@@ -190,6 +190,18 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
190190 x509 -> subject ,
191191 x509 -> raw_serial_size , x509 -> raw_serial );
192192 x509 -> seen = true;
193+
194+ if (x509 -> blacklisted ) {
195+ /* If this cert is blacklisted, then mark everything
196+ * that depends on this as blacklisted too.
197+ */
198+ sinfo -> blacklisted = true;
199+ for (p = sinfo -> signer ; p != x509 ; p = p -> signer )
200+ p -> blacklisted = true;
201+ pr_debug ("- blacklisted\n" );
202+ return 0 ;
203+ }
204+
193205 if (x509 -> unsupported_key )
194206 goto unsupported_crypto_in_x509 ;
195207
@@ -357,17 +369,19 @@ static int pkcs7_verify_one(struct pkcs7_message *pkcs7,
357369 *
358370 * (*) -EBADMSG if some part of the message was invalid, or:
359371 *
360- * (*) -ENOPKG if none of the signature chains are verifiable because suitable
361- * crypto modules couldn't be found , or:
372+ * (*) 0 if no signature chains were found to be blacklisted or to contain
373+ * unsupported crypto , or:
362374 *
363- * (*) 0 if all the signature chains that don't incur -ENOPKG can be verified
364- * (note that a signature chain may be of zero length), or:
375+ * (*) -EKEYREJECTED if a blacklisted key was encountered, or:
376+ *
377+ * (*) -ENOPKG if none of the signature chains are verifiable because suitable
378+ * crypto modules couldn't be found.
365379 */
366380int pkcs7_verify (struct pkcs7_message * pkcs7 ,
367381 enum key_being_used_for usage )
368382{
369383 struct pkcs7_signed_info * sinfo ;
370- int enopkg = - ENOPKG ;
384+ int actual_ret = - ENOPKG ;
371385 int ret ;
372386
373387 kenter ("" );
@@ -412,6 +426,8 @@ int pkcs7_verify(struct pkcs7_message *pkcs7,
412426
413427 for (sinfo = pkcs7 -> signed_infos ; sinfo ; sinfo = sinfo -> next ) {
414428 ret = pkcs7_verify_one (pkcs7 , sinfo );
429+ if (sinfo -> blacklisted && actual_ret == - ENOPKG )
430+ actual_ret = - EKEYREJECTED ;
415431 if (ret < 0 ) {
416432 if (ret == - ENOPKG ) {
417433 sinfo -> unsupported_crypto = true;
@@ -420,11 +436,11 @@ int pkcs7_verify(struct pkcs7_message *pkcs7,
420436 kleave (" = %d" , ret );
421437 return ret ;
422438 }
423- enopkg = 0 ;
439+ actual_ret = 0 ;
424440 }
425441
426- kleave (" = %d" , enopkg );
427- return enopkg ;
442+ kleave (" = %d" , actual_ret );
443+ return actual_ret ;
428444}
429445EXPORT_SYMBOL_GPL (pkcs7_verify );
430446
0 commit comments