From a7bbe59f85da90a61f93fe4d0d1d1d2b0f60e130 Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Wed, 25 Feb 2015 16:44:46 +0100 Subject: [PATCH] ikev2: Store signature scheme used to verify peer in auth_cfg This enables late connection switching based on the signature scheme used for IKEv2 and allows to enforce stronger signature schemes. This may break existing connections with peers that don't support RFC 7427 if signature schemes are currently used in `rightauth` for certificate chain validation and if the configured schemes are stronger than the default used for IKE (e.g. SHA-1 for RSA). --- src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c index 59e1670108..f7ededb89a 100644 --- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c +++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c @@ -321,6 +321,7 @@ METHOD(authenticator_t, process, status_t, id, auth_method_names, auth_method); status = SUCCESS; auth->merge(auth, current_auth, FALSE); + auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, (uintptr_t)scheme); auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); break; } -- 2.47.2