Here is a version of the previous patch that preserves tabs properly. Apologies.
-TimS Index: parse.y =================================================================== RCS file: /cvs/src/sbin/iked/parse.y,v retrieving revision 1.65 diff -u -p -r1.65 parse.y --- parse.y 24 Apr 2017 07:07:25 -0000 1.65 +++ parse.y 17 May 2017 05:40:39 -0000 @@ -1735,6 +1735,8 @@ set_policy_auth_method(const char *peeri method = IKEV2_AUTH_NONE; cert_type = IKEV2_CERT_NONE; + ikeauth = &pol->pol_auth; + if (key != NULL) { /* infer policy from key type */ if ((rsa = EVP_PKEY_get1_RSA(key)) != NULL) { @@ -1767,14 +1769,16 @@ set_policy_auth_method(const char *peeri if (method == IKEV2_AUTH_NONE || cert_type == IKEV2_CERT_NONE) return (-1); + } else if (ikeauth->auth_method == IKEV2_AUTH_RSA_SIG) { + /* default to IKEV2_CERT_X509_CERT otherwise */ + method = IKEV2_AUTH_RSA_SIG; + cert_type = IKEV2_CERT_X509_CERT; } else { /* default to IKEV2_CERT_X509_CERT otherwise */ method = IKEV2_AUTH_SIG; cert_type = IKEV2_CERT_X509_CERT; } - ikeauth = &pol->pol_auth; - if (ikeauth->auth_method == IKEV2_AUTH_SHARED_KEY_MIC) { if (key != NULL && method != IKEV2_AUTH_RSA_SIG) @@ -1784,6 +1788,7 @@ set_policy_auth_method(const char *peeri if (ikeauth->auth_method != IKEV2_AUTH_NONE && ikeauth->auth_method != IKEV2_AUTH_SIG_ANY && + ikeauth->auth_method != IKEV2_AUTH_RSA_SIG && ikeauth->auth_method != method) goto mismatch;
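Review bot: The comment on the new `else if (ikeauth->auth_method == IKEV2_AUTH_RSA_SIG)` branch in the second hunk is a verbatim copy of the one on the final `else`. It does not say why this case keeps `IKEV2_AUTH_RSA_SIG` instead of falling through to `IKEV2_AUTH_SIG`. I would reword it to something like `/* no key given: keep the explicitly configured rsa method, with X.509 certs */`, so the next reader can see that the policy's explicit method is deliberately honoured here. The body of set_policy_auth_method starts and ends outside the hunk.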
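Review bot: The term `ikeauth->auth_method != IKEV2_AUTH_RSA_SIG &&` added to the mismatch test in the last hunk exempts an explicit rsa policy from the comparison with `method` altogether, not only when no key is supplied. In the no-key case the new `else if` branch already sets `method = IKEV2_AUTH_RSA_SIG`, so `ikeauth->auth_method != method` is false there without the extra term. Its only remaining effect appears to be that a policy pinned to RSA signatures no longer reaches `goto mismatch` when the key-inference code, part of which is outside the hunks, produced a different method from the supplied key. If that is not intended, drop the term or narrow it to the no-key case, e.g. `!(key == NULL && ikeauth->auth_method == IKEV2_AUTH_RSA_SIG) &&`. What the code after this test does with `method` and `cert_type` is not visible here, so it is worth checking that an explicit rsa policy cannot end up paired with a non-RSA key.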