ikev2: Don't use SHA-1 for RFC 7427 signature authentication

RFC 8247 demoted it to MUST NOT. References #2427.
author: Tobias Brunner <tobias@strongswan.org> 2017-09-19 11:10:09 +0200
committer: Tobias Brunner <tobias@strongswan.org> 2017-11-08 16:47:24 +0100
commit: 43b59d13239e0d9593649b77bdea3651150f6132 (patch)
tree: 7fec605b0c29e2bbc64a40588814f63eaef1b1e1 /src/libcharon/sa
parent: 76c58498efd1a80a70966889bd3fdc3b9e863b06 (diff)
download: strongswan-43b59d13239e0d9593649b77bdea3651150f6132.tar.bz2
strongswan-43b59d13239e0d9593649b77bdea3651150f6132.tar.xz
1 files changed, 1 insertions, 3 deletions
diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
index 19ea72d0b..b2b1ef289 100644
--- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
@@ -156,14 +156,12 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat,
 		}
 		enumerator->destroy(enumerator);
 
-		/* for RSA we tried at least SHA-512, also try other schemes down to
-		 * what we'd use with classic authentication */
+		/* for RSA we tried at least SHA-512, also try other schemes */
 		if (key_type == KEY_RSA)
 		{
 			signature_scheme_t schemes[] = {
 				SIGN_RSA_EMSA_PKCS1_SHA2_384,
 				SIGN_RSA_EMSA_PKCS1_SHA2_256,
-				SIGN_RSA_EMSA_PKCS1_SHA1,
 			}, contained;
 			bool found;
 			int i, j;
author	Tobias Brunner <tobias@strongswan.org>	2017-09-19 11:10:09 +0200
committer	Tobias Brunner <tobias@strongswan.org>	2017-11-08 16:47:24 +0100
commit	43b59d13239e0d9593649b77bdea3651150f6132 (patch)
tree	7fec605b0c29e2bbc64a40588814f63eaef1b1e1 /src/libcharon/sa
parent	76c58498efd1a80a70966889bd3fdc3b9e863b06 (diff)
download	strongswan-43b59d13239e0d9593649b77bdea3651150f6132.tar.bz2 strongswan-43b59d13239e0d9593649b77bdea3651150f6132.tar.xz