authorJaakko Keränen <jaakko.keranen@iki.fi>2021-07-22 21:57:44 +0300
committerJaakko Keränen <jaakko.keranen@iki.fi>2021-07-22 21:57:44 +0300
commit75399ff21c356dc1afe5cafe72e6ff40b3f206d5 (patch)
tree83ce610d335147b93a5b754be3886c1a48390346 /src
parentac987ccb8d177764308f09e9cf7068a7df8f0890 (diff)
GmCerts: Updating trust via CAs
Diffstat (limited to 'src')
-rw-r--r--src/gmcerts.c13
1 files changed, 9 insertions, 4 deletions
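diff --git a/src/gmcerts.c b/src/gmcerts.c
index 2c7b1122..3db820fb 100644
--- a/src/gmcerts.c
+++ b/src/gmcerts.c
@@ -457,6 +457,7 @@ iBool checkTrust_GmCerts(iGmCerts *d, iRangecc domain, uint16_t port, const iTls
 return iFalse;
 }
 /* We trust CA verification implicitly. */
+const iBool isCATrusted = (verify_TlsCertificate(cert) == authority_TlsCertificateVerifyStatus);
 if (!verifyDomain_GmCerts(cert, domain)) {
 return iFalse;
 }
@@ -477,10 +478,14 @@ iBool checkTrust_GmCerts(iGmCerts *d, iRangecc domain, uint16_t port, const iTls
 if (elapsedSeconds_Time(&trust->validUntil) < 0) {
 /* Trusted cert is still valid. */
 const iBool isTrusted = cmp_Block(fingerprint, &trust->fingerprint) == 0;
-unlock_Mutex(d->mtx);
-delete_Block(fingerprint);
-deinit_String(&key);
-return isTrusted;
+/* Even if we don't trust it, we will go ahead and update the trusted certificate
+if a CA vouched for it. */
+if (isTrusted || !isCATrusted) {
+unlock_Mutex(d->mtx);
+delete_Block(fingerprint);
+deinit_String(&key);
+return isTrusted;
+}
 }
 /* Update the trusted cert. */
 if (ok) {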
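Review bot: In the second hunk, the new `if (isTrusted || !isCATrusted)` guard lets a fingerprint mismatch against a still-valid pinned certificate fall through to the update path whenever `isCATrusted` is true, so the stored pin is replaced with no signal visible in these lines. For such hosts the pin is then presumably only as strong as whatever CA set `verify_TlsCertificate` accepts, and that policy should be stated where the decision is made, e.g. `/* Policy: a CA-verified cert silently overrides a still-valid pin; trust is then bounded by the CA store, not the pin. */`. The fall-through path also still holds `d->mtx` and owns `fingerprint` and `key`, so it relies on the code from `if (ok)` onward (outside this hunk) to release them; confirm that this also holds when `ok` is false. Recording the old and new fingerprints whenever a pin is overridden would let the replacement be audited afterwards.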