-rw-r--r-- | man/ipsec.conf.5.in | 7 | ||||
-rw-r--r-- | src/libcharon/plugins/stroke/stroke_config.c | 3 | ||||
-rw-r--r-- | src/libcharon/plugins/stroke/stroke_socket.c | 1 | ||||
-rw-r--r-- | src/starter/args.c | 1 | ||||
-rw-r--r-- | src/starter/confread.h | 2 | ||||
-rw-r--r-- | src/starter/keywords.h | 1 | ||||
-rw-r--r-- | src/starter/keywords.txt | 1 | ||||
-rw-r--r-- | src/starter/starterstroke.c | 1 | ||||
-rw-r--r-- | src/stroke/stroke_msg.h | 1 |
9 files changed, 17 insertions, 1 deletions
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index ee7d86089..fef44ae21 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -1141,6 +1141,13 @@ a value of 0 disables IPsec replay protection.
 .BR reqid " = <number>"
 sets the reqid for a given connection to a pre-configured fixed value.
 .TP
+.BR sha256_96 " = " no " | yes"
+HMAC-SHA-256 is used with 128-bit truncation with IPsec. For compatibility
+with implementations that incorrectly use 96-bit truncation this option may be
+enabled to configure the shorter truncation length in the kernel. This is not
+negotiated, so this only works with peers that use the incorrect truncation
+length (or have this option enabled).
+.TP
 .BR tfc " = <value>"
 number of bytes to pad ESP payload data to. Traffic Flow Confidentiality is
 currently supported in IKEv2 and applies to outgoing packets only. The
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index a9d073684..d47787d72 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -1074,7 +1074,8 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
 .options = (msg->add_conn.proxy_mode ? OPT_PROXY_MODE : 0) |
 (msg->add_conn.ipcomp ? OPT_IPCOMP : 0) |
 (msg->add_conn.me.hostaccess ? OPT_HOSTACCESS : 0) |
- (msg->add_conn.install_policy ? 0 : OPT_NO_POLICIES),
+ (msg->add_conn.install_policy ? 0 : OPT_NO_POLICIES) |
+ (msg->add_conn.sha256_96 ? OPT_SHA256_96 : 0),
 .tfc = msg->add_conn.tfc,
 .inactivity = msg->add_conn.inactivity,
 .dpd_action = map_action(msg->add_conn.dpd.action),
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index 46de90ca6..65d345db3 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
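Review bot: The new `OPT_SHA256_96` bit is folded into `.options` silently, so an operator who turns on the non-standard 96-bit truncation gets no notice from charon at configuration load beyond the debug-level option dump in stroke_socket.c. Because this shortens the HMAC-SHA-256 ICV from the 128 bits the man-page text in this commit describes as standard, and is not negotiated with the peer, a one-line warning ahead of this initializer list would make the reduced-integrity setting visible in the ordinary log: `if (msg->add_conn.sha256_96) { DBG1(DBG_CFG, "  sha256_96=yes: using non-standard 96-bit HMAC-SHA-256 truncation"); }`. `OPT_SHA256_96` itself is not defined anywhere in this diff, so presumably it was added to the child_cfg option flags in an earlier commit; worth confirming the two land together. build_child_cfg begins and ends outside the hunk.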
@@ -216,6 +216,7 @@ static void stroke_add_conn(private_stroke_socket_t *this, stroke_msg_t *msg)
 DBG_OPT(" dpdtimeout=%d", msg->add_conn.dpd.timeout);
 DBG_OPT(" dpdaction=%d", msg->add_conn.dpd.action);
 DBG_OPT(" closeaction=%d", msg->add_conn.close_action);
+ DBG_OPT(" sha256_96=%s", msg->add_conn.sha256_96 ? "yes" : "no");
 DBG_OPT(" mediation=%s", msg->add_conn.ikeme.mediation ? "yes" : "no");
 DBG_OPT(" mediated_by=%s", msg->add_conn.ikeme.mediated_by);
 DBG_OPT(" me_peerid=%s", msg->add_conn.ikeme.peerid);
diff --git a/src/starter/args.c b/src/starter/args.c
index 7f010d350..477a52082 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -165,6 +165,7 @@ static const token_info_t token_info[] =
 { ARG_TIME, offsetof(starter_conn_t, dpd_timeout), NULL },
 { ARG_ENUM, offsetof(starter_conn_t, dpd_action), LST_dpd_action },
 { ARG_ENUM, offsetof(starter_conn_t, close_action), LST_dpd_action },
+ { ARG_ENUM, offsetof(starter_conn_t, sha256_96), LST_bool },
 { ARG_TIME, offsetof(starter_conn_t, inactivity), NULL },
 { ARG_MISC, 0, NULL /* KW_MODECONFIG */ },
 { ARG_MISC, 0, NULL /* KW_XAUTH */ },
diff --git a/src/starter/confread.h b/src/starter/confread.h
index 2b974d1bc..8ee730daa 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -162,6 +162,8 @@ struct starter_conn {
 dpd_action_t close_action;
+ bool sha256_96;
+
 time_t inactivity;
 bool me_mediation;
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index 94af493f8..0cb46a740 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -64,6 +64,7 @@ enum kw_token_t {
 KW_DPDTIMEOUT,
 KW_DPDACTION,
 KW_CLOSEACTION,
+ KW_SHA256_96,
 KW_INACTIVITY,
 KW_MODECONFIG,
 KW_XAUTH,
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index ee0bd31e1..3f92dc83f 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
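Review bot: The `sha256_96` row added to `token_info` has nothing tying it to `KW_SHA256_96` except its position between the `close_action` and `inactivity` rows, which must line up with where `KW_SHA256_96` sits in `enum kw_token_t` (keywords.h, same commit) and with the `sha256_96, KW_SHA256_96` line in keywords.txt; the `/* KW_MODECONFIG */` and `/* KW_XAUTH */` comments on the ARG_MISC rows suggest the table is indexed by token value, though that indexing is not visible in the hunk. Nothing enforces the coupling, so a later reorder of any one of the three files would silently map the keyword onto the wrong struct offset and the wrong parser. A row comment such as `/* KW_SHA256_96 - keep in kw_token_t order */` would at least document it, and a `_Static_assert` comparing the table's element count with the token enum's size would catch a mismatch at build time. The table definition starts and ends outside the hunk.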
@@ -61,6 +61,7 @@ dpddelay, KW_DPDDELAY
 dpdtimeout, KW_DPDTIMEOUT
 dpdaction, KW_DPDACTION
 closeaction, KW_CLOSEACTION
+sha256_96, KW_SHA256_96
 inactivity, KW_INACTIVITY
 modeconfig, KW_MODECONFIG
 xauth, KW_XAUTH
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index b92c00c87..90af9372a 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -220,6 +220,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 msg->add_conn.dpd.timeout = conn->dpd_timeout;
 msg->add_conn.dpd.action = conn->dpd_action;
 msg->add_conn.close_action = conn->close_action;
+ msg->add_conn.sha256_96 = conn->sha256_96;
 msg->add_conn.inactivity = conn->inactivity;
 msg->add_conn.ikeme.mediation = conn->me_mediation;
 push_string(&msg, add_conn.ikeme.mediated_by, conn->me_mediated_by);
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index a3b911d0f..60ea0028d 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -302,6 +302,7 @@ struct stroke_msg_t {
 } mark_in, mark_out;
 stroke_end_t me, other;
 uint32_t replay_window;
+ bool sha256_96;
 } add_conn;
 /* data for STR_ADD_CA */ |