From 32ed68b3f2eadddcc650a744fa79bcfb00fa02a1 Mon Sep 17 00:00:00 2001
From: Guillaume Roguez <guillaume.roguez@savoirfairelinux.com>
Date: Mon, 29 May 2017 15:22:49 -0400
Subject: [PATCH] certstore: fix public dht call acceptance
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fix regression found in commit [33447cc6bb: certstore: re-factor peer certificate authorization routine] An unknown dht call is not accepted even if the configuration flags "dhtPublicInCall" is true. Now, accept the gnutls certificate error "INVALID + SIGNER_NOT_FOUND" when this flags is true.

Change-Id: I90575ab82296d3d29140a7394ae178c196aa98c4
Reviewed-by: Andreas Traczyk <andreas.traczyk@savoirfairelinux.com>
Reviewed-by: Adrien Béraud <adrien.beraud@savoirfairelinux.com>
---
 src/security/certstore.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/security/certstore.cpp b/src/security/certstore.cpp
index 9985bc7239..52ea5690f8 100644
--- a/src/security/certstore.cpp
+++ b/src/security/certstore.cpp
@@ -511,7 +511,8 @@ TrustStore::isAllowed(const crypto::Certificate& crt, bool allowPublic)
 // Match by certificate chain
 updateKnownCerts();
 auto ret = allowed_.verify(crt);
- if (not ret) {
+ // Unknown issuer (only that) are accepted if allowPublic is true
+ if (not ret and !(allowPublic and ret.result == (GNUTLS_CERT_INVALID|GNUTLS_CERT_SIGNER_NOT_FOUND))) {
 RING_WARN("%s", ret.toString().c_str());
 return false;
 }
-- 
GitLab
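Review bot: The new condition on the second `+` line mixes `not`/`and` with `!` and buries the security-relevant predicate inside a double negation, which makes it easy to misread as "any signer-not-found error is tolerated"; the equality against `(GNUTLS_CERT_INVALID|GNUTLS_CERT_SIGNER_NOT_FOUND)` is in fact the important part, because it keeps expired, revoked or otherwise invalid certificates rejected even when allowPublic is set. I would name the predicate and use one negation style: `const bool unknownIssuerOnly = ret.result == (GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND);` followed by `if (not ret and not (allowPublic and unknownIssuerOnly)) {`. The added comment should state that intent explicitly rather than "(only that)", e.g. `// An unverified chain is tolerated only when allowPublic is set AND the sole failure is an unknown signer; any other status bit still rejects`. Note that the accepted path now skips the RING_WARN, so a peer with an unknown issuer is admitted without any trace; a debug-level log on that branch would help when auditing which public calls were let through. TrustStore::isAllowed continues past the hunk, so whether the accepted case performs further checks before returning true cannot be seen here.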