GTlsCertificate: fix loading of bad certificate chains

g_tls_certificate_new_from_file() was only loading the complete chain
if it was fully valid, but we only meant to be validating that it
formed an actual chain (since the caller may be planning to ignore
other errors).

https://bugzilla.gnome.org/show_bug.cgi?id=729739

diff --git a/gio/gtlscertificate.c b/gio/gtlscertificate.c
index 9e3faf26f68ed854a14a59337cb935633b64cf36..81e072f57a22625a79dba12335c03ce7a5172b1a 100644 (file)
--- a/gio/gtlscertificate.c
+++ b/gio/gtlscertificate.c
@@ -387,14 +387,14 @@ create_certificate_chain_from_list (GSList       *pem_list,
       pem = g_slist_next (pem);
     }
 
-  /* Verify the certificate chain and return NULL if it doesn't
-   * verify. */
+  /* Verify that the certificates form a chain. (We don't care at this
+   * point if there are other problems with it.)
+   */
   flags = g_tls_certificate_verify (cert, NULL, root);
-  if (flags)
+  if (flags & G_TLS_CERTIFICATE_UNKNOWN_CA)
     {
-      /* Couldn't verify the certificate chain, so unref it. */
-      g_object_unref (cert);
-      cert = NULL;
+      /* It wasn't a chain, it's just a bunch of unrelated certs. */
+      g_clear_object (&cert);
     }
 
   return cert;