From: Reto Buerki <reet@codelabs.ch>
Date: Thu, 30 Aug 2012 09:25:14 +0000 (+0200)
Subject: keymat: Check for aes256-sha512 in derive_ike_keys
X-Git-Tag: 5.0.3rc1~39^2~75
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e7a497c30761a7e949ea928401a785eecd6db31b;p=thirdparty%2Fstrongswan.git

keymat: Check for aes256-sha512 in derive_ike_keys

Return FALSE if peers try to use other algorithm combinations.
---

diff --git a/src/charon-tkm/src/tkm/tkm_keymat.c b/src/charon-tkm/src/tkm/tkm_keymat.c
index 0c71967e31..43e0c1f024 100644
--- a/src/charon-tkm/src/tkm/tkm_keymat.c
+++ b/src/charon-tkm/src/tkm/tkm_keymat.c
@@ -179,6 +179,14 @@ METHOD(tkm_keymat_t, derive_ike_keys, bool,
 				INTEGRITY_ALGORITHM);
 		return FALSE;
 	}
+	if (!(enc_alg == ENCR_AES_CBC && key_size == 256 &&
+			int_alg == AUTH_HMAC_SHA2_512_256))
+	{
+		DBG1(DBG_IKE, "the TKM only supports aes256-sha512 at the moment, please"
+				" update your configuration");
+		return FALSE;
+	}
+
 	DBG2(DBG_IKE, "using %N for encryption, %N for integrity",
 			encryption_algorithm_names, enc_alg,
 			integrity_algorithm_names, int_alg);