From 75399ff21c356dc1afe5cafe72e6ff40b3f206d5 Mon Sep 17 00:00:00 2001 From: Jaakko Keränen Date: Thu, 22 Jul 2021 21:57:44 +0300 Subject: GmCerts: Updating trust via CAs --- src/gmcerts.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/gmcerts.c b/src/gmcerts.c index 2c7b1122..3db820fb 100644 --- a/src/gmcerts.c +++ b/src/gmcerts.c @@ -457,6 +457,7 @@ iBool checkTrust_GmCerts(iGmCerts *d, iRangecc domain, uint16_t port, const iTls return iFalse; } /* We trust CA verification implicitly. */ + const iBool isCATrusted = (verify_TlsCertificate(cert) == authority_TlsCertificateVerifyStatus); if (!verifyDomain_GmCerts(cert, domain)) { return iFalse; } @@ -477,10 +478,14 @@ iBool checkTrust_GmCerts(iGmCerts *d, iRangecc domain, uint16_t port, const iTls if (elapsedSeconds_Time(&trust->validUntil) < 0) { /* Trusted cert is still valid. */ const iBool isTrusted = cmp_Block(fingerprint, &trust->fingerprint) == 0; - unlock_Mutex(d->mtx); - delete_Block(fingerprint); - deinit_String(&key); - return isTrusted; + /* Even if we don't trust it, we will go ahead and update the trusted certificate + if a CA vouched for it. */ + if (isTrusted || !isCATrusted) { + unlock_Mutex(d->mtx); + delete_Block(fingerprint); + deinit_String(&key); + return isTrusted; + } } /* Update the trusted cert. */ if (ok) { -- cgit v1.2.3