authortobhe <tobhe@openbsd.org>2020-09-16 21:21:23 +0000
committertobhe <tobhe@openbsd.org>2020-09-16 21:21:23 +0000
commit5d0e41c134ff7ea148218fab7bf66d99207018dd (patch)
tree036aac7628c39a0c8910b4bf998925d8808e9d8d
parentStop removing the control socket on exit and tighten the unveil even (diff)
Fix EAP authentication if the initiator sends no certificate
request. The locally configured request is used as fallback to find a certificate or key to send. The local auth method for MSCHAP-V2 should be IKEV2_AUTH_SIG_ANY, which defaults to X509 certificates, instead of raw RSA keys. Tested with Strongswan, iPhone and Windows. Found by and ok sthen@ ok patrick@
-rw-r--r--sbin/iked/parse.y4
1 files changed, 2 insertions, 2 deletions
diff --git a/sbin/iked/parse.y b/sbin/iked/parse.y
index cd236e09e29..bc68823e750 100644
--- a/sbin/iked/parse.y
+++ b/sbin/iked/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.110 2020/09/05 19:14:32 tobhe Exp $ */
+/* $OpenBSD: parse.y,v 1.111 2020/09/16 21:21:23 tobhe Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -1016,7 +1016,7 @@ ikeauth : /* empty */ {
}
free($2);
- $$.auth_method = IKEV2_AUTH_RSA_SIG;
+ $$.auth_method = IKEV2_AUTH_SIG_ANY;
$$.auth_eap = EAP_TYPE_MSCHAP_V2;
$$.auth_length = 0;
}
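Review bot: The assignment `$$.auth_method = IKEV2_AUTH_SIG_ANY;` in the EAP branch of `ikeauth` has no comment saying that this is the local side's method, while `auth_eap` describes how the peer authenticates; the commit message relies on that distinction. I would add `/* local auth: SIG_ANY (defaults to X509 certs, not raw RSA keys); peer uses EAP */` above it so the constant is not narrowed back to a fixed method later. Because the local credential now depends on what is configured, the configuration documentation could also state that an EAP policy expects a certificate on the local side. Whether setups that only have a raw key are still served cannot be seen from this hunk. The `ikeauth` rule starts before the hunk and continues after it.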