ikev2: Try all RSA signature schemes if none is configured

diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
index 52539456eb44cbe1182cc4c093ea5999bc48d61c..965f70aa5544b7b7f43543ac4a8c9e94341d2b82 100644 (file)
--- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
@@ -159,11 +159,26 @@ static signature_scheme_t select_signature_scheme(keymat_v2_t *keymat,
                }
                enumerator->destroy(enumerator);
 
-               /* default to the scheme we'd use with classic authentication */
-               if (selected == SIGN_UNKNOWN && key_type == KEY_RSA &&
-                       keymat->hash_algorithm_supported(keymat, HASH_SHA1))
+               /* for RSA we tried at least SHA-512, also try other schemes down to
+                * what we'd use with classic authentication */
+               if (selected == SIGN_UNKNOWN && key_type == KEY_RSA)
                {
-                       selected = SIGN_RSA_EMSA_PKCS1_SHA1;
+                       signature_scheme_t schemes[] = {
+                               SIGN_RSA_EMSA_PKCS1_SHA384,
+                               SIGN_RSA_EMSA_PKCS1_SHA256,
+                               SIGN_RSA_EMSA_PKCS1_SHA1,
+                       };
+                       int i;
+
+                       for (i = 0; i < countof(schemes); i++)
+                       {
+                               if (keymat->hash_algorithm_supported(keymat,
+                                                                       hasher_from_signature_scheme(schemes[i])))
+                               {
+                                       selected = scheme;
+                                       break;
+                               }
+                       }
                }
        }
        return selected;