diff options
| -rw-r--r-- | src/libcharon/plugins/vici/vici_config.c | 11 | ||||
| -rw-r--r-- | src/swanctl/swanctl.opt | 9 |
2 files changed, 20 insertions, 0 deletions
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c index 46eaf5cff..3af67df94 100644 --- a/src/libcharon/plugins/vici/vici_config.c +++ b/src/libcharon/plugins/vici/vici_config.c @@ -525,6 +525,7 @@ static void log_child_data(child_data_t *data, char *name) DBG2(DBG_CFG, " local_ts = %#R", data->local_ts); DBG2(DBG_CFG, " remote_ts = %#R", data->remote_ts); DBG2(DBG_CFG, " hw_offload = %u", cfg->options & OPT_HW_OFFLOAD); + DBG2(DBG_CFG, " sha256_96 = %u", cfg->options & OPT_SHA256_96); } /** @@ -892,6 +893,15 @@ CALLBACK(parse_opt_hw_offl, bool, } /** + * Parse OPT_SHA256_96 option + */ +CALLBACK(parse_opt_sha256_96, bool, + child_cfg_option_t *out, chunk_t v) +{ + return parse_option(out, OPT_SHA256_96, v); +} + +/** * Parse an action_t */ CALLBACK(parse_action, bool, @@ -1550,6 +1560,7 @@ CALLBACK(child_kv, bool, { "priority", parse_uint32, &child->cfg.priority }, { "interface", parse_string, &child->cfg.interface }, { "hw_offload", parse_opt_hw_offl, &child->cfg.options }, + { "sha256_96", parse_opt_sha256_96,&child->cfg.options }, }; return parse_rules(rules, countof(rules), name, value, diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt index 496dbf3cd..7e204db61 100644 --- a/src/swanctl/swanctl.opt +++ b/src/swanctl/swanctl.opt @@ -651,6 +651,15 @@ connections.<conn>.children.<child>.esp_proposals = default for interoperability. If no algorithms are specified for AH nor ESP, the _default_ set of algorithms for ESP is included. +connections.<conn>.children.<child>.sha256_96 = no + Use incorrect 96-bit truncation for HMAC-SHA-256. + + HMAC-SHA-256 is used with 128-bit truncation with IPsec. For compatibility + with implementations that incorrectly use 96-bit truncation this option may + be enabled to configure the shorter truncation length in the kernel. This + is not negotiated, so this only works with peers that use the incorrect + truncation length (or have this option enabled). + connections.<conn>.children.<child>.local_ts = dynamic Local traffic selectors to include in CHILD_SA. |