child-cfg: Optionally use 96-bit truncation for HMAC-SHA-256

The correct truncation is 128-bit but some implementations insist on
using 96-bit truncation.  With strongSwan this can be negotiated using
an algorithm identifier from a private range.  But this doesn't work
with third-party implementations.  This adds an option to use 96-bit
truncation even if the official identifier is used.

2 files changed, 11 insertions, 0 deletions

diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h
index 56ffab597..a102c459c 100644
--- a/src/libcharon/config/child_cfg.h
+++ b/src/libcharon/config/child_cfg.h
@@ -307,6 +307,9 @@ enum child_cfg_option_t {
 
 	/** Enable hardware offload, if supported by the IPsec backend */
 	OPT_HW_OFFLOAD = (1<<5),
+
+	/** Force 96-bit truncation for SHA-256 */
+	OPT_SHA256_96 = (1<<6),
 };
 
 /**
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index 1d615915f..e1ffc2aae 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -802,6 +802,14 @@ static status_t install_internal(private_child_sa_t *this, chunk_t encr,
 	this->proposal->get_algorithm(this->proposal, EXTENDED_SEQUENCE_NUMBERS,
 								  &esn, NULL);
 
+	if (int_alg == AUTH_HMAC_SHA2_256_128 &&
+		this->config->has_option(this->config, OPT_SHA256_96))
+	{
+		DBG2(DBG_CHD, "  using %N with 96-bit truncation",
+			 integrity_algorithm_names, int_alg);
+		int_alg = AUTH_HMAC_SHA2_256_96;
+	}
+
 	if (!this->reqid_allocated && !this->static_reqid)
 	{
 		status = charon->kernel->alloc_reqid(charon->kernel, my_ts, other_ts,