On 2015-07-03, Stuart Henderson <s...@spacehopper.org> wrote:
> On 2015-07-02, Denis Lapshin <den...@mindall.org> wrote:
>> ikev2_pld_payloads: decrypted payload CERTREQ nextpayload CP critical 
>> 0x00 length 5
>> ikev2_pld_certreq: type X509_CERT signatures length 0
>> ikev2_pld_certreq: invalid certificate request
>> ikev2_resp_recv: failed to parse message
>
> iked doesn't accept an empty certreq (which appears to be valid); this affects
> interop with Firebrick's implementation too.
>
>

Denis replied off-list but his MTA isn't answering so I'll reply here.

<den...@mindall.org>: connect to mindall.org[5.23.109.177]:25: Connection
    refused

On 2015/07/03 11:40, Denis Lapshin wrote:
> Stuart,
> 
> What can be done to accept an empty certreq (or fill certreq) on server's
> side and/or phone's side to obtain a connection?

You could try this diff, though I'm not sure whether it is correct,
I don't have a suitable IKEv2 implementation to test against myself.

Index: ikev2_pld.c
===================================================================
RCS file: /cvs/src/sbin/iked/ikev2_pld.c,v
retrieving revision 1.50
diff -u -p -r1.50 ikev2_pld.c
--- ikev2_pld.c 26 Mar 2015 19:52:35 -0000      1.50
+++ ikev2_pld.c 3 Jul 2015 09:19:29 -0000
@@ -916,7 +916,9 @@ ikev2_pld_certreq(struct iked *env, stru
                return (0);
 
        if (cert.cert_type == IKEV2_CERT_X509_CERT) {
-               if (!len || (len % SHA_DIGEST_LENGTH) != 0) {
+               if (!len)
+                       return (0);
+               if ((len % SHA_DIGEST_LENGTH) != 0) {
                        log_debug("%s: invalid certificate request", __func__);
                        return (-1);
                }
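Review bot: the new `if (!len) return (0);` makes an empty X.509 CERTREQ disappear silently, so the debug trail that let Denis spot this interop problem in the first place ("ikev2_pld_certreq: invalid certificate request") is gone without a replacement; add a log_debug before the return, e.g. `log_debug("%s: empty certificate request, ignoring", __func__);`, so the case stays visible in `iked -dv` output. Returning early also skips whatever ikev2_pld_certreq does after this check for the X.509 case, which is the intent (treat the request as expressing no CA preference), but worth confirming that the caller does not assume a successfully parsed CERTREQ has populated the peer's CA-hash list. The remaining `len % SHA_DIGEST_LENGTH` check still rejects lists that are not a whole number of 20-byte hashes, which is right to keep.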

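For reference, here is a small stand-alone encoder/decoder for the IKEv2 CERTREQ payload that reproduces the two policies side by side: the r1.50 behaviour (zero-length X.509 CA list is an error) and the behaviour after the diff above (zero-length list accepted as "no preference"). This is an added example, not iked's code; the constants (X.509 encoding 4, CP payload type 47, 20-byte SHA-1 hashes, 5-byte header) follow RFC 7296, the helper names are invented, and the sample bytes are constructed to match what the log lines above describe (next payload CP, flags 0x00, length 5, type X509_CERT, no hashes).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SHA_DIGEST_LENGTH	20
#define IKEV2_CERT_X509_CERT	4	/* RFC 7296 s.3.6: X.509 Certificate - Signature */
#define IKEV2_PAYLOAD_CP	47	/* RFC 7296 s.3.2: Configuration payload */
#define CERTREQ_HDR_LEN		5	/* 4-byte generic header + 1-byte Cert Encoding */

struct certreq {
	uint8_t		 next_payload;
	uint8_t		 critical;	/* raw flags byte; bit 7 is the C bit */
	uint16_t	 length;	/* payload length including generic header */
	uint8_t		 cert_type;
	size_t		 ncas;		/* number of 20-byte CA key hashes */
	const uint8_t	*cas;		/* points into the caller's buffer */
};

/* Encode an X.509 CERTREQ carrying nhashes SHA-1 hashes of trusted CA keys.
 * Returns the payload length, or 0 if it does not fit in cap. */
size_t
build_certreq(uint8_t *out, size_t cap, uint8_t next,
    const uint8_t *hashes, size_t nhashes)
{
	size_t len = CERTREQ_HDR_LEN + nhashes * SHA_DIGEST_LENGTH;

	if (len > cap || len > UINT16_MAX)
		return 0;
	out[0] = next;
	out[1] = 0x00;			/* not critical */
	out[2] = (uint8_t)(len >> 8);
	out[3] = (uint8_t)(len & 0xff);
	out[4] = IKEV2_CERT_X509_CERT;
	if (nhashes)
		memcpy(out + CERTREQ_HDR_LEN, hashes, nhashes * SHA_DIGEST_LENGTH);
	return len;
}

/* Decode one CERTREQ payload: 0 on success, -1 on a malformed payload
 * (iked's convention).  reject_empty selects the r1.50 policy. */
int
parse_certreq(const uint8_t *buf, size_t buflen, int reject_empty,
    struct certreq *out)
{
	uint16_t	plen;
	size_t		len;

	if (buflen < CERTREQ_HDR_LEN)
		return -1;
	plen = (uint16_t)((buf[2] << 8) | buf[3]);
	if (plen < CERTREQ_HDR_LEN || plen > buflen)
		return -1;		/* length field disagrees with buffer */
	memset(out, 0, sizeof(*out));
	out->next_payload = buf[0];
	out->critical = buf[1];
	out->length = plen;
	out->cert_type = buf[4];
	len = plen - CERTREQ_HDR_LEN;

	if (out->cert_type != IKEV2_CERT_X509_CERT)
		return 0;		/* other encodings not inspected here */
	if (len == 0)
		return reject_empty ? -1 : 0;
	if (len % SHA_DIGEST_LENGTH != 0)
		return -1;		/* not a whole number of SHA-1 hashes */
	out->ncas = len / SHA_DIGEST_LENGTH;
	out->cas = buf + CERTREQ_HDR_LEN;
	return 0;
}

/* Constructed: the bytes the log above describes (CP next, flags 0x00,
 * length 5, X.509 encoding, zero CA hashes). */
static const uint8_t certreq_from_log[] = { 0x2f, 0x00, 0x00, 0x05, 0x04 };

/* Parse the logged payload under either policy; returns the parse result. */
int
check_logged_certreq(int reject_empty)
{
	struct certreq cr;

	return parse_certreq(certreq_from_log, sizeof(certreq_from_log),
	    reject_empty, &cr);
}

/* Encode nhashes constructed (not real) hashes and count what the parser
 * sees; -1 if the parser rejected the payload.  nhashes <= 3. */
int
roundtrip_ca_count(size_t nhashes)
{
	uint8_t		hashes[3 * SHA_DIGEST_LENGTH], buf[128];
	struct certreq	cr;
	size_t		len;

	if (nhashes > 3)
		return -1;
	memset(hashes, 0xab, sizeof(hashes));
	len = build_certreq(buf, sizeof(buf), IKEV2_PAYLOAD_CP, hashes, nhashes);
	if (len == 0 || parse_certreq(buf, len, 0, &cr) != 0)
		return -1;
	return (int)cr.ncas;
}

/* A zero-hash encoding must reproduce the logged bytes exactly. */
int
encoder_matches_log(void)
{
	uint8_t buf[CERTREQ_HDR_LEN];
	size_t len = build_certreq(buf, sizeof(buf), IKEV2_PAYLOAD_CP, NULL, 0);

	return len == sizeof(certreq_from_log) &&
	    memcmp(buf, certreq_from_log, len) == 0;
}

int
main(void)
{
	printf("empty CERTREQ, r1.50 policy:   %d\n", check_logged_certreq(1));
	printf("empty CERTREQ, patched policy: %d\n", check_logged_certreq(0));
	printf("two-CA round trip: %d hashes\n", roundtrip_ca_count(2));
	return 0;
}
```

The point the length-5 payload makes is that the peer is requesting an X.509 certificate without naming any trusted CA, so the responder has nothing to match against and simply has to fall back to its configured certificate; a parser that wants to keep rejecting truncated or odd-sized CA lists can do so while still letting the zero-length case through.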