From: Tobias Brunner Date: Wed, 25 Feb 2015 15:44:46 +0000 (+0100) Subject: ikev2: Store signature scheme used to verify peer in auth_cfg X-Git-Tag: 5.3.0dr1~39^2~21 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a7bbe59f85da90a61f93fe4d0d1d1d2b0f60e130;p=thirdparty%2Fstrongswan.git ikev2: Store signature scheme used to verify peer in auth_cfg This enables late connection switching based on the signature scheme used for IKEv2 and allows to enforce stronger signature schemes. This may break existing connections with peers that don't support RFC 7427 if signature schemes are currently used in `rightauth` for certificate chain validation and if the configured schemes are stronger than the default used for IKE (e.g. SHA-1 for RSA).
---
diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
index 59e1670108..f7ededb89a 100644
--- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
@@ -321,6 +321,7 @@ METHOD(authenticator_t, process, status_t,
 id, auth_method_names, auth_method);
 status = SUCCESS;
 auth->merge(auth, current_auth, FALSE);
+ auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, (uintptr_t)scheme);
 auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
 break;
 }
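Review bot: The added `auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, (uintptr_t)scheme);` records the scheme that verified the IKE AUTH payload under the same rule that, as far as I can tell, the trust-chain validation already uses for the certificate signatures merged in from `current_auth` on the line above, so a single `rightauth` scheme constraint is now evaluated against both kinds of signature, which is the compatibility break the description admits for peers without RFC 7427 support, where `scheme` presumably falls back to the default for the key type. A rule dedicated to the IKE signature scheme, checked separately from the chain schemes, would let an operator tighten one without the other; if sharing one rule is intended, a comment at the added line should say so, e.g. `/* scheme used to verify the IKE AUTH payload; stored with the chain schemes so rightauth constraints cover both */`. Where `scheme` is assigned is not visible in this hunk, and process() starts and ends outside it.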