diff options
author | Jaakko Keränen <jaakko.keranen@iki.fi> | 2021-07-16 22:46:30 +0300 |
---|---|---|
committer | Jaakko Keränen <jaakko.keranen@iki.fi> | 2021-07-16 22:46:30 +0300 |
commit | 1b1dc94c49368b7d7060244fde2bef31cc70d480 (patch) | |
tree | bca58bf618418adbc0060a85d289c3b1ebbca636 /src/gmcerts.c | |
parent | 8fb7695dc1cf4e136806fbd77557ebd644d71801 (diff) |
Allow override for certificate expiry
The user is able to ignore certificate expiry and continue loading the page regardless. This adds a one hour exception to the expiration date.
Diffstat (limited to 'src/gmcerts.c')
-rw-r--r-- | src/gmcerts.c | 26 |
1 files changed, 14 insertions, 12 deletions
diff --git a/src/gmcerts.c b/src/gmcerts.c index 32e47b40..d8e77b12 100644 --- a/src/gmcerts.c +++ b/src/gmcerts.c | |||
@@ -456,13 +456,8 @@ iBool checkTrust_GmCerts(iGmCerts *d, iRangecc domain, uint16_t port, const iTls | |||
456 | if (!cert) { | 456 | if (!cert) { |
457 | return iFalse; | 457 | return iFalse; |
458 | } | 458 | } |
459 | if (isExpired_TlsCertificate(cert)) { | ||
460 | return iFalse; | ||
461 | } | ||
462 | /* We trust CA verification implicitly. */ | 459 | /* We trust CA verification implicitly. */ |
463 | //const iBool isAuth = verify_TlsCertificate(cert) == authority_TlsCertificateVerifyStatus; | 460 | if (!verifyDomain_GmCerts(cert, domain)) { |
464 | // const iBool isAuth = iFalse; /* CA verification done during handshake */ | ||
465 | if (/*!isAuth &&*/ !verifyDomain_GmCerts(cert, domain)) { | ||
466 | return iFalse; | 461 | return iFalse; |
467 | } | 462 | } |
468 | /* TODO: Could call setTrusted_GmCerts() instead of duplicating the trust-setting. */ | 463 | /* TODO: Could call setTrusted_GmCerts() instead of duplicating the trust-setting. */ |
@@ -474,11 +469,12 @@ iBool checkTrust_GmCerts(iGmCerts *d, iRangecc domain, uint16_t port, const iTls | |||
474 | init_String(&key); | 469 | init_String(&key); |
475 | makeTrustKey_(domain, port, &key); | 470 | makeTrustKey_(domain, port, &key); |
476 | lock_Mutex(d->mtx); | 471 | lock_Mutex(d->mtx); |
472 | iBool ok = !isExpired_TlsCertificate(cert); | ||
477 | iTrustEntry *trust = value_StringHash(d->trusted, &key); | 473 | iTrustEntry *trust = value_StringHash(d->trusted, &key); |
478 | if (trust) { | 474 | if (trust) { |
479 | /* We already have it, check if it matches the one we trust for this domain (if it's | 475 | /* We already have it, check if it matches the one we trust for this domain (if it's |
480 | still valid. */ | 476 | still valid. */ |
481 | if (/*!isAuth && */elapsedSeconds_Time(&trust->validUntil) < 0) { | 477 | if (elapsedSeconds_Time(&trust->validUntil) < 0) { |
482 | /* Trusted cert is still valid. */ | 478 | /* Trusted cert is still valid. */ |
483 | const iBool isTrusted = cmp_Block(fingerprint, &trust->fingerprint) == 0; | 479 | const iBool isTrusted = cmp_Block(fingerprint, &trust->fingerprint) == 0; |
484 | unlock_Mutex(d->mtx); | 480 | unlock_Mutex(d->mtx); |
@@ -487,17 +483,23 @@ iBool checkTrust_GmCerts(iGmCerts *d, iRangecc domain, uint16_t port, const iTls | |||
487 | return isTrusted; | 483 | return isTrusted; |
488 | } | 484 | } |
489 | /* Update the trusted cert. */ | 485 | /* Update the trusted cert. */ |
490 | init_Time(&trust->validUntil, &until); | 486 | if (ok) { |
491 | set_Block(&trust->fingerprint, fingerprint); | 487 | init_Time(&trust->validUntil, &until); |
488 | set_Block(&trust->fingerprint, fingerprint); | ||
489 | } | ||
492 | } | 490 | } |
493 | else { | 491 | else { |
494 | insert_StringHash(d->trusted, &key, iClob(new_TrustEntry(fingerprint, &until))); | 492 | if (ok) { |
493 | insert_StringHash(d->trusted, &key, iClob(new_TrustEntry(fingerprint, &until))); | ||
494 | } | ||
495 | } | ||
496 | if (ok) { | ||
497 | save_GmCerts_(d); | ||
495 | } | 498 | } |
496 | save_GmCerts_(d); | ||
497 | unlock_Mutex(d->mtx); | 499 | unlock_Mutex(d->mtx); |
498 | delete_Block(fingerprint); | 500 | delete_Block(fingerprint); |
499 | deinit_String(&key); | 501 | deinit_String(&key); |
500 | return iTrue; | 502 | return ok; |
501 | } | 503 | } |
502 | 504 | ||
503 | void setTrusted_GmCerts(iGmCerts *d, iRangecc domain, uint16_t port, const iBlock *fingerprint, | 505 | void setTrusted_GmCerts(iGmCerts *d, iRangecc domain, uint16_t port, const iBlock *fingerprint, |