author | 2020-04-07 18:52:57 +0000 | |
---|---|---|
committer | 2020-04-07 18:52:57 +0000 | |
commit | c4fdf8b8ce85fdd534cdf06e6be9e345cb6dbbdd (patch) | |
tree | bec3cd2a0e678a1899397a6a4346aadd29270b67 | |
parent | Do not create /hooray as part of the regress test. Regress tests (diff) | |
Always prefer generic signature authentication (RFC 7427), not just for RSA.
ok markus@
-rw-r--r-- | sbin/iked/ca.c | 21 |
1 files changed, 18 insertions, 3 deletions
diff --git a/sbin/iked/ca.c b/sbin/iked/ca.c
index 46d123a3623..a211215569b 100644
--- a/sbin/iked/ca.c
+++ b/sbin/iked/ca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ca.c,v 1.56 2020/04/06 20:23:16 tobhe Exp $ */
+/* $OpenBSD: ca.c,v 1.57 2020/04/07 18:52:57 tobhe Exp $ */
 /*
 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
@@ -329,6 +329,20 @@ ca_setreq(struct iked *env, struct iked_sa *sa,
 return (ret);
 }
 
+static int
+auth_sig_compatible(uint8_t type)
+{
+ switch (type) {
+ case IKEV2_AUTH_RSA_SIG:
+ case IKEV2_AUTH_ECDSA_256:
+ case IKEV2_AUTH_ECDSA_384:
+ case IKEV2_AUTH_ECDSA_521:
+ case IKEV2_AUTH_SIG_ANY:
+ return (1);
+ }
+ return (0);
+}
+
 int
 ca_setauth(struct iked *env, struct iked_sa *sa, struct ibuf *authmsg,
 enum privsep_procid id)
@@ -340,8 +354,9 @@ ca_setauth(struct iked *env, struct iked_sa *sa,
 
 if (id == PROC_CERT) {
 /* switch encoding to IKEV2_AUTH_SIG if SHA2 is supported */
- if (sa->sa_sigsha2 && type == IKEV2_AUTH_RSA_SIG) {
- log_debug("%s: switching RSA_SIG to SIG", __func__);
+ if (sa->sa_sigsha2 && auth_sig_compatible(type)) {
+ log_debug("%s: switching %s to SIG", __func__,
+ print_map(type, ikev2_auth_map));
 type = IKEV2_AUTH_SIG;
 } else if (!sa->sa_sigsha2 && type == IKEV2_AUTH_SIG_ANY) {
 log_debug("%s: switching SIG to RSA_SIG(*)", __func__); |
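Review bot: The new helper auth_sig_compatible() has no comment saying what "compatible" means, yet it now decides which configured authentication methods get silently rewritten to IKEV2_AUTH_SIG in ca_setauth(); a one-line header such as `/* Methods that can be carried as an RFC 7427 digital signature (IKEV2_AUTH_SIG). */` would make the intent and the set membership reviewable. The legacy ECDSA methods (RFC 4754) each imply a fixed hash for the curve, while IKEV2_AUTH_SIG takes its hash from whatever sa_sigsha2 reflects, so the code that later picks the hash and builds the AlgorithmIdentifier must still match the key's curve; that code is outside this hunk and I cannot confirm it from here. The fallback branch for !sa_sigsha2 && IKEV2_AUTH_SIG_ANY still maps to RSA_SIG regardless of key type, which this commit does not change; a comment noting that non-RSA keys cannot be used without peer SHA2 support would help. ca_setauth's body continues past the end of the hunk.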