|
 |
ae87d2 |
diff -Naur libreswan-3.25-orig/programs/pluto/nss_cert_verify.c libreswan-3.25/programs/pluto/nss_cert_verify.c
|
|
|
ae87d2 |
--- libreswan-3.25-orig/programs/pluto/nss_cert_verify.c 2019-04-11 12:50:35.423733161 +0200
|
|
|
ae87d2 |
+++ libreswan-3.25/programs/pluto/nss_cert_verify.c 2019-04-11 12:51:58.832735953 +0200
|
|
|
ae87d2 |
@@ -121,7 +121,7 @@
|
|
|
ae87d2 |
return FALSE;
|
|
|
ae87d2 |
}
|
|
|
ae87d2 |
|
|
|
ae87d2 |
-static int nss_err_to_revfail(CERTVerifyLogNode *node)
|
|
|
ae87d2 |
+static int nss_err_to_revfail(char *prefix, CERTVerifyLogNode *node)
|
|
|
ae87d2 |
{
|
|
|
ae87d2 |
int ret = VERIFY_RET_FAIL;
|
|
|
ae87d2 |
|
|
|
ae87d2 |
@@ -131,7 +131,7 @@
|
|
|
ae87d2 |
|
|
|
ae87d2 |
loglog(RC_LOG_SERIOUS, "Certificate %s failed verification",
|
|
|
ae87d2 |
node->cert->subjectName);
|
|
|
ae87d2 |
- loglog(RC_LOG_SERIOUS, "ERROR: %s",
|
|
|
ae87d2 |
+ loglog(RC_LOG_SERIOUS, "%s: %s", prefix,
|
|
|
ae87d2 |
nss_err_str(node->error));
|
|
|
ae87d2 |
|
|
|
ae87d2 |
if (node->error == SEC_ERROR_REVOKED_CERTIFICATE) {
|
|
|
ae87d2 |
@@ -298,18 +298,18 @@
|
|
|
ae87d2 |
cvout[1].value.pointer.chain = NULL;
|
|
|
ae87d2 |
cvout[2].type = cert_po_end;
|
|
|
ae87d2 |
|
|
|
ae87d2 |
- int fin;
|
|
|
ae87d2 |
+ int fin = VERIFY_RET_FAIL;
|
|
|
ae87d2 |
|
|
|
ae87d2 |
#ifdef NSS_IPSEC_PROFILE
|
|
|
ae87d2 |
SECStatus rv = CERT_PKIXVerifyCert(end_cert, certificateUsageIPsec,
|
|
|
ae87d2 |
cvin, cvout, NULL);
|
|
|
ae87d2 |
if (rv != SECSuccess || cur_log->count > 0) {
|
|
|
ae87d2 |
if (cur_log->count > 0 && cur_log->head != NULL) {
|
|
|
ae87d2 |
- fin = nss_err_to_revfail(cur_log->head);
|
|
|
ae87d2 |
+ fin = nss_err_to_revfail("warning", cur_log->head);
|
|
|
ae87d2 |
} else {
|
|
|
ae87d2 |
/*
|
|
|
ae87d2 |
* An rv != SECSuccess without CERTVerifyLog
|
|
|
ae87d2 |
- * results should not * happen, but catch it anyway
|
|
|
ae87d2 |
+ * results should not happen, but catch it anyway
|
|
|
ae87d2 |
*/
|
|
|
ae87d2 |
loglog(RC_LOG_SERIOUS, "X509: unspecified NSS verification failure");
|
|
|
ae87d2 |
fin = VERIFY_RET_FAIL;
|
|
|
ae87d2 |
@@ -319,7 +319,11 @@
|
|
|
ae87d2 |
*end_out = end_cert;
|
|
|
ae87d2 |
fin = VERIFY_RET_OK;
|
|
|
ae87d2 |
}
|
|
|
ae87d2 |
-#else
|
|
|
ae87d2 |
+#endif
|
|
|
ae87d2 |
+
|
|
|
ae87d2 |
+ if (fin != VERIFY_RET_OK)
|
|
|
ae87d2 |
+ {
|
|
|
ae87d2 |
+
|
|
|
ae87d2 |
/* kludge alert!!
|
|
|
ae87d2 |
* verification may be performed twice: once with the
|
|
|
ae87d2 |
* 'client' usage and once with 'server', which is an NSS
|
|
|
ae87d2 |
@@ -332,7 +336,7 @@
|
|
|
ae87d2 |
|
|
|
ae87d2 |
for (usage = certificateUsageSSLClient; ; usage = certificateUsageSSLServer) {
|
|
|
ae87d2 |
SECStatus rv = CERT_PKIXVerifyCert(end_cert, usage, cvin, cvout, NULL);
|
|
|
ae87d2 |
- if (rv != SECSuccess || cur_log->count > 0) {
|
|
|
ae87d2 |
+ if (rv != SECSuccess) {
|
|
|
ae87d2 |
if (cur_log->count > 0 && cur_log->head != NULL) {
|
|
|
ae87d2 |
if (usage == certificateUsageSSLClient &&
|
|
|
ae87d2 |
RETRYABLE_TYPE(cur_log->head->error)) {
|
|
|
ae87d2 |
@@ -348,7 +352,8 @@
|
|
|
ae87d2 |
cvout[1].value.pointer.chain = NULL;
|
|
|
ae87d2 |
continue;
|
|
|
ae87d2 |
} else {
|
|
|
ae87d2 |
- fin = nss_err_to_revfail(cur_log->head);
|
|
|
ae87d2 |
+ fin = nss_err_to_revfail("ERROR", cur_log->head);
|
|
|
ae87d2 |
+ loglog(RC_LOG_SERIOUS, "X509: verification failure using NSS TLS profile validation");
|
|
|
ae87d2 |
}
|
|
|
ae87d2 |
} else {
|
|
|
ae87d2 |
/*
|
|
|
ae87d2 |
@@ -365,7 +370,9 @@
|
|
|
ae87d2 |
}
|
|
|
ae87d2 |
break;
|
|
|
ae87d2 |
}
|
|
|
ae87d2 |
-#endif
|
|
|
ae87d2 |
+
|
|
|
ae87d2 |
+ }
|
|
|
ae87d2 |
+
|
|
|
ae87d2 |
pexpect(fin != 0);
|
|
|
ae87d2 |
|
|
|
ae87d2 |
CERT_DestroyCertList(trustcl);
|