• Eric Biggers's avatar
    PKCS#7: fix direct verification of SignerInfo signature · e47c1bf9
    Eric Biggers authored
    [ Upstream commit 6459ae38 ]
    
    If none of the certificates in a SignerInfo's certificate chain match a
    trusted key, nor is the last certificate signed by a trusted key, then
    pkcs7_validate_trust_one() tries to check whether the SignerInfo's
    signature was made directly by a trusted key.  But, it actually fails to
    set the 'sig' variable correctly, so it actually verifies the last
    signature seen.  That will only be the SignerInfo's signature if the
    certificate chain is empty; otherwise it will actually be the last
    certificate's signature.
    
    This is not by itself a security problem, since verifying any of the
    certificates in the chain should be sufficient to verify the SignerInfo.
    Still, it's not working as intended so it should be fixed.
    
    Fix it by setting 'sig' correctly for the direct verification case.
    
    Fixes: 757932e6 ("PKCS#7: Handle PKCS#7 messages that contain no X.509 certs")
    Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    e47c1bf9
Name
Last commit
Last update
..
asymmetric_keys Loading commit data...
async_tx Loading commit data...
.gitignore Loading commit data...
842.c Loading commit data...
Kconfig Loading commit data...
Makefile Loading commit data...
ablk_helper.c Loading commit data...
ablkcipher.c Loading commit data...
acompress.c Loading commit data...
aead.c Loading commit data...
aes_generic.c Loading commit data...
aes_ti.c Loading commit data...
af_alg.c Loading commit data...
ahash.c Loading commit data...
akcipher.c Loading commit data...
algapi.c Loading commit data...
algboss.c Loading commit data...
algif_aead.c Loading commit data...
algif_hash.c Loading commit data...
algif_rng.c Loading commit data...
algif_skcipher.c Loading commit data...
ansi_cprng.c Loading commit data...
anubis.c Loading commit data...
api.c Loading commit data...
arc4.c Loading commit data...
authenc.c Loading commit data...
authencesn.c Loading commit data...
blkcipher.c Loading commit data...
blowfish_common.c Loading commit data...
blowfish_generic.c Loading commit data...
camellia_generic.c Loading commit data...
cast5_generic.c Loading commit data...
cast6_generic.c Loading commit data...
cast_common.c Loading commit data...
cbc.c Loading commit data...
ccm.c Loading commit data...
chacha20_generic.c Loading commit data...
chacha20poly1305.c Loading commit data...
cipher.c Loading commit data...
cmac.c Loading commit data...
compress.c Loading commit data...
crc32_generic.c Loading commit data...
crc32c_generic.c Loading commit data...
crct10dif_common.c Loading commit data...
crct10dif_generic.c Loading commit data...
cryptd.c Loading commit data...
crypto_engine.c Loading commit data...
crypto_null.c Loading commit data...
crypto_user.c Loading commit data...
crypto_wq.c Loading commit data...
ctr.c Loading commit data...
cts.c Loading commit data...
deflate.c Loading commit data...
des_generic.c Loading commit data...
dh.c Loading commit data...
dh_helper.c Loading commit data...
drbg.c Loading commit data...
ecb.c Loading commit data...
ecc.c Loading commit data...
ecc.h Loading commit data...
ecc_curve_defs.h Loading commit data...
ecdh.c Loading commit data...
ecdh_helper.c Loading commit data...
echainiv.c Loading commit data...
fcrypt.c Loading commit data...
fips.c Loading commit data...
gcm.c Loading commit data...
gf128mul.c Loading commit data...
ghash-generic.c Loading commit data...
hash_info.c Loading commit data...
hmac.c Loading commit data...
internal.h Loading commit data...
jitterentropy-kcapi.c Loading commit data...
jitterentropy.c Loading commit data...
keywrap.c Loading commit data...
khazad.c Loading commit data...
kpp.c Loading commit data...
lrw.c Loading commit data...
lz4.c Loading commit data...
lz4hc.c Loading commit data...
lzo.c Loading commit data...
mcryptd.c Loading commit data...
md4.c Loading commit data...
md5.c Loading commit data...
memneq.c Loading commit data...
michael_mic.c Loading commit data...
pcbc.c Loading commit data...
pcrypt.c Loading commit data...
poly1305_generic.c Loading commit data...
proc.c Loading commit data...
ripemd.h Loading commit data...
rmd128.c Loading commit data...
rmd160.c Loading commit data...
rmd256.c Loading commit data...
rmd320.c Loading commit data...
rng.c Loading commit data...
rsa-pkcs1pad.c Loading commit data...
rsa.c Loading commit data...
rsa_helper.c Loading commit data...
rsaprivkey.asn1 Loading commit data...
rsapubkey.asn1 Loading commit data...
salsa20_generic.c Loading commit data...
scatterwalk.c Loading commit data...
scompress.c Loading commit data...
seed.c Loading commit data...
seqiv.c Loading commit data...
serpent_generic.c Loading commit data...
sha1_generic.c Loading commit data...
sha256_generic.c Loading commit data...
sha3_generic.c Loading commit data...
sha512_generic.c Loading commit data...
shash.c Loading commit data...
simd.c Loading commit data...
skcipher.c Loading commit data...
tcrypt.c Loading commit data...
tcrypt.h Loading commit data...
tea.c Loading commit data...
testmgr.c Loading commit data...
testmgr.h Loading commit data...
tgr192.c Loading commit data...
twofish_common.c Loading commit data...
twofish_generic.c Loading commit data...
vmac.c Loading commit data...
wp512.c Loading commit data...
xcbc.c Loading commit data...
xor.c Loading commit data...
xts.c Loading commit data...