diff options
author | Simon J. Gerraty <sjg@FreeBSD.org> | 2023-07-05 19:37:14 +0000 |
---|---|---|
committer | Simon J. Gerraty <sjg@FreeBSD.org> | 2023-07-05 19:37:14 +0000 |
commit | 9c3478cb226385c468c0d029337f4e78e69931c8 (patch) | |
tree | a1819d945759047adf9697c06b0408f10b20caa7 | |
parent | ba8cc6d7271a50fec978a1d3a088aec7985fae48 (diff) | |
download | src-9c3478cb226385c468c0d029337f4e78e69931c8.tar.gz src-9c3478cb226385c468c0d029337f4e78e69931c8.zip |
libsecureboot: do not accept certificate we cannot decode
Although we care more about the CN of a certificate than its status
(for purpose of reporting), we should skip if we have errors decoding.
Reviewed by: stevek
Sponsored by: Juniper Networks, Inc.
-rw-r--r-- | lib/libsecureboot/vets.c | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/lib/libsecureboot/vets.c b/lib/libsecureboot/vets.c index 12191097ff8c..ca1eb12937bb 100644 --- a/lib/libsecureboot/vets.c +++ b/lib/libsecureboot/vets.c @@ -243,12 +243,10 @@ x509_cn_get(br_x509_certificate *xc, char *buf, size_t len) mc.vtable->end_cert(&mc.vtable); /* we don't actually care about cert status - just its name */ err = mc.vtable->end_chain(&mc.vtable); + (void)err; /* keep compiler quiet */ - if (!cn.status) { + if (cn.status <= 0) buf = NULL; - if (err == 0) /* keep compiler happy */ - buf = NULL; - } return (buf); } |