From cdb427a22c11d66b3a8b7d327e76c2408174dd7b Mon Sep 17 00:00:00 2001
From: tobhe
Date: Mon, 4 Jul 2022 09:23:15 +0000
Subject: [PATCH] Ignore any CERT payload after the first instead of failing the exchange when more than one is received. The first CERT is always the leaf certificate, additional payloads can be used to send intermediate certs which iked can not handle at the moment. This fixes exchanges where the certificate chain is still valid because matching intermediate certs are available locally in /etc/iked.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Reported and tested by Loïc Revest
ok mbuhl@
---
 sbin/iked/ikev2_pld.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sbin/iked/ikev2_pld.c b/sbin/iked/ikev2_pld.c
index a68b7bfab74..d2ec6bd6423 100644
--- a/sbin/iked/ikev2_pld.c
+++ b/sbin/iked/ikev2_pld.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2_pld.c,v 1.123 2022/03/14 12:58:55 tobhe Exp $ */
+/* $OpenBSD: ikev2_pld.c,v 1.124 2022/07/04 09:23:15 tobhe Exp $ */
 
 /*
 * Copyright (c) 2019 Tobias Heider
@@ -827,9 +827,9 @@ ikev2_pld_cert(struct iked *env, struct ikev2_payload *pld,
 
 certid = &msg->msg_parent->msg_cert;
 if (certid->id_type) {
- log_info("%s: multiple cert payloads not supported",
+ log_debug("%s: multiple cert payloads, ignoring",
 SPI_SA(sa, __func__));
- return (-1);
+ return (0);
 }
 
 if ((certid->id_buf = ibuf_new(buf, len)) == NULL) {
-- 
2.20.1
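Review bot: The early `return (0)` in the second hunk now silently drops every CERT payload after the first, but nothing in the code records why that is acceptable, so a maintainer reading ikev2_pld_cert alone sees an unexplained discard of peer-supplied data. Add a comment above the `if (certid->id_type)` check, e.g. `/* Only the first CERT (the peer's end-entity cert) is used; later ones carry intermediates iked cannot process yet and are skipped. */`, so the reasoning in the commit message survives in the source. Because the skipped payload is never inspected, chain validation then depends entirely on intermediates installed locally; saying so in the log line, e.g. `"%s: multiple cert payloads, ignoring (intermediates must be installed locally)"`, would make a debug trace of a failed chain far easier to diagnose. The body of ikev2_pld_cert begins and ends outside the hunk; the first hunk is only the RCS id bump.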