diff --git a/lib/libswan/Makefile b/lib/libswan/Makefile index 510148ad1..0f5c26228 100644 --- a/lib/libswan/Makefile +++ b/lib/libswan/Makefile @@ -200,10 +200,6 @@ CFLAGS+=-I${LIBRESWANSRCDIR}/include ${PORTINCLUDE} CFLAGS+=$(USERLAND_CFLAGS) CFLAGS+=${CROSSFLAGS} -ifeq ($(NSS_REQ_AVA_COPY),true) -CFLAGS+=-DNSS_REQ_AVA_COPY -endif - OBJS += $(abs_builddir)/version.o include $(top_srcdir)/mk/library.mk diff --git a/mk/config.mk b/mk/config.mk index 3f2bd55c1..fcdabd1fb 100644 --- a/mk/config.mk +++ b/mk/config.mk @@ -242,6 +242,17 @@ NSPR_LDFLAGS ?= -lnspr4 # Use nss copy for CERT_CompareAVA # See https://bugzilla.mozilla.org/show_bug.cgi?id=1336487 NSS_REQ_AVA_COPY?=true +ifeq ($(NSS_REQ_AVA_COPY),true) +NSSFLAGS+=-DNSS_REQ_AVA_COPY +endif + +# Use nss IPsec profile for X509 validation. This is less restrictive +# ok EKU's. This is not yet in upstream nss. +# See https://bugzilla.mozilla.org/show_bug.cgi?id=1252891 +NSS_HAS_IPSEC_PROFILE?=false +ifeq ($(NSS_HAS_IPSEC_PROFILE),true) +NSSFLAGS+=-DNSS_IPSEC_PROFILE +endif # Use a local copy of xfrm.h. This can be needed on older systems # that do not ship linux/xfrm.h, or when the shipped version is too diff --git a/programs/pluto/nss_cert_verify.c b/programs/pluto/nss_cert_verify.c index 95c637f53..7d458ac2a 100644 --- a/programs/pluto/nss_cert_verify.c +++ b/programs/pluto/nss_cert_verify.c 
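Review bot: The comment on the new `NSS_HAS_IPSEC_PROFILE` knob is garbled ("less restrictive ok EKU's") and understates what the switch does: it relaxes the EKU check NSS applies to peer certificates, which is a trust decision an operator should see spelled out rather than infer. Suggest `# Use the NSS IPsec profile (certificateUsageIPsec) for X.509 validation: it is less restrictive on EKUs than the SSL client/server usages, and requires an NSS carrying the patch from bug 1252891 — a stock NSS will not build with NSS_IPSEC_PROFILE defined.` Defaulting it to false is the right fail-safe choice. Note also that `-DNSS_REQ_AVA_COPY` moved from lib/libswan's CFLAGS into NSSFLAGS here while plutomain.c now tests that macro as well, so NSSFLAGS must reach both the libswan and pluto compiles; where NSSFLAGS is consumed is not visible in this diff and should be confirmed.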
@@ -299,6 +299,28 @@ static int vfy_chain_pkix(CERTCertificate **chain, int chain_len, cvout[1].value.pointer.chain = NULL; cvout[2].type = cert_po_end; + int fin; + +#ifdef NSS_IPSEC_PROFILE + SECStatus rv = CERT_PKIXVerifyCert(end_cert, certificateUsageIPsec, + cvin, cvout, NULL); + if (rv != SECSuccess || cur_log->count > 0) { + if (cur_log->count > 0 && cur_log->head != NULL) { + fin = nss_err_to_revfail(cur_log->head); + } else { + /* + * An rv != SECSuccess without CERTVerifyLog + * results should not * happen, but catch it anyway + */ + loglog(RC_LOG_SERIOUS, "X509: unspecified NSS verification failure"); + fin = VERIFY_RET_FAIL; + } + } else { + DBG(DBG_X509, DBG_log("certificate is valid")); + *end_out = end_cert; + fin = VERIFY_RET_OK; + } +#else /* kludge alert!! * verification may be performed twice: once with the * 'client' usage and once with 'server', which is an NSS @@ -307,12 +329,10 @@ static int vfy_chain_pkix(CERTCertificate **chain, int chain_len, * KU/EKU combinations */ - int fin; SECCertificateUsage usage; for (usage = certificateUsageSSLClient; ; usage = certificateUsageSSLServer) { SECStatus rv = CERT_PKIXVerifyCert(end_cert, usage, cvin, cvout, NULL); - if (rv != SECSuccess || cur_log->count > 0) { if (cur_log->count > 0 && cur_log->head != NULL) { if (usage == certificateUsageSSLClient && @@ -346,6 +366,7 @@ static int vfy_chain_pkix(CERTCertificate **chain, int chain_len, } break; } +#endif pexpect(fin != 0); CERT_DestroyCertList(trustcl); diff --git a/programs/pluto/plutomain.c b/programs/pluto/plutomain.c index 50582822d..007d73f45 100644 --- a/programs/pluto/plutomain.c +++ b/programs/pluto/plutomain.c @@ -180,6 +180,12 @@ static const char compile_time_interop_options[] = "" " BROKEN_POPEN" #endif " NSS" +#ifdef NSS_REQ_AVA_COPY + " (AVA copy)" +#endif +#ifdef NSS_IPSEC_PROFILE + " (IPsec profile)" +#endif #ifdef USE_DNSSEC " DNSSEC" #endif
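Review bot: In the new `#ifdef NSS_IPSEC_PROFILE` branch the "should not happen" fallback (rv != SECSuccess with an empty verify log) discards the NSS error code, so a failure there cannot be diagnosed from the log; include it, e.g. `loglog(RC_LOG_SERIOUS, "X509: unspecified NSS verification failure (%d)", PORT_GetError());`, assuming the NSS error API is already in scope in this file. The comment above that line also carries a stray `*` in its text ("should not * happen"). The success branch correctly requires both `rv == SECSuccess` and an empty verify log, which is the fail-closed choice; the failure mapping keys only on `cur_log->head`, mirroring the SSL-usage path, so whether nss_err_to_revfail can ever yield a non-failing value for a logged error is worth confirming outside this hunk. The branch otherwise duplicates the verify/log-mapping code of the `#else` path with only the usage constant changed, so a small static helper parameterised on the usage would keep the two from drifting. vfy_chain_pkix begins before and continues after this hunk.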