diff options
author | Tobias Brunner <tobias@strongswan.org> | 2017-05-10 19:15:53 +0200 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2017-05-26 11:22:27 +0200 |
commit | 7637633bb9ac497563a10d93d32e26443edd4383 (patch) | |
tree | 4b683d579f0bc1ac872b1fc2ea259daec7990d04 /src/libcharon | |
parent | 7b476029e6475ed5d5e4511760b1fe489385c4db (diff) | |
download | strongswan-7637633bb9ac497563a10d93d32e26443edd4383.tar.bz2 strongswan-7637633bb9ac497563a10d93d32e26443edd4383.tar.xz |
child-cfg: Optionally use 96-bit truncation for HMAC-SHA-256
The correct truncation is 128-bit but some implementations insist on
using 96-bit truncation. With strongSwan this can be negotiated using
an algorithm identifier from a private range. But this doesn't work
with third-party implementations. This adds an option to use 96-bit
truncation even if the official identifier is used.
Diffstat (limited to 'src/libcharon')
-rw-r--r-- | src/libcharon/config/child_cfg.h | 3 | ||||
-rw-r--r-- | src/libcharon/sa/child_sa.c | 8 |
2 files changed, 11 insertions, 0 deletions
diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h index 56ffab597..a102c459c 100644 --- a/src/libcharon/config/child_cfg.h +++ b/src/libcharon/config/child_cfg.h @@ -307,6 +307,9 @@ enum child_cfg_option_t { /** Enable hardware offload, if supported by the IPsec backend */ OPT_HW_OFFLOAD = (1<<5), + + /** Force 96-bit truncation for SHA-256 */ + OPT_SHA256_96 = (1<<6), }; /** diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c index 1d615915f..e1ffc2aae 100644 --- a/src/libcharon/sa/child_sa.c +++ b/src/libcharon/sa/child_sa.c @@ -802,6 +802,14 @@ static status_t install_internal(private_child_sa_t *this, chunk_t encr, this->proposal->get_algorithm(this->proposal, EXTENDED_SEQUENCE_NUMBERS, &esn, NULL); + if (int_alg == AUTH_HMAC_SHA2_256_128 && + this->config->has_option(this->config, OPT_SHA256_96)) + { + DBG2(DBG_CHD, " using %N with 96-bit truncation", + integrity_algorithm_names, int_alg); + int_alg = AUTH_HMAC_SHA2_256_96; + } + if (!this->reqid_allocated && !this->static_reqid) { status = charon->kernel->alloc_reqid(charon->kernel, my_ts, other_ts, |