projects / strongswan.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 708dff0)
tkm: Disable RFC 7427 signature authentication
authorTobias Brunner <tobias@strongswan.org>
Fri, 6 Mar 2015 15:10:41 +0000 (16:10 +0100)
committerTobias Brunner <tobias@strongswan.org>
Mon, 9 Mar 2015 15:59:07 +0000 (16:59 +0100)
TKM can't verify such signatures so we'd fail in the authorize hook.
Skipping the algorithm identifier doesn't help if the peer uses
anything other than SHA-1, so config changes would be required.

src/charon-tkm/src/charon-tkm.c patch | blob | history

diff --git a/src/charon-tkm/src/charon-tkm.c b/src/charon-tkm/src/charon-tkm.c
index a6770fc..7c60f0c 100644 (file)
--- a/src/charon-tkm/src/charon-tkm.c
+++ b/src/charon-tkm/src/charon-tkm.c
@@ -276,6 +276,10 @@ int main(int argc, char *argv[])
                goto deinit;
        }
 
+       /* the authorize hook currently does not support RFC 7427 signature auth */
+       lib->settings->set_bool(lib->settings, "%s.signature_authentication", FALSE,
+                                                       dmn_name);
+
        /* make sure we log to the DAEMON facility by default */
        lib->settings->set_int(lib->settings, "%s.syslog.daemon.default",
                        lib->settings->get_int(lib->settings, "%s.syslog.daemon.default", 1,
strongSwan - IPsec VPN