Ignore any CERT payload after the first instead of failing the exchange

when more than one is received.  The first CERT is always the leaf
certificate, additional payloads can be used to send intermediate certs
which iked can not handle at the moment.
This fixes exchanges where the certificate chain is still valid because
matching intermediate certs are available locally in /etc/iked.

Reported and tested by Loïc Revest <l.revest (at) apc.fr>
ok mbuhl@

diff --git a/sbin/iked/ikev2_pld.c b/sbin/iked/ikev2_pld.c
index a68b7bf..d2ec6bd 100644 (file)
--- a/sbin/iked/ikev2_pld.c
+++ b/sbin/iked/ikev2_pld.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ikev2_pld.c,v 1.123 2022/03/14 12:58:55 tobhe Exp $   */
+/*     $OpenBSD: ikev2_pld.c,v 1.124 2022/07/04 09:23:15 tobhe Exp $   */
 
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -827,9 +827,9 @@ ikev2_pld_cert(struct iked *env, struct ikev2_payload *pld,
 
        certid = &msg->msg_parent->msg_cert;
        if (certid->id_type) {
-               log_info("%s: multiple cert payloads not supported",
+               log_debug("%s: multiple cert payloads, ignoring",
                   SPI_SA(sa, __func__));
-               return (-1);
+               return (0);
        }
 
        if ((certid->id_buf = ibuf_new(buf, len)) == NULL) {