result; |
752 |
+ int isBlacklisted = 0; |
|
752 | 753 |
|
753 | 754 |
cli_dbgmsg("in asn1_parse_mscat\n"); |
754 | 755 |
|
@@ -840,12 +841,15 @@ static int asn1_parse_mscat(fmap_t *map, size_t offset, unsigned int size, crtmg |
840 | 840 |
cli_dbgmsg("asn1_parse_mscat: %u new certificates collected\n", newcerts.items); |
841 | 841 |
while(x509) { |
842 | 842 |
cli_crt *parent = crtmgr_verify_crt(cmgr, x509); |
843 |
- if(parent && !(parent->isBlacklisted)) { |
|
843 |
+ if(parent) { |
|
844 |
+ if (parent->isBlacklisted) |
|
845 |
+ isBlacklisted = 1; |
|
846 |
+ |
|
844 | 847 |
x509->codeSign &= parent->codeSign; |
845 | 848 |
x509->timeSign &= parent->timeSign; |
846 |
- if(crtmgr_add(cmgr, x509)) |
|
847 |
- break; |
|
848 |
- crtmgr_del(&newcerts, x509); |
|
849 |
+ if(crtmgr_add(cmgr, x509)) |
|
850 |
+ break; |
|
851 |
+ crtmgr_del(&newcerts, x509); |
|
849 | 852 |
x509 = newcerts.crts; |
850 | 853 |
continue; |
851 | 854 |
} |
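Review bot: The new branch records that `parent` is blacklisted but still lets `x509` inherit only codeSign/timeSign and then hands it to `crtmgr_add`, so a certificate chained to a revoked parent enters `cmgr` with no blacklist marking of its own and later lookups of that leaf cannot tell it descends from a revoked cert. Propagating the flag next to the other inherited attributes, `x509->isBlacklisted |= parent->isBlacklisted;`, keeps the chain state on the certificate itself rather than only in a function-local variable. The single-statement `if (parent->isBlacklisted)` would also read more safely braced, matching the `if(parent) {` it sits inside. The crtmgr_verify_pkcs7 hunk further down drops that function's own `isBlacklisted` filter, so enforcement now appears to rest entirely on callers consulting the flag — presumably the new return-1 path at the end of asn1_parse_mscat, which lies outside this hunk. asn1_parse_mscat's body begins and ends outside the hunk.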
@@ -1276,6 +1280,10 @@ static int asn1_parse_mscat(fmap_t *map, size_t offset, unsigned int size, crtmg |
1276 | 1276 |
} |
1277 | 1277 |
|
1278 | 1278 |
cli_dbgmsg("asn1_parse_mscat: catalog succesfully parsed\n"); |
1279 |
+ if (isBlacklisted) { |
|
1280 |
+ cli_dbgmsg("asn1_parse_mscat: executable containes revoked cert.\n"); |
|
1281 |
+ return 1; |
|
1282 |
+ } |
|
1279 | 1283 |
return 0; |
1280 | 1284 |
} while(0); |
1281 | 1285 |
|
@@ -1290,7 +1298,7 @@ int asn1_load_mscat(fmap_t *map, struct cl_engine *engine) { |
1290 | 1290 |
int i; |
1291 | 1291 |
|
1292 | 1292 |
if(asn1_parse_mscat(map, 0, map->len, &engine->cmgr, 0, &c.next, &size)) |
1293 |
- return 1; |
|
1293 |
+ return 1; |
|
1294 | 1294 |
|
1295 | 1295 |
if(asn1_expect_objtype(map, c.next, &size, &c, 0x30)) |
1296 | 1296 |
return 1; |
@@ -1426,6 +1434,7 @@ int asn1_load_mscat(fmap_t *map, struct cl_engine *engine) { |
1426 | 1426 |
} |
1427 | 1427 |
} |
1428 | 1428 |
} |
1429 |
+ |
|
1429 | 1430 |
return 0; |
1430 | 1431 |
} |
1431 | 1432 |
|
@@ -317,8 +317,6 @@ cli_crt *crtmgr_verify_pkcs7(crtmgr *m, const uint8_t *issuer, const uint8_t *se |
317 | 317 |
if(!memcmp(i->issuer, issuer, sizeof(i->issuer)) && |
318 | 318 |
!memcmp(i->serial, serial, sizeof(i->serial)) && |
319 | 319 |
!crtmgr_rsa_verify(i, &sig, hashtype, refhash)) { |
320 |
- if (i->isBlacklisted) |
|
321 |
- i = NULL; |
|
322 | 320 |
break; |
323 | 321 |
} |
324 | 322 |
} |