From 82c85c8fd0caf6f27fd5622a8c7714ba3738e2f9 Mon Sep 17 00:00:00 2001
From: Daniel Lenski
Date: Mon, 31 May 2021 15:56:30 -0700
Subject: [PATCH] Clarify 'Certificate Validation Failure' error from Cisco servers

Cisco servers send this ambiguous error string when the CLIENT certificate is absent or incorrect. We rewrite it to make this clearer, while preserving the original error as a substring. See #160.
Signed-off-by: Daniel Lenski
---
 auth.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/auth.c b/auth.c
index 89fe3cde..f0747830 100644
--- a/auth.c
+++ b/auth.c
@@ -681,8 +681,18 @@ static int handle_auth_form(struct openconnect_info *vpninfo, struct oc_auth_for
 if (!form->opts) {
 if (form->message)
 vpn_progress(vpninfo, PRG_INFO, "%s\n", form->message);
- if (form->error)
- vpn_progress(vpninfo, PRG_ERR, "%s\n", form->error);
+ if (form->error) {
+ if (!strcmp(form->error, "Certificate Validation Failure")) {
+ /* XX: Cisco servers send this ambiguous error string when the CLIENT certificate
+ * is absent or incorrect. We rewrite it to make this clearer, while preserving
+ * the original error as a substring.
+ */
+ free(form->error);
+ if (!(form->error = strdup(_("Client certificate missing or incorrect (Certificate Validation Failure)"))))
+ return -ENOMEM;
+ } else
+ vpn_progress(vpninfo, PRG_ERR, "%s\n", form->error);
+ }
 if (!strcmp(form->auth_id, "openconnect_authentication_complete"))
 goto justpost;
 return -EPERM;
--
2.49.0
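Review bot: The new `Certificate Validation Failure` branch replaces `form->error` but no longer logs it, because the PRG_ERR `vpn_progress` call now sits in the `else` arm and runs only for other error strings. Unless a caller outside this hunk displays `form->error` after the `-EPERM` return, a user whose client certificate was rejected gets less diagnostic output than before the change. Dropping the `else` so that `vpn_progress(vpninfo, PRG_ERR, "%s\n", form->error);` runs after either path would log the clarified text; if the message is shown elsewhere, a short comment saying where would help. The comparison is also an exact `strcmp` on a server-supplied string, so any variation in case or whitespace falls through to the original wording, which is a safe default worth stating in the comment. handle_auth_form starts and ends outside the hunk.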