sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-15 00:00:16 -04:00
Code Issues Projects Releases Wiki Activity

ikev2: Try all RSA signature schemes if none is configured

Browse Source
This commit is contained in:
Tobias Brunner 2015-03-03 19:32:35 +01:00
parent 1d94b7950b
commit 4e6f102842
1 changed files with 19 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
View File

@ -159,11 +159,26 @@ static signature_scheme_t select_signature_scheme(keymat_v2_t *keymat,
}
enumerator->destroy(enumerator);
/* default to the scheme we'd use with classic authentication */
if (selected == SIGN_UNKNOWN && key_type == KEY_RSA &&
keymat->hash_algorithm_supported(keymat, HASH_SHA1))
/* for RSA we tried at least SHA-512, also try other schemes down to
* what we'd use with classic authentication */
if (selected == SIGN_UNKNOWN && key_type == KEY_RSA)
{
selected = SIGN_RSA_EMSA_PKCS1_SHA1;
signature_scheme_t schemes[] = {
SIGN_RSA_EMSA_PKCS1_SHA384,
SIGN_RSA_EMSA_PKCS1_SHA256,
SIGN_RSA_EMSA_PKCS1_SHA1,
};
int i;
for (i = 0; i < countof(schemes); i++)
{
if (keymat->hash_algorithm_supported(keymat,
hasher_from_signature_scheme(schemes[i])))
{
selected = scheme;
break;
}
}
}
}
return selected;