ikev2: Store signature scheme used to verify peer in auth_cfg
authorTobias Brunner <tobias@strongswan.org>
Wed, 25 Feb 2015 15:44:46 +0000 (16:44 +0100)
committerTobias Brunner <tobias@strongswan.org>
Wed, 4 Mar 2015 12:54:09 +0000 (13:54 +0100)
This enables late connection switching based on the signature scheme used
for IKEv2 and allows enforcing stronger signature schemes.

This may break existing connections with peers that don't support RFC 7427
if signature schemes are currently used in `rightauth` for certificate chain
validation and if the configured schemes are stronger than the default used
for IKE (e.g. SHA-1 for RSA).

src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c

index 59e16701082787e2ec8ddbb21478b4c461bec5e4..f7ededb89a51efdeff87048845d497b31be59904 100644 (file)
@@ -321,6 +321,7 @@ METHOD(authenticator_t, process, status_t,
                                                   id, auth_method_names, auth_method);
                        status = SUCCESS;
                        auth->merge(auth, current_auth, FALSE);
+                       auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, (uintptr_t)scheme);
                        auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
                        break;
                }
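Review bot: The added `auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, (uintptr_t)scheme);` carries no comment distinguishing this entry from the signature schemes that `auth->merge(auth, current_auth, FALSE)` on the line above may already have copied from certificate-chain validation, which is exactly the ambiguity the commit message warns about for `rightauth`. I would add `/* record the scheme used for the peer's AUTH payload so rightauth constraints apply to IKE, not only to the trust chain */` above the new line. Since the merge runs first, if `current_auth` already holds `AUTH_RULE_SIGNATURE_SCHEME` entries the IKE scheme presumably ends up alongside them rather than replacing them; whether `add` treats this rule as multi-valued is not visible here and is worth confirming so the later constraint check matches the intent. The definition of `scheme` and the rest of `process` lie outside the hunk, so that it is the scheme actually used in the successful verification cannot be checked from this hunk alone.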