author | tobhe <tobhe@cvs.openbsd.org> | 2020-09-08 20:20:31 +0000 |
---|---|---|
committer | tobhe <tobhe@cvs.openbsd.org> | 2020-09-08 20:20:31 +0000 |
commit | 9a522c178e3a2ff8abae703d7dac75e6e9f9740d (patch) | |
tree | 35cd5d7d55971e73660dd1a78733da4284e24f2e /sbin | |
parent | d075eab76001a27094f942528416eaa3e621c525 (diff) |
Fix auth method negotiation for IKEV2_CERT_X509_CERT. If a cert matching
the CERTREQ is found, don't wait for more requests.
Correctly set type if cert was found as fallback.
ok patrick@
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/iked/ca.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/sbin/iked/ca.c b/sbin/iked/ca.c index b536ec69383..0f1949a8e7d 100644 --- a/sbin/iked/ca.c +++ b/sbin/iked/ca.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ca.c,v 1.69 2020/08/21 14:30:17 tobhe Exp $ */ +/* $OpenBSD: ca.c,v 1.70 2020/09/08 20:20:30 tobhe Exp $ */ /* * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> @@ -575,12 +575,16 @@ ca_getreq(struct iked *env, struct imsg *imsg) * was found and this was the last CERTREQ, try to find one with * subjectAltName matching the ID */ - if (more) + if (cert == NULL && more) return (0); if (cert == NULL) cert = ca_by_subjectaltname(store->ca_certs, &id); + /* Set type if coming from fallback */ + if (cert != NULL) + type = IKEV2_CERT_X509_CERT; + /* If there is no matching certificate use local raw pubkey */ if (cert == NULL) { if (ikev2_print_static_id(&id, idstr, sizeof(idstr)) == -1) |
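Review bot: In the ca_getreq() hunk, the added `if (cert != NULL) type = IKEV2_CERT_X509_CERT;` runs for every non-NULL cert, not only one returned by ca_by_subjectaltname(), so the comment "Set type if coming from fallback" describes less than the code does. If the assignment is meant only for the fallback path, move it inside the preceding `if (cert == NULL)` branch, after the ca_by_subjectaltname() call and guarded by its result. If overwriting type for a cert that was already set is intended, reword the comment to say so. The block comment above `if (cert == NULL && more)` could also mention that a found cert now skips the wait for further CERTREQs, since the early return no longer depends on `more` alone.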