|
 |
b77cff |
diff -Naur libreswan-3.25-orig/programs/pluto/nss_cert_verify.c libreswan-3.25/programs/pluto/nss_cert_verify.c
|
|
|
77b34d |
--- libreswan-3.25-orig/programs/pluto/nss_cert_verify.c 2019-02-23 21:15:03.910589319 -0500
|
|
|
77b34d |
+++ libreswan-3.25/programs/pluto/nss_cert_verify.c 2019-02-23 21:42:05.955565629 -0500
|
|
|
b77cff |
@@ -121,7 +121,7 @@
|
|
|
b77cff |
return FALSE;
|
|
|
b77cff |
}
|
|
|
b77cff |
|
|
|
b77cff |
-static int nss_err_to_revfail(CERTVerifyLogNode *node)
|
|
|
b77cff |
+static int nss_err_to_revfail(char *prefix, CERTVerifyLogNode *node)
|
|
|
b77cff |
{
|
|
|
b77cff |
int ret = VERIFY_RET_FAIL;
|
|
|
b77cff |
|
|
|
b77cff |
@@ -131,7 +131,7 @@
|
|
|
b77cff |
|
|
|
b77cff |
loglog(RC_LOG_SERIOUS, "Certificate %s failed verification",
|
|
|
b77cff |
node->cert->subjectName);
|
|
|
b77cff |
- loglog(RC_LOG_SERIOUS, "ERROR: %s",
|
|
|
b77cff |
+ loglog(RC_LOG_SERIOUS, "%s: %s", prefix,
|
|
|
b77cff |
nss_err_str(node->error));
|
|
|
b77cff |
|
|
|
b77cff |
if (node->error == SEC_ERROR_REVOKED_CERTIFICATE) {
|
|
|
b77cff |
@@ -298,18 +298,18 @@
|
|
|
b77cff |
cvout[1].value.pointer.chain = NULL;
|
|
|
b77cff |
cvout[2].type = cert_po_end;
|
|
|
b77cff |
|
|
|
b77cff |
- int fin;
|
|
|
b77cff |
+ int fin = VERIFY_RET_FAIL;
|
|
|
b77cff |
|
|
|
b77cff |
#ifdef NSS_IPSEC_PROFILE
|
|
|
b77cff |
SECStatus rv = CERT_PKIXVerifyCert(end_cert, certificateUsageIPsec,
|
|
|
b77cff |
cvin, cvout, NULL);
|
|
|
b77cff |
if (rv != SECSuccess || cur_log->count > 0) {
|
|
|
b77cff |
if (cur_log->count > 0 && cur_log->head != NULL) {
|
|
|
b77cff |
- fin = nss_err_to_revfail(cur_log->head);
|
|
|
b77cff |
+ fin = nss_err_to_revfail("warning", cur_log->head);
|
|
|
b77cff |
} else {
|
|
|
b77cff |
/*
|
|
|
b77cff |
* An rv != SECSuccess without CERTVerifyLog
|
|
|
b77cff |
- * results should not * happen, but catch it anyway
|
|
|
b77cff |
+ * results should not happen, but catch it anyway
|
|
|
b77cff |
*/
|
|
|
b77cff |
loglog(RC_LOG_SERIOUS, "X509: unspecified NSS verification failure");
|
|
|
b77cff |
fin = VERIFY_RET_FAIL;
|
|
|
b77cff |
@@ -319,7 +319,11 @@
|
|
|
b77cff |
*end_out = end_cert;
|
|
|
b77cff |
fin = VERIFY_RET_OK;
|
|
|
b77cff |
}
|
|
|
b77cff |
-#else
|
|
|
b77cff |
+#endif
|
|
|
b77cff |
+
|
|
|
b77cff |
+ if (fin != VERIFY_RET_OK)
|
|
|
b77cff |
+ {
|
|
|
b77cff |
+
|
|
|
b77cff |
/* kludge alert!!
|
|
|
b77cff |
* verification may be performed twice: once with the
|
|
|
b77cff |
* 'client' usage and once with 'server', which is an NSS
|
|
|
b77cff |
@@ -348,7 +352,8 @@
|
|
|
b77cff |
cvout[1].value.pointer.chain = NULL;
|
|
|
b77cff |
continue;
|
|
|
b77cff |
} else {
|
|
|
b77cff |
- fin = nss_err_to_revfail(cur_log->head);
|
|
|
b77cff |
+ fin = nss_err_to_revfail("ERROR", cur_log->head);
|
|
|
b77cff |
+ loglog(RC_LOG_SERIOUS, "X509: verification failure using NSS TLS profile validation");
|
|
|
b77cff |
}
|
|
|
b77cff |
} else {
|
|
|
b77cff |
/*
|
|
|
b77cff |
@@ -365,7 +370,9 @@
|
|
|
b77cff |
}
|
|
|
b77cff |
break;
|
|
|
b77cff |
}
|
|
|
b77cff |
-#endif
|
|
|
b77cff |
+
|
|
|
b77cff |
+ }
|
|
|
b77cff |
+
|
|
|
b77cff |
pexpect(fin != 0);
|
|
|
b77cff |
|
|
|
b77cff |
CERT_DestroyCertList(trustcl);
|