From cc048f0c50f8e5e45de66f9368232727efba76bd Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Thu, 26 Feb 2015 17:36:41 +0100 Subject: [PATCH] ikev2: Fall back to SHA-1 signatures for RSA This is really just a fallback to "classic" IKEv2 authentication if the other peer supports no stronger hash algorithms. --- .../sa/ikev2/authenticators/pubkey_authenticator.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c index 576aa4c630..d8c4570dcc 100644 --- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c +++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c @@ -153,6 +153,13 @@ static signature_scheme_t select_signature_scheme(keymat_v2_t *keymat, } } enumerator->destroy(enumerator); + + /* default to the scheme we'd use with classic authentication */ + if (selected == SIGN_UNKNOWN && key_type == KEY_RSA && + keymat->hash_algorithm_supported(keymat, HASH_SHA1)) + { + selected = SIGN_RSA_EMSA_PKCS1_SHA1; + } } return selected; } -- 2.47.2