authorho <ho@openbsd.org>2002-09-05 17:30:03 +0000
committerho <ho@openbsd.org>2002-09-05 17:30:03 +0000
commit82bf5ee88da5347d5f8fc75a7ef05e1079a67ad9 (patch)
tree388bb6f5f16bb81c49ccdcb6fc555799a5f4526a
parentlacnic support; from Loic Tortay <loict@bougon.net>. (diff)
Without IDs, wait until the next step/retry to handle CERTREQs. This should
make certificate auth work better with some clients, such as SSH Sentinel.
-rw-r--r--sbin/isakmpd/exchange.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/sbin/isakmpd/exchange.c b/sbin/isakmpd/exchange.c
index 80b89f71731..a7f2245f109 100644
--- a/sbin/isakmpd/exchange.c
+++ b/sbin/isakmpd/exchange.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: exchange.c,v 1.68 2002/09/05 14:54:16 ho Exp $ */
+/* $OpenBSD: exchange.c,v 1.69 2002/09/05 17:30:03 ho Exp $ */
/* $EOM: exchange.c,v 1.143 2000/12/04 00:02:25 angelos Exp $ */
/*
@@ -1645,6 +1645,15 @@ exchange_add_certs (struct message *msg)
id = exchange->initiator ? exchange->id_r : exchange->id_i;
id_len = exchange->initiator ? exchange->id_r_len : exchange->id_i_len;
+ /*
+ * Without IDs we cannot handle this yet. Keep the aca_list around for
+ * a later step/retry to see if we got the ID by then.
+ * Note: A 'return -1' breaks X509-auth interop in the responder case
+ * with some IPSec clients that send CERTREQs early (ex SSH Sentinel).
+ */
+ if (!id)
+ return 0;
+
for (aca = TAILQ_FIRST (&exchange->aca_list); aca;
aca = TAILQ_NEXT (aca, link))
{