Thank you, the patch appears to work. I haven't fully tested
connecting/establishing connections, so I'll send another update.

Prior to the patch, iked also complained about lack of public keys for
PSK connections 1 and 2 (in /etc/iked/pubkeys/fqdn/).
It doesn't mind them being absent anymore though.

- Igor

On 4/20/17 5:44 PM, Reyk Floeter wrote:
> --- sbin/iked/parse.y 28 Mar 2017 16:56:39 -0000      1.64
> +++ sbin/iked/parse.y 20 Apr 2017 21:40:14 -0000
> @@ -1807,7 +1807,7 @@ set_policy(char *idstr, int type, struct
>  {
>       char             keyfile[PATH_MAX];
>       const char      *prefix = NULL;
> -     EVP_PKEY        *key;
> +     EVP_PKEY        *key = NULL;
>  
>       switch (type) {
>       case IKEV2_ID_IPV4:
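Review bot: initializing `key` to NULL is required rather than cosmetic, because the new `goto done` path added for the ASN.1 DN case reaches `set_policy_auth_method(keyfile, key, pol)` and `EVP_PKEY_free(key)` without `key` ever being assigned; `EVP_PKEY_free(NULL)` is a no-op, but `set_policy_auth_method()` is outside this diff, so please confirm it treats a NULL key as "no public key configured" instead of dereferencing it.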
> @@ -1822,6 +1822,9 @@ set_policy(char *idstr, int type, struct
>       case IKEV2_ID_UFQDN:
>               prefix = "ufqdn";
>               break;
> +     case IKEV2_ID_ASN1_DN:
> +             /* public key authentication is not supported with ASN.1 IDs */
> +             goto done;
>       default:
>               /* Unspecified ID or public key not supported for this type */
>               log_debug("%s: unknown type = %d", __func__, type);
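Review bot: `keyfile` is still uninitialized when the new `IKEV2_ID_ASN1_DN` case jumps to `done:`, yet it is passed to `set_policy_auth_method(keyfile, key, pol)` there; either clear it before the switch (`keyfile[0] = '\0';`) or have the callee ignore `keyfile` whenever `key == NULL`, so no path reads stack garbage. A `log_debug()` in this case, mirroring the one in the `default:` branch, would also make it visible in debug output that public key authentication was skipped for an ASN.1 DN identity.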
> @@ -1841,6 +1844,7 @@ set_policy(char *idstr, int type, struct
>                   keyfile);
>       }
>  
> + done:
>       if (set_policy_auth_method(keyfile, key, pol) < 0) {
>               EVP_PKEY_free(key);
>               log_warnx("%s: failed to set policy auth method for %s",
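Review bot: the `done:` label is placed directly in front of the `set_policy_auth_method()` call, so the NULL-key path shares the error handling below it; `EVP_PKEY_free(NULL)` is safe, but the `log_warnx()` reports a failure "for %s" with an argument that is cut off in the quoted hunk, and if that argument is `keyfile` it will print an uninitialized buffer on the ASN.1 DN path. A one-line comment above the label stating that `key` may be NULL at this point would document the new invariant for future readers.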
