summaryrefslogtreecommitdiff
path: root/src/gmcerts.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/gmcerts.c')
-rw-r--r--src/gmcerts.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/src/gmcerts.c b/src/gmcerts.c
index da918279..3e629f8f 100644
--- a/src/gmcerts.c
+++ b/src/gmcerts.c
@@ -380,7 +380,9 @@ iBool checkTrust_GmCerts(iGmCerts *d, iRangecc domain, const iTlsCertificate *ce
380 if (isExpired_TlsCertificate(cert)) { 380 if (isExpired_TlsCertificate(cert)) {
381 return iFalse; 381 return iFalse;
382 } 382 }
383 if (!verifyDomain_TlsCertificate(cert, domain)) { 383 /* We trust CA verification implicitly. */
384 const iBool isAuth = verify_TlsCertificate(cert) == authority_TlsCertificateVerifyStatus;
385 if (!isAuth && !verifyDomain_TlsCertificate(cert, domain)) {
384 return iFalse; 386 return iFalse;
385 } 387 }
386 /* TODO: Could call setTrusted_GmCerts() instead of duplicating the trust-setting. */ 388 /* TODO: Could call setTrusted_GmCerts() instead of duplicating the trust-setting. */
@@ -394,9 +396,7 @@ iBool checkTrust_GmCerts(iGmCerts *d, iRangecc domain, const iTlsCertificate *ce
394 if (trust) { 396 if (trust) {
395 /* We already have it, check if it matches the one we trust for this domain (if it's 397 /* We already have it, check if it matches the one we trust for this domain (if it's
396 still valid. */ 398 still valid. */
397 iTime now; 399 if (!isAuth && elapsedSeconds_Time(&trust->validUntil) > 0) {
398 initCurrent_Time(&now);
399 if (secondsSince_Time(&trust->validUntil, &now) > 0) {
400 /* Trusted cert is still valid. */ 400 /* Trusted cert is still valid. */
401 const iBool isTrusted = cmp_Block(fingerprint, &trust->fingerprint) == 0; 401 const iBool isTrusted = cmp_Block(fingerprint, &trust->fingerprint) == 0;
402 unlock_Mutex(d->mtx); 402 unlock_Mutex(d->mtx);