From e5e37197fd032db5dd502e35c97063dba7d2af14 Mon Sep 17 00:00:00 2001
From: tobhe
Date: Thu, 11 Feb 2021 22:02:41 +0000
Subject: [PATCH] Explicitly unset IKED_REQ_CERTVALID before sending cert to ca process. ok markus@
---
 sbin/iked/ikev2.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 49bbf7ffb9a..979d1295189 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.305 2021/02/10 22:25:54 tobhe Exp $ */
+/* $OpenBSD: ikev2.c,v 1.306 2021/02/11 22:02:41 tobhe Exp $ */

 /*
 * Copyright (c) 2019 Tobias Heider
@@ -1011,6 +1011,7 @@ ikev2_ike_auth_recv(struct iked *env, struct iked_sa *sa,
 certlen = ibuf_length(msg->msg_cert.id_buf);
 bzero(&msg->msg_cert, sizeof(msg->msg_cert));
 }
+ sa->sa_stateflags &= ~IKED_REQ_CERTVALID;
 if (ca_setcert(env, &sa->sa_hdr, id, certtype, cert, certlen, PROC_CERT) == -1)
 return (-1);
 }
--
2.20.1
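Review bot: The added `sa->sa_stateflags &= ~IKED_REQ_CERTVALID;` in the second hunk carries no comment, although it appears to be an authentication-state reset rather than routine bookkeeping. Presumably its purpose is that a CERTVALID bit left over from an earlier certificate cannot stand in for the ca process's verdict on the one being submitted. I would put `/* Forget any earlier validation result; only the ca reply for this cert may set it again. */` directly above it so the line is not later removed as redundant. The clear sits inside a block whose condition lies outside the hunk, and ikev2_ike_auth_recv itself starts and ends outside it, so it cannot be confirmed from here that every path handing a peer certificate to ca_setcert() performs the same reset. Any other ca_setcert() callers in the file are worth checking for that.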