keymat: Check for aes256-sha512 in derive_ike_keys
authorReto Buerki <reet@codelabs.ch>
Thu, 30 Aug 2012 09:25:14 +0000 (11:25 +0200)
committerTobias Brunner <tobias@strongswan.org>
Tue, 19 Mar 2013 14:23:46 +0000 (15:23 +0100)
Return FALSE if peers try to use other algorithm combinations.

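--- a/src/charon-tkm/src/tkm/tkm_keymat.c
+++ b/src/charon-tkm/src/tkm/tkm_keymat.c
@@ -179,6 +179,14 @@ METHOD(tkm_keymat_t, derive_ike_keys, bool,
                                 INTEGRITY_ALGORITHM);
                 return FALSE;
         }
+       if (!(enc_alg == ENCR_AES_CBC && key_size == 256 &&
+                       int_alg == AUTH_HMAC_SHA2_512_256))
+       {
+               DBG1(DBG_IKE, "the TKM only supports aes256-sha512 at the moment, please"
+                               " update your configuration");
+               return FALSE;
+       }
+
         DBG2(DBG_IKE, "using %N for encryption, %N for integrity",
                         encryption_algorithm_names, enc_alg,
                         integrity_algorithm_names, int_alg);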
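Review bot: The new rejection branch logs a fixed string, so a failed negotiation leaves no record of which combination was rejected; the algorithm names are printed only by the DBG2 below, which this branch never reaches. Consider logging the offending values, e.g. `DBG1(DBG_IKE, "the TKM only supports aes256-sha512, got %N-%d with %N", encryption_algorithm_names, enc_alg, key_size, integrity_algorithm_names, int_alg);` (this assumes key_size is an integer type, as its declaration is outside the hunk). The condition pins encryption, key size and integrity only. If the TKM also fixes the PRF or DH group, it is worth confirming they are validated elsewhere in derive_ike_keys, so the allow-list fails closed on every negotiated transform. A one-line comment above the `if`, such as `/* TKM implements a single fixed suite; reject everything else */`, would also make the intent clear.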