git: 9c3478cb2263 - main - libsecureboot: do not accept certificate we cannot decode
Date: Wed, 05 Jul 2023 19:37:52 UTC
The branch main has been updated by sjg: URL: https://cgit.FreeBSD.org/src/commit/?id=9c3478cb226385c468c0d029337f4e78e69931c8 commit 9c3478cb226385c468c0d029337f4e78e69931c8 Author: Simon J. Gerraty <sjg@FreeBSD.org> AuthorDate: 2023-07-05 19:37:14 +0000 Commit: Simon J. Gerraty <sjg@FreeBSD.org> CommitDate: 2023-07-05 19:37:14 +0000 libsecureboot: do not accept certificate we cannot decode Although we care more about the CN of a certificate than its status (for purpose of reporting), we should skip if we have errors decoding. Reviewed by: stevek Sponsored by: Juniper Networks, Inc. --- lib/libsecureboot/vets.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/lib/libsecureboot/vets.c b/lib/libsecureboot/vets.c index 12191097ff8c..ca1eb12937bb 100644 --- a/lib/libsecureboot/vets.c +++ b/lib/libsecureboot/vets.c @@ -243,12 +243,10 @@ x509_cn_get(br_x509_certificate *xc, char *buf, size_t len) mc.vtable->end_cert(&mc.vtable); /* we don't actually care about cert status - just its name */ err = mc.vtable->end_chain(&mc.vtable); + (void)err; /* keep compiler quiet */ - if (!cn.status) { + if (cn.status <= 0) buf = NULL; - if (err == 0) /* keep compiler happy */ - buf = NULL; - } return (buf); }
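Review bot: The new `if (cn.status <= 0)` test in x509_cn_get() carries no comment saying what a negative status means, and the retained comment just above it ("we don't actually care about cert status - just its name") now reads as if it contradicts the check. A one-line comment at the condition, stating that a zero or negative cn.status means the CN was not obtained and that, going by the commit message, the negative case is the decode error being skipped, would tie the code to "skip if we have errors decoding". Separately, if err has no other use in this function (the rest of it is not visible in the hunk), the assignment followed by `(void)err;` could become a direct `(void)` cast on the end_chain() call and the variable could be dropped.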