From: Tobias Brunner <tobias@strongswan.org>
Date: Tue, 3 Mar 2015 18:32:35 +0000 (+0100)
Subject: ikev2: Try all RSA signature schemes if none is configured
X-Git-Tag: 5.3.0dr1~39^2~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4e6f102842ef13dd3b78bfddfcb8b5482904e968;p=thirdparty%2Fstrongswan.git

ikev2: Try all RSA signature schemes if none is configured
---

diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
index 52539456eb..965f70aa55 100644
--- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
@@ -159,11 +159,26 @@ static signature_scheme_t select_signature_scheme(keymat_v2_t *keymat,
 		}
 		enumerator->destroy(enumerator);
 
-		/* default to the scheme we'd use with classic authentication */
-		if (selected == SIGN_UNKNOWN && key_type == KEY_RSA &&
-			keymat->hash_algorithm_supported(keymat, HASH_SHA1))
+		/* for RSA we tried at least SHA-512, also try other schemes down to
+		 * what we'd use with classic authentication */
+		if (selected == SIGN_UNKNOWN && key_type == KEY_RSA)
 		{
-			selected = SIGN_RSA_EMSA_PKCS1_SHA1;
+			signature_scheme_t schemes[] = {
+				SIGN_RSA_EMSA_PKCS1_SHA384,
+				SIGN_RSA_EMSA_PKCS1_SHA256,
+				SIGN_RSA_EMSA_PKCS1_SHA1,
+			};
+			int i;
+
+			for (i = 0; i < countof(schemes); i++)
+			{
+				if (keymat->hash_algorithm_supported(keymat,
+									hasher_from_signature_scheme(schemes[i])))
+				{
+					selected = scheme;
+					break;
+				}
+			}
 		}
 	}
 	return selected;