From: Daniel Lenski Date: Mon, 31 May 2021 22:56:30 +0000 (-0700) Subject: Clarify 'Certificate Validation Failure' error from Cisco servers X-Git-Tag: v8.20~154^2 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=82c85c8fd0caf6f27fd5622a8c7714ba3738e2f9;p=users%2Fdwmw2%2Fopenconnect.git Clarify 'Certificate Validation Failure' error from Cisco servers Cisco servers send this ambiguous error string when the CLIENT certificate is absent or incorrect. We rewrite it to make this clearer, while preserving the original error as a substring. See #160. Signed-off-by: Daniel Lenski --- diff --git a/auth.c b/auth.c index 89fe3cde..f0747830 100644 --- a/auth.c +++ b/auth.c @@ -681,8 +681,18 @@ static int handle_auth_form(struct openconnect_info *vpninfo, struct oc_auth_for if (!form->opts) { if (form->message) vpn_progress(vpninfo, PRG_INFO, "%s\n", form->message); - if (form->error) - vpn_progress(vpninfo, PRG_ERR, "%s\n", form->error); + if (form->error) { + if (!strcmp(form->error, "Certificate Validation Failure")) { + /* XX: Cisco servers send this ambiguous error string when the CLIENT certificate + * is absent or incorrect. We rewrite it to make this clearer, while preserving + * the original error as a substring. + */ + free(form->error); + if (!(form->error = strdup(_("Client certificate missing or incorrect (Certificate Validation Failure)")))) + return -ENOMEM; + } else + vpn_progress(vpninfo, PRG_ERR, "%s\n", form->error); + } if (!strcmp(form->auth_id, "openconnect_authentication_complete")) goto justpost; return -EPERM;
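Review bot: In the `if (form->error)` block of `handle_auth_form()`, the rewritten message is never passed to `vpn_progress()` in the lines shown, because the `PRG_ERR` call now sits in the `else` branch and runs only for other error strings. On the "Certificate Validation Failure" path, `form->error` is replaced and the function continues to the `auth_id` check and `return -EPERM` without logging anything. Unless a caller that is not visible here prints `form->error`, the user sees less on this path than before the change. Dropping the `else` so that `vpn_progress(vpninfo, PRG_ERR, "%s\n", form->error);` runs after the rewrite would cover both cases. Two smaller points: the exact `strcmp()` match will miss the string if a server adds trailing whitespace or changes the case, so it is worth stating in the comment that exact equality is intended; and the unbraced `} else` after a braced `if` body would read more clearly with braces on both arms.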