From: Tobias Brunner
Date: Fri, 6 Mar 2015 15:10:41 +0000 (+0100)
Subject: tkm: Disable RFC 7427 signature authentication
X-Git-Tag: 5.3.0dr1~17
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ab65a3e8fc1a3ca4c6e72e11af84d2f51abf6db9;p=thirdparty%2Fstrongswan.git
tkm: Disable RFC 7427 signature authentication
TKM can't verify such signatures so we'd fail in the authorize hook. Skipping the algorithm identifier doesn't help if the peer uses anything other than SHA-1, so config changes would be required.
---
diff --git a/src/charon-tkm/src/charon-tkm.c b/src/charon-tkm/src/charon-tkm.c
index a6770fc507..7c60f0ca80 100644
--- a/src/charon-tkm/src/charon-tkm.c
+++ b/src/charon-tkm/src/charon-tkm.c
@@ -276,6 +276,10 @@ int main(int argc, char *argv[])
 goto deinit;
 }
 
+ /* the authorize hook currently does not support RFC 7427 signature auth */
+ lib->settings->set_bool(lib->settings, "%s.signature_authentication", FALSE,
+ dmn_name);
+
 /* make sure we log to the DAEMON facility by default */
 lib->settings->set_int(lib->settings, "%s.syslog.daemon.default",
 lib->settings->get_int(lib->settings, "%s.syslog.daemon.default", 1,
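Review bot: The added `set_bool` call in `main()` forces `%s.signature_authentication` to FALSE unconditionally, so an operator who explicitly enabled the option in the configuration gets no indication that the daemon ignores it. The comment could state that consequence, e.g. `/* TKM cannot verify RFC 7427 signatures in the authorize hook, so force the option off regardless of configuration; peers must use classic IKEv2 signature authentication */`, and the same restriction belongs in the charon-tkm documentation. If the daemon can reload its settings at runtime, which this hunk does not show, the override would presumably have to be re-applied after each reload; that is worth confirming. `main()` starts and ends outside the hunk.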