From 74cabf7948b2597f5b6a67d6910c844fd1a88ff6 Mon Sep 17 00:00:00 2001
From: wolfbeast
Date: Sat, 15 Dec 2018 01:42:53 +0100
Subject: Update NSS to 3.41
---
 security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
(limited to 'security/nss/lib/libpkix')
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
index fa8f1851e..145dcff9a 100644
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
@@ -2914,7 +2914,8 @@ PKIX_PL_Cert_CheckValidity(
 requiredUsages = ((PKIX_PL_NssContext*)plContext)->certificateUsage;
 allowOverride = (PRBool)((requiredUsages & certificateUsageSSLServer) ||
- (requiredUsages & certificateUsageSSLServerWithStepUp));
+ (requiredUsages & certificateUsageSSLServerWithStepUp) ||
+ (requiredUsages & certificateUsageIPsec));
 val = CERT_CheckCertValidTimes(cert->nssCert, timeToCheck, allowOverride);
 if (val != secCertTimeValid){
 PKIX_ERROR(PKIX_CERTCHECKCERTVALIDTIMESFAILED);
@@ -3001,8 +3002,17 @@ PKIX_PL_Cert_VerifyCertAndKeyType(
 if (CERT_CheckKeyUsage(cert->nssCert, requiredKeyUsage) != SECSuccess) {
 PKIX_ERROR(PKIX_CERTCHECKKEYUSAGEFAILED);
 }
- if (!(certType & requiredCertType)) {
- PKIX_ERROR(PKIX_CERTCHECKCERTTYPEFAILED);
+ if (certUsage != certUsageIPsec) {
+ if (!(certType & requiredCertType)) {
+ PKIX_ERROR(PKIX_CERTCHECKCERTTYPEFAILED);
+ }
+ } else {
+ PRBool isCritical;
+ PRBool allowed = cert_EKUAllowsIPsecIKE(cert->nssCert, &isCritical);
+ /* If the extension isn't critical, we allow any EKU value. */
+ if (isCritical && !allowed) {
+ PKIX_ERROR(PKIX_CERTCHECKCERTTYPEFAILED);
+ }
 }
 cleanup:
 PKIX_DECREF(basicConstraints);
-- 
cgit v1.2.3
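Review bot: The `allowOverride` expression in PKIX_PL_Cert_CheckValidity now also covers `certificateUsageIPsec`, but nothing at the assignment says why a validity-period override is acceptable for IPsec peers. As far as I know, `CERT_CheckCertValidTimes` called with `allowOverride` set accepts a certificate that carries the stored per-certificate time override even when it is expired or not yet valid, a mechanism meant for a user who accepted an expired TLS server certificate; IKE authentication usually has no such interactive step. I would add a comment above the assignment such as `/* Honour a stored validity-time override only for SSL server and IPsec usages; all other usages enforce notBefore/notAfter strictly. */` and confirm that the override can only be set deliberately on the IPsec path. The function body starts and ends outside this hunk.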
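Review bot: `isCritical` in the new IPsec branch of PKIX_PL_Cert_VerifyCertAndKeyType is read straight after the call without being initialised here, so the check relies on `cert_EKUAllowsIPsecIKE` writing it on every return path, including the case where the certificate has no EKU extension; that function is not visible in this diff. Declaring it as `PRBool isCritical = PR_FALSE;` keeps the decision deterministic and consistent with the stated policy even if the helper returns early. For this usage the `certType & requiredCertType` test is also skipped entirely and a non-critical EKU without the IKE purposes is accepted, so the one-line comment should say that this leniency is deliberate and why, since it is weaker than what the other usages enforce. The function starts and ends outside the hunk.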