ikev2: Store signature scheme used to verify peer in auth_cfg
authorTobias Brunner <tobias@strongswan.org>
Wed, 25 Feb 2015 15:44:46 +0000 (16:44 +0100)
committerTobias Brunner <tobias@strongswan.org>
Wed, 4 Mar 2015 12:54:09 +0000 (13:54 +0100)
This enables late connection switching based on the signature scheme used
for IKEv2 and allows to enforce stronger signature schemes.

This may break existing connections with peers that don't support RFC 7427
if signature schemes are currently used in `rightauth` for certificate chain
validation and if the configured schemes are stronger than the default used
for IKE (e.g. SHA-1 for RSA).

src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c

index 59e1670..f7ededb 100644 (file)
@@ -321,6 +321,7 @@ METHOD(authenticator_t, process, status_t,
                                                   id, auth_method_names, auth_method);
                        status = SUCCESS;
                        auth->merge(auth, current_auth, FALSE);
+                       auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, (uintptr_t)scheme);
                        auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
                        break;
                }