From 58c71edf26cfa1d162b0e9e0bcc64b370ff465d1 Mon Sep 17 00:00:00 2001
From: reyk
Date: Mon, 24 Apr 2017 07:07:25 +0000
Subject: [PATCH] Fix configuration of ASN1_DN IDs.

Public key authentication uses public key files that are stored in the /etc/iked/pubkeys/ directory where the IKE IDs are encoded as filenames. This does not simply work with ASN1_DNs where the IDs include slashes and other special characters. Instead of breaking and failing when an ASN1_DN is configured, simply skip the public key lookup but allow to use it with certificates or PSKs. Reported and fix tested by Igor V. Gubenko - Thanks.
---
 sbin/iked/parse.y | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/sbin/iked/parse.y b/sbin/iked/parse.y
index aa2a6426b31..419a5996f36 100644
--- a/sbin/iked/parse.y
+++ b/sbin/iked/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.64 2017/03/28 16:56:39 reyk Exp $ */
+/* $OpenBSD: parse.y,v 1.65 2017/04/24 07:07:25 reyk Exp $ */
 
 /*
  * Copyright (c) 2010-2013 Reyk Floeter
@@ -1807,7 +1807,7 @@ set_policy(char *idstr, int type, struct iked_policy *pol)
 {
 char keyfile[PATH_MAX];
 const char *prefix = NULL;
- EVP_PKEY *key;
+ EVP_PKEY *key = NULL;
 
 switch (type) {
 case IKEV2_ID_IPV4:
@@ -1822,6 +1822,9 @@ set_policy(char *idstr, int type, struct iked_policy *pol)
 case IKEV2_ID_UFQDN:
 prefix = "ufqdn";
 break;
+ case IKEV2_ID_ASN1_DN:
+ /* public key authentication is not supported with ASN.1 IDs */
+ goto done;
 default:
 /* Unspecified ID or public key not supported for this type */
 log_debug("%s: unknown type = %d", __func__, type);
@@ -1841,6 +1844,7 @@ set_policy(char *idstr, int type, struct iked_policy *pol)
 keyfile);
 }
 
+ done:
 if (set_policy_auth_method(keyfile, key, pol) < 0) {
 EVP_PKEY_free(key);
 log_warnx("%s: failed to set policy auth method for %s",
-- 
2.20.1
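Review bot: The new `goto done` in the IKEV2_ID_ASN1_DN case jumps past the code that fills keyfile, so at the `done:` label in the last hunk `set_policy_auth_method(keyfile, key, pol)` receives a buffer that still holds indeterminate stack contents, since the earlier hunk declares it as `char keyfile[PATH_MAX];` with no initializer. If set_policy_auth_method or the log_warnx that follows reads the buffer when key is NULL (the log message's `%s` argument is outside the hunk and presumably is keyfile), that is a read of uninitialized memory; the cheap fix is to initialize it at the declaration, `char keyfile[PATH_MAX] = "";`, or to set `keyfile[0] = '\0';` before the goto. The new comment could also carry the reason given in the commit message, e.g. `/* ASN.1 DNs contain '/' and other characters that cannot be encoded as pubkey filenames; skip the lookup and rely on certificates or PSKs */`. set_policy's body continues outside these hunks and set_policy_auth_method is not visible here, so whether the uninitialized buffer is actually dereferenced cannot be confirmed from the diff.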