
List:       openbsd-tech
Subject:    Re: Reenable ASN1_DN IDs with certificates in iked
From:       Tim Stewart <tim () stoo ! org>
Date:       2017-05-17 5:41:55
Message-ID: 87k25gjazg.fsf () stoo ! org

Here is a version of the previous patch that preserves tabs properly.
Apologies.

-TimS


Index: parse.y
===================================================================
RCS file: /cvs/src/sbin/iked/parse.y,v
retrieving revision 1.65
diff -u -p -r1.65 parse.y
--- parse.y	24 Apr 2017 07:07:25 -0000	1.65
+++ parse.y	17 May 2017 05:40:39 -0000
@@ -1735,6 +1735,8 @@ set_policy_auth_method(const char *peeri
 	method = IKEV2_AUTH_NONE;
 	cert_type = IKEV2_CERT_NONE;

+	ikeauth = &pol->pol_auth;
+
 	if (key != NULL) {
 		/* infer policy from key type */
 		if ((rsa = EVP_PKEY_get1_RSA(key)) != NULL) {
@@ -1767,14 +1769,16 @@ set_policy_auth_method(const char *peeri

 		if (method == IKEV2_AUTH_NONE || cert_type == IKEV2_CERT_NONE)
 			return (-1);
+	} else if (ikeauth->auth_method == IKEV2_AUTH_RSA_SIG) {
+		/* default to IKEV2_CERT_X509_CERT otherwise */
+		method = IKEV2_AUTH_RSA_SIG;
+		cert_type = IKEV2_CERT_X509_CERT;
 	} else {
 		/* default to IKEV2_CERT_X509_CERT otherwise */
 		method = IKEV2_AUTH_SIG;
 		cert_type = IKEV2_CERT_X509_CERT;
 	}

-	ikeauth = &pol->pol_auth;
-
 	if (ikeauth->auth_method == IKEV2_AUTH_SHARED_KEY_MIC) {
 		if (key != NULL &&
 		    method != IKEV2_AUTH_RSA_SIG)
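Review bot: The comment on the new `else if` branch is copied verbatim from the `else` branch below it and no longer describes what the branch does: it is taken when no local key was supplied and the policy already names IKEV2_AUTH_RSA_SIG, and it keeps RSA signatures instead of falling back to the generic IKEV2_AUTH_SIG default. Suggest replacing it with `/* policy explicitly asks for RSA signatures; keep that with X.509 certs */` so the two branches can be told apart. set_policy_auth_method starts before this hunk and the key-inference branch between the first two hunks is not shown, so how an RSA key sets `method` there is inferred rather than visible.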
@@ -1784,6 +1788,7 @@ set_policy_auth_method(const char *peeri

 	if (ikeauth->auth_method != IKEV2_AUTH_NONE &&
 	    ikeauth->auth_method != IKEV2_AUTH_SIG_ANY &&
+	    ikeauth->auth_method != IKEV2_AUTH_RSA_SIG &&
 	    ikeauth->auth_method != method)
 		goto mismatch;
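Review bot: The added `ikeauth->auth_method != IKEV2_AUTH_RSA_SIG &&` clause looks broader than the fix needs: once the new `else if` in the previous hunk assigns `method = IKEV2_AUTH_RSA_SIG` for the certificate case, a configured RSA_SIG policy already equals `method` and passes the existing `ikeauth->auth_method != method` test. The only remaining effect of the new line is therefore the `key != NULL` path, where a local key inferred some other method and the policy still says RSA_SIG — which is the inconsistency this check exists to report, and it would now be silently accepted. Unless there is a case I cannot see here, dropping the added line keeps the certificate fix intact and preserves the mismatch diagnostic; if it is kept, a comment naming the key/policy combination it deliberately admits, e.g. `/* RSA_SIG policy with <which key type> is accepted because ... */`, would stop the next reader from treating it as an oversight. The key-inference code and the `mismatch:` label are both outside the hunk, so the inferred-method claim is based on the `infer policy from key type` comment and the EVP_PKEY_get1_RSA call visible in the first hunk.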

