keymat: Check for aes256-sha512 in derive_ike_keys

Return FALSE if peers try to use other algorithm combinations.
author: Reto Buerki <reet@codelabs.ch> 2012-08-30 11:25:14 +0200
committer: Tobias Brunner <tobias@strongswan.org> 2013-03-19 15:23:46 +0100
commit: e7a497c30761a7e949ea928401a785eecd6db31b (patch)
tree: aad718d2508ab1f720d734bbeddb6f04157e093c /src
parent: 51fdbd042901635280f98d4ee96231b2890f7feb (diff)
download: strongswan-e7a497c30761a7e949ea928401a785eecd6db31b.tar.bz2
strongswan-e7a497c30761a7e949ea928401a785eecd6db31b.tar.xz
1 files changed, 8 insertions, 0 deletions
diff --git a/src/charon-tkm/src/tkm/tkm_keymat.c b/src/charon-tkm/src/tkm/tkm_keymat.c
index 0c71967e3..43e0c1f02 100644
--- a/src/charon-tkm/src/tkm/tkm_keymat.c
+++ b/src/charon-tkm/src/tkm/tkm_keymat.c
@@ -179,6 +179,14 @@ METHOD(tkm_keymat_t, derive_ike_keys, bool,
 				INTEGRITY_ALGORITHM);
 		return FALSE;
 	}
+	if (!(enc_alg == ENCR_AES_CBC && key_size == 256 &&
+			int_alg == AUTH_HMAC_SHA2_512_256))
+	{
+		DBG1(DBG_IKE, "the TKM only supports aes256-sha512 at the moment, please"
+				" update your configuration");
+		return FALSE;
+	}
+
 	DBG2(DBG_IKE, "using %N for encryption, %N for integrity",
 			encryption_algorithm_names, enc_alg,
 			integrity_algorithm_names, int_alg);
author	Reto Buerki <reet@codelabs.ch>	2012-08-30 11:25:14 +0200
committer	Tobias Brunner <tobias@strongswan.org>	2013-03-19 15:23:46 +0100
commit	e7a497c30761a7e949ea928401a785eecd6db31b (patch)
tree	aad718d2508ab1f720d734bbeddb6f04157e093c /src
parent	51fdbd042901635280f98d4ee96231b2890f7feb (diff)
download	strongswan-e7a497c30761a7e949ea928401a785eecd6db31b.tar.bz2 strongswan-e7a497c30761a7e949ea928401a785eecd6db31b.tar.xz