From 32ed68b3f2eadddcc650a744fa79bcfb00fa02a1 Mon Sep 17 00:00:00 2001
From: Guillaume Roguez <guillaume.roguez@savoirfairelinux.com>
Date: Mon, 29 May 2017 15:22:49 -0400
Subject: [PATCH] certstore: fix public dht call acceptance
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fix regression found in commit
[33447cc6bb: certstore: re-factor peer certificate authorization routine]

An unknown dht call is not accepted even if the configuration flag
"dhtPublicInCall" is true.

Now, accept the gnutls certificate error "INVALID + SIGNER_NOT_FOUND"
(and only that combination) when this flag is true.

Change-Id: I90575ab82296d3d29140a7394ae178c196aa98c4
Reviewed-by: Andreas Traczyk <andreas.traczyk@savoirfairelinux.com>
Reviewed-by: Adrien Béraud <adrien.beraud@savoirfairelinux.com>
---
 src/security/certstore.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/security/certstore.cpp b/src/security/certstore.cpp
index 9985bc7239..52ea5690f8 100644
--- a/src/security/certstore.cpp
+++ b/src/security/certstore.cpp
@@ -511,7 +511,8 @@ TrustStore::isAllowed(const crypto::Certificate& crt, bool allowPublic)
     // Match by certificate chain
     updateKnownCerts();
     auto ret = allowed_.verify(crt);
-    if (not ret) {
+    // Unknown issuer (only that) are accepted if allowPublic is true
+    if (not ret and !(allowPublic and ret.result == (GNUTLS_CERT_INVALID|GNUTLS_CERT_SIGNER_NOT_FOUND))) {
         RING_WARN("%s", ret.toString().c_str());
         return false;
     }
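Review bot: The exact-equality test on `ret.result` is what keeps the new exception narrow — a chain that is also expired, revoked, or signed with an insecure algorithm carries additional `GNUTLS_CERT_*` bits and still fails — but the comment does not say so, and a later edit that relaxes `==` to a bitmask test would silently accept those chains for public calls. I would make the comment carry that invariant: `// Public calls accept a chain whose only defect is an unknown issuer (status exactly INVALID|SIGNER_NOT_FOUND); any extra error bit (expired, revoked, insecure algorithm) must still be rejected, so keep the exact comparison.` An accepted unknown-issuer certificate has not been validated against any trusted root, so whatever `isAllowed` returns after this check (the rest of the function, and its start, are outside the hunk) the caller should presumably treat the peer identity as unverified on that path — worth confirming downstream. As a style nit, the line mixes `not` and `!`; `not (allowPublic and ...)` would match the surrounding code.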
-- 
GitLab