Diffstat (limited to 'src/libcharon')
-rw-r--r-- | src/libcharon/config/child_cfg.h | 3 | ||||
-rw-r--r-- | src/libcharon/plugins/stroke/stroke_config.c | 3 | ||||
-rw-r--r-- | src/libcharon/plugins/stroke/stroke_socket.c | 1 | ||||
-rw-r--r-- | src/libcharon/plugins/vici/vici_config.c | 11 | ||||
-rw-r--r-- | src/libcharon/sa/child_sa.c | 8 |
5 files changed, 25 insertions, 1 deletions
diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h
index 56ffab597..a102c459c 100644
--- a/src/libcharon/config/child_cfg.h
+++ b/src/libcharon/config/child_cfg.h
@@ -307,6 +307,9 @@ enum child_cfg_option_t {
 /** Enable hardware offload, if supported by the IPsec backend */
 OPT_HW_OFFLOAD = (1<<5),
+
+ /** Force 96-bit truncation for SHA-256 */
+ OPT_SHA256_96 = (1<<6),
 };
 /**
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index a9d073684..d47787d72 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -1074,7 +1074,8 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
 .options = (msg->add_conn.proxy_mode ? OPT_PROXY_MODE : 0) |
 (msg->add_conn.ipcomp ? OPT_IPCOMP : 0) |
 (msg->add_conn.me.hostaccess ? OPT_HOSTACCESS : 0) |
- (msg->add_conn.install_policy ? 0 : OPT_NO_POLICIES),
+ (msg->add_conn.install_policy ? 0 : OPT_NO_POLICIES) |
+ (msg->add_conn.sha256_96 ? OPT_SHA256_96 : 0),
 .tfc = msg->add_conn.tfc,
 .inactivity = msg->add_conn.inactivity,
 .dpd_action = map_action(msg->add_conn.dpd.action),
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index 46de90ca6..65d345db3 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -216,6 +216,7 @@ static void stroke_add_conn(private_stroke_socket_t *this, stroke_msg_t *msg)
 DBG_OPT(" dpdtimeout=%d", msg->add_conn.dpd.timeout);
 DBG_OPT(" dpdaction=%d", msg->add_conn.dpd.action);
 DBG_OPT(" closeaction=%d", msg->add_conn.close_action);
+ DBG_OPT(" sha256_96=%s", msg->add_conn.sha256_96 ? "yes" : "no");
 DBG_OPT(" mediation=%s", msg->add_conn.ikeme.mediation ? "yes" : "no");
 DBG_OPT(" mediated_by=%s", msg->add_conn.ikeme.mediated_by);
 DBG_OPT(" me_peerid=%s", msg->add_conn.ikeme.peerid);
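Review bot: The comment on the new OPT_SHA256_96 enumerator says only `Force 96-bit truncation for SHA-256`, which tells a reader neither why the knob exists nor what it costs: RFC 4868 specifies a 128-bit ICV for HMAC-SHA-256, so enabling this shortens the integrity tag on every packet of the CHILD_SA and is only useful against peers that truncate to 96 bits. I would widen the comment to `/** Force 96-bit ICV truncation for HMAC-SHA2-256 (interop with peers that deviate from RFC 4868's 128-bit ICV); weakens integrity protection */`. The enclosing enum child_cfg_option_t starts before this hunk. The stroke_config.c and stroke_socket.c hunks on this line only wire the flag through and need no change.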
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 46eaf5cff..3af67df94 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -525,6 +525,7 @@ static void log_child_data(child_data_t *data, char *name)
 DBG2(DBG_CFG, " local_ts = %#R", data->local_ts);
 DBG2(DBG_CFG, " remote_ts = %#R", data->remote_ts);
 DBG2(DBG_CFG, " hw_offload = %u", cfg->options & OPT_HW_OFFLOAD);
+ DBG2(DBG_CFG, " sha256_96 = %u", cfg->options & OPT_SHA256_96);
 }
 /**
@@ -892,6 +893,15 @@ CALLBACK(parse_opt_hw_offl, bool,
 }
 /**
+ * Parse OPT_SHA256_96 option
+ */
+CALLBACK(parse_opt_sha256_96, bool,
+ child_cfg_option_t *out, chunk_t v)
+{
+ return parse_option(out, OPT_SHA256_96, v);
+}
+
+/**
 * Parse an action_t
 */
 CALLBACK(parse_action, bool,
@@ -1550,6 +1560,7 @@ CALLBACK(child_kv, bool,
 { "priority", parse_uint32, &child->cfg.priority },
 { "interface", parse_string, &child->cfg.interface },
 { "hw_offload", parse_opt_hw_offl, &child->cfg.options },
+ { "sha256_96", parse_opt_sha256_96,&child->cfg.options },
 };
 return parse_rules(rules, countof(rules), name, value,
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index 1d615915f..e1ffc2aae 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -802,6 +802,14 @@ static status_t install_internal(private_child_sa_t *this, chunk_t encr,
 this->proposal->get_algorithm(this->proposal, EXTENDED_SEQUENCE_NUMBERS,
 &esn, NULL);
+ if (int_alg == AUTH_HMAC_SHA2_256_128 &&
+ this->config->has_option(this->config, OPT_SHA256_96))
+ {
+ DBG2(DBG_CHD, " using %N with 96-bit truncation",
+ integrity_algorithm_names, int_alg);
+ int_alg = AUTH_HMAC_SHA2_256_96;
+ }
+
 if (!this->reqid_allocated && !this->static_reqid)
 {
 status = charon->kernel->alloc_reqid(charon->kernel, my_ts, other_ts,
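Review bot: The added `DBG2(DBG_CFG, " sha256_96 = %u", cfg->options & OPT_SHA256_96);` in log_child_data prints the raw mask value (64 when the bit is set) rather than a flag, which mirrors the hw_offload line above it but is inconsistent with the stroke_socket.c log that prints yes/no for the same option. A reader scanning the configuration dump for a security-relevant downgrade is better served by `DBG2(DBG_CFG, " sha256_96 = %s", (cfg->options & OPT_SHA256_96) ? "yes" : "no");`. log_child_data starts before this hunk; the parse_opt_sha256_96 callback and the child_kv table entry below it follow the existing hw_offload pattern and need no change.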
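Review bot: The swap of int_alg to AUTH_HMAC_SHA2_256_96 in install_internal is logged only at DBG2, yet it installs a kernel SA whose ICV is 32 bits shorter than the AUTH_HMAC_SHA2_256_128 identifier that was negotiated, and since only the local int_alg is replaced here the proposal presumably still reports the 128-bit variant in later status output. I would log it at DBG1 so the deviation is visible at the default level: `DBG1(DBG_CHD, "  using %N with 96-bit truncation", integrity_algorithm_names, int_alg);`. The substitution also fires only when the negotiated algorithm is exactly AUTH_HMAC_SHA2_256_128, so with any other integrity algorithm the option is a silent no-op; a one-line comment above the if such as `/* interop knob: peer truncates HMAC-SHA2-256 to 96 bits instead of RFC 4868's 128 */` would make that intent explicit. install_internal begins and continues outside this hunk.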