From 816d1cf4ee9d060ccc24786db2a9d7f75ff9b440 Mon Sep 17 00:00:00 2001
From: Dan Winship
Date: Mon, 19 Sep 2011 15:06:20 -0400
Subject: [PATCH] soup-socket: fix tls-errors property

We were mistakenly leaving G_TLS_CERTIFICATE_UNKNOWN_CA set after validating the certificate against the ssl_creds's CA list.
---
libsoup/soup-socket.c | 7 +++----
libsoup/soup-ssl.c | 5 ++++-
libsoup/soup-ssl.h | 3 ++-
3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/libsoup/soup-socket.c b/libsoup/soup-socket.c
index a4d9f54..86388d9 100644
--- a/libsoup/soup-socket.c
+++ b/libsoup/soup-socket.c
@@ -77,9 +77,9 @@ typedef struct { guint is_server:1; guint ssl_strict:1; guint ssl_fallback:1; - guint ssl_ca_in_creds:1; guint clean_dispose:1; gpointer ssl_creds; + gboolean ssl_ca_in_creds; GMainContext *async_context; GSource *watch_src;
@@ -896,10 +896,9 @@ soup_socket_accept_certificate (GTlsConnection *conn, GTlsCertificate *cert, SoupSocketPrivate *priv = SOUP_SOCKET_GET_PRIVATE (sock); if (soup_ssl_credentials_verify_certificate (priv->ssl_creds, - cert, errors)) { - priv->ssl_ca_in_creds = TRUE; + cert, errors, + &priv->ssl_ca_in_creds)) return TRUE; - } return !priv->ssl_strict; }
diff --git a/libsoup/soup-ssl.c b/libsoup/soup-ssl.c
index 74d87f2..c63110c 100644
--- a/libsoup/soup-ssl.c
+++ b/libsoup/soup-ssl.c
@@ -49,16 +49,19 @@ soup_ssl_get_client_credentials (const char *ca_file) gboolean soup_ssl_credentials_verify_certificate (SoupSSLCredentials *creds, GTlsCertificate *cert, - GTlsCertificateFlags errors) + GTlsCertificateFlags errors, + gboolean *ca_in_creds) { errors = errors & creds->validation_flags; + *ca_in_creds = FALSE; if (errors & G_TLS_CERTIFICATE_UNKNOWN_CA) { GList *ca; for (ca = creds->ca_list; ca; ca = ca->next) { if ((g_tls_certificate_verify (cert, NULL, ca->data) & G_TLS_CERTIFICATE_UNKNOWN_CA) == 0) { errors &= ~G_TLS_CERTIFICATE_UNKNOWN_CA; + *ca_in_creds = TRUE; break; } }
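Review bot: `priv->ssl_ca_in_creds` can now be TRUE for a certificate that was not fully verified, because the flag is written through the out-parameter on every call, including calls where `soup_ssl_credentials_verify_certificate()` returns FALSE and the fallthrough `return !priv->ssl_strict;` still accepts the connection in non-strict mode. Before this hunk the flag was set only when verification succeeded, so any reader outside the hunk that treats it as "certificate is trusted" would now report trust for a certificate that chains to a creds CA but presumably still carries other errors (the verifier's return statement is not visible here). I would state the narrowed meaning at the call, `/* ssl_ca_in_creds only means UNKNOWN_CA was cleared by the creds CA list; other TLS errors may remain */`, and check every reader of the flag against it. Keeping the braces around `return TRUE;` would also help, since the condition now spans three lines. The function starts outside the hunk.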
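Review bot: `*ca_in_creds = FALSE;` and `*ca_in_creds = TRUE;` dereference the new out-parameter unconditionally, so every caller must pass a valid pointer and a NULL argument crashes inside certificate verification. Either guard both writes, `if (ca_in_creds) *ca_in_creds = FALSE;`, or add a doc comment above the function stating that the argument is required. That comment should also say the flag reports only that UNKNOWN_CA was cleared by a match in `creds->ca_list`: it stays FALSE when UNKNOWN_CA was never set or was masked out by `creds->validation_flags`, and it says nothing about errors that remain. The prototype in soup-ssl.h would take the same comment; the function body continues past the end of the hunk.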
diff --git a/libsoup/soup-ssl.h b/libsoup/soup-ssl.h
index 5858199..eac6de6 100644
--- a/libsoup/soup-ssl.h
+++ b/libsoup/soup-ssl.h
@@ -19,7 +19,8 @@ SoupSSLCredentials *soup_ssl_get_client_credentials (const char void soup_ssl_free_client_credentials (SoupSSLCredentials *creds); gboolean soup_ssl_credentials_verify_certificate (SoupSSLCredentials *creds, GTlsCertificate *cert, - GTlsCertificateFlags errors); + GTlsCertificateFlags errors, + gboolean *ca_in_creds); SoupSSLCredentials *soup_ssl_get_server_credentials (const char *cert_file, const char *key_file);
-- 
2.7.4