Changeset 52541 in vbox

Timestamp:

Aug 31, 2014 9:52:20 PM (10 years ago)

Author:

vboxsync

Message:

fix

File:

• trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp (modified) (2 diffs)

trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp

@@ -997 +997 @@
      * planted by the linker when absent.  In ring-0 we don't have all the
      * necessary timestamp server root certificate info, so we have to allow
-     * using counter signatures unverified there.
+     * using counter signatures unverified there.  Ditto for the early period
+     * of ring-3 hardened stub execution.
      */
     RTTIMESPEC ValidationTime;
@@ -1004 +1005 @@
     uint32_t fFlags = RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_SIGNING_TIME_IF_PRESENT
                     | RTCRPKCS7VERIFY_SD_F_COUNTER_SIGNATURE_SIGNING_TIME_ONLY;
-#ifdef IN_RING0
-    fFlags |= RTCRPKCS7VERIFY_SD_F_USE_SIGNING_TIME_UNVERIFIED;
+#ifndef IN_RING0
+    if (!g_fHaveOtherRoots)
 #endif
+        fFlags |= RTCRPKCS7VERIFY_SD_F_USE_SIGNING_TIME_UNVERIFIED;
     return RTCrPkcs7VerifySignedData(pContentInfo, fFlags, g_hSpcAndNtKernelSuppStore, g_hSpcAndNtKernelRootStore,
                                      &ValidationTime, supHardNtViCertVerifyCallback, pNtViRdr, pErrInfo);