From: Tobias Brunner Date: Wed, 10 May 2017 17:37:22 +0000 (+0200) Subject: vici: Make 96-bit truncation for SHA-256 configurable X-Git-Tag: 5.5.3~22^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0afe0eca67d696a4842462dea949739ba0554a8b;p=thirdparty%2Fstrongswan.git vici: Make 96-bit truncation for SHA-256 configurable
---
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 46eaf5cffa..3af67df94d 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -525,6 +525,7 @@ static void log_child_data(child_data_t *data, char *name)
 DBG2(DBG_CFG, " local_ts = %#R", data->local_ts);
 DBG2(DBG_CFG, " remote_ts = %#R", data->remote_ts);
 DBG2(DBG_CFG, " hw_offload = %u", cfg->options & OPT_HW_OFFLOAD);
+ DBG2(DBG_CFG, " sha256_96 = %u", cfg->options & OPT_SHA256_96);
 }
 
 /**
@@ -891,6 +892,15 @@ CALLBACK(parse_opt_hw_offl, bool,
 return parse_option(out, OPT_HW_OFFLOAD, v);
 }
 
+/**
+ * Parse OPT_SHA256_96 option
+ */
+CALLBACK(parse_opt_sha256_96, bool,
+ child_cfg_option_t *out, chunk_t v)
+{
+ return parse_option(out, OPT_SHA256_96, v);
+}
+
 /**
  * Parse an action_t
  */
@@ -1550,6 +1560,7 @@ CALLBACK(child_kv, bool,
 { "priority", parse_uint32, &child->cfg.priority },
 { "interface", parse_string, &child->cfg.interface },
 { "hw_offload", parse_opt_hw_offl, &child->cfg.options },
+ { "sha256_96", parse_opt_sha256_96,&child->cfg.options },
 };
 
 return parse_rules(rules, countof(rules), name, value,
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index 496dbf3cd6..7e204db61f 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
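Review bot: The new `DBG2` line formats `cfg->options & OPT_SHA256_96` with `%u`, so what gets logged is the flag's numeric bit value rather than 0 or 1 unless OPT_SHA256_96 happens to be the lowest bit (its value is not visible here). That mirrors the hw_offload line directly above, so it is a question of style rather than a defect, but a reader of the log will likely expect a yes/no. If a boolean reading is intended, `DBG2(DBG_CFG, " sha256_96 = %u", !!(cfg->options & OPT_SHA256_96));` prints 0/1 regardless of the enum's bit position. log_child_data begins before this hunk.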
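Review bot: The doc comment on `parse_opt_sha256_96` says only `Parse OPT_SHA256_96 option`, which tells a maintainer nothing about what the flag does or why it is a compatibility knob. The swanctl.opt text in this same commit states that HMAC-SHA-256 normally uses 128-bit truncation (as RFC 4868 specifies), that this option selects the incorrect 96-bit length, and that it is not negotiated, so only peers configured the same way will interoperate; that context belongs next to the code too. I would extend the comment to `Parse OPT_SHA256_96 option (non-standard 96-bit ICV truncation for HMAC-SHA-256; not negotiated, so both peers must be configured alike)`. The callback itself mirrors parse_opt_hw_offl and just delegates to parse_option, so I see no behavioural concern in the hunk.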
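Review bot: The new rule entry `{ "sha256_96", parse_opt_sha256_96,&child->cfg.options },` is missing the space after the second comma that every neighbouring entry in the table has; `{ "sha256_96", parse_opt_sha256_96, &child->cfg.options },` keeps the table consistent with the surrounding style. The key string matches the option name documented in swanctl.opt in this commit, so the lookup itself looks right. child_kv's body begins before the hunk and the parse_rules call continues after it.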
@@ -651,6 +651,15 @@ connections..children..esp_proposals = default
 for interoperability. If no algorithms are specified for AH nor ESP, the _default_ set of algorithms for ESP is included.
 
+connections..children..sha256_96 = no
+ Use incorrect 96-bit truncation for HMAC-SHA-256.
+
+ HMAC-SHA-256 is used with 128-bit truncation with IPsec. For compatibility
+ with implementations that incorrectly use 96-bit truncation this option may
+ be enabled to configure the shorter truncation length in the kernel. This
+ is not negotiated, so this only works with peers that use the incorrect
+ truncation length (or have this option enabled).
+
 connections..children..local_ts = dynamic
 Local traffic selectors to include in CHILD_SA.