diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/gmcerts.c | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/src/gmcerts.c b/src/gmcerts.c index 2c7b1122..3db820fb 100644 --- a/src/gmcerts.c +++ b/src/gmcerts.c | |||
| @@ -457,6 +457,7 @@ iBool checkTrust_GmCerts(iGmCerts *d, iRangecc domain, uint16_t port, const iTls | |||
| 457 | return iFalse; | 457 | return iFalse; |
| 458 | } | 458 | } |
| 459 | /* We trust CA verification implicitly. */ | 459 | /* We trust CA verification implicitly. */ |
| 460 | const iBool isCATrusted = (verify_TlsCertificate(cert) == authority_TlsCertificateVerifyStatus); | ||
| 460 | if (!verifyDomain_GmCerts(cert, domain)) { | 461 | if (!verifyDomain_GmCerts(cert, domain)) { |
| 461 | return iFalse; | 462 | return iFalse; |
| 462 | } | 463 | } |
| @@ -477,10 +478,14 @@ iBool checkTrust_GmCerts(iGmCerts *d, iRangecc domain, uint16_t port, const iTls | |||
| 477 | if (elapsedSeconds_Time(&trust->validUntil) < 0) { | 478 | if (elapsedSeconds_Time(&trust->validUntil) < 0) { |
| 478 | /* Trusted cert is still valid. */ | 479 | /* Trusted cert is still valid. */ |
| 479 | const iBool isTrusted = cmp_Block(fingerprint, &trust->fingerprint) == 0; | 480 | const iBool isTrusted = cmp_Block(fingerprint, &trust->fingerprint) == 0; |
| 480 | unlock_Mutex(d->mtx); | 481 | /* Even if we don't trust it, we will go ahead and update the trusted certificate |
| 481 | delete_Block(fingerprint); | 482 | if a CA vouched for it. */ |
| 482 | deinit_String(&key); | 483 | if (isTrusted || !isCATrusted) { |
| 483 | return isTrusted; | 484 | unlock_Mutex(d->mtx); |
| 485 | delete_Block(fingerprint); | ||
| 486 | deinit_String(&key); | ||
| 487 | return isTrusted; | ||
| 488 | } | ||
| 484 | } | 489 | } |
| 485 | /* Update the trusted cert. */ | 490 | /* Update the trusted cert. */ |
| 486 | if (ok) { | 491 | if (ok) { |