author | 2020-09-08 20:20:30 +0000 | |
---|---|---|
committer | 2020-09-08 20:20:30 +0000 | |
commit | 9956fe8fb0deeebec9febdfb6b69d62a84b2085f (patch) | |
tree | 8af526c652b80e4e8a9a80f392435379b105dbb6 | |
parent | Add a function to scan for PCI Express extended capabilities. (diff) | |
download | wireguard-openbsd-9956fe8fb0deeebec9febdfb6b69d62a84b2085f.tar.xz wireguard-openbsd-9956fe8fb0deeebec9febdfb6b69d62a84b2085f.zip |
Fix auth method negotiation for IKEV2_CERT_X509_CERT. If a cert matching
the CERTREQ is found, don't wait for more requests.
Correctly set type if cert was found as fallback.
ok patrick@
-rw-r--r-- | sbin/iked/ca.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/sbin/iked/ca.c b/sbin/iked/ca.c index b536ec69383..0f1949a8e7d 100644 --- a/sbin/iked/ca.c +++ b/sbin/iked/ca.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ca.c,v 1.69 2020/08/21 14:30:17 tobhe Exp $ */ +/* $OpenBSD: ca.c,v 1.70 2020/09/08 20:20:30 tobhe Exp $ */ /* * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> @@ -575,12 +575,16 @@ ca_getreq(struct iked *env, struct imsg *imsg) * was found and this was the last CERTREQ, try to find one with * subjectAltName matching the ID */ - if (more) + if (cert == NULL && more) return (0); if (cert == NULL) cert = ca_by_subjectaltname(store->ca_certs, &id); + /* Set type if coming from fallback */ + if (cert != NULL) + type = IKEV2_CERT_X509_CERT; + /* If there is no matching certificate use local raw pubkey */ if (cert == NULL) { if (ikev2_print_static_id(&id, idstr, sizeof(idstr)) == -1) |
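Review bot: In the ca_getreq() hunk, the added `if (cert != NULL) type = IKEV2_CERT_X509_CERT;` runs for every non-NULL cert, not only for one returned by ca_by_subjectaltname(), so the comment "Set type if coming from fallback" does not match what the code does. Either scope the assignment to the fallback path (set the type only when the ca_by_subjectaltname() call inside `if (cert == NULL)` returns a cert), or reword the comment to say the type is set whenever an X.509 cert was selected. Separately, the visible part of the block comment above `if (cert == NULL && more)` still talks about the case where no cert was found on the last CERTREQ; with the new condition a cert that was found falls through while further CERTREQs are still pending, so that comment should say that remaining requests are not waited for. It is also worth confirming that a later CERTREQ for the same exchange cannot lead to a second reply, since that handling is not visible in this hunk.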